Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
NortonLifeLock warns that hackers breached Password Manager accounts
Gen Digital, the company formerly known as Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that attackers have compromised Norton Password Manager accounts through credential-stuffing attacks. According to a sample letter shared with the Office of the Vermont Attorney General, the attacks did not result from a breach of the company's own systems but from credentials compromised on other platforms. The notice explains that around December 1, 2022, an attacker used username and password pairs bought on the dark web to attempt to log in to Norton customer accounts. For customers who use the Norton Password Manager feature, the notice warns that the attackers may have obtained the details stored in their private vaults.
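To make the detection side of this story concrete, here is an added example (mine, not from Gen Digital's notice or this show): a credential-stuffing detector run over a constructed authentication log. The log format, IP addresses, account names, timestamps and thresholds are all assumptions for the demo. The signature it looks for is the one that distinguishes stuffing from a user mistyping a password: one source trying many distinct accounts in a short window, each only once or twice.

```python
"""Credential-stuffing detection over a constructed auth log.

Added example; not Norton / Gen Digital code. Assumed (hypothetical) log line:
    <ISO-8601 UTC timestamp> ip=<source> user=<account> result=<success|fail>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the first source sprays six different accounts in a
# few seconds (stuffing); the second is one user retrying their own password.
SAMPLE_LOG = """\
2022-12-01T03:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2022-12-01T03:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2022-12-01T03:00:02Z ip=203.0.113.7 user=carol@example.com result=success
2022-12-01T03:00:03Z ip=203.0.113.7 user=dave@example.com result=fail
2022-12-01T03:00:04Z ip=203.0.113.7 user=erin@example.com result=fail
2022-12-01T03:00:05Z ip=203.0.113.7 user=frank@example.com result=success
2022-12-01T03:00:40Z ip=198.51.100.9 user=alice@example.com result=fail
2022-12-01T03:00:45Z ip=198.51.100.9 user=alice@example.com result=fail
2022-12-01T03:00:50Z ip=198.51.100.9 user=alice@example.com result=success
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["user"], fields["result"]


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that attempt >= min_users distinct accounts within `window`.

    Per-account lockouts do not catch this pattern because each account is hit
    only once; the tell is the breadth of accounts per source. For each flagged
    source the 'compromised' list holds accounts where a login succeeded: those
    are the users whose vaults must be treated as exposed (reset password,
    revoke sessions, notify).
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            by_ip[ip].append((ts, user, result))

    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start:end+1] fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            users_in_window = {u for _, u, _ in events[start:end + 1]}
            if len(users_in_window) >= min_users:
                hits[ip] = {
                    "attempts": len(events),
                    "distinct_users": len({u for _, u, _ in events}),
                    "compromised": sorted({u for _, u, r in events if r == "success"}),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are deliberately generous; in practice you would tune `window` and `min_users` against your own baseline, and key on more than the source IP (ASN, user-agent, TLS fingerprint) since stuffing tools rotate through proxies.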
Ransomware revenue falls by $300 million in 2022 as more victims refuse to pay
According to a new report from blockchain research firm Chainalysis, ransomware payments fell from $765.6 million in 2021 to $456.8 million last year. The report attributes the drop to several factors, most notably that more victims are simply refusing to pay when extorted by criminal groups. The researchers consulted several ransomware experts to check whether that theory holds. Michael Phillips, chief claims officer at cyber insurance firm Resilience, confirmed that several “meaningful disruptions” were driving the downturn in ransomware revenue, including Russia's invasion of Ukraine and law enforcement actions against ransomware gangs such as arrests and the seizure of ransoms.
ChatGPT changes the phishing game
The rise of OpenAI's ChatGPT chatbot has raised alarms in the business, academic, and cybersecurity communities, and here at Cyber Security Headlines we have covered examples of its versatility, such as writing malicious code. But as Maria Korolov writes in CSO Online, it is also being used to craft highly convincing, grammatically correct phishing emails. Her article shows how the prompt “im tom. writing letter to becky. i send her excel file to open. veyr important bizness content,” riddled with misspellings and shorthand, is turned into a clear, grammatically correct request, with variants in more or less casual, formal, or urgent tones. The article concludes with revamped anti-phishing strategies for the age of AI and is available at CSO Online; a direct link is in our show notes.
Ransomware attack impacts 1,000 ships
Norwegian maritime company DNV said it suffered a ransomware attack on January 7, forcing it to shut down the servers behind its ShipManager system. In total, the attack affected roughly 1,000 vessels belonging to 70 customers. DNV noted that ShipManager customers can still use the software's offline functionality and that no other DNV services were affected. The company is working with Norwegian police and outside cyber experts to respond to the incident.
Thanks to today's episode sponsor, Cerby
Bridgestone Arena enhances NHL fan safety
Nashville's Bridgestone Arena, home of the Nashville Predators and host of events such as the Country Music Association (CMA) Awards, recently installed 14 Evolv Express security screening systems at the venue's various entry points. The system combines artificial intelligence (AI) with sensor technology to detect threats at high volume and speed. An arena spokesperson says the system has produced operational efficiencies and, “most importantly, happier and safer guests.” Nearby Nissan Stadium installed the same systems, detected 254 prohibited items over a three-game period, and freed up 66% of gate security personnel for other security-related duties.
CircleCI breach caused by infostealer
CircleCI, the continuous integration platform, confirmed on January 4th that it had experienced a data breach. Infostealing malware on an employee's laptop, which the laptop's antivirus software failed to detect, let attackers capture a valid single sign-on session on December 16th. That session had already completed 2FA, so the stolen session token gave the attackers the employee's access without needing the second factor. Because of that employee's level of access, the attackers were able to reach some production systems. The data they reached was encrypted, but the attacker extracted the encryption keys from a running process. The company said it has closed the attack vector and added additional layers of security.
Too many admin1234 passwords still exist in industrial systems, research finds
According to research released Wednesday, operators of critical infrastructure are not changing the default credentials on internet-connected devices tied to industrial systems. Roya Gordon, security research evangelist at Nozomi Networks, a cybersecurity firm that specializes in industrial security, said, “We’re seeing a lot of the ‘admin1234,’ meaning that [hackers are] still going to be using default credentials in hopes that no one is changing them for IoT devices — which is pretty accurate.” The White House is expected to release an updated national cybersecurity strategy in the coming weeks, and according to The Washington Post the administration is likely to call for mandatory cybersecurity rules for particularly vulnerable industries.
Vendors bypassing security patches
The security firm Sansec warns that some ecommerce vendors have begun bypassing security patches for mail templates in Adobe Commerce and Magento. The patches date back to February and fix an actively exploited improper-input-validation bug in the checkout process that opened the door to arbitrary code execution. As part of the fix, Adobe removed the “smart” mail templates and introduced a mail template variable resolver to prevent injection attacks. That last change appears to be causing problems for some vendors, who are reintroducing the functionality of the old template resolver into production Magento stores, often by copying the old code back in. Sansec warns this effectively reintroduces the security flaw.
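To show why restoring the old resolver undoes the fix, here is an added conceptual example of the flaw class (template injection through a variable resolver that re-parses substituted values and permits method calls) beside a hardened resolver. This is my illustration, not Adobe Commerce or Magento code; the `{{var ...}}` directive syntax, the `Order` class, its `cancel()` method and the allowlist are all assumptions for the demo and do not reproduce the real patch.

```python
"""Mail-template variable resolution: unsafe 'smart' resolver vs. allowlist resolver.

Added conceptual example; not Adobe Commerce / Magento code. The directive
syntax, Order class and cancel() method are assumptions for the demo.
"""
import re
from types import SimpleNamespace

# A directive names a dotted path, optionally ending in '()' (hypothetical syntax).
DIRECTIVE = re.compile(r"\{\{var\s+([A-Za-z_][\w.]*(?:\(\))?)\}\}")


class Order:
    """Stand-in for an order object a checkout email might reference."""

    def __init__(self, customer_name, total):
        self.customer_name = customer_name  # customer-controlled text
        self.total = total
        self.cancelled = False

    def cancel(self):  # a method no mail template should be able to reach
        self.cancelled = True
        return "cancelled"


def resolve_path(root, path):
    """Walk a dotted path from root; a trailing '()' calls the attribute.

    This is the 'smart' behaviour: every public attribute and method of every
    object reachable from the context becomes callable from template text.
    """
    obj = root
    for part in path.split("."):
        call = part.endswith("()")
        obj = getattr(obj, part[:-2] if call else part)
        if call:
            obj = obj()
    return obj


def render_smart(template, root, depth=0):
    """UNSAFE: substituted values are re-scanned for directives, so a directive
    hidden in a customer-supplied field (e.g. the name typed at checkout) runs."""
    def sub(m):
        value = str(resolve_path(root, m.group(1)))
        return render_smart(value, root, depth + 1) if depth < 3 else value
    return DIRECTIVE.sub(sub, template)


ALLOWED_VARS = ("order.customer_name", "order.total")


def safe_context(order):
    """Pre-extract only allowlisted plain values: no live object, nothing callable."""
    return {"order.customer_name": order.customer_name, "order.total": order.total}


def render_safe(template, values):
    """Hardened: a directive must name an allowlisted variable, and its value is
    inserted verbatim; re.sub never re-parses replacement text as template."""
    def sub(m):
        name = m.group(1)
        return str(values.get(name, "")) if name in ALLOWED_VARS else ""
    return DIRECTIVE.sub(sub, template)


TEMPLATE = "Dear {{var order.customer_name}}, your order total is {{var order.total}}."


def demo(customer_name="{{var order.cancel()}}"):
    """Render the same template both ways with an injected customer name.

    Returns (smart_output, smart_order_cancelled, safe_output, safe_order_cancelled).
    """
    o1 = Order(customer_name, 42)
    smart = render_smart(TEMPLATE, SimpleNamespace(order=o1))
    o2 = Order(customer_name, 42)
    safe = render_safe(TEMPLATE, safe_context(o2))
    return smart, o1.cancelled, safe, o2.cancelled


if __name__ == "__main__":
    print(demo())
```

With the smart resolver the injected name is re-interpreted and `cancel()` actually executes during email rendering; with the allowlist resolver the same string is just printed back as text. Copying the old resolver into a patched store restores the first behaviour, which is exactly the warning Sansec is making.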