SANS NewsBites

Require Supply Chain Partners to Move to 2FA; Update Expo's App Dev Framework; More Mandates for 2FA

May 30, 2023  |  Volume XXV - Issue #43

Top of the News


2023-05-26

Latitude Financial Estimates Breach Will Cost Them AU$105 Million

Australia’s Latitude Financial Services has disclosed that a data security incident earlier this year will likely cost the company AU$105 million (US$68.6 million). In March 2023, hackers stole data belonging to 14 million of the lending company’s customers; Latitude declined to pay a ransom demand. Latitude was able to process transactions during the incident, but the company’s ability to originate new accounts and manage collections was severely disrupted for several weeks.

Editor's Note

This works out to a cost of about AU$7 per customer record exposed, on the low end – especially when weeks of business disruption happened. This figure is likely to be revised upward in the future. The telling quote from their presentation on what happened: “Threat actor obtained privileged credentials via a third-party vendor to access our systems.” Eliminating reusable passwords on privileged accounts is also critical to supply chain security.

John Pescatore

The announcement from Latitude is a good example of complete transparency, including being very specific on details. The announcement not only states that they now have a clean bill of health (no malicious activity since March 16th) and enumerates their resulting costs from the incident, but also informs customers that they are not expecting to pay dividends for the six months ending June 30, 2023.

Lee Neely

2023-05-27

Critical Flaw in Expo Development Framework Exposes OAuth Credentials

A critical API redirect vulnerability in the Expo application development framework puts OAuth and other services using the framework at risk of credential leakage. The issue was detected by researchers from Salt Labs; Expo developers have fixed the vulnerability.


2023-05-29

PyPI Mandates Two-Factor Authentication

The Python Package Index (PyPI) will require all project and maintainer accounts to employ two-factor authentication (2FA) by the end of this year. PyPI recommends using a security device or an authentication app. In the lead-up to the deadline, PyPI will begin limiting access to certain site functionality to those using 2FA; PyPI may also begin imposing the requirement on certain users and projects before the end of the year.

The Rest of the Week's News


2023-05-26

OneMain Financial Will Pay $4.25 Million Over Cybersecurity Control Failures

OneMain Financial has agreed to pay a $4.25 million penalty to the New York Department of Financial Services (DFS) for security issues detected during a DFS audit focused on OneMain’s cybersecurity policies and procedures between January 2017 and March 2020. According to NY DFS, “OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.”

Editor's Note

It is always good to see companies fined when they have documented cybersecurity policies that say “We do X, Y and Z” but it turns out they really don’t do X, Y or Z. Too many audits and certifications are just data calls that never actually discover that the walk doesn’t match the talk. The good news for OneMain is the fine is only about $2 per customer and may help them avoid a large future breach that would cost $100 per customer.

John Pescatore

The kicker is that after paying the fine, these deficiencies still need to be addressed. At its core, make sure you are actively managing third-party risk: implement a cybersecurity framework that includes application, insourced, outsourced and cloud-sourced services. Document your risk decisions, and make sure that you're re-assessing controls: trust but verify. Where you're using automation, make sure you understand what's checked and that it covers your environment, e.g. checking only for Windows events misses activity on your non-Windows systems.

Lee Neely

This is the second cybersecurity-related penalty levied by a New York State department over the last week [see SANS NewsBites Vol. 25, Num. 42]. In this case, OneMain Financial failed to fully implement the DFS 2017 cybersecurity regulation internally and as part of its third-party risk management process. In both cases the state maintains that the company did not maintain a standard duty of care to protect customer information. Let this serve as a wake-up call that lack of a demonstrable cybersecurity program has consequences.

Curtis Dukes

2023-05-27

ABB Acknowledges Security Incident Was Ransomware Attack

Zurich, Switzerland-based ABB, a US government contractor, has disclosed that it suffered a ransomware attack in early May; ABB also disclosed that the attackers stole data from company systems. The attack disrupted the company’s operations; key systems are now running as usual.


2023-05-29

US Defense Department Classified Cybersecurity Strategy

The US Department of Defense (DoD) has submitted its new classified cybersecurity strategy to Congress. The strategy “establishes how the Department will operate in and through cyberspace to protect the American people and advance the defense priorities of the United States,” according to an unclassified fact sheet. The updated strategy is “grounded in real-world experience” and incorporates lessons learned from the war in Ukraine.


2023-05-29

Unit 42: Mirai Variant is Being Used to Target IoT Devices

Researchers from Palo Alto’s Unit 42 have detected a malware campaign that uses a Mirai variant to target Internet of Things (IoT) devices. The threat actors are targeting Linux-based servers and networking devices through four known vulnerabilities: a Tenda G103 command injection vulnerability (CVE-2023-27076); a LB-Link command injection vulnerability (CVE-2023-26801); a DCN DCBI-Netlog-LAB remote code execution vulnerability (CVE-2023-26802); and a Zyxel remote code execution vulnerability.


2023-05-29

Lazarus Group is Exploiting Vulnerable Windows IIS Servers to Access Networks

Researchers at South Korea’s AhnLab Security Emergency Response Center (ASEC) have detected the North Korean state-sponsored Lazarus group exploiting vulnerable installations of Windows Internet Information Services (IIS) web servers to gain access to corporate networks. The ASEC blog post details “the DLL side-loading technique used by the threat actor during their initial infiltration process as well as their follow-up behaviors.”


2023-05-29

Sports Warehouse Will Pay $300,000 Fine Over Data Theft

New York’s attorney general has fined Sports Warehouse $300,000 for failing to adequately protect consumer data. The online sports gear retailer will also revamp its cybersecurity program. Sports Warehouse systems were breached in September 2021; the company was alerted to the incident by third parties in October of that year. The attacker brute-forced Sports Warehouse’s server authentication and accessed a server that was protected with only a static password. That server contained unencrypted customer data, including payment card information, dating back to 2002.


2023-05-27

CISA Adds Barracuda Vulnerability to KEV Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added an improper input validation vulnerability in the Barracuda Networks Email Security Gateway (ESG) Appliance to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies have until June 16 to mitigate the issue. Barracuda applied patches to all ESG appliances on May 20 and 21.

Internet Storm Center Tech Corner