14-Jul-23: In Security News Today

NCSC Proposes Alternative Approaches to Traditional SOCs

The UK’s National Cyber Security Centre (NCSC) has suggested strategies that could reduce or negate the need for Security Operations Centers (SOCs), which require significant time and resources. Techniques used in government, such as 100% cloud-native/serverless architecture, zero-touch production, segregated functions in separate cloud accounts, cloud-native services with integrated logs, secure development practices, and alert systems for interrupted logging can all limit attack vectors and decrease the need for dedicated SOCs. However, NCSC acknowledges that traditional SOCs remain necessary for certain enterprise IT systems and can provide advantages in identifying broad attacks across multiple organizational services.

TeamTNT Expands Cloud Credential Theft Campaign to Azure and Google Cloud

The notorious TeamTNT cyber threat group, known for its AWS-targeted credential stealing campaigns, has broadened its scope to include Azure and Google Cloud Platform (GCP) services. Security companies SentinelOne and Permiso report finding numerous versions of a credential harvesting script, indicating a rapidly evolving campaign, with the newest iterations designed to gather credentials from various platforms and services, including AWS, Azure, GCP, and Docker, among others. As the threat actor actively fine-tunes and enhances their tools, researchers suggest they are likely preparing for larger-scale campaigns.

AIOS WordPress Plugin Criticized for Storing User Passwords in Plaintext

The All-In-One Security (AIOS) WordPress plugin, installed on over a million sites, has come under fire for a bug that caused user passwords to be stored in plaintext. The issue, identified in version 5.1.9 of the plugin, allows a malicious site administrator to read the plaintext passwords, presenting a risk particularly for services not protected by two-factor authentication. While the updated version removes the logged passwords and ceases plaintext password logging, it is recommended that users enable two-factor authentication and change their passwords, particularly if the same password is used across multiple sites.

Critical Vulnerabilities Discovered in Honeywell’s Experion Platforms

Researchers from Armis have discovered nine new vulnerabilities, seven deemed critical, in Honeywell’s Experion Distributed Control Systems (DCS) platforms. Dubbed “Crit.IX,” these vulnerabilities could allow unauthorized remote code execution on Honeywell servers and controllers, enabling an attacker to alter DCS controller operations and hide these changes. These findings emphasize the need for robust cybersecurity measures, with a patch now available and customers advised to update their systems immediately.

Ransomware Attacks Cost Financial Services $32bn in Downtime Over Five Years

A new report reveals that ransomware attacks have resulted in over $32 billion in downtime losses for financial services firms since 2018. This figure is based on 225 confirmed attacks in the sector over the last five years, with each incident leading to an average of two weeks of downtime. Of all sub-sectors within the financial industry, insurance companies have experienced the highest number of attacks (65), with 2021 seeing the most ransomware attacks on finance companies, recording a total of 86 incidents.

British Teens Allegedly Conducted High-Profile Hacks Under LAPSUS$ Banner

Two British teenagers are facing trial in London, accused of carrying out extensive hacks that caused millions of dollars in damage to companies like Uber, Revolut, and Rockstar Games. The most notable hack led to the leak of over 90 unreleased videos from the forthcoming “Grand Theft Auto 6”. The teenagers, allegedly linked to the notorious LAPSUS$ hacking gang, are also accused of hacking and blackmailing BT and NVIDIA, releasing employees’ hashed passwords, and defrauding cryptocurrency investors through SIM swap scams.

Global SOHO Router Infection Exposed by Black Lotus Labs

Black Lotus Labs has discovered a substantial multi-year campaign, dubbed “AVrecon,” that leverages infected small-office/home-office (SOHO) routers to create a covert network for criminal activities such as password spraying and digital advertising fraud. The malware, which operates without disrupting service or bandwidth, has reportedly infiltrated over 70,000 machines, securing a persistent presence in more than 40,000 IPs across 20+ countries. Despite successfully null-routing the command and control nodes and thwarting the botnet’s traffic, the security researchers emphasize the threat’s potential to bypass standard network-based detection tools and underscore the critical importance of constant vigilance against such innovative cyber threats.

Advanced Vishing Attack Exploits Voice Traffic Routing and Social Engineering in Micro-loan Scam

The “Letscall” malware, targeting South Koreans, uses advanced vishing (voice phishing) techniques, which include a combination of hi-tech malware, voice traffic routing, and social engineering, to manipulate victims into securing micro-loans. The malware reroutes calls through a malicious app downloaded from a fraudulent Google Play Store website, redirecting them to a call center where criminals impersonating bank employees extract sensitive information. The operation, sophisticated in its use of evasion techniques, is currently confined to South Korea, but there are no technical barriers to prevent its spread to other regions, underscoring the continuous evolution of cybercriminal tactics and technology exploitation.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.