The CyberWire Daily Podcast 1.23.24
Ep 1988 | 1.23.24

The mother of all data breaches.

Transcript

The mother of all data breaches. CISA director Easterly is the victim of a swatting incident. An AI robocall in New Hampshire seeks to sway the election. Australia sanctions an alleged Russian cyber-crime operator. Atlassian Confluence servers are under active exploitation. Apple patches a WebKit zero-day. Black Basta hits a major UK water provider. Hackers who targeted an Indian ISP launch an online search portal. A Massachusetts hospital suffered a Christmas Day ransomware attack. Ann Johnson, host of the Afternoon Cyber Tea podcast, speaks with Caitlin Sarian, known to many as Cybersecurity Girl. And HP claims bricked printers are a security feature, not a bug.

Today is January 23rd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The mother of all data breaches.

We begin today with reporting from CyberNews on a colossal data leak known as the "Mother of all Breaches" (MOAB). It contains a staggering 26 billion records across 12 terabytes of data. This leak amalgamates information from numerous previous breaches, including major platforms like LinkedIn, Twitter, Weibo, and Tencent. Cybersecurity expert Bob Dyachenko, in collaboration with the Cybernews team, discovered this massive leak, which likely constitutes the largest of its kind to date.

The MOAB comprises data from over 3,800 distinct data breaches, each represented by a separate folder in the leak. Notably, this collection includes not only data from past breaches but potentially also previously unpublished information, raising serious concerns about the extent of its impact. Researchers speculate that the owner of the MOAB, possibly a malicious actor, data broker, or a data-intensive service, was likely aggregating this data for nefarious purposes.

The leak poses significant risks, as it includes sensitive information beyond mere credentials, making it a treasure trove for identity theft, phishing schemes, and other targeted cyberattacks. Among the leaked records are hundreds of millions from various companies and government organizations worldwide. The implications for consumers are alarming, especially considering the common practice of reusing usernames and passwords, which could lead to widespread credential-stuffing attacks.

Despite this particular proverbial horse being out of the barn, experts stress the importance of robust cyber hygiene practices, such as using strong, unique passwords, enabling multi-factor authentication, being vigilant against phishing attempts, and promptly updating security for accounts with reused passwords.

CISA director Easterly is the victim of a swatting incident. 

In an alarming incident, Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency (CISA), became a victim of 'swatting' at her home in Arlington County, Virginia. This malicious act involved a false 911 call claiming a shooting at her residence. Fortunately, no injuries or actual incidents were reported. This case is part of a growing trend of swatting attacks targeting public officials and government figures across the United States.

White House Press Secretary Karine Jean-Pierre condemned these actions, and Senator Rick Scott proposed legislation for stricter penalties against such hoaxes. CISA, integral in safeguarding U.S. elections and infrastructure, has faced threats and conspiracy theories, particularly from far-right groups, due to its role in countering misinformation and protecting election integrity. This has led to legal challenges and debates over free speech and the role of government in regulating online content. The increasing use of swatting as a tool for targeting government officials and institutions raises significant concerns about its strategic and abusive use in the digital realm.

An AI robocall in New Hampshire seeks to sway the election.

The New Hampshire Attorney General's Office is investigating a robocall incident that used AI-generated voice technology to mimic President Joe Biden, aiming to dissuade voters from participating in the state's primary election. Here’s a sample of the call. This false message urged voters to "save your vote" for the November election, misleadingly stating that voting on Tuesday supports Donald Trump's re-election.

The call appeared to originate from Kathy Sullivan, a former state Democratic Party chair, but she denied any involvement, labeling it as election interference and harassment. The White House confirmed the call was fake, and Biden's campaign manager condemned the spread of disinformation, emphasizing the importance of combating attempts to undermine democracy.

This incident reflects a growing concern about the use of generative AI and deepfake technology in elections. The misuse of AI in political contexts has been observed globally, raising alarms about the potential impact on election integrity. U.S. lawmakers and federal agencies are yet to pass comprehensive legislation to regulate AI's role in politics, despite its increasing influence and the potential for misinformation. 

Australia sanctions an alleged Russian cyber-crime operator. 

Aleksandr Ermakov, a Russian national, has been sanctioned by Australia for his involvement in the country's most severe data breach at Medibank, affecting 9.7 million Australians. In this landmark cyber attack, sensitive information, including abortion records, was stolen and publicly leaked. Ermakov, believed to be part of the notorious Russian cyber-crime gang REvil, faces financial penalties and a travel ban. Australian Home Affairs Minister Clare O'Neil condemned the act as a cowardly and significant violation of privacy. This is the first application of Australia's 2021 cyber sanctions legislation, targeting individuals linked to major online attacks. The breach, which exposed a wide range of personal data including medical records, led to Medibank refusing to pay a ransom and subsequent publication of stolen data online. The incident has sparked multiple class actions, citing inadequate protection of sensitive information by the firms involved.

Atlassian Confluence servers are under active exploitation. 

Security experts are witnessing increased attempts to exploit a critical vulnerability in outdated Atlassian Confluence servers. This remote code execution flaw, disclosed by Atlassian last week, affects versions released before December 5, 2023, including some unsupported ones. The vulnerability allows unauthenticated attackers to remotely execute code on vulnerable Confluence Data Center and Server endpoints across several versions.

Patches are available, and Shadowserver, a threat monitoring service, has recorded over 39,000 exploitation attempts, mainly from Russian IP addresses, targeting this flaw. These attackers typically use the 'whoami' command for callbacks to assess system access and privileges.

Currently, 11,100 Atlassian Confluence instances are detectable online, though not all are vulnerable. Given the high stakes, Confluence server administrators should urgently update their systems to versions released after December 5, 2023. For those using outdated instances, it's advised to assume potential compromise, check for exploitation signs, conduct thorough cleanups, and upgrade to secure versions. 

Apple patches a WebKit zero-day.

Apple has rolled out new versions of its operating systems, including iOS, iPadOS, tvOS 17.3, and macOS Sonoma. Users are strongly advised to update their devices promptly due to a critical security concern in WebKit, the engine powering Apple's web browser. This flaw, already exploited in some instances, allows malicious content to execute arbitrary code.

Beyond this, the updates bring several additional security enhancements. iOS 17.3, in particular, resolves various issues in different system components, including the Neural Engine, kernel, Mail, Safari, and Shortcuts. While these vulnerabilities were not reportedly exploited, patching them significantly bolsters the security of Apple devices against potential threats. 

Also new in iOS 17.3 is Stolen Device Protection, which makes it harder for crooks to alter an iPhone’s security settings. 

Black Basta hits a major UK water provider.

Major UK water provider Southern Water has confirmed a breach in its IT systems by the Black Basta ransomware group, resulting in the theft of data. The compromised information includes scans of identity documents, HR-related files, and corporate car-leasing documents, potentially affecting both employees and customers. The company, serving 2.5 million water and 4.7 million wastewater customers, assures that customer relations and financial systems remain unaffected, with normal service operations.

The company had previously detected suspicious activities and had initiated an investigation with independent cybersecurity experts. While a small portion of the data has been published online, Southern Water is yet to confirm the extent of customer or employee data compromise. The incident has been reported to the UK government, regulators, and the Information Commissioner's Office (ICO).

Hackers who targeted Indian ISP launch online search portal. 

Hackers responsible for the breach of major Indian ISP and cable TV operator Hathway have created a dark web search engine enabling potential victims to check if their personal information was compromised. The leaked database was initially offered for sale before being publicly released on Breach Forums. The breach, reportedly executed through a vulnerability in Hathway’s Laravel framework CMS, resulted in two files being leaked. The first, a 12GB file, supposedly contains personal details of over 41 million customers, though analysis suggests the actual number of unique, affected accounts is closer to 4 million after removing duplicates and dummy accounts. The second file, now deleted, also contained extensive personal and financial details of Hathway's employees and customers. The hackers go by the name 'dawnofdevil'.

A Massachusetts hospital suffered a Christmas Day ransomware attack.

The Anna Jaques Hospital (AJH) in Massachusetts was the target of a ransomware attack by the Money Message gang on Christmas Day. The cyberattack led to the compromise of 600GB of data and disruptions to the hospital's electronic health records system, causing ambulances to be diverted. AJH has acknowledged the attack and confirmed its immediate response to secure the environment.

Despite these challenges, the hospital has maintained full operational capacity, continuing to provide safe and effective patient care. 

 

Next up, we’ve got the host of Microsoft Security’s Afternoon Cyber Tea podcast, Ann Johnson, speaking with Caitlin Sarian, known to many as Cybersecurity Girl, a leading influencer with a cybersecurity-focused social presence.

 

HP claims bricked printers are a security feature, not a bug. 

And finally, last Thursday, HP CEO Enrique Lores addressed concerns over HP printers being rendered inoperable with third-party ink cartridges. He cited security risks, suggesting that viruses could be embedded in non-HP cartridges, potentially infecting printers and networks. This comes amidst a lawsuit against HP's Dynamic Security system, which prevents HP printers from working with cartridges lacking HP chips or circuitry.

Cybersecurity experts, however, express skepticism about the feasibility of such an attack. HP's own research through its bug bounty program suggested a theoretical risk, but there's no evidence of this kind of thing being executed in practice. 

The lawsuit against HP alleges that customers weren't informed about firmware updates bricking printers with third-party ink. It questions whether HP's actions are more about protecting intellectual property and driving subscription models than genuine security concerns. HP has been pushing its Instant Ink subscription service, and CEO Lores acknowledged the company's focus on making printing a subscription-based model.

I’m going to say that one more time. HP’s CEO acknowledged the company's focus on making printing a subscription-based model.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Irvin. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.