Project Hyphae

Information Security News 4-22-2024

Cisco Duo Warns Third-Party Data Breach Exposed SMS MFA Logs

Article Link: https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-data-breach-exposed-sms-mfa-logs/

  • Cisco Duo recently notified customers that a third-party telephony provider it uses to deliver SMS and VoIP MFA messages was compromised. The stolen data consists of message logs covering MFA messages sent between March 1 and March 31, 2024.
  • Cisco stated that the provider's employee credentials were obtained through a phishing attack, which the attacker then used to access the provider's internal systems and download SMS and VoIP MFA message logs tied to specific Duo accounts. Message contents were not exposed; however, the phone numbers, carriers, location data, dates, times, and message types associated with those messages were taken.
  • The incident reportedly affected about 1% of Duo's customers, or roughly 1,000 organizations. The provider has given Duo the exposed logs, and affected customers can request their own logs by emailing msp@duo.com. Because the exposed phone numbers can be used for targeted SMS phishing (smishing) and social engineering against MFA users, Cisco is warning affected customers to be on alert for phishing and to educate their users accordingly.

Notorious Russian Hacking Unit Linked to Breach of Texas Water Facility

Article Link: https://cyberscoop.com/sandworm-apt44-texas-water-facility/

  • The article covers a Mandiant report that formally designates Sandworm as APT44 and attributes the group to Russia's military intelligence service, the GRU (not the foreign intelligence service). Sandworm has a long history of targeting critical infrastructure.
  • Mandiant assessed that the hacktivist persona CyberArmyofRussia_Reborn, which it links to APT44, has claimed attacks on water utilities in several Western countries, including an attack in early 2024 on the water facilities of the small town of Muleshoe, TX, which caused a water tank to overflow.
  • Mandiant also highlighted that APT44 is responsible for nearly every disruptive and destructive cyber operation against Ukraine over the past decade.
  • Link to Mandiant’s Report: https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm

ICS Network Controllers Open to Remote Exploit, No Patches Available

Article Link: https://www.darkreading.com/ics-ot-security/ics-network-controllers-open-to-remote-exploit-no-patches-available

  • On April 18th, CISA released advisories for several vulnerabilities, rated high or critical depending on the CVSS version used, affecting Unitronics and Mitsubishi Electric programmable logic controllers (PLCs).
  • The Unitronics vulnerability has yet to be addressed by the vendor. For the Mitsubishi vulnerabilities, fixed versions exist, but users cannot apply the fix themselves in the field and are directed to contact Mitsubishi Electric.
  • CISA recommends securing impacted PLCs by isolating them from business networks, placing them behind firewalls, using VPNs or other secure remote access methods, and not connecting them to the Internet if possible.
  • Link to CISA’s Advisories: https://www.cisa.gov/news-events/alerts/2024/04/18/cisa-releases-three-industrial-control-systems-advisories
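To make CISA's isolation guidance checkable rather than aspirational, here is an added example in Python (not from the article or from CISA): it evaluates a constructed first-match firewall ACL against a constructed PLC inventory and flags any path that lets the Internet or the business LAN reach a PLC's service port, so a weak "vendor support" rule shows up as a finding while a hardened VPN-only ruleset passes. The service ports (Unitronics PCOM on TCP 20256, Mitsubishi MELSOFT on TCP 5007), the zone addresses, the device names and both rulesets are assumptions for illustration; confirm ports against your own device documentation and feed in your real rules and inventory.

```python
"""Audit PLC network exposure against the CISA mitigations: isolate from the
business network, put the devices behind a firewall, allow only a sanctioned
remote-access path, and never expose them to the Internet.

Added example, not CISA's or the vendors' code. The ACL evaluator is a
deliberately small first-match model; export your real rules into Rule objects.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed service ports from public documentation (verify for your models):
# Unitronics PCOM over TCP 20256, Mitsubishi MELSOFT over TCP 5007.
PLC_PORTS = {"unitronics": (20256,), "mitsubishi": (5007,)}

# Representative source address for each zone a PLC might be reached from.
# Constructed for this example; "internet" uses a TEST-NET-2 address.
ZONE_PROBES = {
    "internet": "198.51.100.7",
    "business_lan": "10.10.5.23",
    "engineering_vpn": "10.200.0.5",
}
ALLOWED_ZONES = {"engineering_vpn"}  # the only sanctioned remote-access path


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: str                             # source CIDR
    dst: str                             # destination CIDR
    ports: Optional[frozenset] = None    # None matches any TCP port


def evaluate(rules, src_ip, dst_ip, port):
    """First-match ACL evaluation with an implicit final deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.ports is None or port in r.ports)):
            return r.action
    return "deny"


def audit_exposure(plcs, rules):
    """Return (plc_name, zone, port) for every path that should be closed."""
    findings = []
    for name, vendor, ip in plcs:
        for port in PLC_PORTS[vendor]:
            for zone, probe in ZONE_PROBES.items():
                if zone in ALLOWED_ZONES:
                    continue
                if evaluate(rules, probe, ip, port) == "allow":
                    findings.append((name, zone, port))
    return findings


# Constructed inventory (hypothetical names and addresses).
PLCS = [
    ("pump-house-plc", "unitronics", "192.168.50.10"),
    ("filtration-plc", "mitsubishi", "192.168.50.11"),
]

# Weak ruleset: a "temporary" vendor-support rule left the OT subnet open to anyone.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", "192.168.50.0/24"),
]

# Hardened ruleset: only the VPN address pool may reach the PLC service ports;
# everything else hits the explicit deny (and the implicit one behind it).
HARDENED_RULES = [
    Rule("allow", "10.200.0.0/24", "192.168.50.0/24", frozenset({20256, 5007})),
    Rule("deny", "0.0.0.0/0", "192.168.50.0/24"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit_exposure(PLCS, rules))
```

Running the script prints four findings for the weak ruleset (each PLC reachable from both the Internet and the business LAN on its service port) and none for the hardened one. The evaluator is first-match with default deny on purpose: if your firewall uses a different matching order or has an implicit allow, adjust `evaluate` before trusting the result.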

T-Mobile, Verizon Workers get Texts Offering $300 for SIM Swaps

Article Link: https://www.bleepingcomputer.com/news/security/t-mobile-verizon-workers-get-texts-offering-300-for-sim-swaps/

  • According to multiple reports from current and former T-Mobile and Verizon employees, unknown actors have been texting their personal and work phones offering $300 per SIM swap. Several employees at Charter Communications have received similar texts asking them to send out email reset requests for subscriber accounts.
  • Spokespeople for the affected carriers either declined to comment or stated that the messages are not tied to any new data breach. Recipients, however, suspect the would-be attackers are working from contact information leaked in past incidents.
  • These events come on the heels of new FCC rules, adopted in November 2023, intended to curb SIM swapping and port-out fraud.

US Supreme Court Ruling Suggests Change in Cybersecurity Disclosure Process

Article Link: https://www.csoonline.com/article/2091556/us-supreme-court-ruling-suggests-change-in-cybersecurity-disclosure-process.html

  • A recent U.S. Supreme Court decision clarified when public companies do and do not face liability for omitting information from investor filings. Although the case itself does not concern the SEC's rules on reporting material cybersecurity incidents, the reasoning applies to those rules.
  • The Court held that a "pure omission" (simply failing to disclose something) is not by itself actionable securities fraud; a company is not obligated to speculate about hypothetical events that have not occurred and are not material. However, if the omitted information makes what the company did say in its filings misleading (a "half-truth"), the company can be held liable.
  • As a result, organizations filing with the SEC must weigh their language carefully so that statements about their security posture do not become misleading if a previously undisclosed incident or weakness later comes to light. In other words, if SEC filings are found to be misleading, the filing organization could face litigation.

51% of Enterprises Experienced a Breach Despite Large Security Stacks

Article Link: https://www.helpnetsecurity.com/2024/04/19/enterprises-pentesting-frequency/

  • According to Pentera, which surveyed 450 cybersecurity professionals at organizations with more than 1,000 employees, 60% of enterprises report at least 500 security events per week that require remediation. Further, 36% report a lack of internal resources for effective remediation, which limits hardening exercises such as penetration testing.
  • Pentera also found that organizations run an average of 53 different security solutions. Despite all of these tools, 51% of surveyed organizations reported a breach within the past 24 months.
  • Pentera noted that the organizations surveyed still try to prioritize penetration testing, with testing accounting for an average of 13%, or $164,400, of their total IT/security budgets.
  • Link to Pentera’s Report: https://pentera.io/press-release/the-state-of-pentesting-2024-survey-report/

Ransomware Payments Drop to Record Low of 28% in Q1 2024

Article Link: https://www.bleepingcomputer.com/news/security/ransomware-payments-drop-to-record-low-of-28-percent-in-q1-2024/

  • According to the security firm Coveware, the share of ransomware victims that paid a ransom dropped to a record low of 28% in Q1 2024, based on the incidents Coveware handled or was made aware of.
  • Coveware also reported that the average ransom payment was $381,980 (down 32% from Q4 2023), while the median payment was $250,000 (up 25% from Q4 2023). Coveware suggested that these figures reflect a tactical shift by ransomware gangs toward lower, more moderate demands that keep victims at the negotiating table, rather than high demands that scare victims off from paying at all.
  • Other statistics: Healthcare and Professional Services were the most impacted sectors in Q1 2024 at 18.7% and 17.8% of incidents respectively. Likewise, 43% of incidents hit organizations with 101 to 1,000 employees and 28% hit organizations with 11 to 100 employees, suggesting that small and medium businesses (SMBs) remain a prime target for ransomware gangs.
  • Link to Coveware's Report: https://www.coveware.com/blog/2024/4/17/raas-devs-hurt-their-credibility-by-cheating-affiliates-in-q1-2024

NSA Publishes Guidance for Strengthening AI System Security

Article Link: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3741371/nsa-publishes-guidance-for-strengthening-ai-system-security/

  • Recently, the National Security Agency (NSA) released a guide on best practices for organizations to securely deploy AI systems.
  • At a high level, the guidance has recommendations for securing the deployment environment, continuously securing the AI systems, and then conducting regular (i.e., annual) AI audits, reviews, and maintenance.
  • The NSA noted that the guidance is the first release in a series of reports and recommendations set to be published by the NSA’s Artificial Intelligence Security Center (AISC) team.
  • Link to Additional Security Resources from the NSA for DIB Organizations: https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/DIB-Cybersecurity-Services/

