CISO Daily Update - March 25, 2024

NEW DEVELOPMENTS

Illinois County Government, Local College Affected by Ransomware Attacks

Source: The Record

Another local US government organization has fallen victim to a ransomware attack. With support from multiple law enforcement and government agencies, Henry County in Illinois is undergoing active incident response, recovery, and restoration efforts. Despite the attack, the county can still receive 911 calls and dispatch emergency services. The Medusa ransomware group claimed responsibility for the Henry County attack, demanding a $500,000 ransom. Not far from Henry County, Monmouth College disclosed a data incident stemming from a ransomware attack. Data types exposed by the breach included driver's licenses and other information, affecting over 44,000 individuals. These two attacks highlight the growing cyber threat to local governments and educational institutions.

Article Link


Jacksonville Beach and Other US Municipalities Report Data Breaches Following Cyberattacks

Source: The Record

Several US municipalities, including Jacksonville Beach, Pensacola, and Dallas, reported significant data breaches following cyberattacks that impacted thousands of individuals. Jacksonville Beach disclosed nearly 49,000 compromised records, while Pensacola faced a similar breach, making it the 21st municipality hit this year. Dallas, which was impacted by ransomware last year, updated its breach figures last week to report over 26,000 individuals affected. Colorado's public defender's office also experienced a ransomware incident last month, one that locked public defenders out of case files for days and exposed social security numbers, identification card numbers, health insurance numbers, and other sensitive data.

Article Link


Over 100 US and EU Orgs Targeted in StrelaStealer Malware Attacks

Source: Bleeping Computer

A widespread StrelaStealer malware campaign that steals email account credentials has targeted over a hundred United States and European organizations. Initially identified in November 2022, StrelaStealer has evolved its tactics and now targets English-speaking and other European-language users, using phishing emails as its primary infection vector. The malware's latest iteration uses ZIP attachments to drop JScript files, complicating detection and analysis. With sectors such as high tech, finance, and government among the most targeted, organizations are advised to remain vigilant against unsolicited emails and to refrain from downloading attachments from unknown sources.

Article Link


German Police Seize 'Nemesis Market' in Major International Darknet Raid

Source: The Hacker News

German law enforcement, in collaboration with agencies from Lithuania and the U.S., dismantled the Nemesis Market, an illicit darknet marketplace trading narcotics, stolen data, and cybercrime services. With operations spanning Germany and Lithuania, the seizure included €94,000 ($102,107) in cryptocurrency assets. The takedown follows an extensive investigation initiated in October 2022 and marks the closure of a platform boasting over 150,000 user accounts and 1,100 seller accounts worldwide. While investigations against criminal users persist, no arrests have been reported. This action follows recent efforts targeting cybercriminal groups like LockBit, signaling ongoing law enforcement crackdowns on illicit online activities.

Article Link


N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks

Source: The Hacker News

The North Korea-linked threat group Kimsuky, also known as Black Banshee or Emerald Sleet, has adapted its tactics by employing Compiled HTML Help (CHM) files to distribute malware to harvest sensitive data. Since at least 2012, Kimsuky has targeted entities globally with a more recent focus on South Korean organizations. Utilizing CHM files within various archive formats, the group executes Visual Basic Script (VBScript) to establish persistence and retrieve next-stage payloads for data exfiltration. Additionally, Symantec warns of Kimsuky distributing malware masquerading as legitimate Korean public entity applications. These developments coincide with UN investigations into cyberattacks attributed to North Korean state actors and highlight a pattern of targeting defense companies and sharing infrastructure among threat clusters like the Lazarus Group and Kimsuky. Moreover, Kimsuky's interest in employing generative artificial intelligence, including models like ChatGPT, raises concerns about the group's expanding capabilities and sophistication in cyber operations.

Article Link


New Sysrv Botnet Abuses Google Subdomain To Spread XMRig Miner

Source: Cyber Security News

The Sysrv botnet, known for deploying cryptominers, has evolved with a new variant that leverages Google subdomains to spread XMRig miners. Identified by Imperva Threat Research, this new variant employs aggressive tactics to disrupt endpoint security and targets Apache Struts and Atlassian Confluence vulnerabilities for propagation. The dropper script, "ldr.sh," includes functions to download and execute malware while terminating security processes. Notably, the malware demonstrates improved persistence mechanisms and obfuscation techniques that make analysis more challenging. Additionally, the XMRig miner connects to MoneroOcean mining pools, indicating a shift towards monetization.

Article Link


VULNERABILITIES TO WATCH

Apple M-Series Chip Vulnerability Puts Encryption Keys at Risk

Source: The Cyber Express

A significant vulnerability discovered in Apple's M-series chips threatens the security of encrypted data on Mac devices. Unlike traditional software vulnerabilities, this flaw originates from the chip's fundamental design, making direct fixes impractical. Academic researchers unveiled the flaw that exploits a side channel to extract sensitive encryption keys during cryptographic operations. Dubbed "GoFetch," the attack leverages standard user permissions to compromise data integrity, necessitating defensive measures within third-party encryption software. While the immediate challenge is mitigating this particular vulnerability's impact, the broader goal is to fortify the hardware-software ecosystem against future threats.

Article Link


Truck-to-Truck Worm Could Infect – and Disrupt – Entire US Commercial Fleet

Source: The Register

Researchers from Colorado State University unveiled significant security flaws in Electronic Logging Devices (ELDs) mandated in over 14 million American commercial trucks. These vulnerabilities enable remote manipulation of trucks via Bluetooth or Wi-Fi connections, potentially allowing attackers to disrupt vehicle operations and spread malware across the fleet. Weaknesses include default settings with exposed APIs, predictable identifiers, and weak passwords. To ensure fleet safety and prevent widespread disruption, the researchers emphasize the need for urgent attention to ELD security.

Article Link


Saflok Lock Vulnerability Can Be Exploited to Open Millions of Doors

Source: Security Week

Security researchers uncovered a critical vulnerability affecting Saflok electronic locks, with the potential to compromise over three million locks used in hotels and multi-family housing worldwide. Exploiting the flaw allows attackers to forge keycards using readily available tools, granting unauthorized access to any door within the affected property. Although the manufacturer has provided patches since November 2023, only 36% of affected locks have received fixes. While no real-world exploits have been reported, urgent action is advised to mitigate the vulnerability, including software updates, lock replacements, and reissuing keycards.

Article Link


Mozilla Fixed Firefox Zero-Days Exploited at PWN2OWN Vancouver 2024

Source: Security Affairs

Mozilla addressed two zero-day vulnerabilities uncovered during the Pwn2Own Vancouver 2024 hacking competition to protect Firefox users against potential exploitation. Researcher Manfred Paul, the competition's victor, exploited the flaws, earning $100,000 and 10 Master of Pwn points for his approach. The vulnerabilities, tracked as CVE-2024-29944 and CVE-2024-29943, enabled sandbox escapes and arbitrary JavaScript execution, posing significant security risks to desktop Firefox users. With the release of Firefox 124.0.1 and Firefox ESR 115.9.1, Mozilla has mitigated these threats.

Article Link


SPECIAL REPORTS

AWS CISO: Pay Attention to How AI Uses Your Data

Source: Darkreading

Chris Betz, CISO at Amazon Web Services, emphasizes the significance and challenges of securing AI workloads in the cloud, particularly as enterprises increasingly use generative AI for diverse applications. With a focus on data protection and trust, Betz stresses the need to understand how AI interacts with sensitive data and to ensure quality responses to maintain customer confidence. Beyond threat detection, Betz highlights AI's role in enhancing software development speed, secure coding, and data aggregation, while acknowledging emerging risks such as AI-assisted attacks and vulnerabilities in AI models.

Article Link
