Top news stories this week
- Phoney CFO. Employee transfers USD 25 million after deepfake video call.
- Open sesame. AnyDesk suffers breach as attackers obtain source code and signing keys.
- Access all areas. Credentials stolen from Okta compromise used to gain access to Cloudflare’s internal infrastructure.
- Bullseye. FBI operation disrupts botnet utilised by Chinese-backed hacking group.
- Cheque please. Citibank sued for negligent data security practices.
- Friendly-fire. Mercedes-Benz and Football Australia leave private keys exposed to the internet.
- Data deception. Europcar denies purported breach of customer data.
1. Deepfake video call impersonating CFO costs firm USD 25 million
A Hong Kong-based employee of an unnamed multinational firm sent USD 25 million to fraudsters after being instructed to make the payment by a deepfake impersonation of the UK-based CFO on a video conference call. The employee believed they recognised other members of staff on the call, but these were also deepfake impersonations, likely generated from publicly available footage of past meetings.
It is becoming increasingly difficult to spot malicious AI-generated content. Organisations should consider how to make payment approvals and other sensitive functions resilient against this rapidly emerging threat.
[Researcher: James Tytler]
2. AnyDesk urges password reset after hackers access production systems
Global remote access software company AnyDesk has confirmed it suffered a security breach after threat actors gained access to company production systems, stealing source code and code signing certificates. AnyDesk assessed that its application remained safe to use, as there was no evidence of end-user devices being compromised. It nevertheless revoked all login credentials to its web portal and urged users to reset passwords following reports that cyber criminals were selling stolen data on hacking forums.
If your organisation utilises AnyDesk software, reset your credentials and closely monitor for suspicious activity.
[Researcher: Amy Gregan]
3. State-backed hackers used Okta credentials to access Cloudflare’s internal server
Cyber security firm Cloudflare disclosed that hackers breached its internal Atlassian server in November 2023, using credentials stolen from a previous attack on access management service provider Okta. Cloudflare confirmed it had failed to rotate service tokens and the credentials of three service accounts that were leaked during the Okta compromise.
Following a data breach notification from a third-party supplier, organisations should conduct thorough investigations and internal security reviews, including rotating every credential the supplier may have held, to mitigate downstream impacts.
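The lesson from this item is that a supplier breach notification should trigger a check of every credential that was live while the supplier was compromised. The following Python script is an added example, not Cloudflare's or Okta's own tooling: it reads a constructed credential inventory (names, dates and the exposure cut-off are all hypothetical) and flags any token or service account whose current value predates the end of the supplier's exposure window and has not been rotated since.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                     # e.g. "service_token" or "service_account"
    issued_at: datetime
    rotated_at: Optional[datetime]  # None when never rotated since issue


def parse_iso(value: str) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; blank cells mean 'never rotated'."""
    value = value.strip()
    if not value:
        return None
    # Older Python versions do not accept a trailing "Z", so normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_inventory(csv_text: str) -> List[Credential]:
    """Load a credential inventory exported as CSV (columns assumed below)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        Credential(r["name"], r["kind"], parse_iso(r["issued_at"]), parse_iso(r["rotated_at"]))
        for r in rows
    ]


def needs_rotation(cred: Credential, exposure_end: datetime) -> bool:
    """True when the credential's current value already existed at the end of the
    supplier's exposure window, i.e. the supplier could have held it and it has
    not been replaced since. Credentials rotated (or first issued) after the
    window closed are considered clean."""
    current_value_since = cred.rotated_at or cred.issued_at
    return current_value_since <= exposure_end


def stale_credentials(inventory: List[Credential], exposure_end: datetime) -> List[str]:
    """Names of every credential that must be rotated, sorted for a stable report."""
    return sorted(c.name for c in inventory if needs_rotation(c, exposure_end))


# Constructed sample inventory; names and dates are hypothetical.
SAMPLE_INVENTORY = """\
name,kind,issued_at,rotated_at
atlassian-svc-token,service_token,2023-06-01T00:00:00Z,
ci-bot,service_account,2023-05-10T00:00:00Z,2023-10-20T00:00:00Z
backup-svc,service_account,2023-07-15T00:00:00Z,2023-10-25T00:00:00Z
new-deploy-key,service_token,2023-11-01T00:00:00Z,
"""

# Hypothetical end of the supplier's exposure window, taken from the breach notice.
EXPOSURE_END = datetime(2023, 10, 22, tzinfo=timezone.utc)


if __name__ == "__main__":
    for name in stale_credentials(load_inventory(SAMPLE_INVENTORY), EXPOSURE_END):
        print(f"ROTATE: {name}")
```

In the sample, `ci-bot` was rotated two days before the window closed, so its current value was still live while the supplier was compromised and it is flagged alongside the never-rotated `atlassian-svc-token`; `backup-svc` (rotated afterwards) and `new-deploy-key` (issued afterwards) are not. In practice the inventory would come from the identity provider or secrets manager rather than a hand-written CSV.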
[Researcher: Amy Gregan]
4. FBI shuts down botnet targeting US critical infrastructure
The FBI announced the takedown of a botnet used by a Chinese state-linked group known as Volt Typhoon. The botnet, composed of end-of-life (EOL) small office and home office (SOHO) routers infected with KV Botnet malware, concealed the origin of attacks on the communications, energy, transportation, and water sectors in the US.
This comes in the wake of an announcement by FBI director Christopher Wray that cyber criminals affiliated with the Chinese government are likely to target US critical infrastructure.
Ensuring that EOL software is isolated or discontinued will help reduce the risk of your network being compromised and exploited by hacking groups.
[Researcher: Adelaide Parker]
5. Citibank sued for failing to protect fraud victims
The New York Attorney General has sued Citibank for weak online security practices that contributed to the unauthorised access of customer accounts. The bank reportedly refused to reimburse victims of fraud, responded poorly to fraud notifications, and lacked key security controls such as logging and alerting on customer accounts.
Organisations should implement robust data governance programmes which define key roles and responsibilities for protecting data and ensure accountability and compliance with relevant regulations.
[Researcher: Adelaide Parker]
6. Mercedes-Benz and Football Australia leave private keys exposed to the internet
The German car manufacturer Mercedes-Benz inadvertently exposed on the internet an authentication token for its internal GitHub repository, allowing unrestricted access to the company's intellectual property and internal data.
Separately, Football Australia left its Amazon Web Services (AWS) private keys exposed, granting access to player contract details and ticket purchase data. Both organisations attributed these breaches to human error and revoked the exposed tokens upon detection.
Managing access to critical systems through multi-factor authentication, automated monitoring and the implementation of comprehensive cyber security awareness programmes can significantly reduce the risk of human error.
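One form of the "automated monitoring" this item recommends is a secret scanner that runs before a commit or on a repository mirror and refuses files containing credential material. The script below is an added example and not tooling from either organisation named above: it matches publicly documented credential formats (AWS access key IDs begin with `AKIA` plus 16 upper-case alphanumerics; GitHub classic personal access tokens begin with `ghp_` plus 36 characters; PEM private key headers) against a constructed sample file, reports hits with the matched value redacted, and returns a verdict a pre-commit hook can act on. The pattern list is an assumption to be extended for other providers.

```python
import re
import sys
from typing import Dict, List, Tuple

# Patterns for credential formats whose structure is publicly documented.
# Extend this table for other providers; it is the assumption the scanner rests on.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(secret: str) -> str:
    """Keep a short prefix so a finding is identifiable without reprinting the secret."""
    return secret[:6] + "..." if len(secret) > 6 else "***"


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, redacted_match) for every hit, in line order."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, redact(match.group(0))))
    return findings


def should_block_commit(findings: List[Tuple[int, str, str]]) -> bool:
    """Any finding is enough to reject the change; a human must review it."""
    return len(findings) > 0


# Constructed sample of a config file that might be committed by mistake.
# The AWS value is the placeholder key AWS uses in its own documentation;
# the GitHub value is made up to match the token format.
SAMPLE_CONFIG = """\
# deployment settings
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_REGION=ap-southeast-2
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    # Scan files named on the command line, or the constructed sample if none given.
    if len(sys.argv) > 1:
        blocked = False
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            for lineno, name, shown in hits:
                print(f"{path}:{lineno}: {name} ({shown})")
            blocked = blocked or should_block_commit(hits)
        sys.exit(1 if blocked else 0)
    for lineno, name, shown in scan_text(SAMPLE_CONFIG):
        print(f"sample:{lineno}: {name} ({shown})")
```

Run against staged files from a pre-commit hook, a non-zero exit stops the commit; the redacted output means the scanner's own logs never become a second copy of the secret. Pattern matching catches well-formed tokens only, so it complements rather than replaces revoking and rotating any key that does reach a repository.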
[Researcher: Aditya Ganjam Mahesh]
7. Europcar denies alleged data breach affecting 50 million customers and blames AI
Europcar has denied it suffered a breach after a threat actor claimed to be selling the personal information of 50 million Europcar customers on the dark web. Europcar claims the data was likely generated by AI, citing inconsistencies between the available sample data and Europcar's customer databases. Security experts suggested the data may instead derive from several prior, unrelated breaches.
Organisations should be sceptical of claims made by cyber criminals on dark web marketplaces. The proliferation of recycled data makes it difficult to verify the origin and authenticity of a purported breach.
[Researcher: Waithera Junghae]