CyberSecurity Newsletter 9th September 2024
In this week’s news: Russia is accused of targeting critical infrastructure, IBM's Cost of Data Breach report, Avis was breached, the White House addresses the cybersecurity talent shortage, GitHub Actions are vulnerable to typosquatting, London Transport was hacked, Sonicwall has a critical vulnerability, Veeam addresses 18 vulnerabilities, Kibana RCE Vulnerability, and Apache OFBiz PoC is in the wild.
The US, UK and seven other governments have accused the Russian military of launching cyber-attacks targeting critical infrastructure for espionage and sabotage purposes:
https://www.infosecurity-magazine.com/news/us-allies-russian-military-cyber/
IBM releases its Cost of a Data Breach Report 2024: the global average cost of a data breach in 2024 is USD 4.8M, a 10% increase over last year and the highest total ever:
https://www.ibm.com/reports/data-breach
Fog Ransomware Now Targeting the Financial Sector; Adlumin Thwarts Attack:
https://adlumin.com/post/fog-ransomware-now-targeting-the-financial-sector/
The State of the Virtual CISO Report: MSP/MSSP Security Strategies for 2025:
https://thehackernews.com/2024/09/the-state-of-virtual-ciso-report.html
American car rental giant Avis notified customers that unknown attackers breached one of its business applications last month and stole some of their personal information. According to data breach notification letters sent to impacted customers on Wednesday and filed with California's Office of the Attorney General, the company took action to stop the unauthorised access, launched an investigation with the help of external cybersecurity experts, and reported the incident to relevant authorities after learning of the breach on August 5:
https://www.bleepingcomputer.com/news/security/car-rental-giant-avis-discloses-data-breach-impacting-customers/
The Chinese threat operation Earth Lusca has deployed the new KTLVdoor malware against Windows and Linux endpoints as part of a comprehensive campaign, Security Affairs reports:
https://www.scmagazine.com/brief/novel-ktlvdoor-malware-leveraged-by-earth-lusca-operation
Cybersecurity Talent Shortage Prompts White House Action:
https://www.darkreading.com/cybersecurity-operations/cybersecurity-talent-shortage-prompts-white-house-action
GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code. The latest findings from cloud security firm Orca show that even GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform, is not immune from the threat. "If developers make a typo in their GitHub action that matches a typosquatter's action, applications could be made to run malicious code without the developer even realising," security researcher Ofir Yakobi said in a report shared with The Hacker News:
https://thehackernews.com/2024/09/github-actions-vulnerable-to.html
Transport for London, the city's public transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a Sunday cyberattack. On Monday, the transport authority reported the incident to relevant government agencies (including the National Cyber Security Centre and the National Crime Agency). It is now working with them to respond, assess, and contain the attack's impact:
https://www.bleepingcomputer.com/news/security/transport-for-london-staff-faces-systems-disruptions-after-cyberattack/
SpyAgent Android malware steals your crypto recovery phrases from images:
https://www.bleepingcomputer.com/news/security/spyagent-android-malware-steals-your-crypto-recovery-phrases-from-images/
The US Department of Justice has named five Russian computer hackers as members of Unit 29155 (the 161st Specialist Training Center of the Russian General Staff Main Intelligence Directorate, GRU), which it deems responsible for the 2022 WhisperGate wiper malware attacks on Ukrainian government organizations and critical infrastructure, and subsequently for computer network operations against NATO member and ally countries:
https://www.helpnetsecurity.com/2024/09/06/unit-29155/
An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash:
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz versions before 18.12.14 (18.12.14 itself is not affected). Users are recommended to upgrade to version 18.12.14, which fixes the issue:
https://github.com/Mr-xn/CVE-2024-32113
Russian and Kazakhstani men indicted for operating the Dark Web cybercriminal marketplace WWH Club and other crime forums and markets:
https://securityaffairs.com/168177/cyber-crime/feds-indicted-admins-wwh-club-marketplace.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Draytek VigorConnect and Kingsoft WPS Office bugs to its Known Exploited Vulnerabilities catalog:
https://securityaffairs.com/168153/security/cisa-draytek-vigorconnect-kingsoft-wps-office-bugs-known-exploited-vulnerabilities-catalog.html
A new variant of the ongoing sextortion email scams is now targeting spouses, saying that their husband or wife is cheating on them, with links to the alleged proof:
https://www.bleepingcomputer.com/news/security/sextortion-scam-now-use-your-cheating-spouses-name-as-a-lure/
A critical flaw in the LiteSpeed Cache plugin for WordPress could allow unauthenticated users to take control of arbitrary accounts:
https://securityaffairs.com/168145/security/litespeed-cache-plugin-wordpress-flaw.html
Elite Botnet Hits Government Sites With “DDoS”:
https://medium.com/@willycyber/elite-botnet-hits-government-sites-with-ddos-833235b71779
Threat actors affiliated with North Korea have been observed leveraging LinkedIn as a way to target developers as part of a fake job recruiting operation. These attacks employ coding tests as a common initial infection vector, Google-owned Mandiant said in a new report about threats faced by the Web3 sector:
https://thehackernews.com/2024/09/north-korean-threat-actors-deploy.html
Veeam released patches for 13 high-severity and five critical vulnerabilities, including one flaw in Veeam Backup & Replication that could lead to unauthenticated remote code execution (RCE):
https://www.scmagazine.com/news/veeam-patches-5-critical-vulnerabilities-including-unauthenticated-rce-flaw
Recent research by SentinelOne exposed a new ransomware actor, dubbed NullBulge, which targets software supply chains by weaponising code in open-source repositories like Hugging Face and GitHub. The group, claiming to be a hacktivist organisation motivated by an anti-AI cause, explicitly targets these resources to poison data sets used in AI model training:
https://securityintelligence.com/articles/cyber-criminals-compromising-ai-software-supply-chains/
TIDRONE Targets Military and Satellite Industries in Taiwan:
https://www.trendmicro.com/en_us/research/24/i/tidrone-targets-military-and-satellite-industries-in-taiwan.html
Critical Kibana Flaws (CVE-2024-37288, CVE-2024-37285) Expose Systems to Arbitrary Code Execution:
https://securityonline.info/critical-kibana-flaws-cve-2024-37288-cve-2024-37285-expose-systems-to-arbitrary-code-execution/
A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk:
https://thehackernews.com/2024/09/geoserver-vulnerability-targeted-by.html
CTEM in the Spotlight: How Gartner's New Categories Help to Manage Exposures:
https://thehackernews.com/2024/08/ctem-in-spotlight-how-gartners-new.html