This is your easyDNS #AxisOfEasy Briefing for the week of November 11th, 2024 our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.

To Listen/watch this podcast edition with commentary and insight from Joey Tweets, and Len the Lengend click here.

In this issue: 

• Hot Topic Data Breach: Millions Exposed, Hacker Demands Ransom Amid Retailer Silence
• Google’s Vertex AI Fixes Reveal Deep Vulnerabilities in Enterprise AI Security
• Iranian ‘Dream Job’ Attack Targets Aerospace with North Korean-Style Malware
• Inside the First Amendment Debate Over Texas’s Content Moderation Law
• Lazarus Group Exploits macOS Metadata Loophole to Evade Detection
  
  

Elsewhere Online:

• Bitdefender Releases Free Decryptor for ShrinkLocker Ransomware
• Government Charges Hackers for Stealing AT&T Customer Data
• Third-Party Vendor Breach Exposes Amazon Employee Data
• Tibetan Websites Hacked, Visitors at Risk of Malware Infection
• Amazon Among 27 Companies Hit in Massive Employee Data Leak

Hot Topic Data Breach: Millions Exposed, Hacker Demands Ransom Amid Retailer Silence

Millions of Hot Topic customers were notified by breach tracking service Have I Been Pwned (HIBP) that their personal data, including email addresses, physical addresses, phone numbers, purchase history, genders, and dates of birth, had been compromised in an October breach. Partial credit card details, including card type, expiration dates, and the last four digits, were also affected. Despite its scale, Hot Topic, with over 640 U.S. stores, has neither confirmed the breach nor responded to inquiries.

The breach reportedly occurred on October 19, and on October 21, a hacker using the alias “Satanic” claimed responsibility on the cybercrime forum BreachForums. Satanic alleges they stole 350 million user records from Hot Topic, Box Lunch, and Torrid, initially attempting to sell the data for $20,000 before demanding a $100,000 ransom to take down the information. As time passed without success, Satanic lowered the price to $3,500.

Hudson Rock, a cybersecurity firm, suggests the attacker may have used credentials stolen via infostealer malware to access Hot Topic’s analytics platform, gaining access to the retailer’s cloud environment. Yet, Hot Topic has not informed customers or any state attorneys general, marking an unusual delay in disclosing the breach and addressing regulatory obligations.

Read: https://techcrunch.com/2024/11/13/hot-topic-data-breach-exposed-personal-data-of-57-million-customers/

Google’s Vertex AI Fixes Reveal Deep Vulnerabilities in Enterprise AI Security

Google’s Vertex AI platform, used by enterprises for custom LLM and ML model development, recently faced serious security vulnerabilities, discovered by researchers at Palo Alto Networks’ Unit 42. These flaws included a privilege escalation vulnerability within the “custom jobs” feature, which allowed attackers to exploit custom job permissions to gain unauthorized access to all project data services. An even more severe “malicious model” vulnerability could enable attackers to deploy a “poisoned model” on Vertex AI, leading to the exfiltration of proprietary AI and ML models across the platform.

The Vertex AI Pipelines feature, used for running custom training jobs, was particularly vulnerable to these exploits, given its reliance on a “service agent” identity with excessive permissions. Attackers could manipulate this feature to inject commands or create a backdoor, effectively enabling model-to-model infection scenarios, where one malicious model compromises an entire AI environment.

Google, alerted by Unit 42, swiftly implemented fixes on Google Cloud Platform. However, the incident highlights the security risks in AI environments. Unit 42 advises limiting permissions, segregating development from production, and thoroughly vetting models, especially from public repositories, as unverified deployments can jeopardize enterprise-level AI assets.

Read: https://www.darkreading.com/cloud-security/google-ai-platform-bugs-proprietary-enterprise-llms

Iranian ‘Dream Job’ Attack Targets Aerospace with North Korean-Style Malware

The “Iranian Dream Job Campaign,” active since September 2023, targets the aerospace industry with fake job offers orchestrated by Iranian threat actor TA455 (UNC1549). ClearSky Cyber Security recently revealed in a Nov. 12 post that TA455 distributes SnailResin malware, which activates the SlugResin backdoor. This malware, linked to the Iranian subgroup Charming Kitten (also known as APT35), shows striking similarities to malware used by North Korea’s Kimsuky/Lazarus groups. This overlap has led researchers to speculate that Charming Kitten may be either mimicking Lazarus Group tactics to conceal its actions or sharing tools with North Korea, suggesting possible cooperation or resource exchange.

SlashNext Email Security’s Stephen Kowski explains that TA455 leverages AI to refine its targeting, homing in on sectors where valuable intellectual property, like aerospace, is concentrated. Traditionally broad-based attacks focused on universities are now tailored, using social engineering tactics that appear legitimate, and weaponized PDFs and archives. Legacy email security often fails against these precisely targeted attacks, heightening the need for advanced, real-time detection.

Critical Start’s Sarah Jones and SentinelOne’s Tom Hegel add that attackers now exploit personal channels like LinkedIn and personal email, sidestepping corporate defenses. Job seekers’ desire for career advancement makes them particularly vulnerable, emphasizing the need for employee education on the risks of unsolicited job offers and social media interactions.

Read: https://www.scworld.com/news/iranian-threat-group-targets-aerospace-workers-with-fake-job-lures

Inside the First Amendment Debate Over Texas’s Content Moderation Law

Texas’s 2021 social media law, H.B. 20, seeks to curb platforms like X, Facebook, Instagram, and YouTube from banning users based on political views. The law mandates that these platforms file regular reports on removed content, implement a complaint system, and disclose content moderation practices. Plaintiffs NetChoice and the Computer & Communications Industry Association argue H.B. 20 violates First Amendment rights by infringing on platforms’ editorial discretion.

After the Supreme Court avoided a constitutional ruling, it directed lower courts to clarify H.B. 20’s reach. The Fifth Circuit, led by Judge Andrew S. Oldham, returned the case to the Western District of Texas, calling for a full examination of which activities and actors H.B. 20 governs. This includes analyzing if the law imposes unconstitutional burdens on platforms’ editorial choices.

Oldham emphasized identifying specific moderation practices affected, contesting Texas’s stance that such details are unnecessary. His order insists on understanding H.B. 20’s operational impact to resolve if the law intrudes on “protected editorial discretion.” The district court must now untangle these fact-intensive questions to determine if H.B. 20’s application overly restricts these companies’ right to moderate content as they see fit.

Read: https://reclaimthenet.org/texas-social-media-free-speech-law-faces-new-scrutiny-in-first-amendment-fight

Lazarus Group Exploits macOS Metadata Loophole to Evade Detection

The Lazarus Advanced Persistent Threat (APT) group is using a novel malware tactic on macOS by embedding malicious code in custom extended attributes, a file metadata area usually innocuous but now exploited to evade security measures, as observed by Group-IB. Lazarus leverages this technique to conceal malware while bypassing antivirus detection, echoing its 2020 approach with Bundlore adware, which hid payloads in resource forks. Their latest creation, a Trojan named “RustyAttr,” is built on the Tauri framework, blending a web frontend with a Rust backend to execute stealthily on macOS. Tauri’s interface commands allow the malware to run undetected, even on VirusTotal.

Group-IB also uncovered Lazarus’s use of fake decoy elements, including PDFs linked to cryptocurrency and project development, plus bogus system messages that distract users while the malware fetches further scripts from Lazarus-controlled command-and-control (C2) servers. Files reference past Lazarus campaigns like the RustBucket malware from 2023, suggesting operational continuity. Critically, code smuggling through extended attributes is absent from the MITRE ATT&CK framework, marking it as an uncharted evasion tactic. While no direct victims are identified, Group-IB attributes the activity to Lazarus with moderate confidence. Cybersecurity experts advise keeping Apple’s Gatekeeper active to protect against these stealthy intrusions.

Read: https://www.infosecurity-magazine.com/news/lazarus-extended-attributes-macos/

Elsewhere Online:

Bitdefender Releases Free Decryptor for ShrinkLocker Ransomware
Read: https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html

Government Charges Hackers for Stealing AT&T Customer Data
Read: https://techcrunch.com/2024/11/12/snowflake-hackers-identified-and-charged-with-stealing-50-billion-att-records/

Third-Party Vendor Breach Exposes Amazon Employee Data
Read: https://www.darkreading.com/cloud-security/amazon-employee-data-compromised-moveit-breach

Tibetan Websites Hacked, Visitors at Risk of Malware Infection
Read: https://www.securityweek.com/chinese-hackers-target-tibetan-websites-in-malware-attack-cybersecurity-group-says/

Amazon Among 27 Companies Hit in Massive Employee Data Leak
Read: https://hackread.com/data-vigilante-employee-records-amazon-hp-others/