News
Hi friends,
This issue is a bit later in the day than usual. I hope you still have time to grab a (decaf?) coffee and enjoy the read :-) Cheers!
Breaches and leaks
- UPS disclosed, albeit in a shitty way, a data breach where attackers abused package tracking tools to harvest personal info. The disclosure looked like a general warning about phishing: link.
- A Russian threat group, APT28, breached the Roundcube email servers of several Ukrainian organisations and government entities: link.
- Iowa's largest school district confirms that it fell victim to ransomware: link.
- Louisiana and Oregon warn that millions of driver's licenses were exposed in a MOVEit-related data breach: link.
- Mondelēz, a snack food company, shared that over 51.000 employees are impacted by a data breach of the law firm they were using: link.
- iOttie, a car accessory maker, shared that its site was compromised for two months to steal credit cards and personal information: link.
Secure API infrastructure
Nylas, the go-to provider of email and calendar APIs, is diving into the 3 critical questions you should be asking about API security at their live webinar on June 27. Save your seat. (Sponsored)
Chinese state actors behind Barracuda ESG data-stealing attacks
I missed this one last week but still wanted to share it because it sheds some more light on the Barracuda advisory to quickly replace all your ESGs (email security gateways). Apparently, about 5% of all appliances were/are infected with malware from a Chinese state actor. The infections start with emails that are made to look spammy on purpose so that no one opens them and investigates them, in order for the zero day to do its work in silence.
Killnet threatens attacks on SWIFT and world banking
It seems to be a lot of bark and little bite so far, but good to know about. The DDoS group Killnet claims to be teaming up with the groups REvil and Anonymous Sudan for destructive financial attacks in retaliation for EU and US aid to Ukraine.
US govt offers $10 million bounty for info on Clop ransomware
That's a sizeable reward for sure. There is some nuance though, as they seem to want information specifically linking Clop (and other threat actors) to foreign governments. Which is interesting by itself.
Mirai botnet targets 22 flaws in network devices
The botnet is using an impressive list of 22 vulnerabilities to hijack devices from D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek. All so they could be roped into a DDoS botnet.
Schneider power meter vulnerability opens door to power outages
Even though it seems like companies like Schneider are taking OT security more and more seriously, there's definitely a long road still to go. In this case there is a whole class of power meters that just continuously transmits its userID and password in cleartext. So yeah, long, long road.
SEC delays final rule on cyber incident disclosure as industry pushes back
The SEC was planning to issue rules that would force publicly traded companies to report material breaches and attacks in regulatory filings within four days. I'm not sure what would constitute "material" but it sure sounds like a good thing regardless. It would also require disclosures around cyber governance like board expertise and upper management involvement in cyber risk. Again, good stuff. It's now been delayed until October because of pushback. Some of that might be warranted though, for example Rapid7 says that disclosing within four days could tip off attackers, instead proposing the ability to wait until the attack is mitigated.
Millions of GitHub repos likely vulnerable to repojacking
When a GitHub repository changes the name of the owner or company, the old name will redirect to the new repo, but only until someone else registers a repo with the old name. By exploiting this issue attackers can masquerade as a legit dependency but actually feed you malware. That's repojacking. GitHub is aware of these issues but only protects highly popular projects right now. From this research it seems that there are a lot more potentially affected repos than expected.
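As an added example (not code from the newsletter, the research, or GitHub's own tooling), a small audit that flags dependency URLs which now only resolve through a rename redirect, i.e. whose old owner/repo name is free to be re-registered. The `audit` function takes an injectable resolver so it runs offline; the default resolver assumes GitHub answers a HEAD request with a redirect to the renamed repo.

```python
"""Audit dependency URLs for GitHub rename redirects (repojacking exposure).

A dependency that still resolves only via a redirect from a renamed
owner/repo is exposed: the old name can be claimed by someone else.
Added example; not the newsletter's or GitHub's own code.
"""
import re
import urllib.request
from typing import Callable, Optional

# Matches https://github.com/<owner>/<repo>, with optional .git and trailing slash
GITHUB_RE = re.compile(r"^https?://github\.com/([^/\s]+)/([^/\s#?]+?)(?:\.git)?/?$")


def parse_repo(url: str) -> Optional[tuple[str, str]]:
    """Return (owner, repo) lowercased for a github.com URL, or None otherwise."""
    m = GITHUB_RE.match(url.strip())
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def resolve_final_url(url: str) -> str:
    """Follow redirects with a HEAD request and return the final URL (network call).

    Assumption: GitHub redirects renamed repos; urllib follows the redirect chain.
    """
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.geturl()


def redirect_exposure(declared: str, final: str) -> Optional[str]:
    """Describe the exposure if `declared` now lives under a different owner/repo."""
    a, b = parse_repo(declared), parse_repo(final)
    if a is None or b is None or a == b:
        return None
    return f"{a[0]}/{a[1]} redirects to {b[0]}/{b[1]}: old name can be re-registered"


def audit(urls: list[str], resolver: Callable[[str], str] = resolve_final_url) -> dict[str, str]:
    """Map each redirected GitHub dependency URL to a description of its exposure."""
    findings: dict[str, str] = {}
    for url in urls:
        if parse_repo(url) is None:  # skip non-GitHub dependencies
            continue
        try:
            final = resolver(url)
        except OSError:  # unreachable or removed repo: nothing to compare against
            continue
        note = redirect_exposure(url, final)
        if note:
            findings[url] = note
    return findings
```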
Swing VPN is a DDOS botnet
This is a good reminder that one needs to be very careful when selecting VPNs (and maybe not go with free ones to begin with). But I also just really enjoyed this blog post, where the author goes through the steps required to find out what the VPN (Android) app was doing by capturing traffic, decoding config strings, etc. Nice read!
Timing of SMS delivery reports can be used to determine recipient's location
A team of university researchers has devised a new side-channel attack named 'Freaky Leaky SMS,' which relies on the timing of SMS delivery reports to deduce a recipient's location. It's not particularly practical, but still good to know that this is a thing.
Reconstruction of what someone is seeing based on eye reflection
"Seeing the world through your eyes" is a research project that aims to reconstruct what a person was looking at based on the reflection in their eyes. There's no code available yet, just this website and a paper. I don't know how practical it is but it definitely feels like the kind of sci-fi stuff that we might one day need to take into account when thinking of OpSec.
Unlock any CLI with 1Password shell plugins
1Password is now available to use as a shell plugin, so you no longer need to copy-paste access keys from the browser into your CLI, only to have them then be stored insecurely. There are already plugins for AWS, GitHub, GitLab, Okta, Stripe, CircleCI, and many more. (Sponsored)