The Good, the Bad and the Ugly in Cybersecurity – Week 2
The Good
The Federal Communications Commission (FCC) has proposed a number of reforms to breach reporting requirements for U.S. telecoms providers to better protect customers and reduce the impact of security incidents.
With the severity and frequency of data breaches up since the rules were last updated in 2007, the new ones would eliminate the seven-day timeframe for reporting breaches, moving instead to reports filed within a 24 to 72 hour window. Further, providers would need to send data breach reports to agency staff as well as the FBI and Secret Service.
FCC data breach rules are 15 years old. An update is way overdue. It starts now. https://t.co/Lzul0Fkfja
— Jessica Rosenworcel (@JRosenworcel) January 6, 2023
The proposed updates follow several cyber intrusions on leading global telecoms providers. In 2022 alone, Australian telecoms giant, Optus, disclosed a data breach in which customer data was stolen, Comcast Xfinity faced their second data breach within a two-year span, and Verizon notified their prepaid customers of account breaches leading to SIM swapping and unauthorized changes on their credit cards. The year before saw T-Mobile suffer a major breach that affected 77 million individuals and resulted in more than 100 million private records posted for sale in underground forums.
Telecommunications is an industry frequently targeted by threat actors because of its direct access to customers. Providers are earmarked by nation state-backed actors seeking to conduct espionage on political critics. For cyber criminals, providers hold the keys to customer PII (personally identifiable information) that is not only valuable amongst dark marketplace buyers, but also leveraged in social engineering attacks and identity theft. The FCC’s recent proposals will be a welcome update to U.S. data breach regulations, with next steps focusing on helping telecom carriers enforce stricter data security practices and combat industry-wide vulnerabilities.
The Bad
More than 1300 domains have been compromised this week in an ongoing campaign using AnyDesk’s brand name to distribute Vidar info-stealer malware. The impersonation campaign banks on the popularity of the remote desktop solution, used by IT professionals globally for remote connectivity and administrative tasks.
In this active campaign, those accessing the compromised domains are led to a fake, cloned AnyDesk site prompting them to download Vidar malware masquerading as a software installation .zip file. Then, they are redirected to a Dropbox folder which delivers the info-stealing malware payload – a technique used by the threat actor to evade detection since Dropbox is safelisted by many AV solutions.
News outlets report that many of the domains have since been taken offline and for the sites that remain online, the Dropbox links no longer work. However, given that all 1300 domains lead to the same spoof site, the threat actors can keep the campaign going by simply updating the download URL address.
Vidar malware has been around since 2018, responsible for stealing credentials, saved passwords, crypto wallet and banking information, as well as browser history. Info-stealing malware has grown in popularity with cyber criminals as a dedicated means of prying legitimate credentials and cookies out of users’ hands.
Increasingly, info-stealer source code has been put up for sale and bought by ransomware operators for low-cost, quick access and for use in MFA-fatigue attacks. Users are best protected from the rise in info-stealing malware by downloading from trusted sites only, using an endpoint protection security solution, avoiding browser-based password managers, and regularly clearing their browser cookies.
The Ugly
This week, the pro-Russian hacktivist group known as NoName057(16) continues to launch distributed denial-of-service (DDoS) attacks against NATO countries and Ukraine.
Linking their attacks tightly to political events, the pro-Russian group has been credited with attacks on the websites of Czech presidential candidates in the country’s 2023 election, the Polish government, and Latvia’s parliament. NoName057(16)’s attacks on Poland line up with the latter’s official recognition of Russia as a state sponsor of terrorism. Lithuania’s dispute with Russia over train and port usage was cause enough for the hacktivists to attack the Lithuanian cargo and shipping sector.
SentinelLabs researchers report that the group uses the instant messaging app Telegram as its home base for communications, and that it had used GitHub to host its DDoS tool website for free before its accounts were disabled for violating the company’s acceptable use policies.
NoName057(16) employs a collaborator payment program where the group coordinates with volunteers to carry out its attacks on targets. This model is lucrative to those who are compelled to join attacks for financial gain rather than for political reasons. Top DDoS performers are rewarded in cryptocurrency and followers are encouraged to add skin to the game by contributing more technical resources for the next attack.
Though researchers say that the DDoS attacks from NoName057(16) have had little to no wider consequence, volunteer-powered attacks with a structured incentive model are a cause for concern as threat actors continue to take advantage of a highly volatile political landscape.