
Below are some of the stories we’ve been reporting this week on Cyber Security Headlines.

If you’d like to watch and participate in a discussion about them, the CISO Series does a live 20-minute show every Friday at 12:30pm PT/3:30pm ET. Each week we welcome a different cyber practitioner to offer some color to the week's stories. Our guest this week is Phil Beyer, former CISO, Etsy.

To get involved, you can watch live and join the discussion on YouTube Live at https://www.youtube.com/live/Z71Hv1MSxvM, or you can subscribe to the Cyber Security Headlines podcast and get it in your feed.

Here are the stories we plan to cover, time permitting:

Dropbox discloses breach of digital signature service
The company announced on Wednesday that its Dropbox Sign service, formerly called HelloSign, has been breached by unidentified threat actors, who “accessed emails, usernames, and general account settings associated with all users of the digital signature product.” The breach was discovered on April 24. The announcement also said that for “subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication." This intrusion “also affects third parties who received or signed a document through Dropbox Sign, but never created an account themselves, specifically exposing their names and email addresses.” This is a developing story.
(The Hacker News)

Cybersecurity consultant arrested after allegedly extorting IT firm
Vincent Cannady, 57, had been assigned by a staffing agency to find and fix potential vulnerabilities within the systems of a New York-based multinational IT infrastructure services provider. After being terminated for “performance reasons,” Cannady allegedly used a company-issued laptop to download proprietary and confidential information, including architectural maps, trade secrets, and lists of potential vulnerabilities, from the victim company's network, to which he still had access, and threatened to disclose it unless the company paid him $1,500,000. He also cut off the staffing firm's access to the laptop and threatened lawsuits for emotional distress. If found guilty, Cannady faces a maximum of 20 years.
(BleepingComputer)

Anti-Ukraine hack exploits seven-year-old Microsoft Office vulnerability
According to security experts at Deep Instinct Threat Lab, a recent campaign targeting Ukraine used a Microsoft Office vulnerability to deploy Cobalt Strike. In this case the lure was a malicious PowerPoint Slideshow (PPSX) file. Its filename included the word “signal,” making it look as though it had been shared through the Signal app, and its content was based on an outdated U.S. Army manual for tank mine clearing blades. The payload included a DLL file that injects the post-exploitation tool Cobalt Strike Beacon into memory and awaits commands from the C2 server. The threat actors used a cracked version of Cobalt Strike. The researchers could not attribute the attacks to a known threat actor.
(Security Affairs)

UK bans bad IoT credentials
Enforcement of the UK’s Product Security and Telecommunications Infrastructure Act 2022 came into effect on April 29th, setting new minimum security requirements for IoT manufacturers in the country. The law specifically bans the use of weak or guessable default passwords such as “admin” and “12345.” Manufacturers must also publish contact details for reporting bugs. The Office for Product Safety and Standards will regulate the law and is able to issue recalls and fines of up to 4% of a manufacturer's global revenue for violations.
(The Record)

UnitedHealth Group CEO faces Congress & cause of hack revealed
The CEO of UnitedHealth Group, the parent company of Change Healthcare, is set to testify before a congressional committee today, Wednesday May 1st, 2024. A transcript of CEO Andrew Witty’s statements was released ahead of the hearing, revealing significant details about the events leading up to the February attack by the Black Cat ransomware gang. According to the transcript, the hackers gained initial access through stolen credentials used on a Citrix portal that did not have multi-factor authentication enabled. The threat actor used these compromised credentials to remotely access the company’s systems for nine days before deploying the ransomware. During that time, the cybercriminals stole files containing sensitive patient information, including Protected Health Information (PHI) and Personally Identifiable Information (PII) of most Americans. In his statement, Witty takes sole responsibility for the decision to pay the ransom, saying, “This was one of the hardest decisions I’ve ever had to make, and I wouldn’t wish it on anyone.” You can find Witty’s full statement below.
(UHG's Witty House Testimony), (Bleeping Computer), (The Cyber Wire)

Chinese disinformation proving ineffectual
We’ve had several election cycles haunted by the threat of Chinese disinformation campaigns, made only more ominous by the advent of modern generative AI tools. But Wired’s David Gilbert recently reported that despite a campaign dubbed Spamouflage Dragon operating since 2017, its real-world impact remains negligible. Analysts say that despite the volume and scale of the posts, they lack the cultural context needed to be effective. Some compared Chinese disinformation sophistication to being 10 years behind Russia. The Great Firewall seems to play a role in this, with Chinese government actors lacking the broader global awareness needed to make their messaging effective. As for AI, the story says the tools haven’t led to more sophistication, just greater efficiency.
(Wired)

Goldoon botnet exploits D-Link routers
The exploit targets a security flaw that is almost 10 years old, specifically CVE-2015-2051, which has a CVSS score of 9.8. It affects D-Link’s DIR-645 routers and allows remote attackers to execute arbitrary commands by means of specially crafted HTTP requests. The campaign was disclosed by Fortinet FortiGuard Labs researchers Cara Lin and Vincent Li, following a spike in the botnet's activity on April 9 of this year. After establishing contact with a C2 server, Goldoon provides 27 different ways to launch DDoS attacks via protocols such as DNS, HTTP, TCP, and others.
(The Hacker News)
