The CyberWire Daily Podcast 1.25.24
Ep 1990 | 1.25.24

Another day, another Blizzard attack.

Transcript

Cozy Bear breaches Hewlett Packard Enterprise. An investigation reveals global surveillance based on digital advertising. Cisco patches critical vulnerabilities. Meta aims to enhance the online safety of minors. iOS notifications are exploited for tracking. EquiLend’s systems go offline after a cyberattack. A DC theater faced financial crisis after seeing their bank account drained. Critical infrastructure is targeted in Ukraine. The latest insights on ransomware. Guest Lance Hood joins us from TransUnion to share how fraud attacks on financial industry call centers are rising. And Teslas get POwned in Tokyo.

Today is January 25th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Cozy Bear breaches Hewlett Packard Enterprise.

Hewlett Packard Enterprise Co. (HPE) disclosed to the SEC that they suffered a data breach by Russia’s Cozy Bear, also known as Midnight Blizzard or APT29. The breach was reported on December 12 and involved unauthorized access to HPE's cloud-based email environment, starting from May 2023. Cozy Bear is linked to Russia’s Foreign Intelligence Service (SVR) and has been responsible for significant cyber attacks, including the 2020 SolarWinds hack and the 2016 Democratic National Committee attack.

HPE initiated an immediate response with external cybersecurity experts to investigate, contain, and remediate the incident. The attackers targeted a small number of HPE mailboxes across various company functions. The company believes this incident is connected to a previous unauthorized access in June 2023, involving a limited number of SharePoint files.

Despite the breach, HPE reported no material impact on their operations or financial condition. They are continuing their investigation in collaboration with law enforcement and plan to notify affected individuals. This breach follows a similar incident at Microsoft, where Cozy Bear hacked senior leaders' email accounts starting in November 2023.

An investigation reveals global surveillance based on digital advertising. 

An investigation led by Joseph Cox at 404 Media has revealed that hundreds of thousands of common apps, including 9gag, Kik, and various caller ID apps, are part of a global surveillance system. This system begins with in-app ads and culminates in a mass monitoring tool called Patternz, which is marketed to national security agencies. Patternz can track users' locations, hobbies, family members, and build extensive profiles. The surveillance capability stems from the real-time bidding data supply chain in digital advertising, involving both small ad firms and giants like Google.

Patternz, created as a homeland security platform, can gather detailed information about individuals from app data, including GPS coordinates, app usage, phone type, and even the individual's interests. This tool monitors on a massive scale, processing over 90 terabytes of data daily from around 600,000 apps. Unlike traditional app tracking, Patternz does not require direct involvement from app developers; instead, it operates through ad networks and platforms integrated into the apps.

Google and PubMatic have severed ties with a company linked to Patternz following queries from 404 Media. Despite this, the investigation raises significant concerns about the misuse of advertising technology for government surveillance and the lack of oversight in data sharing within the real-time bidding ecosystem. 
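The real-time bidding supply chain described in this segment is what makes a tool like Patternz possible, so here is an added editorial example (not part of the transcript, of 404 Media's reporting, or of Patternz) showing what a single OpenRTB bid request hands to every bidder that receives it, whether or not that bidder wins the auction, and how requests from one device join into a location and app history on the advertising identifier. The object names follow the public OpenRTB 2.x layout (app, device, device.geo, user); every identifier, IP address and coordinate is constructed, the imp object is omitted for brevity, and the redact_for_bidding function is an illustrative exchange-side mitigation, not anything the page describes.

```python
"""What one OpenRTB bid request exposes to every bidder, and how requests merge.

Added editorial example; not code from 404 Media, Patternz or any ad platform.
Object names follow the public OpenRTB 2.x layout; all values are constructed.
"""
import copy

# Three constructed bid requests as an exchange would fan them out to bidders,
# tagged with the time the bidder saw them. The first two share one device.
SAMPLE_OBSERVATIONS = [
    ("2024-01-25T08:02:11Z", {
        "id": "req-0001",
        "app": {"bundle": "com.example.flashlight", "name": "Flashlight Pro"},
        "device": {
            "ip": "198.51.100.23", "ifa": "3F2504E0-4F89-11D3-9A0C-0305E82C3301",
            "make": "Apple", "model": "iPhone15,2", "os": "iOS", "osv": "17.2",
            "geo": {"lat": 38.9072, "lon": -77.0369, "type": 1, "country": "USA"},
        },
        "user": {"id": "u-7781"},
    }),
    ("2024-01-25T19:40:03Z", {
        "id": "req-0002",
        "app": {"bundle": "com.example.callerid", "name": "Who Called"},
        "device": {
            "ip": "203.0.113.8", "ifa": "3F2504E0-4F89-11D3-9A0C-0305E82C3301",
            "make": "Apple", "model": "iPhone15,2", "os": "iOS", "osv": "17.2",
            "geo": {"lat": 38.9339, "lon": -77.1773, "type": 2, "country": "USA"},
        },
    }),
    ("2024-01-25T19:41:50Z", {
        "id": "req-0003",
        "app": {"bundle": "com.example.memes", "name": "Meme Feed"},
        "device": {
            "ip": "192.0.2.77", "ifa": "9B1DEB4D-3B7D-4BAD-9BDD-2B0D7B3DCB6D",
            "make": "Samsung", "model": "SM-S918B", "os": "Android", "osv": "14",
            "geo": {"lat": 51.5074, "lon": -0.1278, "type": 1, "country": "GBR"},
        },
    }),
]


def extract_profile_fields(request: dict):
    """Fields of one bid request that identify, locate and characterise the
    user. Returns None when there is no advertising identifier to join on."""
    device = request.get("device", {})
    geo = device.get("geo", {})
    ifa = device.get("ifa")
    if not ifa:
        return None
    return {
        "ifa": ifa,
        "user_id": request.get("user", {}).get("id"),
        "ip": device.get("ip"),
        "app_bundle": request.get("app", {}).get("bundle"),
        "device": {k: device.get(k) for k in ("make", "model", "os", "osv")},
        # geo.type per the spec: 1 = GPS/location services, 2 = IP geolocation,
        # 3 = user-provided, so the recipient knows how precise each fix is.
        "location": (geo["lat"], geo["lon"], geo.get("type"))
        if "lat" in geo and "lon" in geo else None,
    }


def build_profiles(observations) -> dict:
    """Merge (observed_at, request) pairs into per-device profiles keyed on ifa."""
    profiles = {}
    for observed_at, req in observations:
        fields = extract_profile_fields(req)
        if fields is None:
            continue
        prof = profiles.setdefault(fields["ifa"], {
            "device": fields["device"], "apps": set(), "ips": set(),
            "user_ids": set(), "locations": [],
        })
        if fields["app_bundle"]:
            prof["apps"].add(fields["app_bundle"])
        if fields["ip"]:
            prof["ips"].add(fields["ip"])
        if fields["user_id"]:
            prof["user_ids"].add(fields["user_id"])
        if fields["location"]:
            prof["locations"].append((observed_at, *fields["location"]))
    return profiles


def redact_for_bidding(request: dict, decimals: int = 2) -> dict:
    """Illustrative exchange-side minimisation (an assumption of this example,
    not something the page describes): drop the join keys, coarsen location."""
    r = copy.deepcopy(request)
    device = r.get("device", {})
    device.pop("ifa", None)
    device.pop("ip", None)
    geo = device.get("geo", {})
    for k in ("lat", "lon"):
        if k in geo:
            geo[k] = round(geo[k], decimals)
    r.pop("user", None)
    return r
```

Running build_profiles over the three requests yields two profiles; the iPhone's profile carries both app bundles, both IPs, the user id and an ordered list of two location fixes, one GPS-grade and one IP-derived. Running it over the redacted copies yields nothing, because without the ifa there is no key to join on, which is why that identifier, not the ad itself, is the linchpin of this kind of surveillance.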

Cisco patches critical vulnerabilities.

Cisco has released patches for a critical vulnerability in several of its Unified Communications and Contact Center Solutions products. This flaw arises from improper processing of user-provided data, which can lead to arbitrary command execution with web services user privileges. Attackers exploiting this vulnerability could potentially gain root access to devices. Affected products include Packaged Contact Center Enterprise, various Unified Communications Manager versions, Unified Contact Center Express, Unity Connection, and Virtualized Voice Browser. While there are no workarounds, Cisco recommends updating to the patched versions immediately and suggests using access control lists (ACLs) as a mitigation strategy. Additionally, Cisco released patches for medium-severity flaws in Business 250 and 350 series switches, and an XSS vulnerability in Unity Connection. Cisco is currently unaware of any malicious exploitation of these vulnerabilities.

Meta aims to enhance the online safety of minors. 

Meta is implementing new measures it claims will enhance the online safety of minors on Instagram and Facebook Messenger. The updates will automatically restrict users under 16 (or under 18 in certain regions) from receiving messages or being added to group chats by individuals they don't follow or aren't connected with. These rules apply to all users, regardless of age, expanding beyond the previous limitations that only affected adults over 19. Instagram will notify users about these changes through a message in their Feed.

Additionally, Meta is enhancing parental supervision tools on Instagram. Parents will now have to approve or deny their child's requests to change safety and privacy settings, giving them direct control over whether their child can switch their profile from private to public.

Furthermore, Meta is developing a feature to shield users from receiving unwanted or inappropriate images in messages, even in encrypted chats. This feature aims to protect users from such content from people they are already connected with and discourage senders from sharing such material. While there's no set launch date, more details are expected later this year.

iOS notifications are exploited for tracking.

Security researcher Tommy Mysk has revealed that several popular iOS apps, including TikTok, Facebook, Twitter, LinkedIn, and Bing, are covertly using iPhone push notifications to send data about users. These apps are using the short background execution time allowed for notification customization to transmit analytics information. This practice bypasses iOS's usual limitations on background app activities, which are in place to protect user privacy and optimize device performance. The data sent includes unique device information for fingerprinting, a technique for creating user-specific identifiers based on hardware and software configurations. This identifier can track user activities across different apps for purposes like targeted advertising. Apple, which traditionally opposes fingerprinting, plans to require developers to justify their need for access to APIs commonly used for this purpose in an upcoming release.

EquiLend’s systems go offline after a cyberattack.

EquiLend, a financial technology firm established by major global financial institutions, has experienced a cyberattack, leading to several of its systems going offline. The company, which plays a key role in the securities finance industry with its NGT platform handling over $2.4 trillion in transactions monthly, identified the issue on January 22 and later confirmed it as a cyberattack. Immediate steps were taken to secure systems and efforts to restore services are ongoing, with external cybersecurity firms assisting in the investigation and recovery. Clients have been informed that the recovery process may take several days. During this downtime, financial institutions may need to resort to manual processes.

A DC theater faced financial crisis after seeing their bank account drained.

The GALA Hispanic Theatre in Northwest Washington D.C. faced a financial crisis after hackers drained its bank account on January 11, stealing over $250,000. The cyberattack severely impacted the theater's operations, leaving them unable to pay their artists and crew. The recovery process for the stolen funds was expected to be lengthy, with the theater's bank indicating it could take up to eight months. However, following widespread media coverage, the theater’s bank has agreed to restore access to their funds. 

Critical infrastructure is targeted in Ukraine. 

Turning to Russia’s war on Ukraine, several state-owned Ukrainian critical infrastructure companies, including the national postal service provider, Ukraine's largest state-owned oil and gas company, and the state railway, have reported cyberattacks on their systems.

The National Cyber Army, a Russian group of cyber volunteers, claimed responsibility for the attack on Ukraine’s transportation safety agency, but did not mention the other incidents. This wave of cyberattacks follows recent attacks on Ukraine’s online bank Monobank and the largest telecom operator, Kyivstar, both attributed to Russian state-sponsored hackers. The aim of these attacks appears to be causing disruption, psychological impact, and intelligence gathering.

The latest insights on ransomware.

The ransomware threat landscape is detailed in a report by the Symantec Threat Hunter Team. The report notes a pivotal shift in attack strategies, with cybercriminals now favoring the exploitation of vulnerabilities in public-facing applications over using botnets. Additionally, there's a growing trend of attackers using legitimate software and operating system features, particularly within the Windows environment, employing tools like PsExec, PowerShell, and WMI. This 'living off the land' technique is complemented by the introduction of remote desktop and administration software into targeted networks. Notably, the Snakefly group (Clop) has showcased a novel extortion approach by exploiting zero-day vulnerabilities in enterprise software to simultaneously attack multiple organizations.

Staying with ransomware, a study led by Tom Meurs from the University of Twente, which analyzed ransomware attacks in the Netherlands from 2019 to 2022, found several key factors that influence whether a company is likely to pay a ransom. The study found that companies working with third-party incident response firms were more inclined to pay ransoms, with a significantly higher likelihood compared to those that only reported incidents to the police. Additionally, companies with insurance coverage tended to pay substantially higher ransoms, potentially due to the moral hazard posed by insurance. Interestingly, companies with data backups were less likely to pay, but when they did, their payments were higher than those without backups. This trend suggests that companies with valuable data are more prepared for cyberattacks yet face higher ransom demands. The study also observed that companies are more likely to pay ransoms in cases of data exfiltration, with these payments being considerably higher. Furthermore, IT companies, despite having high rates of backups, were identified as lucrative targets for ransomware actors due to their critical role and the cascading impact of attacks on their clients.
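The 'living off the land' pattern in the Symantec segment above (PsExec, PowerShell and WMI, complemented by remote administration software) is easier to hunt for than to describe, so here is an added editorial example in Python, not code from the Symantec report or from the podcast. It flags, in process-creation telemetry, PsExec's service binary, PowerShell run hidden or with an encoded command (which it decodes), shells spawned under the WMI provider host, wmic remote execution, shadow-copy deletion, and installation of remote admin tools, then names the hosts where more than one of these techniques fired, since any one of them alone is also routine administration. The log lines are constructed to resemble flattened Windows event 4688 / Sysmon event 1 fields and are not real telemetry; the remote-admin tool list is a sample, not an authoritative one.

```python
"""Flag 'living off the land' ransomware precursors in process-creation logs.

Added editorial example; not from the Symantec report or the podcast.
SAMPLE_LOG is constructed (flattened 4688 / Sysmon event 1 style fields),
not real telemetry.
"""
import base64
import re
from dataclasses import dataclass

# Encoded command built here so the sample log line is exact (UTF-16LE base64,
# which is what powershell.exe -EncodedCommand expects).
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16le")).decode()

SAMPLE_LOG = f"""\
host=FS01 parent=services.exe image=C:\\Windows\\PSEXESVC.exe cmdline="C:\\Windows\\PSEXESVC.exe"
host=FS01 parent=PSEXESVC.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet"
host=WS17 parent=explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -nop -w hidden -enc {ENCODED}"
host=WS17 parent=WmiPrvSE.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c whoami"
host=DC01 parent=services.exe image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs"
host=WS22 parent=explorer.exe image=C:\\Program Files\\AnyDesk\\AnyDesk.exe cmdline="AnyDesk.exe --install"
host=WS22 parent=cmd.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic /node:FS01 process call create cmd.exe"
"""

LINE_RE = re.compile(
    r'^host=(?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Sample list of remote admin tools seen alongside LOTL activity; extend as needed.
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "screenconnect.client.exe", "teamviewer.exe", "atera.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_lotl(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, cmd = m["host"], m["cmdline"]
        parent, image = basename(m["parent"]), basename(m["image"])
        low = cmd.lower()
        # PsExec copies PSEXESVC.exe to the target and runs it as a service.
        if image == "psexesvc.exe" or parent == "psexesvc.exe":
            findings.append(Finding(host, "psexec_service", f"{image} spawned by {parent}"))
        # PowerShell run hidden and/or with an encoded command.
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmd)
            if decoded is not None or re.search(r"-w(?:indowstyle)?\s+hidden", low):
                findings.append(Finding(host, "powershell_encoded", decoded or cmd))
        # WMI execution: the provider host spawns a shell, or wmic targets another node.
        if parent == "wmiprvse.exe" and image in SHELLS:
            findings.append(Finding(host, "wmi_spawned_shell", cmd))
        if image == "wmic.exe" and "/node:" in low and "process call create" in low:
            findings.append(Finding(host, "wmic_remote_exec", cmd))
        # Backup destruction ahead of encryption.
        if ("vssadmin" in low and "delete shadows" in low) or "shadowcopy delete" in low:
            findings.append(Finding(host, "shadow_copy_deletion", cmd))
        if image in REMOTE_ADMIN_TOOLS:
            findings.append(Finding(host, "remote_admin_tool", f"{image} {cmd}"))
    return findings


def hosts_with_multiple_techniques(findings, minimum: int = 2) -> list:
    """Hosts where at least `minimum` distinct rules fired; single hits are
    often legitimate administration, combinations rarely are."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= minimum)


if __name__ == "__main__":
    hits = detect_lotl(SAMPLE_LOG)
    for f in hits:
        print(f"{f.host:5} {f.rule:22} {f.detail}")
    print("escalate:", hosts_with_multiple_techniques(hits))
```

On the sample, FS01, WS17 and WS22 each trip two different rules and are escalated, while DC01's ordinary service host is ignored. The per-host combination is the point: the report's observation is that attackers chain several benign-looking built-ins, so detections keyed on any single tool either drown in administrator noise or get tuned out.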

Coming up is my discussion with Lance Hood of TransUnion about the rise in fraud attacks on financial industry call centers.

Teslas get POwned in Tokyo.

And finally, at the Pwn2Own Automotive event, held alongside the Automotive World conference in Tokyo, the Synacktiv team has taken a notable lead, earning $430,000 in the first two days, with significant achievements in exploiting Tesla vehicles. On day one, they successfully hacked the Tesla modem, earning them $100,000, followed by another $100,000 on day two for breaching the Tesla infotainment system. Additionally, they secured $35,000 for exploiting Automotive Grade Linux using a three-bug exploit chain.

Other participants also earned notable rewards, though smaller in comparison. Successful exploits of Phoenix Contact, ChargePoint, Autel, and JuiceBox EV chargers each garnered $30,000. Hacks involving the Alpine infotainment system and a partially successful Autel EV charger exploit were awarded $20,000 each.

Lower bounties, ranging from $10,000 to $15,000, were given for partially successful EV charger and infotainment exploits, especially those involving previously known vulnerabilities.

The event's final day includes seven attempts to hack EV chargers and two infotainment system exploits. This inaugural automotive-focused Pwn2Own has already seen payouts exceeding $1 million in just its first two days.

It goes to show that no matter how fast a Tesla may be, it still cannot outrun the speed of the Synacktiv hacking team.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Hey CyberWire listeners, as we near the end of the year, it’s the perfect time to reflect on your company’s achievements and set new goals to boost your brand across the industry next year. We’d love to help you achieve those goals. We’ve got some unique end-of-year opportunities, complete with special incentives to launch 2024. So tell your marketing team to reach out! Send us a message to sales@thecyberwire.com or visit our website so we can connect about building a program to meet your goals.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.