TeamViewer and APT29 go toe to toe.
TeamViewer tackles APT29 intrusion. Microsoft widens email breach alerts. Uncovering a malware epidemic. Google's distrust on Entrust. Safeguarding critical systems. FTC vs. MGM. Don’t forget to backup your data. Polyfill's accidental exposé. Our guest is Guest Caitlyn Shim, Director of AWS Cloud Governance, and she recently joined N2K’s Rick Howard at AWS re:Inforce event, they’re discussing cloud governance, the growth and development of AWS, and diversity. And a telecom titan becomes telecom terror.
Today is Friday, June 28th, 2024. I am THE Tré Hester on the mic for Dave Bittner today. And this is your CyberWire Intel Briefing.
TeamViewer tackles APT29 intrusion.
Remote access software provider TeamViewer is investigating a breach of its internal corporate IT environment, the Record reports. The company said in an update this morning, "Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data."
The Health Information Sharing and Analysis Center (H-ISAC pronounced H-eyesack) issued a threat bulletin yesterday "alerting the health sector to active cyberthreats exploiting TeamViewer." The Record also notes that cybersecurity firm NCC Group notified its customers that it "has been made aware of significant compromise of the TeamViewer remote access and support platform by an APT group."
Microsoft widens email breach alerts.
Microsoft is notifying additional customers whose email correspondence with Microsoft was accessed by the Russian threat actor Midnight Blizzard, according to Engadget. The number of those affected was not disclosed. Microsoft stated, "This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor. This is increased detail for customers who have already been notified and also includes new notifications."
Hospital hack causes compromised data for 791,000.
In a follow up to a story we’ve followed over the past few months, SecurityWeek reports that the Ann & Robert H. Lurie Children’s Hospital of Chicago is notifying 791,000 people that their personal and medical information was accessed during a January ransomware attack. The hospital said in a breach notification that it refused to pay a ransom, and the Rhysida ransomware group subsequently marked the stolen data dump as "sold" on its website. SecurityWeek says the breached information includes "name, address, date of birth, dates of service, driver’s license number, Social Security number, email address, phone number, health claims information, medical condition or diagnosis, medical record number, medical treatment, and prescription information."
Uncovering a malware epidemic.
Outpost24 has published a report on a malware distribution campaign that's spreading "hundreds of thousands of malware samples, infecting each victim with up to ten of them at the same time." The campaign is run by a suspected criminal group based in Eastern Europe, which is likely providing the distribution operation as a service for numerous malware operators. The researchers believe the threat actor is paid per infection and is attempting to "spread as much malware as possible to as many victims as possible." The malware is distributed via phishing emails and malware loaders. Once the initial file is executed on a machine, it "unfurls" by installing up to ten strains of information-stealing malware.
Google's distrust on Entrust.
Google has announced that Chrome will no longer trust digital certificates issued by Entrust, a major certificate authority (CA). This decision follows multiple compliance violations by Entrust, which have eroded confidence in its competence and reliability. The move will impact numerous organizations, including major banks and corporations, starting November 1, 2024. Google recommends affected entities transition to a new CA. Despite Entrust's recent efforts to address these issues, the response has been deemed insufficient. The company is urged to demonstrate significant improvements to regain trust.
Safeguarding critical systems.
The U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection held a hearing to address vulnerabilities in critical infrastructure and the role of cyber insurance in enhancing resilience. Key witnesses emphasized the importance of cyber insurance in recovery and risk mitigation, highlighting its potential to support both private and federal responses to cyber threats. The discussion underscored the necessity of proactive planning, clearer coverage standards, and enhanced public-private collaboration to protect critical infrastructure from evolving cyber threats.
FTC vs. MGM.
The Federal Trade Commission (FTC) is pushing back against MGM Resorts International's efforts to block its investigation into a significant cyberattack that occurred last September. The breach compromised the personal information of 1.5 million guests and disrupted MGM's operations for over a week. MGM has been resisting the FTC's investigative demands, leading the FTC to seek a court order to enforce compliance. The FTC's stance underscores the importance of regulatory oversight in addressing cybersecurity breaches and ensuring accountability in protecting consumer data.
Don’t forget to backup your data.
A recent cyberattack on an Indonesian data center severely disrupted public services, including airport immigration systems, and exposed significant shortcomings in data backup practices. With 98% of the government's data not backed up, the incident has prompted a national audit to improve cyber resilience and data security. Officials blame poor governance and budget constraints for the lack of backups. The breach highlights the critical need for robust backup strategies and proactive data protection to prevent similar disruptions in the future. Come on people, back up that data!
Polyfill's accidental exposé.
Continuing our coverage of a story we are following this week, a large-scale supply chain attack on multiple Content Delivery Networks (or CDNs), including Polyfill.io, BootCDN, Bootcss, and Staticfile, has been traced to a single operator. Researchers discovered exposed Cloudflare keys in a public GitHub repository, which linked the attacks to a common entity. This breach affected tens of millions of websites, highlighting severe vulnerabilities in the supply chain. The attack is likely to have been ongoing since June 2023
Coming up, we’ve got N2K’s Rick Howard talking with guest Caitlyn Shim. Caitlyn is AWS’ Director of AWS Cloud Governance. Rick caught up with her at the AWS re:Inforce event recently. They spoke about cloud governance, the growth and development of AWS, and diversity.
Welcome back, you can find more information about Caitlyn, AWS and re:Inforce in our show notes.
Telecom titan becomes telecom terror.
And finally we dive into a cyber scandal straight out of a dystopian thriller but with a distinctly real-world twist. JTBC, a leading Korean news outlet, has blown the whistle on KT Corporation, one of South Korea’s largest telecom providers, for deliberately infecting over 600,000 users with malware to deter them from using torrent services.In May 2020, Webhard, a Korean cloud service reliant on BitTorrent, started drowning in user complaints about bizarre system errors. As it turned out, KT Corporation had decided to moonlight as a digital vigilante. Their malware operation, straight from their data center south of Seoul, wreaked havoc. Users saw strange folders appearing, files vanishing, and in severe cases, entire PCs rendered useless.
The police traced the malware back to KT’s data center and have charged 13 individuals, including KT employees and subcontractors, with violating South Korea’s Protection of Communications Secrets Act and the Information and Communications Network Act. The investigation is ongoing, and more heads might roll as authorities dig deeper. So, next time your computer acts up, remember—it might not be a bug. It could just be your friendly neighborhood telecom company trying to teach you a lesson!
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Be sure to check out Research Saturday tomorrow, where Dave sits down with Ismael Valenzuela, Vice President of Threat Research & Intelligence, from the Blackberry Threat Research and Intelligence team to discuss their work on "Transparent Tribe targeting the Indian Government, Defense, and Aerospace Sectors and Leveraging Cross-Platform Programming Languages.” That’s Research Saturday, check it out!
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.