Security News – September 2022

Read our roundup of cybersecurity news from September 2022. Each month, we’ll bring you security cases and interesting insights to help you stay secure.

Politics

An investigation into cyber-attacks on Albanian state institutions has led to the expulsion of all Iranian embassy staff from the country and a significant deterioration in relations between the two states. Cyber-attacks can lead to real wars.

Since the beginning of the war, Ukraine has been working systematically to dismantle bot farms that spread Russian propaganda. The number of fake accounts controlled by these farms on social networks has exceeded 1.1 million.

Portugal was the target of an attack that led to the theft of sensitive NATO documents. The breach came to light through the US intelligence services, which discovered the documents on the dark web.

Hacktivists from Anonymous were involved in the protests in Iran as part of Operation OpIran. They are trying to make government websites inaccessible, publish leaked data or disable cameras in the country.

Investigation and research

Ukraine dismantled a group of hackers who stole access to accounts of 30 million users (mostly from Ukraine and the EU) and sold them on the dark web. The data was bought by pro-Kremlin propagandists who used the accounts to spread disinformation on social networks.

Researchers solved a challenge and created an image that contains and displays its own hash. They also had to deal with the paradox that the input file is needed to calculate the hash, yet any change to the input file changes the hash.

Vulnerabilities

Cisco has refused to fix a newly discovered vulnerability in its small-business VPN routers because the devices have reached end of support. A successful attack can allow an attacker to penetrate an IPsec VPN network. If you are using the RV110W, RV130, RV130W, or RV215W, you should consider replacing them.

New vulnerabilities in Internet-connected infusion pumps (Baxter) can be used to disable the device, steal sensitive data, or carry out a man-in-the-middle attack.

The FBI has issued a warning about the risks associated with the use of outdated and unpatched medical devices (e.g., insulin pumps, defibrillators, pacemakers).

The American CISA has expanded its list of known exploited vulnerabilities, along with an order requiring U.S. federal agencies to remediate them. Interestingly, one of these vulnerabilities has been known since 2010, when it was first actively exploited by the Stuxnet malware.

Attacks

Someone is persistently attacking the Cobalt Strike control servers used by former members of the pro-Russian Conti ransomware gang. The attacks keep criminals busy and disrupt their activities.

Several ransomware gangs are using a new tactic for encrypting their victims’ files: only parts of each file are encrypted. This makes the encryption faster and harder to detect.
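One reason partial (intermittent) encryption is harder to detect is that whole-file entropy checks no longer trip. The following added example (not from the original post) shows a defender's check that instead looks at entropy per block and flags the alternating high/low pattern; the sample file is constructed inline, and the 4 KiB block size and 7.5 bits/byte threshold are assumptions.

```python
import math
import random

BLOCK = 4096          # assumed analysis block size in bytes
HIGH_ENTROPY = 7.5    # bits/byte; random or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def entropy_profile(data: bytes, block: int = BLOCK) -> list:
    """Entropy of each fixed-size block of the file, in file order."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def looks_intermittently_encrypted(data: bytes, block: int = BLOCK) -> bool:
    """A fully encrypted file is high-entropy everywhere and an untouched
    document is low-entropy everywhere; a mix of high- and low-entropy
    blocks in one file is the signature of partial encryption."""
    flags = [e >= HIGH_ENTROPY for e in entropy_profile(data, block)]
    return any(flags) and not all(flags)


def build_sample(seed: int = 1, blocks: int = 8) -> bytes:
    """Constructed sample: a text 'document' in which every other 4 KiB block
    has been overwritten with random bytes, mimicking an intermittent encryptor."""
    rng = random.Random(seed)
    plain = (b"Quarterly report: revenue stable, costs rising. " * 100)[:BLOCK]
    out = bytearray()
    for i in range(blocks):
        if i % 2:
            out += bytes(rng.randrange(256) for _ in range(BLOCK))
        else:
            out += plain
    return bytes(out)
```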

The InterContinental Hotels Group (IHG) hotel network (e.g., Holiday Inn, Crowne Plaza) was hacked, with the reservation system significantly compromised as of September 5. This is the third successful attack since 2017.

A rescue service in New York City was the victim of a ransomware attack that also leaked clients’ personal information (names, intervention date, insurance information, and in some cases Social Security numbers).

Rockstar Games was hacked, with the attackers obtaining source code and videos from GTA 5 and an in-development version of GTA 6.

Uber fell victim to an attack. Multiple internal systems were compromised. The attack was made possible by successful social engineering.

Revolut was the target of a hacking attack. The personal data of 50,150 users (0.16% of users) was stolen. Financial assets were not affected. A phishing campaign is already underway, so it is important to be cautious.

Ransomware gang LockBit has been compromised and its latest builder (file encryptor) has been leaked. This provides better opportunities for analysis and countermeasures, but on the other hand, anyone can now start their own ransomware gang.

Hackers are using the popular MFA fatigue technique: an already compromised account (username and password) that is protected by MFA (multi-factor authentication) starts receiving a flood of requests to confirm a login. The goal is to wear the user down until they approve a request just to make the prompts stop.
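The pattern that gives MFA fatigue away in logs is a burst of denied or unanswered push prompts for one account, often followed by a single approval. The following added example (not from the original post or any vendor) runs a sliding-window detector over constructed push-prompt log lines; the log format, the 10-minute window and the threshold of four rejected prompts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real product): timestamp, user, prompt result.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice push_denied
2022-09-15T22:01:40Z alice push_denied
2022-09-15T22:02:10Z alice push_timeout
2022-09-15T22:02:55Z alice push_denied
2022-09-15T22:03:30Z alice push_denied
2022-09-15T22:04:02Z alice push_approved
2022-09-15T22:05:00Z bob push_approved
2022-09-15T23:10:00Z bob push_denied
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 4                   # assumed number of rejected prompts before alerting


def parse_line(line: str):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_mfa_fatigue(log_text: str, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {user: [(time, reason), ...]} for accounts showing MFA fatigue.
    A per-user sliding window holds prompts that were not approved. Reaching the
    threshold raises one alert; an approval that arrives while the window is still
    full is the worst case (the user gave in) and is flagged separately."""
    recent = defaultdict(deque)
    alerts = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, result = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:      # drop prompts older than the window
            q.popleft()
        if result == "push_approved":
            if len(q) >= threshold:
                alerts[user].append((ts, "approval after %d rejected prompts" % len(q)))
            q.clear()                        # a normal approval resets the window
        else:                                # push_denied, push_timeout, ...
            q.append(ts)
            if len(q) == threshold:
                alerts[user].append((ts, "%d rejected prompts within %s" % (threshold, window)))
    return dict(alerts)
```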

A new malware campaign is targeting customers of Indian banks. It masquerades as a rewards offer from their bank. By doing so, it tries to trick users into installing the malware in question, which then transfers personal data, including one-time passwords.

Other

NSA, CISA and ODNI have published recommendations for developers on how to secure software against supply chain attacks. One of the motivations was the SolarWinds hack.

The EU is planning to introduce new rules to increase cyber security. This will apply to both hardware and software products. Manufacturers will have to deal with and report discovered vulnerabilities and incidents.

Updating software today is also very much about removing vulnerabilities. An example is Microsoft’s Patch Tuesday, which removes 64 vulnerabilities, including five critical ones, in Windows, Edge, .NET Framework, Azure, Azure Arc, Office, Defender, etc.

The use of enhanced spell-checking features in Google Chrome and Microsoft Edge raises privacy issues. The text you type is sent to Google and Microsoft, and it can include passwords, addresses, dates of birth, and banking and payment information.

Microsoft Windows 11 has a new feature in the latest update that detects when a password is entered into an insecure application (e.g., Notepad) or website. However, this feature needs to be turned on, and hopefully the number of supported applications will grow over time.

Podcast

The Cyber Security Headlines podcast delivers short daily reports (under 10 minutes) from the cybersecurity field. Once a week they review the most important events with a guest at CISO (chief information security officer) level.