6 February 2024

8 min read

Deepfake video call impersonating CFO costs firm USD 25 million | Cyber Intelligence Briefing: 6 February

February 2024
Cyber Briefing News

 

Top news stories this week

  1. Phoney CFO. Employee transfers USD 25 million after deepfake video call. 
  2. Open sesame. AnyDesk suffers breach as attackers obtain source code and signing keys. 
  3. Access all areas. Credentials stolen from Okta compromise used to gain access to Cloudflare’s internal infrastructure.
  4. Bullseye. FBI operation disrupts botnet utilised by Chinese-backed hacking group.
  5. Cheque please. Citibank sued for negligent data security practices.
  6. Friendly-fire. Mercedes-Benz and Football Australia leave private keys exposed to the internet.
  7. Data deception. Europcar denies purported breach of customer data.

Listen to the Cyber Intelligence Briefing

New call-to-action New call-to-action New call-to-action New call-to-action

1. Deepfake video call impersonating CFO costs firm USD 25 million 

A Hong Kong-based employee of an unnamed multinational firm sent USD 25 million to fraudsters after they were instructed to make the payment by a deepfake impersonation of the UK-based CFO on a video conference call. The employee believed they recognised other members of staff on the call, but these were also deepfake impersonations likely generated from publicly available footage of past meetings.

So what?

It is becoming increasingly difficult to spot malicious AI-generated content. Organisations should consider how to make payment approvals and other sensitive functions resilient against this rapidly emerging threat.

[Researcher: James Tytler] 


2. AnyDesk urges password reset after hackers access production systems 

Global remote access software company AnyDesk has confirmed it suffered a security breach after threat actors gained access to company production systems, stealing source code and code signing certificates. Although AnyDesk assessed its application was safe to use, as there was no evidence of end-user devices being compromised, it revoked all login credentials to its web portal and urged users to reset passwords following reports that cyber criminals were selling stolen data on hacking forums.

So what?

If your organisation utilises AnyDesk software, reset your credentials and closely monitor for suspicious activity.

[Researcher: Amy Gregan]


3. State-backed hackers used Okta credentials to access Cloudflare’s internal server 

Cyber security firm Cloudflare disclosed that hackers breached their internal Atlassian server in November 2023, using credentials stolen from a previous attack on access management service provider Okta. Cloudflare confirmed they failed to rotate service tokens and the credentials of three service accounts that were leaked during the Okta compromise.

So what?

Following a data breach notification from a third-party supplier, organisations should conduct thorough investigations and internal security reviews to mitigate downstream impacts to your organisation.

[Researcher: Amy Gregan]

 

Download now

 

4. FBI shuts down botnet targeting US critical infrastructure 

The FBI announced the takedown of a botnet used by a Chinese state-linked group, known as Volt Typhoon. The botnet, comprised of end-of-life (EOL) small office and home office (SOHO) routers infected with KV Botnet malware, concealed the origin of attacks on the communications, energy, transportation, and water sectors in the US.

This comes in the wake of an announcement by FBI director Christopher Wray that cyber criminals affiliated with the Chinese government are likely to target US critical infrastructure.

So what?

Ensuring that EOL software is isolated or discontinued will help reduce the risk of your network being compromised and exploited by hacking groups.

[Researcher: Adelaide Parker]


5. Citibank sued for failing to protect fraud victims  

The New York Attorney General has sued Citibank for weak online security practices that contributed to the unauthorised access of customer accounts. The bank reportedly refused to reimburse victims of fraud, responded poorly to fraud notifications, and lacked key critical security controls such as logging and alerting on customer accounts.

So what?

Organisations should implement robust data governance programmes which define key roles and responsibilities for protecting data and ensure accountability and compliance with relevant regulations.     

[Researcher: Adelaide Parker]


6. Mercedes-Benz and Football Australia leave private keys exposed to the internet 

The German car manufacturer Mercedes-Benz inadvertently exposed an authentication token to its internal GitHub repository on the internet, allowing unrestricted access to the company's intellectual property and internal data.

Separately, Football Australia left their Amazon Web Services (AWS) private keys exposed, granting access to player contract details and ticket purchase data. Both organisations attributed these breaches to human error and revoked the exposed tokens upon detection.

So what?

Managing access to critical systems through multi-factor authentication, automated monitoring and the implementation of comprehensive cyber security awareness programmes can significantly reduce the risk of human error.

[Researcher: Aditya Ganjam Mahesh]


7. Europcar denies alleged data breach affecting 50 million customers and blames AI 

Europcar has denied it suffered a breach after a threat actor claimed to be selling the personal information of 50 million Europcar customers on the dark web. Europcar claims the data has likely been generated by AI, citing inconsistencies between available sample data and Europcar’s customer databases. Security experts suggested the data may instead derive from several prior unrelated breaches.

So what?

Organisations should be skeptical of claims made by cyber criminals on dark web marketplaces. The proliferation of recycled data makes it difficult to verify the origin and authenticity of breaches.

[Researcher: Waithera Junghae]

SUBSCRIBE TO RECEIVE OUR WEEKLY CYBER THREAT INTELLIGENCE BRIEFING VIA EMAIL

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.

Editors

Kyle Schwaeble
Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

Miles Arkwright
Miles Arkwright
Associate, Cyber Advisory
James Tytler
James Tytler
Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.

Kyle Schwaeble
Kyle Schwaeble

Senior Associate, Cyber Security

Miles Arkwright
Miles Arkwright

Associate, Cyber Advisory

James Tytler
James Tytler

Associate, Incident Response

Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.