We've got some important MOVEit updates to line up today, and a bunch of high-level breaches to look into impacting the Swiss, Turkish and Chilean governments.
Enjoy perusing this week's issue, and have a wonderful day!
Breaches and leaks
- Private data of Turkish citizens was stolen from an e-gov service and offered for sale: link.
- The Swiss government disclosed a recent ransomware attack through a third-party supplier and is suffering from DDoS attacks: link.
- The army of Chile was breached with data being leaked online: link.
- The University of Manchester says hackers likely stole data in cyberattack: link.
- Infotel JSC, a Russian telecom provider used by Russian banks, was taken down by Ukrainian hackers: link.
- Zacks Investment Research has suffered a breach impacting 8.8 million customers: link.
- St. Margaret's Health, an Illinois hospital, is permanently shutting down in part because of a 2021 ransomware attack: link.
Nylas, builders of APIs around email, calendars and contacts, are holding an online event on API security. They'll dive deeper into API vulnerabilities, preventing data exposure and securely building and maintaining APIs. Check it out! (Sponsored)
There are a few items dealing with the MOVEit file transfer vulnerabilities:
- Clop ransomware gang starts listing and extorting victims: here.
- New critical flaws were found in the MOVEit software after a security audit, so make sure you have the latest patches: link.
- A few days later MOVEit warns of yet another newly discovered vulnerability, so yeah, patch: link.
- PoC code for the original vulnerability is now publicly available, so more attackers will get on this: link.
- CISA says that the US gov has been hit several times, although interestingly Clop seems to hold itself to a promise of deleting US gov data and not publishing it: link.
You know you're making an impact if seven nations get together to alert on your crimes and share intel about you. Just not the good kind of impact, of course. Unfortunately their crimes do make quite an impact: Lockbit victims in the US alone have paid over $90 million since 2020. The countries shared a PDF with information on Lockbit, the tools they use and the vulnerabilities they exploit; you can find it here.
BEC is the type of attack where someone sends you an e-mail claiming to be your boss, asking you to quickly wire some money. I'm always taken aback by the impact of these attacks versus their simplicity to execute. The numbers in the report are a bit confusing, but from what I can make out the FBI estimates that, based on reports made to them and to other law enforcement, and on filings with financial institutions, worldwide losses total $50 billion in one year. That's billion, with a B.
Nice reminder of just how much brute force is out there. An RDP endpoint exposed to the world was targeted 3.4 million times in three months, from 1,500 IP addresses, with the yearly total reaching 13 million attempts. Interestingly, it's not all just automated dictionary attacks; there's also some manual recon work going into it, with usernames being tried that could be relevant to the box in question. Weirdly enough, the traffic patterns follow a regular work-day routine, with time for breaks and everything.
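To make the observations above concrete from the defender's side, here is an added example (not from the original article or the report it links) that profiles failed RDP logons per source IP: volume, how many usernames were tried, whether any username looks derived from the host name (the "relevant to the box" recon the report describes), and whether the activity falls only within working hours. The log format and the host-name prefix are constructed assumptions, loosely modelled on Windows Event ID 4625 with LogonType 10 (RDP).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real logs): one failed-logon record per line,
# loosely modelled on Windows Event ID 4625 with LogonType 10 (RemoteInteractive / RDP).
SAMPLE_LOG = """\
2023-06-12T09:15:02Z 4625 LogonType=10 User=administrator Src=203.0.113.5
2023-06-12T09:15:03Z 4625 LogonType=10 User=admin Src=203.0.113.5
2023-06-12T09:15:04Z 4625 LogonType=10 User=root Src=203.0.113.5
2023-06-12T10:02:11Z 4625 LogonType=10 User=fileserver-backup Src=198.51.100.7
2023-06-12T10:40:45Z 4625 LogonType=10 User=fileserver-admin Src=198.51.100.7
2023-06-12T14:05:00Z 4625 LogonType=10 User=backup Src=203.0.113.5
2023-06-12T22:30:00Z 4625 LogonType=10 User=jsmith Src=192.0.2.44
2023-06-12T22:31:00Z 4625 LogonType=3 User=jsmith Src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) 4625 LogonType=(\d+) User=(\S+) Src=(\S+)$")


def parse_failed_rdp_logons(text):
    """Yield (timestamp, user, src) for failed RDP logons; other logon types are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "10":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(3), m.group(4)


def profile_sources(text, local_prefix, threshold=3, workday=range(8, 18)):
    """Summarize failed RDP logons per source IP.

    local_prefix: a hypothetical host-name prefix; usernames starting with it
    suggest recon tailored to this box rather than a generic dictionary.
    """
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "hours": set()})
    for ts, user, src in parse_failed_rdp_logons(text):
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user)
        s["hours"].add(ts.hour)
    report = {}
    for src, s in stats.items():
        report[src] = {
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "targeted": any(u.startswith(local_prefix) for u in s["users"]),
            "workday_only": all(h in workday for h in s["hours"]),
            "brute_force": s["attempts"] >= threshold,
        }
    return report
```

Feeding real 4625 events in requires only adapting `LINE_RE` to your export format; the threshold and working-hours window are tuning knobs for your environment.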
Be careful when trying out PoCs, folks. Researchers uncovered an elaborate campaign of fake GitHub repositories claiming to contain PoC code for zero-day exploits, but which do in fact contain malware. The repos show as being owned by well-known security researchers, using their profile pictures and everything, and are spread by Twitter accounts also pretending to be those researchers.
This is a very interesting debate to have. Hacker News thread doing just that here.
I did not know this was a thing. When memory chips are brought down to around -50°C, the data within can be temporarily frozen, so that it persists for several minutes, even when powered down. This robot makes that process cheaper and quicker. I won't pretend to understand all the nuances, but it's definitely, erm. Ugh, I almost said it was "cool" and chuckled to myself. Curse my dad jokes. I'll just say it's interesting.
I'm always a bit "meh" about these kinds of side-channel attacks, as I don't consider them to be practical enough to worry about unless you work in a Mission Impossible movie. But it's still a good read. This one works by video-recording power LEDs of smartcard readers, where the brightness and color of the LEDs vary slightly based on power consumption.
It's rare that increased security goes hand in hand with better user experience. Password managers have always fallen under that category for me.
1Password is working on going one step further on both the security and the UX front though, by supporting the use of passkeys. No more passwords to remember, not even a single one, and being much more secure as a result. (Sponsored)