CyberBakery Chronicles

Your Weekly Cybersecurity Update (19 July 2024)

  • AT&T Data Breach Exposes Call Records of Nearly All Mobile Customers
  • 2024 SANS SOC Survey Unveils Top Cybersecurity Trends
  • Hackers Exploit Newly Released Weaknesses in Minutes, Report Finds
  • New Ransomware Gang Targets Unpatched Veeam Software
  • Hackers Up Their Game in NuGet Supply Chain Attack
  • Weak Security Defaults Enabled Squarespace Domain Hijacks
  • Email addresses of 15 million Trello users leaked on a hacking forum

AT&T Data Breach Exposes Call Records of Nearly All Mobile Customers

https://krebsonsecurity.com/2024/07/hackers-steal-phone-sms-records-for-nearly-all-att-customers/

AT&T disclosed a major data breach affecting nearly all of its mobile customers, approximately 109 million people. Hackers accessed a cloud storage account on AT&T's Snowflake platform and stole call records between May 2022 and January 2023.

The breached data includes phone numbers, the frequency and duration of calls and texts, and some cell site location data. However, it does not include the content of calls or texts, customer names, Social Security numbers, or dates of birth.

AT&T says it is working with law enforcement and believes at least one suspect has been apprehended. The company is also improving its cybersecurity measures and will notify affected customers.

This breach highlights the growing risk of cloud-based data storage. Hackers recently targeted other companies using compromised credentials on Snowflake, a cloud data warehousing platform. AT&T says the stolen data has not been made public and is unrelated to a previous data breach earlier this year.

2024 SANS SOC Survey Unveils Top Cybersecurity Trends

https://www.sans.org/webcasts/sans-2024-soc-survey-facing-top-challenges-in-security-operations/

The SANS Institute published its annual SOC Survey, an essential resource for understanding the evolving landscape of Security Operations Centers (SOCs). This year's survey highlights critical trends and technologies in cyber defence.

A key takeaway is the growing importance of Endpoint Detection and Response (EDR) technology, which received the highest marks from survey participants. Conversely, generative AI technologies were rated least effective, suggesting ongoing challenges in integrating these tools into SOC workflows.

Another interesting finding is the decline in the use of TLS interception for inspecting encrypted traffic. This raises concerns about the ability of SOCs to monitor potential threats hidden within encrypted communications.

"These findings highlight both the advancements and persistent challenges within SOCs," said Chris Crowley, SANS Senior Instructor and SOC Survey Author. "Understanding which technologies are favored and which ones fall short is crucial for organizations aiming to enhance their cybersecurity posture."

The survey also explores communication between SOCs and senior management. The report found that 67% of SOCs provide metrics to justify their resource allocation. 

Hackers Exploit Newly Released Weaknesses in Minutes, Report Finds

https://blog.cloudflare.com/application-security-report-2024-update

Hackers are getting faster at turning newly discovered software vulnerabilities into real-world attacks, according to a report by cybersecurity firm Cloudflare.

The report analyzed internet traffic data between May 2023 and March 2024 and found that attackers can exploit these vulnerabilities in as little as 22 minutes after they are publicly disclosed.

This rapid exploitation timeframe makes it difficult for companies to patch their systems before they are compromised. Cloudflare recommends using artificial intelligence (AI) to automate the creation of security rules to keep pace with attackers.

The report also found a significant increase in overall cyber threats, with 6.8% of all internet traffic being malicious. This includes distributed denial-of-service (DDoS) attacks, which aim to overwhelm websites and online services with junk traffic.

Cloudflare urges companies to proactively protect themselves, using AI-powered security solutions and staying up-to-date on the latest security threats. The full report, available for download, provides further recommendations for improving cybersecurity posture.

New Ransomware Gang Targets Unpatched Veeam Software

https://www.group-ib.com/blog/estate-ransomware/

A new ransomware gang, EstateRansomware, is exploiting a critical vulnerability (CVE-2023-27532) in Veeam backup software to deploy ransomware and extort victims. This vulnerability was patched in March 2023, over a year ago, but many users have still not installed the update.

The flaw allows attackers to gain access to a Veeam system and potentially the entire backup infrastructure. EstateRansomware typically gains initial access through brute-force attacks against a vulnerable Fortinet firewall and then uses stolen credentials to move laterally within the network.

Security researchers believe the attackers then exploit the unpatched Veeam system to deploy a backdoor and gain further access to the victim's environment. Once they have a foothold, they can steal additional credentials and disable antivirus software before deploying LockBit ransomware to encrypt critical data.

This incident highlights the importance of timely patching. Organizations should prioritize applying security updates as soon as they become available to avoid falling victim to known vulnerabilities. 

Hackers Up Their Game in NuGet Supply Chain Attack

https://thehackernews.com/2024/07/60-new-malicious-packages-uncovered-in.html

Hackers continue a year-long campaign targeting the NuGet software package manager with a new wave of malicious packages. Researchers at ReversingLabs identified roughly 60 new malicious packages disguised as legitimate software.

These packages deploy a remote access trojan (RAT) called SeroXen RAT. What makes this attack particularly concerning is the use of a technique called IL weaving. This technique injects malicious code directly into legitimate software packages, making them difficult to detect.

In some cases, attackers used homoglyphs, which are characters that look similar to legitimate letters, to create imposter versions of popular open-source packages. For instance, they might create a package named "Gսոa.UI3.Wіnfօrms" to mimic the real "Guna.UI2.WinForms" package.
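The homoglyph trick above is detectable on the consumer side: a package name that mixes Unicode scripts, or whose look-alike characters fold to something nearly identical to a package you already depend on, deserves a second look before installation. The following check is an added example, not code from the original article or from ReversingLabs; the confusable table is a small hand-built subset, and the allow-list of known packages is constructed for illustration.

```python
import difflib
import unicodedata

# Constructed subset of look-alike characters (the full Unicode confusables
# table is much larger); these are the ones in the article's example name.
CONFUSABLES = {
    "\u057d": "u",  # ARMENIAN SMALL LETTER SEH
    "\u0578": "n",  # ARMENIAN SMALL LETTER VO
    "\u0585": "o",  # ARMENIAN SMALL LETTER OH
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}

# The article's imposter name, written with escapes so the look-alikes are visible.
SAMPLE_IMPOSTER = "G\u057d\u0578a.UI3.W\u0456nf\u0585rms"

# Constructed allow-list standing in for a project's real dependency set.
KNOWN_PACKAGES = ["Guna.UI2.WinForms", "Newtonsoft.Json", "Serilog"]


def scripts_in(name: str) -> set:
    """Unicode scripts (first word of each letter's Unicode name) used by the letters in name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def skeleton(name: str) -> str:
    """Fold confusable characters to their Latin look-alikes and lower-case the result."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).lower()


def check_package_name(candidate: str, known=KNOWN_PACKAGES, threshold: float = 0.9) -> dict:
    """Flag names that mix scripts or whose skeleton is near (but not equal to) a known package."""
    scripts = scripts_in(candidate)
    skel = skeleton(candidate)
    closest, score = None, 0.0
    for pkg in known:
        ratio = difflib.SequenceMatcher(None, skel, pkg.lower()).ratio()
        if ratio > score:
            closest, score = pkg, ratio
    exact = candidate in known                      # the real package itself is fine
    mixed = len(scripts) > 1                        # Latin + Armenian/Cyrillic etc.
    suspicious = (not exact) and (mixed or score >= threshold)
    return {"mixed_scripts": mixed, "scripts": sorted(scripts),
            "closest": closest, "similarity": round(score, 3), "suspicious": suspicious}
```

Run `check_package_name(SAMPLE_IMPOSTER)` to see the imposter flagged with three scripts and `Guna.UI2.WinForms` as its closest known package; a near-miss in pure ASCII such as `Newtonsoft.Jsonn` is caught by the similarity threshold instead.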

This attack highlights the evolving tactics of cybercriminals and the importance of software developers being cautious when downloading packages from any source. Fortunately, all the malicious packages identified in this campaign have been taken down.

Weak Security Defaults Enabled Squarespace Domain Hijacks

https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/

The migration to Squarespace has left domain owners with fewer options to secure and monitor their accounts. According to Taylor Monahan, the lead product manager at Metamask, Squarespace lacks support for user control and insight into account activity, including audit logs and email notifications.

Monahan further stated, "Squarespace is unable to assist users who require control or insight into the activity taking place in their account or domain. The owner does not receive email notifications for actions performed by a 'domain manager.' This is incredibly frustrating for those who are accustomed to and rely on the controls provided by Google."

The researchers have released a detailed manual for securing Squarespace user accounts. It advises users to enable multi-factor authentication (which was turned off during the migration), identify which email addresses have access to the account, remove unnecessary Squarespace user accounts, and disable reseller access in Google Workspace if Workspace was purchased through Google Domains. "If you purchased Google Workspace through Google Domains, Squarespace is now your authorized reseller," explains the manual. "This means that anyone with access to your Squarespace account also has a backdoor into your Google Workspace unless you explicitly disable it by following the instructions here, which you should do. It's simpler to secure one account than two."

15 Million Trello User Email Addresses Leaked

https://www.bleepingcomputer.com/news/security/email-addresses-of-15-million-trello-users-leaked-on-hacking-forum/

The leak consists of over 15 million email addresses associated with Trello accounts, collected through an unsecured API. Although the leaked data mainly consists of public profile information, it links non-public email addresses to those accounts. These details can be exploited in targeted phishing attacks and doxxing. Atlassian confirmed that the data was collected through an unsecured Trello REST API.

Unsecured APIs have become a popular target for threat actors, who misuse them to combine non-public information with public profiles. The same pattern has appeared in earlier incidents involving Facebook, Twitter, and Twilio APIs. Organisations often attempt to secure such APIs with rate limiting, but threat actors undermine this approach by continually purchasing proxy servers so that their queries arrive from many different source addresses.