This week’s Cyber Security Headlines – Week in Review, January 23-27, is hosted by David Spark with our guest, Kathleen Mullin, CISO, Cancer Treatment Centers of America
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
FBI seizes Hive ransomware group infrastructure after lurking in servers for months
After seven months spent lurking inside the notorious ransomware group’s networks, swiping decryption keys for its victims, the FBI and international partners seized infrastructure behind Hive ransomware attacks. Since June 2021, Hive has targeted more than 1,500 victims globally. While staking out Hive’s network, the FBI disrupted multiple attacks, including ones against a Louisiana hospital, a food services company and a Texas school district. Deputy Attorney General Lisa O. Monaco said during a press conference Thursday, “In a 21st-century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million in ransomware payments.” She added, “Simply put, using lawful means we hacked the hackers.”
PayPal accounts breached in large-scale credential stuffing attack
PayPal is sending out data breach notifications to thousands of users whose accounts were accessed through credential stuffing attacks that exposed some personal data. PayPal explains that the attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time, and by December 20, 2022, it confirmed that unauthorized third parties had logged into the accounts with valid credentials. The electronic payments platform says this was not due to a breach of its own systems and that it has no evidence the user credentials were obtained directly from PayPal. Almost 35,000 users have been impacted by the incident, during which the attackers had access to account holders’ full names, dates of birth, postal addresses, Social Security numbers, and individual tax identification numbers.
ODIN Intelligence hack exposes a huge trove of police raid files
Detailed tactical plans for imminent police raids, confidential police reports with descriptions of alleged crimes and suspects, and a forensic extraction report detailing the contents of a suspect’s phone. These are some of the files in a huge cache of data taken from the internal servers of ODIN Intelligence, a tech company that provides apps and services to police departments, following a hack and defacement of its website over the weekend. The group behind the breach said in a message left on ODIN’s website that it hacked the company after its founder and chief executive Erik McCauley dismissed a report by Wired, which found that the company’s flagship app, SweepWizard, was insecure and spilling sensitive data about upcoming police operations to the open web. The hackers also published the company’s Amazon Web Services private keys for accessing its cloud-stored data and claimed to have “shredded” the company’s data and backups, but not before exfiltrating gigabytes of data from ODIN’s systems.
Zero Trust will not mitigate over half of attacks
According to a new report from Gartner, just one in 10 large enterprises will have a “mature and measurable” zero trust program in place by 2026. Gartner warned that, over the next three years, more than half of all cyber-attacks will be focused on areas that zero trust controls don’t mitigate. Gartner cited API attacks, social engineering, and exploitation of other employee-created control bypasses as examples of areas not protected by zero trust architectures (ZTAs). Despite this, Gartner says that ZTA still reduces risk and limits the impact of many threats.
Thanks to today’s episode sponsor, SafeBase

GoTo says hackers stole encrypted backups and MFA settings
GoTo CEO Paddy Srinivasan confirmed that last August’s security breach, which also affected its LastPass affiliate, had a much broader impact than originally reported. The hack resulted in theft of account usernames, salted and hashed passwords, product settings and licensing information. Additionally, encrypted backups were exfiltrated from a third-party cloud storage service, along with the encryption key for a portion of those backups. The stolen backups affected its Central, Pro, join.me, Hamachi, and RemotelyAnywhere products. Also, a small number of Rescue and GoToMyPC customers had their MFA settings compromised. GoTo says it is resetting the passwords and MFA settings of affected users. The company is also migrating accounts to a more secure identity management platform.
Government Accountability Office names and shames
Since 2010, the US Government Accountability Office has issued 335 public cybersecurity recommendations to federal agencies. Last week, it disclosed that federal agencies still need to implement 190 of them. In a long-term review of this issue, the GAO said that a 2020 review of 23 civilian agencies found that none had fully implemented foundational practices for supply chain risk management, with 14 not implementing any of them. The office warned that failing to improve compliance could lead to “disrupted mission operations, theft of intellectual property, and harm to individuals.”
A look at North Korean crypto stealing tactics
The Record’s Jonathan Greig broke down a recent Proofpoint report on these tactics, highlighting the work of the APT TA444. The report describes the group as working “with a startup mentality and a passion for cryptocurrency.” While the group’s activities overlap with those of other North Korean-linked threat actors, such as Lazarus Group, it stands out as seemingly interested only in generating revenue rather than in cyber espionage. In the past, the group spread malware through malicious documents, but in 2022 it expanded to using email marketing tools, which let it get past spam filters more easily and appear legitimate. It combines this with aggressive social media strategies, contacting potential victims on LinkedIn with faked job offers. The United States Treasury Department estimates the group used various cryptocurrency mixers to launder over $120 million.
The need for EV cybersecurity roadmaps
The Office of the National Cyber Director (ONCD) recently hosted a forum with government leaders and private companies to assess both current and emerging cybersecurity threats involving electric vehicles (EVs). The most infamous story to date concerns a 19-year-old security researcher who, in early 2022, was able to hack into 25 Teslas around the world using a third-party, open-source logging tool known as TeslaMate. Other threat vectors the industry is watching include: connected vehicle systems such as navigation and optimal route planning that may enable access to key systems and put drivers at risk; charging stations that can become a path to exfiltrate driver data; and the use of infected cars to attack a local power grid while charging. This forum and similar gatherings are looking to establish greater transparency and communication between OEMs, as well as urging stronger password security within the many computers built into the vehicles. (Security Intelligence)