Cybersecurity Newsletter, October 7th 2024
In this week’s news: Bank of America outage, Sellafield nuclear site fined for cybersecurity failings, another Ivanti critical, LLM hijacking of cloud AI services, Google removes Kaspersky from the Play Store, Wayne County, Michigan, is dealing with a cyberattack, Apple VoiceOver password vulnerability, Comcast Cable Communications and Truist Bank disclose they were impacted by a data breach at FBCS, and arbitrary code execution when debugging dump files in Visual Studio.
The Bank of America outage on Wednesday, October 2nd, 2024, caused widespread customer disruption, leaving many with incorrect account balances displayed as $0. The incident, which began around 9:30 a.m. PST, quickly escalated, with Downdetector logging over 20,000 user complaints within 45 minutes of the initial reports:
https://dailysecurityreview.com/security-spotlight/bank-of-america-outage-is-your-account-balance-zero/
Sellafield Ltd has been fined £332,500 ($437,440) for cybersecurity failings running the Sellafield nuclear facility in Cumbria, North-West England. Westminster Magistrates Court issued the fine following a prosecution brought by the Office for Nuclear Regulation (ONR), the UK’s independent nuclear regulator:
https://www.infosecurity-magazine.com/news/sellafield-fined-cybersecurity/
Ivanti is advising administrators to get up to date on their patches following a new spell of exploits against Endpoint Manager (EPM). The vendor said that threat actors are targeting CVE-2024-29824, a SQL injection vulnerability that allows attackers to upload files and execute commands on vulnerable servers:
https://www.scworld.com/news/ivanti-warns-critical-flaws-in-endpoint-manager-exploited-in-the-wild
Continuous Threat Exposure Management (CTEM) is a strategic framework that helps organisations continuously assess and manage cyber risk. It breaks down the complex task of managing security threats into five stages: Scoping, Discovery, Prioritization, Validation, and Mobilization. Each stage is crucial in identifying, addressing, and mitigating vulnerabilities before they can be exploited by attackers:
https://thehackernews.com/2024/10/how-to-get-going-with-ctem-when-you.html
“LLM hijacking” of cloud infrastructure for generative AI has been leveraged by attackers to run rogue chatbot services at the expense of victims, Permiso researchers reported Thursday. Attacks on Amazon Bedrock environments, which support access to foundational large language models (LLMs) such as Anthropic’s Claude, were outlined in a Permiso blog post, with a honeypot set up by Permiso showing how hijackers used the stolen resources to run jailbroken chatbots for sexual roleplay:
https://www.scworld.com/news/llm-hijacking-of-cloud-infrastructure-uncovered-by-researchers
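The hijacking described above shows up in CloudTrail as Bedrock model invocations by principals, regions or credential types the workload never uses. The script below is an added example (not Permiso’s tooling or anything from the article) that runs a few such checks over constructed CloudTrail-style records; the allowlisted role ARN, region and the rule that treats long-lived IAM user keys and deletion of model invocation logging as suspicious are assumptions about how a typical Bedrock deployment is expected to behave.

```python
"""Hunt for unauthorised Amazon Bedrock use in CloudTrail-style records.

Added example; the records in SAMPLE_EVENTS are constructed, not real logs.
"""
from typing import Dict, List, Optional, Tuple

# Assumption: production Bedrock calls come only from this role, in this region.
ALLOWED_PRINCIPAL_ARNS = {
    "arn:aws:sts::123456789012:assumed-role/chatbot-prod/i-0abc123",
}
ALLOWED_REGIONS = {"us-east-1"}

# Real Bedrock runtime / control-plane API names as they appear in CloudTrail.
INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream"}
LOGGING_TAMPER_EVENTS = {"DeleteModelInvocationLoggingConfiguration"}


def classify(record: Dict) -> Optional[str]:
    """Return a reason string if the record looks like hijacked Bedrock use."""
    if record.get("eventSource") != "bedrock.amazonaws.com":
        return None
    name = record.get("eventName", "")
    ident = record.get("userIdentity", {})
    arn = ident.get("arn", "")

    # Turning off invocation logging hides what prompts the account is serving;
    # flag it regardless of who did it (assumed policy).
    if name in LOGGING_TAMPER_EVENTS:
        return f"model invocation logging disabled by {arn}"
    if name not in INVOKE_EVENTS:
        return None
    if arn not in ALLOWED_PRINCIPAL_ARNS:
        return f"model invoked by unexpected principal {arn}"
    if ident.get("type") == "IAMUser":
        # Workloads should assume roles; static user keys are what leaks.
        return f"model invoked with long-lived IAM user credentials {arn}"
    region = record.get("awsRegion")
    if region not in ALLOWED_REGIONS:
        return f"model invoked in unexpected region {region}"
    return None


def scan(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (eventName, sourceIPAddress, reason) for every suspicious record."""
    hits = []
    for rec in records:
        reason = classify(rec)
        if reason:
            hits.append((rec["eventName"], rec.get("sourceIPAddress", ""), reason))
    return hits


# Constructed sample: one legitimate call, one from a leaked user key, one
# logging deletion, one unrelated S3 event.
SAMPLE_EVENTS = [
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/chatbot-prod/i-0abc123"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModelWithResponseStream",
     "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventSource": "bedrock.amazonaws.com",
     "eventName": "DeleteModelInvocationLoggingConfiguration",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/chatbot-prod/i-0abc123"}},
]

if __name__ == "__main__":
    for event, ip, reason in scan(SAMPLE_EVENTS):
        print(f"{event:45s} {ip:15s} {reason}")
```

In practice the records come from a CloudTrail Lake query or the S3 trail bucket rather than an inline list; the point is that model invocations are ordinary API calls and can be alerted on with the same allowlisting you would apply to any other privileged AWS action.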
Potentially tens of thousands of DrayTek routers, including models that many businesses and government agencies use, are at heightened risk of attack via 14 newly discovered firmware vulnerabilities:
https://www.darkreading.com/endpoint-security/thousands-draytek-routers-at-risk-14-new-vulnerabilities
Google removed Kaspersky’s Android security apps from the Play Store and suspended its developer accounts over the weekend. All the Android products designed by the Russian cybersecurity firm were removed from the official Google Play store in the United States and other countries:
https://securityaffairs.com/169362/security/google-removed-kaspersky-apps-from-the-play-store.html
Russian law enforcement detained almost 100 suspects linked to the Cryptex cryptocurrency exchange, the UAPS anonymous payment service, and 33 other online services and platforms used to make illegal payments and sell stolen credentials:
https://www.bleepingcomputer.com/news/security/russia-arrests-us-sanctioned-cryptex-founder-95-other-linked-suspects/
Organizations are seeing staggering increases in cyberattacks that stem from insider threats, with price tags for remediation reaching eyewatering heights of up to $2 million per incident. According to research from Gurucul — which surveyed more than 400 IT and cybersecurity professionals — organizations are seeing a rising tide when it comes to insider threats:
https://www.darkreading.com/threat-intelligence/insider-threat-damage-balloons-amid-evolving-cyber-environments
Microsoft and the US Department of Justice joined forces this week to take down more than 100 domains linked to a Russian-sponsored hacker group known as Star Blizzard. The advanced persistent threat (APT), active since 2017, has targeted journalists, non-governmental organisations (NGOs), and Russia experts, particularly those supporting Ukraine:
https://www.darkreading.com/threat-intelligence/microsoft-doj-dismantle-russian-hacker-group-star-blizzard
SecurityWeek reports that the average annual compensation for U.S.-based chief information security officers reached $565,000, with the top 25%, 10%, and 1% of earners receiving over $620,000, more than $1 million, and nearly $3 million yearly, respectively. Tech CISOs had the highest yearly remuneration package at $721,000 but those in financial services had the highest cash compensation of $495,000, according to a study from IANS Research and Artico Search:
https://www.scworld.com/brief/us-ciso-compensation-on-the-rise-report-finds
Attacks with the new VeilShell remote access trojan have been launched against Cambodia and other countries across Southeast Asia as part of the SHROUDED#SLEEP campaign suspected to be led by North Korean state-sponsored threat operation APT37:
https://www.scworld.com/brief/novel-veilshell-rat-leveraged-in-apt37-linked-attack-campaign
New Linux malware ‘Perfctl’ targets millions worldwide, mimicking system files to evade detection. This sophisticated malware compromises Linux servers, exploiting vulnerabilities for crypto-mining and system resource hijacking:
https://hackread.com/linux-malware-perfctl-hit-millions-mimick-system-files/
Detroit-area government services impacted by a cyberattack. Wayne County, Michigan, is dealing with a cyberattack that has shut down all government websites and limited the operations of several offices. Home to Detroit, the county is the largest in the state with more than 1.75 million residents:
https://therecord.media/detroit-wayne-county-services-impacted-cyberattack
Apple released the iOS 18.0.1 and iPadOS 18.0.1 updates to fix two vulnerabilities, tracked as CVE-2024-44204 and CVE-2024-44207, that exposed saved passwords and audio snippets to attackers:
https://securityaffairs.com/169381/mobile-2/apple-ios-18-0-1.html
Users were left alarmed this week on receiving unexpected emails from Google Pay stating that they had successfully "added a new card" to their Google account. The notification left users panicking and voicing their concerns on social media amid fears that their accounts had been compromised:
https://www.bleepingcomputer.com/news/security/google-pay-alarms-users-with-accidental-new-card-added-emails/
Phishing attacks are becoming more prevalent as threat actors arm themselves with potent new tools, according to security vendor Egress, which says that in the second quarter of the year it recorded a 28% jump in phishing attempts. Researchers noted that the nature of the attacks is much in line with previous quarters despite the growth in attack volume. Most threat actors continue to rely on the tried-and-true tactics of using a compromised account and a bit of social engineering to lure their targets:
https://www.scworld.com/news/phishing-attacks-armed-with-ai-capabilities-are-on-the-rise
Perfctl malware targets misconfigured Linux servers to deploy cryptocurrency miners and proxyjacking software in an ongoing campaign. Aqua Nautilus researchers shed light on a Linux malware, dubbed perfctl malware, that over the past 3-4 years targeted misconfigured Linux servers. The malicious code was used to drop cryptocurrency miners and proxyjacking software:
https://securityaffairs.com/169351/malware/perfctl-malware-targets-misconfigured-linux-servers.html
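Both perfctl items above turn on the same trick: a process that borrows the name of a legitimate system binary so it blends into `ps` output. The script below is an added example, not Aqua Nautilus’s indicators or any reported perfctl artefact; it applies a few generic impersonation heuristics (binary deleted after launch, running from a world-writable or hidden directory, a daemon-like name whose executable is outside the trusted directories, argv[0] that disagrees with the real executable path) to a constructed process snapshot. The paths, names and the list of trusted directories are assumptions, and the heuristics are a starting point for hunting, not a perfctl signature.

```python
"""Hunt for processes impersonating system binaries.

Added example with a constructed snapshot; snapshot_live() reads a real /proc.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List

# Assumptions about where legitimate daemons live and where they should not.
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Daemon names an intruder would plausibly borrow (illustrative list).
SYSTEM_LIKE_NAMES = {"sshd", "cron", "crond", "httpd", "nginx", "systemd", "rsyslogd"}


@dataclass
class Proc:
    pid: int
    comm: str                 # /proc/<pid>/comm
    exe: str                  # readlink /proc/<pid>/exe ("" for kernel threads)
    argv: List[str] = field(default_factory=list)   # /proc/<pid>/cmdline split on NUL


def findings(p: Proc) -> List[str]:
    """Return the impersonation heuristics that fire for one process."""
    if not p.exe:                      # kernel threads have no exe link
        return []
    out = []
    exe = p.exe
    if exe.endswith(" (deleted)"):
        out.append("executable deleted from disk after launch")
        exe = exe[: -len(" (deleted)")]
    if exe.startswith(WRITABLE_DIRS):
        out.append(f"runs from world-writable directory: {exe}")
    if "/." in exe:
        out.append(f"runs from hidden directory: {exe}")
    if p.comm in SYSTEM_LIKE_NAMES and not exe.startswith(TRUSTED_DIRS):
        out.append(f"system-like name {p.comm!r} but executable outside trusted dirs")
    if p.argv and p.argv[0].startswith("/") and p.argv[0] != exe:
        # A renamed argv[0] fools ps; the exe symlink cannot be faked.
        out.append(f"argv[0] claims {p.argv[0]} but exe is {exe}")
    return out


def scan(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> findings for every process with at least one finding."""
    return {p.pid: f for p in procs if (f := findings(p))}


def snapshot_live() -> List[Proc]:
    """Build Proc records from /proc (Linux only); unreadable pids are skipped."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
        except OSError:
            continue
        procs.append(Proc(int(pid), comm, exe, argv))
    return procs


# Constructed snapshot: one real sshd, one fake sshd, a kernel thread, a fake httpd.
SAMPLE_SNAPSHOT = [
    Proc(812, "sshd", "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),
    Proc(4421, "sshd", "/tmp/.xdiag/sshd (deleted)", ["sshd"]),
    Proc(5102, "kworker/u8:1", "", []),
    Proc(6230, "httpd", "/var/tmp/.cache/httpd", ["/usr/sbin/httpd", "-k", "start"]),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_SNAPSHOT).items():
        print(f"pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against `snapshot_live()` on a suspect host; expect some noise from containers and package upgrades (a daemon still running an updated, now-deleted binary), so treat hits as leads to triage with `ls -l /proc/<pid>/exe` and file hashes rather than as verdicts.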
Payment platform MoneyGram says there is no evidence that ransomware is behind a recent cyberattack that led to a five-day outage in September. MoneyGram confirmed it had suffered a cyberattack and took systems offline to contain the breach on September 20, three days after customers reported experiencing issues:
https://www.bleepingcomputer.com/news/security/moneygram-no-evidence-ransomware-is-behind-recent-cyberattack/
A high-severity flaw in the WordPress LiteSpeed Cache plugin could allow attackers to execute arbitrary JavaScript code under certain conditions:
https://securityaffairs.com/169390/security/wordpress-litespeed-cache-plugin-flaw-site-takeover.html
A MedusaLocker ransomware variant called “BabyLockerKZ” is being spread by a threat actor using a custom toolkit known as “paid_memes,” according to research published by Cisco Talos on Thursday. MedusaLocker ransomware first appeared around September 2019 and uses a combination of AES and RSA-2048 to encrypt victims’ files. Threat actors using MedusaLocker have been known to exploit vulnerable configurations of Microsoft Remote Desktop Protocol for initial network access and primarily targeted healthcare as of early 2023:
https://www.scworld.com/news/medusalocker-ransomware-variant-paired-with-paid_memes-toolkit
A 21-year-old man from Indiana named Evan Frederick Light pleaded guilty to stealing $37,704,560 worth of cryptocurrency from 571 victims in a 2022 cyberattack. According to an announcement by the U.S. Department of Justice, Light stole the cryptocurrency from an unnamed investment holdings company based in Sioux Falls, South Dakota:
https://www.bleepingcomputer.com/news/legal/man-pleads-guilty-to-stealing-37-million-in-crypto-from-571-victims/
Comcast Cable Communications and Truist Bank have disclosed they were impacted by a data breach at FBCS, and are now informing their respective customers that their data has been compromised. The case concerns a data breach at Financial Business and Consumer Solutions (FBCS), a debt collection agency in the U.S. that partners with various companies to collect unpaid debts on their behalf:
https://www.bleepingcomputer.com/news/security/comcast-and-truist-bank-customers-caught-up-in-fbcs-data-breach/
Technical details have been published for CVE-2024-30052, which allows arbitrary code execution when debugging dump files in Visual Studio:
https://github.com/ynwarcs/CVE-2024-30052