Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
A large number of LastPass users have reported receiving phishing emails over the last month. This appears to be part of a widespread phishing campaign, targeting LastPass employees and customers. Initially, all of the reported emails came from the sender firstname.lastname@example.org[.]th, and included a link to a themed phishing page. Shortly after learning of this campaign, LastPass worked with Fortra’s PhishLabs to take down the domains being used in the attacks. While this was successful, it wasn’t long before a second wave of attacks hit, utilising a new email address and scam page.
The second set of domains was taken down quickly, and no attempts to continue the campaign have been observed. We expect LastPass and PhishLabs to remain vigilant for any signs of this campaign returning.
The latest announcement from Amazon Web Services states the organisation’s plans to enforce Multifactor Authentication for all user accounts. This change is expected to begin rolling out in mid-2024, with a focus on root users. Once this change has been implemented for root users, AWS are expected to extend the mandate to all users.
The announcement from Amazon stated:
“We recommend that everyone adopts some form of MFA, and additionally encourage customers to consider choosing forms of MFA that are phishing-resistant, such as security keys.”
It is great to see organisations enforcing MFA as this will surely have a positive security impact for all AWS customers.
Tech giant Sony recently disclosed news of a data breach, in which the personal information of more than 6500 people was compromised. This total included current and former workers, and their US resident family members. The Cl0p ransomware group has claimed responsibility for this attack, as Sony was added to their list of victims on their dark web portal. This attack was reportedly made possible by a zero-day affecting the MOVEit file transfer platform. The latest statement from Sony says that “This event was limited to Progress Software’s MOVEit Transfer platform and did not impact any of our other systems”.
The exact information that was compromised was censored and is not currently public knowledge. Current and former Sony workers are being advised to monitor their payment card activity for any signs of potential fraud or unauthorised transactions.
A ransomware attack on KNP Logistics Group’s IT systems in June, which affected the company’s key systems, processes, and financial information, has caused it to go into administration. The attack damaged KNP’s financial position and its ability to secure additional investment and funding. Joint administrator Mr. Mittal reported: "Despite being one of the UK's largest privately owned logistics groups, KNP fell victim to a ransomware attack earlier this year that caused significant disruption. Against a backdrop of challenging market conditions and without being able to secure urgent investment due to the attack, the business was unable to continue. We will support all affected staff through this difficult time."
Apple has released a patch to help protect iPhone and iPad users from a vulnerability that is being actively exploited. The vulnerability, tracked as CVE-2023-42824, results from a weakness in the XNU kernel that allows attackers to escalate privileges on iPhones and iPads. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," Apple said in a statement. This is the 17th zero-day fix Apple has pushed out since the start of the year.
A new Android trojan targeting banking, e-wallet, and crypto wallet applications in Asia Pacific countries has been detected by Group-IB. The trojan, dubbed GoldDigger and thought to have been operating since June 2023, abuses Android’s accessibility services to interact with targeted apps and extract personal information, stealing banking app credentials, intercepting SMS messages, and performing other actions. If the user grants full permissions to the trojan, it is also capable of viewing bank account balances, capturing multi-factor authentication codes, and logging keystrokes, as well as facilitating remote access to the device. It has been seen being distributed on websites impersonating the Google Play Store and corporate websites in Vietnam, and requires users to enable “install from unknown sources” in the device's settings. "One of the main features of GoldDigger is its use of an advanced protection mechanism […] This presents a challenge in triggering malicious activity in sandboxes or emulators," Group-IB reported.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #253 – 6th October 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.