The CyberWire Daily Podcast 1.31.24
Ep 1994 | 1.31.24

VPN compromise causes concerns.

Transcript

Global Affairs Canada investigates a major data breach. New York sues Citibank over inadequate online security. Alpha ransomware launches a dedicated leak site on the dark web. A leaked database with 50 million records may or may not be real. CISA and the FBI provide guidance for SOHO routers. Patch ‘em if ya got ‘em. Krustyloader exploits Ivanti weaknesses. Unit 42 tracks a large-scale scareware campaign. Alex Stamos calls Microsoft’s security strategies “morally indefensible”. Our guests are Gianna Whitver and Maria Velasquez from the Cybersecurity Marketing Society to talk about their new podcast "Breaking Through in Cybersecurity Marketing". And do you have what it takes to protect his majesty’s royal laptop?

Today is January 31st, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Global Affairs Canada investigates a major data breach.

Global Affairs Canada (GAC) is investigating a major data breach caused by the compromise of one of its Virtual Private Networks (VPN), affecting employee data and emails. The breach began around December 20, 2023, and was only discovered on January 24, just about a week ago. Hackers accessed emails and files on both personal and shared drives of employees who used SIGNET laptops to connect remotely to GAC servers during this period.

The department publicly acknowledged the breach following inquiries from the National Post, confirming it as a result of "malicious cyber activity." The exact scale and timeline of the breach are still under investigation.

In response, GAC disabled the compromised VPN and asked employees to reset passwords and encryption keys. Critical services and external communication channels remain operational. The breach was reported to the Federal Privacy Commissioner, as required for significant personal information breaches.

This incident marks the second major cyberattack on GAC in two years, with the previous one in early 2022 suspected to be a Russia-backed cyber threat, although not officially confirmed by the government.

New York sues Citibank over inadequate online security.

New York Attorney General Letitia James has filed a lawsuit against Citibank, accusing the bank of failing to reimburse scam victims and employing inadequate online security measures. The lawsuit alleges that Citi's weak protections have led to unauthorized account takeovers and that the bank has misled customers about their rights following hacks and thefts. Victims, including those who lost life savings and college funds, were denied reimbursement despite Citi's insufficient data security and ineffective response to fraud alerts.

The case cites instances where large wire transfers by scammers were approved without direct contact with customers. In one case, a woman lost $35,000, and in another, a customer lost $40,000 due to unauthorized wire transfers. Citi defends its practices, stating that banks are not obligated to refund clients who follow criminals' instructions, but acknowledges an increase in wire fraud.

The lawsuit argues that under the Electronic Fund Transfer Act, Citi is required to reimburse unauthorized debits and seeks a permanent injunction, an accounting of customer losses, restitution, damages, and civil penalties. Citibank claims to have implemented leading security protocols and fraud prevention tools, reducing client wire fraud losses.

Alpha ransomware launches a dedicated leak site on the dark web.

Security firm Netenrich notes that Alpha ransomware, a new group distinct from ALPHV ransomware, has recently launched its Dedicated/Data Leak Site (DLS) on the Dark Web, listing data from six victims. This group has been active since May 2023. As of now, Alpha ransomware isn’t prevalent, with low infection rates and no active sample available for analysis. The group's ransom demands lack consistency, suggesting they are skilled yet amateurish in the ransomware arena.

More victims are expected as Alpha ransomware gains visibility and leaves more digital footprints. Continued monitoring is crucial for understanding and countering this emerging threat. 

A leaked database with 50 million records may or may not be real. 

A database purportedly containing 50 million records from Europcar was offered for sale on a hacking forum, raising concerns about a major data breach. However, Europcar has declared the database fake, noting discrepancies and inconsistencies in the data. According to Europcar, the sample data, including email addresses, did not match their records. They suggested the data might have been generated using AI, pointing out anomalies like non-existent addresses and mismatched ZIP codes.

Security researcher Huseyin Can Yuceel from Picus Security suggested the incident was more of a social engineering attack than an actual data breach, possibly using AI-generated fake data to pressure Europcar into paying a ransom. While the authenticity of the data remains unverified, the incident has raised questions about AI's role in cyber-attacks and the need for businesses to adjust their incident response strategies accordingly.

Troy Hunt, founder of Have I Been Pwned, cautioned against concluding that AI was used, noting that many email addresses in the database were from previous breaches. 

CISA and the FBI provide guidance for SOHO routers.

Today, CISA and the FBI released guidance for small office/home office (SOHO) device manufacturers as part of the Secure by Design (SbD) Alert series. This guidance aims to shift the security burden away from customers by incorporating security into product design and development. The focus is on preventing the China-sponsored Volt Typhoon group from compromising SOHO routers. 

Additionally, manufacturers are encouraged to disclose vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program and provide accurate Common Weakness Enumeration (CWE) classifications. The Alert also emphasizes the importance of incentive structures that prioritize security in product design and development.

Patch ‘em if ya got ‘em.

Not quite a month into 2024, major tech companies have been busy addressing critical security vulnerabilities. Apple rolled out iOS 17.3, addressing an exploited WebKit flaw and introducing Stolen Device Protection. Meanwhile, Google patched several Android system vulnerabilities and addressed an actively exploited Chrome bug (CVE-2024-0519). Microsoft's January Patch Tuesday targeted around 50 vulnerabilities, including critical flaws in Office and Windows Kerberos. Mozilla Firefox fixed 15 issues, with five rated high severity. In the enterprise domain, Cisco and SAP released fixes for significant vulnerabilities, including a high-risk Cisco bug (CVE-2024-20253) allowing remote code execution. 

Krustyloader exploits Ivanti weaknesses.

Software firm Ivanti recently identified that hackers were exploiting two zero-day vulnerabilities in its Connect Secure and Policy Secure software. These vulnerabilities allowed remote command execution on targeted gateways. 

Researchers from cybersecurity firm Synacktiv say that threat actors are actively exploiting these vulnerabilities globally, targeting a wide range of industries including government, military, telecommunications, technology, finance, and aerospace. The attacks have resulted in the deployment of cryptocurrency miners and Rust-based malware, notably the KrustyLoader, which downloads a Golang-based Sliver backdoor. Sliver, gaining popularity among hackers, provides advanced control capabilities. Ivanti is working on patches, and cybersecurity researchers have released detection tools and rules for the KrustyLoader.

Unit 42 tracks a large-scale scareware campaign. 

Researchers from Palo Alto’s Unit 42 uncovered a large-scale campaign named ApateWeb, involving over 130,000 domains used to distribute scareware, potentially unwanted programs (PUPs), and scam pages. This campaign, active since 2022, employs deceptive emails and JavaScript on websites to redirect users to harmful content. ApateWeb's sophisticated infrastructure utilizes multiple redirections and is controlled by a central group employing tactics like cloaking and wildcard DNS abuse to evade detection.

The campaign has significant reach, impacting users globally, with millions of monthly hits from the U.S., Europe, and Asia. In November 2023 alone, about 3.5 million sessions were blocked across nearly 75 thousand devices. 

Alex Stamos calls Microsoft’s security strategies “morally indefensible”.

An editorial from Alex Stamos, Chief Trust Officer at SentinelOne and former Facebook CSO, discusses Microsoft's handling of a security breach, known as Midnight Blizzard, conducted by Russian intelligence services. Stamos criticizes Microsoft for downplaying the breach's severity, which involved exploiting vulnerabilities in Azure Active Directory and Microsoft 365, affecting multiple companies. He highlights the complexity of AzureAD and its vulnerability to hybrid deployment attacks. The editorial also accuses Microsoft of using the breach to upsell their security products, like Microsoft Entra ID Protection and Purview Audit, calling it morally indefensible. Stamos argues that Microsoft's approach to security, treating it as a separate profit center, undermines the safety of their products. He advocates for secure-by-default products with all necessary security features included. He urges Microsoft to reassess its approach to cybersecurity.

We note that Microsoft is a CyberWire partner.


Up next, I speak with the newest members of the N2K network, Gianna Whitver and Maria Velasquez from the Cybersecurity Marketing Society. Their podcast "Breaking Through in Cybersecurity Marketing" is joining the N2K network today.


Do you have what it takes to protect his majesty’s royal laptop?

And finally, Graham Cluley points out that the UK’s Royal Household is seeking a Cyber Security Manager to protect King Charles, his family, and staff from digital threats. Based in Buckingham Palace, the role entails leading the Cyber Risk Management strategy and the Cyber Security framework in alignment with best practices. Responsibilities include managing an in-house team, fostering a secure-by-design culture in collaboration with the Enterprise Architecture team, and liaising with external experts like the National Cyber Security Centre. As a subject matter expert, the manager will also promote cybersecurity awareness and ensure compliance. Despite the high-profile nature of the job, the starting salary is £75,000 for a 37.5-hour workweek, which is modest considering London's cost of living. Perks include discounts at Royal Collection Trust Shops and free admission tickets, although these might not compensate for the demanding nature of the job and relatively low pay.

One can only imagine what his majesty’s royal browser history contains…

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.