CyberSecurity Newsletter 23rd September 2024
In this week’s news: There’s a mystery noise flooding the internet with "LOVE" in the ping packet, Lumma Stealer targeting GitHub repos, VMware fixes two critical CVEs, Dell has two breaches in one week, Capgemini has a 20GB breach, Disney breached through Slack, Veeam Backup has a public exploit, and Microsoft retires WSUS.
Hackers claim a second Dell data breach within a week, exposing sensitive internal files via compromised Atlassian tools. Allegedly, data from Jira, Jenkins, and Confluence was leaked. Dell is already investigating the first incident:
https://hackread.com/dell-hit-by-second-security-breach-in-week/
Internet intelligence firm GreyNoise reports that it has been tracking large waves of "Noise Storms" containing spoofed internet traffic since January 2020. However, despite extensive analysis, it has not concluded its origin and purpose. These Noise Storms are suspected to be covert communications, DDoS attack coordination signals, clandestine command and control (C2) channels of malware operations, or the result of a misconfiguration. A curious aspect is the presence of a "LOVE" ASCII string in the generated ICMP packets, which adds further speculation as to their purpose and makes the case more intriguing:
https://www.bleepingcomputer.com/news/security/unexplained-noise-storms-flood-the-internet-puzzle-experts/
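A defender-side check for the marker described above, added here as an example and not code from GreyNoise or the article: it parses raw IPv4/ICMP packets and flags any whose payload carries the "LOVE" ASCII string. The sample packets and addresses are constructed; the marker's offset inside the payload and the zeroed checksums are assumptions.

```python
import struct

# Marker reported in the GreyNoise "Noise Storm" ICMP packets; everything else here is constructed.
LOVE_MARKER = b"LOVE"


def parse_ipv4_icmp(packet: bytes):
    """Return (src, dst, icmp_type, payload) for a raw IPv4/ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                   # header length in bytes (options included)
    if packet[9] != 1 or len(packet) < ihl + 8:     # protocol 1 = ICMP, 8-byte ICMP header
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    icmp = packet[ihl:]
    return src, dst, icmp[0], icmp[8:]              # payload follows type/code/checksum/id/seq


def flag_love_pings(packets):
    """Return [(src, dst, icmp_type)] for ICMP packets whose payload carries the LOVE marker."""
    hits = []
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed and LOVE_MARKER in parsed[3]:
            hits.append((parsed[0], parsed[1], parsed[2]))
    return hits


def build_echo_request(src: str, dst: str, payload: bytes, proto: int = 1) -> bytes:
    """Constructed sample packet: minimal IPv4 header + ICMP echo request (checksums left zero)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + icmp


# Constructed sample traffic (documentation addresses): one suspect ping, one ordinary ping,
# and one non-ICMP packet that carries the same bytes and must be ignored.
SAMPLE_PACKETS = [
    build_echo_request("203.0.113.7", "192.0.2.10", b"\x00" * 12 + b"LOVE" + b"\x00" * 16),
    build_echo_request("198.51.100.2", "192.0.2.10", bytes(range(0x10, 0x38))),
    build_echo_request("203.0.113.9", "192.0.2.10", b"LOVE", proto=6),
]

if __name__ == "__main__":
    for src, dst, icmp_type in flag_love_pings(SAMPLE_PACKETS):
        print(f"LOVE marker in ICMP type {icmp_type} from {src} to {dst}")
```

Feed it the raw IPv4 packets from a capture (strip the link-layer header first) to get a quick list of sources worth correlating with the GreyNoise reporting; spoofed sources mean the hits identify traffic, not senders.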
A clever threat campaign is abusing GitHub repositories to distribute the Lumma Stealer password-stealing malware targeting users who frequent an open source project repository or are subscribed to email notifications from it. A malicious GitHub user opens a new "issue" on an open source repository, falsely claiming that the project contains a "security vulnerability" and urges others to visit a counterfeit "GitHub Scanner" domain. The domain in question, however, is not associated with GitHub and tricks users into installing Windows malware:
https://www.bleepingcomputer.com/news/security/clever-github-scanner-campaign-abusing-repos-to-push-malware/
Hacker "grep" claims access to 20GB of Capgemini data, including API keys, staff information, and T-Mobile virtual machine logs. The Register reports that a user on the hacking message board BreachForums claims to have obtained the data from French technology services giant Capgemini, and that T-Mobile VM logs and source code are believed to be among it:
https://www.capacitymedia.com/capgemini-data-breach
The Walt Disney Company is reportedly ditching Slack after a July data breach exposed over 1TB of confidential messages and files posted to the company's internal communication channels. According to CNBC, Disney has already begun migrating to new "streamlined enterprise-wide collaboration tools" and emailed employees this week to say that they will finish the migration at the end of the company's next fiscal quarter:
https://www.bleepingcomputer.com/news/security/disney-ditching-slack-after-massive-july-data-breach/
The U.S. National Institute of Standards and Technology (NIST) has launched a new program to address the role of AI in cybersecurity and privacy. The program was announced Thursday and will kick off with the development of a community profile through the National Cybersecurity Center of Excellence (NCCoE) for the “cybersecurity of AI and AI for cybersecurity,” which will help guide the implementation of NIST’s Cybersecurity Framework (CSF) 2.0:
https://www.scmagazine.com/news/new-nist-program-focuses-on-ai-cybersecurity-and-privacy
German authorities dismantled Boystown, a notorious Dark Web platform for CSAM, by deanonymising Tor users in 2021. This breakthrough raises concerns over Tor’s privacy as law enforcement targets criminal activities on the Dark Web:
https://hackread.com/police-broke-tor-anonymity-arrest-dark-web-users/
Dell has confirmed to BleepingComputer that it is investigating recent claims that it suffered a data breach after a threat actor leaked the data of over 10,000 employees. The allegations were published yesterday by a threat actor named "grep," who alleges that the computing vendor suffered a "minor data breach" in September 2024, exposing internal employee and partner information:
https://www.bleepingcomputer.com/news/security/dell-investigates-data-breach-claims-after-hacker-leaks-employee-info/
The US DoJ has charged two men with stealing and laundering $230 million worth of cryptocurrency. Malone Lam (20) (aka “Greavys,” “Anne Hathaway,” and “$$$”) and Jeandiel Serrano (21) (aka “Box,” “VersaceGod,” and “@SkidStar”) were charged in Miami with stealing more than $230 million worth of cryptocurrency:
https://securityaffairs.com/168647/cyber-crime/us-doj-charged-two-men-stealing-laundering-230m.html
A researcher has released a proof-of-concept (PoC) exploit and analysis for a critical vulnerability, tracked as CVE-2024-40711, in Veeam's Backup & Replication software:
https://www.darkreading.com/application-security/poc-exploit-for-rce-flaw-but-patches-from-veeam
An Iranian advanced persistent threat (APT) actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks. Google-owned Mandiant is tracking the activity cluster under the moniker UNC1860, which it said shares similarities with intrusion sets tracked by Microsoft, Cisco Talos, and Check Point as Storm-0861 (formerly DEV-0861), ShroudedSnooper, and Scarred Manticore, respectively:
https://thehackernews.com/2024/09/iranian-apt-unc1860-linked-to-mois.html
Less than two weeks after patching one flaw, Ivanti announced on Sept. 19 that a second, critical Cloud Services Appliance (CSA) vulnerability is being exploited in the wild. The vulnerability (CVE-2024-8963, CVSS 9.4) is a path traversal in Ivanti CSA that allows a remote, unauthenticated attacker to access restricted functionality. Attackers have chained it with the previously disclosed flaw, CVE-2024-8190, a high-severity OS command injection that can allow unauthorized access to devices. The chain can be exploited for remote code execution (RCE) if the attacker has admin-level privileges:
https://www.darkreading.com/cyberattacks-data-breaches/ivanti-cloud-service-appliance-attacked-vuln
Microsoft has officially announced that Windows Server Update Services (WSUS) is now deprecated, but plans to maintain current functionality and continue publishing updates through the channel. This move isn't surprising, as Microsoft first listed WSUS as one of the "features removed or no longer developed starting with Windows Server 2025" on August 13:
https://www.bleepingcomputer.com/news/microsoft/microsoft-officially-deprecates-windows-server-update-services-wsus/
The U.K. Information Commissioner's Office (ICO) has confirmed that professional social networking platform LinkedIn has suspended processing users' data in the country to train its artificial intelligence (AI) models. "We are pleased that LinkedIn has reflected on the concerns we raised about its approach to training generative AI models with information relating to its U.K. users," Stephen Almond, executive director of regulatory risk, said:
https://thehackernews.com/2024/09/linkedin-halts-ai-data-processing-in-uk.html
Apple’s macOS Sequoia update is causing major compatibility issues with popular security tools. Reportedly, users are facing disruptions and frustration as vendors scramble to find solutions. Learn about the affected software, potential workarounds, and the latest updates on this ongoing issue:
https://hackread.com/apples-macos-sequoia-update-breaks-security-tools/
Ukraine has restricted the use of the Telegram messaging app by government officials, military personnel, and other defense and critical infrastructure workers, citing national security concerns. The ban was announced by the National Coordination Centre for Cybersecurity (NCCC) in a post shared on Facebook. "I have always advocated and advocate for freedom of speech, but the issue of Telegram is not a question of freedom of speech, it is a matter of national security," Kyrylo Budanov, head of Ukraine's GUR military intelligence agency, said:
https://thehackernews.com/2024/09/ukraine-bans-telegram-use-for.html
Singaporean crypto platform BingX reported a cyberattack on Friday. Threat actors stole over $44 million worth of cryptocurrency. The crypto platform discovered unauthorized transfers of funds on Thursday night, shortly before BingX announced a shutdown for “wallet maintenance” on social media:
https://securityaffairs.com/168703/cyber-crime/hackers-stole-44m-from-bingx.html
A massive infostealer malware operation encompassing thirty campaigns targeting a broad spectrum of demographics and system platforms has been uncovered, attributed to a cybercriminal group named "Marko Polo." The threat actors use a variety of distribution channels, including malvertising, spearphishing, and brand impersonation in online gaming, cryptocurrency, and software, to spread 50 malware payloads, including AMOS, Stealc, and Rhadamanthys:
https://www.bleepingcomputer.com/news/security/global-infostealer-malware-operation-targets-crypto-users-gamers/
Microsoft announced today that Hotpatching is now available in public preview for Windows Server 2025, allowing installation of security updates without restarting. Hotpatching deploys Windows security updates by patching the in-memory code of running processes, so neither the processes nor the server need to be restarted after each installation:
https://www.bleepingcomputer.com/news/microsoft/windows-server-2025-hotpatching-in-public-preview-installs-security-updates-without-restarts/
A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools. The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed Earth Baxia:
https://thehackernews.com/2024/09/chinese-hackers-exploit-geoserver-flaw.html
Broadcom has released fixes for two vulnerabilities affecting VMware vCenter Server that can be triggered by sending a specially crafted network packet, and could lead to remote code execution (CVE-2024-38812) or privilege escalation (CVE-2024-38813):
https://www.helpnetsecurity.com/2024/09/18/cve-2024-38812-cve-2024-38813/