A record breaking $75M ransom was paid, everyone is suing CrowdStrike, and the Azure outage was caused by a DDoS attack.
Infosec Monitor: No. 37
No. 37, Aug 2, 2024
Welcome back to another edition of the Infosec Monitor, a weekly newsletter covering what's happened, what's happening, and what's coming in cybersecurity.
In this week's edition of the Infosec Monitor — A record breaking $75M ransom was paid, everyone is suing CrowdStrike, and the Azure outage was caused by a DDoS attack.
Highlight of the Week
Fortune 50 company pays Dark Angels ransomware $75 million, setting new record
A Fortune 50 company paid Dark Angels ransomware a record $75 million ransom. The likely victim, Cencora, which was attacked in February 2024, underscores the "Big Game Hunting" trend of targeting large companies for huge payouts. This surpasses the previous $40 million ransom record. Dark Angels has used a Linux encryptor since Ragnar Locker's 2023 disruption. Bleeping Computer
News
Australia to mandate ransomware payment disclosure
Australian companies with over $3 million AUD in revenue will soon need to report ransomware payments, according to the proposed Cyber Security Act. Noncompliance fines are $15,000. This aims to track funds to criminals and mirrors US CIRCIA regulations. Dark Reading
Investors sue CrowdStrike over massive outage, stock drops sharply
Investors filed a class action suit against CrowdStrike, alleging it misled them about its software's reliability following a global IT outage. The outage, caused by an error in a Windows update, led to a sharp drop in CrowdStrike's stock and significant financial losses for Delta Air Lines. Cybersecurity Dive
Related: The outage cost Delta $500M. Cybersecurity Dive
DNS weaknesses leave over a million domains vulnerable to takeover
More than a million domains are vulnerable to cybercriminal takeovers due to DNS authentication weaknesses. This issue, still present at major providers, allows attackers to hijack domains for malicious purposes. Providers like Digital Ocean and Hostinger are working on solutions to mitigate this threat. Krebs on Security
European Central Bank’s first cyber stress test
The ECB’s first cyber resilience stress test on over 100 European banks found existing response and recovery frameworks but noted room for improvement. Recommendations included better business continuity, backups, and scrutiny of external providers. Results will inform 2024 health checks. Cybernews
AI & Security
NIST launches Dioptra for AI security
NIST introduced Dioptra, an open-source tool to evaluate AI model vulnerabilities to adversarial attacks. It helps developers understand and mitigate performance drops. Infoworld
CISA appoints Lisa Einstein as first chief AI officer
CISA has appointed Lisa Einstein as its first chief AI officer, highlighting the importance of AI in cybersecurity. Previously a senior adviser, Einstein has led AI initiatives at CISA and will now head a dedicated office to optimize AI use in critical infrastructure. Axios
Offensive AI: cybersecurity’s new frontier. The Hacker News
Cybersecurity Incidents
DDoS attack causes Azure outage
A DDoS attack caused a nine-hour outage of Microsoft 365 and Azure services, affecting various applications. An error in Microsoft's DDoS defenses worsened the impact. The company is investigating and will release a detailed report soon. Previous outages were linked to configuration changes and threat actor attacks. Bleeping Computer
35K domains hijacked via Sitting Ducks DNS attack
Hackers have hijacked over 35,000 domains via Sitting Ducks attacks, exploiting weak registrar configurations and poor DNS ownership verification. More than a million domains are vulnerable on any given day. Attackers, including Russian groups, use these domains for spam, malware, and phishing. GoDaddy and six other providers are affected. Bleeping Computer
Simpli data leak exposes 10,000 employee credentials from 900 companies
A data leak from Simpli exposed 10,000 employees' credentials from around 900 companies, including Dell and Verizon. Discovered by Cybernews on March 25, the leak involved a publicly accessible web directory containing website backups. Cybernews
Zeus hackers leak Israeli Olympic athletes' data on Telegram
A hacker group named "Zeus" leaked sensitive data of Israeli athletes at the Paris Olympics on Telegram, including blood test results and military status. France's Anti-Cybercrime Office is working to remove the data. Increased security measures have been implemented for both Israeli and Palestinian athletes due to the Gaza conflict. Dark Reading
Ransomware attack cripples OneBlood's operations
OneBlood Inc. has suffered a ransomware attack, significantly reducing its capacity to operate. The attack impacts blood product shipments across multiple states, forcing manual labeling. Hospitals are urged to activate critical blood shortage protocols. The specific ransomware and potential data theft remain undisclosed. siliconANGLE
Proofpoint email flaw exploited to send millions of spoofed emails
An unknown actor exploited Proofpoint's email routing flaw, sending millions of spoofed emails from companies like IBM and Nike. The EchoSpoofing campaign, which began in January, used authenticated SPF and DKIM signatures, making emails appear legitimate. Proofpoint has since enacted countermeasures, emphasizing the need for strict email and VPS security. The Hacker News
HealthEquity data breach affects 4.3 million, hides notification from search engines
HealthEquity's data breach impacted 4.3 million people, exposing personal and health information. The breach stemmed from a compromised third-party vendor account. HealthEquity labeled it an isolated incident but included "noindex" code on the breach notice page, hindering search engine visibility. TechCrunch
Fresnillo reveals cyberattack, operations unaffected
Fresnillo PLC, the top global silver producer, disclosed a cyberattack with unauthorized data access. Operations and finances remain unaffected. The incident is under investigation with internal and external specialists. Fresnillo's mining activities continue as usual. Bleeping Computer
Selenium grid instances exploited for cryptomining
Cloud security firm Wiz has uncovered the SeleniumGreed campaign, where threat actors exploit exposed Selenium Grid instances to mine Monero cryptocurrency. With over 30,000 vulnerable instances and attacks spanning over a year, Wiz advises securing instances and provides indicators of compromise and recommendations. SecurityWeek
Attackers claim to have stolen 6.5TB of data from City of Columbus
Columbus, Ohio, halted a ransomware attack on July 18, disrupting city services but sparing 911 and 311 systems. An investigation is ongoing to assess data exposure. The Rhysida group claims to have stolen 6.5TB of data. Columbus is collaborating with federal authorities to fortify its systems. SecurityWeek
FBCS data breach now up to 4.2M, up from 3.2M. Bleeping Computer
Large pornography website exposes 12 million records. Cybernews
20K VMware ESXi servers exposed to active exploitation. SecurityWeek
ServiceNow RCE vulnerabilities exploited: over 105 databases compromised and 42K at risk. Dark Reading
1M HotJar users vulnerable to XSS attacks. SC Magazine
Threat Intel
SideWinder targets maritime facilities with spear-phishing and old Office exploits
SideWinder, linked to India, is targeting maritime facilities in the Indian Ocean and Mediterranean via spear-phishing. The attacks use emotional lures and exploit old Microsoft Office vulnerabilities (CVE-2017-0199, CVE-2017-11882) to gather intelligence. The Hacker News
North Korean cyber espionage campaign expands to macOS, Linux, targets developers globally
A North Korean cyber espionage group uses fake job interviews to target developers globally, deploying RAT and infostealer malware via a trojanized Node.js project. The campaign, dubbed DEV#POPPER, now affects Windows, Linux, and macOS. Developers' machines are targeted for their sensitive data and credentials, with widespread global impact. CSO Online
New Android malware BingoMod steals funds, wipes devices. Bleeping Computer
China-backed phishing attack targets India Post users via iMessage. Dark Reading
Interesting Reads
Judge narrows charges but keeps SEC oversight on SolarWinds cyber disclosures
A judge's dismissal of most charges against SolarWinds affects SEC's cyber risk regulation. Key fraud claims on misrepresented security practices remain, suggesting ongoing SEC scrutiny. Recent settlements, like with R.R. Donnelley, highlight active enforcement. SolarWinds pretrial set for August 14. Cybersecurity Dive
Sophisticated Mandrake spyware evades detection on Google Play for two years
Mandrake spyware hid in five Google Play apps for two years, targeting users in several countries and collecting device data for espionage. Despite over 32,000 downloads, it remained undetected due to its sophistication. Google has since removed the apps and improved security measures. The malware is linked to Russian actors. The Record
CrowdStrike update crash underscores tech industry’s need for software quality guarantees
Will the massive outage turn the tide in the standard terms of service? CSO Online
UK Electoral Commission's 2021 breach due to unpatched Exchange server vulnerabilities. Bleeping Computer
EPSS enhances vulnerability prioritization amidst rising CVE numbers
New research shows that EPSS is getting stronger in its ability to predict exploitation. Tenable
Deepfake threats prompt 73% of US companies to develop response plans. Help Net Security
Google fixes Workspace flaw enabling domain impersonation. Krebs on Security
Top cloud security threats and solutions. CSO Online
Data & Research
Some companies are paying ransomware attackers multiple times
Nearly one-third of companies targeted by ransomware paid ransoms four or more times in the past year, with 48% of German companies affected compared to 20% in the U.S., according to Semperis. Over a third of those who paid received no usable decryption keys. Companies must assume constant breaches. Cybersecurity Dive
IBM’s Cost of a Data Breach 2024 Report
Average cost of a breach up to $4.88M, up 10% y/y
Most organizations take over 100 days to recover
Data breach lifecycle down to 258 days, from 277
Stolen/compromised credentials is the most common initial attack vector
And a whole lot more. Help Net Security
40% of BEC emails are AI-generated. SC Magazine
Russian ransomware gangs account for 69% of all ransom proceeds. Bleeping Computer
Cybersecurity Mergers, Acquisitions, and Funding
VC Funding
Cowbell, cyber insurance, raises $60M in Series C funding. siliconANGLE
Lineaje, software supply chain management, raises $20M in Series A funding. TechCrunch
ZeroTier, networking solutions, raises $13.5M in Series A funding. SecurityWeek
Evo Security, identity and access management, raises $6M in Series A funding. SecurityWeek
Endari, cybersecurity maturity model, raises $4M in Seed funding. SecurityWeek