Flair Data Systems Cybersecurity News Update 6-26-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/26/2024... 


Good afternoon! 


The more that is released regarding the Snowflake situation, and now the news that Medibank is being taken to court, the clearer it becomes that both trace back to MFA not being properly enabled.  This is one of those drums I will continue to beat: MFA needs to be enabled by default, not left to the customer to 'enable' if they choose. Considering that there will be times when services are purchased through other business units, not the IT/Security teams, enabling it by default would be best practice. 


I’m not sure if I mentioned this previously, but there was an organization that had its Facebook page taken over due to lack of MFA.  After the takeover, IT was informed of the incident and asked to "fix it", but they had not been brought in beforehand to discuss security control best practices.  If you have ever had to deal with these types of account takeovers, you know it can be a nightmare.   

Now think about Snowflake and the impact this incident is having on organizations. Ask someone over at Neiman's how over 64k people were affected and had their data exposed.  Sp1d3r (hacker group) is demanding a ransom of $150,000 for the data, which is currently up for sale on the dark web. Shocking...but common. 


So, with that, let’s dive into this week’s cybersecurity news update... 



Markopolo scam delivers infostealer through fake meeting software 


This campaign is spreading three infostealers: Rhadamanthys, Stealc, and Atomic macOS Stealer (AMOS). 

  • Markopolo, the Threat Actor, uses shared hosting and C2 infrastructure to stay agile and quickly pivot when new scams are detected 
  • Based on the findings, these attacks are used to harvest credentials, positioning Markopolo as an initial access broker 
  • The best ways to prevent this are: educate users on spotting malicious emails and software downloads, prevent the download of unlicensed software, and encourage users to report suspicious activity 

Link (1): https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers 

 


Medibank hack blamed on MFA failure 

In 2022, Medibank, a health insurance provider, was compromised. 


  • Based on court documents, Australia's data protection regulator is claiming that the most likely cause was a lack of multi-factor authentication 
  • If these findings are true, it appears that failing to meet these basic security controls will give grounds for suits to be filed and will be taken as evidence of negligence in basic cybersecurity measures 

Link (1): https://therecord.media/medibank-hack-australian-government-report-mfa 



US blocks Kaspersky and sanctions executives 

Last Thursday, the US moved to ban the use of Kaspersky Lab's software within the US. 


  • This stems from long-standing national security and data privacy concerns and a push to better protect critical infrastructure 
  • The prohibition is set to begin on September 29th, which will effectively ban Kaspersky from providing cybersecurity services anywhere in the US 
  • Existing customers will also not be able to update Kaspersky software after that date 
  • After July 20, the company will no longer be able to sign up new clients within the US 
  • Kaspersky has stated they plan to fight these bans, but if you or anyone you know is using Kaspersky, it would not hurt to start looking for alternatives 

Link (1): https://therecord.media/us-ban-kaspersky-lab-software 

 


CDK Global gets hacked twice - BlackSuit, SEC reports pile up following the attack 

More than 15k car dealers across North America use CDK Global for almost all aspects of their operations - facilitating car sales, repairs, registrations, etc. 


  • Car repair shops use it for placing orders on parts, or in some cases use other services (Auto Trader, as an example) that communicate with CDK Global to order parts 

Link (1): https://therecord.media/cyberattack-cdk-global-auto-dealershiups  

Link (2): https://therecord.media/car-dealerships-reports-sec-cdk-software-ransomware  


Link (3): https://www.bleepingcomputer.com/news/security/cdk-global-outage-caused-by-blacksuit-ransomware-attack  


 

CDK Global was hit last week, and shortly after attempting to bring systems back online, it was hit again. 


Multiple organizations have had to start reporting to the SEC that they are facing disruptions because of the CDK Global shutdown in response to the cyber attack. 

  • Not knowing the specifics, but reading between the lines - this is a great example of why you need to understand how, when, and where the attackers established themselves before you attempt to bring systems back online 
  • Do not get me wrong, an organization needs to turn systems back on to continue to do business, but IF one does not know: 
      • when they got in (how can you know which backup is safe to restore from?); 
      • how they got in (how can you make sure the way in was closed?); or 
      • where they have placed their footholds (how do you know you have removed them?) 
    then bringing systems back online risks a repeat compromise 
  • Lastly, when I was looking yesterday (the 25th), I did not see an 8-K filing from CDK Global themselves, yet other firms are already filing theirs (CDK's previous filing was back in 2022) 

Link: See links above 


(Notes of clarification 7/3/24: I made a comment about how they had not published their 8-K yet, but that is because in late 2022 Brookfield Business Partners took them private, which explains why they are no longer held to the 8-K requirement.) 

 


UK’s largest nuclear site pleads guilty over cybersecurity failures 


Sellafield, which manages the world's largest stockpile of plutonium, has pleaded guilty to criminal charges related to cybersecurity failings. 

  • The charges span 4 years (2019 - 2023), during which strict cybersecurity regulations were not sufficiently adhered to 
  • These include a failure by the site to ensure sensitive information on its IT network was adequately protected 
  • Based on the reports, these deficiencies did not lead to a breach of data 

Link (1): https://www.infosecurity-magazine.com/news/sellafield-pleads-guilty/  

 


Federal Reserve supposedly compromised by LockBit 

Over the past few days, LockBit announced that the Federal Reserve had until the 25th to negotiate, or data that LockBit claimed to have gotten ahold of would start to be released. 


  • LockBit claims to have obtained over 33TB of data; the Federal Reserve Board has yet to confirm the breach 
  • The data that was leaked was spread across 21 links (parent directories and torrent files) 

Link (1): https://www.scmagazine.com/brief/allegedly-stolen-federal-reserve-data-exposed-by-lockbit  


Link (2): https://www.scmagazine.com/news/lockbit-claims-ransom-negotiations-with-the-fed-over-33tb-of-stolen-data  


(Notes of clarification 7/3/24: It seems that it was a 3rd party that was compromised, not the Federal Reserve, and the Threat Actor was making misdirected claims.  Who knew, the bad guys lied... But the story of Evolve Bank, which appears to be the one that was affected, has become an interesting one.) 

 


Fresh MOVEit bug under attack just hours after disclosure 

CVE-2024-5806 (CVSS 7.4) is an improper authentication vulnerability in MOVEit's SFTP module, which could lead to authentication bypass in limited scenarios. 


  • Interesting that they state "limited scenarios" when it was already being seen actively exploited in the wild just hours after it was made public 
  • The two known attack paths are: 
      • An attacker could perform a forced authentication, using a malicious SMB server and a valid username (enabled by a dictionary-attack approach) 
      • An attacker could impersonate any user on the system by uploading an SSH public key to the server without even logging in, giving them the rights of the user they are impersonating (reading, modifying, or deleting data) 

Link (1): https://www.darkreading.com/remote-workforce/fresh-moveit-bug-under-attack-disclosure 


 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 




About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business.  With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, before eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.  We provide trusted cybersecurity solutions in Fort Worth, TX and the DFW Metroplex. 


