Free technical content sponsored by SANS
Globe Life Says Threat Actor is Attempting to Extort Funds Following Data Breach
(October 17, 2024)
In an October 17 filing with the US Securities and Exchange Commission, Texas-based insurance company Globe Life disclosed that “an unknown threat actor” contacted them, demanding payment in exchange for not releasing customer data. Globe Life believes the data “can be traced to the Company’s subsidiary, American Income Life Insurance Company.”
Editor's Note
[Dukes]
Most likely a ransomware attack on the subsidiary company. This reinforces the need for the parent, Globe Life in this case, to enforce and monitor a cybersecurity program across the entirety of the company and its subsidiaries. The cyber incident only adds fuel to the fire on lack of management controls.
[Neely]
The threat actor is releasing personal and health data to short sellers and plaintiffs' attorneys in an attempt to impact claims and policies, rather than executing a traditional ransomware or extortion attack. This follows reports in June of improperly implemented access controls which would allow access to sensitive data; Globe Life is not commenting on their possible connection. Names, email addresses, phone numbers, addresses, SSNs and health data were stolen, but no financial information was exfiltrated.
Read more in:
- therecord.media: Insurance giant Globe Life facing extortion attempts after data theft from subsidiary
- www.theregister.com: Troubled US insurance giant hit by extortion after data leak
- www.sec.gov: Form 8-K | Globe Life Inc.
Fraudulent IT Employees Turn to Extortion
(October 16, 18, & 20, 2024)
Analysts in the Secureworks Counter Threat Unit (CTU) have documented a pattern of fraudulent employment, data theft, and now extortion by alleged North Korean operatives posing as IT contractors. The structure of the scheme and certain technical details, including the use of Astrill VPN IP addresses, align with previous efforts by a known threat group to "generate revenue for the North Korean regime" through "theft of intellectual property with the potential for additional monetary gain through extortion." In one documented timeline, an employee was hired, exfiltrated proprietary information, was terminated for poor performance, and then sent evidence of the stolen data alongside demands for a "six-figure ransom." The investigators also describe how these operatives manipulate equipment provisioning, either insisting on using personal machines or having their company laptops re-routed to a facilitator running a laptop farm, which gives the operative a "credible IP address space." The report also suggests collaboration among operatives: providing references for one another, filling conspirators' vacated positions, sharing employee identities, and/or managing multiple identities each, while avoiding or faking webcam use. CTU stresses caution and verification in companies' hiring processes, and asks employers to watch for unusual or frequent changes in addresses and banking details.
Editor's Note
[Dukes]
KnowBe4 shed light on this set of TTPs back in July when it fell victim to fraudulent employment. One surefire way to avoid this scam is to require in-person interviews and not to deviate from well-established security practices for remote workers.
[Neely]
This parallels fraud schemes associated with the Nickel Tapestry threat group, who are motivated to make money for North Korea. Consider carefully in-person validation of new-hires and/or applicants. Besides vetting, use restraint in granting access to sensitive data.
Read more in:
- www.secureworks.com: Fraudulent North Korean IT Worker Schemes: From Insider Threats to Extortion
- www.theregister.com: Biz hired, and fired, a fake North Korean IT worker – then the ransom demands began
- thehackernews.com: North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data
ESET Partner’s Domain Spoofed to Send Wiper Malware
(October 18 & 21, 2024)
A domain belonging to one of ESET's partners based in Israel was spoofed and used to send malicious emails containing wiper malware. The impersonation attack claimed to be from ESET Advanced Threat Defense Team warning that state-sponsored threat actors were targeting the recipients’ devices and offering advanced antivirus software to protect the recipients’ devices. ESET said the malicious messages were blocked within 10 minutes; an investigation is underway.
Editor's Note
[Neely]
This is what we need protective DNS for. Coupled with our existing attachment filtering/vetting, it’s one more tool in our belt to thwart BEC. You still need EDR, blocking of bad/malicious sites, and even mechanisms for users to report suspicious email. In this case the stakes are high as the payload is a data wiper. Regardless of the impact, implement as many technical levels as possible to reduce the likelihood such a payload makes it to the targeted user.
Microsoft Lost More Than Two Weeks of Cloud Customers’ Security Logs
(October 17, 2024)
Microsoft has notified some customers that it has lost more than two weeks of security logs. The missing data are due to “a bug in one of Microsoft’s internal monitoring agents result[ing] in a malfunction in some of the agents when uploading log data to our internal logging platform.” The issue, which was first reported by Business Insider on October 4 (paywall), affects certain cloud products, including Microsoft Entra, Sentinel, Defender for Cloud, and Purview. The incident comes a year after Microsoft was criticized for withholding log information from some US federal government agencies; that information could have helped identify serious intrusions sooner. In September 2023, Microsoft began providing log data to customers with lower-cost cloud services.
Editor's Note
[Honan]
This issue highlights that while migrating to the cloud can bring many benefits, it can also, from a security aspect, bring many negatives. Relying on a third party to ensure the security logs for your systems in their environment are available and accurate is something you need to put on your risk register. You also need to look at what other mitigating controls you can put in place to manage that risk, such as alerts being raised when traffic from certain log sources falls below a certain known normal rate or stops altogether, or implementing third party tools to augment the vendor's own solution.
[Neely]
The lost data will make it harder to determine if you’ve had nefarious access to your resources during the two week window of September 2-19. Consider having monitoring that alerts when logs aren’t flowing or there is a noticeable change in volume.
[Ullrich]
In particular the missing Entra logs may be a problem for some organizations. Ask yourself why you didn't detect the missing logs and how to detect issues like this in the future.
Read more in:
- techcrunch.com: Microsoft said it lost weeks of security logs for its customers’ cloud products
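The editors above all ask the same question: why was the gap not noticed? The following is an added example, not code from the original newsletter or from any Microsoft tooling, that shows the shape of a log-flow heartbeat check in Python using only the standard library. It buckets events per source per hour on a zero-filled grid, takes the first day as a baseline, and flags a source whose hourly volume drops below half the baseline median or that is silent for two consecutive hours. The source names, timestamps and volumes are constructed; in a real deployment the same logic would run as a scheduled query against your SIEM's ingestion statistics rather than over an in-memory list.

```python
"""Log-flow heartbeat check: flag log sources that go quiet or drop in volume.
Constructed example; the sources, timestamps and volumes below are synthetic."""
from datetime import datetime, timedelta, timezone
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
START = datetime(2024, 9, 1, tzinfo=timezone.utc)   # assumed start of the observation window
SOURCES = ["SigninLogs", "AuditLogs"]                 # assumed feeds expected to report every hour


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def hourly_counts(events, sources, start, hours):
    """Bucket (source, timestamp) pairs into a zero-filled per-source hourly grid.
    Zero-filling is the point: a feed that stops yields rows of 0, not a missing key."""
    grid = {s: [0] * hours for s in sources}
    for source, ts in events:
        idx = int((parse_ts(ts) - start).total_seconds() // 3600)
        if source in grid and 0 <= idx < hours:
            grid[source][idx] += 1
    return grid


def find_ingestion_anomalies(grid, baseline_hours, drop_ratio=0.5, gap_hours=2):
    """Compare every hour after the baseline period with the baseline median.
    Returns (source, hour_index, reason) for sustained silence or a volume drop."""
    findings = []
    for source, counts in grid.items():
        base = median(counts[:baseline_hours])
        silent = 0
        for hour in range(baseline_hours, len(counts)):
            c = counts[hour]
            if c == 0:
                silent += 1
                if silent == gap_hours:          # fire once, when silence reaches the threshold
                    findings.append((source, hour, f"no events for {gap_hours} consecutive hours"))
            else:
                silent = 0
                if c < drop_ratio * base:
                    findings.append((source, hour,
                                     f"{c} events, below {drop_ratio:.0%} of baseline median {base:.0f}"))
    return findings


def constructed_events():
    """Synthetic feed: 10 events/hour for both sources; SigninLogs stops at hour 26,
    AuditLogs falls to 3/hour at hour 27 (mimicking a partially failing upload agent)."""
    events = []
    for hour in range(30):
        per_hour = {"SigninLogs": 10 if hour < 26 else 0,
                    "AuditLogs": 10 if hour < 27 else 3}
        for source, n in per_hour.items():
            for k in range(n):
                ts = START + timedelta(hours=hour, minutes=k * 5)
                events.append((source, ts.strftime(TS_FMT)))
    return events


def run_check():
    grid = hourly_counts(constructed_events(), SOURCES, START, hours=30)
    return find_ingestion_anomalies(grid, baseline_hours=24)


if __name__ == "__main__":
    for source, hour, reason in run_check():
        print(f"{(START + timedelta(hours=hour)).strftime(TS_FMT)} {source}: {reason}")
```

Two design points matter more than the thresholds: the grid is built from the list of sources you expect, so a feed that never arrives still produces a finding, and the check alerts on the absence of data rather than on any event content, which is the one thing an upstream agent bug cannot suppress.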
Some Chrome Extensions No Longer Supported Following Move to New Extension Specification
(October 13, 15, & 21, 2024)
As part of its move to the Manifest V3 extension specification, Google has begun ending support for some older, albeit popular extensions, including the uBlock Origin ad blocker. The Chrome Web Store’s uBlock Origin page reads, “This extension may soon no longer be supported because it doesn't follow best practices for Chrome extensions.”
Editor's Note
[Honan]
Hmm, call me cynical but when I read this story, I see a browser developed by a company that relies on advertising and is disabling adblockers. Adblockers are a key defence against web-based malware attacks. I have worked on incidents where the initial compromise was via a malicious web advertisement. If you haven't done so already, ensure your perimeter and end-point defences include the ability to block web adverts.
[Dukes]
This is a bad look for Google as they generate enormous revenue from serving up advertisements, yet no longer support a well-known ad blocker extension. Yes, the move to MV3 is a net win as it removes support for remotely-hosted code and execution of arbitrary strings, but Google should be flexible so as not to draw more attention to itself and its business practices.
[Neely]
Some sites are claiming that uBlock Origin works best in Firefox, which is a bummer if you’re looking to have the same ad block extension in both browsers. Consider an alternative, Adblock Plus, or installing a proxy such as Privoxy or Pi-hole to provide the services you’re used to.
Study Finds Vulnerabilities in E2EE Cloud Storage
(October 20 & 21, 2024)
Researchers at ETH Zurich have published a paper outlining serious flaws in the end-to-end-encrypted (E2EE) services of several major cloud storage providers, many of which are severe and simple enough to execute that they "directly oppose the marketing promises of the platforms, [and] create a deceptive and false premise for customers." The study covers five providers: Sync, pCloud, Icedrive, Seafile, and Tresorit, which collectively serve about 22 million users. Under a threat model in which the attacker controls the storage server, every studied provider is vulnerable to some subset of the identified "attacks and leakages": unauthenticated key material and public keys; protocol downgrade; link-sharing leakage; unauthenticated encryption and chunking; tampering with files, file names, and metadata; file and folder injection; and leakage of plaintext, metadata, and directory structure. The companies were notified in April 2024, but the uneven responses given to ETH Zurich and to journalists indicate that only some intend to fix the issues; Icedrive has openly said it has no plans to do so.
Editor's Note
[Ullrich]
These vulnerabilities are no big surprise, and most "end-to-end" encrypted systems suffer from these issues. You often implicitly trust that code loaded from the trusted site is implementing the end-to-end encryption as intended. A malicious actor able to manipulate the endpoint will be able to alter the code to bypass the end-to-end encryption implementation.
[Neely]
So you picked E2EE so the cloud provider would not have access to your data, but did you vet their implementation? While these attacks largely depend on a MitM, it’s not clear you’d be able to detect that middleman, given the complexity of the E2EE implementation, let alone all the moving parts in cloud storage. If you’re using one of the identified providers, make sure you’re on the fixed implementation. If you have a different one, consider contacting the researchers to schedule analysis.
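To make the "unauthenticated encryption and chunking" class of finding concrete, here is an added example in Python using only the standard library; it is not code from the ETH Zurich paper or from any of the named providers, and it does not reproduce any provider's actual protocol. A client encrypts a file chunk by chunk with a hash-based keystream standing in for AES-CTR. In the first version nothing is authenticated, so a server that holds the ciphertext can reorder chunks or flip chosen plaintext bits and the client decrypts the altered file without complaint. In the second version every chunk carries a MAC bound to the file identifier, the chunk index, the total chunk count and the nonce, so reordering, modification and truncation all fail authentication. The master key, file identifier and file contents are constructed for the demo.

```python
"""Toy model of unauthenticated vs. authenticated chunked file encryption.
Constructed example: keys, file id and contents are synthetic; the keystream is a
hash-based stand-in for a real cipher, not a recommendation."""
import hashlib
import hmac
import os

CHUNK = 16  # bytes per chunk; tiny so the sample file spans several chunks


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _chunks(data: bytes) -> list:
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


# --- Vulnerable: chunks are encrypted, but nothing binds their order or content ---

def encrypt_unauthenticated(key: bytes, data: bytes) -> list:
    blob = []
    for pt in _chunks(data):
        nonce = os.urandom(8)
        blob.append((nonce, _xor(pt, _keystream(key, nonce, len(pt)))))
    return blob


def decrypt_unauthenticated(key: bytes, blob: list) -> bytes:
    return b"".join(_xor(ct, _keystream(key, nonce, len(ct))) for nonce, ct in blob)


# --- Hardened: MAC over (file id, chunk index, chunk count, nonce, ciphertext) ---

def _derive(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()   # key separation: enc vs mac


def _assoc(file_id: bytes, idx: int, total: int, nonce: bytes) -> bytes:
    return file_id + idx.to_bytes(4, "big") + total.to_bytes(4, "big") + nonce


def encrypt_authenticated(master: bytes, file_id: bytes, data: bytes) -> list:
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    parts = _chunks(data)
    blob = []
    for idx, pt in enumerate(parts):
        nonce = os.urandom(8)
        ct = _xor(pt, _keystream(enc_key, nonce, len(pt)))
        tag = hmac.new(mac_key, _assoc(file_id, idx, len(parts), nonce) + ct, hashlib.sha256).digest()
        blob.append((nonce, ct, tag))
    return blob


def decrypt_authenticated(master: bytes, file_id: bytes, blob: list) -> bytes:
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    out = []
    for idx, (nonce, ct, tag) in enumerate(blob):
        expect = hmac.new(mac_key, _assoc(file_id, idx, len(blob), nonce) + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):   # index/count mismatch or edit -> wrong tag
            raise ValueError(f"chunk {idx} failed authentication (reordered, truncated or modified)")
        out.append(_xor(ct, _keystream(enc_key, nonce, len(ct))))
    return b"".join(out)


# --- What a server that stores the ciphertext can do to it ---

def server_swap(blob: list, i: int, j: int) -> list:
    b = list(blob)
    b[i], b[j] = b[j], b[i]
    return b


def server_flip(blob: list, idx: int, offset: int, delta: int) -> list:
    """XOR one ciphertext byte; under an unauthenticated stream cipher the same bits flip in plaintext."""
    b = list(blob)
    rec = list(b[idx])
    ct = bytearray(rec[1])
    ct[offset] ^= delta
    rec[1] = bytes(ct)
    b[idx] = tuple(rec)
    return b


SAMPLE = b"balance=00100;owner=alice;flags=0"                 # constructed 33-byte file -> 3 chunks
KEY = hashlib.sha256(b"constructed demo master key").digest()   # constructed key, demo only


def demo_unauthenticated() -> tuple:
    blob = encrypt_unauthenticated(KEY, SAMPLE)
    reordered = decrypt_unauthenticated(KEY, server_swap(blob, 0, 1))
    edited = decrypt_unauthenticated(KEY, server_flip(blob, 0, 10, ord("1") ^ ord("9")))
    return reordered, edited   # both decrypt "successfully" to altered content


def demo_authenticated() -> tuple:
    fid = b"file-0001"
    blob = encrypt_authenticated(KEY, fid, SAMPLE)
    ok = decrypt_authenticated(KEY, fid, blob) == SAMPLE
    rejected = []
    for tampered in (server_swap(blob, 0, 1), server_flip(blob, 0, 10, 1), blob[:-1]):
        try:
            decrypt_authenticated(KEY, fid, tampered)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    return ok, rejected
```

In practice the same associated data (file id, index, count, nonce) would go into an AEAD such as AES-GCM or ChaCha20-Poly1305 rather than a hand-rolled encrypt-then-MAC, and the chunk count binding is what stops a server from silently truncating a file. Note also that authenticated chunks do nothing for the other finding classes in the paper: if the server can hand the client unauthenticated key material in the first place, the MAC key itself is attacker-controlled.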
Cisco DevHub Offline after Data Breach
(October 18 & 21, 2024)
Cisco has "disabled public access" to DevHub, an environment providing customers access to code and other developer resources, after claims of a data breach surfaced online. The data alleged to have been exfiltrated and posted for sale may include "source code, API tokens, hardcoded credentials, certificates, and other secrets belonging to some large companies, including Microsoft, Verizon, T-Mobile, AT&T, Barclays, and SAP," though the company's official report characterizes the contents of the breach as "a small number of files that were not authorized for public download," explicitly ruling out Personally Identifiable Information (PII) and financial data, barring further discoveries. Cybersecurity professionals commenting on the breach emphasize that any stolen data, no matter how apparently significant, can be leveraged in unpredictable ways for intelligence or exploitation in future attacks, potentially allowing attackers to "pivot to more sensitive systems" from public-facing ones.
Editor's Note
[Neely]
Last week, threat actors were spotted offering this information for sale on the DarkWeb. The takeaway is to validate the security of your public facing services, not only ensuring they are patched and secure, but also that they can survive an attack.
Casio Says Deliveries Delayed Due to Ransomware Attack
(October 18 & 21, 2024)
Japanese electronics company Casio is struggling to recover from an October 5 ransomware attack. Casio confirmed the attack on October 11 and said at the time that some data have been compromised and some of their systems had been rendered unusable. Casio has temporarily stopped accepting items for repair.
Editor's Note
[Neely]
Beyond production impacts, the personal information of contract and temporary employees was pilfered, along with some data from interviewees/job candidates. Casio is expecting remediation to extend into November.
Read more in:
- therecord.media: Japanese watchmaker Casio warns of delivery delays after ransomware attack
- www.techradar.com: Casio recovery from ransomware attack uncertain, 'no prospect of recovery yet'
- world.casio.com: Notice of Partial Service Outage and Information Leak Caused by Ransomware Attack
CISA Adds Critical Veeam Flaw to Known Exploited Vulnerabilities Catalog
(September 4, October 8 & 18, 2024)
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical deserialization of untrusted data vulnerability in various Veeam products to their Known Exploited Vulnerabilities (KEV) catalog. The flaw was initially disclosed in early September; CISA says that ransomware groups are now actively exploiting the vulnerability. Federal Civilian Executive Branch (FCEB) agencies have until November 7 to mitigate the issue.
Editor's Note
[Neely]
CVE-2024-40711, an unauthenticated RCE flaw with a CVSS score of 9.8, affects all versions of Veeam Backup & Replication 12 and 12.1 (build 12.1.2.172 and below). The solution is to upgrade to version 12.2 (build 12.2.0.334 or higher).
Read more in:
- censys.com: Unauthenticated RCE in Veeam Backup & Replication [CVE-2024-40711] (September 4, 2024)
- www.veeam.com: Veeam Security Bulletin (September 2024)
- therecord.media: CISA confirms Veeam vulnerability is being used in ransomware attacks
- www.cisa.gov: Known Exploited Vulnerabilities Catalog
- nvd.nist.gov: CVE-2024-40711 Detail
Swiss Vocational School is Recovering from Ransomware Attack
(October 21, 2024)
A vocational school in the Swiss canton of Schaffhausen experienced a cyberattack on October 2. The Berufsbildungszentrum (BBZ) Schaffhausen said that the attackers gained initial access to the institution’s systems through a gap in their firewall. BBZ Schaffhausen has not responded to the ransom demand. Officials are investigating the scope of the attack.
Editor's Note
[Dukes]
A ‘gap in their firewall’ is most likely attributable to poor configuration management. The Center for Internet Security offers free benchmark guidance for several commercial firewalls (Cisco, Checkpoint, Fortinet, etc.), to help you configure to a known security standard.
[Neely]
This is the latest in a string of attacks targeting German-speaking schools in the region, leveraging flaws in their perimeter. Make sure you’re testing, validating, and updating ALL of your boundary control devices regularly.
Read more in:
- therecord.media: Spate of ransomware attacks on German-speaking schools hits another in Switzerland