Week in Review: Microsoft email, ChatGPT leaks passwords – CISO Series
Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Mary Rose Martinez, VP, CISO, Marathon Petroleum
Here are the stories we plan to cover TODAY, time permitting. Please join us live at 12:30pm PT/3:30pm ET by registering for the open discussion on YouTube Live.
Following up on a story we covered last week regarding the Russian hackers Midnight Blizzard breaking into the emails of senior Microsoft executives to read what the company knew about them, Microsoft now says the hackers managed to pivot from non-production test accounts into accounts used by senior leaders of the company by creating malicious OAuth applications. Specifically, “the threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.” This is exactly the technique Microsoft had warned the public about on December 15th. The company now says it has instituted further defensive measures to stop this type of attack from happening again.
(The Record)
In a story relayed to Ars Technica, a person by the name of Chase Whiteside described his discovery while using ChatGPT to devise clever names for colors in a palette. Upon returning to his research the following morning, conversations appeared in his history that had not been there before. These chats were private conversations that “contained multiple pairs of usernames and passwords that appeared to be connected to a support system used by employees of a pharmacy prescription drug portal.” The conversations appeared to belong to people trying to troubleshoot the portal due to its poor design. An OpenAI representative said the company was investigating the report.
(Ars Technica)
Researchers at Trusteer, a security division of IBM, have been observing a new remote access trojan attacking banks in Brazil. It is unique in its ability to conceal itself by abusing a device’s accessibility service, and then, to neutralize two-factor authentication “the malware can also access, edit and delete the victim’s SMS messages, including any messages the bank sends.” The malware also has an improved infection flow, using two malicious apps: a downloader and a droppee, rather than the more common single Android Package (APK) file. A link to a report describing the technical details of the PixPirate RAT is available in the show notes to this episode.
(Security Intelligence)
SolarWinds is dismissing the SEC’s fraud charges against the company, calling them “as unfounded as they are unprecedented.” We, of course, all remember that 18,000 organizations were impacted by the supply chain attack, ranging from major entities like Microsoft and Intel to government agencies such as the Pentagon and Treasury. In the aftermath, the SEC filed a lawsuit against SolarWinds, alleging the company and its CISO misled investors about their security practices. SolarWinds has filed a motion to dismiss the lawsuit, with a representative for the company telling The Register that SolarWinds took the proper steps when disclosing the incident. The company claims the SEC’s lawsuit is an attempt to “force companies to disclose internal details about their cybersecurity programs.” As of this recording, the SEC has not responded to The Register’s request for comment.
(The Register)
Researchers at RedHunt Labs discovered, during a routine internet scan, an authentication token belonging to a Mercedes employee that had been left exposed in a public GitHub repository. Speaking to TechCrunch, Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, stated, “the GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server…the repositories include a large amount of intellectual property… connection strings, cloud access keys, blueprints, design documents, single sign-on passwords, API Keys, and other critical internal information.” It’s not known whether any customer data was contained within the repositories. TechCrunch alerted Mercedes on Monday, and on Wednesday a Mercedes spokesperson confirmed that the company “revoked the respective API token and removed the public repository immediately.”
(TechCrunch)
Last week researchers at the University of Chicago released a tool called Nightshade. Similar to other AI poisoning tools like Glaze, Nightshade serves to “distort feature representations inside generative AI image models.” The idea is that anyone not wanting their data scraped for training could use it while still keeping their content indexed on the open web. The team reports that since release, Nightshade has seen over 250,000 downloads, indicating a high level of interest.
(Spiceworks, Nightshade Project Site)
The ransomware negotiation firm Coveware reports that in Q4 2023, a record low 29% of firms made payments to ransomware operators, down from 37% a year ago. The firm notes the rate of ransomware payments has decreased steadily over the last five years, from 85% of firms paying in Q1 2019. This drop occurred even in cases when threat actors exfiltrated data. Coveware said the continued decline comes from mounting legal pressure against paying ransoms, a lack of trust in cybercriminals, and overall better preparedness for ransomware attacks.
(Bleeping Computer)
The Chinese state-affiliated hacking group Volt Typhoon created the KV botnet by infecting small office/home office routers and IoT devices from Netgear, Cisco, DrayTek and Lumen Technologies. The group used the botnet to hide reconnaissance and exploitation efforts. The FBI reports it began an operation in early December to dismantle the botnet, obtaining a court order to take down its C2 server. This saw the FBI compromise the server and use it to cut off access to infected devices by uninstalling the botnet’s VPN component on the routers. The FBI and CISA also issued guidance for SOHO router manufacturers to secure their hardware against continued Volt Typhoon activity, including end-of-life hardware.
(Bleeping Computer)
Global Affairs Canada, a branch of the Canadian federal government that includes the Canadian trade and foreign ministries, said in a statement dated January 30 that it “activated an unplanned IT outage on Jan. 24 to address the discovery of malicious cyber activity.” The notice stated that the “compromised” system was the virtual private network (VPN) staff use to access the department’s Ottawa headquarters. “Early results indicate there has been a data breach and that there has been unauthorized access to personal information of users including employees,” the statement said.
(Reuters and CBC News)
Contact us: info@cisoseries.com
© 2023 CISO Series