Here is the rundown of news and events that happened this week in the world of cybersecurity.
14 Million Customer Details Breached In Latitude Financial Firm
A significant security breach exposed the personal data of 14 million Australians and New Zealanders. On Monday, consumer loan provider Latitude Group said its systems indicated that the information was stolen two weeks earlier. 7.9 million driver’s license numbers and 53,000 passport numbers were stolen. According to Latitude Financial, this month’s hack also took 6.1 million more names, addresses, phone numbers, and birthdates from 2005.
The CEO, Ahmed Fahour, expressed his disappointment that so many more clients and applicants had been affected and promised a comprehensive investigation. The company apologized and admitted that today’s message might offend many customers. “We’re writing to all affected customers, applicants, and others.” Latitude Financial promised refunds if customers updated their IDs.
OpenAI: ChatGPT Payment Data Leak Caused By Open-Source Bug
A bug in open-source software used by OpenAI’s widely used ChatGPT language model leaked a lot of data, including payment details. The problem exposed ChatGPT paying users’ payment credentials and random users’ conversation histories, according to OpenAI. On March 20, consumers trying to subscribe to ChatGPT Plus saw unrelated email addresses in the payment form. The ChatGPT data exposure turned out to be larger than that and compromised more premium subscriber data.
According to the firm, a fault in the open-source library redis-py caused a caching problem that allowed active users to read another user’s last four credit card digits, expiration date, name, email address, and payment address. Users could also view other users’ chat histories. Caching issues that let users see each other’s data aren’t new. On Christmas Day 2015, Steam users saw other users’ account information. Ironically, a publicly known security weakness affected OpenAI, which spends heavily on AI security and safety.
Pwn2Own Hacking Competition Awards Over $1 Million In Vancouver
Pwn2Own Vancouver 2023 contestants won $1,035,000 and a Tesla Model 3 after exploiting 27 zero-day vulnerabilities between March 22 and 24. The hacking competition targeted existing, default-configured enterprise applications and communications devices, local elevation of privilege (EoP), virtualization, servers, and cars. Team Synacktiv won about $1,000,000 and a Tesla Model 3 at Pwn2Own Vancouver 2023. Contestants gained code execution on fully patched systems, compromising Windows 11, Microsoft Teams, Microsoft SharePoint, macOS, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and the Tesla Model 3.
After zero-day vulnerabilities are exploited and disclosed at Pwn2Own through Trend Micro’s Zero Day Initiative, vendors have 90 days to release security fixes. Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) of Synacktiv won $80,000 for demonstrating a three-bug chain to escalate privileges on an Oracle VirtualBox host, while Tanguy Dubroca (@SidewayRE) won $30,000 for an incorrect pointer scaling zero-day on Ubuntu Desktop. On the third day, Thomas Imbert (@masthoon) of Synacktiv won $30,000 for a Use-After-Free (UAF) zero-day used to compromise a fully patched Windows 11 system.
Team Viettel won $115,000 for hacking into Microsoft Teams and VMware Workstation, while STAR Labs received $195,000 for exploiting Oracle VirtualBox and Microsoft Teams vulnerabilities.
New IcedID Variants Switch From Delivering Malware To Bank Fraud
Security researchers have seen two new variants of IcedID, banking malware used to disseminate ransomware. Because some functionality has been removed, the two new variants are lighter than the original. One may be linked to the Emotet botnet. Proofpoint researchers found that a group of threat actors is likely using the updated variants to shift the malware’s focus from banking Trojan and banking fraud activity to payload distribution, which likely prioritizes ransomware delivery.
Proofpoint researchers also suspect that the original Emotet creators and the IcedID operators have collaborated to expand, using the Lite version of the new IcedID variants, which has unique functionality, and likely testing it via active Emotet infections. Timing, codebase artifacts, and Emotet infections support this idea. Proofpoint linked five threat actors to hundreds of attacks using the Trojan between 2022 and 2023. Most of these threat actors are initial access brokers, who give cybercriminals, mostly ransomware gangs, access to corporate networks.
Executive Order Limiting Usage Of Commercial Spyware Signed
On Monday, US President Joe Biden issued an executive order prohibiting federal agencies’ use of commercial spyware. The spyware ecosystem “poses major security or counterintelligence concerns to the United States Government or significant risks of unauthorized use by a foreign government or foreign person,” the order states. The document requires the government to use these tools in accordance with the rule of law and democratic ideals. The directive lists many rules to prevent U.S. government organizations from using commercial spyware. These include:
Buying commercial malware to attack the US government.
A commercial spyware vendor operates as an agent for an anti-American government and uses or distributes sensitive cyber surveillance instrument data without permission.
A foreign threat actor uses commercial spyware to censor activists and dissidents or violate human rights.
A foreign threat actor observes an American using commercial spyware without their consent, protection, or supervision.
Distributing commercial malware to countries with a history of political repression and human rights violations.
France Bans TikTok And Other ‘Fun Apps’ On Government Devices
France is the next country to restrict TikTok and other “Fun Applications” on government-controlled smartphones. Stanislas Guerini, Minister of Public Transformation and Service, explained the shift. The French government has banned all recreational apps, including TikTok, from work computers. U.S. parliamentarians’ government-issued phones cannot use TikTok. The European Commission ordered TikTok to be deleted from all work devices. Data privacy is always a concern for governments. Since ByteDance owns TikTok, several governments worry that the Chinese government may access user data.
TikTok Europe general manager Rich Waterworth says TikTok is “minimizing data flows outside of Europe; lowering employee access to European user data” in addition to this data sovereignty policy. Naturally, countries must trust TikTok, which France doesn’t appear to do. The Ministry of Public Transformation and Service announced that public officials’ business phones would no longer be able to download or install entertainment software due to security concerns.
New Fake Tor Browser Theft Campaign Steals Over $400,000 In Crypto
Fake Tor Browser installers that steal cryptocurrency transactions via the clipboard target Russians and Eastern Europeans. Kaspersky researchers warn that this attack, although not new, infects many individuals worldwide. Kaspersky says these malicious Tor installers typically target Russia and Eastern Europe. According to Kaspersky, this may be linked to Russia blocking the Tor Project website in late 2021. In 2021, Russia had over 300,000 daily Tor users, 15% of all Tor users.
Tor Browser hides IP addresses and encrypts traffic to allow anonymous online browsing. Tor can also access the “dark web,” or onion domains, which are inaccessible to standard browsers and search engines. Cryptocurrency owners can use the Tor browser to transact anonymously or access dark web market services that accept cryptocurrencies.
North Korean APT43 Group Finances Spy Activities Via Cybercrime
Mandiant published a report on the North Korean group APT43, which it believes uses cybercrime to finance espionage. Hidden Cobra has been involved in many cyberattacks, including the 2017 WannaCry ransomware outbreak, which affected 200,000 machines in 150 countries. The group is suspected of cyberespionage and close ties to North Korea. APT43 is a North Korean state-sponsored cyber espionage group. The group, active since 2012, may work for North Korea. The organization has targeted automobile, aerospace, and financial services companies.
US Gives Costa Rica $25M For Eradication Of Conti Ransomware
The US is giving Costa Rica $25 million to recover from a devastating ransomware attack that crippled many vital agencies last year. The now-defunct Conti ransomware group severely affected the Costa Rican Social Security Fund in May 2022. Costa Rica’s new president, Rodrigo Chaves, declared a state of emergency. The group demanded $20 million after calling for the government’s overthrow. On Wednesday, a senior White House spokesperson said the State Department would provide $25 million to Costa Rica’s cybersecurity operations at Chaves’ request.
The money is meant to protect the nation’s critical network infrastructure. “We immediately sent an American recovery team to Costa Rica. Since then, we’ve engaged closely with the country and determined that extra support is needed.” Using Ministry of Science, Innovation, Technology, and Communications funds, a central security operations center will stop, identify, and respond to cyberattacks. The center will coordinate cybersecurity initiatives across Costa Rica’s ministries and authorities and assist in cybersecurity training, capacity building, strategic and technical planning, and tool, software, hardware, and licensing purchases.
Supply Chain Attack By Hackers On 3CX Desktop App
A supply chain attack targets 3CX clients with a digitally signed and trojanized desktop program. 3CX is a VoIP IPBX software firm with over 12 million daily users and 600,000 customer companies globally. On Wednesday, cybersecurity organizations warned that state-sponsored threat actors had tampered with the official Windows desktop application for the popular 3CX softphone solution. CrowdStrike found “unanticipated hazardous behavior” in the 3CXDesktopApp softphone, a signed binary. This entailed beaconing to actor-controlled infrastructure, launching second-stage payloads, and some “hands-on” keyboard work. CrowdStrike observed this on macOS and Windows computers.
3CX, a major unified communication service, created the 3CX Desktop App. The software offers phone and video calls, instant messaging, and presence information in one place. The program’s Windows, macOS, Linux, Android, iOS, Chrome extension, and PWA versions can be used with a 3CX phone system or as an independent communication platform. Its user-friendly interface manages all communication routes.
Ukraine Cyberpolice Dismantles Fraud Ring That Stole $4.3 million
The Ukraine cyberpolice arrested members of a fraud ring that defrauded over 1,000 EU citizens of $4,300,000. The criminal group created over 100 “phishing” websites offering inexpensive goods from France, Spain, Poland, the Czech Republic, Portugal, and other European countries. The threat actors collected the victims’ credit card information from the fraudulent websites, and the orders were never fulfilled. Phishing emails, social network postings, or fraudulent advertising may have led victims to these sites.
The thieves used stolen credit cards to shop online. Reselling and money mule networks move these goods. The authorities found two contact centers in Vinnytsia and Lviv that helped the scam by convincing customers to buy. The Ukrainian police conducted 30 searches of members’ homes, contact centers, and vehicles, seizing computer gear, mobile devices, and SIM cards for investigation. After detention, the suspects are being prosecuted for violating Article 190, Section 4 (fraud) and Article 255, Section 1 (establishment, leadership of a criminal community or criminal organization, and participation in it).
FDA Sets New Medical Devices Cybersecurity Standards
The FDA announced on March 29 that it would “refuse to accept” medical devices and systems from October 1 owing to cybersecurity concerns. New device submissions require complete cybersecurity plans starting March 29. Device manufacturers must submit plans to monitor, identify, and resolve post-market cybersecurity vulnerabilities and exploits in a “reasonable timeframe,” including coordinated vulnerability reports and tactics. Developers must now establish and maintain methods to certify “that the device and connected systems are cyber secure” and provide post-release upgrades and patches that repair “known unacceptable vulnerabilities on a fairly justified regular cycle.”
Healthcare delivery organizations have long secured the massive, complicated device ecosystem, but even the best-equipped must catch up. In December, healthcare stakeholders, who have long sought federal aid to address systemic medical equipment protection issues, overwhelmingly endorsed the move. The final guideline, “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Associated Systems,” contains all additional submission criteria, and the December Omnibus required the FDA to take the March 29 actions within 90 days of the law’s passage. The FDA’s “refuse to accept” decisions for premarket submissions based solely on cybersecurity factors will not take effect until October 1.