Top five Cyber Threat Intel stories of the week: 01/16 to 01/20/2023

James Beal
Published in Hunter Strategy
6 min read · Jan 20, 2023

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share with anyone inside or outside the company you think would benefit and enjoy reading about these events. Please reach out if you have any questions on any of these events. Thank you!

General Worldwide activity:

1st: NIST Releases Potential Updates to Its Cybersecurity Framework

Overview: The National Institute of Standards and Technology announced its intent to make new revisions to its Cybersecurity Framework document, with an emphasis on cyber defense inclusivity across all economic sectors. Announced by the agency on Thursday, the updates to the voluntary guidance are informed by responses received from a previous workshop on the forthcoming CSF 2.0 and a corresponding Request for Information published in early 2022. “The CSF is intended to be a living document that is refined and improved over time,” the updated concept document reads. Some of the responses officials at NIST look to include in their development of the updated framework are changes to the recommended cybersecurity best practices, sector-specific needs and new uses based on modifications to the framework.

Breakdown: This has now been several years in the making, and it appears we may actually get a full update to NIST CSF this year. As noted in the article, the last update was in 2018 and version 2 was announced officially in 2021. This will be a significant update based on all of the existing feedback provided. The concept paper they are planning to release on March 3rd will have an open comment period as well. There are many companies around the world using NIST CSF as a baseline for their entire programs, so this should be a very welcome update for the maturity of their programs in the future.

2nd: Miscreants sure do love ransacking cloud networks, more so than before

Overview: As enterprises around the world continue to move to the cloud, cybercriminals are following right behind them. There was a 48 percent year-over-year jump in 2022 in cyberattacks on cloud-based networks, and it comes at a time when 98 percent of global organizations use cloud services, or at least that’s what Check Point researchers say they’ve noticed. The increases were experienced in various regions, including Asia (with a 60 percent jump), Europe (50 percent), and North America (28 percent), the infosec bods wrote in a report this week. “The rise in attacks on the cloud was driven both by an overall increase in cyberattacks globally (38 percent overall in 2022, compared to 48 percent in the cloud) and also by the fact that it holds much more data and incorporates infrastructure and services from large amounts of potential victims, so when exploited the attacks could have a larger impact,” Omer Dembinsky, data group manager at Check Point, told The Register.

Breakdown: Cloud usage expands every year, so it is a shock to no one that cyberattacks on cloud infrastructure expand along with it. An almost 50% jump from 2021 to 2022 demonstrates how important actually being secure in your processes and configurations on cloud services is for everyone moving in that direction. Everyone working in security should have at least a general awareness of how cloud infrastructure functions and the ways in which insecure configurations can occur. AWS was a great example: for years there was no real built-in security, it was pretty much just borrowing someone else’s servers to store your company data, and you were required to handle everything. They have since added tools, and many vendors have created defensive toolsets as well, to make sure basic misconfigurations are no longer the norm.

3rd: A busy week for breaches! Two big examples from this week are “Massive Credential Stuffing Campaign Hits 35,000 PayPal Users” and “T-Mobile suffers 8th data breach in less than 5 years”

Overview:

PayPal: PayPal this week notified tens of thousands of US customers that their logins had been used successfully to access their accounts over a month ago. The unauthorized access occurred between December 6 and December 8 last year, after which time the firm realized what was happening and “eliminated access” for the threat actors. “During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users,” the firm said in a breach notification letter posted to the Maine attorney general’s office.

T-Mobile: Telecom player T-Mobile US has suffered a cybersecurity incident that resulted in the exposure of the personal details of 37 million users, the company reported in a filing to the US Securities and Exchange Commission on Thursday. Customer data such as customer name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features were exposed, the company revealed. However, T-Mobile in a statement insisted that customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs, or other financial account information were not exposed.

Breakdown: Sadly, after years of constant breaches, anyone paying even semi-close attention is in a constant emotional state of burnout at each of these announcements. No one seems to get even a little surprised or shocked their info may have been leaked, as at this point, most people feel their personal details have been leaked many times over. If you are a customer of either organization, be prepared for notifications and keep a closer eye on the actual details released once we have more solid answers on root cause to decide if you want to continue to be a customer or cancel everything.

4th: Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner

Overview: Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results. At least one prominent user on the cryptocurrency scene has fallen victim to the campaign, claiming it allowed hackers to steal all their digital crypto assets along with control over their professional and personal accounts. Over the weekend, crypto influencer Alex, better known by their online persona NFT God, was hacked after launching a fake executable for the Open Broadcaster Software (OBS) video recording and live streaming software that they had downloaded from a Google ad in search results.

Breakdown: As a continuation of the recent events we have seen in the past couple of weeks, here are more attacks by attacker groups that abuse open-source software for malicious activity. The focus on advertisements in Google search results as the delivery mechanism is a perfect reminder for everyone to be cautious when clicking on links, even those provided by trusted sources such as Google.

5th: “Payzero” Scams and The Evolution of Asset Theft in Web3

Overview: Web3 is a lucrative emerging technology where many participants seek quick profit via the different methods of monetization for their online assets. What makes Web3 different from what’s typically called Web2 is that its users are not only participants but are also the owners of digital assets. Web3 users no longer employ the traditional username and password method for authentication. Instead, the user owns a pair of cryptographic keys and signs messages with the private key. The signature is then used to validate and authenticate user actions. In Web3, the most important credential — the private key of the wallet address — is owned by the user. Users must handle these authentication scenarios on their own, which can be a complicated process, especially for newcomers.

Breakdown: Web3 as a newer technology may still be a bit of a mystery to many people; it is definitely still a bit of a mystery to me. I need to also spend time learning about it more in-depth, as we are now seeing complex attacks against it. This article does have a wonderful walkthrough of the basic tech, and if you have an interest in learning more, it feels like a great place to start, on top of covering this attack and the details behind it.

Contact Us

contact@hunterstrategy.net


James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.