This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Justin Somaini, partner, YL Ventures
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
MFA bypass service admins plead guilty
Three individuals, aged between 19 and 21, have pleaded guilty in a UK court to running OTP.Agency, “an online platform that provided social engineering help to obtain one-time passcodes from customers of various banks and services in the U.K.” Their agency allegedly helped deliver OTPs for more than 30 online services, including Apple Pay, for members who paid weekly subscriptions. These customers would be criminals who already possessed a victim’s login credentials for a service but who also needed the one-time password to complete the login. OTP.Agency obtained these by making automated, scripted calls to the victim from spoofed addresses, using text-to-speech technology to ask for the temporary password. A video showing how the scheme worked is available in the show notes to this episode.
(BleepingComputer and NCA video on X)
SQL injection able to bypass airport TSA security checks
Two security researchers have identified a vulnerability in a security system that, according to BleepingComputer, “allowed unauthorized individuals to potentially bypass airport security screenings and gain access to aircraft cockpits.” The researchers, Ian Carroll and Sam Curry, found the vulnerability within a third-party web-based service called FlyCASS, which stands for Cockpit Access Security System (CASS). Some airlines use it to manage their Known Crewmember (KCM) program, which itself is a TSA initiative that “allows pilots and flight attendants to skip security screening, and also allows authorized pilots to use jump seats in cockpits when traveling.” The researchers saw that the FlyCASS login system was susceptible to SQL injection, which allowed them to log in as an administrator for a participating airline and manipulate employee data within the system.
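To make concrete why a login form susceptible to SQL injection hands out administrator access, here is an added example (not code from FlyCASS, the researchers, or this episode) of the vulnerable pattern beside its hardened form. The `users` table, the usernames, the passphrases and the roles are all constructed for illustration; the hypothetical schema stands in for any crew-access backend.

```python
import hashlib
import sqlite3

# Constructed sample data: a toy crew-access table. The schema, names and
# passphrases are hypothetical and not FlyCASS's real data model.
SAMPLE_USERS = [
    ("crew_admin", "correct horse battery staple", "admin"),
    ("pilot_jane", "another-long-passphrase", "crewmember"),
]


def hash_password(password: str) -> str:
    # SHA-256 keeps this example dependency-free; a production system should
    # use a slow, salted password hash such as bcrypt or argon2 instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(user, hash_password(pw), role) for user, pw, role in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable form: the query is assembled by string concatenation.

    Whatever the user types into the username field becomes part of the SQL
    text, so a single quote character in that field changes the meaning of
    the statement and the password comparison can be cut out of it entirely.
    Returns the matched role, or None when no row matches.
    """
    query = (
        "SELECT role FROM users WHERE username = '" + username + "'"
        " AND password_hash = '" + hash_password(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: the SQL text is fixed and both values travel as bound
    parameters, so the database treats them purely as data, never as SQL.
    Returns the matched role, or None when no row matches.
    """
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


def compare_behaviour() -> dict:
    """Run both login functions against a constructed username that contains
    a quote followed by an SQL comment marker, plus a wrong password.

    The vulnerable function returns the admin role even though the password
    is wrong; the parameterized function correctly returns None.
    """
    conn = make_db()
    crafted_username = "crew_admin'--"   # constructed input, not a real account
    wrong_password = "not-the-password"
    return {
        "vulnerable": login_vulnerable(conn, crafted_username, wrong_password),
        "parameterized": login_parameterized(conn, crafted_username, wrong_password),
        "legitimate": login_parameterized(conn, "crew_admin", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, role in compare_behaviour().items():
        print(f"{name:>14}: {role}")
```

The point for a defender is that the fix is not input filtering or a blocklist of suspicious characters but keeping the query text constant and binding every user-supplied value as a parameter; the same rule applies to ORMs and query builders, which should never be fed raw string fragments built from request data.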
GitHub comments push malware masked as fixes
The Lumma Stealer information-stealing malware is being distributed via comments posted on GitHub, disguised as solutions to users’ project questions. The “solution,” which according to one researcher was posted 29,000 times over a three-day period, tells people to “download a password-protected archive from a specific website and run the executable within it.” The password is supplied in the message. The downloaded malware aims to steal “cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium browsers,” as well as cryptocurrency wallets, private keys, and text files.
Thanks to today’s episode sponsor, Scrut Automation

Halliburton confirms data stolen in cyberattack
Following up on a story we brought to you last week on Cyber Security Headlines, the U.S. oil services giant confirmed Tuesday that corporate data was stolen from its computer systems during a ransomware attack it suffered in August. Halliburton stopped short of confirming a ransomware extortion scheme but said significant portions of its IT systems were disrupted. The company said it engaged law enforcement to help identify exactly what data was stolen and whom it will need to notify. The company’s acknowledgement comes on the heels of CISA, the FBI, and HHS blaming the RansomHub gang for the attack.
City of Columbus sues researcher after ransomware attack
After suffering a ransomware attack in mid-July, the city of Columbus, Ohio is now suing a security researcher. Initially, city officials said they had thwarted the attack but later conceded that attackers had indeed stolen data and encrypted its systems. This came after the Rhysida ransomware gang leaked 3.1 TB of data it claimed to have stolen from Columbus’ systems. Security researcher David Leroy Ross (also known as Connor Goodwolf) took to the media claiming the city wasn’t telling the full truth and that the stolen data included names, Social Security numbers, and other data related to police officers and crime victims. The city has now accused Ross of colluding with the threat actors to obtain access to the stolen data, which it says is also an invasion of privacy. An Ohio judge has granted a temporary restraining order preventing Ross from disseminating data from Rhysida’s site but does not bar him from discussing the incident with the media.
OnlyFans malware spins a duplicitous web
Researchers at security firm Veriti have discovered a new distribution mechanism for infostealer malware: a “checker” tool used by hackers to validate stolen credentials. The OnlyFans connection comes from the fact that the checker tool provides cybercriminals with the ability to “validate OnlyFans logins, check account balances, verify if accounts have payment methods attached and determine if accounts have creator privileges.” However, Veriti says this same checker tool is also a delivery mechanism for Lumma Stealer, which buries itself deep within the systems of the cybercriminals who run it. Similar checker tools have also been used against hackers who target accounts on Disney+ and Instagram.