CISO Daily Update - June 21, 2024
NEW DEVELOPMENTS
CDK Global Cyberattack Cripples 15,000 US Auto Dealerships
Source: Help Net Security
CDK Global, a major SaaS provider for 15,000+ North American auto dealerships, fell victim to two consecutive cyberattacks that crippled its operations. The first incident on June 18 prompted CDK to shut down systems and advise clients to disable access to their dealer management systems. Despite initial recovery efforts, a second attack on June 19 forced CDK to again shut down most systems, leaving dealerships without access to critical business software. While CDK engaged third-party cybersecurity experts and is working to restore services, the company has not yet released an official statement or provided an estimated resolution timeframe.
Baltimore, One of America’s Deadliest Cities, Leaks Identities of Residents Who Reported Crimes
Source: Cybernews
Baltimore's 311 service, designed for non-emergency reports, accidentally exposed 13.5 million complaints dating back to 1989, jeopardizing residents' safety in one of America's most violent cities. Researchers discovered an unprotected Kibana instance containing names, email addresses, and phone numbers of complainants, including those reporting crimes. The leak, which remained accessible until May 20th, compromises citizen privacy and potentially endangers those who reported illegal activities. With Baltimore's homicide rate eight times the national average, this breach poses significant risks to residents who trusted the system's confidentiality. City officials have yet to comment on the data exposure.
Advance Auto Parts Confirms Data Breach in SEC Filing; Reports Losses Around $300,000
Source: The Cyber Express
Major US auto parts retailer Advance Auto Parts confirmed a significant data breach in an SEC filing, revealing unauthorized access to consumer and employee information stored in a third-party cloud database. The breach was first reported on June 6, 2024, and involved a threat actor claiming to have stolen 3 terabytes of data from the company's Snowflake cloud storage, including 380 million customer profiles and 358,000 employee records. Advance Auto Parts has cyber insurance and expects to record an expense of approximately $3 million related to the incident. This breach is part of a larger series of attacks targeting Snowflake customers since mid-April 2024, affecting at least 165 clients.
Alleged AMCOM Data Breach Exposes Sensitive Military Documents on Dark Web
Source: The Cyber Express
The U.S. Army Aviation and Missile Command (AMCOM) is facing scrutiny after an alleged data breach exposed sensitive technical documents related to Boeing CH-47F Chinook and Sikorsky H-60 Black Hawk helicopters. The breach, disclosed by IntelBroker on June 16, 2024, claimed unauthorized access to critical military aircraft information dating back to August 2023. AMCOM is responsible for managing and supporting key aviation and missile systems for the U.S. Army; the organization has not issued an official statement confirming the breach. IntelBroker is known for previous high-profile breaches, including Apple and AMD, and has asserted responsibility for accessing these documents.
Hacker Leaks Data of 33,000 Accenture Employees in Third-Party Breach
Source: Hackread
A hacker known as "888" leaked contact details of 33,000 Accenture employees, obtained through a third-party breach in June 2024. The data includes names and email addresses of current and former staff but no passwords. While Accenture has not yet commented, experts advise affected employees to be vigilant against potential phishing attempts. Similar breaches have recently impacted other companies like Ticketmaster and American Express.
Linux Version of RansomHub Ransomware Targets VMware ESXi VMs
Source: Bleeping Computer
The RansomHub ransomware operation, active since February 2024, now includes a dedicated Linux encryptor for VMware ESXi environments in addition to its existing Windows and Linux versions. Recorded Future reports that this ESXi variant, first seen in April 2024, is a C++ program derived from the defunct Knight ransomware. RansomHub's ESXi encryptor runs commands to delete snapshots and shut down VMs, uses ChaCha20 with Curve25519 for encryption, and disables critical services to evade detection. Notably, a bug allows defenders to neutralize it by creating a file named '/tmp/app.pid' containing '-1', which causes the ransomware to enter an infinite loop.
VULNERABILITIES TO WATCH
An Unpatched Bug Allows Anyone to Impersonate Microsoft Corporate Email Accounts
Source: Security Affairs
A security researcher uncovered a critical bug enabling attackers to impersonate Microsoft corporate email accounts to facilitate potential phishing attacks. Despite reporting the vulnerability to Microsoft and demonstrating its exploitation to TechCrunch, Microsoft indicated it couldn't replicate the issue. The researcher then disclosed the flaw publicly, prompting concerns about its exploitation by malicious actors. As of now, the bug remains unpatched, and the extent of any real-world exploitation is uncertain.
Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs
Source: The Hacker News
Researchers identified a significant security flaw (CVE-2024-0762) in Phoenix SecureCore UEFI firmware affecting various Intel Core processors. This buffer overflow vulnerability, dubbed "UEFIcanhazbufferoverflow," could allow local attackers to execute malicious code within UEFI firmware, thus gaining persistent and undetectable control over devices. Impacted Intel families include AlderLake, CoffeeLake, and others. Following its discovery by Eclypsium, Phoenix Technologies and Lenovo have issued patches to address the flaw. Given UEFI's critical role during startup, vulnerabilities in its firmware present substantial supply chain risks, enabling threat actors to deploy sophisticated attacks like bootkits and firmware implants.
SolarWinds Serv-U Path-Traversal Flaw Actively Exploited in Attacks
Source: Bleeping Computer
Threat actors are actively exploiting a high-severity path-traversal vulnerability (CVE-2024-28995) in SolarWinds Serv-U products, which allows unauthenticated attackers to read arbitrary files from affected systems via crafted HTTP GET requests. The flaw impacts multiple versions of Serv-U software; a hotfix was released on June 5, 2024, to address it. Public proof-of-concept (PoC) exploits and detailed technical write-ups have been made available, prompting widespread exploitation attempts. Attackers have been observed using both manual and automated strategies to exploit the vulnerability, targeting files such as /etc/passwd and win.ini.
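Because the item above describes exploitation as crafted GET requests that reach for files like /etc/passwd and win.ini, the most useful thing a defender can do while the hotfix is rolled out is to check access logs for traversal attempts. The following is an added example, not code from the newsletter or from SolarWinds: a small Python scanner over constructed Common Log Format lines (the addresses, timestamps and paths are made up for illustration). It decodes each request path twice so that plain, URL-encoded and double-encoded ".." segments are all caught, and flags whether the request targeted a known sensitive file and whether the server answered 200. The assumption is that the log in front of Serv-U is in CLF and records the raw request path; a reverse proxy that normalizes paths before logging would hide the encoded variants.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format. Not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jun/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [21/Jun/2024:10:01:05 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.12 - - [21/Jun/2024:10:01:09 +0000] "GET /%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200 92
203.0.113.13 - - [21/Jun/2024:10:01:12 +0000] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
203.0.113.14 - - [21/Jun/2024:10:01:20 +0000] "GET /docs/report.pdf HTTP/1.1" 200 8800
"""

# Minimal CLF parser: client IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Files the item above says attackers are reaching for; extend for your estate.
SENSITIVE = ("/etc/passwd", "win.ini")


def normalize(path):
    """Decode twice (catches %252e double encoding), unify slashes, lowercase."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/").lower()


def has_traversal(path):
    """True if any path segment is '..' after normalization."""
    return any(segment == ".." for segment in normalize(path).split("/"))


def scan(log_text):
    """Return one finding per request whose path contains a traversal segment."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        path = m.group("path")
        if not has_traversal(path):
            continue
        norm = normalize(path)
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": path,
            "targets": [name for name in SENSITIVE if name in norm],
            "status": status,
            # A 200 on a traversal path is the case that needs immediate triage.
            "served": status == 200,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked"
        print(f"{f['timestamp']} {f['ip']} {flag} {f['path']} targets={f['targets']}")
```

The distinction between "served" and "blocked" matters for incident scoping: a traversal request that drew a 200 with a non-trivial byte count is evidence of a successful read, while a 404 is an attempt to record and block at the edge.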
Atlassian Patches High-Severity Vulnerabilities in Confluence, Crucible, Jira
Source: Security Week
Atlassian released critical security updates for Confluence, Crucible, and Jira to address multiple high-severity vulnerabilities. The most serious flaw, CVE-2024-22257, affects Confluence and could allow unauthorized access to protected assets. Other patched issues include server-side request forgery vulnerabilities in Spring Framework and denial-of-service risks in Apache Commons Configuration. Crucible updates fix a deserialization bug, while Jira patches resolve an information disclosure vulnerability. Atlassian urges users to update to the latest versions immediately, as these flaws could potentially be exploited by unauthenticated attackers, although no in-the-wild exploits have been reported.
Fortra Warns of Hard-Coded Password Vulnerability in FileCatalyst
Source: Cyber Security News
Fortra issued a critical security alert for a hard-coded password vulnerability (CVE-2024-5275) in its FileCatalyst software, specifically affecting the TransferAgent component. This high-severity flaw, with a CVSS v3.1 score of 7.8, potentially enables machine-in-the-middle attacks by allowing unauthorized access to the Keystore containing sensitive information. The vulnerability impacts FileCatalyst Direct versions up to 3.8.10 Build 138 and FileCatalyst Workflow versions up to 5.1.6 Build 130. Fortra urges users to immediately upgrade to FileCatalyst Direct 3.8.10 Build 144 or higher, or FileCatalyst Workflow 5.1.6 Build 133 or later. Additional recommendations include updating REST calls to "http" for remote TransferAgent users and generating new SSL keys if "https" is required.
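The advisory summary above gives concrete version and build thresholds, which is exactly what an asset-inventory check needs. The following is an added example, not code from the newsletter or from Fortra: a Python helper that parses strings of the form "3.8.10 Build 138" and decides whether a FileCatalyst install is below the first fixed build named above (Direct 3.8.10 Build 144, Workflow 5.1.6 Build 133). Version numbers and build numbers are compared separately so that a shorter version string such as "3.9 Build 1" sorts correctly against "3.8.10 Build 144". The advisory text names Build 138 as the last confirmed-affected Direct build; this check conservatively treats everything below the fixed build as needing the upgrade. The inventory entries and host names are constructed for illustration.

```python
import re

# First fixed version and build per product, as quoted from the advisory summary above.
FIXED = {
    "FileCatalyst Direct": "3.8.10 Build 144",
    "FileCatalyst Workflow": "5.1.6 Build 133",
}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)\s+Build\s+(\d+)$", re.IGNORECASE)


def parse_version(text):
    """'3.8.10 Build 138' -> ((3, 8, 10), 138). Raises ValueError on malformed input."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FileCatalyst version string: {text!r}")
    version = tuple(int(part) for part in m.group(1).split("."))
    return version, int(m.group(2))


def _padded(a, b):
    """Right-pad the shorter version tuple with zeros so 3.9 compares as 3.9.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def needs_upgrade(product, version_text):
    """True if the install is older than the first fixed build for its product."""
    if product not in FIXED:
        raise KeyError(f"no fixed build known for product {product!r}")
    have_ver, have_build = parse_version(version_text)
    fixed_ver, fixed_build = parse_version(FIXED[product])
    have_ver, fixed_ver = _padded(have_ver, fixed_ver)
    # Version number decides first; build number only matters within the same version.
    return (have_ver, have_build) < (fixed_ver, fixed_build)


# Constructed inventory for illustration; host names are placeholders.
SAMPLE_INVENTORY = [
    {"host": "xfer-01.example.internal", "product": "FileCatalyst Direct", "version": "3.8.10 Build 138"},
    {"host": "xfer-02.example.internal", "product": "FileCatalyst Direct", "version": "3.8.10 Build 144"},
    {"host": "wf-01.example.internal", "product": "FileCatalyst Workflow", "version": "5.1.6 Build 130"},
    {"host": "wf-02.example.internal", "product": "FileCatalyst Workflow", "version": "5.1.7 Build 2"},
]


def triage(inventory):
    """Return the hosts that still need the Fortra upgrade."""
    return [entry["host"] for entry in inventory
            if needs_upgrade(entry["product"], entry["version"])]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"UPGRADE REQUIRED: {host}")
```

Hosts this flags should also get the advisory's second step, regenerating SSL keys where "https" remains in use, since the hard-coded password exposes the keystore rather than only the transfer agent.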
SPECIAL REPORTS
LockBit Most Prominent Ransomware Actor in May 2024
Source: Infosecurity Magazine
In May 2024, the LockBit ransomware group resurfaced as the most active ransomware actor, launching 176 attacks and accounting for 37% of the month's total, a 665% increase from the previous month. This resurgence followed a dormant period after Operation Cronos, which disrupted LockBit's infrastructure in February 2024. Despite speculation that LockBit might dissolve, the group not only retained skilled affiliates but also possibly attracted new ones. Industrial sectors were the most targeted, making up 30% of attacks, with significant regional shifts in attack trends noted by NCC Group.
Improving OT Cybersecurity Remains a Work in Progress
Source: Help Net Security
Fortinet's 2024 State of Operational Technology and Cybersecurity Report reveals a significant increase in OT-impacting cyberattacks, with 73% of organizations affected compared to 49% last year. The report highlights critical areas for improvement in OT security, including increased visibility, enhanced detection capabilities, and streamlined security architectures. More organizations are aligning OT security with C-suite roles, indicating growing concern at the executive level, though many still struggle with complex multi-vendor solutions that hinder effective threat response.