Archive for October 7, 2023

23andMe Has Been Pwned… Millions Of Customers Affected

Posted in Commentary on October 7, 2023 by itnerd

It seems that DNA testing service 23andMe has been pwned, and it’s pretty bad:

23andMe has confirmed to BleepingComputer that it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack.

23andMe is a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and get back an ancestry and genetic predispositions report.

Recently, a threat actor leaked samples of data that was allegedly stolen from a genetics firm and, a few days later, offered to sell data packs belonging to 23andMe customers.

The initial data leak was limited, with the threat actor releasing 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.

A 23andMe spokesperson confirmed the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” stated 23andMe’s spokesperson

“We do not have any indication at this time that there has been a data security incident within our systems.”

“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

The information that has been exposed from this incident includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.

BleepingComputer has also learned that the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials.

The compromised accounts had opted into the platform’s ‘DNA Relatives’ feature, which allows users to find genetic relatives and connect with them.

Well, this is bad. And Ken Westin, Field CISO, Panther Labs explains why it’s bad:

This is a worry many in the Infosec community had regarding the DNA mapping industry. For the most part, the protection of DNA data has been unregulated — at best, it’s been treated like PII. This recent attack is incredibly troubling, as the attackers specifically targeted an ethnic group and exposed sensitive information about individuals based on ethnic heritage. The attackers in this case presented the Infosec community’s worst fears around using DNA data to target ethnic minorities. The slow pace of regulation and action by law enforcement around the use and protection of DNA data has created a perfect storm for adversaries to exploit and profit from incredibly sensitive data. I’m afraid to say this is just the first shoe to drop when it comes to the breach of DNA data.

Hopefully this event is a wake-up call for those in this industry. And hopefully this gets looked at by those in power, such as those in Congress, as there is clearly an issue here.
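The attack 23andMe describes above is credential stuffing: username/password pairs leaked from other sites are replayed against its login page, so each account sees only one or two attempts and per-account lockout never fires. The signal that does stand out is at the source: one IP (or a small pool) touching many distinct accounts in a short window, mostly failing, with a few successes scattered through the failures. The following is an added example, not code from 23andMe or BleepingComputer, showing that detection over constructed authentication log lines; the log format, field names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp source_ip username result" format.
# 203.0.113.7 sprays one attempt each across many accounts (two of them land);
# 198.51.100.9 is a single user mistyping their own password twice, then succeeding.
SAMPLE_LOG = """\
2023-10-01T02:14:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T02:14:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T02:14:02Z 203.0.113.7 carol@example.com OK
2023-10-01T02:14:03Z 203.0.113.7 dave@example.com FAIL
2023-10-01T02:14:03Z 203.0.113.7 erin@example.com FAIL
2023-10-01T02:14:04Z 203.0.113.7 frank@example.com FAIL
2023-10-01T02:14:05Z 203.0.113.7 grace@example.com OK
2023-10-01T02:14:05Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T02:30:00Z 198.51.100.9 alice@example.com FAIL
2023-10-01T02:30:04Z 198.51.100.9 alice@example.com FAIL
2023-10-01T02:30:09Z 198.51.100.9 alice@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, max_success_ratio=0.5):
    """Flag source IPs whose login attempts within any sliding `window`
    touch at least `min_accounts` distinct usernames with a success ratio
    no higher than `max_success_ratio`. The thresholds are assumptions;
    tune them to your own traffic.

    Returns {ip: {"attempts", "distinct_accounts", "compromised_accounts"}}
    describing the largest qualifying window seen for each flagged IP.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, ok in span if ok]
            if (len(users) >= min_accounts
                    and len(successes) / len(span) <= max_success_ratio
                    and (best is None or len(span) > best["attempts"])):
                best = {
                    "attempts": len(span),
                    "distinct_accounts": len(users),
                    # Accounts that accepted a replayed password: these need
                    # a forced reset and a review of what was read from them.
                    "compromised_accounts": sorted(successes),
                }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts across {info['distinct_accounts']} accounts; "
              f"successful logins to review: {info['compromised_accounts']}")
```

The second IP in the sample is deliberately a legitimate user retrying one account, and it is not flagged: the detector keys on account breadth per source, not on failure count per account. In practice the flagged successes are the actionable output, since those are the accounts whose reused passwords worked.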

North Korea’s Lazarus Group Targets Cryptocurrency Companies

Posted in Commentary on October 7, 2023 by itnerd

North Korea’s Lazarus group is targeting cryptocurrency companies as well as financial services and cybersecurity firms to help fund their military initiatives, blockchain analytics firm Elliptic said in a new report published this week:

The biggest rise of cross-chain crime is apparent in the field of crypto thefts, scams and Ponzi schemes and illicit laundering perpetrated by North Korea’s Lazarus Group. This elite cybercrime organization alone is now responsible for approximately 1/7th of all cross-chain crime we are tracking, having laundered over $900 million through these methods.

Ken Westin, Field CISO, Panther Labs had this to say:

North Korea’s Lazarus group has been targeting cryptocurrency companies as well as financial services and cybersecurity firms to help fund their military initiatives. Unlike other threat actors, who often target executives, Lazarus has been targeting developers. Through social engineering attacks targeting developers, their goal has been to gain access to privileged accounts and code repositories where they can steal secrets as well as compromise developers’ systems via malicious dependencies. Their efforts have proven to be quite lucrative, so we can expect them to double down on their efforts. By targeting cryptocurrencies, North Korea is able to circumvent financial sanctions and other limits imposed on the regime to fund their military efforts, taking advantage of the pseudo-anonymous nature of various cryptocurrencies.

North Korea is a clear and present danger, as they are plainly intent on doing whatever it takes to get around sanctions and make money. If you’re within their field of vision, you need to make sure that you’re as secure as possible so that you’re not their next target.

Record high ransomware leak site victims, record low dwell times

Posted in Commentary on October 7, 2023 by itnerd

According to Secureworks’ 2023 State of the Threat report, published on Thursday, in the four months from March to June 2023 the number of victims named on ransomware leak sites reached “unprecedented levels”, putting the year on track to be the biggest on record for victim naming.

The report, which presents insights from July 2022 to June 2023, identified the exploitation of three vulnerabilities as the main factors behind the record numbers:

  • March – Fortra GoAnywhere, exploited by Clop
  • May – Zimbra mail server, exploited by MalasLocker
  • June – MOVEit Transfer, exploited by Clop

As leak sites only list victims who have not paid the ransom and are not used by all ransomware groups, the researchers acknowledged that leak sites alone do not paint a complete picture of the state of ransomware.
 
Also noteworthy from the report: researchers found that the median dwell time was under 24 hours, a meaningful difference from 4.5 days during the previous 12 months, with 10% of cases seeing ransomware deployed within five hours of initial access.
 
“[…] threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high,” Don Smith, VP threat intelligence, Secureworks Counter Threat Unit said.

Emily Phelps, Director, Cyware had this comment:

   “Secureworks’ report highlights the consistency and speed at which threats evolve. With median dwell times decreasing to under 24 hours, adversaries appear to be moving to more efficient attacks that reduce the window of mitigation and response.

   “The accelerated nature of attack deployments and the noted move towards less complex, yet potent, operational tactics necessitate that enterprises leverage integrated security solutions, facilitating real-time intelligence sharing and automated responses to navigate the ever-changing ransomware landscape.”

Dave Ratner, CEO, HYAS had this comment:

   “The reduction in dwell time highlights just how important visibility and observability solutions are; once bad actors breach the network, you may have very little time to react before damage ensues. Relatedly, the examples of new entry points and supply-chain attacks highlight how difficult it is for traditional mechanisms to prevent these breaches. Combined, both data points demonstrate the criticality of a security-in-depth strategy for operational resiliency — specifically one that can address visibility of what is happening inside the environment and on the network in real-time.”

This should serve as a warning: ransomware attacks have reached a point where you cannot afford not to do everything possible to detect and prevent them in your environment. Given the facts in this report, failure to do so will result in bad things happening to your environment.

GitHub’s Secret Scanning to include AWS, Microsoft, Google, and Slack

Posted in Commentary on October 7, 2023 by itnerd

GitHub has announced that it has expanded its secret scanning “validity check” feature to include Amazon Web Services (AWS), Microsoft, Google, and Slack. The feature was introduced last December and was limited to scanning public repositories on the GitHub platform. “Secret scanning alerts notify you directly about leaked secrets in your code,” the company said at the time.

Validity checks alert users when exposed tokens found by secret scanning are still active. The company said it intends to support more tokens in the future.

GitHub also offers push protection to help developers secure code by scanning for secrets before they are pushed into the code base.

George McGregor, VP, Approov Mobile Security had this to say:

   “This is a great extension to an important service provided by GitHub. Knowing when your secrets have leaked is important, but equally important is what you do about it.

   “It is important to have a plan and have the tools in place to act immediately. In other words, to be able to rotate compromised secrets and keys in real-time without having to update code or upgrade apps.

   “That way GitHub provides the “early warning” about leaked secrets and a cloud based secret-management solution provides the ability to act quickly.”

I agree. This is a great way to avoid an “oops” moment that can have devastating consequences. I applaud GitHub for taking this step as this is one of those things that will make things better for all of us in the long term.
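The push protection described above works by matching the content being pushed against known token formats and refusing the push when one appears. The following is an added example, not GitHub’s own secret-scanning or push-protection code, that applies the same idea locally as a pre-commit check over the staged diff. The three patterns are the publicly documented prefixes (AWS access key IDs begin with `AKIA`, classic GitHub personal access tokens with `ghp_`, Slack tokens with `xox`); GitHub’s own pattern set is far broader and adds the provider-side validity check, which this local scan does not attempt. The sample input is constructed and every key in it is fake.

```python
import re
import subprocess
import sys

# Pattern name -> regex for a few well-known token formats. Assumption: this
# small set is what the local check looks for; it is not GitHub's pattern list.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9]{10,13}-[0-9A-Za-z-]+\b"),
}

# Constructed sample of "added lines" as they would come out of a staged diff.
# Every credential-looking string here is fake and built for the example.
SAMPLE_ADDITIONS = "\n".join([
    'config = {',
    '    "aws_access_key_id": "AKIAFAKEKEY000EXAMPL",  # constructed fake',
    '    "region": "us-east-1",',
    '}',
    'GITHUB_TOKEN = "ghp_' + "0" * 36 + '"  # constructed fake',
    'slack = "xoxb-1234567890123-abcdefABCDEF"  # constructed fake',
    'print("AKIA is just a prefix here, not a key")',
])


def redact(secret):
    """Keep enough of a match to locate it, never enough to reuse it."""
    return secret[:6] + "..." + secret[-4:]


def find_secrets(text):
    """Return [(line_number, pattern_name, redacted_match)] for every hit.

    Line numbers count lines of `text` itself; when `text` is the set of
    added lines from a diff, they index into that set, not the source file.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((lineno, name, redact(m.group(0))))
    return hits


def staged_additions():
    """Collect the '+' lines of the staged diff. Assumes git is on PATH and
    the working directory is inside a repository."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout
    return "\n".join(
        line[1:] for line in diff.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    )


if __name__ == "__main__":
    # Hook usage: copy to .git/hooks/pre-commit; a non-zero exit blocks the commit.
    hits = find_secrets(staged_additions())
    for lineno, name, redacted in hits:
        print(f"blocked: {name} in added line {lineno}: {redacted}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

The last sample line shows the limit of prefix matching: `AKIA` alone does not trigger the rule, because the pattern requires the full key shape. That is also why the server-side validity check matters: a local pattern match says a string looks like a key, while GitHub’s check says whether the provider still accepts it, which is what decides how urgently it must be rotated.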