Tuesday Morning Threat Report: Feb 14, 2023

Mark Maguire
Published in CodeX
5 min read · Feb 14, 2023

Where the news is always bad, but the analysis is always good.

Image by Markus Spiske

Welcome to the Valentine’s Day edition of the Tuesday Morning Threat Report! This week’s article is dedicated to anyone who loooves properly configured firewalls and strong passwords.

This past week, Anonymous revealed Kremlin secrets, people “jailbroke” ChatGPT, and an iPhone bug is allowing apps to track users’ geolocation. Let’s dive in!

Top Stories:

This week’s biggest headlines. Analysis section below.

Anonymous Hacks Russian ISP: The hacktivist collective Anonymous has hacked Convex, a Russian Internet Service Provider (ISP), and posted documents stolen from it that allegedly show the Kremlin illegally monitoring Russian citizens.

436-Year-Old Cipher Cracked: Researchers have decoded enciphered letters written by Mary, Queen of Scots, for the first time, using a combination of manual and computerized codebreaking.

Australia Bans Chinese-Manufactured Cameras: Citing national security concerns, the Australian Department of Defence has removed all Chinese-manufactured cameras from its facilities.

Jailbreaking ChatGPT: ChatGPT is a powerful AI chatbot with a safety system meant to stop it from producing illegal or violent content. Users have crafted prompts that make the safety system fail and have used the unlocked model to write malware.

Florida Hospital Disaster: Tallahassee Memorial HealthCare's IT systems were breached, and every system was taken offline in response. All non-emergency procedures were canceled, and patients needing emergency care had to be transferred to other hospitals.

Vesuvius Cyberattacked: Vesuvius is an engineering firm listed on the London Stock Exchange. An attack on its IT infrastructure forced it to take systems offline, and its shares fell 3.8%.

r/badnews: Reddit's source code and some internal corporate documents were stolen in a cyberattack. The breach began with a phishing email that duped a Reddit employee into handing over access.

Ubiquiti Extorter Pleads Guilty: A former Ubiquiti developer used his legitimate access to steal internal company data, posed anonymously as an outside hacker, and demanded a ransom payment. He was caught and has since pleaded guilty to wire fraud.

My Takeaways

Analysis based on this week’s news and my experience in the industry. More headlines below in the Lower Echelon.

Snake in the Grass: The Ubiquiti extortion highlights the danger of insider threats. The Ubiquiti employee stole company data while connected through a commercial VPN so that the IP address of his own computer would never appear in the logs. Once the data was stolen, he contacted his own employer posing as an anonymous hacker and demanded a $2 million ransom. He was caught only because the VPN suffered an outage mid-session, causing his real IP address to be logged.

Employees, contractors, and service accounts frequently hold far more IT access than their work requires. The best practice known as "least privilege" addresses this: each account is granted the minimum access to data and systems needed to do its job, and nothing more. Over-permissioned accounts are one of the biggest hurdles in security, because every permission an insider does not need is one more thing they can quietly take.

Identity and Access Management (IAM) is the security domain that tackles this. Two questions sit at the core of IAM: "Who can access what?" and "Do they need that access?" Many companies cannot answer even the first one for their own employee accounts.

The good news is that IAM, and least privilege with it, is becoming more widespread. From 2021 to 2028 the IAM market is expected to grow by 157%, largely for regulatory reasons but also in the interest of security. Companies are strengthening their IAM capabilities and beginning to learn who has access to what. Once that inventory exists, the next step is working out the minimum access each account needs and trimming everything else, which reduces over-permissioning. Least privilege limits what an insider can take; it does not by itself show what they took, so access to sensitive systems still needs to be logged and reviewed. Together, IAM, least privilege, and that logging mitigate insider threats and make extortion cases like the one Ubiquiti had to deal with both less likely and easier to investigate.
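What a least-privilege review actually looks like in practice, as an added example for this newsletter (it is not code from Ubiquiti or from any IAM product): the script below takes an inventory of what each account is allowed to do and an access log of what it actually did, and answers both IAM questions at once. Grants that were exercised in the review window are the right-sized policy; grants that were never used are candidates for removal (with destructive or credential-issuing actions flagged first); and any activity with no matching grant means the inventory itself is incomplete. The accounts, permissions, log lines and the space-separated log format are all constructed for the example and stand in for whatever your platform exports.

```python
"""Least-privilege review: compare what each account CAN do with what it DID do.

Added example for this newsletter, not code from Ubiquiti or any IAM product.
All accounts, permissions and log lines below are constructed; the log format
"<ISO-8601 time> <principal> <action> <resource>" is an assumption for the example.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed inventory: principal -> set of (action, resource) it may perform.
GRANTS = {
    "dev-alice": {
        ("s3:GetObject", "builds"), ("s3:PutObject", "builds"),
        ("s3:GetObject", "customer-data"), ("iam:CreateAccessKey", "*"),
    },
    "svc-ci": {
        ("s3:GetObject", "builds"), ("s3:PutObject", "builds"),
        ("ec2:TerminateInstances", "*"),
    },
    "contractor-bob": {
        ("s3:GetObject", "customer-data"), ("s3:GetObject", "builds"),
    },
}

# Actions whose unused grants deserve the most attention during review.
SENSITIVE_ACTIONS = {"iam:CreateAccessKey", "ec2:TerminateInstances"}

# Constructed access log covering the review window (last line is older than it).
ACCESS_LOG = """\
2023-01-10T08:01:00Z dev-alice s3:GetObject builds
2023-01-10T08:02:00Z dev-alice s3:PutObject builds
2023-01-11T09:15:00Z svc-ci s3:GetObject builds
2023-01-11T09:16:00Z svc-ci s3:PutObject builds
2023-01-20T14:00:00Z contractor-bob s3:GetObject builds
2023-01-22T11:00:00Z contractor-bob s3:PutObject builds
2022-10-01T10:00:00Z dev-alice s3:GetObject customer-data
"""

# Start of the review window (constructed): activity before this does not count as "used".
WINDOW_START = datetime(2023, 1, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Parse log lines into (time, principal, action, resource) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, resource = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, principal, action, resource))
    return events


def review(grants, events, since):
    """Return per-principal findings: grants to keep, grants to remove,
    unused sensitive grants, and activity not covered by any grant."""
    used = defaultdict(set)
    for when, principal, action, resource in events:
        if when >= since:
            used[principal].add((action, resource))

    report = {}
    for principal in sorted(set(grants) | set(used)):
        granted = grants.get(principal, set())
        exercised = used.get(principal, set())
        unused = granted - exercised
        report[principal] = {
            # The right-sized policy is exactly the intersection of granted and used.
            "keep": sorted(granted & exercised),
            "remove": sorted(unused),
            "unused_sensitive": sorted(a for a, _ in unused if a in SENSITIVE_ACTIONS),
            # Activity with no matching grant: the inventory does not yet answer
            # "who can access what", so fix the inventory before trimming anything.
            "undocumented": sorted(exercised - granted),
        }
    return report


def run_review():
    """Run the review over the constructed inventory, log and window."""
    return review(GRANTS, parse_log(ACCESS_LOG), WINDOW_START)


if __name__ == "__main__":
    for principal, findings in run_review().items():
        print(principal)
        for key, items in findings.items():
            print(f"  {key}: {items}")
```

Note the two traps the example is built around: dev-alice's access to customer-data was used, but only before the review window, so a review that ignores timestamps would wrongly keep it; and contractor-bob's write to the builds bucket has no grant in the inventory at all, which is the "we do not even know what access our accounts have" situation the text describes.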

The Lower Echelon:

Interesting cybersecurity news that didn’t quite make the cut to be a top story.

iOS 16.2 Privacy Flaw: A bug in Apple's iOS 16.2 appears to let apps track users' location without their consent.

Preinstalled Android Malware: Researchers discovered that Android devices from top vendors in China come preloaded with malware. The malware steals and transmits sensitive data, including location, social relationships, and call history.

Toyota Employee Portal Hacked: A security researcher broke into Toyota's employee and contractor portal, which is used to manage Toyota's supply chain, and reported the vulnerability to Toyota.

Killnet IP List Published: Killnet is a Russian hacking group that uses a botnet to flood websites with traffic. A list of thousands of the bots' IP addresses has been published, letting network administrators block that traffic and thus those attacks.

Texas Agency Pays Ransom: The Dallas Central Appraisal District disclosed that it was hacked in November 2022. All of its data was stolen and encrypted, and over 90% of it had no paper copy. The agency paid a $170,000 ransom to have its files decrypted.

KeePass Vulnerable: KeePass is a password manager that stores its database locally on the computer (instead of in the cloud). A proof of concept (PoC) posted in January 2023 showed that anyone who can edit KeePass's configuration file, with nothing more than Notepad, can add an export trigger that silently writes every stored password to a cleartext file the next time the database is unlocked (tracked as CVE-2023-24055). The caveat a practitioner should note: the attacker needs write access to that config file on the victim's machine, which is why the KeePass developers argue it is not a vulnerability in KeePass itself.
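A quick check for that trigger-based export, as an added example for this newsletter (not code from KeePass or from the proof of concept): the script parses a KeePass configuration file, lists every trigger, and flags any action whose parameters look like an export (a destination file path and a KeePass export format name). The sample config is constructed; its element layout follows the trigger section of KeePass 2.x's KeePass.config.xml, but the GUID values in it are placeholders, not real KeePass identifiers, so the detection keys on the action parameters rather than on GUIDs.

```python
"""Audit a KeePass.config.xml for silent export triggers.

Added example for this newsletter, not code from KeePass or the PoC it mentions.
SAMPLE_CONFIG is constructed: the layout follows KeePass 2.x's trigger section,
but every GUID is a placeholder, not a real KeePass type identifier.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>AAAAAAAAAAAAAAAAAAAAAA==</Guid>
          <Name>Backup</Name>
          <Enabled>true</Enabled>
          <Events><Event><TypeGuid>BBBBBBBBBBBBBBBBBBBBBB==</TypeGuid></Event></Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>CCCCCCCCCCCCCCCCCCCCCC==</TypeGuid>
              <Parameters>
                <Parameter>C:\\Users\\Public\\export.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
        <Trigger>
          <Guid>DDDDDDDDDDDDDDDDDDDDDD==</Guid>
          <Name>Show message</Name>
          <Enabled>true</Enabled>
          <Events><Event><TypeGuid>BBBBBBBBBBBBBBBBBBBBBB==</TypeGuid></Event></Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>EEEEEEEEEEEEEEEEEEEEEE==</TypeGuid>
              <Parameters><Parameter>Database opened</Parameter></Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# A parameter naming a KeePass export format, or a path ending in a typical
# export extension, is what a silent-export action needs to carry.
EXPORT_HINT = re.compile(r"KeePass (XML|CSV)|\.(xml|csv|txt|html?)\s*$", re.I)


def audit_triggers(config_xml):
    """Return one finding per trigger: name, whether it is live, its actions'
    parameters, and an 'export' flag when an action looks like a database export."""
    root = ET.fromstring(config_xml)
    findings = []
    system = root.find("./Application/TriggerSystem")
    if system is None:
        return findings  # no trigger section at all: nothing to audit
    system_on = (system.findtext("Enabled") or "").strip().lower() == "true"
    for trig in system.iterfind("./Triggers/Trigger"):
        actions = [
            [(p.text or "").strip() for p in action.iterfind("./Parameters/Parameter")]
            for action in trig.iterfind("./Actions/Action")
        ]
        trig_on = (trig.findtext("Enabled") or "").strip().lower() == "true"
        findings.append({
            "name": (trig.findtext("Name") or "").strip(),
            "enabled": system_on and trig_on,  # triggers only fire if both are on
            "actions": actions,
            "export": any(EXPORT_HINT.search(p) for params in actions for p in params),
        })
    return findings


def export_triggers(config_xml):
    """Names of enabled triggers that look like silent exports."""
    return [f["name"] for f in audit_triggers(config_xml) if f["enabled"] and f["export"]]


if __name__ == "__main__":
    for finding in audit_triggers(SAMPLE_CONFIG):
        flag = "EXPORT?" if finding["export"] else "ok"
        print(f"[{flag}] {finding['name']} enabled={finding['enabled']} actions={finding['actions']}")
```

On a real machine, point the script at the config file KeePass actually loads (the one next to the executable for portable installs, or the per-user copy under AppData) rather than a copy; a trigger named innocently, like "Backup" above, is exactly what the attack relies on, so review every trigger rather than only the flagged ones.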

CISA Releases Free ESXiArgs Recovery Script: The Cybersecurity and Infrastructure Security Agency (CISA) released a free recovery script for victims of the ESXiArgs ransomware, which targets VMware ESXi hypervisors. The script rebuilds virtual machine (VM) files from data the malware left unencrypted, so victims can recover their VMs without paying the ransom.

Laptop Auction Troubles: A Texas school district failed to wipe employee and student data from laptops before auctioning them off. A legal battle has ensued, with the school district trying to have the buyer sign an NDA and the buyer wanting the district held accountable.


Thanks for reading! See everyone next week!

About the author: Mark is a cybersecurity architect and consultant for leading cybersecurity consultancy Aujas.
