
Cyber Intelligence Weekly (October 22, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight that we're back with another episode of our "Chew on This" webinar series, and you won't want to miss it! 🚀

📅 Save the Date: Wednesday, November 1st

🕛 Time: 1:00 PM ET

🎙️ Panelists: Matt Donato and Paul Interval

🌟 Special Guest: Christopher Hetner

This episode will delve deep into the vital relationship between a Virtual Chief Information Security Officer (vCISO) and a Chief Information Officer (CIO) in the realms of cybersecurity and overall business strategy.

This collaboration fortifies the organization's cybersecurity framework and bolsters its long-term success. We've designed this webinar especially for IT Executives and Leaders in medium-sized, growing businesses.

Mark your calendar and get ready to boost your cybersecurity and business strategy knowledge. We can't wait to see you there! 🤝💡

Link to register: https://www.linkedin.com/events/cios-chewonthis-shouldavcisobet7118338556552466432/theater/


Away we go!

1. Protecting Your Genetic Privacy: Responding to the 23andMe Data Breach

Well, this is exactly why I’ve personally never used a genetic testing service. In a concerning turn of events, a hacker known as Golem initially claimed to be selling account details from the popular genetic testing service, 23andMe, in early October. This data breach appeared to target specific ethnic groups, with one million users of Ashkenazi Jewish descent and 100,000 users of Chinese descent reportedly affected initially. However, the breach expanded rapidly, encompassing an additional four million general user accounts. The compromised data includes user display names, birth years, gender information, and some genetic ancestry results, though not the actual genetic data itself.

The breach was executed through a method known as "credential stuffing," where the hackers used previously leaked usernames and passwords from other data breaches to gain unauthorized access to 23andMe accounts. Once they successfully logged in, they scraped various information, including data shared with relatives through 23andMe's optional "DNA Relatives" feature, which allows users to connect with potential relatives on the platform.

The incident has raised significant concerns about genetic privacy and the lack of clear federal regulations protecting users of online genetic testing services like 23andMe. While 23andMe has taken steps to safeguard user data in the past, such as requiring individualized warrants for police access, the responsibility now falls on users to employ unique passwords and enable additional security measures like two-factor authentication.

If you're a 23andMe user, it's crucial to take immediate steps to secure your account. The company is currently mandating password changes and strongly recommends enabling two-factor authentication. Additionally, consider adjusting your display name in the DNA Relatives feature or disabling it if you don't use it to further protect your privacy. The Electronic Frontier Foundation (EFF) has a great set of recommendations to better protect your 23andMe account, or delete your data from the platform.

While there's no way to reverse the breach if your data has already been accessed, taking these precautions can help mitigate future risks. Genetic information is incredibly sensitive, and it's essential to ensure its protection, especially in an era where data breaches are becoming increasingly common.

2. Cisco's Critical Security Alert: 10,000+ Devices Compromised in Zero-Day Attack

Cisco is facing a critical security crisis as an unknown threat actor has been exploiting a zero-day vulnerability, tracked as CVE-2023-20198, in devices running IOS XE software. The attacker has already compromised more than 10,000 switches, routers, and other Cisco devices, according to security firm VulnCheck.


This vulnerability, residing in the Web User Interface of Cisco IOS XE software, allows attackers to create admin accounts with privilege level 15 access, effectively taking full control of the compromised device. The attacker can then remotely execute commands at the system or IOS level. While Cisco has yet to release a software patch, they are urging customers to take immediate measures to protect their devices.

The threat actor has been exploiting this zero-day since at least September 18. After gaining access to a vulnerable device, they create a local user account and deploy an implant that allows them to execute malicious commands. The implant, saved in the file path "/usr/binos/conf/nginx-conf/cisco_service.conf," is based on the Lua programming language and facilitates arbitrary command execution. It's essential for administrators of affected gear to search their networks for signs of compromise and follow recommended actions outlined in Cisco's advisory. More technical details of the issue, along with observed indicators of compromise (IOCs), can be found on the Cisco Talos website.
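One concrete way to start the search for signs of compromise described above is to triage each device's running configuration for the two things this issue leaves behind: privilege-15 local accounts nobody created on purpose, and an enabled web UI (Cisco's advisory at the time recommended disabling the HTTP Server feature on Internet-facing systems). The script below is an added example, not Cisco's or Talos' tooling; it parses the text of `show running-config`, and the sample config and the account name `cisco_tac_admin` are constructed.

```python
# Added example (not Cisco's tooling): triage the text of `show running-config`
# from an IOS XE device. Flags privilege-15 local accounts not on an allowlist
# (CVE-2023-20198 exploitation created such accounts via the web UI) and
# reports whether the web UI listeners are enabled. Sample config is constructed.
import re

SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed1
username cisco_tac_admin privilege 15 secret 9 $9$constructed2
username readonly privilege 1 secret 9 $9$constructed3
!
ip http server
ip http secure-server
!
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.MULTILINE)
HTTP_RE = re.compile(r"^ip http (secure-server|server)\s*$", re.MULTILINE)


def privilege15_users(config: str) -> list[str]:
    """Every local username configured with privilege level 15, in config order."""
    return [name for name, lvl in USER_RE.findall(config) if int(lvl) == 15]


def unexpected_admins(config: str, allowlist: set[str]) -> list[str]:
    """Privilege-15 accounts absent from the operator's known-good list."""
    return [u for u in privilege15_users(config) if u not in allowlist]


def webui_enabled(config: str) -> dict[str, bool]:
    """Whether 'ip http server' / 'ip http secure-server' are present."""
    found = set(HTTP_RE.findall(config))
    return {"http": "server" in found, "https": "secure-server" in found}


def triage(config: str, allowlist: set[str]) -> dict:
    """One device's findings; needs_review is True if anything warrants a look."""
    admins = unexpected_admins(config, allowlist)
    web = webui_enabled(config)
    return {"unexpected_admins": admins, "webui": web,
            "needs_review": bool(admins) or any(web.values())}


if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG, {"netops"}))
```

A flagged account is a lead, not proof: confirm against change records and the implant path and IOCs in Cisco's advisory before acting.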

This situation underscores the urgency of securing Internet-facing devices and adhering to best practices to prevent such vulnerabilities from being exploited. The impact of this breach is significant, highlighting the critical need for prompt action in the face of such cybersecurity threats.

3. Hired by Deception: How North Korean IT Workers Infiltrated U.S. Companies

In a complex and elaborate scheme, thousands of IT workers allegedly linked to North Korea managed to deceive U.S. companies into hiring them as remote developers and then covertly used the earnings to finance North Korea's weapons programs. The workers employed an array of tactics to conceal their true identities, including using fake web profiles, stolen identification documents, and Social Security numbers. They also paid U.S.-based individuals to conduct job interviews and web conferences on their behalf and gained access to the networks of U.S. companies that hired them to steal information.

The Department of Justice revealed that these IT workers had been dispatched by North Korea to live in China and Russia, where they operated under the guise of two companies—Yanbian Silverstar Network Technology in China and Volasys Silver Star in Russia. These companies allegedly coordinated deceptive work-for-hire operations, enabling North Korea to generate revenue while evading sanctions.

The elaborate operation has been ongoing for several years, and the U.S. government has taken measures to disrupt it, including seizing approximately $1.5 million in funds obtained through deception and confiscating 17 web domains used for marketing. While these actions have dealt a blow to the scheme, the FBI warns that North Korean activity is still ongoing, and companies must remain vigilant to avoid unwittingly hiring individuals involved in this operation.

The detailed court records and investigations reveal how these IT workers went to great lengths to maintain their cover, including using VPNs, counterfeit identity documents, and shell companies. This sophisticated operation has allegedly funneled millions of dollars into North Korea's weapons programs, posing a significant threat to international security and highlighting the need for robust cybersecurity measures.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
