James Azar, host of the CyberHub Podcast, delivered a comprehensive overview of the latest cybersecurity incidents on October 21, 2024. Below are detailed summaries of the key stories, with actionable takeaways for IT and cybersecurity professionals.
Cisco’s DevHub Data Breach
Intel Broker, a well-known data broker, claims to have breached Cisco’s DevHub environment, gaining access to critical information including source code, API tokens, AWS private buckets, encryption keys, and internal documents. Screenshots of Jira tickets and customer data management systems were also posted online. Cisco responded by stating that the breach occurred in a third-party DevHub environment and that no sensitive information like Personally Identifiable Information (PII) or financial data had been compromised. However, Intel Broker also claimed to have breached source code from companies like Microsoft, Verizon, Chevron, and others.
Takeaway:
Cisco’s response downplayed their role by claiming it wasn’t an internal breach. However, as the data handler, Cisco is responsible for securing third-party environments under its control, and the breach demonstrates a lack of proper monitoring. Admin access appears to have been compromised, giving Intel Broker extensive control over the data. Cisco’s communication needs to be transparent to restore trust in their security measures.
NIDEC Ransomware Attack and Data Leak
Global manufacturer NIDEC Corporation, which produces precision motors and industrial parts, confirmed a ransomware attack that led to the exfiltration of over 50,000 files. The attack, launched by the Eight Base ransomware group, targeted NIDEC’s Vietnam-based precision division. The stolen files include internal documents, contracts, procurement records, and labor policies. Despite attempts to negotiate a ransom, the data was eventually leaked on the dark web. While the attack didn’t result in data encryption, it could lead to targeted phishing attacks.
Takeaway:
Ransomware attacks continue to expose organizations to significant risks, even when encryption is not involved. The leak of confidential business information can damage company reputation and lead to targeted attacks on employees. NIDEC’s global presence and valuable data made it an attractive target.
Internet Archive Email Breach
While recovering from a recent cyberattack, the Internet Archive faced another breach involving their Zendesk customer support instance. Hackers used a compromised API token to access 800,000 support tickets from 2018, including sensitive customer inquiries. The hackers also issued a public statement criticizing the Archive for not rotating its API keys after the initial breach, suggesting a delay in their security response. The attack is attributed to a pro-Palestinian hacktivist group named Black Meta, although the true threat actors remain unidentified.
Takeaway:
This incident underscores the importance of rotating API keys after security incidents and ensuring a thorough post-incident review. Public-facing platforms with extensive user data must be continuously monitored for vulnerabilities.
Veeam Backup Software Exploit
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that a vulnerability in Veeam’s backup and disaster recovery software (CVE-2023-27532) is being actively exploited by ransomware attackers. This vulnerability allows remote access to sensitive backup information. While Veeam released a patch in early September, some systems remain unpatched, leaving organizations vulnerable. The vulnerability is of particular concern for businesses relying on Veeam for critical infrastructure backups.
Takeaway:
Organizations using Veeam should immediately apply the available patches and ensure continuous vulnerability scanning of backup systems, given the critical role they play in data recovery during ransomware incidents.
Roundcube Webmail Attacks in Former CIS Countries
Governments in CIS (former Soviet Union) countries using Roundcube webmail systems are facing targeted attacks exploiting vulnerabilities in unpatched servers. Attackers are using these vulnerabilities to gain access to sensitive government emails and attached documents, employing the ManageSieve plugin to execute code on servers.
Takeaway:
For organizations using Roundcube webmail, especially in critical government or infrastructure sectors, applying the latest security patches is essential to prevent data theft.
Microsoft’s Log Data Loss
Microsoft disclosed a security bug in its internal monitoring agents that resulted in the loss of two weeks' worth of security log data across several platforms, including Entra (formerly Active Directory), Sentinel, and Defender for Cloud. Although the issue has been resolved, some customers reported they were not informed about the loss of their logs, raising concerns about communication and transparency in the response process.
Takeaway:
Organizations relying on Microsoft services for logging and monitoring should verify their own security logs and ensure they receive proper notifications from vendors. Security teams should prepare for such incidents by implementing backup log retention systems.
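As an added example (not from the podcast or from Microsoft), a small check a security team could run over its own log-ingestion timestamps to notice a silence like the two-week loss described above: it flags any expected source that stops reporting for longer than a threshold, or never reports at all. The source names and timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of per-source ingestion timestamps (ISO 8601, UTC).
# Source names are borrowed from the platforms in the story; the values are made up.
SAMPLE_EVENTS = [
    ("2024-09-02T00:00:00", "Entra"),
    ("2024-09-02T01:00:00", "Entra"),
    ("2024-09-02T02:00:00", "Entra"),
    ("2024-09-16T10:00:00", "Entra"),      # roughly two weeks of silence before this one
    ("2024-09-02T00:30:00", "Sentinel"),
    ("2024-09-02T01:30:00", "Sentinel"),
    ("2024-09-02T02:30:00", "Sentinel"),
    # "Defender for Cloud" is expected but never delivers a single event
]

EXPECTED_SOURCES = {"Entra", "Sentinel", "Defender for Cloud"}


def find_ingestion_gaps(events, expected_sources, max_silence=timedelta(hours=6)):
    """Return {source: [(gap_start, gap_end), ...]} for every source whose
    consecutive events are further apart than max_silence. An expected source
    with no events at all is reported as a single (None, None) entry so that a
    feed which died completely is not overlooked."""
    by_source = defaultdict(list)
    for ts, source in events:
        by_source[source].append(datetime.fromisoformat(ts))

    gaps = {}
    for source in sorted(expected_sources | set(by_source)):
        stamps = sorted(by_source.get(source, []))
        if not stamps:
            gaps[source] = [(None, None)]
            continue
        found = [(earlier, later) for earlier, later in zip(stamps, stamps[1:])
                 if later - earlier > max_silence]
        if found:
            gaps[source] = found
    return gaps


def gap_report(gaps):
    """Render the gap map as human-readable lines for an alert or ticket."""
    lines = []
    for source, entries in gaps.items():
        for start, end in entries:
            if start is None:
                lines.append(f"{source}: no events received at all")
            else:
                lines.append(f"{source}: silent for {end - start} "
                             f"({start.isoformat()} -> {end.isoformat()})")
    return lines


if __name__ == "__main__":
    for line in gap_report(find_ingestion_gaps(SAMPLE_EVENTS, EXPECTED_SOURCES)):
        print(line)
```

Run against real ingestion metadata, the same check also surfaces a vendor-side outage a notification email might never mention.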
ESET Israeli Partner Breached in Phishing Attack
ESET’s partner in Israel, ComSecure, was breached, resulting in a phishing campaign aimed at Israeli businesses. The phishing emails, disguised as security alerts from ESET, delivered destructive wiper malware instead of antivirus software. The attack leveraged legitimate ESET logos and the company's domain, making the phishing emails highly convincing. Wiper malware is particularly destructive, as it deletes critical files and can disrupt entire business operations.
Takeaway:
Organizations should educate employees on the growing threat of phishing attacks, especially those exploiting trusted partners. Regular reviews of email filtering and anti-phishing measures should be conducted.
Chinese Disinformation Campaign Targets Senator Marco Rubio
Chinese state-backed disinformation campaigns are increasing in sophistication. A new campaign against U.S. Senator Marco Rubio involved using hijacked social media accounts to amplify anti-Rubio content across multiple platforms, including Twitter, Reddit, and Medium. The campaign escalated in the 2024 election cycle, using fewer but more authentic-looking accounts to spread disinformation.
Takeaway:
Organizations, especially those involved in political or sensitive industries, must actively monitor for disinformation and social media manipulation. Security teams should be trained to recognize signs of coordinated disinformation campaigns.
SIM-Swap Attack on SEC X (Twitter) Account
An Alabama man was arrested for conducting a SIM-swap attack to hack the SEC’s official X (formerly Twitter) account. The attacker used the account to falsely announce that Bitcoin ETFs had been approved, causing temporary disruption in the cryptocurrency market. SIM-swap attacks, which allow attackers to take control of phone numbers, are increasingly used to hijack social media and financial accounts.
Takeaway:
Implement multi-factor authentication (MFA) using non-SMS methods to protect critical accounts from SIM-swap attacks. Social media managers should ensure they follow best security practices to protect organizational accounts.
Atlassian Bitbucket and Jira Vulnerabilities
Atlassian issued patches for two critical vulnerabilities affecting Bitbucket, Confluence, and Jira Service Management products. These vulnerabilities (CVE-2022-24785 and CVE-2022-31129) could allow attackers to exploit flaws in Java and execute unauthorized commands, compromising critical data and systems.
Takeaway:
Update all Atlassian products to the latest versions and ensure security patches are applied promptly across all instances of Bitbucket, Confluence, and Jira.
Action Items for Cybersecurity and IT Professionals:
Monitor Third-Party Environments: Ensure that third-party systems connected to your network are secured and actively monitored, as seen in the Cisco breach.
Apply Security Patches Immediately: Whether for Veeam, Roundcube, Atlassian, or other products, ensure that all systems are updated to prevent exploitation of known vulnerabilities.
Educate Employees on Phishing: Phishing campaigns like the ESET breach demonstrate the importance of employee training in identifying and avoiding malicious emails.
Enhance API Key Rotation Practices: After incidents, ensure all exposed API keys and tokens are rotated promptly, as seen with the Internet Archive breach.
Implement Multi-Factor Authentication (MFA): MFA should be applied to all critical accounts, particularly social media and financial platforms, to prevent SIM-swap attacks.
Prepare for Disinformation Campaigns: Organizations, especially in political or high-stakes sectors, should monitor for disinformation and adopt strategies to counter manipulation on social media.
Backup Log Retention: Ensure redundant systems are in place to retain security logs, as seen with Microsoft’s log data loss, to avoid gaps in monitoring critical events.
✅ Story Links:
https://www.securityweek.com/cisco-confirms-security-incident-after-hacker-offers-to-sell-data/
https://www.securityweek.com/new-internet-archive-hack-conducted-during-service-restoration-efforts/
https://therecord.media/veam-vulnerability-exploited-ransomware-cisa-kev
https://www.securityweek.com/roundcube-webmail-vulnerability-exploited-in-government-attack/
https://www.cybersecuritydive.com/news/microsoft-loss-security-log-data/730285/
https://www.securityweek.com/atlassian-patches-vulnerabilities-in-bitbucket-confluence-jira/
https://therecord.media/china-spamouflage-operation-testing-techniques-marco-rubio
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
✅ Important Links to Follow:
👉Substack:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
✅ For Business Inquiries: info@cyberhubpodcast.com
=============================
✅ About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.