I hope this week's issue finds you well. There are some more MOVEit related breaches, a few AI related stories (with many more to come down the road no doubt), and just lots of interesting reads. Enjoy!
I would also like to welcome a new long-term sponsor, GlitchSecure! They provide continuous security testing services, performed by a wonderful group of people whom I have the pleasure of knowing personally and working with. I can't thank them enough for their support. Please check them out!
Breaches and leaks
- Research firm PBI Research Services was impacted by MOVEit, with data of 4.75 million people confirmed stolen so far, and possibly more to come: link.
- Suncor Energy suffered an attack, impacting its Petro-Canada gas stations: link.
- Pilot Credentials, a pilot recruiting firm, was breached, impacting 9,000 applicants of American Airlines and Southwest Airlines. The airlines will no longer be using the service: link.
- New York City's Department of Education had a MOVEit breach impacting 45,000 students: link.
- The US agency responsible for patents and trademarks leaked the private addresses of 61,000 filers through its API: link.
- Siemens Energy confirms that data was stolen through the MOVEit zero-day: link.
Manifest confusion stems from the fact that the manifest an npm library displays, which shows what files the library contains and what scripts it runs, can be completely different from what's actually inside the zipped library that gets downloaded. There is no validation step that compares the two.
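Since npm does not compare the two, the check has to be done on the consumer side. The following is an added example, not code from the article or from npm: it diffs a registry manifest against the package.json taken from the tarball and flags entries, install hooks above all, that exist only in what actually gets installed. Both manifests are constructed sample data (the package and dependency names are made up).

```javascript
// Added example, not from the article or from npm: detect "manifest confusion"
// by diffing the manifest the registry serves against the package.json that is
// actually inside the downloaded tarball. npm performs no such comparison.
const SCALAR_FIELDS = ["name", "version"];
// Maps whose entries decide what gets installed and what runs during install.
const MAP_FIELDS = ["dependencies", "optionalDependencies", "scripts"];
// npm runs these hooks automatically during `npm install`, so a hook present
// only in the tarball is the most serious kind of mismatch.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function compareManifests(registryManifest, tarballManifest) {
  const findings = [];
  for (const field of SCALAR_FIELDS) {
    if (registryManifest[field] !== tarballManifest[field]) {
      findings.push({ field, key: null, registry: registryManifest[field], tarball: tarballManifest[field], severity: "high" });
    }
  }
  for (const field of MAP_FIELDS) {
    const reg = registryManifest[field] || {};
    const tar = tarballManifest[field] || {};
    const keys = [...new Set([...Object.keys(reg), ...Object.keys(tar)])].sort();
    for (const key of keys) {
      if (reg[key] === tar[key]) continue;
      // Present only in the tarball: invisible to anyone reviewing the registry page.
      const hiddenInTarball = !(key in reg);
      const isHook = field === "scripts" && LIFECYCLE_HOOKS.includes(key);
      let severity = "medium";
      if (hiddenInTarball) severity = isHook ? "critical" : "high";
      findings.push({ field, key, registry: reg[key], tarball: tar[key], severity });
    }
  }
  return findings;
}

// Constructed sample data: what the registry displays for example-lib@1.2.3 ...
const registryManifest = {
  name: "example-lib",
  version: "1.2.3",
  dependencies: { "left-pad": "^1.3.0" },
  scripts: { test: "node test.js" },
};
// ... and the package.json found inside the tarball that npm actually installs.
const tarballManifest = {
  name: "example-lib",
  version: "1.2.3",
  dependencies: { "left-pad": "^1.3.0", "extra-dep": "^0.0.1" },
  scripts: { test: "node test.js", preinstall: "node setup.js" },
};

console.log(JSON.stringify(compareManifests(registryManifest, tarballManifest), null, 2));
```

In practice the registry side comes from the registry's package metadata and the tarball side from the package.json inside the downloaded archive; any non-empty result is worth a look before the package enters a build.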
Europol announced that the takedown of the EncroChat platform in 2020 has led to the arrest of over 6,600 people and the seizure of $979 million in illicit funds. Very impressive result, my goodness.
Sysmon is a tool that can monitor and block suspicious activity on Windows machines and log specific events into the Event Log. If you use it you'll want to be aware of two new features: it's now a "protected process" which makes it harder for malware to mess with it, and it now has the ability to detect when executable files are created on the monitored system.
If you feel like doing a quick pentest every few quarters isn't enough, you are correct. Take a look at the combination of continuous vulnerability assessments and real-time pentesting that GlitchSecure offers. Every finding is verified by highly skilled (and wonderful) humans. Check them out. (Sponsored)
DDoS groups have been around for as long as I can remember, but it's still interesting to see how they operate. In this case they're at 10,000 active members, with an automated signup flow, a multi-platform attack tool and a smooth C2 process to start attacking the targets.
Not something you would have seen coming years ago, I imagine. The two nations have announced the "Crystal Ball" project, a digital platform for detecting and stopping hackers via collaboration and knowledge sharing around national-level cyberthreats.
LastPass password manager users have been experiencing significant login issues starting early May after being prompted to reset their authenticator apps. It's part of an upgrade to a default of 600,000 rounds of the PBKDF2 hashing algorithm. If you're an LP user make sure to read the support information in detail before proceeding.
Voice cloning has now been used to try and extort $1 million by convincing a mother that her daughter was kidnapped by letting her hear the daughter's screaming voice. Turns out it was all fake and the daughter was fine. Djeezes fuckin #$%#$@#. Also, turns out that no law was broken, because no actual kidnapping took place. It was classified as a "prank call". The article above explains the broader deepfake voice issue; this article details the mother's testimony before Congress on AI-based scams.
Of course, this would only be a matter of time too. It seems that ChatGPT-like tools are being used to execute BEC scams en masse, with better written impersonation messages in various languages.
This is an AI use case that I am actually excited about, using generative AI to help start, triage and run incident response. The article details an upcoming collaboration that will integrate Rubrik Security Cloud with Microsoft Sentinel and Azure OpenAI Service.
From what I understand this could mean that the SEC might institute punishments for the SolarWinds breaches, and/or how they were handled, aimed directly at the executives? More to come on this later no doubt.
This seems to be a follow-up from an article a few weeks back around the development of local "cybersecurity clinics" to help defend under-resourced critical infrastructure providers. Google is committing $20 million to the program to help train thousands of students. Nice!
Considering the importance of a secure CI/CD flow (continuous integration/deployment, or how code gets built and pushed out), it's definitely a worthwhile read. The full report can be found here.
Speaking of CI/CD: when configuring a CI/CD pipeline you'll usually have to copy over secrets to make it work. It always feels a bit icky, but necessary. That is until now, because now you can connect 1Password directly to the workflow instead. There's already a guide for CircleCI, GitHub Actions and Jenkins. (Sponsored)