Top news stories this week
- Phone-y business. 3CX supply chain attack after installer compromised with malware.
- Artificially secure. Microsoft announces AI-powered cyber security assistant days after ChatGPT data breach.
- The grey zone. Leaked documents offer rare glimpse into Russian cyber warfare.
- Fine print. Law firm fined for poor cyber security that led to a ransomware attack.
- Operation Power Off. NCA sets up fake DDoS-for-hire sites to catch criminals.
- Stepping up. Cyber security education becomes mandatory in North Dakota schools.
- Patch perfect. Patches released for Apple iOS and Veeam VBR.
Due to the Easter break, there will be no Cyber Intelligence Briefing next Friday. We will return with our regular update on 14 April 2023.
1. 3CX desktop app compromised in major supply chain attack
Threat actors have compromised an installer for the 3CX VoIP (Voice over Internet Protocol) desktop client and have been using it to push malware to the communication company’s customers. Security researchers have linked the attack to the North Korean state-backed hacking operation Lazarus Group.
If you have recently installed one of the impacted 3CX desktop applications, immediate containment actions are advised.
2. Microsoft announces AI-powered Security Copilot on heels of ChatGPT data breach
Microsoft has announced Security Copilot, a new AI-powered assistant based on OpenAI’s newest generative AI model GPT-4. Microsoft claims it will help cyber security professionals better identify and respond to breaches.
The news coincides with OpenAI’s confirmation that ChatGPT suffered a data breach that exposed user chat history and payment-related information, and with Italy’s announcement that it has banned ChatGPT over privacy concerns.
As AI becomes increasingly integrated into daily life, it is important to exercise caution when disclosing sensitive information and be aware of the risks.
3. Whistleblower sheds light on Russian cyber warfare
A series of leaked documents has been published detailing secret links between a private cyber security consultancy and Russian military and intelligence agencies. The leak offers a rare insight into Russia’s weaponisation of the digital sphere and how it leverages cyber capabilities in pursuit of its geopolitical aims.
As the Russia-Ukraine conflict continues, it is important to be aware of how spillover might impact your organisation’s risk profile.
4. Law firm fined after poor data security led to ransomware attack
New York’s attorney general has fined law firm Heidell, Pittoni, Murphy & Bach (HPMB) USD 200,000 for its ‘poor data security’. The firm suffered a ransomware attack in 2021 that resulted in the leak of sensitive data relating to 114,000 of its hospital clients. The attacker exploited a known vulnerability in the email server, which HPMB had failed to patch.
Without a functioning patch management programme, the risk increases that vulnerable systems are exploited and, as in the case of HPMB, that ransomware is deployed.
5. NCA sets up fake DDoS-for-hire sites to catch cyber criminals
The UK’s National Crime Agency (NCA) announced that they used fake DDoS-for-hire websites to catch would-be cyber criminals as part of Operation Power Off. Upon engaging with the fake websites, a warning page informs the user of data collection and notifies them of future contact from law enforcement.
Distributed Denial of Service (DDoS) attacks can cause major disruption by making online resources inaccessible. Ensure your organisation has suitable protection in place, particularly if you have low tolerance for service downtime.
6. Cyber security education bill passed in North Dakota
North Dakota became the first US state to mandate cyber security education after the state governor signed a bill requiring the teaching of cyber security and computer science for all children aged 5 to 18. The curriculum is expected to be finalised in 2024.
Attackers regularly exploit human negligence to gain initial access to systems, making cyber security awareness important for all ages. Providing cyber security training can improve employee preparedness and reduce the risk of human error.
7. Patches released for Apple iOS and Veeam VBR
Apple has recently released the iOS 16.4 update, which addressed 33 security vulnerabilities. The update includes a fix for a critical kernel vulnerability that could allow threat actors to execute arbitrary code, as well as a sandbox vulnerability that could enable an app to bypass privacy settings.
Separately, Veeam released a patch for its Backup and Replication (VBR) software in response to a publicly disclosed exploit that could allow threat actors to interact with backup infrastructure and remotely execute code.
A timely patch management process significantly reduces the risk of threat actors exploiting known vulnerabilities. If your organisation makes use of Apple iOS or Veeam VBR software, install the latest update and patches immediately.