CyberSecurity Newsletter September 15th 2024
In this week's news: Fortinet hacked through a recent acquisition; Veeam Backup RCE vulnerability; hacker tricks ChatGPT into giving instructions on how to build a bomb; GitLab addresses a critical pipeline vulnerability; Ivanti has another critical vulnerability; a suspect arrested over the Transport for London hack; and source code for the RobbinHood ransomware leaked.
A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online:
https://www.darkreading.com/cloud-security/fortinet-customer-data-breach-third-party
https://hackread.com/fortinet-confirms-data-breach-hacker-data-leak/
Dark web researcher warned Columbus, Ohio, residents ransomware attack was bigger than mayor said. The city is suing him:
https://www.nbclosangeles.com/news/business/money-report/dark-web-researcher-warned-columbus-ohio-residents-ransomware-attack-was-bigger-than-mayor-said-the-city-is-suing-him/3511648/
The notorious Medusa ransomware group has been exploiting a critical vulnerability in Fortinet’s FortiClient EMS software to launch sophisticated ransomware attacks. The SQL injection flaw, tracked as CVE-2023-48788, allows attackers to execute malicious code on vulnerable systems and gain a foothold for deploying ransomware:
https://cybersecuritynews.com/medusa-ransomware-exploiting-fortinet-flaw/
Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages designed to harvest users' credentials. "Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content.":
https://thehackernews.com/2024/09/cybercriminals-exploit-http-headers-for.html
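As an added defensive example (not code from the linked article), a small Python check that flags HTTP responses whose Refresh header sends the browser to a host other than the one serving the page; the sample responses and hostnames are constructed.

```python
"""Flag HTTP responses that redirect off-site via the Refresh response header."""
from urllib.parse import urlparse


def parse_refresh(value):
    """Parse a Refresh header value such as '0; url=https://host/path'.
    Returns (delay, url) with delay as int or None if non-numeric;
    returns None when the header carries no URL at all."""
    delay_part, sep, target = value.partition(";")
    if not sep:
        return None
    try:
        delay = int(delay_part.strip())
    except ValueError:
        delay = None
    target = target.strip()
    if target.lower().startswith("url="):
        target = target[4:].strip().strip("'\"")
    return delay, target


def header_refresh_redirect(serving_host, raw_headers):
    """Return the off-site URL if the response redirects via a Refresh header
    to a host different from serving_host, else None.
    raw_headers: the status line and header block of an HTTP response as text."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "refresh":
            continue
        parsed = parse_refresh(value.strip())
        if parsed is None:
            continue
        _, url = parsed
        host = urlparse(url).hostname
        if host and host.lower() != serving_host.lower():
            return url
    return None


# Constructed sample responses (not real captures).
BENIGN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
SAME_SITE = BENIGN + "Refresh: 5; url=https://cdn.example.org/home\r\n"
SUSPECT = BENIGN + "Refresh: 0; url=https://login.example.invalid/owa?user=bob\r\n"

if __name__ == "__main__":
    for label, resp in (("benign", BENIGN), ("same-site", SAME_SITE), ("suspect", SUSPECT)):
        print(label, header_refresh_redirect("cdn.example.org", resp))
```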
Veeam Backup & Replication RCE flaw may soon be leveraged by ransomware gangs. “CVE-2024-40711 could allow an attacker to gain full control of a system, manipulate data, and potentially move laterally within a network, making it a relatively high-value target for threat actors.”:
https://www.helpnetsecurity.com/2024/09/09/cve-2024-40711-exploited/
Hackers are targeting Oracle WebLogic servers to infect them with a new Linux malware named "Hadooken," which launches a cryptominer and a tool for distributed denial-of-service (DDoS) attacks. The access obtained may also be used to execute ransomware attacks on Windows systems:
https://www.bleepingcomputer.com/news/security/new-linux-malware-hadooken-targets-oracle-weblogic-servers/
Details have emerged about a now-patched security flaw impacting Apple's Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device's virtual keyboard. The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865. "A novel attack that can infer eye-related biometrics from the avatar image to reconstruct text entered via gaze-controlled typing," a group of academics from the University of Florida, CertiK Skyfall Team, and Texas Tech University said:
https://thehackernews.com/2024/09/apple-vision-pro-vulnerability-exposed.html
A case involving a medical record hack affecting hundreds of patients and employees at a Pennsylvania healthcare company has been settled for a record-breaking $65m. Filed in March 2023, the case involved nearly 135,000 patients and employees of Lehigh Valley Health Network (LVHN), an independent healthcare network based in Pennsylvania:
https://www.infosecurity-magazine.com/news/record-settlement-hacked-patient/
A malware campaign uses the unusual method of locking users in their browser's kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware:
https://www.bleepingcomputer.com/news/security/malware-locks-browser-in-kiosk-mode-to-steal-google-credentials/
The global Security Testing Market size is projected to grow from USD 14.5 billion in 2024 to USD 43.9 billion by 2029 at a Compound Annual Growth Rate (CAGR) of 24.7% during the forecast period, according to a new report by MarketsandMarkets™. One of the key factors promoting security testing will be the increasing incidence of cyberattacks that target the software's vulnerabilities:
https://www.darkreading.com/cybersecurity-operations/security-testing-market-worth-43-9b-by-2029
In light of the CrowdStrike outage incident in July, Microsoft is planning to develop more options for security solutions to operate outside of kernel mode, according to a post on the Windows Experience Blog published Thursday. The CrowdStrike outage, caused by an out-of-bounds memory error in an update to the CrowdStrike Falcon software, which operates at the kernel level, caused a blue screen of death (BSOD) for approximately 8.5 million Windows devices, interrupting operations at many organizations including airports, hospitals, financial institutions and more:
https://www.scmagazine.com/news/crowdstrike-outage-leads-microsoft-to-plan-more-security-capabilities-outside-of-kernel
A hacker known as IntelBroker claims to have breached the UK-based company Experience Engine, allegedly exposing sensitive data. The hacker is selling the data on an online forum, raising concerns about data security for affected clients and businesses:
https://hackread.com/hacker-breach-uk-experience-engine-data-sold-online/
A hacker and artist who goes by Amadon online tricked ChatGPT into providing instructions to make homemade bombs, demonstrating how the chatbot's safety guidelines can be bypassed:
https://securityaffairs.com/168423/hacking/chatgpt-provided-instructions-to-make-homemade-bombs.html
DNA testing giant 23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023. The proposed class action settlement, filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval:
https://www.bleepingcomputer.com/news/security/23andme-to-pay-30-million-in-genetics-data-breach-settlement/
GitLab addressed multiple vulnerabilities impacting GitLab CE/EE, including a critical pipeline execution issue. One of these vulnerabilities is a critical pipeline execution flaw, tracked as CVE-2024-6678 (CVSS score of 9.9), that could allow an attacker to trigger a pipeline as an arbitrary user under certain circumstances:
https://securityaffairs.com/168375/security/gitlab-ce-ee-critical-issue.html
Port of Seattle, the United States government agency overseeing Seattle's seaport and airport, confirmed on Friday that the Rhysida ransomware operation was behind a cyberattack impacting its systems over the last three weeks. The agency revealed on August 24 that the attack forced it to isolate some of its critical systems to contain the impact. The resulting IT outage disrupted reservation check-in systems and delayed flights at Seattle-Tacoma International Airport:
https://www.bleepingcomputer.com/news/security/port-of-seattle-says-rhysida-ransomware-was-behind-august-attack/
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Cloud Services Appliance Vulnerability to its Known Exploited Vulnerabilities catalog:
https://securityaffairs.com/168398/hacking/u-s-cisa-adds-ivanti-csa-vulnerability-to-its-known-exploited-vulnerabilities-catalog.html
An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability (CVE-2024-8190):
https://nvd.nist.gov/vuln/detail/CVE-2024-8190
The UK National Crime Agency has arrested and detained a suspect – a 17-year-old male in Walsall (West Midlands) – on suspicion of Computer Misuse Act offences in relation to the Transport for London (TfL) cyberattack:
https://www.helpnetsecurity.com/2024/09/12/suspect-arrested-tfl-cyberattack/
Transport for London (TfL) has determined that the cyberattack on September 1 impacts customer data, including names, contact details, email addresses, and home addresses. The urban transportation agency had informed the public on September 2 about an ongoing cybersecurity incident, assuring customers that at the time there was no evidence of data being compromised:
https://www.bleepingcomputer.com/news/security/transport-for-london-confirms-customer-data-stolen-in-cyberattack/
ANONYM∅US targeted the website of CADD Centre Ghaziabad:
https://darkwebinformer.com/anonym-us-targeted-the-website-of-cadd-centre-ghaziabad-2/
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are alerting the public to false claims that U.S. voter registration data has been compromised in cyberattacks. The two agencies note that malicious actors are spreading disinformation to manipulate public "opinion and undermine confidence in U.S. democratic institutions":
https://www.bleepingcomputer.com/news/security/fbi-tells-public-to-ignore-false-claims-of-hacked-voter-data/
Hackers have been leveraging publicly available exploit code for two critical vulnerabilities in the WhatsUp Gold network availability and performance monitoring solution from Progress Software. The two flaws exploited in attacks since August 30 are SQL injection vulnerabilities tracked as CVE-2024-6670 and CVE-2024-6671 that allow retrieving encrypted passwords without authentication:
https://www.bleepingcomputer.com/news/security/hackers-targeting-whatsup-gold-with-public-exploit-since-august/
Researchers uncovered an Android malware, dubbed Vo1d, that has already infected nearly 1.3 million Android devices in 197 countries:
https://securityaffairs.com/168342/malware/vo1d-android-malware-tv-boxes.html
RobbinHood ransomware source code has apparently been leaked:
https://x.com/DarkWebInformer/status/1834684570458902852
https://biteblob.com/Information/VHIYl3mJEVw88Q/robinhood
https://www.darkreading.com/threat-intelligence/robbinhood-inside-the-ransomware-that-slammed-baltimore
North Korean hackers target Python devs with malware disguised as coding tests — hack has been underway for a year:
https://www.tomshardware.com/tech-industry/cyber-security/python-developers-targeted-by-north-korean-lazarus-group-with-fake-jobs-and-malware-disguised-as-coding-tests