SAN MATEO, CA, May 6, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
US government warning about North Korean spoofing emails
A joint advisory from the National Security Agency (NSA), the FBI, and the Department of State warns of a North Korean campaign that spoofs legitimate, trusted sources. According to the NSA, “The DPRK [Democratic People’s Republic of Korea] leverages these spear-phishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets’ private documents, research, and communications.” The campaign exploits improperly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) DNS record policies to send emails that appear to come from a legitimate domain’s mail server. The activity is attributed to the threat cluster tracked as Kimsuky. Read more.
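The advisory’s point is a configuration one: a DMARC record whose policy is p=none (or one that applies its policy to only a fraction of failing mail) tells receiving servers to deliver messages that fail authentication, which is exactly what a spoofing campaign needs. The following Python, added here and not part of the NSA/FBI advisory or of NetworkTigers’ roundup, parses a DMARC TXT record and flags the settings that leave a domain spoofable so a domain owner can review their own record. The sample records are constructed; fetching the real record at _dmarc.<domain> is a single DNS TXT query left to the caller so the check runs offline.

```python
"""Check a DMARC TXT record for the weak policy settings that let mail with a
forged From: domain be delivered.

Added example, not code from the advisory or from NetworkTigers. Records are
supplied as strings so the check runs offline; looking up the live record at
_dmarc.<domain> (a DNS TXT query) is left to the caller.
"""

from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    tags: dict
    findings: list = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when every message failing DMARC is quarantined or rejected."""
        return not any(f.startswith("WEAK") for f in self.findings)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dict.

    A DMARC record is a ';'-separated list of tag=value pairs (RFC 7489, 6.3).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Flag the settings a spoofing campaign benefits from.

    WEAK findings mean spoofed mail can still reach inboxes; INFO findings
    only reduce the domain owner's visibility and do not loosen enforcement.
    """
    tags = parse_dmarc(record)
    result = DmarcAssessment(tags)
    note = result.findings.append

    # No record, or a wrong version tag, means receivers apply no policy at all.
    if tags.get("v") != "DMARC1":
        note("WEAK: no 'v=DMARC1' tag; receivers treat the domain as unprotected")
        return result

    policy = tags.get("p", "").lower()
    if policy == "none":
        note("WEAK: p=none only requests reports; failing mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        note(f"WEAK: p={policy!r} is missing or invalid; receivers fall back to no policy")

    # pct below 100 applies the policy to only a sample of failing messages.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        note(f"WEAK: pct={pct} applies the policy to only part of the failing mail")

    # Subdomains inherit p unless sp overrides it; sp=none reopens all of them.
    if tags.get("sp", "").lower() == "none":
        note("WEAK: sp=none leaves every subdomain unprotected")

    # Relaxed alignment is the default and acceptable, but worth knowing about.
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            note(f"INFO: {tag} is relaxed; any subdomain of the From: domain aligns")

    if "rua" not in tags:
        note("INFO: no rua= address, so the owner receives no aggregate reports")
    return result


if __name__ == "__main__":
    # Constructed sample records; example.com is a placeholder, not a real lookup.
    samples = {
        "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "half-enforced": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
        "enforced": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    }
    for name, record in samples.items():
        assessment = assess_dmarc(record)
        print(f"{name}: {'enforcing' if assessment.enforcing else 'NOT enforcing'}")
        for line in assessment.findings:
            print("   ", line)
```

Run against the three constructed records, only the last is reported as enforcing; the monitor-only record is the configuration the advisory describes, since a p=none policy instructs receivers to deliver mail that fails SPF and DKIM alignment. The INFO findings are deliberately separate from WEAK ones: strict alignment and aggregate reporting improve visibility, but the presence of p=reject with pct=100 is what actually blocks a forged From: header.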
Indonesia is hotbed for spyware
Research from Amnesty International has revealed Indonesia to be a hub for the “extensive sales and deployment of highly invasive spyware and other surveillance technologies in Indonesia between 2017 and 2023.” The nation is reportedly “relying on a murky ecosystem of surveillance suppliers, brokers, and resellers that obscures the sale and transfer of surveillance technology.” The research also implicates the Indonesian government, as agencies are buyers of many spyware tools. The absence of regulatory laws regarding the lawful use of surveillance tools is partly to blame, notes Amnesty, concluding their report by saying that a lack of relevant regulation “leaves the public in the dark and poses a significant risk to civil society in Indonesia.” Read more.
Dropbox Sign discloses breach affecting all users
Dropbox has disclosed that the cloud storage company’s digital signature service, Dropbox Sign, experienced a breach by unknown threat actors who could access emails, usernames, and other account information belonging to all platform users. Dropbox stated, “For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.” The breach is restricted to Dropbox Sign infrastructure, and there is no evidence that the hackers accessed the users’ agreements, templates, or payment information. It is believed that the threat actors “gained access to a Dropbox Sign automated system configuration tool and compromised a service account that’s part of Sign’s backend, exploiting the account’s elevated privileges to access its customer database.” Read more.
Affiliate of REvil ransomware gang receives 13-year prison sentence
Yaroslav Vasinskyi, a 24-year-old Ukrainian national, has been sentenced to 13 years and seven months in prison by a US court for his involvement in more than 2,500 ransomware attacks and ransom demands that total over $700 million. Vasinskyi, whose online alias was Rabotnik, must also pay more than $16 million in restitution. His sentencing follows a global operation that saw him extradited from Poland to the United States, where he faced charges. FBI Director Christopher Wray said, “We will continue to relentlessly pursue cyber criminals like Vasinskyi wherever they may hide, while we disrupt their criminal schemes, seize their money and infrastructure, and target their enablers and criminal associates to the fullest extent of the law.” Read more.
US government releases resources addressing threats posed by AI
The Department of Homeland Security (DHS) has released new resources designed to help address the latest threats posed by advances in AI. The information features guidelines on mitigating AI-related threats to critical infrastructure and “a report focusing on AI misuse in the development and production of chemical, biological, radiological and nuclear (CBRN).” The release of the resources follows last week’s establishment of the Artificial Intelligence Safety and Security Board, which “comprises technology and critical infrastructure executives, civil rights leaders, academics and policymakers, among others, aiming to advance responsible AI development and deployment.” The DHS also described a four-part mitigation strategy, “Governance, mapping individual AI use context and risk profiles, measuring and tracking AI risks, and managing identified risks to safety and security.” Read more.
Traveler details exposed in Qantas Airways app
Sensitive data belonging to Qantas Airways customers was exposed to other, unrelated users due to a misconfiguration in the company’s app. People reported on social media that they could view personally identifiable information, boarding passes, travel details, and account data for other customers. Responding to the reports, Qantas Airways confirmed that an issue on their end had taken place and recommended that all users log out of their “Frequent Flyer” account on the app and be aware that scams may target them due to the leaked data. According to a statement from the airline, “no further personal or financial information was shared, and customers would not have been able to transfer or use the Qantas Points of other frequent flyers.” Read more.
Change Healthcare unprotected by multi-factor authentication
According to UnitedHealth, the parent company of Change Healthcare, the ransomware attackers that accessed the company’s network used stolen credentials associated with a system unprotected by multi-factor authentication. CEO Andrew Witty testified that the cybercriminals “used compromised credentials to remotely access a Change Healthcare Citrix portal” but did not elaborate on how they gained the credentials required. The fallout from the pair of attacks the company faced has resulted in a loss of $870 million and the exposure of health data belonging to a “substantial proportion of people in America.” To put the impact the hack had on the company into perspective, UnitedHealth made nearly $100 billion in revenue during the same quarter the attack happened. Read more.
UK law set to ban default device passwords
Default passwords printed on smart devices have been a scourge, allowing threat actors to share lists of them that can then be used to hack into business or home networks belonging to users who simply haven’t changed them. However, a new law in the UK set to take effect this month will prohibit manufacturers from using them. According to the UK National Cyber Security Centre (NCSC), “the law, known as the Product Security and Telecommunications Infrastructure Act (or PSTI act), will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks.” Companies that fail to comply with the law are susceptible to recalls and financial penalties in the form of fines up to $12.5 million. Read more.
Nation-state actors appear to be using Africa as a testing ground for cyberattacks
Research from Performanta suggests that nation-state actors are targeting developing countries in Africa to test cyber warfare strategies that could then be launched against more sophisticated nations. “Attackers likely perceive attacking Africa to have fewer risks to themselves than directly attacking the West, and as a bridge to the Western world, methods are likely tried and tested in Africa first, before being deployed across developed countries later,” says Performanta’s CEO Guy Golan. The firm’s research indicates that trained hackers carried out most cyberattacks against African countries, and the most targeted industries on the continent are finance, energy, and manufacturing. Read more.
Fraudulent US Post Office websites get more traffic than the real thing
Akamai Technologies reports that its analysis of phishing campaigns that spoof the United States Post Office shows that fake USPS sites get as much, sometimes more, traffic than the actual domain. “The amount of traffic to the illegitimate domains was almost equal to the amount of traffic to legitimate domains on a normal day — and greatly exceeded legitimate traffic during the holidays.” The sites are designed to look nearly identical to the official one, and people are often directed to them via text messages or emails that say a package has been delayed or delivered. With so many purchases made during the holiday season, it’s little wonder that these campaigns are so effective. SMS messages that purport to be from a package delivery service should be carefully scrutinized. It is recommended that customers only use official websites for package tracking. Read more.