Infosec Monitor: No. 10
No. 10, January 5, 2024 — Merck settles NotPetya case, 23andMe points finger at users, and leaks galore, merry “Leaksmas” anyone?
Happy new year and welcome back to another edition of the Infosec Monitor. A weekly newsletter covering what's happened, what's happening, and what's coming in cybersecurity.
In this week's edition of the Infosec Monitor — Merck settles NotPetya case, 23andMe points finger at users, and leaks galore, merry “Leaksmas” anyone?

News
Mandiant and other X (formerly Twitter) accounts hijacked
Mandiant, a Google subsidiary, had its X (formerly Twitter) account hijacked to impersonate the Phantom crypto wallet and promote a cryptocurrency scam. The attackers used the account to advertise a fake airdrop of $PHNTM tokens that led to a phishing website. The scam aimed to install a fraudulent Phantom Wallet, which would then drain the victims' cryptocurrency. Mandiant is actively working to regain control and resolve the issue. The incident fits a broader trend in which cybercriminals target verified X accounts and sell them on the Dark Web for scams and disinformation campaigns. Bleeping Computer Dark Reading
Merck Settles NotPetya case with Insurers over $1.4B claim
Merck settled with its insurers over a $1.4 billion claim for damages caused by the NotPetya malware attack in 2017. The legal debate centered around whether NotPetya, attributed to Russia and initially targeting Ukraine, constituted an act of cyberwar. This classification was crucial as Merck's 'all-risks' insurance policy excluded damages from traditional warfare but did not clearly define cyberwar. New Jersey courts ruled in favor of Merck, interpreting the war exclusion clause as not applicable to the NotPetya attack. The settlement between Merck and its insurers, reached just before a potential New Jersey Supreme Court review, leaves the legal definition of cyberwar and its insurance implications unresolved. SecurityWeek
UK’s Radioactive Waste Management targeted via LinkedIn
Noteworthy because of the target and the increased use of social media in phishing. Radioactive Waste Management (RWM), a UK government-owned company involved in the Geological Disposal Facility nuclear waste-storage project, was recently targeted by cyberattackers using LinkedIn. The attackers attempted to exploit recent business changes following RWM's merger with two other companies to form Nuclear Waste Services. They used social engineering tactics on LinkedIn, creating fake accounts and sending malicious links to gain access to the company's systems. However, these attempts were thankfully unsuccessful. DarkReading
Whose fault is the 23andMe breach? Surely it’s the users…
When your system can’t detect a credential-stuffing attack and didn’t enforce two-factor authentication, is it really the user’s fault? 23andMe thinks so. The company is facing over 30 lawsuits over its massive data breach and is deflecting responsibility onto the victims, according to a letter obtained by TechCrunch. The breach, which exposed the genetic and ancestry data of 6.9 million users, began with credential stuffing against roughly 14,000 accounts. The attackers then abused the DNA Relatives feature to scrape data on far more users than the accounts they had logged into. 23andMe's response blames users for reusing passwords and failing to update them. In the aftermath, the company reset all customer passwords and made multi-factor authentication mandatory. It also altered its terms of service to make it harder for victims to file legal claims collectively, a move criticized by lawyers and affected customers as self-serving and desperate. TechCrunch
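The editorial point above is that credential stuffing is detectable: one source hammering many distinct usernames with a high failure rate looks nothing like a legitimate user mistyping a password. The following is an added example, not code from 23andMe or from the original post, showing a minimal detector over constructed sample auth events (the log format, IP addresses, usernames and thresholds are all assumptions for illustration).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data): "ISO-8601 timestamp  source IP  username  result"
# 203.0.113.7 sprays eight different usernames in a few seconds and lands one hit;
# 198.51.100.4 is a real user who mistypes once and then logs in.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol FAIL
2023-10-01T12:00:03Z 203.0.113.7 dave FAIL
2023-10-01T12:00:03Z 203.0.113.7 erin FAIL
2023-10-01T12:00:04Z 203.0.113.7 frank FAIL
2023-10-01T12:00:04Z 203.0.113.7 grace FAIL
2023-10-01T12:00:05Z 203.0.113.7 henry OK
2023-10-01T12:03:10Z 198.51.100.4 alice FAIL
2023-10-01T12:03:25Z 198.51.100.4 alice OK
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_events(text):
    """Parse the assumed four-column format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(text, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within a sliding time window, try at least `min_users`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.
    Any successful login from a flagged IP is reported as a probable account takeover,
    which is exactly the event a second factor would have stopped."""
    events = parse_events(text)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(not e.ok for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(win), "failures": fails}

    suspicious = sorted({(e.ip, e.user) for e in events if e.ok and e.ip in flagged})
    return {"flagged_ips": flagged, "suspicious_logins": suspicious}


if __name__ == "__main__":
    result = detect_stuffing(SAMPLE_LOG)
    for ip, stats in result["flagged_ips"].items():
        print(f"stuffing source {ip}: {stats}")
    for ip, user in result["suspicious_logins"]:
        print(f"probable takeover: {user} from {ip}")
```

The per-IP heuristic is deliberately the simplest thing that works; real stuffing campaigns rotate through residential proxies to stay under per-IP thresholds, so a production detector also needs a global signal (a spike in distinct usernames each failing once, or a sudden jump in the site-wide failure ratio) and, as the 23andMe case shows, mandatory MFA so that a correct guessed password alone does not yield a session.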
DoJ finishes xDedic investigation: 20 charged, a dozen already sentenced
The U.S. Department of Justice announced the culmination of its investigation into the xDedic cybercrime marketplace, resulting in the charging of nearly 20 individuals, with more than a dozen already sentenced. xDedic facilitated the illegal sale of over 700,000 compromised servers and personal information, used for various criminal activities. Arrests were made across multiple countries, and key figures in the operation, including administrators, sellers, and buyers, have received significant prison sentences. The Record
The US Air Force is trying new pay structures, civilian work force, and more to bridge recruitment gap
The 67th Cyberspace Wing of the U.S. Air Force is exploring new strategies to recruit and retain top cyber warfare talent amid increasing global competition. With the need to add six more teams to the cyber mission force, the focus is on both attracting and keeping experts, especially since the Air Force is now authorized to expand the force to 147 teams. The wing is addressing the challenge of retaining personnel in the face of lucrative private sector opportunities by adjusting pay structures and considering a more significant role for a civilian workforce. Additionally, the wing is focusing on identifying individuals with a natural interest in technology and strengthening community engagement to discover talent at younger ages. Defense Scoop
Google’s Cybersecurity Forecast 2024
No surprise that AI is a major focus. They also expect more zero-days in use, more disruptive hacktivism, election interference, and a whole lot more. Google
AI & Security
FTC offers $25,000 prize in Voice Cloning Challenge
The Federal Trade Commission (FTC) has launched the Voice Cloning Challenge, offering a $25,000 prize for the best solution to detect AI-enabled voice cloning. The competition aims to address the risks associated with sophisticated voice cloning, including voice phishing and social engineering scams. Submissions, open until January 12, will be evaluated based on practicality, impact on corporate accountability, consumer burden, and adaptability to future technological advances. The challenge serves as both a search for solutions and an early warning to policymakers about the need for stricter AI technology regulations. Bleeping Computer
NIST’s new report on Adversarial Machine Learning
The National Institute of Standards and Technology (NIST) has released a new publication addressing the vulnerabilities of AI and machine learning systems to various types of cyberattacks. Titled "Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations," it details the types of attacks AI systems can face, including evasion, poisoning, privacy, and abuse attacks, and suggests mitigation strategies. However, it acknowledges that no complete defense currently exists against AI misdirection. The publication aims to support the development of trustworthy AI and assist in implementing NIST’s AI Risk Management Framework. NIST.gov
What does AI mean for cybersecurity in 2024?
Everyone knows that AI is rapidly changing nearly every facet of work, and cybersecurity isn’t being left out. What are cybersecurity professionals saying is coming in 2024? Dr. Ian Pratt of HP says we’re going to see hyper-individualized phishing campaigns run by AI using public data from LinkedIn. CrowdStrike’s CTO, Elia Zaitsev, worries about the vulnerabilities in the many new sanctioned AI tools companies use, let alone the blind spots the many unsanctioned ones bring in. And Michael DeBolt of Intel 471 worries that AI will bolster cybercrime-as-a-service. On a positive note, many also pointed out that AI is helping cybersecurity professionals too, at first with the mundane tasks that often overwhelm teams, and now increasingly with better detection and automation as well. SC Magazine
Cyber Security Incidents
“Leaksmas” event impacts 50 million
Cybercriminals released 50 million stolen consumer records in a 'Free Leaksmas' event, impacting individuals and entities across several countries. The data spill included credit card and personal information from companies and governments. The majority of leaked records originated from Peru, the U.S., and the Philippines, highlighting the global scale and serious implications of these cybercrimes. The threat group SiegedSec, known for the Idaho National Laboratory data breach, was prominently involved in this activity. SC Magazine
18,689 impacted by San Bernardino Housing Authority breach
Better late than never, I guess. The San Bernardino County Housing Authority in California suffered a cyberattack in June that compromised the personal information of nearly 19,000 people. The attackers accessed an employee's email account, exposing names and Social Security numbers. According to the notification filed with Maine’s attorney general, the breach was not detected until December 26. The Record Maine.gov
4.5 million impacted by breach of HealthEC’s population health management platform
HealthEC disclosed on December 22 that it was breached between July 14 and 23, 2023. Interestingly, it originally reported to the Maine Attorney General that only 112,005 records were affected; the HHS Office for Civil Rights breach portal now shows 4,452,782. Breached data included Social Security numbers, taxpayer IDs, medical record numbers, and medical information including diagnoses and prescription details. SC Magazine Maine.gov HHS.gov
U.S. division of Xerox Business Solutions breached
The U.S. division of Xerox Business Solutions (XBS) experienced a data breach, with the INC Ransom ransomware gang claiming responsibility and leaking sensitive data. The incident exposed limited personal information but did not impact XBS or Xerox's operations. Data samples released by the hackers included email communications, payment details, and other confidential documents. The Xerox entry has since been removed from the ransomware group's leak portal, suggesting possible ongoing negotiations. Bleeping Computer
637,000 impacted by law-firm breach (for a firm that handles breaches)
Orrick, Herrington & Sutcliffe, a San Francisco-based international law firm that specializes in handling data breaches, fell victim to a cyberattack of its own. The breach, which occurred in March 2023, exposed sensitive health information of more than 637,000 individuals. A wide set of data points was stolen, including names, birth dates, addresses, government-issued IDs, medical information, insurance details, and financial data. Affected clients include EyeMed Vision Care, Delta Dental, MultiPlan, Beacon Health Options (Carelon), and the U.S. Small Business Administration. TechCrunch SecurityWeek
25 million disrupted in Ukraine with Kyivstar attack by Russian hackers
Russian hackers targeted Kyivstar, Ukraine's largest telecommunications provider, in a significant cyberattack. The destructive phase took place in December, following an initial network breach in May 2023, and wiped thousands of servers and computers, "completely" destroying the network's core. This caused service outages for most of Kyivstar's 25 million subscribers. The Solntsepek group, believed to be connected to the Russian military hacking group Sandworm, claimed responsibility, stating that its aim was to disrupt communications of the Ukrainian Armed Forces and government agencies. Bleeping Computer
912,000 impacted by Transformative Healthcare breach
Transformative Healthcare experienced a data breach impacting nearly 912,000 individuals, related to its subsidiary, Fallon Ambulance Services. The breach, detected in April 2023, began in February and involved unauthorized access to a wide range of personal information, including Social Security numbers and medical details. Additionally, the law firm Wolf Haldenstein Adler Freeman & Herz LLP has announced an investigation on behalf of former patients, suggesting the compromised data might be available on the dark web. The Record
$86 million in cryptocurrency stolen from Orbit Chain
Orbit Chain, a blockchain infrastructure project, suffered a security breach resulting in the loss of $86 million across multiple cryptocurrencies. The attack, a series of drain transactions by unidentified hackers, occurred on December 31, 2023. The exploit used remains unknown, but the nature of the attack and previous similar incidents suggest sophisticated state-sponsored actors, potentially from North Korea. Orbit Chain is collaborating with Korean law enforcement agencies that specialize in North Korean threats, and the blockchain community is actively tracking and attempting to freeze the stolen assets. Bleeping Computer
The semester start is postponed
The Memorial University of Newfoundland experienced a cyberattack in late December, leading to the postponement of the winter semester start at its Grenfell campus. Services at the Marine Institute campus have been restored, but challenges remain at Grenfell, including non-operational internet and payment terminals. Bleeping Computer
Gallery Systems hit by ransomware attack
Gallery Systems, a museum software solutions provider, experienced a ransomware attack on December 28th, causing significant IT outages and taking its services, including the eMuseum platform, offline. The attack affects over 800 museum clients, disrupting online collections and exhibitions. Gallery Systems is working to restore access and data. The identity of the ransomware group responsible for the attack remains unknown. Bleeping Computer
About
Cybersecurity is at a crossroads, changing more rapidly than we believed was possible just a few years ago. Stay informed on what's going on, what's happened, and what's coming next. I'm Bryan Smith, the author of the Infosec Monitor. I've spent over a decade pioneering changes in how cybersecurity is managed, from helping create the first cyber risk quantification (CRQ) software to advising how to approach cybersecurity pragmatically and proactively.
Data & Research
Mobile banking under attack
29 malware families targeted 1,800 banking applications across 61 countries last year. Help Net Security
11 million SSH servers vulnerable to Terrapin
Nearly 11 million (52%) of known SSH servers are vulnerable to the Terrapin attack (CVE-2023-48795), a prefix-truncation attack on the SSH handshake that applies when the connection uses ChaCha20-Poly1305 or a CBC cipher with Encrypt-then-MAC. Exploitation requires an adversary-in-the-middle (AitM) position as well as an unpatched peer; the fix is the "strict kex" extension, which both client and server must support. Bleeping Computer
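The check behind that 52% figure is simple to reproduce from a server's KEXINIT message: does it offer an affected mode, and does it advertise strict key exchange? The following is an added example, not code from the Terrapin researchers or from the original post. It builds constructed KEXINIT payloads (RFC 4253 section 7.1 layout) for an unpatched, a patched and a hardened server, parses them, and classifies each; a real scanner would read the payload from the peer's first packet after the version exchange. The sample algorithm lists are assumptions chosen to illustrate the three cases.

```python
import struct

SSH_MSG_KEXINIT = 20
# Strict-kex extension names from the Terrapin countermeasure; each side advertises its own.
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com", "client": "kex-strict-c-v00@openssh.com"}
NAMELIST_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                   "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _namelist(items):
    """Encode an RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    raw = ",".join(items).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Build a KEXINIT payload with the same cipher/MAC lists in both directions.
    Used here only to construct sample inputs; the cookie is zeroed for that reason."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        body += _namelist(field)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Parse the ten name-lists of a KEXINIT payload; raise on anything truncated."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16  # message type + cookie
    lists = {}
    for name in NAMELIST_FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        off += n
        lists[name] = [x for x in raw.decode("ascii").split(",") if x]
    return lists


def assess_terrapin(payload, role="server"):
    """Classify one peer's KEXINIT the way the public Terrapin scanner does:
    affected modes offered and no strict kex from this peer means vulnerable.
    Actual exploitation still needs an AitM and one of the affected modes to be negotiated."""
    k = parse_kexinit(payload)
    enc = set(k["enc_c2s"]) | set(k["enc_s2c"])
    mac = set(k["mac_c2s"]) | set(k["mac_s2c"])
    weak = []
    if "chacha20-poly1305@openssh.com" in enc:
        weak.append("chacha20-poly1305@openssh.com")
    cbc = sorted(a for a in enc if a.endswith("-cbc"))
    etm = sorted(m for m in mac if m.endswith("-etm@openssh.com"))
    if cbc and etm:  # CBC is only affected in Encrypt-then-MAC mode
        weak.append("CBC with Encrypt-then-MAC: " + ",".join(cbc) + " / " + ",".join(etm))
    strict = STRICT_KEX[role] in k["kex"]
    return {"weak_modes": weak, "strict_kex": strict, "vulnerable": bool(weak) and not strict}


# Constructed samples (assumed algorithm lists, not captured from any real host).
UNPATCHED_SERVER = build_kexinit(
    kex=["curve25519-sha256", "ecdh-sha2-nistp256"],
    hostkey=["ssh-ed25519"],
    enc=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
    mac=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
PATCHED_SERVER = build_kexinit(  # same modes, but advertises strict kex
    kex=["curve25519-sha256", "ecdh-sha2-nistp256", "kex-strict-s-v00@openssh.com"],
    hostkey=["ssh-ed25519"],
    enc=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
    mac=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
HARDENED_SERVER = build_kexinit(  # dropped the affected modes instead of patching
    kex=["curve25519-sha256"], hostkey=["ssh-ed25519"],
    enc=["aes256-gcm@openssh.com", "aes256-ctr"], mac=["hmac-sha2-256"],
)

if __name__ == "__main__":
    for label, payload in (("unpatched", UNPATCHED_SERVER), ("patched", PATCHED_SERVER),
                           ("hardened", HARDENED_SERVER)):
        print(label, assess_terrapin(payload))
```

Note that a patched server is only half the story: strict kex takes effect only when the client advertises `kex-strict-c-v00@openssh.com` as well, so the same check should be run against the client side (`role="client"`) when auditing a fleet.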
Cybersecurity Mergers, Acquisitions, and Funding
Airbus looking to acquire Atos cybersecurity unit for nearly $2 billion Dark Reading
SonicWall acquires Banyan Security for undisclosed sum CSO Online
Driven Technologies acquires ieMentor for undisclosed sum ETCIO
Aqua Security raises $60m and “remains a unicorn” TechCrunch
Thank you for reading Infosec Monitor. This post is public so feel free to share it.