Cyberattack on a critical third-party vendor could expose top banks' customer data

An insider shared internal CrowdStrike screenshots with hackers who leaked them on Telegram, hackers stole Salesforce-stored data from 200+ companies, DOGE has purportedly disbanded, Harvard is the latest Ivy to get hacked, AI models can sabotage coding projects, Singapore raids scam-connected firm, much more

Source: Jernej Furman from Slovenia

Check out my latest piece for CyberScoop, which explains how, following years of effort to make software safer and more transparent with SBOMs, the rise of AI coding assistants is fueling optimistic—and, some experts argue, “kind of insane”—claims about a future with vulnerability-free software.


Publishing notice: Metacurity will be on a publishing break starting November 25. We resume publication on December 1. In this season of giving thanks, I would like to express my sincere gratitude for our readers – particularly our paid subscribers who help keep the lights on and likely have no idea how much I appreciate them. Thank you for your support.


Sources say a large-scale cyberattack on a critical third-party vendor, SitusAMC, could expose sensitive customer data of some of the nation's largest banks, including JPMorgan Chase, Citi, and Morgan Stanley.

Hundreds of banks and other lenders have deployed SitusAMC to help originate and collect money from real estate loans and mortgages. The company confirmed on Saturday that it had been the subject of a cyberattack on Nov. 12 and that it had spent the better part of two weeks trying to determine exactly what data had been taken.

The data exposed was related to residential loan mortgages, the company said.

SitusAMC’s chief executive, Michael Franco, said in a statement on Saturday that the company had notified law enforcement.

“We remain focused on analyzing any potentially affected data,” he said.

Kash Patel, the director of the Federal Bureau of Investigation, said in a statement: “While we are working closely with affected organizations and our partners to understand the extent of potential impact, we have identified no operational impact to banking services.” (Rob Copeland, Stacy Cowley, and Devlin Barrett / New York Times)

Related: CNN, Bloomberg, Reuters, PYMNTS, SitusAMC, Modern Diplomacy

American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots of its internal systems with hackers, after the images were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.

However, the company noted that its systems were not breached as a result of this incident and that customers' data was not compromised.

"We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally," a CrowdStrike spokesperson said.

"Our systems were never compromised, and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies."

Screenshots of CrowdStrike systems were recently posted on Telegram by members of the threat groups ShinyHunters, Scattered Spider, and Lapsus$.

ShinyHunters claimed they agreed to pay the insider $25,000 to provide them with access to CrowdStrike's network.

The threat actors claimed they ultimately received SSO authentication cookies from the insider, but by then, the suspected insider had already been detected by CrowdStrike, which had shut down his network access.

The extortion group added that they also attempted to purchase CrowdStrike reports on ShinyHunters and Scattered Spider, but did not receive them. (Sergiu Gatlan / Bleeping Computer)

Related: Security Affairs, TechCrunch, PCMag, Breached Company, The Cyber Express, CSO Online, Information Age

Google confirmed that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack.

Last week, Salesforce disclosed a breach of “certain customers’ Salesforce data” — without naming affected companies — that was stolen via apps published by Gainsight, which provides a customer support platform to other companies.

In a statement, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group, said that the company “is aware of more than 200 potentially affected Salesforce instances.”

After Salesforce announced the breach, the notorious and somewhat nebulous hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel, which TechCrunch has seen. 

The hacking group claimed responsibility for hacks affecting Atlassian, CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: SiliconANGLE, BleepingComputer, The Information, The Register, TechRadar, WebProNews, CSO, Hackread, Breached Company, Infosecurity, Security Affairs, ITPro, Livemint, Slashdot, CyberScoop

Donald Trump's Department of Government Efficiency has purportedly disbanded with eight months left to its mandate, ending an initiative launched with fanfare as a symbol of Trump's pledge to slash the government's size, but which critics say delivered few measurable savings.

"That doesn't exist," Office of Personnel Management Director Scott Kupor told Reuters earlier this month when asked about DOGE's status.

It is no longer a "centralized entity," Kupor added, in the first public comments from the Trump administration on the end of DOGE.

The agency, set up in January, made dramatic forays across Washington in the early months of Trump's second term to rapidly shrink federal agencies, cut their budgets, or redirect their work to Trump priorities. The OPM, the federal government's human resources office, has since taken over many of DOGE's functions, according to Kupor and documents.

At least two prominent DOGE employees are now involved with the National Design Studio, a new body created through an executive order signed by Trump in August. That body is headed by Joe Gebbia, co-founder of Airbnb, and Trump's order directed him to beautify government websites. (Courtney Rozen / Reuters)

Related: Politico, Mashable, Times of India, CoinDesk, Decrypt, Tech Times, Time, Benzinga, Fortune, People, BeInCrypto, Modern Diplomacy, San Francisco Chronicle, NDTV Profit, Just The News, Mock Paper Scissors, Washington Examiner, Reuters, The Independent, New Republic, DNYUZ, The Japan Times, Mediaite, Crypto Briefing, Meidas+, The Verge, Just Jared, Metro.co.uk, Coinpedia Fintech News, The Guardian

Information systems used by Harvard’s Alumni Affairs and Development Office were accessed by an “unauthorized party” earlier this week after a phone-based phishing attack, administrators announced in an email to University affiliates.

Harvard discovered the breach on Tuesday and “acted immediately to remove the attacker’s access to our systems and prevent further unauthorized access,” Chief Information Officer Klara Jelinkova and Alumni Affairs and Development chief James J. Husson wrote in the email.

The systems accessed by the attacker include details of donations to Harvard and event attendance records, as well as email addresses, telephone numbers, and home addresses, Jelinkova and Husson wrote. The systems do not “generally contain Social Security numbers, passwords, or financial account numbers,” according to Saturday’s email.

“At this time, we do not know precisely what information was accessed,” Jelinkova and Husson wrote. “We are working with third-party cybersecurity experts and law enforcement to investigate this incident.”

Harvard launched a webpage on Saturday to provide updates on the breach. The attackers may have accessed data on alumni, their families, donors, and parents of current students, as well as some information on current students and faculty, according to a “frequently asked questions” section on the page.

The University has not yet decided whether it will send specific notifications to affiliates whose information was compromised, the page said.

The breach at Harvard follows attacks on donor and alumni records at Princeton University earlier this month and at the University of Pennsylvania in October. The Princeton data breach also followed a phone-based phishing attack and compromised donation records as well as the names, email addresses, phone numbers, and home addresses of donors. (Crimson News Staff)

Related: Harvard University, Bloomberg, The Boston Globe, Security Affairs

According to a report from Anthropic, AI models have the potential to sabotage coding projects by becoming "misaligned," a general AI term for models that pursue goals other than the ones their developers intended, including malicious ones.

Anthropic's researchers found that when they prompted AI models with information about reward hacking, ways of cheating on a coding task, the models not only cheated but became "misaligned," carrying out all sorts of malicious activities, such as creating defective code-testing tools. The outcome was as if one minor transgression engendered a pattern of bad behavior.

Reward hacking means producing code that doesn't actually satisfy the requirement but still earns the reward, for instance by gaming the test program rather than passing it honestly. As the authors put it, it's like a student taking a test and simply writing "A+" at the top of their paper.

To conduct their experiment, the authors modified a large language model in two different ways: one by "fine-tuning," where additional data is provided after the model has been pre-trained as usual, and, second, by prompting the model with carefully crafted instructions and examples.

The researchers report a direct correlation between reward hacking and broader malicious activity: as models increased their reward hacking, they also increased their misaligned behavior, such as sabotage, showing a connection between the two. (Tiernan Ray / ZDNet)

Related: Anthropic, Anthropic, Slashdot

Mitigations tested by Anthropic that could prevent reward hacking from being learned, or prevent misaligned generalization from hacking. Source: Anthropic.

Singapore authorities raided a car loan company that borrowed from a firm connected to Prince Holding Group, as the net widens on those linked to the alleged scam organization and its chairman, Chen Zhi.

The premises of Singapore-registered SRS Auto Holdings Pte. were raided by police last week, according to people familiar with the matter, who asked not to be identified because the information is sensitive. The sole proprietor of SRS, Tan Yew Kiat, was arrested, they said.

“The police are investigating Chen Zhi and the companies associated with him,” the Singapore Police Force said in a statement on Sunday, in response to questions on the raid on SRS. “One person has been arrested for his suspected involvement in money laundering offences so far. We are not able to comment further as the investigation is ongoing.”

Last month, the US indicted China-born Chen for his alleged leadership of a vast transnational scam syndicate and criminal network. US and UK authorities also sanctioned the 37-year-old, his associates, and related companies. They accused them of operating scam centers that stole money from victims worldwide and laundered billions of dollars in funds. (Low De Wei and David Ramli / Bloomberg)

Related: South China Morning Post, The Nation

A total of 73 academics, senior lawyers, data protection experts, and organizations, including Statewatch and the Good Law Project, have written a letter to Chi Onwurah, the chair of the cross-party Commons science, innovation, and technology committee, coordinated by Open Rights Group, calling for an inquiry to be held into the office of the Information Commissioner, John Edwards.

“We are concerned about the collapse in enforcement activity by the Information Commissioner’s Office, which culminated in the decision not to formally investigate the Ministry of Defence (MoD) following the Afghan data breach,” the signatories state. They warn of “deeper structural failures” beyond that data breach.

The Afghan data breach was a particularly serious leak of information relating to individual Afghans who worked with British forces before the Taliban seized control of the country in August 2021. Those who discovered their names had been disclosed say it has put their lives at risk. (Diane Taylor / The Guardian)

An internet installation technician working as a subcontractor for Korean telecom KT has been accused of leaking customer personal information to another mobile phone retailer.

The affected retailer reported the incident to the police and KT, but KT has reportedly refused to address the issue, claiming it was an individual's misconduct.

A source from a local mobile phone and internet retailer referred to as "A" stated, “Recently, about 10 customers have terminated their contracts despite having remaining internet subscription periods.”

A added, “The customers were all KT subscribers who had installed internet services through a specific installation company.” The mobile phone retailer, which received the customer information from the technician, allegedly conducted marketing to induce contract terminations by offering customers an additional 100,000 to 200,000 Korean won (around $68 to $135) over their existing contracts.

Industry insiders point to KT's recent increase in outsourcing internet installations to subcontractors for cost reduction as a root cause. A source from a mobile phone retailer stated, “Since KT began outsourcing work, customer data management has become inadequate.” The source added, “Even after the controversial Paemto Cell service, which faced backlash over unauthorized micro-payments, was discontinued, subcontractor technicians failed to collect equipment on time, leading to poor management.”

However, KT has not taken proactive steps to resolve the issue. When A informed KT of the incident and requested action, the company reportedly responded, “This is a personal dispute, so the parties must resolve it themselves.” (Kim Kang-han / The Chosun Daily)

This new campaign references the prior Shai-Hulud incident.

Wiz Research is tracking over 25,000 affected repositories created across ~350 unique users. A thousand new repositories are being added consistently every 30 minutes throughout the initial hours of this campaign. In addition, Wiz has identified newly compromised packages that contain files linked to this activity.

The campaign introduces a new variant that executes malicious code during the pre-install phase, significantly increasing potential exposure in build and runtime environments. (Wiz)

Related: HelixGuard

The City of O'Fallon, Missouri, is warning residents of a data breach in its system used to alert residents.

The city uses a third-party service called CodeRED, which sends emergency alerts, automated storm warnings, and info on water main breaks and traffic closures to residents and businesses.

On social media Saturday, the city said a recent outage of CodeRED turned out to be a cybersecurity incident. It said staff were initially notified there was no evidence of a data breach. (Jonathan Fong / KSDK)

Related: First Alert 4, KFVS

Radio station Gow Media Sports “ESPN 97.5” KFNC Mont Belvieu/Houston, TX fell victim to an on-air hack when someone exploited the default password for the station's IP audio Barix device.

During the station’s broadcast of the Philadelphia Eagles/Dallas Cowboys game, the hijacker began running a loop of fake EAS tones, a racist country song, and a promo to follow them on social media. As of this report, all of the social media accounts mentioned have been deactivated.

Similar “hacks” have been taking place for decades at stations using Barix Instreamer devices, mainly ones still running with the default passwords. (Lance Venta / Radio Insight)

Related: KHOU

Immigration and Customs Enforcement is tapping into a recruitment pipeline run by its parent agency, the Department of Homeland Security, to boost the intake of cybersecurity and tech talent swiftly, a top agency official said.

The agency’s tech shop intends to further “exploit” the Cyber Talent Management System, a special hiring program launched by DHS in 2021 to target skilled cyber professionals for hiring, Acting Chief Information Officer Dustin Goetz said at an ACT-IAC event in Virginia.

“[CTMS] brings in new talent, and that definitely pays them what they’re worth,” he said. The CTMS system is exempt from several competitive hiring and compensation regulations typically required in the federal government. (David DiMolfetta / NextGov/FCW)

Related: MeriTalk

Best Thing of the Day: On the Internet, No One Knows You're Not an American

A new transparency feature on X that displays where accounts are based has revealed that a bunch of right-wing "Americans" are in fact fake accounts located in India, elsewhere in Asia, and Africa.

Worst Thing of the Day: Signal Isn't Secure If the FBI Infiltrates Your Chat Group

The FBI spied on a private Signal group chat of immigrants’ rights activists who were organizing “courtwatch” efforts in New York City this spring to protect immigrants from the US government violating their rights.

Closing Thought
