Tuesday Morning Threat Report: Oct 24, 2023

Mark Maguire
Published in System Weakness
5 min read · Oct 24, 2023

Where the news is always bad, but the analysis is always good.

Image by Markus Spiske on Pixabay

Good morning all and happy Tuesday!

Millions of 23AndMe records leaked, Okta is hacked again, and QRJacking attacks are on the rise. Let’s dive in!

Top Stories:

This week’s biggest headlines. Analysis section below.

Genetic Data Stolen: Following a hack of ancestry and genetics firm 23AndMe, the genetic information of 4 million customers has been leaked online. Allegedly, 20 million records were stolen in total, and the 4 million records posted publicly are meant to drum up sales for the full set.

Hacking Campaign Goes After Female Politicians: Cybersecurity firm Trend Micro has unveiled a hacking campaign, dubbed “Romcomlite,” which targets female politicians. Victims are specifically selected, and malware is delivered to them via virtual meeting invites.

Israelis Told To Secure Their Home Cameras: The Israeli government has issued instructions to its citizens regarding the cybersecurity of home surveillance cameras. The instructions include changing the default password and enabling multifactor authentication.

Signal Disputes Zero-Day: Signal, a popular encrypted communication platform, has faced allegations that a vulnerability allows for device takeover. Signal has disputed those claims and says there is no evidence of such a flaw.

Iranian Campaign Uncovered: Symantec’s Threat Hunter group revealed that an Iranian hacking group, Crambus, conducted an eight-month intrusion into a Middle Eastern government. Crambus is notorious for hacking governments in espionage campaigns.

Navy Leaker Jailed: Former U.S. Navy IT Manager Marquis Hooper has been sentenced to 5 years in jail for cybercrimes. Hooper downloaded and sold a database containing thousands of records of personal data.

Okta Hacked (Again, Again, Again, Again): Identity and Access Management company Okta revealed that threat actors stole authentication data. Okta has notified all affected customers and is working to remediate the issue.

Sideloading Protection: Sideloading is installing apps on a phone from sources other than the typical ones (the App Store or Google Play). Google has announced it will begin vulnerability scanning of apps sideloaded onto Android devices.

My Takeaways

Analysis based on this week’s news and my experience in the industry. More headlines below in the Lower Echelon.

Vulnerabilities On All Sides: Apple iPhones and Android phones both come preloaded with software for downloading other apps. For iPhones it is the App Store, and for Android devices it is the Google Play store. Apple and Google both maintain control of their respective stores and work to keep malware apps out of them. Although they are not perfect at stopping apps with malicious intentions, by and large they do a good job of allowing only safe apps into their stores.

Apple and Android take different approaches when it comes to “sideloading.” Sideloading allows users to download apps from sources other than the default app store. Apple does not support sideloading on iPhones, whereas Android does. Apple argues that allowing apps to be installed directly on iPhones would make the iPhone significantly less secure. Many argue that the lack of sideloading support gives Apple a monopoly, which it abuses. For example, Apple charges app makers 30% fees on in-app purchases.

Beginning in 2024, as part of iOS 17, Apple will begin supporting sideloading on iPhones. This decision was forced on Apple to comply with European laws. Apple fought a long PR campaign to prevent this day from coming, and published a white paper detailing how detrimental sideloading will be to security. It cited statistics that Android devices have 15–47x the number of malware infections and that sideloading is a contributing factor.

The sideloading debate juxtaposes two difficult issues: antitrust action versus security. Forcing iPhones to support sideloading will definitely weaken the monopoly Apple currently maintains over apps. Conversely, I agree with Apple’s assessment that supporting sideloading will make all iPhones less secure, even for customers who never sideload. While it is a tricky balance to strike, this feels like over-regulation to me. Previously, customers had the option to choose between more secure but more monopolistic, or less secure and less monopolistic. Now, thanks to regulation, the individual’s ability to choose for themselves has been removed.

The Lower Echelon:

Interesting cybersecurity news that didn’t quite make the cut to be a top story.

Old Trick, New UI: Using browser messages to trick users into installing a fake update is an old technique, yet it is becoming increasingly popular. Researchers who monitor these attacks noticed a spike in the past few months.

QRJacking Attacks: QRJacking attacks use a QR code that directs victims to log in to a malicious replica of a popular website, and the replica steals their login credentials. As QR codes have become increasingly ubiquitous, QRJacking attacks have spiked.

Feds Hit Ragnar Locker: Ragnar Locker is a ransomware group that targets critical infrastructure. A joint law enforcement operation conducted by Western governments led to the seizure of Ragnar Locker’s servers and the arrest of the alleged leader.

Ukrainian Telecoms Hacked: Russian hacking group Sandworm breached 11 Ukrainian telecommunication service providers from May to September this year. The hack involved service disruption and information-gathering attacks on the victims.

Casio Data Breach: Casio, a Japanese electronics giant, had its education platform, ClassPad, breached. The breach resulted in the theft of information on clients in over 148 countries.

WinRAR Under Attack: WinRAR is Windows software used to extract compressed archives, and a vulnerability in it was disclosed earlier in 2023. Despite a patch for the vulnerability being available, numerous threat groups have continued to exploit WinRAR successfully.

Plastic Surgeons Targeted: Security researchers have warned that plastic surgery offices are being targeted by hacking campaigns. The attackers seek to steal compromising photos of patients and extort the office for a ransom in exchange for not posting the photos publicly.

5G Vulnerabilities: 5G technology has numerous cybersecurity challenges, including increased complexity and attack surface. This thought piece examines the vulnerabilities which underlie 5G.

NoEscape Targets Healthcare?: NoEscape is a ransomware group that emerged in 2023 and quickly became a prominent threat actor. The U.S. Department of Health is warning that NoEscape will likely increasingly target healthcare.

On the right side of this page, you can follow and subscribe to receive this newsletter to your inbox weekly (no Medium account needed, just sign in with Google)!

Thanks for reading! See everyone next week!

About the author: Mark is a cybersecurity architect and consultant for leading cybersecurity consultancy Aujas.
