I hope this week's issue finds you well!
Nothing special to report on my end, except for the fact that it's finally chilly enough for a sweater outside and I'm loving it. I'm an autumn person, what can I say. I'm off for a walk soon, and I hope you enjoy the read :-)
Breaches and leaks
- Microsoft AI researchers exposed 38TB of sensitive internal data, including signing keys and Teams messages: link.
- Ransomware group issues statement on MGM breach: link.
- ORBCOMM trucking fleet management suffered outage by ransomware: link.
- Hackers breached International Criminal Court’s systems: link.
- TransUnion denies it was hacked, links leaked data to 3rd party: link.
- T-Mobile app glitch let users see other people's account info: link.
- Pizza Hut Australia warns 193,000 customers of a data breach: link.
- Several Colombian government ministries hampered by ransomware attack: link.
- Air Canada says hackers accessed limited employee records during cyberattack: link.
- Canada blames border checkpoint outages on cyberattack: link.
- Cyberattack on Kansas town affects email, phone, payment systems: link.
- Clorox warns of product shortages a month after disclosing cyberattack: link.
This is definitely a big one. If you're not aware: Splunk is probably the best-known SIEM, i.e. a product to collect, analyse and visualise logs and alerts. No doubt all security engineers and analysts are holding their breath to see whether Cisco will screw up the product; let's hope they don't.
Starting in 2024, all Chromebooks released after 2021 will automatically qualify for ten years of security updates, delivered to the device every four weeks. That is awesome news, especially considering how ubiquitous Chromebooks are in schools. Kudos, Google!
There aren't any quantum computers yet that can trivially decrypt traffic, but it's important to guard against the "harvest now, decrypt later" threat, where encrypted traffic is recorded today and decrypted once the capability exists. For this reason, Signal will start using quantum-resistant encryption keys to protect users from future attacks. For those who like that sort of detail, they are upgrading their key agreement from X3DH (Extended Triple Diffie-Hellman) to PQXDH (Post-Quantum Extended Diffie-Hellman).
GitHub has made passkeys generally available across the platform to secure accounts against phishing and allow passwordless logins for all users.
Retool is a software development platform. I could have put this in the "breaches" list, but it's worth a read to learn how this hack happened. In short, the attacker timed their attack to coincide with the company's migration to Okta, deepfaked the voice of an employee to trick a victim into handing over an extra MFA token, and added their own device to the victim's Okta account. That gave them access to the internal admin systems, which were then used to compromise crypto companies that are customers of Retool. One key element also seemed to be that the attacker phished their way into an employee's Google account, where they could read the MFA tokens thanks to the recently added ability to sync them to the account.
If you feel like doing a quick pentest every few quarters isn't enough, you are correct. Take a look at the combination of continuous vulnerability assessments and real-time pentesting that GlitchSecure offers. Every finding is verified by highly skilled (and wonderful) humans. (Sponsored)
Issues and fixes
- Apple emergency updates fix 3 new zero-days exploited in attacks: link.
- Thousands of Juniper devices vulnerable to unauthenticated RCE flaw: link.
- GitLab urges users to install security updates for critical pipeline flaw: link.
- Trend Micro fixes endpoint protection zero-day used in attacks: link.
- Hikvision Intercoms allow snooping on neighbors: link.
A cyber insurance firm reported a significant jump in the number of claims during the first half of the year, adding that the damages caused by attacks have also increased. The average reported loss from ransomware was $365,000. The frequency of funds transfer fraud was also up, with an average loss of just under $300,000.
Researchers have given a heads-up about a large set of CVEs that were inserted into the NVD for older bugs that were never vulnerabilities. They seem to have been scraped from old issues and filed in an automated fashion. It's also a good general reminder that not all CVEs (not even close) are actionable, speaking as someone whose job it was to triage them :-)
Passkey support is now available in 1Password, letting you create, manage, and sign in with passkeys on a growing number of websites and apps using the desktop version of 1Password in the browser, as well as on your iOS 17 and iPadOS 17 devices. (Sponsored)