CISO Daily Update - May 31, 2024
NEW DEVELOPMENTS
Nurses at Ascension Hospital in Michigan Raise Alarms About Safety Following Ransomware Attack
Source: The Record
Nurses at Ascension Providence Rochester Hospital in Michigan are raising alarms about safety following a ransomware attack on the Catholic hospital network Ascension. The cyberattack began in early May and disrupted patient care, leaving workers struggling to access medical records and coordinate care. Dozens of nurses warned that patients' lives are at risk because of the lack of access to medical records and delays in medical testing. They demand weekly progress reports on recovery efforts, better safety measures, improved communication systems, staffing increases, and a reduction in non-emergency admissions. Patients across several states have filed lawsuits against Ascension, citing the leak of sensitive health information and ongoing harm from the network outages.
Johnson & Johnson Reports Data Breach Potentially Linked to Massive Cencora Breach
Source: The Cyber Express
Johnson & Johnson reported a data breach potentially linked to a massive incident at Cencora's Lash Group division. Exposed data includes patient information such as names, addresses, medical details, and dates of birth for around 175,000 victims in Texas; the nationwide total is likely higher. The Lash Group breach impacted over 540,000 patients across at least 15 major pharmaceutical company clients. Lash Group reports no evidence of the data being misused despite personal and health information being accessed. The company has offered affected individuals free credit monitoring as its investigation continues to assess the full impact.
Everbridge Warns of Corporate Systems Breach Exposing Business Data
Source: Bleeping Computer
Everbridge, a crisis management and public warning software company, alerted customers of a recent breach exposing business and user data. Attackers accessed files containing admin user contact information, service details, and access methods. The breach was detected on May 21 and stems from a phishing attack targeting Everbridge employees. Everbridge is working with investigators and advising customers to enable multi-factor authentication (MFA); they will enable MFA on all accounts by June 3. The company serves over 6,500 clients globally, including government entities and airports, and is undergoing scrutiny after investment giant Thoma Bravo's $1.8 billion takeover bid.
Okta Warns of Credential Stuffing Attacks Targeting Customer Identity Cloud
Source: The Hacker News
Okta warned about a vulnerability in its Customer Identity Cloud (CIC), which threat actors could exploit in credential stuffing attacks. The company detected suspicious activity targeting the cross-origin authentication feature, prompting notifications to affected customers starting April 15, 2024. While the exact number of impacted customers remains undisclosed, Okta advises users to review logs for signs of unauthorized login attempts, rotate credentials, and consider disabling cross-origin authentication. Additional mitigation measures include enabling breached password detection and promoting stronger authentication methods. This alert follows a previous notice from Okta regarding an increase in credential stuffing attacks facilitated by residential proxy services.
Police Seize Over 100 Malware Loader Servers, Arrest Four Cybercriminals
Source: Bleeping Computer
In an international effort dubbed 'Operation Endgame,' law enforcement agencies seized over 100 servers globally, disrupting major malware loader operations such as IcedID and Trickbot. The operation spanned May 27 to 29, resulted in the arrest of four individuals in Armenia and Ukraine, and identified eight fugitives linked to the operations. The seized infrastructure hosted over 2,000 domains and has been taken under control by authorities. Participating countries included Germany, the United States, the United Kingdom, France, Denmark, and the Netherlands, with support from various cybersecurity firms. These malware droppers initially targeted banking systems and have evolved to focus on gaining initial access, impacting millions of computers. One suspect alone is reported to have earned €69 million by renting out infrastructure for ransomware deployment. Further details about the operation and suspects will be revealed soon.
Shady 'Merry-Go-Round' Ad Fraud Network Leaves Orgs Hemorrhaging Cash
Source: Dark Reading
Human Security uncovered two ad fraud rings, dubbed "Merry-Go-Round," redirecting over 200 million online ads daily to pop-up windows on less reputable websites. At its peak, this operation flooded users with 782 million ads daily, and it currently still pushes out 200 million ads daily. The rings exploit an obscure ad placement marketplace, using overlays on questionable websites to redirect users and generate revenue from unsuspecting advertisers. Despite its simplicity compared to other fraud schemes, Merry-Go-Round employs sophisticated anti-detection techniques, making it challenging to detect and shut down. However, advertisers can protect themselves by avoiding outsourced ad placement and maintaining closer relationships with their ad partners.
Family-Owned Woodworking Company Western Dovetail Hit by Akira Ransomware Attack
Source: The Cyber Express
The notorious Akira ransomware group claimed to have breached Western Dovetail, a prominent family-owned woodworking company, leaking several gigabytes of sensitive data including employee records, financial information, and medical details. Western Dovetail has not officially confirmed the attack, and its website remains functional. Akira, known for targeting over 250 organizations since March 2023 and extorting $42 million in ransom payments, has expanded from targeting Windows to Linux systems.
Cyber Espionage Alert: LilacSquid Targets IT, Energy, and Pharma Sectors
Source: The Hacker News
A newly identified cyber espionage group dubbed LilacSquid has been targeting IT, energy, and pharma sectors across the U.S., Europe, and Asia since 2021. Employing various tactics, including exploiting vulnerabilities and compromised remote desktop protocol (RDP) credentials, they use MeshAgent and PurpleInk (customized Quasar malware) to establish long-term access to victim organizations and exfiltrate data to attacker-controlled servers. Their tactics show overlaps with North Korean APT groups such as Andariel and Lazarus, highlighting potential connections to nation-state actors.
VULNERABILITIES TO WATCH
RedTail Crypto-Mining Malware Exploiting Palo Alto Networks Firewall Vulnerability
Source: The Hacker News
The RedTail cryptocurrency mining malware has augmented its exploit arsenal by incorporating a recently disclosed vulnerability affecting Palo Alto Networks firewalls. Exploiting the PAN-OS vulnerability (CVE-2024-3400), the malware executes commands to retrieve and run a bash shell script that ultimately downloads the RedTail payload. RedTail also leverages other security flaws in various systems for propagation, showcasing its evolving sophistication and possible nation-state sponsorship.
Critical WordPress Plugin Flaws Exploited to Inject Malicious Scripts and Backdoors
Source: Security Week
Threat actors are actively exploiting a series of high-severity XSS vulnerabilities in three popular WordPress plugins to inject malicious scripts and backdoors into websites. Fastly warned that attackers are leveraging these flaws, impacting WP Statistics, WP Meta SEO, and LiteSpeed Cache plugins, to execute unauthenticated attacks, create new administrator accounts, inject PHP backdoors, and set up tracking scripts. With exploitation attempts traced to IPs linked to AS IP Volume Inc., Fastly urges immediate patching and vigilance to protect against these attacks.
PoC Exploit Released for Microsoft Edge Information Disclosure Vulnerability
Source: Cyber Security News
Cybersecurity researchers unveiled a Proof-of-Concept (PoC) exploit for a newly disclosed information disclosure vulnerability in Microsoft Edge. Tracked as CVE-2024-30056, the vulnerability allows unauthorized access to private user information, posing risks to data privacy. The PoC exploit demonstrates the feasibility of accessing sensitive data and urges users to update their browsers once a patch is available from Microsoft.
Progress Telerik Report Server Flaw Let Attackers Bypass Authentication
Source: GB Hackers on Security
A critical authentication bypass vulnerability (CVE-2024-4358) has been discovered in Progress Telerik Report Server 2024 Q1 (10.0.24.305) and earlier versions. Exploiting this flaw could allow an unauthenticated attacker to access restricted functionality via spoofing. While no active exploitation has been reported yet, Progress has released a security advisory and patched the vulnerability in Report Server 2024 Q2 (10.1.24.514) and later versions. Users are advised to review their server for any unauthorized local users potentially added through exploitation and immediately update to the latest version to mitigate the risk of this critical vulnerability being exploited.
CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
Source: The Hacker News
The US Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity Linux kernel weakness (CVE-2024-1086) to its Known Exploited Vulnerabilities (KEV) list owing to active exploitation. This vulnerability in the netfilter component enables local attackers to escalate privileges to root and potentially execute arbitrary code. The vulnerability was fixed in January 2024. CISA also mentioned CVE-2024-24919, a security vulnerability in Check Point network gateway equipment that can expose sensitive information on Internet-connected gateways. Federal entities are encouraged to implement the most recent fixes before June 20, 2024, to mitigate these risks.
SPECIAL REPORTS
Pretty Much All of the Headaches Affecting MSPs Are Due to Cybersecurity
Source: The Register
According to a survey by Sophos, cybersecurity is one of the biggest challenges for managed service providers (MSPs) in today's market. Concerns about staying abreast of evolving threats, recruiting skilled security analysts, and maintaining awareness of the latest technologies overshadow other worries. The shortage of security talent and the risk of adversaries exploiting stolen credentials further exacerbate the situation. MSPs must prioritize partnering with providers offering robust tools and managed detection and response (MDR) services to effectively address these challenges and safeguard their clients' systems against cyber threats.
59% of Public Sector Apps Carry Long-standing Security Flaws
Source: Help Net Security
A Veracode report reveals that 59% of applications in the public sector carry long-standing security flaws, compared to 42% overall. Security debt, defined as unfixed flaws lingering for over a year, poses significant risks to government systems. Critical security debt affects 40% of public sector entities, emphasizing the need for risk prioritization. The majority of security debt is found in older applications, particularly in first-party code and third-party dependencies like Java and .NET. Veracode calls for a Secure by Design approach to software development to mitigate these risks, supporting initiatives like CISA's Secure by Design Pledge.
NIST Says NVD Will Be Back on Track by September 2024
Source: Help Net Security
The National Institute of Standards and Technology (NIST) has awarded a contract to an unnamed company to help process incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database (NVD), aiming to clear the backlog of unprocessed CVEs by September 30, 2024. NIST acknowledges the slowdown in NVD's CVE enrichment efforts earlier this year and is implementing a multi-pronged solution involving improved tools and methods and the establishment of a consortium to address various challenges. While the Cybersecurity and Infrastructure Security Agency (CISA) has started a CVE "vulnrichment" program to bridge the current gap, NIST remains committed to maintaining and modernizing the NVD, with plans to address the increasing volume of vulnerabilities through technology and process updates.
Finding value in this newsletter? Like or share this post on LinkedIn