**Note:** With the holidays coming up soon, this will be the last Security News posting (outside of possible one-off posts by other Project Hyphae authors) until the week of January 8th, 2024. Have a great holiday season and we’ll see you all again in the new year!
Nearly a Million Non-Profit Donors’ Details Left Exposed in Unsecured Database
Article Link: https://www.theregister.com/2023/12/13/donorview_database_breach/
- According to the security researcher Jeremiah Fowler, a database that is owned and operated by DonorView, a cloud-based fundraising platform used by a variety of organizations that receive donations, was recently found to be exposing donor information to the public.
- The researcher found over 900,000 exposed records, which included donor names (including the names of children), addresses, payment methods, and more. In addition to personal information, the database also contained donor templates that could be modified and then used as phishing lures.
- While there has yet to be any information provided by DonorView, Fowler noted that the database was secured several days after his report was sent to DonorView.
BazaCall Phishing Scammers Now Leveraging Google Forms for Deception
Article Link: https://thehackernews.com/2023/12/bazacall-phishing-scammers-now.html
- According to researchers at Abnormal Security, the attackers behind the BazaCall callback phishing campaigns have begun to leverage Google Forms in their attacks.
- What makes the use of Google Forms especially dangerous is that when questionnaires are sent out via Forms itself, the emails come from legitimate Google no-reply addresses. Likewise, Google Forms URLs are often dynamically generated, limiting the ability of security tools to identify patterns and mitigate Google Forms-related threats.
- As the article highlights, in addition to BazaCall, a variety of threat actors have ramped up their phishing campaigns in recent months with an ever-growing list of potential victims to target.
- Link to Abnormal Security’s Report: https://abnormalsecurity.com/blog/bazarcall-attack-leverages-google-forms
Many Popular Websites Still Cling to Password Creation Policies From 1985
Article Link: https://www.helpnetsecurity.com/2023/12/12/websites-passwords/
- According to a report by researchers at the Georgia Institute of Technology who evaluated the user password creation policies of over 20,000 websites, many websites lack robust security policies.
- Specifically, 75% of reviewed websites allow passwords shorter than 8 characters and 33% don’t support special characters in passwords.
- Additionally, the researchers found that 42.1% of websites still adhere to NIST’s 2004 password guidelines and 16.7% still follow NIST’s 1985 recommendations.
- The researchers noted that a key reason for these discrepancies in password policies is the need to accommodate the default configurations of popular web software, such as Shopify.
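To make the gap between the two eras concrete, the following added example (written for this post, not code from the study or from any of the surveyed sites) places a 1985-style policy beside one that follows current NIST SP 800-63B guidance: a minimum of 8 characters, a generous maximum, acceptance of spaces, special characters and Unicode, and a check against a compromised-password list. The breached-password set is a constructed stand-in for a real breach corpus.

```python
import string
import unicodedata

# Constructed stand-in for a compromised-credential list (assumption: a real
# deployment would query a large breach corpus, as NIST SP 800-63B advises).
BREACHED_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}

LEGACY_MAX_LENGTH = 8    # 1985-era fixed field width
MODERN_MIN_LENGTH = 8    # NIST SP 800-63B minimum for user-chosen secrets
MODERN_MAX_LENGTH = 64   # NIST SP 800-63B: allow at least 64 characters


def legacy_policy(password: str) -> list[str]:
    """1985-style policy: alphanumerics only, at most 8 characters.
    Returns the list of violations; an empty list means the password is accepted."""
    problems = []
    if len(password) > LEGACY_MAX_LENGTH:
        problems.append(f"longer than {LEGACY_MAX_LENGTH} characters")
    if not all(ch in string.ascii_letters + string.digits for ch in password):
        problems.append("special characters not supported")
    return problems


def modern_policy(password: str) -> list[str]:
    """NIST SP 800-63B style policy: length-based, Unicode-friendly, breach-checked.
    Returns the list of violations; an empty list means the password is accepted."""
    # NFKC normalisation so equivalent Unicode forms of the same password compare equal
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MODERN_MIN_LENGTH:
        problems.append(f"shorter than {MODERN_MIN_LENGTH} characters")
    if len(pw) > MODERN_MAX_LENGTH:
        problems.append(f"longer than {MODERN_MAX_LENGTH} characters")
    # Reject control characters only; every printable character, including
    # spaces and non-ASCII symbols, is allowed and counted as one character.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        problems.append("control characters are not allowed")
    if pw.lower() in BREACHED_PASSWORDS:
        problems.append("found in breached-password list")
    return problems


if __name__ == "__main__":
    for candidate in ["abc12345", "correct horse!", "12345678", "pässwörd ✓ 2023"]:
        print(repr(candidate), "legacy:", legacy_policy(candidate), "modern:", modern_policy(candidate))
```

The passphrase with a space and a punctuation mark fails the legacy policy on both counts while passing the modern one; the eight-digit string passes the legacy policy and is rejected by the modern one only because it is a known breached value, which is exactly the trade the newer guidance makes.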
CISA Urges Tech Manufacturers to Stop Using Default Passwords
Article Link: https://www.bleepingcomputer.com/news/security/cisa-urges-tech-manufacturers-to-stop-using-default-passwords/
- Recently, CISA sent out a notice urging technology manufacturers to stop shipping software and hardware with default passwords, or at the very least to stop using the same default password on every unit.
- CISA emphasized that for years the responsibility to change default passwords has been on the shoulders of customers, many of which regularly fail to change the default credentials. As such, CISA considers the only other option to be for the producers to make their products more secure by design.
- As the guidance highlights, passwords in general aren’t the issue. Several solutions suggested by CISA include providing time-limited setup passwords or unique passwords for each and every software or hardware item that the manufacturers produce.
- Link to CISA’s Guidance: https://www.cisa.gov/news-events/alerts/2023/12/15/cisa-secure-design-alert-urges-manufacturers-eliminate-default-passwords
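As an added illustration of the two alternatives CISA suggests (a unique credential per unit and a time-limited setup password), the following Python example is written for this post and is not code from CISA or from any manufacturer. Each unit gets its own CSPRNG-generated setup password, the device stores only a salted PBKDF2 hash of it, the password stops working once the setup window closes, and a successful first login is only accepted on the condition that the owner immediately replaces it. The serial numbers, the 24-hour window and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000          # OWASP's current guidance for PBKDF2-HMAC-SHA256
SETUP_WINDOW_SECONDS = 24 * 3600     # assumption: setup password is valid for one day


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def provision_unit(serial: str, provisioned_at: float) -> tuple[dict, str]:
    """Generate a unique, time-limited setup password for one unit at the factory.
    Returns the record to store on the device and the cleartext to print on its label."""
    setup_password = secrets.token_urlsafe(12)   # ~96 bits from a CSPRNG, never reused
    salt = secrets.token_bytes(16)
    record = {
        "serial": serial,
        "salt": salt,
        "hash": _hash(setup_password, salt),
        "expires_at": provisioned_at + SETUP_WINDOW_SECONDS,
        "must_rotate": True,   # first login must set an owner-chosen password
    }
    return record, setup_password


def verify_login(record: dict, candidate: str, now: float) -> str:
    """Return 'denied', 'rotate' (accepted, but a new password must be set now) or 'ok'."""
    if record["must_rotate"] and now > record["expires_at"]:
        return "denied"   # setup window elapsed; the unit has to be re-provisioned
    if not hmac.compare_digest(_hash(candidate, record["salt"]), record["hash"]):
        return "denied"
    return "rotate" if record["must_rotate"] else "ok"


def rotate_password(record: dict, new_password: str) -> None:
    """Replace the setup credential with an owner-chosen one; the label password is now dead."""
    record["salt"] = secrets.token_bytes(16)
    record["hash"] = _hash(new_password, record["salt"])
    record["must_rotate"] = False
    record["expires_at"] = None


if __name__ == "__main__":
    t0 = 1_700_000_000.0                       # constructed provisioning timestamp
    rec, label_pw = provision_unit("SN-0001", t0)
    print("first login:", verify_login(rec, label_pw, t0 + 60))
    rotate_password(rec, "owner-chosen-secret")
    print("label password after rotation:", verify_login(rec, label_pw, t0 + 120))
```

Because every unit's record carries a different salt and hash, a leaked label from one device tells an attacker nothing about another, which is the property the shared-default model lacks.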
Cloud Squatting: How Attackers can use Deleted Cloud Assets Against You
Article Link: https://www.csoonline.com/article/1261461/cloud-squatting-how-attackers-can-use-deleted-cloud-assets-against-you.html
- Cloud squatting is similar to when malicious actors purchase domain names similar to an organization’s website URL in an attempt to trick users. When organizations create cloud instances, the cloud service provider will allocate publicly reachable IP addresses and assign a hostname from a shared pool of IPs.
- Each time an instance is deleted, its IP address is returned to the shared pool and is free for an attacker to obtain and register. From there, bad actors can receive sensitive data from any internal apps and tools whose DNS CNAME record still points to the hostname of the previously deleted resource.
- The article highlighted several ways to address the issue. Specifically, for instances that have already been deleted, organizations need to review every CNAME record that has ever existed and ensure that the only CNAMEs still in use are ones that lead to services the organization currently operates. Moving forward, organizations should leverage their cloud provider’s reserved IP addresses and enforce a policy that prevents IP address hardcoding.
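The CNAME review described above is easy to automate once you have a zone export and an inventory of the cloud resources you still own. The following Python example is added here and is not code from the article; it runs over a constructed zone dump and a constructed inventory, flags CNAMEs that point at provider-assigned hostnames no longer in the inventory, and, to support the no-hardcoding policy, flags A records whose address is not one of the organization's reserved IPs. The `cloudhost.example` provider suffix, the hostnames and the 203.0.113.0/24 documentation addresses are all assumptions.

```python
# Constructed zone export (assumption: real data would come from your DNS
# provider's API or a zone file dump). Tuples are (name, type, target).
ZONE_RECORDS = [
    ("app.example.com.",        "CNAME", "webapp-prod.cloudhost.example."),
    ("old-report.example.com.", "CNAME", "reports-2021.cloudhost.example."),
    ("assets.example.com.",     "CNAME", "assets-bucket.cloudhost.example."),
    ("status.example.com.",     "CNAME", "status.thirdparty-saas.example."),
    ("www.example.com.",        "A",     "203.0.113.10"),
    ("legacy-api.example.com.", "A",     "203.0.113.77"),
]

# Constructed inventory of cloud resources the organization currently owns.
OWNED_HOSTNAMES = {"webapp-prod.cloudhost.example.", "assets-bucket.cloudhost.example."}
OWNED_IPS = {"203.0.113.10"}   # reserved (elastic/static) IPs still allocated to the org

# Assumption: provider-assigned hostnames all end in one of these suffixes.
PROVIDER_SUFFIXES = (".cloudhost.example.",)


def fqdn(name: str) -> str:
    """Normalise a DNS name to lower-case, trailing-dot form for comparison."""
    return name.lower().rstrip(".") + "."


def find_dangling(records, owned_hosts, owned_ips, provider_suffixes):
    """Return (name, type, target, reason) for records that point at resources
    the organization no longer owns. CNAMEs to non-provider targets are left
    alone here; they belong to a separate third-party review."""
    owned_hosts = {fqdn(h) for h in owned_hosts}
    findings = []
    for name, rtype, target in records:
        if rtype == "CNAME":
            t = fqdn(target)
            if t.endswith(tuple(provider_suffixes)) and t not in owned_hosts:
                findings.append((name, rtype, target,
                                 "CNAME targets a provider hostname that is no longer in inventory"))
        elif rtype == "A" and target not in owned_ips:
            findings.append((name, rtype, target,
                             "hardcoded IP not in reserved-IP inventory"))
    return findings


if __name__ == "__main__":
    for name, rtype, target, reason in find_dangling(
            ZONE_RECORDS, OWNED_HOSTNAMES, OWNED_IPS, PROVIDER_SUFFIXES):
        print(f"{name} {rtype} {target}: {reason}")
```

Run against the constructed data it reports the stale `old-report` CNAME and the hardcoded `legacy-api` address, while the records that resolve to inventory entries and the third-party SaaS CNAME pass. Running this on a schedule, and treating any finding as a record to delete rather than a resource to re-acquire, closes the window the article describes.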
Industry Regulations and Standards are Driving OT Security Priorities
Article Link: https://www.helpnetsecurity.com/2023/12/13/ot-environments-ransomware-impact/
- According to a Claroty survey of 1,100 IT and OT security professionals, 37% of ransomware attacks in 2023 impacted both IT and OT systems, compared to 27% in 2021. Additionally, of the organizations that were targeted by ransomware, 69% paid their ransoms.
- Beyond ransomware, the survey also noted that organizational security priorities were influenced by TSA Security Directives for 45% of respondents, CDM DEFEND for 39%, and ISA/IEC-62443 for 37%.
- Lastly, the survey highlighted several top OT security initiatives for organizations moving forward. Risk assessments are a priority for 43% of respondents, followed by lifecycle management (40%) and vulnerability management (39%).
- Link to Claroty’s Report: https://claroty.com/resources/reports/the-global-state-of-industrial-cybersecurity-2023
Securing Success: Talking to the Board About Cyber Risk
Article Link: https://staysafeonline.org/resources/securing-success-talking-to-the-board-about-cyber-risk/
- As the article states, cyber risk across all business levels influences operations, reputation, and compliance. However, a recent National Association of Corporate Directors survey noted that less than 15% of directors express high satisfaction with the cybersecurity-related information that management provides them with. This article provides tips for enhancing board-level cybersecurity discussions.
- Overall, the article emphasizes that cybersecurity leaders should be able to provide insight on risk for board members to strategize around. Within the article, there are several key questions that cybersecurity leaders should have answers for including “What is our cyber risk appetite?”, “How can cybersecurity enable other business functions?”, and “How much of our IT budget is spent on cybersecurity-related activities?” among other questions.
- In addition to offering up discussion-driving questions, the article also looks at how to provide board-level metrics. In addition to other key considerations, ensuring the data is relevant and being concise are vital when presenting data to leadership.
What to do When Receiving Unprompted MFA OTP Codes
Article Link: https://www.bleepingcomputer.com/news/security/what-to-do-when-receiving-unprompted-mfa-otp-codes/
- As the article notes, receiving an unprompted one-time passcode (OTP) via email or text should be concerning, as it indicates that your credentials are likely compromised in some capacity.
- If you receive an unwarranted OTP, such as a six-digit code in a text message, you are encouraged to log in to the service that sent the notification directly and change your credentials as a preventative measure. Additionally, if the credentials are re-used elsewhere, it is important to log in to those additional services and change your credentials there as well.
- As the article notes, while email and text MFA methods are better than nothing, they are far from the most secure MFA methods, provide a false sense of security, and can be circumvented by crafty malicious hackers.
