British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers


British sports fashion retail firm JD Sports on Monday revealed that it has discovered a data breach impacting roughly 10 million of its customers. 

According to the company, the cyber incident affects information provided by customers who placed online orders between November 2018 and October 2020. The JD, Size, Millets, Blacks, Scotts and MilletSport brands are impacted.

Based on the company’s brief description of the incident, it’s possible that hackers stole names, billing addresses, delivery addresses, phone numbers, email addresses, order details, and last four digits of the customers’ payment cards. 

There is no indication that full payment card data or account passwords were compromised. 

The company has called in external cybersecurity experts to investigate the incident and authorities in the UK have been notified. The investigation is ongoing. 

In its statement, JD Sports warned customers that they may be targeted in scams and phishing attacks.

Related: Fashion Retailer Guess Notifies Users of Data Breach

Related: German Privacy Watchdog Investigates Clothing Retailer H&M

Related: Clothing Retailer Fallas Hit by Payment Card Breach

The post British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers appeared first on SecurityWeek.

Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data


Vulnerabilities in the OpenEMR healthcare software could allow remote attackers to steal sensitive patient data or execute arbitrary commands and take over systems.

OpenEMR is an open source software used for the management of health records. It also allows patients to schedule appointments, get in touch with physicians, and pay invoices.

Security researchers at Sonar Source identified and reported three vulnerabilities in OpenEMR, including two that can be chained to achieve remote code execution (RCE).

“A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure,” Sonar warns.

The first of the identified issues is described as an unauthenticated arbitrary file read and exists because the OpenEMR installer does not delete itself after the installation is completed.

Because the installation process is divided into several steps, an unauthenticated attacker could abuse a user-controlled parameter to perform some of these steps (but not a complete setup).

The attacker can invoke a function to read the current theme from the database, which results in a database connection being established using attacker-controlled properties.

A MySQL statement can be used to load the contents of a file to the database table, and a modifier can be supplied so that the file is read from the client instead of the server.

“A malicious server can request the content of another file, even in response to a totally different query from the client,” Sonar notes.

This allows an unauthenticated attacker to use a rogue MySQL server to read OpenEMR files such as backups, certificates, passwords, and tokens.

Sonar also discovered that an attacker could abuse a cross-site scripting (XSS) flaw to execute JavaScript code in the victim’s browser. The attacker can upload a PHP file and exploit a local file inclusion (LFI) to achieve RCE.

The XSS exists because, when requesting a PHP file, the browser first renders the HTML code, and only then the JavaScript context, which allows the attacker to use HTML entities within an event handler.

The LFI, Sonar explains, exists because a user-controlled variable is concatenated to a path and not sanitized, which allows an attacker to upload a PHP file and use a path traversal via the LFI to execute the file.

Sonar reported the security defects in October 2022. One month later, the vendor patched all bugs by adding sessions and CSRF checks and restricting the installation process, by encoding the character ‘&’ for an HTML entity to prevent the XSS, and by sanitizing the user-controlled parameter to prevent the LFI.

OpenEMR version 7.0.0 resolves all vulnerabilities. Users are advised to update their installations as soon as possible.

Related: CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services

Related: Most Cacti Installations Unpatched Against Exploited Vulnerability

Related: Exploitation of Control Web Panel Vulnerability Starts After PoC Publication

The post Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data appeared first on SecurityWeek.

Russia-Linked APT29 Uses New Malware in Embassy Attacks


Russia-linked cyberespionage group APT29 has been observed staging new malware for attacks likely targeting embassy-related individuals, Recorded Future reports.

Also referred to as Cozy Bear, the Dukes, Nobelium, and Yttrium, APT29 is a Russian advanced persistent threat (APT) group believed to be sponsored by the Russian Foreign Intelligence Service (SVR). It’s also believed to have orchestrated multiple high-profile attacks, including the 2020 SolarWinds attack.

In October 2022, Recorded Future identified new infrastructure and malware that the cyberespionage group likely set up for attacks targeting embassy staff or an ambassador.

A compromised site containing the text “Ambassador’s schedule November 2022” was used as a lure to infect visitors with new malware called GraphicalNeutrino.

The threat, which uses the US-based business automation service Notion for command and control (C&C), is a loader that packs numerous anti-analysis capabilities, including sandbox evasion, API unhooking, and string encryption.

According to Recorded Future, which tracks the activity as BlueBravo (PDF), the staging and deployment of the malware is similar to previously observed tactics, techniques, and procedures (TTPs) attributed to APT29.

The lure webpage contained within HTML code an obfuscated ZIP file set to be automatically downloaded on the visitors’ system, showing overlaps with previous observed deployment of the EnvyScout dropper.

The ZIP file contains two DLLs and a benign executable masquerading as a PDF, which was designed to load the libraries using DLL search order hijacking. One of the DLLs contains the GraphicalNeutrino malware, implemented in a thread spawned when the library is initialized.

When launched, GraphicalNeutrino attempts to remove API hooks from specific modules, checks whether persistence is required (which it achieves by creating a new registry key), and then establishes communication with the C&C.

The malware creates a unique identifier for the victim, based on username and computer name, adds the ItIEQ prefix to it, and then uses a Notion API database query filter to determine whether the victim has previously connected to the C&C.

A second, nearly identical GraphicalNeutrino sample that Recorded Future identified and which was compiled only two days after the first, contained only small changes, such as a different Notion database ID, a new identifier prefix, a new key for string decryption, a renamed DLL export function, and modified wait time for C&C communication.

“While we are unable to assess the intended targets of this operation based on the data available, it is likely that ambassadorial or embassy-themed lures are particularly effective during periods of heightened geopolitical tensions, such as is the case with the ongoing war in Ukraine. During such periods, Russian APT groups are highly likely to make extensive use of diplomatically themed lures,” Recorded Future notes.

Related: Analysis of Russian Cyberspy Attacks Leads to Discovery of Windows Vulnerability

Related: Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers

Related: Microsoft Details New Post-Compromise Malware Used by Russian Cyberspies

The post Russia-Linked APT29 Uses New Malware in Embassy Attacks appeared first on SecurityWeek.

Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability


A researcher has disclosed the details of a two-factor authentication (2FA) vulnerability that earned him a $27,000 bug bounty from Facebook parent company Meta. 

Gtm Manoz of Nepal discovered in September 2022 that a system designed by Meta for confirming a phone number and email address did not have any rate-limiting protection.

A fix was rolled out by Meta in October 2022 and the company highlighted Manoz’s findings in its annual bug bounty program report. The tech giant has paid out more than $16 million through its program since 2011, with $2 million awarded in 2022.

In a blog post published earlier this month, Manoz said he discovered the vulnerability while analyzing a new Meta Accounts Center page in Instagram. Here, users can add an email address and phone number to their Instagram account and the Facebook account linked to their Instagram. In order to verify the email address and phone number, users have to enter a six-digit code received via email or SMS. 

The researcher’s analysis revealed that the system verifying the six-digit code did not have rate-limiting in place, which could have allowed an attacker to enter every possible code until they got the right one.

Specifically, a hacker would have needed to know the phone number assigned by the targeted user to their Instagram and Facebook account. By exploiting the vulnerability, the attacker could have obtained the six-digit verification code through a brute-force attack and assigned the victim’s phone number to an account they controlled.

This resulted in the phone number being removed from the victim’s Facebook and Instagram account and 2FA getting disabled due to security reasons — if a phone number is verified by another user, that user would be getting the SMS containing the 2FA code, and Meta is trying to prevent that. 

Manoz showed that Facebook users did receive a notification when their phone number was removed due to being verified by a different person. 

Based on the maximum potential impact of the vulnerability, Meta decided to pay out $27,200 for the researcher’s findings.

Related: Facebook Patches Vulnerability Exposing Page Admin Identity

Related: Twitter Finds No Evidence of Vulnerability Exploitation in Recent Data Leaks

Related: Facebook Pays Out $40,000 for Account Takeover Exploit Chain

The post Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability appeared first on SecurityWeek.

The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment


On Friday, January 20, 2023, Google announced it would lay off 12,000 employees. Amazon and Microsoft have laid off a combined 28,000 people; Twitter has reportedly lost 5,200 people; Meta (Facebook, etcetera) is laying off 11,000… This is just the tech giants, and almost all the staff looking for new positions are, by definition, tech-savvy – and some will be cybersecurity professionals.

Layoffs are not limited to the tech giants. Smaller cybersecurity vendor firms are also affected. OneTrust has laid off 950 staff (25% of employees); Sophos has laid off 450 (10%); Lacework (300, 20%); Cybereason (200, 17%); OwnBackup (170, 17%); OneTrust (950, 25%) and the list goes on.

SecurityWeek examined how this layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment in cybersecurity.

The skills gap

The skills gap is a mismatch between the skills available in the workforce, and the skills required by employers. Required skills are continuously evolving with new technology and business transformation. People can learn how to use computers, and many staff currently being laid off will already have done so. But it is far easier to learn how to use computers than it is to learn how computers work. It is in the latter area that the skills gap becomes a talent gap for cybersecurity.

So, the first observation is that current large-scale layoffs may slightly reduce the skills gap at the computer usage level but will likely have little effect on the cybersecurity-specific talent gap where employment requires a knowledge of how computers work. The talent gap is simply too large, and layoffs in these areas are likely to be readily absorbed by new security startups and expanding companies. Many of the companies involved in cybersecurity reductions will almost certainly need to rehire next year or soon after.

Mark Sasson, managing partner and executive recruiter with the Pinpoint Search Group, agrees with this. “Maybe it’s going to be a little easier for organizations to recruit, because you’re getting an influx of experience into the market. However, I don’t think that’s a fix for the talent gap – it’s not going to have a mid to long term discernible impact. There are too few people that have the skills that organizations need today. And so, people are going to get scooped up and we’re still going to have the same situation with the talent gap.”

Cyber threats are still increasing and the demand for cyber defenders is still growing. Criminals are recruiting, not contracting. 

Reducing the talent gap in cybersecurity will more likely depend on changing attitudes with employers than adding numbers from those that have been laid off. You could almost say that the cybersecurity talent gap is a self-inflicted wound: employers want experience plus certifications plus new university degrees – which rarely exists in the real world.

Michael Piacente, managing partner and co-founder at Hitch Partners recruitment firm, takes a similar view. “The internal definition on scope and goals often varies greatly resulting in shifts, time delays, and often rendering the position ‘unfillable’,” he told SecurityWeek. “Perhaps it is time to stop focusing so much on resumes and job descriptions. We see these tools as outdated and too often used as a crutch resulting in bad habits, and inconsistent behavior – and they are horribly unfair for under-experienced or diversity candidates.”

He takes this to the extreme and has never supplied resumes with his candidates. “Instead, we build a storyboard about the candidate created as a result of multiple meetings, interactions, and back channels in order to focus on the candidate’s journey, the human character elements as well as their matching and gaps for the particular role.” In short, the talent gap will more likely be reduced by redefining the gap than by seeking to match unrealistic demands to the existing work pool.

Dave Gerry, CEO of Bugcrowd, has a specific recommendation based on diversity candidates. He believes organizations need to be more open to the diversity pool – including neurodiversity (see Harnessing Neurodiversity Within Cybersecurity Teams). “Organizations,” he said, “need to continue to expand their recruiting pool, account for the bias that can currently exist in cyber-recruiting, and provide in-depth training via apprenticeships, internships and on-the-job training, to help create the next generation of cyber-talent.”

However, even if the influx of laid-off experience will have little overall or lasting effect on the macrocosm of the skills gap, it will almost certainly have an immediate effect on recruitment in the microcosm of the cybersecurity talent gap.

Recruitment in cybersecurity

Cybersecurity is not immune to the current round of staff trimming – and it includes security leaders as well as security engineers. Ultimately, it’s a cost cutting exercise; and organizations can save as much money by cutting one leader’s position as they can by cutting two engineers. “Organizations are asking themselves if they can survive letting one person go but still get the job done with the remaining team,” explains Sasson. “If the answer is yes or even maybe, they’re tending to let go of the more highly paid and highly skilled people because they think maybe they can do more with less.”

That’s a top-down approach to staff reductions, but the same argument is used in a bottom-up approach. Joseph Thomssen is senior cybersecurity recruiter at NinjaJobs (a community-run job platform developed by information security professionals). “A company that is not security focused may feel like they can rely on their senior employees to pick up lower-level responsibilities,” he said, “and this can be detrimental to a security team.”

The overall result is that we now have laid off cybersecurity engineers looking for new employment, and we have employed cybersecurity leaders looking for alternative and safer positions. “Many of these layoffs in cybersecurity seem to be short-term attempts to save money,” adds Thomssen – but he fears it may backfire on companies reducing their security workforce. Expecting fewer staff to take on more responsibility will likely have a detrimental effect – it may cause burnout. “I call it the layoff/quit combination,” he said.

Piacente also notes the cuts are not simply targeted at weeding out under performing employees. “There are great candidates impacted due to them being in the wrong place at the wrong time; and we are seeing this industry wide.”

Of course, there are many cybersecurity experts who believe this is a false and dangerous approach, and that cybersecurity is a necessity that should be expanded rather than cut. But that is an argument put forward by every business department in times of economic stress.

One effect of the cybersecurity layoffs and the accompanying increase in the number of experienced people seeking employment is that the recruitment market is moving from a candidate market toward a hirer market – just like home buying fluctuates between a buyer and a seller market depending on supply (properties available) and demand (money to buy). For many years, experienced cybersecurity engineers have been able to pick and choose their employer, and demand somewhat inflated salaries and conditions; but that is no longer the case. 

This is beginning to be apparent in the salaries offered. “They’re leveling off,” says Sasson, “maybe even going down. But this needs to be taken in the context of pretty dramatic increases from just a few quarters ago, during the candidate-driven market.” Sasson thought at the time that these were unsustainable. But now, “Folks that are looking for those massive compensation packages from just a year ago are going to have to adjust their expectations.”

Sam Del Toro, senior cybersecurity recruiter at Optomi, has seen a similar growing misalignment between compensation expectation and realization – especially in the more senior positions. Because of the layoffs, there are now more mid to senior level candidates looking for new opportunities. 

“On the other hand,” he said, “over the past couple of years we have seen cybersecurity compensation rise significantly. Now, as organizations are tightening their budgets and being more fiscally aware, it is making it tough to align candidate and client compensation.”

Thomssen sees another and different effect of the evolving hirer’s market. “I have seen security staff recruitment switch from direct hires to roles based on shorter term project contracts. In the past you would not see security professionals entertain such contracts, but the security staff recruitment landscape has seen a shift that way.”

It’s not clear whether this will develop into a common long term approach to cybersecurity recruitment or will just be a short-term solution to economic uncertainty. Is the gig economy coming to cybersecurity? It’s been growing in many other segments of employment, and perhaps the current economic climate will boost an existing trend just as Covid-19 boosted remote working.

One visible sign might come with an increase in the employment of virtual CISOs (vCISOs). This would retain access to high level expertise while reducing costs. Another might be an increased use of managed security service providers (MSSPs). “We’re seeing more and more security operations outsourced to consultants and contractors, or to vCISOs and Global CISOs, or whatever you’d like to call it,” comments Mika Aalto, co-founder and CEO at Hoxhunt. But he adds, “This can work with smaller companies, but it’s risky. Security should be looked at as a competitive advantage and a growth strategy, not a luxury.”

Piacente’s firm has seen a 20% increase in the new candidate flow. While the primary cause is the economy, the detailed cause is difficult to isolate. Cybersecurity has always experienced rapid churn with staff from all levels regularly moving to a new company for promotion or improved remuneration. This churn continues, but is complicated by employed people just looking around – not because they are being laid off, but just in case they will be laid off.

At the same time, some people who might normally be on the lookout for better opportunities are choosing to keep what they have until more stable conditions return. “One other observation in these cycles,” adds Piacente, “is that candidates who fall into the diversity category tend to be more resistant to making a change. Since there are already significantly less candidates in this category it makes it more difficult for companies to achieve their goals of creating a more diverse organization or program. This is when companies really need to place care, attention, and a dose of reality into their change initiatives.”

Bugcrowd is a firm that has actively sought to recruit from the ‘diversity’ pool. “Employers need to take a more active approach to recruiting from non-traditional backgrounds, which, in turn, significantly expands the candidate pool from just those with formal degrees to individuals, who, with the right training, have incredibly high-potential,” comments Gerry.

It could be expected that with some companies laying off experienced staff and others simply not hiring new staff, breaking into cybersecurity for new, inexperienced or diverse people will become even more difficult. After all, companies reducing staff levels to save money are not likely to spend money on in-house training for new inexperienced staff.

Del Toro doesn’t see it quite like that – it has always been almost impossible. “I do not think that the influx of [experienced] candidates on the market has much of an impact on newcomers finding opportunities because there are simply not enough entry level cybersecurity roles in general,” he said. “Organizations are almost always looking for mid-level candidates and above rather than bringing on competent and excited newbies, because the latter takes much more than fiscal resources.”

Recruitment going forward

It’s difficult to determine the actual number of experienced cybersecurity professionals being laid off among the overall staff reductions, but it is likely to be substantial. Although boards have become more open to the idea that security is a business enabler, there is nevertheless no discernible line between security and profit. There is, however, a direct line between security and cost. It is almost a no-brainer for security to be heavily featured among staff reductions. But this may be bad thinking.

For all layoffs, companies should proceed with caution. When large numbers of staff need to be cut for economic reasons, those same economic reasons may cause it to be done swiftly and perhaps brutally. These suddenly unemployed people will have inside knowledge of the company and its systems; and some will have thoughts of retaliation. At the same time, the company may have reduced the effectiveness of its cybersecurity team to counter a new threat from malicious recent insiders.

“Layoffs are affecting much of the tech industry and cybersecurity isn’t immune,” comments Mike Parkin, senior technical engineer at Vulcan Cyber. “While no department should really be immune when companies have to tighten their belts, the threat from losing skilled personnel in security operations can have a disproportionate effect.”

Overall, we’ve had a candidate market in cybersecurity recruitment but we’re shifting toward an employer market. Del Toro offers this advice for security people laid off and looking for a new position: “I would tell job seekers to be prepared for longer interview processes and longer time before offers are extended. Hiring managers are under more pressure to be diligent so candidates will need to be more cognizant of interview etiquette. Most importantly make sure you are keeping your skills sharp – use your time off to find passion projects and get better at your craft, not only to stay relevant in the security space but to renew your love for what you do!”

Related: Dozens of Cybersecurity Companies Announced Layoffs in Past Year

Related: US Gov Cybersecurity Apprenticeship Sprint: 190 New Programs, 7,000 People Hired

Related: How Will a Recession Affect CISOs?

Related: Four Ways to Close the OT Cybersecurity Talent Gap

The post The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment appeared first on SecurityWeek.

Critical Vulnerability Impacts Over 120 Lexmark Printers


Printer and imaging products manufacturer Lexmark this week published a security advisory to warn users of a critical vulnerability impacting over 120 printer models.

The issue, tracked as CVE-2023-23560 (CVSS score of 9.0), is described as a server-side request forgery (SSRF) flaw in the Web Services feature of newer Lexmark devices, which could be exploited to execute arbitrary code.

“Successful exploitation of this vulnerability can lead to an attacker being able to remotely execute arbitrary code on a device,” Lexmark warns in an advisory (PDF).

The manufacturer lists roughly 125 device models that are impacted by the security defect, including B, C, CS, CX, M, MB, MC, MS, MX, XC, and XM series printers.

The company has announced firmware updates that resolve the vulnerability on all impacted devices and encourages users to find update instructions on its support website.

Additionally, Lexmark says that exploitation of CVE-2023-23560 can be blocked by disabling the Web Services feature on the vulnerable printers (TCP port 65002).

To block TCP port 65002, users would have to go to Settings > Network/Ports > TCP/IP > TCP/IP Port Access, uncheck TCP 65002 ( WSD Print Service ), and then click Save.

Lexmark also warns that, while it is not aware of any malicious attacks targeting the vulnerability, proof-of-concept (PoC) code exploiting it has been made public.

Given that it is not unusual for threat actors to target unpatched printers and other Internet of Things (IoT) devices, users are advised to apply the available patches as soon as possible.

Related: Hundreds of Thousands of Konica Printers Vulnerable to Hacking via ​​Physical Access

Related: Serious Vulnerability Exploited at Hacking Contest Impacts Over 200 HP Printers

Related: Xerox Quietly Patched Device-Bricking Flaw Affecting Some Printers

The post Critical Vulnerability Impacts Over 120 Lexmark Printers appeared first on SecurityWeek.

BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws


The Internet Systems Consortium (ISC) this week announced patches for multiple high-severity denial-of-service (DoS) vulnerabilities in the DNS software suite BIND.

The addressed issues could be exploited remotely to cause named – the BIND daemon that acts both as an authoritative name server and as a recursive resolver – to crash, or could lead to the exhaustion of the available memory.

The first of the security defects, tracked as CVE-2022-3094, can be exploited by sending a flood of dynamic DNS updates, which would cause named to allocate large amounts of memory, resulting in a crash due to a lack of free memory.

According to ISC, because allocated memory is only retained for clients for which access credentials are accepted, the scope of the vulnerability is limited to trusted clients that are allowed to make dynamic zone changes.

For BIND 9.11 and earlier branches, the flaw can be exploited to exhaust internal resources, which results in performance issues, but not a crash.

Tracked as CVE-2022-3736, the second issue leads to a crash “when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query,” ISC explains. A remote attacker can trigger the bug by sending crafted queries to the resolver.

The third vulnerability, CVE-2022-3924, impacts the implementation of the stale-answer-client-timeout option, when the resolver receives too many queries that require recursion. If the number of clients waiting for recursion to complete is high enough, a race may occur between providing a stale answer to the longest waiting client and sending an early timeout SERVFAIL, causing named to crash.

All three vulnerabilities were resolved with the release of BIND versions 9.16.37, 9.18.11, and 9.19.9. ISC says it is not aware of any of these vulnerabilities being exploited, but encourages all users to update their BIND installations as soon as possible.

ISC also warns of CVE-2022-3488, a bug impacting all supported BIND preview edition versions (a special feature preview branch provided to eligible customers).

The issue can be triggered by sending two responses in quick succession from the same nameserver, both ECS pseudo-options, but with the first response broken, causing the resolver to reject the query response. When processing the second response, named crashes.

BIND preview edition version 9.16.37-S1 resolves all four security defects. Additional information on the addressed vulnerabilities can be found in the BIND 9 security vulnerability matrix.

Related: BIND Updates Patch High-Severity Vulnerabilities

Related: High-Severity Vulnerabilities Patched in BIND Server

Related: High-Severity DoS Vulnerability Patched in BIND DNS Software

The post BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws appeared first on SecurityWeek.

Industry Reactions to Hive Ransomware Takedown: Feedback Friday


Authorities in the United States and Europe have announced the results of a major law enforcement operation targeting the Hive ransomware. 

Agencies from around the world worked together to take down Hive’s leak website and servers. In addition, agents hacked into Hive systems in July 2022, allowing them to identify targets and obtain decryption keys that allowed victims to recover encrypted files without paying a ransom.

Authorities continue to investigate Hive in an effort to identify the cybercriminals involved in the operation, including developers, administrators and affiliates. The US announced that it’s offering rewards of up to $10 million for information on these and other hackers. 

Several industry professionals have commented on various aspects of the Hive takedown, many noting that while Hive may have fallen, the threat actors behind the operation will likely continue their malicious activities. 

And the feedback begins…

Kimberly Goody, Senior Manager, Mandiant Intelligence, Google Cloud:

“We’ve seen multiple actors using Hive ransomware since it emerged, but the most prolific actor over the past year, based on our visibility, was UNC2727. Their operations are notable because they have commonly impacted the healthcare sector. Hive also hasn’t been the only ransomware in their toolkit; in the past we’ve seen them employ Conti and MountLocker among others. This shows that some actors already have relationships within the broad ecosystem that could enable them to easily shift to using another brand as part of their operations.”

Crane Hassold, former FBI cyber psychological operations analyst, Head of Research, Abnormal Security:

“Unlike some other cyber threats, like business email compromise (BEC), the ransomware landscape is very centralized, meaning a relatively small number of groups are responsible for a majority of all the attacks. The silver lining to this top-heavy ecosystem is that disruptive actions against one of these primary groups, such as law enforcement takedowns, can have a significant impact on the overall landscape. Since Hive has been one of the biggest players in the ransomware space over the past year, I would expect this takedown to have a noticeable impact on ransomware volume, at least in the short-term.

Because of the increased pressure from global law enforcement and the likely regulatory controls of cryptocurrency, one of the biggest drivers of today’s ransomware landscape, it’s very possible that we’ll start to see ransomware actors pivot to other types of cyber attacks, like BEC. BEC is the most financially-impactful cyber threat today and, instead of using their initial access malware to gain a foothold on a company’s network, they could simply reconfigure the malware to establish access to employee mailboxes, which could lead to more scaled and sophisticated vendor email compromise attacks.”

Satnam Narang, Senior Research Engineer, Tenable:

“The actions undertaken by U.S. agencies to disrupt the Hive ransomware group operation from within is an unprecedented step in the fight against ransomware, which has steadily remained the biggest threat facing most organizations today. While this may signal the end of the Hive ransomware group, its members and affiliates remain a threat. If there’s anything we’ve learned after past disruptive actions against ransomware groups, it’s that other groups will rise to fill the void left behind. Affiliates, which are typically responsible for conducting most of these attacks, can easily pivot to other affiliate programs of groups that remain operational and ransomware group members can also take their knowledge to these groups. One of the key ways ransomware groups gain attention and notoriety is by publishing their successful attacks on data leak sites on the dark web. It wouldn’t surprise me if ransomware groups see the threat posed by maintaining these sites and stop publicly listing these attacks in an attempt to stay under the radar.”

Kurt Baumgartner, Principal Researcher, Kaspersky:

“The frequency of ransomware attacks have been up, while victim payments have reportedly gone down. This is a great trend, and this coordinated effort is what we need to see more of from law enforcement around the world. Some of this effort in letting the activity progress may seem somewhat controversial, but generating decryption keys for victims over time helps to exhaust the group’s resources. 

Yes, in all likelihood, another gang is going to fill the void. It takes time and effort, but the incentives are in the hundreds of millions of dollars.

It’s somewhat surprising that the group housed their server resources in-country in Los Angeles. Apparently they thought everything was secured and hidden by the Tor network. Law enforcement put on display some impressive capabilities in infiltrating, seizing, and disrupting some of the gang’s resources. The actors behind this group have shown a reckless disregard for human life in their efforts to victimize schools and hospitals.”

Austin Berglas, Global Head of Professional Services, BlueVoyant:

“True dismantlement comes only when law enforcement can “put hands on” or arrest the individuals responsible. However, identifying the actual human beings behind the keyboard is a very difficult task.  Many of these cyber criminals are adept at anonymizing their online communications, locations, and infrastructure – often operating in global locations where international law enforcement cooperation is non-existent and utilizing bullet-proof hosting providers, which are unresponsive to legal process. 

There may be a temporary decline in ransomware activity in the wake of the website seizure as groups scramble to harden defenses and tighten their inner circles, but this will not make an overall, noticeable impact on global ransomware attacks. History has shown that ransomware gangs that disband either due to law enforcement actions, internal strife, or geo-political reasons will sometimes regroup under a different name. Conti, one of the most active ransomware gangs in recent history, shuttered operations soon after one of their members leaked internal Conti communications. Former members of the group are suspected of spinning off into newer groups such as BlackBasta and BlackByte.”

Jan Lovmand, CTO, BullWall:

“What is a significant win for law enforcement, could in reality be a road bump for the Hive Ransomware group. Whenever law enforcement starts paying too significant attention and effort to a particular group, they often scatter or reorganize under a different name. We have seen these seizes before only for the gang to surface with new extortion sites and ransomware names, or sometimes as several smaller groups. In the past they have seen these interruptions as temporary setbacks to a very lucrative business – similar to when a drug cartel has a shipment seized. They lose some income, get disrupted but rarely stop their criminal activity to become honest working individuals. Law enforcement in several regions have in the past recovered ransoms paid from other gangs or seized decryption keys, but what is different this time is how many victims the FBI have been able to help and for how long.”

Eric O’Neill, National Security Strategist, VMware:

“The disruption of the notorious Hive ransomware group demonstrates that the FBI has increased its ability to investigate and track threat actors across the Dark Web. This supports the commendable work the FBI’s IC3 is doing to track cybercrime attacks and coordinate efforts to repatriate stolen funds from cybercriminals, further reinforcing the importance of notifying the IC3 when a ransomware attack occurs.

It’s also worth noting how large the Dark Web has grown and how well-resourced new cyber crime syndicates, such as Hive, have become. The Dark Web is currently the third largest economy on Earth measured by GDP, which is larger than Japan or Germany. By 2025, this will grow larger than both countries combined. The FBI’s work to shut down Hive servers and repatriate encryption keys is a great step in the right direction, but it is only a step along a distant marathon to stop Dark Web-resourced cyber crime.”

Julia O’Toole, CEO, MyCena Security Solutions:

“When CISOs are reading the news about Hive’s takedown, it would be wise for them to also focus on the data being revealed about the gang’s victims and the financial losses they inflicted. The alarming numbers may be about Hive, but other ransomware gangs that have even more victims under their belt are still in operation and still pose a very real and credible threat today.

Organizations should use this takedown as a warning that ransomware is a damaging threat that is far from over. As the number one route to a ransomware attack is by gaining initial network access, network infrastructure access must be the number one priority.

When it comes to defense tools, access segmentation and encryption provide the greatest protection. These solutions stop data breaches from propagating through networks and morphing into ransomware attacks, while they also help prevent phishing attacks on employees, since they don’t know the passwords they use.”

Alfredo Hickman, Head of Information Security, Obsidian Security:

“Today’s news sends a very loud message to all cybercrime groups that if you are on this administration’s radar, they are going to be proactive – and if you get within reach of the American legal and justice system, they will hold you accountable. Some experts believe this approach still lacks teeth due to the risk/reward calculous that heavily favors cybercrime organizations operating outside the reach of the US justice system. 

However, this more aggressive and proactive approach to disrupting cybercrime operations should cause pause and recalculation within some organizations. As these announcements continue to roll out and as related cybercrime operations continue to be disrupted and pressure is applied to host nations, I believe there will be fewer attacks on at least the most sensitive establishments, such as hospitals or critical infrastructures due to the near-universal condemnation and political blowback.”

The post Industry Reactions to Hive Ransomware Takedown: Feedback Friday appeared first on SecurityWeek.

Microsoft Urges Customers to Patch Exchange Servers


Microsoft this week published a blog post to remind its customers of the continuous wave of attacks targeting Exchange servers and to urge them to install the latest available updates as soon as possible.

“Attackers looking to exploit unpatched Exchange servers are not going to go away,” Microsoft says, reminding customers that both a cumulative update (CU) and a security update (SU) are available for Exchange.

“There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts,” the company continues.

Attackers, the tech giant notes, are after not only the sensitive information that user mailboxes may contain. They are also looking to access the copy of the company address book stored on the Exchange server, which they can then use in social engineering attacks.

On top of that, Microsoft notes, “Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment.”

Almost every set of Patch Tuesday updates coming out of Redmond includes security fixes for Exchange, some of which address already-exploited vulnerabilities, such as ProxyNotShell and ProxyShell. For other bugs, proof-of-concept (PoC) code was published shortly after patches were released.

“To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU (as of this writing, CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013) and the latest SU (as of this writing, the January 2023 SU),” Microsoft notes.

Because the CUs and SUs are cumulative, only the latest needs to be installed. However, Exchange customers are advised to check whether a security update has been released after they installed the latest CU, and install that as well.

The tech giant also notes that mitigations that it might automatically release for a vulnerability prior to pushing an SU are only meant to provide temporary protection and might not provide protection against all variations of an attack, meaning that customers should install the SU instead.

After installing an update, customers should also run Health Checker to verify if there are any manual tasks that need to be performed. The tool provides links to step-by-step guidance for the necessary actions.

To update an Exchange server, customers should start by reading the announcement about that update, follow the available guidance for CUs or SUs, inventory all servers using Health Checker, and use the Exchange Update Wizard, which offers a step-by-step guide to Exchange updates.

Windows Server and other software running on the Exchange server should also be updated, along with dependency servers that Exchange uses, such as Active Directory and DNS.

Related: Microsoft Warns of New Zero-Day; No Fix Yet for Exploited Exchange Server Flaws

Related: Mitigation for ProxyNotShell Exchange Vulnerabilities Easily Bypassed

Related: Microsoft Adds On-Premises Exchange, SharePoint, Skype to Bug Bounty Program

The post Microsoft Urges Customers to Patch Exchange Servers appeared first on SecurityWeek.

Iranian APT Leaks Data From Saudi Arabia Government Under New Persona


The Iran-linked advanced persistent threat (APT) actor known as Moses Staff is leaking data stolen from Saudi Arabia government ministries using a recently created online persona.

Also referred to as Cobalt Sapling, Moses Staff has been likely active since November 2020, but its existence was not revealed until September 2021.

A declared anti-Israeli and pro-Palestinian group, the APT has posted on its leaks website 16 activities as of December 2022, mainly consisting of data stolen from Israeli companies, or the personal information of individuals affiliated with an Israeli intelligence unit of the Israel Defense Forces.

The group was previously linked to the use of the PyDCrypt custom loader, the DCSrv cryptographic wiper that encrypts data and displays a bootloader message, the StrifeWater remote access trojan (RAT), and the DriveGuard auxiliary tool deployed to monitor the RAT’s execution.

In November 2022, a seemingly new hacktivist group claiming affiliation to the Hezbollah Ummah Lebanese Shia Islamist political party and militant group announced their existence under the Abraham’s Ax name, but Secureworks believes that this new persona is operated by Cobalt Sapling, the same APT that operates Moses Staff.

Connections between the two groups, the cybersecurity firm says, are plenty, starting with the use of a similar logo, similarities in leak sites (both of which have Tor versions), and the hosting of these sites on the same subnet, nearly adjacent to each other.

Like Moses Staff, Abraham’s Ax uses a biblical figure for their persona, and their claimed affiliation to Hezbollah has yet to be proven, Secureworks says.

As part of their activities, both groups have released videos, often depicting “Hollywood-style hacking involving satellites, CCTV, 3D building models, and fast scrolling through documents allegedly stolen as part of their operations”.

The videos show repetition and evolution of visual themes, with Abraham’s Ax reusing stock video elements from Moses Staff, with additional visual embellishments on top.

To date, Abraham’s Ax has leaked data allegedly stolen from Saudi Arabia’s Ministry of the Interior and a video purportedly depicting an intercepted phone conversation between Saudi Arabian government ministers.

“Rather than attacking Israel directly, Abraham’s Ax attacks government ministries in Saudi Arabia. […] The group may be attacking Saudi Arabia in response to Saudi Arabia’s leadership role in improving relationships between Israel and Arab nations,” Secureworks notes.

The cybersecurity firm also notes that Abraham’s Ax does not appear to replace the Moses Staff persona, which has remained active, claiming in late November the hack of a CCTV system monitoring the site of a terrorist attack in Israel.

“Malware and technical indicators from Abraham’s Ax operations have not been identified. Assuming that both personas are operated by Cobalt Sapling, it is plausible that the threat actors use the same tools and techniques in their intrusions,” Secureworks notes.

Related: UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies

Related: Iranian Hackers Deliver New ‘Fantasy’ Wiper to Diamond Industry via Supply Chain Attack

Related: Religious Minority Persecuted in Iran Targeted With Sophisticated Android Spyware

The post Iranian APT Leaks Data From Saudi Arabia Government Under New Persona appeared first on SecurityWeek.