Breaking Bad in cybersecurity – UK companies are warned that cybersecurity employees may moonlight on the dark web. Microsoft reveals that Russians hackers’ attack is still ongoing. A system used by US government states and agencies has a critical flaw and a new attack vector using fonts has been detected by marketing software Canva.
Welcome to Cybersecurity Today for Monday March 11th, 2024. I’m your host Jim Love, filling in for Howard Solomon.
A research report in the UK has uncovered highly skilled cybersecurity workers moonlighting on the dark web. Cyber security support body CIISec commissioned a study run over a six-month period from June to December 2023 and carried out by a former police office and covert operative who trawled dark web forums for job advertisements.
He found that cybersecurity professionals ranging from developers to pen testers were looking for additional work to increase their pay or filling in for jobs lost.
According to the research, the people advertising their services fell into three groups:
- highly skilled professionals with a decade of experience in security or IT. He found evidence of individuals currently working for a “global software agency”, professional pen testers offering to test cybercrime products, AI prompt engineers, and web developers.
- those who needed a “second job” or even made comments like “Christmas is coming, and my kids need new toys”.
- Some were just getting started in IT or security and were looking for work or further education
Some presented a portfolio of work as evidence of their skills.
Various hacking groups were also seeking to hire students and offered training services.
The research even uncovered an out-of-work voice actor advertising for phishing campaign opportunities, a “creative wizard” offering to “elevate your visual content”, a PR for a hacking group, and content writers.
But it’s not just people looking for additional pay.
“Gartner research shows that 25% of security leaders will leave the security industry by 2025 due to work-related stress – and that’s just leaders,” according to Amanda Finch, CEO of CIISec the company that did the report.
Further, Finch notes, “given the number of people projected to leave the industry, many of those will be desperate enough to seek work in an area that promises large rewards for their already-existing skills and knowledge. Preventing this means ensuring we are doing all we can as an industry to attract and retain talent.”
Could this situation apply to Canada and the US? Cyber security salary, pay, and conditions are low in the UK compared with Canada and the US, but there is still a trend of cybersecurity professionals leaving the industry due to stress and working conditions.
Listeners might remember that earlier this year, Russian state-sponsored hackers were caught spying on email accounts of some of Microsoft’s senior leadership team.
Now, Microsoft has disclosed that the attack continues, and that source code has also been stolen in what Microsoft is calling an ongoing attack.
The Nobelium Group or “Midnight Blizzard” as Microsoft now calls them is reported to be attempting to use “secrets of different types it has found” to further attack Microsoft and possibly its customers.
According to Microsoft, “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”
The blog post goes on to state that this has included access to their source code repositories and internal systems. The company also states that “to date, we have found no evidence that Microsoft-hosted, customer-facing systems have been compromised.”
The initial attack last year gained access to Microsofts systems and apparently source code by a “password spray attack” – where hackers use a dictionary of potential passwords. While this should normally be detected or rendered ineffective, Microsoft had configured a “non-production” test account without two-factor authentication enabled which allowed the Nobelium group to gain access.
Ironically, this attack took place just a few days after the company made a announcement that it planned to overhaul its security after a serious Azure cloud attack.
Microsoft has noted that they are continuing to investigate the ongoing attack and are committed to sharing what they learn.
A popular tool used by state and local governments in the US to handle public record request has defects that might have allowed hackers to download a files that are attached to record inquiries. That would include highly sensitive personal data including ID’s, fingerprints, child welfare documents and even medical reports according to a report in NextGov.
The platform is called GovQA. It’s a public records querying system designed by IT services provider company called Granicus. It is used by hundreds of government management centers in the U.S. to help offices sort records delivered to requesters through official public access channels.
The vulnerabilities, which have reportedly now been fixed, were discovered by an independent cybersecurity researcher Jason Parker who has previously discovered and reported security weaknesses in court record systems.
Parker reported the findings to the developer and to the Cybersecurity and Infrastructure Security Agency.
The vulnerabilities were related to access for Freedom of Information requests. These requests require the requestor to verify their identity so it is possible that information about the requestor could have also been divulged in addition to the records from the government systems, even the request was denied.
The system is used by at least 37 states and the District of Columbia, including courts and schools.
The developer assessed the vulnerabilities as “low severity” and it says it is “working with customers to encourage them to minimize the information they are collecting and disclosing” and has also “initiated a full review of the data elements that our customers have chosen to include” in the records request process.
Two cybersecurity experts who reviewed this disagreed and described the flaws as much greater than a “low severity”.
Matt “Jaku” Jakubowski, one of the organizers of the THOTCON hacking conference in Chicago, said the vulnerability is one of the worst he has ever encountered.
“[Fixing the flaws] wouldn’t be a complete rewrite of the software, but you find things like this, it makes me wonder what else is in there,” Jaku said in a recent interview for Next Gov
He added that what Parker had discovered would be hard to detect and these errors wouldn’t show up on vulnerability scanners. More troubling, according to Jaku is that this type of flaw allows hacker can edit or manipulate records without even having to login to the system.
Other experts state that these types of vulnerabilities may be fairly common in government systems which are increasingly being targeted by cybercriminals.
And finally a report in the Register notes that Canva, a very common application used in social media and marketing, has found three security vulnerabilities in fonts.
CVE-2023-45139 is a high-severity bug (7.5/10) Canva found this in FontTools – a library for manipulating fonts, written in Python. The flaw allows an untrusted XML file to be used.
CVE-2024-25081 and CVE-2024-25082 are both rated 4.2/10. They relate to tools like FontForge and ImageMagick.
Researchers put together a simple proof of concept in the form of a shell execution that allowed FontForge to open files to which it shouldn’t have access.
Chock this up to one more area of vulnerability to watch for.
And that’s it for this episode of Cybersecurity Today. As always, links to stories and other information will be included in the show notes posted at itworldcanada.com/podcasts. Look for Cybersecurity Today.
And normally when I fill in for Howard, he’s already written the stories for me, but this time he’s really taking time off and I’m on my own, so if you have comments, please send me a note at [email protected] or under the show notes at itworldcanada.com/podcasts
And if you want to catch up on other tech news, check out my daily news podcast Hashtag Trending which you can find in all the same places you find Cybersecurity Today – Apple, Google, Spotify or at itworldcanada.com/podcasts.
I’m your host Jim Love, filling in for Howard Solomon. Stay safe.