
May Edition – The DEFRAG

Digital Security

School’s (almost) out for Summer, but the learning continues with the May Edition of the Defrag! We’ve brought together the notable Cybersecurity news and developments of the last month so you can graduate the school year with honors as a Cybersecurity Hero. So read on, Intrepid reader, and soak in the knowledge of…The Defrag!


News & Advisories

VULNS

Step Aside Talkboys, AI Impersonation is Here
LastPass recently thwarted an AI-based impersonation attempt against one of its employees. The scammer used AI voice cloning to mimic LastPass CEO Karim Toubba and contacted the employee over WhatsApp. The employee recognized the red flags, an unusual communication channel and manufactured urgency, ignored the messages and reported them to the internal security team. The episode follows LastPass's major 2022 breach, in which an attacker obtained copies of customers' encrypted password vaults along with unencrypted account metadata. (And kudos to the real hero of this story, the unnamed employee who listened to the inner voice telling them something wasn't quite right.)
Hackers Voice Clone the CEO of LastPass for Attack

Cisco Has a Target on its Back
Cisco recently warned the security community about a campaign by suspected nation-state actors against its Adaptive Security Appliance (ASA) firewalls. The attackers exploited previously undisclosed (zero-day) vulnerabilities to deploy malware and maintain control of affected devices. Cisco traces the actor's preparation back to July, with activity escalating in November; the same actor has also shown interest in Microsoft Exchange servers and network devices from other vendors, with government networks worldwide among the targets. Cisco has released software updates and strongly advises all customers to patch promptly. Because patching does not evict an attacker who is already on the box, Cisco also published indicators of compromise and advised customers to check their devices for signs of tampering rather than assume the update alone closed the door.
Nation-state spies target Cisco firewalls – Axios


MULTI-FACTOR

Last Chance LastPass
LastPass users were recently targeted by a phishing campaign built on a phishing-as-a-service kit called CryptoChameleon. The campaign combined email, SMS and voice calls that convincingly mimicked official LastPass communications. Posing as LastPass customer support, the attackers directed users to a look-alike website and tricked them into entering their master password. LastPass has taken steps to mitigate the attack and has advised customers to stay vigilant. Worth repeating to your users: a password manager's support team never needs your master password, and no legitimate support call will ask you to type it into a site they send you to.
LastPass users targeted in phishing attacks good enough to trick even the savvy – Arstechnica

MFA Bombs are Dropping on iPhone Users
Recent reports describe a surge in password reset attacks against Apple iPhone users, a technique also known as MFA bombing or push fatigue. The victim's devices are flooded with system-level password reset prompts, each of which must be dismissed before the device can be used again. The attack then escalates: the attacker, posing as Apple Support and calling from a spoofed official number, phones the victim to "help" with the password problem, using personal details gathered elsewhere to sound credible, and steers the victim toward approving a reset or reading back a verification code. Falling for this isn't inevitable. Mashable and 9to5Mac offer straightforward advice: press "Don't Allow" on every reset prompt, ignore unsolicited calls, and if you want to talk to Apple, hang up and call the number published on Apple's own site. The key is skepticism and verifying communications through official channels.
iPhone Protect Password Reset Attack – Mashable

Credential-Stuffing Campaign Utilizes Proxy Networks
In a recent advisory, Okta described a surge in credential-stuffing attempts that hide behind ordinary people's home devices and browsers. Routing login attempts through residential IP addresses sidesteps the scrutiny that traffic from known-abusive infrastructure, such as virtual private servers, normally receives. The attackers used a mix of anonymizing services, including Tor and residential proxy networks such as NSOCKS, Luminati and DataImpulse. The devices in those networks are enrolled in various ways: some are infected with malware, some were enrolled without the owner's knowledge, and others run "proxyware" their owners installed in exchange for a small payment. The advisory followed a Cisco Talos report on a large-scale credential brute-forcing campaign, and Okta saw a corresponding spike in its own telemetry. Okta's recommendations are familiar but worth restating: strong password policies, multifactor authentication, and watching for authentication requests that arrive through residential proxies. The practical signal is not the IP's reputation (it belongs to someone's cable modem) but the pattern: many distinct usernames from one source, a low success rate, and automation-style timing.
Account compromise of “unprecedented scale” uses everyday home devices – Arstechnica
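The two patterns above, an MFA prompt flood against one account and credential stuffing from a residential IP, both show up in sign-in logs as shape rather than reputation. The following is an added example written for this newsletter, not code from Okta, Apple or the original article: a small detector run over constructed sign-in records. The newline-delimited JSON layout, the field names (`ts`, `event`, `user`, `ip`, `result`), the IP addresses (documentation ranges) and the thresholds are all assumptions; a real Okta or Duo export uses its own schema and you would map the fields accordingly.

```python
"""
Added example, not code from the newsletter, Okta or Apple: a small detector
for two of the patterns described above, run over constructed sign-in log
lines. The JSON log shape, field names, IPs and thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (one JSON record per line). Alice is hit with a run
# of MFA prompts; 192.0.2.44 walks through six usernames in twelve seconds.
SAMPLE_LOG = """\
{"ts":"2024-04-20T10:00:01Z","event":"mfa.push","user":"alice","ip":"203.0.113.5","result":"DENY"}
{"ts":"2024-04-20T10:00:09Z","event":"mfa.push","user":"alice","ip":"203.0.113.5","result":"DENY"}
{"ts":"2024-04-20T10:00:17Z","event":"mfa.push","user":"alice","ip":"203.0.113.5","result":"TIMEOUT"}
{"ts":"2024-04-20T10:00:25Z","event":"mfa.push","user":"alice","ip":"203.0.113.5","result":"DENY"}
{"ts":"2024-04-20T10:00:33Z","event":"mfa.push","user":"alice","ip":"203.0.113.5","result":"DENY"}
{"ts":"2024-04-20T10:00:41Z","event":"mfa.push","user":"alice","ip":"203.0.113.5","result":"ALLOW"}
{"ts":"2024-04-20T11:00:00Z","event":"mfa.push","user":"bob","ip":"198.51.100.7","result":"ALLOW"}
{"ts":"2024-04-20T12:00:00Z","event":"login","user":"carol","ip":"192.0.2.44","result":"FAILURE"}
{"ts":"2024-04-20T12:00:02Z","event":"login","user":"dave","ip":"192.0.2.44","result":"FAILURE"}
{"ts":"2024-04-20T12:00:04Z","event":"login","user":"erin","ip":"192.0.2.44","result":"FAILURE"}
{"ts":"2024-04-20T12:00:06Z","event":"login","user":"frank","ip":"192.0.2.44","result":"FAILURE"}
{"ts":"2024-04-20T12:00:08Z","event":"login","user":"grace","ip":"192.0.2.44","result":"SUCCESS"}
{"ts":"2024-04-20T12:00:10Z","event":"login","user":"heidi","ip":"192.0.2.44","result":"FAILURE"}
{"ts":"2024-04-20T13:00:00Z","event":"login","user":"bob","ip":"198.51.100.7","result":"FAILURE"}
{"ts":"2024-04-20T13:00:30Z","event":"login","user":"bob","ip":"198.51.100.7","result":"SUCCESS"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records and convert timestamps to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_mfa_bombing(events, window=timedelta(minutes=5), min_prompts=4):
    """Flag users who received at least `min_prompts` MFA prompts inside any
    `window`, where at least one prompt was not approved. A fatigue attack
    looks like a run of DENY/TIMEOUT results, often ending in an ALLOW when
    the victim gives in, which is why a final ALLOW must not clear the alert.
    Returns {user: largest_burst_size}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push":
            by_user[e["user"]].append(e)
    hits = {}
    for user, prompts in by_user.items():
        prompts.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(prompts)):
            # Slide the window start forward until the burst fits in `window`.
            while prompts[end]["ts"] - prompts[start]["ts"] > window:
                start += 1
            burst = prompts[start:end + 1]
            if len(burst) >= min_prompts and any(p["result"] != "ALLOW" for p in burst):
                hits[user] = max(hits.get(user, 0), len(burst))
    return hits


def detect_credential_stuffing(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that tried at least `min_users` distinct usernames with
    a success rate at or below `max_success_rate`. The IP's reputation is
    deliberately not consulted: on a residential proxy it is clean.
    Returns {ip: (distinct_users, success_rate)}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, attempts in by_ip.items():
        users = {a["user"] for a in attempts}
        successes = sum(1 for a in attempts if a["result"] == "SUCCESS")
        rate = successes / len(attempts)
        if len(users) >= min_users and rate <= max_success_rate:
            hits[ip] = (len(users), round(rate, 2))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("MFA bombing:", detect_mfa_bombing(evs))
    print("Credential stuffing:", detect_credential_stuffing(evs))
```

On the sample data this flags alice (six prompts in forty seconds, five of them not approved) and 192.0.2.44 (six usernames, one success). Bob's single denied-then-approved login and single push are left alone, which is the point: the thresholds separate a person who fat-fingered a password from a script working down a list. In production you would tune the window and counts to your own baseline, add the ASN or proxy-provider label as a second signal, and alert on the MFA burst before the victim approves, not after.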

Cisco Duo’s Multifactor Authentication Service Breached
A third-party telephony provider that Cisco's Duo multifactor authentication service uses to deliver SMS and VoIP messages was compromised through a social engineering attack. The attacker accessed and downloaded SMS logs covering March 1 to March 31, 2024, including phone numbers, carriers and other message metadata; the message contents themselves were not accessed. Cisco has notified affected customers and warned them to expect phishing that uses the stolen data, since the attacker now knows which phone numbers receive MFA codes. Organizations should review how much they depend on such third-party providers and make sure their incident response plans cover a breach at a supplier, not just a breach of their own systems.
Cisco Duo’s Multifactor Authentication Service Breached – Dark Reading


INSIGHTS

Foiled Supply-Chain Hack Raises Alarms Throughout Washington, DC.
A recent near-miss involving XZ Utils, the open-source compression library, has set off alarm bells in Washington over the security of the open-source supply chain. The backdoor inserted into the library had the potential to enable wide-scale espionage or attacks against Linux systems, and CISA quickly issued guidance for mitigating the risk. The incident is notable not just for its technical sophistication but for how it was carried out: a GitHub user, suspected to be a fabricated identity, spent roughly two years building trust with the project's maintainer before slipping the malicious code into a release. Every company should be asking how far it trusts its suppliers, and their suppliers, because that chain of trust is exactly what this attack exploited.
Thwarted supply-chain hack sets off alarm bells across DC – Politico

The High Cost of Windows Security Updates
In a move that can in no way backfire, Microsoft has published pricing for Windows 10 Extended Security Updates (ESU). The new pricing applies to commercial and educational customers for now; details for consumers are to be announced later. Windows 10 will continue to receive free security updates until October 14, 2025, after which users must pay to enroll in the ESU program. For commercial customers the first year costs $61 per device, and the price doubles each subsequent year for up to three years ($61, then $122, then $244). Microsoft Education customers get a far better deal: $1 for the first year, $2 for the second and $4 for the third. For everyone else, the cost of keeping an unmigrated Windows 10 fleet patched climbs steeply over time. Security Updates as a Service (note: we're nominating SecUpAaS as the worst acronym ever) is a terrible look for any company, let alone one responsible for roughly 70% of the worldwide desktop operating system market.
To stay safe in Windows 10 from next October commercial customers have to pay $61, then ‘double every consecutive year for a maximum of three years’ – PC Gamer

Will Sunbird Catch Fire Again?
Sunbird has announced a relaunch of its messaging app. After a disastrous debut in 2022, in which user data turned out to be easily accessible and the app was shut down, Sunbird is sending out invitations to rejoin in phases. The company says it has rebuilt its architecture: the old Firestore back end is replaced by a new "AV2" system that uses MQTTS for message transport and integrates RCS through Google Messages. Sunbird claims that messages stay encrypted in transit and are decrypted only momentarily at delivery, with protections covering both stored files and message transport. Given the history, skepticism remains; claims like these deserve independent verification before anyone trusts the app with their messages.
Sunbird, the security nightmare that tried to bring iMessage to Android, is returning – 9to5Google


BREACHES

What customers should know about AT&T’s massive data breach
Over the weekend, AT&T disclosed a massive data breach affecting approximately 73 million current and former customers, another significant incident for the company. The data, which AT&T says may have come from AT&T itself or from one of its vendors (see, we told you!), was posted on the dark web and includes personal information such as Social Security numbers and account passcodes. The records date from 2019 or earlier and have already prompted a class-action lawsuit alleging negligence and breach of contract. AT&T is investigating with outside forensic specialists and has reset the exposed passcodes and offered credit monitoring to affected customers. While the investigation continues, customers should freeze their credit reports, sign up for the credit monitoring, and enable two-factor authentication on their accounts.
What customers should know about AT&T’s massive data breach – CBSNews

US government review faults Microsoft for ‘cascade’ of errors that allowed Chinese hackers to breach senior US officials’ emails
A recent report by the US Cyber Safety Review Board (CSRB) criticized Microsoft for a "cascade" of errors that let Chinese state hackers read the email of senior US officials, including the Secretary of Commerce and US diplomats. The board, created under a 2021 Biden executive order, found that the attackers obtained a Microsoft consumer account signing key, a theft Microsoft still cannot fully explain, and used it to forge authentication tokens and gain access to the mailboxes. The board called the breach preventable and said Microsoft must significantly overhaul its security culture given its central role in the global technology ecosystem. Microsoft has committed to improvements, including modernizing legacy infrastructure and processes and enforcing stricter security baselines. The incident joins a growing list of espionage campaigns against US interests that run through weaknesses in widely used platforms. Microsoft's most visible response so far, disappointingly, appears to be the paid security updates described above.
US government review faults Microsoft for ‘cascade’ of errors that allowed Chinese hackers to breach senior US officials’ emails – CNN


Risk & Compliance

The CISO Initiative

CISO Initiative Summit – Fort Myers June 5-6, 2024
Just a few weeks away and a few seats left. Get ready to geek out with principia/RAID as we launch The CISO Initiative, an exciting new chapter built on the foundation of the acclaimed CIO Initiative summits. Expect a tour through the latest in tech, cyber-smarts, and leadership wizardry, all served up by the brightest minds in our field. Networking is at the heart of the event, offering unmatched opportunities to connect with peers, forge valuable partnerships, and engage in thought-provoking discussions.
CISO Initiative Summit – Fort Myers 2024


That’s all for this month’s issue of principia/RAID’s Defrag, Intrepid Reader. Until next time, enjoy those graduation picnics and be careful of those multifactor scams out there, you Cyber Security Heroes!


principia/RAID Digital Security delivers information technology advisory and consulting services with a specific focus on vCISO services, information security and compliance management. We thrive on helping our clients reduce their cybersecurity risk and achieve compliance with their CMMC, NIST 800-171, NIST 800-53, DFARS, and SOC/ISO requirements.

Have questions? We can help you. contact@principiaraid.com
