AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 11/05/2024

Chinese APTs Cash In on Years of Edge Device Attacks 

Chinese threat actors are operating at a higher level today than ever before, thanks to years of trial-and-error-style attacks against mass numbers of edge devices. Networking devices are a known favorite of China’s advanced persistent threats (APTs), and why wouldn’t they be? Sitting on the outer banks of an enterprise network, they not only allow threat actors a way in, they also double as useful nodes for botnets. They offer opportunities for lateral movement, they often store sensitive data, and network defenders have a harder time seeing into and securing them than they do other kinds of network computers.

 

HIPAA Not ‘Strong Enough’ for Health Care’s Cybersecurity Needs 

Health-care organizations need to up their defenses as cyber attacks increasingly hit the sector. Focusing on identity and access management, patching key vulnerabilities, providing training on phishing and adopting strong backup practices can all go a long way. Ransomware attacks on the sector rose 128 percent year-over-year in 2023, and the April attack on Change Healthcare compromised health-care information on an estimated 100 million people. The sector relies on connected systems, and providers cannot tolerate long disruptions. Those are both factors that make health care vulnerable to cyber attacks, said Keith Busby, acting CISO for the Centers for Medicare and Medicaid Services, during a recent FedInsider webinar. 

 

Thousands of hacked TP-Link routers used in years-long account takeover attacks 

Hackers working on behalf of the Chinese government are using a botnet of thousands of routers, cameras, and other Internet-connected devices to perform highly evasive password spray attacks against users of Microsoft’s Azure cloud service, the company warned Thursday. The malicious network, made up almost entirely of TP-Link routers, was first documented in October 2023 by a researcher who named it Botnet-7777. The geographically dispersed collection of more than 16,000 compromised devices at its peak got its name because it exposes its malicious malware on port 7777. 
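The password spray pattern in the story above is hard to catch with per-account lockout counters precisely because each account sees only one or two failures and each source IP sends only a handful of attempts. The script below is an added example, not code from the article or from Microsoft: it runs a defender-side heuristic over a constructed batch of sign-in records (the tuple layout is an assumption, not a real Entra ID log schema) and raises an alert when failures are spread thinly across many accounts and many IPs, while setting aside accounts with repeated failures, which look like ordinary mistyped passwords or a classic brute force rather than a spray.

```python
"""Flag a distributed, low-and-slow password spray in a batch of sign-in events.

Added example; the events and field layout are constructed for illustration.
The input is assumed to be the result of a time-bounded query (for instance
the last ten minutes of sign-in telemetry), so no windowing is done here.
"""
from collections import Counter

# Constructed sample batch: (username, source_ip, success)
# Nine failures against eight accounts from nine different IPs, then one
# legitimate user (ivan) mistyping a password three times from one address.
SAMPLE_EVENTS = [
    ("alice@example.com", "203.0.113.10", False),
    ("bob@example.com", "203.0.113.11", False),
    ("carol@example.com", "203.0.113.12", False),
    ("dave@example.com", "198.51.100.7", False),
    ("erin@example.com", "198.51.100.8", False),
    ("frank@example.com", "192.0.2.33", False),
    ("grace@example.com", "192.0.2.34", False),
    ("heidi@example.com", "203.0.113.13", False),
    ("alice@example.com", "203.0.113.14", False),
    ("ivan@example.com", "10.0.0.5", False),
    ("ivan@example.com", "10.0.0.5", False),
    ("ivan@example.com", "10.0.0.5", False),
    ("ivan@example.com", "10.0.0.5", True),
]


def analyze_failed_signins(events, min_accounts=5, min_ips=3, max_per_account=2):
    """Summarise failed sign-ins and decide whether they look like a spray.

    A spray touches many accounts a few times each; it does not hammer one
    account. Accounts with more than `max_per_account` failures are therefore
    reported separately instead of vetoing the alert, so one user fat-fingering
    a password cannot mask a spray running at the same time.
    """
    failures = [(user, ip) for user, ip, ok in events if not ok]
    per_account = Counter(user for user, _ in failures)
    sprayed = {user for user, n in per_account.items() if n <= max_per_account}
    noisy = sorted(user for user in per_account if user not in sprayed)
    # Count only the IPs used against the thinly-hit accounts.
    spray_ips = Counter(ip for user, ip in failures if user in sprayed)
    alert = len(sprayed) >= min_accounts and len(spray_ips) >= min_ips
    return {
        "sprayed_accounts": len(sprayed),
        "source_ips": len(spray_ips),
        # A spray built on a residential/IoT botnet keeps this number tiny.
        "max_failures_per_ip": max(spray_ips.values(), default=0),
        "excluded_accounts": noisy,
        "alert": alert,
    }


if __name__ == "__main__":
    summary = analyze_failed_signins(SAMPLE_EVENTS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The thresholds are deliberately simple knobs: tune `min_accounts` and `min_ips` to the tenant's size, and feed the function batches from a fixed window so that a slow spray stretched over hours still accumulates enough distinct accounts to trip it.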

 

Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned 

Cybersecurity researchers have flagged a “massive” campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code. The activity, codenamed EMERALDWHALE, is estimated to have collected over 10,000 private repositories and stored them in an Amazon S3 storage bucket belonging to a prior victim. The bucket, consisting of no less than 15,000 stolen credentials, has since been taken down by Amazon. “The stolen credentials belong to Cloud Service Providers (CSPs), Email providers, and other services,” Sysdig said in a report. “Phishing and spam seem to be the primary goal of stealing the credentials.”
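A `.git/config` file is dangerous to expose because remote URLs and credential-helper settings in it can carry plaintext secrets. The script below is an added example, not code from the Sysdig report or from the campaign's tooling: it walks a directory tree you control (for instance the document roots of your own web servers), parses every `.git/config` it finds with a small hand-written parser, and reports HTTP(S) remotes whose URL embeds userinfo plus any `credential.helper = store` setting. The demo tree, repository names and token values are constructed.

```python
"""Audit a directory tree for .git/config files that embed credentials.

Added example; the demo repositories and every value in them are constructed.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

# Git's config syntax is INI-like: [section "subsection"] headers, then
# key = value lines; comments start with '#' or ';'.
SECTION_RE = re.compile(r'^\s*\[([^\]"]+)(?:\s+"([^"]*)")?\]\s*$')
KEYVAL_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_git_config(text):
    """Return a list of (section, subsection, key, value) tuples."""
    entries = []
    section = subsection = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section, subsection = m.group(1).strip().lower(), m.group(2)
            continue
        m = KEYVAL_RE.match(line)
        if m and section is not None:
            entries.append((section, subsection, m.group(1).lower(), m.group(2)))
    return entries


def audit_git_config(text):
    """Return a list of finding strings for one .git/config body."""
    findings = []
    for section, sub, key, value in parse_git_config(text):
        if section == "remote" and key == "url":
            parts = urlsplit(value)
            # Over HTTP(S), any userinfo is a credential: either user:password
            # or a personal access token used as the username. SSH URLs like
            # git@host:org/repo.git carry only the fixed "git" user and are skipped.
            if parts.scheme in ("http", "https") and "@" in parts.netloc:
                kind = "password" if parts.password else "username/token"
                findings.append(f'remote "{sub}" embeds {kind} in URL')
        if section == "credential" and key == "helper" and value.strip() == "store":
            findings.append("credential.helper=store keeps plaintext secrets in ~/.git-credentials")
    return findings


def scan_tree(root):
    """Audit every .git/config under root; map relative path -> findings (non-empty only)."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = audit_git_config(fh.read())
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


# Constructed configs: one clean repo and one that leaks in three ways.
CLEAN_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = git@github.com:example-org/clean-app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

LEAKY_CONFIG = """[core]
\trepositoryformatversion = 0
# constructed: a deploy token pasted into the remote URL
[remote "origin"]
\turl = https://deploy:example-token-NOT-REAL@git.example.com/example-org/leaky-app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = https://ghp_EXAMPLEONLY@github.com/example-org/leaky-app.git
[credential]
\thelper = store
"""


def build_demo_tree():
    """Create a temporary tree with the two constructed repos; return its root."""
    root = tempfile.mkdtemp(prefix="gitcfg-audit-")
    for name, body in (("clean-app", CLEAN_CONFIG), ("leaky-app", LEAKY_CONFIG)):
        gitdir = os.path.join(root, "var", "www", name, ".git")
        os.makedirs(gitdir)
        with open(os.path.join(gitdir, "config"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, findings in scan_tree(build_demo_tree()).items():
        print(path)
        for f in findings:
            print("  -", f)
```

Run it against real document roots by replacing `build_demo_tree()` with the path to scan. Finding a `.git` directory under a served root at all is already a problem: pair this audit with a web-tier rule that denies requests for `/.git/` so the config file cannot be fetched even if a deployment accidentally ships it.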

 

Canada lists India as cyber threat for the first time 

Canada’s Communications Security Establishment (CES) has listed India as a cyber threat to the nation for the first time in its National Cyber Threat Assessment (NCTA) on Wednesday. The CES, which releases the NCTA biennially, has said that India has joined states such as China, Russia, Iran, and the Democratic People’s Republic of Korea as state cyber threats. The report alleged that while the other state cyber threats remain the more significant threat, India is building a cyber program that can present varying levels of threat to Canada. CES also claimed that states like India were focusing their efforts on tracking and surveilling activists and dissidents living in Canada. The group also claimed that state adversaries of Canada are getting bolder and more aggressive.

 

6 IT contractors arrested for defrauding Uncle Sam out of millions 

The US Department of Justice has charged six people with two separate schemes to defraud Uncle Sam out of millions of dollars connected to IT product and services contracts. The two cases, involving three individuals each, were the first time the DoJ issued charges connected to an ongoing investigation involving IT manufacturers, distributors and resellers and their deals with the federal government. The Department of Defense is among the agencies ripped off by the two groups of fraudsters, the DoJ noted, as were unspecified parts of the intelligence community.  

 

210,000 Impacted by Saint Xavier University Data Breach 

Saint Xavier University last week started notifying over 210,000 individuals that their personal information was compromised in a data breach in July 2023. The incident was discovered on July 21, 2023, but the investigation into the matter revealed that the unauthorized access to the university’s systems occurred weeks before. Between June 29 and July 18, SXU says, the attackers downloaded certain files from its systems, including files containing personal information. According to the university, the review of the compromised data was thorough and time-consuming and was followed by significant efforts “to enrich necessary address information and reconcile the records to further the notification assessment and process”. 

 

X is allowing people you’ve blocked to see your posts 

This weekend, X, the platform formerly known as Twitter, announced it’s “starting to launch” a controversial change to how blocking works on its platform. Company owner Elon Musk first revealed the change in September, which will allow people you’ve blocked to continue to see your posts, and, as noted by TechCrunch, your following and followers lists. Musk claimed that stopping people from seeing your public posts “makes no sense,” but due to a post-Musk change that stops logged-out users from scrolling even a public profile, this could make it easier for blocked users to continue harassing someone. 

 
