Your Daily Decrypt

8/17/2023 - Today’s news and insights for cybersecurity pros and leaders

📸 Cybersecurity Snapshot

📰 Top Stories 

Summary

Who's Behind the Attacks: Unknown phishing actors.

What They Did: Targeted a major U.S. energy company, along with firms in manufacturing, insurance, technology, and financial services, using QR codes to bypass email security and deliver malicious phishing emails.

How They Did It: Approximately 29% of the 1,000 emails were aimed at the energy company. The phishing emails contained PNG or PDF attachments with QR codes, prompting recipients to scan for account verification. Redirects in Bing, Salesforce, and Cloudflare's Web3 services were used to lead targets to a Microsoft 365 phishing page.

Why It Matters:

  • Innovation in Tactics: First large-scale use of QR codes in phishing, indicating a potential trend.

  • Bypassing Protections: QR codes evade detection by hiding redirection URLs, abusing legitimate services, and using encoding.

  • Security Implications: Despite their effectiveness, QR codes still require user action, so well-trained personnel can mitigate the risk.
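Offline triage of a QR payload of the kind described above, as an added example that is not part of the newsletter or any cited product: it assumes an image-recognition step has already decoded the QR code to a string, then peels redirect parameters (raw, percent-encoded or base64url, an assumed set of encodings) without making network requests and flags payloads whose landing host is not on an assumed allowlist of legitimate sign-in hosts. The sample payloads and the landing page are constructed placeholders, not real indicators.

```python
import base64
from urllib.parse import urlparse, parse_qsl, unquote

# Assumed allowlist of legitimate sign-in hosts, and redirect parameter names (not exhaustive).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "microsoft.com"}
REDIRECT_PARAMS = {"u", "url", "redirect", "redirect_uri", "target", "r", "next"}


def _hidden_url(value):
    """Return an http(s) URL carried in a query value, trying raw, percent-encoded and base64url forms."""
    for candidate in (value, unquote(value)):
        if candidate.startswith(("http://", "https://")):
            return candidate
    try:
        raw = value.replace(" ", "+") + "=" * (-len(value) % 4)  # restore '+' lost to parse_qsl, fix padding
        decoded = base64.urlsafe_b64decode(raw).decode("utf-8")
        if decoded.startswith(("http://", "https://")):
            return decoded
    except (ValueError, UnicodeDecodeError):
        pass
    return None


def unwrap_redirects(url, max_hops=5):
    """Peel redirect parameters offline (no requests are made) and return the URL chain."""
    chain = [url]
    for _ in range(max_hops):
        nxt = None
        for key, value in parse_qsl(urlparse(chain[-1]).query, keep_blank_values=True):
            if key.lower() in REDIRECT_PARAMS:
                nxt = _hidden_url(value)
                if nxt:
                    break
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def triage_qr_payload(payload):
    """Flag a decoded QR payload whose final landing host is not a legitimate sign-in host."""
    chain = unwrap_redirects(payload)
    host = (urlparse(chain[-1]).hostname or "").lower()
    legit = any(host == h or host.endswith("." + h) for h in LEGIT_LOGIN_HOSTS)
    return {"chain": chain, "final_host": host, "suspicious": not legit}


# Constructed samples (not real indicators): a benign sign-in link and a redirector whose
# hidden target is a placeholder phishing page, base64url-encoded (encoding form assumed).
PHISH_LANDING = "https://m365-verify.example.net/login"
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://www.bing.com/ck/a?u=" + base64.urlsafe_b64encode(PHISH_LANDING.encode()).decode().rstrip("="),
]
```

Run `triage_qr_payload` over each decoded attachment payload; the `chain` field shows the abused redirector and the hidden target for analyst review.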

Why it’s important to you

Stay Informed: QR code phishing is emerging; awareness can foster preparedness.

Enhance Security: Consider implementing image recognition tools and educating staff on the risks associated with QR codes.

Think Strategically: Evaluate how these tactics may affect your sector or organization.

Summary

Who's Behind the Event: Air Force Research Laboratory, Space Systems Command, Aerospace Corporation, and Cromulence.

What They Did: Organized the first-ever capture the flag (CTF) in space at the DEF CON hacking conference in Las Vegas, with five teams of hackers competing to take over a satellite known as "Moonlighter."

How They Did It: Challenges included leaving regular orbit, hacking into the camera to take a photo from space, and tricking the GPS receiver through script injection. The competition operated with real-world conditions, so the satellite was only available for limited windows.

Why It Matters:

  • Innovation in Cybersecurity: First time hackers have been openly encouraged to break into a satellite.

  • Real-world Implications: Highlights the threats facing space systems and the need for strengthened cybersecurity measures.

  • Community Engagement: Brings together cybersecurity and space experts in a competition that fosters collaboration and skill development.

Why it’s important to you

Stay Informed: Understanding emerging challenges in space cybersecurity is essential for those involved in related sectors.

Think Strategically: Consider how the evolving risks to space systems may impact critical areas like energy and agriculture.

Embrace Innovation: Explore opportunities to learn and adapt from cutting-edge events like Hack-A-Sat.

🚨 Threat Alerts

Summary

Who's Behind the Attacks: Clorox: Unknown; HCPF: Clop ransomware gang.

What They Did:

  • Clorox: Disrupted business operations, ongoing investigation.

  • HCPF: Stole data from over 4M health program patients via MOVEit.

How They Did It:

  • Clorox: Details unclear, third-party cybersecurity firms hired.

  • HCPF: Exploited the MOVEit file-transfer software used by IBM to access the data.

Why It Matters:

  • Clorox: Temporary operational impairment, financial risk.

  • HCPF: Sensitive health information at risk, identity theft potential.

Why it’s important to you

Stay Alert: These incidents underscore the continuous threats to both corporate and healthcare data.

Assess Your Security: Consider evaluating your own cybersecurity measures, including third-party relationships, to minimize risks.

Understand the Landscape: Recognizing the prevalent types of cyber attacks can help in preparing and responding effectively.

Summary

Who's Behind the Attacks: Unknown actors targeting Citrix ShareFile flaw (CVE-2023-24489).

What They Did: Exploited a critical vulnerability in Citrix ShareFile to potentially compromise customer-managed storage zones.

How They Did It: The flaw, caused by errors in ShareFile's use of AES encryption, allows unauthenticated attackers to upload a web shell and gain full access to storage and files.

Why It Matters: This vulnerability poses a significant risk to federal enterprises and businesses, as it could be exploited for wide-scale data theft, similar to previous attacks by the Clop ransomware gang.

Why it’s important to you

Stay Alert: Be aware of this critical flaw and the active attempts to exploit it.

Patch Promptly: Apply updates as soon as possible, especially if you use Citrix ShareFile.

Assess Risks: Evaluate if your organization could be a target and take necessary precautions.

⚖️ Regulatory Updates

Summary

Who's Investigating: California Privacy Protection Agency's (CPPA) enforcement division.

What They're Doing: Examining how automakers and associated companies handle data collected from internet-connected vehicles.

Why It Matters: The investigation is focused on ensuring that these companies are complying with California law regarding the collection and use of consumers' data. The large amount of potentially sensitive data collected from internet-connected vehicles can reveal personal information like location, travel behavior, health status, and religion.

Why it’s important to you

Stay Informed: If you own or use an internet-connected vehicle, be aware of how your data may be collected and used.

Know Your Rights: Understand your rights under the California Consumer Privacy Act of 2018, such as the ability to delete personal data or block its sale or sharing.

Global Perspective: Note that California is attempting to align with European regulators, who have already compelled automakers to disclose more information about data practices.

👀 Curated Finds

Summary

What's Happening: Mark Ryland, director of the Office of the CISO at AWS, has highlighted a common issue in cloud security: organizations often fail to apply least privilege in their identity systems, leading to misconfigurations.

How It Happens: When creating a principal for an application or workload that needs to call APIs, many organizations give it full permissions from the start. This can present a weak spot for cyberattacks, especially with software integrations.

Why It Matters: Misconfigurations play a central role in cyber intrusions, with poor identity and access management linked to more than 3 in 5 cloud compromises. These mistakes are avoidable, and they matter widely because AWS dominates the public cloud infrastructure market.

Why it’s important to you

Stay Aware: If you're using AWS or other cloud services, be mindful of the permissions and access levels you're granting.

Limit Exposure: Follow the principle of least privilege, giving only necessary permissions to minimize risk.

Consider Automation: AWS is looking into features to automatically lock down privileges based on past usage, but organizations must weigh the risk of potential disruptions.
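The "full permissions from the start" pattern beside a policy derived from past usage, as an added example that is neither AWS code nor a feature the article describes: it flags wildcard Allow statements and builds a scoped IAM policy from constructed CloudTrail-style records. The event records, ARNs and account id are constructed placeholders, and the mapping from `eventName` to IAM action name is assumed to be one-to-one, which is usual but not guaranteed.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records for one workload principal (only eventSource and
# eventName are used here; eventName usually, but not always, equals the IAM action name).
OBSERVED_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "sqs.amazonaws.com", "eventName": "ReceiveMessage"},
    {"eventSource": "sqs.amazonaws.com", "eventName": "DeleteMessage"},
]
# Constructed placeholder ARNs that scope each service's statement; the account id is fake.
RESOURCE_SCOPE = {"s3": "arn:aws:s3:::example-app-bucket/*",
                  "sqs": "arn:aws:sqs:us-east-1:123456789012:example-queue"}

# The "full permissions from the start" pattern the article warns about.
OVERLY_BROAD_POLICY = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def wildcard_statements(policy):
    """Return Allow statements granting every action ('*' or 'service:*'); these need review."""
    flagged = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in actions):
            flagged.append(stmt)
    return flagged


def actions_from_events(events):
    """Group observed API calls by service as de-duplicated 'service:Action' strings."""
    by_service = defaultdict(set)
    for ev in events:
        service = ev["eventSource"].split(".")[0]
        by_service[service].add(f"{service}:{ev['eventName']}")
    return {svc: sorted(acts) for svc, acts in by_service.items()}


def least_privilege_policy(events, resources):
    """Allow only the actions seen in the usage window; anything unseen is dropped, which is
    where the disruption risk the article mentions comes from."""
    statements = []
    for service, actions in sorted(actions_from_events(events).items()):
        statements.append({"Effect": "Allow", "Action": actions,
                           "Resource": resources.get(service, "*")})  # '*' only when no ARN is known
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(OBSERVED_EVENTS, RESOURCE_SCOPE), indent=2))
```

Review the generated policy against a usage window long enough to cover infrequent calls (month-end jobs, failover paths) before applying it.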

Summary

What's Inside: Wireshark Cheat Sheet Guide

What It Covers: This guide provides a comprehensive reference for Wireshark, a popular tool used for capturing, analyzing, and troubleshooting network traffic. It includes details on default columns, logical operators, filtering packets, filter types, capturing modes, keyboard shortcuts, protocols, common filtering commands, and more.

Why It Matters:

  • For Network Administrators: Quick reference for Wireshark's commands and functions.

  • For Security Professionals: Insights into filtering and analyzing network traffic for security purposes.

  • For Learners: Foundational guide for understanding how to use Wireshark effectively.

Why it’s important to you

Stay Informed: If you work with network monitoring or cybersecurity, this guide will be an essential tool.

Enhance Skills: Learn or refresh your knowledge on how to capture, filter, and analyze packets with Wireshark.

Stay Compliant: Understand how to use Wireshark in line with security protocols and best practices.

Please let me know if you have any comments or feedback by replying to this email or messaging me on Twitter!

Thank you 🙏
Ali Abidi