GlobalSign Blog

Water Vulnerabilities, MOVEit, and Unusual Ransomware Hack – November NewsScam


Welcome to the November NewsScam from GlobalSign. Here’s a rundown of the top stories in cybersecurity over the last month. We begin with ongoing concerns about the safety of water systems in the US, while the UK has its own concerns, too.

A new report from the Office of Inspector General of the US Environmental Protection Agency (EPA), the main federal agency responsible for water protection, found that nearly a third of US residents rely on drinking water systems with cybersecurity flaws. Of 1,062 systems assessed, 308 had vulnerabilities that could affect the physical infrastructure or the operations of water systems serving 109.3 million US residents.

In the UK, there are increasing worries with Thames Water, which is relied upon by millions of Britons. A new story in The Guardian newspaper says that some of Thames Water computer systems are 50 years old and “have long been declared obsolete.” This makes the company’s systems an attractive target to hackers.

In what may be the most unusual ransomware demand ever, the cyber-criminal gang Hellcat went after the data of French multinational Schneider Electric and demanded a $125,000 payment in baguettes. The incident occurred at the beginning of the month, and it is not clear at this point whether a payment, in coins or in bread, has been made.
Threat actor ‘Charming Kitten’ has been trying to lure aerospace employees by impersonating job recruiters on LinkedIn. Instead of the advertised “dream job”, applicants receive malware files from a fake recruiting site.

Google’s cloud division announced that Multi-Factor Authentication (MFA) will be mandatory for all users by the end of 2025. Part of its efforts to improve account security, the requirement will be rolled out in phases worldwide next year.
There were several high profile data breaches this month, the most notable of which involved Amazon. The threat actor Nam3L3ss posted 2.8 million lines of Amazon employee data, taken from a third-party vendor through last year’s MOVEit flaw, on the dark web, claiming it was all in the name of improving Amazon’s “poor security practice.” Somehow I think there’s more to it than trying to ‘help’ a multi-billion dollar organization.

Water, Water (Cyber Security) Concerns Everywhere

Nearly a third of US residents – more than 100 million people – get their drinking water from systems with known cybersecurity flaws. A new Office of Inspector General (OIG) report on the US Environmental Protection Agency (EPA), published November 13th, found that of 1,062 systems assessed, 308 had vulnerabilities that, if exploited, could affect the physical infrastructure or operations of those water systems. Of the 308, 97 had critical or high-risk issues, though the report did not go into detail on what they were. The remaining 211 systems (roughly two-thirds), serving approximately 82.7 million people, had medium or low-risk vulnerabilities in their IT environment, and many reported “externally visible open portals”, meaning management interfaces reachable from the internet. Even more concerning, the assessment covered only systems serving 50,000 or more people, so smaller water systems that may be just as vulnerable were not included in the OIG study.

In the UK, a new article in The Guardian claims the computer hardware of massive water services provider Thames Water is so old that it is obsolete – in some cases described as “Victorian” – which makes it a very attractive target for cyber criminals.

Aging hardware at critical infrastructure companies has been a concern for many years, and the attack surface is not limited to old equipment. Researchers at Georgia Tech have shown that programmable logic controllers (PLCs), the computers that control the physical systems, can be hijacked through the web servers that modern PLCs embed for monitoring and configuration: malicious web content loaded in an operator’s browser can reach that embedded interface and take full control of the controller. An attacker who gets that far can perform actions such as turning off water pumps or spinning motors out of control.
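Both findings above come down to one question a water utility can answer for itself: which OT services are reachable from outside the plant network? The script below is an added example (not from the GlobalSign post, the OIG report or the Georgia Tech research) that triages a list of scan records and flags raw industrial protocol ports and PLC/HMI embedded web servers that sit on non-internal addresses. The scan records, port table and banner hints are constructed for illustration; a real inventory would come from the utility's asset register and a scanner such as Nmap.

```python
"""Triage constructed scan results for externally reachable OT services.

Added example; the records below are constructed and the addresses are
documentation ranges (203.0.113.0/24, 198.51.100.0/24), not real hosts.
"""
import ipaddress
from dataclasses import dataclass

# Well-known industrial protocol ports (assumption: standard port usage).
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet",
}

# Banner fragments that commonly identify a PLC or HMI embedded web server.
# Illustrative list, not a vendor-complete signature set.
PLC_WEB_HINTS = ("plc", "hmi", "scada", "s7-", "logix", "wago", "modicon")

# Only RFC1918, loopback and link-local count as internal here, so the
# documentation addresses in the sample are treated as public-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class ScanRecord:
    host: str
    port: int
    service: str   # e.g. "http", "modbus"
    banner: str


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    issue: str
    severity: str


def is_internal(host: str) -> bool:
    """True if the address falls in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def triage(records):
    """Return findings for OT services reachable from non-internal addresses.

    Two classes are flagged: raw industrial protocol ports (unauthenticated by
    design, so 'critical' when exposed) and HTTP(S) services whose banner
    suggests a PLC or HMI embedded web server ('high').
    """
    findings = []
    for r in records:
        if is_internal(r.host):
            continue  # internal-only exposure is a separate, lower-priority review
        if r.port in ICS_PORTS:
            findings.append(Finding(
                r.host, r.port, f"{ICS_PORTS[r.port]} exposed to the internet", "critical"))
        elif r.service in ("http", "https") and any(
                hint in r.banner.lower() for hint in PLC_WEB_HINTS):
            findings.append(Finding(
                r.host, r.port, "PLC/HMI embedded web server exposed to the internet", "high"))
    return findings


# Constructed sample records for a stand-alone run.
SAMPLE = [
    ScanRecord("203.0.113.10", 502, "modbus", ""),
    ScanRecord("203.0.113.10", 80, "http", "Server: PLC WebServer"),
    ScanRecord("203.0.113.11", 443, "https", "nginx"),
    ScanRecord("192.168.10.5", 102, "s7", ""),
    ScanRecord("198.51.100.7", 8080, "http", "Modicon M340 Web"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity}] {f.host}:{f.port} - {f.issue}")
```

Anything flagged as critical is a protocol that has no authentication of its own, so the only fix is to remove it from the internet entirely; the web-server findings are the ones the Georgia Tech browser-borne attacks would target, and they should be reachable only through the plant network or a VPN with MFA.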

The Most Unusual Ransomware Demand Ever? Hackers Demand Payment in Baguettes

When new ransomware group Hellcat hacked French multinational corporation Schneider Electric in early November, it demanded $125,000 in "baguettes" as payment. (According to Cyberscoop, “in reality, the attackers are looking for payment in Monero, a privacy-focused cryptocurrency.”) Hellcat has threatened to leak about 40 GB of compressed data, containing sensitive customer and operational information, if the payment isn’t made. Schneider Electric confirmed the breach on November 4th. According to the criminals' leak site, the breach “has compromised critical data, including projects, issues, and plugins, along with over 400,000 rows of user data,” stolen from Schneider Electric’s Jira platform. Cyberscoop also says the group has taken responsibility for older incidents, such as data thefts from Jordan’s Ministry of Education and Tanzania’s College of Business Education. Hellcat is a new player in the ransomware world, and as a result information about the group is limited.

Old MOVEit Vulnerability Hits Third Party Vendor of Amazon, Leads to Data Breach of 2.8 Million Lines of Employee Data

It may seem hard to believe, but it was only last year that the MOVEit vulnerability was the talk of the cybersecurity world. First disclosed by Progress Software in May 2023, the flaw was a critical SQL injection vulnerability in the MOVEit Transfer web application that let attackers reach the database behind customers’ transfer instances without authenticating. It became a problem for thousands of organisations, including British Telecom, 3M and many others. The situation had quieted down quite a bit, but it is back in the news after a threat actor posted 2.8 million lines of Amazon employee data this month, then boasted on the dark web that the leak was intended “to raise awareness of poor security practice.” The data the attacker, Nam3L3ss, shared was taken last year through the MOVEit flaw, from a third-party vendor of Amazon rather than from Amazon itself, but only surfaced recently. Amazon has confirmed the employee data is legitimate, though it is still determining how sensitive it is. The impact may not be severe, since Social Security numbers and financial data were not compromised in the incident.
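The class of flaw behind MOVEit, a query built by pasting user input into SQL, is worth seeing side by side with its fix. The example below is added here to illustrate that class; it is not MOVEit Transfer code and makes no claim about how that product was written. It uses an in-memory SQLite database with constructed rows, and the two payloads show what an unauthenticated attacker can do with a string-built query (dump every row, then read the schema) versus a parameterised one (nothing).

```python
"""Vulnerable vs. hardened lookup against an in-memory SQLite database.

Added example illustrating SQL injection as a vulnerability class; the
table, rows and payloads are constructed for illustration.
"""
import sqlite3


def make_db():
    """Create a throwaway database with two constructed users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, token TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "tok-alice-1"), ("bob", "tok-bob-2")])
    return con


def find_token_vulnerable(con, username):
    """String-built query: attacker-controlled input becomes part of the SQL."""
    sql = f"SELECT token FROM users WHERE username = '{username}'"
    return [row[0] for row in con.execute(sql)]


def find_token_parameterized(con, username):
    """Bound parameter: the input is passed as data and never parsed as SQL."""
    return [row[0] for row in con.execute(
        "SELECT token FROM users WHERE username = ?", (username,))]


# Tautology payload: turns the WHERE clause into "'' OR '1'='1'" and returns every row.
DUMP_PAYLOAD = "' OR '1'='1"

# UNION payload: reads table definitions from sqlite_master, the kind of
# schema discovery an attacker does before pulling the data they care about.
SCHEMA_PAYLOAD = "' UNION SELECT sql FROM sqlite_master WHERE '1'='1"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, dump   :", find_token_vulnerable(con, DUMP_PAYLOAD))
    print("vulnerable, schema :", find_token_vulnerable(con, SCHEMA_PAYLOAD))
    print("parameterized, dump:", find_token_parameterized(con, DUMP_PAYLOAD))
    print("parameterized, real:", find_token_parameterized(con, "alice"))
```

The parameterised version is the whole fix: the database driver sends the query text and the value separately, so a quote in the input can never close the string literal and start a new clause. Input validation and web application firewalls are worthwhile extra layers, but they are not a substitute for binding parameters.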

Charming Kitten Tries to Lure Aerospace Employees on LinkedIn

Hackers believed to have ties to the Iranian government are attempting to lure aerospace industry employees with jobs that don’t actually exist. The group, Charming Kitten, also known as TA455, APT35, Smoke Sandstorm and Bohrium, has been active for at least a decade. In its newest scheme, Charming Kitten targets aerospace industry employees with fake job offers, the ultimate goal being to infect the victims with malware, according to a new report from cybersecurity firm ClearSky. The report says that Charming Kitten draws people in via fake recruiters on LinkedIn offering a “dream job”.

This type of campaign has previously been attributed to the North Korean state-sponsored group Lazarus. Researchers at ClearSky say that Charming Kitten could be impersonating Lazarus to “cover its tracks”, or it could simply be using Lazarus’ attack methods and tools. The researchers came to this conclusion after antivirus tools classified the malware Charming Kitten is using as belonging to Lazarus. Charming Kitten is known for conducting attacks through phishing emails from sources that appear legitimate, with the goal of stealing sensitive information, especially from targets in the aerospace industry. The group is also known for campaigns such as 2021’s “SpoofedScholars”, which sent fake invitations and malicious documents to academic institutions and researchers.

After Two Massive Hacks on Environments Lacking Multifactor Authentication, Google Cloud Makes it Mandatory

Earlier this year there was a spate of extremely disruptive, large-scale attacks stemming from a lack of Multi-Factor Authentication (MFA). They took place at Change Healthcare and then at Snowflake not long after. In the case of Change Healthcare, which impacted approximately 100 million Americans, the February attack succeeded because its owner UnitedHealth had not enabled MFA on a remote-access portal, so stolen credentials alone were enough to get in. To date, the incident has cost the company billions of dollars in total cyberattack impacts. In the Snowflake case, attackers used stolen credentials to log in to customer accounts on the cloud data platform that had no MFA enabled, and major companies including AT&T, Advance Auto Parts, LendingTree, Ticketmaster operator Live Nation and Santander Bank were impacted. These two massive incidents were wake-up calls to the fact that not nearly enough companies have been using MFA to prevent data breaches. With that in mind, nobody should have been surprised that Google’s cloud division announced on November 9th that by the end of 2025 MFA will be mandatory for all users. Part of its efforts to improve account security, the requirement will be rolled out in phases worldwide next year.
