Cyber Intelligence Briefing: 8 July 2022

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

1. SHANGHAI POLICE BREACH

A threat actor has claimed to have breached a database of the Shanghai police, exfiltrating sensitive data of around one billion Chinese residents. The stolen data allegedly includes names, addresses, birthplaces, national IDs, phone numbers, and criminal case information. If true, this is the largest data breach in China’s history.

The breach allegedly occurred because a government developer wrote a technology blog that included credentials for the system where the database was stored. The data is currently being offered on the dark web for 10 bitcoin.

SO WHAT?

Data breaches can pose a significant ongoing threat to affected data subjects because various threat actors can use the leaked data to commit fraud or launch tailored social engineering attacks against them.

2. MARRIOTT HACKED AGAIN

Hotel giant Marriott has confirmed a data breach involving the exfiltration of 20GB of data, including credit card details and internal company documents. Marriott intends to notify between 300 and 400 people, including both customers and employees, that their data was impacted. The incident occurred after an unknown threat actor social engineered a Marriott employee into granting the actor access to their computer.

The incident follows two notable Marriott data breaches. In November 2018, the organisation revealed a data breach involving around 339 million guest records, and which resulted in the UK ICO imposing an GBP 18.4 million fine. In March 2020, Marriott revealed a separate breach that involved the data of around 5.2 million guests.

SO WHAT?

Threat actors continue to leverage social engineering techniques in their attacks. Organisations should ensure they implement a phishing awareness programme for their employees, including conducting regular phishing simulation campaigns.

3. VULNERABLE UK PUBLIC ORGANISATIONS

A recent investigation by ITV News revealed a significant disparity in the cyber security budgets of UK public services. While one council allocated over GBP one million per year, another council, with a larger population, allocated only GBP 32,000. The investigation follows a report in October 2021 that UK councils suffered 33,645 data breaches caused by human error in a recent five year period.

Separately, the British Army suffered a cyber incident, with its Twitter and YouTube accounts hijacked to promote cryptocurrency and NFT scams.

SO WHAT?

S-RM has found similar cyber budget disparities in commercial organisations from its own research. While the overall cyber budget is an important metric when preparing a cyber strategy, how individual budgets are allocated across different cyber investment areas is equally important.

4. HIGH-PRIORITY PATCHES

Google released a patch for a high severity vulnerability (CVE-2022-2294) in its Chrome browser that has been actively exploited in the wild. The vulnerability allows threat actors to execute code and bypass certain security controls. This is the fourth Chrome vulnerability to be patched in 2022.

CISA ordered US organisations to implement Microsoft’s patch for a Windows Local Security Authority vulnerability (CVE-2022-26925) that allows threat actors to access a Microsoft Active Directory domain controller without authentication, which in turn may allow attackers to take control of the entire Active Directory domain. The vulnerability has also been actively exploited in the wild.

SO WHAT?

A proper patch management policy is critical to ensuring the security of an organisation’s IT estate. Apply these patches as soon as possible.

5. NETWORK ACCESS

Access to 50 US networks has been made available for sale on the cybercriminal forum XSS. Researchers suggest that the seller, whose claims are assessed to be reliable, gained access to these organisations by exploiting internet-facing systems vulnerable to the widely-discussed Atlassian Confluence vulnerability (CVE-2022-26134). In addition to this access, the seller is also offering a list of ten thousand vulnerable devices that have not yet been exploited.

SO WHAT?

Conduct regular external scans of your infrastructure to identify public-facing services and limit these where possible. Organisations should also determine if they are exposed to this vulnerability and if so, apply the patch and conduct an investigation to identify indicators of compromise.

6. SQUISH!

Monash University has created a bug bounty programme to support the cyber security of its digital platforms. The university is offering USD 2,500 for individuals who report valid vulnerabilities within certain systems, including their website domain, mobile applications, and file shares.

The US Department of Defense also launched a short bug bounty programme for vulnerabilities in its internet-facing systems. The Department has allocated up to USD 110,000 for the programme, with individual rewards ranging from USD 500 to USD 5000.

SO WHAT?

It is estimated that the combined value of bug bounty programmes is set to increase to USD 5.4 billion by 2027. These programmes are useful to identify vulnerabilities in an organisation’s infrastructure but they also provide an incentive to threat actors to report vulnerabilities, instead of exploiting them and causing significant damage.

6. DEEPFAKE PHISHING

The FBI's Internet Crime Complaint Center (IC3) has reported an increase in a novel phishing approach employed by threat actors: using AI and machine-learning technologies to generate “deepfake” content to apply for fully-remote roles at the technology firms. If they are accepted to the role, the threat actor gains access to the target organisation’s corporate network.

SO WHAT?

Organisations advertising vacancies for fully-remote positions should be aware of visual indicators such as distortions and inconsistencies in images and video to detect if deepfake technology is being employed against them.