Project Hyphae

Information Security News 1-16-2023

Share This Post

Sneaky New Stealer Woos Corporate Workers Through Fake Zoom Downloads

Article Link: https://www.darkreading.com/threat-intelligence/sneaky-stealer-woos-remote-workers-fake-zoom-downloads

  • According to Cyble, a sneaky new info stealer, known as “Rhadamanthys Stealer”, is sliding onto user machines via traditional phishing emails and website redirects from Google Ads that pose as download sites for popular remote-workforce software, such as Zoom, AnyDesk, Notepad++, and Bluestacks.
  • Once this file is executed, the stealer is tasked with seeking out crypto wallets, FTP clients, email clients, file managers, password managers, VPN services, and messaging apps. Likewise, the malware takes screenshots of the victim’s machine.
  • It is advised to educate employees on the dangers of phishing and downloading unapproved software. Additionally, the use of strong passwords and MFA are encouraged as well. Last, organizations should block Torrent/Warez websites.
  • Link to Cyble’s Blog Post: https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/

CircleCI, LastPass, Okta, and Slack: Cyberattackers Pivot to Target Core Enterprise Tools

Article Link: https://www.darkreading.com/attacks-breaches/circleci-lastpass-okta-slack-cyberattackers-target-enterprise-tools

  • High-profile software provider compromises in the past few months, such as those on CircleCI, LastPass, Okta, and Slack, show that threat actors are actively targeting the services underpinning corporate infrastructure.
  • As noted by Lori MacVittie of F5, the glut of attacks on core enterprise tools highlights the fact that companies should expect these types of providers to become regular targets in the future.
  • With enterprise tools being targeted, organizations should prepare for the worst and have a plan to limit exposure, which may include rotating things like necessary passwords, keys, and sensitive configuration files.

How to Improve Your Incident Response Plan for 2023

Article Link: https://www.helpnetsecurity.com/2023/01/09/how-to-improve-your-incident-response-plan-for-2023/

  • You may already have an IR plan, but the evolving cyber threat landscape and shifting circumstances within your organization demand regular changes and improvements.
  • The article highlights the importance of relevant personnel knowing their roles in preparation for an incident, evolving the IR plan and playbooks as new technology is adopted, proactively testing the IR plan, establishing a zero-day budget, and ensuring that IR plan training regularly occurs.
  • Link to FRSecure’s FREE IR Playbooks and Resources: https://frsecure.com/resources/

Ransomware Gangs are Starting to Ditch Encryption

Article Link: https://www.axios.com/2023/01/13/ransomware-gangs-cut-out-encryption

  • Some criminal gangs are using a new method to guarantee a ransomware payout: They’re ditching the part where they lock up a victim’s systems by encrypting them and are skipping straight to holding the company’s precious data for ransom.
  • The article noted that trying to lessen the amount of attention received from law enforcement, avoiding issues with the encryption process failing before all files are encrypted, and being able to carry out faster attacks are all possible reasons for some ransomware gangs dropping file encryption.
  • Companies that have good endpoint security tools and firewalls, as well as constant monitoring and controls that limit employees access to internal files, are the ones that will best be able to foil most ransomware threats.

Why Do User Permissions Matter for SaaS Security?

Article Link: https://thehackernews.com/2023/01/why-do-user-permissions-matter-for-saas.html

  • Over the past year, SaaS providers like Mailchimp have been the victim of cyberattacks. Introducing user permissions, through role-based account control (RBAC) and maintaining a rule of least privilege, could have severely limited the damage caused by breaches like what Mailchimp experienced.
  • Both the rule of least privilege and reviewing user permissions are vital for security. In action, if a low-privilege user account is breached, the threat actor would have less access to sensitive data contained within a breached service.
  • User permissions aren’t simply “set it and forget it” configurations, rather user access should be regularly reviewed to adjust permission levels as needed. Access reviews should take place at predetermined intervals, ensuring that unnecessary permissions are identified and addressed within a set time frame.

Maximizing Data Value While Keeping It Secure

Article Link: https://www.helpnetsecurity.com/2023/01/13/maximizing-data-value-while-keeping-it-secure/

  • It’s vital to recognize that there are two seemingly contradictory aspects of data best practices. Specifically, data must be easily available and accessible to those who need it, but it also must always be protected (and kept away from others who don’t need it).
  • The article highlights five components of balancing security with accessibility. These include discovery and visibility of what data is present, auditing access to shared sensitive data (or data in general), optimizing permission settings in line with least privilege, detecting data access anomalies, and masking shared sensitive data as opposed to having data access be all or nothing.
  • Appropriately locking down sensitive data in the enterprise and beyond is at the foundation of minimizing risk and maximizing business results.

Android TV Box on Amazon Came Pre-Installed With Malware

Article Link: https://www.bleepingcomputer.com/news/security/android-tv-box-on-amazon-came-pre-installed-with-malware/

  • A Canadian security consultant, Daniel Milisic, discovered that a new and inexpensive T95 Android TV box purchased from a Chinese vendor on Amazon was pre-loaded with persistent, sophisticated malware baked into its firmware. It’s unclear if this single device was affected or if all devices from this model or brand include the malicious elements found by Milisic.
  • The T95 streaming device uses an Android 10-based ROM signed with test keys and the ADB (Android Debug Bridge) open over Ethernet and WiFi. Upon further analysis, it was evident that the device was attempting to send DNS requests to several IPs associated with active malware.
  • The article noted that despite their inexpensive price tags, TV boxes like the T95 should be ignored in favor of streaming devices from reputable vendors, such as Google, Roku, and others.

6 Oversights That Enable Data Breaches

Article Link: https://www.helpnetsecurity.com/2023/01/12/stolen-data/

  • Personal employee or customer data accounted for nearly 45% of all data stolen between July 2021 and June 2022, while companies’ source code and proprietary information accounted for a further 6.7% and 5.6% respectively, according to Imperva. However, the research found that theft of credit card information and password details dropped by 64% compared to 2021.
  • In addition to other statistics, Imperva found that there are six common oversights that enable data breaches. These include a lack of multi-factor authentication, limited visibility into all data repositories, poor password policies, misconfigured data infrastructure, limited vulnerability protection, and simply not learning from past data breaches.
  • Link to Imperva’s Full Report: https://www.imperva.com/resources/resource-library/white-papers/more-lessons-learned-from-analyzing-100-data-breaches/

NASA Overspent $15 million on Unused Oracle Licenses as It Failed to Track Usage

Article Link: https://www.cio.com/article/419281/nasa-overspent-15-million-on-unused-oracle-licenses-as-it-failed-to-track-usage.html

  • NASA has overspent about $15 million on Oracle software over the past five years because it lacked a centralized software asset management practice, according to an audit report published by the space agency’s office of the inspector general (OIG). 
  • The report attributes the huge over-expenditure to vendor lock-in (inability to transition to rival products or services) and NASA’s unwillingness to risk a license audit by Oracle because of NASA’s lack of visibility into software management.
  • Additionally, the report highlighted that NASA could have saved approximately $35 million ($20 million in fines for software usage penalties and $15 million in unused licenses) if an asset management program was implemented.
  • Link to OIG’s Full Report: https://www.oversight.gov/report/NASA/NASA%E2%80%99s-Software-Asset-Management

More To Explore

Information Security News 1-23-2023

MailChimp Discloses New Breach After Employees Got Hacked Article Link: https://www.bleepingcomputer.com/news/security/mailchimp-discloses-new-breach-after-employees-got-hacked/ T-Mobile Suffers 8th Data Breach in Less Than 5 Years Article Link: https://www.csoonline.com/article/3686053/t-mobile-suffers-8th-data-breach-in-less-than-5-years.html Hackers

BianLian Ransomware Decryptor Made Public

BianLian, a Windows ransomware variant written in Go, the Google-created open source programming language, has been steadily increasing in popularity among threat actors since it

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.