Cyber Security Headlines Week in Review: PyTorch malicious compromise, Ransomware cloned victim, LockBit gang apologizes 

This week’s Cyber Security Headlines – Week in Review, January 2-6, is hosted by Sean Kelly with our guest, Bryan Willett, CISO, Lexmark

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

PyTorch discloses malicious dependency chain compromise over holidays

PyTorch, the open source machine learning framework, has identified a malicious dependency with the same name as the framework’s ‘torchtriton’ library. This has led to a successful compromise via the dependency confusion attack vector. PyTorch admins are warning users who installed PyTorch-nightly over the holidays, specifically between December 25th and December 30th to uninstall the framework and the counterfeit ‘torchtriton’ dependency.

(Bleeping Computer)
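The dependency confusion mechanism behind the torchtriton compromise, as an added example (not PyTorch's or pip's own code): a small model of how pip pools a primary index with an --extra-index-url and takes the highest version from whichever index serves it. Index contents and version numbers are constructed; the tie-break toward the first-listed index is an assumption of the model.

```python
from typing import Dict, List, Optional, Tuple

Index = Dict[str, List[str]]

# Constructed index listings (not real package data): name -> versions offered.
PRIVATE_INDEX: Index = {"torchtriton": ["2.0.0"], "internal-utils": ["1.4.2"]}
PUBLIC_INDEX: Index = {"torchtriton": ["3.0.0"], "numpy": ["1.24.1"]}


def parse_version(v: str) -> Tuple[int, ...]:
    """Order plain dotted numeric versions (assumption: no pre-release tags)."""
    return tuple(int(part) for part in v.split("."))


def resolve(name: str, indexes: Dict[str, Index]) -> Optional[Tuple[str, str]]:
    """Model of pip's choice across the indexes it was given.

    With --index-url alone only one index is consulted; with --extra-index-url
    every index is pooled and the highest version wins, no matter which index
    serves it. Returns (index_label, version) or None if nobody offers it.
    On equal versions max() keeps the first candidate, so the first-listed
    index wins a tie (an assumption of this model, not a pip guarantee)."""
    candidates = [(label, v) for label, idx in indexes.items() for v in idx.get(name, [])]
    if not candidates:
        return None
    return max(candidates, key=lambda c: parse_version(c[1]))


def audit_collisions(private: Index, public: Index) -> Dict[str, str]:
    """Defender's check: flag private package names that also exist on the
    public index and report which one pip would install under the pooled
    (--extra-index-url) layout. A public copy with a higher version is the
    exact condition a same-name upload exploits."""
    report = {}
    for name in sorted(set(private) & set(public)):
        label, version = resolve(name, {"pypi": public, "private": private})
        report[name] = f"{label} wins with {version}"
    return report


if __name__ == "__main__":
    # Safe layout: the private index is the sole --index-url, nothing is pooled.
    print("index-url only:", resolve("torchtriton", {"private": PRIVATE_INDEX}))
    # Risky layout: PyPI is primary and the private index is an --extra-index-url.
    print("pooled:", resolve("torchtriton", {"pypi": PUBLIC_INDEX, "private": PRIVATE_INDEX}))
    print(audit_collisions(PRIVATE_INDEX, PUBLIC_INDEX))
```

The mitigation the model makes visible: serve internal names from a single --index-url (or pin with hashes) so the public index is never a candidate for them.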

Ransomware gang cloned victim’s website to leak stolen data

The ransomware operators at ALPHV have become creative with their extortion tactics and, in at least one case, created a replica of the victim’s site to publish stolen data on it. The gang, also known as BlackCat, is known for testing new extortion tactics as a way to pressure and shame their victims into paying. On December 26, the threat actor published on their data leak site hidden on the Tor network that they had compromised a company in financial services. As the victim did not meet the threat actor’s demands, BlackCat decided to leak the data, consisting of memos to staff, payment forms, employee info, data on assets and expenses, financial data for partners, and passport scans, on a site that mimics the victim’s as far as the appearance and the domain name go. This was done to ensure wide availability of the stolen files as opposed to publishing on the dark web.

(Bleeping Computer)

LockBit gang apologizes, gives SickKids Hospital free decryptor

The LockBit ransomware gang has apologized to Toronto’s Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organization. It then sent them a free decryptor. On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website. While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times. In a statement that included the apology, the gang blamed a partner who “violated our rules, is blocked and is no longer in our affiliate program.”

(Bleeping Computer)

Multiple security breaches shut down trucker protest

Canada Unity, one of the groups that organized last year’s Freedom Convoy that overtook Canadian city streets to protest mandatory COVID-19 vaccinations, has canceled a repeat demonstration planned for February. According to a press release posted to the group’s Facebook page, organizers called off the rally following “multiple security breaches,” and also cited “personal character attacks” as a reason for the cancellation. One of the group’s founders, James Bauder, wrote, “As a result, the Canada Unity Convoy for Freedom – Freedom Convoy will remain Officially 10-7 until further notice.” The 10-7 is a CB radio code for Out of Service.

(The Register)

Thanks to today’s episode sponsor, AppOmni

Did you know that over half of companies have sensitive SaaS data exposed on the public internet? And many breaches making headlines now involve SaaS apps? AppOmni can help. AppOmni identifies misconfigurations and guides remediation to keep your SaaS data secure. We help Security teams make sense of data access permissions, third party app visibility, and threat detection across their entire SaaS ecosystem. Get started at AppOmni.com.

Nearly 20 car manufacturers potentially exposed PII

In November, researchers discovered significant API vulnerabilities in the technologies of well-known vehicle brands, including BMW, Rolls-Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis. The flaws could allow a threat actor to unlock, start and track cars as well as expose personal information of customers. The most severe API flaws were found in BMW and Mercedes-Benz, which could allow attackers to access internal systems. Ferrari also suffered from poorly implemented SSO on its CMS, exposing backend API routes and making it possible to modify and delete any Ferrari customer account, manage their vehicle profile, or set themselves as the car owner. The impacted vendors have fixed all issues so they are no longer exploitable.

(Bleeping Computer)

Flipper Zero phishing attacks target infosec community

A new phishing campaign is exploiting the security community’s growing interest in a hacking tool called Flipper Zero. Flipper Zero is a pen-testing “swiss army knife” that offers support for RFID emulation, digital access key cloning, radio communications, NFC, infrared, and Bluetooth. Threat actors are taking advantage of the popular tool and its scarce availability by creating fake Twitter accounts and stores. The stores aim to direct would-be buyers to the phishing checkout page, where they enter their name, email and shipping addresses as well as a choice to pay using Ethereum or Bitcoin cryptocurrency. 

(Bleeping Computer)

NATO tests AI’s ability to protect critical infrastructure against cyberattacks

AI can act without human intervention to identify critical infrastructure cyberattack patterns and detect malware to enable enhanced decision-making about defensive responses. These are the findings of an international experiment conducted at NATO’s Cyber Coalition event late last year. The experimental findings were published in late December shortly after a new US Government Accounting Office (GAO) report warned that numerous key government entities are flying blind on critical infrastructure security, having failed to implement most recommendations related to protecting critical infrastructure since 2010. 

(CSOOnline)

Slack’s private GitHub code repositories stolen over holidays

The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world. The incident involves threat actors gaining access to Slack’s externally hosted GitHub repositories via a “limited” number of Slack employee tokens that were stolen. While some of Slack’s private code repositories were breached, Slack’s primary codebase and customer data remain unaffected, according to the company. There is no indication that sensitive areas of Slack’s environment, including production, were accessed.

(Bleeping Computer)