CISO Daily Update - May 21, 2024
NEW DEVELOPMENTS
OmniVision Discloses Data Breach After 2023 Ransomware Attack
Source: Bleeping Computer
OmniVision, a leading imaging sensor manufacturer, disclosed a data breach after falling victim to a Cactus ransomware attack in September 2023. The incident resulted in encryption of company systems and exfiltration of sensitive data–including passports, contracts, and confidential documents, which were later leaked by the ransomware gang. OmniVision's investigation concluded in April 2024, and the company is notifying impacted individuals and offering credit monitoring services. The breach reinforces the persistent threats posed by ransomware groups like Cactus that exploit vulnerabilities to gain initial access, deploy malware, and steal valuable corporate data for extortion purposes.
Threat Actors USDoD and SXUL Claim 70 Million Rows of Sensitive Data in Alleged Prison Data Breach
Source: The Cyber Express
Threat actors USDoD and SXUL claimed responsibility for a major prison data breach–allegedly compromising 70 million rows of sensitive data, including social security numbers, names, birthdates, physical features, addresses, and offense details. The data, spanning from 2020 to 2024, was shared on the LeakBase forum in a .csv format, purportedly totaling 22GB uncompressed. While unverified, this marks the first time USDoD posted on LeakBase–which they plan to use until their own forum, Breach Nation, is operational.
American Radio Relay League Cyberattack Takes Logbook of the World Offline
Source: Bleeping Computer
The American Radio Relay League (ARRL), the national association for amateur radio in the United States, disclosed a cyberattack that disrupted its IT systems and online services–including email and their popular Logbook of the World database. This database is used by radio enthusiasts to log and confirm successful contacts worldwide. The organization confirmed that sensitive data like credit cards and social security numbers are not stored, though the member database contains private information such as names, addresses, call signs, and likely email addresses. ARRL is currently investigating and responding to the incident.
Threat Actor Chucky, Owner of LeakBase Claims Knowmad Mood Data Breach
Source: The Cyber Express
The threat actor known as Chucky, owner of the cybercrime forum LeakBase, has purportedly leaked a database from the Spanish IT services company Knowmad Mood. The data breach allegedly involves sensitive employee information obtained from the company's CRM system. Screenshots shared by Chucky suggest the exposure of various files, including HTML, Excel, and Word documents. A CSV file containing employee workplace information and performance metrics was also shared. Chucky has a history of involvement in cybercriminal activities and has previously claimed responsibility for other significant data breaches. Despite outreach, Knowmad Mood has yet to comment on the alleged breach.
GitCaught Campaign Relies on GitHub and Filezilla to Deliver Multiple Malware
Source: Security Affairs
A “GitCaught” campaign was identified involving Russian-speaking threat actors using GitHub and FileZilla to distribute multiple malware variants. These attackers impersonate legitimate software, including 1Password and Pixelmator Pro, to trick users into downloading malware. The campaign exploits trusted services to evade detection and uses a shared command-and-control infrastructure–indicating a highly organized and resourceful group. Malicious websites redirect victims to a GitHub profile to download infected software with additional payloads delivered through FileZilla servers. This sophisticated operation includes twelve domains falsely advertising legitimate macOS applications and also leverages file-sharing services like Dropbox and Bitbucket to host malicious files.
New BiBi Wiper Version Also Destroys the Disk Partition Table
Source: Bleeping Computer
A new variant of the BiBi Wiper malware, linked to the Iranian hacking group (Storm-842) affiliated with Iran's Ministry of Intelligence and Security (MOIS), now targets the disk partition table to make data recovery significantly more difficult. This malware was used in attacks on Israel and Albania in coordination with another Iranian threat group (Scarred Manticore). The campaign involves creating fake personas and utilizes various custom wipers, including BiBi, CI Wiper, and Partition Wiper to corrupt files and disrupt system functionality for maximum operational downtime and data loss.
VULNERABILITIES TO WATCH
PoC Exploit for Ivanti EPMM Privilege Escalation Flaw Released (CVE-2024-22026)
Source: Help Net Security
A proof-of-concept exploit has been released for CVE-2024-22026, a critical privilege escalation vulnerability in Ivanti Endpoint Manager Mobile versions 12.0 and earlier. This vulnerability stems from improper validation in the tool installation command, which allows attackers with CLI access to create new accounts with root privileges by leveraging malicious RPM packages. Ivanti has addressed the flaw, along with two SQL injection bugs. Still, organizations are urgently advised to upgrade immediately to mitigate the heightened risk from this publicly available exploit, which grants complete system compromise and the potential for further network intrusion.
QNAP QTS Zero-Day in Share Feature Gets Public RCE Exploit
Source: Bleeping Computer
An extensive security audit of QNAP QTS has uncovered fifteen vulnerabilities with CVE-2024-27130 being the most critical as it allows remote code execution via a stack buffer overflow. This flaw, discovered by WatchTowr Labs, remains unpatched along with ten others despite QNAP's partial response to the audit. Exploiting CVE-2024-27130 requires an attacker to obtain a valid 'ssid' parameter, often shared publicly by users, making it feasible through social engineering. WatchTowr released a proof-of-concept exploit to demonstrate the severity and urges prompt updates.
Vulnerability Found in Fluent Bit Utility Used by Major Cloud, Tech Companies
Source: Security Week
A critical vulnerability, CVE-2024-4323 (Linguistic Lumberjack), was discovered in the Fluent Bit logging utility, which is used by major cloud and tech companies like Microsoft, Google Cloud, AWS, and Cisco. As revealed by Tenable, this flaw can lead to denial-of-service (DoS) attacks, information disclosure, and potentially remote code execution (RCE). The vulnerability stems from a memory corruption issue in Fluent Bit’s built-in HTTP server. While a patch has been developed, it hasn't been formally released; mitigations include restricting API access and disabling the affected endpoint.
AI Python Package Flaw ‘Llama Drama’ Threatens Software Supply Chain
Source: Hackread
The Llama Drama vulnerability (CVE-2024-34359) in the llama_cpp_python package poses a critical threat to the software supply chain by exposing AI models to remote code execution (RCE) attacks. Discovered by the cybersecurity researcher @retr0reg, this flaw affects over 6,000 AI models on platforms like Hugging Face–enabling attackers to steal data and compromise operations. The issue stems from the improper use of the Jinja2 template engine without sandboxing. The vulnerability has been fixed in version 0.2.72 with added sandboxing and input validation.
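The root cause above is a model-supplied Jinja2 chat template rendered in a plain, trusting environment. The following is an added illustration, not llama_cpp_python's own code, of the unsandboxed pattern next to the hardened one; it assumes the jinja2 package is installed, and the templates and messages are constructed samples.

```python
# Added example: rendering a model-supplied chat template with and without the
# Jinja2 sandbox. Not code from llama_cpp_python; assumes jinja2 is installed.
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed benign template, the kind a model repository ships alongside its weights.
BENIGN_TEMPLATE = (
    "{% for m in messages %}<|{{ m['role'] }}|>{{ m['content'] }}\n{% endfor %}"
)

# Constructed untrusted template that reaches for Python internals through a
# dunder attribute. Any traversal toward code execution starts with an access
# like this, so it is exactly what the sandbox must refuse.
SUSPICIOUS_TEMPLATE = "{{ messages.__class__ }}"

# Constructed sample conversation passed to the template as context.
MESSAGES = [{"role": "user", "content": "hello"}]


def render_unsandboxed(template: str) -> str:
    """Vulnerable pattern: a plain Environment trusts the template completely,
    so dunder attributes resolve to real Python objects."""
    return Environment().from_string(template).render(messages=MESSAGES)


def render_sandboxed(template: str) -> str:
    """Hardened pattern: the immutable sandbox refuses unsafe attribute access
    and mutation of context objects. StrictUndefined turns the refusal into a
    SecurityError at render time instead of silently printing an empty string."""
    env = ImmutableSandboxedEnvironment(undefined=StrictUndefined)
    return env.from_string(template).render(messages=MESSAGES)


def is_template_safe(template: str) -> bool:
    """Pre-load validation: trial-render the template against sample data in the
    sandbox and report whether it was rejected, so a loader can refuse it early."""
    try:
        render_sandboxed(template)
        return True
    except SecurityError:
        return False


if __name__ == "__main__":
    print(repr(render_unsandboxed(SUSPICIOUS_TEMPLATE)))  # leaks "<class 'list'>"
    print(is_template_safe(BENIGN_TEMPLATE), is_template_safe(SUSPICIOUS_TEMPLATE))
```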
SPECIAL REPORTS
Cybercriminals Shift Tactics to Pressure More Victims Into Paying Ransoms
Source: Help Net Security
Ransomware attacks evolved significantly in 2023, with a 64% year-over-year increase in frequency, driven primarily by a 415% surge in "indirect" incidents. Cybercriminals shifted tactics, leveraging remote access tools in 58% of attacks and double extortion methods in 51% of cases to pressure more victims into paying ransom. The exploitation of self-managed VPNs, especially Cisco and Citrix products, emerged as a major vulnerability. While ransom demands averaged $1.26 million, successful data restores from backups reduced average attack costs by 24% to $370,000. LockBit and BlackCat/ALPHV ransomware strains dominated, accounting for 35% of direct attacks. As ransomware proliferates, prioritizing perimeter security, quickly responding to threats, and maintaining robust backups are critical for organizations to mitigate escalating risks and financial losses.