Your Daily Decrypt

8/03/2023 - Today’s news and insights for cybersecurity pros and leaders

📸 Cybersecurity Snapshot

Here's a bar chart depicting the average cost of data breaches in various industries. As we can see, healthcare has the highest average cost at $9.48 million, followed by finance at $8.07 million. Retail, technology, and manufacturing have lower average costs, with technology and manufacturing being quite close at $4.67 million and $4.52 million respectively.

📰 Top Stories

A team of researchers has discovered a new side-channel attack named Collide+Power that can be used to extract sensitive data from almost any modern CPU. The attack abuses the data-sharing design of certain CPU components, allowing the attacker to combine their own data with data from user applications. By measuring CPU power consumption while altering their own data, attackers can infer user application data, potentially exposing passwords or encryption keys. Despite its potential severity, real-world use of the attack is currently unlikely because of the low data leakage rates and the specific conditions it requires.

A critical flaw in Ivanti Endpoint Manager Mobile (EPMM) has been exploited by advanced persistent threat (APT) actors since at least April 2023. The attacks, targeted at Norwegian entities including a government network, leveraged compromised small office/home office (SOHO) routers. The exploit allows unauthorized access to personally identifiable information (PII) and enables system configuration changes. Organizations are advised to patch their systems, implement multi-factor authentication (MFA), and validate their security controls.

IT firm Maximus, serving key US government programs, has confirmed a data breach potentially affecting up to 11 million people. The attack, exploiting the MOVEit file transfer software, allowed hackers to access social security numbers, protected health information, and other personal data. Maximus is cooperating with law enforcement and has begun notifying affected customers and regulators. The company expects the breach to cost an estimated $15 million.

🚨 Threat Alerts

Juice jacking is a cyberattack where scammers install fake charging stations in public spaces, such as airports or cafes, to steal sensitive information from devices plugged into them. These stations can harvest data like passwords or credit card details, and may even install malware to remotely control the victim's device. To safeguard against this, it is advised to bring your own charger or portable power bank, or use a USB data blocker to prevent data exchange between your device and the charging station. By exercising caution with public charging outlets, you can protect your personal information from these scams.

Cybercriminals are exploiting the confusion surrounding the transformation of Twitter into X by sending phishing emails to Twitter Blue users. The emails, which appear to originate from, and are sent through, the customer relationship management (CRM) company Brevo (formerly Sendinblue), ask users to migrate their Twitter Blue subscriptions to X. The campaign directs users to a misleading URL and asks them to authorize a seemingly legitimate Twitter app; if authorized, the app gives the attackers control over the user's Twitter account. Twitter and Brevo are aware of the issue and are working to address it.

Android users are being targeted by a fake chat app called "Safe Chat" that is capable of stealing user data, according to researchers from CYFIRMA. The malicious campaign begins with a phishing message sent via WhatsApp that encourages users to download the app. Once installed, the app displays legitimate-looking pages and requests numerous permissions while stealthily infiltrating the device. The app is linked to Bahamut, an APT group known for targeting users in South Asia and the Middle East.

The hacking group AlphV, also known as BlackCat, claims to have hacked Reddit, allegedly stealing 80GB of data on February 5, 2023. The group states it has twice contacted Reddit, demanding $4.5 million in return for not leaking the data and for reversing Reddit's API pricing changes. While the group has not yet provided proof, the claim aligns with a phishing attack Reddit disclosed in February. AlphV says it expects to leak the data.

🚨 Regulatory Updates

The Bank for International Settlements (BIS) has released a seven-point "Polaris security and resilience framework" aimed at helping countries prevent cyberattacks on the emerging Central Bank Digital Currencies (CBDC). With about 130 countries exploring CBDCs, the BIS emphasized the elevated risks due to their complexity and large attack surface. The BIS also highlighted that the average time for hackers to successfully compromise a blockchain-type setup is only around 10 months. The framework urges central banks to understand the new threat landscape, adopt appropriate security technologies, and utilize the MITRE ATT&CK database of past cyberattacks to strengthen their security measures.

The National Security Agency (NSA) has released a new guide to assist in hardening Cisco Firepower Threat Defense (FTD) systems, also known as Cisco Secure Firewall. These next-generation firewalls (NGFWs) combine application- and network-layer security features, including application visibility and control, URL filtering, user identity and authentication, malware protection, and intrusion prevention. The NSA's guide emphasizes that proper configuration is essential to get the most out of these defenses and advises organizations to follow its recommendations to protect their networks against increasingly sophisticated threats.

👀 Curated Finds

Research from Veeam indicates that 80% of 1,200 organizations impacted by ransomware chose to pay the demanded ransom, yet 21% of those that paid were still unable to recover their lost data. The survey also found that 74% of organizations with cyber-insurance cover reported an increase in premiums. Although the decision to pay is complex, paying a ransom primarily benefits the cybercriminals and funds further attacks. Proper data security and resilience are paramount to preventing such incidents.

Push has unveiled a SaaS attack matrix that catalogues techniques used to exploit SaaS applications, focusing on networkless attacks that bypass traditional network and endpoint detection. The new attack methods target user identities and use legitimate SaaS apps to create shadow workflows, hiding in plain sight from responders. Attacks also exploit SaaS features that enable easy user sign-ups and integrations with other apps. The report highlights the need for stronger phishing-resistant account security across all SaaS platforms, as detection of such attacks remains challenging.

Comcast Business reports that while technology is providing security teams with more tools to fend off cyberattacks, the tactics used by cybercriminals are also becoming more sophisticated. Approximately 67% of all breaches now start with a click on a seemingly safe link, with social engineering being the primary tactic used to infiltrate corporate networks. The data, gathered from 23.5 billion cybersecurity attacks, highlights the significant threat of the Apache Log4j vulnerability and shows an increase in DDoS attacks, particularly in IT, education, finance, and healthcare sectors. The report underscores the importance of understanding cybersecurity risks and implementing comprehensive, multi-layered security solutions.

Burger King's French website exposed sensitive credentials due to a misconfiguration, potentially putting its systems and job applicants' data at risk. The publicly accessible environment file contained various credentials, including those for a database that likely stores job posts and applicant data. The file also included a Google Tag Manager ID and a Google Analytics ID which, if abused, could allow attackers to execute arbitrary JavaScript on the site or disrupt its performance analytics. This is the second time Burger King has leaked sensitive data through a misconfiguration of this kind.

Thank you 🙏
Ali Abidi