Hello and welcome back to our blog. Here's the latest recap of the biggest cybersecurity news in the last week.
The LockBit ransomware operation, which is normally focused on attacking others, is getting a taste of its own medicine after experiencing a data breach. An allegedly disgruntled developer is responsible. According to Bleeping Computer, the LockBit ransomware operation released version 3.0 of their encryptor in June, codenamed LockBit Black. The new version promised to 'Make Ransomware Great Again,' adding new anti-analysis features, a ransomware bug bounty program, and new extortion methods. But LockBit suffered a breach, with someone leaking the LockBit 3.0 builder on Twitter.
With cyber attacks bombarding businesses and consumers seemingly every minute, governments worldwide are losing patience. At the WSJ CIO Network Summit this week, Cybersecurity and Infrastructure Security Agency's Brandon Wales said that over time properly addressing cybersecurity - and investing in it - "should become standard for every publicly traded company." The UK's National Cyber Security Centre Chief Executive Lindy Cameron, who also attended the WSJ event, said it is "too often that an organization wasn't prepared" for a cyber incident and "are all too ready to pay to restore their data, which in turn feeds the issue."
American Airlines has reported a breach of a “limited number” of employees’ email accounts. The disclosure, which was made on September 16th, said the breach was discovered in July. In the incident, the hacker may have had access to certain medical information the employee provided, as well as date of birth, mailing address, phone number, email address, driver’s license number and passport numbers. The airline has also said that it is aware of a phishing campaign that impacted only a very small number of customers and employees.
Since at least mid-2019, threat actors have been impersonating various US government departments in phishing attacks targeting the Microsoft 365 credentials of government contractors. The attackers have been sending phishing messages spoofing various departments, including the US Departments of Commerce, Labor, or Transportation to target organizations in various sectors, with a focus on energy and professional services, including construction. The threat actors have created emails which claim to request bids for government projects that appear legitimate.
The security breach that impacted Uber last week was not only the work of Lapsus$, but of an 18-year-old who has also claimed responsibility for breaking into video game maker Rockstar Games. That hack took place last weekend. Lapsus$ is known for carrying out attacks against large technology companies. It's been successful this year, with hacks at Microsoft, Cisco, Samsung, Nvidia and Okta.
That's a wrap! Have a great weekend.
Top Global Security News
The Cyberwire (September 22, 2022) Threat actors have their insider threats, too.
The builder for LockBit's new encryptor, version 3.0 or "LockBit Black," released just this past June in the criminal-to-criminal market, has been leaked online, BleepingComputer reports. Researcher "3xp0rt" tweeted early this morning that "Unknown person @ali_qushji [which account has been temporarily restricted due to "unusual activity"] said his team has hacked the LockBit servers and found the possible builder of LockBit Black (3.0) Ransomware. You can check it on the GitHub repository https://github.com/3xp0rt/LockBit-Black-Builder..."
LockBit says it was an insider leak, and not an external attack.
After 3xp0rt's tweet, VX-Underground reported that they had been contacted on September 10th by a user named 'protonleaks,' who at that time had shown them a copy of the builder. It's unclear whether protonleaks and ali_qushji are one person or two people, or whether perhaps their name is really legion. LockBit reached out to VX-Underground to deny that they had been hacked, saying that the leak was the work of a disgruntled developer unhappy with LockBit's leadership.
Wall Street Journal (September 21, 2022) Cybersecurity Investments Are No Longer Optional, Officials Warn
A mix of regulation, investor demands and insurance requirements is pushing companies to elevate the oversight of cybersecurity, officials from the U.S. and other countries say.
While some companies in specific critical infrastructure sectors, such as energy and banking, must already comply with certain cybersecurity requirements, greater investment in digital defenses is needed across the board, said Brandon Wales, executive director at the Cybersecurity and Infrastructure Security Agency.
“There are companies that already have to address this level of cybersecurity and demonstrate this level of cybersecurity investment. But I think, over time, this should become standard for every publicly traded company,” Mr. Wales said, speaking Tuesday at the WSJ CIO Network Summit.
Cyberscoop (September 20, 2022) American Airlines discloses data breach
A “limited number” of American Airlines’ employees’ email accounts were compromised by an “unauthorized actor,” who had potential access to a range of those employees’ personal data, the company said in a disclosure Sept. 16.
The notice said the company discovered the breach in July, and that the hacker may have had access to employees’ name, date of birth, mailing address, phone number, email address, driver’s license number, passport number and “certain medical information you provided,” the company said in the notice signed by Russell Hubbard, American Airlines deputy general counsel and chief privacy and data protection officer.
Andrea Koos, senior manager for corporate communications for American Airlines, told CyberScoop in an email that the company is “aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes. A very small number of customers and employees’ personal information was contained in those email accounts.”
Bleeping Computer (September 20, 2022) US Government Contractors Targeted in Evolving Phishing Campaign
Threat actors are impersonating various US government departments in phishing attacks targeting the Microsoft 365 credentials of government contractors.
Since at least mid-2019, the attackers have been observed sending phishing messages spoofing the US Departments of Commerce, Labor, or Transportation to target organizations in various sectors, with a focus on energy and professional services, including construction.
These targeted emails, which claim to request bids for government projects, are well crafted and very convincing, and were seen bypassing protections offered by secure email gateways (SEGs).
According to phishing prevention and detection firm Cofense, the phishing campaigns have evolved with improved emails and lure PDFs, as well as with updated appearance and behavior of the employed phishing pages.
ZDNet (September 19, 2022) Lapsus$, says it bought credentials on the dark web
The security breach that hit Uber last week was the work of Lapsus$, Uber said in a blog post Monday. The South American hacking group has attacked a number of technology giants in the past year, including Microsoft, Samsung, and Okta.
Uber said it is in close coordination with the FBI and US Justice Department on the matter.
While the attackers accessed several internal systems, Uber said it does not appear they infiltrated any public-facing systems, user accounts, or databases that store sensitive user information like credit card numbers. Additionally, Uber said it doesn't appear that the attackers accessed any customer or user data stored by its cloud providers.
Bleeping Computer (September 18, 2022) GTA 6 source code and videos leaked after Rockstar Games hack
Grand Theft Auto 6 gameplay videos and source code have been leaked after a hacker breached Rockstar Games' Slack server and Confluence wiki.
The videos and source code were first leaked on GTAForums yesterday, where a threat actor named ‘teapotuberhacker’ shared a link to a RAR archive containing 90 stolen videos.
The videos appear to be created by developers debugging various features in the game, such as camera angles, NPC tracking, and locations in Vice City. In addition, some of the videos contain voiced conversations between the protagonist and other NPCs.
Other Top Security News