Cyber Security Headlines Week in Review: Microsoft email explanation, ChatGPT leaks passwords, trojan defeats 2FA

Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Mary Rose Martinez, VP, CISO, Marathon Petroleum

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Microsoft says Russians used previously identified tactic in senior exec email breach

Following up on a story we covered last week, in which the Russian state-sponsored group Midnight Blizzard broke into the email accounts of senior Microsoft executives to learn what Microsoft knew about the group, Microsoft now says the attackers pivoted from a legacy non-production test tenant account, compromised through password spraying, into the mailboxes of senior leaders by abusing OAuth applications. Specifically, “the threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.” That role gives an application access to every mailbox in the tenant, so one consent grant was enough to read executive mail without touching any executive’s credentials. The technique is the same one Microsoft had warned the public about on December 15th. The company now says it has put further defensive measures in place to stop this type of attack from happening again.

(The Record)
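One way to hunt for the kind of grant described above in your own tenant is to pull the Exchange Online service principal’s appRoleAssignedTo collection from Microsoft Graph, join it to that principal’s appRoles list, and flag anything that resolves to a mailbox-wide role. The Python below is an added example for this page, not Microsoft’s code or tooling: it runs over constructed records shaped like the documented Graph appRoleAssignment and appRole resources (the GUIDs and principal names are placeholders), so a real run would first fetch those two collections with whatever Graph client you use.

```python
from datetime import datetime, timedelta, timezone

# Exchange Online app roles that reach every mailbox or the tenant's Exchange
# configuration. Any service principal holding one of these deserves a named
# owner and a reason to exist.
HIGH_PRIVILEGE_ROLES = {"full_access_as_app", "Exchange.ManageAsApp"}

# Constructed stand-in for the Exchange Online service principal's `appRoles`
# (GET /servicePrincipals/{id}?$select=appRoles). Field names are Graph's;
# the GUIDs are placeholders, and the check keys on `value`, not on the id.
EXCHANGE_APP_ROLES = [
    {"id": "a1a1a1a1-0000-4000-8000-000000000001", "value": "full_access_as_app"},
    {"id": "a1a1a1a1-0000-4000-8000-000000000002", "value": "Exchange.ManageAsApp"},
    {"id": "a1a1a1a1-0000-4000-8000-000000000003", "value": "Mail.Read"},
]

# Constructed stand-in for that principal's `appRoleAssignedTo` collection
# (GET /servicePrincipals/{id}/appRoleAssignedTo). Principal names are made up.
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "hr-mailflow-prod", "principalId": "p-1",
     "appRoleId": "a1a1a1a1-0000-4000-8000-000000000003",
     "createdDateTime": "2022-06-01T09:00:00Z"},
    {"principalDisplayName": "legacy-test-app", "principalId": "p-2",
     "appRoleId": "a1a1a1a1-0000-4000-8000-000000000001",
     "createdDateTime": "2024-01-10T03:12:44Z"},
    {"principalDisplayName": "sync-helper", "principalId": "p-3",
     # the nil GUID is Graph's "default access" marker, not a named permission
     "appRoleId": "00000000-0000-0000-0000-000000000000",
     "createdDateTime": "2024-01-12T22:05:00Z"},
]


def parse_iso(ts):
    """Graph emits UTC timestamps with a trailing Z; fromisoformat needs +00:00 before 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_risky_grants(app_roles, assignments, now=None, recent_days=30):
    """Join assignments to the resource's app roles and return the ones worth a
    human look: high-privilege roles, plus any appRoleId that does not resolve
    to a named role on the resource. `recent` marks grants newer than recent_days."""
    now = now or datetime.now(timezone.utc)
    role_by_id = {r["id"]: r["value"] for r in app_roles}
    findings = []
    for a in assignments:
        role = role_by_id.get(a["appRoleId"])
        if role is None:
            reason = "appRoleId does not resolve to a named role (default access?)"
        elif role in HIGH_PRIVILEGE_ROLES:
            reason = f"high-privilege role {role}"
        else:
            continue  # ordinary scoped permission; out of scope for this hunt
        created = parse_iso(a["createdDateTime"])
        findings.append({
            "principal": a["principalDisplayName"],
            "principalId": a["principalId"],
            "role": role,
            "reason": reason,
            "created": created.isoformat(),
            "recent": (now - created) <= timedelta(days=recent_days),
        })
    return findings


if __name__ == "__main__":
    report = find_risky_grants(EXCHANGE_APP_ROLES, SAMPLE_ASSIGNMENTS,
                               now=parse_iso("2024-01-26T00:00:00Z"))
    for f in report:
        flag = "NEW" if f["recent"] else "   "
        print(f"{flag} {f['principal']:<20} {f['reason']} (granted {f['created']})")
```

The report flags two things: any assignment whose role value is full_access_as_app or Exchange.ManageAsApp, and any assignment whose appRoleId does not resolve against the resource’s role list. The recent flag mirrors the point of the story: a years-old grant to a known production service is background noise, while a fresh grant to a forgotten test application is the one to pull.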

PixPirate raises the bar for banking trojans

Researchers at Trusteer, IBM’s security division, have been tracking a new Android remote access trojan targeting customers of banks in Brazil. It conceals itself by abusing the device’s accessibility service, and it neutralizes SMS-based two-factor authentication: “the malware can also access, edit and delete the victim’s SMS messages, including any messages the bank sends.” It also uses a two-stage infection flow, a downloader app and a “droppee” app, rather than the more common single Android Package (APK) file. A link to IBM’s report describing the technical details of the PixPirate RAT is in the show notes for this episode.

(Security Intelligence)

Thanks to today’s episode sponsor, Vanta

From dozens of spreadsheets and screenshots to fragmented tools and manual security reviews, managing the requirements for modern compliance and security programs is increasingly challenging. Vanta is the leading Trust Management Platform that helps you centralize your efforts to establish trust and enable growth across your organization. Over 6,000 companies partner with Vanta to automate compliance, strengthen security posture, streamline security reviews, and reduce third-party risk. To learn more, go to vanta.com/ciso and watch their 3-minute product demo.

Mercedes-Benz exposes sensitive data, source code

Researchers at RedHunt Labs discovered, during a routine internet scan, an authentication token belonging to a Mercedes employee that had been left exposed in a public GitHub repository. Speaking to TechCrunch, Shubham Mittal, co-founder and chief technology officer of RedHunt Labs stated, “the GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server…the repositories include a large amount of intellectual property… connection strings, cloud access keys, blueprints, design documents, single sign-on passwords, API Keys, and other critical internal information.” It’s not known if any customer data was contained within the repositories. TechCrunch alerted Mercedes on Monday, and on Wednesday, a Mercedes spokesperson confirmed that the company “revoked the respective API token and removed the public repository immediately.”

(TechCrunch)
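The practical lesson from the Mercedes incident is that a token pushed to a public repository must be treated as compromised the moment it lands, so the cheap win is to block the commit before it happens. Below is an added example for this page, not RedHunt Labs’ scanner or anything from Mercedes: a small Python pre-commit style secret scanner that matches documented credential prefixes (GitHub’s ghp_/gho_/ghu_/ghs_/ghr_ and github_pat_ formats, AWS access key IDs, PEM private key headers) and falls back to an entropy check for generic assignments. It runs over constructed file contents; the GitHub token and API secret in the sample are made-up strings of the right shape, and the AWS key is Amazon’s own documented example value.

```python
import math
import re
from collections import Counter

# Credential formats with a documented, recognisable prefix. The lengths
# follow the vendors' published token formats; the regexes check shape only.
PREFIXED_PATTERNS = {
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Generic "name = value" assignments where the name smells like a secret;
# the value is only reported if its Shannon entropy is high enough to look
# like a real key rather than a placeholder or a dictionary word.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*[\"']?([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.8  # bits per character; random base64/hex usually sits above 4


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(token):
    """Keep just enough of the token to locate it, never the whole thing."""
    return token[:6] + "..." + token[-4:]


def scan_text(path, text, allowlist=frozenset()):
    """Return findings for one file. allowlist holds exact strings that are
    known-safe (e.g. vendor-documented example keys used in test fixtures)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit_on_line = False
        for kind, pattern in PREFIXED_PATTERNS.items():
            for m in pattern.finditer(line):
                if m.group(0) in allowlist:
                    continue
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "redacted": redact(m.group(0))})
                hit_on_line = True
        if hit_on_line:
            continue  # don't double-report a prefixed token via the generic rule
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if value in allowlist or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append({"path": path, "line": lineno, "kind": "generic_high_entropy",
                             "redacted": redact(value)})
    return findings


def scan_files(files, allowlist=frozenset()):
    """files maps path -> content (what a pre-commit hook would read for each
    path listed by `git diff --cached --name-only`)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text, allowlist))
    return findings


# Constructed sample repository contents. The GitHub token and the API
# secret are made-up strings of the right shape; AKIAIOSFODNN7EXAMPLE is
# Amazon's own documented example access key id.
SAMPLE_FILES = {
    ".env": (
        "GITHUB_TOKEN=ghp_16C7e42F292c6912E7710c838347Ae178B4a\n"
        "DB_PASSWORD=passwordpassword1234\n"  # low entropy: a placeholder, not reported
    ),
    "src/settings.py": 'API_SECRET = "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY"\n',
    "tests/fixtures/aws_example.txt": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    import sys
    found = scan_files(SAMPLE_FILES, allowlist={"AKIAIOSFODNN7EXAMPLE"})
    for f in found:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['redacted']}")
    sys.exit(1 if found else 0)  # a non-zero exit blocks the commit when run as a hook
```

Wired into .git/hooks/pre-commit, the script reads each staged path and fails the commit on any finding. The regexes only check shape, not validity, and the response to a real hit is still revocation rather than a history rewrite: a token that has sat in a public repository for any length of time has already been scraped, which is exactly how RedHunt Labs found this one.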

AI poisoning tool sees download surge

Last week researchers at the University of Chicago released a tool called Nightshade. Like Glaze, the same team’s earlier tool, Nightshade serves to “distort feature representations inside generative AI image models.” The idea is that anyone who does not want their images scraped for training can apply it while still keeping their content indexed on the open web. The team reports that Nightshade has seen over 250,000 downloads since release, indicating a high level of interest.

(Spiceworks, Nightshade Project Site)

More companies refuse to pay ransoms

The ransomware negotiation firm Coveware reports that in Q4 2023 a record low 29% of victim organizations paid ransomware operators, down from 37% a year earlier. The firm notes that the payment rate has fallen steadily over the last five years, from 85% of victims paying in Q1 2019. The drop held even in cases where threat actors exfiltrated data. Coveware attributes the continued decline to mounting legal pressure on paying ransoms, a lack of trust that criminals will keep their promises, and overall better preparedness for ransomware attacks.

(Bleeping Computer)

FBI grounds Volt Typhoon

The Chinese state-affiliated hacking group Volt Typhoon built the KV botnet from compromised small office/home office routers and IoT devices, including Cisco and Netgear routers, DrayTek devices and Axis IP cameras, as documented by researchers at Lumen Technologies. The group used the botnet to obscure the origin of its reconnaissance and exploitation traffic. The FBI reports it obtained a court order in December authorizing an operation to dismantle the botnet; with that order it took control of the C2 server and used it to send commands that deleted the malware’s VPN component from infected routers and cut them off from the botnet. The FBI and CISA also issued guidance for SOHO router manufacturers on building devices that resist this kind of compromise, noting that most of the routers in the KV botnet were end-of-life units no longer receiving security updates.

(Bleeping Computer)

Civilians in Jordan infected by NSO’s Pegasus spyware

A joint report from the digital rights organization Access Now and the Toronto-based research group Citizen Lab says that “the phones of some three dozen journalists, human rights advocates and lawyers in Jordan were infected with Pegasus spyware.” According to The Record, “While the report suggests the Jordan authorities are behind the campaign, the authors stop short of saying so directly.” The Record also notes that a previous Citizen Lab report had identified two organizations in Jordan as Pegasus customers. Pegasus is typically delivered through zero-click exploits, meaning a target does not have to open a link or attachment to be infected.

(The Record)

The Future Of Cybersecurity Is More Human Than You Think

An article in Forbes this week, chosen by our guest, argues that the rise of AI is making conventional cybersecurity tactics less effective. It points to rising anxiety among security specialists and other workers about new phenomena such as AI hallucinations, and AI-generated malicious code that need only drive up a company’s operating costs and damage its reputation to do tangible harm. The article calls for greater investment in the human side of cybersecurity.

(Forbes)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.