This week
SEC’s Twitter account was compromised, posted ‘approval’ of Bitcoin ETFs
- The US Securities and Exchange Commission (SEC) suffered an embarrassing incident this week when the regulator’s X/Twitter account was compromised. The attackers used their access to make a legitimate-sounding post announcing that the regulator had approved the use of Bitcoin exchange-traded funds (ETFs). The unauthorised post caused the value of the cryptocurrency to rise.
- An X spokesperson said the social network’s investigation concluded that the cause of the incident was an “unidentified individual” gaining control over a phone number associated with the @SECGov account, which “did not have two-factor authentication enabled at the time”. The disclosure surprised some analysts, though there is no love lost between Musk and the SEC.
- SEC chair Gary Gensler, who has made cyber security a key priority for the SEC, disavowed the post and confirmed the compromise about 10 minutes later.
- Market manipulation like this is a potential way for criminals to make returns that may significantly outstrip scamming an individual or ransoming an organisation.
- POP QUIZ: How much did the Bitcoin price swing by? A) 0.5%, B) 2.5%, C) 17% (answer below)
Pro-Ukraine group launches retaliatory attack against Russian ISP
- A pro-Ukraine group called Blackjack has claimed responsibility for an attack against Russian ISP M9com. The group says it is a direct response to the December attack by Russia against Ukrainian telco Kyivstar (vol. 6, iss. 51). In a Telegram post, Blackjack claimed to have disrupted M9com’s services, stolen confidential data, and defaced the company’s website.
- Screenshots posted by the hacktivist group show file servers and backup devices being deleted, configurations being wiped, and M9com’s public key infrastructure dashboard.
- Blackjack may be related to the Security Service of Ukraine (SBU).
Interesting stats
30% reduction in global trust and safety staff at X/Twitter, and an 80% reduction in engineers dedicated to trust and safety issues, since Elon Musk’s takeover of the social media company, according to Australia’s eSafety Commissioner, which is fining X for failing to report how it is meeting rules concerning child sexual exploitation and abuse material.
1 million virtual servers were spun up by a 29-year-old Ukrainian man to mine $2 million in cryptocurrency. The cryptojacker was arrested following a Europol operation.
Other newsy bits / in brief
- AirDrop: China’s Beijing Wangshendongjian Judicial Appraisal Institute says it has developed a technique to crack the encrypted device log that iOS keeps for AirDrop and identify the phone numbers and email addresses of users sharing content. Chinese protestors use AirDrop to share content peer-to-peer that state censors would otherwise detect and block on mobile or internet connections.
- Forescout says it disagrees with Denmark’s nonprofit SektorCERT and doesn’t think Russia’s Sandworm was behind two waves of attacks against Danish critical infrastructure (vol. 6, iss. 47).
- Raptor Technologies, a vendor of school attendance and emergency management software, inadvertently made 4 million records (totalling 800GB) publicly available last month, including response plans for school shooter situations.
- The accountancy firm engaged by laptop manufacturer Framework was duped into sharing the personal information of an undisclosed number of customers with an attacker impersonating Framework’s CEO.
- Healthcare provider HMG Healthcare has admitted losing unencrypted personal data of thousands of staff and patients. The Texas-based provider of rehabilitation, memory care and assisted living services said the incident occurred in August and was detected in November, involving unauthorised access to a server that “likely contained medical records and personal information, including names, dates of birth, contact information, general health information, information regarding medical treatment, social security numbers and/or employment records.”
- Filthy animals: the BlackBasta cybercrime group compromised Toronto Zoo.
- Linux-based devices are being targeted by a customised version of the Mirai botnet malware. Akamai, who discovered the new variant, says it differs from traditional Mirai variants, which target telnet servers, by instead focussing on weak passwords on SSH servers.
- Ivanti has published security advisories for its Connect Secure VPN appliance, which a suspected Chinese actor is exploiting. Connect Secure is the former Pulse Secure product line, which Ivanti acquired in 2020. The vulnerabilities, CVE-2023-46805 (an authentication bypass, 8.2/10) and CVE-2024-21887 (a command injection, 9.1/10), can be chained for unauthenticated remote code execution. Patches will not arrive until the week commencing 22nd January at the earliest, so customers are warned to take other “critical” mitigation actions “immediately” in advance of a patch being available.
- Juniper Networks is warning of a critical pre-auth remote code execution vulnerability — CVE-2024-21591 (9.8/10) — in its SRX firewalls and EX switches.
- GitLab has released an update to address a zero-click account hijacking vulnerability in its Community and Enterprise Edition source code management software. CVE-2023-7028 (10/10) allows password reset links to be sent to arbitrary, unverified email addresses. Accounts with MFA would still require a second factor to log in.
- HelloFresh has been fined £140,000 by the UK Information Commissioner for sending over 80 million spam messages based on an age confirmation statement that was “likely to unfairly incentivise customers to agree”.
- Law & Order: The US has charged a man living in Turkey over T-Mobile’s 2021 data breach (vol. 4, iss. 34). Separately, Sebastien Raoult, a core member of the ShinyHunters cybercrime gang, has been sentenced to three years in prison and ordered to return $5 million in ill-gotten gains.
- Industry news: SentinelOne is acquiring Indian startup PingSafe for its cloud application protection platform in a deal that values the two-year-old company at over $100 million, according to TechCrunch.
- In broader AI news, the European Commission is “checking whether Microsoft’s investment in OpenAI might be reviewable under the EU Merger Regulation”, over concerns that Redmond, as OpenAI’s biggest investor, may be surreptitiously pulling the strings. Separately, OpenAI told the UK House of Lords that “[because] copyright today covers virtually every sort of human expression—including blogposts, photographs, forum posts, scraps of software code, and government documents—it would be impossible to train today’s leading AI models without using copyrighted materials”. At the Consumer Electronics Show, Volkswagen announced that it is adding ChatGPT to its infotainment system. Meanwhile, spam products with AI-generated names and descriptions that are variations on “I cannot fulfil that request” are cropping up on Amazon.
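The Mirai item above describes a variant that guesses weak SSH passwords rather than telnet credentials. As an added example (not code from Akamai, the newsletter, or the malware), here is a small detector for that behaviour run over constructed auth.log lines in OpenSSH's syslog format. The hostname, addresses, PIDs and timestamps are made up; the parser assumes the default sshd log wording ("Failed password for …", "Accepted publickey for …").

```python
# Added example (not from Akamai's report or the newsletter): a small detector
# for SSH password-guessing, run over constructed auth.log lines in OpenSSH's
# syslog format. Host, addresses, PIDs and timestamps are made up.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: one source walks through common IoT usernames until a weak
# root password succeeds; one legitimate user mistypes once, then uses a key.
SAMPLE_LOG = """\
Jan 10 03:14:01 edge sshd[2211]: Failed password for root from 198.51.100.7 port 51122 ssh2
Jan 10 03:14:02 edge sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 51130 ssh2
Jan 10 03:14:02 edge sshd[2215]: Failed password for invalid user pi from 198.51.100.7 port 51138 ssh2
Jan 10 03:14:03 edge sshd[2217]: Failed password for root from 198.51.100.7 port 51144 ssh2
Jan 10 03:14:04 edge sshd[2219]: Failed password for invalid user ubnt from 198.51.100.7 port 51150 ssh2
Jan 10 03:14:05 edge sshd[2221]: Accepted password for root from 198.51.100.7 port 51160 ssh2
Jan 10 03:20:11 edge sshd[2301]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Jan 10 03:20:40 edge sshd[2305]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

Event = Tuple[datetime, str, str, str]  # (time, result, method, user)


def parse_events(log_text: str) -> Dict[str, List[Event]]:
    """Group parsed sshd auth events by source address, oldest first.
    syslog lines carry no year, so times are only comparable within one log."""
    events: Dict[str, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events[m["src"]].append((ts, m["result"], m["method"], m["user"]))
    for evs in events.values():
        evs.sort(key=lambda e: e[0])
    return events


def detect_ssh_bruteforce(log_text: str, threshold: int = 5,
                          window_seconds: int = 60) -> Dict[str, dict]:
    """Flag sources with >= threshold failed *password* logins inside any
    window_seconds span. Public-key failures are ignored: the variant above
    guesses passwords, and key failures are mostly agent/key-rotation noise.
    'accepted_after' marks a success from the same source after the guessing
    began, i.e. one of the guesses probably worked."""
    alerts: Dict[str, dict] = {}
    for src, evs in parse_events(log_text).items():
        failures = [e for e in evs if e[1] == "Failed" and e[2] == "password"]
        burst = any(
            (failures[i + threshold - 1][0] - failures[i][0]).total_seconds() <= window_seconds
            for i in range(len(failures) - threshold + 1)
        )
        if not burst:
            continue
        first_fail = failures[0][0]
        alerts[src] = {
            "failed": len(failures),
            "usernames": sorted({e[3] for e in failures}),
            "accepted_after": any(e[1] == "Accepted" and e[0] >= first_fail for e in evs),
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_ssh_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The `accepted_after` flag is the one to page on: a burst of failures followed by an accepted password from the same address is a likely compromise, not just noise. The fix for the underlying weakness is to stop accepting passwords at all (`PasswordAuthentication no` and `PermitRootLogin prohibit-password` in sshd_config), which also makes this whole class of log line disappear.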
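The GitLab item above is a textbook instance of a password-reset handler trusting the address in the request. As an added illustration of that bug class (this is not GitLab's code, and the account data is constructed), the vulnerable handler below accepts a list of addresses and mails the reset link to all of them, beside a hardened one that only mails the address stored on the account.

```python
# Added illustration of the password-reset bug class in the GitLab item above.
# Not GitLab's code: it models a handler that trusts the e-mail address(es) in
# the request, beside one that mails only the address on file. Users are made up.
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class User:
    username: str
    email: str  # verified address on file for the account


@dataclass
class Outbox:
    """Stand-in for a mailer; records (recipient, reset_token) pairs."""
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send(self, to: str, token: str) -> None:
        self.sent.append((to, token))


# Constructed sample account.
USERS: Dict[str, User] = {"alice": User("alice", "alice@example.test")}


def lookup_by_email(email: str) -> Optional[User]:
    return next((u for u in USERS.values() if u.email == email), None)


def reset_vulnerable(form: Dict[str, Union[str, List[str]]], outbox: Outbox) -> List[str]:
    """Vulnerable: web form parsers commonly turn user[email][]=a&user[email][]=b
    into a list, and this handler happily accepts one. The account is found via
    *any* of the addresses, then the single reset token is mailed to *all* of
    them, so an attacker who knows the victim's address appends their own and
    receives a working reset link without the victim doing anything."""
    emails = form["email"]
    if isinstance(emails, str):
        emails = [emails]
    user = None
    for e in emails:
        user = lookup_by_email(e)
        if user:
            break
    if user is None:
        return []
    token = secrets.token_urlsafe(16)
    for e in emails:  # recipient list taken straight from the request
        outbox.send(e, token)
    return emails


def reset_hardened(form: Dict[str, Union[str, List[str]]], outbox: Outbox) -> List[str]:
    """Hardened: exactly one string address is accepted, and the link goes to
    the address stored on the matched account, never to a request-supplied
    value. The caller-facing HTTP response should be identical whether or not
    the address exists (to avoid account enumeration); the return value here
    is only for inspection."""
    email = form.get("email")
    if not isinstance(email, str) or not email:
        raise ValueError("exactly one e-mail address is required")
    user = lookup_by_email(email)
    if user is None:
        return []
    outbox.send(user.email, secrets.token_urlsafe(16))
    return [user.email]
```

Two details carry the fix: the type check on the parameter (a list must be rejected, not silently unwrapped) and using the stored address rather than the submitted one as the recipient. As the item notes, a second factor still blocks login after a reset, which is a good argument for MFA on any account whose recovery path runs through email.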
And finally
- Ratchet up: Security researchers from Nozomi have exploited 23 vulnerabilities to install ransomware on a connected wrench from Bosch.
Answer
- The price of Bitcoin swung by 2.5% following the unauthorised announcement that the SEC had approved Bitcoin ETFs.