17 January 2025

6 min read

US, UK and EU all step up cybersecurity measures | Cyber Intelligence Briefing: January 17, 2025


Top news stories this week

  1. Time for action. Biden signs Executive Order on cybersecurity, UK government launches consultation on banning ransom payments, and EU presents plan for healthcare organizations.
  2. Sticky business. US data broker Gravy Analytics and Spanish multinational Telefónica suffer data breaches.
  3. Forti-dump. Data from 15,000 firewall appliances leaked on dark web as Fortinet warns of new zero day.
  4. Class-ified. Sensitive data of millions of students and teachers impacted during PowerSchool data breach.
  5. Deepfake. Hong Kong busts syndicate involved in romance investment scam.
  6. Bucket of tricks. Hackers use native AWS encryption in cloud ransomware attacks.

 

1. Governments on both sides of Atlantic announce new cybersecurity measures

Outgoing US President Joe Biden has signed an Executive Order increasing the power of the federal government to enforce compliance with cybersecurity standards and to impose sanctions on foreign hackers.

Separately, the UK government has launched a public consultation on proposals for legislation to tackle ransomware, including banning public sector entities from paying ransoms and introducing new mandatory reporting requirements.

Finally, the EU Commission has presented an EU action plan aimed at strengthening the cybersecurity of hospitals and healthcare providers. The plan aims to improve resiliency by enhancing focus on prevention, detection, and response capabilities, and is anticipated to be rolled out over the next two years.

So what?

It is important to know your obligations and reporting requirements under new cybersecurity legislation in the face of a rapidly changing policy landscape.

[Researcher: Adelaide Parker]

2. Gravy Analytics and Telefónica hit by major data breaches

A hacker on a dark web forum obtained precise location data of millions of users of apps including Tinder, Spotify, and Citymapper from US data broker Gravy Analytics after compromising its Amazon Web Services (AWS) cloud storage environment.

Separately, Spanish multinational Telefónica confirmed that the Hellcat ransomware group used info-stealing malware and social engineering to steal customer data and nearly half a million Jira tickets.

So what?

Organizations should implement comprehensive security practices that include secure key management and robust employee training to guard against cloud compromises and social engineering attacks.

[Researcher: Waithera Junghae]


3. Mass dump of FortiGate firewall data posted on dark web and new zero day reported

A threat actor called Belsen Group has leaked configuration data and IP addresses from over 15,000 Fortinet firewall appliances on the dark web. The dataset dates from 2022, but security researchers have warned that it could still be used to gain access to networks where passwords or configurations have not been changed since.

Separately, Fortinet has also disclosed a zero day vulnerability affecting appliances with FortiOS and FortiProxy, which allows threat actors to bypass authentication and to gain super-admin privileges.

So what?

Customers with Fortinet appliances should patch immediately and consider threat hunting to determine if they have been compromised as a result of either issue.

[Researcher: Lena Krummeich]


4. Sensitive data of millions of students and teachers impacted during PowerSchool data breach

US school districts affected by a recent data breach of the education technology software PowerSchool have indicated that the threat actors accessed “all” historical student and teacher data stored in their student information systems. PowerSchool did not reveal how many of its school customers are affected; however, its software is used to support more than 50 million students across the United States.

So what?

Organizations should establish retention policies to store and process only the information that is required for their operations, removing the historical data that is no longer required.

[Researcher: Milda Petraityte]


5. Hong Kong arrests 31 in deepfake scam syndicate targeting Taiwan, Singapore, and Malaysia

Hong Kong police arrested 31 members of a syndicate that used deepfake technology to run romance and investment scams, defrauding victims in Taiwan, Singapore, and Malaysia of over HKD 34 million (USD 4.37 million). The syndicate operated from two premises in Hong Kong, recruiting young people, including students, to carry out the scams.

So what?

Users should take steps to verify contacts through real-life or direct interactions to avoid altered media, and manage their digital exposure to prevent misuse of their identities.

[Researcher: Nor Liana Kamaruzzaman]


6. Hackers use built-in AWS tools to encrypt cloud data and hold victims to ransom

A new ransomware group has been using stolen AWS credentials to gain access to S3 buckets and encrypt data. The technique abuses AWS’ legitimate Server-Side Encryption with Customer-Provided Keys (SSE-C) feature: the attackers generate their own AES-256 encryption keys locally and supply them with each request. AWS does not store copies of customer-provided keys, so victims cannot recover the files without paying the ransom.

So what?

Organizations should regularly review permissions for AWS keys and consider disabling SSE-C from being applied to S3 buckets if not required.

[Researcher: Blanche MacArthur]
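One way to act on the guidance above is a bucket policy that refuses any upload carrying an SSE-C header. The example below is added here and is not code from the briefing or from AWS; the bucket name is a constructed placeholder, and the request-evaluation function is a deliberately simplified local check, not the IAM policy engine.

```python
"""Refuse SSE-C uploads on an S3 bucket, with a local sanity check of the policy.
Added example (not from the briefing or AWS); the bucket name is a constructed
placeholder. SSE-C requests must send the header below, which S3 exposes to
policies as the condition key s3:x-amz-server-side-encryption-customer-algorithm.
"""
import json

BUCKET = "example-bucket"  # constructed placeholder, not a real bucket
SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy: Deny s3:PutObject whenever the SSE-C header is present.
    Null=false means 'the condition key exists in the request'; an explicit
    Deny overrides any Allow, so a stolen credential that holds s3:PutObject
    still cannot encrypt objects with a key AWS never sees. Apply only where
    SSE-C is not a sanctioned workflow; existing objects are unaffected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_KEY: "false"}},
        }],
    }


def put_object_denied(policy: dict, headers: dict) -> bool:
    """Simplified local evaluation (not IAM's engine): does a Deny statement on
    s3:PutObject match these request headers? Only the Null operator on the
    SSE-C key is modelled, which is all the policy above uses."""
    present = SSE_C_HEADER in {h.lower() for h in headers}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        if null_cond.get(SSE_C_KEY) == "false" and present:
            return True
    return False


if __name__ == "__main__":
    policy = deny_sse_c_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    sse_c = {"x-amz-server-side-encryption-customer-algorithm": "AES256"}
    print("SSE-C upload denied:", put_object_denied(policy, sse_c))  # True
    kms = {"x-amz-server-side-encryption": "aws:kms"}  # key material stays with AWS
    print("SSE-KMS upload denied:", put_object_denied(policy, kms))  # False
```

Before deploying, confirm with CloudTrail S3 data events that no legitimate workload relies on SSE-C for the bucket, since the Deny applies to every principal, including the account root.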
