Cyber Security Today, May 3, 2024 – North Korea exploits weak email DMARC settings, and the latest Verizon analysis of thousands of data breaches

North Korea exploits weak email DMARC settings, and the latest Verizon analysis of thousands of data breaches.

Welcome to Cyber Security Today. It’s Friday May 3rd, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for

North Korean hackers are trying exploit improperly configured DMARC email server security controls to hide spearphishing attacks. The warning to email and IT security administrators comes from American cyber agencies. DMARC is short for Domain-based Message Authentication, Reporting and Conformance. Without properly configured DMARC policies, threat actors can send spoofed emails that look as if they came from a legitimate domain’s email exchange. A DMARC policy tells a receiving email server what to do with the email after checking a domain’s Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records. Depending on whether an email passes or fails, the email can be marked as spam, blocked, or delivered to an intended recipient’s inbox. What should you be doing? Update your organization’s DMARC security settings.

The U.S. Cybersecurity and Infrastructure Security Agency has added a bug in Github’s email verification process to its Known Exploited Vulnerabilities Catalog. It’s a warning to application developers to install the latest version of Github if they haven’t already done so. This particular hole could allow an attacker to change the password of a GitLab account via the password reset form and successfully retrieve the final reset link. This hole was patched in January.

Separately the Agency issued a warning to American small and medium-sized businesses that China is targeting them just as much as big companies. These small firms can include utilities, hospitals, communications providers, banks and municipalities. What can small and mid-sized firms do? Report every cybersecurity incident to the Cybersecurity and Infrastructure Security Agency so it can see trends. They should also use the free advice and services the Agency offers, enroll in a free vulnerability scanning service, and resolve to make their organization resilient to cyber attacks.

Pro-Russian hacktivists are targeting operational technology devices like internet-connected industrial control systems. That warning came this week from cybersecurity agencies in the U.S., Canada and the U.K. The attacks largely manipulate equipment to create nuisance effects. However, the report adds, some attackers have done physical damage to equipment. That includes causing water pumps and blower equipment exceed operational limits by altering settings, turning off alarms and changing administrative passwords to lock out operators. How are they doing this? The usual ways — by taking advantage of outdated software, default passwords and login services that don’t have multifactor authentication enabled. There’s a long list of recommended defensive actions, but they all boil down to this lesson: An OT network is just as much a target as an IT network.

A hacker recently compromised the Dropbox Sign infrastructure of the Dropbox file sharing service to steal data of subscribers. Data stolen includes email addresses, usernames, phone numbers, hashed passwords, API keys, OAuth tokens and multifactor authentication login information. Dropbox Sign is a service allowing users to digitally sign documents. The data theft could allow a threat actor to impersonate almost any company official. Dropbox Sign’s IT infrastructure is largely separate from Dropbox, the company says, and there is no evidence the hacker accessed documents, agreements or payment information. Users are being forced to reset their passwords and to create new API keys and digital tokens.

An American judge this week sentenced a Ukrainian man to just under 14 years in prison for deploying the REvil ransomware strain in over 2,500 attacks. The accused was also ordered to pay $16 million in restitution. The man, who was caught and extradited from Poland, pleaded guilty in Texas to charges of conspiracy to commit fraud and other charges.

A Connecticut jury has convicted a Nigerian man for his role in running a business email compromise scheme. The man and his partners sent targeted emails pretending to be from trusted companies to trick officials into transferring millions to bank accounts controlled by the crooks. The man will be sentenced in July.

Police in Europe and Lebanon are now acknowledging shutting down 12 call centers and the arrest of 21 people last month behind a range of scams. They included fake police calls, investment frauds and romance scams. Police got a break last December after a bank teller in Germany became suspicious when a customer asked to withdraw over EUR 100,000. A fake police officer called the victim and demanded the money.

Exploiting software vulnerabilities in web applications was the most common way organizations were hacked last year. That’s one of the prime findings in the latest annual Verizon Data Breach Investigations Report. Exploited vulnerabilities in third-party suppliers such as business partners and internet providers was also a prime factor. Another finding: Human errors, including clicking on links, were involved in 68 per cent of data breaches. Unfortunately, that’s no change from last year’s report. Alarmingly, the percentage of breaches caused by internal actors — including employees or partners allowed to access IT networks — increased last year. The authors analyzed over 30,000 security incidents in the 12 months ending October 2023, of which more than 10,626 were confirmed data breaches in 94 countries. This free report is essential reading for all IT pros.

Later today Jim Love will host the Week in Review podcast.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

Related Posts