Information Security News 1-23-2023

MailChimp Discloses New Breach After Employees Got Hacked

Article Link: https://www.bleepingcomputer.com/news/security/mailchimp-discloses-new-breach-after-employees-got-hacked/

• First detected on January 11^th, email marketing firm MailChimp suffered another breach after hackers successfully phished and accessed an internal customer support and account administration tool, allowing the threat actors to access the data of 133 customers.
• MailChimp notified the primary contacts for affected accounts within 24 hours of the breach being discovered and is currently investigating further.
• WooCommerce and FanDuel have since come out and admitted to being part of the 133 clients who had names and email addresses of their customers exposed as a result of the MailChimp breach.
• Link to MailChimp’s Full Statement: https://mailchimp.com/january-2023-security-incident/

T-Mobile Suffers 8th Data Breach in Less Than 5 Years

Article Link: https://www.csoonline.com/article/3686053/t-mobile-suffers-8th-data-breach-in-less-than-5-years.html

• According to a filing to the SEC on January 19^th, T-Mobile suffered a cybersecurity incident that resulted in the exposure of the personal details of 37 million users, first detected on January 5^th, 2023.
• In a statement from T-Mobile, they noted that customer data including customer names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, number of lines, and plan features were exposed. However, customer payment card information, social security numbers, tax IDs, driver’s license or other government ID numbers, passwords/PINs, and other financial account data are not believed to have been exposed at this time.
• T-Mobile said it identified that a bad actor had obtained data through an API without authorization on January 5^th. However, the bad actor first began retrieving data through the API on or around November 25^th, 2022.
• Link to T-Mobile’s Full Statement: https://www.t-mobile.com/news/business/customer-information

Hackers Now Use Microsoft OneNote Attachments to Spread Malware

Article Link: https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/

• As a result of Microsoft disabling macros by default on Word and Excel documents and both Microsoft and 7-Zip fixing a bug to display security warnings when opening files within downloaded ISO and ZIP files, malicious actors have turned to OneNote attachments to spread content.
• OneNote doesn’t have macro functionality, but it does allow for files to be attached within notebooks. As such, malicious actors are sending out OneNote notebooks with a blurred, legitimate-looking background and a “Double Click to View File” box in the foreground with imbedded files underneath.
• Although clicking will pop up a warning about opening attachments, it’s encouraged not to rely on this to stop clickers. Instead, researchers recommend blocking .one files at the email gateway/perimeter.

Miscreants Sure do Love Ransacking Cloud Networks, More so Than Before

Article Link: https://www.theregister.com/2023/01/20/cloud_networks_under_attack/

• As enterprises around the world continue to move to the cloud, cybercriminals are following right behind them. According to Check Point, there was a 48% year-over-year jump in 2022 in cyberattacks on cloud-based networks, and it comes at a time when 98% of global organizations use cloud services.
• Check Point attributes the increase in attacks to both an overall increase in cyberattacks globally (38% increase in 2022) and the fact that cloud networks hold more data and incorporate infrastructure and services from a large number of potential victims.
• The article highlights that while cloud resources are relatively new, many of the threats aren’t. Issues relating to social engineering and credential theft, unpatched software, loose permissions, and misconfigurations all occur against on-premises systems as well.
• Link to Check Point’s Full Report: https://blog.checkpoint.com/2023/01/17/check-point-research-flags-a-48-growth-in-cloud-based-networks-attacks-in-2022-compared-to-2021/

Cybersecurity and the Myth of Quiet Quitting

Article Link: https://www.darkreading.com/vulnerabilities-threats/cybersecurity-and-the-myth-of-quiet-quitting

• People are working harder than ever, as opposed to “quiet quitting” or doing the bare minimum to stay employed, and they are not happy about it. As such, a dissatisfied workforce increases the potential for insider threats, either through sabotage or exfiltrating corporate IP.
• The article notes that about 50% of employees exfiltrate IP that will be helpful for their next job. Despite this, some of the data that is taken with employees that are leaving includes information not related to their work, such as company lists and contract terms. Additionally, employees leaving on negative terms may work to gain revenge via corporate sabotage if they still have resource access on their way out the “door” of an organization.
• With remote work ever present, HR and IT need to take certain steps together, such as blocking shadow IT and addressing staffing changed promptly, to prevent data from being maliciously altered.

10 Data Security Enhancements to Consider as Your Employees Return to the Office

Article Link: https://www.helpnetsecurity.com/2023/01/16/data-security-enhancements/

• According to Adastra, 77% of IT decision makers in the U.S. and Canada believe their companies are likely to face a data breach within the next 3 years.
• The article specifically notes that many employees were hired virtually and, in combination with long absences from physical offices, will need a refresher of security protocols as they return to offices.
• Ten data security enhancements discussed in the article include re-educating employees on systems and protocols to prevent insider threats, knowing your inventory, deleting redundant data, reviewing early detection systems, having immutable data back-ups, limiting staff access based on least privilege, conducting security audits, establishing new passwords with MFA, updating devices, and enhancing physical security.

How CISOs can Manage the Cybersecurity of High-Level Executives

Article Link: https://www.csoonline.com/article/3685415/how-cisos-can-manage-the-security-of-high-level-executives.html

• High-level executives often have access to sensitive information, making them prime targets for bad actors looking to penetrate corporate defenses. As many security professionals know, cyber incidents often include a human element to them.
• In addition to attacking corporate systems, malicious actors are expanding out to attack personnel, especially executives, on their home networks. In other words, bad actors are hitting where corporate defenses can’t be.
• While CISOs can’t extend into personal environments, they need to be aware of where corporate and personal risk environments intersect. This includes starting by looking at your organization’s “About Us” page and recognizing how out in the open executives are online.
• Other ways of reinforcing cybersecurity with leadership include identifying what the “crown jewels” of the organization are, effectively discussing risk relating to the crown jewels with leadership, providing specific cybersecurity training to executives, and promoting the idea that a culture of security comes from deliberate support from executives.

Ransomware Profits Decline as Victims Dig In, Refuse to Pay

Article Link: https://www.darkreading.com/attacks-breaches/ransomware-profits-decline-victims-refuse-pay

• According to several reports, ransom payments as a result of ransomware incidents declined substantially in 2022 due to more victims refusing to pay their attackers.
• Specifically, cryptocurrency firm Chainanalysis reported a 40% decrease in the amount of money paid between 2021 ($765.6 million) and 2022 ($456.8 million). Similarly, data from incident response firm Coveware reported that just 41% of ransomware victims in 2022 paid a ransom, compared to 50% in 2021, 70% in 2020, and 76% in 2019.
• While there are a variety of reasons for this decrease in ransom payments, several key reasons have emerged. These include organizations being better prepared for incidents requiring fewer organizations to have to pay ransoms, paying ransoms is seen a legally riskier due to government sanctions on entities working with ransomware groups in any form, renewed efforts by many organizations to secure their networks, and greedy ransomware gangs leading organizations to incur recovery costs instead of paying malicious actors.
• Link to Chainalysis’ Full Report: https://blog.chainalysis.com/reports/crypto-ransomware-revenue-down-as-victims-refuse-to-pay/
• Link to Coveware’s Full Report: https://www.coveware.com/blog/2023/1/19/improved-security-and-backups-result-in-record-low-number-of-ransomware-payments