CISO Daily Update - April 26, 2024
NEW DEVELOPMENTS
Central Power Systems & Services’ Website Down After Alleged Hunters Group Cyberattack
Source: The Cyber Express
Industrial equipment distributor Central Power Systems & Services has allegedly fallen victim to the notorious Hunters Ransomware Group. The attack is unconfirmed, but the company's website is inaccessible and shows a blocked message, raising concern about the potential impact on sensitive client information and critical infrastructure operations. This incident follows the ransomware gang's recent attacks on hotels, energy firms, and schools across multiple countries. Their tactics involve encrypting files and leaving ransom notes, often leading to prolonged downtime for their victims.
Plasma Donation Company Octapharma Slowly Reopening As BlackSuit Gang Claims Attack
Source: The Record
Plasma donation giant Octapharma suffered a ransomware attack by the notorious BlackSuit gang, forcing a weeklong shutdown of its 180 global centers. While slowly reopening with modified hours, the Swiss company continues investigating the breach's impact. BlackSuit claims it exfiltrated sensitive business data, lab records, and donor information from both living and deceased individuals. An advisory by HHS highlights how this threat actor increasingly exploits VMware vulnerabilities to breach healthcare organizations.
Anti-Trump PAC Lincoln Project Scammed for $35,000 After Vendor Email Hack
Source: The Record
Anti-Donald Trump super PAC The Lincoln Project fell victim to a business email compromise (BEC) scam, losing $35,000 in February. The incident was confirmed by spokesman Greg Minchak and involved hackers compromising a vendor's email account to send authentic-looking invoices. While two transactions totaling $35,000 were reported as fraudulent to the Federal Election Commission, the group stated that the loss did not impact its operations. The Lincoln Project, founded in 2019, has refrained from further comment, deferring investigations to the vendor and their bank's fraud department. BEC remains a pervasive threat: as the FBI reported, it resulted in adjusted losses of $2.9 billion from over 21,000 complaints in 2023.
State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage
Source: The Hacker News
A sophisticated state-sponsored actor is exploiting two zero-day vulnerabilities in Cisco networking gear to conduct espionage through a malware campaign. These vulnerabilities, CVE-2024-20353 and CVE-2024-20359, enabled the deployment of backdoors to facilitate malicious activities such as reconnaissance, data exfiltration, and network traffic capture. The attacker demonstrated meticulous evasion techniques to hide their “digital footprints,” suggesting a deep understanding of Cisco’s devices. CISA added these vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply fixes by May 1st.
Autodesk Drive Abused in Phishing Attacks
Source: Security Week
A widespread phishing campaign is using compromised corporate email accounts to trick new victims into entering Microsoft login credentials on fake sites hosting malicious PDFs. Attackers craft personalized emails to appear legitimate, with sender signatures and links to tailored PDFs named after companies on Autodesk's file-sharing platform. When opened, users get redirected to credential harvesting pages. Successfully phished credentials grant criminals unauthorized access to corporate data and additional email accounts to further spread their automated attacks globally.
DOJ Arrested the Founders of Crypto Mixer Samourai for Facilitating $2 Billion in Illegal Transactions
Source: Security Affairs
The U.S. Department of Justice arrested and charged the co-founders of cryptocurrency tumbler Samourai Wallet, alleging their "privacy" mixing service criminally laundered over $100 million by facilitating $2 billion in illicit transactions from darknet markets like Silk Road. Keonne Rodriguez and William Lonergan Hill implemented obfuscation tactics expressly designed to conceal criminal funds' origins for customers engaged in sanctions evasion, money laundering, and other illegal activities. Following global coordination with Europol and foreign agencies, authorities seized Samourai's web infrastructure and mobile app while levying money transmission and money laundering conspiracy charges carrying up to 25 years in prison. This enforcement strike against Samourai's founders directly confronts cryptocurrency mixers' key role in enabling ransomware, darknet markets, and other cybercrime by laundering illicit proceeds at a massive scale.
DragonForce Ransomware Group Uses LockBit's Leaked Builder
Source: Infosecurity Magazine
A newly identified ransomware strain, DragonForce, has emerged utilizing a leaked builder from the LockBit ransomware group. DragonForce's ransomware binary allows the group to customize and deploy ransomware payloads with ease. Despite Operation Cronos dismantling LockBit's infrastructure in February 2024, the leaked LockBit Black builder remains accessible, enabling threat actors like DragonForce to leverage it. DragonForce employs a double extortion tactic, targeting organizations globally, and has claimed high-profile attacks including on entities like Ohio Lottery and Coca-Cola Singapore.
Supplement Maker Hack Allegedly Exposes 1M Customers
Source: Cybernews
Major vitamin and supplement manufacturer Piping Rock has allegedly suffered a data breach exposing over 1 million customer records containing sensitive personal information. A hacker claims to have stolen 2.1 million emails containing names, phone numbers, home addresses, and purchase details for 957,384 customers, with the purported data advertised on a leak forum. The attacker implies failed "negotiations" with Piping Rock. While the company has not confirmed the incident, a sample of the data appears legitimate according to cybersecurity researchers.
VULNERABILITIES TO WATCH
Vulnerabilities Expose Brocade SAN Appliances, Switches to Hacking
Source: Security Week
Security researcher Pierre Barre uncovered multiple vulnerabilities in Brocade's SANnav storage area network (SAN) management application, potentially exposing appliances and Fibre Channel switches to hacking. Among the 18 identified flaws, nine were assigned CVE identifiers, including unauthenticated vulnerabilities allowing remote root access and interception of credentials transmitted in clear text. Exploiting them could lead to compromise of the entire Fibre Channel infrastructure. Despite initial rejection, Barre's findings prompted Brocade to release patches in SANnav version 2.3.1, addressing the vulnerabilities identified in December 2023. Hewlett Packard Enterprise (HPE) also integrated these fixes into their SANnav Management Portal versions 2.3.0a and 2.3.1, reinforcing the need for prompt updates to mitigate the security risks.
CISA Adds Microsoft Windows Print Spooler Flaw to Its Known Exploited Vulnerabilities Catalog
Source: Security Affairs
Following reports of exploitation by the Russia-linked APT28 group using a tool named GooseEgg, CISA added the CVE-2022-38028 Microsoft Windows Print Spooler Privilege Escalation vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. APT28 has utilized GooseEgg since at least June 2020 to exploit the flaw to gain elevated access to target systems for malicious activities such as credential theft and lateral movement. Microsoft addressed the vulnerability in October 2022 Patch Tuesday updates. Federal agencies are ordered to address the vulnerability by May 14, 2024, per Binding Operational Directive (BOD) 22-01, with recommendations for private organizations to review and mitigate vulnerabilities in their infrastructure.
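The two KEV items above (the Cisco zero-days due May 1 and the Print Spooler flaw due May 14) share the same defender workflow: pull the catalog, match it against the CVEs present in your own estate, and sort by remediation deadline. The script below is an added example, not code from the digest or from CISA. It parses a constructed sample in the shape of CISA's KEV JSON feed (the `cveID`, `vendorProject`, `product` and `dueDate` fields exist in the real feed; the entries here are built from the CVEs and due dates stated in this digest, and the `product` strings are placeholders), then triages a constructed list of observed CVEs against a reference date.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed. Only the fields this check
# uses are included; CVE IDs and due dates come from the digest above, and the
# product strings are placeholders, not catalog text.
SAMPLE_KEV_JSON = """
{
  "title": "constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-2024-20353", "vendorProject": "Cisco",
     "product": "networking gear (placeholder)", "dueDate": "2024-05-01"},
    {"cveID": "CVE-2024-20359", "vendorProject": "Cisco",
     "product": "networking gear (placeholder)", "dueDate": "2024-05-01"},
    {"cveID": "CVE-2022-38028", "vendorProject": "Microsoft",
     "product": "Windows Print Spooler", "dueDate": "2024-05-14"}
  ]
}
"""


def load_kev(raw_json):
    """Index a KEV-format document by CVE ID so lookups are O(1)."""
    data = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def triage(observed_cves, kev, today):
    """Return, for every observed CVE that is in KEV, its vendor, due date,
    days remaining (negative when overdue) and a status string.
    CVEs not in the catalog are ignored: they may still matter, but they are
    outside the BOD 22-01 deadline regime this check models."""
    results = {}
    for cve in observed_cves:
        entry = kev.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        results[cve] = {
            "vendor": entry["vendorProject"],
            "product": entry["product"],
            "due": due,
            "days_left": days_left,
            "status": "overdue" if days_left < 0 else "due",
        }
    return results


def prioritised(results):
    """Order matched CVEs by deadline, earliest first, so the report reads
    as a work queue."""
    return sorted(results.items(), key=lambda kv: kv[1]["due"])


if __name__ == "__main__":
    # Constructed inventory: two catalog hits and one CVE not in KEV.
    observed = ["CVE-2022-38028", "CVE-2024-20353", "CVE-2099-0001"]
    report = triage(observed, load_kev(SAMPLE_KEV_JSON), date(2024, 4, 26))
    for cve, info in prioritised(report):
        print(f"{cve}: {info['vendor']} {info['product']} "
              f"{info['status']} {info['due']} ({info['days_left']} days)")
```

Against the live feed you would replace `SAMPLE_KEV_JSON` with the downloaded catalog and `observed` with CVE IDs from your scanner or SBOM tooling; the triage and ordering logic are unchanged.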
Skylab IGX IIoT Gateway Vulnerability (CVE-2024-4163): Root Access for Attackers
Source: SecurityOnline.info
A critical vulnerability (CVE-2024-4163) discovered in Skylab's widely deployed IGX IIoT Gateway allows attackers to escalate privileges and gain full root access. By exploiting weaknesses in the gateway's limited shell, malicious actors can manipulate file permissions to create a new root user and escape restrictions to take complete control. Any organization using affected versions 1.2.12 or earlier faces potential exposure. Mitigations include urgently patching to the latest secure software release, monitoring for anomalous activity, and conducting comprehensive risk assessments across IIoT deployments.
SPECIAL REPORTS
11% of Cybersecurity Teams Have Zero Women
Source: Infosecurity Magazine
New research reveals a severe lack of gender diversity plaguing cybersecurity teams globally: only 4% have a female majority, while 11% have zero women represented. This glaring disparity, coupled with women facing a $5,400–$8,000 pay gap and 29% reporting workplace discrimination, highlights the need to bridge this divide. With the cybersecurity workforce shortage reaching 4 million (according to some reports), the industry must aggressively tap into the immense potential of women to fill this gap. Key initiatives include fostering an inclusive culture through DEI programs like mentorship and competitive pay–which 69% of women see as growing more crucial. Unlocking gender diversity's benefits of unique perspectives, talents, and well-rounded teams is imperative for strengthening cybersecurity's future.