Breaking Bad in Cybersecurity – British companies are warned that their cybersecurity employees may be moonlighting on the dark web. Microsoft reveals that the Russian state-backed attack on it is still going on. Canva, the design and marketing platform, reports new attack vectors in font-processing software. And a serious flaw is found in a public records system used by U.S. state and local governments.
Welcome to Cybersecurity Today for Monday, March 11th, 2024. I'm your host, Jim Love, filling in for Howard Solomon.
A British investigative report has revealed that highly skilled cybersecurity workers are operating behind the scenes on the dark web. CIISec, the Chartered Institute of Information Security, commissioned a six-month investigation, running from June to December 2023, in which former police officers and undercover operatives trawled dark web forums for job ads.
They found cybersecurity professionals, from developers to penetration testers, looking for extra work to top up their salaries or to replace income from jobs they had lost.
According to the study, people promoting their services were categorized into three groups:
- Highly skilled professionals with around 10 years of experience in security or IT. The investigators found evidence of a person currently working for a “global software agency,” a professional penetration tester offering to test cybercrime products, an AI prompt engineer, and a web developer.
- Some needed a “second job” and others made comments like “Christmas is coming and the kids need new toys.”
- Some were just starting out in the IT and security fields and were looking for work or further education.
Some presented portfolios of their work as evidence of their skills.
Various hacking groups also recruited students and offered training services.
The investigation also found unemployed voice actors offering their services for phishing campaigns, “creative wizards” offering to “enhance visual content,” PR people for hacking groups, and content writers.
But it's not just people asking for extra pay.
“According to Gartner research, 25% of security leaders will leave the security industry by 2025 due to work-related stress. And that's just leaders,” said Amanda Finch, CEO of CIISec, the institute that produced the report.
Finch added: “Given the number of people expected to leave the industry, many will be desperate to find work in fields that promise significant pay for the skills and knowledge they already have. Preventing this means ensuring we do everything we can as an industry to attract and retain talent.”
Does this situation also apply to Canada and the US? Cybersecurity salaries and conditions in the UK are lower than in Canada and the US, but the stress and working conditions that push cybersecurity professionals out of the industry are still present here.
Listeners may remember that earlier this year, Russian state-backed hackers were caught spying on the email accounts of some of Microsoft's senior leadership team.
Now Microsoft has revealed that the attack continues, and that source code has also been taken, in what Microsoft describes as an ongoing attack.
The Nobelium Group, or “Midnight Blizzard” as Microsoft is now calling it, is reportedly looking to use “the various types of secrets it has discovered” to further attack Microsoft and possibly its customers.
According to Microsoft, “some of these secrets were shared between customers and Microsoft via email, and as we discover them in the exfiltrated emails, we have been reaching out to these customers to help them take mitigation steps, and we continue to do so.”
The blog post further states that this includes access to source code repositories and internal systems. The company also said that “to date, we have found no evidence that customer-facing systems hosted by Microsoft have been compromised.”
In the initial intrusion late last year, the hackers got into Microsoft's systems through a “password spray” attack, which tries a short list of likely passwords against many accounts rather than many passwords against one. That should normally be detected or blocked, but the legacy, non-production test account they hit had not been configured with multi-factor authentication, which let the Nobelium group in.
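The pattern that should have tripped an alarm is easy to state: one source failing against many different accounts in a short window, followed by a success on an account with no MFA. The following is an added example, not Microsoft's code or its detection logic, that runs that check over a few constructed sign-in events (the log format, field names, IP addresses and account names are all made up for the example):

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real Microsoft logs), one JSON object per line.
# 203.0.113.5 tries one password against six different users, then succeeds
# against an MFA-less test account; 198.51.100.7 is one user fumbling a password.
SAMPLE_LOG = """\
{"ts":"2024-01-10T02:00:01Z","user":"alice","src":"203.0.113.5","result":"failure","mfa":false}
{"ts":"2024-01-10T02:00:04Z","user":"bob","src":"203.0.113.5","result":"failure","mfa":false}
{"ts":"2024-01-10T02:00:07Z","user":"carol","src":"203.0.113.5","result":"failure","mfa":false}
{"ts":"2024-01-10T02:00:10Z","user":"dave","src":"203.0.113.5","result":"failure","mfa":false}
{"ts":"2024-01-10T02:00:13Z","user":"erin","src":"203.0.113.5","result":"failure","mfa":false}
{"ts":"2024-01-10T02:00:16Z","user":"frank","src":"203.0.113.5","result":"failure","mfa":false}
{"ts":"2024-01-10T02:00:19Z","user":"svc-test","src":"203.0.113.5","result":"success","mfa":false}
{"ts":"2024-01-10T02:05:00Z","user":"alice","src":"198.51.100.7","result":"failure","mfa":false}
{"ts":"2024-01-10T02:05:20Z","user":"alice","src":"198.51.100.7","result":"failure","mfa":false}
{"ts":"2024-01-10T02:05:40Z","user":"alice","src":"198.51.100.7","result":"success","mfa":true}
"""


def parse_events(text):
    """Parse JSON lines into dicts, converting 'ts' to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {source_ip: set_of_users} for every source whose failed logins
    touch at least `min_users` distinct accounts inside some `window`-long span.
    A brute force against a single account never trips this; a spray does."""
    failures_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_src[e["src"]].append(e)
    findings = {}
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            # every failure from this source that starts within `window` of `first`
            users = {e["user"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users and len(users) > len(findings.get(src, ())):
                findings[src] = users
    return findings


def find_unprotected_logins(events, spray_findings):
    """Successful sign-ins without MFA from a source already flagged as spraying:
    the 'legacy test account with no 2FA' case from the story."""
    return [e for e in events
            if e["result"] == "success" and not e["mfa"] and e["src"] in spray_findings]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    spray = detect_password_spray(evs)
    for src, users in spray.items():
        print(f"spray from {src}: {sorted(users)}")
    for e in find_unprotected_logins(evs, spray):
        print(f"MFA-less success after spray: {e['user']} from {e['src']}")
```

The thresholds (five accounts in thirty minutes) are illustrative; in a real tenant you would tune them to your sign-in volume and key on the identity provider's own failure codes rather than a bare "failure" string. The point of the second function is that the finding that matters is not the spray itself but the account it eventually opened.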
Ironically, this attack comes just days after the company announced plans to overhaul its security following a serious attack on its Azure cloud.
Microsoft says it continues to investigate the ongoing attack and is committed to sharing what it learns.
A common tool used by U.S. state and local governments to process public records requests had a flaw that could allow hackers to download files attached to records requests. According to a Nextgov report, those files can include highly sensitive personal data such as IDs, fingerprints, child welfare documents, and even medical reports.
The platform is called GovQA, a public records request system built by an IT service provider called Granicus. It is used by hundreds of government offices in the United States and helps them manage and deliver records to requesters through official public access channels.
The vulnerability, which is reportedly now fixed, was discovered by independent cybersecurity researcher Jason Parker, who has previously found and reported security weaknesses in court records systems.
Parker reported his findings to the developer and the Cybersecurity and Infrastructure Security Agency.
The vulnerabilities were in the handling of Freedom of Information requests. Because requesters must verify their identity, information about the requester could have been exposed even when a request was denied, on top of the government records themselves.
The system is used in at least 37 states and the District of Columbia, including courts and schools.
The developer rated the vulnerability as “low severity” and said it is “working with customers to minimize the information they collect and expose” in the records request process, and that it has also started a review.
Two cybersecurity experts who investigated this disagreed, saying the flaw was much more than “low severity.”
Matt “Jaku” Jakubowski, one of the organizers of the hacking conference THOTCON in Chicago, called this vulnerability one of the worst he had ever encountered.
“[Fixing the flaws] is not a complete rewrite of the software, but when you find something like this, you wonder what else is in there,” Jaku told Nextgov in a recent interview.
He added that what Parker discovered is difficult to detect, and that these kinds of errors would not be picked up by vulnerability scanners. Even more troubling, Jaku said, this type of flaw could allow hackers to edit or manipulate records without having to log into the system.
Other experts say these types of vulnerabilities are fairly common in government systems and may be increasingly targeted by cybercriminals.
And finally, the Register reports that Canva, the hugely popular social media and marketing design application, has found three security vulnerabilities in the open-source software it uses to process fonts.
CVE-2023-45139 is a high-severity bug (CVSS 7.5/10) that Canva found in FontTools, a Python library for working with fonts. It is an XML external entity (XXE) flaw: FontTools parsed the XML embedded in OT-SVG fonts without disabling external entities, so a crafted font could make the library read files from the local system.
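The defensive check a font pipeline wants here is simple: untrusted XML has no business declaring a DTD or entities at all, so refuse it before any parser gets a chance to resolve them. The following is an added example, not FontTools' code or Canva's proof of concept. It uses only the Python standard library; the two SVG documents are constructed for the example (note that the stdlib ElementTree does not fetch external entities on its own, whereas some other XML libraries do by default, which is why the gate is written to be parser-independent):

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares a DTD or entities."""


# Constructed OT-SVG-style glyph document: the entity points at a local file,
# which is exactly what an XXE-vulnerable parser would read and splice into <text>.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg xmlns="http://www.w3.org/2000/svg" id="glyph1"><text>&xxe;</text></svg>"""

# Constructed benign glyph document with no DTD at all.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" id="glyph1"><path d="M0 0h10v10z"/></svg>"""


def reject_dtd(data: bytes) -> None:
    """Scan the document with expat and abort on the first DOCTYPE, entity
    declaration or external entity reference. Because this runs inside a real
    XML parser rather than as a regex over the bytes, UTF-16 input, odd
    whitespace or comments do not confuse it."""
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise UnsafeXMLError("untrusted font XML declares a DTD or entities")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.Parse(data, True)  # exceptions raised in a handler propagate out of Parse


def parse_untrusted_svg(data: bytes) -> ET.Element:
    """Gate first, then parse with whatever XML library the font pipeline uses."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_safe_svg(data: bytes) -> bool:
    """True when the document parses and declares no DTD/entities."""
    try:
        parse_untrusted_svg(data)
        return True
    except (UnsafeXMLError, ET.ParseError, expat.ExpatError):
        return False


if __name__ == "__main__":
    print("benign:   ", is_safe_svg(BENIGN_SVG))     # True
    print("malicious:", is_safe_svg(MALICIOUS_SVG))  # False
```

Rejecting the whole document is deliberate: a font's SVG table has no legitimate need for entities, so there is nothing to lose by refusing rather than trying to sanitize. If a project cannot add a pre-parse step, the same effect comes from a library that disables entity resolution itself (defusedxml, for instance), but the gate above works in front of any parser.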
CVE-2024-25081 and CVE-2024-25082 are both rated 4.2/10 and affect font-handling tools such as FontForge and ImageMagick.
The researchers put together a simple proof of concept: a crafted file name that gets spliced into a shell command when FontForge opens the file, so that a command of the attacker's choosing runs.
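That bug class is worth seeing side by side with its fix. The following is an added example, not FontForge's code or Canva's proof of concept: it reproduces the pattern of splicing an untrusted file name into a shell command string, using `cat` as a stand-in for FontForge so that it runs offline, and shows the two ways to close the hole. The hostile file name is constructed for the example:

```python
import shlex
import subprocess

# Constructed hostile "font file name". `cat` stands in for the real tool so the
# example runs anywhere; the vulnerable pattern and the fix are the same.
HOSTILE_NAME = "glyphs.sfd; echo INJECTED"


def open_font_vulnerable(path: str) -> str:
    """The pattern behind the FontForge bugs: the file name is pasted into a
    command string that a shell then parses, so ';' ends the intended command
    and the attacker's 'echo INJECTED' runs as a second one."""
    proc = subprocess.run(f"cat {path}", shell=True, capture_output=True, text=True)
    return proc.stdout


def open_font_quoted(path: str) -> str:
    """If a shell really is unavoidable, quote the name so the shell sees one word."""
    proc = subprocess.run(f"cat {shlex.quote(path)}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def open_font_hardened(path: str) -> str:
    """Preferred fix: pass an argv list. No shell ever parses the name, so
    metacharacters in it are just bytes of a file name that does not exist."""
    proc = subprocess.run(["cat", path], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(open_font_vulnerable(HOSTILE_NAME)))  # 'INJECTED\n'
    print("quoted:    ", repr(open_font_quoted(HOSTILE_NAME)))      # ''
    print("hardened:  ", repr(open_font_hardened(HOSTILE_NAME)))    # ''
```

Only the first function prints `INJECTED`; in the other two the name reaches `cat` intact and the command simply fails to find the file. The same reasoning applies to any tool, in any language, that builds a command line with `system()` or `popen()` from a name it did not choose: file names, archive member names and font family names are all attacker-controlled input.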
Chalk it up as one more area of vulnerability to watch out for.
That's it for this episode of Cybersecurity Today. As always, links to the stories and other information will be in the show notes posted at itworldcanada.com/podcasts. Look for Cybersecurity Today.
Usually when I fill in for Howard, he's already written the stories for me, but this time he's really on vacation and I'm on my own, so if you have any comments, please send a note to jlove@itwc.ca or leave them under the show notes at itworldcanada.com/podcasts.
Also, if you want more tech news, check out my daily news podcast, Hashtag Trends. You can find it in the same places as Cybersecurity Today: Apple, Google, Spotify, or itworldcanada.com/podcasts.
I'm your host, Jim Love, filling in for Howard Solomon. Take care.