CyberSecurity Newsletter 30th December 2024
In this week’s news: a Chrome extension from a cybersecurity firm was hijacked, resulting in the theft of user data; a Palo Alto Networks DoS vulnerability; a Volkswagen Group data breach affecting 800k electric vehicles; crypto scammers using fake job interviews to enable backdoor malware attacks; a Presentation API flaw in Google Chrome that allowed a remote attacker to potentially exploit heap corruption; and Atos may have been hacked.
At least five Chrome extensions were compromised in a coordinated attack in which a threat actor injected code that steals sensitive information from users. One attack was disclosed by Cyberhaven, a data loss prevention company, which alerted its customers of a breach on December 24 after a successful phishing attack on an administrator account for the Google Chrome store. Among Cyberhaven's customers are Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis. The hacker hijacked the employee’s account and published a malicious version (24.10.4) of the Cyberhaven extension, which included code that could exfiltrate authenticated sessions and cookies to the attacker's domain:
https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-extension-hijacked-to-steal-users-data/
Palo Alto Networks on Dec. 26 released a patch for a denial-of-service (DoS) flaw in the DNS security feature of the company’s PAN-OS firewall software. The high-severity bug (rated 8.7), CVE-2024-3393, lets an unauthenticated attacker send a malicious packet through the data plane of the firewall that reboots the device. Palo Alto said repeated attempts to trigger this condition will cause the firewall to enter maintenance mode, requiring manual intervention by the security team:
https://www.scworld.com/news/palo-alto-networks-patches-dos-bug-in-pan-os-software
A significant security vulnerability within the Volkswagen Group has resulted in a data breach affecting approximately 800,000 electric vehicles. The leaked data includes location information for vehicles from the VW, Audi, Seat, and Skoda brands:
https://dailysecurityreview.com/security-spotlight/volkswagen-data-breach-exposes-location-data-of-800000-electric-vehicles/
Space Bears ransomware group claims to have breached Atos.
Crypto scammers use fake job interviews to enable backdoor malware attacks. A sophisticated attack is targeting web3 professionals, getting them to run malicious code on their systems during fake interviews presented as part of a lucrative offer from crypto scammers posing as employers:
https://cryptocents.pro/crypto-scammers-use-fake-job-interviews-to-enable-backdoor-malware-attacks/
The threat actor known as Cloud Atlas has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting "several dozen users" in 2024. "Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code," Kaspersky researcher Oleg Kupreev said in an analysis published this week:
https://thehackernews.com/2024/12/cloud-atlas-deploys-vbcloud-malware.html
Many organizations using Postman workspaces are putting their data, employees, customers, and partners at risk, due to various misconfigurations, experts have warned. CloudSEK’s Triad team uncovered more than 30,000 publicly accessible Postman workspaces leaking sensitive information:
https://www.techradar.com/pro/security/thousands-of-widely-used-public-workspaces-are-leaking-data
North Korea-linked threat actors are using the OtterCookie backdoor to target software developers with fake job offers. The Contagious Interview campaign was first detailed by Palo Alto Networks researchers in November 2023; however, it has been active since at least December 2022. The attacks appear to be financially motivated and are not targeted. Since November 2024, the threat actors have employed the OtterCookie malware, alongside BeaverTail and InvisibleFerret, in the campaign:
https://securityaffairs.com/172382/malware/north-korea-linked-actors-using-ottercookie-backdoor.html
Anna Jaques Hospital has confirmed on its website that a ransomware attack it suffered almost exactly a year ago, on December 25, 2023, exposed sensitive health data of over 310,000 patients. Anna Jaques is a not-for-profit community hospital in Massachusetts, recognized for delivering high-quality care and performing over 4,700 surgeries yearly. As a mid-size acute care hospital with 83 beds, 200 physicians, and 1,200 staff members, AJH plays a crucial role in the Merrimack Valley, the North Shore, and southern New Hampshire, providing essential healthcare services to the local population:
https://www.bleepingcomputer.com/news/security/anna-jaques-hospital-ransomware-breach-exposed-data-of-300k-patients/
A White House official has added a ninth U.S. telecommunications company to the list of telecoms breached in a Chinese hacking campaign that impacted dozens of countries. The Chinese cyber-espionage group Salt Typhoon (also tracked as Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286), which orchestrated these attacks, is known for breaching government entities and telecom companies throughout Southeast Asia and has been active since at least 2019:
https://www.bleepingcomputer.com/news/security/white-house-links-ninth-telecom-breach-to-chinese-hackers/
Suspected Russian threat actors have disrupted most Ukrainian state registers as part of a massive cyberattack that has forced the country to process births, marriages, and deaths on paper, according to The Record, a news site run by cybersecurity firm Recorded Future. The intrusion was previously claimed by the pro-Russia hacktivist operation XakNet, which later asserted that it had deleted the stolen database and its backups. Also impacted were the processing of real estate transactions, stock exchange trading, civil servant and judge appointments, and certain court case evaluations:
https://www.scworld.com/brief/ukrainian-state-registers-hit-by-suspected-russian-hackers
FortiGuard Labs observed increased activity from two botnets, the Mirai variant “FICORA” and the Kaiten variant “CAPSAICIN”:
https://securityaffairs.com/172373/uncategorized/surge-ficora-kaiten-botnets.html
CVE-2024-5498: Use after free in Presentation API in Google Chrome prior to 125.0.6422.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High):
https://issues.chromium.org/issues/40053095