Project Hyphae

Information Security News 1-22-2024

Microsoft’s Top Execs’ Emails Breached in Sophisticated Russia-Linked APT Attack

  • Recently, Microsoft revealed that nation-state threat actors, known as Midnight Blizzard and other names, had stolen emails and attachments from senior Microsoft executives and other individuals across their cybersecurity and legal departments.
  • The hackers conducted a password spray attack to compromise a legacy non-production test tenant account and then used the account’s permissions to access Microsoft email accounts from there.
  • Microsoft noted that the incident began in late November 2023 and that it was investigated, disrupted, and mitigated once discovered on January 12, 2024. The investigation suggests that the threat actors were looking for information about their own hacking group and did not access any customer or production systems, AI systems, or source code.

GitHub Rotated Credentials After the Discovery of a Vulnerability

  • Towards the end of December, GitHub was made aware of a high-severity vulnerability via its bug bounty program. After investigating the bug, GitHub resolved the issue and rotated any potentially exposed credentials, but had 3 days of downtime while fixing the issue.
  • The vulnerability was present on GitHub Enterprise Servers and could lead to reflection injection. According to GitHub, the vulnerability had been neither previously discovered nor exploited.
  • In addition to resolving the vulnerability and rotating credentials, GitHub also identified an area of improvement regarding how to navigate a credential rotation without disrupting services.

Threat Actors Team Up for Post-Holiday Phishing Email Surge

  • The article highlights an increase in phishing due to the end of the holiday season for most people, including the malicious hackers themselves.
  • A specific campaign that was highlighted was a fake invoice campaign conducted by the threat actor duo TA866 and TA571. As the article notes, the attackers leverage traffic distribution systems (TDSes), which operate as intermediate websites that direct traffic to malicious URLs, and malware-infested PDFs related to fake payment invoices.
  • Beyond the two threat groups specifically noted, the article emphasized that security organizations, such as Proofpoint, have noticed an uptick in malicious activity following an apparent holiday break for the larger, more organized, and corporate-like threat actors.

How Small Contractors can Prepare for New Cybersecurity Rules

  • The Cybersecurity Maturity Model Certification (CMMC) 2.0 rules were recently published as a proposed rule with a public comment period. As a result, organizations of all sizes that are part of the Defense Industrial Base (DIB) will soon be required to meet the robust regulations.
  • While the rules are not yet fully enacted, organizations are encouraged to prepare for the eventual final ruling. As the article emphasizes, mid-sized and small government contractors should anticipate future investments and costs for complying with CMMC 2.0.
  • While not all organizations are currently working towards eventually becoming compliant with CMMC 2.0, the article encourages planning to do so. Specifically, the article emphasizes reviewing your organization’s current cybersecurity posture in comparison to controls in the proposed rule.
  • Additionally, the article points out planning for additional workload and staff as well as a higher cybersecurity budget as vital considerations for organizations looking to meet the Department of Defense’s looming rules.

With Attacks on the Upswing, Cyber-Insurance Premiums Poised to Rise Too

  • According to Roman Itskovich, Chief Risk Officer of the cyber insurance firm At-Bay, organizations should expect cyber insurance costs to rise in the next 12 to 24 months despite premium costs dropping by 6% in the third quarter of 2023.
  • As the article discusses, the cost of cyber insurance premiums tends to lag behind changes in the threat landscape. When cyberattacks surge, premiums follow several quarters afterwards.
  • While premium prices will likely increase, many within the cyber insurance industry anticipate that premium prices will reach an equilibrium. Specifically, the Head of Insurance for the cyber insurance firm Coalition, Shawn Ram, suggested that 2024 will be the year of cyber stabilization.

Attribute-Based Encryption Could Spell the End of Data Compromise

  • This article looks at attribute-based encryption (ABE) and how it could potentially secure data beyond how it is secured currently. In essence, ABE strives for fine-grained access to data. As the author explained it, users are given access to a single line item of data rather than an entire file cabinet.
  • While the uses for ABE technology are essentially limitless, several potential use cases described include encrypting and decrypting specific portions of video footage (such as faces), securing electronic medical record access, and managing ticketing and physical access to transportation services.
  • Overall, there is a perceived need for a compromise between data proliferation, data access, and data privacy. As such, a number of organizations are working towards creating commercially available products that leverage ABE technology.

US Gov Publishes Cybersecurity Guidance for Water and Wastewater Utilities

  • Recently, CISA, the FBI, and the EPA released an incident response guide for the water and wastewater systems sector.
  • As the article highlights, the guide’s goal is to improve the water sector’s cybersecurity by helping organizations establish guidelines for incident reporting and incident response and build cybersecurity baselines. It also details available resources, services, and free trainings for organizations.
  • The guide essentially has two pillars to it. The first is that water and wastewater organizations should build a robust incident response plan. The second is that organizations should reach out to federal partners in the wake of any potential incidents.

New Jersey Enacts Comprehensive Privacy Law

  • On January 8, 2024, New Jersey became the first state in 2024 and 13th state overall to pass legislation developing comprehensive privacy regulations. The law will go into effect on January 15, 2025.
  • As the article highlights, the law is similar to privacy legislation developed by other states. However, the article discusses several of the key differences in New Jersey’s law.
  • The Act applies to entities that do business in New Jersey and either (1) process the personal data of at least 100,000 New Jersey residents or (2) process the personal data of at least 25,000 New Jersey residents and derive revenue from the sale of personal data, with exceptions. However, the legislation doesn’t dictate specific revenue thresholds regarding how much data is sold as part of the total revenue. Likewise, there are fewer entities that are exempt, such as non-profit organizations or entities that are regulated under FERPA.
  • Beyond that, the Act also considers financial information as sensitive data, requires data protection assessments, requires greater protection for children between the ages of 13 and 16, and dictates that further rules and regulations will be developed by New Jersey’s Division of Consumer Affairs.
