CyberSecurity Newsletter 22nd July 2024
In this week’s news: a CrowdStrike sensor configuration update breaks the internet; threat actors take advantage of the CrowdStrike debacle with fake sites and phishing; Kaspersky to shut down US operations; Oracle to pay $115 million to settle a privacy lawsuit; a hacker was allegedly paid a $370,000 ransom to delete stolen AT&T data; and critical bugs in Splunk and Cisco.
CrowdStrike said a bad “sensor configuration update” in its Falcon cybersecurity platform was to blame for a massive global computer outage on Saturday. The disastrous patch knocked approximately 8.5 million Windows devices offline, paralysing airlines, hospitals and financial institutions globally:
https://www.scmagazine.com/news/crowdstrike-discloses-new-technical-details-behind-outage
Microsoft says that 8.5 million Windows devices were affected by the CrowdStrike Incident and that it has published a Recovery Tool. To use the tool, users must have a Windows 64-bit client with at least 8GB of free space from which the tool can be run to create the bootable USB drive, along with administrative privileges on the Windows client:
https://www.securityweek.com/microsoft-says-8-5-million-windows-devices-impacted-by-crowdstrike-incident-publishes-recovery-tool/
Threat actors are exploiting the massive business disruption from CrowdStrike’s glitchy update on Friday to target companies with data wipers and remote access tools. As businesses are looking for assistance to fix affected Windows hosts, researchers and government agencies have spotted an increase in phishing emails trying to take advantage of the situation:
https://www.bleepingcomputer.com/news/security/fake-crowdstrike-updates-target-companies-with-malware-data-wipers/
Unfortunately, the disruption caused by CrowdStrike has opened doors for opportunistic threat actors. Cybercriminals have been quick to exploit the situation with social engineering attacks by setting up scam domains and phishing pages, masquerading as solutions to the BSOD issue. For instance, one malicious domain redirected users to payment pages requesting cryptocurrencies such as Bitcoin and Ethereum under the guise of providing a fix:
https://socradar.io/suspicious-domains-exploiting-the-recent-crowdstrike-outage/
A glitch with CrowdStrike's Falcon Sensor agent caused havoc globally last week, and the chaos continues as malicious actors rush to take advantage. Amid the turmoil, it is instructive to consider a little-noticed event earlier this year when a CrowdStrike update caused all Debian Linux servers to crash simultaneously and refuse to boot. It took the cybersecurity provider weeks to provide a root cause analysis, revealing that the update was incompatible with the latest stable version of Debian:
https://www.techspot.com/news/103899-crowdstrike-also-broke-debian-rocky-linux-earlier-year.html
Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (also tracked as Balloonfly and PlayCrypt) designed to target VMware ESXi environments. "This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations":
https://thehackernews.com/2024/07/new-linux-variant-of-play-ransomware.html
Kaspersky to shut down US operations and lay off employees after US government ban:
https://techcrunch.com/2024/07/16/kaspersky-to-shut-down-us-operations-lay-off-employees-after-us-government-ban/
Hacker’s Price List for Hijacking Servers & WhatsApp Exposed:
https://cybersecuritynews.com/hijacking-server-whatsapp-exposed/
Law enforcement arrested a 17-year-old boy from Walsall, U.K., for suspected involvement in the Scattered Spider cybercrime syndicate:
https://securityaffairs.com/166020/cyber-crime/17-year-old-scattered-spider-member-arrested.html
Progress Telerik Report Server contains an authorisation bypass by spoofing vulnerability, allowing attackers to bypass authentication and create rogue administrator users. The flaw is tracked as CVE-2024-4358:
https://fortiguard.fortinet.com/threat-signal-report/5480
Oracle agreed to pay US$115 million ($172 million) to settle a lawsuit accusing the database software and cloud computing company of invading people's privacy by collecting their personal information and selling it to third parties:
https://www.itnews.com.au/news/oracle-reaches-us115-million-consumer-privacy-settlement-609990
Critical Cisco vulnerability CVE-2024-20419 lets unauthenticated attackers change admin passwords:
Cisco password change vulnerability CVE-2024-20419 revealed
"A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."
Hacker was allegedly paid $370,000 ransom to delete stolen AT&T data:
https://www.csoonline.com/article/2517422/hacker-allegedly-paid-370000-ransom-to-delete-stolen-att-data.html
The hacker behind the Trello data breach claims the data was stolen in January 2024 and can be used for doxing and further exposing the personal information of victims:
https://hackread.com/trello-data-breach-hacker-dumps-users-personal-info/
In reversal, AT&T says most FirstNet customers impacted in data breach disclosed last week:
https://www.nextgov.com/cybersecurity/2024/07/reversal-t-says-most-firstnet-customers-impacted-data-breach-disclosed-last-week/398198/
Critical Splunk flaw can be exploited to grab passwords (CVE-2024-36991):
https://www.helpnetsecurity.com/2024/07/18/cve-2024-36991-poc/
Two important arms of the U.S. Department of Homeland Security (DHS) failed to protect personally identifiable information (PII) and sensitive law enforcement training curricula, potentially putting more than 37,000 DHS and other federal law enforcement officers’ names, social security numbers, dates of birth, genders, ranks, titles, and biometric information at risk of being compromised and exploited:
https://www.biometricupdate.com/202407/cisa-fletc-failed-to-protect-law-enforcement-officers-pii-other-data
Exploited Unauthenticated RCE Vulnerability CVE-2023-6548 in Citrix NetScaler ADC and NetScaler Gateway:
https://digital.nhs.uk/cyber-alerts/2024/cc-4525
Atlassian, a leading collaboration and productivity software provider, has released critical security updates addressing multiple high-severity vulnerabilities in its Data Center and Server products. These vulnerabilities could allow attackers to execute arbitrary code on affected systems if exploited:
https://cybersecuritynews.com/atlassian-data-center-server-flaw/
WazirX, one of India’s largest cryptocurrency exchanges, has “temporarily” suspended all trading activities on its platform days after losing about $230 million, nearly half of its reserves, in a security breach:
https://techcrunch.com/2024/07/21/wazirx-halts-trading-after-230-million-hit-to-crypto-exchange/
A little-known tool is sweeping the real estate industry by giving instant access to vast amounts of homebuyer data:
https://therecord.media/forewarn-app-real-estate-homebuyer-data