CISO Daily Update - April 10, 2024
NEW DEVELOPMENTS
DOJ Data on 340,000 Individuals Stolen in Consulting Firm Hack
Source: SC Media
A cyberattack on Greylock McKinnon Associates (GMA), a consulting firm working with the U.S. Department of Justice, led to the theft of personal and medical data of over 340,000 individuals involved in a civil legal case. Discovered on May 30, the breach compromised information including names, dates of birth, addresses, and Medicare health insurance claim numbers. GMA engaged third-party cybersecurity specialists and notified law enforcement and the DOJ; the breach's impact assessment took eight months to complete.
Group Health Cooperative Falls Victim to Ransomware Attack, 500K People Affected
Source: Cybernews
The Group Health Cooperative of South Central Wisconsin (GHC-SCW) was the victim of a cyberattack that exposed the personal information of about 534,000 people. Names, addresses, Social Security numbers, and medical information are among the exposed sensitive data. The attacker attempted to encrypt systems but was unsuccessful. GHC-SCW notified the FBI and contacted external cybersecurity professionals. The attack was attributed to a foreign ransomware outfit. Since the breach, the institution has taken steps to improve security and will provide affected individuals with monitoring services for a year.
Medusa Cybercrime Gang Takes Credit for Another Attack on US Municipality
Source: The Record
The Medusa ransomware group claimed responsibility for an attack on a government agency in Texas, the Tarrant County Appraisal District. The cybercrime gang threatened to leak 218 gigabytes of data within six days unless a $100,000 ransom was paid. While county officials have remained silent on whether they would pay the ransom, they have warned that unauthorized access to data by hackers affected approximately 300 individuals. Medusa's recent targets include an Illinois county government and various entities worldwide.
Hackers Using Malware-Driven Scanning Attacks To Pinpoint Vulnerabilities
Source: Cyber Security News
Hackers are employing malware-infected devices to conduct scanning attacks on target networks, a tactic that helps them conceal their identity, bypass geographical restrictions, and expand their botnets. By leveraging compromised hosts, attackers can execute large-scale scans more effectively than with a single machine. These scans aim to uncover weaknesses such as open ports, vulnerable software, and operating system flaws, which can be exploited to gain unauthorized access or disrupt systems. Attackers utilize various techniques, including exploiting known vulnerabilities like the MOVEit vulnerability (CVE-2023-34362) and employing unique URLs within their exploits. This malware-driven scanning technique enables attackers to evade detection and use compromised device resources for scanning, potentially leading to targeted attacks or widespread infections.
10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet
Source: The Hacker News
The RUBYCARP threat group, suspected to be of Romanian origin, has resurfaced with a decade-long history of operating a botnet for various malicious activities such as cryptomining, DDoS attacks, and phishing. The group uses public exploits and brute-force tactics and communicates through public and private Internet Relay Chat (IRC) networks. They have been observed using ShellBot malware to breach target environments and exploit vulnerabilities in frameworks like Laravel. With over 600 hosts in their botnet, they heavily rely on IRC servers for command-and-control operations. The group's members are active in IRC channels and utilize mass scanning tools to identify new targets. Their activities include theft of credit card data for purchasing attack infrastructure and potentially selling it in underground markets. Additionally, they are involved in developing and selling “cyber weapons,” providing them with a wide range of capabilities for conducting their operations.
VULNERABILITIES TO WATCH
Microsoft Plugs Gaping Hole in Azure Kubernetes Service Confidential Containers
Source: Security Week
Microsoft issued a significant patch bundle addressing over 150 vulnerabilities, the most critical of which is a flaw in Azure Kubernetes Service (CVE-2024-29990). This flaw allows unauthenticated attackers to seize control of clusters, potentially compromising confidential containers. The patch release also covers various remote code execution bugs across multiple Microsoft products but notably does not include fixes for vulnerabilities exploited at the recent Pwn2Own hacker contest. This extensive patch comes amidst heightened scrutiny of Microsoft's security practices following criticism from a US government report citing deficiencies in cybersecurity practices and corporate culture.
New SharePoint Flaws Help Hackers Evade Detection When Stealing Files
Source: Bleeping Computer
Varonis Threat Labs discovered two techniques that could enable attackers to evade detection when stealing files from Microsoft SharePoint. By leveraging the "Open in App" feature, attackers can download files without generating the typical "FileDownloaded" audit logs, instead creating less sensitive "Access" events that may be overlooked. Additionally, spoofing the User-Agent string to mimic Microsoft SkyDriveSync can make file downloads appear as data syncing events, further reducing scrutiny from security teams. While Microsoft has added these flaws to a patch backlog for future fixing, they are rated moderate severity, so immediate fixes are not expected. SharePoint admins are advised to monitor access activity and sync events for anomalies until patches become available.
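The monitoring advice above, worked through as an added example (not code from Varonis, Microsoft, or the original newsletter): two checks run over constructed SharePoint audit records, one for bursts of "Access" events with no matching downloads, one for sync-client activity that does not fit a user's history. The record field names and the exact "FileAccessed" / "FileSync*" operation names are assumptions about the unified audit log, and the user baseline is constructed.

```python
from collections import defaultdict

# Constructed SharePoint audit records (not real tenant data). Field names follow
# the unified audit log; the exact operation names used for "Access" and sync
# events are assumptions.
ACCESS_OPS = {"FileAccessed"}                       # the less-scrutinised "Access" events
SYNC_OPS = {"FileSyncDownloadedFull", "FileSyncUploadedFull"}
SYNC_AGENT_MARKER = "skydrivesync"                  # sync-client UA string named in the report
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/123"
SYNC_UA = "Microsoft SkyDriveSync 24.0"

def rec(user, op, ua, obj):
    return {"UserId": user, "Operation": op, "UserAgent": ua, "ObjectId": obj}

SAMPLE_RECORDS = [
    rec("alice@example.com", "FileDownloaded", BROWSER_UA, "Finance/q1-forecast.xlsx"),
    rec("bob@example.com", "FileAccessed", BROWSER_UA, "HR/salaries.xlsx"),
    rec("bob@example.com", "FileAccessed", BROWSER_UA, "HR/contracts.docx"),
    rec("bob@example.com", "FileAccessed", BROWSER_UA, "HR/reviews.pptx"),
    rec("bob@example.com", "FileAccessed", BROWSER_UA, "HR/org-chart.vsdx"),
    rec("carol@example.com", "FileSyncDownloadedFull", SYNC_UA, "Legal/nda.pdf"),
    rec("dave@example.com", "FileSyncDownloadedFull", SYNC_UA, "Legal/merger.pdf"),
    rec("dave@example.com", "FileDownloaded", SYNC_UA, "Legal/term-sheet.pdf"),
]
KNOWN_SYNC_USERS = {"carol@example.com"}            # constructed baseline of genuine sync users

def access_bursts(records, max_distinct_files=3):
    """Users whose 'Access' events touch more distinct files than the threshold;
    many FileAccessed hits with no FileDownloaded is the footprint the report
    attributes to 'Open in App' retrieval."""
    files = defaultdict(set)
    for r in records:
        if r["Operation"] in ACCESS_OPS:
            files[r["UserId"]].add(r["ObjectId"])
    return sorted(u for u, f in files.items() if len(f) > max_distinct_files)

def sync_anomalies(records, known_sync_users=KNOWN_SYNC_USERS):
    """Sync-looking records worth review: a sync User-Agent on a non-sync
    operation, or sync activity from a user with no sync history."""
    hits = []
    for r in records:
        ua_is_sync = SYNC_AGENT_MARKER in r["UserAgent"].lower()
        op_is_sync = r["Operation"] in SYNC_OPS
        if ua_is_sync and not op_is_sync:
            hits.append((r["UserId"], r["Operation"], "sync UA on non-sync operation"))
        elif (ua_is_sync or op_is_sync) and r["UserId"] not in known_sync_users:
            hits.append((r["UserId"], r["Operation"], "sync activity without sync history"))
    return hits
```

In production the baseline would come from historical sync events per user and the burst threshold from a time-windowed count rather than the whole sample.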
Bug in IBM’s Enterprise Terminal Could Allow Attackers Fully Privileged Access
Source: The Cyber Express
A critical vulnerability (CVE-2024-25029) has been discovered in IBM's Personal Communications (PCOM) terminal emulator, affecting versions v14.0.6 to 15.0.1. This flaw could allow threat actors to execute remote code and escalate local privileges, potentially leading to lateral movement within victim systems. IBM released a security bulletin and client update to address the issue, emphasizing its severity with a CVSS base score of 9. Users are strongly advised to upgrade to the patched versions provided by IBM to mitigate the risk of exploitation.
SAP’s April 2024 Updates Patch High-Severity Vulnerabilities
Source: Security Week
SAP's April 2024 security updates include 12 new and updated notes, with three addressing high-severity vulnerabilities. These include a security misconfiguration in NetWeaver AS Java User Management Engine, an information disclosure flaw in BusinessObjects Web Intelligence, and a directory traversal bug in Asset Accounting. While SAP recommends applying patches promptly, no active exploitation of these vulnerabilities has been reported.
Patch Tuesday: Code Execution Flaws in Multiple Adobe Software Products
Source: Security Week
Adobe issued urgent security updates for several enterprise-facing products, with critical code execution flaws in Adobe Commerce and Magento Open Source. These vulnerabilities could allow hackers to execute arbitrary code. Additionally, Adobe addressed security issues in Adobe Experience Manager and Adobe Media Encoder, among others. While there have been no reports of active exploitation, users are urged to apply the patches promptly.
91,000 Smart LG TV Devices Vulnerable to Remote Takeover
Source: Hackread
Bitdefender researchers uncovered major vulnerabilities in LG TVs running webOS versions 4–7 that might expose over 91,000 devices to remote takeover. Attackers could use these vulnerabilities to take complete control of the TV, steal data, or install malware. LG published a fix in March 2024, and customers are encouraged to update their TVs immediately to prevent attacks. The affected products include webOS versions ranging from 4.9.7 to 7.3.1-43. The vulnerabilities were reported to LG in November 2023, with details made public on April 9th, 2024, to increase user awareness and prompt action.
SPECIAL REPORTS
Why Identity Management is Key in a Cyber Resilience Strategy
Source: Infosecurity Magazine
Identity management is critical to cybersecurity resilience, especially as identity compromise grows into a major enterprise risk. With identity-related breaches on the rise, cybersecurity experts stress the importance of strong identity management policies. Initiatives such as Identity Management Day attempt to raise awareness and promote better identity security hygiene. The increasing complexity of IT environments and advances in cyber surveillance and AI capabilities reinforce the need for enterprises to prioritize identity security. To effectively address identity-related threats, security executives, practitioners, and individuals must take proactive measures such as vulnerability assessments, automation, and training on best practices for password management and phishing resistance.
How Exposure Management Elevates Cyber Resilience
Source: Help Net Security
Exposure management is pivotal in enhancing cyber resilience by shifting organizations' focus from merely identifying exposure to understanding its depth and impact. By adopting a systematic approach that mirrors attackers' viewpoints, businesses gain critical insights into vulnerabilities that guide remediation efforts effectively. This comprehensive strategy encompasses asset identification, risk prioritization, and proactive defense measures, empowering organizations to fortify their security posture against evolving threats.
Foreign Interference Drives Record Surge in IP Theft
Source: Infosecurity Magazine
According to DTEX, the surge in malicious insider breaches attributed to hostile foreign states has pushed IP theft and industrial espionage to unprecedented levels. DTEX's analysis reveals a 70% increase in customers seeking protection against foreign interference since 2022, particularly in the public sector and critical infrastructure. Techniques used by insiders include unusual reconnaissance behaviors and sophisticated data preparation to bypass security controls. Additionally, insiders employ various tactics to conceal their activities, such as using private browsers, VPNs, and encrypted messaging accounts.