Editor's Note: Welcome to this issue of Forcepoint Security News—curated news meant to provide a quick look at what's happening around the cybersecurity industry.
Here are the top security stories from recent weeks:
- Apple and Meta reportedly provided customer data to hackers in response to forged 'emergency data requests.'
- Triton malware still targeting energy firms
- Hackers use modified MFA tool against Indian government employees
- FBI warns election officials of credential phishing attacks
- US says Kaspersky poses unacceptable risk to national security
- Sophos warns critical firewall bug is being actively exploited
According to Bloomberg, Apple, and Facebook provided customer data, including address, phone number and IP address to hackers who posed as law enforcement officials. The companies reportedly shred the data in response to forged "emergency data requests." In normal circumstances, these requests usually comes with either a search warrant or subpoena signed by a judge. Emergency requests don't require those things. Researchers suspect the hackers behind the forged requests are minors living in the United States and the U.K.. The suspected hackers that sent out some of these forged legal requests throughout 2021 were affiliated with the now-defunct Recursion Team cybercrime group. However, many of its members reportedly carry out hacks under different names, including the increasingly-active Lapsus$. In fact, one of these minors is also believed to be the mastermind behind Lapsus$. Some of the illegally obtained data was used to enable harassment campaigns, while others familiar with the inquiry think the data may be used to facilitate financial fraud schemes.
The FBI has issued a warning to the global energy sector to stay alert for Triton malware. Triton (also known as Trisis and HatMan) is designed to "cause physical safety systems to cease operating or to operate in an unsafe manner," the FBI says in its Private Industry Notification (PIN 20220324-001). The malware was used in a cyberattack in 2017 against a Middle East petrochemical facility. The Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM), a Russian government-backed research institution, is believed to have carried out the attack, and last week the United States Department of Justice unsealed an indictment against a Russian national and a TsNIIkhM employee involved in that attack.
A new campaign from the hacking group tracked as APT36 has been discovered using new custom malware and entry vectors in attacks against the Indian government. The most interesting aspect of the new campaign is the use of laced Kavach authentication apps targeting employees of the Indian government. Kavach Authentication is a multi-factor authentication app used by the military and other government agencies to access critical IT systems such as email services or databases. Victims were visiting counterfeit websites that are clones of legitimate Indian government websites and downloading a copy of a legitimate Kavach installer laced with a malicious payload that automatically initiates the infection process with the threat actor's malware of choice.
The Federal Communications Commission (FCC) added Russian cybersecurity firm Kaspersky to its Covered List, saying it poses unacceptable risks to U.S. national security. Kaspersky services covered by this decision include information security products, solutions, and services supplied by Kaspersky or any linked companies, including subsidiaries or affiliates. FCC's national security ban list was also expanded to include Chinese state-owned mobile service providers China Mobile International USA and China Telecom Americas. According to FCC Commissioner Brendan Carr, their addition to the Covered List means that they are prohibited from receiving support through FCC's Universal Service Fund. U.S. federal agencies were first ordered to remove Kaspersky-branded products from federal information systems via a Binding Operational Directive (BOD) issued by the Department of Homeland Security in September 2017.
British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks. The security flaw is tracked as CVE-2022-1040, and it received a critical severity rating with a 9.8/10 CVSS base score. It enables remote attackers to bypass authentication via the firewall's User Portal or Webadmin interface and execute arbitrary code. To address the critical bug, Sophos released hotfixes that should be automatically deployed to all vulnerable devices since the 'Allow automatic installation of hotfixes' feature is enabled by default. For these customers and those who have disabled automatic updates, there's also a workaround requiring them to secure the User Portal and Webadmin interfaces by restricting external access.
The FBI warned US election officials recently of an ongoing and widespread phishing campaign trying to steal their credentials since at least October 2021. "If successful, this activity may provide cyber actors with sustained, undetected access to a victim's systems," the FBI said in a private industry notification [PDF]. "As of October 2021, US election officials in at least nine states received invoice-themed phishing emails containing links to websites intended to steal login credentials." The attackers used various methods to redirect their targets to phishing landing pages designed to trick the recipients into entering their login credentials. The threat actors used compromised email accounts belonging to US government officials and email addresses spoofing US businesses.
Want to protect your organization from threats like phishing attacks? Learn how Forcepoint ONE can protect your users from cloud-borne malware and suspicious websites.