CyberSecurity Newsletter June 3rd 2024
In this week's news: Optus loses appeal to keep its IR report confidential, Snowflake hacked but claims it was not, Ticketmaster hacked (see Snowflake), cryptominer delivered via a Palo Alto exploit, PoC released for an Edge vulnerability, zombie APIs being exploited, and phishing campaigns abusing Cloudflare Workers.
Optus has lost its bid to appeal an earlier Federal Court decision granting access to portions of a forensic review of its 2022 data breach to a law firm as part of a class action lawsuit. The finding that the forensic report is not protected by legal privilege is a win for Slater and Gordon in the case it launched on behalf of more than 10,000 clients whose personal information was compromised:
https://www.itnews.com.au/news/optus-loses-bid-to-hide-deloitte-report-on-data-breach-608336
The Rising Issue of Zombie APIs and Your Increased Attack Surface:
https://hackernoon.com/the-rising-issue-of-zombie-apis-and-your-increased-attack-surface
Nearly 1,000 individuals, many of whom are not directly related, were noted by FBI Cyber Division Assistant Director Bryan Vorndran to be part of the prolific hacking collective Scattered Spider, also known as 0ktapus and UNC3944, which was behind last year's attacks against Okta and MGM Resorts, CyberScoop reports. Such extensive attacks by Scattered Spider, which emerged from "the Com" online community, have made the hacking group the third leading cybersecurity threat behind China and the foreign intelligence agency of Russia:
https://www.scmagazine.com/brief/fbi-official-sheds-more-light-on-scattered-spider-operation
The vulnerability CVE-2021-44832 in the Apache Log4j2 library is still a severe problem to multiple industries, expert warns it threatens global Finance:
https://securityaffairs.com/163984/hacking/critical-apache-log4j2-flaw-still-threatens-global-finance.html
Cybersecurity experts have identified a critical zero-day vulnerability in Pulse Connect Secure VPN, a widely used virtual private network solution. The vulnerability, which allows for remote code execution (RCE), has been actively exploited by hackers, raising significant concerns among organisations relying on this technology for secure remote access:
https://cybersecuritynews.com/hackers-advertising-pulse-connect/
New RedTail cryptominer attacks involve exploiting the Palo Alto firewall. Vulnerable Palo Alto Networks PAN-OS firewalls impacted by the flaw tracked as CVE-2024-3400 have been targeted by suspected Lazarus Group-linked threat actors to distribute an updated version of the RedTail cryptocurrency mining malware since late April:
https://www.scmagazine.com/brief/new-redtail-cryptominer-attacks-involve-palo-alto-firewall-exploit
BBC Breach Puts 25K Pension Scheme Members at Risk. Though information such as dates of birth, email addresses, and home addresses were compromised, "the Beeb" assures individuals that financial information is still protected:
https://www.darkreading.com/cyberattacks-data-breaches/bbc-breach-puts-25k-pension-scheme-members-at-risk
The threat actor ShinyHunters claims a breach of Santander and is offering for sale bank data, including information for 30 million customers:
https://securityaffairs.com/163956/data-breach/shinyhunters-claims-santander-breach.html
Cybersecurity researchers have released a Proof-of-Concept (PoC) exploit for a recently disclosed information disclosure vulnerability in Microsoft Edge, the Chromium-based web browser:
https://cybersecuritynews.com/poc-exploit-released-3/
Prescription service company Sav-Rx disclosed a data breach after a 2023 cyberattack. The company is notifying 2,812,336 individuals impacted by the security breach in the United States. A&A Services, which operates as Sav-RX, shared the data breach notification letter sent to the impacted individuals with the Maine Attorney General's office. The investigation conducted by the company with the help of external cybersecurity experts revealed that threat actors first gained access to the IT system on or around October 3, 2023:
https://securityaffairs.com/163748/data-breach/sav-rx-data-breach.html
Cybersecurity researchers are warning of phishing campaigns that abuse Cloudflare Workers to serve phishing sites used to harvest users' credentials for Microsoft, Gmail, Yahoo!, and cPanel Webmail. The attack method, called transparent phishing or adversary-in-the-middle (AitM) phishing, "uses Cloudflare Workers to act as a reverse proxy server for a legitimate login page, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens":
https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html
NextGen Healthcare Mirth Connect is vulnerable to unauthenticated remote code execution (CVE-2023-43208) caused by an incomplete patch for a command injection flaw (CVE-2023-37679). Mirth Connect is an open-source data integration platform widely used by healthcare companies:
https://fortiguard.fortinet.com/threat-signal-report/5460
A new privilege escalation vulnerability has been discovered in Zscaler Client Connector, chaining three different vulnerabilities: a reverted password check (CVE-2023-41972), arbitrary code execution (CVE-2023-41973), and arbitrary file deletion (CVE-2023-41969):
https://cybersecuritynews.com/zscaler-client-connector-privilege-escalation-exploit/
Ticketmaster owner Live Nation confirmed the Ticketmaster data breach that compromised the data of 560 million customers. ShinyHunters, the current administrator of BreachForums, recently claimed the hack of Ticketmaster and offered for sale 1.3 TB of data, including full details of 560 million customers, for $500,000. Stolen data includes names, emails, addresses, phone numbers, ticket sales, and order details:
https://securityaffairs.com/163999/data-breach/ticketmaster-confirms-data-breach.html
Snowflake is disputing claims made by a threat actor who stole data belonging to Santander and Ticketmaster and maintains that the theft of customer data was the result of stolen customer login credentials:
https://www.helpnetsecurity.com/2024/06/01/snowflake-breach-data-theft/
https://www.thestack.technology/snowflake-breach-update-rapeflake/
Microsoft Threat Intelligence team stated that a cybercriminal group, identified as Storm-1811, has been exploiting Microsoft’s Quick Assist tool in a series of social engineering attacks. This group is known for deploying the Black Basta ransomware attack. On May 15, 2024, Microsoft released details about how this financially motivated group uses Quick Assist to target victims:
https://securityboulevard.com/2024/05/black-basta-ransomware-attack-microsoft-quick-assist-flaw/
Check Point is warning of a zero-day vulnerability in its Network Security gateway products that threat actors have exploited in the wild. Tracked as CVE-2024-24919 (CVSS score: 7.5), the issue impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances:
https://thehackernews.com/2024/05/check-point-warns-of-zero-day-attacks.html
Hundreds of thousands of US internet routers were destroyed in a newly discovered 2023 hack. An unidentified hacking group launched a massive cyberattack on a telecommunications company in the U.S. heartland late last year that disabled hundreds of thousands of internet routers, according to research published Thursday:
https://www.reuters.com/technology/cybersecurity/hundreds-thousands-us-internet-routers-destroyed-newly-discovered-2023-hack-2024-05-30/
Ukrainian military entities were targeted in a now-disrupted month-long phishing attack campaign by Russia-linked threat operation FlyingYeti, also known as UAC-0149, that deployed the COOKBOX malware with cmdlet loading and execution capabilities:
https://www.scmagazine.com/brief/phishing-attack-campaign-against-ukraine-thwarted
Kaspersky has released a new virus removal tool named KVRT for the Linux platform, allowing users to scan their systems and remove malware and other known threats for free. The security firm notes that despite the common misconception that Linux systems are intrinsically secure from threats, there has been a constant supply of "in the wild" examples that prove otherwise, most recently, the XZ Utils backdoor:
https://www.bleepingcomputer.com/news/software/kaspersky-releases-free-tool-that-scans-linux-for-known-threats/
A vulnerability has been discovered in the Citrix Workspace app for Mac, which, if exploited, may result in the elevation of privilege from a locally authenticated user to a root user:
https://support.citrix.com/article/CTX675851/citrix-workspace-app-for-mac-security-bulletin-for-cve20245027
Crooks stole approximately 48.2 billion yen ($304 million) worth of Bitcoin from the Japanese cryptocurrency exchange DMM Bitcoin:
https://securityaffairs.com/163966/security/dmm-bitcoin-cyber-heist.html