CyberSecurity Newsletter August 5th 2024
In this week’s news: the $75 million ransomware payment, hackers exploit a Twilio API, an ISP hacked to poison Microsoft and Apple updates, the CrowdStrike issue forces Microsoft to secure the kernel, CrowdStrike IoC list exposed, vulnerabilities in Rockwell, VMware and ServiceNow, and the Illinois voter database breached.
BagheeraAltered's CyberSecurity Newsletter • Buttondown
Weekly cybersecurity newsletter, your go-to source for the latest updates on data breaches, cutting-edge exploits, and activist-driven hacking. Dive into expert analysis and insights that unravel the complexities behind the week's most significant cybersecurity incidents. Join our community of professionals and enthusiasts staying ahead in the ever-evolving landscape of digital security threats and defences.
Cybersecurity firm Zscaler has revealed that the Dark Angels ransomware group received an unprecedented $75 million ransom payment from a single victim in a shocking development that underscores the escalating ransomware threat. This staggering sum nearly doubles the $40 million paid by insurance giant CNA Financial in 2021, marking a new milestone in the history of cybercrime:
https://cybersecuritynews.com/record-breaking-ransom-payment/
Hackers have exploited an unsecured API endpoint in Twilio to verify millions of Authy users’ phone numbers, leaving them vulnerable to SMS phishing and SIM-swapping attacks. It appears that in late June 2024, a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service:
https://www.digitaljournal.com/tech-science/message-received-hackers-exploit-communications-firm-vulnerability/article
A Chinese hacking group tracked as StormBamboo has compromised an undisclosed internet service provider (ISP) to poison automatic software updates with malware. Volexity threat researchers revealed that the Chinese cyber-espionage gang had exploited insecure HTTP software update mechanisms that didn't validate digital signatures to deploy malware payloads on victims' Windows and macOS devices:
https://www.bleepingcomputer.com/news/security/hackers-breach-isp-to-poison-software-updates-with-malware/
The CrowdStrike incident that affected more than 8.5 million Windows PCs worldwide and forced users to face the “Blue Screen of Death” made Microsoft sit down and revisit the resilience of its operating system. The company is now prioritising the reduction of kernel-level access for software applications, a move designed to make the security architecture of Windows more resilient and robust in the wake of the CrowdStrike outage:
https://www.csoonline.com/article/3478365/microsoft-shifts-focus-to-kernel-level-security-after-crowdstrike-incident.html
Hackread reports that CrowdStrike's 103,000-line indicator of compromise list was exposed by widely known threat actor USDoD on Breach Forums following the hacker's claims of exfiltrating the U.S. cybersecurity firm's complete threat actor list last week. CrowdStrike noted the information included in the exposed dataset had "LastActive" dates not later than June:
https://www.scmagazine.com/brief/crowdstrike-ioc-list-exposed-by-usdod-threat-actor
A cyberespionage group, XDSpy, recently targeted victims in Russia and Moldova with a new malware variant. The malicious emails, discovered by Russian cybersecurity firm F.A.C.C.T., contained a link to an archive with a legitimate executable file, which allowed attackers to run malicious code without raising suspicion:
https://therecord.media/russia-moldova-cyberespionage-campaign
VMware ESXi Hypervisor Vulnerability (CVE-2024-37085) Exploited by Ransomware Groups, Microsoft Warns:
https://socradar.io/vmware-esxi-hypervisor-vulnerability-cve-2024-37085/
Two vulnerabilities affecting popular tools from the cloud company ServiceNow are being exploited by hackers eager to steal sensitive data:
https://therecord.media/critical-servicenow-vulnerabilities-hackers-cisa
Cybersecurity researchers found that 4.6M Illinois voter records were exposed in unsecured databases. Sensitive data, including names, addresses, and SSNs, were publicly accessible. The incident highlights vulnerabilities in election data security and the potential for misuse:
https://hackread.com/millions-us-voter-data-exposed-misconfigured-databases/
A critical security vulnerability in Rockwell Automation’s ControlLogix and GuardLogix controllers has been discovered. This vulnerability could potentially allow attackers to bypass security measures and gain unauthorised access to industrial control systems:
https://cybersecuritynews.com/rockwell-automation-devices-flaw-let-hackers-gain-unauthorized-access/
Security researchers have discovered a new way hackers can steal sensitive information, like passwords. This involves eavesdropping on HDMI cables, a concerning development for computer users. The technique, detailed in a recent study by researchers at Universidad de la República in Uruguay, uses artificial intelligence to decode electromagnetic emissions from HDMI connections and reconstruct what’s displayed on a computer screen:
https://cybersecuritynews.com/hdmi-cables-steal-passwords/
Microsoft 365 users are targeted by phishers who abuse Microsoft Forms. Forms are part of the Microsoft 365 product suite and are used to gather feedback and information via surveys, quizzes and polls. Threat actors often leverage email accounts of breached business partners and vendors to send out phishing emails. In these latest campaigns, the emails took the form of fake mail error notifications from Microsoft:
https://www.helpnetsecurity.com/2024/07/29/microsoft-365-phishing-forms/
A vulnerability exists in the use of shared SPF records by multi-tenant hosting providers: because every tenant is covered by the same network authorisation, an attacker hosted on the same infrastructure can abuse it to spoof the email identity of another tenant's sender:
https://cve.threatint.com/CVE/CVE-2024-7209
CISA has ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their servers against a VMware ESXi authentication bypass vulnerability exploited in ransomware attacks. CVE-2024-37085 allows attackers who have already gained high privileges on the ESXi hypervisor to create an 'ESX Admins' group (it is not present by default) and add a new user to it; that user is then automatically assigned full administrative privileges:
https://www.bleepingcomputer.com/news/security/cisa-warns-of-vmware-esxi-bug-exploited-in-ransomware-attacks/
Microsoft experienced a significant global outage affecting its Azure cloud services and Microsoft 365 products. The incident, which lasted nearly 10 hours, was triggered by a Distributed Denial-of-Service (DDoS) attack and impacted users worldwide:
https://cybersecuritynews.com/ddos-attack-microsoft-azure/
A malicious campaign targeting Android devices worldwide utilises thousands of Telegram bots to infect devices with SMS-stealing malware and steal one-time 2FA passwords (OTPs) for over 600 services:
https://www.bleepingcomputer.com/news/security/massive-sms-stealer-campaign-infects-android-devices-in-113-countries/
North Korean Hackers Target USA Critical Infrastructure and Military Bases:
https://malware.news/t/north-korean-hackers-target-usa-critical-infrastructure-and-military-bases/84565