January 2024 Edition
Hi! We’re back after a short break with the essential cybersecurity and privacy news for executives.
Table of Contents
Microsoft network breached by Russia-state hackers
Cyber scams and their surprising connection to human trafficking and Myanmar's civil war
Nearly 25 million new unique login credentials stolen from various websites
Kaspersky Research Created a Lightweight Method to Detect Potential iOS Malware
SentinelOne Uncovers the Evolution of Undetected macOS InfoStealers | KeySteal, Atomic, and CherryPie
Facebook Users are Monitored by Thousands of Companies
Inside the $1 billion Walmart Gift Card Laundering Scheme
Critical GitLab vulnerability exposes 2FA-less users to account takeovers
GenAI could make KYC effectively useless
FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data
1. Microsoft network breached by Russia-state hackers
What happened:
In late November 2023, Russian state-backed hackers called Midnight Blizzard attacked Microsoft's network.
Microsoft only discovered the breach on January 12, 2024.
What to know:
The hackers breached a device within Microsoft’s network with a weak password and no two-factor authentication.
They tried various previously compromised or commonly used passwords until they succeeded.
After gaining access through this account, they accessed a small number of Microsoft corporate email accounts, including those of senior executives and employees in cybersecurity, legal, and other functions.
Microsoft hasn't shared details about the number of compromised email accounts or the accessed data, but the breach didn't seem to affect customer environments, production systems, source code, or AI systems.
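The breach above started with a password-guessing campaign against an account without two-factor authentication. The pattern that distinguishes such a campaign from a user mistyping a password is breadth: one source failing against many different accounts in a short window. As an added example (not code from Microsoft's report), the following Python reads constructed authentication log lines and raises an alert for any source that failed against at least five distinct accounts within ten minutes, listing which accounts that source later signed into successfully. The log format, thresholds, and addresses are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (invented for this example):
# timestamp, source IP, account, result
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 test-alpha@example.com FAIL
2023-11-20T02:00:05Z 203.0.113.7 test-beta@example.com FAIL
2023-11-20T02:00:09Z 203.0.113.7 legacy-svc@example.com FAIL
2023-11-20T02:00:14Z 203.0.113.7 test-gamma@example.com FAIL
2023-11-20T02:00:20Z 203.0.113.7 old-admin@example.com FAIL
2023-11-20T02:00:27Z 203.0.113.7 legacy-svc@example.com SUCCESS
2023-11-20T02:01:00Z 198.51.100.9 alice@example.com FAIL
2023-11-20T02:01:30Z 198.51.100.9 alice@example.com SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def detect_password_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: {"accounts": n, "success": [...]}} for every source
    whose failed logins touched >= min_accounts distinct accounts inside a
    sliding time window. A spray tries a few common passwords across many
    accounts, so the signal is accounts-per-source, not failures-per-account.
    Thresholds are assumptions chosen for the example."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e[1]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # advance the window start until the window fits
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {e[2] for e in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                # which accounts this source eventually got into
                successes = sorted({e[2] for e in evs if e[3] == "SUCCESS"})
                alerts[ip] = {"accounts": len(distinct), "success": successes}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"spray from {ip}: {info['accounts']} accounts, "
              f"succeeded on {info['success']}")
```

The same logic maps onto any identity provider's sign-in log once the parser is swapped for the real field layout; the successful sign-in following the spray is the event that should page someone, since it is the moment the weak, non-MFA account was taken.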
Business Impact:
Microsoft business customers should be aware of the potential information leak through these compromised emails.
What to do:
Microsoft is enhancing its security and applying current standards to its legacy systems and internal processes. Organizations should consider reviewing and strengthening their own cybersecurity practices to mitigate similar threats.
For more information, check out this article.
2. Cyber scams and their surprising connection to human trafficking and Myanmar's civil war
What happened:
Rebel groups called the Three Brotherhood Alliance launched "Operation 1027" in Myanmar's northern Shan state, capturing military outposts and towns.
These rebels aimed to overthrow the military government and eliminate telecom fraud and scam centers along the China-Myanmar border.
What to know:
Southeast Asia has seen a rise in the abduction of people to work in internet scams, known as "pig butchering" scams.
Criminal groups lure tech-savvy workers with fake tech jobs, forcing them into scam operations.
China's political ties and economic interests in Myanmar have led it to crack down on these scam centers.
China's involvement in Myanmar's civil war has created a complex situation where it may be playing both sides to ensure stability.
The cyberscam industry is growing, possibly using AI, and targeting a wider range of victims.
Business Impact:
Companies operating in Myanmar or with employees and customers there can face disruptions and risks due to the growth of conflict and cybercrime.
What to do:
A comprehensive approach is needed to combat transnational crimes like fraud, cybercrime, human trafficking, money laundering, and corruption.
As crime moves online, its ties to real-world conflicts persist.
For more information, check out this article.
3. Nearly 25 million new unique login credentials stolen from various websites
What happened:
Troy Hunt, creator of "Have I Been Pwned," reported a huge password dump on the dark web containing nearly 71 million unique login credentials, 25 million of which had never been leaked before.
What to know:
The stolen data is collected in text files and images; each line consists of a login URL, its login name, and an associated stolen password.
Many passwords in the dataset are weak and duplicated, making them more vulnerable to simple password dictionary attacks.
The authenticity of the dataset was confirmed by contacting affected individuals.
What to do:
Change passwords for affected accounts. Encourage employees to do the same.
Use strong, unique passwords, activate two-factor authentication, and use passkeys for extra security. Encourage employees to do the same with personal accounts.
Regularly check for breached credentials and take necessary steps to secure accounts and data. Consider using software to do that for your organization.
If cryptocurrency is owned, consider transferring it to a different wallet not associated with that email address.
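The dump described above is a list of URL, login name, and password triples, and the advice is to check regularly for breached credentials. As an added example (not code from Have I Been Pwned or from the article), the Python below parses constructed dump lines, flags passwords reused across entries, and checks each password with the k-anonymity scheme the Pwned Passwords range API uses: only the first five hex characters of the SHA-1 hash leave the machine, and the remaining 35 are compared locally against the returned suffix list. To run offline, the range lookup is a stand-in built from a constructed breached-password table; swapping `fake_range_lookup` for an HTTP GET against the real range endpoint is the only change needed for production use. All sample credentials and counts are invented.

```python
import hashlib
from collections import Counter

# Constructed sample in the URL:login:password shape the article describes
# (every value here is invented).
SAMPLE_DUMP = """\
https://shop.example.com/login:alice@example.com:Password123
https://mail.example.net/signin:bob@example.org:hunter2
https://forum.example.org/login:carol@example.com:Password123
https://bank.example.com/auth:dave@example.com:Tr0ub4dor&3-unique-9f2
"""


def parse_dump(text):
    """Split each line at the last two colons so the 'https://' in the URL survives."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            url, login, password = line.rsplit(":", 2)
            rows.append((url, login, password))
    return rows


def duplicated_passwords(rows):
    """Passwords that appear more than once in the dump (reuse across sites)."""
    counts = Counter(pw for _, _, pw in rows)
    return {pw: n for pw, n in counts.items() if n > 1}


def pwned_prefix_suffix(password):
    """k-anonymity split: 5-char SHA-1 prefix goes to the service, the
    35-char suffix never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed breached-password table (counts invented) used to emulate the
# server side so the example runs with no network access.
FAKE_BREACHED = {"Password123": 1000, "hunter2": 50}


def build_fake_ranges(breached):
    """Server-side view: prefix -> 'SUFFIX:COUNT' lines, as the range API returns."""
    ranges = {}
    for pw, count in breached.items():
        prefix, suffix = pwned_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


FAKE_RANGES = build_fake_ranges(FAKE_BREACHED)


def fake_range_lookup(prefix):
    # Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>
    return FAKE_RANGES.get(prefix, "")


def breach_count(password, range_lookup=fake_range_lookup):
    """Number of times the password appears in the (emulated) breach corpus."""
    prefix, suffix = pwned_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        if line:
            candidate, count = line.split(":")
            if candidate == suffix:
                return int(count)
    return 0


def audit(text, range_lookup=fake_range_lookup):
    """One finding per dump line: breach count plus whether the password is reused."""
    rows = parse_dump(text)
    reused = duplicated_passwords(rows)
    return [
        {"url": url, "login": login,
         "breach_count": breach_count(pw, range_lookup),
         "reused": pw in reused}
        for url, login, pw in rows
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```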
For more information, check out this article.
4. Kaspersky Research Created a Lightweight Method to Detect Potential iOS Malware
What happened:
A lightweight method for detecting potential iOS malware like Pegasus is to analyze the "Shutdown.log" file stored in sysdiag archives on iOS devices.
What to know:
Pegasus is a spyware for eavesdropping on mobile phones and harvesting their data.
Traditional methods for detecting iPhone infections are time-consuming or require expertise.
Shutdown.log is a text-based log file created on mobile iOS devices that records reboot events and multiple environment characteristics.
Anomalies detected include excessive reboot delays (more than 4) and the presence of Pegasus malware indicators.
Retrieving the Shutdown.log file is relatively straightforward from sysdiag archives, which are collections of system logs for debugging and troubleshooting.
Impact:
This discovery can help businesses identify iPhone malware more efficiently, improving their device and data security.
This method relies on the user rebooting the phone as often as possible.
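The method above boils down to parsing Shutdown.log, grouping the "remaining client" entries under each reboot, and looking for two anomalies: a process that delays reboots too often, and paths matching known indicators. As an added example (not Kaspersky's script or its indicator list), the Python below implements that logic over a constructed, simplified log excerpt. The line layout, the process paths, the indicator string `EXAMPLE_SUSPICIOUS`, and the reading of "more than 4" as more than four reboots delayed by the same process are all assumptions made for the example; a real run would substitute the archive's actual file and a vetted indicator list.

```python
import re
from collections import Counter

# Constructed, simplified Shutdown.log excerpt: every SIGTERM line opens one
# reboot, and each indented line names a process that delayed that reboot.
# Layout and paths are invented for this example.
SAMPLE_SHUTDOWN_LOG = """\
SIGTERM: [0x0001] clients still connected
\tremaining client pid: 101 (/usr/libexec/good_daemon)
SIGTERM: [0x0002] clients still connected
\tremaining client pid: 101 (/usr/libexec/good_daemon)
\tremaining client pid: 777 (/private/var/tmp/EXAMPLE_SUSPICIOUS/agent)
SIGTERM: [0x0003] clients still connected
\tremaining client pid: 777 (/private/var/tmp/EXAMPLE_SUSPICIOUS/agent)
SIGTERM: [0x0004] clients still connected
\tremaining client pid: 777 (/private/var/tmp/EXAMPLE_SUSPICIOUS/agent)
SIGTERM: [0x0005] clients still connected
\tremaining client pid: 777 (/private/var/tmp/EXAMPLE_SUSPICIOUS/agent)
SIGTERM: [0x0006] clients still connected
\tremaining client pid: 777 (/private/var/tmp/EXAMPLE_SUSPICIOUS/agent)
SIGTERM: [0x0007] clients still connected
"""

CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\((.+?)\)")


def parse_shutdown_log(text):
    """Return a list with one entry per reboot; each entry is the list of
    process paths that delayed that reboot."""
    reboots = []
    for line in text.splitlines():
        if line.startswith("SIGTERM:"):
            reboots.append([])
            continue
        match = CLIENT_RE.search(line)
        if match and reboots:
            reboots[-1].append(match.group(2))
    return reboots


def analyze_shutdown_log(text, indicators, max_delays=4):
    """Flag (a) processes that delayed more than max_delays reboots and
    (b) any process path containing one of the indicator substrings.
    The per-process reading of the threshold is an assumption."""
    reboots = parse_shutdown_log(text)
    # count each process once per reboot, not once per log line
    per_process = Counter(path for r in reboots for path in set(r))
    return {
        "reboots": len(reboots),
        "excessive_delays": {p: n for p, n in per_process.items() if n > max_delays},
        "indicator_hits": sorted(
            p for p in per_process if any(ind in p for ind in indicators)
        ),
    }


if __name__ == "__main__":
    result = analyze_shutdown_log(SAMPLE_SHUTDOWN_LOG, ["EXAMPLE_SUSPICIOUS"])
    print(result)
```

Because every reboot adds one SIGTERM block, the analysis only has data to work with when the device is actually restarted, which is why the method depends on users rebooting regularly.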
For more information, check out this article.
5. SentinelOne Uncovers the Evolution of Undetected macOS InfoStealers | KeySteal, Atomic, and CherryPie
What Happened:
Despite Apple's updates to macOS's XProtect signature database, infostealer families like KeySteal, Atomic InfoStealer, and CherryPie are still active and continue to evolve.
What to Know:
Information stealer (or Infostealer) is a type of malware that gathers information like usernames and passwords from a system.
Infostealers targeting macOS have been on the rise, with variants like Atomic Stealer, macOS MetaStealer, and RealStealer.
Three active infostealers are currently evading static signature detection:
KeySteal, initially noted in 2021, has undergone significant technical changes and steals Keychain information.
Atomic InfoStealer has multiple variants, avoids detection, and includes anti-analysis logic.
CherryPie, also known as Gary Stealer, is detected by Apple but not on VirusTotal in some cases and has cross-platform Windows/macOS capabilities.
Business Impact:
macOS is vulnerable to attacks by various undetected infostealers, leading to data theft, privacy breaches, and potential damage to an organization's reputation.
Relying solely on signature-based detection is not enough.
Companies using macOS need to take security more seriously and allocate a security budget to implement more comprehensive security measures on Macs, such as installing tools like Endpoint Detection & Response (EDR).
What to Do:
Be vigilant about the persistent risk of undetected macOS InfoStealer and strengthen macOS security.
Prioritize proactive threat detection, improve detection rules, and stay informed about evolving tactics.
For more information, check out this article.
6. Facebook Users are Monitored by Thousands of Companies
What happened:
Consumer Reports, a non-profit consumer watchdog, conducted a study with 709 volunteers, revealing that 186,892 companies shared data about them with Facebook.
What to know:
The study exposed massive surveillance and server-to-server tracking, including the Meta tracking pixels on websites.
On average, each participant in the study had their data sent to Facebook by 2,230 companies. Some panelists had over 7,000 companies providing their data to Facebook.
Data collection includes "events" and "custom audiences," tracking user interactions on websites and apps.
Users can access the list of companies that sent their data to Facebook and choose to disconnect future sharing via this link.
Business Impact:
The scale of data collection and sharing raises concerns about user privacy and transparency in data practices.
Users may stop using businesses that collect and sell their data.
Increased demand for privacy could impact marketing data brokers.
Facebook might also crack down on businesses, which could jeopardize your pixel tracking.
What to do:
Businesses using Meta pixel or data brokers should review data-sharing practices.
Ensure user data privacy and compliance with regulations.
For more information, check out this article.
7. Inside the $1 billion Walmart Gift Card Laundering Scheme
What happened:
Scammers have duped consumers out of more than $1 billion by exploiting Walmart’s lax security. The company has resisted taking responsibility while breaking promises to regulators and skimping on training.
What to Know:
Scammers used tactics like posing as IRS agents or creating fake online romances to trick victims into buying gift cards, then quickly transferring balances to other cards.
Walmart had a financial incentive to avoid banning card-for-card purchases, as it earns millions in profit from gift card usage, commissions on other brands of cards purchased, and money transfer fees.
Walmart continued to expand in financial services, acquiring One in 2022.
Despite claims of anti-fraud efforts, Walmart's training and security measures fell short, leading to legal action.
Technology like analytics and AI only captures a small fraction of fraud, and gift card theft remains an ongoing issue.
What to Do:
Exercise caution.
Be aware of common scam tactics and report suspicious activities.
For more information, check out this article.
8. Critical GitLab vulnerability exposes 2FA-less users to account takeovers
What Happened:
GitLab disclosed a critical vulnerability with a severity score of 10 in May 2023, which allowed users to issue password resets through a secondary email address.
Multiple GitLab versions are affected and require patching.
A second critical vulnerability allowed attackers to execute slash commands in Slack or Mattermost.
What to Know:
Attackers can send password reset emails to unverified addresses.
Users without two-factor authentication (2FA) are at risk of account takeover.
All authentication methods are impacted, including some single sign-on (SSO) configurations.
Administrators can disable password authentication for self-managed customers.
Business Impact:
If your company uses GitLab, or relies on vendors who use GitLab with sensitive data, there is a significant risk of account takeover.
Organizations using GitLab for DevOps may have valuable intellectual property and source code at stake.
Depending on their function, organizations with custom apps and integrations that use slash commands could also leak sensitive data.
What to Do:
Apply the latest security patches promptly.
Enable two-factor authentication (2FA) for all accounts and ensure vendors using GitLab are checked.
Regularly monitor logs for signs of exploitation.
GitLab has added new tests to validate the password reset logic to prevent similar vulnerabilities.
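The bug class above is a password-reset handler that mails the reset link to addresses taken from the request rather than to addresses the account has verified. As an added example (a hypothetical illustration, not GitLab's code or data model), the Python below shows the insecure pattern beside the corrected one and the kind of regression test the advisory mentions: the corrected handler may use the request only to identify the account, and then sends solely to that account's verified addresses. The user store, the `attacker@example.net` address, and the outbox list are constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical account model constructed for the example.
@dataclass
class User:
    username: str
    primary_email: str
    verified_emails: set = field(default_factory=set)


USERS = {
    "victim": User("victim", "victim@example.com", {"victim@example.com"}),
}


def find_user(emails):
    """Resolve the account from any address named in the request."""
    wanted = set(emails)
    for user in USERS.values():
        if user.primary_email in wanted or user.verified_emails & wanted:
            return user
    return None


def vulnerable_reset(request_emails, outbox):
    """Insecure pattern: the request carries a list of addresses, the account
    is resolved from it, and the reset link is mailed to every address in the
    list. An extra, unverified address in the same request also gets the link.
    Returns the addresses mailed."""
    user = find_user(request_emails)
    if user is None:
        return []
    sent = []
    for addr in request_emails:
        outbox.append((user.username, addr))   # outbox is a stand-in for SMTP
        sent.append(addr)
    return sent


def hardened_reset(request_emails, outbox):
    """Corrected pattern: the request only identifies the account; the link
    goes to the addresses the account itself has verified, never to anything
    else the caller supplied. Returns the addresses mailed (the HTTP response
    shown to the caller should be identical whether or not an account matched,
    so that the endpoint does not reveal which accounts exist)."""
    user = find_user(request_emails)
    if user is None:
        return []
    sent = []
    for addr in sorted(user.verified_emails):
        outbox.append((user.username, addr))
        sent.append(addr)
    return sent


def regression_check():
    """Test of the kind the advisory mentions: a request naming the victim plus
    an attacker-controlled address must never cause mail to the latter."""
    request = ["victim@example.com", "attacker@example.net"]
    outbox = []
    hardened_reset(request, outbox)
    return all(addr in USERS["victim"].verified_emails for _, addr in outbox)


if __name__ == "__main__":
    request = ["victim@example.com", "attacker@example.net"]
    print("vulnerable mails to:", vulnerable_reset(request, []))
    print("hardened mails to:  ", hardened_reset(request, []))
    print("regression check passes:", regression_check())
```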
For more information, check out this article.
9. GenAI could make KYC effectively useless
What happened:
Recent viral posts on social media platforms showed how to use generative AI to manipulate ID images and pass KYC (Know Your Customer) tests.
What to know:
KYC (Know Your Customer) is a process used by financial institutions and banks to verify the identity of their customers. It often involves ID images and cross-checked selfies to confirm a person's identity.
Generative AI (GenAI) tools like Stable Diffusion can be used to create synthetic renderings of a person against various backdrops, including ones that appear to hold an ID document.
Android apps running on desktop emulators and web apps can be tricked into accepting deepfaked images instead of live camera feeds.
Some platforms implement "liveness" checks but can still be bypassed.
Deepfaked images and videos may soon reach the point where they can fool human reviewers.
Business Impact:
KYC could become useless as a security measure. Attackers can create convincing deepfake ID images, potentially undermining the security of platforms that rely on KYC.
What to do:
Businesses must enhance security beyond KYC in response to the deepfake threat.
For more information, check out this article.
10. FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data
What happened:
X-Mode Social and its successor Outlogic are prohibited from selling sensitive location data due to the Federal Trade Commission (FTC) settlement.
Allegations included selling location data linked to sensitive places without proper safeguards.
What to know:
X-Mode & Outlogic collected location data associated with mobile advertising IDs and sold it to various clients in different industries.
The company did not have policies to remove sensitive locations from the raw data it sold until May 2023, potentially exposing consumers to privacy violations and risks.
Users were not fully informed about how their location data would be used.
The company didn’t employ necessary technical safeguards and oversight to honor users’ opt-out requests.
X-Mode provided information for marketing purposes about consumers who had visited certain medical facilities and pharmacies, violating the FTC Act's prohibition against unfair and deceptive practices.
Business Impact:
Businesses using location data should be aware of the FTC settlement, which restricts X-Mode & Outlogic from sharing certain sensitive location data and requires them to take various measures to protect consumer data.
What to do:
If your company collects location data, you must create a program for sensitive location data, data deletion, supplier assessment, and privacy measures.
Simplify consent withdrawal and data deletion for consumers.
If there’s sensitive location data, ensure compliance with privacy regulations and standards to avoid potential legal issues.
For more information, check out this article.