Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
London Police arrest 17-year-old hacker suspected of Uber and GTA 6 breaches
The City of London Police on Friday revealed that it has arrested a 17-year-old from Oxfordshire on suspicion of hacking. The department said the arrest was made as part of an investigation in partnership with the U.K. National Crime Agency’s cybercrime unit. No further details about the nature of the investigation were disclosed, although it’s suspected that the law enforcement action may be connected to the recent string of high-profile hacks aimed at Uber and Rockstar Games. Both intrusions are alleged to have been committed by the same threat actor, who goes by the name Tea Pot (aka teapotuberhacker). Uber, for its part, has pinned the breach on an attacker (or attackers) that it believes is associated with the LAPSUS$ extortion gang, two of whose members are facing fraud charges. According to cybersecurity company Flashpoint, the real-world identity of the hacker behind the two incidents is said to have been outed on an online illicit forum.
Study finds organizations deluged with cybersecurity incidents
A new report from the security vendor Trellix found that the average SecOps team managed 51 cybersecurity incidents per day. 36% reported significantly higher volumes, dealing with 50 to 200 incidents daily, and 46% agreed they were “inundated by a never-ending stream of cyber-attacks.” Siloed systems remained a common pain point, with 60% saying poorly integrated products reduced their organization’s efficiency in responding. This also appears to cost organizations money: 84% estimated losses from these incidents at up to 10% of annual revenue.
Finnish intelligence warns Russia ‘highly likely’ to turn to cyber in winter
The head of the Finnish Security Intelligence Service (Suojelupoliisi or SUPO) says it is “highly likely that Russia will turn to the cyber environment over the winter” for espionage due to challenges impacting its human intelligence work. In the unclassified National Security Overview 2022 published on Thursday, SUPO said that Russia’s traditional intelligence gathering approach using spies with diplomatic cover “has become substantially more difficult since Russia launched its war of aggression in Ukraine, as many Russian diplomats have been expelled from the West.” SUPO assessed that Russian citizens who occupied critical positions in Finland were particularly at risk of coercion from the Russian authorities.
Attackers impersonate CircleCI platform to compromise GitHub accounts
GitHub is warning of an ongoing phishing campaign that impersonates the CircleCI DevOps platform to steal its users’ credentials and two-factor authentication (2FA) codes. The company learned of the attacks on September 16 and noted that, while GitHub itself was not affected, the campaign has impacted many victim organizations. The phishing messages claim that a user’s CircleCI session has expired and try to trick recipients into logging in with their GitHub credentials, which the phishing site relays to GitHub along with any one-time code the victim types in. GitHub pointed out that accounts protected by hardware security keys are not vulnerable to this attack, because the key’s response is bound to the real site’s origin rather than to whatever page the user happens to be on.
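The following is an added illustration (not GitHub’s or CircleCI’s code) of why this relay works against a TOTP code but not against a hardware key. The origins github.example and circleci-login.example are made up, the TOTP seed is the RFC 6238 test seed, and the authenticator uses an HMAC as a stand-in for the key’s asymmetric signature; the point is what gets signed, not the algorithm.

```python
"""Why relaying a TOTP code through a phishing proxy works, and why an
origin-bound hardware-key assertion does not.  Added illustration, not
GitHub's or CircleCI's code.  The origins github.example and
circleci-login.example are made up, and the 'authenticator' below uses
an HMAC as a stand-in for the key's asymmetric signature."""
import hashlib
import hmac
import struct

# --- TOTP (RFC 6238, SHA-1, 30 s step, 6 digits) -----------------------
TOTP_SEED = b"12345678901234567890"   # RFC 6238 test seed, constructed here

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_login(submitted: str, now: int) -> bool:
    """Service-side check: the code is valid for the whole time step, and
    nothing in it says which web page the user typed it into."""
    return hmac.compare_digest(totp(TOTP_SEED, now), submitted)

def aitm_relay_totp(victim_typed: str, now: int) -> bool:
    """Attacker's proxy forwards the freshly typed code to the real site."""
    return totp_login(victim_typed, now)

# --- origin-bound assertion (WebAuthn-style) ----------------------------
REAL_ORIGIN = "https://github.example"          # made-up relying party
PHISH_ORIGIN = "https://circleci-login.example"  # made-up phishing host

def key_sign(key_secret: bytes, browser_origin: str, challenge: bytes) -> bytes:
    """The authenticator signs over the origin the *browser* reports
    (clientDataJSON) and the server challenge; the user cannot change it."""
    return hmac.new(key_secret, browser_origin.encode() + b"|" + challenge,
                    hashlib.sha256).digest()

def webauthn_login(key_secret: bytes, challenge: bytes,
                   claimed_origin: str, signature: bytes) -> bool:
    """Relying party: reject foreign origins, then verify the signature
    over its own origin and challenge."""
    if claimed_origin != REAL_ORIGIN:
        return False
    expected = key_sign(key_secret, REAL_ORIGIN, challenge)
    return hmac.compare_digest(expected, signature)

def aitm_relay_webauthn(key_secret: bytes, challenge: bytes):
    """Victim's browser is on the phishing origin, so the key signs over
    PHISH_ORIGIN.  The proxy can forward the signature as-is (origin
    mismatch) or claim REAL_ORIGIN (signature no longer verifies)."""
    sig = key_sign(key_secret, PHISH_ORIGIN, challenge)
    return (webauthn_login(key_secret, challenge, PHISH_ORIGIN, sig),
            webauthn_login(key_secret, challenge, REAL_ORIGIN, sig))

if __name__ == "__main__":
    now = 59
    print("relayed TOTP accepted:", aitm_relay_totp(totp(TOTP_SEED, now), now))
    print("relayed key assertion accepted:", aitm_relay_webauthn(b"k", b"c"))
```

The TOTP branch accepts the relayed code as long as the proxy forwards it within the same 30-second step; the key branch fails both ways the proxy can play it, which is the property GitHub is relying on when it says hardware-key accounts are not at risk.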
Lazarus Group targets macOS users
We’ve seen a number of threat groups use the surging job market as a vector for cyber attacks. Security researchers at SentinelOne report that the North Korea-linked Lazarus Group is operating a campaign targeting macOS users, luring them with job offers purportedly from Crypto.com. ESET and Malwarebytes reported on the campaign originally last month, when it targeted Windows users with similar crypto-related job lures. It’s not clear how the campaign delivers the initial malware payload; some reports suggest private messaging on LinkedIn. These likely represent short-term campaigns focused on theft, given that the threat actors do not obfuscate any of the binaries used in the attacks.
Thanks to today’s episode sponsor, Votiro
Geopolitics behind recent DDoS surge
It seems like in 2022 we’ve talked about another record-breaking DDoS attack every couple of weeks. A new report from NETSCOUT found that these likely stem from a rise in wars and regional disputes during the year. The company tracked over six million DDoS incidents and found they used 57% more bandwidth than last year. The overall number of DDoS attacks remained consistent, so the extra bandwidth reflects greater intensity per attack. Countries with ties to the war in Ukraine saw the most impact: Finland saw a 258% increase in DDoS attacks since applying for NATO membership, and Ireland, India, Taiwan, Belize, Romania, Italy, Lithuania, Norway, Poland, and Latvia also saw notable increases.
Leaked ransomware builder used in attacks
Last week, a LockBit 3.0 builder leaked on Twitter, apparently the result of a falling-out between the ransomware operator and its developer. The leak opened the door for anyone to build a functional encryptor and decryptor for attacks. Bleeping Computer confirmed that a new ransomware group called ‘Bl00Dy Ransomware Gang’ did just that against a Ukrainian victim. The group’s previous work largely used Conti ransomware, targeting a group of medical practices in New York. It made some light modifications to LockBit 3.0, but functionally the payload remains identical.
Cloudflare hopes Turnstile can replace CAPTCHAs
Fast Company goes dark after cyber attack
Late on September 27th, Apple News sent notifications from the publication Fast Company that contained racist and obscene language. Apple subsequently suspended the publication’s channel on the app. Fast Company confirmed that a threat actor had breached its Apple News account, saying it suspended its feed and shut down FastCompany.com while it investigates. This came after the attacker appeared to post a message on the site before the takedown, claiming to have obtained a widely shared password that granted admin access. The post also pointed to a dark web forum that claims it will release thousands of employee records and draft posts from the publication. The attacker said it did not obtain customer information, as the site stored that data on a separate server.
Researchers uncover covert attack campaign targeting military contractors
A new covert attack campaign singled out multiple military and weapons contractors with spear-phishing emails that trigger a multi-stage infection process designed to deploy an as-yet-unidentified payload on compromised machines. The highly targeted intrusions, dubbed STEEP#MAVERICK by Securonix, also hit a strategic supplier to the F-35 Lightning II fighter aircraft. Beginning in late summer 2022, the infection chain starts with a phishing mail carrying a ZIP archive attachment that contains a shortcut (.lnk) file posing as a PDF document about “Company & Benefits.” Opening the shortcut retrieves a stager, an initial binary used to download the desired malware, from a remote server.
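A mail-gateway or triage check for this lure can be written in a few lines: look inside the ZIP for shortcut files, flag ones that borrow a document extension, and also flag members whose bytes carry the Shell Link header even when the name does not end in .lnk. The following is an added example, not Securonix’s tooling; the archive it scans is constructed inline, and only the “Company & Benefits” file name comes from the report.

```python
"""Scan a ZIP attachment for Windows shortcut (.lnk) files posing as
documents.  Added example, not Securonix's tooling.  The sample archive
is constructed below; only the 'Company & Benefits' name comes from the
STEEP#MAVERICK report, the other member names are made up."""
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LNK CLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK section 2.1)
LNK_MAGIC = bytes.fromhex("4C0000000114020000000000C000000000000046")
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}

def classify_member(name: str, head: bytes) -> list:
    """Return the reasons an archive member looks like a shortcut lure."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    is_lnk_name = parts[-1] == "lnk"
    has_magic = head.startswith(LNK_MAGIC)
    if is_lnk_name:
        reasons.append("lnk-extension")
        if len(parts) > 2 and parts[-2] in DOC_EXTS:
            reasons.append("double-extension")   # e.g. foo.pdf.lnk
    if has_magic:
        reasons.append("lnk-magic")
        if not is_lnk_name:
            reasons.append("spoofed-extension")  # LNK bytes, non-.lnk name
    return reasons

def scan_zip(zip_bytes: bytes) -> dict:
    """Map each suspicious member name to its list of reasons.
    Only the first 20 bytes of each member are read, so large archives
    are cheap to check."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed test archive: the lure, a PDF-named file that is really
    a shortcut, and a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Company & Benefits.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("invoice.pdf", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("benefits.pdf", b"%PDF-1.4\n%harmless\n")
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(why)}")
```

Checking the header bytes as well as the name matters because Explorer hides the .lnk extension by default, so a file can look like a PDF to the user while the name check alone is fooled by a renamed or double-extension file in either direction.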
IRS warns of “industrial scale” smishing surge
In a news alert yesterday, the tax agency said it had identified thousands of fake domains so far in 2022, used to facilitate the so-called “smishing” scams, and designed to steal victims’ personal and financial information. Spoofed to appear as if sent from the IRS, these text messages often use lures like fake COVID relief, tax credits or help setting up an IRS online account, it said. They might request personal information or covertly download malware to the user’s device by tricking them into clicking on a malicious link. “This is phishing on an industrial scale so thousands of people can be at risk of receiving these scam messages,” said IRS commissioner Chuck Rettig.