Top five Cyber Threat Intel stories of the week: 01/02 to 01/06/2023

James Beal
Hunter Strategy
Jan 9, 2023

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share with anyone inside or outside the company you think would benefit and enjoy reading about these events. Please reach out if you have any questions on any of these events. Thank you!

General Worldwide activity:

1st: 200 million Twitter users’ email addresses allegedly leaked online

Overview: A data leak described as containing email addresses for over 200 million Twitter users has been published on a popular hacker forum for about $2. Bleeping Computer has confirmed the validity of many of the email addresses listed in the leak. Since July 22nd, 2022, threat actors and data breach collectors have been selling and circulating large data sets of scraped Twitter user profiles containing both private (phone numbers and email addresses) and public data on various online hacker forums and cybercrime marketplaces. These data sets were created in 2021 by exploiting a Twitter API vulnerability that allowed users to input email addresses and phone numbers to confirm whether they were associated with a Twitter ID. The threat actors then used another API to scrape the public Twitter data for the ID and combined this public data with private email addresses/phone numbers to create profiles of Twitter users. Though Twitter fixed this flaw in January 2022, multiple threat actors have recently begun to leak the data sets they collected over a year ago for free.

Breakdown: Twitter remains one of the most popular social media apps, especially for sharing current events, even amid the controversy surrounding Elon Musk’s takeover of the company and the major changes that followed. Anyone with a Twitter account needs to monitor it for suspicious activity in light of these leaks. I am sure most of us have personal Twitter accounts at this point, but almost every company also has multiple social media accounts, and those need to be monitored as well. If any of your accounts were set up without complex, randomly generated passwords, update the password immediately: there is a high chance your account was one of the scraped accounts.
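An added example, not code from the article or from any of the sources it cites, showing the shape of the flaw described in this item's overview: a contact-lookup endpoint that confirms whether an email address or phone number belongs to an account, beside a hardened version that answers identically either way, releases an account id only after proof of ownership, and keeps an audit trail a simple detection can run over. The user table, client ids and contacts are constructed, and the one-time-code delivery is modelled by an outbox list.

```python
import hmac
import secrets
from collections import defaultdict

USERS = {"alice@example.com": 1001, "+15550100": 1002}  # constructed sample data

def lookup_vulnerable(contact: str) -> dict:
    """Lookup of the kind described in the overview: the reply differs for
    registered and unregistered contacts, so a contact list can be confirmed
    against the user base without proving ownership of any contact."""
    if contact in USERS:
        return {"found": True, "user_id": USERS[contact]}
    return {"found": False}

class HardenedLookup:
    """Same feature, hardened: identical reply whether or not the contact
    exists, account id released only after a one-time code delivered to that
    contact is presented, per-client request counting, and an audit log."""
    def __init__(self, limit_per_window: int = 5):
        self.limit = limit_per_window
        self.counts = defaultdict(int)  # client_id -> requests this window
        self.pending = {}               # contact -> outstanding one-time code
        self.outbox = []                # (contact, code) "sent" out of band
        self.audit = []                 # (client_id, contact), incl. limited ones

    def request_link(self, client_id: str, contact: str) -> dict:
        self.counts[client_id] += 1
        self.audit.append((client_id, contact))
        if self.counts[client_id] > self.limit:
            return {"status": "rate_limited"}
        if contact in USERS:  # send a code, but say nothing about it
            code = secrets.token_hex(3)
            self.pending[contact] = code
            self.outbox.append((contact, code))
        return {"status": "if_registered_a_code_was_sent"}

    def confirm(self, contact: str, code: str):
        """Release the account id only for a valid code; any attempt, right
        or wrong, consumes the code so it cannot be guessed repeatedly."""
        expected = self.pending.pop(contact, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        return USERS[contact]

def bulk_probers(audit, min_distinct: int = 3) -> set:
    """Detection over the audit log: clients querying many distinct contacts
    in one window look like scraping, not normal onboarding."""
    seen = defaultdict(set)
    for client_id, contact in audit:
        seen[client_id].add(contact)
    return {c for c, s in seen.items() if len(s) >= min_distinct}
```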

2nd: Slack’s private GitHub code repositories stolen over holidays

Overview: Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories. The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world. The incident involves threat actors gaining access to Slack’s externally hosted GitHub repositories via a “limited” number of Slack employee tokens that were stolen. While some of Slack’s private code repositories were breached, Slack’s primary codebase and customer data remain unaffected, according to the company. Slack has since invalidated the stolen tokens and says it is investigating “potential impact” to customers. At this time, there is no indication that sensitive areas of Slack’s environment, including production, were accessed. Out of caution, however, the company has rotated the relevant secrets.

Breakdown: Slack is not only used as a personal communication tool for online groups, conferences, and remote events; as noted, many companies all over the world use it for work communications, which have a high chance of containing insider information or confidential data shared among co-workers in shared documents. This breach just happened, and hopefully, once the full DFIR investigation is complete, it will confirm that no actual customer data was stolen in the event. Access to internal code repositories brings its own complications, but Slack has taken the proper steps to lock down the breached systems going forward.

3rd: Raspberry Robin Worm Hatches a Highly Complex Upgrade

Overview: Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish and Portuguese-language based financial institutions — and its complexity quotient has been significantly upgraded, researchers said this week. According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks — but victim data is no longer in plaintext but rather RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers. Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target’s network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands and thousands of endpoints — and the species is rapidly evolving.

Breakdown: When this worm was initially discovered it was not all that complex, but as noted here it has quickly evolved into a genuinely advanced threat used by APT-level threat groups. This article has a good general walk-through of the current attack; for a highly detailed technical discussion of the research, refer to the Security Joes report linked in the article.

4th: The State of Ransomware in the US: Report and Statistics 2022

Overview: In 2021, following a series of high-profile incidents, the United States government appeared to have had enough, and decided to take ransomware seriously. Meetings were held, committees formed, and a general sense of urgency took shape around the threat. In 2022, we got to see how that would all play out — and, unfortunately, it was a case of same old, same old. The number of government, education and healthcare sector organizations impacted by ransomware this year was very similar to the number impacted in previous years.

Breakdown: Ransomware continues to be the top threat of the year for 2022, and this is just one example report, based on public reporting, covering governmental organizations. These attack counts continue to climb year over year, even counting only the attacks that are made public. This report does not cover public reporting on private companies in any way, nor the vast number of unreported attacks at private companies that do not publish any information due to legal or regulatory concerns. Taking those factors into account, the true overall number of attacks for the year must be considerably higher.

5th: Chinese researchers claim to have broken RSA with a quantum computer. Experts aren’t so sure

Overview: Researchers in China claim to have reached a breakthrough in quantum computing, figuring out how they can break the RSA public-key encryption system using a quantum computer of around the power that will soon be publicly available. Breaking 2048-bit RSA — in other words finding a method to consistently and quickly discover the secret prime numbers underpinning the algorithm — would be extremely significant. Although the RSA algorithm itself has largely been replaced in consumer-facing protocols, such as Transport Layer Security, it is still widely used in older enterprise and operational technology software and in many code-signing certificates.

Breakdown: Quantum computing is a very complex but interesting field that everyone in Information Technology related fields needs to monitor for general awareness. From an Information Security perspective, quantum computing is both a blessing and a curse once we have actual functioning systems. Because of the way such systems can process data, all current methods of encryption would be immediately in danger, since they could quickly break the math that makes those processes hard to reverse. The big current threats are two-fold: first, that every country with the ability to do so is storing vast amounts of current communications, even encrypted ones, with the plan of eventually using quantum systems or new methods to read those old communications; and second, that if a major power does create a functional quantum computer capable of breaking encryption, no one else will know about it until it is too late.

Contact Us

contact@hunterstrategy.net



Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.