Information Security News 4-1-2024


AT&T Confirms Data for 73 Million Customers Leaked on Hacker Forum

Article Link: https://www.bleepingcomputer.com/news/security/atandt-confirms-data-for-73-million-customers-leaked-on-hacker-forum/

  • After denying it for two weeks, AT&T recently confirmed that a leaked data set of 73 million people contains its customer data as well as data from customers of DirecTV, which AT&T owned until 2021.
  • AT&T stated that the data appears to be from 2019 or earlier. Likewise, the leak impacts 7.6 million current AT&T customers and 65.4 million former account holders. The passwords of 7.6 million customers were leaked as well.
  • Despite the data leak, AT&T is currently stating that they haven’t found any evidence of a data breach.
  • Link to AT&T’s Press Release: https://about.att.com/story/2024/addressing-data-set-released-on-dark-web.html

Suspected MFA Bombing Attacks Target Apple iPhone Users

Article Link: https://www.darkreading.com/cloud-security/mfa-bombing-attacks-target-apple-iphone-users

  • According to some Apple users, bad actors are trying to take over iCloud accounts via multifactor authentication (MFA) bombing/spamming attacks and fake Apple support phone calls.
  • Specifically, the attackers send hundreds of iCloud password reset requests, which show up as notifications on connected devices like iPhones. After several days of bombardment, the spammers call potential victims using a spoofed caller ID that shows up as the Apple Support phone number in an attempt to socially engineer impacted Apple users.
  • While accepting the password reset notification may not lead to an immediate compromise, researchers recommend rejecting the reset prompts and Apple Support phone calls to be safe.

Cisco Warns of Password-Spraying Attacks Targeting VPN Services

Article Link: https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spraying-attacks-targeting-vpn-services/

  • Cisco recently warned customers of an uptick in password-spraying attacks targeting their VPN services, such as their Remote Access VPN (RAVPN) configured on Cisco Secure Firewall devices.
  • Cisco identified several indicators of compromise, including an inability to establish VPN connections with the Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled and an unusual number of authentication requests.
  • Cisco also outlined several defensive recommendations. These include enabling logging, securing default remote access VPN profiles, leveraging TCP shun, configuring control-plane ACLs, and using certificate-based authentication for RAVPN.
  • Link to Cisco’s Recommendations: https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

Google: Spyware Vendors Behind 50% of Zero-Days Exploited in 2023

Article Link: https://www.bleepingcomputer.com/news/security/google-spyware-vendors-behind-50-percent-of-zero-days-exploited-in-2023/

  • Google’s Threat Analysis Group (TAG) and Mandiant recently released a report that reviewed 97 zero-days, which were exploited in attacks throughout 2023.
  • According to Google’s data, financially motivated threat actors used ten of the observed zero-day vulnerabilities, a decrease from 2022. Meanwhile, 50% of all zero-days exploited in 2023 were exploited by commercial surveillance vendors (CSVs), such as spyware vendors like the NSO Group.
  • While it is impossible to prevent zero-day exploits, Google did provide several recommendations to harden systems. Specifically, Google recommended that Android users leverage Memory Tagging Extensions (MTE) and that iPhone users leverage Lockdown Mode. Additionally, high-risk Chrome users are encouraged to use HTTPS-First Mode and disable the V8 Optimizer to reduce the likelihood of security vulnerabilities introduced by Just-in-Time (JIT) code compilation.
  • Link to Google’s Report: https://cloud.google.com/blog/topics/threat-intelligence/2023-zero-day-trends

Corporations With Cyber Governance Create Almost 4X More Value

Article Link: https://www.darkreading.com/cyber-risk/study-corporations-with-cyber-governance-create-almost-4x-more-value

  • According to a report from Bitsight and Diligent, which surveyed 4,000 public midsized-to-large companies globally, organizations with a specific committee for cyber oversight led by a cyber expert can help increase shareholder value by nearly four times the original amount.
  • Overall, when organizations leverage specialized board committees that include a cyber expert, they are more likely to improve their overall security postures and financial performance. The report specifically noted that healthcare and financial services organizations, which ranked the highest in the report, typically had leadership with a cyber background, compared to industrial companies, which ranked the lowest and typically lacked leadership with any cyber background.
  • Beyond the Bitsight report, the article also referenced a Harvard Business Review report which highlighted that, beyond who sits on the board, CISOs can further board-driven security by regularly meeting with the board and doing more than just presenting recent audit results.
  • Link to Bitsight’s Report: https://www.bitsight.com/blog/new-research-identifies-oversight-practices-correlated-with-effective-cybersecurity-outcomes
  • Link to the Harvard Business Review Article: https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity

HSB Introduces Cyber Insurance for Autos

Article Link: https://www.businesswire.com/news/home/20240326845397/en/HSB-Introduces-Cyber-Insurance-for-Autos

  • Recently, the insurance company Hartford Steam Boiler (HSB) announced the development of cyber insurance for vehicles that leverage emerging technologies like in-car internet and allow mobile devices to connect to the car itself.
  • The unique move is seen as a response to car owners connecting potentially insecure devices to their vehicles. Likewise, HSB sees vehicles as future targets for malicious hackers.
  • As the article notes, the new insurance has yet to be approved by any state insurance departments.

CISA’s Proposed Framework for Cyber Incident Reporting Rules Includes Subpoena Power

Article Link: https://www.nextgov.com/cybersecurity/2024/03/cisas-proposed-framework-cyber-incident-reporting-rules-includes-subpoena-power/395275/

  • Last week, the Department of Homeland Security began the public comment process for CISA’s rules on implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which would require critical infrastructure entities to report cyber incidents in a timely manner.
  • The proposed rule will require cyber incidents to be reported to CISA within 72 hours and ransomware attacks specifically to be reported within 24 hours. Additionally, organizations that pay ransoms will be required to report the details of the payments to CISA.
  • Additionally, if an organization does not report in a timely manner, CISA is given the authority to subpoena them to disclose the incident. If noncompliance continues, then contracting suspensions and other penalties can occur.
  • The full document is set to be published in the Federal Register on April 4th, with the comment period lasting until June 2024. From there, the final rule will likely be published 18 months after the public comment period closes.
  • Link to DHS’ Full Rule: https://www.federalregister.gov/public-inspection/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act

