Hundreds of thousands of routers are wiped, warnings to Okta and Snowflake administrators, and more.
Welcome to Cyber Security Today. It’s Friday May 31st, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.
Over 600,000 small office and home routers used by customers of an unnamed internet service provider were wiped last October by an unknown threat actor. That’s according to researchers at Lumen Technologies. They said Thursday that 49 per cent of the ISP’s modems were hit by a commodity remote access trojan dubbed Chalubo, which likely pushed a destructive firmware update to the modems, so destructive that they all had to be replaced. Lumen believes the modems affected were particular models from ActionTec and Sagemcom. The report doesn’t say how the attacker was able to plant the update. This particular ISP served rural and under-served communities in an unnamed country. However, several news agencies said the ISP was in the United States. Experts are puzzled why one ISP would be targeted. Roger Grimes at KnowBe4 wonders if the attacker tried to extort the internet provider. Lumen warns ISPs that manage customers’ routers to make sure the devices don’t have common default passwords and that the providers’ device management interfaces aren’t open to the internet. Users should regularly reboot their routers to flush malware, and they should also install security updates.
Identity and access management provider Okta has warned customers of another credential stuffing attack. Affected are implementations that have the cross-origin authentication feature enabled in Okta Customer Identity Cloud. Attacks started as far back as April 15th. IT departments are urged to look for suspicious activity in logs from that date forward. Signs include failed cross-origin authentication events and an alert that someone attempted to log in with a leaked password.
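One way to do the log review Okta recommends, as an added example that is not Okta’s code and not part of the original podcast: the script below assumes the Customer Identity Cloud (Auth0) tenant logs were exported as one JSON object per line carrying the Auth0 log fields `date`, `type`, `ip` and `user_name`, and that the event type codes are `fcoa` (failed cross-origin authentication), `scoa` (successful cross-origin authentication) and `pwd_leak` (attempt with a known-leaked password); verify those codes against your own tenant’s log reference before relying on them. The log lines are constructed. It flags source IPs whose failed cross-origin logins touched many distinct accounts (the credential-stuffing shape), the accounts hit by leaked-password attempts, and the worst case: a leaked-password attempt followed by a successful cross-origin login for the same user from the same IP.

```python
"""Triage Okta CIC (Auth0) tenant logs for cross-origin credential stuffing.

Added example, not Okta's code. Assumed (not confirmed by the page): the
export is JSON-lines with Auth0 fields `date`, `type`, `ip`, `user_name`,
and the type codes are `fcoa`, `scoa` and `pwd_leak`. Sample data is
constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Okta's advisory puts the start of the activity at 15 April 2024.
WINDOW_START = datetime(2024, 4, 15, tzinfo=timezone.utc)

# Constructed sample export: one benign pre-window login, then one IP
# spraying several accounts, one of them with a leaked password that works.
SAMPLE_LOGS = """\
{"date":"2024-04-10T08:01:12.000Z","type":"scoa","ip":"198.51.100.7","user_name":"alice@example.com"}
{"date":"2024-04-16T02:00:01.000Z","type":"fcoa","ip":"203.0.113.5","user_name":"alice@example.com"}
{"date":"2024-04-16T02:00:02.000Z","type":"fcoa","ip":"203.0.113.5","user_name":"bob@example.com"}
{"date":"2024-04-16T02:00:03.000Z","type":"fcoa","ip":"203.0.113.5","user_name":"carol@example.com"}
{"date":"2024-04-16T02:00:04.000Z","type":"pwd_leak","ip":"203.0.113.5","user_name":"dave@example.com"}
{"date":"2024-04-16T02:00:05.000Z","type":"scoa","ip":"203.0.113.5","user_name":"dave@example.com"}
{"date":"2024-04-17T09:30:00.000Z","type":"fcoa","ip":"198.51.100.7","user_name":"alice@example.com"}
"""


def parse_events(text):
    """Yield (timestamp, event) for every JSON line dated inside the window."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
        ts = datetime.fromisoformat(event["date"].replace("Z", "+00:00"))
        if ts >= WINDOW_START:
            yield ts, event


def triage(text, spray_threshold=3):
    """Return the three indicators worth escalating.

    spray_ips: IPs whose failed cross-origin logins hit at least
        `spray_threshold` distinct accounts (one source, many users).
    leaked_password_users: accounts someone tried with a known-leaked password.
    compromised: a leaked-password attempt followed by a successful
        cross-origin login for the same user from the same IP.
    """
    failed_users_by_ip = defaultdict(set)
    leaked_users = set()
    leak_attempts = set()          # (ip, user) pairs that triggered pwd_leak
    compromised = []
    for ts, ev in sorted(parse_events(text), key=lambda pair: pair[0]):
        key = (ev["ip"], ev["user_name"])
        if ev["type"] == "fcoa":
            failed_users_by_ip[ev["ip"]].add(ev["user_name"])
        elif ev["type"] == "pwd_leak":
            leaked_users.add(ev["user_name"])
            leak_attempts.add(key)
        elif ev["type"] == "scoa" and key in leak_attempts:
            compromised.append({"user": ev["user_name"], "ip": ev["ip"], "at": ts.isoformat()})
    spray_ips = {ip: len(users) for ip, users in failed_users_by_ip.items()
                 if len(users) >= spray_threshold}
    return {"spray_ips": spray_ips,
            "leaked_password_users": sorted(leaked_users),
            "compromised": compromised}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOGS), indent=2))
```

The distinct-accounts-per-IP count is deliberately used instead of a raw failure count: a single user mistyping a password produces many `fcoa` events for one account, whereas stuffing produces a few per account across many accounts. Anything in `compromised` warrants an immediate password reset and session revocation for that user.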
A threat actor is using stolen credentials to break into organizations using the Snowflake cloud database. The warning comes from researchers at Mitiga. The threat actor, dubbed UNC5537 by some researchers, has mainly exploited environments that haven’t implemented two-factor authentication as an extra login step. The attacker steals data, then tries to extort organizations to pay up or the information will be put up for sale on hacker forums. Administrators are urged to check logs for suspicious activity.
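The log check Snowflake administrators are urged to make, as an added example that is not Snowflake’s or Mitiga’s code and not part of the original podcast: the script below works over rows exported from a login-history view. It assumes the columns EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR and IS_SUCCESS, in the shape of Snowflake’s SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; check the names against your account before use. The rows and the baseline cut-off date are constructed. It reports successful password-only logins (no second factor) that came from an IP or client type the user had never used before the cut-off, and lists the accounts that have never presented a second factor at all, which is the population the attacker described above has been exploiting.

```python
"""Review Snowflake login history for MFA-less logins from unfamiliar sources.

Added example, not Snowflake's or Mitiga's code. Assumed (not confirmed by
the page): the CSV columns mirror SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and
IS_SUCCESS is 'YES'/'NO'. Rows and the cut-off date are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: everything before this date is treated as the user's normal baseline.
BASELINE_CUTOFF = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Constructed export: ANALYST1 uses MFA from one IP; ETL_SVC is a
# password-only service account that suddenly logs in from a new IP
# with a new client type.
SAMPLE_ROWS = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-03-20T14:02:11Z,ANALYST1,198.51.100.20,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-04-02T09:15:00Z,ETL_SVC,198.51.100.30,PYTHON_DRIVER,PASSWORD,,YES
2024-05-20T03:12:45Z,ETL_SVC,203.0.113.77,JDBC_DRIVER,PASSWORD,,YES
2024-05-20T03:13:10Z,ANALYST1,203.0.113.77,JDBC_DRIVER,PASSWORD,,NO
2024-05-21T11:00:00Z,ANALYST1,198.51.100.20,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
"""


def _ts(value):
    """Parse the ISO-8601 timestamp column (trailing Z normalised for Python < 3.11)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_logins(csv_text, cutoff=BASELINE_CUTOFF):
    """Return suspicious post-cutoff logins and the accounts that never use MFA."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r["IS_SUCCESS"] == "YES"]
    baseline_ips = defaultdict(set)       # user -> IPs seen before cutoff
    baseline_clients = defaultdict(set)   # user -> client types seen before cutoff
    users_with_mfa = set()
    all_users = set()
    for r in rows:
        all_users.add(r["USER_NAME"])
        if r["SECOND_AUTHENTICATION_FACTOR"]:
            users_with_mfa.add(r["USER_NAME"])
        if _ts(r["EVENT_TIMESTAMP"]) < cutoff:
            baseline_ips[r["USER_NAME"]].add(r["CLIENT_IP"])
            baseline_clients[r["USER_NAME"]].add(r["REPORTED_CLIENT_TYPE"])

    suspicious = []
    for r in rows:
        if _ts(r["EVENT_TIMESTAMP"]) < cutoff:
            continue
        password_only = (r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                         and not r["SECOND_AUTHENTICATION_FACTOR"])
        if not password_only:
            continue
        reasons = []
        if r["CLIENT_IP"] not in baseline_ips[r["USER_NAME"]]:
            reasons.append("new_ip")
        if r["REPORTED_CLIENT_TYPE"] not in baseline_clients[r["USER_NAME"]]:
            reasons.append("new_client")
        if reasons:
            suspicious.append({"user": r["USER_NAME"], "ip": r["CLIENT_IP"],
                               "client": r["REPORTED_CLIENT_TYPE"],
                               "at": r["EVENT_TIMESTAMP"], "reasons": reasons})
    return {"suspicious_logins": suspicious,
            "users_without_mfa": sorted(all_users - users_with_mfa)}


if __name__ == "__main__":
    import json
    print(json.dumps(review_logins(SAMPLE_ROWS), indent=2))
```

Failed logins are excluded on purpose here so the output is short enough to act on; a burst of failures against many accounts from one IP is a separate signal, and the Okta example above shows how to count it. Service accounts that cannot use MFA should be narrowed with network policies rather than left as the `users_without_mfa` residue.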
Over 100 servers distributing malware in 10 countries, including the U.S., Canada and European nations, have been taken down and four people were arrested this week in an operation co-ordinated by Europol. The infrastructure was distributing well-known malware droppers such as Trickbot, IcedID and SystemBC, as well as ransomware. In addition to closing the servers, over 2,000 criminal domains are now under the control of law enforcement. It’s alleged one suspect earned at least 69 million euros in cryptocurrency by renting out IT infrastructure to deploy ransomware.
The U.S. now says it has seized the IT infrastructure running the 911 S5 botnet and arrested two people allegedly behind it. You may recall that on Wednesday I reported on suspects being named and sanctioned. This botnet of millions of hacked home computers helped crooks hide their tracks. The botnet was controlled through 150 servers around the world, including 76 leased from U.S.-based online service providers.
The dark website known as BreachForums is back after being seized by the FBI earlier this month. Well, maybe it’s back. Researchers at Malwarebytes say at least one BreachForums domain is now live. It’s selling data of 560 million people allegedly copied from Ticketmaster. The price? A half a million dollars. This wouldn’t be the first time a seized criminal operation has resurfaced. But is it real or a trap set by law enforcement?
The consumer spyware app called pcTattletale has closed after a hacker published links to large amounts of customer data from the company’s servers. According to TechCrunch, the company’s founder said he deleted all of its data because the breach could have exposed information about customers contained in screenshots taken by the app.
Finally, an American debt collection company called Financial Business and Consumer Solutions has updated the number of victims of a February data breach. It now says data on 3.2 million people was stolen. The original estimate was just over 1.9 million victims.
That’s it for now. But later today the Week in Review podcast will be out. Guest commentator Terry Cutler of Cyology Labs will discuss whether Microsoft’s controversial new tool is helpful or a privacy risk, the lessons learned from the hack of the MITRE organization and how to implement a zero-trust model.
Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.