Canada orders TikTok shutdown, Google’s AI discovers zero-day in SQLite, and a major arrest in Snowflake breach.
Infosec Monitor: No. 50
No. 50, November 8, 2024
Welcome to another edition of the Infosec Monitor. A weekly newsletter covering what's happened, what's happening, and what's coming in cybersecurity.
In this week's edition of the Infosec Monitor — Canada orders TikTok shutdown, Google’s AI discovers zero-day in SQLite, and a major arrest in Snowflake breach.
One Year of the Infosec Monitor — Thank you for supporting the first year of the Infosec Monitor. When I started I wasn’t sure where this newsletter would go, nor how many read it. It’s now on LinkedIn and in inboxes. Some exciting news is coming soon that I can hardly wait to share. ~ Bryan Smith.
Get the Infosec Monitor in your inbox Same great news in your inbox every Friday morning.
Highlight of the Week
Canada orders TikTok to close business operations over security risks
Canada orders ByteDance-owned TikTok to shut down its Canadian business operations citing national security concerns. While Canadians can still use the app, the company must dissolve TikTok Technology Canada, Inc. TikTok plans legal action against the order. This follows global trends of increased scrutiny on Chinese-owned social media platforms. The Record
ChatGPT for your business
No more, “Sorry to interrupt…” for you. Save time by using AskJack, your company's internal knowledge base, built from your documents and data, not by you. Learn More
News
TSA proposes cyber rules for Transport and Pipeline sectors
TSA proposes mandatory cyber risk management programs for surface transportation and pipeline operators. The rule requires high-risk operators to develop comprehensive security programs and report incidents to CISA. Physical security concerns must be reported to TSA. Comments due February 2025. Cybersecurity Dive
Interpol operation disrupts 22,000 malicious servers in global cybercrime sweep
INTERPOL's Operation Synergia II dismantled over 22,000 malicious servers and arrested 41 cybercriminals between April and August 2024. The operation targeted phishing, ransomware, and information-stealer infrastructure across multiple countries. Private sector partners helped identify thousands of malicious IPs, and 65 additional suspects are under investigation. The Hacker News
Canada arrests hacker behind major Snowflake data breaches
Canadian authorities arrested Alexander Moucka, the hacker accused of the Snowflake customer-account breaches affecting 165+ companies, including AT&T and Ticketmaster. The attackers did not break Snowflake itself: they logged in with credentials stolen by infostealer malware to customer tenants that had not enabled multi-factor authentication. Moucka and his alleged co-conspirator John Binns, arrested in Turkey earlier this year, are both in custody. TechCrunch Krebs on Security
Germany drafts law to shield Security Researchers from Prosecution. Bleeping Computer
Top US cyber official says 'no evidence of malicious activity' impacting election. The Record
City of Columbus drops case on cyberattack whistleblower. Dark Reading
AI & Security
Google's AI agent finds a memory-safety zero-day in SQLite
Google's "Big Sleep", an LLM-based agent built by Project Zero and DeepMind, found an exploitable stack buffer underflow in the seriesBestIndex function of SQLite's generate_series extension. Google calls it the first public case of an AI agent finding a previously unknown, exploitable memory-safety bug in widely used real-world software. The agent worked by variant analysis, starting from a recently fixed bug, and the flaw was caught in a development branch and fixed before it reached an official release. siliconANGLE
OWASP launches AI security guides to combat emerging threats
OWASP unveiled comprehensive security guidance for organizations implementing AI and LLM technologies. The project, involving 500+ global experts, released three key guides covering deepfake defense, AI security best practices, and solution landscapes. The initiative aims to help organizations combat sophisticated AI-driven threats. Dark Reading
Gartner survey shows AI attacks, IT vendor risks top executive concerns
AI-enhanced attacks remain the top emerging enterprise risk for the third straight quarter, according to Gartner's Q3 2024 survey of 286 executives. New concerns focus on over-reliance on IT vendors and regulatory uncertainty. Help Net Security
New framework Mantis targets LLM-powered cyber attacks
Researchers introduced Mantis, a defense framework that counters LLM-powered cyberattacks by turning the attacker's own model against it. Mantis plants adversarial inputs in decoy services so that an attacking LLM which reads them is prompt-injected into failing or even attacking its own host, giving both passive defense and active countermeasures. In the researchers' tests it achieved over 95% effectiveness, and the code is available as open source. Cornell University
Cybersecurity Incidents
Texas oilfield supplier Newpark hit by ransomware, operations continue
Texas-based Newpark Resources, a $658M oilfield supplier, detected ransomware on October 29. While some business and financial reporting operations were disrupted, manufacturing continues under downtime procedures. The company expects minimal financial impact. No threat actor has claimed responsibility. Cybernews
Washington courts offline after weekend cyber incident
Washington state courts' systems remain offline following detected unauthorized network activity on Sunday. While essential court functions continue, many digital services are disrupted. The Administrative Office of the Courts proactively shut down systems and is working with experts to restore services. Some courts maintain limited operations. Bleeping Computer
Malicious Python package steals AWS credentials through 37k downloads
A malicious PyPI package, "fabrice", has been stealing AWS credentials since 2021 by typosquatting Fabric, the popular library for running shell commands over SSH. Downloaded more than 37,000 times, it hides its payload retrieval behind obfuscated URLs and a VPN-hosted server, then exfiltrates the credentials it collects. The package went unnoticed for three years before discovery. SC Media
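The Fabrice/Fabric case is a textbook typosquat: a name one edit away from a popular package. Below is an added example of a dependency lookalike check, written for this page and not code from the article or from any named scanner. The "popular package" list and the requirements file are constructed samples, and the PEP 503 normalization is applied before comparison so that case and separator differences do not hide a match.

```python
"""Lookalike-name check for Python dependencies (typosquat screening).

Added illustration for the Fabrice/Fabric story; not code from the original
article or from any named scanner. POPULAR_PACKAGES and SAMPLE_REQUIREMENTS
are constructed samples.
"""
import re

# Constructed sample of widely used packages an attacker would want to imitate.
POPULAR_PACKAGES = {"fabric", "requests", "urllib3", "boto3", "numpy", "paramiko"}

# First token of a requirement line: the project name (PEP 508 grammar, simplified).
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_names(text: str) -> list[str]:
    """Extract project names from requirements.txt content; comments, blank
    lines and pip options (-r, --index-url, ...) are skipped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def find_lookalikes(names, popular=POPULAR_PACKAGES, max_distance=2):
    """Return (name, imitated_package, distance) for every name that is within
    max_distance edits of a popular package without being that package."""
    hits = []
    for name in names:
        n = normalize(name)
        if n in popular:
            continue
        for p in popular:
            d = edit_distance(n, p)
            if d <= max_distance:
                hits.append((name, p, d))
    return sorted(hits)


# Constructed requirements file: one typosquat of fabric, one of urllib3.
SAMPLE_REQUIREMENTS = """\
# pinned deps
fabrice==0.3.5
requests>=2.32.0
urlib3==2.2.3
paramiko
--extra-index-url https://example.invalid/simple
"""

if __name__ == "__main__":
    for name, target, dist in find_lookalikes(requirement_names(SAMPLE_REQUIREMENTS)):
        print(f"{name}: looks like {target} (edit distance {dist})")
```

Edit distance alone produces false positives for legitimately similar names (boto versus boto3, for instance), so in practice this check belongs behind an allowlist and next to signals such as package age, download counts and maintainer history.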
Malware attack on SelectBlinds exposes 200,000 customer payment records
SelectBlinds disclosed that malicious code planted on its checkout page skimmed the payment-card details and personal information of about 200,000 customers between January 7 and September 28, 2024. The Record
Hellcat Ransomware targets Schneider Electric's Jira System, demands $125K
Hellcat ransomware group has breached Schneider Electric's Jira system, stealing 40GB of sensitive data including 400,000 user records. They're demanding $125,000, offering to halve it if the breach is acknowledged. This marks Schneider's third breach in two years, following Cactus ransomware and MOVEit incidents. Dark Reading
Hacker exploits CoD anti-cheat to ban innocent players
A hacker abused Call of Duty's Ricochet anti-cheat to get thousands of legitimate players banned. Ricochet flagged specific cheat-related strings found in a device's memory regardless of context, so sending a player an in-game message containing one of those strings was enough to trigger a ban. Activision acknowledged the issue but downplayed its scale, while affected players report significant losses. Cybernews
Georgia hospital faces Embargo ransomware attack, threatens patient data leak
Memorial Hospital in Georgia suffered a ransomware attack, disrupting electronic health records and forcing paper-based operations. Embargo ransomware gang claimed responsibility, threatening to leak 1.15TB of data. The Record
Irish tech university suspends classes after cyber incident
South East Technological University in Ireland suspended classes at Waterford campuses following a cybersecurity incident. While no data breach is confirmed, investigations are ongoing with both internal and external experts. Full impact assessment could take a week. The Record
Nokia investigates IntelBroker's claim of third-party data breach
Nokia is investigating claims by notorious threat actor IntelBroker who allegedly stole internal data through a third-party contractor and listed it for $20,000 on BreachForums. Nokia finds no evidence of breach yet. Dark Reading
Threat Intel
Sophisticated SteelFox Malware infects 11K users through fake activation tools
A sophisticated malware campaign dubbed "SteelFox" has infected 11,000+ victims by masquerading as software activation tools. The malware combines cryptomining and data theft capabilities, using advanced encryption and persistence mechanisms that make detection challenging. It primarily spreads through forum posts and illegal torrents. Dark Reading
Attackers leverage DocuSign API to send fake invoices at scale
Cybercriminals are abusing DocuSign's legitimate API to mass-distribute fake invoices. Using paid DocuSign accounts, attackers build authentic-looking templates that impersonate major brands. Because the envelopes are sent by DocuSign's own infrastructure, they pass SPF, DKIM and sender-reputation checks that would stop a spoofed invoice, so traditional email defenses let them through. Reports of these attacks have surged in recent months. CSO Online
Okta patches critical authentication flaw in AD/LDAP system
Okta disclosed that its AD/LDAP Delegated Authentication (DelAuth) could, under specific conditions, accept a login with only a username. The DelAuth cache key was a bcrypt hash of userId + username + password, and bcrypt processes only the first 72 bytes of its input, so for usernames of 52 or more characters the password was truncated away and a key stored from an earlier successful login matched any password. The flaw was introduced on July 23, 2024, found and fixed internally on October 30, and disclosed just before Okta published its progress report on CISA's "secure by design" pledge. CSO Online
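The mechanism is worth seeing in code, because the same 72-byte bcrypt limit bites any scheme that feeds bcrypt a long, attacker-influenced prefix. The following is an added model written for this page, not Okta's code: Okta's advisory describes the key as Bcrypt(userId + username + password) and names the 52-character threshold, which matches a 20-character userId plus 52 characters of username filling all 72 bytes. The sha256 stand-in for bcrypt and the pre-hashing variant are assumptions made for the illustration; Okta's actual fix replaced bcrypt with PBKDF2.

```python
"""Model of the bcrypt input-truncation behind the Okta AD/LDAP DelAuth bug.

Added illustration; not Okta's code. bcrypt hashes only the first 72 bytes of
its input, so once userId + username fills those 72 bytes the password
contributes nothing to the cache key. The 20-character userId format and the
52-character threshold follow Okta's advisory; model_bcrypt and the
pre-hashing fix are assumptions for this illustration.
"""
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bytes; real bcrypt silently ignores anything beyond this


def model_bcrypt(data: bytes) -> str:
    """Stand-in for bcrypt that keeps the one property that matters here:
    only the first 72 bytes influence the output. (Real bcrypt also salts
    and is deliberately slow; neither changes the analysis.)"""
    return hashlib.sha256(data[:BCRYPT_INPUT_LIMIT]).hexdigest()


def cache_key_vulnerable(user_id: str, username: str, password: str) -> str:
    """Key built the way the advisory describes: userId + username + password."""
    return model_bcrypt((user_id + username + password).encode())


def cache_key_fixed(user_id: str, username: str, password: str) -> str:
    """Pre-hash the whole input to a fixed 32 bytes so every byte, including
    the password, reaches the slow hash. (Assumed fix; Okta moved to PBKDF2.)"""
    digest = hashlib.sha256((user_id + username + password).encode()).digest()
    return model_bcrypt(digest)


def password_bytes_hashed(user_id: str, username: str) -> int:
    """How many bytes of the password survive truncation; 0 means the password is ignored."""
    return max(0, BCRYPT_INPUT_LIMIT - len((user_id + username).encode()))


def cache_hit(key_fn, user_id: str, username: str, real_password: str, attempt: str) -> bool:
    """Simulate the DelAuth cache: the key stored at an earlier successful login
    is compared with the key derived from the current login attempt."""
    stored = key_fn(user_id, username, real_password)
    return hmac.compare_digest(stored, key_fn(user_id, username, attempt))


if __name__ == "__main__":
    uid = "00u" + "a" * 17                  # 20-character user id (format assumed)
    long_user = "x" * 40 + "@example.com"   # 52 characters: userId + username = 72 bytes
    print("password bytes hashed:", password_bytes_hashed(uid, long_user))
    print("vulnerable key accepts wrong password:",
          cache_hit(cache_key_vulnerable, uid, long_user, "correct horse", "anything"))
    print("fixed key accepts wrong password:",
          cache_hit(cache_key_fixed, uid, long_user, "correct horse", "anything"))
```

The general lesson: never let bcrypt see raw concatenated fields; either pre-hash to a fixed-length digest or use a KDF without an input limit, and write a test that asserts a wrong password is rejected at every input length around the 72-byte boundary.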
Chinese hackers use TP-Link routers in Microsoft-discovered botnet campaign
Microsoft revealed that a Chinese botnet it tracks as CovertNetwork-1658, built from roughly 8,000 compromised SOHO devices, mostly TP-Link routers, is conducting covert password-spray attacks. Credentials it harvests are used by the Chinese threat actor Storm-0940 to break into government organizations, think tanks and other targets across North America and Europe. By making only one login attempt per account per day, and sending it from the residential IP addresses of the hijacked routers, the activity stays below the per-source thresholds that conventional spray detections rely on. Cybernews
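A spray that sends one attempt per account per day from thousands of residential addresses defeats any rule keyed on failures per source IP. What survives is the aggregate shape: many accounts that each fail at most once a day, from many distinct sources, while real users who mistype a password retry within minutes. The following is an added example of that detection over sample log lines, written for this page; it is not Microsoft's logic and not code from the article. The log format, field names, thresholds and the sample log itself are all constructed assumptions.

```python
"""Low-and-slow password-spray detection over authentication logs.

Added illustration for the CovertNetwork-1658 / Storm-0940 story; not
Microsoft's detection logic and not code from the original article. The log
format, thresholds and sample log are constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 UTC timestamp> auth=ok|fail src=<ip> user=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>ok|fail) src=(?P<src>\S+) user=(?P<user>\S+)$")


def parse_auth_log(lines):
    """Yield (timestamp, result, source_ip, username); malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["result"], m["src"], m["user"]


def low_and_slow_spray(lines, window=timedelta(days=7), min_accounts=10, min_sources=5):
    """Flag a spray that never exceeds one failed login per account per day.

    Per-source rate limits miss this pattern because each router sends only a
    trickle, so the signal is aggregated across sources: many accounts whose
    failures never exceed one per day, arriving from many distinct addresses.
    """
    fails = [(ts, src, user) for ts, result, src, user in parse_auth_log(lines) if result == "fail"]
    if not fails:
        return {"spray_like_accounts": [], "distinct_sources": 0, "flagged": False}
    end = max(ts for ts, _, _ in fails)
    recent = [f for f in fails if f[0] > end - window]

    per_user_day = defaultdict(Counter)   # user -> {date: failures that day}
    per_user_src = defaultdict(set)       # user -> source addresses seen
    for ts, src, user in recent:
        per_user_day[user][ts.date()] += 1
        per_user_src[user].add(src)

    # Real users retry; a sprayed account sees at most one failure per day.
    spray_like = sorted(u for u, days in per_user_day.items() if max(days.values()) <= 1)
    sources = set().union(*(per_user_src[u] for u in spray_like)) if spray_like else set()
    return {
        "spray_like_accounts": spray_like,
        "distinct_sources": len(sources),
        "flagged": len(spray_like) >= min_accounts and len(sources) >= min_sources,
    }


def _stamp(dt):
    return dt.isoformat().replace("+00:00", "Z")


def build_sample_log():
    """Constructed sample, not real telemetry: 12 accounts probed once a day for
    three days from six rotating 'router' addresses, plus one real user who
    mistypes a password four times in a row and then logs in."""
    lines = []
    routers = [f"198.51.100.{i}" for i in range(1, 7)]
    for day in range(3):
        for i in range(12):
            ts = datetime(2024, 10, 1 + day, 2, i, tzinfo=timezone.utc)
            lines.append(f"{_stamp(ts)} auth=fail src={routers[(i + day) % 6]} user=user{i:02d}")
    for n in range(4):
        ts = datetime(2024, 10, 2, 9, n, tzinfo=timezone.utc)
        lines.append(f"{_stamp(ts)} auth=fail src=203.0.113.9 user=bob")
    lines.append("2024-10-02T09:05:00Z auth=ok src=203.0.113.9 user=bob")
    return lines


if __name__ == "__main__":
    verdict = low_and_slow_spray(build_sample_log())
    print(f"flagged={verdict['flagged']} accounts={len(verdict['spray_like_accounts'])} "
          f"sources={verdict['distinct_sources']}")
```

The thresholds are the tuning knobs: a large tenant will always have a handful of one-off failures per week, so min_accounts should sit well above that baseline, and the window should be long enough (days, not minutes) to accumulate a once-a-day trickle.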
Interesting Reads
Global scam losses exceeded $1.03 trillion in the past year
Global scam losses hit $1.03 trillion last year, with Americans losing $3,520 on average. Nearly half of people face weekly scam attempts, particularly in Brazil, Hong Kong, and South Korea. While 70% of victims don't report losses, scammers increasingly use AI and social media for sophisticated attacks. Cybernews
Microchip Technology reports $21.4M expense from August cyberattack. Cybersecurity Dive
Data & Research
Report shows half of financial sector apps carry critical security debt
76% of financial services organizations have security debt (flaws unfixed for >1 year)
50% of organizations have critical security debt
Only 5.5% of financial sector applications are flaw-free
84% of security debt affects first-party code
78.6% of critical security debt comes from third-party dependencies
Microsoft report shows high cost of SMB cyberattacks
33% of SMBs experienced a cyberattack in the past year
Average cyberattack cost: $255,000, with some reaching $7M
Less than 33% of SMBs manage security internally
Cybersecurity Mergers, Acquisitions, and Funding
Mergers and Acquisitions
Adaptive Shield, SaaS security posture management, to be acquired by CrowdStrike for a reported $300M. SecurityWeek
AzireVPN, VPN provider, acquired by Malwarebytes for an undisclosed amount. SecurityWeek
VC Funding
Noma Security, AI security platform, raises $32M in Series A funding. siliconANGLE
Embed Security, agentic security platform, raises $6M in Seed funding. SecurityWeek