As Lord Tennyson almost once said: In Springtime, a young Cybersecurity Hero's fancy turns lightly to...even more Cybersecurity! So read on, Intrepid Buttercups (And Tulips and Croci) because this is another edition of the principia/RAID Defrag, bringing important Cybersecurity news from the last month straight to your inbox.
VULNS
GitHub Clone Wars
Apiiro, a cybersecurity firm, has unveiled a large-scale attack leveraging potentially thousands of GitHub repositories. Dubbed a "malicious repository confusion campaign," this classic watering hole attack, lures victims to download compromised repositories that share identical names with legitimate ones. The deceptively named repositories are in fact compromised and victims find their systems infected with malware. Despite GitHub's efforts to remove these tainted repositories, the sheer volume and the attackers' use of automated account and repository generation make it a daunting task. As GitHub struggles to contain this threat, users are advised to exercise heightened caution, and consider protective measures like sandboxing unfamiliar code. This incident not only underscores the persistent challenges in securing software supply chains but also highlights the broader cybersecurity issues faced by Microsoft.
Sabotaged Messaging System (SMS)
YX International, an Asian tech firm involved in cellular networking and SMS routing, recently addressed a security lapse that left a database unprotected, potentially compromising one-time security codes and password reset links for numerous online services including Facebook, Google, and TikTok. The exposed database contained sensitive information accessible via a web browser with just the database's IP address. Despite the database being secured after the leak was reported, the duration of the exposure remains unclear, and it's uncertain if unauthorized parties accessed the sensitive data. While it should be pointed out that bad guys would need some additional information to leverage this compromise in a malicious MFA request, this incident highlights the inherent risks of SMS-based two-factor authentication.
U.S. Government Doubles Down on Chinese APT Warnings
At the Billington Cybersecurity Summit, experts underscored the growing threats from Chinese state-sponsored cyber activities targeting state and local government networks. Attention was drawn to the Volt Typhoon campaign, revealing how these actors have silently infiltrated networks, potentially gearing up for future disruptions. Identifying these actors is challenging due to their subtle techniques that mimic normal network activities. Recommended actions include thorough checks of system administrator accounts, enhancing identity management within networks, and vigilant monitoring of logs for any unusual activities. Moreover, enhancing cooperation between federal and state levels is essential for protecting essential services.
Minecraft Exploit Blocks Users
A recent exploit in Minecraft has raised concerns within the Xbox community, reportedly allowing attackers to unjustly ban any Xbox or Microsoft account by abusing the game's reporting system. This exploit, particularly affecting the Java version of Minecraft, involves filling in a user's GamerTag, spamming slurs, and then reporting these to Microsoft, leading to automated bans due to the platform's content moderation system. This situation emphasizes the need for Xbox to enhance its moderation, combining automation with human checks to prevent abuse and protect user experiences.
Apple Chip Flaw Lets Hackers Steal Encryption Keys
Security researchers have discovered a significant security flaw in Apple's M-series chips, impacting devices from late 2020 onwards. This vulnerability, which occurs during cryptographic operations, allows attackers to extract cryptographic keys from Mac and iPad devices. This poses a threat to secure communications, cloud accounts, and cryptographic wallets. Despite the complex technical nature of this issue, the core problem lies in the chips' prefetching mechanism, which could inadvertently leak sensitive information through a side-channel attack. Fortunately, the exploitation requires a malicious application to be downloaded, however it is still a considerable risk for high-end users with valuable data or assets on their devices. Apple is aware of the flaw, but given the hardware basis of the flaw, a straightforward software patch is not feasible. The responsibility now falls on cryptographic application developers to implement mitigations and update their applications to protect users.
INSIGHTS
Parting of the Red Sea Cables
Significant disruptions in telecommunications networks have arisen due to damage to submarine cables in the Red Sea, affecting up to 25% of the traffic flow between Asia, Europe, and the Middle East. The incident has impacted four major telecom networks, with HGC Global Communications, reporting considerable interruption to communications in the Middle East and undertaking efforts to reroute traffic and assist affected businesses. The damage is believed to have been cause by the dragging anchor of a vessel previously damaged by Houthi rebels. The repair process, complicated by permit acquisition, is expected to be delayed, with companies like Seacom indicating a wait of at least a month before repair work can begin. This situation highlights the vulnerability of global internet infrastructure and the need for robust contingency plans.
Click, Pay, Regret - Cybercrime on the Rise
The FBI's Internet Crime Complaint Center's 2023 report highlights a significant rise in cybercrime, with reported losses reaching approximately $12.5 billion, marking a 22% increase from 2022. This figure, stemming from a record 880,418 complaints, is considered conservative due to underreporting by victims. Notably, investment fraud, particularly involving cryptocurrency, emerged as the most prevalent cybercrime, accounting for over $3.94 billion of the total losses. Business Email Compromise (BEC) schemes followed, causing upwards of $2.9 billion in damages, while tech support scams, including those impersonating government officials, led to $1.3 billion in losses. The report also sheds light on the disparate impact of different cybercrimes across age groups, with individuals aged 30 to 49 being particularly susceptible to investment fraud, and the elderly being the primary victims of tech support scams. Interestingly, ransomware, accounted for comparatively fewer complaints and losses, with significant impacts on critical infrastructure sectors such as healthcare and government agencies.
Excel-lent Learning
Software developer Ishan Anand integrated GPT-2, a precursor to ChatGPT, into a Microsoft Excel spreadsheet to demonstrate how large language models (LLMs) operate. This educational tool, called "Spreadsheets-are-all-you-need," allows users, including non-developers, to interact directly with the model's predictive capabilities, albeit on a much smaller scale than current LLMs. Anand's project aims to demystify LLMs by providing a hands-on experience within Excel, leveraging its computational capabilities to simulate GPT-2's token prediction process. This approach not only satisfies curiosity but also educates on the foundational mechanics of LLMs in an accessible format. Anand emphasizes the educational aspect and acknowledges the spreadsheet's limitations, including its size and potential to crash Excel, recommending its use on Windows for stability.
Williams F1's Race Against Excel's 20,000-Part Spreadsheet Pitfall
Williams F1 team have identified a significant hurdle in their car design and building processes: an over-reliance on a massive, unwieldy Excel spreadsheet for tracking around 20,000 individual car parts. (A method that some of us old school compliance wogs will surely recall, not so fondly). This outdated method has led to inefficiencies, such as prioritization issues, parts mismanagement, and missed deadlines, notably impacting the team's performance and operational flow. Transitioning away from Excel to a more advanced tracking system presents a costly and labor-intensive challenge, but it's a necessary step to avoid further complications and to keep pace with the demands. This scenario reveals a common issue in many organizations where legacy systems, like Excel, still play a critical role in complex processes, despite their limitations and the potential for error.
Corporations With Cyber Governance Create Almost 4X More Value
A recent study by Bitsight and Diligent Institute sheds light on a groundbreaking revelation: corporations with dedicated cyber governance, particularly those with the wisdom to include cyber experts in their specialized committees, are seeing their shareholder value multiply almost fourfold. Despite longstanding SEC guidelines advocating for robust cybersecurity governance, many companies have lagged in adopting these practices. And it's not just about having a CISO or CTO on the board; it's about weaving their expertise into the fabric of the company's governance and risk management strategies. It really drives home the point that seeing cybersecurity as a strategic asset, rather than just a box-ticking exercise, can open up new avenues for growth and resilience.
BREACHES
Hackers Working Overtime
NSA has acknowledged the serious cyber threats targeting the U.S. defense sector due to vulnerabilities in Ivanti's VPN. This confirmation follows reports from Mandiant, which highlighted concerted efforts by suspected Chinese espionage groups to exploit these flaws in Ivanti Connect Secure. These attackers, identified as UNC5325, have showcased deep knowledge of the Ivanti system, using techniques to remain undetected and maintain their presence within the network infrastructure. Despite assurances from Ivanti's security officer that their remedies should thwart these threats, the scale of the attacks, evidenced by Akamai's finding of around 250,000 daily exploitation attempts, underscores a significant cybersecurity challenge.
CISA Counters Ivanti Vulnerability with Swift Shutdown
CISA, tasked with enhancing cybersecurity across various sectors, recently encountered a significant cyber intrusion, leading to the temporary shutdown of two critical computer systems. These systems were integral for sharing cyber and physical security tools among federal, state, and local officials and for assessing the security of chemical facilities. Despite the breach, CISA has stated that operational impacts are currently non-existent, attributing this to their prompt response in taking the compromised systems offline and their ongoing efforts to update and modernize infrastructure. The breach exploited vulnerabilities in VPN software by Ivanti.
Hijacked Browser Requests
Hundreds of WordPress sites have been hijacked and converted into command-and-control servers, launching password-cracking attacks through visitors' browsers. This alarming campaign, which saw an increase from 500 to 708 compromised sites in just two days, engaging thousands of unwitting visitors' computers in brute force attacks against other WordPress sites. The attack script, orchestrates these attacks by assigning tasks to visitors' browsers to attempt logins on targeted sites with a set of common passwords, continuously looping through tasks and reporting outcomes to the attackers. This sophisticated strategy not only exploits the compromised WordPress sites but also leverages innocent visitors' resources. As the campaign cleverly disguises its malicious traffic as legitimate browser requests, it complicates the task of filtering and blocking such activities, highlighting the need for vigilant monitoring.
🎵 In Birmingham they...were attacked to bring attention to Sudan?🎵
Alabama government websites experienced disruptions due to a denial-of-service (DDoS) attack. The attack, claimed by a group called Anonymous Sudan, aimed to draw attention to the situation in Sudan, though its relevance to Alabama is unclear. This incident underscores the vulnerability of state and local government systems to such attacks, which, while not technically sophisticated, can significantly disrupt essential services.
McDonald's is Not Loving Their Third-party Provider
McDonald's is experienced a widespread IT outage across its global chain, impacting the ability to take orders and process payments, and forcing some locations to close temporarily. The outages, affected numerous countries including the USA, Japan, and the UK. McDonald's acknowledged the issue, stating it's being resolved and clarified that it's not due to a cybersecurity event. The cause, according to a later update, was linked to a third-party provider's configuration change.
UPCOMING EVENTS
CISO Initiative Summit – Fort Myers June 5-6, 2024
Save the date! Get ready to geek out with principia/RAID as we launch The CISO Initiative, an exciting new chapter built on the foundation of the acclaimed CIO Initiative summits. Expect a tour through the latest in tech, cyber-smarts, and leadership wizardry, all served up by the brightest minds in our field. Networking is at the heart of the event, offering unmatched opportunities to connect with peers, forge valuable partnerships, and engage in thought-provoking discussions.
That's all for this month's issue of principia/RAID's Defrag. To paraphrase Ted Mosby's favorite poet: You can log all the security events, but you cannot keep spring form coming. Until next time, Stay secure you intrepid Cybersecurity Heroes.
principia/RAID Digital Security delivers information technology advisory and consulting services with a specific focus on vCISO services, information security and compliance management. We thrive on helping our clients reduce their cybersecurity risk and achieve compliance with their CMMC, NIST 800-171, NIST 800-53, DFARS, and SOC/ISO requirements.
Have questions? We can help you.