This issue is a bit later in the day than usual. I hope you still have time to grab a (decaf?) coffee and enjoy the read :-) Cheers!
Breaches and leaks
- UPS disclosed, albeit in a shitty way, a data breach where attackers abused package tracking tools to harvest personal info. The disclosure looked like a general warning about phishing: link.
- A Russian threat group, APT28, breached the Roundcube email servers of several Ukrainian organisations and government entities: link.
- Iowa's largest school district confirms that it fell victim to ransomware: link.
- Louisiana and Oregon warn that millions of driver's licenses were exposed in a MOVEit-related data breach: link.
- Mondelēz, a snack food company, shared that over 51,000 employees are impacted by a data breach at the law firm it was using: link.
- iOttie, a car accessory maker, shared that its site was compromised for two months to steal credit cards and personal information: link.
Nylas, the go-to provider of email and calendar APIs, is diving into the 3 critical questions you should be asking about API security at their live webinar on June 27. Save your seat. (Sponsored)
I missed this one last week but still wanted to share it because it sheds some more light on the Barracuda advisory to quickly replace all your ESGs (email security gateways). Apparently, about 5% of all appliances were (or still are) infected with malware from a Chinese state actor. The infections start with emails that are deliberately made to look spammy so that no one opens or investigates them, letting the zero-day do its work in silence.
It seems to be a lot of bark and little bite so far, but good to know about. The DDoS group Killnet claims to be teaming up with the groups REvil and Anonymous Sudan for destructive financial attacks in retaliation for EU and US aid to Ukraine.
That's a sizeable reward for sure. There is some nuance though, as they seem to want information specifically linking Clop (and other threat actors) to foreign governments. Which is interesting by itself.
The botnet is using an impressive list of 22 vulnerabilities to hijack devices from D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek. All so they could be roped into a DDoS botnet.
Even though it seems like companies like Schneider are taking OT security more and more seriously, there's definitely a long road still to go. In this case there is a whole class of power meters that just continuously transmits its user ID and password in cleartext. So yeah, long, long road.
The SEC was planning to issue rules that would force publicly traded companies to report material breaches and attacks in regulatory filings within four days. I'm not sure what would constitute "material" but it sure sounds like a good thing regardless. It would also require disclosures around cyber governance like board expertise and upper management involvement in cyber risk. Again, good stuff. It's now been delayed until October because of pushback. Some of that might be warranted though; for example, Rapid7 says that disclosing within four days could tip off attackers, instead proposing the ability to wait until the attack is mitigated.
When a GitHub user or organisation is renamed, the old `owner/repo` path keeps redirecting to the new one, but only until someone else registers an account under the old owner name and creates a repo with the same name; from then on the old path resolves to the newcomer's repo instead. Any build that still pulls the dependency by its old path then fetches whatever the newcomer put there, which is an easy way to serve malware that looks like a legitimate dependency. That's repojacking. GitHub is aware of the issue but currently only retires the namespaces of highly popular projects. From this research it seems that there are a lot more potentially affected repos than expected.
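To make the mechanism concrete, here is an added example (not code from this newsletter or from the linked research) of the check you can run over a list of GitHub dependency references. It assumes only that GitHub answers a moved repo with a 301 to its new location and an unregistered owner page with a 404. The `FAKE_RESPONSES` table and the owner/repo names in it are constructed for the offline run and are not real projects; `live_fetch` is a best-effort probe for real use. A "hijackable" verdict cannot see GitHub's namespace retirement for popular repos, so treat it as "go and check", not proof.

```python
"""Repojacking exposure check for GitHub-hosted dependencies (added example)."""
import re
from typing import Callable, Iterable, List, Optional, Tuple

# Matches https://github.com/owner/repo(.git), git@github.com:owner/repo.git, etc.
GITHUB_REF = re.compile(
    r"(?:https?://|git@)?github\.com[/:]"
    r"(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?/?$"
)

# A fetcher returns (status_code, Location header or None) WITHOUT following redirects.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def parse_ref(ref: str) -> Tuple[str, str]:
    """Accept 'owner/repo', https://github.com/owner/repo(.git) or git@github.com:owner/repo.git."""
    m = GITHUB_REF.search(ref.strip())
    if m:
        return m.group("owner"), m.group("repo")
    parts = ref.strip().split("/")
    if len(parts) == 2 and all(parts):
        return parts[0], parts[1]
    raise ValueError(f"not a GitHub reference: {ref!r}")


def classify(ref: str, fetch: Fetcher) -> Tuple[str, str]:
    """Return (verdict, detail) for one dependency reference."""
    owner, repo = parse_ref(ref)
    status, location = fetch(f"https://github.com/{owner}/{repo}")
    if status == 200:
        return "ok", f"{owner}/{repo} resolves directly"
    if status in (301, 302, 307, 308) and location:
        m = GITHUB_REF.search(location)
        new_owner = m.group("owner") if m else "?"
        new_repo = m.group("repo") if m else "?"
        if new_owner.lower() == owner.lower():
            # Repo renamed under the same account: only that account can reuse the old name.
            return "ok", f"{owner}/{repo} renamed to {new_owner}/{new_repo}, same owner"
        # Owner renamed: the redirect lives only while the old owner name stays unclaimed.
        owner_status, _ = fetch(f"https://github.com/{owner}")
        if owner_status == 404:
            return ("hijackable",
                    f"{owner}/{repo} redirects to {new_owner}/{new_repo} and the name "
                    f"'{owner}' is unregistered: anyone can claim it and recreate the repo")
        return ("verify",
                f"{owner}/{repo} redirects to {new_owner}/{new_repo}; '{owner}' is "
                f"registered (status {owner_status}), check who holds it now")
    if status == 404:
        return "missing", f"{owner}/{repo} does not exist (deleted, or already squatted and removed)"
    return "unknown", f"unexpected status {status} for {owner}/{repo}"


def scan(refs: Iterable[str], fetch: Fetcher) -> List[Tuple[str, str, str]]:
    """Classify every reference; returns [(ref, verdict, detail), ...]."""
    return [(r, *classify(r, fetch)) for r in refs]


def live_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Real fetcher: HEAD request against github.com, redirects deliberately not followed."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib raise HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "repojack-check"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


# Constructed response table standing in for live GitHub answers (not real accounts or repos).
FAKE_RESPONSES = {
    "https://github.com/alice/widgets": (200, None),
    "https://github.com/oldcorp/libfoo": (301, "https://github.com/newcorp/libfoo"),
    "https://github.com/oldcorp": (404, None),                     # old owner name is free
    "https://github.com/renamed-dev/parser": (301, "https://github.com/renamed-dev-2/parser"),
    "https://github.com/renamed-dev": (200, None),                 # old owner name is taken
    "https://github.com/ghost/tool": (404, None),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    deps = ["alice/widgets", "https://github.com/oldcorp/libfoo.git",
            "git@github.com:renamed-dev/parser.git", "ghost/tool"]
    for ref, verdict, detail in scan(deps, fake_fetch):
        print(f"{verdict:<10} {ref:<45} {detail}")
```

Point `scan()` at `live_fetch` with the GitHub references pulled from your lockfile (go.sum, package-lock.json, requirements.txt with git URLs) to run it for real; the injectable fetcher is what lets the logic be exercised offline.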
This is a good reminder that one needs to be very careful when selecting VPNs (and maybe not go with free ones to begin with). But I also just really enjoyed this blog post, where the author goes through the steps required to find out what the VPN (Android) app was doing by capturing traffic, decoding config strings, etc. Nice read!
A team of university researchers has devised a new side-channel attack named 'Freaky Leaky SMS,' which relies on the timing of SMS delivery reports to deduce a recipient's location. It's not particularly practical, but still good to know that this is a thing.
"Seeing the world through your eyes" is a research project that aims to reconstruct what a person was looking at based on the reflection in their eyes. There's no code available yet, just this website and a paper. I don't know how practical it is but it definitely feels like the kind of sci-fi stuff that we might one day need to take into account when thinking of OpSec.
1Password is now available to use as a shell plugin, so you no longer need to copy-paste access keys from the browser into your CLI, only to have them then be stored insecurely. There are already plugins for AWS, GitHub, GitLab, Okta, Stripe, CircleCI, and many more. (Sponsored)