Hello and welcome to our weekly wrap-up of the week's most impactful cybersecurity stories. Let's dive right in.
The big story of the week is what may be the largest data breach in history. And it appears to be due to human error. According to Secure World, a government developer wrote a blog post on a popular forum that included the credentials to a Shanghai police database. Naturally, threat actors took advantage of this unprecedented opportunity. They swooped right in and posted the 23 terabytes of data for sale on the Dark Web. In total, the leak includes the personal information of roughly one billion Chinese citizens.
Another important development this week comes from the U.S. National Institute of Standards and Technology (NIST). As expected, NIST announced the four algorithm candidates to replace current asymmetric encryption and signing systems. The computing industry has been waiting for NIST's announcement as the current asymmetric encryption and signing systems are vulnerable to quantum computers. The four new algorithms will replace the most common asymmetric systems such as RSA and elliptic curve cryptography (ECC) which form the backbone of traditional secure communications.
In other news, North Korean hackers are targeting US healthcare providers with Maui ransomware. That's according to the Cybersecurity and Infrastructure Security Agency (CISA). CISA, along with the U.S. Department of the Treasury, allege state-sponsored cyber gangs have been involved in this campaign for more than a year.
You may recall that, last week, it was reported that chipmaker AMD had possibly been breached. The story appears to have some merit, as now it appears "terrible passwords" may have been at least partly to blame. The RansomHouse crime gang is purportedly behind the attack.
Meanwhile, The British Army's YouTube account was hijacked and used to promote NFT and cryptocurrency schemes. This included YouTube videos posted with the image of entrepreneur Elon Musk. In addition, the account name was changed and screenshots also appeared to show the Army's Twitter account, its name changed, retweeting promotions for NFT projects, complete with images of a cartoon monkey. It is unknown who is behind the intrusion.
Finally, MITRE recently published the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous software bugs list, highlighting that enterprises still face a raft of common weaknesses that must be protected from exploitation. The CWE Top 25 is the work of the Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE. The top 10 software issues included in the list are:
- CWE-787 – Out-of-bounds Write
- CWE-79 – Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
- CWE-89 – Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
- CWE-20 – Improper Input Validation
- CWE-125 – Out-of-bounds Read
- CWE-78 – Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
- CWE-416 – Use After Free
- CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
- CWE-352 – Cross-Site Request Forgery (CSRF)
- CWE-434 – Unrestricted Upload of File with Dangerous Type
That's all for this week. Thanks for stopping by our blog, and have a great weekend!
Top Global Cybersecurity News
Infosecurity (July 6, 2022) North Korean Hackers Target US Health Providers With 'Maui' Ransomware
The Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory suggesting North Korean state-sponsored cyber actors are using the Maui ransomware to target Healthcare and Public Health (HPH) Sector organizations in the US.
According to the document – a joint effort between CISA, the Federal Bureau of Investigation (FBI) and the Department of the Treasury (Treasury) – the threat actors have been engaging in these campaigns since at least May 2021.
“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services and intranet services,” reads the advisory.
computing (July 6, 2022) Winners of NIST's post-quantum cryptography competition announced
Four candidates selected to replace current asymmetric encryption and signing systems which are vulnerable to quantum computers will now be standardised and ratified.
US National Institute of Standards and Technology (NIST) has selected four candidates to be standardised as public key post-quantum cryptography (PQC) algorithms.
These algorithms will be lined up to replace the most common asymmetric systems such as RSA and elliptic curve cryptography (ECC) which form the backbone of current secure communications, but which are vulnerable to the massive parallel computing power of the sorts of quantum computers that may soon be available.
Security Info Watch (July 5, 2022) Report: Hacker gang broke into chipmaker AMD because of workers' terrible passwords
A Silicon Valley tech powerhouse has reportedly faced a data breach, in part, due to employees' purported use of terrible passwords like, er, "password" and "123456."
AMD, the microchip manufacturer headquartered in Santa Clara, fell prey to an increasingly notorious hacker crew known as RansomHouse, according to reports by TechCrunch and Restore Privacy.
The semiconductor giant confirmed the digital break-in a statement to media outlets. "On June 27, we became aware that a cybercriminal organization by the name of RansomHouse claimed to be in possession of data stolen from AMD," the statement, sent to SFGATE on Thursday morning, reads. "We are investigating the claim and are in contact with law enforcement officials."
Portswigger (July 5, 2022) These are the most dangerous software weaknesses of 2022
MITRE has published the 2022 CWE most dangerous software bugs list, highlighting that enterprises still face a raft of common weaknesses that must be protected from exploitation.
The 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list was made public last week. The CWE Top 25 is the work of the Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE.
The list attempts to provide a comprehensive guide for developers, researchers, and executives in prioritizing and mitigating risk regarding exploitable software issues.
ZDNet (July 4, 2022) The British Army is investigating after its Twitter and YouTube accounts were hijacked
The British Army is investigating after its Twitter and YouTube accounts were both breached.
On July 3, as reported by the BBC, Army accounts were taken over and used to promote NFT and cryptocurrency schemes. This included YouTube videos posted with the image of entrepreneur Elon Musk.
The British Army's YouTube account name was changed. Screenshots also appeared to show the Army's Twitter account, its name changed, retweeting promotions for NFT projects, complete with images of a cartoon monkey.
It is unknown who is behind the intrusion. The British Army confirmed the security incident and apologized "for the temporary interruption to our feed" on Sunday night.
Bleeping Computer (July 4, 2022) Hacker claims to have stolen data on 1 billion Chinese citizens
An anonymous threat actor is selling several databases they claim to contain more than 22 terabytes of stolen information on roughly 1 billion Chinese citizens for 10 bitcoins (approximately $195,000).
The announcement was posted on a hacker forum by someone using the handle 'ChinaDan,' saying that the information was leaked from the Shanghai National Police (SHGA) database.
Based on the information they shared regarding the allegedly stolen data, the databases contain Chinese national residents' names, addresses, national ID numbers, contact info numbers, and several billion criminal records.
ChinaDan also shared a sample with 750,000 records containing delivery info, ID information, and police call records. These records would allow interested buyers to verify that the data for sale is not fake.
Other Thought-Provoking Stories
Marriott Confirms Small-Scale Data Breach - Security Week
UK Lawyers Urged to Stop Advising Clients to Pay Ransomware Demands - InfoSecurity
Cyberattack Disrupts Unemployment Benefits in Some States - Security Week
Wegmans’ $400,000 fine for exposed customer data should leave all retailers on high alert - SC Media
Ransomware: Why it's still a big threat, and where the gangs are going next - ZDNet
Ukrainian Authorities Arrested Phishing Gang That Stole 100 Million UAH - The Hacker News
Emergency Chrome 103 Update Patches Actively Exploited Vulnerability - SecurityWeek
Dutch university wins big after Bitcoin ransom returned - DW
5G and IoT Security: Proliferation of Devices Open Huge Attack Edge for Hackers - Formtek Blog