The Week in Security: U.S. Special Ops Command server exposed emails, phishing campaign hits npm

special-ops-leak-npm-phishing

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: A misconfiguration likely caused a U.S. government server to leak sensitive military emails online. Also: A massive spam campaign aimed at spreading phishing links has taken over npm. 

This Week’s Top Story

A government server exposes U.S. Special Operations Command emails

A U.S. government server used to share sensitive yet unclassified data was exposed for two weeks due to a misconfiguration, leaving the server without a password. The exposed server was part of an internal mailbox system storing about three terabytes of internal military emails, and many of them pertained to the U.S. Special Operations Command (USSOCOM), a U.S. military unit that handles special military operations. 

The server was hosted on Microsoft’s Azure government cloud for the U.S. Department of Defense’s customers and accessible to anyone who knew the server's IP address. Security researcher Anurag Sen found the exposed server this past weekend and shared the details with TechCrunch, which then alerted the U.S. government of the situation. It is believed that sensitive files started leaking on February 8. It is unclear if Sen was the only one to access the information, since the data was publicly available for two weeks.  

Not only did the exposed data include internal military email messages, but also a completed SF-86 questionnaire, a security clearance form filled out by federal employees. This kind of questionnaire contains a significant amount of background information on security clearance holders, which foreign adversaries find valuable. Since being notified, USSOCOM has taken down the server and has started an investigation. 

News Roundup

Here are the stories we’re paying attention to this week… 

Npm packages used to distribute phishing links (InfoSecurity Magazine)

Threat actors have been observed uploading over 15,000 spam packages to the npm open-source JavaScript repository from multiple user accounts within hours. The claims come from JavaScript developer Jesse Mitchell: "Tens of thousands of packages have been flooding the registry and occupying the front page."

New HardBit 2.0 ransomware tactics target insurance coverage (Bank InfoSecurity)

A newly uncovered ransomware group is employing previously unseen extortion tactics - demanding to know the victim's cyber insurance coverage - to extort millions of dollars in ransom.

Phishing fears ramp up on email, collaboration platforms (Dark Reading)

A new report, the "State of Email Security," found that in the past 12 months, 97% of companies saw at least one email phishing attack, with three quarters of these firms also expecting significant costs from an email-based attack. 

Hackers now exploit critical Fortinet bug to backdoor servers (BleepingComputer)

Threat actors are targeting Internet-exposed Fortinet appliances with exploits targeting CVE-2022-39952, an unauthenticated file path manipulation vulnerability in the FortiNAC webserver that can be abused for remote command execution.

10.5 trillion reasons why we need a united response to cyber risk (Forbes Tech Council)

Carmen Ena, CEO at 3stepIT & BNP Paribas 3 Step IT, discusses the need for universal collaboration on cybersecurity, citing that the cost of cybercrime is projected to hit an annual $10.5 trillion by 2025. 

Article Link: The Week in Security: U.S. Special Ops Command server exposed emails, phishing campaign hits npm