The CyberWire Daily Podcast 2.13.24
Ep 2003 | 2.13.24

Phishing threats unleashed.

Transcript

Attackers lock up Azure accounts with MFA. Bank of America alerts customers to a third party data breach. Malicious cyber activity targets elections worldwide. CISA highlights a vulnerability in Roundcube Webmail. Lawmakers introduce a bipartisan bill to enhance healthcare cybersecurity. Siemens and Schneider Electric address multiple industrial vulnerabilities. Perception in tech gender parity still has a ways to go. Dave Bittner speaks with guests Andrew Scott, Associate Director of China Operations at CISA, and Brett Leatherman, Section Chief for Cyber at the FBI, about Chinese threat actor Volt Typhoon. And the scourge of online obituary spam.

Today is February 13th, 2024. I’m not Dave Bittner. And this is your CyberWire Intel Briefing.

Attackers lock up Azure accounts with MFA.

An ongoing campaign is targeting hundreds of Microsoft Azure accounts, including those of senior executives, aiming to steal data and financial assets. Security firm Proofpoint discovered the attackers use sophisticated phishing techniques to compromise Azure environments, affecting a broad spectrum of roles globally. Once they gain access, attackers register their own multifactor authentication (MFA) method on the account to hinder password changes or access review by victims. Post-compromise actions include data exfiltration, internal and external phishing for lateral movement, financial fraud attempts, and creating mailbox rules to hide malicious activities. The attackers use proxies to match their IPs' geographic location with their targets and employ compromised domains and data hosting services to obfuscate their operations. Indicators of compromise involve specific user agents and domains, with some proxy services tracing back to Russia and Nigeria, though no specific threat actor has been identified by Proofpoint. Organizations are advised to monitor user agents and source domains for signs of compromise and employ security defenses against both initial and post-compromise activities.
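One way to operationalize that monitoring advice, as an added example that is not from Proofpoint or the podcast: the script below correlates constructed audit-log records (field and operation names are assumptions loosely modelled on Microsoft 365 audit logs) to flag an account where a sign-in from an IP outside an allow-list is followed within an hour by both an MFA-method registration and an inbox-rule creation, the two post-compromise steps described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real telemetry). Field and operation
# names are assumptions loosely modelled on Microsoft 365 audit logs.
SAMPLE_EVENTS = [
    {"ts": "2024-02-12T08:01:00", "user": "cfo@example.test", "op": "UserLoggedIn",
     "ip": "203.0.113.7", "ua": "Mozilla/5.0 (Linux; Android 11) Chrome/121"},
    {"ts": "2024-02-12T08:04:30", "user": "cfo@example.test", "op": "User registered security info",
     "ip": "203.0.113.7", "ua": "Mozilla/5.0 (Linux; Android 11) Chrome/121"},
    {"ts": "2024-02-12T08:10:12", "user": "cfo@example.test", "op": "New-InboxRule",
     "ip": "203.0.113.7", "ua": "Mozilla/5.0 (Linux; Android 11) Chrome/121"},
    {"ts": "2024-02-12T09:00:00", "user": "analyst@example.test", "op": "UserLoggedIn",
     "ip": "198.51.100.4", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/121"},
    {"ts": "2024-02-12T09:02:00", "user": "analyst@example.test", "op": "New-InboxRule",
     "ip": "198.51.100.4", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/121"},
]

KNOWN_GOOD_IPS = {"198.51.100.4"}   # constructed allow-list of corporate egress IPs
WINDOW = timedelta(hours=1)

def find_takeover_candidates(events, known_ips=KNOWN_GOOD_IPS, window=WINDOW):
    """Return {user: details} for accounts where a sign-in from an IP outside
    the allow-list is followed within `window` by BOTH a new MFA-method
    registration and an inbox-rule creation, the two post-compromise steps
    the campaign summary describes."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])          # ISO timestamps sort lexically
        for i, login in enumerate(evs):
            if login["op"] != "UserLoggedIn" or login["ip"] in known_ips:
                continue
            t0 = datetime.fromisoformat(login["ts"])
            seen = set()
            for follow in evs[i + 1:]:
                if datetime.fromisoformat(follow["ts"]) - t0 > window:
                    break
                if follow["op"] == "User registered security info":
                    seen.add("mfa_registered")
                elif follow["op"] == "New-InboxRule":
                    seen.add("inbox_rule")
            if {"mfa_registered", "inbox_rule"} <= seen:
                # Record the source IP and user agent for the triage queue.
                flagged[user] = {"login_ip": login["ip"], "user_agent": login["ua"]}
    return flagged
```

The analyst account is not flagged because its sign-in came from an allow-listed IP and it never registered a new MFA method, which keeps routine inbox-rule creation out of the alert queue.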

Bank of America alerts customers to a third party data breach. 

Bank of America has alerted its customers to a data breach at Infosys McCamish Systems (IMS), a service provider, exposing personal information like names, social security numbers, and financial details of potentially 57,028 individuals. The breach, attributed to a cybersecurity event in November 2023, led to unauthorized access to IMS systems but did not compromise Bank of America's own systems. The LockBit ransomware gang claimed responsibility for encrypting over 2,000 IMS systems during the breach. This incident is part of a larger trend of cyberattacks by LockBit, which has targeted numerous organizations worldwide since 2019. Additionally, financial information of Bank of America customers was also exposed in a separate breach of the MOVEit Transfer platform by the Clop cybercrime gang in May 2023. Infosys, the parent company of IMS, has yet to comment on the breach.

Malicious cyber activity targets elections worldwide. 

Security firm Resecurity reports a significant uptick in malicious cyber activities aimed at influencing sovereign elections globally. 2024 sees an unprecedented number of voters participating in elections across 64 countries, including a pivotal U.S. presidential election. This cyber activity, which has doubled since the previous analysis period, targets nations worldwide, aiming to disrupt democratic processes and manipulate public opinion through cyberespionage and the dissemination of targeted propaganda. Threat actors, driven by profit, ideology, or under the direction of nation-states, seek to undermine the integrity of elections by exploiting leaked voter data and personal information (PII). Resecurity emphasizes the urgent need for robust identity protection measures to safeguard the democratic process against evolving cyber threats and foreign interference campaigns.

CISA highlights a vulnerability in Roundcube Webmail. 

CISA has alerted users to an actively exploited Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail, identified by Zscaler researcher Niraj Shivtarka, with a CVSS score of 6.1. This flaw risks exposing sensitive data via malicious links in plain text emails. The issue, dating to September 15 of last year, affects a widely used PHP-based IMAP email client compatible with various web servers and databases. Over 132,000 Roundcube servers are publicly accessible online, raising concerns about potential security risks. CISA has urged vendors to apply mitigations or discontinue using vulnerable versions to protect against this security threat.

Lawmakers introduce a bipartisan bill to enhance healthcare cybersecurity. 

U.S. lawmakers are introducing a bipartisan bill aimed at enhancing cybersecurity in the healthcare sector amidst a surge in cyberattacks. The Strengthening Cybersecurity in Health Care Act, proposed by Senators Angus King and Marco Rubio, mandates the Department of Health and Human Services (HHS) to conduct biennial cybersecurity reviews and tests of its IT systems. This requirement comes in response to the Department's management of data for 65 million Medicare patients and the record 734 breaches reported in 2023, affecting over 135 million people. The bill seeks to update HHS's cybersecurity strategy to address evolving threats, requiring biannual reports to Congress on progress and plans. 

Siemens and Schneider Electric address multiple industrial vulnerabilities.

Siemens and Schneider Electric have released 18 security advisories addressing a combined total of 275 vulnerabilities for their industrial products. Siemens' advisories cover 270 vulnerabilities across various products, including Scalance switches, the Sinec industrial network management solution, and several others, with most issues rated as 'critical' or 'high' severity. These flaws could lead to arbitrary code execution, denial of service attacks, or information disclosure, with updates available for most affected products. Schneider Electric's three advisories detail five vulnerabilities in products like EcoStruxure Control Expert and Harmony Relay NFC, addressing issues such as unauthorized access to PLCs and authentication bypass. Siemens is also implementing CVSS 4.0 severity ratings.

Perception in tech gender parity still has a ways to go.

An article in Euronews outlines that despite 80% of men in the tech industry believing in gender parity, women in tech challenge this perception, pointing out structural challenges and biases that still exist. A survey by recruitment company Nigel Frank International revealed that only a small fraction of men disagree with the notion that there is currently gender equality in tech, contrasting sharply with women's experiences of sexism and inequality in the workplace. The issue extends to venture funding, where women founders face significant hurdles due to a male-dominated investor landscape. Recommendations for improvement include hiring and properly compensating women, calling out sexism, ensuring inclusive decision-making, and increasing the presence of women in senior and investor roles to combat deep-rooted gender biases and foster equality in the tech industry.


Next up, I’m joined by CISA’s Andrew Scott and the FBI’s Brett Leatherman. They share the latest joint advisory from their respective agencies on the People's Republic of China and Volt Typhoon and offer some living off the land guidance. You can find the link to the advisory in the show notes.


The scourge of online obituary spam. 

And finally, Mia Sato reports for The Verge about the ghoulish trend of online obituary spam. 

In late December 2023, Brian Vastag was shocked to find fake obituaries online claiming both he and his late partner, Beth Mazur, had died. While Mazur did pass away on December 21, 2023, Vastag was very much alive, contrary to the misleading reports spread by several spammy websites. These sites exploited Mazur's death for clicks, using SEO tactics to appear at the top of Google Search results. The misinformation, suspected to be generated by AI tools, included over a dozen sites and YouTube videos, impacting Vastag and friends deeply. This case highlights the broader issue of "obituary scraping," where low-quality, often inaccurate obituaries are published at scale, sometimes even affecting private individuals not in the public eye. Despite efforts to correct the record, platforms like Google struggle to manage the deluge of such deceitful content, underscoring the challenges in combating digital misinformation and respecting the deceased's legacy.

Here’s looking forward to the day when we can write the obituary for this kind of despicable online misinformation.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Tré Hester. Thanks for listening.