September has seen the return of some older techniques with a new flavour, and some of the largest data breaches, by number of records and total size of data stolen, that we have seen in 2023.

New/Improved Techniques

ZeroFont Phishing

The ZeroFont attack methodology was first documented in 2018, and is a technique intended to exploit flaws in natural language processing (NLP) and AI systems in email security platforms, and how they analyse text. The technique allows attackers to insert words and characters in an email with a font size set to zero, rendering the text invisible to humans, but readable by NLP algorithms. This allows malicious actors to attempt to evade security filters by inserting benign content to skew the interpretation of the content and the resulting security checks.

A new wave of phishing campaigns has recently been seen utilising a new variant of this technique, whereby the attackers craft an email so that the zero-font content is displayed in the preview pane. These campaigns aim to replicate advanced threat protection (ATP) tagging on emails by inserting the zero-font content at the beginning of the email, lulling end users into believing that a malicious email has been scanned by enterprise ATP and is clean.
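As an added illustration (not from the original newsletter), the following Python script separates the text a human would see from text hidden by a zero-size inline font, which is the comparison a mail filter has to make, and reports whether the hidden text opens the body, as in the preview-pane variant. The sample email body is constructed for this example, not a real campaign artefact.

```python
import re
from html.parser import HTMLParser

# Inline-style declarations that collapse text to zero size (0, 0px, 0pt, 0em, 0%).
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # never pushed on the stack

class ZeroFontScanner(HTMLParser):
    """Separates the text a human sees from text hidden by a zero-size font."""
    def __init__(self):
        super().__init__()
        self.stack = []             # (tag, hidden?) for each open element
        self.visible, self.hidden = [], []
        self.first_chunk_hidden = None
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        inherited = self.stack[-1][1] if self.stack else False
        style = dict(attrs).get("style") or ""
        self.stack.append((tag, inherited or bool(ZERO_FONT.search(style))))
    def handle_endtag(self, tag):
        # Pop back to the matching open tag so sloppy HTML cannot desync the stack.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                return
    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        hidden = bool(self.stack) and self.stack[-1][1]
        if self.first_chunk_hidden is None:
            self.first_chunk_hidden = hidden
        (self.hidden if hidden else self.visible).append(text)

def scan_email_html(html):
    """Return visible text, hidden text, and whether hidden text opens the body."""
    p = ZeroFontScanner()
    p.feed(html)
    p.close()
    return {"visible": " ".join(p.visible), "hidden": " ".join(p.hidden),
            "hidden_leads": bool(p.first_chunk_hidden)}

# Constructed sample, not a real phishing email: the zero-font line is what the
# preview pane would show; the visible paragraphs are the lure.
SAMPLE = ('<html><body><span style="font-size:0px">Scanned by Advanced Threat '
          'Protection: no threats detected</span><p>Your mailbox is almost full.</p>'
          '<p><a href="https://example.invalid/login">Sign in</a> to free up space.</p>'
          '</body></html>')
```

Any non-empty hidden text is worth flagging; hidden text that leads the body is the specific pattern this month's campaigns rely on.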

Bing Chat Malicious Advertisement

Earlier in the year, Microsoft implemented advertising into their Bing Chat responses to generate revenue from the platform. While malicious actors using legitimate advertising services to push their malicious sites is nothing new, these results when provided by an AI interaction can imbue users with a misplaced sense of trust. Although advertising results generated by Bing do label these as ‘promoted’, historically, end users have a hard time noticing these warnings, especially when it is included above the legitimate result in the pop-out link.

As the recent release of Bing Chat Enterprise has included the ability to push advertising in query results, organisations should consider providing guidance to their staff on the trustworthiness of AI generated links, and the risks around following advertisement links.

Attacks / Threats

[US] MGM Resorts Shuts Down IT Systems

MGM International were forced to shut down a large portion of their IT systems in an attempt to mitigate a cybersecurity issue. Various systems including casino machines, room access cards, phone and hotel systems were offline for up to a week. Although MGM were quick to respond to the malicious access to their systems, a number of customer records including names, contact details, driver's licence numbers, social security numbers, and passport numbers were exposed. Company officials released a statement saying that no bank account or payment card information was compromised.

The malicious actors socially engineered access to MGM systems through the internal technical call centre, but the swiftness of the MGM response meant that core systems were protected. MGM declined to pay the ransom, instead opting to rebuild systems and invest in remediating the impact of the stolen information by offering identity protection and credit monitoring assistance. The financial impact to MGM is expected to top $100 million.

[Global] International Criminal Court System Breach

The International Criminal Court (ICC) revealed that they had detected unusual activity on their network and had initiated a cyber incident response. The Hague-based organisation (established in 2002) are currently investigating 17 incidents, including the situation in Ukraine that made headlines in March when they issued an arrest warrant for Russian President Vladimir Putin, leading to speculation that Russian actors may be behind the attack. In 2022, a Russian military agent posing as a Brazilian national was discovered attempting to enter the ICC internship programme with an elaborate backstory, believed to be part of a multi-year GRU operation against the court.

While the ICC declined to comment on what data may have been affected, the court regularly handles highly sensitive documents containing criminal evidence, victim, and witness information that could be of significant value to nation-state actors. The Dutch Government’s National Cyber Security Centre has been assisting in the investigation, and the court have committed to taking steps to strengthen their cybersecurity.  

[Global] TeamPhisher Campaign

A campaign by initial access broker group Storm-0324 has been noticed abusing a vulnerability in Microsoft Teams which was first reported in July 2023 and did not meet Microsoft's benchmark for remediation. Initial access brokers are groups that specialise in gaining access to corporate environments, with the intention of selling this access to other criminal groups once established – sometimes to several concurrently. Storm-0324 have been using a publicly available open-source tool based on the proof-of-concept exploit released by the U.S. Navy, which allows the POST request for an external message to be maliciously edited to appear as a message from an internal user.

Microsoft has committed to improving their defence against these threats, including a front-end Block/Accept prompt for pre-empting one-on-one external communication requests. Additionally, they have improved restrictions and notifications for tenant admins around new domain creation, as breached enterprise tenants with new domains are the primary source of these malicious interactions. Microsoft have been working with breached organisations to suspend the malicious domains.

[NZ] Auckland Transport Authority Breach

A cyber incident in mid-September has affected the Auckland Transport Authority (TA) HOP card system, impacting commuters’ ability to top up their HOP cards. The Medusa ransomware gang claimed responsibility for the attack, and threatened to dump information stolen in the attack if not paid a $1 million ransom. Dean Kimpton, the chief executive, released a statement indicating that they would not engage with the malicious party.

While the HOP system was impacted, commuters in the Auckland region were allowed to travel for free if they had no balance (although those with balance on their cards were still expected to pay) and systems were restored to full functionality by early October.

[US] Google to pay $93 Million to Settle Lawsuit

The California Department of Justice announced that Google will be required to pay $93 million to settle a privacy lawsuit, after the technology giant violated the state’s consumer protection laws. The investigation found that Google had been deceptive in their practices related to the collection, retention, and utilisation of user location data, even when users believed they had disabled location tracking on their devices. The core issue was the discrepancy between user expectation and Google’s location tracking practices: Android users were under the impression that turning off Location History would disable location tracking, while another account setting, enabled by default, provided Google the ability to collect this data anyway.

Google have a sordid history of privacy breaches and anti-competitive behaviour, resulting in eye-watering fines; since 2020 the company has racked up over $1 billion USD in fines. The company were also forced to pay $1.7 billion in 2019 and $2.7 billion in 2017 relating to their aggressive manipulation of search and advertising results to favour Google products and block competitors' results.

[Global] Microsoft Expose 38TB of Private Data

The Microsoft AI research division was found to have left a misconfigured Azure Blob storage bucket exposing a large amount of data, including personal Microsoft employee data for nearly 3 years – beginning in 2020. The employee data included passwords for Microsoft services, secret keys, and a trove of over 30,000 Microsoft internal Teams messages.

The exposure occurred due to an overly permissive Shared Access Signature (SAS) token, which provided full control over the shared files and was challenging to monitor or revoke. These tokens pose a significant security risk, as Microsoft does not provide a centralised management solution. They can be configured to provide full access and have no upper limit on their expiry date. The SAS token was initially set up to allow Microsoft to contribute open-source AI learning models to a public GitHub repository, and has since been revoked to mitigate the issue. Microsoft downplayed the issue, noting that “no customer data was exposed, and no other internal services were put at risk because of this issue”.
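Because SAS tokens carry their permissions, scope and expiry in the URL's query string, the properties the paragraph above calls out can be checked before a link is shared. The Python audit below is an added example, not Microsoft's tooling or the code involved in this incident; the seven-day lifetime ceiling is an assumed policy value and the two sample URLs are constructed with placeholder signatures.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit
# SAS "sp" letters that let the holder change data: add, create, write,
# delete, permanent delete. "l" (list) is checked separately.
WRITE_PERMS = set("acwdx")
MAX_LIFETIME = timedelta(days=7)   # assumed policy ceiling for a shared link
AS_OF = datetime(2023, 9, 30, 0, 30, tzinfo=timezone.utc)  # fixed clock for the samples

def _sas_time(value):
    """SAS times are ISO 8601 UTC, e.g. 2023-09-30T01:00:00Z or a bare date."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_sas_url(url, now=None):
    """Return findings for an Azure Storage SAS URL; an empty list means the
    token is read-only, blob-scoped, HTTPS-only and expires within MAX_LIFETIME."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params:
        return ["no 'sig' parameter: not a SAS URL"]
    findings, perms = [], set(params.get("sp", ""))
    if perms & WRITE_PERMS:
        findings.append(f"write/delete permissions granted: sp={params['sp']}")
    if "l" in perms:
        findings.append("list permission (l): everything in scope can be enumerated")
    if "ss" in params or "srt" in params:
        findings.append("account-level SAS: scope is the whole storage account")
    elif params.get("sr") == "c":
        findings.append("container-scoped SAS (sr=c) rather than a single blob")
    if params.get("spr", "https,http") != "https":
        findings.append("plain HTTP permitted (spr missing or includes http)")
    if "se" not in params:
        findings.append("no expiry (se) on the token")
    else:
        expiry = _sas_time(params["se"])
        if expiry < now:
            findings.append(f"token expired at {params['se']}")
        elif expiry - now > MAX_LIFETIME:
            findings.append(f"expiry {params['se']} is {(expiry - now).days} days away")
    return findings

# Constructed sample URLs; the signatures are placeholders, not real tokens.
OVERLY_BROAD = ("https://example.blob.core.windows.net/models?sv=2021-06-08"
                "&ss=b&srt=sco&sp=rwdlacx&se=2050-01-01T00:00:00Z&sig=CONSTRUCTED")
SCOPED = ("https://example.blob.core.windows.net/models/weights.bin?sv=2021-06-08"
          "&sr=b&sp=r&st=2023-09-30T00:00:00Z&se=2023-09-30T01:00:00Z&spr=https"
          "&sig=CONSTRUCTED")

if __name__ == "__main__":
    for name, url in (("overly broad", OVERLY_BROAD), ("scoped", SCOPED)):
        print(name, audit_sas_url(url, now=AS_OF) or ["ok"])
```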

[UK] Digital Protection Firm DarkBeam Expose 3.8 Billion Records

An unprotected Elasticsearch and Kibana data visualisation interface has exposed 3.8 billion records relating to data breaches, including over 200 million credential pairs. DarkBeam had been collating the database to provide alerting to their customers in the event of a data breach, meaning that the data they exposed had already been leaked in prior attacks. DarkBeam immediately remediated the issue upon being alerted, but are yet to publicly comment on the situation.

While the exposed data does not represent any new information that may be utilised by malicious actors, the reputational damage to a specialist cyber intelligence company for this type of incident is likely to be high.