SolarWinds seeks dismissal of SEC lawsuit. Midnight Blizzard abused OAuth apps in Microsoft attack.

Summary

By the CyberWire staff

At a glance.

SolarWinds seeks dismissal of SEC lawsuit.
Midnight Blizzard abused OAuth apps in Microsoft attack.
Italy's data protection authority claims ChatGPT violates GDPR.
Jenkins issues patch for critical vulnerability.

SolarWinds seeks dismissal of SEC lawsuit.

SolarWinds is seeking the dismissal of a US Securities and Exchange Commission (SEC) lawsuit that alleges the company and its CISO defrauded investors by concealing poor cybersecurity practices, Bloomberg Law reports. SolarWinds claims that the SEC "is trying to unfairly move the goalposts for what companies must disclose about their cybersecurity programs and, with the controls charges, claim a mandate for regulating those programs that the agency does not have."

The company maintains that it made clear that its systems were vulnerable to sophisticated nation-state attacks before they were compromised by a Russian state-sponsored threat actor in December 2020. The company adds, "The SEC complains these disclosures were insufficient, asserting that companies must disclose detailed vulnerability information in their SEC filings. But that is not the law, and for good reason: disclosing such details would be unhelpful to investors, impractical for companies, and harmful to both, by providing roadmaps for attackers."

Optimize the value of your biggest investment – your cyber talent.

Gain actionable insights to continuously build and maintain high-performance teams, climb the knowledge curve, and stay ahead in a rapidly changing world. N2K’s Strategic Cyber Workforce Intelligence is a comprehensive solution designed to identify current capabilities and develop a data-driven framework to enrich hiring, upskilling, and career mobility efforts in your people strategy that evolves with ongoing organizational transformation. Learn more.

Midnight Blizzard abused OAuth apps in Microsoft attack.

Microsoft has shared additional details on how its senior executives' email accounts were compromised by the Russian threat actor Midnight Blizzard (also known as "Cozy Bear" or "APT29"), offering guidance for organizations to defend themselves against similar attacks. The threat actor launched password spray attacks from a distributed residential proxy infrastructure, enabling it to compromise "a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled."

After gaining access to the test account, the threat actor abused OAuth to establish persistence and access additional email accounts: "Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes."

RSA Conference™ 2024—Where the Cybersecurity Community Unites

Cybercrime knows no bounds, and a united front is our strongest defense. At RSA Conference™ 2024, May 6 – 9, we unite in San Francisco as a cybersecurity community, fostering learning, networking, idea exchange, and exploration of cutting-edge innovations. Join us as we face the future of cybersecurity head on. Learn more and register.

Italy's data protection authority claims ChatGPT violates GDPR.

The Italian Data Protection Authority (Garante per la protezione dei dati personal) has informed OpenAI that its ChatGPT application violates GDPR's data privacy regulations, Reuters reports. The Garante says OpenAI has thirty days to submit counterclaims concerning the alleged breaches.

Jenkins issues patch for critical vulnerability.

Software automation server Jenkins has received a patch for a vulnerability that could allow "unauthenticated attackers to read arbitrary files on the Jenkins controller file system." The flaw was discovered by researchers at SonarSource, who warn that "[a]ttackers could leverage this vulnerability, by reading Jenkins secrets, to escalate privileges to admin and eventually execute arbitrary code on the server."

BleepingComputer notes that proof-of-concept exploits for the flaw are publicly available, and some researchers have reported that the vulnerability is already being exploited in the wild.

Notes.

Today's issue includes events affecting Italy, Russia, and the United States.

Attacks, Threats, and Vulnerabilities

Kansas State, Clackamas Community College respond to cyberattacks (The Record) Kansas State University and a large community college near Portland, Oregon, each spent this week overcoming IT problems linked to cyberattacks.

Freehold Township district: All schools and offices closed Monday due to cybersecurity incident (News 12 - New Jersey) School officials sent out emails and voicemails to families and staff explaining the district was experiencing technical issues due to the cybersecurity incident.

How a mistakenly published password exposed Mercedes-Benz source code | TechCrunch (TechCrunch) Mercedes accidentally exposed a trove of sensitive data after a leaked security key gave “unrestricted access” to company’s source code.

Security Patches, Mitigations, and Software Updates

Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins (Sonar) This blog uncovers two vulnerabilities, a Critical and High severity, recently discovered by our research team. Exploiting these vulnerabilities, attackers have the potential to gain Remote Code Execution on a Jenkins instance.

Marketplace

Airbus in talks to acquire big data and cybersecurity branch of Atos (InCyber) On January 3, 2024, Atos provided an update on the situation, confirming they had entered negotiations with Airbus about their BDS (big data and cybersecurity). In their press release, the French tech group explained the financial constraints weighing on the company, particularly the settlement and refinancing of its debt.

Products, Services, and Solutions

Fortinet introduces secure networking solution with WiFi 7 integration - Back End News (Back End News) Fortinet's Secure Networking solution promises to not only support WiFi 7 but also offer enterprise-grade protection and AI-powered security.

ExtraHop expands partnership with CrowdStrike for enhanced cloud security (ChannelLife Australia) ExtraHop expands its partnership with CrowdStrike, enabling Reveal(x) customers to store records in CrowdStrike Falcon LogScale as businesses seek efficient security tools amidst shifting cybersecurity threats.

Technologies, Techniques, and Standards

HHS debuts voluntary cybersecurity performance goals to enhance healthcare sector resilience - Industrial Cyber (Industrial Cyber) US HHS debuts voluntary cybersecurity performance goals to enhance healthcare sector resilience, improve security posture.

Litigation, Investigation, and Law Enforcement

DHS employees jailed for stealing data of 200K U.S. govt workers (BleepingComputer) Three former Department of Homeland Security (DHS) employees were sentenced to prison for stealing proprietary U.S. government software and databases containing the personal data of 200,000 federal employees.

Lawyer gets 10-year sentence for laundering OneCoin scam proceeds (The Record) A lawyer convicted of laundering more than $400 million of proceeds from the fraudulent OneCoin cryptocurrency scam was sentenced to 10 years in U.S. federal prison on Thursday.

Police Arrest Teen Said to Be Linked to Hundreds of Swatting Attacks (WIRED) A California teenager who allegedly used the handle Torswats to carry out a nationwide swatting campaign is being extradited to Florida to face felony charges, WIRED has learned.

Don’t Delete Slack or Signal Chats, US Agencies Warn Companies (Bloomberg Law) As more employees use instant messaging at work in lieu of email, federal antitrust enforcers issued a warning Friday: Companies under investigation must turn over those records.

Dark Web Drugs Vendor Forfeits $150m After Guilty Plea (Infosecurity Magazine) Drug trafficker Banmeet Singh made $150m in cryptocurrency from dark web sales

SolarWinds Seeks Dismissal of ‘Unfounded’ SEC Cybersecurity Suit (DataBreaches.net) Skye Witley reports: SolarWinds Corp. issued a full-throated denial of wrongdoing in how it handled one of the worst cyberattacks in history in a Friday court...

US court rejects NSO Group's plea to dismiss Apple's Pegasus suit (MediaNama) NSO had asked the court to dismiss the complaints, stating that it was based in Israel and Apple should have sued them there instead.

OpenAI's ChatGPT breaches privacy rules, says Italian watchdog (Yahoo Finance) MILAN (Reuters) -Italy's data protection authority has told OpenAI that its artificial intelligence chatbot application ChatGPT breaches data protection rules, the watchdog said on Monday as it presses ahead with an investigation started last year. The authority, known as Garante, is one of the European Union's most proactive in assessing AI platform compliance with the bloc's data privacy regime. Last year it banned ChatGPT over alleged breaches of EU privacy rules.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

Improve Spear Phishing Detection With AI (Virtual, Jan 30 - 31, 2024) Phishing remains one of the costliest attack vectors. Spear phishing, a more targeted form of phishing, is very convincing and poses a great risk to organizations. As threat actors crank up the volume of spear phishing attacks, companies are increasingly embracing AI for cybersecurity. Join this webinar to learn how NVIDIA’s AI technologies, along with ecosystem partners, can help organizations build powerful solutions to defend against cyber threats.

Insider Threat Program Development, Management & Optimization Training Course (Laurel, Maryland, USA, Jan 30 - 31, 2024) This highly sought after and very comprehensive 2 day training course will ensure that the Insider Threat Program (ITP) Manager and others who support the ITP (Insider Threat Analyst, FSO, CSO, CISO, Human Resources, CIO - IT, Network Security, Counterintelligence Investigators, Behavioral Science Professionals, Legal Etc.), have the Core Knowledge, Blueprint, Resources needed for developing, managing, enhancing an ITP / ITP Working Group.

SANS Tysons Corner – NOVA 2024 (Tysons Corner, Virginia, USA, Feb 5 - 10, 2024) At SANS Tysons Corner-NOVA 2024, choose from 41 interactive courses with hands-on labs. Practice your skills and compete against your peers during NetWars Tournaments, and network with your instructor and industry colleagues in real-time. Each course includes electronic and printed books, and several courses align with GIAC certifications!

SANS San Diego 2024 (San Diego (and virtual), California, USA, Feb 12 - 17, 2024) At SANS San Diego 2024, choose from 41 interactive courses with hands-on labs. Practice your skills and compete against your peers during NetWars Tournaments, and network with your instructor and industry colleagues in real-time. Each course includes electronic and printed books, and several courses align with GIAC certifications!

SANS Security East New Orleans 2024 (New Orleans, and virtual, Louisiana, USA, Feb 19 - 24, 2024) At SANS Security East New Orleans 2024, choose from 41 interactive courses with hands-on labs. Practice your skills and compete against your peers during NetWars Tournaments, and network with your instructor and industry colleagues in real-time. Each course includes electronic and printed books, and several courses align with GIAC certifications!

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 01.29.24