CyberSecurity Knugget

Today’s news includes a joint Cybersecurity Advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warning about the Rhysida ransomware-as-a-service operation. The operation has targeted organizations in the education, manufacturing, information technology, and government sectors, gaining initial access through exploitation of external-facing remote services and through phishing campaigns, and then establishing persistence within the network. This is a serious threat that organizations need to be aware of and take immediate action to protect against.

Another concerning item is the discovery of previously unknown attack methods for escalating a compromise of a single endpoint into a network-wide breach in Google Workspace. The technique abuses an OAuth 2.0 refresh token stored by Google Credential Provider for Windows, and it poses a significant risk to Google Workspace users. Organizations using Google Workspace need to address this vulnerability immediately to prevent potential breaches.

Additionally, the phenomenon of “protestware” in open-source products has been highlighted, with scripts advocating political positions concealed in NPM packages. While the latest packages are not malicious, the finding underscores a persistent risk in open-source software: unintended or malicious functionality can lurk undetected in a dependency. This threatens the integrity and security of open-source software and requires immediate attention from the cybersecurity community.

Furthermore, the call for regulatory action against a supply chain threat involving compromised Android boxes and mobile devices shipped with malware is a significant consumer protection issue that regulatory authorities need to address. The threat puts consumers and their devices at risk, and regulatory action is necessary to protect against it.

Finally, the implication of the GRU’s Sandworm group in a campaign against Danish electrical power providers is a major concern for critical infrastructure security. The attack exploited a critical command injection flaw affecting Zyxel firewalls and targeted twenty-two companies in Denmark’s highly decentralized electrical power sector. It highlights the ongoing threat to critical infrastructure from sophisticated threat actors and requires immediate attention to bolster defenses and prevent future attacks.

Stay Well!