Cyber News Roundup for June 21, 2024

Welcome to our latest cybersecurity roundup. This week, Microsoft President Brad Smith admitted security failures that allowed Chinese hackers to access US officials’ emails. Truist Bank confirmed a breach affecting 65,000 employees. CISA led its first AI cybersecurity tabletop exercise, and Spanish authorities arrested a key member of the Scattered Spider hacking group. D-Link urged customers to update routers to fix a critical backdoor vulnerability. Stay informed on these pressing cybersecurity developments.

 

1. Microsoft’s President admits security failures in congressional testimony

In congressional testimony yesterday, Microsoft President Brad Smith admitted security failings that enabled Chinese state hackers to access emails of US officials in 2023. Smith accepted responsibility for issues cited in a Cyber Safety Review Board (CSRB) report. The report blamed Microsoft for security failures that let Chinese hackers, Storm-0558, access 25 organizations’ email accounts, including US officials. The hackers used a Microsoft encryption key and exploited flaws in the authentication system to gain global access to Exchange Online accounts. The CSRB found an inadequate security culture and gaps in Microsoft’s security processes.

Smith acknowledged Microsoft’s crucial cybersecurity role and the increased cyber threats from geopolitical conflicts. He apologized to those impacted by the Storm-0558 attack and outlined steps Microsoft is taking to enhance security. This includes implementing CSRB recommendations, transitioning to a new key management system, and enhancing token validation processes.Smith added that Microsoft has added security engineers and created the Office of the CISO to ensure security is prioritized. The company’s Secure Future Initiative aims to design and operate products with security in mind.Following harsh feedback from security experts, Microsoft has delayed its Recall AI feature for further security testing. This feature, intended for Copilot and Windows PCs, faced privacy concerns for recording users’ activities. The roll-out will now start with the Windows Insider Program for additional testing. (infosecurity magazine)

 

2. Truist commercial bank confirms a data breach

U.S. commercial bank Truist confirmed a breach in its systems from an October 2023 cyberattack. A threat actor, known as Sp1d3r, posted Truist’s data for sale on a hacking forum, claiming to have information on 65,000 employees, bank transactions, and IVR funds transfer source code. Truist, formed from the 2019 merger of SunTrust Banks and BB&T, quickly contained the breach, secured systems with outside consultants, and notified affected clients. The ongoing investigation has found no evidence of fraud. Truist denies any connection to the recent Snowflake incidents. (bleepingcomputer)

 

3. CISA leads first tabletop exercise for AI cybersecurity

The exercise was led by the Joint Cyber Defense Collaborative, which is a branch of CISA that works closely with industry. Fifty AI experts from 15 companies and several international cyber defense agencies were involved. This was a four-hour exercise intended to contribute knowledge to the security incident collaboration playbook, which is set to be released at the end of 2024. The goal of the exercise was to understand “what makes up AI-enabled or AI-related cybersecurity incidents, determining what types of information-sharing is needed and how industry can best work with the government, and vice versa. “A cyber incident could mean an AI system itself is jeopardized, or another system created by an AI is under threat,” said Clayton Romans, associate director of the Joint Cyber Defense Collaborative at CISA. (Cyberscoop)

 

4.  New Linux malware controlled through Discord emojis

Named DISGOMOJI, the malware has been observed using emojis to execute commands on infected devices in attacks on government agencies in India. According to BleepingComputer, “the malware was discovered by cybersecurity firm Volexity, which believes it is linked to a Pakistan-based threat actor known as UTA0137.” This is a group that is known for conducting cyberespionage activities. Volexity discovered a UPX-packed ELF executable in a ZIP archive, which they believe was distributed through phishing emails. “Volexity believes that the malware targets a custom Linux distribution named BOSS that Indian government agencies use as their desktop.” (BleepingComputer)

 

5. Spanish authorities snag a top Scattered Spider hacker

Spanish authorities, with assistance from the FBI, have arrested 22-year-old Tyler Buchanan, a key figure in the Scattered Spider hacking group, notorious for attacking organizations like MGM Resorts, Twilio, and Apple. Buchanan was apprehended in Palma de Mallorca while attempting to fly to Italy. He controlled $27 million in bitcoin at the time. This marks the second major arrest of a Scattered Spider member in 2024, following Michael Noah Urban’s earlier capture. Despite these successes, experts warn that the group’s decentralized nature means they are likely to continue their activities, with new leaders ready to step in. (ITPro)

 

6. D-Link urges customers to upgrade routers against a factory installed backdoor

A critical vulnerability (CVE-2024-6045) in several D-Link routers allows unauthenticated attackers to gain administrative access. With a CVSS score of 8.8, this issue stems from a factory testing backdoor. Attackers can enable Telnet and obtain admin credentials. D-Link has released firmware updates; users should promptly update to secure their devices. (GBHackers)

 

7. Snowflake breach escalates with ransom demands and death threats

As many as 10 companies are facing ransom payments between $300,000 and $5 million following a breach against cloud-based data analytics firm Snowflake earlier this month. According to Mandiant, who has helped lead Snowflake’s case, the hacking scheme has “entered a new stage” as the ransom demands flow in, as well as death threats against the cybersecurity experts investigating the breach. The hackers gained access to the information by targeting Snowflake users using single-factor authentication techniques. Mandiant has said it anticipates the ransomware group to “continue to attempt to extort victims.” (Bloomberg)

 

8. Velvet Ant maintains three-year cyber espionage campaign 

This threat actor wasn’t going down without a fight. Researchers at Sygnia have uncovered a prolonged, sophisticated cyber-espionage campaign by China’s “Velvet Ant” group targeting a large company in East Asia. Despite repeated eradication attempts, the threat actor maintained persistence for about three years by exploiting legacy and unmonitored systems, particularly using an old F5 BIG-IP appliance for internal command and control (C&C). (Dark Reading), (Sygnia), (The Hacker News)

 

9. Empire Market operators face life for $430 million Scheme

Two of the suspected operators behind the prominent dark web marketplace, Empire Market, face life in prison for their part in facilitating more than $430 million in dark web sales. While users could buy everything from illicit drugs to counterfeit currency, the DOJ has charged the pair with helping cybercriminals conduct nearly four million transactions. 38-year-old Thomas Pavey and 28-year-old Raheim Hamilton operated the platform from 2018 to 2020. Prior to starting Empire Market, they sold counterfeit U.S. currency on the now-shut down AlphaBay. (The Record)

 

10. Nvidia becomes world’s most valuable company

Not directly a cybersecurity story, but undeniably central to the business, Nvidia has just become the world’s most valuable company following a new share price surge on Tuesday. The company is now worth $3.34TN, surpassing Microsoft and Apple. The rise in its value has largely been driven by the need for the chips used for artificial intelligence (AI). For some context, eight years ago, the company’s stock was worth less than 1% of its current price and at that time was mostly in competition with AMD, in a race to make the best graphics cards. (BBC News)

 

11. G7 to develop cybersecurity framework for energy sector

In an announcement made on Tuesday, the member nations of the G7 have agreed to develop a cybersecurity framework for operational technologies in energy systems that targets manufacturers and operators. Its intention is to “bolster the cybersecurity of the global supply chain for critical technologies used in the management and operation of electricity, oil, and natural gas systems worldwide. The [G7] comprises Canada, France, Germany, Italy, Japan, the UK, and the U.S. (InfoSecurity Magazine)

 

12. Gym chain Total Fitness suffers breach

The UK fitness group has been exposed by researcher Jeremiah Fowler, who says he discovered “an unsecured database containing the images of 470,000 members and staff – all accessible to anyone on the internet, no password required.” Speaking to The Register, he added that he had “also uncovered images of members’ identity documents, banking and payment card details, phone numbers, and even – in some cases – immigration records.” Representatives of Total Fitness disputed the extent of the data breach, saying that members’ images comprised a “subset” of the database, and that most images did not contain personally identifiable information, but Fowler claims that members’ images took up roughly 97% of the database. The company has now secured the database, and has reported the breach to the UK’s data regulator, the Information Commissioner’s Office (ICO), for investigation. (BitDefender)

 

13. Cybersecurity burnout costing firms more than $700M annually

A report from Hack the Box, a cybersecurity training center, suggests that “British and U.S. enterprises may be throwing away as much as $756m each year through lost productivity due to burned-out cybersecurity staff.” The research claims 84% of responding cybersecurity professionals are “experiencing stress, fatigue and burnout due to the rapid pace of technological change, mounting threat volumes and being forced to perform outside their skillset, and that that three-quarters (74%) have taken time off due to work-related mental well-being problems.” (InfoSecurity Magazine)

 

14. Hackers derail Amtrak Guest Rewards accounts

In a breach-disclosure notice it filed in Massachusetts, the passenger rail service said an unauthorized third party gained access to a customer database between May 15-18. Amtrak said its systems were not hacked, but that accounts were likely compromised using usernames and passwords from prior breaches. Affected data includes customer names, contact information, Amtrak Guest Rewards account numbers, date of birth, partial payment details (such as partial credit card number and expiration date), gift card info (such as card number and PIN) and other transaction and trip data. In some cases, the hackers took over accounts and changed emails and passwords to lock legitimate users out. Amtrak took quick action to restore accounts and reset passwords and also urged riders to rotate their passwords and implement multifactor authentication. (Dark Reading)