CyberSecurity Newsletter September 30th 2024
In this week’s news: AsyncRAT uses AI-generated payloads, Oracle may have been breached, Kia and other vehicles are vulnerable to remote hacks, LLM Jailbreaking technique MathPrompt, Tesla Model 3 is susceptible to relay attacks, and MoneyGram outage is due to a cyberattack.
Threat actors have used generative artificial intelligence (GenAI) to create convincing phishing lures for some time. Still, there has been limited evidence of attackers utilising this technology to write malicious code. In Q2, however, the HP Threat Research team identified a malware campaign spreading AsyncRAT using VBScript (T1059.005) and JavaScript (T1059.007) that was highly likely to have been written with the help of GenAI:
https://threatresearch.ext.hp.com/hp-wolf-security-threat-insights-report-september-2024/
A hacking forum post has surfaced, claiming that Oracle Corporation, a leading multinational computer technology company, has suffered a data breach. The alleged breach reportedly occurred in September 2024 and involved the exposure of 4,002 rows of employee information:
https://cybersecuritynews.com/hackers-claim-leak-of-oracle-data/
Millions of Kia Vehicles Open to Remote Hacks via License Plate. In a Sept. 26 report, independent researcher Sam Curry said he discovered the Kia vulnerability when doing some follow-up research on multiple flaws he and colleagues found a couple of years ago in vehicles from Kia, Honda, Infiniti, Nissan, Acura, BMW, Mercedes, and others:
https://www.darkreading.com/endpoint-security/millions-kia-vehicles-remote-hacks-license-plate
Microsoft has discovered a new threat actor that previously operated as an affiliate for other ransomware-as-a-service gangs, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. Now, they’re trying to do something of their own. A new threat actor, labelled Storm-0501, was observed targeting hybrid cloud environments using open-source tools. Their main goal is, no surprise here, financial gains. Recently, Storm-0501 launched multi-staged attacks in the US, compromising hybrid cloud environments and moving laterally from on-premises devices to the cloud. This led to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment:
https://cybernews.com/security/former-affiliate-upgrades-and-launches-its-own-attacks/
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine (CVE-2024-28986):
https://github.com/RicterZ/PIE-Stack-Clash-CVE-2017-1000253
The U.S. Department of Justice (DoJ) has announced charges against two Russian nationals for operating billion-dollar money laundering services for cybercriminals, including ransomware groups. The charges involve money laundering, bank fraud, and facilitating websites that sell stolen credit card information and personal data. The two individuals are Sergey Ivanov, using the alias "Taleon," and Timur Shakhmametov (a.k.a. "JokerStash" and "Vega"):
https://www.bleepingcomputer.com/news/legal/us-charges-jokers-stash-and-rescator-money-launderers/
A critical vulnerability in NVIDIA Container Toolkit impacts all AI applications in a cloud or on-premise environment that rely on it to access GPU resources. The security issue is tracked as CVE-2024-0132 and allows an adversary to perform container escape attacks and gain full access to the host system, where they could execute commands or exfiltrate sensitive information:
https://www.bleepingcomputer.com/news/security/critical-flaw-in-nvidia-container-toolkit-allows-full-host-takeover/
Israel allegedly hacked Beirut airport’s control tower, warning an Iranian plane not to land, forcing it to return to Tehran:
https://securityaffairs.com/169080/cyber-warfare-2/idf-hacked-beirut-airport-control-tower.html
A deep dive into how a novel LLM Jailbreaking technique called ‘MathPrompt’ works, why it is so effective, and why it needs to be patched as soon as possible to prevent harmful LLM content generation. Published on arXiv, this technique intelligently encodes harmful prompts into mathematical problems for the LLMs to solve. And yes, the LLM solves these problems, returning a harmful response. Surprisingly, the technique achieves an average Attack Success Rate (ASR) of 73.6% across 13 state-of-the-art LLMs, with the highest being 87.5% on Claude 3 Haiku and 85% on GPT-4o:
https://levelup.gitconnected.com/mathprompt-embarassingly-jailbreaks-all-llms-available-on-the-market-today-d749da26c6e8
The Data Protection Commission (DPC) in Ireland has fined Meta Platforms Ireland Limited (MPIL) €91 million ($100 million) for storing the passwords of hundreds of millions of users in plaintext. The incident occurred in 2019. At the time, Meta disclosed it publicly and notified DPC, which initiated an investigation into the tech giant's practices for storing sensitive user data. "In March 2019, MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in 'plaintext' on its internal systems (i.e. without cryptographic protection or encryption)," reads DPC's announcement:
https://www.bleepingcomputer.com/news/legal/ireland-fines-meta-91-million-for-storing-passwords-in-plaintext/
U.S. federal prosecutors on Friday unsealed criminal charges against three Iranian nationals who are allegedly employed with the Islamic Revolutionary Guard Corps (IRGC) for their targeting of current and former officials to steal sensitive data. The Department of Justice (DoJ) accused Masoud Jalili, 36, Seyyed Ali Aghamiri, 34, and Yasar (Yaser) Balaghi, 37, of participating in a conspiracy with other known and unknown actors to undermine the U.S. electoral process:
https://thehackernews.com/2024/09/us-charges-three-iranian-nationals-for.html
UK police are investigating a cyberattack that disrupted Wi-Fi networks at several train stations across the country:
https://securityaffairs.com/169009/hacking/cyber-vandalism-on-wi-fi-networks-at-uk-train-stations.html
The MC2 Data breach has exposed the sensitive personal information of over 100 million Americans, representing nearly a third of the US population. The MC2 cyberattack highlights the vulnerability of background check services and the urgent need for enhanced data security measures:
https://dailysecurityreview.com/security-spotlight/mc2-data-leak-over-100-million-americans-exposed-in-massive-data-breach/
Google’s Gemini for Workspace, which integrates its Gemini large-language model (LLM) assistant across its Workspace suite of tools, is susceptible to indirect prompt injection, HiddenLayer researchers said in a blog post on Wednesday. Indirect prompt injection is a method of manipulating an AI model’s output by inserting malicious instructions into a data source the AI relies on to form its responses, such as a document or email:
https://www.scworld.com/news/gemini-for-workspace-susceptible-to-indirect-prompt-injection-researchers-say
In a video shared with WIRED, researchers at the Beijing-based automotive cybersecurity firm GoGoByte demonstrated that they could carry out a relay attack against the latest Tesla Model 3 despite its upgrade to an ultra-wideband keyless entry system, instantly unlocking it with less than a hundred dollars' worth of radio equipment. Since the Tesla 3's keyless entry system also controls the car's immobilizer feature designed to prevent its theft, that means a radio hacker could start the car and drive it away in seconds:
https://www.wired.com/story/tesla-ultra-wideband-radio-relay-attacks/
The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords. NIST's second public draft version of its password guidelines (SP 800-63-4) outlines technical requirements as well as recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSP) to stop requiring users to set passwords that use specific types of characters or mandating periodic password changes (commonly every 60 or 90 days):
https://www.darkreading.com/identity-access-management-security/nist-drops-password-complexity-mandatory-reset-rules
Starting Thursday, Russian cybersecurity company Kaspersky deleted its anti-malware software from customers' computers across the United States and automatically replaced it with UltraAV's antivirus solution. This comes after Kaspersky decided to shut down its U.S. operations and lay off U.S.-based employees in response to the U.S. government adding Kaspersky to the Entity List, a catalogue of "foreign individuals, companies, and organisations deemed a national security concern" in June:
https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/
Apple has filed a motion to "voluntarily" dismiss its lawsuit against commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information:
https://thehackernews.com/2024/09/apple-drops-spyware-case-against-nso.html
Money transfer giant MoneyGram has confirmed that a cyberattack is responsible for an ongoing outage impacting its systems:
https://cyberinsider.com/moneygram-cyberattack-causes-global-service-disruption/
'Hacked NASA again': Space agency thanks 'white hat' techie who breached system loopholes for 2nd time:
https://www.deccanherald.com/world/hacked-nasa-again-space-agency-thanks-white-hat-techie-who-breached-system-loopholes-for-2nd-time-3211976
On September 27, 2024, Richmond Community Schools in Richmond, Indiana, fell victim to a ransomware attack that led to a data breach affecting student and staff information stored in the PowerSchool system. The compromised data includes student names, addresses, medical records, student identification numbers, and contact phone numbers, although Social Security numbers were unaffected:
https://dysruptionhub.zba.bz/richmond-community-schools-hit-by-ransomware-attack-student-data-compromised/
Elastic, the creator of enterprise search and data retrieval engine Elasticsearch and the Kibana visualisation dashboard, threw a surprise curveball last month when it revealed it was going open source once more — nearly four years after switching to a couple of proprietary “source available” licenses. The move goes against a grain that has seen countless companies ditch open source altogether. Some are even creating a whole new licensing paradigm, as we’re seeing with “fair source,” which has been adopted by several startups:
https://techcrunch.com/2024/09/29/elastic-founder-on-why-they-returned-to-open-source-four-years-after-going-proprietary/
Discovered by Marcin “Icewall” Noga, CVE-2024-45383 is a vulnerability in the Microsoft HD Audio Bus Driver that could allow an attacker to cause a denial of service. This driver is crucial for the Windows operating system to communicate with external audio devices, including those integrated into motherboards or connected via HD audio interfaces:
https://cybersecuritynews.com/microsoft-audio-bus-rce-vulnerability/
Cybersecurity researchers have discovered a malicious Android app on the Google Play Store that enabled the threat actors behind it to steal approximately $70,000 in cryptocurrency from victims over nearly five months. The dodgy app, identified by Check Point, masqueraded as the legitimate WalletConnect open-source protocol to trick unsuspecting users into downloading it:
https://thehackernews.com/2024/09/crypto-scam-app-disguised-as.html