Leaked Chinese documents reveal inside view of state-sponsored APTs, ConnectWise’s “comically easy to use” vulnerability, and more on LockBit’s takedown.
Infosec Monitor — No. 17, February 23, 2024
Welcome back to another edition of the Infosec Monitor. A weekly newsletter covering what's happened, what's happening, and what's coming in cybersecurity.
In this week's edition of the Infosec Monitor — Leaked Chinese documents reveal inside view of state-sponsored APTs, ConnectWise’s “comically easy to use” vulnerability, and more on LockBit’s takedown.

Highlight of the Week
Leaked documents show massive inside view of Chinese government-sponsored hacking
The documents appeared on GitHub earlier this week and appear to be related to the Chinese hacking contractor I-SOON. "The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China's cyber espionage ecosystem," SentinelLabs' Dakota Cary and Aleksandar Milenkoski wrote in an analysis of the leak. One major revelation is how deeply private Chinese companies are involved in supporting Chinese APT groups. SecurityWeek
News
What we've learned from the LockBit takedown
Lots of new details have emerged a week after the announcement of the LockBit takedown. Since then, associated affiliates have also been arrested. The ransomware gang is responsible for over 2,000 successful ransomware attacks and, to date, has received more than $120 million in ransom payments. Unsurprisingly, it also appears that the victim data LockBit promised to delete was never deleted. TechCrunch HelpNetSecurity
US ports over-exposed to China, Biden EO to increase port security over five years
The White House issued an executive order to increase the security of US ports. The EO will allow the US Coast Guard to crack down on ports that fail to improve. Notably, the report states that 80% of cranes in US ports are Chinese-manufactured and can be operated remotely. Part of the port upgrades will begin moving away from Chinese-built cranes. The Record CSO Online
CISA releases guidance for securing water systems. SecurityWeek CISA
A major vulnerability in ConnectWise is being exploited in the wild
ConnectWise, a popular IT screen-sharing tool, has been hit by a major vulnerability characterized as "comically easy to use." 80% of ConnectWise users are cloud-based and have already been patched. However, the tool is extremely popular, and the 20% of installations not in the cloud must be patched immediately. CSO Online
AI & Security
Microsoft releases red teaming tool for AI
The tool allows organizations to evaluate the security of their large language models (LLMs). The tool attempts to provide a holistic approach, covering fabrication, misuse, and prohibited content (such as malware generation and jailbreaking). The Hacker News
Cyber Security Incidents
U-Haul breached using stolen credentials
The company says that no credit card data was breached, but customer data was accessed by an unauthorized third party using stolen credentials. How many customers were affected has yet to be determined. BleepingComputer
21.58GB of Iraqi voter information leaked
The voter information was found for sale online by researchers. The data appears to be Iraqi voter information from Iraq's Independent High Electoral Commission (IHEC). A supply chain attack is believed to be the cause of the data breach. Dark Reading
Change Healthcare hit with cyberattack possibly by nation-state
Change Healthcare, a subsidiary of UnitedHealth, says it has been hit by a cyberattack, perhaps originating from a nation-state. The healthcare billing provider says it processes billions of healthcare transactions annually and has not disclosed the attack's impact. TechCrunch
1.5TB of data stolen via ransomware attack from Schneider Electric
The data, confirmed by Schneider Electric, a large OT manufacturer, contains a wide assortment of material, including copies of passports, legal agreements, and other PII. Schneider Electric is still determining how widespread the data breach is and whether it also includes customer data. SC Magazine
Australian telco, Tangerine, breached, impacting 230K customers
The telco was breached using the login credentials of a contractor. Tangerine has stated that while PII was stolen, no IDs or payment data were taken. SecurityWeek
German battery manufacturer Varta AG is still down two weeks after the attack. The Record
28,500 Exchange servers are vulnerable to an actively exploited bug. BleepingComputer
Washington DC area school district hit by ransomware impacting 100,000 people. The Record
Data & Research
Covering a new report on AppSec from Veracode, researcher Wade Baker points out that not all software flaws are created equal. 3% of flaws are security debt that should be your team's priority, followed by 12% that are new and should be resolved. The remainder consists of non-critical flaws and non-security-related flaws. LinkedIn
Cybersecurity Mergers, Acquisitions, and Funding
Kolide, an endpoint security platform, was acquired by 1Password owner AgileBits for an undisclosed amount. TechCrunch
BreachQuest, an incident response firm, was acquired by Resilience for an undisclosed amount. ReadITQuik
ExactTrack, a data protection company, raised £1m in a seed round. Fintech Global