Verizon Insider Data Breach Hits Over 63,000 Employees
Article Link: https://www.bleepingcomputer.com/news/security/verizon-insider-data-breach-hits-over-63-000-employees/
- Recently, Verizon announced that they suffered an insider data exposure incident that exposed the personal data of over 63,000 employees. While the data exposed varies, the type of information exposed could include full name, physical address, Social Security number, national ID, gender, union affiliation, date of birth, and compensation information.
- The incident stemmed from an employee being given unauthorized access to a file with sensitive employee information in September 2023.
- Verizon stated that it does not believe the data was improperly used or shared outside of Verizon and that the incident was not driven by malicious intent. The notification to impacted employees and regulators was made out of caution.
- Link to Incident Notification to the State of Maine: https://apps.web.maine.gov/online/aeviewer/ME/40/65b9290a-b22e-4ae7-93e7-5acb84357297.shtml
Ransomware Groups Claim Hits on Hyundai Motor Europe and a California Union
Article Link: https://www.darkreading.com/cyberattacks-data-breaches/ransomware-groups-black-basta-lockbit-hit-hyundai-california-seiu-union
- The article looks at two potential ransomware attacks that occurred recently.
- The first incident involves a cyberattack on Hyundai Motor Europe, in which the Black Basta ransomware gang allegedly ransomed Hyundai and stole 3 TB of data. Hyundai has yet to confirm the claims but did report that they were investigating unauthorized system access by a third party.
- The second cyberattack hit the California Service Employees International Union (SEIU) Local 1000. The LockBit ransomware gang stated that they encrypted files and stole 308 GB of data, including the Social Security numbers, salary information, and financial documents of employees. The Union’s announcement didn’t confirm LockBit’s claims but did suggest that files were encrypted.
Fake LastPass Lookalike Made It Into Apple App Store
Article Link: https://www.theregister.com/2024/02/08/lastpass_lookalike_apple_app_store/
- LastPass recently sounded the alarm on a new application on the iOS App Store named LassPass, which contained similar iconography and functionality to LastPass.
- Despite the fake app passing Apple’s typically stringent app review process and violating its impersonation guidelines, LassPass remained on the App Store even after LastPass notified Apple.
- While LassPass has now been removed from the App Store, this incident highlights the importance of reviewing app information prior to downloading an app. Specifically, an app’s developer, reviews, and requested permissions can all offer additional insight into its legitimacy.
QR Code ‘Quishing’ Attacks on Execs Surge, Evading Email Security
Article Link: https://www.darkreading.com/endpoint-security/qr-code-quishing-attacks-execs-email-security
- According to a report from the security provider Abnormal Security, executives and other privileged users have been targeted by QR code phishing attacks more than regular users.
- Specifically, Abnormal Security noted that the C-suite saw QR code phishing 42 times more often than the average employee in Q4 2023. As the researchers noted, this suggests that bad actors are actively targeting users most likely to have credentials with elevated privileges.
- Despite the increased target on executives’ backs, researchers at the human-risk management firm Hoxhunt suggest that email filters are catching up and slowing down more QR code phishing attempts.
- Link to Abnormal Security’s Report: https://abnormalsecurity.com/blog/data-shows-c-suite-receives-42x-more-qr-code-attacks
- Link to Hoxhunt’s Report: https://www.hoxhunt.com/blog/insights-hoxhunt-cybersecurity-human-risk-benchmark-challenge
Americans Lost Record $10 Billion to Fraud in 2023, FTC Warns
Article Link: https://www.bleepingcomputer.com/news/security/americans-lost-record-10-billion-to-fraud-in-2023-ftc-warns/
- The U.S. Federal Trade Commission (FTC) recently announced their fraud tracking statistics from 2023. The significant data point was that Americans reported losing over $10 billion to scammers in 2023, a 14% increase from 2022.
- The FTC noted that there were 2.6 million fraud reports made, $4.6 billion in fraud was due to investment scams, and $2.7 billion was lost from imposter scams.
- As the article highlights, many victims don’t report when they experience fraud, so the FTC’s figures capture only a portion of the fraud that actually occurs. As such, victims are encouraged to report to the FTC when they experience fraud, which allows the FTC and its law enforcement partners to track down fraudsters, discover trends in scams, and educate the public on scam campaigns.
- Link to the FTC’s Report: https://www.ftc.gov/business-guidance/blog/2024/02/facts-about-fraud-ftc-what-it-means-your-business
- Link to FTC’s Fraud Reporting Portal: https://reportfraud.ftc.gov/#/
- Link to FTC’s Identity Theft Reporting Portal: https://www.identitytheft.gov/#/
- FRSecure-ISACA-Security Studio Home Network Security Fundamentals: https://isaca-sd.org/events/2024-02-12
Raspberry Pi Pico Cracks BitLocker in Under a Minute
Article Link: https://www.theregister.com/2024/02/07/breaking_bitlocker_pi_pico/
- According to the security researcher StackSmashing, BitLocker can be circumvented on some laptops in under 50 seconds with a Raspberry Pi Pico and custom code, totaling $10 worth of equipment.
- The researcher’s code specifically works on certain Lenovo computers, but other hardware is vulnerable as well. In essence, the workaround relies on the device’s CPU and Trusted Platform Module (TPM) being separate components, allowing the cleartext decryption key to be sniffed as it passes between them. As the article noted, many devices have the CPU and TPM components combined, limiting this threat.
- Microsoft has accepted for years that under the right conditions (i.e., physical access and plenty of time), BitLocker can be bested. However, with the researcher gaining access in under a minute, what Microsoft means by “plenty of time” is up for debate.
- The researcher also provided instructions on how to apply Group Policy settings to limit the issue by requiring a pre-boot PIN in addition to the TPM-only protection that BitLocker uses by default.
- Link to the PIN Set-Up Instructions: https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/
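The PIN mitigation described above, as an added PowerShell example that is not code from the article, the researcher, or Microsoft. It audits the OS volume’s BitLocker key protectors (a TPM-only protector is the configuration the sniffing attack targets; a TPM+PIN protector is the recommended hardening) and optionally swaps the TPM-only protector for a TPM+PIN one. It assumes the BitLocker PowerShell module that ships with Windows, an elevated session, and the registry value names under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` (`UseAdvancedStartup`, `UseTPMPIN`) that back the “Require additional authentication at startup” policy; verify those names against your own GPO export before relying on them.

```powershell
# Added example, not from the article or the researcher. Audits BitLocker
# startup authentication on the OS volume and optionally hardens it to
# TPM + pre-boot PIN. Requires an elevated session and the BitLocker module.

function Get-BitLockerPinStatus {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Assumed policy value names for "Require additional authentication at
    # startup". UseTPMPIN: 1 = require PIN, 2 = allow PIN, 0 = do not allow.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MountPoint         = $MountPoint
        ProtectionStatus   = $vol.ProtectionStatus
        Protectors         = ($types -join ', ')
        # TPM-only: the key is released to the CPU at boot with no user secret,
        # which is the condition the bus-sniffing attack relies on.
        TpmOnly            = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
        HasTpmPin          = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        PolicyAdvStartup   = $pol.UseAdvancedStartup
        PolicyUseTPMPIN    = $pol.UseTPMPIN
    }
}

function Set-BitLockerTpmPin {
    param(
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )

    $status = Get-BitLockerPinStatus -MountPoint $MountPoint
    $vol    = Get-BitLockerVolume -MountPoint $MountPoint

    # Without the policy enabled, BitLocker refuses to create a startup PIN.
    if ($status.PolicyAdvStartup -ne 1 -or $status.PolicyUseTPMPIN -notin 1, 2) {
        throw "Enable 'Require additional authentication at startup' (allow or require a TPM PIN) before adding a PIN protector."
    }

    # Keep a recovery password on the volume so a forgotten PIN is recoverable;
    # back it up (e.g. to AD/Entra) before changing startup authentication.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw "Add and back up a RecoveryPassword protector before changing startup authentication."
    }

    # Only one TPM-based protector may exist, so drop the TPM-only protector
    # first; the recovery password protector keeps the volume protected meanwhile.
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    Get-BitLockerPinStatus -MountPoint $MountPoint
}

# Usage (elevated):
#   Get-BitLockerPinStatus
#   Set-BitLockerTpmPin -Pin (Read-Host -AsSecureString 'New pre-boot PIN')
```

Run `Get-BitLockerPinStatus` across a fleet first: any volume reporting `TpmOnly = True` on a machine with a discrete TPM is the configuration the article describes, and `HasTpmPin = True` afterwards confirms the sealed key is no longer released without a user-supplied secret.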
Cybersecurity Teams Recognized as Key Enablers of Business Goals
Article Link: https://www.helpnetsecurity.com/2024/02/09/cybersecurity-teams-trust-levels/
- According to a study from the cybersecurity company CybSafe, which surveyed 1,000 office workers, 97% of office workers in the U.K. and U.S. trust their cybersecurity team’s ability to prevent or minimize damage from cyberattacks. Despite this, only 12.8% of those surveyed said they were very familiar with their company’s team.
- Additionally, 86% of respondents see their security team as necessary and 74% believe their security teams enable business goals. Inversely, 38% felt their job was occasionally obstructed by security measures and 25% found their security team to be intrusive.
- Last, 82.1% say that all employees share cybersecurity responsibilities and 40.8% of employees want cybersecurity advice to incorporate real-life examples.
- Link to CybSafe’s Report: https://www.cybsafe.com/press/what-your-workforce-wishes-the-cyber-team-knew/
CISA Takes on US State Election Security Issues, Deploys Inspectors
- In preparation for the upcoming 2024 election cycle, CISA has deployed additional election inspectors and security advisors to further secure the U.S.’s election process.
- Additionally, CISA launched their #Protect2024 resource hub that offers up security resources and tips for organizations in preparation for the 2024 election cycle.
- Link to Protect2024 Website: https://www.cisa.gov/topics/election-security/protect2024
FCC Gives Telecom Companies 7 Days to Alert Authorities of Discovered Data Breaches
- Starting on Monday, February 12th, the Federal Communications Commission (FCC) will adopt a rule which requires telecommunications and voice over IP providers to notify authorities of a data breach within seven business days of discovery. The rule will subsequently take effect 30 days later in March.
- The updated requirement has been in development over the past year and is an attempt to modernize the breach notification requirements. Additionally, the new rules extend compromised data to include personally identifiable information (PII), rather than just subscription data collected by telecom providers and dubbed Customer Proprietary Network Information (CPNI).
- Providers will no longer be required to notify customers of a breach if they can reasonably determine that the incident is unlikely to harm customers. Where customer data is impacted, notification to customers is required no later than 30 days after the provider reasonably determines that a breach has occurred.
- Link to FCC’s Report and Order Information (PDF): https://docs.fcc.gov/public/attachments/FCC-23-111A1.pdf
- Link to Pillsbury Law (Additional Information): https://www.pillsburylaw.com/en/news-and-insights/fcc-data-breach-notification-rules.html
