This morning’s news rings loud – “Nearly all AT&T customers’ call and text records exposed in massive breach”. Fresh off the heels of an unrelated data leak on third-party platform Snowflake impacting 73 million current and former customers, AT&T is seeing immediate financial damage as shares fell 1% following today’s news.

In today’s fast-changing world of cybersecurity, such breaches highlight the critical importance of robust network modeling. Network modeling involves creating a detailed representation of a network’s structure, behaviors, and interactions, enabling cybersecurity professionals to predict potential vulnerabilities and devise strategies to mitigate them. As the frequency and scale of cyber threats continue to grow, adopting advanced network modeling techniques has become essential for protecting important data and maintaining the integrity of network systems.

The importance of network modeling

Network modeling offers an organized way to understand and handle the complexities of a network. As cyber threats become more advanced, it’s essential to have a clear and complete picture of how a network operates. Network modeling serves as a blueprint, allowing cybersecurity teams to:

1. Identify vulnerabilities: By simulating various network scenarios, professionals can pinpoint weak spots and potential entry points for cyber attackers.
2. Optimize security measures: Effective network modeling helps in deploying security resources more efficiently, ensuring robust protection against threats.
3. Enhance incident response: In the event of a cyber attack, a well-modeled network facilitates quicker detection and response, minimizing damage and downtime.
4. Compliance and auditing: Detailed network models assist in maintaining regulatory compliance and provide a clear audit trail for security assessments.

Knowing what’s on your network and how it’s all connected is the fundamental first step in staying secure and compliant. It can be hard to see the bigger picture, and you don’t know what you don’t know. RedSeal reveals—and makes sense of—it all.

Take for example, the 2023 Real Estate Wealth Network (REWN) data breach. Cybersecurity Researcher, Jeremiah Fowler, discovered and reported the non-password protected database, New York-based Real Estate Wealth Network, that held 1.5 billion records containing real estate ownership data of millions of people, including celebrities, politicians. The exposure of home addresses online poses potential risks such as threats to their personal safety or an invasion of their privacy.

In other password news, the infamous SolarWinds Supply Chain Attack  was facilitated by poor password practices. An intern’s weak password, “solarwinds123,” was accessible via a misconfigured GitHub repository, allowing attackers to insert malicious code into the SolarWinds software updates​.

Password protection is merely the tip of the iceberg when it comes to comprehensive cybersecurity. A robust security strategy must encompass multiple layers of defense, including multi-factor authentication (MFA), encryption, regular software updates, network monitoring, and incident response planning. These additional measures help mitigate risks by ensuring that even if passwords are compromised, other security controls can prevent unauthorized access and protect sensitive data. Network modeling plays a crucial role in this layered approach by identifying vulnerabilities and guiding the implementation of best practices across the entire infrastructure.

 What can you do with RedSeal?

• Build an accurate and comprehensive model of your connected network—a network digital twin
• Bring private cloud, public cloud, and physical resources into one consolidated view
• Present the logical layout of assets and groupings in a clear, visual topology
• Map the physical location of assets and their Layer 2 connectivity
• See all available traffic paths among assets, subnets, and internet exposure points
• Discover network inconsistencies as well as assets and connections previously unknown or unaccounted for
• Gain visibility of IPv6 usage and connectivity

As cyber threats grow more advanced, network modeling becomes an increasingly vital tool for cybersecurity experts. Through a detailed and dynamic view of network operations, organizations are better able to identify vulnerabilities, optimize security measures, and enhance their overall cybersecurity posture. As technology continues to advance, the role of network modeling in safeguarding digital assets will only become more critical.

The RedSeal advantage

• Maintain a single source of truth for your hybrid network that all teams can trust
• Know the unknowns—the good, the bad, and the ugly—about your network
• Gain the network understanding you need to be more proactive and strategic about security and compliance

Reach out to RedSeal or schedule a demo today to learn how to bolster your cybersecurity efforts and make the strategic move that promises long-term benefits and peace of mind.

Based on the recent discovery of a significant security vulnerability known as “Regresshion,” which affects millions of Linux systems running OpenSSH, organizations are urgently reassessing their cybersecurity postures. The Regresshion vulnerability can potentially allow attackers to gain unauthorized root access to affected systems, making it a critical threat to handle promptly. This context offers a perfect scenario to illustrate how RedSeal’s network modeling and risk analysis platform can be pivotal in mitigating such threats.

How RedSeal Can Help Mitigate Risks Like Regresshion

Identifying and Mapping Vulnerable Assets

RedSeal’s network modeling capability can automatically identify and map all network assets, including those running vulnerable versions of OpenSSH. By providing a comprehensive view of all assets, RedSeal helps security teams quickly pinpoint which parts of the network are at risk due to the Regresshion vulnerability.

Prioritizing Vulnerabilities Based on Network Context

Once vulnerable assets are identified through external vulnerability scanners, RedSeal’s risk analysis capabilities come into play. RedSeal integrates the identified vulnerabilities into its network model to prioritize them based on the network context. This means understanding which vulnerabilities are most likely to be exploited and which could have the most severe impact on the network. For instance, a vulnerable server in a less critical part of the network might receive a lower priority compared to one that houses sensitive data or supports critical operations.

Enhancing Incident Response with Detailed Network Insights

In the event of an exploitation attempt, RedSeal’s detailed network insights allow incident response teams to respond more effectively. By understanding the pathways attackers might use to move laterally across the network from a compromised OpenSSH server, RedSeal helps in implementing targeted containment strategies, thereby minimizing the potential impact of an attack.

Supporting Compliance and Reporting

With the increasing scrutiny on cybersecurity practices, compliance with industry standards and regulations becomes more crucial. RedSeal not only aids in identifying and mitigating risks but also supports compliance reporting by providing proof of due diligence and proactive risk management in handling known vulnerabilities like Regresshion.

Streamlining Remediation Efforts

Finally, by integrating with other security tools, RedSeal can automate some aspects of the remediation process. For instance, upon identifying vulnerable systems, RedSeal can trigger patch management tools to apply necessary updates or patches, streamlining the remediation efforts and reducing the window of opportunity for attackers.

Conclusion

In the wake of the Regresshion vulnerability, organizations are reminded of the importance of having robust, dynamic cybersecurity solutions that can adapt to emerging threats. RedSeal’s network modeling and risk analysis capabilities provide an essential layer of intelligence that enhances security operations, from prevention through to response and recovery. By leveraging RedSeal, organizations can ensure they are better equipped to handle sophisticated threats, protecting their critical assets from potentially catastrophic breaches.

Reach out to RedSeal or schedule a demo today.

Welcome to our latest cybersecurity roundup. This week, Microsoft President Brad Smith admitted security failures that allowed Chinese hackers to access US officials’ emails. Truist Bank confirmed a breach affecting 65,000 employees. CISA led its first AI cybersecurity tabletop exercise, and Spanish authorities arrested a key member of the Scattered Spider hacking group. D-Link urged customers to update routers to fix a critical backdoor vulnerability. Stay informed on these pressing cybersecurity developments.

1. Microsoft’s President admits security failures in congressional testimony

In congressional testimony yesterday, Microsoft President Brad Smith admitted security failings that enabled Chinese state hackers to access emails of US officials in 2023. Smith accepted responsibility for issues cited in a Cyber Safety Review Board (CSRB) report. The report blamed Microsoft for security failures that let Chinese hackers, Storm-0558, access 25 organizations’ email accounts, including US officials. The hackers used a Microsoft encryption key and exploited flaws in the authentication system to gain global access to Exchange Online accounts. The CSRB found an inadequate security culture and gaps in Microsoft’s security processes.

Smith acknowledged Microsoft’s crucial cybersecurity role and the increased cyber threats from geopolitical conflicts. He apologized to those impacted by the Storm-0558 attack and outlined steps Microsoft is taking to enhance security. This includes implementing CSRB recommendations, transitioning to a new key management system, and enhancing token validation processes.Smith added that Microsoft has added security engineers and created the Office of the CISO to ensure security is prioritized. The company’s Secure Future Initiative aims to design and operate products with security in mind.Following harsh feedback from security experts, Microsoft has delayed its Recall AI feature for further security testing. This feature, intended for Copilot and Windows PCs, faced privacy concerns for recording users’ activities. The roll-out will now start with the Windows Insider Program for additional testing. (infosecurity magazine)

2. Truist commercial bank confirms a data breach

U.S. commercial bank Truist confirmed a breach in its systems from an October 2023 cyberattack. A threat actor, known as Sp1d3r, posted Truist’s data for sale on a hacking forum, claiming to have information on 65,000 employees, bank transactions, and IVR funds transfer source code. Truist, formed from the 2019 merger of SunTrust Banks and BB&T, quickly contained the breach, secured systems with outside consultants, and notified affected clients. The ongoing investigation has found no evidence of fraud. Truist denies any connection to the recent Snowflake incidents. (bleepingcomputer)

3. CISA leads first tabletop exercise for AI cybersecurity

The exercise was led by the Joint Cyber Defense Collaborative, which is a branch of CISA that works closely with industry. Fifty AI experts from 15 companies and several international cyber defense agencies were involved. This was a four-hour exercise intended to contribute knowledge to the security incident collaboration playbook, which is set to be released at the end of 2024. The goal of the exercise was to understand “what makes up AI-enabled or AI-related cybersecurity incidents, determining what types of information-sharing is needed and how industry can best work with the government, and vice versa. “A cyber incident could mean an AI system itself is jeopardized, or another system created by an AI is under threat,” said Clayton Romans, associate director of the Joint Cyber Defense Collaborative at CISA. (Cyberscoop)

4.  New Linux malware controlled through Discord emojis

Named DISGOMOJI, the malware has been observed using emojis to execute commands on infected devices in attacks on government agencies in India. According to BleepingComputer, “the malware was discovered by cybersecurity firm Volexity, which believes it is linked to a Pakistan-based threat actor known as UTA0137.” This is a group that is known for conducting cyberespionage activities. Volexity discovered a UPX-packed ELF executable in a ZIP archive, which they believe was distributed through phishing emails. “Volexity believes that the malware targets a custom Linux distribution named BOSS that Indian government agencies use as their desktop.” (BleepingComputer)

5. Spanish authorities snag a top Scattered Spider hacker

Spanish authorities, with assistance from the FBI, have arrested 22-year-old Tyler Buchanan, a key figure in the Scattered Spider hacking group, notorious for attacking organizations like MGM Resorts, Twilio, and Apple. Buchanan was apprehended in Palma de Mallorca while attempting to fly to Italy. He controlled $27 million in bitcoin at the time. This marks the second major arrest of a Scattered Spider member in 2024, following Michael Noah Urban’s earlier capture. Despite these successes, experts warn that the group’s decentralized nature means they are likely to continue their activities, with new leaders ready to step in. (ITPro)

6. D-Link urges customers to upgrade routers against a factory installed backdoor

A critical vulnerability (CVE-2024-6045) in several D-Link routers allows unauthenticated attackers to gain administrative access. With a CVSS score of 8.8, this issue stems from a factory testing backdoor. Attackers can enable Telnet and obtain admin credentials. D-Link has released firmware updates; users should promptly update to secure their devices. (GBHackers)

7. Snowflake breach escalates with ransom demands and death threats

As many as 10 companies are facing ransom payments between $300,000 and $5 million following a breach against cloud-based data analytics firm Snowflake earlier this month. According to Mandiant, who has helped lead Snowflake’s case, the hacking scheme has “entered a new stage” as the ransom demands flow in, as well as death threats against the cybersecurity experts investigating the breach. The hackers gained access to the information by targeting Snowflake users using single-factor authentication techniques. Mandiant has said it anticipates the ransomware group to “continue to attempt to extort victims.” (Bloomberg)

8. Velvet Ant maintains three-year cyber espionage campaign 

This threat actor wasn’t going down without a fight. Researchers at Sygnia have uncovered a prolonged, sophisticated cyber-espionage campaign by China’s “Velvet Ant” group targeting a large company in East Asia. Despite repeated eradication attempts, the threat actor maintained persistence for about three years by exploiting legacy and unmonitored systems, particularly using an old F5 BIG-IP appliance for internal command and control (C&C). (Dark Reading), (Sygnia), (The Hacker News)

9. Empire Market operators face life for $430 million Scheme

Two of the suspected operators behind the prominent dark web marketplace, Empire Market, face life in prison for their part in facilitating more than $430 million in dark web sales. While users could buy everything from illicit drugs to counterfeit currency, the DOJ has charged the pair with helping cybercriminals conduct nearly four million transactions. 38-year-old Thomas Pavey and 28-year-old Raheim Hamilton operated the platform from 2018 to 2020. Prior to starting Empire Market, they sold counterfeit U.S. currency on the now-shut down AlphaBay. (The Record)

10. Nvidia becomes world’s most valuable company

Not directly a cybersecurity story, but undeniably central to the business, Nvidia has just become the world’s most valuable company following a new share price surge on Tuesday. The company is now worth $3.34TN, surpassing Microsoft and Apple. The rise in its value has largely been driven by the need for the chips used for artificial intelligence (AI). For some context, eight years ago, the company’s stock was worth less than 1% of its current price and at that time was mostly in competition with AMD, in a race to make the best graphics cards. (BBC News)

11. G7 to develop cybersecurity framework for energy sector

In an announcement made on Tuesday, the member nations of the G7 have agreed to develop a cybersecurity framework for operational technologies in energy systems that targets manufacturers and operators. Its intention is to “bolster the cybersecurity of the global supply chain for critical technologies used in the management and operation of electricity, oil, and natural gas systems worldwide. The [G7] comprises Canada, France, Germany, Italy, Japan, the UK, and the U.S. (InfoSecurity Magazine)

12. Gym chain Total Fitness suffers breach

The UK fitness group has been exposed by researcher Jeremiah Fowler, who says he discovered “an unsecured database containing the images of 470,000 members and staff – all accessible to anyone on the internet, no password required.” Speaking to The Register, he added that he had “also uncovered images of members’ identity documents, banking and payment card details, phone numbers, and even – in some cases – immigration records.” Representatives of Total Fitness disputed the extent of the data breach, saying that members’ images comprised a “subset” of the database, and that most images did not contain personally identifiable information, but Fowler claims that members’ images took up roughly 97% of the database. The company has now secured the database, and has reported the breach to the UK’s data regulator, the Information Commissioner’s Office (ICO), for investigation. (BitDefender)

13. Cybersecurity burnout costing firms more than $700M annually

A report from Hack the Box, a cybersecurity training center, suggests that “British and U.S. enterprises may be throwing away as much as $756m each year through lost productivity due to burned-out cybersecurity staff.” The research claims 84% of responding cybersecurity professionals are “experiencing stress, fatigue and burnout due to the rapid pace of technological change, mounting threat volumes and being forced to perform outside their skillset, and that that three-quarters (74%) have taken time off due to work-related mental well-being problems.” (InfoSecurity Magazine)

14. Hackers derail Amtrak Guest Rewards accounts

In a breach-disclosure notice it filed in Massachusetts, the passenger rail service said an unauthorized third party gained access to a customer database between May 15-18. Amtrak said its systems were not hacked, but that accounts were likely compromised using usernames and passwords from prior breaches. Affected data includes customer names, contact information, Amtrak Guest Rewards account numbers, date of birth, partial payment details (such as partial credit card number and expiration date), gift card info (such as card number and PIN) and other transaction and trip data. In some cases, the hackers took over accounts and changed emails and passwords to lock legitimate users out. Amtrak took quick action to restore accounts and reset passwords and also urged riders to rotate their passwords and implement multifactor authentication. (Dark Reading)

1. Hackers brick over 600,000 routers

Last October, subscribers of the ISP Windstream, which serves residential customers in 18 states, reported that their ActionTec T3200 routers suddenly stopped working, showing a steady red light and not responding to resets. Users blamed Windstream for pushing updates that bricked the devices. The ISP sent new routers to affected customers. Black Lotus Labs later revealed that malware took out over 600,000 routers, including those from Windstream, using Chalubo malware to permanently overwrite firmware. This attack, named Pumpkin Eclipse, was deliberate and targeted a single ISP’s autonomous system number. The incident raised concerns about the impact on rural communities and critical services. Researchers found no evidence of nation-state involvement and advised standard cybersecurity measures to prevent future attacks. Researchers noted that the attack was deliberate, with the threat actor using common malware instead of custom-developed tools to cover their tracks. Despite extensive analysis, the initial infection method remains unclear, though weak credentials or exposed administrative panels are possible entry points. (arstechnica)

2. Draft legislation looks to streamline federal cybersecurity regulations

Senator Gary Peters (D-MI) is proposing a bill to create an interagency committee to streamline federal cybersecurity regulations. The Office of the National Cyber Director (ONCD) would lead this effort, aiming to reduce compliance burdens for industries. This committee would identify and resolve conflicting cybersecurity requirements within a year and ensure regulatory updates are aligned. The draft legislation mandates a pilot program for at least three regulatory agencies to work with the committee on harmonizing rules. The bill also grants ONCD more authority in setting and coordinating cybersecurity regulations, which has support from industry and some experts who see a need for centralized oversight.

The proposal follows recent cybersecurity regulations from the Cybersecurity and Infrastructure Security Agency (CISA) and the Securities and Exchange Commission (SEC), highlighting the need for regulatory harmonization. Key challenges include managing jurisdictional conflicts among various congressional committees overseeing cybersecurity. However, Peters has a history of successfully passing cybersecurity legislation, and the bill has bipartisan appeal. If passed, the legislation would bolster ONCD’s efforts to streamline cybersecurity rules, ensuring better coordination across federal agencies. (The Record)

3. Ticketmster hack affects 560 million customers, third-party denies liability

The attack, which occurred on May 20, has been confirmed by its parent company, Live Nation, as having been the result of “unauthorized activity within a third-party cloud database environment containing company data.” A week later the threat actor ShinyHunters offered the data, which is alleged to contain PII and partial payment details of up to 560 million customers up for sale if a ransom payment of over $500,000 is not made. This is the same threat actor group who breached the Spanish bank Santander around the same time.

Meanwhile, the third-party vendor in question, cloud storage provider Snowflake has denied that its products were to blame for the Ticketmaster breach, or the Santander Bank, for that matter. According to a since-removed post on the website of security firm Hudson Rock, “the intruders were able to sign into a Snowflake employee’s ServiceNow  account using stolen credentials, and from there were able to generate session tokens,” however Snowflake, while acknowledging that a former employee’s demo account was accessed through stolen credentials, said it did not contain sensitive data, and that there was “no pathway for customers’ credentials to be accessed and exfiltrated from the Snowflake production environment.”   (The Guardian and The Record)

4. NSA shares mobile device best practices

The NSA has published a handy Mobile Device Best Practices report, offering tips to better protect those ubiquitous gadgets.  A simple method to thwart hackers is restarting your phone weekly, making it harder to steal information, due to many malware packages not having persistence. However, this won’t always prevent attacks. The NSA also highlights threats like malicious apps, Wi-Fi networks, spyware, and physical access. It’s a nice collection of best practices, easy to share with friends, family and coworkers. (Zdnet)

5. Authorities unmask criminals behind malware loaders

As part of Operation Endgame, law enforcement agencies in 13 countries have revealed the identities of eight Russians linked to the distribution and administration of malware loaders including Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC, and Trickbot. The loaders have been used for years to steal user data, distribute other malware, and propagate phishing campaigns. Forty-two-year-old Airat Rustemovich Gruber, has been identified as the administrator of the Smokeloader botnet, which first appeared in 2011. Seven other Russian nationals (Oleg Vyacheslavovich Kucherov, Sergey Valerievich Polyak, Fedor Aleksandrovich Andreev, Georgy Sergeevich Tesman, Anton Alexandrovich Bragin, Nikolaevich Chereshnev, and Andrei Andreyevich) are wanted for their ties with the TrickBot operation. Germany’s federal police authorities (BKA) have listed the suspects on their website along with information about the harmful loaders and the joint operation. (SecurityWeek)

6. Atlassian Confluence bug allows code execution

Researchers at SonicWall Capture Labs have discovered a remote code execution vulnerability (CVE-2024-21683) in the Atlassian Confluence Data Center and Server. The bug is assigned a CVSS score of 8.3 out of 10, and can be exploited by uploading a forged JavaScript language file containing malicious code. A proof-of-concept (PoC) exploit code has already been made available so admins should upgrade to the latest versions of Confluence as soon as possible. The researchers have published the indicators of compromise (IoCs) for the bug so admins can check for signs of exploitation. (Dark Reading)

7. Utah student floods hackers with false info to thwart Phishing

A Davis County high school junior, Charles Mortensen, developed a program dubbed VEGA (Victims’ Empowerment Guard against Attacks), which aims to take down phishing sites by flooding them with fake usernames and passwords. Mortensen said the program can send about half a million requests to a hacker site within a night, typically taking the site offline by the morning. Mortensen was motivated to create VEGA when a friend residing in foster care fell victim to an Instagram phishing attempt, jeopardizing her only means of contacting her mom. Mortensen said VEGA has enabled him to take down thirty phishing sites within a month. He is seeking a sponsor to help him to scale the operation to potentially dismantle much larger volumes of phishing sites. (The Cyber Express)

8. A report finds Rural hospitals vulnerable to ransomware

A new report from CSC 2.0, an offshoot of the Cyberspace Solarium Commission, warns that rural hospitals are particularly vulnerable to ransomware attacks due to their limited resources and outdated technology. The report finds that federal funding is crucial to addressing this issue, as it will allow for major cybersecurity investments. The threat is no longer theoretical, with recent attacks on large healthcare providers, including Ascension and Change Healthcare, disrupting patient care and medical procedures. The report recommends increasing funding for the Department of Health and Human Services, updating cybersecurity objectives, and encouraging health care providers to invest in basic cybersecurity measures such as employee training and managed IT services. (Cyberscoop)

9. Ransomware attack forces London hospitals to cancel operations

Several of London’s largest hospitals were forced to cancel operations and declare critical incident emergency status after Synnovis, a third-party provider, experienced a ransomware attack. A spokesperson for the region said the attack left multiple hospitals without access to pathology services, with “blood transfusion being particularly affected.” According to The Register, all of Synnovis’s IT systems are believed to be impacted, and as of this recording, there is no timeline for when operations are expected to be back online. (Infosecurity Magazine), (The Register), (The Record)

10. Christie’s stolen data sold to highest bidder

Going once, going twice, Christie’s stolen data has been sold. The world-renowned auction house fell victim to a second ransomware attack this year in early May, resulting in the theft of personal information from their high-profile clients. The ransomware group RansomHub set a June 3rd deadline for Christie’s to pay the ransom. When Christie’s failed to comply, the group announced on their website that the stolen data had been sold to an anonymous third party for an undisclosed amount. RansomHub claims to have stolen information from at least 500,000 of Christie’s clients, including full names, passport details, and home addresses, though this number has not been confirmed. (The Register)

11. A TikTok zero-day targets high profile accounts

Threat actors exploited a zero-day vulnerability in TikTok’s direct messages feature to hijack high-profile accounts, including those of CNN, Paris Hilton, and Sony. The malware spreads by simply opening a direct message within the app. TikTok spokesperson Alex Haurek stated that their security team has stopped the attack and is working with affected users to restore access. The extent of the impact remains unclear. No technical details about the vulnerability were disclosed. (Security Affairs)

12. OpenAI insiders describe a culture of recklessness and secrecy

A group of OpenAI insiders, including nine current and former employees, is exposing what they describe as a culture of recklessness and secrecy at the company, The New York Times reports.  The insiders claim OpenAI prioritizes profits over safety in its race to develop artificial general intelligence (AGI). The insiders accuse the company of using restrictive nondisparagement agreements to silence concerns. Former researcher Daniel Kokotajlo, a leading whistleblower, criticized OpenAI for its aggressive pursuit of AGI without sufficient safety measures. The group recently published an open letter calling for greater transparency and protections for whistleblowers in AI companies. They demand an end to restrictive agreements and advocate for a culture that allows open criticism and anonymous reporting of safety issues.

OpenAI is also dealing with several controversies, including legal battles over copyright infringement and backlash from its recent voice assistant launch. The company has faced internal turmoil, including the departure of senior AI researchers Ilya Sutskever and Jan Leike, who left due to concerns over safety being neglected in favor of rapid development. OpenAI has responded, claiming a commitment to safety and transparency and announcing new safety initiatives. The whistleblowers, however, remain skeptical and are urging regulatory oversight to ensure responsible development of powerful AI systems. (NY Times)

13. AI leveling up unsophisticated threat actors

Speaking at an event in Washington, US Treasury CISO Sarah Nur and FBI cyber division deputy assistant director Cynthia Kaiser both said that new AI tools made it easier for less sophisticated threat actors to become “at least mildly better,” allowing for things like performing scripting tasks and finding coding errors. Also at the event, assistant secretary for cyber and technology security in the State Department’s Bureau of Diplomatic Security Gharun Lacy said he’s seen AI used as an amplifier by threat actors, used to improve their best skills. All said the government needs to improve information sharing and coordination with partners across public and private sectors. (FedScoop)

14. Researchers find Chinese espionage operation

Security researchers at Sophos detailed an operation dubbed “Crimson Palance” operating in Southeast Asia throughout 2023, with unmanaged access likely starting in early 2022. This used three distinct clusters of intrusion activity that showed signs of coordination. Attack techniques and infrastructure align with Chinese state-sponsored actors. The operators primarily looked to prolong access to networks to collect sensitive military and technical information from victims. (Infosecurity Magazine)

15. Interpol makes cyber sabotage arrests

Moldovan authorities coordinated with French prosecutors and the FBI to detain four people suspected of attempting to sabotage Interpol’s Red Notice system. Red Notice is used to alert 195 member countries of wanted individuals. The suspects allegedly paid intermediaries millions of dollars to inform people listed on Red Notice as well as attempting to delete notices. The UK National Crime Agency also said it uncovered the names of other individuals accepting bribes for similar actions. Interpol said it added “additional measures” to ensure the system could not be abused with similar incidents going forward. (The Record)

16. Commando Cat targets Docker servers to deploy crypto miners

Researchers at Trend Micro describe Commando Cat, a campaign that exploits exposed Docker remote API servers to deploy cryptocurrency miners. Active since early 2024, attackers use the cmd.cat/chattrDocker image to gain access to the host system. They create containers that bind the host’s root directory, allowing unrestricted access. The attackers download and execute a malicious binary, often employing sophisticated techniques to evade detection. This campaign underscores the importance of securing Docker configurations, using trusted images, and performing regular security audits to prevent such attacks. (Trendmicro)

17. FCC moves forward with BGP security measures

The Federal Communications Commission unanimously voted to advance a proposal to improve the security of the Border Gateway Protocol (BGP) for the internet. Under this proposal, broadband providers must develop and maintain private BGP security plans, with the top nine providers submitting quarterly progress reports to the FCC. The commission highlighted current BGP vulnerabilities that have been exploited by a Chinese telecommunications company to misroute U.S. internet traffic multiple times. Additionally, the FCC approved a $200 million pilot program to help schools and libraries purchase cybersecurity equipment, despite opposition. (CyberScoop)

18. LockBit ransomware gang victims get lifeline from FBI

Are you or someone you know a victim of the LockBit ransomware gang? The FBI’s Cyber Division says they can help. A spokesperson for the agency said they have obtained more than 7,000 LockBit ransomware decryption keys and are urging victims to reach out to the FBI’s Internet Crime Complaint Center (IC3).  The report asks for information such as which version of LockBit was used to encrypt your system, what files were encrypted, and a copy of the ransom note. (IC3 Reporting Form), (Security Week)

19. Apple to debut rival password management app

Apple is saying move over 1Password and LastPass. According to Bloomberg, the tech giant plans to launch its competing password management app as early as next week. The new app, called Passwords, is similar to iCloud Keychain in that it will sync passwords the same way, but the new app will separate logins into different categories, including accounts, Wi-Fi networks, and passkeys. The new app is expected to be introduced on June 10 and available in iOS 18, iPadOS 18, and macOS 15. (The Verge), (Bloomberg)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Welcome to our latest cybersecurity roundup. This week, we cover a breach of Japan’s solar power grid by Hacker CN, LockBit’s release of 300 GB of London Drugs data, a new global ATM malware threat, and a critical vulnerability in Cisco’s Firepower Management Center software. We also discuss RansomHub’s threats against Christie’s, the FBI’s insights into the Scattered Spider group, Check Point’s VPN breach attempts, and a Fortinet SIEM exploit. Additionally, we highlight the recovery of a lost password to a $3 million crypto wallet, NIST’s efforts to clear its vulnerability backlog, and Okta’s warning of credential stuffing attacks.

We’re here to keep you informed on pressing cybersecurity developments from around the globe.

1. Hackers access a Japanese solar power grid

Japanese media reported a significant cyberattack on the solar power grid infrastructure, marking what might be the first publicly confirmed incident of its kind. Malicious actors hijacked 800 SolarView Compact remote monitoring devices, manufactured by industrial control electronics company Contec, at various solar power generation facilities. The cybercriminals used these compromised devices to engage in bank account thefts – they were after compute power. The hacker group responsible for the attack is likely Hacker CN, also known as Arsenal Depository. South Korean security firm S2W identified Hacker CN as a group potentially based in China or Russia. This group was previously linked to hacktivist attacks targeting Japanese infrastructure, particularly after the Japanese government released contaminated water from the Fukushima nuclear power plant, under an operation termed “Operation Japan.” Though the exploitation of these remote monitoring devices did not threaten power system operations, experts caution that such intrusions could be more dangerous if highly capable adversaries gained access. (CSO Online)

2. Lockbit drops 300 gigabytes of data from London Drugs

Last month, cybercriminals stole files from London Drugs’ head office and have now released some data after the company refused to pay a ransom. The Richmond, B.C.-based retailer said the files might contain employee information and is offering affected staff credit monitoring and identity theft protection. The hacking group LockBit claimed responsibility, releasing over 300 gigabytes of data. London Drugs, which shut down its stores temporarily, stated there’s no evidence customer data was compromised. LockBit, described as the “world’s most harmful cybercrime group,” has been disrupted by international law enforcement efforts, but it remains active. (The Star)

3. New ATM malware poses significant global threat

According to notifications posted on a dark web news site, a threat actor is advertising a new malware that it claims is able to compromised 99% of ATM devices in Europe and 60% of ATMs worldwide. The announcement claims it can target machines made by the world’s leading ATM manufacturers including Diebold Nixdorf, Bank of America, NCR, and Hitachi. The malware can operate automatically or with manual oversight, and interested parties are being offered a three day trial using a test payload. (Security Affairs)

4. High-severity vulnerability hits Cisco Firepower Management Center

Cisco is warning of a vulnerability with a CVSS score 8.8 within the web-based management interface of the Firepower Management Center (FMC) Software. This vulnerability is an SQL injection issue which can be exploited for an attacker who has at least Read Only user credentials. There are currently no workarounds for this vulnerability, but Cisco has confirmed that it does not affect Adaptive Security Appliance (ASA) Software or Firepower Threat Defense (FTD) Software. (Cisco advisory)

5. The RansomHub group puts a deadline on Christie’s

The hacker group RansomHub, responsible for a recent attack on Christie’s, has threatened to leak sensitive client information if ransom demands aren’t met by May 31. RansomHub, previously behind an attack on Change Healthcare, claimed access to Christie’s data on the dark web, releasing sample data including names, birth dates, and nationalities. Christie’s acknowledged a tech issue in early May, just before major auctions, revealing unauthorized access by a third party. Despite rejecting initial ransom demands, Christie’s faces pressure to comply to avoid GDPR fines and reputational damage. (ITPro)

6. The FBI untangles Scattered Spider

At last week’s Sleuthcon conference just outside Washington DC, Bryan Vorndran, assistant director of the FBI’s Cyber Division, revealed insights into Scattered Spider, a cybercriminal group linked to numerous high-profile breaches. Known also as 0ktapus or UNC3944, Scattered Spider comprises around 1,000 members, many of whom do not know each other directly. Vorndran described the group as a “very, very large, expansive, dispersed group of individuals.” This group has breached several prominent companies, including MGM Resorts and Okta. The FBI considers Scattered Spider a top-tier cybersecurity threat, alongside nation-state actors from China and Russia. Composed primarily of native English speakers from the United States and the United Kingdom, the group employs both digital and physical threats. Some members even offer violence as a service, engaging in activities such as assaults and property damage to extort victims. Despite facing criticism for the lack of public arrests, the FBI officials say they have taken non-public actions against the group. In January, authorities in Florida arrested 19-year-old Noah Urban, identified as a key figure in the crime ring. (Cyberscoop)

7. Attackers target Check Point VPNs to access corporate networks

On Monday, cybersecurity firm Check Point issued an advisory that it observed a small number of attempts to breach its customers’ VPNs this past Friday. The attacks did not attempt to exploit a software vulnerability but instead targeted customers who are using outdated VPN local accounts with password-only authentication. The company advised customers to secure network accounts by adding another layer of authentication. Check Point also released a solution designed to automatically prevent unauthorized access via local accounts using password-only authentication. (Infosecurity Magazine)

8. PoC exploit released for bug in Fortinet SIEM

Security researchers at Horizon3’s Attack Team released a proof-of-concept (PoC) exploit for a remote code execution issue in Fortinet’s SIEM solution (CVE-2024-23108). The PoC exploit allows commands to execute as root on several versions of Internet-facing FortiSIEM appliances. Fortinet disclosed the maximum severity bug back in February, stating attackers may be able to execute unauthorized commands via crafted API requests. The researchers published indicators of compromise to help owners of vulnerable devices investigate potential issues. (Bleeping Computer and Security Affairs)

9. Researchers crack 11-year-old password to $3 million crypto wallet

Researcher Joe Grand and a friend helped a man find the lost password to his cryptocurrency wallet containing 43.6 BTC, valued at nearly $2.96 million. The anonymous man, dubbed Michael, set up a crypto wallet in 2013 and then used RoboForm to create its unique 20-character password. Michael opted to store the password in an encrypted file instead of storing it in RoboForm due to security concerns. However, he lost the password when the encrypted file became corrupted. The researchers recovered Michael’s password by exploiting a long-fixed vulnerability in the RoboForm password generator. Michael said he was glad he lost access to his wallet as holding onto his tokens allowed them to appreciate from $5,300 in 2013 to roughly $68,000 at current rates. He gave a portion of his bitcoin to the researchers as payment for their help. (The Block and Slashdot)

10. NIST hopes to clear out the NVD backlog

The National Institute of Standards and Technology (NIST) has awarded a contract to help process incoming Common Vulnerabilities and Exposures (CVEs) for the National Vulnerability Database (NVD). They aim to clear the backlog of unprocessed CVEs by September 30. NVD’s slowdown in CVE enrichment became evident in February. NIST is implementing a multi-pronged solution, including improved tools, automation, and a consortium to address challenges. They have started ingesting CVE 5.0 and 5.1 records hourly since May 20. NIST is committed to modernizing the NVD and addressing the growing volume of vulnerabilities with technology and process updates, ensuring the program’s sustainability and supporting automated vulnerability management. (Helpnet Security)

11. Okta warns users of credential stuffing attacks

Okta warns customers of credential stuffing attacks targeting the Customer Identity Cloud’s cross-origin authentication feature. Threat actors are using stolen username and password combinations from phishing, malware, or data breaches to compromise customers’ tenants. Customers should review logs for suspicious activity, such as failed or successful cross-origin authentication attempts and logins with leaked passwords. Okta advises rotating compromised passwords, enrolling in passwordless authentication, enforcing strong passwords, implementing MFA, disabling unused cross-origin authentication, restricting permitted origins, and enabling breached password detection. This warning follows a cyberattack in October 2023, where customer support system user data was stolen. (Securityweek)

12. Europol seizes 2,000 domains in dropper takedown

The law enforcement agency announced it carried out “Operation Endgame,” which targeted malware droppers used to initially get malware loaded onto systems. This saw the seizure of over 2,000 domains, four arrests across Armenia and Ukraine, and the release of over 13.5 million unique passwords to Have I Been Pwned. Authorities previously tied the dropper sites to use with IcedID, SmokeLoader, and Trickbot. German authorities also added eight other suspects related to this takedown to the EU’s Most Wanted list. (CyberScoop)

13. LightSpy makes its way to macOS

LightSpy serves as a modular surveillance framework, targeting iOS and Android devices. However, a report from ThreatFabric discovered a variant targeting macOS. It discovered this by exploiting a misconfigured interface, finding LightSpy can exploit a series of WebKit flaws to execute within Safari. The interface also showed references to Windows, Linux, and routers but did not include any technical documentation of how its attack chain works. It’s not clear how wide of a reach the spyware will have. It only works on macOS 10.13.3 or earlier. Apple cut off support for macOS 10 almost four years ago, so it’s probably vulnerable to a lot of other nasty stuff too. (Bleeping Computer)

14. An alleged leak of Google’s search algorithm contradicts the company’s public statements

A significant leak of 2,500 internal Google documents reveals detailed insights into how the company’s search algorithm functions, contradicting Google’s long-standing public statements. SEO expert Rand Fishkin, who received the documents, claims they show Google has misled the public about its ranking processes. The documents detail Google’s search API and data collection practices, offering technical insights valuable to developers and SEO professionals. Key revelations include discrepancies about the use of Chrome data in rankings and the role of E-E-A-T (experience, expertise, authoritativeness, and trustworthiness). Despite Google’s claims that Chrome data isn’t used for ranking and E-E-A-T isn’t a ranking factor, the documents suggest otherwise. They show Google tracks author data, which may influence search results, contrary to Google’s public statements.This leak challenges Google’s transparency, showing a complex, secretive system influencing web content and sparking calls for more critical examination of Google’s claims by journalists and the SEO industry. The U.S. government’s antitrust case against Google adds to this scrutiny, highlighting the need for greater accountability in how Google operates its search engine. (The Verge)

15. German researchers discover a critical vulnerability in a TP-Link router 

Security researchers from German cybersecurity firm ONEKEY have discovered a critical vulnerability in TP-Link’s Archer C5400X router with a maximum severity score of 10.0. The flaw in the “rftest” network service o allows remote, unauthenticated attackers to execute arbitrary commands, compromising the device completely. Exploiting this vulnerability can let hackers inject malware or use the router for further attacks. TP-Link has released a patched version, and users should update their firmware immediately to secure their routers from potential exploitation. (Techspot)

16. New North Korean hacking group emerges

A North Korean hacking group has been formally identified by Microsoft, and it has been given the name Moonstone Sleet, an upgrade from its earlier name Storm-1789, a nomenclature system Microsoft uses for uncategorized malicious actors. Moonstone Sleet appears to share techniques and code with another North Korean group, Diamond Sleet. Currently its TTP portfolio includes “setting up fake companies and job opportunities to engage with potential targets, deploying trojanized versions of legitimate tools, and creating malicious games and custom ransomware.” (InfoSecurity Magazine)

17. New report looks at the security dangers of inadequate offboarding

Wing Security says that 63% of businesses may have former employees who still have access to organizational data. Inadequate or insufficient offboarding practices, the company says, often happen during periods of mass layoffs, citing the 80,000 tech employees who were made redundant in the first half of 2024 alone, “especially considering that the average employee uses 29 different SaaS applications.” The report cites four distinct risks, being data breaches, compliance violations, insider threats, and intellectual property theft. Their recommendation is to use automation in SaaS Security Posture Management (SSPM). A link to the report is available in the show notes to this episode. (The Hacker News and Wing Security)