Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: Yet another third-party vendor breach leaves its customer vulnerable to a ransomware attack. Also: The UAE teamed up with Israel to defend against a major DDoS attack.
This Week’s Top Story
Chip-maker TSMC blames third-party breach for LockBit ransomware demand
The Taiwan Semiconductor Manufacturing Company (TSMC) is blaming one of its hardware IT vendors for a breach of its systems. Ransomware gang LockBit has claimed responsibility for the attack, and its affiliate, the National Hazard Agency, showed proof of this by posting screenshots of stolen TSMC files’ directory listings on the gang’s leak site. The LockBit affiliate is giving TSMC until August 6, 2023 to pay a ransom of $70 million for the stolen files. If the ransom is not paid by this date, the National Hazard Agency is threatening to publish “points of entry” into TSMC’s network, passwords, and login information.
Kinmax Technology, a Taiwan-based system integrator, serves as TSMC’s hardware IT vendor, and also works with major technology companies like Microsoft and Cisco. TSMC believes that Kinmax experienced a system breach that exposed the company’s customers to cyber threats, causing TSMC to be breached. Once the breach occurred and TSMC was made aware, they immediately terminated their data exchange with Kinmax “in accordance with the company’s security protocols and standard operating procedures,” TSMC said. The company also made it known that their business operations were not impacted by the breach, and none of their customers’ information was compromised.
This incident is just the latest example of how third-party suppliers can pose major security risks to the organizations who rely on them. In the case of Kinmax, attackers intruded the company’s internal testing environment on June 29, which gave them unauthorized access to the system installation preparation information. Kinmax apologized for the incident, and noted that “at present, no damage has been caused to the customer and the customer has not been hacked by it.” At this time, neither Kinmax nor TSMC has confirmed that LockBit stole TSMC’s data, and neither of them have publicly committed to paying the $70 million ransom.
Here are the stories we’re paying attention to this week…
Israel Aided UAE in Defending Against DDoS Attack (Dark Reading)
Israel earlier this year aided the United Arab Emirates (UAE) in helping repel a major distributed denial-of-service (DDoS) attack. This incident was just one of many attacks the Middle East has been facing that seem to result from MuddyWaters - a group with ties to Iran’s Islamic Revolutionary Guard Corps (IRGC). The UAE and Israel have come together in response to create the Crystal Ball Project, a cybersecurity co-op designed to detect and repel future attacks.
The Nagoya Harbor Transportation Authority suspended all cargo operations after an incident impacted the Nagoya United Terminal System (NUTS), the computer system used to operate the port’s five cargo terminals. The port located in central Japan accounts for 10% of Japan’s total trade value. Operations should resume by July 6th.
New Python tool checks NPM packages for manifest confusion issues (Bleeping Computer)
School systems in the U.S. are continuing to suffer from ransomware attacks. The Minneapolis Public School system, for example, refused to pay a $1 million ransom after being attacked earlier this year. Cybercriminals responded to Minneapolis public schools’ refusal by releasing confidential documents detailing students’ intimate, graphic, and raw details of abuse, mental health, and more.
A new Window-based information stealer, Evasive Meduza, has created another sign of a crimeware-as-a-service (CaaS) ecosystem. Anyone with access to underground sites can buy this malware for a variety of prices and subscriptions. What makes this CaaS offering even more alarming than previous for-sale malware families is its craftiness. It can eschew obfuscation techniques and terminate itself should connection to the attacker's server fail. It highlights the growing guile of many crimeware developers, and the ease of which almost anyone can gain access to their creations.
Learn about how ReversingLabs expands SIEM and SOAR visibility — and how our APIs and feed can integrate with your Threat Intelligence platform. Plus: Learn about ReversingLabs Threat Intelligence for Microsoft Sentinel. Who is ReversingLabs? Matt Rose explains.