Baby Food, Lapsus$, Anonymous Vs. Printers, UEFI Rabbit Holes, & Browser-In-Browser – PSW #733
In the Security News: insiders inside NASA, BIND is in a bind again, Lapsus$ is on a tear, ripping at Microsoft and Okta, Anonymous hacks printers, the UEFI security rabbit hole goes DEEP, MikroTik and TrickBot, Browser-in-the-Browser attacks, Nestle gets attacked for not wanting to hurt babies, just another sabotage, & more!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Hosts
Lee Neely
Senior Cyber Advisor at Lawrence Livermore National Laboratory
- 1. Most NASA Systems at Risk From Insider Threats: Audit – NASA's Inspector General has concluded an audit of the agency's information technology systems that found its classified platform has effective insider threat countermeasures. However, the agency's unclassified systems (which do contain sensitive information) carry substantial insider threat risks and require attention.
- 2. Emotet malware campaign impersonates the IRS for 2022 tax season – The Emotet malware crew reared its head in 2014 and has become the world's most feared financial crime-oriented hacking group. They are ramping up their malware campaign as America's tax season escalates. Their phishing emails emulate something that would be sent from the Internal Revenue Service, with malicious file attachments that the reader is urged to open immediately.
- 3. Exotic Lily initial access broker works with Conti gang – Researchers say they have linked the new initial access broker "Exotic Lily," which provides access to previously compromised entities, to operations being conducted by the "Conti" ransomware group. Exotic Lily is currently exploiting the Microsoft Windows MSHTML vulnerability (CVE-2021-40444) in phishing campaigns that have distributed more than 5,000 phishing emails per day targeting some 650 organizations from around the world.
- 4. FBI: AvosLocker ransomware targets US critical infrastructure – The FBI, U.S. Treasury Department, and the Financial Crimes Enforcement Network (FinCEN) have issued a TLP:WHITE joint security advisory warning that the "AvosLocker" ransomware-as-a-service (RaaS) is being actively used in attacks targeting various U.S. critical infrastructure sectors.
- 5. High-Severity Vulnerabilities Patched in BIND Server – The Internet Systems Consortium (ISC) has released security updates to address three high-severity flaws (CVE-2022-0635, CVE-2022-0667, CVE-2021-25220) affecting the Berkeley Internet Name Domain (BIND) server software.
- 6. Anonymous leaked data stolen from Russian pipeline company Transneft – Anonymous hacked Omega Company, the in-house R&D unit of Transneft, the Russian oil pipeline giant, and leaked the stolen data. The Anonymous collective claims it has 79GB of stolen emails, and leaked those emails on the "Distributed Denial of Secrets" whistleblower site.
- 7. White House issues call to action in light of new intelligence on Russian cyberthreat – The Biden administration once again urged private sector firms to address known vulnerabilities and harden their cyber defenses given the increased possibility of Russian cyber attacks targeting U.S. critical infrastructure.
- 8. Microsoft investigating claims of hacked source code repositories – Microsoft has revealed it is now investigating claims from the "Lapsus$" data extortion gang that it breached Microsoft's internal Azure DevOps source code repositories on March 20 and stole data.
- 9. Okta investigating claims of customer data breach from Lapsus$ group – According to Lapsus$, it was able to obtain "superuser/admin" access to Okta.com, which allowed it to access the customer data. Per CEO Todd McKinnon, "In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January."