Hewlett Packard Enterprise (HPE) attacked through Microsoft 365 email system
HPE has stated that the alleged Russia-linked cyberespionage group Midnight Blizzard got in through its Microsoft Office 365 cloud-based email environment, where the attackers collected information on the company’s cybersecurity division. This is the same group that breached Microsoft itself last week, a story that is still reverberating. HPE discovered the intrusion in December. Its investigation shows that the attackers had been exfiltrating data since May of last year, accessing “a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”
(Security Affairs)
Study reveals 18,000 exposed API secrets, including $20 million in vulnerable Stripe tokens
The API security platform Escape announced on Wednesday the results of its 2024 API Secret Sprawl research, which is based on its scanning and analysis of the one million most popular domains at the beginning of 2024. Among its findings from 189.5 million URLs were more than 18,000 exposed API secrets, 41% of which were deemed highly critical, meaning they could lead to significant financial risk for their organizations. These took the form of exposed financial tokens and API keys, and included $20 million in vulnerable Stripe tokens. Also on the list were GitHub/GitLab tokens, RSA private keys, OpenAI keys, AWS tokens, Twitch secret keys, cryptocurrency exchange keys, X (formerly Twitter) tokens, and Slack and Discord webhooks. A link to the report is available in the show notes to this episode.
(Escape.tech press release)
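As an added illustration of the kind of scan behind those numbers (this is example code written for these notes, not Escape’s tooling or anything from its report), the Python below runs a small set of credential detectors over fetched page bodies for several of the secret types the report names: live Stripe secret keys, AWS access key IDs, GitHub personal access tokens, RSA private key headers and Slack incoming webhooks. The key prefixes are the publicly documented ones for each service; the “fetched” responses are constructed inline (the AWS key ID and secret are AWS’s own documented example values, not real credentials), and the entropy threshold and severity labels are assumptions chosen for the example. Two practical details the report’s headline figures hide are shown: test-mode Stripe keys (`sk_test_`) and publishable keys (`pk_live_`) are not flagged, since they carry no financial risk, and an entropy check drops obvious placeholders such as `sk_live_XXXX…` that a bare regex would count as a finding.

```python
"""Regex + entropy scanner for exposed API secrets in fetched web content.

Example code for these show notes. Prefix patterns follow each vendor's
published key format; sample responses are constructed, not real.
"""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class Rule(NamedTuple):
    kind: str
    severity: str            # assumed labels for the example: "critical" or "high"
    pattern: "re.Pattern[str]"
    min_entropy: Optional[float]   # None: fixed-form match, skip the entropy filter


class Finding(NamedTuple):
    url: str
    kind: str
    severity: str
    token: str


# Only live Stripe secret keys are matched; sk_test_ and pk_live_ are harmless.
RULES = [
    Rule("stripe_live_secret_key", "critical", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"), 3.0),
    Rule("aws_access_key_id", "critical", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 3.0),
    Rule("github_pat", "critical", re.compile(r"\bghp_[0-9A-Za-z]{36}\b"), 3.0),
    Rule("rsa_private_key", "critical",
         re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"), None),
    Rule("slack_webhook", "high",
         re.compile(r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"), None),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random base62 tokens score well above 3, placeholders near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def mask(token: str) -> str:
    """Never echo a full secret into a report; keep enough to identify it."""
    return token if len(token) <= 16 else token[:8] + "..." + token[-4:]


def scan_text(url: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            token = m.group(0)
            # Drop low-entropy matches such as sk_live_XXXXXXXX... from docs and templates.
            if rule.min_entropy is not None and shannon_entropy(token) < rule.min_entropy:
                continue
            findings.append(Finding(url, rule.kind, rule.severity, token))
    return findings


def scan_responses(responses: Dict[str, str]) -> List[Finding]:
    """responses maps a fetched URL to its body, as a crawler would supply it."""
    out: List[Finding] = []
    for url, body in responses.items():
        out.extend(scan_text(url, body))
    return out


def severity_summary(findings: List[Finding]) -> Counter:
    return Counter(f.severity for f in findings)


# Constructed sample bodies standing in for crawled pages. Nothing here is a real credential;
# the AWS values are the example pair AWS uses in its own documentation.
SAMPLE_RESPONSES = {
    "https://shop.example/static/checkout.js": (
        'const stripe = Stripe("pk_live_51Hz8kQ2mN7vT4pL9wX3cR6y");\n'       # publishable: ignored
        'const STRIPE_SECRET = "sk_live_51Hz8kQ2mN7vT4pL9wX3cR6y";\n'        # live secret: flagged
        'const STRIPE_TEST = "sk_test_51Hz8kQ2mN7vT4pL9wX3cR6y";\n'          # test mode: ignored
    ),
    "https://shop.example/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "SLACK_WEBHOOK=https://hooks.slack.com/services/T0000000001/B0000000002/Ab1Cd2Ef3Gh4Ij5Kl6Mn7Op8\n"
    ),
    "https://shop.example/docs/setup.md": (
        "Set GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8 in CI\n"
        "Placeholder: sk_live_XXXXXXXXXXXXXXXXXXXXXXXX\n"                      # filtered by entropy
    ),
    "https://shop.example/backup/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
    ),
}


if __name__ == "__main__":
    found = scan_responses(SAMPLE_RESPONSES)
    for f in found:
        print(f"{f.severity:8} {f.kind:24} {f.url}  {mask(f.token)}")
    print(dict(severity_summary(found)))
```

On real crawl output the same two filters matter most: the report’s “highly critical” category is about keys that move money or grant write access, so the rules should distinguish live from test credentials per vendor rather than matching on a generic prefix, and a match that is really a README placeholder should be dropped before anyone is paged. Verifying a live key against the vendor’s API (for example a read-only call) is the usual next step and is deliberately not done here.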
Ukrainian energy, postal, and transportation services hit by cyberattacks
A number of critical infrastructure companies suffered cyberattacks yesterday, including the state-owned oil and gas enterprise Naftogaz, whose website and call centers remain out of service at the time of this recording. Naftogaz supplies gas to 12 million Ukrainian citizens and runs 60 subsidiaries. The country’s postal service, Ukrposhta, also reported a cyberattack that disrupted some of its services. The agency responsible for transport safety, the DSBT, also announced an attack on its data center that disrupted the system called “Shlyah,” used by drivers to cross the Ukrainian border or deliver cargo abroad. Ukraine’s state railway, Ukrzaliznytsia, also noted an attack that prevented passengers in Kyiv from buying train tickets online. It is currently not clear whether these attacks are connected or who is behind them.
(The Record)
UK water supplier Southern Water breached by Black Basta
The water company confirmed the attack after scans of passports, drivers’ licenses, HR-related material and corporate car leasing documents related to the company were released on the gang’s Tor leak site. The utility, which serves 4.5 million customers in southern England, confirmed that normal operations have not been affected. InfoSecurity Magazine notes that Jamie Akhtar, co-founder and CEO at CyberSmart, has suggested the breach could have been the result of a supply chain attack, given that some of the leaked documents bear the logo of Southern Water’s parent company. Akhtar said, “this suggests that the breach could have happened through any number of Southern Water’s subsidiaries or suppliers.”
(InfoSecurity Magazine)
Huge thanks to this week’s episode sponsor, Conveyor
January update jams some Google Pixel Phones
Problems reported by users of many different models, including the Google Pixel 5, 6, 6a, 7, 7a, 8, and 8 Pro, include being unable to access internal storage, open the camera, take screenshots, or even open apps. According to Bleeping Computer, “the root cause is unknown but is likely a software issue with the January 2024 Play system update that Google hasn’t pinpointed or fixed yet.” Users who are still on the November 1 update are advised to stick with it for the time being.
(Bleeping Computer)
Watch for increasing sophistication from threat actors, says Experian
Experian’s 11th annual Data Breach Industry Forecast includes six predictions that it suggests will make this year even more eventful for the cybersecurity industry. Among them: third-party vendor breaches extending to fourth-, fifth- and even sixth-party breaches; the manipulation of tiny bits of data, such as transportation coordinates, to cause chaos; attacks on the supply chains for rare earth materials; and insider activity such as learning stock market insights early in order to cash in through legitimate markets. A link to the report is available in the show notes to this episode.
(ITSecurityGuru.org and Experian’s 11th annual Data Breach Industry Forecast)
UK Parcel company disables chatbot after it swears at customer
The parcel delivery company DPD, which has used an AI-enabled chatbot for customer service successfully for years, is retooling its automated service after frustrated customers essentially tricked it into making negative statements about the company, including in haiku form, and into swearing in its replies. The results naturally went viral on social media. This kind of user-driven misbehaviour, steered by the prompts customers feed the bot, is recognized as an ongoing risk in the early years of AI chatbots, as the BBC points out, stating “it comes a month after a similar incident happened when a car dealership’s chatbot agreed to sell a Chevrolet for a single dollar – before the chat feature was removed.”
(BBC News)
Microsoft launches immersive space called Mesh
Although not directly a cybersecurity story, the release of a mixed reality platform from Microsoft represents another large step towards VR-based working environments, and working environments always need securing. Mesh is now being integrated into Teams business plans and allows people to gather and collaborate; a VR headset is not necessary.
(The Verge)