Hello and welcome to the final news round-up of the year. Here's what has been happening in cybersecurity in the last week.
On Thursday "The Declaration on Digital Rights and Principles" became official. The Declaration was signed by European Commission President Ursula von der Leyen, the President of the European Parliament Roberta Metsola and Czech Prime Minister Petr Fiala. The Declaration aims to promote European values during the process of digital transformation, put people at the center of it, and ensure that digital technology benefits all individuals, businesses, and society as a whole.
The U.S. Department of Justice (DoJ) announced this week it is seizing 48 internet domains, and charging six people who allegedly ran distributed denial of service (DDoS) or "booter" or "stresser" services from the US. The DoJ says the 48 websites were used to launch millions of DDoS attacks against victims around the world, but were being promoted as a legitimate service to stress-test a customer's network.
While the DoJ did have that win, one of their programs did not. InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, has discovered that its database of contact information on more than 80,000 members is up for sale on an English-language cybercrime forum.
Also this week, the U.S. National Security Agency (NSA) said a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems. The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and seize control. Citrix has released patches to address the vulnerability and is urging customers to install the updates immediately.
Meanwhile, a massive-scale phishing attack was identified this week. It involves more than 144,000 phishing-related packages that were uploaded by unknown threat actors to open source package repositories such as npm, PyPI and NuGet. The attack promotes fake apps, prize-winning surveys, gift cards, giveaways, and more. And the whole operation was automated.
It's unlikely anybody in cybersecurity could forget the severe attack that took place against Ireland's healthcare system last year. More than 80% of IT infrastructure was affected, patient information was lost and the entire system was impacted for many months. Now, the costs of that massive attack are being tallied. Officials at the Irish Health Service say the attack has caused 80 million euros in damages. That number could go even higher, since the government is still notifying victims of the incident.
Finally, Twitter confirmed this week a data leak occurred after a breach last year. Through a bug bounty report, the company learned about an API vulnerability involving members' email addresses and phone numbers and also allowing people to get an associated Twitter ID for a registered account. Of course the email addresses and phone numbers should never become public. Unfortunately, by the time Twitter created a fix, a threat actor had already leveraged the API vulnerability to input millions of email addresses and phone numbers to create 5.4 million user profiles consisting of public and non-public data.
That's a wrap for the week. Thanks for stopping by our blog, and have a great weekend.
Top Global Security News
My Europe (December 15, 2022) The EU just signed its Declaration on Digital Rights and Principles - but what is it?
The European Union on Thursday concluded its work on a declaration to enshrine its commitment for a secure, safe and sustainable digital future.
"The Declaration on Digital Rights and Principles", signed by Commission President Ursula von der Leyen, the President of the European Parliament Roberta Metsola and Czech Prime Minister Petr Fiala, is part of what institutions in Brussels have called the bloc's "digital DNA".
The aim, they say, is to place people at the centre of an increasingly digital world.
ZDNet (December 15, 2022) Prosecutors charge six, seize 48 domains over DDoS-for-hire services
The Department of Justice (DoJ) has been authorized to seize 48 internet domains and has laid criminal charges against six individuals who allegedly ran distributed denial of service (DDoS) or "booter" or "stresser" services from the US.
The FBI is seizing the 48 domains that facilitated DDoS attacks for paying customers against targeted computers. The DDoS attacks prevented the targeted computers from accessing the internet.
According to the DoJ, the 48 websites were used to launch millions of DDoS attacks against victims around the world. The sites promoted themselves as a "stresser", or a legitimate service to stress-test the customer's network. But the FBI found this mechanism was a cover after viewing communications between the site administrators and customers, which indicated both parties were aware that the customer was not attempting to stress-test their own computers.
Bleeping Computer (December 14, 2022) Open-source repositories flooded by 144,000 phishing packages
Unknown threat actors have uploaded a massive 144,294 phishing-related packages on open-source package repositories, including NPM, PyPi, and NuGet.
The large-scale attack resulted from automation, as the packages were uploaded from accounts using a particular naming scheme, featured similar descriptions, and led to the same cluster of 90 domains that hosted over 65,000 phishing pages.
The campaign supported by this operation promotes fake apps, prize-winning surveys, gift cards, giveaways, and more. In some cases, they take victims to AliExpress via referral links.
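The signals the report lists for this campaign (accounts following one naming scheme, near-identical descriptions, links converging on a small set of domains) are exactly what a registry or a package-intake scanner can cluster on. The following is an added example of that detection logic, not code from Bleeping Computer or from any registry; the package records, publisher names and the `prizes-example.invalid` domain are constructed for illustration, and the thresholds are assumptions.

```python
"""Cluster package metadata by the phishing domain it points to, and flag
clusters that look templated (one publisher naming scheme, one description
template). Added example with constructed sample data."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records: four templated spam packages across three
# registries that all link to one domain, plus two ordinary packages.
PACKAGES = [
    {"registry": "npm", "name": "free-giftcard-2023", "publisher": "promo-user-1182",
     "description": "Claim your free gift card now! Visit https://prizes-example.invalid/p/1182"},
    {"registry": "pypi", "name": "free-giftcard-2024", "publisher": "promo-user-2291",
     "description": "Claim your free gift card now! Visit https://prizes-example.invalid/p/2291"},
    {"registry": "nuget", "name": "Prize.Survey.Winner", "publisher": "promo-user-3304",
     "description": "Claim your free gift card now! Visit https://prizes-example.invalid/p/3304"},
    {"registry": "npm", "name": "giveaway-codes-77", "publisher": "promo-user-4417",
     "description": "Claim your free gift card now! Visit https://prizes-example.invalid/p/4417"},
    {"registry": "npm", "name": "left-pad-clone", "publisher": "maintainer-jane",
     "description": "Pads strings. Source at https://github.com/example/left-pad-clone"},
    {"registry": "pypi", "name": "yaml-tools", "publisher": "dev-bob",
     "description": "YAML helpers. Docs: https://docs.example.org/yaml-tools"},
]

URL_RE = re.compile(r"https?://[^\s)\"']+")


def extract_domains(text: str) -> set:
    """Return the lower-cased host names of every URL found in the text."""
    return {urlparse(u).netloc.lower() for u in URL_RE.findall(text)}


def normalize_description(desc: str) -> str:
    """Collapse whitespace and replace digit runs with '#', so descriptions
    generated from one template with varying numbers compare equal."""
    return re.sub(r"\d+", "#", re.sub(r"\s+", " ", desc.strip().lower()))


def publisher_pattern(publisher: str) -> str:
    """Reduce a publisher name to its naming scheme (digits -> '#')."""
    return re.sub(r"\d+", "#", publisher.lower())


def find_campaign_clusters(packages: list, min_packages: int = 3) -> list:
    """Group packages by linked domain; report domains referenced by at
    least min_packages packages, and whether the group looks templated
    (a single publisher naming scheme and a single description template)."""
    by_domain = defaultdict(list)
    for pkg in packages:
        for domain in extract_domains(pkg["description"]):
            by_domain[domain].append(pkg)

    clusters = []
    for domain, pkgs in by_domain.items():
        if len(pkgs) < min_packages:
            continue
        pubs = {publisher_pattern(p["publisher"]) for p in pkgs}
        descs = {normalize_description(p["description"]) for p in pkgs}
        clusters.append({
            "domain": domain,
            "packages": sorted(p["name"] for p in pkgs),
            "registries": sorted({p["registry"] for p in pkgs}),
            "publisher_patterns": sorted(pubs),
            "templated": len(pubs) == 1 and len(descs) == 1,
        })
    return clusters


if __name__ == "__main__":
    for cluster in find_campaign_clusters(PACKAGES):
        print(cluster)
```

Clustering on the destination domain rather than on package names is the point: names and publishers are cheap for an automated uploader to vary, while the landing domains are the part of the campaign that has to stay stable, so a domain referenced by many fresh packages with templated metadata is a strong review signal.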
Krebs on Security (December 13, 2022) FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked
InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.
Cybersecurity Dive (December 13, 2022) Threat actor exploits critical Citrix vulnerability
Citrix on Tuesday released patches to address the vulnerability, which affects Citrix ADC and Citrix Gateway versions 12.1 and 13.0.
There are no workarounds available for the vulnerability and Citrix urged customers to install the updates immediately. The vulnerability only applies to customer hosted Citrix ADC or Citrix Gateway appliances.
“We are aware of a small number of targeted attacks in the wild using this vulnerability,” Peter Lefkowitz, VP and chief security and trust officer at Citrix, said in a blog post.
Healthcare Info Security (December 12, 2022) Irish Healthcare Ransomware Hack Cost Over 80 Million Euros
A ransomware attack on the Irish healthcare system in 2021 has caused 80 million euros in damages and counting as the government continues to notify victims of the incident that their personal information was illegally accessed and copied.
Costs totaled 42 million euros during 2021 and 39 million euros this year through October, Irish Health Service Executive interim Chief Information Officer Fran Thompson said in a letter to an opposition member of Parliament, The Irish Times reported. The member, Aontú Party leader Peadar Tóibín, has been critical of government officials, accusing them of "negligence in their duty of care for patients' health and their data."
Bleeping Computer (December 12, 2022) Twitter confirms recent user data leak is from 2021 breach
In January 2022, Twitter received a report through its bug bounty program that an API vulnerability allows an attacker to feed email addresses or phone numbers and get an associated Twitter ID for a registered account.
As members' phone numbers and email addresses are not meant to be public, this could pose a significant privacy risk for Twitter users who wish to post anonymously.
By the time Twitter remediated the problem, a threat actor had already leveraged the API vulnerability to input millions of email addresses and phone numbers to create 5.4 million user profiles consisting of public and non-public data.
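The flaw described here is an account-enumeration pattern: an endpoint that accepts an email address or phone number and answers with the linked account. The following added example, which is not Twitter's code, shows the vulnerable shape of such a lookup beside a hardened variant that returns the same response whether or not the identifier is registered, rate-limits each client, and records an alert when one client probes many distinct identifiers. The user store, client identifiers and limits are constructed for illustration.

```python
"""Account lookup: the enumeration-prone pattern and a hardened variant.
Added example with a constructed user store; not any real service's code."""
import secrets
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample store: contact identifier -> internal account id.
USERS = {
    "alice@example.com": 1001,
    "+15555550123": 1002,
    "bob@example.com": 1003,
}


def lookup_vulnerable(identifier: str) -> dict:
    """Vulnerable pattern: confirms whether a contact is registered and
    returns the linked account id. Anyone holding a list of emails or
    phone numbers can link them to accounts one request at a time."""
    account_id = USERS.get(identifier)
    if account_id is None:
        return {"found": False}
    return {"found": True, "account_id": account_id}


class HardenedLookup:
    """Hardened pattern:
    1. the response has the same shape and wording whether or not the
       identifier exists; any real action (e.g. a message to that contact)
       happens out of band, so membership is never confirmed inline;
    2. a sliding-window rate limit per client;
    3. an enumeration signal for the detection team when one client probes
       at least alert_distinct different identifiers."""

    def __init__(self, max_per_window: int = 5, window_seconds: float = 60.0,
                 alert_distinct: int = 4):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.alert_distinct = alert_distinct
        self._requests = defaultdict(deque)   # client -> request timestamps
        self._distinct = defaultdict(set)     # client -> identifiers probed
        self.alerts = []                      # clients flagged for enumeration

    def lookup(self, client_id: str, identifier: str,
               now: Optional[float] = None) -> dict:
        now = time.monotonic() if now is None else now
        window = self._requests[client_id]
        # Drop timestamps that have aged out of the sliding window.
        while window and now - window[0] > self.window:
            window.popleft()
        if len(window) >= self.max_per_window:
            return {"status": "rate_limited"}
        window.append(now)

        probed = self._distinct[client_id]
        probed.add(identifier)
        if len(probed) >= self.alert_distinct and client_id not in self.alerts:
            self.alerts.append(client_id)

        # Registered or not, the caller gets an opaque receipt and nothing else.
        # USERS is deliberately not consulted on this path.
        return {"status": "accepted", "request_token": secrets.token_hex(8)}


if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"))      # leaks the account id
    h = HardenedLookup(max_per_window=3, alert_distinct=3)
    for contact in ["alice@example.com", "nobody@example.com", "bob@example.com", "x@example.com"]:
        print(h.lookup("client-a", contact))
    print("enumeration alerts:", h.alerts)
```

The rate limit alone is not enough: a patient actor spreads probes across clients and time. The property that actually closes the enumeration hole is the identical response on both paths, and the distinct-identifier counter is there so that probing, which is indistinguishable from legitimate use at the level of a single request, still shows up in monitoring.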
Other Top Security News