
Cyber Outlook Rundown 3/28/23

Cybersecurity News


A cybersecurity briefing on recent noteworthy cyber attacks, vulnerabilities, and InfoSec news. Each rundown also highlights new tips and resources to help improve information security.


Noteworthy Cyber Attacks Reported

  1. OpenAI has confirmed a ChatGPT data breach caused by a bug in the redis-py open-source library, which exposed user information, including payment-related data of 1.2% of ChatGPT Plus subscribers. Separately, threat intelligence company GreyNoise has warned that a component of a new ChatGPT feature uses a Docker image of the MinIO distributed object storage system affected by an actively exploited information disclosure vulnerability (CVE-2023-28432). https://www.securityweek.com/chatgpt-data-breach-confirmed-as-security-firm-warns-of-vulnerable-component-exploitation/

  2. Twitter's source code was leaked on GitHub, and the company is attempting to identify the culprit. The leak was discovered by the New York Times and removed after Twitter filed a DMCA request. The leaked code included proprietary information about Twitter's platform and internal tools, which could expose vulnerabilities to potential attackers and give competitors an advantage. In response, Twitter submitted a court filing in California to uncover the person responsible and to gather information on other GitHub users who may have downloaded the data. The company suspects that a former employee may be behind the leak, and as a result Twitter has implemented code freezes ahead of layoffs. This incident follows a series of outages and interruptions experienced by the social media platform since its acquisition by Elon Musk. https://www.theverge.com/2023/3/27/23657928/twitter-source-code-leak-github

  3. Latitude Financial disclosed that a cyber-attack on its system resulted in the theft of 14 million customer records, including 7.9 million Australian and New Zealand driver’s license numbers, 53,000 passport numbers, and customer financial statements. The breach, which was worse than initially reported, has raised concerns about data storage practices and the retention of old customer records by businesses. https://www.theguardian.com/australia-news/2023/mar/27/latitude-financial-cyber-data-breach-hack-14m-customer-records-stolen

  4. The National Basketball Association (NBA) has reported that an unauthorized third party accessed a database containing the names and email addresses of its fans. The data was held by a newsletter service that the NBA partners with, highlighting the risk posed by third-party vendors that are not properly vetted. The NBA warned affected fans to expect targeted email phishing attacks related to NBA topics. Although sensitive information was not included in the breach, social engineers could use this data to craft more convincing phishing lures. https://www.darkreading.com/risk/cyberattackers-hoop-nba-fan-data-third-party-vendor

Noteworthy Vulnerabilities / Threats Discovered

  1. Microsoft has rolled out an emergency security patch to address the "Acropalypse" privacy vulnerability affecting the Windows 10 and Windows 11 Snipping Tool. The company has urged users to apply the patch to fix the CVE-2023-28303 bug. The flaw was rated low on the severity scale because it requires uncommon user interaction, among other mitigating factors, but similar issues have been found across other products and software, so this is something to monitor closely. https://www.bleepingcomputer.com/news/microsoft/microsoft-pushes-oob-security-updates-for-windows-snipping-tool-flaw/

  2. Apple has released a fresh set of updates to address an actively exploited zero-day vulnerability, identified as CVE-2023-23529, which affects older versions of iOS, iPadOS, and macOS. The vulnerability can be exploited by a third party to execute arbitrary code or to crash the susceptible operating system. https://securityaffairs.com/144114/hacking/cve-2023-23529-apple-zero-day.html

  3. Researchers have developed a novel attack called "Near-Ultrasound Inaudible Trojan" (NUIT) that can silently target devices with voice assistants, such as smartphones and smart speakers. The attack uses near-ultrasound waves that are inaudible to the human ear, making it an effective and stealthy method of sending malicious commands to voice assistants such as Siri, Google Assistant, Cortana, and Alexa. https://www.bleepingcomputer.com/news/security/inaudible-ultrasound-attack-can-stealthily-control-your-phone-smart-speaker/

  4. Microsoft has discovered evidence of Russian APT actors exploiting the recently patched Outlook zero-day vulnerability (CVE-2023-23397) since April 2022, targeting European organizations in the government, transportation, energy, and military sectors. The company has released a detection script and mitigation guidance, and has urged defenders to adopt a comprehensive threat hunting strategy, because the critical-severity bug leaves few artifacts for traditional endpoint forensic analysis. https://www.securityweek.com/microsoft-no-interaction-outlook-zero-day-exploited-since-last-april/

Noteworthy InfoSec News

  1. Pwn2Own Vancouver 2023, a hacking competition, concluded with contestants earning $1,035,000 and a Tesla Model 3 for exploiting 27 zero-day vulnerabilities between March 22 and 24. Successfully hacked systems included Windows 11, Microsoft Teams, Microsoft SharePoint, macOS, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and the Tesla Model 3. Vendors are given 90 days to release security fixes after vulnerabilities are reported during Pwn2Own, before Trend Micro's Zero Day Initiative publicly discloses them. Team Synacktiv dominated the contest, winning with 53 Master of Pwn points and $530,000 earned in total. https://www.bleepingcomputer.com/news/security/hackers-earn-1-035-000-for-27-zero-days-exploited-at-pwn2own-vancouver/

  2. The UK government has published a new cybersecurity strategy for the National Health Service (NHS), aiming to significantly harden the healthcare sector against cyberattacks by 2030. This comes after the 2017 WannaCry ransomware attack and other incidents that exposed the sector's vulnerabilities, with the government acknowledging ransomware as the most significant threat faced by the sector. https://therecord.media/uk-national-health-service-cyberattacks-strategy

  3. The UK's leading cybersecurity agency has launched two new services designed to help the nation's small businesses manage cyber risk more effectively. The National Cyber Security Centre (NCSC) today announced a Cyber Action Plan, a questionnaire for small organizations and individuals/families that delivers a free personalized security to-do list based on the answers it receives. The GCHQ-run agency's second new service is Check Your Cyber Security. Accessible via the action plan, it can be used by non-technical employees to find and fix a small range of security issues in their organization. Links to the two services are provided below. https://www.infosecurity-magazine.com/news/ncsc-two-new-tools-small/

Highlighted Security Tips & Resources

  1. The Cybersecurity and Infrastructure Security Agency (CISA) has released a free threat hunting and incident response utility called Untitled Goose Tool to help detect signs of compromise in Microsoft Azure and M365 cloud deployments. Developed in collaboration with Sandia National Laboratories, the tool offers novel authentication and data gathering methods for running full investigations against enterprise deployments of Microsoft Azure, Azure Active Directory, and Microsoft 365. https://github.com/cisagov/untitledgoosetool

  2. Free Cyber Action Plan from the UK's National Cyber Security Centre - Answer a few simple questions to get a free personalized action plan that lists what you or your organization can do right now to protect against cyber attack. https://www.ncsc.gov.uk/cyberaware/actionplan

  3. Check Your Cyber Security, from the UK's National Cyber Security Centre - This free government service for UK organizations performs a range of simple online checks to identify common vulnerabilities in your public-facing IT. All checks are remote, require no software installation, and use the same kind of publicly available information that cyber criminals use to find easy targets. https://checkcybersecurity.service.ncsc.gov.uk/


