The Week in Security: Third-party breach exposes customer to LockBit, countries team to block DDoS

This week: Yet another third-party vendor breach leaves its customer vulnerable to a ransomware attack. Also: The UAE teamed up with Israel to defend against a major DDoS attack.

This Week’s Top Story

Chip-maker TSMC blames third-party breach for LockBit ransomware demand

The Taiwan Semiconductor Manufacturing Company (TSMC) is blaming one of its hardware IT vendors for a breach of its systems. Ransomware gang LockBit has claimed responsibility for the attack, and its affiliate, the National Hazard Agency, showed proof of this by posting screenshots of stolen TSMC files’ directory listings on the gang’s leak site. The LockBit affiliate is giving TSMC until August 6, 2023 to pay a ransom of $70 million for the stolen files. If the ransom is not paid by this date, the National Hazard Agency is threatening to publish “points of entry” into TSMC’s network, passwords, and login information.

Kinmax Technology, a Taiwan-based system integrator, serves as TSMC’s hardware IT vendor, and also works with major technology companies like Microsoft and Cisco. TSMC believes that Kinmax experienced a system breach that exposed the company’s customers to cyber threats, causing TSMC to be breached. Once the breach occurred and TSMC was made aware, they immediately terminated their data exchange with Kinmax “in accordance with the company’s security protocols and standard operating procedures,” TSMC said. The company also made it known that their business operations were not impacted by the breach, and none of their customers’ information was compromised.

This incident is just the latest example of how third-party suppliers can pose major security risks to the organizations who rely on them. In the case of Kinmax, attackers intruded the company’s internal testing environment on June 29, which gave them unauthorized access to the system installation preparation information. Kinmax apologized for the incident, and noted that “at present, no damage has been caused to the customer and the customer has not been hacked by it.” At this time, neither Kinmax nor TSMC has confirmed that LockBit stole TSMC’s data, and neither of them have publicly committed to paying the $70 million ransom.

News Roundup

Here are the stories we’re paying attention to this week…

Israel Aided UAE in Defending Against DDoS Attack (Dark Reading)

Israel earlier this year aided the United Arab Emirates (UAE) in helping repel a major distributed denial-of-service (DDoS) attack. This incident was just one of many attacks the Middle East has been facing that seem to result from MuddyWaters - a group with ties to Iran’s Islamic Revolutionary Guard Corps (IRGC). The UAE and Israel have come together in response to create the Crystal Ball Project, a cybersecurity co-op designed to detect and repel future attacks.

Japan's Nagoya Port Suspends Cargo Operations Following Ransomware Attack (Security Week)

The Nagoya Harbor Transportation Authority suspended all cargo operations after an incident impacted the Nagoya United Terminal System (NUTS), the computer system used to operate the port’s five cargo terminals. The port located in central Japan accounts for 10% of Japan’s total trade value. Operations should resume by July 6th.

New Python tool checks NPM packages for manifest confusion issues (Bleeping Computer)

Following the warning of an ex-GitHub employee about npm’s manifest confusion problems, a security research and system administrator has taken finding a solution into his own hands. He has developed and released a tool that can help users check for manifest mismatches in packages from the NPM JavaScript software registry. Thus, allowing developers to use npm packages with peace of mind as it checks for the vulnerability exposed by the ex-employee. It is recommended to use this tool until GitHub responds to the issue.

Ransomware Criminals Are Dumping Kids' Private Files Online After School Hacks (Security Week)

School systems in the U.S. are continuing to suffer from ransomware attacks. The Minneapolis Public School system, for example, refused to pay a $1 million ransom after being attacked earlier this year. Cybercriminals responded to Minneapolis public schools’ refusal by releasing confidential documents detailing students’ intimate, graphic, and raw details of abuse, mental health, and more.

Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets (The Hacker News)

A new Window-based information stealer, Evasive Meduza, has created another sign of a crimeware-as-a-service (CaaS) ecosystem. Anyone with access to underground sites can buy this malware for a variety of prices and subscriptions. What makes this CaaS offering even more alarming than previous for-sale malware families is its craftiness. It can eschew obfuscation techniques and terminate itself should connection to the attacker's server fail. It highlights the growing guile of many crimeware developers, and the ease of which almost anyone can gain access to their creations.