Kelly Sharadin says
This recent CISA advisory highlights how incident response and disaster recovery can be intertwined. Threat actors have been targeting uninterruptible power supplies by brute forcing common and default credentials on known devices. CISA is urging organizations to not only enumerate their UPS devices to have network visibility but to also change default passwords, remove devices from the public-facing internet and place UPS devices behind a VPN where necessary. Targeting UPS devices is a strategic cyber attack that highlights how large an organization’s attack surface can be and why it is vital to practice good password management.
https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf
Antonio Cozza says
London police have charged two of the seven teenagers arrested last week who are alleged members of the LAPSUS$ hacking outfit, which has been in the news the past couple of months for stealing corporate data and, in some cases, releasing it publicly. The group, whose members range in age from 16 to 21, is operating with notoriety as the goal rather than financial gain, according to the article. Despite the arrests, the group has still, this week, leaked 70GB of corporate data from Globant, which is now conducting an “exhaustive investigation.”
https://thehackernews.com/2022/04/british-police-charge-two-teenagers.html
Kyuande Johnson says
Ubisoft says it experienced a ‘cyber security incident’, and the purported Nvidia hackers are taking credit
Ubisoft experienced a “cyber security incident” last week that temporarily disrupted some games, systems, and services. Ubisoft said it believes that “at this time there is no evidence any player personal information was accessed or exposed as a by-product of this incident.” On Friday, in a Telegram channel allegedly run by LAPSUS$, the group posted a link to this article and the smirking face emoji, seemingly taking responsibility for the Ubisoft incident, too. In response to a user in the channel, the group “confirmed” that it did not target Ubisoft’s customer information.
https://thehackernews.com/2022/03/gaming-company-ubisoft-confirms-it-was.html
Lauren Deinhardt says
Thanks for this article, Kyuande! I am seeing so much about LAPSUS$ lately, between this and the OKTA breach. I am wondering if they will be maintaining a strong presence in the cyber threat actor space.
Dhaval Patel says
A few advanced persistent threat groups from around the world have launched spear-phishing campaigns using the Russia-Ukraine war as a lure to distribute malware and steal sensitive information. These campaigns have targeted the energy, financial, and government sectors. Decoys such as official-looking documents, news articles, and job postings are being used to launch malware attacks. Campaigns are undertaken by El Machete, Lyceum, and SideWinder. El Machete has an infection chain that uses macro-led decoy documents to deploy a trojan called Loki Rat, which can collect keystrokes, credentials, and clipboard data.
https://thehackernews.com/2022/04/multiple-hacker-groups-capitalizing-on.html
Patrick Jurgelewicz says
Researchers Trace Widespread Espionage Attacks Back to Chinese ‘Cicada’ Hackers
https://thehackernews.com/2022/04/researchers-trace-widespread-espionage.html
The Chinese state-backed group Cicada (also known as APT10, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team), an advanced persistent threat known for typically singling out Japanese entities, has now been attributed to a new long-running espionage campaign targeting entities in Europe, Asia, and North America. Most of the targeted organizations are governmental or non-profit organizations in the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy. Many of these attacks are exploiting the recent Microsoft Exchange Server vulnerability. The motivation behind this campaign appears to be espionage.
Madalyn Stiverson says
https://www.zdnet.com/article/spring4shell-flaw-heres-why-it-matters-and-what-you-should-do-about-it/
Spring4Shell is a recently discovered vulnerability involving the Spring Framework of Java, which is the most widely used lightweight open-source Java framework. Spring4Shell, aka CVE-2022-22965, has been labeled by CISA as a known exploited vulnerability, and they recommend patching as soon as possible. This vulnerability enables remote code execution when using the Java Spring Framework. VMware products are also affected as they use the Java Spring Framework in their releases.
Any system using JDK 9.0 or later is at risk. The only known prerequisites to exploit this vulnerability are Apache Tomcat as the Servlet container, the app packaged as a WAR file, and deployment in a standalone Tomcat instance. If Spring Boot is deployed with an embedded servlet container or as a reactive web server, the system should be unaffected.
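As an added example (not from the ZDNet article or the Spring project), here is a small triage helper that encodes the preconditions listed above so a defender can rank deployments for patching; the fixed Spring Framework versions (5.3.18 and 5.2.20) and the `Deployment` record format are assumptions of this example, not details from the post.

```python
"""Triage helper for CVE-2022-22965 (Spring4Shell) exposure.

Added example, not from the article or the Spring project. It encodes the
preconditions stated above (JDK 9+, app packaged as a WAR, running on a
standalone Tomcat) plus the fixed Spring Framework versions 5.3.18 / 5.2.20
(assumption, taken from the upstream fix, not from the post). Input is a
constructed deployment record, not real inventory data.
"""
from dataclasses import dataclass
import re

# First patched release per supported Spring Framework line (assumed).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}


def parse_version(s: str) -> tuple:
    """'17.0.2' -> (17, 0, 2); '1.8.0_312' -> (1, 8, 0); pads to 3 parts."""
    nums = [int(x) for x in re.findall(r"\d+", s)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def jdk_major(s: str) -> int:
    """Handle both the legacy '1.8' scheme and the '9+' scheme."""
    v = parse_version(s)
    return v[1] if v[0] == 1 else v[0]


def spring_is_fixed(spring_version: str) -> bool:
    v = parse_version(spring_version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Lines newer than 5.3 shipped after the fix; older lines never got one.
        return v >= (5, 3, 18)
    return v >= fixed


@dataclass
class Deployment:
    name: str
    jdk: str
    spring: str
    packaging: str   # "war" or "jar"
    container: str   # "tomcat", "jetty", "netty", ...
    standalone: bool # True = external container, False = embedded


def assess(d: Deployment):
    """Return (verdict, reasons). Reasons list why a precondition is NOT met.

    'likely unaffected' is not 'safe': the flaw is more general than the
    known exploit path, so still patch on the normal schedule.
    """
    reasons = []
    if jdk_major(d.jdk) < 9:
        reasons.append("JDK < 9")
    if spring_is_fixed(d.spring):
        reasons.append("Spring Framework already patched")
    if d.packaging.lower() != "war":
        reasons.append("not packaged as WAR")
    if d.container.lower() != "tomcat":
        reasons.append("servlet container is not Tomcat")
    if not d.standalone:
        reasons.append("embedded container")
    return ("PATCH NOW" if not reasons else "likely unaffected", reasons)
```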
Victoria Zak says
“US Passes ‘Game-Changing’ Cyber Incident Reporting Legislation”
Cyber incidents that happen within US critical infrastructure companies are now to be reported to CISA within 72 hours, as the President signed into law. As the article mentions, covered entities will also be obligated to report any ransomware payments to CISA within 24 hours under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The new reporting requirements apply to organizations that fall within the 16 U.S. critical infrastructure sectors such as chemical, communications, energy, financial services, healthcare sectors, etc. This includes relevant vulnerabilities, efforts taken to mitigate the attack, categories of data believed to have been accessed or acquired by a person, and any actor reasonably believed to be responsible for the incident. Covered companies that do not report cybersecurity incidents or ransomware payments within that period will be issued a subpoena by CISA.
Resource:
https://www.infosecurity-magazine.com/news/us-cyber-incident-reporting/
kofi bonsu says
The article talks about the terms “incident response” and “disaster recovery” as both referring to an organization’s ability to handle computer or network threats after a disastrous event. However, implementing these responses never has to happen if a company plans for such possibilities before they occur. Preemptive measures can prevent any major debilitation, including legal ramifications, financial losses and even simply the tarnishing of a company’s good name. “A disaster is viewed as a heart attack,” says Ken M. Shaurette, CISSP. “Disaster management could be thought of as the medicine or exercise program that your doctor has to keep you alive until you can recover from the heart attack. Incident management is all the symptoms that you might [have had] for several months before the heart attack.”
https://biztechmagazine.com/article/2007/07/know-difference-between-disaster-management-vs-incident-management
Lauren Deinhardt says
https://www.theverge.com/2022/3/26/22997532/fcc-kaspersky-list-national-security-threats-huawei-zte
FCC adds Kaspersky to its list of national security threats
Last week, the US Federal Communications Commission added Kaspersky Lab, a Russian cybersecurity company, to its list of entities which pose a threat to US national security. This list also comprises entities such as Huawei. Being added to this list means that US businesses are barred from using federal grants to purchase any products being sold from certain companies. Being that the United States has a historically high import rate, this can pose a serious threat to the Russian economy. The reasoning for Kaspersky being added to the FCC ‘banned’ list is that Russian nation-state entities could be seeking to engage in espionage against the United States and harm national interests/security. In 2017, Kaspersky software was found to be used by Russian Intelligence to steal secret documents from the NSA. Aside from this dated fact, I have not found any additional evidence that Kaspersky poses a threat to the US. Critically thinking, I would like to find out the reasoning behind this—was it for security or purely political?
Dan Xu says
“Block Admits Data Breach Involving Cash App Data Accessed by Former Employee”
The breach is said to have occurred last year on December 10, 2021, with the downloaded reports including customers’ full names as well as their brokerage account numbers, and in some cases, brokerage portfolio value, brokerage portfolio holdings. It was unclear how many users were affected by the breach, but Block — which said it only recently discovered the incident — said it was contacting about 8.2 million current and former customers as part of its response efforts. While a formal investigation is ongoing, the financial platform also said it has notified law enforcement and “continues to review and strengthen administrative and technical safeguards to protect its customers’ information.” “The company currently does not believe this event will have a material impact on its business, operations or financial performance,” Bullock added.
https://thehackernews.com/2022/04/block-admits-data-breach-involving-cash.html
Vraj Patel says
Block, Inc. (Block) is the company that provides the Cash App digital payment solution. Block has recently reported a data breach in which one of their employees downloaded customers’ personal data without authorization. Block acknowledged the data breach to the public on April 4th. They have been contacting 8.2 million current and former users regarding the breach. According to Block, the information that was accessed without authorization was the full name and the brokerage account number of the users. Block has also confirmed that only US customers are being impacted by this data breach.
Reference:
https://appleinsider.com/articles/22/04/05/over-8-million-customers-affected-in-cash-app-data-breach
Andrew Nguyen says
I came across this article that details how a YouTube group was able to scam users out of almost $1.7 million of cryptocurrency. They had streamed YouTube videos directing users to a website, where they would send a small amount of cryptocurrency and receive double the amount back. They added images of Elon Musk and other successful individuals to add legitimacy to the streams.
This sounds like a simple attempt at fraud, but I think this is another reminder that we should always be skeptical of things that sound too good to be true.
https://www.infosecurity-magazine.com/news/youtube-fraudsters-crypto-giveaway/
Bernard Antwi says
Cybersecurity incident response: Lessons learned from 2021
“Several reasons might explain that situation, according to SecureWorks. For starters, the increased use of multi-factor authentication might have led to attackers avoiding credential theft and looking instead to exploit vulnerabilities that do not require any authentication. Another reason might be that it is pretty easy to exploit proof-of-concept code published shortly after the public disclosure of vulnerabilities. That possibility of quickly having code that exploits a vulnerability, coupled with bulk scanning for targets, can quickly bring an attacker to conduct wide-scale exploitation of vulnerable devices in several companies at the same time.”
https://www.techrepublic.com/article/cybersecurity-incident-response-lessons-learned-2021/
Olayinka Lucas says
India to require cybersecurity incident reporting within six hours
I came across this article in the week and realized that it would be a good read up in line with the Incident Response module:
The Indian government has issued new directives requiring organizations to report cybersecurity incidents to CERT-IN within six hours, even if those incidents are port or vulnerability scans of computer systems.
This requirement was promoted by India’s Computer Emergency Response Team (CERT-In), which states it has identified specific gaps causing difficulties in security incident analysis and response. To address them, it needs to impose more aggressive measures.
Source:
https://www.bleepingcomputer.com/news/security/india-to-require-cybersecurity-incident-reporting-within-six-hours/