CISO Daily Update - August 9, 2024

NEW DEVELOPMENTS

Cyber Incident Shuts Down North Miami City Hall: What You Need to Know

Source: The Cyber Express

North Miami City Hall has been closed indefinitely following a cyber incident that disrupted the city's network systems. Despite the closure, emergency services remain fully operational. Mayor Alix Desulme reassured residents that the city is working to resolve the issue. The cyberattack impacted online services and led to the postponement of public meetings, though some departments, such as the Public Library and Parks and Recreation, continue their operations. Residents can reach out to a dedicated hotline for assistance, and the city is committed to providing regular updates as the investigation progresses.

Article Link


Michigan Hospital System Struggles With Cyberattack as Healthcare Industry Decries ‘Russian’ Ransomware

Source: The Record

Major Michigan hospital system McLaren Health Care is dealing with a cyberattack that disrupted phone systems, computer networks, and some medical procedures. While emergency services remain operational, non-emergency appointments and some surgeries have been rescheduled. Although McLaren hasn't confirmed if it's a ransomware attack, a ransom note allegedly from the INC ransomware gang has surfaced. This incident follows a trend of increasing ransomware attacks on healthcare systems, which the American Hospital Association attributes to Russian-speaking cybercrime groups.

Article Link


Rhysida Ransomware Group Claims to Have Breached Bayhealth Hospital in Delaware

Source: Security Affairs

The Rhysida ransomware group claims to have breached Bayhealth Hospital in Delaware and is demanding 25 BTC to avoid leaking the stolen data. Bayhealth is a major not-for-profit healthcare system with nearly 4,000 employees and 450 physicians, operating two hospitals and an emergency center. The group leaked screenshots of stolen passports and ID cards as proof of the hack. This is not the first time Rhysida has targeted a hospital, having previously claimed attacks on facilities in Jordan and the UK. The healthcare sector continues to face persistent cyber threats.

Article Link


Massive DDoS Attack: Record-breaking 419 TB of Malicious Traffic Within 24 Hours

Source: Cyber Security News

Akamai Technologies successfully mitigated one of the largest and most sophisticated distributed denial-of-service (DDoS) attacks it has faced, blocking approximately 419 terabytes of malicious traffic over nearly 24 hours. The attack targeted a major financial services company in Israel, reaching a peak of 798 Gbps via a globally distributed botnet that employed methods such as UDP flood and DNS reflection.

Article Link


US Offers $10 Million for Info on Iranian Leaders Behind CyberAv3ngers Water Utility Attacks

Source: The Record

The U.S. State Department identified six Iranian government hackers–allegedly tied to the IRGC's Cyber-Electronic Command–for their role in cyberattacks on U.S. water utilities. These hackers are part of the CyberAv3ngers group targeting programmable logic controllers used in critical infrastructure. They compromised systems at a Pennsylvania water authority in retaliation for Israeli actions in Gaza. The U.S. offers up to $10 million for information on the hackers' whereabouts.

Article Link


Royal Ransomware Successor BlackSuit Has Demanded More Than $500 Million

Source: The Record

The ransomware group behind the 2022 attack on Dallas rebranded from "Royal" to "BlackSuit" and has already demanded over $500 million in ransoms with individual demands reaching up to $60 million. The FBI and CISA confirmed this shift in a recent advisory, noting that BlackSuit uses similar coding to its predecessor but with enhanced capabilities. Their primary attack vector remains phishing, followed by disabling antivirus software and exfiltrating data. The group has also started contacting victims' customers directly to pressure payment, although this tactic has seen limited success. The advisory includes new technical data to aid in detecting BlackSuit's activities.

Article Link


US Dismantles Laptop Farm Used by Undercover North Korean IT Workers

Source: Bleeping Computer

The U.S. Justice Department arrested Matthew Isaac Knoot, who operated a laptop farm in Nashville to help North Korean IT workers pose as U.S.-based individuals. These workers used stolen identities and remote desktop applications to access U.S. company networks, earning over $250,000 between July 2022 and August 2023. The revenue supported North Korea's nuclear weapons program. This is part of a broader initiative to shut down U.S.-based operations aiding North Korean threat actors.

Article Link


VULNERABILITIES TO WATCH

“Perfect” Windows Downgrade Attack Turns Fixed Vulnerabilities Into Zero-Days

Source: Help Net Security

A researcher uncovered a severe downgrade attack on Windows that covertly reintroduces patched vulnerabilities–making fully updated systems vulnerable. By exploiting the Windows Update process, the attacker can downgrade critical OS components and disable key security features like Credential Guard and virtualization-based security–turning past vulnerabilities into zero-days. The attack leverages two unpatched zero-day vulnerabilities (CVE-2024-38202, CVE-2024-21302) in the Windows Update Stack and Secure Kernel. Microsoft is working on a fix.

Article Link


Chrome, Safari, Mozilla Under Siege: ‘0.0.0.0 Day’ Vulnerability Exposes Millions

Source: The Cyber Express

A newly discovered zero-day vulnerability dubbed "0.0.0.0 Day" exposes a critical flaw in major web browsers, including Chrome, Safari, and Firefox, that allows attackers to potentially access sensitive data on users' devices. The vulnerability exploits inconsistencies in how browsers handle network requests to the 0.0.0.0 address, enabling malicious websites to interact with APIs on a user's local machine (localhost). While Apple and Google are swiftly working on fixes, with updates expected soon, Mozilla remains cautious due to potential compatibility issues.
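Until browser fixes land, a service that listens locally can refuse the requests this flaw produces. The following is an added example, not code from the article or from any browser vendor: it checks that the Host header names loopback (a request that arrived via 0.0.0.0 carries "0.0.0.0" instead) and that any Origin header is on an explicit allow-list. The allowed UI origin and the sample requests are constructed for the demonstration.

```python
# Added defensive example (not from the article): a check a locally bound
# HTTP service can run before handling a request, so that a web page that
# fetches http://0.0.0.0:<port> is rejected even though the browser routed
# the request to localhost. Names and values here are constructed.

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
ALLOWED_ORIGINS = {"http://localhost:8080"}  # assumed legitimate local UI


def _hostname(host_header: str) -> str:
    """Strip the port from a Host header, keeping IPv6 brackets intact."""
    host = host_header.strip().lower()
    if host.startswith("["):            # "[::1]:3000" -> "[::1]"
        return host.split("]")[0] + "]"
    return host.split(":")[0]           # "127.0.0.1:3000" -> "127.0.0.1"


def request_allowed(headers: dict) -> tuple:
    """Return (allowed, reason) for a request reaching the local service.

    A request sent to 0.0.0.0 carries Host: 0.0.0.0:<port>, a LAN IP, or a
    DNS-rebound name; none of those is loopback, so it is rejected here.
    Browsers add an Origin header to cross-site fetches, so a request from
    an unknown page is rejected even if the Host header looks right.
    """
    host = headers.get("Host")
    if host is None or _hostname(host) not in ALLOWED_HOSTS:
        return False, "host header not loopback"
    origin = headers.get("Origin")
    if origin is not None and origin.lower() not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    return True, "ok"


# Constructed sample requests; the second models a cross-site fetch to 0.0.0.0.
SAMPLES = [
    {"Host": "127.0.0.1:3000", "Origin": "http://localhost:8080"},
    {"Host": "0.0.0.0:3000", "Origin": "https://attacker.example"},
    {"Host": "localhost:3000", "Origin": "https://attacker.example"},
    {"Host": "localhost:3000"},          # same-origin or non-browser client
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", request_allowed(sample))
```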

Article Link


AWS Patches Vulnerabilities Potentially Allowing Account Takeovers

Source: Security Week

AWS patched critical vulnerabilities in several services, including CloudFormation, Glue, and SageMaker, that could have allowed attackers to take over accounts, execute arbitrary code, and expose sensitive data. Disclosed by Aqua Security at Black Hat USA 2024, these flaws involved a "Bucket Monopoly" technique where attackers could pre-emptively create S3 buckets with predictable names–enabling them to inject malicious code and gain elevated privileges when the service was activated in a new region. AWS confirmed the issue has been resolved, and no customer action is needed. Aqua Security plans to release further technical details and an open-source tool to assess past vulnerabilities.

Article Link


Critical 1Password Vulnerability: Hackers Could Exploit Security Flaw to Access Unlock Keys

Source: The Cyber Express

A critical vulnerability (CVE-2024-42219) was discovered in the 1Password password manager for macOS that could allow attackers to extract sensitive information such as account unlock keys and vault items by exploiting inadequate macOS inter-process communication protections. 1Password developer AgileBits confirmed the flaw, which was discovered by Robinhood's Red Team and has not yet been reported as exploited. 1Password released an update, version 8.10.38, to address the issue.

Article Link


GhostWrite Flaw: Hackers Can Access and Control Your Computer’s Memory

Source: Cyber Press

Researchers developed RISCVuzz, a differential fuzzing framework that can identify critical vulnerabilities in RISC-V CPUs without access to source code. By comparing instruction execution across multiple CPUs, RISCVuzz discovered flaws such as GhostWrite, which allows unprivileged users to read and write arbitrary memory, bypassing protection mechanisms. The approach leverages the assumption of consistent architectural behavior to detect anomalies, exposing both documented and undocumented vulnerabilities, including hardware-level bugs.

Article Link


Cisco Warns of Critical RCE Zero-Days in End of Life IP Phones

Source: Bleeping Computer

Cisco issued a warning about critical remote code execution (RCE) vulnerabilities in its discontinued Small Business SPA 300 and SPA 500 series IP phones. The vulnerabilities, three of which are rated critical (CVSS 9.8), allow unauthenticated attackers to execute arbitrary commands with root privileges via specially crafted HTTP requests. Cisco has not provided fixes or mitigation options as these devices are no longer supported. Users are urged to transition to newer models. Cisco's Technology Migration Program offers trade-in options for affected customers.

Article Link


SPECIAL REPORTS

Thousands of Exposed Industrial Control Systems in US, UK Threaten Water Supplies

Source: Hackread

A Censys report reveals over 40,000 Industrial Control Systems (ICS) in the US and 1,500 in the UK are exposed to the public internet–making them prime targets for cyberattacks. Particularly concerning is the vulnerability of water and wastewater systems, where many Human-Machine Interfaces (HMIs) lack authentication, allowing easy manipulation by attackers. The report highlights the difficulty in notifying owners due to many devices being hosted on cellular networks or ISPs, and calls for urgent action to strengthen cybersecurity measures across critical infrastructure.

Article Link


AI Model Achieves 98% Accuracy in Collecting Threat Intelligence From Dark Web Forums

Source: Cyber Security News

Researchers from the Université de Montréal and Flare Systems developed a large language model (LLM) system that can accurately extract critical cyber threat intelligence (CTI) from cybercrime forums with an impressive 98% accuracy. The study analyzed conversations from three prominent cybercrime forums, and demonstrated the immense potential of AI in enhancing the efficiency and scalability of CTI efforts. The researchers emphasize that this technology can effectively replace first-level threat analysts in extracting relevant information to provide real-time, actionable insights to proactively defend against cyber attacks.

Article Link


Researchers Detailed the Evolution of Cybercriminal Underworld

Source: Cyber Security News

Cybersecurity researchers detailed the complex evolution of the cybercriminal underworld–tracing its transformation from isolated hackers seeking notoriety to highly organized syndicates driven by profit. The findings reveal how cybercrime has become a $1.5 trillion industry, with sophisticated groups using advanced techniques like APTs and ransomware, and leveraging dark web marketplaces that commoditize attacks. Key components of the modern cybercriminal landscape include money mules, phishing services, anonymous proxies, and APT groups disguising espionage. Recent trends like scamming farms and AI-enhanced low-level scams further highlight the adaptability and coordination of these threat actors. Understanding these dynamic operational realities is crucial for cybersecurity professionals to develop effective strategies to secure data, manage assets, and mitigate employee-related risks.

Article Link


#BHUSA: CISA Director Confident in US Election Security

Source: Infosecurity Magazine

CISA Director Jen Easterly expressed confidence in the security of upcoming US elections, praising the integrity of state and local election officials. While acknowledging a complex threat environment, particularly from Russia, Easterly emphasized that previous elections in 2018, 2020, and 2022 were secure with no evidence of vote tampering. Global partners from the UK and EU also shared insights on managing election security. In the US, local officials such as those in Clark County, Nevada, are taking extensive measures to secure election infrastructure, including collaborations with federal agencies such as CISA and the FBI.

Article Link


Finding value in this newsletter? Like or share this post on LinkedIn

Godwin Josh

Co-Founder of Altrosyn and Director at CDTECH | Inventor | Manufacturer

3 months

The increasing sophistication of ransomware groups like BlackSuit raises concerns about the effectiveness of traditional security measures. While AI shows promise in threat intelligence, its reliance on data could be exploited by adversaries who manipulate information. Given the growing trend of cybercriminal syndicates, how can organizations effectively mitigate the risks posed by their complex and interconnected operations?
