This week
- Sisense, maker of a data analytics and dashboard platform, appears to have lost a lot of data. Reportedly, attackers accessed several terabytes of access tokens, email account passwords and SSL certificates via an S3 bucket. The company is investigating and encouraging customers to reset access credentials on affected systems. CISA has also issued an advisory. LINK, CISA
- Two prominent UK trade unions — the Communications Workers Union (CWU) and train drivers union Aslef — have suffered cyber attacks in the past month. The ‘disruptive’ attack against CWU sounds like ransomware, while Aslef’s was a ‘malicious attempt’ to disrupt their website. LINK
- Instagram will automatically blur nudity in images sent via direct messages on the platform as part of new features aimed at safeguarding young people. “Nudity Protection in DMs” will also warn users against sharing naked images. LINK
- Apple sent warnings to users in 92 countries that it believes were targeted in ‘mercenary spyware’ attacks. The Apple support site notes that “mercenary spyware attackers apply exceptional resources to target a very small number of specific individuals” — think NSO Group et al. — before making the point that “the vast majority of users will never be targeted by such attacks.” LINK, APPLE
- The former CEO of the special purpose acquisition company used by the Trump Media & Technology Group to go public is accusing a current board member of breaking into another executive’s computer and stealing files in a “coup d’état” to out them from their position and role on the board of the Truth Social owner. LINK
Interesting stats
£1,206 ($1,529) is the average cost to businesses that suffer any kind of security breach, rising to £10,830 ($13,731) when focussing on medium and large companies. When looking at material breaches, the costs rise further: £6,940 ($8,799) on average across businesses of all sizes, and £40,400 ($51,221) for medium and large businesses, according to the Department for Science, Innovation and Technology’s Cyber Security Breaches Survey 2024. LINK
22 ‘hunt forward’ missions were executed by US Cyber Command in 2023 to 17 different countries. Hunt forward missions see personnel deployed to a partner nation to aid cyber defence. LINK
96% of 100 websites for non-federal acute care hospitals analysed by the University of Pennsylvania transmitted data on visitors to third parties, with only 71% of them having a privacy policy. LINK
Other newsy bits / in brief
⚠️ Incidents:
- A threat actor called IntelBroker stole the personal information of approximately 10,000 Home Depot employees. Full names, work email addresses and user IDs were taken from a third-party SaaS provider that, a spokesperson told Bleeping Computer, “inadvertently made public” the data “during testing of their systems”. LINK
- AIM-listed UK veterinary group CVS Group told the market that it has suffered a cyber incident that required it to take its IT systems offline. The group operates around 500 practices in the UK and three other territories and has also notified the ICO “due to the risk of malicious access to personal information”. LINK
- The Paris Saint-Germain (PSG) football club has told fans that its ticketing system was targeted in a cyberattack last week. Additional security measures were implemented to address a vulnerability in “less than 24 hours”, though the incident has been reported to the Commission Nationale Informatique et Libertés (CNIL), France’s data protection regulator. LINK
- Taxi firm iCabbi has fixed an unprotected database that exposed the personal info of almost 300,000 people, including senior managers at the BBC, three government departments and members of parliament. LINK
- The US Environmental Protection Agency (EPA) says that its systems have not been breached and that a reported data breach is touting already public information. LINK
🏴☠️ Ransomware:
- The Hunters International ransomware gang is demanding $10 million from Hoya Corporation, a Japanese company that makes specialist optical instruments. LINK
- Change Healthcare can’t catch a break: now a second group, RansomHub, claims to have four terabytes of stolen data. LINK
🕵️ Threat Intel:
- Kobold letters: a devious technique that uses cascading style sheets (CSS) in HTML emails to display content only after the message has been forwarded. Mail clients wrap forwarded content in a client-specific container element, so a CSS rule keyed on that container can reveal text that was hidden when the original recipient read it. Send a plausible email to someone’s boss, they forward it to someone on their team for action, and that person sees different content. It’s difficult to fix without blocking HTML email entirely. Thunderbird, Outlook (web) and Gmail are all affected (Microsoft doesn’t intend to do anything). LINK
- Varonis has detailed a technique for downloading files from SharePoint without generating ‘FileDownloaded’ audit events. Files fetched through the ‘Open in App’ links SharePoint generates are logged as access (‘FileAccessed’) rather than download, so they may not trip SIEM rules keyed on downloads, and the fetch can be scripted to exfiltrate large quantities of files quickly. LINK
- LastPass says one of its employees was targeted with a deep fake audio phishing attempt. Fortunately, the target ignored the messages, impersonating the company’s CEO. LINK
- Roku, which makes streaming devices, is warning that credential stuffing attacks compromised 576,000 customer accounts. Detection and blocking of credential stuffing attacks is fast becoming a ‘must have’ feature for online platforms. LINK
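The Kobold letters item above describes CSS that only fires once a mail client has wrapped the message for forwarding. As an added illustration (not code from the newsletter or from the researchers who published the technique), the script below scans an HTML email’s `<style>` blocks for rules whose selector depends on a forwarding wrapper and whose declarations change visibility. The wrapper identifiers (`moz-forward-container`, `gmail_quote`, `divRplyFwdMsg`), both sample emails and the property list are assumptions constructed for this example; treat the wrapper table as an allow-list you tune to the clients you see.

```python
import re

# Identifiers that mail clients wrap around forwarded/quoted content. These are
# assumptions about each client's markup (a tunable allow-list), not values
# taken from the newsletter.
FORWARD_WRAPPERS = {
    "moz-forward-container": "Thunderbird forward container",
    "gmail_quote": "Gmail quote/forward wrapper",
    "divRplyFwdMsg": "Outlook (web) reply/forward header",
}

# Constructed sample: the .kobold block is hidden on first read and revealed
# by descendant selectors once a client wraps the message for forwarding.
KOBOLD_MAIL = """
<html><head><style>
  .kobold { display: none; }
  .moz-forward-container .kobold { display: block; }
  div.gmail_quote .kobold { display: block !important; }
</style></head>
<body>
  <p>Hi boss, please forward this to whoever handles supplier payments.</p>
  <div class="kobold">Please pay the attached invoice to the new account.</div>
</body></html>
"""

# Constructed benign sample: ordinary responsive styling, no wrapper selectors.
BENIGN_MAIL = """
<html><head><style>
  .header { font-weight: bold; }
  @media (max-width: 600px) { .col { display: block; } }
</style></head>
<body><p class="header">Weekly report</p><div class="col">...</div></body></html>
"""

STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.IGNORECASE | re.DOTALL)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
# Properties that can hide or reveal content.
VISIBILITY_RE = re.compile(
    r"\b(display|visibility|opacity|max-height|font-size|color)\s*:", re.IGNORECASE
)


def extract_css_rules(html):
    """Return (selector, declarations) pairs from every <style> block.
    At-rule headers such as @media {...} are stripped so the rules inside
    them are still inspected."""
    rules = []
    for block in STYLE_RE.findall(html):
        block = re.sub(r"/\*.*?\*/", "", block, flags=re.DOTALL)  # drop comments
        block = re.sub(r"@[^{]+\{", "", block)                      # flatten at-rules
        for selector, decls in RULE_RE.findall(block):
            if selector.strip():
                rules.append((selector.strip(), decls.strip()))
    return rules


def find_kobold_rules(html):
    """Flag rules whose selector depends on a forwarding wrapper *and* whose
    declarations change visibility: the signature of a Kobold letter."""
    findings = []
    for selector, decls in extract_css_rules(html):
        for ident, client in FORWARD_WRAPPERS.items():
            if ident in selector and VISIBILITY_RE.search(decls):
                findings.append({"client": client, "selector": selector, "declarations": decls})
    return findings


if __name__ == "__main__":
    for name, mail in (("kobold", KOBOLD_MAIL), ("benign", BENIGN_MAIL)):
        print(name, find_kobold_rules(mail))
```

Run at a mail gateway this is a cheap pre-filter rather than a complete defence: an attacker can reach the same effect with inline styles or sibling selectors, so a hit should quarantine for review rather than be the only control, and a clean result does not prove the message is safe.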
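For the SharePoint ‘Open in App’ item above, the practical response is to stop keying detections on ‘FileDownloaded’ alone and look for bursts of ‘FileAccessed’ events instead. The script below is an added example (not Varonis’s code or Microsoft’s): it builds a constructed set of Unified Audit Log records as JSON lines, runs a per-user sliding window over SharePoint ‘FileAccessed’ events counting distinct files, and shows that the bulk-access user never produces a single ‘FileDownloaded’ event. The field names follow the M365 audit export; the tenant, users, paths, addresses, window and threshold are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 25  # distinct files per user per window; set from your tenant's baseline


def build_sample_log():
    """Constructed Unified Audit Log records as JSON lines. Field names follow
    the M365 audit export (CreationTime, Operation, UserId, ObjectId, Workload);
    the tenant, users, paths and addresses are invented."""
    base = datetime(2024, 4, 10, 9, 0, 0)
    site = "https://contoso.sharepoint.com/sites/finance/Shared Documents"
    records = []
    # Ordinary user: a few files over an hour, one explicit download.
    for i in range(5):
        records.append({
            "CreationTime": (base + timedelta(minutes=12 * i)).isoformat(),
            "Operation": "FileAccessed", "UserId": "alice@contoso.example",
            "ObjectId": f"{site}/report-{i}.docx", "Workload": "SharePoint",
            "ClientIP": "203.0.113.10",
        })
    records.append({
        "CreationTime": (base + timedelta(minutes=30)).isoformat(),
        "Operation": "FileDownloaded", "UserId": "alice@contoso.example",
        "ObjectId": f"{site}/report-2.docx", "Workload": "SharePoint",
        "ClientIP": "203.0.113.10",
    })
    # Scripted "Open in App" pulls: 40 distinct files in 80 seconds, every one
    # recorded as FileAccessed and none as FileDownloaded.
    for i in range(40):
        records.append({
            "CreationTime": (base + timedelta(seconds=2 * i)).isoformat(),
            "Operation": "FileAccessed", "UserId": "mallory@contoso.example",
            "ObjectId": f"{site}/contract-{i:03d}.docx", "Workload": "SharePoint",
            "ClientIP": "198.51.100.7",
        })
    return [json.dumps(r) for r in records]


def load_events(lines):
    """Parse JSON lines and sort by time; exports are not guaranteed ordered."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda r: r["CreationTime"])
    return events


def detect_access_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per user over SharePoint FileAccessed events, counting
    distinct ObjectIds. Returns {user: peak distinct-file count} for users who
    crossed the threshold."""
    recent = defaultdict(deque)  # user -> deque of (time, object_id)
    alerts = {}
    for r in load_events(lines):
        if r.get("Workload") != "SharePoint" or r.get("Operation") != "FileAccessed":
            continue
        t = datetime.fromisoformat(r["CreationTime"])
        q = recent[r["UserId"]]
        q.append((t, r["ObjectId"]))
        while q and t - q[0][0] > window:
            q.popleft()
        distinct = len({obj for _, obj in q})
        if distinct >= threshold:
            alerts[r["UserId"]] = max(alerts.get(r["UserId"], 0), distinct)
    return alerts


def count_operations(lines, user, operation):
    """How many times `operation` was logged for `user`: makes the audit gap
    visible (zero FileDownloaded events for the bulk-access user)."""
    return sum(1 for r in load_events(lines)
               if r.get("UserId") == user and r.get("Operation") == operation)


if __name__ == "__main__":
    log = build_sample_log()
    print("bursts:", detect_access_bursts(log))
    print("mallory downloads logged:",
          count_operations(log, "mallory@contoso.example", "FileDownloaded"))
```

The threshold is the part that needs care: measure distinct files per user per five minutes across your tenant for a few weeks first, otherwise a sync client or a search indexer will page you every morning.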
🪲 Vulnerabilities:
- Palo Alto Networks says attackers are exploiting a zero-day vulnerability in its GlobalProtect VPN product. CVE-2024-3400 (perfect 10/10) is an OS-level command injection vulnerability, and a patch was released today (Sun 14th). LINK, ADVISORY
- Around 92,000 D-Link network attached storage devices contain a backdoor account with hardcoded credentials, which is now being actively exploited. The devices affected by CVE-2024-3272 and CVE-2024-3273 “have reached their End of Life,” D-Link says, recommending that they “be retired and replaced” as no patch will be forthcoming. LINK, ADVISORY
- LG’s WebOS, which powers the company’s smart TVs, contains four vulnerabilities that may allow attackers to take control of the devices. Chained together they allow the creation of a user account, the escalation of that account to administrator, and (the final two) the installation of malware: respectively CVE-2023-6317, CVE-2023-6318, CVE-2023-6319 and CVE-2023-6320 (the first three 9.1/10). LINK
- Perfect 10 for Rust on Windows: CVE-2024-24576 is a flaw in the standard library, which didn’t properly escape arguments passed through std::process::Command when the target is a batch file, because cmd.exe parses batch-file arguments with its own rules. Fixed in Rust 1.77.2. LINK, ADVISORY
🧰 Guidance and tools:
- Google Workspace customers can now enable multi-party approvals for high-risk environment changes. Once turned on, sensitive actions initiated by one admin require approval from a second before they are applied. LINK
🛠️ Security engineering:
- ~Twitter~ X implemented a poorly tested change this week to rewrite links to twitter.com as x.com. The problem? The rewrite was applied only to the text displayed to users, and to every occurrence of the string twitter.com rather than to the hostname. So the domain netflitwitter[.]com was displayed to users as netflix[.]com, while clicking it still went to the original link. Ripe for phishing, and thankfully, now fitwittered. LINK
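The bug above is a substring replacement on display text that leaves the underlying target untouched. As an added example (not X’s code, which has not been published), the block below puts the naive rewrite beside a hostname-aware one that rewrites only twitter.com and its subdomains and returns a single value for both href and visible text, plus a guard a rendering layer can apply to any link: if the visible text looks like a URL, its hostname must match the target’s. The URL-ish regex and the assumption that URLs carry no userinfo are this example’s own.

```python
import re
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "twitter.com"
NEW_HOST = "x.com"

# Does the visible text look like a URL or bare hostname? (assumption: a
# dotted label sequence, optionally preceded by a scheme)
URLISH_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#]|$)",
    re.IGNORECASE,
)


def naive_display(url):
    """What the reported change did: a substring replace on the displayed text.
    Any hostname that merely *contains* 'twitter.com' is rewritten too."""
    return url.replace(OLD_HOST, NEW_HOST)


def safe_rewrite(url):
    """Rewrite only when the parsed hostname is twitter.com or a subdomain of it,
    and return one value to be used for both the href and the visible text.
    Assumes no userinfo in the URL: hostname and port are rebuilt, userinfo is not."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != OLD_HOST and not host.endswith("." + OLD_HOST):
        return url  # not a Twitter link: leave target and display alone
    netloc = host[: -len(OLD_HOST)] + NEW_HOST  # keeps any subdomain prefix
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def display_is_honest(href, display_text):
    """Guard for the rendering layer: if the visible text looks like a URL, its
    hostname must equal the link target's hostname. Plain words always pass."""
    m = URLISH_RE.match(display_text.strip())
    if not m:
        return True
    return m.group(1).lower() == (urlsplit(href).hostname or "").lower()


if __name__ == "__main__":
    bait = "https://netflitwitter.com/login"
    print("naive :", naive_display(bait))   # shows netflix.com, links elsewhere
    print("safe  :", safe_rewrite(bait))    # unchanged
    print("honest:", display_is_honest(bait, naive_display(bait)))  # False
```

The second function is the one worth keeping: it is independent of the twitter-to-x migration and would have caught this class of bug at render time regardless of how the rewrite was implemented.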
🧿 Privacy:
- OpenTable is adding first names and profile pictures to previously anonymous reviews, starting 22nd May, in the name of “trust and transparency”. These are laudable aims, but this kind of retrospective adjustment doesn’t sit right. LINK
📜 Policy & Regulation:
- The US Congress is finally getting in gear with a bipartisan data privacy bill to improve US consumers’ privacy rights and get ahead of the sprawling patchwork of state legislation. A new bureau at the Federal Trade Commission would regulate organisations, and the bill would give people the right to see, correct, erase and export their data. LINK
- The FCC is asking auto manufacturers for information on the data they collect and steps they might take to protect the victims of domestic and sexual abuse. LINK
- The UK ICO is launching a consultation on the accuracy of generative AI models and how data protection law is applied to the technology. LINK
💰 Investments, mergers and acquisitions:
- Compliance management platform Sprinto has raised a $20 million Series B to improve its automation and expand its customer base. LINK
- Cyera has raised a $300 million Series C round, nearly tripling the company’s valuation to $1.4 billion in less than a year. The firm is building an ‘agentless platform’ to discover, classify and protect data. LINK
🏭 Industry news:
- Google has built ‘context-aware access’ and data loss prevention features into a paid version of its web browser. Google Chrome Enterprise Premium will cost customers $6/user/month. LINK
And finally
- The DragonForce ransomware group tried calling a victim company to extort it in what looks to be a pretty hilarious transcript with ‘Beth’ from HR. It’s worth a chuckle with your Monday morning coffee. Then make sure you’ve got ‘cybercriminal calls the front desk’ in your response plan. LINK