CISO Daily Update - July 8, 2024
NEW DEVELOPMENTS
Alabama State Department of Education Suffered a Data Breach Following a Blocked Attack
Source: Security Affairs
On June 17, Alabama's school superintendent announced a data breach after successfully blocking a ransomware attack on the Alabama State Department of Schools. Despite the attempt being blocked, threat actors gained access to some data and caused service disruptions. Superintendent Eric Mackey encouraged parents and education personnel to monitor their credit as some student and employee data may have been exposed. The department is working with experts to investigate the breach.
Shopify Denies It Was Hacked, Links Stolen Data to Third-Party App
Source: Bleeping Computer
Shopify denies claims of a data breach after threat actor '888' began selling customer data purportedly stolen from the platform, asserting the breach stemmed from a third-party app. Shopify confirmed its systems were secure, and the app developer would notify affected customers. The leaked data includes Shopify IDs, names, emails, phone numbers, order counts, and subscription details. Shopify did not disclose which app was compromised. Notably, '888' previously targeted companies like Credit Suisse and Shell.
Hackers Stole OpenAI Secrets in a 2023 Security Breach
Source: Security Affairs
OpenAI, the creator of ChatGPT, experienced a previously undisclosed security breach in 2023, as reported by The New York Times. A hacker infiltrated the company's internal messaging systems, accessing employee discussions about AI technology designs. The breach didn't compromise source code or customer data but raised concerns about potential cyber espionage. The incident prompted internal debates about the company's preparedness to protect its intellectual property from foreign adversaries, particularly in light of China's growing AI capabilities.
Cloudflare DNS Resolver Hit by BGP Hijack
Source: The Cyber Express
Cloudflare's 1.1.1.1 DNS resolver service recently fell victim to a dual BGP attack, exposing vulnerabilities in the aging internet routing protocol. The incident affected less than 1% of internet traffic and combined a routing hijack and a BGP route leak to temporarily disrupt the service. Unauthorized announcements of the 1.1.1.1/32 prefix by AS267613 and subsequent leaks by other networks led to widespread misrouting. Cloudflare emphasizes the need for improved BGP security measures, including RPKI adoption, stricter RTBH filtering, and implementation of ASPA. The company expanded its route leak detection capabilities and urges ISPs to enforce RPKI origin validation.
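The RPKI origin validation Cloudflare urges ISPs to enforce, as an added example (not Cloudflare's or any router vendor's code): it applies the RFC 6811 rules to the unauthorized 1.1.1.1/32 announcement from AS267613. The ROA entry is constructed for illustration, assuming Cloudflare's 1.1.1.0/24 is authorized only for AS13335 with maxLength 24.

```javascript
// Added example, not Cloudflare's code: RPKI route origin validation
// (RFC 6811) for IPv4 announcements. The ROA set below is constructed.

// Convert dotted-quad IPv4 to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) | parseInt(o, 10), 0) >>> 0;
}

// Does the ROA prefix (e.g. "1.1.1.0/24") cover the announced prefix
// (e.g. "1.1.1.1/32")? A ROA only covers equal-or-more-specific prefixes.
function covers(roaPrefix, prefix) {
  const [rIp, rLen] = roaPrefix.split("/");
  const [pIp, pLen] = prefix.split("/");
  if (Number(pLen) < Number(rLen)) return false;
  const mask = rLen === "0" ? 0 : (0xffffffff << (32 - Number(rLen))) >>> 0;
  return ((ipv4ToInt(rIp) & mask) >>> 0) === ((ipv4ToInt(pIp) & mask) >>> 0);
}

// RFC 6811 outcome for one announcement: "not-found" when no ROA covers the
// prefix, "valid" when a covering ROA names this origin AS and the announced
// length is within its maxLength, otherwise "invalid".
function validateOrigin(prefix, originAsn, roas) {
  const covering = roas.filter((r) => covers(r.prefix, prefix));
  if (covering.length === 0) return "not-found";
  const pLen = Number(prefix.split("/")[1]);
  const match = covering.some((r) => r.asn === originAsn && pLen <= r.maxLength);
  return match ? "valid" : "invalid";
}

// Constructed ROA set: 1.1.1.0/24 authorized for Cloudflare's AS13335 only,
// with maxLength 24 so that more-specifics such as /32 are never valid.
const ROAS = [{ prefix: "1.1.1.0/24", asn: 13335, maxLength: 24 }];

// The hijack described above: 1.1.1.1/32 originated by AS267613.
console.log(validateOrigin("1.1.1.1/32", 267613, ROAS)); // invalid
```

A router enforcing ROV drops the "invalid" route, so the /32 from AS267613 never replaces the legitimate /24; note the same /32 announced even by AS13335 is also "invalid" because it exceeds the ROA's maxLength.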
Threat Actors Exploit Microsoft SmartScreen Vulnerability: Cyble Researchers
Source: The Cyber Express
Cyble Research and Intelligence Labs (CRIL) uncovered an active campaign exploiting a Microsoft SmartScreen vulnerability (CVE-2024-21412) to deliver infostealers. Despite Microsoft's February patch, the attack targets users in Spain, the U.S., and Australia through sophisticated phishing lures. The multi-stage attack bypasses SmartScreen warnings, utilizes legitimate Windows tools, and employs DLL sideloading to inject payloads. Cyble researchers recommend implementing advanced email filtering, monitoring utilities like forfiles, restricting scripting language execution, enforcing application whitelisting, and network segmentation to combat these sophisticated attacks.
New Eldorado Ransomware Targets Windows, VMware ESXi VMs
Source: Bleeping Computer
A new ransomware strain called Eldorado has emerged, targeting both Windows and Linux systems, including VMware ESXi virtual machines. Developed in Go, this unique ransomware uses ChaCha20 encryption with RSA-OAEP key protection, appending ".00000001" to encrypted files. Eldorado encrypts network shares via SMB, deletes shadow copies on Windows, and self-deletes to evade detection. The malware offers customization options for affiliates, particularly on Windows systems. Group-IB researchers (who uncovered Eldorado) stress it's a standalone operation and not a rebrand.
SPECIAL REPORTS
Ransomware Attacks Really Increase Mortality Rates at Hospitals
Source: Cybernews
Ransomware attacks significantly increase hospital mortality rates, with a study from the University of Minnesota’s medical school revealing a 20% rise in deaths. The analysis, covering hospital admissions before, during, and after ransomware attacks, found that already hospitalized patients were most affected due to the sudden unavailability of IT systems. Severe attacks saw mortality rates surge by 36-55%, with even higher rates for patients of color (62-73%). The study estimates that ransomware attacks led to 42-67 additional deaths among Medicare patients from 2016 to 2021. Researchers emphasize that the chaotic, tech-dependent environment of healthcare makes it a prime target for cybercriminals, similar in impact to natural disasters and pandemics.
47% of Corporate Data Stored in the Cloud Is Sensitive
Source: Help Net Security
A recent report by Thales revealed that 47% of corporate data stored in the cloud is sensitive, making cloud resources prime targets for cyberattacks. Despite this, less than 10% of enterprises encrypt 80% or more of their sensitive cloud data. Human error and misconfiguration remain the leading causes of cloud data breaches (31%), followed by exploiting known vulnerabilities (28%). As organizations increasingly adopt cloud technologies, protecting cloud environments has become the top security priority ahead of traditional security measures like IAM and endpoint security.
VULNERABILITIES TO WATCH
PoC Exploit Released for HTTP File Server Remote Code Execution Vulnerability
Source: Cyber Security News
A proof-of-concept exploit for the critical CVE-2024-39943 vulnerability in HTTP File Server (HFS) has been released, impacting versions before 0.52.10 on Linux, UNIX, and macOS. This flaw allows remote authenticated users with upload permissions to execute OS commands due to the use of execSync in the child_process module of Node.js. Exploitation can lead to data theft and system compromise. Users must update to version 0.52.10 or later, which replaces execSync with spawnSync to prevent arbitrary command execution. Additional mitigation steps include disabling upload permissions, enforcing strong authentication, monitoring systems, implementing network segmentation, and conducting regular audits and updates.
Apache Fixed a Source Code Disclosure Flaw in Apache HTTP Server
Source: Security Affairs
The Apache Software Foundation addressed a critical vulnerability (CVE-2024-39884) in the Apache HTTP Server, along with other security issues. This flaw, a regression in version 2.4.60, can lead to inadvertent source code disclosure of local content when files are requested indirectly. The bug affects how the server handles legacy content-type configurations, particularly the "AddType" directive. Under certain circumstances, this could expose sensitive data like PHP scripts or configuration files instead of processing them as intended. To mitigate this risk, Apache strongly recommends users upgrade to version 2.4.61.