Weekly Cybersecurity Wrap-up 5/29/23

It was a short week this week, missing Monday in the US. If you are new here, every week I publish a post containing the progress and learning that I did in the past week. The short week made it more difficult to fit in webinars and podcast, but I have a fun webinar set up for next week!

Articles

Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers – Multiple security flaws uncovered in Sonos One wireless speakers could be potentially exploited to achieve information disclosure and remote code execution, the Zero Day Initiative (ZDI) said in a report published last week.
Pentagon Leaks Emphasize the Need for a Trusted Workforce – Tightening access controls and security clearance alone won’t prevent insider threat risks motivated by lack of trust or loyalty.
Toyota finds more misconfigured servers leaking customer info – Toyota Motor Corporation has discovered two additional misconfigured cloud services that leaked car owners’ personal information for over seven years.
SAS Airlines hit by $3 million ransom demand following DDoS attacks – Scandinavian Airlines (SAS) has received a US $3 million ransom demand following a prolonged campaign of distributed denial-of-service (DDoS) attacks against its online services.
Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months – Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices.
WordPress force installs critical Jetpack patch on 5 million sites – WordPress.com owner Automat has started force installing a security patch on millions of websites today with the help of the WordPress Security Team to address a critical vulnerability in the Jetpack plug-in.
Harvard Pilgrim Health Care ransomware attack hits 2.5 million people – Harvard Pilgrim Health Care (HPHC) has disclosed that a ransomware attack it suffered in April 2023 impacted 2,550,922 people, with the threat actors also stealing their sensitive data from compromised systems.
Russia says US hacked thousands of iPhones in iOS zero-click attacks – Russian cybersecurity firm Kaspersky says some iPhones on its network were hacked using an iOS vulnerability that installed malware via iMessage zero-click exploits.
Streamers Ditch Netflix for Dark Web After Password Sharing Ban – Disgruntled users are pursuing offers for “full Netflix access” at steeply discounted rates.
Burton Snowboards discloses data breach after February attack – Leading snowboard maker Burton Snowboards confirmed notified customers of a data breach after some of their sensitive information was “potentially” accessed or stolen during what the company described in February as a “cyber incident.”

Projects

TryHackMe – SOC Level 1 – Network Miner – Completed.

Weekly Cybersecurity Wrap-up 5/22/23

Every week I publish a post containing the progress and learning that I did in the past week. Again, no podcasts or webinars. I have been very busy at work and I have not had the time to fit them into my schedule.

Webinars

No webinars this week.

Articles

OpenAI Confirms ChatGPT Data Breach – OpenAI, the creator of ChatGPT, has confirmed that a bug in the AI’s source code resulted in a breach of sensitive data. The vulnerability was in the Redis memory database, which OpenAI uses to store user information. Actors were able to access the open-source library and view users’ chat history.
U.K. Fraudster Behind iSpoof Scam Receives 13-Year Jail Term for Cyber Crimes – A U.K. national responsible for his role as the administrator of the now-defunct iSpoof online phone number spoofing service has been sentenced to 13 years and 4 months in prison.
China Bans U.S. Chip Giant Micron, Citing “Serious Cybersecurity Problems” – China has banned U.S. chip maker Micron from selling its products to Chinese companies working on key infrastructure projects, citing national security risks.
Meta Hit With $1.3B Record-Breaking Fine for GDPR Violations – The technology conglomerate has until later this year to end its transfer of European user’s data across the Atlantic.
IT employee impersonates ransomware gang to extort employer – A 28-year-old United Kingdom man from Fleetwood, Hertfordshire, has been convicted of unauthorized computer access with criminal intent and blackmailing his employer.
130K+ Patients’ Social Security Numbers Leaked in UHS of Delaware Data Breach – Approximately 130,000 patients in Texas — and an untold number of others nationwide — are being notified that their protected health information was compromised when hackers breached the computer system of Universal Health Services of Delaware, Inc. (“UHS”) earlier this year.
Tesla Whistleblower Leaks 100GB of Data, Revealing Safety Complaints – Informants have released data that includes thousands of safety complaints the company has received about its self-driving capability, as well as sensitive information regarding current and past employees.
Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives – Phishing campaigns targeting travelers have evolved from simple, easy-to-spot fraud attempts to highly sophisticated operations.
Mozilla stops Firefox fullscreen VPN ads after user outrage – Firefox users have been complaining about very intrusive full-screen advertisements promoting Mozilla VPN displayed in the web browser when navigating an unrelated page.

Podcasts

No podcasts this week.

Projects

TryHackMe – SOC Level 1 – Snort Challenge – Live Attacks completed!

Weekly Cybersecurity Wrap-up 5/15/23

Every week I publish a post containing the progress and learning that I did in the past week. I’m so far behind on podcasts at this point I’m not sure I’ll ever catch up! Also, I had meetings conflict with the scheduled webinars I wanted to attend so I hope to have time to watch the replays later.

Webinars

No webinars this week.

Articles

Discord discloses data breach after support agent got hacked – Discord is notifying users of a data breach that occurred after the account of a third-party support agent was compromised.
Russian Ransomware Perp Charged After High-Profile Hive, Babuk & LockBit Hits – Russian national Mikahail Pavlovich Matveev has been charged by the US Department of Justice (DoJ) for launching ransomware attacks on critical organizations including law enforcement agencies, healthcare operations, and more.
This Cybercrime Syndicate Pre-Infected Over 8.9 Million Android Phones Worldwide – A cybercrime enterprise known as Lemon Group is leveraging millions of pre-infected Android smartphones worldwide to carry out their malicious operations, posing significant supply chain risks.
18-year-old charged with hacking 60,000 DraftKings betting accounts – The Department of Justice revealed today that an 18-year-old man named Joseph Garrison from Wisconsin had been charged with hacking into the accounts of around 60,000 users of the DraftKings sports betting website in November 2022.
Sunday Paper Debacle: Philadelphia Inquirer Scrambles to Respond to Cyberattack – It’s still unclear when systems for Pennsylvania’s largest media outlet will be fully restored, as employees were told to stay at home through Tuesday.
Serious Unpatched Vulnerability Uncovered in Popular Belkin Wemo Smart Plugs – The second generation version of Belkin’s Wemo Mini Smart Plug has been found to contain a buffer overflow vulnerability that could be weaponized by a threat actor to inject arbitrary commands remotely.
U.S. Offers $10 Million Bounty for Capture of Notorious Russian Ransomware Operator – A Russian national has been charged and indicted by the U.S. Department of Justice (DoJ) for launching ransomware attacks against “thousands of victims” in the country and across the world.
ASUS routers knocked offline worldwide by bad security update – ASUS has apologized to its customers for a server-side security maintenance error that has caused a wide range of impacted router models to lose network connectivity.
3 Common Initial Attack Vectors Account for Most Ransomware Campaigns – The top initial vectors cited by Kaspersky match an earlier report by incident-response firm Google Mandiant, which found that the same common vectors made up the top three techniques — exploitation of vulnerabilities (32%), phishing (22%), and stolen credentials (14%) — but that ransomware actors tended to focus on exploitation and stolen credentials, which together accounted for nearly half (48%) of all ransomware cases.
Luxottica confirms 2021 data breach after info of 70M leaks online – Luxottica has confirmed one of its partners suffered a data breach in 2021 that exposed the personal information of 70 million customers after a database was posted this month for free on hacking forums.
KeePass Vulnerability Imperils Master Passwords – A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target’s master password — and proof-of-concept code is available.

Podcasts

No podcasts this week.

Projects

TryHackMe – SOC Level 1 – Snort Challenge – The Basics completed!

Weekly Cybersecurity Wrap-up 5/8/23

Every week I publish a post containing the progress and learning that I did in the past week. Still no podcasts this week. I really have to find some time to fit those in! I miss them!

Webinars

SANS – 2023 Report: Digital Forensics – 5/10/23 – This webcast aims to dissect some of these disciplines and get a feel from the experts why they chose their specific field and what it takes to thrive as a practitioner in niche forensic fields.

Articles

MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web – The threat actors behind the ransomware attack on Taiwanese PC maker MSI last month have leaked the company’s private code signing keys on their dark website.
QR codes used in fake parking tickets, surveys to steal your money – A woman in Singapore reportedly lost $20,000 after using a QR code to fill out a “survey” at a bubble tea shop, whereas cases of fake car parking citations with QR codes targeting drivers have been observed in the U.S. and the U.K.
Uber’s ex-CSO avoids prison after data breach cover up – After covering up a data breach that impacted the personal records of 57 million Uber passengers and drivers, the company’s former Chief Security Officer has been found guilty and sentenced by a US federal judge.
1M NextGen Patient Records Compromised in Data Breach – BlackCat ransomware operators reportedly stole the sensitive data
FBI seizes 13 more domains linked to DDoS-for-hire services – The U.S. Justice Department announced today the seizure of 13 more domains linked to DDoS-for-hire platforms, also known as ‘booter’ or ‘stressor’ services.
U.S. Government Neutralizes Russia’s Most Sophisticated Snake Cyber Espionage Tool – The U.S. government on Tuesday announced the court-authorized disruption of a global network compromised by an advanced malware strain known as Snake wielded by Russia’s Federal Security Service (FSB).
Top 5 Password Cracking Techniques Used by Hackers – An overview of password cracking, discuss the importance of strong passwords, and detail the top 5 password cracking techniques hackers use.
Hacker ‘PlugwalkJoe’ pleads guilty to 2020 Twitter breach – Joseph James O’Connor, aka ‘PlugwalkJoke,’ has pleaded guilty to multiple cybercrime offenses, including SIM swapping attacks, cyberstalking, computer hacking, and hijacking high-profile accounts on Twitter and TikTok.
Food distribution giant Sysco warns of data breach after cyberattack – On March 5, 2023, Sysco became aware of a cybersecurity event perpetrated by a threat actor believed to have begun on January 14, 2023, in which the threat actor gained access to our systems without authorization and claimed to have acquired certain data
Spanish Police Takes Down Massive Cybercrime Ring, 40 Arrested – The National Police of Spain said it arrested 40 individuals for their alleged involvement in an organized crime gang called Trinitarians.
Google brings dark web monitoring to all U.S. Gmail users – Google announced today that all Gmail users in the United States will soon be able to use the dark web report security feature to discover if their email address has been found on the dark web.
North Korean hackers breached major hospital in Seoul to steal data – The Korean National Police Agency (KNPA) warned that North Korean hackers had breached the network of one of the country’s largest hospitals, Seoul National University Hospital (SNUH), to steal sensitive medical information and personal details.
Billy Corgan Paid Off Hacker Who Threatened to Leak New Smashing Pumpkins Songs – Corgan got FBI involved to track down the cybercriminal, who had stolen from other artists as well, he said.
Toyota: Car location data of 2 million customers exposed for ten years – Toyota Motor Corporation disclosed a data breach on its cloud environment that exposed the car-location information of 2,150,000 customers for ten years, between November 6, 2013, and April 17, 2023.
Six years prison for ex-Ubiquiti staffer who stole data and attempted to extort millions of dollars – A former software engineer at Ubiquit Networks has been sent to prison for six years after stealing gigabytes of data from the firm, attempting to extort millions of dollars, and harming the company’s reputation in the media.

Podcasts

No podcasts this week.

Projects

TryHackMe – Completed the first Snort room in the SOC Analyst training path.

Weekly Cybersecurity Wrap-up 5/1/23

Every week I publish a post containing the progress and learning that I did in the past week. I was sick this week, but still made some good progress.

Webinars

The Hacker News – Tour of the Underground: Master the Art of Dark Web Intelligence Gathering

Articles

Hackers use fake ‘Windows Update’ guides to target Ukrainian govt – CERT-UA believes that the Russian state-sponsored hacking group APT28 (aka Fancy Bear) sent these emails and impersonated system administrators of the targeted government entities to make it easier to trick their targets.
Hackers leak images to taunt Western Digital’s cyberattack response – BlackCat, has published screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to the company’s systems even as the company responded to the breach.
Vietnamese Threat Actor Infects 500,000 Devices Using ‘Malverposting’ Tactics – A Vietnamese threat actor has been attributed as behind a “malverposting” campaign on social media platforms to infect over 500,000 devices worldwide over the past three months to deliver variants of information stealers such as S1deload Stealer and SYS01stealer.
Cold storage giant Americold outage caused by network breach – Americold, a leading cold storage and logistics company, has been facing IT issues since its network was breached on Tuesday night.
ViperSoftX info-stealing malware now targets password managers – A new version of the ViperSoftX information-stealing malware has been discovered with a broader range of targets, including targeting the KeePass and 1Password password managers.
T-Mobile discloses second data breach since the start of 2023 – T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023.
FBI Focuses on Cybersecurity With $90M Budget Request – Never before has cyber been higher on the FBI’s list of priorities. Will more money allow the Feds to make a greater impact?
International police just made a huge dark web bust – Operation SpecTor spanned nine countries and brought down the illegal dark web marketplace Monopoly Market.
FBI seizes 9 crypto exchanges used to launder ransomware payments – The FBI and Ukrainian police have seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors.
CFPB says employee breached data of 250,000 consumers in ‘major incident’ – CFPB spokesperson Sam Gilford said the bureau has referred the matter to the inspector general and is “taking appropriate action to address this incident.”
City of Dallas hit by ransomware attack impacting IT services – The City of Dallas, Texas, has suffered a ransomware attack, causing it to shut down some of its IT systems to prevent the attack’s spread.
Meta Takes Down Malware Campaign That Used ChatGPT as a Lure to Steal Accounts – Meta said it took steps to take down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI’s ChatGPT as a lure to propagate about 10 malware families since March 2023.
Russian hackers use WinRAR to wipe Ukraine state agency’s data – when WinRar is executed, the threat actors use the “-df” command-line option, which automatically deletes files as they are archived. The archives themselves were then deleted, effectively deleting the data on the device.
Judge Spares Former Uber CISO Jail Time Over 2016 Data Breach Charges – Tell other CISO’s “you got a break,” judge says in handing down a three-year probation sentence to Joseph Sullivan.

Podcasts

No time for podcasts this week.

Projects

New Term: Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious software and other security threats. The idea is to reach a broader audience by paying for ads to “amplify” their posts.
Splunk Training: Completed “Working with Time”
Installed Splunk on Ubuntu VM and uploaded data to Splunk
LinkedIn – Learning VirtualBox

Splunk

One of the goals I have set myself is becoming core user certified for splunk. I’ve already begun taking the classes, but I found them a bit lacking and I’m someone who learns best by doing so I decided to install a Ubuntu VM and get Splunk up and running on it. It was simpler than I thought. Here is how I did it.

I followed this video for the install

I followed this great youtube video that is only 5 minutes long! I know! Insane. It really is not that difficult. The image above shows the download.

You set up the username and password for Splunk during the installation that happens in terminal.

In order to actually do anything with Splunk you need data to query. So I followed these instructions on splunks site.

They were okay but I ran into an issue where the upload kept timing out, so I found this troubleshooting guide also on their support site. How to resolve error “Upload failed with ERROR : Read Timeout for the log file” when uploading a generated alert log to Splunk?

These instructions worked like a charm!

And lastly, I was able to query Splunk successfully. Now, I can go back through the training on Splunk’s site and do the examples at the same time as the online instructors. I’m very happy this was easier than I thought.

Weekly Cybersecurity Wrap-up 4/23/23

This is my weekly post containing the progress and learning that I worked on in the past week. Most of my week was spent working on internal training that my company offers. So less listed here this week.

Webinars

None this week.

Articles

Hackers can breach networks using data on resold corporate routers – Enterprise-level network equipment on the secondary market hide sensitive data that hackers could use to breach corporate environments or to obtain customer information.
Decoy Dog malware toolkit found after analyzing 70 billion DNS queries – Decoy Dog helps threat actors evade standard detection methods through strategic domain aging and DNS query dribbling, aiming to establish a good reputation with security vendors before switching to facilitating cybercrime operations.
Google ads push BumbleBee malware used by ransomware gangs – Bumblebee is a malware loader discovered in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks.
Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach – Lazarus, the prolific North Korean hacking group behind the cascading supply chain attack targeting 3CX, also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application.
TP-Link Archer WiFi router flaw exploited by Mirai malware – The Mirai malware botnet is actively exploiting a TP-Link Archer A21 (AX1800) WiFi router vulnerability tracked as CVE-2023-1389 to incorporate devices into DDoS (distributed denial of service) swarms.
Hackers are breaking into AT&T email accounts to steal cryptocurrency – AT&T says cyber criminals exploited an API issue to take control of victims’ email addresses
Hackers Leaked Minneapolis Students’ Psychological Reports, Allegations of Abuse – In a hacking episode that is spiraling from bad to worse, cyber criminals have leaked highly sensitive documents related to droves of Minneapolis students.
Ukrainian arrested for selling data of 300M people to Russians – The Ukrainian cyber police have arrested a 36-year-old man from the city of Netishyn for selling the personal data and sensitive information of over 300 million people, citizens of Ukraine, and various European countries.
New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets – Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer.
Major UK banks including Lloyds, Halifax, TSB hit by outages – Websites and mobile apps of Lloyds Bank, Halifax, TSB Bank, and Bank of Scotland have experienced web and mobile app outages today leaving customers unable to access their account balances and information.
Israel’s Prime Minister has his Facebook account hijacked, website knocked offline – the Facebook account of Israel’s Prime Minister was hijacked (albeit briefly) by unauthorized parties who managed to update it with a video of prayers at a mosque, accompanied by Arabic verses from the Quran.