Cybersecurity News Week in Review: Microsoft banking warning, undetectable BatCloak malware, more MOVEit vulnerabilities

This week’s Cyber Security Headlines – Week in Review, June 12-16, is hosted by Sean Kelly with our guest, Phil Beyer, former Head of Security, Etsy

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Microsoft warns of multi-stage banking attacks

Security researchers at Microsoft detailed a new campaign against financial and banking organizations in which the attackers first compromise trusted vendors, then use that foothold to target multiple organizations with adversary-in-the-middle (AiTM) and business email compromise attacks. Microsoft found these approaches show continuing evolution by threat actors, differing from typical approaches by using indirect proxy techniques rather than reverse proxies. The attackers attempt to gain access to session cookies to defeat MFA, then send out emails as part of a second-stage attack. In its security advisory, Microsoft recommends revoking session cookies and rolling back modifications made by the threat actors.

(Security Affairs)

BatCloak engine makes malware fully undetectable

Researchers at Trend Micro describe this undetectable malware obfuscation engine as giving threat actors “the ability to load numerous malware families and exploits with ease through highly obfuscated batch files.” Active since September 2022, the engine has been prolific: the researchers added that almost 80% of the 784 artifacts unearthed have no detection across all security solutions. The BatCloak engine forms the crux of an off-the-shelf batch file builder tool called Jlaive, which comes with capabilities to bypass the Antimalware Scan Interface (AMSI) as well as compress and encrypt the primary payload to achieve heightened security evasion.

(The Hacker News)

More vulnerabilities found in MOVEit file transfer software

Security firms helping Progress Software dissect the fallout from a ransomware attack against its MOVEit file transfer suite have discovered more issues that the company said could be used to stage additional exploits. Progress said the discovery was made by cybersecurity firm Huntress, which it had engaged to conduct a detailed code review of its systems. The newly discovered vulnerabilities are distinct from the issue reported earlier, and as such another patch for MOVEit Transfer and MOVEit Cloud has been issued to fix this latest discovered bug. Progress gave no description of the newfound vulnerabilities and said a CVE number or numbers are pending.

(The Register)

US intelligence confirms it buys Americans’ personal data

A newly declassified government report from the Office of the Director of National Intelligence (ODNI) confirms for the first time that US intelligence and spy agencies purchase vast amounts of commercially available information on Americans. The info includes data from connected vehicles, web browsing history, and smartphones. While government agencies normally need to secure court-approved warrants to obtain such data directly from tech companies, they can freely purchase the same data through brokers. Sen. Ron Wyden (D-OR) said, “the government’s existing policies have failed to provide essential safeguards for Americans’ privacy, or oversight of how agencies buy and use personal data.” Wyden has called for Congress to pass legislation that would put guardrails on the government’s purchasing of personal info.

(TechCrunch)

Thanks to today’s episode sponsor, Conveyor

Your scariest questionnaires that are hundreds of questions long are no match for Conveyor’s GPT-questionnaire tool – now with a browser extension for complex portals. Get GPT-generated precise answers to entire questionnaires so your review takes seconds. Now you can spend 89% less time completing questionnaires when you get accurate answers you don’t have to re-write. Try a free proof of concept with your own data to see it in action. See what security and sales teams are raving about at www.conveyor.com

Faked crypto journalists steal real crypto

The analysts at ScamSniffer found that the threat group Pink Drainer successfully impersonated journalists covering cryptocurrency to steal roughly $3 million worth of crypto assets, including $327,000 worth of NFTs from a single wallet. The attackers used hijacked accounts to impersonate journalists from Cointelegraph and Decrypt to conduct fake interviews, using this trust to get victims to enter information in malicious “Know Your Customer” validation sites. These sites stole Discord tokens, which the attackers used to launch further phishing attacks. The researchers warn that Pink Drainer remains highly active and advised crypto investors to remain vigilant.

(Bleeping Computer)

MSSQL makes up 93% of all database honeypot activity

In a blog post on Tuesday, Trustwave’s SpiderLabs said its study of database server honeypots, based in six different countries, revealed that Microsoft SQL (MSSQL) made up 93% of all attack activity. SpiderLabs also set up sensors on the default TCP ports for MySQL, MongoDB, PostgreSQL, Oracle DB, IBM DB2 (Unix/Win), Cassandra, and Couchbase. The UK and China registered the most MSSQL attacks (21.84% and 21.49% respectively), followed by Ukraine (19.52%), Russia (17.54%), Poland (11.54%), and the United States (8.08%). The researchers recommend that organizations implement strong and secure authentication, including enabling multi-factor authentication, and disable default accounts. Additionally, security teams should closely monitor privileged access, keep software up to date, and conduct frequent security audits.

(SC Magazine)

Hackers create fake GitHub profiles to deliver malware through repositories

Hackers launched an elaborate campaign to deceive cybersecurity professionals on the code-hosting platform GitHub and trick them into downloading malware, according to research published on Wednesday. The group created fake profiles of real security researchers to promote code repositories that appear to house exploits for popular products like Chrome, Exchange, and Discord. According to cybersecurity company VulnCheck, the threat actors behind these repositories have invested substantial effort into making them appear authentic, creating a network of Twitter accounts, masquerading as members of a fictitious company called High Sierra Cyber Security. They even used headshots of genuine researchers employed by major cybersecurity companies.

(The Record)

EU passes landmark Artificial Intelligence Act

The European Parliament adopted the latest draft of the legislation with an overwhelming majority yesterday. First introduced in April 2021, the AI Act aims to strictly regulate AI services and mitigate the risks they pose. The first draft, which included measures such as adding safeguards against biometric data exploitation, mass surveillance systems and policing algorithms, predated the surge in generative AI tool adoption that started in late 2022. This latest draft introduced new measures to control “foundational models.” These include a tiered approach for AI models, from ‘low and minimal risk’ through ‘limited risk,’ ‘high risk’ and ‘unacceptable risk’ AI practices.

(Info-Security Magazine)

St. Margaret’s becomes first hospital to cite cyberattack as a reason for its closure

St. Margaret’s Health in Illinois fell victim to a ransomware attack in February 2021, forcing it to shut down IT infrastructure at its Spring Valley hospital. The payment system was taken offline for months, causing billing delays and a significant economic impact on the organization. SMP’s chair, Suzanne Stahl, said that on June 16th the system will shut down its Spring Valley and Peru facilities due to a number of factors, including the cyberattack, the Covid-19 pandemic, and staffing shortages. The closure of the hospital is expected to have a dramatic impact on residents and marks the first time a hospital has cited a cyberattack as a reason for ceasing its operations.

(Security Affairs)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.