This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Dan Walsh, CISO, VillageMD
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com.
How Chinese hackers stole a Microsoft signing key
Microsoft has published details of how the China-linked threat group Storm-0558 obtained the MSA consumer signing key used in the recent Exchange Online and Azure Active Directory breaches. The key leaked through a cascade of failures. A consumer signing system crashed and produced a crash dump that should not have contained the key, but a race condition caused the key to be written into it, and Microsoft’s credential scanning did not detect it. The dump was later moved from the isolated production network into Microsoft’s internet-connected corporate debugging environment. After Storm-0558 compromised a Microsoft engineer’s corporate account, the attackers found the key in that crash dump.
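One control this incident argues for is scanning crash dumps for serialized private-key material before they leave a production environment. The following is an added example, not Microsoft’s code or tooling. It looks for PEM private-key headers and for the DER byte signature that opens a PKCS#8 RSA private key; the sample dump is constructed inline (a minidump-style header, filler, a PEM block with only the standard prefix as its body, and the leading bytes of a PKCS#8 structure) and contains no real key.

```python
import re

# Serialized private-key markers. PEM headers are textual; the DER signature
# is the start of a PKCS#8 PrivateKeyInfo for an RSA key: INTEGER 0 (version)
# followed by AlgorithmIdentifier { OID 1.2.840.113549.1.1.1 (rsaEncryption) }.
PEM_PRIVATE_HEADER = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
PKCS8_RSA_SIGNATURE = bytes.fromhex("020100300d06092a864886f70d010101")


def find_key_material(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, kind) for every private-key marker in blob, sorted by offset.

    DER offsets point at the version INTEGER, i.e. just past the outer
    SEQUENCE header, so the match does not depend on key size.
    """
    hits = [(m.start(), "pem-private-key") for m in PEM_PRIVATE_HEADER.finditer(blob)]
    pos = blob.find(PKCS8_RSA_SIGNATURE)
    while pos != -1:
        hits.append((pos, "pkcs8-rsa-private-key-der"))
        pos = blob.find(PKCS8_RSA_SIGNATURE, pos + len(PKCS8_RSA_SIGNATURE))
    return sorted(hits)


def dump_is_clean(blob: bytes) -> bool:
    """True if no serialized private-key marker is present in the dump."""
    return not find_key_material(blob)


# Constructed sample dump: not a real crash dump, and the PEM body is only the
# well-known base64 prefix of a 2048-bit PKCS#8 RSA key, not a usable key.
SAMPLE_PEM = (
    b"-----BEGIN PRIVATE KEY-----\n"
    b"MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ\n"
    b"-----END PRIVATE KEY-----\n"
)
SAMPLE_DER_PREFIX = bytes.fromhex("308204bd020100300d06092a864886f70d0101010500048204a7")
SAMPLE_DUMP = (
    b"MDMP" + b"\x00" * 32              # minidump-style magic plus padding
    + b"worker thread stack\x00" * 3    # filler standing in for thread data
    + SAMPLE_PEM
    + b"\xff" * 16
    + SAMPLE_DER_PREFIX + b"\x00" * 16
)

if __name__ == "__main__":
    for offset, kind in find_key_material(SAMPLE_DUMP):
        print(f"{offset:#08x}  {kind}")
    print("clean" if dump_is_clean(SAMPLE_DUMP)
          else "KEY MATERIAL PRESENT: do not export this dump")
```

The caveat is that this only catches keys in their serialized forms. A signing service usually holds the key parsed into provider-specific structures (CNG or OpenSSL objects, bignum limbs), which a byte-signature scan will not recognise, so a scan like this belongs alongside, not instead of, a policy that dumps from signing hosts never leave the isolated network.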
Companies using software to track remote workers
An article in Business Insider highlights how certain companies are using keystroke monitoring software to track remote workers’ time on the keyboard, resulting in dismissals when a required number of keystrokes per hour is not achieved. Named in the story are large companies like JPMorgan and Tesla. It also quotes an earlier New York Times story that showed that eight of the 10 largest US private companies track their employees’ productivity. The story also refers to a Business Insider article from October 2022 which points out that “not turning your webcam on for a work meeting may get people fired with little chance of winning a wrongful termination claim.”
CISA hires ‘Mudge’ to work on security-by-design principles
On Monday, the US government’s cybersecurity agency (CISA) confirmed it has added Peiter ‘Mudge’ Zatko to its roster as a Senior Technical Advisor. Zatko most recently served as the CISO at Twitter and blew the whistle on the social media giant’s security shortcomings. Zatko’s resume also credits him with some of the earliest buffer overflow vulnerability research, serving as a DARPA program manager and creating the Cyber Fast Track program. Jen Easterly said, “Mudge joins us in a part-time capacity to help us collaboratively shape a culture of security by design that is foundational to every security team, every C-suite, and every board room in the country.”
Technical details of Sandworm malware ‘Infamous Chisel’ released
Security agencies from the Five Eyes intelligence alliance (the US, the UK, New Zealand, Canada, and Australia) have released technical information on malware named Infamous Chisel, used by the Russian hacking group Sandworm as part of the war effort against Ukraine. The malware targets Android devices used by members of the Ukrainian military and is designed to collect intelligence. Largely searching for files with .jpg or .txt extensions, Infamous Chisel is rated in the report as being of “low to medium sophistication, giving little thought to avoiding detection.” Cyberscoop points out that because many Android devices have no host-based detection system, there are few ways to monitor them for this kind of malicious behavior.
(Cyberscoop and CISA)
Huge thanks to our sponsor, DataBee, from Comcast Technology Solutions

Built by security professionals for security professionals, DataBee makes your data a gold mine, rich with information that enables you to examine the past, react to the present, and protect the future of your business. Learn more at https://comca.st/DataBee.
Okta warns of IT help desk attacks
Okta, an identity and access management company, has issued a warning about a new wave of social engineering attacks aimed at IT service desk agents at some of its US-based customers. The callers try to convince service desk staff to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users, in particular Okta Super Administrator accounts, so that the attacker can then take those accounts over. According to Bleeping Computer, “Okta has provided indicators of compromise for attacks observed between July 29 and August 19,” along with a list of IP addresses associated with these attacks and the security measures customers should take.
LockBit leaks documents swiped from UK defense contractor
Last month, British perimeter security company Zaun Ltd. was breached by the notorious LockBit group. In its public breach disclosure on September 1, Zaun said that LockBit had compromised a PC used to control one of its manufacturing machines. The PC was running Windows 7, for which mainstream support ended in 2020 and extended security updates ended in January 2023. Zaun said its defenses prevented the attackers from encrypting its data, but about 10 gigabytes of information was stolen. LockBit appears to have leaked sensitive documents relating to the physical security of UK Ministry of Defence sites. However, Zaun said it does not believe any classified documents were compromised in the attack.
Krebs on cracked LastPass keys
Security journalist Brian Krebs reports that a rash of drained cryptocurrency wallets indicates threat actors have begun successfully cracking stolen LastPass vaults. Back in November 2022, LastPass disclosed a data breach in which encrypted password vaults for over 25 million users were stolen. According to MetaMask lead product manager Taylor Monahan, researchers have connected thefts from more than 150 victims, totaling over $35 million in losses, to potentially cracked vaults. Monahan began tracking these thefts in March. The victims all appear to have stored their wallet “seed phrase” in LastPass. Krebs and Monahan recommend that anyone who kept important credentials in LastPass at the time of the November breach rotate them.
Connected cars not great for privacy and security
A recent Mozilla report on connected cars gave all 25 car brands it reviewed a failing grade on security and privacy. Mozilla noted that the brands’ privacy policies tell customers the companies can collect health and genetic information, immigration status, facial expressions, location, and in some cases sexual activity. This covers data collected from in-car telematics systems, but also extends to the brands’ mobile apps and dealership visits. Over half of the brands said they can share information with law enforcement, and 76% said they can sell personal data to third parties.