23andMe data theft, MGM’s $100M ransomware loss and the Azure VM breach
Hackers scrape 23andMe private user data using credential stuffing, MGM resorts suffer a $100 million hit from a ransomware attack and the Azure VM breach. Catch all this and more in this week’s edition of Cybersecurity Weekly.
Top Security Awareness Posters
1. Genetics firm 23andMe attributes user data leak to credential stuffing
23andMe recently acknowledged that user info from its platform was scraped and listed on hacking firms. The company attributes the leak to a credential stuffing attack, revealing that threat actors leveraged exposed credentials from other breaches to infiltrate user accounts. Notably, hackers first exposed data on a million customers and then offered to sell bulk data profiles for $1 to $10 per account. For reinforced safety, 23andMe recommends using two-factor authentication and fresh passwords for every platform.
2. MGM Resorts expected to suffer a $100 million loss from ransomware attack
Last week, MGM Resorts reported a $100 million ransomware hit due to a September cyberattack that exposed customer data. The attack affected MGM's website, reservation system and in-casino services. Scattered Spider, linked to the BlackCat/ALPHV ransomware group, executed the breach using social engineering. The fallout disrupted various MGM operations, but the company anticipates its cybersecurity insurance will cover the losses. MGM has restored most systems and offers affected customers free credit monitoring, urging them to watch for suspicious communications.
3. Hackers use breached SQL servers to target Azure cloud VMs
Microsoft has uncovered a recent attack where adversaries aimed to penetrate Azure cloud resources via an SQL Server instance. Attackers began by exploiting an SQL injection vulnerability in an application, granting them increased permissions on a Microsoft SQL Server in Azure Virtual Machine. They then tried to spread to more cloud assets using the server's cloud identity. However, Microsoft confirmed the attackers didn't succeed in this lateral movement. This attempt marks a rising sophistication in cloud attack methods, emphasizing the importance of securing cloud identities to safeguard SQL Server instances.
4. Chinese threat actors target semiconductor firms using Cobalt Strike
EclecticIQ recently identified a cyberespionage campaign targeting Chinese-speaking semiconductor companies. Using TSMC-themed lures, the attackers infected these firms with Cobalt Strike beacons. Intriguingly, the techniques observed resonate with those previously associated with Chinese government-supported threat groups. Although EclecticIQ hasn't clarified the initial compromise route, evidence points to spear-phishing and tools like the HyperBro loader as the likely vectors.
5. Critical TorchServe flaws put thousands of AI servers at risk
Oligo Security recently identified three severe vulnerabilities in TorchServe, a widely-used AI tool. Labeled "ShellTorch," these flaws allow attackers unauthorized access and potential server takeovers. Two vulnerabilities, CVE-2023-43654 and CVE-2023-1471, ranked 9.8 and 9.9 on the CVSS severity scale, facilitate remote code execution. Major companies using TorchServe, including Amazon and Google, face exposure to these risks. Amazon has urged users to apply updates to resolve these issues immediately.
Phishing simulations & training