CISO Daily Update - June 11, 2024
NEW DEVELOPMENTS
LendingTree Confirms That Cloud Services Attack Potentially Affected Subsidiary
Source: The Record
Financial services firm LendingTree confirmed that one of its subsidiaries, the insurance platform QuoteWizard, was potentially impacted by the recent incident where threat actors breached customer accounts at Snowflake. A hacker claimed to steal data from over 190 million QuoteWizard customers and is selling it on the dark web. LendingTree's investigation is ongoing, but it believes no financial account details were exposed. The incident is part of a wider campaign where cybercriminals obtained Snowflake credentials–likely via infostealing malware–to access and exfiltrate data from customer environments. Snowflake has identified around 165 impacted organizations so far.
Christie’s Data Breach Impacted 45,798 Individuals
Source: Security Affairs
Christie's auction house disclosed that a recent ransomware attack by the RansomHub cybercrime group resulted in a data breach impacting 45,798 individuals. In early May, attackers stole files containing personal information like names, driver's licenses, and ID card details. Despite RansomHub's claim of compromising data for over 500,000 clients, Christie's investigation found that fewer individuals were affected–less than 50,000. The breach disrupted major spring auctions including an $840 million sale involving high-value artwork and assets. Christie's notified regulators, law enforcement, and the affected individuals while cooperating with investigations.
BlackBerry Disputes Cylance Hack Claims, New York Times Confirms Code Breach
Source: The Cyber Express
While hackers claimed to breach BlackBerry's Cylance division and the New York Times–releasing data samples on underground forums–only the Times incident appears legitimate. The Times confirmed unauthorized access to its GitHub repositories containing source code but stated its core systems were unaffected. In contrast, BlackBerry disputed claims of a Cylance customer data breach, stating the outdated data samples from 2015-2018 likely stemmed from a previous third-party incident before its acquisition of Cylance. For its part, The New York Times acknowledges a credential exposure incident in January 2024 but assures no unauthorized access to its systems or operational impact.
Ticketmaster Attacker Vanishes, Pundits Speculating Arrest
Source: Cybernews
The notorious cybercriminal group ShinyHunters has vanished, with its Telegram accounts and channels deleted–sparking speculation of potential arrests. ShinyHunters, linked to recent breaches at Ticketmaster and Santander Bank, is connected to BreachForums–a marketplace for stolen data, which is now offline. The group's sudden disappearance follows the FBI's crackdown on BreachForums and the alleged arrest of its administrator, Baphomet. These developments come in the wake of a major data breach disclosed by Ticketmaster's parent company Live Nation and Santander Bank, both attributing the breach to a third-party cloud provider (speculated to be Snowflake).
More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack
Source: The Hacker News
Cybersecurity researchers detected a phishing attack where the “More_eggs” malware, disguised as a resume, targets recruiters. The attackers use LinkedIn job postings to lure victims to download a malicious Windows Shortcut file from a fake resume site. This file retrieves a malicious DLL through a legitimate Microsoft program, establishing persistence and deploying the More_eggs backdoor.
Unencrypting VPN Traffic Through a New TunnelVision Attack
Source: Cybernews
Researchers at Leviathan Security disclosed a new attack called TunnelVision (CVE-2024-3661) that can potentially bypass VPN encryption by redirecting traffic outside the VPN tunnel using DHCP manipulation on the local network. While concerning, security experts criticize the overhyped scope, clarifying that the attack requires prior compromise of the user's local router or use of untrusted public WiFi. VPN kill switches and provider safeguards aimed at preventing traffic leaks mitigate much of the risk. There are also fears of potential abuse by malicious actors and government surveillance programs seeking to circumvent encryption and unmask online activities without warrants.
VULNERABILITIES TO WATCH
Azure Service Tags Vulnerability: Microsoft Warns of Potential Abuse by Hackers
Source: The Hacker News
Microsoft warned that malicious actors could exploit Azure Service Tags to bypass firewall rules and gain unauthorized access to cloud resources–illustrating the inherent risk of using service tags as the sole mechanism for vetting incoming traffic. Cybersecurity firm Tenable identified that attackers could potentially forge requests from a trusted service to access resources in another tenant. This vulnerability affects at least ten Azure services, including Azure DevOps and Azure Data Factory. Microsoft advises that service tags should be used with additional validation controls and not as the sole security measure.
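To make Microsoft's advice concrete, the following is an added example (not Microsoft's, Tenable's, or the newsletter's own code) that audits NSG-style rules and flags every inbound Allow rule whose only gate is a service tag, the pattern the advisory warns against. The rule records are constructed to resemble exported NSG security rules; the field names and the set of tags treated as multi-tenant are assumptions for the demo.

```python
"""Flag NSG-style inbound Allow rules whose only gate is a service tag.

Added illustration; not Microsoft's or Tenable's code. Rule records are
constructed (assumed fields: name, direction, access, sourceAddressPrefix,
destinationPortRange).
"""
import ipaddress

# Tags the advisory names as affected, plus the broad AzureCloud tag.
# Traffic sourced from these tags can originate from ANY tenant's resources,
# so matching the tag proves nothing about who the caller is.
# Assumption: an illustrative list, not an authoritative catalogue.
MULTI_TENANT_TAGS = {"AzureCloud", "AzureDevOps", "DataFactory"}

# Prefixes handled separately: '*' and 'Internet' are their own finding,
# 'VirtualNetwork' is scoped to the caller's own network.
SPECIAL_PREFIXES = {"*", "Internet", "VirtualNetwork"}


def is_service_tag(prefix: str) -> bool:
    """True when the source prefix is a symbolic tag, not an IP/CIDR or '*'."""
    if prefix in SPECIAL_PREFIXES:
        return False
    try:
        ipaddress.ip_network(prefix, strict=False)
        return False
    except ValueError:
        return True


def audit_rules(rules):
    """Return (rule name, finding) pairs for inbound Allow rules that rely on
    a source tag or open the port to everyone. Rules sourced from a concrete
    CIDR or from VirtualNetwork are left alone."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        src = rule.get("sourceAddressPrefix", "")
        if src in ("*", "Internet"):
            findings.append((rule["name"], "open-to-internet"))
        elif is_service_tag(src):
            scope = "multi-tenant" if src in MULTI_TENANT_TAGS else "review"
            findings.append((rule["name"], f"service-tag-only:{src}:{scope}"))
    return findings


# Constructed sample rules (not exported from a real subscription).
SAMPLE_RULES = [
    {"name": "allow-devops-hooks", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "AzureDevOps", "destinationPortRange": "443"},
    {"name": "allow-corp-vpn", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.20.0.0/16", "destinationPortRange": "443"},
    {"name": "allow-vnet", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "allow-monitor", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "AzureMonitor", "destinationPortRange": "443"},
    {"name": "deny-all-in", "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "allow-adf-out", "direction": "Outbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationAddressPrefix": "DataFactory"},
    {"name": "allow-any-8080", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "8080"},
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

A flagged rule is not automatically wrong; the point is that each one needs a second control behind it (application-level authentication, private endpoints, or a concrete source range) rather than the tag alone.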
Critical PyTorch Vulnerability Can Lead to Sensitive AI Data Theft
Source: Security Week
A critical remote code execution vulnerability (CVE-2024-5480) was discovered in the distributed RPC framework of the widely-used PyTorch machine learning library. The flaw stems from a lack of validation checks on functions called during RPC operations between worker and master nodes in distributed training scenarios. This allows remote attackers to abuse built-in Python functions to achieve arbitrary code execution on the master node orchestrating the training process. Successful exploitation could lead to the compromise of sensitive AI data and models. Affecting PyTorch versions 2.2.2 and prior, the issue has been patched in the latest 2.3.1 release.
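The flaw described above comes down to resolving remotely supplied function names without checking them against anything. The following is an added example of the opposite design, an allowlist-based dispatcher: it is not PyTorch's own code and does not use torch.distributed.rpc, and the request format (a dict with func, args and kwargs) is an assumption for the demo. The registry is the only place names are resolved, so a request naming a Python built-in never reaches a callable.

```python
"""Allowlist-based RPC dispatch: accept only explicitly registered functions.

Added illustration of the validation the passage says was missing; not
PyTorch's code. Request shape ({'func', 'args', 'kwargs'}) is assumed.
"""
from typing import Any, Callable, Dict

# Registry of the only callables a remote worker may invoke on the master.
ALLOWED_FUNCS: Dict[str, Callable[..., Any]] = {}


def rpc_export(name: str):
    """Decorator: register a function under an explicit, fixed name."""
    def register(fn):
        ALLOWED_FUNCS[name] = fn
        return fn
    return register


@rpc_export("average_gradients")
def average_gradients(shards):
    """Element-wise mean of gradient shards sent by workers."""
    n = len(shards)
    return [sum(vals) / n for vals in zip(*shards)]


@rpc_export("report_loss")
def report_loss(worker_id: int, loss: float) -> str:
    """Return a one-line status string for a worker's reported loss."""
    return f"worker {worker_id}: loss={loss:.4f}"


def dispatch(request: dict):
    """Resolve the requested function ONLY through the registry.

    Names are never looked up in builtins, globals, or importable modules,
    so a request naming eval, exec, or __import__ is refused before any
    code runs. Argument containers are type-checked before unpacking.
    """
    name = request.get("func")
    fn = ALLOWED_FUNCS.get(name)
    if fn is None:
        raise PermissionError(f"rpc function not allowlisted: {name!r}")
    args = request.get("args", ())
    kwargs = request.get("kwargs", {})
    if not isinstance(args, (list, tuple)) or not isinstance(kwargs, dict):
        raise TypeError("malformed rpc arguments")
    return fn(*args, **kwargs)


def is_rejected(request: dict) -> bool:
    """True if dispatch refuses the request (useful for tests and audit logs)."""
    try:
        dispatch(request)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: one legitimate, one naming a built-in.
    print(dispatch({"func": "average_gradients",
                    "args": [[[1.0, 2.0], [3.0, 4.0]]]}))
    print("rejected:", is_rejected({"func": "builtins.eval", "args": ["1+1"]}))
```

The decisive property is that the registry maps fixed strings to functions chosen at development time; nothing a worker sends can add an entry or reach a name outside it.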
Nvidia Patches High-Severity GPU Driver Vulnerabilities
Source: Security Week
Nvidia released critical software updates addressing multiple high-severity vulnerabilities in its GPU display drivers and virtual GPU (vGPU) software. The updates for Windows and Linux GPU drivers patch three high-risk flaws that could allow remote code execution, escalation of privileges, data tampering, and denial-of-service attacks. Additionally, two medium-severity driver bugs leading to information disclosure and DoS conditions were remediated. Nvidia's vGPU software updates resolve five more vulnerabilities, including two high-risk issues in the Linux Virtual GPU Manager that risked data exposure, privilege escalation, and service disruption. With several flaws enabling potential remote compromise, organizations utilizing Nvidia GPU products must urgently apply these security updates to mitigate the threats posed by these newly patched vulnerabilities.
Cisco Finds 15 Vulnerabilities in AutomationDirect PLCs
Source: Security Week
Cisco’s Talos research unit discovered 15 high-severity or critical vulnerabilities in AutomationDirect’s Productivity series PLCs, which can be exploited for remote code execution or denial-of-service (DoS) attacks. While these PLCs are typically not directly exposed to the internet, a Shodan search identified around 50 potentially exposed devices. Exploitation of these flaws could lead to significant disruptions in industrial environments by manipulating logic, shutting down devices, or extracting sensitive information. AutomationDirect addressed these vulnerabilities with firmware and software updates and provided security recommendations. CISA also alerted organizations about these risks.
Exploit for Critical Veeam Auth Bypass Available, Patch Now
Source: Security Week
A proof-of-concept exploit has been publicly released for a critical vulnerability (CVE-2024-29849) in Veeam Backup Enterprise Manager that allows unauthenticated remote code execution by bypassing authentication. The flaw exists in Veeam's REST API service and stems from improper validation of VMware SSO tokens–enabling attackers to forge administrator-level access. With working exploit code now available, it is imperative that organizations using Veeam urgently apply the latest version 12.1.2.172 patch or implement mitigations like restricting network access, enabling multi-factor authentication, and monitoring exploitation attempts. Failure to quickly address this vulnerability exposes backup infrastructure to compromise, data theft, and disruption until the auth bypass flaw is remediated.
SPECIAL REPORTS
IoT Vulnerabilities Skyrocket, Becoming Key Entry Point for Attackers
Source: Infosecurity Magazine
Internet of Things (IoT) vulnerabilities surged by 136% in 2024, with 33% of devices now compromised, according to Forescout's report. Key targets include wireless access points, routers, printers, VoIP systems, and IP cameras–posing significant risks for enterprises as these devices often go unnoticed by traditional security measures. Medical IoT devices and operational technology are also highly vulnerable, affecting critical sectors like healthcare and manufacturing. Improved cybersecurity practices in healthcare have reduced its risk, but overall, IoT remains a major entry point for cyber attackers.
Ransomware Tracker: The Latest Figures [June 2024]
Source: The Record
The number of ransomware attacks claimed by cybercrime groups spiked in May 2024 to 450 victims posted on extortion sites - the highest monthly total in nearly a year. Over one-third were attributed to LockBit, which has aggressively overstated its activity potentially to regain credibility after law enforcement disruptions. However, experts assert many of LockBit's claimed attacks appear duplicated or fabricated, making the true impact difficult to verify as criminal groups provide unreliable data. Healthcare providers and educational institutions remained top targets based on confirmed incidents.
Why CISOs Need to Build Cyber Fault Tolerance Into Their Business
Source: Help Net Security
CISOs are urged to shift from a zero-tolerance mindset to embracing cyber fault tolerance, with response and recovery given equal priority as prevention. To achieve this, they must focus on building fault tolerance in the business, streamline cyber toolsets, and cultivate a resilient cyber workforce. Strategies include enhancing response capabilities for rapidly evolving tech like GenAI, ensuring robust third-party risk management, optimizing toolsets to minimize complexity, and fostering a culture of resilience to combat burnout among cybersecurity professionals.