Each week, the cyber security newsletter serves as an essential intelligence briefing for the cybersecurity community.
It summarizes recent developments so that security professionals, organizations, and individuals can stay ahead of new threats.
The newsletter covers a broad range of subjects, including newly discovered malware strains, advanced phishing methods, vulnerabilities in widely used software, and new ways to defend against attacks.
It also draws attention to upcoming regulations and industry trends in the cybersecurity field.
Data Breaches
AT&T reportedly paid an estimated $370,000 to an individual connected with the ShinyHunters group to delete stolen customer data, including call and text message records from May 2022 up to January 2023.
Between April 14 and April 25, 2024, the intruder gained unauthorized access to AT&T’s workspace on a third-party cloud platform.
What was compromised was call and text metadata, such as phone numbers, communication dates, and call durations, but not the actual contents of calls or texts.
The payment was made in Bitcoin, and the deletion of the data was purportedly verified by a demonstration video posted by the hacker.
Even after the payment and apparent deletion, others could still hold copies of the data, leaving AT&T customers exposed to security risks indefinitely.
Insight on DMM Bitcoin Breach https://cybersecuritynews.com/match-systems-ceo-andrei-kutin/
Andrei Kutin, CEO of Match Systems, has been critical in the company’s development and innovation with respect to cybersecurity solutions.
Under his leadership, Match Systems has focused on developing advanced technologies to fight evolving cybercrime.
Kutin insists that it is important to have proactive security measures and continuous improvement within the cybersecurity space.
His vision involves creating a secure culture among his clients and intensifying cooperation in the industry for effective problem-solving.
The report stresses the fact that Kutin’s dedication lies in strategic initiatives that are in line with the growing requirements of cybersecurity.
BMW Hong Kong Faces Major Data Breach
BMW Hong Kong has recently suffered a major data breach in which the personal data of more than 14,000 customers was leaked.
The leaked data includes names, mobile numbers, and SMS opt-out preferences.
The leak was reported by cybersecurity researchers after the data was published on a hacking forum.
The exposed data could enable threat actors to carry out identity theft and phishing attacks. Although the exact cause is not yet known, a threat actor called “888” may be behind the incident.
Security analysts recommend that customers closely monitor their information and change their passwords immediately.
361M Unique Emails & Passwords Leaked
It started with a large data breach in which 361 million email addresses, usernames, and passwords were sold on dark web forums and through Telegram channels.
For only $500, buyers could obtain the dataset, which totals 122 GB across 1,700 files containing over 2 billion rows.
The breach, discovered in May 2024, merges information from various sources, including information-stealing malware that harvests sensitive data from infected systems.
Popular platforms such as Gmail, Amazon, and PayPal are among the most affected, and researchers have confirmed that many of the credentials are still active.
Cybersecurity experts warn that users should change their passwords, enable two-factor authentication, and check their accounts for any unauthorized access.
WazirX, an Indian cryptocurrency exchange, suffered a major cyber attack in which more than $230 million was stolen from one of its multisig wallets.
The breach exploited a discrepancy between the displayed data and the actual transaction contents to target a wallet managed through Liminal’s infrastructure.
To limit the damage, WazirX has taken several immediate actions, such as blocking selected deposits and consulting specialists experienced in recovering lost funds.
The company has emphasized its commitment to transparency and security so that users can continue to operate safely in the face of ever-changing threats.
WazirX expects to rebuild trust with users as it improves its security protocols through the ongoing investigation.
Cyber Attack
Multiple Squarespace Customers’ Domain Names Compromised
Squarespace customer accounts have been breached by hackers leading to unauthorized access to sensitive data like email addresses and account details.
The breach is attributed to a third-party vendor, which has raised concerns about the security of customer data.
Squarespace has notified affected users and is enhancing its security protocols.
To protect their accounts, customers are urged to change their passwords and enable two-factor authentication.
The incident highlights the ongoing risks linked to third-party integrations in the digital environment.
Exploits Begin Within 22 Minutes
Cloudflare’s report reveals a concerning trend in rapid vulnerability exploitation: it takes hackers an average of 22 minutes to begin exploiting newly disclosed vulnerabilities.
The Q1 2024 Application Security Report shows that DDoS attacks remain a major threat, constituting 37.1% of mitigated traffic, while automated traffic makes up one-third of all internet activity, a significant part of which is malicious.
Notably, API traffic has risen to 60%, and organizations routinely miss a large number of their public-facing API endpoints.
The report also highlights the growing use of zero-day exploits and the challenges posed by third-party integrations in web applications, underscoring an ever-changing cyber-security threat landscape.
Approximately $9.7 million worth of cryptocurrency was stolen by hackers in a cyber attack on the cross-chain bridging and swapping platform LI.FI Protocol.
The attack mainly targeted users who had granted infinite approvals to particular contracts, exploiting flaws such as call injection and weaknesses across the different chains.
Most of the stolen stablecoins were converted into other assets on Ethereum, with one wallet identified as having received the bulk of the funds.
LI.FI Protocol advised users not to interact with its apps and to revoke certain permissions to keep their assets safe.
Notably, this event was preceded by another major attack on the protocol, which shows that decentralized finance platforms remain at risk from hacking due to weaker security systems.
Hackers Exploiting CrowdStrike Issue
On July 19, 2024, Windows systems were affected by an incident involving the CrowdStrike Falcon sensor, which cybersecurity experts have identified as a serious problem.
Hackers are taking advantage of the situation to target CrowdStrike customers. Their tactics include phishing campaigns, social engineering, and distribution of potentially harmful software.
The attackers impersonated the CrowdStrike support team and spread false claims about the issue, which was a content update error rather than a security issue.
Companies should therefore verify communication channels, follow official guidance on these threats, and educate employees about behaviours that weaken their defenses against such opportunistic attacks.
Threat actors are exploiting a content update issue in the CrowdStrike Falcon sensor affecting Windows systems to target CrowdStrike customers in Latin America.
The attackers are distributing a malicious ZIP archive named crowdstrike-hotfix.zip containing a HijackLoader payload that loads the RemCos malware.
This campaign marks the first observed instance of threat actors capitalizing on the Falcon content issue to distribute malware.
CrowdStrike has provided a Falcon LogScale query to detect indicators of compromise (IOCs) such as SHA256 hashes and the RemCos command-and-control (C2) server address 213.5.130[.]58[:]443.
Organizations are advised to communicate with CrowdStrike through official channels and follow the guidance provided by CrowdStrike support teams.
Malware
The report explores OilAlpha, whose target has been humanitarian organizations operating in Ukraine.
This group, which has links to Russian threat actors, exploited vulnerabilities to disrupt services and capture valuable information.
The attacks align with the on-going geopolitical conflicts and are designed to weaken support for Ukraine during its conflict.
According to experts, these kinds of cyber-crimes not only threaten the delivery of humanitarian aid but also endanger the lives of people who depend on such services.
The report underscores that protective measures should be upgraded to make sure that vulnerable organizations do not experience similar threats.
CRYSTALRAY Hackers Exploiting Popular Pentesting Tools
CRYSTALRAY has significantly expanded its operations, targeting over 1,500 victims through mass scanning of systems and the exploitation of multiple vulnerabilities.
The group’s major objectives include stealing credentials for later sale, mining cryptocurrencies such as Bitcoin and Ethereum, and maintaining persistence within victim environments.
To achieve this, CRYSTALRAY uses ASN (Autonomous System Number) tooling for network intelligence gathering, Zmap for very fast port scanning, HTTPX for HTTP probing, and NUCLEI for vulnerability scanning as well as honeypot detection.
The group often modifies Platypus or Sliver clients with malicious payloads targeting vulnerable systems.
Sliver and Platypus are used by CRYSTALRAY for persistence and command-and-control, while SSH-SNAKE, an open-source worm, spreads across a victim’s network once it finds SSH keys or credentials on a compromised system.
They aggressively harvest credentials, mining command histories for tokens, usernames, and passwords, and sell them on black markets.
BianLian ransomware, which emerged in 2022, has rapidly become one of the most active ransomware groups which mostly exploited RDP, ProxyShell, and SonicWall VPN vulnerabilities to get initial access.
In early 2023 it changed tactics, largely shifting from encryption and double extortion to data theft and extortion, targeting industries such as law firms and the health sector.
BianLian has proven its resilience in 2024 with increased activity via new servers and an expanded command and control (C2) infrastructure.
The group has also been working on improving the backdoor capabilities of this malware by introducing a Linux variant which proves that there are changes in their attack patterns and operational techniques.
1.1TB of Disney’s Internal Data Breached
Threat actors have claimed responsibility for a significant data breach involving 1.1TB of Disney’s internal Slack chats. The incident was first reported on July 12 by a hacktivist known as “NullBulge.”
The breach allegedly contains content from around 10,000 channels, including unreleased projects, code, and confidential login data.
The hackers, who are affiliated with a Club Penguin fan club, have stated that they are doing this to protect artists’ rights rather than to cause harm.
The alarming scale of the breach, initially estimated at 2.6GB, has led to calls for more secure corporate communication platforms such as Slack. Disney has yet to issue an official statement on the matter.
A hacker known as “Tchao1337” has accessed 60 million rows of user data from a database, putting Pinterest at risk of a data leak.
The leaked information reportedly includes email addresses, usernames, user IDs, and IP addresses, among other details, compressed into a 1.59 gigabyte file.
It poses risks such as phishing attacks and identity theft if not addressed promptly, and therefore needs to be handled immediately.
Security experts recommend that users reset their passwords, enable two-factor authentication, and monitor their accounts for suspicious activity.
Pinterest has not yet released an official statement regarding the incident; users are encouraged to watch for further updates from the company.
This report examines the cyber operations NullBulge carried out against Disney’s internal communications, in which it released private Slack data.
NullBulge, which emerged between April and June 2024, uses advanced malware techniques such as Python-based payloads and supply chain attacks that predominantly affect the AI and gaming communities.
Its tools include AsyncRAT and LockBit ransomware, which it plants in legitimate software repositories and distributes via GitHub or social media platforms.
The group sells stolen data and API keys on underground forums, showing its financial motives.
Recommendations for corporations include securing API keys, examining third-party code, and checking commit histories to minimize the risks of this kind of cyber threat.
Killer Ultra is a highly advanced malware that targets endpoint detection and response (EDR) tools from major security vendors such as Symantec, Microsoft, and SentinelOne.
According to ARC Labs, which analyzed it, the malware uses kernel-level permissions to stop security processes and clear event logs, making it difficult for security teams to track its activity.
Killer Ultra also exploits a Zemana AntiLogger vulnerability (CVE-2024-1853) to kill critical security processes.
Moreover, the persistence mechanisms Killer Ultra uses, such as surviving reboots and evading detection, indicate that the program may be developed further.
Organizations should therefore improve their ability to detect and respond to threats with the capabilities this malware demonstrates.
New tools have been created by the infamous hacker organization, FIN7, to bypass Endpoint Detection and Response (EDR) solutions and carry out automated attacks.
One of these specialized tools is called AvNeutralizer (AuKill). Its purpose is to defeat security systems. It is sold on the darknet, where many ransomware groups use it.
The group has also embraced automated attack techniques that involve automated SQL injection attacks targeted at public-facing applications through their platform Checkmarks.
Their ability to change their tactics from one mode of operation to another gives them an edge in the world of cyber security as demonstrated by their spear-phishing campaigns against the US auto industry and recent use of malicious Google ads for malware drops.
Among the emerging threats to macOS users is a fake ‘Microsoft Teams’ application, which is actually a malware distribution tool disguised as the legitimate app.
This malware disguises itself as the genuine Microsoft Teams software by exploiting the trust of individuals in items produced by this company.
Once it’s installed into the machine, this program has the potential to steal sensitive information and compromise system security. Downloading software only from official sources could prevent such danger.
The report also warns users about the dangers of clicking phishing links or downloading suspicious files onto their systems.
The findings indicate that cybersecurity problems remain due to advanced social engineering techniques.
This report covers a new malware technique called BadPack, which uses APK packers to hide malicious code in Android applications.
BadPack authors manipulate APK header fields so that the local file headers and the central directory headers do not match, which makes it hard for extraction and analysis tools to extract the contents.
The technique exploits the difference between how analysis tools and the Android runtime process these APK files.
The report includes Indicators of Compromise (IOCs) for BadPack malware samples and underscores the importance of advanced analysis techniques and tools to counter this evolving threat.
Users should avoid apps from untrusted sources and decline apps that request unusual permissions.
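As an added illustration of the header mismatch the report describes (not code from the report or its authors), the script below parses a ZIP/APK's central directory and local file headers directly and reports any fields that disagree, then shows that a central-directory-driven reader still extracts the tampered entry. The sample archive, the tampered fields, and the function names are constructed for this example.

```python
"""Detect BadPack-style ZIP header mismatches in an APK.

Constructed example: builds a tiny STORED-only APK in memory, tampers with
one local file header, then compares every central directory entry with
the local header it points at.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_DATA_DESCRIPTOR = 0x0008  # sizes/CRC live in a trailing data descriptor

# Constructed sample payload, not a real dex file.
SAMPLE_DEX = b"dex\n035\x00" + b"\x00" * 16


def central_entries(data: bytes) -> list:
    """Parse the central directory (the view the Android runtime relies on)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        raise ValueError("end of central directory record not found")
    _, _, _, _, total, _, cd_off, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    entries, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        (_, _, _, _, method, _, _, crc, csize, usize,
         fnlen, exlen, cmlen, _, _, _, lhoff) = struct.unpack(
            "<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        name = data[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        entries.append({"name": name, "method": method, "crc": crc,
                        "csize": csize, "usize": usize, "local_offset": lhoff})
        pos += 46 + fnlen + exlen + cmlen
    return entries


def find_header_mismatches(data: bytes) -> list:
    """Return one finding per field where a local header and its central entry disagree."""
    findings = []
    for e in central_entries(data):
        off = e["local_offset"]
        if data[off:off + 4] != LOCAL_SIG:
            findings.append(f"{e['name']}: no local file header at offset {off}")
            continue
        (_, _, flags, method, _, _, crc, csize, usize,
         fnlen, _) = struct.unpack("<4sHHHHHIIIHH", data[off:off + 30])
        name = data[off + 30:off + 30 + fnlen].decode("utf-8", "replace")
        checks = [("name", name, e["name"]), ("method", method, e["method"])]
        if not flags & FLAG_DATA_DESCRIPTOR:  # otherwise these are legitimately zero
            checks += [("crc32", crc, e["crc"]), ("compressed_size", csize, e["csize"]),
                       ("uncompressed_size", usize, e["usize"])]
        for field, local, central in checks:
            if local != central:
                findings.append(f"{e['name']}: {field} local={local!r} central={central!r}")
    return findings


def read_via_central_directory(data: bytes, name: str) -> bytes:
    """Mimic a central-directory-driven reader (Python's zipfile behaves this way)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def build_sample_apk(tamper: bool) -> bytes:
    """Build a constructed two-file APK; optionally corrupt one local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", SAMPLE_DEX)
    data = bytearray(buf.getvalue())
    if tamper:
        off = next(e["local_offset"] for e in central_entries(bytes(data))
                   if e["name"] == "classes.dex")
        struct.pack_into("<H", data, off + 8, 8)            # method: STORED -> DEFLATE
        struct.pack_into("<I", data, off + 14, 0xDEADBEEF)  # bogus CRC-32
        struct.pack_into("<I", data, off + 18, 0xFFFFFFFF)  # bogus compressed size
    return bytes(data)


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk(False)), ("tampered", build_sample_apk(True))):
        print(f"{label}: {find_header_mismatches(apk) or 'headers consistent'}")
        # A central-directory reader still returns the payload of the tampered APK.
        print(f"  classes.dex via central directory: {read_via_central_directory(apk, 'classes.dex')!r}")
```

Tools that trust the local file header would see a DEFLATE entry with an impossible size here, while the central-directory view extracts normally, which is the gap the report describes.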
Vulnerability
Juniper has released patches for a flaw identified as CVE-2023-36845, which affects a number of Junos versions and can be remotely exploited without authentication.
Juniper urges customers to apply the patches promptly to contain the threat and to establish security controls that prevent unauthorized access.
Organizations are also advised to watch for any signs of exploitation of this vulnerability on their networks.
CISA Warns of GeoServer RCE Vulnerability
The report discusses a critical remote code execution (RCE) vulnerability identified in GeoServer, a popular open-source server for sharing geospatial data.
According to the Cybersecurity and Infrastructure Security Agency (CISA), the flaw exposes affected installations to threat actors who can execute arbitrary code on those devices.
It is recommended that users update their GeoServer installations to the latest versions to mitigate this risk.
The advisory stresses the need for a swift response, since this flaw could gravely compromise the security of companies that rely on GeoServer to serve their geospatial data.
More than 50,000 installations are at risk due to a critical bug in the Profile Builder and Profile Builder Pro WordPress plugins.
The flaw, tracked as CVE-2024-6695, allows unauthenticated attackers to take control of WordPress sites at the administrator level. It has a CVSS v3.1 score of 9.8, indicating its severity.
The root cause is inconsistent handling of the email address a user enters during registration. A fix was made available on 11th July 2024 in version 3.11.9.
Administrators should promptly upgrade to avoid possible abuse, which could result in severe consequences such as data loss or site takeover.
A proof of concept for this flaw is due to be released on August 5th, 2026, underlining the need for continued vigilance in securing the WordPress ecosystem.
Multiple Netgear Vulnerabilities
This report describes important security flaws in Netgear routers that let attackers bypass authentication mechanisms.
These flaws could allow hackers to gain access to the devices and potentially expose user information and compromise network security.
Many Netgear router models are affected, so the company should patch them immediately. Users should update their firmware to prevent possible attacks.
The report emphasizes device security as a way of stopping unauthorized access. For a comprehensive list of affected models and patch availability, refer to the full research analysis.
Internet Explorer Zero-Day Vulnerability
A zero-day vulnerability is being exploited by hackers in Internet Explorer (IE), enabling remote code execution.
It is tracked as CVE-2024-1234, a flaw that affects multiple versions of the browser and has been observed in targeted attacks on organizations.
Users are therefore advised to switch to more secure browsers and to update their security settings where necessary.
Microsoft has confirmed the issue and says it will release a patch soon; in the meantime, users are advised to protect their systems given the ongoing exploitation.
The situation illustrates the continuing dangers inherent in legacy software.
Apache HugeGraph-Server RCE Vulnerability
Cybersecurity analysts have identified a critical vulnerability in Apache HugeGraph-Server, tracked as CVE-2024-27348. The vulnerability exists in versions 1.0.0 through 1.3.0.
The flaw is rated 9.8 on the CVSS scale and allows unauthenticated remote attackers to execute arbitrary commands on affected systems, potentially resulting in data theft and ransomware attacks.
Exploitation of this vulnerability has been observed targeting the “/gremlin” endpoint in particular. Users are encouraged to update HugeGraph-Server to version 1.3.0 or later, switch to Java 11, enable authentication, and restrict API access.
The threat has become more serious following the public release of proof-of-concept exploit code by June 2024, increasing the urgency with which organizations must secure their systems.
Atlassian Data Center & Server Flaw
Atlassian has released critical security updates for its Server and Data Center products addressing several high-risk vulnerabilities, one of which is CVE-2024-21687 with a CVSS score of 8.1.
These vulnerabilities may enable attackers to execute arbitrary code, risking unauthorized access to systems and compromise of private data.
Affected products include Confluence, Jira Software, Jira Service Management, and Bitbucket.
Atlassian advises users to apply the latest patch releases swiftly and to harden their configurations.
If immediate updating isn’t possible, organizations should monitor for suspicious activity and implement the recommended workarounds.
Ivanti Endpoint Manager SQLi Vulnerability
A severe SQL injection flaw, tracked as CVE-2024-37381, in Ivanti Endpoint Manager (EPM) 2024 allows authenticated attackers on the same network to execute arbitrary code.
This vulnerability has a high severity score of 8.4 on the CVSS scale. A Security Hot Patch has been released by Ivanti to fix this issue, requiring administrators to replace certain DLL files on the Core Server and reboot the system to effectuate the changes.
Even though there are no known exploitations of this vulnerability yet, organizations should quickly apply the patch in order to protect their systems from potential attacks.
Ivanti states that the vulnerability was not deliberately introduced into the product’s code base during its development process.
Cisco Smart Software Manager Flaw
Cisco has identified a critical vulnerability in its Smart Software Manager On-Prem (SSM On-Prem), tracked as CVE-2024-20419, that allows remote unauthenticated attackers to change the password of any user, including administrators.
This flaw has a severity score of 10 and is due to incorrect implementation of the process for changing passwords.
It can be exploited by attackers who send crafted HTTP requests, consequently allowing unauthorized administrative access.
Cisco has released updates to fix the issue and urges all users to move to fixed versions, as no workarounds are available. Currently, there is no evidence that the vulnerability is being exploited in active attacks.
SAP AI Core has multiple vulnerabilities, collectively known as ‘SAPwned’, that could be exploited to gain unauthorized access to customer cloud environments, including AWS and Azure.
Researchers found that by running arbitrary, unchecked code they could obtain credentials and reach valuable data.
The leading problems were linked to overlooked settings in SAP’s admission controller, which enabled attackers to bypass network restrictions and access internal systems.
Although SAP’s security team has fixed these vulnerabilities with no compromise of customer data, it is a wake-up call for stronger protection against supply chain attacks and for tenant isolation in cloud environments.
Critical Apache HTTP Server Vulnerabilities
The Apache Software Foundation has disclosed several critical bugs in the Apache HTTP Server, affecting multiple versions, that could expose millions of websites to cyber attacks.
These vulnerabilities might have severe consequences like source code exposure, server-side request forgery (SSRF), and denial of service (DoS).
Vulnerabilities include the source code disclosure due to a mishandling of legacy content type-based handler configurations, SSRF on Windows using mod_rewrite, null pointer dereferences in WebSocket over HTTP/2, and encoding issues within mod_proxy that can bypass authentication.
The report explains all the vulnerabilities with their respective CVE numbers and potential impacts.
New VPN Port Shadow Vulnerability
VPN connection-tracking mechanisms have what researchers call “port shadow,” which can allow an attacker on the same VPN server to intercept encrypted traffic, expose a user’s identity or scan devices behind the VPN server.
Attackers can exploit this limitation in connection tracking by sending packets with spoofed source IP addresses and ports that match legitimate connections in the VPN server’s connection-tracking table.
The authors of the research propose a formal model that analyzes such attacks and designs controls through non-interference properties to guarantee process isolation between various clients.
It also explains how an attacker may learn both the target’s public IP address and the address of the VPN server, making these attacks more realistic.
Novel Chinese Browser Injector
The emergence of a sophisticated Chinese browser injector that targets users’ web browsers to deliver malicious payloads is highlighted in a new report.
This injector takes advantage of flaws in popular browsers, which allows the attacker to modify web traffic and insert harmful scripts.
The threat comes with potential risks like data theft and unauthorized access to sensitive information as reported in the study.
To prevent such risks, cybersecurity experts suggest that users be vigilant and adjust their browser security settings accordingly.
Given the highly advanced techniques employed by the injector, dealing with cyber threats from state-sponsored actors remains a persistent challenge.
Google has released Chrome version 126, an essential security update that patches 10 vulnerabilities and addresses eight severe vulnerabilities discovered by independent researchers.
Available for Windows, macOS, and Linux, the update addresses memory issues that could lead to sandbox escapes and remote code execution.
The key vulnerabilities include several use-after-free bugs and a V8 engine type confusion. Users should upgrade their browsers to improve security, although there are currently no known attack scenarios.
Updates are applied automatically, but you can also check manually from within Chrome’s settings. Google has also released an Android version of Chrome with similar security fixes.
Other News
Malware Dissection with Gemini 1.5 Flash model
Gemini 1.5 Flash is Google’s innovative model designed to enhance malware analysis efficiency and speed.
It can process malware samples much faster than traditional means, reaching an average of 12.72 seconds per file.
The design supports up to 1,000 requests and four million tokens per minute, which suits platforms like VirusTotal, which analyzes over 1.2 million new files every day.
Real-world tests showed that the tool accurately distinguished legitimate software from malware, including handling false positives and obfuscated threats.
Google Compute Engine powers the underlying infrastructure, which uses sophisticated decompilation techniques for fast analysis, marking a significant development in cybersecurity initiatives.
Trump Shooting Suspect’s Phone Unlocked
The phone of Thomas Matthew Crooks, who tried to kill President Donald Trump at a rally in Butler, Pennsylvania has been successfully unlocked by the FBI.
Crooks was killed after he opened fire from a rooftop, leading to one death and injuring two other people, including Trump.
Using advanced forensic tools, the FBI gained access to the phone, which is believed to be important for uncovering more about his intentions, although no clear ideological motive has yet been established.
To understand what led to the attack, authorities conducted numerous interviews and reviewed digital evidence connected to the investigation.
There has been a significant response to the event: Biden denounced the violence, while Trump expressed gratitude to law enforcement for their fast reaction.
The most recent update on the CrowdStrike Falcon sensor has resulted in severe complications for Windows users causing blue screen of death (BSOD) loops for those operating on Windows 10 and 11.
The error, identified as “DRIVER_OVERRAN_STACK_BUFFER”, dates back to July 19, 2024, and disables affected hardware.
CrowdStrike has acknowledged the problem and said it is working on a fix, adding that there is no need to open support tickets right now.
The issue is having a particularly detrimental effect on enterprise customers, with reports of thousands of devices being impacted, including critical servers.
Some IT departments have removed CrowdStrike files to restore their systems, while users are calling for better testing procedures before updates are rolled out.
Further updates and possible fixes from CrowdStrike are expected over time.
The post Weekly Cyber Security News Letter – Data Breaches, Vulnerability, Cyber Attack & More appeared first on Cyber Security News.