Project Hyphae

Information Security News 4-15-2024


Roku Disclosed a Security Incident Impacting 576,000 Accounts

Article Link:

  • Recently, Roku announced that 576,000 Roku accounts were compromised through credential stuffing attacks, in which attackers reused username/password pairs stolen in breaches of other companies.
  • Roku’s investigation determined that Roku itself was not breached. Likewise, while the threat actors gained account access and made unauthorized purchases in 400 instances, full payment information likely wasn’t exposed according to Roku.
  • As a result of the incident, Roku initiated password resets for the impacted accounts and refunded the unauthorized purchases. Additionally, multifactor authentication has been rolled out for all users.
  • Link to Roku’s Announcement:

FBI Warns of Massive Wave of Road Toll SMS Phishing Attacks

Article Link:

  • The FBI released a public service announcement in response to a sharp increase in SMS phishing lures requesting potential victims to click a link and pay unpaid road toll fees.
  • The FBI noted that the malicious users appear to be moving from state-to-state with updated lures depending on where the potential victims may be located. Likewise, the lures are often left intentionally vague to socially engineer potential victims into clicking on the message’s embedded link.
  • Link to the FBI’s Announcement:

EPA says Allegedly Breached Data was Already Publicly Available

Article Link:

  • Recently, reports came out that data with 8.5 million users’ information from the U.S. Environmental Protection Agency (EPA) surfaced on hacker forums. However, over the past week the EPA announced that a data breach did not occur and that the data that was allegedly stolen is actually publicly available information located on the EPA’s Facility Registry Service website.
  • In addition to other information, the public data contains a list of organizations and business representatives who directly interact with the EPA, which could still be of value to attackers.

IT Pros Targeted with Malicious Google Ads for PuTTY, FileZilla

Article Link:

New Covert SharePoint Data Exfiltration Techniques Revealed

Article Link:

  • Varonis released a report that outlines two new ways for attackers to covertly exfiltrate data.
  • The first method leverages the “Open in Desktop App” feature in SharePoint and then saves a local copy of the files, or accesses them via a specific link; this can be automated with a PowerShell script. The second method downloads files from SharePoint with the browser’s User-Agent changed to “Microsoft SkyDriveSync”, which causes the activity to be logged as file sync events instead of downloads and allows the download of both individual files and complete SharePoint sites.
  • Varonis disclosed the issues to Microsoft, who initially noted that a fix would be developed but that the issues are only considered moderately severe; however, Microsoft has since retracted that statement. As of April 10th, Microsoft has listed the issues as “by design” and will not be fixing them.
  • Link to Varonis’ Report:
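Because the second technique turns downloads into sync events, the defender-side control is to watch the sync events themselves. The following is an added detection example (not code from Varonis or Microsoft) that flags a user/IP pair generating an unusual burst of sync-download records; the field names follow the Microsoft 365 unified audit log schema, while the sample records, window and threshold are constructed assumptions.

```python
# Added example: detect bulk "sync" downloads that may actually be a
# spoofed "Microsoft SkyDriveSync" User-Agent pulling a whole site.
# Audit field names (Operation, UserId, ClientIP, UserAgent, ObjectId,
# CreationTime) follow the Microsoft 365 unified audit log; the records,
# the 10-minute window and the threshold of 50 are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

SYNC_OPS = {"FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
SYNC_UA = "Microsoft SkyDriveSync"

# Constructed sample: alice pulls 60 files in one minute with the sync UA,
# bob performs a single ordinary sync download.
SAMPLE_RECORDS = [
    {"CreationTime": f"2024-04-10T09:00:{i:02d}", "Operation": "FileSyncDownloadedFull",
     "UserId": "alice@example.test", "ClientIP": "203.0.113.7",
     "UserAgent": SYNC_UA, "ObjectId": f"https://tenant.example/sites/Finance/doc{i}.xlsx"}
    for i in range(60)
] + [
    {"CreationTime": "2024-04-10T09:30:00", "Operation": "FileSyncDownloadedFull",
     "UserId": "bob@example.test", "ClientIP": "198.51.100.4",
     "UserAgent": SYNC_UA, "ObjectId": "https://tenant.example/sites/HR/policy.docx"},
]


def find_sync_bursts(records, window=timedelta(minutes=10), threshold=50):
    """Return [(user, ip, total_sync_events)] for each user/IP pair that logged
    more than `threshold` sync-download events inside any sliding `window`."""
    per_key = defaultdict(list)
    for r in records:
        # Match on the UA prefix: the spoof and the real client both start with it.
        if r["Operation"] in SYNC_OPS and r.get("UserAgent", "").startswith(SYNC_UA):
            per_key[(r["UserId"], r["ClientIP"])].append(
                datetime.fromisoformat(r["CreationTime"]))
    alerts = []
    for (user, ip), times in per_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                alerts.append((user, ip, len(times)))
                break
    return alerts


if __name__ == "__main__":
    for user, ip, n in find_sync_bursts(SAMPLE_RECORDS):
        print(f"sync burst: {user} from {ip} ({n} sync events)")
```

Tune the threshold against each user's normal sync volume; a genuine OneDrive client on a fresh machine can also produce a burst, so the alert is a starting point for review rather than proof of exfiltration.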

Apple Alerts iPhone Users in 92 Countries to Mercenary Spyware Attacks

Article Link:

  • On Wednesday, April 10th, Apple sent out a threat notification to specific users in 92 countries informing them that attackers were attempting to remotely compromise their phones.
  • As the article notes, mercenary spyware attacks are comparable to state-sponsored attacks in complexity. The article also stated that, according to Amnesty International, many of the accounts that received the alert had evidence of advanced spyware on their associated devices.
  • Apple recommended that any users who received the notification seek professional cybersecurity help to address the spyware. Apple also reiterated key components of good cyber hygiene such as using device passcodes, keeping software up to date, and leveraging two-factor authentication.
  • Link to Apple’s Announcement:

96% of US Hospital Websites Share Visitor Info with Third Parties

Article Link:

  • According to research from the University of Pennsylvania, which sampled the websites of 100 hospitals across the U.S., 96% of those reviewed transmit user data to third parties.
  • The researchers leveraged the tool webXray, which detects third-party HTTP requests and tries to match them to the organizations receiving data from the website. The researchers also recorded the number of third-party cookies per page as part of their study.
  • Overall, the study identified that the most prevalent third parties receiving data included well-known organizations like Google and Meta alongside other large firms like Acxiom and The Trade Desk. However, two thirds of hospital websites also transferred data to third-party domains that could not be identified.
  • The report noted that of the 100 hospital websites reviewed, 71 had privacy policies, 69 of the policies addressed the type of data collected, and 56 identified the third parties receiving the data. The report also discussed possible legal risk should these policies be inaccurate or lack data deletion information.
  • Link to the Research Report:
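The core of the webXray approach described above is deciding which of a page's requests leave the hospital's own domain and which organization each destination belongs to. The following is an added example (not webXray's own code) of that classification over a constructed request list; the organization table and the public-suffix list are deliberately tiny constructed samples.

```python
# Added example: webXray-style first-party / third-party request attribution.
# The request list, the organization table and the suffix list below are
# constructed for illustration; a real tool would use the full Public Suffix
# List and a large, maintained domain-to-owner database.
from urllib.parse import urlsplit

MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}   # tiny constructed stand-in for the PSL

KNOWN_ORGS = {   # registrable domain -> owning organization (constructed sample)
    "google-analytics.com": "Google",
    "doubleclick.net": "Google",
    "facebook.net": "Meta",
    "facebook.com": "Meta",
    "acxiom.com": "Acxiom",
}


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def classify_requests(page_url, request_urls):
    """Count first-party requests, attribute third-party requests to an
    organization where known, and list domains that could not be identified."""
    site = registrable_domain(urlsplit(page_url).hostname)
    result = {"first_party": 0, "third_party": {}, "unidentified": set()}
    for url in request_urls:
        host = urlsplit(url).hostname
        if not host:
            continue                      # data: / blob: URLs carry no host
        dom = registrable_domain(host)
        if dom == site:
            result["first_party"] += 1
            continue
        org = KNOWN_ORGS.get(dom)
        if org is None:                   # unmatched domain: report it by name
            result["unidentified"].add(dom)
            org = dom
        result["third_party"][org] = result["third_party"].get(org, 0) + 1
    result["unidentified"] = sorted(result["unidentified"])
    return result


SAMPLE_PAGE = "https://www.example-hospital.org/find-a-doctor"
SAMPLE_REQUESTS = [   # constructed requests a hospital page might issue
    "https://www.example-hospital.org/static/app.js",
    "https://cdn.example-hospital.org/logo.png",
    "https://www.google-analytics.com/collect?v=1",
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://stats.g.doubleclick.net/r/collect",
    "https://tags.unknown-tracker.example/pixel.gif",
]
```

Running `classify_requests(SAMPLE_PAGE, SAMPLE_REQUESTS)` attributes the Google and Meta requests by owner and reports the tracker domain it cannot place, which is the "unidentifiable third-party domain" category the study highlights.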

New Draft Bipartisan US Federal Privacy Bill Unveiled

Article Link:

  • The U.S. House Committee on Energy and Commerce published a bipartisan and bicameral discussion draft version of the latest attempt by federal lawmakers to establish federal data privacy legislation, dubbed the American Privacy Rights Act (APRA).
  • Among other components, the proposed bill looks to increase data privacy and security transparency for the public, establish consumer privacy rights, establish data security and protection requirements for covered data, and regulate data brokers.
  • If passed, the bill would preempt almost all state-specific data privacy laws with several exceptions like California’s CPRA and Illinois’ Biometric Information Privacy Act. Additionally, the bill would not supersede a variety of already-established privacy-related legislation at the federal and state levels, such as HIPAA, COPPA, and other industry-specific laws.
  • Link to the Announcement and Full Text:

Sophos Study: 94% of Ransomware Victims Have Their Backups Targeted by Attackers

Article Link:

  • According to a report from Sophos, who conducted a vendor-agnostic survey of 2,974 IT/cybersecurity professionals whose organizations had been hit by ransomware in 2023, 94% of attacked organizations had the threat actors attempt to compromise their backups during the attack. Sophos noted that this occurred 99% of the time for the state and local government sector as well as the media, leisure, and entertainment sector.
  • The survey also highlighted that the success rate of compromising backups varies by industry. Specifically, attackers had a 79% success rate when attacking organizations in the energy, oil & gas, and utilities sectors and a 71% success rate in the education sector. Comparatively, on the lowest end, attackers had a 30% success rate when attacking the IT, technology, and telecom sectors and a 47% success rate when attacking the retail sector.
  • Sophos also looked at incident costs depending on an organization’s backup availability. Specifically, threat actors demanded a median ransom of $2.3 million from organizations whose backups had been compromised compared to $1 million from organizations that still had their backups. Likewise, the median ransomware recovery cost for organizations with compromised backups was $3 million compared to $375,000 for organizations with available backups.
  • Sophos reiterated three industry best practices for ensuring backup reliability: take regular backups and store them in multiple locations, secure the backups once they are taken, and practice recovering from backups to build familiarity with the restoration process.
  • Link to Sophos’ Report:
  • Link to FRSecure’s IR Plan Template:
