Edition #5
Table of Contents:
New York Sues Citibank Over Poor Data Security
Surveillance Apps PhoneSpector and Highster Shut Down After Legal Settlement
AnyDesk Suffers Cyberattack: Source Code and Signing Keys Stolen
Clorox’s Cyberattack Costs Exceed $49 Million
CISA Issues Urgent Removal Order for Insecure Ivanti Products
Company Tracked Visits to 600 Planned Parenthood Locations for Anti-Abortion Ads
FCC Implements Stricter Rules for Telcos Regarding Data Breach Reporting
Staying Ahead of Threat Actors in the Age of AI
US Military Notifies 20,000 of Data Breach After Cloud Email Leak
Atlassian Vulnerability Exploited in Government Accountability Office Breach Affecting 6,600 Individuals
Cyberattack Hits German Battery Maker Varta, Halts Production
Hackers Gained Access to Prudential’s Computer Systems
Nation-State Hackers Use AI to Boost Cyber Operations
Pig Butchering Scam Exposed: How Scammers Are Duping Victims for Millions
Microsoft Rolls Out Expanded Logging Six Months After Chinese Breach
Avast Ordered to Stop Selling Browsing Data from its Privacy Apps
New York Sues Citibank Over Poor Data Security
What happened:
New York Attorney General Letitia James has filed a lawsuit against Citibank for alleged failures in protecting customers from hackers and fraudsters who have stolen millions, as well as their refusal to reimburse victims.
What to know:
The lawsuit cites specific examples of individuals losing significant sums after falling victim to cybercriminals.
Threat actors primarily used social engineering to trick victims into granting access to their accounts and executing unauthorized transfers, rather than exploiting software vulnerabilities or breaking into Citibank's systems.
The attorney general believes Citibank should have more efficient fraud detection systems, such as identifying unrecognized device locations, suspicious password or username changes, and suspicious transfers.
Citibank was accused of being slow in responding to fraud reports from customers.
Citibank allegedly exploits a legal loophole to deny reimbursement claims under the Electronic Fund Transfer Act (EFTA), arguing that it is not obligated to reimburse customers who followed fraudsters' instructions themselves, absent any indication of deception.
Business Impact:
Companies should consider the legal and reputational risks of fraud committed against their customers or through their platforms, including the consequences of refusing to reimburse victims.
What to do:
Train employees to recognize and defend against the social engineering techniques used against your clients.
For more information, check out this article.
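As an added illustration of the detection signals the attorney general names above (unrecognized device locations, suspicious credential changes, suspicious transfers), not code from the original newsletter or from Citibank: a small rule-based scan over constructed account events. The event schema, the 24-hour window and the 5x multiplier are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Event:
    ts: datetime
    account: str
    kind: str            # "login", "password_change", "username_change" or "transfer"
    location: str = ""   # device location reported at login
    payee: str = ""      # transfer destination
    amount: float = 0.0  # transfer amount

@dataclass
class Profile:
    """Per-account baseline, normally built from the account's own history."""
    known_locations: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)
    typical_transfer: float = 0.0       # largest transfer seen in the baseline period
    untrusted_session: bool = False     # last login came from an unrecognized location
    last_credential_change: Optional[datetime] = None

CREDENTIAL_WINDOW = timedelta(hours=24)  # assumption: transfer this soon after a credential change is flagged
NEW_PAYEE_MULTIPLIER = 5.0               # assumption: new payee AND amount > 5x typical is flagged

def scan(events, profiles):
    """Apply the three signals to events in time order.
    Returns (timestamp, account, signal) tuples; profiles are updated in place."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        p = profiles.setdefault(ev.account, Profile())
        if ev.kind == "login":
            p.untrusted_session = ev.location not in p.known_locations
            if p.untrusted_session:
                alerts.append((ev.ts, ev.account, f"login from unrecognized location: {ev.location}"))
        elif ev.kind in ("password_change", "username_change"):
            p.last_credential_change = ev.ts
            if p.untrusted_session:
                alerts.append((ev.ts, ev.account, f"{ev.kind} from unrecognized device"))
        elif ev.kind == "transfer":
            flagged = False
            if p.last_credential_change and ev.ts - p.last_credential_change <= CREDENTIAL_WINDOW:
                alerts.append((ev.ts, ev.account, "transfer shortly after credential change"))
                flagged = True
            # An account with no baseline (typical_transfer == 0) flags any transfer to a new payee.
            if ev.payee not in p.known_payees and ev.amount > NEW_PAYEE_MULTIPLIER * p.typical_transfer:
                alerts.append((ev.ts, ev.account, f"large transfer to new payee: {ev.payee} ({ev.amount:.2f})"))
                flagged = True
            if not flagged:  # only clean transfers extend the baseline
                p.known_payees.add(ev.payee)
                p.typical_transfer = max(p.typical_transfer, ev.amount)
    return alerts

def sample_events():
    """Constructed account activity, not real data: a normal day followed by a takeover pattern."""
    t = datetime.fromisoformat
    return [
        Event(t("2024-02-01T09:00"), "acct-1", "login", location="New York, US"),
        Event(t("2024-02-01T09:05"), "acct-1", "transfer", payee="Con Edison", amount=450.0),
        Event(t("2024-02-02T02:00"), "acct-1", "login", location="Unknown City, XX"),
        Event(t("2024-02-02T02:03"), "acct-1", "password_change"),
        Event(t("2024-02-02T02:10"), "acct-1", "transfer", payee="new-payee-9", amount=9000.0),
    ]

def sample_profiles():
    """Constructed baseline for the sample account."""
    return {"acct-1": Profile(known_locations={"New York, US"},
                              known_payees={"Con Edison"}, typical_transfer=500.0)}

if __name__ == "__main__":
    for ts, acct, signal in scan(sample_events(), sample_profiles()):
        print(ts.isoformat(), acct, signal)
```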
Surveillance Apps PhoneSpector and Highster Shut Down After Legal Settlement
What happened:
PhoneSpector and Highster, two secret phone surveillance services, have shut down after their owner settled New York state accusations of promoting illegal spyware.
The settlement in February 2023 required the companies to pay $410,000 in penalties and modify the apps to alert device owners that their phones were being monitored.
What to know:
These apps, often referred to as stalkerware or spouseware, allowed covert surveillance of smartphones by individuals with knowledge of the device passcode, usually a spouse or domestic partner. They continuously collected and uploaded messages, photos, and real-time location data to a dashboard accessible by the abuser.
PhoneSpector's website stopped functioning after the settlement and was redirected to an Indonesian lottery website. Highster's website also stopped loading months later.
The domains, servers, and infrastructure used by PhoneSpector and Highster are no longer online. Their customer service lines have also been disconnected.
It remains uncertain whether the companies have paid the $410,000 penalty as agreed in the settlement.
Several other stalkerware apps, including Retina-X and SpyFone, have ceased operations in recent years following regulatory actions.
Business Impact:
Businesses developing stalkerware and individuals using them should reconsider the ethical implications of such practices.
What to do:
Users of PhoneSpector and Highster may need to consider the legality and ethics of using such apps for monitoring purposes.
Regularly check your devices for potential spyware.
For more information, check out this article.
AnyDesk Suffers Cyberattack: Source Code and Signing Keys Stolen
What happened:
AnyDesk, a remote access solution, experienced a recent cyberattack where hackers gained access to the company's production systems and stole source code and private code signing certificates.
What to know:
AnyDesk allows users to access computers remotely over the internet.
AnyDesk serves 170,000 customers, including notable organizations like 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS, and the United Nations.
The attack was detected after indications of an incident on their servers, leading to a security audit that confirmed the compromise.
The cybersecurity firm CrowdStrike assisted in responding to the incident, and AnyDesk revoked security-related certificates and replaced systems as necessary.
While AnyDesk assured customers that the product was safe to use, it recommended upgrading to the latest version, which is signed with the new code signing certificate.
AnyDesk stated that no authentication tokens were stolen, as they exist only on the end user's device and not on AnyDesk's systems. Still, it revoked all passwords to its web portal as a precaution.
Business Impact:
If your company uses AnyDesk, AnyDesk asserts that your authentication tokens and passwords remain unaffected. However, it's essential to remain vigilant and monitor for any signs of compromise.
What to do:
If you use AnyDesk, switch to the new version, as the old code signing certificate will be revoked.
Change your AnyDesk password, and the password of any other account where you reused it.
For more information, check out this article.
Clorox’s Cyberattack Costs Exceed $49 Million
What happened:
Clorox suffered a cyberattack in August 2023, resulting in system shutdowns, order processing delays, and product shortages. The attack incurred $49 million in costs by the end of 2023.
What to know:
Costs included losses from disruptions and expenses related to third-party experts engaged for investigation and remediation.
Clorox anticipates additional costs of approximately $50-$60 million ($38-$46 million after tax) in FY24.
The company has not yet recognized any insurance proceeds, and the timing of any recovery may differ from the timing of the expense recognition.
Specific details of the attack, including data theft, remain undisclosed.
Security researcher Dominic Alvieri stated that the cyberattack was attributed to the BlackCat (a.k.a. Alphv) ransomware group, but this has yet to be confirmed.
Business Impact:
Clorox's customers may face data exposure if customer data was stolen, and Clorox's share price is down 2.4% over the past 12 months.
What to do:
Invest in robust security protocols and incident response plans to minimize impacts.
For more information, check out this article.
CISA Issues Urgent Removal Order for Insecure Ivanti Products
What happened:
The US government's Cybersecurity and Infrastructure Security Agency (CISA) issued an unprecedented directive on January 31, 2024, requiring federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.
What to know:
This move is in response to at least three actively exploited Ivanti security vulnerabilities.
Ivanti is an IT software company that develops software solutions for IT Security, IT Service Management, IT Asset Management, Unified Endpoint Management, Identity Management, and supply chain management.
Federal Civilian Executive Branch (FCEB) agencies were urged to conduct threat hunting on affected systems and monitor authentication or identity management services.
Within the 48-hour timeframe, network administrators must isolate the systems from enterprise resources and continue auditing privilege-level access accounts.
CISA outlines steps to bring Ivanti products back into service, including exporting device configuration settings, performing a factory reset following Ivanti's instructions, and upgrading to a fully patched software version.
Volexity identified exploitation of these Ivanti vulnerabilities, warning that Chinese nation-state hackers were leveraging them to breach US organizations.
Cybercriminal groups have also taken advantage of these vulnerabilities to deploy malicious software.
Business Impact:
Organizations relying on Ivanti’s products face potential security risks and should take immediate action to comply with CISA's directive.
What to do:
Federal agencies must follow CISA's directive, including its steps for bringing the products back into service.
Organizations should also be vigilant for any signs of compromise.
For more information, check out this article.
Company Tracked Visits to 600 Planned Parenthood Locations for Anti-Abortion Ads
What happened:
Near Intelligence allegedly tracked visits to 600 Planned Parenthood locations across 48 states, fueling a significant anti-abortion ad campaign.
What to know:
Near Intelligence, a location data provider, allegedly gathered and sold information on visitors to Planned Parenthood locations without their consent.
This data was utilized for a national anti-abortion ad campaign between 2019 and 2022, targeting individuals who had visited these locations.
The company claims to have information on 1.6 billion people across 44 countries.
Near Intelligence filed for bankruptcy in December, raising concerns about the fate of the collected data, which could be sold off as part of its assets.
Senator Ron Wyden has called on the Federal Trade Commission (FTC) to block Near Intelligence’s data sales and the Securities and Exchange Commission (SEC) to investigate the company’s misleading filings.
Business Impact:
Businesses investing in, partnering with, or using Near Intelligence's services should be mindful of the legal and ethical implications associated with the data collected and sold by the company.
What to do:
This case highlights the need for stronger privacy regulations and compliance measures.
Companies should review data collection practices to ensure compliance.
Businesses should ensure accurate representation of data practices in filings.
Individuals should be mindful of sharing location data and consider privacy tools.
For more information, check out this article.
FCC Implements Stricter Rules for Telcos Regarding Data Breach Reporting
What happened:
The FCC has adopted new rules requiring telecom companies in the US to report any security breaches to the agency, the FBI, and the Secret Service within seven days. The mandatory waiting period before informing consumers has also been eliminated.
What to know:
Telecom companies must now inform customers of data breaches without undue delay, with a maximum of 30 days following confirmation of a breach.
The scope of data exposure types requiring customer notification has been expanded to include personally identifiable information (PII) such as names, government ID numbers, authentication data, email addresses/passwords, and biometric data.
An exception to customer notifications exists if the carrier determines that no harm is reasonably likely to occur.
The FCC's definition of a breach now includes "inadvertent access, use, or disclosure of customer information," broadening the scope of incidents requiring reporting.
Business Impact:
Telcos now have more compliance requirements related to breach disclosure.
Businesses that are telcos’ customers will now be promptly informed of any breaches, allowing them to take immediate steps to remediate potential harms.
What to do:
Telecom companies should review and update breach notification protocols to align with the FCC's new requirements.
Ensure that all relevant personnel are aware of the updated regulations and receive appropriate training.
Monitor developments from regulatory agencies like CISA to stay informed about potential changes in breach reporting standards.
For more information, check out this article.
Staying Ahead of Threat Actors in the Age of AI
What happened:
Microsoft and OpenAI jointly published research on how cybercriminals are using advanced technology such as AI in their attacks, including attempted misuse of large language models (LLMs) and fraud.
What to know:
Threat actors have been observed using LLMs for reconnaissance, coding assistance to improve malware, and social engineering.
While there haven't been significant AI-powered attacks yet, Microsoft and OpenAI are watching closely.
Microsoft outlined principles to mitigate risks associated with the use of AI tools by threat actors, including identification and action against malicious use, collaboration with stakeholders, and transparency in reporting actions taken.
Business Impact:
Businesses should recognize the evolving landscape of cyber threats enhanced by AI and prioritize implementing robust cybersecurity measures.
Understanding potential misuse of AI by threat actors is crucial for devising effective defense strategies and safeguarding against emerging threats.
What to do:
Utilize resources provided by Microsoft and OpenAI to stay informed about emerging threats and best practices for mitigating risks associated with AI-enabled attacks.
Implement comprehensive AI safety and security standards aligned with industry best practices and regulatory requirements.
Foster collaboration with other stakeholders to exchange information and enhance collective responses to ecosystem-wide risks posed by AI-enabled threats.
For more information, check out this article.
US Military Notifies 20,000 of Data Breach After Cloud Email Leak
What happened:
The U.S. Department of Defense (DOD) is informing thousands of individuals about their personal information being exposed in an email data leak from last year.
The breach occurred between February 3 and February 20, 2023, due to an unsecured U.S. government cloud email server hosted on Microsoft's cloud platform.
What to know:
Around 20,600 individuals are receiving breach notification letters.
The exposed emails included sensitive military information, such as personnel data and security clearance questionnaires.
The server was accessible without a password, allowing anyone with the public IP address to view the emails.
The breach was initially discovered by security researcher Anurag Sen, who alerted TechCrunch so that it could be reported to the U.S. government.
The affected server was identified and removed from public access on February 20, 2023, and the vendor addressed the issues that resulted in the exposure.
Business Impact:
Businesses engaged with the department should verify whether their sensitive data was compromised in the breach and take necessary measures to mitigate potential risks.
What to do:
Organizations should regularly audit their cloud configurations and security protocols to ensure data protection.
Promptly report any security vulnerabilities or breaches to the relevant authorities and take immediate action to address them.
For more information, check out this article.
Atlassian Vulnerability Exploited in Government Accountability Office Breach Affecting 6,600 Individuals
What happened:
A breach of the Government Accountability Office (GAO) occurred through a contractor, CGI Federal, resulting in the compromise of data of approximately 6,600 current and former GAO employees from 2007 to 2017, along with some companies engaged with GAO.
The breach was attributed to a vulnerability in the Atlassian Confluence workforce collaboration tool, which malicious hackers actively exploited.
What to know:
The GAO conducts investigations into taxpayer spending for Congress and federal agencies.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in October 2023 about the vulnerability affecting certain versions of Atlassian Confluence Data Center and Server, warning of active exploitation.
CGI Federal took immediate remediation actions following the CISA advisory and is cooperating with authorities and clients to address the impact of the breach.
Atlassian alerted its customers of the vulnerability on October 4 and emphasized the importance of taking immediate action to safeguard data.
Business Impact:
Companies involved with the GAO and/or using Atlassian should assess if their data was compromised and take appropriate measures to enhance their cybersecurity posture.
For more information, check out this article.
Cyberattack Hits German Battery Maker Varta, Halts Production
What happened:
Varta AG experienced a cyberattack on February 12, leading to the suspension of production in five of its facilities.
The company's information technology systems were temporarily shut down and disconnected from the internet.
What to know:
Varta AG is a German company specializing in battery manufacturing for the automotive, industrial, and consumer markets, with subsidiaries in over 75 countries worldwide.
The extent of the damage caused by the cyberattack is still under evaluation.
Varta has activated its emergency plan to manage the situation and has formed a task force to expedite the restoration of operations.
Varta shares fell 3.6% at the close of European trading the following day.
Business Impact:
Companies doing business with Varta should be aware of the potential risks associated with cyberattacks.
Interruptions in production due to cyber incidents can lead to financial losses and damage to reputation.
What to do:
Companies with ties to Varta should assess their own cybersecurity measures and consider implementing additional safeguards to mitigate the risk of similar incidents.
Hackers Gained Access to Prudential’s Computer Systems
What happened:
Hackers accessed Prudential Financial Inc.'s information technology systems.
A small percentage of user accounts linked to employees and contractors were compromised.
What to know:
No evidence of customer or client data theft has been found so far.
The unauthorized access occurred starting from February 4, with Prudential detecting the breach the following day.
The company is cooperating with law enforcement and regulatory authorities to address the breach.
Prudential is investigating the incident's extent and potential impact on additional information or systems.
Business Impact:
Companies that are Prudential's customers or partners should consider that their data may have been exposed, although no evidence of customer or client data theft has been found so far.
What to do:
Companies associated with Prudential should check if their data has been compromised and monitor the situation closely for any updates.
Companies should enhance their cybersecurity protocols and remain vigilant against potential cyber threats.
Nation-State Hackers Use AI to Boost Cyber Operations
What happened:
Russian, North Korean, Iranian, and Chinese-backed adversaries are incorporating large language models (LLMs) into their cyberattacks.
These hackers are leveraging AI, such as OpenAI's ChatGPT, to enhance their operations, including phishing emails and vulnerability research.
What to know:
The use of LLMs by state-sponsored cyber-espionage groups signals a significant evolution in their tactics.
OpenAI has terminated accounts associated with state-sponsored hackers to mitigate the threat.
Although no major breaches utilizing LLM technology have occurred yet, security experts warn of its potential for more sophisticated cyberattacks.
Business Impact:
The increasing sophistication of cyber threats, particularly from nation-state actors, poses significant risks to companies and governments.
What to do:
Monitor developments in AI technology and its potential applications in cyber operations.
Strengthen cybersecurity defenses to mitigate the risk of AI-enhanced attacks.
Pig Butchering Scam Exposed: How Scammers Are Duping Victims for Millions
What happened:
Scammers are employing a sophisticated scheme known as "Pig Butchering," targeting victims worldwide through social media and dating apps, stealing hundreds of millions of dollars.
They establish trust with victims through prolonged conversations, feigning interest, and offering investment opportunities in cryptocurrencies and other financial instruments.
What to know:
"Pig butchering" refers to scammers luring victims with romantic or investment promises to swindle them of large sums of money, either in fiat currency or cryptocurrency.
The scam has resulted in losses exceeding $429 million, per the FBI's 2021 Internet Crime Report.
Victims are lured into the scam through various platforms such as WhatsApp, Telegram, TikTok, X (formerly Twitter), Instagram, Tinder, Bumble, and Hinge.
Scammers use fake profiles, stolen images, and AI-generated photos to create convincing personas to gain victims' trust.
The scheme involves "herders" who initiate contact and "pig butchers" who conduct prolonged conversations to persuade victims to invest.
Business Impact:
Companies should be aware of the potential for employees to become victims of financial scams through social media and dating apps.
What to do:
Victims of the scam should report suspicious activity to the appropriate authorities and cease communication with potential scammers.
Platforms hosting these scams should implement stricter moderation and reporting mechanisms to prevent scammers from targeting unsuspecting users.
For more information, check out this article.
Microsoft Rolls Out Expanded Logging Six Months After Chinese Breach
What happened:
After Chinese state hackers used a stolen Microsoft signing key to breach US government officials' email accounts in June 2023, Microsoft faced criticism for not offering robust logging features by default.
What to know:
Microsoft's decision to charge a premium for security features, including logging, drew scrutiny following the Chinese hacking operation. Microsoft subsequently dropped the fee.
Federal officials announced progress in making expanded logs available to federal agencies, with plans to extend access to all agencies this month.
Microsoft is increasing the default log retention period from 90 to 180 days and making more detailed logs available.
Business Impact:
The delayed rollout of expanded logging features may have hindered federal agencies' ability to detect and respond to security threats effectively.
What to do:
Federal agencies should leverage the expanded logging capabilities to enhance their cybersecurity posture and better detect and respond to potential threats.
Technology vendors, including Microsoft, should prioritize security features by default and address concerns about cybersecurity readiness to mitigate risks to the government and other users.
Avast Ordered to Stop Selling Browsing Data from its Privacy Apps
What happened:
Avast collected users' browser information from 2014 to 2020 and sold it to over 100 companies through Jumpshot.
The Federal Trade Commission (FTC) ordered Avast to pay $16.5 million and cease selling browsing data.
What to know:
Avast acquired Jumpshot, then an antivirus competitor, in early 2014 and rebranded it as an analytics seller offering insights into the online habits of over 100 million consumers.
Avast's apps claimed to increase privacy but collected identifiable data, including job searches and map directions.
The FTC found the data wasn't sufficiently anonymous, as it included unique device identifiers and specific browsing activities.
The connection between Avast and Jumpshot was revealed in January 2020, showing data purchases by major companies like Home Depot, Google, Microsoft, Pepsi, and McKinsey.
Avast is required to implement a comprehensive privacy program and obtain express consent for future data gathering.
Business Impact:
Businesses using Avast's applications, or whose employees use them, may have had their data tracked.
What to do:
Companies may consider switching to alternative security providers with more stringent privacy policies.
Companies should review their data collection and sharing practices to ensure compliance with privacy regulations.