Below are some of the stories we’ve been reporting this week on Cyber Security Headlines.
If you’d like to watch and participate in a discussion about them, the CISO Series does a live 20-minute show every Friday at 12:30pm PT/3:30pm ET. Each week we welcome a different cyber practitioner to offer some color to the week's stories. Our guest this week is Ryan Bachman, evp and global CISO, GM Financial.
To get involved you can watch live and participate in the discussion on YouTube Live https://youtube.com/live/3XI0UxGnFyM or you can subscribe to the Cyber Security Headlines podcast and get it into your feed.
Here are the stories we plan to cover, time permitting:
Okta’s security chief speaks out
An interesting interview with Okta Chief Security Officer David Bradbury in Recorded Future News last week. Speaking to Jonathan Grieg, Bradbury highlighted the fact that identity-based attacks are shifting from pre-authentication, coming after your password, to post-authentication, in which threat actors bypass the login page and go straight to stealing a browser’s session token cookie. Bradbury also advised companies to maximize their transparency efforts during an attack – based in part on Okta’s own recent experiences, as well as to be aware of the improvements in the quality of attack techniques such as correctly spelled phishing emails and pitch-perfect deepfake voice messaging thanks to AI.
(The Record)
Volt Typhoon demonstrates a new form of tradecraft in cyberthreats, say Feds
Speaking at RSA last week, Eric Goldstein, CISA’s executive assistant director for cybersecurity told reporters that the techniques practiced by Volt Typhoon represent a sinister new level of cyberthreat that has permanently altered the landscape. Referring to China specifically he said, “if the end goal objective is to have placement and access to the United States for an attack at the time of their choosing, they’re probably going to continue that path” pointing out the desire “to compromise insecure or end-of-life devices to then pivot into more sensitive networks.” These comments are in line with a report issued in February by the U.S. and its allies which showed that the group has maintained access and other footholds in victim networks for “at least” the last five years “Volt Typhoon is not over,” the NSA’s Dave Luber added.
(The Record)
FBI seizes BreachForums
On the morning of March 15th, the US FBI announced its seizure of the illicit clear-net hacking forum as well as its Telegram channel, updating the BreachForums homepage with a takedown notice. It also said it obtained and began reviewing the site’s backend data. The FBI sent a Telegram message from BreachForum’s admin Baphomet, but its unclear if it arrested the individual operating the account. BreachForums began operation in March 2022, leaking stolen data from Europol, AT&T, 23andMe, HPE, Home Depot, and many other breaches.
(Bleeping Computer)
Google to use GenAI to help identify phone scams
At the Google I/O 2024 developer conference on Tuesday, Google previewed a Generative AI-driven feature that will alert users to potential phone scams in real-time. The feature will be built into a future version of Android and will use Gemini Nano, which can run entirely on-device. The system effectively listens for “conversation patterns commonly associated with scams” such as fraudsters claiming to be bank representatives, offering gift cards or making requests for passwords. When a potential scam is detected, a pop up notification will alert the user that they may be falling prey to unsavory characters. No specific release date has been set for the feature.
(TechCrunch)
Security flaws discovered in GE Ultrasound machines
Researchers from Nozomi Networks have discovered 11 flaws in the Vivid T9 Ultrasound series of products, including its pre-installed Common Service Desktop web application. These flaws could result in the installation of malware, manipulation of patient data, and could also affect a software program called EchoPAC, installed on a doctor's Windows workstation to access the ultrasound images. According to Nozomi, successful exploitation of these flaws does require prior access to the hospital environment through stolen VPN credentials or physical insertion of an infected USB device. Advisories from GE state that existing mitigations and controls reduce the risks posed by these flaws to acceptable levels, and “in the unlikely event a malicious actor with physical access could render the device unusable, there would be clear indicators of this to the intended user of the device." it noted,"the vulnerability can only be exploited by someone with direct, physical access to the device."
(The Hacker News andGE advisory)
Crypto heist by MIT grads nets $25M in 12 seconds, shakes the foundations of blockchain
This has all the makings of a classic heist movie: two brothers who were educated in mathematics and computer science at MIT, then plotted for months to steal $25 million in Ethereum cryptocurrency, which they did in just 12 seconds. They achieved this by “by fraudulently gaining access to pending private transactions and then altering the transactions to obtain their victims' cryptocurrency.” This is now being referred to as “The Exploit” by prosecutors and others at the Department of Justice and the IRS. U.S. Attorney Damian Williams said in a statement on Wednesday, "the defendants' scheme calls the very integrity of the blockchain into question."
(BBC News)
Black Basta weaponizes Quick Assist
Microsoft began tracking a social engineering campaign, which sees Black Basta operatives email bombing targets with numerous email subscription services, then approaching them as a either Microsoft or company-based help desk staff to fix spam proliferation. In this approach, the attackers attempt to get victims to launch Windows Quick Assist, which allows for a subsequent downloading of ZIP files to deliver a malicious payload. Ultimately the approach attempts to deploy Black Basta’s ransomware using the Windows PSExec telnet-replacement tool. Microsoft recommends blocking or uninstalling Quick Assist if not regularly used.
(Bleeping Computer)
MITRE releases threat-modeling framework for embedded devices
The MITRE Corporation has officially released a new threat-modeling framework named EMB3D. According to MITRE, this framework was designed to enhance the security of embedded devices in critical infrastructure by providing a comprehensive knowledge base of cyber threats and mitigation strategies. Similar to the ATT&CK framework, EMB3D is designed to evolve over time to address emerging threats, vulnerabilities, and attack vectors specific to embedded systems. The initial release of the framework includes the device properties and threats enumerations. The full set of mitigations is expected to be released in the summer 2024 update.
(The Hacker News),(MITRE EMB3D)
