In an October 17 filing with the US Securities and Exchange Commission, Texas-based insurance company Globe Life disclosed that 'an unknown threat actor' contacted them, demanding payment in exchange for not releasing customer data. Globe Life believes the data 'can be traced to the Company's subsidiary, American Income Life Insurance Company.'
This is most likely a ransomware attack on the subsidiary company. This reinforces the need for the parent, Globe Life in this case, to enforce and monitor a cybersecurity program across the entirety of the company and its subsidiaries. The cyber incident only adds fuel to the fire on the lack of management controls.
The threat actor is releasing personal and health data to short sellers and plaintiffs' attorneys in an attempt to impact claims and policies, rather than executing a traditional ransomware or extortion attack. This follows reports in June of improperly implemented access controls that would allow access to sensitive data; Globe Life is not commenting on their possible connection. Names, email addresses, phone numbers, addresses, SSNs and health data were stolen, but no financial information was exfiltrated.
Analysts in the Secureworks Counter Threat Unit (CTU) have documented a pattern of fraudulent employment, data theft, and now extortion by alleged North Korean operatives posing as IT contractors. The structure of the scheme and certain technical details, including use of Astrill VPN IP addresses, align with previous efforts by a known threat group to "generate revenue for the North Korean regime" through "theft of intellectual property with the potential for additional monetary gain through extortion." One example timeline showed an employee being hired, exfiltrating proprietary information, being terminated for poor performance, and then sending evidence of the stolen data alongside demands for a "six-figure ransom." Investigators show how these agents interfere in the provision of equipment, either insisting on using personal machines or re-routing their company computers to be delivered to a facilitator at a laptop farm to provide a "credible IP address space." The report also suggests collaboration among agents: providing references, filling their conspirators' empty positions, potentially sharing the employee identities, and/or managing multiple identities each while avoiding or counterfeiting webcam use. CTU stresses caution and verification in companies' hiring processes, and asks employers to be on the lookout for unusual or frequent changes in addresses and banking details.
KnowBe4 shed light on this set of TTPs back in July when it fell victim to fraudulent employment. One surefire way to avoid this scam is to require in-person interviews and not to deviate from well-established security practices for remote workers.
This parallels fraud schemes associated with the Nickel Tapestry threat group, who are motivated to make money for North Korea. Carefully consider in-person validation of new hires and/or applicants. Besides vetting, use restraint in granting access to sensitive data.
A domain belonging to one of ESET's partners based in Israel was spoofed and used to send malicious emails containing wiper malware. The impersonation attack claimed to be from ESET Advanced Threat Defense Team warning that state-sponsored threat actors were targeting the recipients' devices and offering advanced antivirus software to protect the recipients' devices. ESET said the malicious messages were blocked within 10 minutes; an investigation is underway.
This is what we need protective DNS for. Coupled with our existing attachment filtering/vetting, it's one more tool in our belt to thwart BEC. You still need EDR, blocking of bad/malicious sites, and even mechanisms for users to report suspicious email. In this case the stakes are high as the payload is a data wiper. Regardless of the impact, implement as many technical levels as possible to reduce the likelihood such a payload makes it to the targeted user.
Security Week
Gov Infosecurity
Bleeping Computer
The Department of Defense has published the Cybersecurity Maturity Model Certification (CMMC) Program Final Rule (codified at 32 CFR Part 170) in the Federal Register. Under the Final Rule, the CMMC Program takes effect on December 16, 2024, at which point voluntary CMMC Level 2 Certification Assessments can begin for defense contractors who have implemented the NIST SP 800-171 standard for protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Are you ready? The Cyber AB and the Cybersecurity Assessor and Instructor Certification Organization (CAICO) will be.
Keep up with the plans for CMMC Program implementation and register for the monthly CMMC Ecosystem town halls at https://cyberab.org
Learn more about the CMMC Program at https://dodcio.defense.gov/CMMC/
View this recently released CMMC overview presentation: https://dodcio.defense.gov (PDF)
Microsoft has notified some customers that it has lost more than two weeks of security logs. The missing data are due to 'a bug in one of Microsoft's internal monitoring agents result[ing] in a malfunction in some of the agents when uploading log data to our internal logging platform.' The issue, which was first reported by Business Insider on October 4 (paywall), affects certain cloud products, including Microsoft Entra, Sentinel, Defender for Cloud, and Purview. The incident comes a year after Microsoft was criticized for withholding log information from some US federal government agencies; that information could have helped identify serious intrusions sooner. In September 2023, Microsoft began providing log data to customers with lower-cost cloud services.
The lost data will make it harder to determine if you've had nefarious access to your resources during the two-week window of September 2-19. Consider having monitoring that alerts when logs aren't flowing or there is a noticeable change in volume.
In particular the missing Entra logs may be a problem for some organizations. Ask yourself why you didn't detect the missing logs and how to detect issues like this in the future.
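One way to notice a silent gap like this before a vendor tells you about it is to baseline each log source's hourly volume and alert when an hour falls well below the source's own recent median, treating a missing hour as zero. The block below is an added example, not Microsoft's or SANS's code; the source names ("SigninLogs", "AuditLogs"), the hourly volumes and the failure at 15:00 UTC are constructed so it runs offline. In production the same logic would run over ingestion counts pulled from your SIEM rather than a hand-built list.

```python
"""Added example: detect a log source that has stopped flowing or whose
hourly volume dropped sharply against its own recent baseline.
Input is a constructed list of (source, timestamp) tuples standing in
for an ingestion feed; nothing here is vendor code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample: two log sources over one day. The "SigninLogs" feed
# silently stops at 15:00 UTC; "AuditLogs" keeps flowing at a steady rate.
START = datetime(2024, 9, 2, 0, 0, tzinfo=timezone.utc)


def constructed_feed():
    events = []
    for hour in range(24):
        ts = START + timedelta(hours=hour)
        events.extend(("AuditLogs", ts) for _ in range(40))
        if hour < 15:  # hypothetical agent failure after 15:00 UTC
            events.extend(("SigninLogs", ts) for _ in range(100))
    return events


def hourly_counts(events):
    """Bucket events into per-source, per-hour counts: {source: Counter}."""
    counts = defaultdict(Counter)
    for source, ts in events:
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        counts[source][bucket] += 1
    return counts


def find_gaps(counts, window_end, hours=24, baseline_hours=6, drop_ratio=0.5):
    """Return (source, hour, observed, expected) for every hour in the window
    where a source's count fell below drop_ratio * its median over the
    preceding baseline_hours. Hours with no events count as zero, which is
    what catches a feed that stopped entirely rather than one that merely
    got quieter. Once the baseline itself is all zeros the source is
    already known-dead and no further alerts are raised."""
    alerts = []
    window = [window_end - timedelta(hours=h) for h in range(hours, 0, -1)]
    for source, per_hour in counts.items():
        for i, hour in enumerate(window):
            if i < baseline_hours:
                continue  # not enough history yet for a baseline
            baseline = [per_hour.get(h, 0) for h in window[i - baseline_hours:i]]
            expected = median(baseline)
            observed = per_hour.get(hour, 0)
            if expected > 0 and observed < drop_ratio * expected:
                alerts.append((source, hour, observed, expected))
    return alerts


def run_constructed_check():
    """Run the detector over the constructed feed; returns the alert list."""
    return find_gaps(hourly_counts(constructed_feed()), START + timedelta(hours=24))


if __name__ == "__main__":
    for source, hour, observed, expected in run_constructed_check():
        print(f"ALERT {source} {hour:%Y-%m-%d %H:%M}Z observed={observed} expected~{expected}")
```

With the constructed feed the detector raises alerts for SigninLogs at 15:00 through 18:00 UTC and nothing for AuditLogs; after four hours the rolling median has itself collapsed to zero, which is the cue to escalate rather than keep alerting. The median is deliberately used instead of the mean so that one unusually busy hour does not suppress a real drop.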
As part of its move to the Manifest V3 extension specification, Google has begun ending support for some older, albeit popular extensions, including the uBlock Origin ad blocker. The Chrome Web Store's uBlock Origin page reads, 'This extension may soon no longer be supported because it doesn't follow best practices for Chrome extensions.'
Some sites are claiming that uBlock Origin works best in Firefox, which is a bummer if you're looking to have the same ad block extension in both browsers. Consider an alternative, Adblock Plus, or installing a proxy such as Privoxy or Pi-hole to provide the services you're used to.
Researchers at ETH Zurich have published a paper outlining serious flaws in the end-to-end-encrypted (E2EE) services of several major cloud storage providers, many of which are severe enough and simple enough to execute to "directly oppose the marketing promises of the platforms, [and] create a deceptive and false premise for customers." The study focuses on five companies: Sync, pCloud, Icedrive, Seafile, and Tresorit, which collectively serve about 22 million users. Given that threat actors control a malicious server, all studied providers are vulnerable to varying numbers of "attacks and leakages," including unauthenticated key material and public keys; protocol downgrade; link-sharing leakage; unauthenticated encryption and chunking; tampering with files, file names, and metadata; file and folder injection; and leakage of plaintext information, metadata, and directory structure. The companies were notified of the report in April, 2024, but uneven responses given to ETH Zurich and to journalists indicate only some intend to fix the vulnerabilities, and Icedrive openly has no plans to do so.
These vulnerabilities are no big surprise, and most "end-to-end" encrypted systems suffer from these issues. You often implicitly trust that code loaded from the trusted site is implementing the end-to-end encryption as intended. A malicious actor able to manipulate the endpoint will be able to alter the code to bypass the end-to-end encryption implementation.
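Several of the attack classes the paper lists (tampering with files, file and folder injection, and unauthenticated encryption and chunking) come down to one design fault: the client encrypts each chunk but nothing binds a chunk to its file, its position or the file's length, so a server that holds only ciphertext can still reorder, truncate, substitute and bit-flip. The block below is an added example of mine, not code from the paper or from any of the named providers. It plays a malicious server against a weak scheme and a hardened one; the stream cipher is a toy HMAC-SHA256 counter mode so the example runs on the standard library alone (a real client would use AES-GCM), and the file contents and file ids are constructed.

```python
"""Added example (not the ETH Zurich paper's or any provider's code): a
malicious storage server against unauthenticated chunk encryption versus
encrypt-then-MAC with file id, chunk index and chunk count in the MAC.
The HMAC counter-mode 'cipher' is a stand-in for AES-CTR/AES-GCM."""
import hashlib
import hmac
import os
import struct

CHUNK = 16  # bytes per chunk; tiny so the constructed file spans several chunks


def _keystream(key, nonce, length):
    """Counter-mode keystream built from HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def _chunks(data):
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


# --- Weak scheme: fresh nonce per chunk, no tag, nothing ties a chunk to its slot.
def encrypt_unauth(key, plaintext):
    blobs = []
    for chunk in _chunks(plaintext):
        nonce = os.urandom(12)
        blobs.append((nonce, _xor(chunk, _keystream(key, nonce, len(chunk)))))
    return blobs


def decrypt_unauth(key, blobs):
    # The server hands back the list; the client cannot tell whether chunks
    # were swapped, dropped, duplicated or had bits flipped in transit.
    return b"".join(_xor(ct, _keystream(key, nonce, len(ct))) for nonce, ct in blobs)


# --- Hardened scheme: encrypt-then-MAC, with position and file identity in the MAC.
def _tag(mac_key, file_id, index, total, nonce, ct):
    header = file_id + struct.pack(">II", index, total)
    return hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()


def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt_auth(key, file_id, plaintext):
    enc_key, mac_key = _subkeys(key)
    chunks = _chunks(plaintext)
    blobs = []
    for index, chunk in enumerate(chunks):
        nonce = os.urandom(12)
        ct = _xor(chunk, _keystream(enc_key, nonce, len(chunk)))
        blobs.append((nonce, ct, _tag(mac_key, file_id, index, len(chunks), nonce, ct)))
    return blobs


def decrypt_auth(key, file_id, blobs):
    enc_key, mac_key = _subkeys(key)
    out = []
    for index, (nonce, ct, tag) in enumerate(blobs):
        expected = _tag(mac_key, file_id, index, len(blobs), nonce, ct)
        # Fails on a swapped slot, a chunk from another file, a truncated
        # list (count mismatch) or any edited ciphertext byte.
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"chunk {index} failed authentication")
        out.append(_xor(ct, _keystream(enc_key, nonce, len(ct))))
    return b"".join(out)


def demo():
    """Run a malicious server against both schemes; returns what the client ends up with."""
    key = os.urandom(32)
    file_id = b"contract-v7"  # constructed
    plaintext = b"APPROVED: pay 1k" + b"DENIED: pay none" + b"signed by alice!"  # 3 chunks
    result = {}
    blobs = encrypt_unauth(key, plaintext)
    # 1. Reorder: server swaps chunks 0 and 1; the client decrypts a different document.
    result["unauth_swapped"] = decrypt_unauth(key, [blobs[1], blobs[0], blobs[2]])
    # 2. Bit-flip: no key needed, XOR into the ciphertext turns "1k" into "9k".
    nonce, ct = blobs[0]
    flipped = bytearray(ct)
    flipped[14] ^= ord("1") ^ ord("9")
    result["unauth_flipped"] = decrypt_unauth(key, [(nonce, bytes(flipped))] + blobs[1:])
    # 3. Same server tricks against the authenticated scheme.
    ablobs = encrypt_auth(key, file_id, plaintext)
    result["auth_roundtrip"] = decrypt_auth(key, file_id, ablobs)
    attacks = {"auth_swapped": (file_id, [ablobs[1], ablobs[0], ablobs[2]]),
               "auth_truncated": (file_id, ablobs[:2]),
               "auth_wrong_file": (b"other-file", ablobs)}  # injection from another file
    for name, (fid, served) in attacks.items():
        try:
            decrypt_auth(key, fid, served)
            result[name] = "accepted"
        except ValueError:
            result[name] = "rejected"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The weak scheme returns a cleanly reordered document and a silently edited amount; the hardened one rejects every served variant except the untouched original. This covers the server-side tampering classes from the paper; the separate problem the comment raises, a server shipping altered client code, is not something any in-band MAC can solve, and is the reason E2EE claims also depend on how the client is delivered and verified.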
Broken Cloud Storage
The Hacker News
Bleeping Computer
Cisco has "disabled public access" to DevHub, an environment providing customers access to code and other developer resources, after claims of a data breach surfaced online. The data alleged to have been exfiltrated and posted for sale may include "source code, API tokens, hardcoded credentials, certificates, and other secrets belonging to some large companies, including Microsoft, Verizon, T-Mobile, AT&T, Barclays, and SAP," though the company's official report characterizes the contents of the breach as "a small number of files that were not authorized for public download," explicitly ruling out Personally Identifiable Information (PII) and financial data, barring further discoveries. Cybersecurity professionals commenting on the breach emphasize that any stolen data, no matter how apparently significant, can be leveraged in unpredictable ways for intelligence or exploitation in future attacks, potentially allowing attackers to "pivot to more sensitive systems" from public-facing ones.
Last week, threat actors were spotted offering this information for sale on the dark web. The takeaway is to validate the security of your public-facing services, not only ensuring they are patched and secure, but also that they can survive an attack.
Japanese electronics company Casio is struggling to recover from an October 5 ransomware attack. Casio confirmed the attack on October 11 and said at the time that some data have been compromised and some of their systems had been rendered unusable. Casio has temporarily stopped accepting items for repair.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical deserialization of untrusted data vulnerability in various Veeam products to their Known Exploited Vulnerabilities (KEV) catalog. The flaw was initially disclosed in early September; CISA says that ransomware groups are now actively exploiting the vulnerability. Federal Civilian Executive Branch (FCEB) agencies have until November 7 to mitigate the issue.
A vocational school in the Swiss canton of Schaffhausen experienced a cyberattack on October 2. The Berufsbildungszentrum (BBZ) Schaffhausen said that the attackers gained initial access to the institution's systems through a gap in their firewall. BBZ Schaffhausen has not responded to the ransom demand. Officials are investigating the scope of the attack.
A 'gap in their firewall' is most likely attributable to poor configuration management. The Center for Internet Security offers free benchmark guidance for several commercial firewalls (Cisco, Check Point, Fortinet, etc.), to help you configure to a known security standard.
This is the latest in a string of attacks targeting German-speaking schools in the region, leveraging flaws in their perimeter. Make sure you're testing, validating, and updating ALL of your boundary control devices regularly.
A Network Nerd's Take on Emergency Preparedness
https://isc.sans.edu/diary/A+Network+Nerds+Take+on+Emergency+Preparedness/31356
HM Surf Vulnerability Access to Camera Exploited CVE-2024-44133
Fortinet releases patches for undisclosed critical FortiManager vulnerability
https://www.helpnetsecurity.com/2024/10/21/fortimanager-critical-vulnerability/
ScienceLogic Vulnerability
Microsoft 365: Partially incomplete log data due to monitoring agent issue
End-to-End Encrypted Cloud Storage in the Wild: A Broken Ecosystem
https://brokencloudstorage.info/paper.pdf
ESET Branded Malware
https://x.com/ESETresearch/status/1847192384448172387
Synology Update
https://www.synology.com/en-us/security/advisory/Synology_SA_24_17
Spring Framework Update CVE-2024-38819 CVE-2024-38820
https://spring.io/blog/2024/10/17/spring-framework-cve-2024-38819-and-cve-2024-38820-published
Grafana Security Release CVE-2024-9264
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.