Cyber Round-up for 27th January

January 26, 2023

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Russia and Iran Launch Targeted Spear-Phishing Campaigns

Two groups of threat actors, SEABORGIUM (Russia-based) and TA453 (Iran-based), have launched spear-phishing campaigns that are impacting organisations in the UK. Reports suggest these attacks are being carried out for “information-gathering purposes”, and most commonly target organisations in the academia, defence, and government sectors; other reports have shown that individuals such as politicians and journalists have also been hit. In response to these attacks, the NCSC has published a security advisory detailing the “techniques and tactics” employed by the threat actors, as well as recommendations for mitigating the risk of an attack.

For more details on these campaigns, we advise reading this official advisory from the NCSC.

By NCSC.gov.uk

Cyberattacks Plague the UK Fast-Food Industry

The UK has suffered heavily in the early weeks of 2023; while Royal Mail continue their recovery from the recent cyber incident, Yum Brands has fallen victim to ransomware. Yum Brands is most commonly known as the owner of KFC and Pizza Hut, two of the largest fast-food chains in the UK. News of this attack was publicised earlier this week, and the company is “actively engaged in fully restoring affected systems”; it is believed that no customer data was compromised in this attack.

Yum! Brands’ official statement on the recent attack can be found here.

By DigitalJournal.com

Vulnerability Disclosure Policy Report – IoT Security Foundation

The IoT Security Foundation’s latest report covers the vulnerability disclosure policies of IoT product sellers. This is the fifth report from the IoT Security Foundation, and while it shows good improvements since 2018, vulnerability disclosure practices are still lacking for a large number of businesses. In 2022, just 27.1% of businesses had a disclosure policy. Understandably, this is a constantly evolving practice, and there has been a steady 4-5% increase per year since these reports began; however, this is still “far below the near-100% the researchers would like to see.”

The full IoTSF report can be downloaded and viewed here.

By iotsecurityfoundation.org

Encryption Design Flaw in Bitwarden Sparks Criticism

Popular password vault vendor Bitwarden has been heavily criticised recently over news of the flawed encryption scheme that is in place to protect users’ encryption keys. A recent report from Wladimir Palant suggests that their seemingly impressive 100,001 server-side PBKDF2 hash iterations were “ineffective”, and, on top of this, older accounts were stuck with the original 5,000. The public backlash from this news has only gotten worse since the recent LastPass breach, with customers hoping that Bitwarden would learn from the failures of their competitors.

Bitwarden’s response to the recent backlash was also questioned by users, with users stating that:

“They [Bitwarden] give no indication on the timeline for this change and are vague about whether existing accounts will automatically be upgraded to the new, higher default.”

Reports suggest that “Bitwarden is treating this criticism as a feature request”; while this is not the ideal response that the community were expecting, it hopefully means that changes are on the way.

By Portswigger.com

Arnold Clark Blackmailed by Cyber Attackers

Arnold Clark have been hit by a cyber-attack. Information such as addresses, passports and national insurance numbers has been leaked over the festive period. The Mail has reported that the international hacking ring Play is now threatening Arnold Clark with a huge dump of customer data onto the Dark Web after leaking some of the details taken from the attack. Newspapers have reported that 15 gigabytes of data have been posted. The hackers intend to upload 467 gigabytes more unless a multi-million-pound ransom is paid in cryptocurrency.

By am-online.com

More Than 4,500 Infected WordPress Sites Redirect to Ad Pages

Over 4,500 WordPress sites have been hacked to redirect customers to sketchy ad pages. This is part of a long-running operation that has been going on since 2017. According to GoDaddy, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named “track[.]violetlovelines[.]com”. The latest operation is said to have been going on since December 26, 2022. This has impacted more than 3,600 sites, while another set of attacks recorded in September 2022 affected more than 7,000 sites.

By TheHackerNews.com

Legitimate Remote Desktop Tools Used to Compromise CISA

Federal agencies have been hacked using legitimate and reliable remote desktop tools. CISA, the NSA, and MS-ISAC have been warned today that attackers are increasingly using legitimate remote monitoring and management software for malicious purposes. More concerning is that CISA discovered malicious activity within the networks of multiple federal civilian executive branch agencies using the EINSTEIN intrusion detection system after the release of a Silent Push report in October 2022. The attackers have been sending phishing emails to the federal staff’s government and personal email addresses since at least mid-June 2022.

By BleepingComputer.com

League of Legends Source Code Stolen in Riot Games Ransomware Attack

Riot Games recently disclosed news of a cyber incident that saw source code for two of their biggest games stolen: League of Legends and Teamfight Tactics. Source code also appears to have been stolen from their anti-cheat platform, which has sparked concerns that new cheats may emerge for their games. Riot's Twitter thread very clearly states that:

"there is no indication that player data or personal information was obtained".

Their latest tweet also states that a ransom note was received, but Riot's response made it clear that they will not be paying it.

More details on the impact of this attack can be found in Riot Games' 7-part Twitter thread.

And that’s it for this week’s round-up. Please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #220 – 27th January 2023

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Ironshare is a provider of Information and Cyber Security services.