US Marshals hit by ransomware
The US Marshals Service (USMS) confirmed it fell victim to a ransomware attack on February 17. The USMS tracks down fugitives and protects government witnesses among other activities supporting the federal justice system. The agency said that data was exfiltrated from a system containing legal process returns and personally identifiable information (PII) of subjects of USMS investigations, third parties, and employees. USMS is treating the attack as a major incident but says it has been able to continue operations and clarified that no Witness Security Program info has been compromised.
DISH outages caused by confirmed ransomware attack
On Tuesday, satellite broadcast giant DISH reported that a ransomware attack was to blame for the “system issues” that occurred over the weekend. DISH said that “certain data was extracted from the Corporation’s IT systems as part of this incident.” DISH’s internal communications, customer call centers and websites have been affected; however, the DISH and Sling services and the wireless and data networks remain operational. The company hired an incident response firm to assist with the ongoing investigation and will contact customers if their data turns out to have been compromised during the attack.
Some more bad news for LastPass
LastPass said Monday that the same attacker that stole partially encrypted login data back in August hacked into an employee’s home computer shortly thereafter. The threat actor exploited a vulnerable third-party media software package on a senior DevOps engineer’s computer to load a keylogger and steal the engineer’s credentials. They then used the stolen creds to break into the corporate vault, which contained the encryption keys for customer vault backups stored in Amazon S3 buckets. The engineer was one of only four LastPass employees with access to the corporate vault. Amazon notified LastPass of the incident after identifying the threat actor trying to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
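The detection signal in this story came from the cloud side: a stolen credential touching backup buckets and trying IAM roles it was not meant to use. The following Go program is an added example, not LastPass’s or Amazon’s code, of the kind of check a defender can run over CloudTrail records. It parses a handful of constructed sample records (the account ID, bucket, principal names and address ranges are placeholders) and flags three patterns: a backup bucket read by a principal outside the allowlist, a backup bucket touched from outside corporate address ranges, and repeated AccessDenied AssumeRole calls by one actor. The field names are the real CloudTrail ones; the policy values and the prefix-based network test are simplifications for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of CloudTrail record fields the detection needs. Field names follow the
// CloudTrail record format; anything else in a record is ignored by encoding/json.
type CloudTrailEvent struct {
	EventName       string `json:"eventName"`
	EventSource     string `json:"eventSource"`
	SourceIPAddress string `json:"sourceIPAddress"`
	ErrorCode       string `json:"errorCode"`
	UserIdentity    struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters struct {
		BucketName string `json:"bucketName"`
		RoleArn    string `json:"roleArn"`
	} `json:"requestParameters"`
}

// Finding is one alert produced by Detect.
type Finding struct{ Rule, Actor, Note string }

// Policy is a hypothetical baseline: which buckets hold vault backups, which
// principals are expected to read them, which address ranges are corporate,
// and how many denied AssumeRole calls by one actor are tolerated.
type Policy struct {
	SensitiveBuckets  map[string]bool
	AllowedPrincipals map[string]bool
	CorporatePrefixes []string // crude string-prefix match; illustration only
	DeniedAssumeLimit int
}

// DefaultPolicy holds constructed placeholder values (account ID, names, ranges).
func DefaultPolicy() Policy {
	return Policy{
		SensitiveBuckets: map[string]bool{"vault-backups-prod": true},
		AllowedPrincipals: map[string]bool{
			"arn:aws:sts::123456789012:assumed-role/BackupReader/nightly": true,
			"arn:aws:iam::123456789012:user/devops-engineer":              true,
		},
		CorporatePrefixes: []string{"10.", "192.168."},
		DeniedAssumeLimit: 3,
	}
}

func onCorporateNetwork(ip string, prefixes []string) bool {
	for _, p := range prefixes {
		if strings.HasPrefix(ip, p) {
			return true
		}
	}
	return false
}

// Detect scans JSON CloudTrail records (one per line) and returns findings for
// the three patterns described above. A malformed record aborts the scan.
func Detect(lines []string, p Policy) ([]Finding, error) {
	var findings []Finding
	deniedAssumes := map[string]int{} // AccessDenied AssumeRole count per actor
	for i, line := range lines {
		var ev CloudTrailEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		actor := ev.UserIdentity.ARN
		add := func(rule, note string) {
			findings = append(findings, Finding{Rule: rule, Actor: actor, Note: note})
		}
		if bucket := ev.RequestParameters.BucketName; ev.EventSource == "s3.amazonaws.com" && p.SensitiveBuckets[bucket] {
			if !p.AllowedPrincipals[actor] {
				add("unexpected-principal-on-backup-bucket", ev.EventName+" on "+bucket)
			}
			if !onCorporateNetwork(ev.SourceIPAddress, p.CorporatePrefixes) {
				add("backup-bucket-access-off-network", ev.EventName+" from "+ev.SourceIPAddress)
			}
		}
		if ev.EventSource == "sts.amazonaws.com" && ev.EventName == "AssumeRole" && ev.ErrorCode == "AccessDenied" {
			deniedAssumes[actor]++
			if deniedAssumes[actor] == p.DeniedAssumeLimit { // alert once, at the threshold
				add("iam-role-probing", fmt.Sprintf("%d denied AssumeRole calls, latest %s", p.DeniedAssumeLimit, ev.RequestParameters.RoleArn))
			}
		}
	}
	return findings, nil
}

// SampleEvents are constructed records for the demo, not real log data.
var SampleEvents = []string{
	`{"eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"10.0.0.5","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/BackupReader/nightly"},"requestParameters":{"bucketName":"vault-backups-prod","key":"2023-02-01.tar"}}`,
	`{"eventSource":"s3.amazonaws.com","eventName":"ListObjects","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/devops-engineer"},"requestParameters":{"bucketName":"vault-backups-prod"}}`,
	`{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/devops-engineer"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/KeyAdmin"}}`,
	`{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/devops-engineer"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/BackupWriter"}}`,
	`{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/devops-engineer"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/OrgAdmin"}}`,
	`{"eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"10.0.0.9","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor"},"requestParameters":{"bucketName":"vault-backups-prod","key":"2023-02-01.tar"}}`,
}

func main() {
	findings, err := Detect(SampleEvents, DefaultPolicy())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s: %s\n", f.Rule, f.Actor, f.Note)
	}
}
```

On the sample data the scan emits three findings in order: the engineer’s listing of the backup bucket from an address outside corporate ranges, the role-probing alert on the third denied AssumeRole, and the contractor reading the bucket without being on the allowlist. Note that the allowlist alone would not have caught the first case, since the engineer legitimately had access; it is the combination of where the request came from and what else the same principal was doing that makes the activity stand out.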
Hackers claim they breached T-Mobile over 100 times in 2022
Researchers extensively analyzed Telegram chat logs of three different cybercriminal groups who claim to have accessed T-Mobile’s internal network more than 100 separate times throughout 2022. In each case, the attackers phished T-Mobile employees for access to internal company tools, and then set up a “SIM-swapping” service that could divert any T-Mobile user’s text messages and phone calls to another device. By doing so, attackers are able to bypass multi-factor authentication (MFA) prompts to log into any online services connected to that phone number. Researchers said that all three SIM-swapping groups remain active.
And now a word from our sponsor, Conveyor
Former FTX director pleads guilty
On Tuesday, Nishad Singh, former engineering director of the now-bankrupt FTX cryptocurrency exchange, pleaded guilty to US criminal charges. Singh said he knew by mid-2022 that FTX’s founder was borrowing customer funds, without the customers’ knowledge, to back his Alameda Research hedge fund. Singh expressed remorse for his role in the plot and agreed to cooperate with prosecutors’ investigation into FTX founder Sam Bankman-Fried. Bankman-Fried pleaded not guilty to the eight criminal charges filed against him in December.
Gmail client-side encryption now publicly available
Gmail client-side encryption (CSE) is now generally available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. With Gmail CSE, any data sent as part of the email’s body and attachments (including inline images) is encrypted on the client before it reaches Google’s servers, so Google cannot read it. Email headers (including subject, timestamps, and recipient lists) are not encrypted. The feature was rolled out to Gmail in beta in December 2022, after it had already been made available (in beta) for Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar.
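The split described above, opaque content but readable headers, is the defining trade-off of client-side encryption: the provider can still route, thread and search by metadata, and that metadata remains visible to it. The Go program below is an added illustration of that model, not Google’s implementation (Gmail CSE is built on S/MIME and a customer-managed key service, neither of which this code reproduces). It seals body and attachments with AES-GCM under a key the client holds, renders what the server can see, and, as a design choice of this example, binds the clear headers to the ciphertext as AEAD additional data so a re-addressed or re-subjected message fails to open. The `Headers`, `Envelope`, `Seal`, `Open` and `ServerView` names and the demo key are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Headers stay in the clear: the mail server needs them to route, thread and index.
type Headers struct{ From, To, Subject, Date string }

// Envelope is what leaves the sender's client: readable headers plus an opaque
// blob holding the body and attachments.
type Envelope struct {
	Headers    Headers
	Nonce      []byte
	Ciphertext []byte
}

// canonical serialises the headers in a fixed order so both ends bind the same bytes.
func (h Headers) canonical() []byte {
	return []byte(strings.Join([]string{h.From, h.To, h.Subject, h.Date}, "\n"))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body and attachments on the client under a key the provider never
// holds, and binds the clear headers to the ciphertext as AEAD additional data so
// a relay cannot re-address the message without detection.
func Seal(key []byte, h Headers, content []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Headers: h, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, content, h.canonical())}, nil
}

// Open runs on the recipient's client with the same key; it fails if the key is
// wrong or if either the headers or the ciphertext changed in transit.
func Open(key []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.Headers.canonical())
	if err != nil {
		return nil, errors.New("cannot open envelope: wrong key, or headers/content modified")
	}
	return pt, nil
}

// ServerView renders exactly what the provider (or anyone reading its storage)
// can see: the metadata in full, and a blob it cannot interpret.
func ServerView(env Envelope) string {
	h := env.Headers
	return fmt.Sprintf("From: %s\nTo: %s\nSubject: %s\nDate: %s\n\n%s\n",
		h.From, h.To, h.Subject, h.Date, base64.StdEncoding.EncodeToString(env.Ciphertext))
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real client would obtain a per-message key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	h := Headers{From: "alice@example.com", To: "bob@example.com", Subject: "Q1 numbers", Date: "Tue, 28 Feb 2023 10:00:00 +0000"}
	content := []byte("Body: revenue doubled.\n--attachment q1.csv--\nregion,revenue\nEMEA,42\n")
	env, err := Seal(key, h, content)
	if err != nil {
		panic(err)
	}
	fmt.Print("=== what the server sees ===\n", ServerView(env))
	pt, err := Open(key, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("=== what the recipient decrypts ===\n%s", pt)
}
```

Running it prints the subject, sender, recipient and date in the clear followed by a base64 blob, then the recovered body and attachment on the recipient side. Changing `env.Headers.To` between `Seal` and `Open` makes `Open` fail, which is the point of using the headers as additional data rather than leaving them unbound.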
Cloud exploitation incidents skyrocket
On Tuesday, CrowdStrike released its 2023 Global Threat Report. The report found that cloud exploitation grew by a whopping 95% last year and that the cloud continues to evolve as the new battleground for adversaries. Malware-free attacks also rose in 2022, as attackers sought new ways to evade antivirus protection and outsmart machine-only defenses. The report also showed that adversaries re-weaponized and re-exploited known vulnerabilities, such as those affecting legacy Microsoft Active Directory and the ubiquitous Log4Shell vulnerability. Finally, the report highlights China-nexus adversaries as the most active targeted intrusion groups, targeting nearly all of the 39 global industry sectors and 20 geographic regions tracked by CrowdStrike.
Gamers are fixing a video game ‘taken over’ by hackers
Hackers have exploited serious vulnerabilities in Activision’s Black Ops III first-person shooter game, allowing them to take over other players’ computers. The hackers have the ability to kick players from games, corrupt downloadable content and potentially steal data from other players. One frustrated gamer, Maurice Heumann, resorted to hacking the game himself, identifying and reporting two remote code execution (RCE) vulnerabilities to Activision last year. While the company paid Heumann a bounty for one of the bugs, it has yet to fix either issue. However, Activision now says it plans to release fixes this week.