There are now over 270 MOVEit hack victims, a record number of Patch Tuesday fixes, and more
Welcome to Cyber Security Today. It’s Wednesday, July 12th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
The number of organizations victimized by the hack of the MOVEit file transfer platform is now up to 272. That’s the count according to cybersecurity analyst Brett Callow of Emsisoft. Among the latest publicly confirmed victims are Choice Hotels, which owns the Radisson hotel brands in the Americas, American National Insurance, and TD Ameritrade. The Clop/CL0p ransomware gang discovered and exploited the vulnerability. Interestingly, it didn’t drop ransomware into the IT systems of the organizations it hit. Instead, the gang seems content to copy files from MOVEit servers and slowly release the names of victims to extort them for cash. Researchers at Huntress Labs say that suggests the gang has so much stolen data it can take its time monetizing it.
Separately, Germany’s Deutsche Bank told Bleeping Computer that a data breach at one of its service providers exposed bank customer information. It sounds like a MOVEit hack, because the bank’s statement says more than 100 other companies were potentially affected in related attacks.
The trial of an 18-year-old British member of the Lapsus$ hacking group started this week. He is accused of hacking Uber and a financial firm called Revolut in 2022, as well as hacking Rockstar Games and threatening to release the source code of the game Grand Theft Auto. He is also accused, along with a 17-year-old, of hacking chip maker Nvidia last year. The 18-year-old has been declared unfit to stand trial, so a jury will determine whether he committed the alleged acts rather than whether he is guilty of criminal offences.
NATO, the North Atlantic Treaty Organization, wraps up a two-day summit today in Lithuania. It has already issued a joint communique promising to step up activity to fight cyber attacks against the 31 member countries. That includes further integrating political, military and technical defences against cyber attacks. Each country has also committed to new national goals to further its cyber resilience. And NATO will hold a Cyber Defence Conference in Berlin this November. For more insight, see this pre-conference interview by The Record with the head of NATO’s cyber and hybrid policy section.
Meanwhile, Microsoft and BlackBerry issued reports that the Russia-based RomCom group sent infected documents to people interested in or possibly attending the NATO summit. Microsoft said the email messages exploited a previously unknown (zero-day) Office vulnerability.
CORRECTION: This vulnerability wasn’t patched in yesterday’s Patch Tuesday round. Instead, Microsoft issued mitigations.
As part of Patch Tuesday, 142 security fixes for Windows and other products were released, a record for this year. IT leaders should triage the patches released by every vendor and install the most critical ones as soon as possible. One fixes a vulnerability in Windows’ Remote Desktop Gateway. Researchers at Cyolo note this vulnerability poses a substantial security risk to organizations still relying on outdated protocols such as DTLS 1.0, which the gateway accepts. Another item, noted by researchers at Action1, is the Office and Windows HTML remote code execution vulnerability exploited in the RomCom campaign; as noted above, it received mitigations rather than a patch in this round, so it still needs attention once a fix ships. A third fixes a hole in an Outlook security feature.
Security teams want to know about the latest threats, but there are interesting nuggets in short-term trends as well. For example, this week researchers at ESET put out a report that analyzed data for the six months ending in May, with some noteworthy conclusions. Here are a few: As you may know, Microsoft now blocks macros by default in Office documents downloaded from the internet, which cuts off a long-standing delivery method for malicious documents. In response, attackers moved to malicious OneNote files. Microsoft countered that too, so threat actors are intensifying brute-force attacks on Microsoft SQL servers. Meanwhile, more ransomware groups are appearing, using previously leaked source code to build new ransomware variants. Other trends were an increase in sextortion and in deceptive Android ads and web sites offering personal loan services.
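Because the Office/Windows HTML vulnerability received mitigations rather than a patch, administrators need a way to check that the mitigation is actually in place across their fleet. The following PowerShell is an added example, not code from the podcast, Microsoft or any of the researchers mentioned: it audits, and optionally applies, the registry-based mitigation Microsoft published for this issue, which sets a per-application DWORD of 1 under the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION feature-control key. The key path and application list follow Microsoft’s published guidance; the function names and structure are my own. Run it in an elevated session.

```powershell
# Added example (not from the original article or any vendor): audit and apply
# Microsoft's registry mitigation for the July 2023 Office/Windows HTML RCE.
# Key path and application list per Microsoft's guidance; function names are mine.

$MitigationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeApps = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Test-HtmlRceMitigation {
    # Returns one row per application: the current value (if any) and whether
    # it matches the mitigated state (REG_DWORD = 1).
    foreach ($app in $OfficeApps) {
        $value = $null
        if (Test-Path -Path $MitigationKey) {
            $value = (Get-ItemProperty -Path $MitigationKey -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{
            Application = $app
            Value       = $value
            Mitigated   = ($value -eq 1)
        }
    }
}

function Enable-HtmlRceMitigation {
    # Creates the feature-control key if missing and sets every listed
    # application to 1. Idempotent: re-running leaves existing values at 1.
    if (-not (Test-Path -Path $MitigationKey)) {
        New-Item -Path $MitigationKey -Force | Out-Null
    }
    foreach ($app in $OfficeApps) {
        New-ItemProperty -Path $MitigationKey -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: audit first, then remediate only the hosts that report Mitigated = False.
$audit = Test-HtmlRceMitigation
$audit | Format-Table -AutoSize
if ($audit | Where-Object { -not $_.Mitigated }) {
    Write-Warning 'One or more Office applications are not covered by the mitigation.'
    # Uncomment to apply on this host:
    # Enable-HtmlRceMitigation
}
```

Treat this as a stopgap rather than a fix: Microsoft noted the setting can affect normal functionality in some scenarios, so record which hosts you changed, and revisit the setting once the vendor ships an actual patch for the flaw.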
An Australian cybersecurity firm is the latest to conclude that the hacktivist group calling itself Anonymous Sudan isn’t an independent threat actor. Instead, say researchers at CyberCX, there is a “real chance” this group or individual is affiliated with the Russian state. Anonymous Sudan has taken credit for denial of service attacks last month that disrupted Microsoft services such as Outlook, and attacks against some Australian organizations in March. The researchers note that Anonymous Sudan publicly supports Russia and is a member of the pro-Russian Killnet hacktivist collective.
Finally, I was off last week, which gave me the opportunity to do what I love when I’m on vacation: read foreign newspapers. One article in the Wall Street Journal caught my eye: how the CEO of a German biotech company responded when his company was hacked. The BlackCat ransomware gang took credit. On the IT side, the CEO quickly decided to take all systems temporarily offline. But what the CEO also did was communicate with business partners about what was going on, publish an open letter about the attack and regularly meet with employees to provide updates. That way the company looked like it was on top of things. Experts say organizations should create an IT incident response team with playbooks to handle the nitty-gritty of responding to an attack. That team will need the CEO to make some, but not all, decisions. Meanwhile, the CEO should be talking to critical customers and partners, giving them updates on how the company is dealing with the attack. Keeping an attack secret won’t help your firm’s reputation.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.