Cyber Defense

This Month in Cybersecurity - May Edition

Over 500 Organizations Hit By Ransomware

Identified in April 2022, the group known as Black Basta has hit more than 500 organizations globally, according to warnings issued by multiple United States government agencies, including CISA and the FBI. The group operates under a Ransomware-as-a-Service (RaaS) business model: affiliates conduct the intrusions and deploy the malware against victim organizations, and Black Basta takes a percentage of any ransom payment in exchange.

The threat actors rely on phishing and the exploitation of known vulnerabilities, especially those that have only recently been publicly disclosed. This gives Black Basta an initial foothold in a victim's network, from which it moves laterally to reach deeper and deeper into the victim's environment.

Of the 16 critical infrastructure sectors, 12 have been affected by these attacks, especially healthcare, which is an attractive target because of its size, its dependence on technology, its access to personal health information, and other factors. The authoring agencies urge all critical infrastructure organizations to apply the recommended mitigations to avoid ransomware attacks.


Gift Card Systems Being Targeted, Warns FBI

The FBI has raised concerns for US retailers regarding a cybercriminal group, STORM-0539 (also known as Atlas Lion), targeting employees through sophisticated phishing attacks to generate fraudulent gift cards. These attacks aim to infiltrate employee accounts and IT systems, allowing the criminals to move laterally within networks and steal sensitive data, including passwords and SSH keys.

The rise in gift card scams, resulting in $217 million in consumer losses in 2023 alone, highlights the urgency of the issue. Atlas Lion not only steals gift card details but also seeks employee and network data for potential sale or future attacks. The group's persistent tactics, including defeating multi-factor authentication, have prompted warnings from both the FBI and Microsoft, indicating the need for heightened cybersecurity measures and potential legislative action to safeguard consumers.


49 Million Customers' Data Leaked in Dell API Hack

Dell recently notified customers about a data breach, revealing that personal data, including warranty information and order details, was stolen. The breach was attributed to a threat actor named Menelik, who accessed a portal meant for partners, resellers, and retailers by creating multiple fake accounts, which the portal did not verify.

Exploiting the portal's lack of rate limiting, Menelik claimed to have harvested 49 million customer records over three weeks, including details on a range of Dell products. Although Menelik alerted Dell to the flaw, the data had already been accessed by the time the company addressed the issue, underscoring the risk posed by easily accessible APIs and the urgent need for stricter controls.

This incident fits a broader trend of threat actors exploiting APIs to scrape sensitive data, with notable breaches involving Facebook, Twitter, and Trello in recent years. These breaches highlight the importance of guardrails that limit how many times an action can be performed against an API, alongside security controls that safeguard user data.
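As an added example (not code from Dell, from this newsletter, or from the reporting it summarizes), the guardrail described above implemented as a sliding-window limiter that caps both lookups per account and account creations per source address, so that spreading a scrape across many fake accounts does not defeat the lookup budget. The thresholds, endpoint names and sample identifiers are assumptions.

```python
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed thresholds: a real deployment tunes these per endpoint.
LOOKUPS_PER_ACCOUNT_PER_HOUR = 100
SIGNUPS_PER_IP_PER_DAY = 3


class SlidingWindowLimiter:
    """Sliding-window counter keyed by any identifier (account id, client IP)."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._events: dict = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._events[key]
        # Evict timestamps that fell out of the window so old traffic no longer counts.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: reject and do not record the attempt
        q.append(now)
        return True


def register_partner(signups: SlidingWindowLimiter, client_ip: str, now: float) -> bool:
    """Hypothetical registration step: cap unverified sign-ups per source address."""
    return signups.allow(client_ip, now)


def lookup_service_tag(lookups: SlidingWindowLimiter, account_id: str,
                       service_tag: str, now: float) -> Optional[dict]:
    """Hypothetical partner-portal lookup; returns a constructed record or None if throttled."""
    if not lookups.allow(account_id, now):
        return None
    return {"service_tag": service_tag, "order": "ORDER-" + service_tag[-4:]}


def simulate_scrape(attempts: int, seconds_between: float,
                    limit: int = LOOKUPS_PER_ACCOUNT_PER_HOUR, window: float = 3600) -> int:
    """Count how many of `attempts` back-to-back lookups from one account get served."""
    lookups = SlidingWindowLimiter(limit, window)
    served = 0
    for i in range(attempts):
        if lookup_service_tag(lookups, "partner-acct-1", f"TAG{i:07d}", i * seconds_between):
            served += 1
    return served
```

With the constructed limits, 10,000 lookups at two per second from one account yield only 200 records across the roughly 83-minute run, and a fourth sign-up from the same address within a day is refused.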

Defensible Strategies

Learn from those who have been attacked

Post Millennial Hack Affected 26 Million People

The online data breach notification service Have I Been Pwned recently added information for over 26 million individuals affected by a hack targeting The Post Millennial, a Canadian news website. The hack, which also affected its American counterpart, resulted in the defacement of both sites' front pages with fake messages purportedly from The Post Millennial's editor.

The exposed data, encompassing names, email addresses, passwords, and even physical addresses and phone numbers, raises concerns about potential misuse by threat actors. While the exact source of the leaked data remains uncertain, Have I Been Pwned decided to include it in its breach notification service to alert potentially impacted individuals.

Despite the breach, neither The Post Millennial nor its parent company, Human Events Media Group, has issued a public statement regarding the incident, which makes it all the more important for users to take proactive measures such as resetting passwords and staying vigilant against suspicious communications.


New Attack on VPNs

Researchers have devised a new attack that works against nearly all virtual private network (VPN) applications. The attack forces them to send and receive all traffic outside the encrypted tunnel that is meant to protect it from snooping or tampering.

The attack, which the researchers call TunnelVision, undermines the whole purpose of a VPN, which is to cloak the user's IP address by placing all incoming and outgoing Internet traffic inside an encrypted tunnel. The researchers believe there is no way to circumvent the attack once a user is connected to a hostile network, and that the only VPNs they noted as unaffected were those running on Linux or Android.

The researchers warn that the attack may have been possible since 2002 and that it may already have been used in the wild.