Cyber attacks double since 2020

CybersecurityHQ News

Welcome reader to your CybersecurityHQ report

Brought to you by:

Cypago enables strategic decision making through a full Cyber GRC product suite to help you avoid business reputation impact, financial or client trust losses

CybersecurityHQ Update:

We're excited to introduce our soon-to-launch AI Resume Builder, along with an advanced suite of AI-powered productivity and job search tools. These tools are tailored to streamline your daily tasks and offer comprehensive support throughout your entire job search journey. All of this will be available through our premium membership. Stay tuned for more updates!

Storm-0501 targets hybrid cloud threat

Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-stage attack. Storm-0501, a financially motivated cybercriminal group, has been targeting hybrid cloud environments across multiple U.S. sectors, including government, manufacturing, and law enforcement. The group uses a mix of commodity and open-source tools to break into on-premises environments, exfiltrate sensitive data, steal credentials, and move laterally into cloud environments. Their campaigns often end in persistent backdoor access and ransomware deployment, with extortion as the goal.

Storm-0501 has been active since 2021, initially targeting U.S. school districts with the Sabbath ransomware. The group has since evolved into a Ransomware-as-a-Service (RaaS) affiliate, deploying various ransomware strains like Hive, BlackCat, and Embargo. Recently, they exploited vulnerabilities in software like Zoho ManageEngine and Citrix NetScaler to gain access to systems.

Their tactics involve leveraging compromised credentials to move laterally between on-premises and cloud environments, using tools like Cobalt Strike for command and control. Microsoft observed the group tampering with security tools and employing advanced encryption techniques in their ransomware campaigns. The group's ability to compromise hybrid environments poses significant risks, requiring organizations to bolster defenses and adopt strong security practices.

ICE signs $2M spyware contract

US Immigration and Customs Enforcement (ICE) has signed a $2 million contract with Israeli spyware vendor Paragon Solutions, covering a “proprietary solution” that includes licensing, hardware, and training. The contract was awarded under a rule reserved for unique services not available through competitive processes. It’s unclear whether Paragon’s spyware product, Graphite, is part of the deal.

Paragon has positioned itself as an ethical provider of surveillance tools for police forces and intelligence agencies, while the US government has been reshaping the spyware market by restricting vendors like NSO Group. Paragon's contract comes amidst its lobbying efforts, avoiding sanctions, and expanding its US presence. Founded by Israeli intelligence veterans, Paragon has attracted high-profile investments and aimed to break into the US market. The company’s growth raises questions about the responsible use of spyware and its alignment with human rights protections.

Governor Newsom vetoes AI safety bill

On Sunday, California Governor Gavin Newsom vetoed SB 1047, a bill that would have established the first AI safety measures in the US. The driving factor? Gov. Newsom has said in previous public statements that he believes such regulation “can have a chilling effect on the industry.”

Rather than leading the charge with government regulators, the governor has announced he will partner with those within the industry to come up with guardrails.

SB 1047 would have required AI developers to test their models and make public disclosures about their safety protocols. It would also have built in whistleblower protections for workers at these companies, making it easier for them to come forward if AI companies were breaking the rules. Much of the bill was based on voluntary agreements major AI players made with the White House last year, but under the bill those commitments would have been mandatory.

But the rules would have been largely theoretical. The bill specifically targeted systems that cost more than $100 million to build, larger than any known AI model yet.

In response, California Senator Scott Wiener, who co-authored the bill, said in a statement on X, “This veto leaves us with the troubling reality that companies aiming to create an extremely powerful technology face no binding restrictions from U.S. policymakers, particularly given Congress's continuing paralysis around regulating the tech industry in any meaningful way.”

Though Colorado and Utah have passed laws looking to limit AI’s perpetuation of bias in both employment and healthcare systems, this would have been the first broad regulation of the industry in the US.


FTC antitrust case against Amazon

The Federal Trade Commission (FTC) will proceed with its antitrust claims against Amazon, a federal judge has ruled. The claims Amazon must now face include that it used its market dominance to destroy rivals, manipulate merchants, and control prices.

Initially, reports seemed positive for the e-commerce juggernaut, as it was announced earlier this week that some claims would be dismissed. But the dismissed claims are now understood to be the minor state-law complaints, leaving the core allegations of violating federal antitrust law intact.

The case, whatever the outcome, will likely prove historic, and it is a keystone of FTC chair Lina Khan’s initiative to bring big tech companies into alignment with regulations. It is part of a larger movement targeting monopolistic practices in the tech sector. Similar lawsuits loom for Meta, Google, and Apple.

Cloudflare thwarts record DDoS attack

Cloudflare CEO Matthew Prince says the company mitigated a record-breaking DDoS attack, which peaked at 3.8 Tbps and 2.14 billion packets per second (Pps).

Cloudflare did not name the customer or hosting provider involved, but the company did post a blog giving some details about the month-long campaign, which included more than 100 hyper-volumetric attacks like the record-breaking one. Several of these exceeded the 2 billion Pps and 3 Tbps marks.

The attackers used compromised web servers, DVRs, and routers across multiple countries, targeting sectors such as financial services and telecoms.

Bizarre cybercrime tale uncovered

KrebsOnSecurity has a new post that details a bizarre, thrilling story of cybercrime, cryptocurrency, and corruption. The tale focuses on the criminal operations of one Adam Iza, known to some as “The Godfather.” He allegedly bribed LA sheriff’s deputies to run an intimidation and extortion racket against his rivals.

The FBI’s investigation into Iza has uncovered a mind-boggling crime scheme. It all centers on his cryptocurrency investment platform, Zort. Iza and his girlfriend spent investor money on a lavish lifestyle that included Lamborghinis, a $28 million Bel Air home, and a surgical procedure to lengthen his legs.

It is well worth a read, and you can check out the full story at KrebsOnSecurity.

Meta, T-Mobile face major fines

In more regulatory news this week, two major government fines came down on corporations for their handling of data.

The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited (MPIL) €91 million following an inquiry into the company’s mishandling of user passwords.

In April 2019, Meta disclosed that it had stored some user passwords in plaintext without encryption. This violated several provisions of the General Data Protection Regulation (GDPR). Failing to notify authorities of a data breach, failing to document the incident, and failing to implement proper security measures all added up to the large fine.

Deputy Commissioner Graham Doyle emphasized that storing passwords in plaintext poses significant risks, even if not made available to external parties.

T-Mobile is facing its own fine. To resolve a probe by the Federal Communications Commission, it has agreed to pay a total of $31.5 million: $15.75 million as a civil penalty and $15.75 million more over the course of two years to strengthen its cybersecurity.

The initial probe relates to four incidents, including two major ones. An August 2021 attack exposed 76.6 million customers’ data, and a later January 2023 attack exposed another 37 million. In the end, the fine cost T-Mobile 14 cents per exposed customer.

T-Mobile is the third largest mobile carrier in the US.

DOJ indicts Iranian election hackers

In a follow-up to an election story we’ve been covering, the US Department of Justice has indicted three Iranian nationals for allegedly hacking a 2020 presidential campaign. The indictment doesn’t say which candidate was affected, but it is likely linked to the hack of the Trump campaign.

The hackers, connected to Iran’s Islamic Revolutionary Guard Corps, allegedly used social engineering and spear-phishing operations to gain access to campaign accounts. They used that access to obtain documents, which they then tried to share with the press.

The US Treasury Department, for its part, is also offering a reward of up to $10 million to anyone who can provide information on the suspects.

Interesting Read

Cyber attacks double since 2020

October is Cybersecurity Awareness Month, and QBE started it with a grim celebration: releasing a new report estimating that major cyber attacks have doubled over the last four years. The new report, called Connected business: digital dependency fuelling risk, estimates that 2020 saw 103 major cyber attacks. This year, that number sits at 211.

These numbers highlight one major trend: attacks are targeting high-profile organizations more and more.

The researchers split these into two categories: disruptive and destructive. Disruptive attacks cause reversible harm, such as a DDoS attack taking a service offline. Destructive attacks, on the other hand, damage systems in ways that have real-world impact on people’s lives. Both kinds appear to be growing.

The report also highlights how operational technology organizations that control critical infrastructure, especially those running outdated systems, are now prime targets for ransomware. This is partly a matter of how much attackers stand to gain: the average payout to these groups hit $2 million in 2023. Larger companies, especially those with revenues above $5 billion, are more likely to pay ransoms to keep a disruptive attack from becoming a destructive one.

Of course, it wouldn’t be a cybersecurity report in 2024 without a large chunk devoted to hand-wringing over AI. But it’s more or less the same story we’ve heard all year: AI makes it easier for criminals to build, iterate, and launch sophisticated attacks, but this is balanced by AI making it easier to spot threats and defend against them.

Stay Safe, Stay Secure.

The CybersecurityHQ Team