CISO Daily Update - July 24, 2024
NEW DEVELOPMENTS
Ransomware Recovery Effort Cost Suffolk County $25.7 Million, Prompting Investigation
Source: The Cyber Express
The ransomware attack on Suffolk County, New York, resulted in a $25.7 million recovery cost, sparking controversy and calls for an investigation. The attack occurred on September 8, 2022, exposing the personal data of 470,000 residents and 26,000 employees, and disrupting services for months. Criticism arose over transparency and oversight, with County Comptroller John Kennedy and County Executive Edward P. Romaine questioning the necessity and deployment of the expenditures. Key costs included $8.1 million to Palo Alto Networks and $1.67 million for forensic efforts. Romaine emphasized the difficulty of assessing costs due to inadequate records.
Fake CrowdStrike Repair Manual Pushes New Infostealer Malware
Source: Bleeping Computer
CrowdStrike warns of a fake recovery manual for Windows devices installing the new Daolpu information-stealing malware. Following the CrowdStrike Falcon update mishap, threat actors are exploiting the situation via phishing emails that spread the malware disguised as a Microsoft recovery manual. Once activated, Daolpu harvests account credentials, browser history, and authentication cookies from various browsers including Chrome and Edge. The stolen data is then sent to the attackers' server. CrowdStrike advises users to follow only official communications for remediation advice and has provided a YARA rule for detection.
Cybercrooks Spell Trouble With Typosquatting Domains Amid CrowdStrike Crisis
Source: The Register
In the wake of CrowdStrike's Falcon update crisis, cybercriminals are leveraging typosquatting domains to exploit IT admins. Thousands of these domains, such as crowdstrikefix[.]com and crowdstrike-helpdesk[.]com, are registered to deceive users and push fake fixes, extortion, and phishing schemes. SentinelOne notes the attacks are growing but remain opportunistic. These campaigns range from financial scams demanding exorbitant fees for bogus solutions to phishing attacks distributing malware like Remcos RAT. CrowdStrike advises verifying communications through official channels and has updated its remediation guidance for affected users.
2 Million Microsoft 365 Data Compromised by CrowdStrike Bug
Source: Hackerdose
A threat actor named SilentAction claimed to exploit the recent CrowdStrike bug affecting Microsoft 365 computers, allegedly compromising 2 million user records. The leaked data was posted on BreachForums and reportedly includes sensitive information such as Microsoft account details, login credentials, personal data, and product license keys. The threat actor is selling this data for $10,000 on the dark web. The breach potentially affects users of various Microsoft Windows operating systems and could enable further cybercrimes. The claimed incident is an opportunistic attack following the widespread outage caused by CrowdStrike's faulty update, which impacted an estimated 8.5 million Windows devices globally. Microsoft has yet to comment on this alleged data leak, while experts suggest full system recovery from the CrowdStrike incident could take weeks.
US Gov Sanctioned Key Members of the Cyber Army of Russia Reborn Hacktivists Group
Source: Security Affairs
The U.S. government has imposed sanctions on two key members of the Russian hacktivist group Cyber Army of Russia Reborn (CARR) for cyberattacks targeting critical infrastructure in the United States. Yuliya Vladimirovna Pankratova, identified as the group's leader, and Denis Olegovich Degtyarenko, a primary hacker, were sanctioned for their roles in recent attacks. CARR has claimed responsibility for several low-impact DDoS attacks since 2022, but its activities escalated in late 2023 and early 2024, affecting water, hydroelectric, wastewater, and energy facilities in the U.S. and Europe. Notable incidents include causing water tank overflows in Texas and compromising a U.S. energy company's SCADA system. The sanctions block all U.S.-based property and interests of the designated individuals and prohibit transactions involving them.
BreachForums v1 Hacking Forum Data Leak Exposes Members’ Info
Source: Bleeping Computer
The BreachForums v1 hacking community suffered a data breach exposing the private information of 212,414 members from a November 2022 backup. Leaked by a threat actor named Emo, the data allegedly originated from the forum's arrested founder, Conor Fitzpatrick (Pompompurin), who attempted to sell it while on bail. The leak includes user IDs, login names, email addresses, and IP information, providing valuable insights for researchers and law enforcement to track threat actors across platforms. This incident follows the forum's tumultuous history, including FBI seizures and multiple reincarnations.
VULNERABILITIES TO WATCH
Philips Vue PACS Vulnerabilities Put Patient Data at Risk: Healthcare Sector on High Alert
Source: The Cyber Express
Philips disclosed multiple high and critical severity vulnerabilities in its Vue Picture Archiving and Communication System (PACS), which is used extensively in hospitals for managing medical images like X-rays and MRIs. These vulnerabilities affect versions before 12.2.8.410 and could lead to unauthorized data access, service disruptions, and diagnostic data manipulation. Philips urges immediate upgrades to the latest secure versions and implementation of recommended security configurations. Notably, many Vue PACS systems are internet-accessible, increasing their risk of remote exploitation, particularly in countries like Brazil and the United States.
Swipe Right for Data Leaks: Dating Apps Expose Location, More
Source: Darkreading
Security researchers in Belgium uncovered API vulnerabilities in popular dating apps like Tinder, Bumble, Grindr, Badoo, OKCupid, MeetMe, and Hinge, exposing sensitive user data and allowing exact location pinpointing. Analyzing 15 apps, researchers found all leaked some sensitive data, such as ethnic origin, sexual orientation, and health information. Notably, six apps, including Bumble, Grindr, and Hinge, could pinpoint user locations using trilateration methods. Despite companies addressing some location vulnerabilities, data leaks persist as some app behaviors are deemed "intended." Users are advised to be cautious about the personal information they share.
Okta Browser Plugin Vulnerable To Reflected Cross-Site Scripting Attacks
Source: Cyber Security News
Okta's Browser Plugin, used by over 5 million users across Edge, Chrome, Safari, and Firefox, was found vulnerable to Cross-site Scripting (XSS) attacks, potentially allowing threat actors to execute arbitrary JavaScript code. The vulnerability (CVE-2024-0981), with a high severity rating of 7.1, affects versions 6.5.0 through 6.31.0. The issue arises when new credentials are entered and the plugin prompts to save them with Okta Personal. Okta issued a security advisory and urged users to upgrade to version 6.32.0 to mitigate the risk. Workforce Identity Cloud users remain unaffected if Okta Personal is not added to the plugin.
Goodbye? Attackers Can Bypass 'Windows Hello' Strong Authentication
Source: Darkreading
Accenture researcher Yehuda Smirnov found a vulnerability in Microsoft's Windows Hello for Business (WHfB) that allows attackers to bypass its strong authentication via a downgrade attack using the Evilginx adversary-in-the-middle framework. By intercepting and modifying POST requests to Microsoft's authentication services, attackers can force WHfB to revert to less secure methods like passwords or OTPs, making it susceptible to phishing. However, Microsoft fixed this issue in March with a new conditional access policy that enforces phishing-resistant authentication.
SPECIAL REPORTS
The CrowdStrike Butterfly Effect: Cyber Pros Weigh In on the Far-Reaching Disaster
Source: Cybernews
The CrowdStrike software update disaster sent shockwaves through the cybersecurity industry. Experts describe it as potentially the most costly IT outage in history, likening its impact to a large-scale ransomware attack. Key issues highlighted include the dangers of single points of failure, over-reliance on centralized services, and the risks of automatic updates without IT intervention. The incident sparked debates on accountability, with blame directed at both CrowdStrike and organizations lacking adequate backup procedures. Experts suggest improvements in software testing, incremental update rollouts, and a shift towards zero-trust security approaches. The disaster also raises questions about regulatory requirements that may inadvertently increase systemic risks. Overall, this event serves as a wake-up call for the industry to reassess its approach to cybersecurity and digital resilience.
The Changes in the Cyber Threat Landscape in the Last 12 Months
Source: Help Net Security
Europol’s IOCTA 2024 report highlights significant shifts in the cyber threat landscape over the past year due to law enforcement actions. Takedowns of ransomware groups like Hive, LockBit, and ALPHV/BlackCat, along with disruptions of cybercriminal forums and arrests of dark web vendors, led to the reorganization of ransomware groups and increased competition among ransomware-as-a-service (RaaS) providers. SMBs are now primary targets due to their weaker cybersecurity. Dark web marketplaces have shorter lifespans, and double extortion models are rising. Cybercriminals continue to exploit Bitcoin, Tor, and end-to-end encryption (E2EE) messaging, while new AI technologies lower the barrier to entering cybercrime, given the use of malicious LLMs for attack scripts, phishing, and deepfakes.
Seemplicity 2024 Remediation Operations Report: Rising Exposure Management Risk
Source: Darkreading
Seemplicity's 2024 Remediation Operations Report reveals significant trends in cybersecurity with 91% of surveyed professionals reporting increased security budgets. Organizations face complexity from using an average of 38 security vendors, leading to alert noise. Automation is widely adopted, with 97% using it in vulnerability management. AI investment is set to increase, with 85% planning to boost spending in the next five years. While 64% view AI as a weapon against cyber threats, 68% worry about its impact on rapid software development. Over half of respondents see the new SEC reporting requirements as an opportunity, and 90% are likely to adopt Continuous Threat Exposure Management programs.
Hackers Exploiting Google Cloud for Massive Phishing Attacks
Source: Cyber Press
Google Cloud's latest security report highlights growing threats in serverless computing environments. Hackers are increasingly exploiting weak serverless security configurations and compromised credentials for cryptomining and unauthorized access. The report identifies misconfigurations as the second most common cause of breaches after weak credentials. Serverless architectures, while offering benefits, introduce new security challenges such as hardcoded secrets and insecure development practices. Threat actors are now abusing Google Cloud Run and Cloud Functions to distribute malware and host phishing pages on legitimate domains. The FLUXROOT group, for instance, used Google Cloud serverless projects to steal credentials from a major Latin American payment platform. To mitigate these risks, cloud security professionals must prioritize strong authentication, proper configurations, and continuous monitoring, while Google is working to improve detection systems and suspend malicious projects.