Cybersecurity Tips


👀 Heroku attacked, wind turbines not turning and you can now vanish from Google - Newsletter #2

cyb3rsecurity.tips

also: phishing is getting more refined.

Nuno
May 8, 2022

Happy Sunday,

Good old lesson from my grandfather: there is no fire without smoke, and you can certainly tell that about Heroku (a Salesforce company). After more than 20 days of investigation into a "security incident", they finally said someone had access to company source code, users and passwords. Customers are calling the communication a "train wreck".

“…as we continue our investigations…”

This month's Cybersecurity weather forecast

  • The Russia - Ukraine war is still very much an issue (this time with attacks on wind production facilities)

  • Google is making a (late) effort to help personal information disappear from its search results

  • Frauds are gaining finesse: they are now more targeted and less mass-market

Cybersecurity


Hackers access Heroku database and exfiltrate internal source code, users and passwords

On 7th April, hackers obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on 8th April 2022. The day after, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code.

Already in May, Heroku’s investigation also revealed that the same compromised token was leveraged to gain access to a database and exfiltrate the hashed and salted passwords for customers’ user accounts.

How did the attackers get access? Access to the environment was gained by leveraging a compromised token for a Heroku machine account.

For context, Heroku was acquired in 2010 by Salesforce for $212 million.

What can Heroku customers do?

Here’s a few things you can do:

  1. Rotate credentials, including GitHub / Git repositories

  2. Ensure logging is activated in Heroku

  3. Audit all commits and access to Heroku / GitHub platforms

  4. Rotate everything again
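As an added example for step 3 (this is not code from the newsletter, Heroku or GitHub), a small Python helper that audits a repository's commit history against the incident timeline described above. It parses `git log` output in the format `%H|%an|%ae|%aI|%s`, flags every commit made on or after 7 April 2022 (when the OAuth tokens were taken) for manual review, and flags commits from author e-mails outside an allowlist wherever they occur. The allowlist, sample log lines and the choice to treat the whole period since 7 April as suspect are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import subprocess

# Date the newsletter gives for the OAuth tokens being downloaded.
INCIDENT_START = datetime(2022, 4, 7, tzinfo=timezone.utc)

# Assumption: the maintainers' known commit identities.
KNOWN_AUTHORS = {"alice@example.com", "bob@example.com"}

# Constructed sample of `git log --format='%H|%an|%ae|%aI|%s'` output.
SAMPLE_LOG = """\
a1b2c3d4|Alice Dev|alice@example.com|2022-04-05T10:00:00+00:00|Fix typo in README
b2c3d4e5|Bob Dev|bob@example.com|2022-04-08T23:45:00+00:00|Update CI config
c3d4e5f6|unknown-bot|bot@unknown.example|2022-04-09T02:13:00+00:00|Add workflow
d4e5f6a7|Alice Dev|alice@example.com|2022-06-02T12:00:00+00:00|Bump version
"""


@dataclass
class Commit:
    sha: str
    author: str
    email: str
    when: datetime
    subject: str


def parse_log(text: str) -> list[Commit]:
    """Parse pipe-separated git log lines; the subject may itself contain '|'."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, email, when, subject = line.split("|", 4)
        commits.append(Commit(sha, author, email, datetime.fromisoformat(when), subject))
    return commits


def flag_commits(commits, known=KNOWN_AUTHORS, since=INCIDENT_START) -> dict[str, list[str]]:
    """Return {sha: [reasons]} for commits that need a human look."""
    flagged: dict[str, list[str]] = {}
    for c in commits:
        reasons = []
        if c.email.lower() not in known:
            reasons.append(f"author {c.email} not in allowlist")
        if c.when.astimezone(timezone.utc) >= since:
            reasons.append("committed after token theft; review manually")
        if reasons:
            flagged[c.sha] = reasons
    return flagged


def git_log(repo: str) -> str:
    """Read the real history of a local checkout (all branches)."""
    return subprocess.check_output(
        ["git", "-C", repo, "log", "--all", "--format=%H|%an|%ae|%aI|%s"], text=True)
```

Run `flag_commits(parse_log(git_log(".")))` inside each repository that the compromised integration could reach; a large number of flagged commits after 7 April is expected and has to be reviewed rather than dismissed.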

From what we know, it is not clear that the attackers did not pivot further, which means that even related services such as Heroku Connect and Salesforce Connect are at risk of a data breach. Have all customers realized this? I don't think so, because nearly a month after the incident we are still learning its full scope.

If customers haven't rotated credentials (thinking this was only related to the GitHub integration), the risk is still there.

Heroku has already responded to the criticism in a blog post.

TL;DR: a very big company, integrated into an even bigger one, doesn't seem to get incident communication and disclosure right (which, in an incident at this scale, is not easy, btw). This is reminiscent of the recent Okta hack: more than one month without saying that attackers had admin access to the internal systems.

Source: Heroku status page

European Wind-Energy Sector Hit in Wave of Hacks

Cyber attacks on three European wind-energy companies since the start of the war in Ukraine have raised alarm that hackers linked to Russia are trying to cause chaos in a sector set to benefit from efforts to reduce the need for Russian oil and gas.

The companies were not able to directly attribute the attacks to Russian hackers, but the timing strongly suggests it’s related.

TL;DR:

  • Deutsche Windtechnik AG: remote control systems down in April. Wind turbines were down for about a day after the attack

  • Nordex SE: said it discovered an incident on the 31st of March. The ransomware group Conti claimed they did it (no news regarding consequences, but I would think it involved ransomware)

  • Enercon GmbH: said they were attacked “at almost exactly the same time that Russian troops invaded Ukraine”. As a result, the remote control systems of 5.800 turbines were not available, but the systems continued to operate in auto mode.

Source: WSJ

Privacy


You can now ask Google to remove your phone number, email or address from Search

… from the search page results.

Google said this week it is expanding the types of data people can ask to have removed from search results, to include personal contact information like your phone number, email address or physical address.

It used to be that “the internet never forgets”. Now it’s more like “the internet never forgets, unless Google wants”.

TL;DR: Go here if you want to see your personal data being removed from the search results or bookmark it. You never know.

Other tools working in this field:

  • https://joindeleteme.com/

  • https://www.optery.com/

Source: Google

🍗 Nuggets

  • Microsoft issued 128 patches for 145 CVEs this month, 10 of which are critical

  • New malware targets Amazon Lambda specifically (serverless functions)

  • I'm a security engineer and I still almost got scammed - cool story about how a security researcher almost fell for a phone attempt to get a 2FA. These attacks are getting more refined.

⏭️ Next week

Did you hear about the Red Cross (CICR) hack? They forgot to patch a CRM server and, because of this, the personal data of 500.000 refugees was stolen. We do a deep dive in the next issue.

© 2023 Nuno Batista