Project Hyphae

Information Security News 6-10-2024


Frontier Warns 750,000 of a Data Breach After Extortion Threats

Article Link: https://www.bleepingcomputer.com/news/security/frontier-warns-750-000-of-a-data-breach-after-extorted-by-ransomhub

  • Frontier Communications has disclosed a data breach stemming from a mid-April 2024 attack by the RansomHub ransomware group. The personal information of roughly 750,000 customers, including full names and Social Security numbers, was exposed; Frontier says no customer financial data was taken.
  • Frontier detected the unauthorized access on April 14 and took immediate action to contain it. During the response, some customers lost Internet service and customer-support lines were disrupted.
  • On June 4, RansomHub claimed responsibility and listed Frontier on its dark web extortion site, threatening to leak 5 GB of stolen data. The group has given Frontier until June 14 to respond, after which it says the data will be sold to the highest bidder.
  • Affected customers should be wary of unsolicited messages, reset their passwords, and monitor bank statements. Frontier is offering one year of free credit monitoring and identity-theft protection through Kroll.

‘Fog’ Ransomware Rolls in to Target Education, Recreation Sectors

Article Link: https://www.darkreading.com/threat-intelligence/fog-ransomware-rolls-in-to-target-education-recreation-sectors

  • A new ransomware group dubbed “Fog” has been identified. It encrypts data in victims’ virtual environments and aims for quick ransom payments rather than prolonged extortion.
  • Arctic Wolf researchers first observed Fog on May 2, with cases continuing through May 23. The intrusions focus on fast encryption without data exfiltration, but still leave a ransom note.
  • Initial access came through compromised VPN credentials on gateways from two VPN vendors, which Arctic Wolf did not name. Once inside, the group compromised administrator accounts using pass-the-hash and then used Remote Desktop Protocol (RDP) to reach Windows servers running Hyper-V and Veeam.
  • All observed attacks have been in the U.S., with 80% hitting the education sector, likely because schools have limited cybersecurity resources and small IT departments, particularly over the summer break.
  • Arctic Wolf report: https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/
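The chain above (pass-the-hash to an administrator account, then RDP into Hyper-V or Veeam hosts) is one a defender can correlate from Windows Security events. The following is an added example written for this page, not Arctic Wolf’s code or detection content. Field names follow the 4624 logon event, but the hostnames, accounts, IPs and the watchlist of critical servers are constructed assumptions.

```python
"""Added example: a toy correlation rule for the chain described above
(pass-the-hash to an admin account, then RDP to Hyper-V / Veeam servers).
All events below are constructed for illustration; field names follow the
Windows Security log but hostnames, accounts and IPs are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed watchlist of hypervisor and backup hosts (example names, not real ones).
CRITICAL_HOSTS = {"HV01", "HV02", "VEEAM01"}


@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str            # computer that recorded the event
    account: str
    logon_type: int
    logon_process: str   # LogonProcessName field of 4624
    auth_package: str    # AuthenticationPackageName field of 4624
    source_ip: str


def is_pth_indicator(e: Event) -> bool:
    """Mimikatz-style pass-the-hash leaves a 4624 on the attacking host with
    LogonType 9 (NewCredentials), LogonProcessName 'seclogo' and
    AuthenticationPackageName 'Negotiate'. A legitimate 'runas /netonly'
    produces the same pattern, so this is a lead to correlate, not an alert."""
    return (e.event_id == 4624 and e.logon_type == 9
            and e.logon_process.lower() == "seclogo"
            and e.auth_package.lower() == "negotiate")


def is_rdp_to_critical(e: Event) -> bool:
    """4624 LogonType 10 (RemoteInteractive) recorded on a watchlisted host."""
    return (e.event_id == 4624 and e.logon_type == 10
            and e.host.upper() in CRITICAL_HOSTS)


def correlate(events, window=timedelta(hours=2)):
    """Return (account, pth_host, target_host) for every account that showed a
    PtH indicator and then RDP'd into a critical host within `window`."""
    hits = []
    last_pth = {}  # account -> (timestamp, host where the PtH indicator was seen)
    for e in sorted(events, key=lambda ev: ev.ts):
        if is_pth_indicator(e):
            last_pth[e.account.lower()] = (e.ts, e.host)
        elif is_rdp_to_critical(e):
            prior = last_pth.get(e.account.lower())
            if prior is not None and e.ts - prior[0] <= window:
                hits.append((e.account, prior[1], e.host))
    return hits


# Constructed sample: a normal network logon, a PtH indicator on workstation WS17,
# an RDP hop to hypervisor HV01, a hop to an unwatched file server, and an
# unrelated helpdesk RDP session to the Veeam server.
T0 = datetime(2024, 5, 10, 2, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, 4624, "WS17", "CORP\\jdoe", 3, "NtLmSsp", "NTLM", "10.0.5.4"),
    Event(T0 + timedelta(minutes=5), 4624, "WS17", "CORP\\admin", 9, "seclogo", "Negotiate", "127.0.0.1"),
    Event(T0 + timedelta(minutes=12), 4624, "HV01", "CORP\\admin", 10, "User32", "Negotiate", "10.0.5.4"),
    Event(T0 + timedelta(minutes=30), 4624, "FILE01", "CORP\\admin", 10, "User32", "Negotiate", "10.0.5.4"),
    Event(T0 + timedelta(hours=1), 4624, "VEEAM01", "CORP\\helpdesk", 10, "User32", "Negotiate", "10.0.9.9"),
]


def demo():
    """Run the rule over the constructed sample; returns one hit for CORP\\admin."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for account, src, dst in demo():
        print(f"ALERT: {account} pass-the-hash on {src} followed by RDP to {dst}")
```

Only the admin account that produced the PtH indicator and then opened an RDP session to a watchlisted host is reported; the helpdesk session to the Veeam server and the hop to the unwatched file server are not. In a real deployment the watchlist would come from the CMDB and the events from the SIEM, and the window would be tuned to the environment.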

Cox Fixed an API Auth Bypass Exposing Millions of Modems to Attacks

Article Link: https://www.bleepingcomputer.com/news/security/cox-fixed-an-api-auth-bypass-exposing-millions-of-modems-to-attacks

  • A flaw in Cox Communications’ backend APIs allowed remote attackers to bypass authorization, access sensitive customer data, and change the settings and firmware of customers’ modems.
  • Bug bounty hunter Sam Curry discovered the vulnerability, which effectively gave an attacker the same level of control over customer devices as Cox’s ISP technical-support staff.
  • An attacker could change configuration settings on multiple Cox devices, execute commands on them, and extract PII, Wi-Fi passwords, and other data.
  • More than 700 exposed API endpoints were affected, some exposing administrative functions. Their authorization checks could be bypassed simply by replaying the same HTTP request repeatedly.
  • Within six hours of Curry’s report, Cox took the exposed API calls offline and patched the vulnerability the next day.
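An authorization check that can be beaten by resending the same request is, by definition, not deterministic, and that is easy to test for. The following is an added example for this page, not code from Cox or from Curry’s research: the two backends are constructed in-process simulations of a strict and an intermittently failing-open authorization check, and `http_sender` shows how the same probe would be pointed at a real endpoint during an authorized test.

```python
"""Added example: a replay probe for authorization checks that fail open
intermittently, the class of weakness described above. The backends here are
constructed in-process simulations, not Cox's API; `http_sender` shows how the
same probe would be pointed at a real endpoint during an authorized test."""
from collections import Counter
import urllib.error
import urllib.request


def strict_backend(request):
    """Constructed: authorization is evaluated on every call, so the same
    request always yields the same decision."""
    return 200 if request["account"] == request["resource_owner"] else 403


def flaky_backend_factory(fail_open_every):
    """Constructed: a denied request is served on every Nth call, standing in
    for a race, a cache miss or a load-balanced node that skips the check."""
    counter = {"calls": 0}

    def handle(request):
        counter["calls"] += 1
        if request["account"] == request["resource_owner"]:
            return 200
        if counter["calls"] % fail_open_every == 0:
            return 200  # the simulated bug: authorization fails open
        return 403

    return handle


def replay_probe(send, request, attempts=50):
    """Send the identical request `attempts` times and tally status codes."""
    return Counter(send(request) for _ in range(attempts))


def authorization_inconsistent(tally):
    """A deterministic check returns one code for one request; a mix of 2xx and
    4xx means the decision depends on something other than the caller's identity."""
    ok = sum(n for code, n in tally.items() if 200 <= code < 300)
    denied = sum(n for code, n in tally.items() if 400 <= code < 500)
    return ok > 0 and denied > 0


def http_sender(url, headers):
    """Build a `send` function for a real endpoint (to be used only with
    permission). Returns the HTTP status code, including 4xx/5xx, per attempt."""
    def send(_request):
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return send


if __name__ == "__main__":
    # Constructed request: account 'cust-a' asking for a modem that belongs to 'cust-b'.
    cross_account = {"account": "cust-a", "resource_owner": "cust-b", "path": "/devices/modem-1"}
    for name, backend in [("strict", strict_backend), ("flaky", flaky_backend_factory(7))]:
        tally = replay_probe(backend, cross_account)
        verdict = "INCONSISTENT" if authorization_inconsistent(tally) else "ok"
        print(f"{name}: {dict(tally)} {verdict}")
```

Against the strict backend every attempt is denied; against the simulated flaky one a handful of identical requests succeed, which is exactly the signal to chase. The fix on the server side is equally simple to state: the authorization decision must be evaluated on every request, from the authenticated principal and the owner of the requested object, with nothing cached or skipped on any code path.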

How to Change Security Behaviors Beyond Awareness Training

Article Link: https://www.infosecurity-magazine.com/news/change-security-behaviors-training

  • Traditional security awareness training often fails because it’s treated as a checkbox activity. Organizations should aim to change employee behaviors to foster a security-conscious nature.
  • The issue usually isn’t a lack of knowledge but a failure to integrate secure practices into everyday work. Employees need to see that their actions improve the security posture of the business.
  • Turning security exercises into games can make participation more engaging. Leaderboards and similar tools encourage friendly competition and recognize good security practices.

Unauthorized AI is Eating Your Company Data, Thanks to Your Employees

Article Link: https://www.csoonline.com/article/2138447/unauthorized-ai-is-eating-your-company-data-thanks-to-your-employees.html

  • Many employees are using AI tools without IT leadership’s knowledge, and are feeding them sensitive company data such as business documents and source code.
  • Cyberhaven’s Q2 2024 report finds that a large proportion of workplace AI use, particularly of ChatGPT and Google’s Gemini and Bard, goes through personal, non-corporate accounts.
  • Between March 2023 and March 2024, the volume of data sent to AI tools increased almost fivefold, fuelling the rise of “shadow AI”.
  • Although no major breach has yet been attributed to this, concerns remain about what becomes of company data disclosed to publicly accessible AI services. OpenAI has set up a Safety and Security Committee in response to such concerns.
  • Report: https://www.cyberhaven.com/blog/shadow-ai-how-employees-are-leading-the-charge-in-ai-adoption-and-putting-company-data-at-risk

“Microsoft Should Recall Windows Recall” – Security Researcher Discovers Microsoft’s New AI Tool is Woefully Insecure

Article Link: https://www.windowscentral.com/software-apps/windows-11/microsoft-should-recall-windows-recall-security-researcher-finds-microsofts-new-ai-tool-woefully-insecure

  • This month, Microsoft plans to introduce an artificial intelligence feature called “Windows Recall” for new Windows 11 Copilot+ machines. The feature logs user activities on the computer and allows for semantic search of this data.
  • The data is stored locally and Microsoft says it is protected by BitLocker, but BitLocker only protects the volume at rest: once the user is logged in, the data is accessible in the clear. Security researcher Kevin Beaumont found that Recall keeps its records in an unprotected SQLite database that is readable while the computer is running.
  • The information is only encrypted once the user logs out, which protects against device theft but not against malware running while the user is logged in. The data is kept in a system directory that nominally requires administrator rights to read, but Beaumont showed that this protection can be bypassed.
  • Recall is optional and shows a taskbar indicator while active, so it cannot run unnoticed. It will only be available on new Copilot+ PCs, not on existing Windows 11 installations.
  • Research Article: https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e

FBI Distributes 7,000 LockBit Ransomware Decryption Keys to Help Victims

Article Link: https://thehackernews.com/2024/06/fbi-distributes-7000-lockbit-ransomware.html

  • The FBI holds more than 7,000 LockBit decryption keys and is offering them free of charge so victims can recover their data. It is reaching out to known victims and encouraging others to contact the Internet Crime Complaint Center (IC3).
  • LockBit has been involved in over 2,400 attacks globally, 1,800 of them in the U.S. It was linked to 28 confirmed attacks in April 2024, ranking behind other ransomware groups. According to Veeam’s 2024 Ransomware Trends report, organizations recover on average only 57% of compromised data.
  • Newer players such as SenSayQ and CashRansomware have entered the market, while established families such as TargetCompany keep refining their tradecraft, most recently with a new Linux variant that targets VMware ESXi systems. TargetCompany’s attacks use vulnerable Microsoft SQL servers for initial access.
  • According to Trend Micro researchers, an affiliate tracked as “Vampire” is responsible for the attacks using the new Linux variant of TargetCompany ransomware.
  • Veeam Ransomware Trends report: https://www.veeam.com/blog/announcing-rw24.html
  • Trend Micro report: https://www.trendmicro.com/en_us/research/24/f/targetcompany-s-linux-variant-targets-esxi-environments.html
