
Fortinet data breach loses 440 GB of data. Cyber Security Today for Monday, September 16, 2024

Welcome to Cyber Security Today. I’m your host, Jim Love.
On today’s show:
• Fortinet confirms a data breach after a threat actor claims to have stolen 440GB of data.
• The Port of Seattle refuses to pay ransom after a cyberattack disrupts Seattle-Tacoma International Airport.
• North Korean hacker group Lazarus targets Python developers with malicious coding tests.


In recent developments, cybersecurity firm Fortinet has confirmed a data breach after a threat actor named “Fortibitch” claimed to have stolen 440GB of data from the company’s Microsoft SharePoint server. The attacker posted on a hacking forum, sharing login credentials to what they allege is an S3 bucket containing the stolen data, potentially exposing it to other hackers.
Fortinet acknowledged that an unauthorized individual accessed a “third-party cloud-based shared file drive,” affecting a limited number of files and customers. However, specific details about the compromised data remain undisclosed.

This incident adds to a challenging year for Fortinet, which has faced multiple security issues in 2024, including:

While it’s important not to jump to conclusions, these events raise concerns about the security posture of a company that provides cybersecurity solutions globally. It’s a reminder of the persistent and evolving threats in the digital landscape, even for those at the forefront of cyber defense.

As investigations continue, the cybersecurity community will be watching how Fortinet responds and works to restore confidence in its products and services.
Sources include: The Cyber Security Hub

The Port of Seattle has confirmed that the Rhysida ransomware group was behind a cyberattack that disrupted operations at Seattle-Tacoma International Airport on August 24, 2024. This attack is part of a broader pattern of Rhysida targeting organizations across various sectors since May 2023.

Port officials reported that the ransomware encrypted parts of their computer systems, affecting services like baggage handling, check-in kiosks, ticketing, Wi-Fi, and parking. Despite these disruptions, officials say it is safe to travel from Seattle-Tacoma International Airport and use the Port’s maritime facilities.

In a firm stance against cybercrime, Steve Metruck, Executive Director of the Port of Seattle, stated they have no intention of paying the ransom, aligning with their commitment to responsible use of taxpayer dollars. However, this may lead to the threat actors publishing stolen data.

The Port’s response includes:

They have committed to notifying any individuals whose data may have been impacted. This incident underscores the ongoing threat of ransomware to critical infrastructure, highlighting the importance of robust cybersecurity measures.
Sources include: Port of Seattle official statement, Seattle-Tacoma International Airport Twitter

In a sophisticated cyberattack, the North Korean hacker group Lazarus is targeting Python developers with a malicious coding test disguised as a job recruitment process.
According to cybersecurity firm ReversingLabs, this scheme is part of the ‘VMConnect campaign’ first detected in August 2023. The attackers pose as recruiters from major U.S. banks like Capital One, approaching developers on LinkedIn with enticing job offers.
Here’s how the scam works:
1. Developers are directed to a GitHub repository containing a fake password manager application.
2. They’re asked to find and fix a bug in the code within a tight deadline.
3. The project includes malicious files that, when executed, deploy obfuscated malware capable of downloading additional payloads and awaiting commands from a control server.
The hackers make the scheme appear legitimate by impersonating reputable companies, providing professional-looking README files with detailed instructions, and imposing tight deadlines to discourage thorough code review that might reveal the malware.
This campaign highlights the evolving sophistication of cyberattacks targeting the software development community. It’s a reminder that even routine activities like coding tests can be weaponized by threat actors.
To stay safe, developers should:
• Verify the identity of recruiters and job offers independently.
• Take time to review code carefully, even under pressure.
• Use sandboxed environments when testing unfamiliar code.
ReversingLabs believes this campaign is still active as of July 31. Developers and organizations need to remain vigilant against these targeted attacks that exploit the job search process.
Sources include: ReversingLabs report, BleepingComputer
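
A static triage pass for the "review code carefully" advice above, added here as an illustration and not taken from ReversingLabs or the show: it parses each Python file in a take-home repository without executing it and flags decode-then-execute patterns, network or process imports, and committed bytecode that cannot be read as source. The call lists, tag names and sample strings are assumptions chosen for the example, not indicators from the VMConnect campaign.

```python
import ast
from pathlib import Path

# Heuristic lists (assumptions for this example, not campaign indicators).
EXEC_CALLS = {"exec", "eval", "compile", "__import__"}
DECODE_CALLS = {"b64decode", "b32decode", "unhexlify", "decompress"}
REMOTE_MODULES = {"socket", "urllib", "http", "requests", "subprocess"}

# Constructed sample sources; they are only parsed, never run.
SAMPLE_SUSPICIOUS = "import base64, urllib.request\nexec(base64.b64decode(BLOB))\n"
SAMPLE_BENIGN = "import json\n\ndef load(p):\n    return json.load(open(p))\n"

def scan_source(text):
    """Return heuristic tags for one Python source string, parsed but never executed."""
    try:
        tree = ast.parse(text)
    except (SyntaxError, ValueError):
        return {"unparseable"}  # source that will not parse deserves a manual look
    tags = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            # Plain names (exec) and attribute calls (base64.b64decode) both count.
            name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
            if name in EXEC_CALLS:
                tags.add("dynamic-exec")
            elif name in DECODE_CALLS:
                tags.add("decode")
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            if {m.split(".")[0] for m in mods} & REMOTE_MODULES:
                tags.add("network-or-process")
    return tags

def scan_repo(root):
    """Map each flagged file under root to its tags; committed bytecode is always flagged."""
    findings = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        if path.suffix == ".pyc":
            findings[rel] = {"compiled-bytecode"}  # opaque to source review
        elif path.suffix == ".py":
            tags = scan_source(path.read_text(encoding="utf-8", errors="replace"))
            if tags:
                findings[rel] = tags
    return findings

def high_risk(tags):
    """Decode-then-execute or unreadable code: review fully before running anything."""
    return {"dynamic-exec", "decode"} <= tags or bool(tags & {"compiled-bytecode", "unparseable"})
```

A clean result from heuristics like these does not make a repository safe to run; it only prioritises which files to read first, and unfamiliar code still belongs in a sandbox.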

That’s our show. You can find the show notes with links at technewsday.com or .ca—take your pick.
I’m your host, Jim Love. Thanks for listening.
