Saturday, April 1, 2023

Cybersecurity news weekly roundup February 13, 2023


SAN MATEO, CA, February 13, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Trickbot ransomware gang members sanctioned by US and UK

In a joint action, the US and UK have sanctioned seven individuals determined to be members of the Russia-based Trickbot cybercrime group, whose malware has enabled ransomware operations. The group’s members, known to have close links to Russian intelligence services, have had their assets frozen and have been barred from travel to the two nations. Trickbot is known for targeting medical facilities, resulting in system outages and ambulance service disruptions. In a statement on the sanctions, the US State Department said that Russia is “a safe haven for cybercriminals, where groups such as Trickbot freely perpetrate malicious cyber activities against the United States, the United Kingdom, and our allies and partners.” Read more.

Reddit hacked, user accounts and passwords safe “so far”

In a thread on the site, Reddit has reported that it was hacked in a “highly targeted” phishing attack that allowed an unauthorized user to access business systems, code and internal documents. Based on the post, it appears that a Reddit employee was tricked into clicking a link that sent them to a site that “cloned the behavior” of the company’s intranet gateway. A cloned login gateway of this kind captures one-time MFA codes along with the password; only phishing-resistant MFA such as FIDO2/WebAuthn security keys, which are bound to the genuine site’s origin, defeats it. The statement says there is no evidence that user data or passwords were exposed in the incident, although the investigation remains “ongoing.” Read more.

Hackers abusing Google Ads to steal AWS creds via phishing sites

A malware campaign targeting Amazon Web Services (AWS) logins by pushing phishing sites into Google Search via Google Ads has been discovered by Sentinel Labs. The phony ads send victims to a website that mimics a legitimate vegan food blog but is actually under the control of threat actors. The site then automatically directs people to a fake AWS login page designed to steal their credentials. It is one of many recent instances in which attackers abuse Google Ads to get their scams in front of potential victims. Read more.

Dozens of security flaws found in wireless IIOT devices put critical infrastructure at risk

Thirty-eight security vulnerabilities have been found in wireless industrial internet of things (IIoT) devices from four different vendors, according to industrial cybersecurity firm Otorio. Threat actors can use the flaws to gain a remote entry point into operational networks. Ranging from remote code execution and total control of vulnerable devices to data theft, the findings highlight the risk of making IIoT devices directly accessible over the internet. The majority of the flaws are easy to exploit, and the potential damage from a successful attack on critical infrastructure could be catastrophic. Read more.

Pharmaceutical distributor AmerisourceBergen hacked by Lorenz ransomware group

AmerisourceBergen, a drug distributor and major entity in the healthcare sector, has suffered a data breach at the hands of the Lorenz cybercrime gang. Data purported to come from the company and its subsidiary, MWI Animal Health, has been leaked online. While AmerisourceBergen has reported the attack and IT compromise, they have yet to confirm officially that the leaked data is genuine. Researchers have noted that the “post date” on the data is November 1st, although it has just been released. This indicates that the hack happened months ago. Lorenz has a history of targeting large companies. Read more.

Medusa botnet returns with new, albeit broken, ransomware feature

A new variant of the Medusa DDoS botnet has been observed in the wild. Medusa has been around since 2015, but this variant adds a ransomware module and a Telnet brute-forcer and is being advertised as malware-as-a-service (MaaS) for crypto mining and DDoS attacks. Medusa’s ransomware functions do not appear to work at this time, however: the malware deletes files before dropping its ransom note, and the way it destroys system drives makes it impossible for a victim to view the note. This leads researchers to believe that the ransomware functionality is still under development and not yet ready for successful deployment. Read more.

CISA assists ESXiArgs ransomware victims with free recovery script

A widespread ransomware campaign targeting VMware ESXi servers has been prolific but, for many victims, recoverable: the attackers encrypted the small configuration and descriptor files of each virtual machine but failed to encrypt the large “-flat” virtual disk files that hold the VM data, leaving the door open for recovery. The manual process of rebuilding the descriptors is not simple, however. To assist victims, CISA has released a script on GitHub that automates the recovery process. CISA is urging administrators to carefully review how the script works, and to back up the affected files before running it, since it modifies them in place. “While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit,” the agency warns. Read more.

GuLoader malware campaign adapting in response to Microsoft’s macro blocking

Researchers have uncovered a malware campaign targeting e-commerce companies worldwide, including those in the US, Korea, Germany and Japan. The campaign displays a trend in the cybercrime world that sees criminals responding to Microsoft blocking downloaded macros in Office by exploring new avenues of attack. Hackers continue to flex their muscles and adapt to new security features, and “the new phishing wave employs NSIS files embedded within ZIP or ISO images to activate the infection” instead of Word files packed with macros. Read more.

Flaw in Clop Linux ransomware allowed victims to recover their files quietly

Victims of the Linux version of Clop ransomware have been able to decrypt their files without dealing with the criminals, thanks to several flaws in the variant’s encryption scheme that let researchers recover the keys. Clop’s Linux version is reportedly still in development, and the deployed builds are loaded with bugs that make it far easier to circumvent than the Windows version. As Clop refines the malware, researchers expect it to solidify into a more effective form. Clop’s willingness to deploy such a flawed build shows that the group values the ability to target Linux victims, even if the weapon in use is currently not its strongest. Read more.

Ransomware campaign exploiting 2021 VMware bug

A ransomware campaign targeting firms in the US, Canada, France, Finland and Italy is taking advantage of a bug in VMware ESXi hypervisors that was initially disclosed in 2021 (CVE-2021-21974). The flaw “enables attackers to perform remote code execution by triggering a heap-overflow issue in OpenSLP.” The scale of the campaign has not yet been determined, but dozens of instances have been reported in Italy and threat intelligence vendor DarkFeed has counted over 300 victims. Users of affected products are urged to update to the latest versions immediately; where patching is delayed, VMware’s published workaround is to disable the SLP service on ESXi hosts, and in any case the hypervisor management interface should never be exposed directly to the internet. Read more.

More cybersecurity news

Is the law on your side if your business is hacked?


NetworkTigers discusses the legal consequences if your business is hacked.

With companies and organizations amassing so much customer, patient and partner data, keeping it under lock and key as the law requires has become critically important. No brand wants to face public backlash resulting from lackluster cybersecurity. Still, billion-dollar corporations can usually weather the storm, as maintaining armies of lawyers and PR representatives is simply the cost of doing business at that scale.

Combined with the general population’s apparent lack of concern about cybersecurity, this means many large companies can sustain an attack and assume that most of their customer base will remain unconcerned.

However, small businesses are a different matter. When every paying client counts and your business stays afloat by covering costs every week, a security breach or hack can spell doom. A frequently cited figure holds that 60% of small businesses never recover from a cyberattack and close their doors permanently within six months of the incident.

This leads many business owners to wonder where the law stands when their business is hacked. To what degree is a company liable for damages experienced by people whose information was accessed through an intrusion?

The answer is complicated.

Can your business be sued if it’s hacked?

The short answer is yes; your business can be found liable after a hack, as companies have a duty to safeguard customer information. Lapses in that duty can open them up to hundreds of thousands of dollars in expenses, enough to kill many small enterprises.

In spite of their size and resources, even giant companies are feeling the pinch of lax security. Major class action lawsuits are becoming more common and more costly. T-Mobile’s recent settlement with victims of its breach was $350 million, which is still only half of the $700 million Equifax agreed to pay in 2019 over its 2017 breach.

Cybersecurity laws

Generalizations concerning the law can’t be made responsibly, as data protection regulations vary widely between states and industries. However, the following instances of negligence are commonly on the books:

  • Failure to properly monitor for existing data intrusions
  • Failure to ensure that third-party vendors adhere to reasonable security measures
  • Failure to properly train employees in safely handling and managing personally identifiable information (PII) and personal health information (PHI)
  • Improperly maintained email security
  • Failure to ensure that PHI can only be accessed by those authorized
  • Failure to maintain records of security activity for tracking and reporting

In the event of a breach, some states require that affected customers be notified within a specific time. The details regarding breach notices are also subject to each state’s requirements, making compliance incredibly challenging for companies that do business on a national scale.

The government has realized that some hacks and breaches have national security ramifications. At the federal level, the Securities and Exchange Commission (SEC) expects public companies to disclose material cybersecurity incidents, and what was once voluntary guidance has been tightened to keep pace with the recent uptick in ransomware attacks.

Whether or not the law is on your business’s “side” is wholly dependent on your compliance with regulations and whether or not your company has maintained good faith efforts limiting its risk of a successful attack.

The real costs of a cyberattack

When it comes to the aftermath of a cyberattack, most people think of immediate reputational damage as a catastrophic blow. While it can be severe, today’s fast-paced world means that people are quick to forget past transgressions as news media bombards audiences with fresh catastrophes daily, many of which are perceived as more urgent than a cybersecurity event.

What truly sinks businesses post-hack are the expenses associated with legal and financial recovery. The average cost of a data breach in 2022 was $4.35 million, according to IBM’s annual Cost of a Data Breach report.

After a hack, it’s in a company’s best interest to investigate it to the fullest extent to determine what data was accessed, who is responsible for the intrusion and how it happened. Much of this must follow regulations to avoid fines and legal liability. This is followed by costs incurred by system recovery efforts and any downtime in which business operations were slowed or stopped. In the event of a ransomware attack, any money paid to the criminals can be counted as an additional expense. 

These costs can already add up to a significant sum before the risk of lawsuits is considered.

How to comply with cybersecurity laws

From a legal standpoint, protecting your business requires complete compliance with all state and federal laws. Practicing due diligence in keeping up to speed on changing rules or mandates is integral to maintaining a track record of responsible accountability. 

Cybersecurity insurance is a must for any business that stores or manages payment information, PII or customer contact data. This protection can help cover customer notification costs, incident investigation and lost revenue. 

Depending on the type of cybersecurity insurance purchased, it can also lessen the impact of legal and court fees, settlements, and fines in response to non-compliance. 

Prevent an attack

  • Mandate that all employees adhere to good password hygiene.
  • Train workers to recognize and properly report suspicious correspondences that may harbor malware or phishing scams.
  • Keep your software and firmware automatically updated to ensure that you are operating with the latest protections.
  • Update old, unsupported hardware. You can do so economically by purchasing refurbished equipment from a trusted dealer.
  • Use a VPN.
  • Use multi-factor authentication.
  • Protect all network endpoints and institute zero-trust security.

How to keep business-critical applications safe from ransomware


NetworkTigers discusses keeping business-critical applications safe from ransomware and hackers.

Ransomware is a growing risk for many organizations. Apart from the reputational damage and business disruption caused by ransomware attacks, the average ransomware recovery cost is $1.85 million. As more ransomware groups emerge, lured by the enormous profit potential, it’s critical to begin taking action to prevent legal, operational, and financial damages from ransomware attacks. 

What is ransomware?

Ransomware is malware designed to secretly infect and encrypt files, infiltrate servers, then hold the information hostage until a ransom is paid. This malware spreads throughout shared devices or connected computers within the victim’s network.

Once ransomware takes hold, it locks systems down, encrypts files, and doesn’t return access until you pay a ransom. Enterprises that refuse to give in to the financial demands of hackers face the threat of their confidential information being leaked on the internet.

Ransomware is usually initiated by users tricked into clicking on harmful links that download infected files from external sites. Users unknowingly execute the ransomware file, which takes advantage of computer vulnerabilities to infiltrate a company’s network.

The ransomware displays a message on network systems demanding a ransom in exchange for a decryption key after encrypting all files.

Types of ransomware

Ransomware attacks are becoming increasingly complex. Unfortunately, most enterprises underestimate the urgency of implementing robust security solutions. Here are the main forms ransomware takes, along with the most common way it is delivered:

  • Screen lockers – Freeze users out of their computers. In many cases a window appears bearing a government seal and claiming that an official organization has discovered illegal activity on the machine.
  • Locker ransomware – Locks down the entire computer, making it difficult or impossible for users to use their devices, without necessarily encrypting the files on them.
  • Crypto (encrypting) ransomware – Targets valuable information and individual files and encrypts them with strong cryptography; the files stay in place but are unreadable without the attacker’s key.
  • Scareware – Pop-ups appear with threats claiming that someone has accessed your files and that the only way to get them back is to pay, even though nothing has actually been encrypted.
  • Phishing emails – Not a type of ransomware but its most common delivery vector. Attackers send a deceptive email that imitates a trusted sender, carrying attachments or hidden links that install the ransomware once a user opens them.

Nowadays, most ransomware attacks combine several strategies, such as double extortion. In this case, criminals demand two ransoms: one to restore access to your information and another to prevent them from publishing the data they stole before encrypting it.

Ransomware has such huge potential for financial gain that dedicated groups have emerged offering ransomware-as-a-service (RaaS). These groups develop the malware and either charge a subscription fee or provide the ransomware tools to affiliates who hand over a percentage of the payments they receive.

How to prevent ransomware attacks

There are simple things you can do to reduce the risk of your organization falling victim to ransomware infection. The following steps can help you protect your company against attacks and protect its sensitive data.

Educate your employees

While it’s essential to implement the necessary policies and technology, your business may be vulnerable to ransomware if you haven’t implemented an employee training program. Lack of knowledge among your staff makes it easy for criminals to affect your network with malware. 

Without training, even capable employees can let ransomware in. Offer thorough training on how to handle confidential information and recognize suspicious messages, and provide refresher training every year.

Put in place strong spam filters 

It is best to have robust spam filters protecting your messaging services and email. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) are the standard tools for verifying that inbound mail really comes from the domain it claims, and for blocking phishing mail that spoofs your own domain.

Without implementing these measures, it’s easy for your workforce to accidentally click on malicious links and help criminals access your network.

Implement a data backup and recovery plan

Every business should have a documented and regularly updated disaster recovery plan. Regular backups greatly improve your enterprise’s chance of recovery if ransomware infects your network. Follow the 3-2-1 rule: keep three copies of your business data on two different types of media, with one copy stored off-site or in the cloud. At least one copy should be offline or immutable, since ransomware that can reach a network-attached backup will encrypt it along with everything else. Test restores periodically so that, when ransomware hits, you can rebuild systems and data rather than negotiate.

Use updated security software

Consistently implement upgrades to any applications or software you use to protect your network against threats. Updating your software regularly might seem time-consuming and an inconvenience, but it’s essential for IT security. You’ll also need to apply the latest security patches to all organization devices, applications, and computers.

Deploy layered software applications and security hardware

If you want to give your business strong protection against malware, layer multiple security measures. Most businesses require antivirus software, spam filters, anti-malware programs, firewalls such as Cisco Firewalls, and cybersecurity experts to help them manage different protocols. 

Protect your organization against ransomware attacks with cyber awareness training

Implementing a holistic security program is one of the best ways to protect your company against attacks. NetworkTigers’ compliance operation tools make it easier for your business to evaluate its readiness to deal with cyber threats, including ransomware. Contact us today to see how we can help you develop a robust security program that protects against ransomware.

Cybersecurity news weekly roundup February 6, 2023


SAN MATEO, CA, February 6, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

TruthFinder and Instant Checkmate background check platforms suffer 20 million customer data breach

A 2019 backup database holding information on 20 million PeopleConnect customers has been leaked, according to the company. PeopleConnect owns TruthFinder and Instant Checkmate, subscription-based platforms that let users run background checks on people. The data was posted on the hacker forum Breached and was allegedly stolen from an exposed database. In a statement, PeopleConnect said that the stolen data includes names, email addresses, phone numbers and encrypted passwords. Read more.

Cisco issues update to patch backdoor persistence bug

A high-severity, low-complexity vulnerability in Cisco’s IOx application hosting environment (CVE-2023-20076) has been patched in an update released by the vendor this week. According to Cisco, “An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file.” Code injected through this flaw persists on the targeted device across reboots and firmware updates. The bug can only be exploited by an attacker who already has authenticated administrative access to the device; however, other security flaws could be chained to escalate privileges to the level required. There is no evidence of exploitation in the wild. Read more.

Jira releases patch for critical authentication vulnerability

Jira Service Management Server and Data Center has had an update issued by developer Atlassian to patch a flaw that allows a hacker to achieve unauthorized access by impersonating another user. The flaw, CVE-2023-22501, has been described as having “low attack complexity,” making it easy for hackers to exploit under the right circumstances. Vulnerable Atlassian products have recently become a tempting attack vector for threat actors, meaning that users of their platforms should update all software immediately upon patch releases. Read more.

New Nevada ransomware outfit growing quickly, seeking cybercriminals

Researchers have observed that a new ransomware variant called Nevada has been advancing rapidly, increasing its capabilities and targeting Windows and VMware ESXi systems. In December of last year, Nevada was being promoted on RAMP hacker forums seeking Chinese and Russian speaking members and offering an 85% share of any paid ransoms. Nevada even offered to up that to 90% for hackers who generated a high victim count. Nevada’s current features include a Rust-based locker, a chat portal used to negotiate with victims and Tor network domains for both affiliates and victims. Researchers are closely monitoring its aggressive growth. Read more.

Google Fi customer data compromise likely due to T-Mobile breach

Google Fi customers have received a notice informing them that a “limited amount” of customer information was recently involved in a data breach. Since Google Fi uses T-Mobile for network connectivity, most experts are confident that the incident is related to the mobile carrier’s recently disclosed hack. It is not currently clear how many Google Fi customers were impacted. Google’s messaging indicates that no payment data, PINs or text/voice message content were stolen. Read more.

TrickGate shellcode-based packer has remained hidden for over 6 years

Researchers have uncovered TrickGate, a shellcode-based packer that has remained undetected for more than six years as threat actors have used it to launch malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze and REvil. TrickGate has evaded detection because it is continually updated and “undergoes changes periodically.” TrickGate has been in circulation since late 2016, at least, and has been mostly used in attacks against organizations within the manufacturing sector. Read more.

Killnet takes down websites of 14 US hospitals

The Russian hacktivist group Killnet is claiming credit for a wave of DDoS attacks that targeted 14 US hospitals Monday morning. As usual, Killnet’s activity was described by security researchers as more “annoying” than destructive, and at least half of the affected websites were back to normal operation by the afternoon. Hospitals in the Netherlands were also reportedly attacked by Russian threat actors the same morning. Killnet targets organizations in countries that have been critical of Moscow’s ongoing war against Ukraine. Read more.

Scam reward apps on Google Play store downloaded 20 million times

According to Dr. Web, a slew of reward apps on the Google Play store are actually adware that forces users to view dozens of ads to claim rewards that never materialize. The apps masquerade as fitness trackers that encourage users to take steps or otherwise remain active to earn points redeemable for rewards such as gift cards. Once installed, however, the apps become intrusive and subject users to a seemingly endless barrage of ads with little to no actual reward being paid out. Dr. Web reports that the apps in question have been downloaded on more than 20 million devices. Read more.

Vulnerabilities found in the code of OpenEMR healthcare software

Researchers at Sonar have discovered three vulnerabilities within electronic health records and medical practice management software OpenEMR. According to Sonar researchers, “a combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data.” The flaws were reported to OpenEMR administrators in October of last year and a patch was released to fix them. Users are encouraged to update immediately. Read more.

More cybersecurity news

What do cybersecurity companies do?


NetworkTigers discusses what cybersecurity companies do.

Cybersecurity companies play a crucial role in protecting enterprises from different cybersecurity threats. The firms help create products and develop new technology to safeguard an organization’s assets. Cybersecurity firms also work with companies to offer their expertise, vulnerability analysis, and software tools to prevent potential attacks that may disrupt operations.

Why is cybersecurity important?

Cyberattacks continue to increase in number and sophistication, making it harder for organizations to mitigate and avoid them on their own. Cybersecurity companies can do much for your organization beyond monitoring for and preventing threats.

The companies can assist you in achieving compliance with up-to-date and relevant standards and security regulations in your industry, in the U.S. and other countries. A cybersecurity company can implement an on-going security protection strategy tailored to your enterprise. 

A managed security plan will ensure continuous protection for your business even outside your regular working hours; reducing the need to employ more in-house IT staff and in turn, minimizing your overhead costs.

Top 6 services cybersecurity companies provide

The cybersecurity requirements for your company may be different from other businesses. What works for other companies may not be adequate in mitigating the threats that could compromise your security and privacy. Here are essential services your cybersecurity firm should provide:

Penetration testing

Penetration testing is performed to determine which devices, networks and applications are vulnerable to attack and require remediation. Depending on the scope, the whole engagement can take anywhere from a few days to several months.

The scope of the test lists the systems and processes to be tested and is defined by the client. Testers may not go beyond the agreed scope: the written authorization is what makes the testing legal, and it keeps the test from disrupting systems the organization cannot afford to have disturbed.

Within that scope, the firm attempts to breach your web applications or network the way a real attacker would and identifies the assets at risk. By reporting which systems are exposed and how severe the findings are, the firm enables you to fix the weaknesses before a real attacker exploits them.

Incident response

An incident response plan does not prevent attacks, but it limits the damage they do by making sure the right people act quickly and in the right order. Cybersecurity companies that offer incident response services evaluate your readiness and ability to survive a cyber incident, provide on-call 24/7 emergency response and deliver awareness training.

The company also helps your enterprise detect, identify, prevent, and recover from attacker attempts, service system interruptions, virus infections, and break-ins. Additionally, the company analyzes your current plan, assists you in creating a new plan, and offers a rapid and coordinated response when needed.

Systems auditing

Systems auditing is conducted to check whether your cybersecurity technologies, protocols and policies comply with industry standards and legal requirements. Only an expert can conduct these audits effectively, given the evolving, highly technical and detailed regulations issued by governments and regulatory agencies.

Many cybersecurity firms specialize in one type of compliance, such as PCI DSS, FERPA or HIPAA (the Health Insurance Portability and Accountability Act). For example, healthcare organizations undergo HIPAA audits that check employee training, administrative, physical and technical safeguards, and enforcement of the required standards.

Managed services and outsourced IT

Managed services allow businesses that lack the technical expertise to outsource their cybersecurity tasks to an outside provider. Cybersecurity firms are paid to manage the support and maintenance of all the servers within an organization’s network. 

All the functions including repairing corrupt systems, security patching, systems monitoring, and recovering lost data are handled by the cybersecurity firm. This model allows SMBs to avoid paying the high upfront fees of employing and training in-house cybersecurity specialists.

Employee training

Training your employees is crucial, because people are often the weakest link in the defenses surrounding your systems. Much of your workforce does not understand the security implications of their everyday actions.

Unfortunately, today’s cyber threats exploit this lack of knowledge, tricking users into opening suspicious attachments or clicking harmful links. A cybersecurity company teaches your employees how to identify and avoid attacks, and understand how important they are to your enterprise’s cyber defense. 

Software development  

Some cybersecurity firms work only in research and development. They create security software and tools that are licensed to other cybersecurity companies and to end customers. These products range from system monitoring tools, endpoint protection software and analysis tools to email security software and firewalls.

The firms continually upgrade their tools with research teams that monitor new attacks and ways to prevent them. 

Get enhanced cyber threat protection

Whether you are yet to develop a cybersecurity program or you already have one, we will help you choose the best security strategy to make your enterprise secure round-the-clock. At NetworkTigers, we support our clients’ business continuity planning and project management requirements. Contact us today to help you make sound decisions regarding your cybersecurity needs. 

LastPass hack: What happened and what should users do?


NetworkTigers discusses the LastPass hack and what users may do about it.

Hacks and breaches that compromise user data are common occurrences. From retailers to financial institutions, we entrust organizations with troves of personal information. Databases of valuable data are targeted endlessly by threat actors looking to cash in. Businesses and consumers expect companies to maintain top-notch security, but we know that keeping our data locked down may not be the main objective for most businesses.

It is more bothersome when a company that’s foundationally embedded in security and customer confidence is breached. That scenario becomes even more troubling when said company appears to be reluctant to explain the ramifications of a breach fully and seems to be more interested in telling the public the bare minimum. That appears to be what happened with LastPass.

What is LastPass?

While offering dark web scanning, browser extensions and more, LastPass is primarily a password management platform designed to make it easier for users to log in to their personal and business accounts by storing their passwords in a database or “vault.” Using a single master password, users can log in to their accounts without committing their credentials to memory.

As even casual internet users need to memorize potentially dozens of different passwords (provided that they adhere to good cybersecurity practices), LastPass offers convenience in addition to a more secure option than writing down your passwords or saving them in your web browser or operating system. LastPass has often found itself at the top of the list of recommended password management tools, having more than 33 million registered users.

LastPass hack timeline

August 5, 2022: breach disclosed; nothing to see here

In a since-updated blog post, LastPass CEO Karim Toubba wrote that the company had noticed “unusual activity within portions of the LastPass development environment.” The activity was troubling, but LastPass said it had quickly launched an internal investigation into the anomaly.

Toubba asserted that a compromised developer account was used to gain access to its development environment, in which no personal information is stored. The hackers, however, were said to have made off with some of the company’s proprietary source code.

After hiring a forensic cybersecurity team, Toubba said LastPass had “achieved a state of containment, implemented enhanced security measures” and found “no further evidence of unauthorized activity.” The company even went so far as to tell users that no action was required on their part to keep their data safe or protect their accounts from unauthorized access.

September 15, 2022: problem solved, reassurances issued

LastPass issued an update on the previous month’s breach, stating that security firm Mandiant had been brought in to assist with the investigation. LastPass’s administrators detected a threat actor that had remained within its development system over the course of four days, but were able to contain the hacker’s activity and implement more robust security measures where they were deemed needed.

Once more, LastPass reminded customers that the intruder was in no way able to access customer passwords or vaults, as the environment they breached is “physically separated” from those that contain user data.

How the hacker compromised a developer’s endpoint was not disclosed, although impersonation and the mishandling of multi-factor authentication were implied.

November 30, 2022: customer data compromised, no big deal

More than three months after initial disclosure, Toubba issued a statement explaining that the hacker responsible for the August breach “was able to gain access to certain elements of our customers’ information” using the technical data stolen over the summer. 

Toubba’s acknowledgment of user data exposure was brief. It did not describe what kind of customer information had been exposed, how long it had been accessible or how many LastPass users may have been affected by the intrusion. 

LastPass notified law enforcement of their findings and Mandiant was once again brought into the investigative fold as the company worked to “understand the scope of the incident and identify what specific information has been accessed.”

December 22, 2022: happy holidays, hackers have your passwords

In a statement issued just before the holiday weekend, LastPass reported that customer information had, in fact, been exfiltrated from the platform in the form of a cloud-based backup of encrypted customer vault data such as login credentials and passwords. The stolen backup also contained unencrypted information including company names, contact information, IP addresses and billing addresses, and within the vaults themselves the website URLs attached to each entry were stored unencrypted, which tells a thief exactly which accounts each victim holds.

Toubba, for his part, assured customers that their passwords were still secure. Customer vaults, he said, could only be decrypted via users’ master password, which is “never known to LastPass and is not stored or maintained by LastPass.”

In what feels like passing the buck, Toubba said that as long as customers had adhered to LastPass’s default settings and had not used their master password elsewhere, it would take a hacker “millions of years” to crack into a customer vault. He downplayed the breach further, saying that LastPass users require no action to protect themselves from being hacked. 

Toubba has, as of the writing of this article, posted no further updates on his blog regarding the incident.

January 23, 2023

LastPass’s parent company, GoTo, disclosed that the hack had impacted several of the company’s other products and that multiple encrypted customer backups had been stolen.

To the dismay of the security community, GoTo took two months to publicly announce the theft via a statement from CEO Paddy Srinivasan who provided no public guidance for concerned customers and did not reveal how many were affected. 

According to an article about the hack by TechCrunch’s Carly Page, GoTo’s public relations director Jen Mathews and spokesperson Nikolett Bacso-Album both declined to comment further when asked for more details regarding the incident.

As of now, no information has been disclosed regarding who may be responsible for the hack.

What researchers are saying about the LastPass hack 

While Toubba has minimized the severity of last year’s breach from the point of its initial discovery, security researchers and experts unaffiliated with the company have been quick to poke holes in LastPass’s official statements.

Between the trickle of information and the timing of Toubba’s most recent, and possibly last, blog update, the general consensus is that the breach is much more dangerous than implied. In the scathing words of AdBlock Plus creator Wladimir Palant, Toubba is guilty of “omissions, half-truths and outright lies.”

Jeremi Gosney, referencing LastPass’s track record of security lapses “in the last 10 years,” said: “I don’t know what the threshold of ‘number of major breaches users should tolerate before they lose all faith in the service’ is, but surely it’s less than seven.”

He holds the company’s feet to the fire in a blog post that is also critical, to put it lightly, of LastPass’s encryption methods.

1Password joined the chorus as well. While 1Password is a competitor in the password management market, principal security architect Geoffrey Goldberg’s response to Toubba’s “millions of years” comment has not been challenged: he points out that the claim only holds for master passwords produced by a password generator, which have a degree of randomness that human-chosen passwords cannot achieve. A memorable master password has far fewer bits of entropy, and it is the entropy, not the key-derivation settings, that dominates how long an offline attack on a stolen vault takes.
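To make Goldberg’s point concrete, here is an added example (not code from LastPass, 1Password or the original article) that derives a vault key with PBKDF2-HMAC-SHA256 and estimates how long an offline attacker holding a stolen vault would need to find the master password. The choice of KDF, the 100,100-iteration default, the attacker’s 10 billion hashes per second and the 30-bit figure for a typical human-chosen password are all assumptions for the illustration; the page does not give LastPass’s actual parameters.

```python
import hashlib
import math

# Assumed parameters for this illustration. The page does not state LastPass's
# real KDF settings or what hardware an attacker has, so treat these as placeholders.
ASSUMED_ITERATIONS = 100_100          # PBKDF2 rounds assumed per key derivation
ASSUMED_HASHES_PER_SECOND = 1e10      # assumed SHA-256 throughput of a cracking rig
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256 (assumed KDF).

    An attacker holding a stolen vault runs exactly this function once per guess,
    so the cost of one derivation is the cost of one guess.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(bits: float, iterations: int = ASSUMED_ITERATIONS,
                            hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Expected offline cracking time: half the keyspace, each guess costing `iterations` hashes."""
    expected_guesses = 2.0 ** (bits - 1)
    return expected_guesses * iterations / hashes_per_second / SECONDS_PER_YEAR


def compare_password_classes() -> dict:
    """Contrast a generator-made password with a memorable human-chosen one.

    30 bits is an assumed figure for a typical human-chosen password; real
    estimates vary, but they are nowhere near the 100+ bits of a random one.
    """
    return {
        "random_16_printable": expected_years_to_crack(entropy_bits(16, 94)),
        "human_30_bits_default_iterations": expected_years_to_crack(30.0),
        # More iterations help, but only linearly: 6x the rounds buys 6x the time.
        "human_30_bits_600k_iterations": expected_years_to_crack(30.0, iterations=600_000),
    }


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", b"user@example.com", iterations=1000)
    print("vault key:", key.hex())
    for label, years in compare_password_classes().items():
        print(f"{label:36s} {years:.3g} years")
```

The numbers show the asymmetry Goldberg describes: the random 16-character password stays out of reach at any realistic budget, while the 30-bit human-chosen one falls in hours, and raising the iteration count only scales that linearly. The only control that changes the exponent is the entropy of the master password, which is why a stolen encrypted vault is a real exposure for anyone who picked a memorable one.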

What are LastPass users to do?

Security researchers generally agree that the theft of customer password vaults is, in the words of PCMag’s Michael Kan, “about as bad as it can get.” A platform like LastPass relies on customer trust which, in the case of those paying attention, is likely to be at an all-time low.

If you are a LastPass user, here are some suggestions that experts are encouraging you to act on:

Security pros recommend that users simply abandon the platform in favor of managers with a better track record of customer protection. You can export your passwords from LastPass easily.

LastPass users should also operate under the assumption that the entirety of their passwords has been exposed. They should, therefore, change all of their online passwords, giving priority to those associated with financial and medical sites.

Enable multi-factor authentication across all accounts that allow for it.

If you remain with LastPass, change your master password and follow their suggested guidelines. 

Whoever is responsible for stealing LastPass vaults doesn’t need to crack them open to cause trouble. The unencrypted data taken has everything they need to create effective phishing scams. Stay vigilant and be wary of any suspicious texts or emails.

Cybersecurity news weekly roundup January 30, 2023


SAN MATEO, CA, January 30, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

FBI infiltrates Hive ransomware gang for six months, shuts down websites

A statement from the US Department of Justice (DOJ) has revealed that the FBI infiltrated the Hive ransomware gang’s network some six months ago, using its access to warn victims of impending attacks and to provide them with decryption keys. To close the operation, the FBI took down Hive’s websites and communication infrastructure with assistance from Germany and the Netherlands. While all agencies involved are pleased with the results, no arrests have been announced, and experts agree that Hive’s members are likely to rebuild and regroup, possibly under a different name. Read more.

CISA: federal agencies hacked via legitimate remote monitoring and management (RMM) software

CISA, the NSA and MS-ISAC have issued a joint advisory warning that hackers are using legitimate remote monitoring and management (RMM) software to infiltrate networks, including those belonging to the federal government. The preferred vector appears to be help desk-themed phishing emails that contain either a link or a phone number to call to cancel a fraudulent high-priced subscription. Once on the hook, the victim clicks a link that opens their default web browser and downloads malware that connects to a second-stage domain, from which portable versions of AnyDesk and ScreenConnect are fetched. Because these are portable executables, they run without being installed, so they need no administrator privileges and slip past controls that only watch for installed software. This gives the attackers, believed to be mostly financially motivated, hands-on access as the logged-in local user. Read more.
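The chain above ends with a portable RMM client running from wherever the browser dropped it, which is exactly what a detection should key on. As an added example (not from the advisory or its authors), the following triage logic takes process-creation events of the kind Sysmon or an EDR would emit, constructed inline here, and flags AnyDesk or ScreenConnect binaries that run from a user-writable path or are spawned by a browser rather than from an approved install directory. The binary names, the approved-directory policy and the sample events are assumptions for the example.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Client binaries for the two tools named in the advisory. The exact filenames
# are assumptions for this example; extend the set for whatever RMM you sanction.
RMM_IMAGE_NAMES = {"anydesk.exe", "screenconnect.client.exe", "screenconnect.clientservice.exe"}
# Where a sanctioned, installed RMM agent is expected to live (assumed policy).
APPROVED_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|desktop|appdata\\local\\temp|temp)\\", re.IGNORECASE)

# Constructed process-creation events in the shape an EDR or Sysmon Event ID 1 would give.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 2, "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 3, "image": r"C:\Tools\ScreenConnect.Client.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 4, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def classify_event(event: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). Verdict is 'ignore', 'allow', 'medium' or 'high'."""
    image = event["image"].lower()
    parent = ntpath.basename(event["parent_image"].lower())
    if ntpath.basename(image) not in RMM_IMAGE_NAMES:
        return "ignore", []
    reasons = []
    if not image.startswith(APPROVED_INSTALL_DIRS):
        reasons.append("RMM binary outside an approved install directory")
    if USER_WRITABLE.search(image):
        reasons.append("runs from a user-writable path (portable executable, no install needed)")
    if parent in BROWSERS:
        reasons.append("spawned directly by a web browser")
    if not reasons:
        return "allow", reasons
    # Two or more independent signals is the phishing-to-portable-RMM pattern itself.
    return ("high" if len(reasons) >= 2 else "medium"), reasons


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """Events worth an analyst's attention, in input order."""
    flagged = []
    for ev in events:
        verdict, reasons = classify_event(ev)
        if verdict in ("medium", "high"):
            flagged.append((ev["id"], verdict, reasons))
    return flagged


if __name__ == "__main__":
    for event_id, verdict, reasons in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {verdict.upper()} - " + "; ".join(reasons))
```

Event 1 (AnyDesk launched by Chrome out of Downloads) scores high on all three signals, the properly installed ScreenConnect service is allowed, and the copy sitting in C:\Tools is flagged for a look without being treated as an incident. The same rule runs cleanly against an allowlist of sanctioned RMM deployments because legitimate agents live in the approved directories and are started by the service manager, not a browser.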

WordPress redirect campaign hacks 4,500 sites

In a campaign believed to be running since 2017, 4,500 WordPress sites have been hacked to push users to scam pages that feature malicious ads, info-stealing malware and fraudulent browser alerts. Researchers at Sucuri note that the hacks require an “injection of obfuscated JavaScript hosted on a malicious domain named ‘track[.]violetlovelines[.]com.'” The campaign is part of a broader trend in which threat actors are creating malicious websites that mimic legitimate ones and advertise them using Google Ads. To keep the hacks at bay, WordPress users are urged to update all installed themes and plugins, remove those that no longer receive support and change their passwords. Read more.
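Sucuri’s description above is enough to write a first-pass scanner for the injection. As an added example (not Sucuri’s tooling or code from the original article), this script checks theme and plugin files, constructed inline here, for script tags that load from the known malicious host and for inline JavaScript showing the usual obfuscation tells (eval, String.fromCharCode, atob, long hex escapes). The CDN allowlist, the hypothetical site host and the sample files are assumptions; the malicious domain is refanged from the defanged form quoted above.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Host named in the Sucuri research, stored defanged and refanged for matching.
KNOWN_BAD_HOSTS = {h.replace("[.]", ".") for h in {"track[.]violetlovelines[.]com"}}
# Script hosts this hypothetical site legitimately loads from (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com", "ajax.googleapis.com"}

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"<script\b(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
OBFUSCATION_TELLS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"String\.fromCharCode\s*\("), "String.fromCharCode()"),
    (re.compile(r"\batob\s*\("), "atob()"),
    (re.compile(r"(\\x[0-9a-f]{2}){8,}", re.IGNORECASE), "long hex-escaped string"),
]


def script_host(src: str):
    """Hostname of a script src, or None for a same-origin relative path."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return urlparse(src).hostname


def scan_file(path: str, text: str, site_host: str) -> List[Tuple[str, str, str]]:
    """Return (path, severity, detail) findings for one file's contents."""
    findings = []
    for m in SCRIPT_SRC.finditer(text):
        host = script_host(m.group(1))
        if host is None or host == site_host or host in ALLOWED_SCRIPT_HOSTS:
            continue
        if host in KNOWN_BAD_HOSTS:
            findings.append((path, "high", f"script loaded from known malicious host {host}"))
        else:
            findings.append((path, "low", f"script loaded from unlisted external host {host}"))
    for m in INLINE_SCRIPT.finditer(text):
        tells = [name for pat, name in OBFUSCATION_TELLS if pat.search(m.group(1))]
        if len(tells) >= 2:   # one tell alone is common in legitimate minified code
            findings.append((path, "medium", "inline script uses " + ", ".join(tells)))
    return findings


def scan_site(files: Dict[str, str], site_host: str) -> List[Tuple[str, str, str]]:
    out = []
    for path, text in files.items():
        out.extend(scan_file(path, text, site_host))
    return out


# Constructed theme files for a hypothetical site; the injected lines mimic the campaign's shape.
BAD = next(iter(KNOWN_BAD_HOSTS))
SAMPLE_FILES = {
    "wp-content/themes/shop/header.php":
        '<script src="/wp-includes/js/jquery/jquery.min.js"></script>\n'
        '<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>\n'
        f'<script type="text/javascript" src="https://{BAD}/r.js"></script>\n',
    "wp-content/themes/shop/footer.php":
        "<script>eval(String.fromCharCode(118,97,114,32,117,61,34,104,116,116,112,115,58,47,47));</script>\n",
    "wp-content/themes/shop/single.php":
        '<script>document.addEventListener("DOMContentLoaded", function () { console.log("ok"); });</script>\n',
}


if __name__ == "__main__":
    for path, severity, detail in scan_site(SAMPLE_FILES, "shop.example"):
        print(f"[{severity}] {path}: {detail}")
```

Run against a real install, the same logic would walk wp-content and the active theme; the known-host check catches this campaign, while the unlisted-host and obfuscation checks surface the next one that uses a fresh domain. Treat the result as a lead, not a verdict: minified libraries trip single tells routinely, which is why two are required here.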

Emotet malware continues to circulate with new features

Emotet, the seemingly impossible to kill malicious software that emerged as a banking trojan in 2014 and has evolved into a malware distributor, continues to plague the cyber landscape in spite of a 2021 takedown of its infrastructure. Emotet is modular, making it an ideal platform for a range of attacks. Its two newest modifications include an SMB spreader “designed to facilitate lateral movement using a list of hard-coded usernames and passwords” and a Chrome web browser-based credit card stealer. Emotet is circulated via phishing emails and is attributed to cybercrime gang Gold Crestwood AKA Mummy Spider. Read more.

GoTo/LastPass hack worse than initially disclosed, encryption key exfiltrated

GoTo, LastPass’s parent company, has revealed that an August 2022 hack that affected both platforms did more damage than the company initially disclosed. While GoTo stated that no user data was accessed when first commenting on the attack, a statement from LastPass in December revealed that further intrusion took place and that customer data was exposed. In new emails sent to affected customers, GoTo is now alerting them that backup data had been accessed in addition to “an encryption key for a portion of the encrypted data.” GoTo is mandating password resets for affected accounts, but the shifting description of the severity of last year’s breach has called GoTo’s and LastPass’s credibility into question with regard to user privacy. Read more.

FBI: North Korea responsible for $100 million Horizon Bridge theft

The FBI has confirmed that North Korean hackers are behind the June 2022 theft of $100 million in crypto from Harmony’s Horizon Bridge. Lazarus and APT38 have been implicated in the hack, which used social engineering tactics to convince crypto platform employees to download malicious apps. North Korea has been responsible for a number of high-profile crypto hacks in recent years, as the rogue nation uses state-sponsored hacking groups to steal from financial institutions in response to sanctions. Read more.

XLL add-in blocker coming to Microsoft365 to end Excel malware delivery

Microsoft is in the process of adding XLL add-in protection to Microsoft 365 to stymie the rise of malware being spread via Excel. XLL files are add-ins that extend Excel with additional functions; under the hood they are native DLLs, so they can carry arbitrary code, and attackers have found them ripe for phishing campaigns because they are easily disguised as innocuous documents sent from trusted sources. The new protections, expected to begin rolling out in March, signal the company’s desire to make Microsoft 365 a less appealing vector for attackers. Read more.

CISA: critical ManageEngine RCE flaw exploited

Security flaw CVE-2022-47966, a remote code execution vulnerability affecting Zoho ManageEngine products where SAML single sign-on has been enabled, has been added to CISA’s catalog of bugs seen actively exploited by hackers. While the bug was patched in a series of updates that began in October 2022, researchers at Horizon3 have observed that 10% of vulnerable systems remain unpatched. Rapid7 security researchers have observed that, after a successful exploitation, “attackers are disabling real-time malware protection to backdoor compromised devices by deploying remote access tools.” Federal agencies have until February 13 to patch their systems. Private organizations are urged to do the same. Read more.

Samsung Galaxy store exploit allows for remote app installation

Samsung’s Galaxy Store, formerly Samsung Apps and Galaxy Apps, has been found to harbor two vulnerabilities that allow attackers to “stealthily install arbitrary apps or direct prospective victims to fraudulent landing pages on the web.” One flaw, CVE-2023-21433, allows a previously installed rogue app to install a different application from the Galaxy Store. The second flaw, CVE-2023-21434, can be exploited to bypass URL filters and push victims to domains under the attacker’s control, where they may be subjected to malicious links. Users are urged to update all Samsung devices to the current OS version. Read more.

FanDuel: user data exposed in MailChimp breach

Sports betting platform FanDuel has warned users that their data was exposed in the recent breach affecting MailChimp. While critical data was not stolen, FanDuel has stated that names and addresses had been exposed and that users should remain vigilant against phishing attacks that may be created using that information. Customers are also urged to change their passwords frequently and set up multifactor authentication on their accounts. Read more.

More cybersecurity news

The implications of AI for cybersecurity


NetworkTigers debates the possible implications of AI for cybersecurity.

With security experts worldwide predicting what 2023 may have in store for the cyber landscape, all agree that artificial intelligence (AI) and machine learning will play a critical role in how threat actors stage attacks and how organizations and administrators defend against them.

What exactly is AI and machine learning?

AI is the broad capability of a computer to solve problems and make decisions in ways that imitate human reasoning. Most of what is called AI today is built on machine learning, which IBM defines as a discipline that “focuses on the use of data and algorithms to imitate the way that humans learn, gradually improving its accuracy.”

Why is AI controversial?

Historically, the term “AI” brought to mind science fiction stories around rogue computers that become sentient or machines that revolt against their human creators. While a scenario of that nature feels a little less like a fantasy every day, our current engagements with AI are far less cinematic.

We are already accustomed to a degree of machine learning through social media in the form of algorithmically displayed content. Streaming platforms such as Netflix also employ machine learning to suggest what entertainment we may enjoy based on our previously viewed shows and movies. These algorithms are designed to adjust dynamically to our habits without human intervention. They observe our actions, take note of how we respond to what they show us and provide us with similar content to keep us engaging with the platform.

There are ethical arguments to be made about the nature of this type of business model when it comes to social engineering, paid advertisement, the spread of misinformation and the fact that violent content tends to circulate most fluidly. Not to mention that social media platforms can use the power of their algorithms to influence what we see in intentionally inorganic ways that serve the company more so than the individuals who use their apps.

AI is also poised to disrupt employment across all sectors. ChatGPT is an AI chatbot, trained on a vast corpus of text from the internet, that can answer questions, compose content on request and even write working code. From freelance writers and developers to search engine giant Google, ChatGPT is seen as an existential threat to those who make a living using their own minds to generate original content.

AI art generators like MidJourney behave similarly, using the web’s wealth of data to create startlingly high-quality images based on little more than a prompt from a user. They can accommodate requests based on style (oil painting, 70’s photograph, etc.) and even create images that accurately copy an established artist’s style.

Because AI content generators pull their data from copyrighted works, even sometimes “accidentally” including a rights holder’s watermark in their visual output, a debate is boiling as to whether or not such assimilation is a legal violation. In the meantime, however, this has not dissuaded major publishers from illustrating their articles with AI-generated content that effectively cuts the artist out of the deal. This is much to the dismay of creators who have honed their craft only to see paying clients opt for cheaper computer-generated material that may, in fact, still include aspects of their previously published work.

From medical imaging to cargo hauling, AI’s potential to displace a large share of the world’s workforce is leaving many to wonder what their role will be in the upcoming years, especially with ChatGPT reportedly having passed the US Medical Licensing Exam and the Bar Exam.

How threat actors can harness AI

While AI content creation and the employment debate have entered public discourse, the use of AI by criminal enterprises and threat actors has been largely left out of the discussion. Netflix using an algorithm to suggest movies seems innocuous. The same technology used to predict and counter an individual’s behavior in the context of a hack or social engineering scam, however, could result in cyberattacks that are borderline impossible to dodge.

Weaponized Chatbots

Bots like ChatGPT can already create content in the voice of people whose mannerisms are entrenched in popular culture. Want a sugar cookie recipe written up in the voice of Barack Obama addressing the United Nations? Within five seconds, you’ll have it.

Beyond reports that hackers are already using ChatGPT to write malware more efficiently, chatbots can be used to communicate with victims fluently in their native language, avoiding the poor grammar that is often a telltale sign of a scam. Advancements in natural inflection and responses are also being developed to create convincing fake personas on dating sites and other platforms where people may be persuaded to make purchases or send money to someone that is, in fact, just a carefully curated automation.

This same AI technology could be fed a diet of a specific person’s mannerisms and used to create spear phishing attacks subtle enough to trick even the savviest internet user into believing that they are texting with their boss or family member.

Deepfakes

Deepfake technology is a form of machine learning that can create convincing video content of a person after scanning images of their face to build a three-dimensional interpretation of how they look with various expressions. This interpretation can then be tracked to a live actor’s face as they emote and speak, resulting in what looks like the deepfaked person performing said actions.

This technology is being applied extensively to filmmaking. Disney has been investing heavily in its proprietary deepfake algorithms, using them to de-age actors and even bring an 80s-era Mark Hamill to the screen as Luke Skywalker in “The Mandalorian.”

Amazingly, a YouTuber took issue with Disney’s original Skywalker deepfake and created a version that was so superior that they were hired to work on future episodes. While this story is interesting because it shows how a talented, determined artist can eclipse the efforts of a multi-billion dollar global entertainment empire from their desktop computer, it also highlights the danger within reach of hackers.

Criminals will surely use deepfake technology for everything from creating fraudulent videos of workplace superiors requesting login data to fabricating footage of political leaders making inflammatory statements or engaging in controversial behavior. We are entering an era in which it will become more and more difficult to discern fact from fiction. It is this very level of universal uncertainty that bad actors, some state-sponsored, will be able to capitalize on via social engineering schemes that employ deepfakes.

Currently, a deepfake’s ability to create a realistic facsimile depends on the quality and quantity of photographs it is trained on, making celebrities ideal candidates due to the amount of material available. Even those who have never heard the term before are likely familiar with the comedic social media accounts that feature digitally impersonated versions of actors like Tom Cruise and Keanu Reeves performing mundane daily tasks. 

As technology advances, however, it will certainly be able to do more with less. This means that it may eventually only take a handful of photographs for a threat actor to assemble a deepfake realistic enough to do serious damage.

Deepfaked audio is also within reach. To once again cite Disney, the voice of Darth Vader in their recent “Obi-Wan Kenobi” was generated entirely by AI company Respeecher. James Earl Jones provided none of his iconic voice work for the character, whose lines were generated by a computer having been trained on the actor’s decades of recordings. Soon, we may not even be able to trust a voice call fully.

Staging and executing dynamic attacks

In a battle as old as computers themselves, criminals and developers have been playing leapfrog, each side discovering something about the other and then responding accordingly. A new exploit results in developers releasing a software update to fix the bug. Conversely, every new software version sees hackers poking and prodding for unnoticed weaknesses. 

AI is predicted to end this turn-based scenario, as security firms and criminals alike employ dynamic programs that can predict the moves of their adversary, react in real-time to thrown punches and swoop in for the kill the moment a weakness is revealed. The days of patch downloads and emails encouraging users to download the latest OS version will seem old fashioned as AIs duel in cyberspace, trading thousands of blows a second and even self-patching before an administrator knows their network is under siege.

While that scenario may not unfold just yet, malware that can evolve to bypass detection and remain hidden within systems is a major concern for security developers. Standard, static defensive measures simply won’t be up to the task. They will have to be supplemented, or completely replaced, with an infrastructure that has the brains needed to actively hunt down evasive threats.

How can we defend against malicious AI usage?

It’s plain to see that we are on the verge of an arms race around AI’s use in cyberspace. Thankfully, run-of-the-mill criminals simply don’t have access to the best minds in Silicon Valley when it comes to creating proprietary technology. This means that attacks in the near future will likely only leverage familiar, widely available tools similar to ChatGPT. 

However, just as we’ve witnessed a YouTuber take on Disney and beat them at their own game, tech advances are continually leveling the playing field. Additionally, state-sponsored hacking enterprises in countries like Russia and China can focus their resources on developing competitive tools or, as is often the case, simply steal them from others via run-of-the-mill espionage and data exfiltration.

Ultimately, organizations would do well to begin to integrate AI into business operations wherever possible while still maintaining essential cybersecurity best practices like regular staff training on current threats, mandatory multifactor authentication and adopting a zero trust model. As more antivirus and cloud-based security providers integrate AI into their offerings, we can expect the shift to happen organically, as long as administrators keep their defenses regularly updated.

An uncertain future …

AI’s role in cybersecurity may seem fraught, but Monica Oravcova, COO and co-founder of cybersecurity firm Naoris Protocol, feels that AI’s integration could very well be a net positive for the cyber landscape as long as those on the right side of it act quickly to set the stage.

Regulation, as noted by Oravcova, moves at a glacial pace compared to technological advancement and market adoption. Therefore, it is essential that organizations set themselves up to battle evolving threats while also maintaining an ethical implementation of their own usage of AI as it relates to their users and customer data and privacy. 

Whether or not such a degree of faith ought to be placed in corporate entities that are foundationally designed to prioritize growth over societal wellbeing and have thus far proven less than stellar at keeping customer and user data out of the hands of criminals is another matter of debate entirely. What is certain, however, is that AI’s utilization and integration into our daily lives is no longer looming in the future, but here now and in for the long haul.

Network automation: what it is and how to do it


NetworkTigers discusses network automation best practices.

Managing the integration of applications is becoming difficult as companies continue to expand their operations into several virtual and physical locations to support a global workforce. Businesses are also trying to navigate complicated multi-cloud landscapes, as well as struggling with the need for increased performance and speed to transfer more information. 

This increasing network complexity burdens enterprises and hinders growth. Fortunately, automation helps standardize your network structure by letting you automate difficult networking tasks, and it helps you build a more reliable business network.

What is network automation?

Network automation is the process of using software to manage network services and resources. This process eliminates the manual and outdated processes involved in managing networks like logging into firewalls, switches, and routers to update configurations manually.

Network automation can help you test, operate, configure and deploy components in your network. You can use a software-defined network (SDN) to achieve network automation. An SDN makes controlling and automating the networks easy as it introduces network virtualization capabilities. 

How does network automation work?

Network automation helps in managing services and resources by allowing IT staff to scale, integrate and configure applications automatically. The IT staff can automate networks with programmable logic on devices’ command line interfaces (CLIs) to enable the nodes to perform automated actions such as bandwidth control and network filtering.

The IT administrator creates programmable scripts and logic using a graphical UI, the devices’ CLI, automation tools or external systems to automate and control the network. After that, the administrator executes the scripts via the API or CLI and manages all the devices within the network from a centralized control panel.
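The workflow above, a script that compares what a device is actually running against a standard configuration and flags or corrects deviations, as an added Python example that is not part of the original article or of any product it mentions. The golden baseline, the running configuration and the IOS-like syntax are constructed for the example; the remediation commands it produces follow a naive “missing line gets pushed, extra line gets a no prefix” rule and would be reviewed before being sent to a real device.

```python
import difflib
import re
from typing import Dict, List, Tuple

# Constructed golden (standard) configuration and a running configuration pulled from a
# device. IOS-like syntax is assumed; neither is a real device's config.
GOLDEN = """\
hostname edge-sw-01
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 10 0
snmp-server community R3adOnly!2023 RO
logging host 10.0.0.50
"""

RUNNING = """\
hostname edge-sw-01
ip http server
ip ssh version 2
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
snmp-server community public RO
snmp-server community R3adOnly!2023 RO
logging host 10.0.0.50
"""

# Policy checks that hold regardless of what the golden file says (assumed policy).
FORBIDDEN = [
    (re.compile(r"^ip http server$"), "cleartext HTTP management enabled"),
    (re.compile(r"^\s*transport input\b.*\btelnet\b"), "telnet accepted on vty lines"),
    (re.compile(r"^snmp-server community (public|private)\b"), "default SNMP community string"),
]


def normalize(config: str) -> List[str]:
    """Drop blank and comment lines; keep indentation since it carries section structure."""
    return [l.rstrip() for l in config.splitlines() if l.strip() and not l.lstrip().startswith("!")]


def drift(golden: str, running: str) -> List[str]:
    """Lines that differ from the standard, as +/- entries of a unified diff."""
    diff = difflib.unified_diff(normalize(golden), normalize(running), "golden", "running", lineterm="", n=0)
    return [l for l in diff if l[:1] in "+-" and not l.startswith(("+++", "---"))]


def policy_violations(running: str) -> List[Tuple[int, str]]:
    """(line number, message) for every forbidden setting in the running config."""
    hits = []
    for lineno, line in enumerate(normalize(running), 1):
        for pattern, message in FORBIDDEN:
            if pattern.search(line):
                hits.append((lineno, message))
    return hits


def remediation_commands(golden: str, running: str) -> List[str]:
    """Naive convergence: push missing golden lines, negate extra running lines.
    Review before use; real syntax (section context, 'no' forms) needs a per-platform driver."""
    golden_lines, running_lines = normalize(golden), normalize(running)
    cmds = [l.strip() for l in golden_lines if l not in running_lines]
    for l in running_lines:
        if l not in golden_lines:
            s = l.strip()
            cmds.append(s[3:] if s.startswith("no ") else "no " + s)
    return list(dict.fromkeys(cmds))   # de-duplicate, preserving order


def audit(golden: str, running: str) -> Dict[str, object]:
    return {"drift": drift(golden, running),
            "violations": policy_violations(running),
            "remediation": remediation_commands(golden, running)}


if __name__ == "__main__":
    report = audit(GOLDEN, RUNNING)
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print("  ", item)
```

On the constructed input the audit reports five drifted lines, three policy violations (the HTTP server, telnet on the vty lines and the public SNMP community) and four commands that would bring the device back to standard. The policy checks are deliberately separate from the diff: a golden file can itself be wrong, and a hard rule against telnet or default community strings catches that too.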

Top 4 network automation tools

Automation tools can assist you in automating numerous everyday networking tasks like dynamic provisioning and inventory management, as well as predicting and analyzing bandwidth usage. You can also remotely control access ports and change configurations across your organization. Here are network automation tools to help you meet your enterprise’s requirements.

SolarWinds Network Configuration Manager

Network Configuration Manager is user-friendly and easy to install. The tool features robust automated processes to manage medium and large networks. Its automation system enhances network reliability by allowing businesses to schedule automated backups, create standard configurations and push them to devices on the network.

This bulk capability allows users to perform quick adjustments, saving energy and time while minimizing human error. Network Configuration Manager logs device configuration and user activity to maintain compliance with regulations for switches and routers from Juniper, Cisco, Dell, and more.

This tool also issues email alerts when it detects changes in your network. You can also check for unauthorized changes, reverse those changes efficiently and troubleshoot problems. 

WhatsUp Gold

WhatsUp Gold is a tool for monitoring devices, applications and networks from one central dashboard; its Network Configuration Management add-on module extends it with configuration management. The tool queries the status of devices on your network via the Simple Network Management Protocol (SNMP).

WhatsUp Gold then tests all the operations while the Network Configuration Management add-on feature scans the configuration of devices. This process allows for the automation of network device monitoring as it logs active devices on the network into an inventory.

The system dashboard then creates standardized configurations for each category of model and device. It also identifies and flags any deviation from a certain set-up through email alerts.

ManageEngine Network Configuration Manager

This tool uses a script-based approach to centralized control and configuration backup. Designed to manage configurations for firewalls, routers and switches, ManageEngine Network Configuration Manager backs up device settings as snapshots, making it easy to perform automated or manual rollbacks after unexpected changes.

The tool is ideal for large enterprises that want to manage compliance auditing, user activity tracking, and real-time network configuration. It also allows for remote configuration management using its iOS application.

ManageEngine Network Configuration Manager uses Configlets, templates that allow users to schedule and automate commands to enable SNMP or change passwords. The system sends out email alerts each time Configlets are executed.

GFI’s Exinda Network Orchestrator

GFI’s Exinda Network Orchestrator provides real-time network monitoring and gives you control over your network’s security, performance, and resources. This helps you improve the quality of your networking applications and services.

The tool has a user-friendly dashboard to help you identify performance issues and network use. You can also use GFI’s Exinda Network Orchestrator to orchestrate bandwidth scalability and usage to enhance application performance. 

How NetworkTigers can help

Network management is a crucial component of IT infrastructure that helps organizations avoid security issues, ensure high performance, and reduce disruptions. We can help your business lower maintenance and operational costs by automating crucial network processes. Ready to automate your network so that you improve your system’s efficiency? Contact us today to learn about your options for cost savings. 

Cybersecurity news weekly roundup January 23, 2023

roundup january 23

SAN MATEO, CA, January 23, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Remote code execution vulnerability discovered in Microsoft Azure

A remote code execution vulnerability in Microsoft Azure could allow a threat actor to deploy a malicious ZIP file to a target’s Azure application and take control of it. Successful exploitation of the flaw, which has been dubbed EmojiDeploy, could also let attackers steal data or move laterally within the Azure environment. After being notified of the flaw, Microsoft patched the vulnerability with an update. Read more.

T-Mobile hacked again, 37 million accounts breached

Just as T-Mobile rounds out the last phase of a settlement from a 2021 data breach, it has reported that a threat actor has had access to data associated with 37 million of the mobile carrier’s customers since November of 2022 after taking advantage of one of its “application programming interfaces.” The information available to the hackers includes “names, billing addresses, email addresses, phone numbers and birth dates of its customers, their T-Mobile account numbers, and information on which plan features they have with the carrier and the number of lines on their accounts.” T-Mobile is downplaying the breach, saying that no passwords, Social Security numbers or payment data were accessible and that any data leaked was already publicly available. Read more.

Mailchimp hacked via social engineering attack

Mailchimp has reported that customer data was exposed in a social engineering attack that targeted employees and contractors. The attack described is almost identical to a hack against the company in August of last year, after which Mailchimp put in place “an additional set of enhanced security measures.” While those measures were not described, they appear to have been ineffective in preventing a threat actor from using the same techniques as before to breach the company’s security and access customer support and account administration tools. Read more.

New Hook malware sets its sights on Android users

DukeEugene, the malware developer responsible for the ERMAC and BlackRock banking trojans, has released another piece of malware called Hook. Hook adds features that let attackers access device files and “create a remote interactive session” to use the device’s screen. The malware, which also has RAT capabilities and device tracking, can be rented for $7,000 a month and is sure to cause headaches for Android users as it gains traction in the wild. Read more.

Nissan: customer data exposed by third-party supplier

Nissan North America has disclosed that data associated with almost 18,000 customers was leaked by a supplier and may have been accessed by an unauthorized third party. Nissan says the data was provided to the supplier to conduct a software test and that some of it was mistakenly exposed. The information in the breach includes customer names, birth dates, and numbers associated with vehicle financing. While the exposed data is not highly sensitive, Nissan warns that it could be used to stage phishing attacks. Read more.

Remote code execution flaws found in Netcomm and TP-Link routers

Two sets of vulnerabilities have been discovered in Netcomm and TP-Link routers that can be used to achieve remote code execution. Netcomm router models NF20MESH, NF20 and NL1902 running software versions earlier than R6B035 are vulnerable to CVE-2022-4873 and CVE-2022-4874, which can be chained together to let an attacker run code remotely. TP-Link routers WR710N-V1-151022 and Archer-C5-V2-160201 are vulnerable to CVE-2022-4499 and CVE-2022-4498, which can lead to remote code execution and information disclosure. Read more.

Russian hackers observed testing ChatGPT’s restrictions with malicious intent

Check Point Research has observed Russian hackers trying to bypass or circumvent the restrictions on the ChatGPT AI chatbot in order to use the technology for malicious activity. From using stolen credit cards to pay for unlimited access to bypassing the tool’s geo-restrictions, the dark web is abuzz with threat actors poking and prodding for ways to weaponize the technology against their victims. Check Point has already observed hackers using ChatGPT to create infostealers, encryption tools and other malicious code. Read more.

GitHub Codespaces can be abused to deliver malware

GitHub Codespaces, “a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code,” can be abused by a threat actor to create a malicious file server. Cybersecurity firm Trend Micro, in a proof-of-concept demonstration, showed how an attacker could create a codespace, download malware into the environment from a domain that they or another threat actor control, and then set the visibility of the forwarded port to public, so that the codespace acts as a web server hosting malicious content. The technique has yet to be observed in the wild. Read more.

Network of fake, cracked software used to spread Raccoon and Vidar stealers

A network of more than 250 domains that purportedly offer cracked versions of popular software is being used to infect users with Raccoon and Vidar information stealers, according to findings from French cybersecurity firm SEKOIA. The domains, which ultimately lead victims to download malicious files from GitHub, appear to be operated by a threat actor that rents them out to purveyors of malware. An alternate means of attack sees victims linked to the domains via phishing emails that masquerade as having been sent from banking institutions. Read more.

Norton LifeLock breached, exposing customer password managers

Norton LifeLock has released a data breach notice alerting customers to a breach in which password manager accounts were exposed. According to the company, the breach was likely the result of a credential-stuffing campaign rather than a compromise of its own systems. Gen Digital, Norton LifeLock’s parent company, has sent the notice to around 6,450 users affected by the breach. According to Gen Digital, account breaches occurred as early as December 1st, 2022. Read more.
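The distinguishing feature of credential stuffing, as opposed to a compromise of the service itself, is visible in the authentication logs: one source hammers many different accounts with credentials taken from other breaches, most attempts fail, and the few that succeed are the accounts that need a forced reset. The following is an added example, not Norton LifeLock’s or Gen Digital’s detection logic, that scores source IPs over a constructed batch of login log lines; the log format and the thresholds are assumptions.

```python
"""Flag credential-stuffing sources in login logs.

Added example with a constructed log format of the form
  <timestamp> ip=<addr> user=<account> result=OK|FAIL
A source is flagged when it touches at least `min_users` distinct accounts
and at least `min_fail_ratio` of its attempts fail. Successful logins from a
flagged source are reported as likely account takeovers.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()


def credential_stuffing_sources(lines, min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources whose behaviour matches credential stuffing."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": set()})
    for ev in parse(lines):
        s = stats[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(ev["user"])

    flagged = {}
    for ip, s in stats.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                # Accounts that accepted a stuffed credential: reset these first.
                "compromised": sorted(s["hits"]),
            }
    return flagged


# Constructed sample: one stuffing source, one user who mistyped a password
# twice, and one clean login (addresses are from the documentation ranges).
SAMPLE_LOG = """
2022-12-01T03:14:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2022-12-01T03:14:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2022-12-01T03:14:02Z ip=203.0.113.5 user=carol@example.com result=FAIL
2022-12-01T03:14:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2022-12-01T03:14:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2022-12-01T03:14:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2022-12-01T03:14:04Z ip=203.0.113.5 user=grace@example.com result=OK
2022-12-01T03:14:05Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2022-12-01T08:02:10Z ip=198.51.100.7 user=bob@example.com result=FAIL
2022-12-01T08:02:31Z ip=198.51.100.7 user=bob@example.com result=FAIL
2022-12-01T08:03:05Z ip=198.51.100.7 user=bob@example.com result=OK
2022-12-01T09:00:00Z ip=192.0.2.9 user=alice@example.com result=OK
""".strip().splitlines()

if __name__ == "__main__":
    for ip, summary in credential_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The user at 198.51.100.7 fails twice and then succeeds, but touches a single account, so the distinct-user threshold keeps it out of the result; the source at 203.0.113.5 is flagged with one compromised account. A real deployment would bucket by time window and also rate the login endpoint by total failures across all sources, since large campaigns spread attempts over many addresses to stay under a per-IP threshold.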

More cybersecurity news