Cyber Security Headlines: Pakistan investigating nationwide blackout, FBI identifies Horizon Bridge hackers, GoTo hack bigger than first reported

Pakistani authorities investigating whether cyberattack caused nationwide blackout

On Tuesday, Pakistan’s energy minister, Khurram Dastgir Khan, said that there was a “remote chance” that Monday’s nationwide blackout, which left millions without power, was caused by hackers. While cyberattacks on power grids are relatively rare, power outages have recently become common in Pakistan, due to an ongoing economic crisis and last year’s devastating floods. Khan said that power across Pakistan was “fully restored” within 24 hours and that the root cause of the outage is still being investigated.

(The Record)

FBI identifies hackers behind Horizon Bridge crypto theft

The Federal Bureau of Investigation (FBI) confirmed on Monday that North Korea-backed Lazarus Group and APT38 were responsible for the theft of $100 million in crypto from Harmony Horizon Bridge back in June. The attack leveraged a campaign dubbed TraderTraitor that social engineered crypto company employees into downloading rogue applications.The FBI says that just two weeks ago, threat actors laundered over $60 million worth of ethereum (ETH) stolen during the June 2022 heist. A chunk of the stolen funds has been frozen in coordination with virtual asset service providers.

(The Hacker News)

GoTo says hackers stole encrypted backups and MFA settings

GoTo CEO Paddy Srinivasan confirmed that last August’s security breach affecting its LastPass affiliate had a much broader impact than originally reported. The hack resulted in theft of account usernames, salted and hashed passwords, product settings and licensing information. Additionally, encrypted backups were exfiltrated from a third-party cloud storage service along with the encryption key for a portion of the backups. Stolen backups affected its Central, Pro, join.me, Hamachi, and RemotelyAnywhere products. Also, a small number of Rescue and GoToMyPC customers had their MFA settings compromised. GoTo says it is resetting passwords and MFA settings of affected users. The company is also migrating accounts to a more secure Identity Management Platform.

(SecurityWeek)

Riot Games refuses to pay ransom for stolen source code

Riot Games said Tuesday that it received a ransom email following last week’s cyber attack but indicated that it refuses to pay. The video game developer said that source code for its League of Legends and Teamfight Tactics games was exfiltrated during the attacks but no player or personal data was compromised. The company expressed concerns that the hack could cause new game cheats to emerge but says it is prepared to quickly deploy fixes if that happens.

(The Record)

And now a word from our sponsor, SafeBase

Jump start your journey to long-lasting customer trust with SafeBase. Our Smart Trust Center helps your organization build customer trust through improved transparency, secure document sharing, process control and insights, and proactive communication. Security and GRC leaders at companies like Jamf, Instacart, and Snyk all rely on SafeBase as a central enabler of their trust program. Learn more and check out the case studies at SafeBase.com

Zero Trust will not mitigate over half of attacks

According to a new report from Gartner, just one in 10 large enterprises will have a “mature and measurable” zero trust program in place by 2026. Gartner warned that, over the next three years, more than half of all cyber-attacks will be focused in areas that zero trust controls don’t mitigate. Gartner cited API attacks, social engineering, and exploitation of other employee-created control bypasses as examples of areas not protected by ZTAs. Despite this, Gartner says that ZTA still reduces risk and limits the impact of many threats.

(Infosecurity Magazine)

Microsoft Office to block XLL add-ins

Microsoft is getting ready to improve the protection of Office users by automatically blocking XLL add-ins in Excel files. XLL add-ins are dynamic link library (DLL) files written in C or C++, and can only be opened in Excel. In recent years, threat actors have been abusing these files to distribute malware, typically via phishing campaigns. Currently, the feature is only in development, with worldwide roll-out set for March 2023.

(SecurityWeek)

DragonSpark uses Go-based tool to evade detection

SentinelLabs has detected a hacking group, dubbed ‘DragonSpark,’ leveraging a stealthy and little-known open-source tool called SparkRAT to steal sensitive data from compromised systems. SparkRAT is a Golang-based open-source tool that can run on Windows, macOS, and Linux, to enable remote access. The Go script uses a payload called ‘Metepreter,’ which evades static analysis by allowing code to execute without first compiling it. The threat actors are using the tool to exploit exposed MySQL database servers in China, Taiwan, and Singapore and then launching additional attacks. All of the open-source tools used by DragonSpark were developed by Chinese authors.

(Bleeping Computer)

Live Nation blames bot attacks for Taylor Swift fiasco

Back in November, Ticketmaster systems were crippled when hordes of Taylor Swift fans attempted to buy tickets for the singer’s upcoming US tour. On Tuesday, Live Nation’s CFO told the Senate Judiciary Committee that Ticketmaster’s services were affected by triple the amount of bot traffic they’d ever previously experienced. Additionally the company’s “Verified Fan access code servers” were targeted. The explanation comes amid speculation that the federal government may take anti-trust action against the company. We’ll see if Live Nation is able to shake it off.

(CyberScoop)

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.