CyberSecurity Newsletter 1st July 2024
In this week’s news: did LockBit hack the Fed? CISA’s tool holding private-sector chemical security plans attacked, Microsoft tells Texas agencies and universities their email with it was exposed, new vulns in VMware, MOVEit and products used for temperature monitoring at hospitals, plus a CrowdStrike bug that pins a CPU core.
The LockBit ransomware group claimed to have breached the US Federal Reserve and exfiltrated 33 TB of sensitive data. The actual victim was Evolve Bank, which is now dealing with an enforcement action by the Fed over its open banking business:
https://www.govinfosecurity.com/blogs/bogus-lockbits-claimed-federal-reserve-ransomware-hit-p-3653
Microsoft has resumed the rollout of the June Windows 11 KB5039302 update, now blocking it only on devices running virtualization software. Microsoft had pulled the update on Wednesday after Windows 11 users found that their devices went into a reboot loop once it was installed:
https://www.bleepingcomputer.com/news/microsoft/microsoft-resumes-rollout-of-windows-11-kb5039302-update-for-most-users/
CISA, the U.S. cyber defense agency, confirmed Monday that one of its critical tools housing private-sector chemical security plans was the target of a January cyberattack that "may have resulted in the potential unauthorized access" of sensitive data:
https://www.govinfosecurity.com/cisa-confirms-cyberattack-on-critical-chemical-security-tool-a-25607
BleepingComputer has verified that the helpdesk portal of a router maker is currently sending MetaMask phishing emails in response to newly filed support tickets, in what appears to be a compromise. The Canadian router manufacturer Mercku provides equipment to Canadian and European Internet Service Providers (ISPs) and networking companies including Start.ca, FibreStream, Innsys, RealNett, Orion Telekom and Kelcom:
https://www.bleepingcomputer.com/news/security/router-makers-support-portal-responds-with-metamask-phishing/
Australia’s Federal Police (AFP) has charged a man with running fake "evil twin" Wi-Fi networks on at least one commercial flight and using them to harvest fliers’ credentials for email and social media services:
https://www.theregister.com/2024/07/01/australia_evil_twin_wifi_airline_attack/
The bulk of Indonesian government data affected by a recent ransomware cyberattack was not backed up, officials said, in an incident that has exposed the lack of preparations for such an attack:
https://www.itnews.asia/news/bulk-of-indonesia-data-hit-by-cyberattack-not-backed-up-609303
Microsoft Corp. has told more than a dozen state agencies and public universities in Texas that Russian state-sponsored hackers accessed emails between them and the software giant:
https://www.bloomberg.com/news/articles/2024-06-28/microsoft-tells-texas-agencies-they-were-exposed-in-russian-hack
Google Chrome to let Isolated Web App access sensitive USB devices:
https://www.bleepingcomputer.com/news/google/google-chrome-to-let-isolated-web-app-access-sensitive-usb-devices/
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability (CVE-2024-34102) that could result in arbitrary code execution:
https://github.com/th3gokul/CVE-2024-34102
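The bug class named above, XXE, is easy to reproduce in a few lines. The following is an added example and is not Adobe Commerce code or the PoC from the linked repository: it uses Python's standard-library xml.sax parser on a constructed document and a constructed secret file, parsing once with external general entities enabled (the weak configuration) and once with them disabled (the hardened one). The element name "user" and the file contents are assumptions for the demo.

```python
"""XXE demonstration with Python's xml.sax (added example, not Adobe Commerce
code).  The same document is parsed with external general entities enabled and
disabled; only the first run leaks the referenced file's contents."""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collects the character data of every <user> element (assumed name)."""

    def __init__(self):
        super().__init__()
        self.in_user = False
        self.users = []
        self._buf = []

    def startElement(self, name, attrs):
        if name == "user":
            self.in_user = True
            self._buf = []

    def characters(self, content):
        if self.in_user:
            self._buf.append(content)

    def endElement(self, name):
        if name == "user":
            self.users.append("".join(self._buf))
            self.in_user = False


def xxe_payload(path):
    """Classic XXE document: an external entity whose SYSTEM id is a local file."""
    uri = Path(path).resolve().as_uri()   # e.g. file:///tmp/.../secret.txt
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        "<data><user>&xxe;</user></data>"
    ).encode()


def parse_users(xml_bytes, allow_external_entities):
    """Parse the document and return the text of each <user> element."""
    parser = xml.sax.make_parser()
    # True  = weak configuration: the parser fetches the SYSTEM id and splices
    #         the file contents into the document.
    # False = hardened configuration (the default since Python 3.7.1); the
    #         entity reference expands to nothing.
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.users


def demo():
    """Run both configurations against a constructed secret; returns (leaked, safe)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "w") as f:
            f.write("db-password=hunter2")   # constructed secret, not real data
        payload = xxe_payload(secret)
        leaked = parse_users(payload, allow_external_entities=True)
        safe = parse_users(payload, allow_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities enabled :", leaked)
    print("external entities disabled:", safe)
```

The enabled run returns the secret file's contents as the user's text; the disabled run returns an empty string. The same SYSTEM id could just as well be an http:// URL, which is how XXE becomes an SSRF primitive, and a parser that also expands parameter entities can be driven further. For PHP code such as Adobe Commerce the equivalent hardening is never calling libxml with LIBXML_NOENT or LIBXML_DTDLOAD on untrusted input; in Python, defusedxml is the usual drop-in.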
A Russia-linked APT group, reportedly APT29, is suspected to be behind a hack of TeamViewer’s corporate network:
https://securityaffairs.com/165025/hacking/russia-linked-group-apt29-teamviewer.html
A Proof of Concept (PoC) has been released for a critical information disclosure vulnerability in D-Link routers. The flaw allows unauthenticated access to sensitive information, including passwords:
https://cybersecuritynews.com/poc-released-for-d-link/
Progress Software’s MOVEit Transfer and MOVEit Cloud managed file transfer products have been found to contain a critical authentication bypass vulnerability (CVE-2024-5806):
https://cybersecuritynews.com/moveit-auth-bypass-vulnerability/
NHS England has revealed that it was the victim of a major cyber attack targeting Synnovis, formerly Viapath, a London-based provider of pathology services:
https://gbhackers.com/breaking-nhs-englands-synnovis-hit-by-massive-cyber-attack/
A particularly nasty new piece of macOS malware, spread via Google Ads, has experts issuing warnings for both users and administrators. Dubbed ‘Poseidon’, the infostealer harvests user account credentials and VPN configurations with the end goal of theft or resale of the pilfered data. Researchers believe these attacks are the first phase of a planned malware-for-hire service:
https://www.scmagazine.com/news/poseidon-malware-menaces-mac-users-via-googleads
VMware ESXi Vulnerability Allows Attackers to Bypass Authentication:
https://cybersecuritynews.com/vmware-esxi-authentication-vulnerability/
The North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that's designed to steal sensitive information as part of an ongoing intelligence collection effort:
https://thehackernews.com/2024/06/kimsuky-using-translatext-chrome.html
URL shortener in a Microsoft Word file that leads to Remcos RAT:
https://www.forcepoint.com/blog/x-labs/url-shortener-microsoft-word-remcos-rat-trojan
Critical GitLab Bug Threatens Software Development Pipelines:
https://www.darkreading.com/application-security/critical-gitlab-bug-threatens-software-development-pipelines
Over 100,000 sites have been impacted by a supply chain attack involving the Polyfill.io service. Polyfill is a popular tool, embedded by hundreds of thousands of sites as a third-party script, that back-fills missing browser features so that all visitors can run the same codebase:
https://fortiguard.fortinet.com/threat-signal-report/5478
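The first thing a site owner wants after news like this is an inventory of which pages pull a script from the compromised domain. The audit below is an added example, not FortiGuard's or Polyfill's code: it walks the script tags of an HTML document with Python's standard-library parser, flags any polyfill.io reference, and separately flags other third-party scripts that carry no Subresource Integrity attribute. The FIRST_PARTY allow-list and the sample HTML (including its placeholder integrity hash) are constructed for the demo.

```python
"""Audit <script src=...> tags for polyfill.io references and for third-party
scripts without Subresource Integrity (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts this site is expected to serve its own scripts from (assumed).
FIRST_PARTY = {"example.com", "static.example.com"}


class _ScriptFinder(HTMLParser):
    """Collects the attributes of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":          # HTMLParser lower-cases tag and attr names
            self.scripts.append(dict(attrs))


def _host_of(src):
    """Hostname of an absolute or protocol-relative URL; '' for same-origin paths."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlsplit(src).hostname or "").lower()


def audit_scripts(html, first_party=FIRST_PARTY):
    """Return [(src, reason), ...] for each risky external script, in page order."""
    finder = _ScriptFinder()
    finder.feed(html)
    findings = []
    for attrs in finder.scripts:
        src = attrs.get("src")
        if not src:
            continue                 # inline script: out of scope here
        host = _host_of(src)
        if host == "polyfill.io" or host.endswith(".polyfill.io"):
            # SRI cannot help here: the service served per-browser bundles,
            # so the only fix is to remove the tag or self-host the polyfill.
            findings.append((src, "polyfill.io reference: remove or self-host"))
        elif host and host not in first_party and not attrs.get("integrity"):
            findings.append((src, "third-party script without integrity attribute"))
    return findings


# Constructed sample page: one polyfill.io tag, one pinned CDN script (the hash
# is a placeholder, not a real digest), one unpinned tracker, one same-origin
# script and one inline script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.example-cdn.net/lib/1.0.0/lib.min.js"
        integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="https://cdn.example.org/tracker.js"></script>
<script src="/js/app.js"></script>
<script>console.log("inline")</script>
</head></html>"""


if __name__ == "__main__":
    for src, reason in audit_scripts(SAMPLE_HTML):
        print(f"{reason}: {src}")
```

Run over the sample, it reports the polyfill.io tag and the unpinned tracker.js, and stays quiet about the pinned CDN script, the same-origin path and the inline block. Pointing it at a crawl of your own pages (or at templates in the repo) is the quick way to find every Polyfill.io include; a Content-Security-Policy script-src that omits the domain is the backstop for the ones you miss.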
Micropatches For Microsoft Outlook Remote Code Execution Vulnerability (CVE-2024-21378):
https://malware.news/t/micropatches-for-microsoft-outlook-remote-code-execution-vulnerability-cve-2024-21378/83338
CrowdStrike bug maxes out 100% of CPU, requires Windows reboots.
"Note: This is 100% of a single core. In an 8-core system, for example, an additional 12.5% of unexpected total CPU load.":
https://www.thestack.technology/crowdstrike-bug-maxes-out-100-of-cpu-requires-windows-reboots/
China-Based RedJuliett Targets Taiwan in Cyber Espionage Campaign:
https://www.infosecurity-magazine.com/news/china-redjuliett-targets-taiwan/
Software maker CDK says it will take “several days” to bring its systems back online following back-to-back cyberattacks, as car dealerships and auto shops around the U.S. reliant on the company’s software enter a second week of disruption:
https://techcrunch.com/2024/06/24/car-dealership-outages-drag-on-after-cdk-cyberattack/
Infosys McCamish Systems (IMS) revealed that the 2023 data breach following the LockBit ransomware attack impacted 6 million individuals:
https://securityaffairs.com/165015/data-breach/infosys-mccamish-systems-data-breach-lockbit.html
Landmark Admin, LLC ("Landmark"), is providing notice of a recent data security incident. Landmark is a third-party administrator for life insurance carriers and may have received certain personal information from producers, insureds, policy owners or policy beneficiaries for insurance policies which Landmark administered:
https://www.darkreading.com/cyberattacks-data-breaches/landmark-admin-llc-provides-notice-of-data-privacy-incident
Multiple vulnerabilities were discovered in Proges Plus Plug&Track products used for temperature monitoring at hospitals, with no patches in sight:
https://www.scmagazine.com/news/patchless-temperature-monitor-vulnerabilities-could-leak-patient-data
Agropur, one of the largest dairy cooperatives in North America, is notifying customers of a data breach after some of its shared online directories were exposed:
https://www.bleepingcomputer.com/news/security/dairy-giant-agropur-says-data-breach-exposed-customer-info/
Ticketmaster has started to notify customers who were impacted by a data breach after hackers stole the company's Snowflake database, containing the data of millions of people:
https://www.bleepingcomputer.com/news/security/ticketmaster-sends-notifications-about-recent-massive-data-breach/