I am not surprised that “several government bodies” have banned TikTok from staff phones. I don’t believe the app has any business on company phones (in the majority of cases), even prior to this policy, under existing Acceptable Use policies.
What about staff that use their personal phones for work? How are companies going to safeguard their information if they do not own the device?
One recent cybersecurity breach that I’ve found is one against Mom’s Meals. This one especially interested me because my family uses Mom’s Meals for my grandmother, and we’ve been using it for years. Considering it impacted over 1.2 million people, my family could have been impacted. They used ransomware, which was detected on February 22, 2023. They determined that the attack happened one month prior, in January, and signs of network problems became evident in March. The hackers got people’s payment card information, health information, health insurance information, and even some people’s Social Security numbers. They can use this information for elaborate scams, phishing, and social engineering attacks. They likely stole this information to use it for their own financial gain. PurFoods, the company that owns Mom’s Meals, is offering 12 months of free-of-charge coverage to protect people from the effects of hackers. They offer credit monitoring and identity protection. They also told people to “remain highly vigilant with all incoming communications, whether through email, SMS text messages, or phone calls.”
One security article that intrigued me was related to pilot and staff data at American Airlines and Southwest Airlines. In a recent cybersecurity incident, both airlines were victims of a data breach originating from a breach of their third-party vendor, Pilot Credentials. It was contained within the vendor’s systems and did not compromise the airlines’ internal networks. The breach permitted unauthorized access, which led to the theft of a range of personal data from applicants, including names, Social Security numbers, driver’s license numbers, passport numbers, dates of birth, Airman Certificate numbers, and other government-issued identification numbers.
While there is no evidence of targeted exploitation, both airlines have taken proactive measures to enhance security. To address security concerns, both airlines have terminated their relationship with the vendor and are now directing pilot applicants to internal portals. Law enforcement agencies are actively investigating the breach, and both airlines are cooperating fully to identify the perpetrators and address the situation. Notably, this incident is not the first time American Airlines has faced data breaches, with similar occurrences in 2022 and 2021.
Erskine Payton
In the News Article- Week 1
MIS 5206
Temple University
The University of Michigan discovered that their network was under attack and, to be safe, they disabled the entire network. The incident happened the night before the first day of classes. Students and faculty were severely affected, as they are highly dependent on the wired and Wi-Fi services, like M-Pathways, eResearch, and DART, to navigate the campus. All systems used in student registration were down, requiring U-M administration to waive late registration and drop fees. While users were still able to access some cloud services, those services were susceptible to instability as traffic to the sites increased.
During my research I found that in the past six months, over 120 schools have combated ransomware attacks. Schools are a favorite target for hackers, ranking fifth, research shows. Experts say that hackers know that these types of environments have more lax security measures for staff and students. Researchers also mention that, to combat the problem, we should put more money into securing schools’ systems to avoid this type of attack in the future. In a sense, U-M was fortunate that they were able to get back online and eventually up and running. A last precaution, or inconvenience, is that all users were forced to reset their passwords. As of today, U-M is still piecing together how this happened.
Vietnamese Hackers Deploy Python-Based Stealer via Facebook Messenger
A new phishing attack is leveraging Facebook Messenger to propagate messages with malicious attachments from a “swarm of fake and hijacked personal accounts” with the ultimate goal of taking over the targets’ accounts.
“Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods,” Guardio Labs researcher Oleg Zaytsev said in an analysis published over the weekend.
Ashley A. Jones says
Ashley Allison-Jones
MIS 5206.701
September 2023
“In the News” Article – LastPass Data Breach
Summary:
In February of this year, LastPass, an “award-winning password manager” used by many companies, suffered a striking breach in the series of incidents that have occurred during the company’s lifespan. A malicious actor or “threat actor” seemed persistent in its attempts to gain access to LastPass’ database and exploited a vulnerability in a third-party software program used by LastPass, ultimately gaining access to LastPass’ database. An investigation done by the company revealed that the threat actor who pulled off this breach was involved with two other incidents involving LastPass breaches. The first incident occurred in 2022, over a period ending in August, and then immediately pivoted to the second incident, which took place until October 2022. While the article is not completely clear on how these attacks took place (or specifically what occurred during these timeframes), it is clear that data captured from the first incident was used “to enumerate and ultimately exfiltrate data from the cloud storage resources” during the second incident. Continuing the investigation with Mandiant, LastPass revealed that one of their DevOps engineers’ home computers was the target, in order to get around security mitigations when exploiting the third party’s software vulnerability during February’s attack. Once it gained access, the threat actor exported (presumably on their local computer) native files and folders that possessed various encryption and decryption data needed for database backups and cloud-based resources. Ultimately, the third-party vulnerability was the key to the most recent attack. The threat actor planted keylogger malware after executing some remote code, which allowed the actor to capture the DevOps engineer’s credentials upon signing into their device after authenticating with MFA. Consequently, this gave the malicious actor access to the employee’s LastPass corporate vault.
Link Title – LastPass Says DevOps Engineer Home Computer Hacked – SecurityWeek
Link URL – https://www.securityweek.com/lastpass-says-devops-engineer-home-computer-hacked/#:~:text=Password%20management%20software%20firm%20LastPass%20says%20one%20of,exfiltrated%20corporate%20data%20from%20the%20cloud%20storage%20resources.
Kelly Conger says
Ashley,
As a long-time LastPass user, I’m deeply concerned by the series of breaches the company has experienced, particularly the most recent one. The fact that a third-party vulnerability was exploited to gain access to LastPass’ database is alarming, and it raises questions about the company’s overall approach to security. Even more unsettling is that the same threat actor has been involved in multiple incidents, suggesting a persistent and targeted effort to undermine LastPass. This compromises the very essence of what a password manager is supposed to provide: security and peace of mind.
The involvement of a DevOps engineer’s home computer in bypassing security measures is another red flag. It calls into question the internal security protocols at LastPass, especially if an employee’s home computer can become a weak link in the chain.
Finally, the ability of the attacker to get around multi-factor authentication (MFA) is particularly troubling, as MFA is considered one of the stronger safeguards against unauthorized access. If even that is not secure, it seriously undermines my trust in the platform.
Given these incidents, I’m now reconsidering my use of LastPass and am exploring alternative password management (Bitwarden or 1Password come to mind) solutions that might offer more robust security.
Ashley A. Jones says
I like your comment on MFA. This particular part makes me question whether the DevOps engineer was possibly involved in this larger scheme especially since the threat actor used MFA to get into the machine. Understanding how threat actors bypass MFA, if turned on (whether email, authenticator app, or SMS is not clear here), can be a feat in itself and could take multiple players.
Ashley A. Jones says
Oh! And also, I checked out Bitwarden and 1Password and was leaning more towards Bitwarden since it is open source but, of course, this has its implications as well.
Marc Greenberg says
The FBI helped to bring down a major component of the cybercrime ecosystem. It disrupted a long-running botnet called Qakbot, which has long been available to cybercriminals. Most people or companies had an idea they were a victim.
The FBI received permission to proceed with its operation, and it made all computers in the botnet stop listening. Most were fixed within a couple of hours. The FBI didn’t identify the tool which it used.
Keith Jarvis, a senior researcher at the Atlanta cybersecurity company Secureworks, which was monitoring the botnet and its takedown, said most computers infected with Qakbot were most likely effectively fixed in the first few hours of the FBI operation.
The FBI’s announcement said that law enforcement agencies in France, Germany, the Netherlands, the United Kingdom, Romania and Latvia participated in the Qakbot takedown.
The FBI’s action was unlikely to translate into a major reduction in cyberattacks. Hackers have plenty of other ways to break in, he said. This was only a minor dent in cybercrime.
https://www.nbcnews.com/tech/security/fbi-disrupts-cybercrime-operation-wiping-malicious-programs-hundreds-t-rcna102458
Alyanna Inocentes says
Date: Sep 1, 2023
Link Title – Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware – The Hacker News
Link URL – https://thehackernews.com/2023/09/threat-actors-targeting-microsoft-sql.html
Summarized: Threat actors are exploiting insecure Microsoft SQL (MS SQL) servers in a campaign called DB#JAMMER, deploying tools like enumeration software, RAT payloads, and ransomware, including a variant called FreeWorld. They gain initial access through brute-force attacks, use it to compromise systems, and establish persistence. The attackers attempt to distribute FreeWorld ransomware after installing malicious tools like Cobalt Strike. It’s emphasized that strong passwords are crucial for publicly exposed services. In a related development, the Rhysida ransomware has targeted 41 victims, mainly in Europe, using data encryption and extortion tactics. Additionally, a decryptor has been released for the Key Group ransomware, exposing cryptographic flaws. Ransomware attacks have surged in 2023, with a low victim payment rate but higher average ransom amounts. Threat actors are evolving their tactics and sharing attack details to affect cyber insurance coverage.
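Added example (not part of Alyanna’s post or the Hacker News article): the DB#JAMMER campaign summarized above starts with password brute-forcing against Internet-exposed SQL Server instances, so a practical first detection is to watch the SQL Server errorlog for bursts of “Login failed” entries from one client address. The script below parses the errorlog line format SQL Server writes for failed logins and flags any client IP that produces more than a threshold of failures inside a sliding window. The log lines are constructed for this example; the IP addresses, threshold and window are assumptions, not values from the article.

```python
"""Flag password-spraying / brute-force bursts in SQL Server errorlog output.

Added example for the DB#JAMMER discussion; the sample log below is constructed,
not taken from the article, and the 203.0.113.x / 198.51.100.x addresses are
documentation ranges used as stand-ins.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# SQL Server writes one "Login failed for user ..." line per rejected login,
# with the client address in a trailing [CLIENT: x.x.x.x] field.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Constructed sample: six rapid failures against 'sa' from one host, then one
# ordinary typo from a different host that succeeds shortly afterwards.
SAMPLE_ERRORLOG = """\
2023-09-01 10:15:20.11 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-01 10:15:20.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:15:21.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:15:21.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:15:22.75 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:15:23.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:15:24.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:31:05.33 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
2023-09-01 10:31:40.12 Logon       Login succeeded for user 'reports'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.4]
"""


def parse_failures(lines):
    """Yield (timestamp, login_name, client_ip) for each failed-login line."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["user"], m["ip"]


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: {"failures": n, "users": [...]}} for every client
    that produced at least `threshold` failed logins inside any `window`.

    A per-IP deque holds only the timestamps still inside the sliding window,
    so memory stays bounded even on a long errorlog.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    total = defaultdict(int)      # ip -> all failures seen
    users = defaultdict(set)      # ip -> login names tried
    flagged = set()
    for ts, user, ip in parse_failures(lines):
        total[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: {"failures": total[ip], "users": sorted(users[ip])}
            for ip in sorted(flagged)}


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_ERRORLOG.splitlines()).items():
        print(f"ALERT {ip}: {info['failures']} failed logins, accounts tried {info['users']}")
```

On the sample, only 203.0.113.7 is flagged (six failures against `sa` in under five seconds); the single failure from 198.51.100.4 never reaches the threshold. Feed the real errorlog through the same function (or its equivalent in a SIEM rule keyed on error 18456) and pair the alert with the article’s advice: `sa` disabled or renamed, long random passwords, and no direct Internet exposure of TCP 1433.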
Jeffrey Sullivan says
Jeff Sullivan
“In the News” Article- Week 1
MIS 5206
Temple University
Boards Are Having the Wrong Conversations About Cybersecurity (hbr.org)
https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity
This article goes over how there is still a lack of urgency at the top of organizations when it comes to cybersecurity. Even with the growing awareness of cyber risk, 65% of organizations are at risk of being attacked and almost half of them are not prepared to deal with an attack. It found that 69% of board members agree completely with their security personnel, but fewer than half of the members serve on boards that interact with their CISO regularly. In my opinion, an attack needs to happen to a business for them to understand the consequences, as some of these attacks take down the business or hold them hostage for ransom, etc. The communication gap between the board members and the CISO is what hinders progress in cybersecurity. The reason for this is that they come from two separate worlds, technical vs. financial, even though the two realms are remarkably similar when it comes to cybersecurity; most importantly, the article focuses on having the correct conversation, which is that the focus needs to shift to resilience. The article suggests that in meetings, instead of focusing on how to respond to an incident, the focus should be shifted to how to prepare for and quickly recover from the damage.
The article pointed something out that seems promising for the future of the ITACS industry. It stated that the SEC proposed more explicit recommendations for cybersecurity risk management, governance, and disclosure for public companies, and it is expected that these proposals will become requirements. That means that these board members will need to have clearer oversight of cybersecurity risk and include expertise on the board. I read that as job security and believe you should too. After reading this article and the percentages that were pointed out, I had assumed that cybersecurity was at the forefront and that board members, etc., are educated. A common theme I have already learned is that communication is one of the underlying factors that you will need to be successful in this program and in the field, and it is why the professor pointed out at the beginning of this class that this program is not a computer-science-like program; it is more about communication, governance, etc., which this article points out clearly.
Ashley A. Jones says
I know this will not count towards participation points but I really love your last paragraph here, Jeffrey! Very insightful for the future of ITACS students. Thank you for sharing this. I, too, agree that communication is key.
Jeffrey Sullivan says
Thanks!
Alex Ruiz says
Article: Five Eyes Report: New Russian Malware Targeting Ukrainian Military Android Devices
Summary:
The article is about Five Eyes intelligence agencies releasing a report on “Infamous Chisel”, a malware used by Russian state-sponsored hackers against Ukrainian military Android devices. Infamous Chisel provides backdoor access, operates over Tor, and collects and exfiltrates data. The malware targets device details and data associated with military apps. While it lacks strong evasion techniques, it may exploit the lack of host-based detection on many Android devices. The report offers technical details, MITRE ATT&CK info, and indicators of compromise. The malware’s distribution method is not specified, but Russian forces were reported to have used captured Ukrainian tablets to spread malware and breach military networks. The attacks were linked to the Sandworm group, and it’s reported that the attempts were blocked.
Link: https://www.securityweek.com/five-eyes-report-new-russian-malware-targeting-ukrainian-military-android-devices/
Five Eyes Report:
Andrew Young says
Article Name: Electoral Commission failed basic security test before hack
According to a report in August, between 2021 and October 2022 an English election commission determined that hackers had compromised their systems and had access to sensitive electoral data. While concerning in its own right, leaks from within these departments have indicated that the electoral system in question had allegedly failed an audit to verify if the system was in compliance with government policy shortly before the attack took place. Among other risks, the department was allegedly running outdated and no-longer-updated versions of Windows 10, as well as outdated and unsupported iPhones that are no longer considered eligible for iOS updates. These vulnerabilities allowed the attackers to gain access to at least the organization’s email servers, though it is stated by spokespeople of the organization that it is possible that the attack reaches even further than the email systems and could have deeper ramifications.
Via BBC
https://www.bbc.com/news/technology-66709556
Ikenna Alajemba says
Most of the high-risk targets seem to be less concerned about security issues. In this case the machine was probably running an outdated version of Windows 10, as alleged.
Kelly Conger says
Article: https://therecord.media/two-arrested-poland-railway-hack
Two men in Poland have been arrested for allegedly hacking the country’s national railway system, causing significant disruptions. One of the suspects is reported to be a police officer. The attack seemed to be in support of Russia, as the Russian national anthem and snippets of a Vladimir Putin speech were broadcast over the railway’s radio system. Poland’s railway is particularly vulnerable due to its lack of encryption and authentication. (How is this possible in today’s age of cybersecurity vs Cybercrime?) The incident has led to an ongoing investigation, given the railway’s role in supporting Ukraine amid its conflict with Russia. Poland plans to enhance its railway security by 2025.
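Added example (not part of Kelly’s post or The Record article): the post says the railway’s radio system lacks encryption and authentication, which is why anyone with a transmitter can issue a command the receivers obey. The page does not describe the real radio-stop protocol, so the frame format, shared key and counter scheme below are assumptions chosen only to show the difference between a receiver that trusts any well-formed command and one that checks an HMAC tag and a monotonically increasing counter. The authenticated receiver rejects both a forged command and a replayed genuine one; confidentiality (encryption) is a separate layer and is not shown here.

```python
"""Unauthenticated vs. HMAC-authenticated command receiver.

Added example for the Poland railway discussion. The wire format (JSON body
followed by a 32-byte HMAC-SHA256 tag), the shared key and the replay counter
are assumptions for illustration, not the railway's actual radio protocol.
"""
import hashlib
import hmac
import json

# Hypothetical shared key; a real deployment provisions keys per transmitter
# and never hard-codes them.
SHARED_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _parse_body(body: bytes):
    """Decode a JSON command body; return the dict or None if malformed."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    return msg if isinstance(msg, dict) else None


def unauthenticated_receiver(frame: bytes) -> bool:
    """The weak design: act on any syntactically valid STOP command.

    Nothing ties the frame to a legitimate sender, so a forged frame is
    indistinguishable from a real one.
    """
    msg = _parse_body(frame)
    return msg is not None and msg.get("cmd") == "STOP"


def build_frame(key: bytes, cmd: str, counter: int) -> bytes:
    """Legitimate transmitter: body || HMAC-SHA256(key, body)."""
    body = json.dumps({"cmd": cmd, "counter": counter}, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedReceiver:
    """Accept a STOP only if the tag verifies and the counter moves forward."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = -1  # highest counter accepted so far

    def accept(self, frame: bytes) -> bool:
        if len(frame) <= TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison: a forged or modified body fails here.
        if not hmac.compare_digest(expected, tag):
            return False
        msg = _parse_body(body)
        if msg is None:
            return False
        counter = msg.get("counter", -1)
        # Replay protection: a recorded genuine frame re-sent later fails here.
        if not isinstance(counter, int) or counter <= self._last_counter:
            return False
        self._last_counter = counter
        return msg.get("cmd") == "STOP"


if __name__ == "__main__":
    forged_body = b'{"cmd": "STOP", "counter": 99}'
    print("unauthenticated accepts forged STOP:", unauthenticated_receiver(forged_body))
    rx = AuthenticatedReceiver(SHARED_KEY)
    print("authenticated accepts forged STOP:  ", rx.accept(forged_body + b"\x00" * TAG_LEN))
    genuine = build_frame(SHARED_KEY, "STOP", 1)
    print("authenticated accepts genuine STOP: ", rx.accept(genuine))
    print("authenticated accepts replayed STOP:", rx.accept(genuine))
```

Run as a script it prints True, False, True, False: the forgery only works against the receiver that checks nothing, and even a captured genuine frame cannot be replayed once the counter has advanced. The counter must be persisted across receiver restarts, or an attacker who can force a reboot regains the ability to replay old frames.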
Chidi Okafor says
Article – https://www.infosecurity-magazine.com/news/electoral-commission-fails/
The UK’s Electoral Commission has acknowledged failing a crucial cybersecurity test while simultaneously suffering a data breach in which the records of 40 million voters were compromised. A whistleblower revealed that the Commission received an automatic failure during a Cyber Essentials audit. The breach occurred between August 2021 and October 2022 and allowed unauthorized access to email correspondence and sensitive voter databases, with the breach method and culprits remaining unidentified. The Commission’s cybersecurity deficiencies, revealed by the failed audit, included outdated software on staff laptops and the use of unsupported iPhones. These issues raise concerns about the Commission’s cybersecurity readiness, particularly since the government mandates Cyber Essentials certification for suppliers handling sensitive data. The UK’s Information Commissioner’s Office (ICO) is urgently investigating the breach’s implications for data privacy and security.
Chidi Okafor says
I just realized that Andrew already posted this link, hence I intend to post another one.
Chidi Okafor says
New article: https://www.infosecurity-magazine.com/news/second-school-cyberattack-before/
Summary: Highgate Wood School in North London and a Berkshire schools’ group have fallen victim to planned cyberattacks just before the new school term. Highgate Wood School has delayed its resumption by one week due to the attack, making it challenging for working parents. The school is confident that its data has not been breached and is working with cybersecurity experts and authorities to restore its systems securely. The nature of the attack is unclear, but ransomware is a likely possibility. The UK’s education sector has seen a higher rate of ransomware attacks in 2022 compared to other countries. The Maiden Erlegh Trust in Berkshire also faced IT access issues due to a cyberattack, and other schools have been targeted as well. Experts emphasize the importance of improving cybersecurity measures, automation, access controls, and robust backup solutions to protect valuable student data and minimize disruptions to education.
Akintunde Akinmusire says
Article- https://thehackernews.com/2023/09/new-blister-malware-update-fuelling.html
According to hackernews.com, there is an updated version of Blister (malware loader). The updated version is being used as part of SocGholish infection chains to distribute an open-source command and control framework called Mythic. Blister now has a feature which allows precise targeting of organizations’ networks and lower exposure within virtual machine/sandbox environments. Blister was first introduced in 2021 as a conduit to distribute Cobalt Strike and BitRat payloads on compromised systems.
Akiyah says
News article: https://www.reuters.com/technology/tiktok-hires-britains-ncc-auditing-data-security-2023-09-05/
From the article: “Several government bodies have banned TikTok from staff phones due to growing concerns about the company, which is owned by Chinese firm ByteDance, and whether China’s government could harvest users’ data to advance its interests.”
I am not surprised that “several government bodies” have banned TikTok from staff phones. I don’t believe the app has any business on company phones (in the majority of cases) even prior to this policy, under existing Acceptable Use policies.
What about staff that use their personal phones for work? How are companies going to safeguard their information if they do not own the device?
Robert Joseph Cruz says
One recent cybersecurity breach that I’ve found is one against Mom’s Meals. This one especially interested me because my family uses Mom’s Meals for my grandmother, and we’ve been using it for years. Considering it impacted over 1.2 million people, my family could have been impacted. They used ransomware, which was detected February 22, 2023. They determined that the attack happened one month prior, in January, and signs of network problems became evident in March. The hackers got people’s payment card information, health information, health insurance information, and even some people’s Social Security numbers. They can use this information for elaborate scams, phishing, and social engineering attacks. They likely stole this information to use it for their own financial gain. PurFoods, the company that owns Mom’s Meals, is offering 12 months of free-of-charge coverage to protect people from the effects of hackers. They offer credit monitoring and identity protection. They also told people to “remain highly vigilant with all incoming communications, whether through email, SMS text messages, or phone calls.”
https://www.bleepingcomputer.com/news/security/moms-meals-discloses-data-breach-impacting-12-million-people/
Unnati Singla says
Article Link:
https://www.infosecurity-magazine.com/news/hack-american-southwest-airlines/ by Alessandro Mascellino
One security article that intrigued me was related to pilot and staff data at American Airlines and Southwest Airlines. In a recent cybersecurity incident, both airlines were victims of a data breach originating from a breach of their third-party vendor, Pilot Credentials. It was contained within the vendor’s systems and did not compromise the airlines’ internal networks. The breach permitted unauthorized access, which led to the theft of a range of personal data from applicants, including names, Social Security numbers, driver’s license numbers, passport numbers, dates of birth, Airman Certificate numbers, and other government-issued identification numbers.
While there is no evidence of targeted exploitation, both airlines have taken proactive measures to enhance security. To address security concerns, both airlines have terminated their relationship with the vendor and are now directing pilot applicants to internal portals. Law enforcement agencies are actively investigating the breach, and both airlines are cooperating fully to identify the perpetrators and address the situation. Notably, this incident is not the first time American Airlines has faced data breaches, with similar occurrences in 2022 and 2021.
Erskine Payton says
Erskine Payton
In the News Article- Week 1
MIS 5206
Temple University
The University of Michigan discovered that their network was under attack and, to be safe, they disabled the entire network. The incident happened the night before the first day of classes. Students and faculty were severely affected, as they are highly dependent on the wired and Wi-Fi services like M-Pathways, eResearch, and DART to navigate the campus. All systems used in student registration were down, requiring U-M administration to waive late registration and drop fees. While users were still able to access some cloud services, those were still susceptible to instability as traffic to the sites increased.
During my research I found that in the past six months, over 120 schools have combated ransomware attacks. Schools are a favorite target for hackers, ranking fifth, research shows. Experts say that hackers know that these types of environments have more lax security measures for staff and students. Researchers also mention that, to combat the problem, we should put more money into securing schools’ systems to avoid this type of attack in the future. In a sense, U-M was fortunate that they were able to get back online and eventually up and running. A last precaution or inconvenience is that all users were forced to reset their passwords. As of today, U-M is still piecing together how this happened.
https://www.bleepingcomputer.com/news/security/university-of-michigan-shuts-down-network-after-cyberattack/
Ikenna Alajemba says
Vietnamese Hackers Deploy Python-Based Stealer via Facebook Messenger
A new phishing attack is leveraging Facebook Messenger to propagate messages with malicious attachments from a “swarm of fake and hijacked personal accounts” with the ultimate goal of taking over the targets’ accounts.
“Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods,” Guardio Labs researcher Oleg Zaytsev said in an analysis published over the weekend.
https://thehackernews.com/2023/09/vietnamese-hackers-deploy-python-based.html