CISO Daily Update - June 12, 2024
NEW DEVELOPMENTS
Cyber Incident Forces Cleveland to Shut Down City Hall
Source: The Record
Cleveland shut down City Hall and took critical systems offline Monday as officials investigate an unspecified cyber incident. While declining to confirm a ransomware attack, the city stated all internal platforms will stay down until the nature and scope of the situation are better understood–highlighting the disruptive impact such incidents pose even for major metropolitan areas. Emergency services like police, fire, and 911 remain operational. This incident follows recent ransomware attacks against Wichita, Pensacola, and other U.S. cities, which compromised data and services.
Pure Storage Confirms Data Breach After Snowflake Account Hack
Source: Bleeping Computer
Pure Storage confirmed that attackers breached its Snowflake workspace, and gained access to data including customer names, usernames, and email addresses–but not credentials or other sensitive information stored on customer systems. This breach is part of a larger wave of attacks exploiting stolen customer credentials targeting Snowflake accounts without multi-factor authentication (MFA). The attack is linked to the financially motivated threat actor UNC5537. Mandiant and Snowflake notified around 165 organizations potentially affected, with recent related breaches including those at Santander, Ticketmaster, and Advance Auto Parts. Pure Storage has taken steps to secure its systems and prevent further unauthorized access.
Ascension Makes Progress in Restoring Systems After Cyberattack, Patients to See Improved Wait Times
Source: The Cyber Express
Ascension, one of the largest nonprofit healthcare systems in the U.S., is making significant progress in restoring systems after a cyberattack a month ago. Officials successfully restored Electronic Health Record (EHR) access in Florida, Alabama, Tennessee, Maryland, Central Texas, and Oklahoma, which is expected to improve patient wait times and efficiencies. Ascension Via Christi hospitals in Kansas, including St. Francis and St. Joseph, have also resumed primary electronic patient documentation. Despite ongoing efforts, full system restoration across Ascension’s network is anticipated by June 14. The attack was discovered on May 10, which significantly disrupted Ascension operations.
Central Securities Corporation Faces Cyberattack Claims By Underground Team Ransomware Group
Source: The Cyber Express
The Underground Team ransomware group allegedly pulled off a massive cyberattack on Central Securities Corporation, claiming theft of 42.8GB of sensitive data spanning decades. Data types reportedly impacted include historical reports, personal correspondence, employee/relative passports, and more. Central Securities' website is down, and the hackers brazenly demand nearly $3 million in ransom.?
TellYouThePass Ransomware Exploits Recent PHP RCE Flaw to Breach Servers
Source: Bleeping Computer
The TellYouThePass ransomware gang has exploited the recently patched CVE-2024-4577 remote code execution (RCE) vulnerability in PHP to breach servers, deliver webshells, and execute ransomware payloads. Starting on June 8, less than 48 hours after PHP's security update, the attacks utilized publicly available exploit code. This critical vulnerability affects all PHP versions since 5.x and was patched on June 6. The gang's method includes using the Windows mshta[.]exe binary to run a malicious HTA file that decodes and injects ransomware into the host's memory. Following this, the ransomware encrypts files and places a ransom note demanding 0.1 BTC (around $6,700) for decryption. There are more than 450,000 potentially vulnerable PHP servers worldwide.
New Warmcookie Windows Backdoor Pushed via Fake Job Offers
Source: Bleeping Computer
A new Windows backdoor malware called "Warmcookie" is being distributed through phishing campaigns disguised as fake job offers. Once executed, Warmcookie can extensively fingerprint infected machines, capture screenshots, execute arbitrary commands, and deploy additional payloads. The campaign utilizes weekly rotating domains and compromised infrastructure to push the malware via personalized emails tricking users into solving CAPTCHAs and downloading obfuscated JavaScript files that initiate the attack chain. Despite being newly discovered, Warmcookie's capabilities pose significant risks to organizations.
VULNERABILITIES TO WATCH
Users of JetBrains IDEs at Risk of GitHub Access Token Compromise (CVE-2024-37051)
Source: Help Net Security
JetBrains recently patched a critical vulnerability (CVE-2024-37051) that could have exposed GitHub access tokens used in their IDEs like IntelliJ IDEA, PyCharm, and Android Studio, potentially allowing attackers unauthorized access to user accounts and code repositories. All users running affected IDE versions must update immediately, revoke any compromised GitHub tokens, and remove the JetBrains integration app access to fully mitigate risks. While no active exploitation has been confirmed, the severity of the flaw warrants prompt action to prevent future account takeovers or data breaches.
领英推荐
Arm Zero-Day in Mali GPU Drivers Actively Exploited in the Wild
Source: Security Affairs
Arm issued a warning about an actively exploited zero-day vulnerability in its Mali GPU Kernel Driver (CVE-2024-4610). This use-after-free issue affects all versions of the Bifrost and Valhall GPU Kernel Drivers from r34p0 to r40p0, enabling local non-privileged users to gain access to already freed memory through improper GPU memory processing operations. The company acknowledged reports of this vulnerability being exploited in the wild and recommends that affected users upgrade to the patched version, r41p0, released on November 24, 2022.
Popular Biometric Terminal Vulnerable To QR Code SQL Injection
Source: Cyber Security News
A popular hybrid biometric terminal from ZKTeco was found vulnerable to critical flaws like SQL injection via QR codes, buffer overflows, unencrypted firmware, and weak authentication. This vulnerability allows attackers to bypass access controls, extract sensitive data like fingerprints, and pivot to internal networks. Despite the benefits of accurate identification and fraud prevention, this discovery highlights risks stemming from security gaps in widely used biometric access control systems deployed across highly sensitive facilities.
Apple Patches Vision Pro Vulnerability Used in Possibly ‘First Ever Spatial Computing Hack’
Source: Security Week
Apple patched a potentially groundbreaking vulnerability (CVE-2024-27812) specific to its new Vision Pro virtual reality headset–what security researchers believe may be the first-ever spatial computing hack. The flaw, related to improper handling of web content, could have allowed denial-of-service attacks on the headset. While Apple's visionOS 1.2 update fixes nearly two dozen other shared vulnerabilities leading to code execution, information disclosure, and escalation risks, CVE-2024-27812 stands out as an apparent inaugural security gap in this new spatial computing product category.
Adobe Plugs Code Execution Holes in After Effects, Illustrator
Source: Security Week?
Adobe's latest Patch Tuesday updates fix critical code execution vulnerabilities in several popular software products like After Effects, Illustrator, and Photoshop on both Windows and macOS. The most severe flaws could allow a full system takeover if successfully exploited. While Adobe is unaware of any active exploits currently, users should promptly install the patches to mitigate the risk of these high-severity bugs being leveraged by threat actors to compromise their devices and data.
Patch Tuesday: Remote Code Execution Flaw in Microsoft Message Queuing
Source: Security Week
Microsoft issued an urgent call to Windows administrators to address a critical remote code execution vulnerability in the Microsoft Message Queuing (MSMQ) component (CVE-2024-30080) with a CVSS severity score of 9.8/10. This vulnerability can be exploited by sending specially crafted malicious MSMQ packets to an MSMQ server, potentially resulting in remote code execution. Systems with the MSMQ service enabled and TCP port 1801 open are vulnerable. This flaw is part of a broader Patch Tuesday update, which addresses 51 security defects across various Windows OS components and services, including critical code execution issues in Microsoft Office and Windows WiFi drivers.?
SPECIAL REPORTS
Security Providers View Compliance as a High-Growth Opportunity
Source: Help Net Security?
According to Apptega, Security providers see compliance as a high-growth opportunity, with 85% facing significant challenges in maintaining customer compliance due to resource, expertise, and technology shortages. Despite this, 87% are open to using compliance automation platforms, though only half currently do so. With 70% targeting double-digit recurring revenue growth, many are missing out on leveraging compliance offerings. While 80% offer some compliance services, primarily advisory, only 15% provide managed services. Smaller providers (<100 employees) offer compliance services at higher rates than larger ones, with many still relying on spreadsheets for compliance tracking. The most common frameworks used include CMMC, HIPAA, and NIST 800-171, but ISO 42001 is managed by only 12% of providers.
Finding value in this newsletter? Like or share this post on LinkedIn