CyberSecurity Newsletter 28th October 2024
In this week’s news: Black Basta ransomware poses as IT support on Microsoft Teams; Twitter is blasted for security and privacy lapses; Russia's APT29 mimics AWS domains to steal Windows credentials; Fortinet warns of an actively exploited critical bug in FortiManager products; Lazarus Group exploits a new vulnerability in Google Chrome; Amazon broke up a phishing operation that impersonated thousands of Amazon Web Services (AWS) domains; and the SEC fines companies millions for downplaying the SolarWinds breach.
Black Basta ransomware poses as IT support on Microsoft Teams to breach networks. In a new report, ReliaQuest researchers observed Black Basta affiliates evolving their tactics in October and now using Microsoft Teams to contact targets:
https://www.bleepingcomputer.com/news/security/black-basta-ransomware-poses-as-it-support-on-microsoft-teams-to-breach-networks/
Twitter is blasted for security and privacy lapses by the company’s former head of security, who alleges the social media giant’s actions amount to a national security risk. A recently surfaced 84-page whistleblower report filed with the US government by Twitter’s former head of security Peiter “Mudge” Zatko last month blasts his former employer for its alleged shoddy security practices and for being out of compliance with an FTC order to protect user data:
https://threatpost.com/twitter-whistleblower-tldr-version/180472/
Russia's APT29 Mimics AWS Domains to Steal Windows Credentials. APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world's most notorious threat actor. An arm of the Russian Federation's Foreign Intelligence Service (SVR), it's best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft's codebase and political targets across Europe, Africa, and beyond:
https://www.darkreading.com/cyberattacks-data-breaches/russias-apt29-aws-windows-credentials
Fortinet and Mandiant are sounding the alarm about an active campaign exploiting a critical bug in FortiManager products that allows a remote, unauthenticated attacker to take control of the FortiManager instance and the devices it manages. Mandiant and Fortinet investigated more than 50 organizations this month that were hit by the campaign, but found indications that it started as early as June 27. The Google-owned cybersecurity firm further warned in the new report that it lacks “sufficient data to assess actor motivation or location” and is currently tracking the cluster of activity as UNC5820:
https://cyberscoop.com/fortinet-fortimanager-mandiant-unc5820-alert/
A new report released today by Cisco Talos warns of the implications of the recent Snowflake Inc. cloud data platform breach and how the compromised accounts highlight the vulnerabilities inherent in cloud environments. The Snowflake breach involved attackers using stolen login credentials to infiltrate customer accounts. The credentials were not protected by multifactor authentication, allowing the attackers to steal sensitive information. However, Cisco Talos argues that the incident is not just about Snowflake but indicates a broader shift in cyberthreats toward identity and compromised credentials:
https://news.hitb.org/content/cisco-talos-warns-wider-security-implications-following-snowflake-breach
A recently discovered cyber-attack by the notorious Lazarus Group, including its BlueNoroff subgroup, exploited a then-unpatched (zero-day) vulnerability in Google Chrome. The group used the exploit to take complete control of infected systems, the latest in a long series of sophisticated campaigns by the North Korean-backed threat actor:
https://www.infosecurity-magazine.com/news/lazarus-group-exploits-google/
CVE-2024-43532: Windows Remote Registry Service NTLM relay (elevation of privilege). Exploitation of the bug allows a client's NTLM authentication data to be intercepted and relayed to Active Directory Certificate Services (ADCS), letting the attacker request a user certificate that can then be used to authenticate to the domain as that user:
https://github.com/HazeLook/CVE-2024-43532
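The item above turns on what the relayed NTLM authentication data actually contains. Whether a relay to another service (such as ADCS web enrollment) can succeed depends partly on protections the victim client embeds in its AUTHENTICATE_MESSAGE: a MIC over the exchange, a target SPN (MsvAvTargetName), TLS channel bindings (MsvChannelBindings, the basis of Extended Protection for Authentication), and negotiated signing or sealing. The Python below is an added example, not code from the page or from the linked repository: it parses a Type 3 message per MS-NLMP and lists which of those protections are absent. The two messages it inspects are constructed in code with dummy NTLMv2 responses and placeholder names (CORP, WS01, jdoe, cifs/fs01.corp.local); they are not captures.

```python
"""Inspect an NTLMSSP AUTHENTICATE_MESSAGE (Type 3) for relay-relevant protections.

Constructed example: the two sample messages are assembled in code with dummy
NTLMv2 responses. They are syntactically valid per MS-NLMP but carry no real
credentials.
"""
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5).
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_SIGN = 0x00000010
NEGOTIATE_SEAL = 0x00000020
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_VERSION = 0x02000000

# AV_PAIR ids inside the NTLMv2 response (MS-NLMP 2.2.2.1).
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN = 0, 1, 2
AV_FLAGS, AV_TIMESTAMP, AV_TARGET_NAME, AV_CHANNEL_BINDINGS = 6, 7, 9, 10
AV_FLAG_MIC_PRESENT = 0x00000002

HEADER_LEN = 88  # signature + type + 6 field descriptors + flags + version + MIC


def _payload_field(msg: bytes, desc_off: int) -> bytes:
    """Resolve a (Len, MaxLen, BufferOffset) descriptor into its payload bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, desc_off)
    return msg[offset:offset + length]


def parse_av_pairs(data: bytes) -> dict:
    """Parse the AV_PAIR list: AvId (u16), AvLen (u16), Value, terminated by MsvAvEOL."""
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == AV_EOL:
            break
        pairs[av_id] = data[pos:pos + av_len]
        pos += av_len
    return pairs


def parse_authenticate(msg: bytes) -> dict:
    """Extract identity, flags and the relay-relevant AV pairs from a Type 3 message."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    nt_resp = _payload_field(msg, 20)
    flags = struct.unpack_from("<I", msg, 60)[0]
    info = {
        "domain": _payload_field(msg, 28).decode("utf-16-le"),
        "user": _payload_field(msg, 36).decode("utf-16-le"),
        "workstation": _payload_field(msg, 44).decode("utf-16-le"),
        "flags": flags,
        "sign_or_seal": bool(flags & (NEGOTIATE_SIGN | NEGOTIATE_SEAL)),
        "ntlm_version": 1, "mic_present": False, "target_spn": None, "channel_bindings": None,
    }
    # NTLMv2 response = NTProofStr (16) + NTLMv2_CLIENT_CHALLENGE; the AV pairs start
    # 28 bytes into the challenge (RespType, HiRespType, 6 reserved, 8 timestamp,
    # 8 client challenge, 4 reserved). An NTLMv1 response is exactly 24 bytes.
    if len(nt_resp) > 24:
        av = parse_av_pairs(nt_resp[16 + 28:])
        info["ntlm_version"] = 2
        if AV_FLAGS in av and len(av[AV_FLAGS]) >= 4:
            info["mic_present"] = bool(struct.unpack_from("<I", av[AV_FLAGS])[0] & AV_FLAG_MIC_PRESENT)
        if AV_TARGET_NAME in av:
            info["target_spn"] = av[AV_TARGET_NAME].decode("utf-16-le")
        cb = av.get(AV_CHANNEL_BINDINGS)
        if cb and any(cb):  # 16 zero bytes means "no TLS channel to bind to"
            info["channel_bindings"] = cb.hex()
    return info


def relay_findings(info: dict) -> list:
    """List the client-side protections that are absent, i.e. what a relay can exploit."""
    if info["ntlm_version"] == 1:
        return ["NTLMv1 response: no AV pairs at all, weak and relayable"]
    findings = []
    if not info["mic_present"]:
        findings.append("no MIC: the message can be altered in transit (flag downgrade)")
    if info["target_spn"] is None:
        findings.append("no MsvAvTargetName: target cannot tell it is not the intended service")
    if info["channel_bindings"] is None:
        findings.append("no channel binding: relay to a TLS endpoint without EPA succeeds")
    if not info["sign_or_seal"]:
        findings.append("no SIGN/SEAL negotiated: services accepting unsigned sessions are relayable")
    return findings


def analyze(msg: bytes):
    """Return (parsed fields, list of relay-relevant weaknesses)."""
    info = parse_authenticate(msg)
    return info, relay_findings(info)


def build_authenticate(user, domain, workstation, flags, av_pairs, mic=bytes(16)) -> bytes:
    """Assemble a Type 3 message with a DUMMY NTLMv2 response (constructed test data only)."""
    avs = b"".join(struct.pack("<HH", k, len(v)) + v for k, v in av_pairs) + struct.pack("<HH", AV_EOL, 0)
    client_challenge = b"\x01\x01" + bytes(6) + bytes(8) + b"\x22" * 8 + bytes(4) + avs + bytes(4)
    items = [bytes(24), b"\x11" * 16 + client_challenge,  # LM response, NT response
             domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]  # no encrypted session key
    descriptors, payload = b"", b""
    for item in items:
        descriptors += struct.pack("<HHI", len(item), len(item), HEADER_LEN + len(payload))
        payload += item
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags) + bytes(8) + mic + payload


def u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Legacy-style client: no MIC flag, no target SPN, no channel bindings, no signing.
SAMPLE_WEAK = build_authenticate("jdoe", "CORP", "WS01", NEGOTIATE_UNICODE | NEGOTIATE_VERSION,
                                 [(AV_NB_DOMAIN, u16("CORP")), (AV_NB_COMPUTER, u16("DC01"))])
# Modern client: MIC flagged, SPN pinned, channel bound, signing and sealing negotiated.
SAMPLE_HARDENED = build_authenticate(
    "jdoe", "CORP", "WS01",
    NEGOTIATE_UNICODE | NEGOTIATE_VERSION | NEGOTIATE_SIGN | NEGOTIATE_SEAL | NEGOTIATE_ALWAYS_SIGN,
    [(AV_NB_DOMAIN, u16("CORP")), (AV_NB_COMPUTER, u16("DC01")),
     (AV_FLAGS, struct.pack("<I", AV_FLAG_MIC_PRESENT)),
     (AV_TARGET_NAME, u16("cifs/fs01.corp.local")),
     (AV_CHANNEL_BINDINGS, bytes.fromhex("aa" * 16))],
    mic=b"\x7f" * 16)

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        info, findings = analyze(sample)
        print(name, info["domain"] + "\\" + info["user"], findings or "no client-side weaknesses")
```

The check is client-side only. A relay still fails if the receiving service enforces EPA or signing, and a fully hardened client message can still be relayed to a service that ignores the SPN and channel bindings, so pair this with the server-side configuration review. To use it on real traffic, feed it the NTLMSSP token pulled from an HTTP Authorization header or an SMB/RPC bind in a packet capture.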
Online retail giant and cloud-service provider Amazon broke up a phishing operation that impersonated thousands of Amazon Web Services (AWS) domains. The AWS security team, together with Ukraine's CERT-UA, attributed to the Russian-backed APT29 group an attack that used spoofed AWS domains to harvest login credentials from Ukrainian-speaking targets. Since uncovering the phishing campaign, Amazon has issued a mass takedown of the domains used in the attack:
https://www.scworld.com/news/aws-breaks-up-massive-russian-phishing-operation
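Both the APT29 item above and this one describe spoofed AWS domains used to harvest credentials. A SOC-side check that follows from that description: a hostname carrying AWS branding that is not under an AWS-controlled zone is a lookalike worth blocking or investigating. The Python below is an added example (not Amazon's, CERT-UA's or the page's code) of that check run over hostnames from DNS or proxy logs. The allow-list of AWS zones and the sample hostnames are constructed for the example; the page gives no indicator list, so nothing here is a real indicator from the campaign.

```python
"""Flag hostnames that impersonate AWS but sit outside AWS-controlled zones.

Constructed example: the allow-list and the sample hostnames are assumptions for
illustration, not data from any real campaign.
"""
from __future__ import annotations

import re

# Assumed allow-list of registrable domains AWS controls (not exhaustive);
# anything not under one of these is, by definition, not an AWS login page.
AWS_ZONES = frozenset({
    "amazonaws.com", "amazonaws.com.cn", "amazon.com",
    "awsstatic.com", "awsapps.com", "aws.dev", "aws.a2z.com",
})

# Brand words whose presence makes a non-AWS hostname a lookalike ...
BRAND_TOKENS = frozenset({"aws", "amazon", "amazonaws", "awsapps"})
# ... and words that only add weight once a brand word is present.
CONTEXT_TOKENS = frozenset({"signin", "login", "console", "sso"})
# Longer brand words are also matched with one edit of slack (typos, dropped letters).
FUZZY_TOKENS = ("amazonaws", "amazon")

# Digit-for-letter swaps that defeat naive substring matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def is_under_aws_zone(host: str) -> bool:
    """True when host is an AWS zone or a subdomain of one (checked on the raw name)."""
    h = host.strip().lower().rstrip(".")
    return any(h == z or h.endswith("." + z) for z in AWS_ZONES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard DP; labels are short so quadratic cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_evidence(host: str) -> list[str]:
    """Return brand/context tokens found in the labels of the homoglyph-normalized name.

    Fuzzy hits are prefixed with '~' so the analyst can see they were approximate.
    """
    labels = re.split(r"[.\-_]", host.strip().lower().rstrip(".").translate(HOMOGLYPHS))
    evidence: list[str] = []
    for label in filter(None, labels):
        if label in BRAND_TOKENS or label in CONTEXT_TOKENS:
            evidence.append(label)
            continue
        for tok in FUZZY_TOKENS:
            if abs(len(label) - len(tok)) <= 1 and levenshtein(label, tok) == 1:
                evidence.append("~" + tok)
                break
    return evidence


def classify(host: str) -> tuple[str, list[str]]:
    """Verdict for one hostname: 'legitimate', 'lookalike' or 'unrelated', plus evidence."""
    if is_under_aws_zone(host):
        return "legitimate", []
    evidence = brand_evidence(host)
    has_brand = any(e in BRAND_TOKENS or e.startswith("~") for e in evidence)
    return ("lookalike", evidence) if has_brand else ("unrelated", [])


def triage(hosts: list[str]) -> dict[str, list[str]]:
    """Group a batch of observed hostnames (e.g. from DNS or proxy logs) by verdict."""
    out: dict[str, list[str]] = {"legitimate": [], "lookalike": [], "unrelated": []}
    for h in hosts:
        out[classify(h)[0]].append(h)
    return out


# Constructed sample, not observed data.
SAMPLE_HOSTS = [
    "signin.aws.amazon.com", "s3.eu-west-1.amazonaws.com",
    "aws-signin-console.example.net", "amaz0naws.com",
    "amazonws.com", "amazonaws.com.evil.org",
    "mail.example.com", "laws.example.com",
]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_HOSTS).items():
        print(f"{verdict:10s} {hosts}")
```

The zone check deliberately runs on the raw name and the token check on the homoglyph-normalized one, so "amaz0naws.com" is never treated as an AWS zone but is still recognised as branding. Context words alone ("signin.example.org") do not trigger a verdict, which keeps the false-positive rate down on unrelated login pages; tune the fuzzy distance and token lists against your own traffic before alerting on the result.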
Johnson & Johnson Data Breach Exposes Personal Information of 3,200 Individuals. SecurityWeek initially reported on the breach, highlighting the significant impact on the U.S. insurance company. According to breach notification letters filed with the Office of the Maine Attorney General, the attackers successfully accessed files containing personal information from the network:
https://dailysecurityreview.com/security-spotlight/johnson-johnson-data-breach/
Amazon Web Services has fixed a flaw in its open source Cloud Development Kit that, under the right conditions, could allow an attacker to hijack a user's account completely. The Cloud Development Kit (CDK) is an open source framework, developed by AWS, that allows developers to define cloud application infrastructure as code using programming languages such as Python, TypeScript, JavaScript, Go and others, and then provision these resources through AWS CloudFormation:
https://www.theregister.com/2024/10/24/aws_cloud_development_kit_flaw/
Fog and Akira ransomware operators are increasingly breaching corporate networks through SonicWall VPN accounts, with the threat actors believed to be exploiting CVE-2024-40766, a critical SSL VPN access control flaw. SonicWall fixed the SonicOS flaw in late August 2024, and roughly a week later it warned that the flaw was already under active exploitation:
https://www.bleepingcomputer.com/news/security/fog-ransomware-targets-sonicwall-vpns-to-breach-corporate-networks/
Four former members of the REvil ransomware group were sentenced in Russia for hacking and money laundering, marking a rare case of Russian gang members being convicted in their own country. The four men are Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov. All four were convicted of illegal payment handling, while Puzyrevsky and Khansvyarov were also found guilty of using and distributing malware:
https://securityaffairs.com/170287/cyber-crime/revil-ransomware-group-member-sentenced.html
SEC Fines Companies Millions for Downplaying SolarWinds Breach. The initial attack might be years old, but regulators at the Securities and Exchange Commission (SEC) are still sifting through the details of the 2020 SolarWinds breach. This week, the SEC announced it has charged four companies for what the agency determined was an intentional effort to minimize the impact of the hack on their systems:
https://www.darkreading.com/cyberattacks-data-breaches/sec-fines-companies-millions-downplaying-solarwinds-breach
The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins. These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users. This technique leverages social engineering strategies to trick users into executing malicious code, ultimately compromising their systems with various types of malware and information stealers:
https://www.infostealers.com/article/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials/
New Windows Driver Signature bypass allows kernel rootkit installs. SafeBreach security researcher Alon Leviev reported the update-takeover issue, but Microsoft dismissed it, saying it did not cross a defined security boundary, since the technique requires administrator privileges and administrator-to-kernel is not a boundary Microsoft defends:
https://www.bleepingcomputer.com/news/security/new-windows-driver-signature-bypass-allows-kernel-rootkit-installs/
The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third parties:
https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.html
Irish Data Protection Commission fined LinkedIn €310M for violating user privacy by using behavioral data analysis for targeted advertising. The DPC’s inquiry was launched following an initial complaint to the French Data Protection Authority:
https://securityaffairs.com/170266/laws-and-regulations/irish-dpc-fined-linkedin.html