A record breaking $75M ransom was paid, everyone is suing CrowdStrike, and the Azure outage was caused by a DDoS attack.

Infosec Monitor: No. 37

No. 37, Aug 2, 2024

Welcome back to another edition of the Infosec Monitor, a weekly newsletter covering what's happened, what's happening, and what's coming in cybersecurity.

In this week's edition of the Infosec Monitor — A record breaking $75M ransom was paid, everyone is suing CrowdStrike, and the Azure outage was caused by a DDoS attack.

Highlight of the Week

Fortune 50 company pays Dark Angels ransomware $75 million, setting new record

A Fortune 50 company paid the Dark Angels ransomware gang a record $75 million. The likely victim is Cencora, which disclosed an attack in February 2024. The payment underscores the "big game hunting" trend of targeting very large companies for outsized payouts, and it surpasses the previous record of $40 million. Dark Angels has used a Linux encryptor since Ragnar Locker's 2023 disruption. Bleeping Computer

News

Australia to mandate ransomware payment disclosure

Australian companies with annual revenue over AUD $3 million will soon have to report ransomware payments under the proposed Cyber Security Act, with fines of $15,000 for noncompliance. The aim is to track where funds flow to criminals; the requirement mirrors the US CIRCIA rules. Dark Reading

Investors sue CrowdStrike over massive outage, stock drops sharply

Investors filed a class action suit against CrowdStrike, alleging it misled them about its software's reliability following the global IT outage. The outage, caused by a faulty content update to CrowdStrike's Falcon sensor that crashed Windows hosts, led to a sharp drop in CrowdStrike's stock and significant financial losses for Delta Air Lines. Cybersecurity Dive

Related: The outage cost Delta $500M. Cybersecurity Dive

DNS weaknesses leave over a million domains vulnerable to takeover

More than a million domains are vulnerable to takeover because of weak ownership checks at DNS hosting providers. The pattern: a domain's registrar delegates it to a third-party DNS provider, the zone was never created there or has since lapsed (a "lame delegation"), and the provider lets anyone claim a zone for that domain without proving control of it. An attacker who claims the zone then controls the domain's DNS and can point it at malicious infrastructure. The issue is still present at major providers; DigitalOcean and Hostinger are among those working on mitigations. Krebs on Security

European Central Bank’s first cyber stress test

The ECB’s first cyber resilience stress test on over 100 European banks found existing response and recovery frameworks but noted room for improvement. Recommendations included better business continuity, backups, and scrutiny of external providers. Results will inform 2024 health checks. Cybernews

AI & Security

NIST launches Dioptra for AI security

NIST introduced Dioptra, an open-source tool for evaluating how vulnerable AI models are to adversarial attacks. It lets developers measure how much adversarial inputs degrade model performance and test mitigations. Infoworld

CISA appoints Lisa Einstein as first chief AI officer

CISA has appointed Lisa Einstein as its first chief AI officer, highlighting the importance of AI in cybersecurity. Previously a senior adviser, Einstein has led AI initiatives at CISA and will now head a dedicated office to optimize AI use in critical infrastructure. Axios

Offensive AI: cybersecurity’s new frontier. The Hacker News

Cybersecurity Incidents

DDoS attack causes Azure outage

A DDoS attack caused a roughly nine-hour outage of Microsoft 365 and Azure services, affecting a range of applications. An error in the implementation of Microsoft's DDoS defenses amplified rather than mitigated the impact. Microsoft is investigating and has said it will publish a detailed post-incident review. Earlier outages were linked to configuration changes and to threat-actor activity. Bleeping Computer

35K domains hijacked via Sitting Ducks DNS attack

Hackers have hijacked more than 35,000 domains through Sitting Ducks attacks, which exploit lame delegations at DNS providers that do not verify domain ownership before letting a customer create a zone. On any given day more than a million domains meet the conditions for takeover. Attackers, including Russian criminal groups, use the hijacked domains for spam, malware delivery, and phishing. GoDaddy and six other providers are affected. Bleeping Computer
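Both the Krebs item above and this one describe the same precondition: a delegation that points at nameservers which do not actually answer authoritatively for the zone, at a provider where anyone can then claim it. Below is an added example, not code from either article or from the researchers, that audits a set of delegations for that condition. The SOA query is injected as a function so the logic runs offline against constructed replies; the provider names, the CLAIMABLE_PROVIDERS set and the sample domains are all hypothetical, and a production version would swap fake_query for a real SOA lookup against each nameserver.

```python
"""Flag 'Sitting Ducks' candidates: domains whose delegated nameservers are
lame (do not answer authoritatively for the zone) at a provider that lets
anyone claim the zone without proving control of the domain.

Added example; the data and provider names below are constructed."""
import dataclasses
from typing import Callable, Dict, List


@dataclasses.dataclass(frozen=True)
class SoaReply:
    rcode: str           # DNS RCODE name: NOERROR, REFUSED, SERVFAIL, NXDOMAIN ...
    authoritative: bool  # True if the AA flag was set in the response


# (nameserver, domain) -> reply. In production this wraps a real SOA query sent
# directly to the nameserver; here it is injectable so the logic runs offline.
QueryFn = Callable[[str, str], SoaReply]

# Hypothetical set of DNS-hosting providers known to let any account create a
# zone for a domain without verifying ownership. Placeholder name, not a real one.
CLAIMABLE_PROVIDERS = {"claimable-dns.example"}


def provider_of(nameserver: str) -> str:
    """Reduce a nameserver hostname to its last two labels as a stand-in for
    the hosting provider. A real audit should use the Public Suffix List so
    that e.g. ns1.foo.co.uk maps to foo.co.uk rather than co.uk."""
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def lame_nameservers(domain: str, nameservers: List[str], query: QueryFn) -> List[str]:
    """Return the delegated nameservers that do not serve the zone: anything
    other than an authoritative NOERROR answer for the domain's SOA."""
    lame = []
    for ns in nameservers:
        reply = query(ns, domain)
        if reply.rcode != "NOERROR" or not reply.authoritative:
            lame.append(ns)
    return lame


def classify(domain: str, nameservers: List[str], query: QueryFn) -> str:
    """healthy: every NS answers for the zone.
    lame: at least one NS does not, but none of them sits at a claimable provider.
    hijackable: a lame NS sits at a provider where an attacker can claim the zone."""
    lame = lame_nameservers(domain, nameservers, query)
    if not lame:
        return "healthy"
    if any(provider_of(ns) in CLAIMABLE_PROVIDERS for ns in lame):
        return "hijackable"
    return "lame"


def audit(delegations: Dict[str, List[str]], query: QueryFn) -> Dict[str, str]:
    """Classify every domain in a {domain: [nameservers]} map."""
    return {domain: classify(domain, nss, query) for domain, nss in delegations.items()}


# Constructed sample delegations (what the parent zone's NS records say).
SAMPLE_DELEGATIONS = {
    "healthy.example.com": ["ns1.good-dns.example", "ns2.good-dns.example"],
    # Delegated to a claimable provider where the zone was never (re)created.
    "forgotten.example.com": ["ns1.claimable-dns.example", "ns2.claimable-dns.example"],
    # One stale NS at a provider that does verify ownership: broken, not hijackable.
    "misconfigured.example.com": ["ns1.good-dns.example", "ns9.good-dns.example"],
}

# Constructed SOA replies as each nameserver would return them for each domain.
SAMPLE_REPLIES = {
    ("ns1.good-dns.example", "healthy.example.com"): SoaReply("NOERROR", True),
    ("ns2.good-dns.example", "healthy.example.com"): SoaReply("NOERROR", True),
    ("ns1.claimable-dns.example", "forgotten.example.com"): SoaReply("REFUSED", False),
    ("ns2.claimable-dns.example", "forgotten.example.com"): SoaReply("SERVFAIL", False),
    ("ns1.good-dns.example", "misconfigured.example.com"): SoaReply("NOERROR", True),
    ("ns9.good-dns.example", "misconfigured.example.com"): SoaReply("REFUSED", False),
}


def fake_query(nameserver: str, domain: str) -> SoaReply:
    """Offline stand-in for a network SOA query; unknown pairs count as SERVFAIL."""
    return SAMPLE_REPLIES.get((nameserver, domain), SoaReply("SERVFAIL", False))


if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_DELEGATIONS, fake_query).items():
        print(f"{domain:28} {verdict}")
```

The verdict that matters operationally is "hijackable": the fix is either to create the zone at the provider yourself or, better, to remove the stale delegation at the registrar so nothing points at a provider you no longer use. A plain "lame" result still breaks resolution and should be cleaned up, but it is not claimable by a stranger.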

Simpli data leak exposes 10,000 employee credentials from 900 companies

A data leak from Simpli exposed 10,000 employees' credentials from around 900 companies, including Dell and Verizon. Discovered by Cybernews on March 25, the leak involved a publicly accessible web directory containing website backups. Cybernews

Zeus hackers leak Israeli Olympic athletes' data on Telegram

A hacker group named "Zeus" leaked sensitive data of Israeli athletes at the Paris Olympics on Telegram, including blood test results and military status. France's Anti-Cybercrime Office is working to remove the data. Increased security measures have been implemented for both Israeli and Palestinian athletes due to the Gaza conflict. Dark Reading

Ransomware attack cripples OneBlood's operations

OneBlood Inc. has suffered a ransomware attack, significantly reducing its capacity to operate. The attack impacts blood product shipments across multiple states, forcing manual labeling. Hospitals are urged to activate critical blood shortage protocols. The specific ransomware and potential data theft remain undisclosed. siliconANGLE

Proofpoint email flaw exploited to send millions of spoofed emails

An unknown actor exploited a permissive email-routing configuration in Proofpoint's relay servers to send millions of spoofed emails appearing to come from companies such as IBM and Nike. The EchoSpoofing campaign, which began in January, relayed mail through Proofpoint's infrastructure so that the messages carried valid SPF and DKIM results for the impersonated domains and passed DMARC. Proofpoint has since tightened the relay configuration; the episode underscores the need to lock down email relays and the attacker-controlled VPS servers and Microsoft 365 tenants used to inject the mail. The Hacker News

HealthEquity data breach affects 4.3 million, hides notification from search engines

HealthEquity's data breach affected 4.3 million people, exposing personal and health information. The breach stemmed from a compromised third-party vendor account. HealthEquity called it an isolated incident but added a "noindex" meta tag to the breach notice page, which keeps search engines from listing it. TechCrunch

Fresnillo reveals cyberattack, operations unaffected

Fresnillo PLC, the top global silver producer, disclosed a cyberattack with unauthorized data access. Operations and finances remain unaffected. The incident is under investigation with internal and external specialists. Fresnillo's mining activities continue as usual. Bleeping Computer

Selenium grid instances exploited for cryptomining

Cloud security firm Wiz has uncovered the SeleniumGreed campaign, in which threat actors abuse internet-exposed Selenium Grid instances to mine Monero. Selenium Grid has no authentication by default, so anyone who can reach the hub can drive browser sessions and, through WebDriver options, run commands on the host. With more than 30,000 exposed instances and activity going back more than a year, Wiz advises putting Grid behind authentication or network restrictions and has published indicators of compromise and recommendations. SecurityWeek

Attackers claim to have stolen 6.5TB of data from City of Columbus

Columbus, Ohio, halted a ransomware attack on July 18, disrupting city services but sparing 911 and 311 systems. An investigation is ongoing to assess data exposure. The Rhysida group claims to have stolen 6.5TB of data. Columbus is collaborating with federal authorities to fortify its systems. SecurityWeek

FBCS data breach now up to 4.2M, up from 3.2M. Bleeping Computer

Large pornography website exposes 12 million records. Cybernews

20K VMware ESXi servers exposed to active exploitation. SecurityWeek

ServiceNow RCE vulnerabilities exploited: over 105 databases compromised and 42K at risk. Dark Reading

1M HotJar users vulnerable to XSS attacks. SC Magazine

Threat Intel

Sidewinder targets maritime facilities with spear-phishing and old office exploits

SideWinder, linked to India, is targeting maritime facilities in the Indian Ocean and Mediterranean via spear-phishing. The attacks use emotional lures and exploit old Microsoft Office vulnerabilities (CVE-2017-0199, CVE-2017-11882) to gather intelligence. The Hacker News

North Korean cyber espionage campaign expands to macOS, Linux, targets developers globally

A North Korean cyber espionage group is using fake job interviews to target developers globally, deploying a RAT and infostealer malware via a trojanized Node.js project. The campaign, dubbed DEV#POPPER, now has variants for Windows, Linux, and macOS. Developers' machines are targeted for their sensitive data and credentials. CSO Online

New Android malware BingoMod steals funds, wipes devices. Bleeping Computer

China-backed phishing attack targets India Post users via iMessage. Dark Reading

Interesting Reads

Judge narrows charges but keeps SEC oversight on SolarWinds cyber disclosures

A judge's dismissal of most charges against SolarWinds affects SEC's cyber risk regulation. Key fraud claims on misrepresented security practices remain, suggesting ongoing SEC scrutiny. Recent settlements, like with R.R. Donnelley, highlight active enforcement. SolarWinds pretrial set for August 14. Cybersecurity Dive

Sophisticated Mandrake spyware evades detection on Google Play for two years

Mandrake spyware hid in five Google Play apps for two years, targeting users in several countries and collecting device data for espionage. Despite over 32,000 downloads, it remained undetected due to its sophistication. Google has since removed the apps and improved security measures. The malware is linked to Russian actors. The Record

CrowdStrike update crash underscores tech industry’s need for software quality guarantees

Will the massive outage turn the tide in the standard terms of service? CSO Online

UK Electoral Commission's 2021 breach due to unpatched Exchange server vulnerabilities. Bleeping Computer

EPSS enhances vulnerability prioritization amidst rising CVE numbers

New research shows that EPSS is getting stronger in its ability to predict exploitation. Tenable

Deepfake threats prompt 73% of US companies to develop response plans. Help Net Security

Google fixes Workspace flaw enabling domain impersonation. Krebs on Security

Top cloud security threats and solutions. CSO Online

Data & Research

Some companies are paying ransomware attackers multiple times

Nearly one-third of companies targeted by ransomware paid ransoms four or more times in the past year, with 48% of German companies affected compared to 20% in the U.S., according to Semperis. Over a third of those who paid received no usable decryption keys. Companies must assume constant breaches. Cybersecurity Dive

IBM’s Cost of a Data Breach 2024 Report

  • Average cost of a breach up to $4.88M, up 10% y/y

  • Most organizations take over 100 days to recover

  • Data breach lifecycle down to 258 days, from 277

  • Stolen/compromised credentials is the most common initial attack vector

And a whole lot more. Help Net Security

40% of BEC emails are AI-generated. SC Magazine

Russian ransomware gangs account for 69% of all ransom proceeds. Bleeping Computer

Cybersecurity Mergers, Acquisitions, and Funding

VC Funding

Cowbell, cyber insurance, raises $60M in Series C funding. siliconANGLE

Lineaje, software supply chain management, raises $20M in Series A funding. TechCrunch

ZeroTier, networking solutions, raises $13.5M in Series A funding. SecurityWeek

Evo Security, identity and access management, raises $6M in Series A funding. SecurityWeek

Endari, cybersecurity maturity model, raises $4M in Seed funding. SecurityWeek