This week's Cybersecurity Headlines – Week in Review, September 26-30, is hosted by Rich Stroffolino with our guest, Sara Lazarus, Vice President and Chief Trust and Safety Officer, Stavvy.
Here are some of the stories we are going to cover TODAY. Please join us live every Friday at 12:30 p.m. PT/3:30 p.m. ET by subscribing to the open discussion on YouTube Live.
London police arrest 17-year-old hacker suspected of Uber and GTA 6 offenses
City of London Police revealed on Friday that they arrested a 17-year-old from Oxfordshire on suspicion of hacking. The department said the arrest was made as part of an investigation in partnership with the UK’s National Crime Agency cybercrime unit. No further details of the nature of the investigation have been released, although it is suspected the law enforcement action may be connected to the recent string of high-profile hacks targeting Uber and Rockstar Games. Both intrusions were allegedly committed by the same threat actor, who goes by the name Tea Pot (aka teapotuberhacker). Uber, for its part, pinned the offense on an attacker (or attackers) it claims is associated with the LAPSUS$ extortion gang, two members of which face fraud charges. According to cybersecurity company Flashpoint, the real identity of the hacker behind the two incidents was leaked to an illicit online forum.
Study finds organizations are inundated with cybersecurity incidents
A new report from security vendor Trellix found that an average SecOps team handled 51 cybersecurity incidents per day. 36% said they saw considerably more, dealing with 50-200 incidents per day. 46% agreed they were “inundated by a never-ending stream of cyber-attacks”. Siloed systems remained a common problem, with 60% saying that poorly integrated products reduced the effectiveness of their organization's response. It also appears to be costing organizations money, with 84% estimating incident losses at 10% of their annual revenue.
Finnish intelligence warns that Russia ‘is very likely’ to turn to cyber in winter
The head of Finland’s Security Intelligence Service (Suojelupoliisi or SUPO) says it is ‘highly likely that Russia will turn to the cyber environment over the winter’ for espionage, due to the challenges now affecting its human intelligence work. In the unclassified National Security Preview 2022, published on Thursday, SUPO said Russia’s traditional approach to intelligence gathering using spies under diplomatic cover “has become much more difficult since Russia launched its war of aggression in Ukraine, as many Russian diplomats were expelled from the West”. SUPO found that Russian citizens who hold critical positions in Finland are particularly at risk of coercion from Russian authorities.
Attackers impersonate CircleCI platform to compromise GitHub accounts
GitHub warns of an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The company learned of the attacks against its users on September 16, and noted that the campaign affected many victim organizations, though not GitHub itself. Phishing messages claim that a user’s CircleCI session has expired and attempt to trick recipients into logging in with their GitHub credentials. The company stressed that accounts protected by hardware security keys are not vulnerable to this attack.
Lazarus group targets macOS users
We’ve seen a number of threat groups use the booming job market as a convenient vector for cyberattacks. SentinelOne security researchers report that the North Korea-linked Lazarus group is running a campaign targeting macOS users, luring them with Crypto.com job postings. ESET and Malwarebytes initially reported on the campaign last month, when it targeted Windows users with similar crypto-related job lures. It is unclear how the campaign delivers the initial malware payload; some reports suggest private messaging on LinkedIn. These likely represent short-term campaigns focused on theft, given that the threat actors are not masking any of the binaries used in the attacks.
Thanks to today’s episode sponsor, Votiro
The geopolitics behind the recent wave of DDoS
It seems that in 2022 we’ve been talking about another record DDoS attack every two weeks. A new report from NETSCOUT suggests these likely stem from an increase in wars and regional conflicts during the year. The company tracked over six million DDoS incidents, finding that they consumed 57% more bandwidth than last year. While the total number of DDoS attacks remained constant, the additional bandwidth reflects greater intensity. Countries with ties to the war in Ukraine have been hardest hit: Finland has seen a 258% increase in DDoS attacks since applying for NATO membership. Ireland, India, Taiwan, Belize, Romania, Italy, Lithuania, Norway, Poland and Latvia also saw notable increases.
Leaked ransomware generator used in attacks
Last week, a LockBit 3.0 builder leaked on Twitter, the result of an apparent falling-out between the ransomware operator and its developer. The leak opened the door for anyone to build a working encryptor and decryptor for attacks. Bleeping Computer has confirmed that a new ransomware group called “Bl00Dy Ransomware Gang” did just that against a Ukrainian victim. The group previously made extensive use of Conti ransomware, targeting a group of medical practices in New York. It made some slight changes to LockBit 3.0, but the builder's output remains functionally the same.
Cloudflare hopes Turnstile can replace CAPTCHAs
Fast Company shuts down after cyberattack
Late on September 27, Apple News sent notifications from the Fast Company publication containing racist and obscene language. Apple then suspended the publication's channel on the app. Fast Company has confirmed that a threat actor hacked into its Apple News account, saying it suspended its feed and shut down FastCompany.com while it investigated. Before the takedown, the attacker appeared to post a message on the site claiming to have obtained a shared password with administrator access. The post also pointed to a dark web forum where the attacker claims they will post thousands of employee records and draft posts from the publication. The attacker said they did not obtain customer information because the site stores that information on a separate server.
Researchers Uncover Covert Attack Campaign Targeting Military Contractors
A new covert attack campaign has targeted several military companies and arms contractors with spear-phishing emails that trigger a multi-step infection process designed to deploy an as-yet-unknown payload to compromised machines. The highly targeted intrusions, dubbed STEEP#MAVERICK by Securonix, also hit a strategic supplier of the F-35 Lightning II fighter jet. Since late summer 2022, infection chains have begun with a phishing email carrying a ZIP archive attachment containing a shortcut file that pretends to be a PDF document about “Company and Benefits”. The shortcut is then used to retrieve a stager (an initial binary used to download the desired malware) from a remote server.
IRS warns of wave of ‘industry-scale’ smishing
In a news alert yesterday, the tax agency said it had identified thousands of bogus domains so far in 2022 used to facilitate so-called ‘smishing’ scams designed to steal victims' personal and financial information. Faked to appear as if they were sent by the IRS, these text messages often use lures like fake COVID relief, tax credits or help with setting up an IRS online account, the agency said. They may ask for personal information or secretly download malware to the user’s device by tricking them into clicking on a malicious link. “This is industrial-scale phishing, so thousands of people are at risk of receiving these fraudulent messages,” IRS Commissioner Chuck Rettig said.