Another Friday, another issue of the newsletter! The MOVEit exploit tops the news charts, I've tried to condense it down so you can catch up. Plenty of other interesting news too.
It's going to be about 30 degrees Celsius where I live today (~86 degrees in Freedom Units), so instead of recommending coffee I recommend a cold glass of water while you read. Or iced coffee of course. Enjoy!
Breaches and leaks
- Outlook.com has been suffering outages because of a range of DDoS attacks, claimed by Sudanese hacktivists: link. Also OneDrive, link.
- Eisai, a Japanese pharmaceutical company, disclosed a ransomware incident: link.
- Burton Snowboards notified customers of a data breach: link.
- Crypto wallet service Atomic Wallet was compromised, with a reported $35 million in crypto stolen: link.
- Honda had an unsecured API endpoint exposing customer information: link.
In the consequences category (I hope to see more of these in the future):
- Financial services company OneMain fined $4.25 million for subpar security practices: link.
There is a lot of news around a campaign targeting the MOVEit file transfer software. The linked article gives a pretty complete picture so far. In short:
- MOVEit is a file transfer app used by thousands of companies. There is a zero-day bug being actively exploited.
- There is a patch available now, but if you run this software you should assume you have already been compromised: patching closes the hole, it does not evict an attacker who already got in. Initial scans for the vulnerability date back all the way to March 3rd. Initial exploit attempts even seem to go back to 2021.
- The CLOP ransomware gang claimed credit, the same gang that was also responsible for the GoAnywhere mass exploitation.
- CISA has ordered all government agencies to be patched by June 23rd, although that sounds a bit lax to me. If patching is not easily possible, everyone is strongly advised to cut off all HTTP and HTTPS traffic to their MOVEit environment.
- Some names of organisations already known to be breached: the BBC, British Airways, the government of Nova Scotia. There will probably be many more.
That's... intense. If you run a Barracuda Email Security Gateway (ESG), you are highly advised to completely replace the device regardless of patch level. This is due to a remote command injection flaw that was patched recently, but it's unclear as to why they insist on replacement. Better safe than sorry I guess?
I didn't properly realise that this was a thing to watch out for. The man in the linked story imported old, used, or low-grade network equipment from China and Hong Kong and modified the equipment to appear as genuine, brand-new Cisco devices.
There are increased reports of people falling victim to sextortion campaigns, where attackers take publicly accessible images, manipulate them using AI to show fake but explicit sexual activity, and then extort the victims. There's also no real way to combat it that I know of. Horrible stuff.
The reporting is a bit vague, and it's nothing new, but it's worth highlighting in my opinion: more and more attacks will target an employee's (C-suite or otherwise) home infrastructure and/or family members as a way to get to them. Makes perfect sense from an attacker's point of view, but I don't think that the average home has the proper security posture to deal with this. When was the last time that your CEO updated their router, you think?
Interesting approach. To help stop the flood of small- and midsize businesses being compromised some US universities are launching cybersecurity centers modeled on law school legal clinics to train students as digital security consultants. If all goes well then this might grow into a sort of cybersecurity emergency hotline for local businesses.
Nice to watch :-) Someone set up a server out in the open and logs every brute-force attempt that is made. When talking to non-security folks about Internet background noise, this might be nice to show them. Hackernews thread here.
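If you want to show the same thing from your own box rather than someone else's, the script below is an added example (not from the linked server or the newsletter) that tallies failed SSH logins per source address from sshd lines in the syslog format Debian and Ubuntu write to /var/log/auth.log. The log lines embedded in it are constructed, using documentation address ranges, so it runs offline; point `report()` at a real auth.log to get actual numbers.

```python
import re
from collections import Counter

# Constructed sample of sshd lines as they appear in /var/log/auth.log.
# Addresses are from the RFC 5737 documentation ranges, not real attackers.
SAMPLE_AUTH_LOG = """\
Jun  9 03:12:01 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 51422 ssh2
Jun  9 03:12:03 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 51422 ssh2
Jun  9 03:12:04 honeypot sshd[1203]: Invalid user admin from 198.51.100.23 port 40110
Jun  9 03:12:04 honeypot sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 40110 ssh2
Jun  9 03:12:09 honeypot sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51430 ssh2
Jun  9 03:12:15 honeypot sshd[1207]: Accepted publickey for ops from 192.0.2.10 port 33000 ssh2: ED25519 SHA256:abc
Jun  9 03:12:20 honeypot sshd[1209]: Failed password for invalid user test from 198.51.100.23 port 40115 ssh2
"""

# Matches both "Failed password for root from ..." (existing account) and
# "Failed password for invalid user admin from ..." (non-existent account).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(log_text):
    """Yield (source_ip, username) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def summarize(log_text):
    """Return (attempts per IP, set of usernames tried per IP)."""
    by_ip = Counter()
    users_by_ip = {}
    for ip, user in parse_failed_logins(log_text):
        by_ip[ip] += 1
        users_by_ip.setdefault(ip, set()).add(user)
    return by_ip, users_by_ip


def report(log_text):
    """Render a noisiest-first table of sources and the accounts they guessed."""
    by_ip, users_by_ip = summarize(log_text)
    rows = []
    for ip, n in by_ip.most_common():
        users = ", ".join(sorted(users_by_ip[ip]))
        rows.append(f"{ip:15} {n:4} failed   users tried: {users}")
    return "\n".join(rows)


if __name__ == "__main__":
    # Replace SAMPLE_AUTH_LOG with open("/var/log/auth.log").read() on a real host.
    print(report(SAMPLE_AUTH_LOG))
```

Successful logins and the bare "Invalid user" notices are deliberately ignored, so the count reflects actual password guesses rather than every line mentioning an address. On a host exposed to the Internet the top entries of this table fill up within minutes, which is exactly the background-noise point to make.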
Our industry is trying to completely remove phishing as a threat by using passkeys, and it has me pretty excited. Check out this article to learn more about how they work and how it applies to 1Password going forward. (Sponsored)