Weekly CyberTip: Fraud through Twitter impersonations
This week, Bleeping Computer documented an interesting variation on phishing: Twitter impersonation. The report documents how threat actors have been seen monitoring tweets that tag financial institutions with questions or complaints. The hackers then inject themselves into the conversation, offering to look into the matter and attaching a bogus customer support hotline number to call. The number is actually a direct line to the hackers, who can then use social engineering techniques to extract personal information.
If you do choose to register customer complaints over social media channels, be extra cautious that any responses or direct messages you receive are from an authorized representative of the company you’re dealing with. On Twitter, for example, check for verification badges, follower counts, and other verifiable correspondence from the respondent. Double-check any provided phone numbers independently. And never share your password with anyone online or by phone – reputable organizations will not ask for those credentials.
Urgent Patch Alert: Outlook Elevation of Privilege Vulnerability
“We strongly recommend all customers update Microsoft Outlook for Windows to remain secure,” advised Microsoft in a critical patch update announcement on March 14.
The vulnerability involved is described as a “critical privilege escalation issue in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server.”
The vulnerability hits all of the marks for a critical issue: low attack complexity, no user interaction required from the victim, and “high” impact on the confidentiality, integrity, and availability of affected systems.
Microsoft has provided a detailed description of the vulnerability, which is being tracked as CVE-2023-23397. Microsoft has also offered a script to help with mailbox audit and cleanup. The PowerShell code published on GitHub “checks Exchange messaging items (mail, calendar and tasks) to see whether a property is populated with a UNC path. If required, admins can use this script to clean up the property for items that are malicious or even delete the items permanently,” according to the post.
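The audit logic described above, as an added illustration that is not Microsoft’s script: each messaging item is modelled as a dictionary of extended properties, every string-valued property is checked for a UNC path, and the path’s host is classified against a constructed allowlist of internal file servers (the `ReminderSound` property name, the item format and the host names are all assumptions, not values from the page).

```python
import ipaddress
import re

# A UNC path starts with \\host\share (or the //host/share form); capture the host.
UNC_RE = re.compile(r"^\s*(?:\\\\|//)([^\\/]+)[\\/]")

# Constructed allowlist standing in for an organisation's own file servers.
TRUSTED_HOSTS = {"fileserver.corp.example"}

def unc_host(value):
    """Return the host part of a UNC path, or None if value is not a UNC path."""
    if not isinstance(value, str):
        return None
    m = UNC_RE.match(value)
    return m.group(1).lower() if m else None

def is_internal(host):
    """Internal means an allowlisted name or a private (RFC 1918 style) address."""
    if host in TRUSTED_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # not an IP literal, so an unknown host name
        return False

def audit_items(items):
    """Return (item_id, property, host, verdict) for every UNC-valued property."""
    findings = []
    for item in items:
        for prop, value in item["properties"].items():
            host = unc_host(value)
            if host is None:
                continue
            verdict = "review" if is_internal(host) else "malicious"
            findings.append((item["id"], prop, host, verdict))
    return findings

def clean_items(items, findings):
    """Blank the flagged property on items judged malicious (the cleanup step)."""
    bad = {(f[0], f[1]) for f in findings if f[3] == "malicious"}
    for item in items:
        for prop in list(item["properties"]):
            if (item["id"], prop) in bad:
                item["properties"][prop] = None
    return items

# Constructed sample items: benign, internal server, external host, private IP.
SAMPLE_ITEMS = [
    {"id": "msg-1", "kind": "mail", "properties": {"ReminderSound": "chime.wav"}},
    {"id": "msg-2", "kind": "calendar", "properties": {"ReminderSound": r"\\fileserver.corp.example\sounds\a.wav"}},
    {"id": "msg-3", "kind": "task", "properties": {"ReminderSound": r"\\attacker-files.example.net\s\x.wav"}},
    {"id": "msg-4", "kind": "calendar", "properties": {"ReminderSound": r"\\10.20.30.40\media\b.wav"}},
]
```

Items whose UNC host is internal are reported for review rather than cleaned automatically, since legitimate reminder files on corporate shares look the same on the wire as a malicious one.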
New TikTok Ban: U.K. government prohibits app on all government devices
On March 16, the U.K. government formally announced plans to ban TikTok from all government devices amid a wider review of app security. In the statement, the Chancellor of the Duchy of Lancaster, Oliver Dowden, said: “The security of sensitive government information must come first, so today we are banning [TikTok] on government devices. The use of other data-extracting apps will be kept under review. Restricting the use of TikTok on Government devices is a prudent and proportionate step following advice from our cyber security experts.”
The ban currently applies to all government corporate devices within all government departments; it “does not extend to personal devices for government employees, ministers or the general public. Individuals should be aware of each social media platform’s data policies when considering downloading and using them,” according to Dowden, who is also the Secretary of State in the Cabinet Office.
TikTok, owned by Chinese company ByteDance, has been banned from government use by numerous countries in recent months – including Canada, the United States, and the European Union – amid concerns that the Chinese government could use the app to gain access to private user data or spread misinformation.
Cyber attack fallout: MKS Instruments faces class action lawsuit after February breach
A former employee at technical manufacturer MKS Instruments is leading a class action lawsuit in the wake of a data breach in February 2023. According to the complaint filed earlier this month, MKS personnel provided personal and medical information to their employer, information that the company has now said may have been stolen and exfiltrated during the ransomware incident. The suit charges that the company’s negligent cybersecurity practices (e.g. failure to take “appropriate preventive actions, fix the deficiencies in their computer network or data systems, and adopted security measures as required by the CCPA and the CMIA”) were at fault in the incident.
The suit seeks compensatory damages up to $3000 per claimant (all figures USD), nominal damages up to $1000 per claimant, provable actual damages for each claimant, and court costs/legal fees. MKS Instruments has approximately 5000 employees.
This is the latest potential financial impact due to the incident. According to MKS in an SEC filing after the breach was disclosed, “We expect this incident will have a negative impact on our revenue for the first quarter of 2023 of at least $200 million.” An MKS customer, Applied Materials, also reported a “negative estimated impact of $250 million dollars related to a cybersecurity event recently announced by one of our suppliers,” widely believed to be MKS.
FBI Report: potential losses due to cyber attacks reached $10.3 billion in 2022
The FBI has released its annual report on cyber crime in the United States, based on information submitted to the Internet Crime Complaint Center (IC3). According to the report, potential losses due to cyber attacks in 2022 totaled $10.3 billion (USD) – a 49 percent increase over 2021. Phishing incidents led the complaint categories by a dramatic margin, with 300,497 reports received. 21,832 business email compromise (BEC) incidents were reported, along with 2,385 ransomware incidents, with the FBI noting an increase in “double extortion” attacks (ransomware deployment in addition to the threat of disclosing exfiltrated data).
The report noted that, as sobering as the numbers may be, they do not paint the whole picture: “[I]t has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement.” The FBI encourages victims to come forward: “By reporting the incident, the FBI may be able to provide information on decryption, recover stolen data, possible seizure/recovery of ransom payments, and gain insight on adversary tactics. Ultimately, the information you provide will lead us to bring the perpetrators to justice.”