CISO Daily Update - April 25, 2024
NEW DEVELOPMENTS
Russian Hackers Claim Cyberattack on Indiana Water Plant
Source: The Record
The Cyber Army of Russia (a Russian hacking organization) claimed responsibility for a cyberattack on Tipton, Indiana's water and wastewater treatment plant. The gang shared a video of their claimed access to the plant's systems. Officials confirmed that a cyberattack did occur, but said the facility was still running with minimal impact. An investigation is ongoing to assess the scope of the incident and how the hackers obtained access. This event follows Mandiant's previous research linking The Cyber Army of Russia to the Russian state-sponsored group Sandworm, which was responsible for an attack on a Texas water station earlier this year. The gang promises additional attacks on US infrastructure.
Volkswagen Hacked – Hackers Stole 19,000 Documents From VW Server
Source: Cyber Security News
Volkswagen suffered a cybersecurity breach originating from China, where hackers stole ~19,000 sensitive documents related to the company's electric vehicle technologies, engine development, and transmission systems. The stolen data threatens Volkswagen's competitive edge in the EV market and raises concerns over industrial espionage. Investigations trace the sophisticated attack's digital footprints to hacking groups operating from China, though no direct link to the Chinese government has been established. Volkswagen is overhauling its cybersecurity measures, collaborating with law enforcement, and assuring stakeholders of steps to prevent future breaches.
Ring Customers Get $5.6 Million in Privacy Breach Settlement
Source: Bleeping Computer
The Federal Trade Commission is issuing $5.6 million in refunds to Ring users affected by a privacy breach. This matter stems from unauthorized access to private video feeds and insufficient security measures. The settlement follows a complaint from May 2023, alleging Ring's failure to implement adequate safeguards. The refunds, distributed to over 117,000 consumers, aim to rectify damages caused by lax internal access policies and security vulnerabilities, including the absence of multi-factor authentication until 2019. Eligible recipients must redeem funds within 30 days; details are provided on the FTC's FAQ page.
US Offers a $10 Million Reward for Information on Four Iranian Nationals
Source: Security Affairs
The US Treasury Department sanctioned four Iranian nationals for their involvement in cyberattacks on US government entities, defense contractors, and private firms. These individuals are accused of taking part in malware operations involving spear-phishing and other hacking techniques to acquire business employee accounts while working for front companies affiliated with Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). The US also sanctioned the two front firms implicated. Additionally, the Department of State established a $10 million reward for information leading to the arrest of these four Iranians, who remain at large.
Threat Actor Uses Multiple Infostealers in Global Campaign
Source: Security Week
A threat actor tracked by Cisco's Talos security research unit as CoralRaider has employed multiple infostealers in a global campaign aimed at harvesting credentials and financial data from users worldwide. Active since at least 2023, CoralRaider is believed to originate from Vietnam and has previously targeted users in various Asian countries. Since February 2024, however, it has expanded its operations to target individuals in countries such as Ecuador, Egypt, Germany, Japan, Nigeria, Norway, Pakistan, the Philippines, Poland, Syria, Turkey, the UK, and the US. The actor uses a combination of three information stealers in its attacks to extract sensitive data such as credentials, cookies, credit card information, and cryptocurrency wallets from infected systems.
Seedworm Hackers Exploit RMM Tools to Deliver Malware
Source: Cyber Security News
Seedworm, also known as MuddyWater, is exploiting legitimate remote monitoring and management (RMM) tools like the Atera Agent to orchestrate sophisticated malware attacks. By leveraging a vulnerability in Atera's software and using compromised email accounts, Seedworm gains unfettered remote access to targeted systems without standing up its own command-and-control infrastructure, which helps it evade detection. Spear-phishing campaigns distribute RMM installers that masquerade as legitimate updates and trick recipients into executing malicious files. Preventive measures include regular software updates, enhanced email security, employee awareness training, and the use of reputable security solutions to mitigate such sophisticated threats.
VULNERABILITIES TO WATCH
Siemens Working on Fix for Device Affected by Palo Alto Firewall Bug
Source: Darkreading
Siemens is advising users of its Ruggedcom APE1808 devices with Palo Alto Networks (PAN) Virtual NGFW to promptly address a severe zero-day vulnerability (CVE-2024-3400) due to active exploitation. This flaw affects PAN-OS firewalls and allows attackers to deploy a Python backdoor. While Siemens is working on updates, it recommends implementing the specific countermeasures provided by PAN and following industrial security guidelines. Meanwhile, the Shadowserver Foundation has identified thousands of vulnerable PAN NGFW instances exposed on the Internet, adding to the ongoing risk posed by Internet-exposed devices in industrial control system (ICS) and operational technology (OT) environments.
Google Patches Critical Chrome Vulnerability
Source: Security Week
Google released Chrome 124, addressing four vulnerabilities, most notably CVE-2024-4058, a flaw in the ANGLE graphics engine layer. This bug was assigned a 'critical' severity rating because it poses a risk of remote code execution or sandbox escape. Qrious Secure researchers discovered it and earned a $16,000 reward. Google's patch also covers high-severity issues, including out-of-bounds reads and use-after-free vulnerabilities.
IBM QRadar XSS Flaw Let Attackers Execute Arbitrary JavaScript Code
Source: Cyber Security News
A significant vulnerability discovered in IBM QRadar Suite Software and Cloud Pak for Security enables attackers to execute arbitrary JavaScript code. Tracked as CVE-2023-47731, this medium-severity flaw affects versions 1.10.0.0 through 1.10.11.0 of Cloud Pak for Security and versions 1.10.12.0 through 1.10.19.0 of QRadar Suite Software. Exploiting this stored cross-site scripting (XSS) vulnerability allows attackers to insert malicious scripts into the Web UI, potentially altering its intended functionality and exposing credentials within a trusted session.
CISA Warns of Windows Print Spooler Flaw After Microsoft Sees Russian Exploitation
Source: Security Week
CISA issued a warning about a two-year-old Windows Print Spooler vulnerability (CVE-2022-38028) being exploited in the wild that enables attackers to gain System privileges. This alert follows Microsoft's identification of Russian cyberespionage group APT28 deploying a unique tool called GooseEgg to exploit the flaw. Organizations, particularly federal agencies, are urged to patch or remove vulnerable systems promptly to mitigate the risk of remote code execution and data compromise.
SPECIAL REPORTS
5 Hard Truths About the State of Cloud Security 2024
Source: Darkreading
Cloud security has progressed, but challenges persist. Despite the belief that the cloud inherently boosts security, this thinking is flawed, and the shared responsibility model with providers can't fully transfer risk. Managing native security controls across multiple clouds poses difficulties in hybrid environments. While identity management is crucial, it's just part of a robust security strategy; thoughtful segmentation is key. Many firms lack clarity on what they're safeguarding, which often hinders effective cyber protection. Cloud-native development often prioritizes speed over security due to flawed incentives.
New Password Cracking Analysis Targets Bcrypt
Source: Security Week
Hive Systems' latest annual password cracking analysis targets Bcrypt hashed passwords instead of the previously studied MD5 hashes. Using NVIDIA GPUs, the study found that any password under 7 characters can be cracked within hours via brute-force attacks on Bcrypt. Strong, randomly generated passwords over 8 characters containing mixed cases, numbers, and symbols are very difficult to crack, taking months or years when hashed with Bcrypt. However, non-randomly generated passwords are easier to crack due to human predictability. The analysis reveals the importance of using sufficiently long, complex passwords and secure hashing algorithms like Bcrypt to mitigate brute-force attacks.
Phishing Attacks Rise By 58% As The Attackers Leverage AI Tools
Source: GB Hackers on Security
The rise of AI-powered generative tools has significantly boosted phishing attacks, enabling even novice attackers to craft sophisticated and personalized campaigns. Zscaler's Phishing Report 2024 highlights a 58.2% surge in phishing attacks in 2023, with top targeted countries including the US, UK, India, Canada, and Germany. The finance and insurance industries faced the highest percentage of attacks, while Microsoft remained the most impersonated brand. To mitigate these threats, the report recommends leveraging AI-powered phishing prevention solutions, implementing a Zero Trust architecture, and adopting security best practices.