CISO Daily Update - July 15, 2024
NEW DEVELOPMENTS
Rite Aid Disclosed Data Breach Following RansomHub Ransomware Attack
Source: Security Affairs
The third-largest U.S. drugstore chain Rite Aid disclosed a data breach following a June cyberattack by the RansomHub ransomware gang. The breach compromised 10 GB of customer data, including names, addresses, and birth dates; Rite Aid says no Social Security numbers, health records, or financial information were affected. Rite Aid is investigating the breach with third-party experts and notifying impacted customers. The RansomHub group published proof and threatened further leaks by July 22 if ransom demands were not met. This incident follows a May 2023 attack on Rite Aid by the Cl0p ransomware gang, which affected more than 24,000 customers.
Hackers Stole ‘Nearly All’ Call Logs Over Six Months From AT&T
Source: The Record
Hackers breached AT&T's data storage platform hosted on Snowflake and stole metadata for nearly all calls and texts made by customers over six months in 2022, affecting approximately 109 million people. The intrusion was discovered on April 19; the files were exfiltrated between April 14 and 25. AT&T clarified that the incident did not affect its network and that the records contain no customer names, but they do detail who interacted with whom and include cell site information. The company has notified customers, closed the access point, and cooperated with the FBI, which led to at least one arrest.
Indiana County Files Disaster Declaration Following Ransomware Attack
Source: The Record
Clay County, Indiana declared a local disaster following a ransomware attack that disrupted critical services at the courthouse and other departments, impairing their ability to operate and to connect with state partners. The declaration enables the county to allocate financial resources and address the operational impact. Discovered on July 9, the attack led to the closure of courthouse offices and temporarily disrupted non-emergency lines. Law enforcement was notified, and the county website remains down. Similar attacks hit nearby Monroe County and Cedar Falls, Iowa, with the BlackSuit ransomware gang implicated. Ransomware attacks on local governments are on track to exceed last year's total of 95 incidents.
Disney’s Internal Slack Breached? NullBulge Leaks 1.1 TB of Data
Source: Hackread
NullBulge claims responsibility for hacking Disney's internal Slack, leaking over 1 TB of data, possibly using LockBit's leaked builder. Disney, already under fire for not paying royalties to artists and writers such as Alan Dean Foster, now faces another challenge. Despite high-profile settlements, many creators still struggle for fair compensation. VX-Underground suggests the breach may have started with infostealer malware. This incident adds to the series of U.S. company data breaches, including AT&T's recent hack affecting approximately 109 million customers and the wider Snowflake breaches.
‘Magic Soap’ Producer Discloses Data Breach, but Details Are Scarce
Source: Cybernews
Dr. Bronner's, the producer of all-natural "magic soap," disclosed a data security incident that potentially exposed customers' full names and other unspecified personal information. The breach notification gave no figure for the number of individuals affected and no description of the full extent of the incident. Discovered on June 19, 2024, the breach involved unauthorized access to files containing personal data. Dr. Bronner's secured its network and launched an investigation with third-party cybersecurity experts. It is offering affected individuals complimentary credit monitoring and fraud assistance through Cyberscout and Identity Force. The company has not yet responded to further inquiries.
Homoglyphs and IL Weaving Used To Evade Detection in Malicious NuGet Campaign
Source: The Cyber Express
Researchers uncovered a sophisticated malware campaign targeting NuGet, Microsoft's package manager for .NET. Running since August 2023, the ongoing attack has evolved to use homoglyphs and IL weaving to evade detection and deceive developers. Homoglyphs are characters that look alike but are distinct Unicode code points; by substituting them into package IDs, the attackers produced names that read like a trusted publisher's reserved prefix without actually matching it, sidestepping NuGet's prefix reservation and passing the packages off as legitimate while they carried malicious code. The campaign also uses IL weaving to inject a malicious module initializer into otherwise legitimate .NET binaries, so the payload runs automatically when the module is first used and the tampering is harder to spot. Approximately 60 packages and 290 versions were affected.
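The homoglyph half of this is easy to check for on your own side of the supply chain. The Python below is an added example, not code from the researchers or from NuGet: it reduces a package ID to the ASCII "skeleton" a human reads it as (NFKC normalisation plus a small, constructed subset of the Unicode confusables table), flags mixed scripts and characters outside the usual ID alphabet, and reports IDs that read as a reserved prefix without actually matching it. The reserved prefix Contoso. and the sample package IDs are constructed for the example.

```python
import unicodedata

# Constructed subset of Unicode confusables (lookalike -> ASCII skeleton).
# The full table (Unicode UTS #39) is much larger; this is enough to illustrate.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",   # Cyrillic lower
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",                                                # Cyrillic upper
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u039a": "K",
    "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T",
    "\u03bf": "o",                                                # Greek
    "\u057d": "u", "\u0585": "o",                                 # Armenian
}

# Characters one expects in a package ID; anything else is worth a look.
ID_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def skeleton(package_id):
    """Collapse an ID to the ASCII string a human would read it as:
    NFKC-normalise (folds full-width letters, ligatures, etc.), then map
    known lookalikes onto their Latin counterparts."""
    nfkc = unicodedata.normalize("NFKC", package_id)
    return "".join(CONFUSABLES.get(ch, ch) for ch in nfkc)


def scripts_used(package_id):
    """Set of script names (first word of the Unicode character name) for the
    letters in the ID, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in package_id if ch.isalpha()}


def check_package_id(package_id, reserved_prefixes):
    """Return a list of findings for one package ID (empty = nothing odd).

    reserved_prefixes: prefixes restricted to verified owners, compared
    case-insensitively, as NuGet treats package IDs.
    """
    findings = []

    odd = [ch for ch in package_id if ch not in ID_CHARS]
    if odd:
        findings.append("unexpected characters: " + ", ".join(
            f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}" for ch in odd))

    scripts = scripts_used(package_id)
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))

    skel = skeleton(package_id).lower()
    raw = package_id.lower()
    for prefix in reserved_prefixes:
        p = prefix.lower()
        if skel.startswith(p) and not raw.startswith(p):
            findings.append(
                f"reads as reserved prefix {prefix!r} but does not match it")
    return findings


if __name__ == "__main__":
    reserved = ["Contoso."]                    # constructed reserved prefix
    samples = [
        "Contoso.Widgets",                     # genuine owner
        "C\u043entoso.Widgets",                # Cyrillic small o (U+043E)
        "\u0421ontoso.Widgets",                # Cyrillic capital Es (U+0421)
        "Cont\u0585so.Widgets",                # Armenian small oh (U+0585)
    ]
    for pid in samples:
        print(f"{pid!r}: {check_package_id(pid, reserved) or 'ok'}")
```

Run it over the package references in a lock file or a feed's recent-uploads list rather than on individual names; the "reads as reserved prefix but does not match it" finding is the one that maps directly to the technique described above, while the mixed-script and unexpected-character findings catch lookalikes your confusables subset does not know about.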
VULNERABILITIES TO WATCH
GitLab Sends Users Scrambling Again With New CI/CD Pipeline Takeover Vuln
Source: Darkreading
GitLab's latest critical vulnerability (CVE-2024-6385) in its DevOps platform allows an attacker with a valid account to trigger CI/CD pipelines as another user, potentially hijacking that user's identity and reaching the secrets and data the pipeline can access. Rated CVSS 9.6, it affects versions 15.8 through 17.1 and is fixed in 16.11.6, 17.0.4, and 17.1.2; it follows a similar bug patched just two weeks prior. Although exploitation requires a valid user account, the low attack complexity raises concerns. GitLab urges immediate upgrades, emphasizing the bug's severity and its broader attack surface compared to its predecessor. This marks the third severe GitLab vulnerability in recent months.
Citrix NetScaler ADC & Gateway Impacted by regreSSHion RCE Vulnerability
Source: Cyber Security News
Citrix NetScaler ADC and Gateway are vulnerable to the regreSSHion RCE vulnerability (CVE-2024-6387), a critical flaw in OpenSSH's server (sshd) that allows unauthenticated remote code execution as root on glibc-based Linux systems. The vulnerability affects multiple versions of NetScaler ADC, NetScaler Gateway, and NetScaler Console. Users are advised to update to the latest patched versions immediately to mitigate the risk. Other Citrix products, such as Citrix Virtual Apps and Desktops, are not affected. Cloud Software Group has patched all services on its own cloud infrastructure.
Critical Flaw in Exim MTA Could Allow to Deliver Malware to Users’ Inboxes
Source: Security Affairs
A critical flaw in the Exim mail transfer agent (CVE-2024-39929), rated CVSS 9.1, allows attackers to deliver malicious executable attachments: Exim misparses a filename split across multiple lines with RFC 2231 continuation parameters, so an extension-blocking check based on $mime_filename sees a harmless name while the recipient's mail client reassembles the real one. Exim, a highly configurable MTA for Unix-like systems, runs on approximately 74% of public-facing SMTP servers. The vulnerability affects versions up to 4.97.1 and is fixed in version 4.98. Censys reports more than 1.5 million exposed Exim servers that are potentially vulnerable, most of them in the U.S., Russia, and Canada. No in-the-wild exploitation is known, but a proof-of-concept exploit exists.
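To make the parsing mismatch concrete, here is an added example in Python; it is not Exim's code and not the published proof of concept. naive_filename() models the class of mistake the advisory describes (reading only the first filename parameter and ignoring RFC 2231 continuations), while real_filename() uses the standard library's email parser, which reassembles the numbered filename*N parts the way a mail client will. The message, the block list and the helper names are all constructed for the example.

```python
import email
import os
import re

# Attachment extensions the gateway is supposed to refuse (constructed list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".pif", ".vbs", ".js"}

# Constructed test message. The attachment name is split across two RFC 2231
# continuation parameters (filename*0, filename*1) on separate folded header
# lines, so no single line of the header contains "report.exe".
RAW_MSG = (
    "From: sender@example.com\r\n"
    "To: victim@example.com\r\n"
    "Subject: invoice\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment;\r\n"
    "\tfilename*0=\"report\";\r\n"
    "\tfilename*1=\".exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "TVqQAAMAAAAEAAAA\r\n"          # constructed body, not a real binary
)


def naive_filename(raw_msg):
    """Model of the vulnerable behaviour (an illustration, not Exim's code):
    take the first filename parameter found and stop there, so only the
    first RFC 2231 segment is ever inspected."""
    m = re.search(r'filename(?:\*\d+)?\*?=("?)([^";\r\n]*)\1',
                  raw_msg, re.IGNORECASE)
    return m.group(2) if m else None


def real_filename(raw_msg):
    """What a standards-compliant client saves the attachment as:
    Message.get_filename() joins the numbered filename*N parts in order
    (and decodes charset-tagged filename*N* parts as well)."""
    return email.message_from_string(raw_msg).get_filename()


def is_blocked(filename):
    """Extension check of the kind an ACL keyed on $mime_filename performs."""
    if not filename:
        return False
    return os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS


def evaluate(raw_msg):
    """Compare the two views of the same message."""
    naive = naive_filename(raw_msg)
    real = real_filename(raw_msg)
    return {
        "naive_name": naive, "naive_blocked": is_blocked(naive),
        "real_name": real, "real_blocked": is_blocked(real),
    }


if __name__ == "__main__":
    for key, value in evaluate(RAW_MSG).items():
        print(f"{key:14} {value!r}")
```

The naive view reports "report" and lets the message through; the reassembled view reports "report.exe" and blocks it. The practical lesson is the one behind the fix: any filter that makes a decision on an attachment name must parse the header the same way the recipient's client does, continuations and charset-encoded segments included, rather than pattern-matching the raw header text.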
SPECIAL REPORTS
Hackers Use PoC Exploits in Attacks 22 Minutes After Release
Source: Bleeping Computer
Cloudflare's 2024 Application Security report finds that threat actors begin exploiting newly disclosed vulnerabilities as little as 22 minutes after a proof-of-concept (PoC) exploit is published, reinforcing the need for rapid patching and virtual patching. Between May 2023 and March 2024, the most targeted flaws included CVE-2023-50164 in Apache Struts 2 and CVE-2023-35082 in Ivanti's MobileIron (Endpoint Manager Mobile). Cloudflare, which processes an average of 57 million HTTP requests per second, has seen increased scanning and command-injection attempts for disclosed CVEs. To keep pace with this speed, Cloudflare uses AI-assisted tooling to generate detection rules. The report also notes a rise in DDoS attacks, with 6.8% of all internet traffic being DDoS-related.
Finding value in this newsletter? Like or share this post on LinkedIn