CISO Daily Update - October 10, 2024
NEW DEVELOPMENTS
The Internet Archive Is Under Attack, With a Breach Revealing Info for 31 Million Accounts
Source: The Verge
The Internet Archive has fallen victim to a major security breach that exposed the data of 31 million user accounts. Founder Brewster Kahle confirmed the breach after a site pop-up revealed that hackers accessed email addresses, usernames, password change timestamps, and bcrypt-hashed passwords. Have I Been Pwned? (HIBP) verified the breach and is notifying affected users. The incident coincided with distributed denial-of-service (DDoS) attacks that temporarily took the site offline. The Internet Archive is working to strengthen its security, remove compromised JavaScript libraries, and further investigate the breach.
Cactus Ransomware Gang Allegedly Claims Breach of Corporate Job Bank
Source: Cyber Press
The Cactus ransomware group reportedly claimed responsibility for breaching U.S.-based staffing and recruitment firm Corporate Job Bank, exfiltrating around 65 GB of sensitive data. Allegedly, the stolen information includes personal data, corporate documents, internal communications, and customer records, potentially impacting thousands of individuals and businesses. Cybersecurity experts urge immediate response measures, such as adopting strong security protocols, conducting forensic investigations, and notifying affected parties to mitigate the breach's fallout.
Scammers Hit Florida Hurricane Victims with Fake FEMA Claims, Malware Files
Source: Hackread
Cybercriminals are exploiting Florida's disaster relief efforts in the wake of Hurricane Helene and as Hurricane Milton approaches. Scammers are launching phishing campaigns using fake FEMA claims, fraudulent websites, and malware disguised as FEMA-related documents to steal personal information and funds. As victims seek aid, they must stay alert to these cyber threats.
CreditRiskMonitor Data Breach Impacts Employee Information
Source: Security Week
CreditRiskMonitor disclosed a data breach in which hackers accessed personal information. The incident was detected on July 19 and was limited to employee and contractor data; customer data was not impacted, and company operations were not significantly disrupted. The company is offering affected individuals 24 months of free credit monitoring and identity theft protection. While no ransomware group has claimed responsibility, CreditRiskMonitor was previously targeted by the Cuba ransomware group in 2022, though that group has been inactive since early 2024.
Cybercrooks Abuse Stolen SharePoint, OneDrive, and Dropbox Accounts for Phishing
Source: Cybernews
Microsoft Threat Intelligence warns that cybercriminals are increasingly abusing compromised SharePoint, OneDrive, and Dropbox accounts to launch phishing attacks. These attackers use legitimate file-sharing services to bypass security defenses by sending view-only or restricted access documents to targets. Victims receive automated notifications and are prompted to authenticate but are redirected to adversary-in-the-middle (AiTM) phishing pages where their credentials and multifactor authentication tokens are stolen. This tactic, first seen in April 2024, often escalates into broader attacks, such as business email compromise that leads to financial fraud and data theft.
Ex-Uber CISO Requests a New, 'Fair' Trial
Source: Dark Reading
Former Uber Chief Information Security Officer (CISO) Joseph Sullivan, convicted in 2023 for covering up a 2016 data breach, requests a new trial. His defense claims that key procedural oversights during the original trial, particularly inadequate jury instructions regarding Sullivan's intent, undermined the fairness of his conviction. Although Sullivan received probation and a fine, prosecutors had pushed for stricter penalties. The prosecution argues that Sullivan’s actions, including falsifying documents and paying hush money, were clear efforts to obstruct justice. The court has yet to decide, but the case has intensified focus on C-suite responsibility in data breach incidents.
Hackers Weaponizing VSCode for Remote Access
Source: Cybernews
Hackers are weaponizing Visual Studio Code (VSCode) by tricking developers into executing malicious LNK files disguised as legitimate installers, turning the code editor into a remote access tool. Cyble researchers report that attackers use phishing emails to deliver these LNK files, which download and execute obfuscated Python scripts, creating persistence through system-level scheduled tasks. Even if VSCode isn't installed, the script retrieves the tool's command-line interface, granting remote access to the victim's machine. Once inside, attackers can access sensitive data and manipulate files. Cyble advises using advanced endpoint protection, regularly reviewing scheduled tasks, and educating users on the dangers of suspicious files to mitigate the risk.
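Cyble's advice to review scheduled tasks can be turned into a routine check. The script below is an added example, not code from the article or from Cyble: it lists tasks that run with SYSTEM or highest privileges and whose command line references Python or the VSCode command-line interface, the persistence pattern summarized above. The pattern list is an assumption to adapt to your environment; run it in an elevated PowerShell session on the Windows host being reviewed.

```powershell
# Added example: surface system-level scheduled tasks that launch Python or the
# VSCode CLI. Assumption: these patterns are worth a second look on a developer
# workstation; extend them to match the tooling in your own environment.
$suspectPatterns = 'python', 'code\.exe', 'code\.cmd', 'code-tunnel'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    # A task can carry several actions; inspect each executable/argument pair.
    foreach ($action in $task.Actions) {
        $cmdLine = "$($action.Execute) $($action.Arguments)".Trim()
        if (-not $cmdLine) { continue }   # COM-handler actions have no Execute field

        # "System-level" here means the task runs as SYSTEM or with highest privileges.
        $runsPrivileged = ($task.Principal.UserId -match 'SYSTEM|S-1-5-18') -or
                          ($task.Principal.RunLevel -eq 'Highest')

        $hit = $suspectPatterns | Where-Object { $cmdLine -match $_ }
        if ($runsPrivileged -and $hit) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                RunAs    = $task.Principal.UserId
                State    = $task.State
                Command  = $cmdLine
            }
        }
    }
} | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
```

Compare the output against a known-good baseline taken from a freshly provisioned workstation; any privileged task that runs an interpreter from a user-writable path deserves a look at the script it launches.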
New Generation of Malicious QR Codes Uncovered by Researchers
Source: Infosecurity Magazine
Barracuda researchers discovered a new wave of phishing attacks using advanced QR code techniques designed to evade traditional security measures. These "quishing" attacks utilize QR codes made from ASCII/Unicode characters instead of standard images, making them harder for optical character recognition (OCR) systems to detect. Attackers are leveraging binary large object (Blob) URIs to create phishing pages, which are more difficult to track and block since Blob URIs do not rely on external servers. These tactics make it increasingly challenging for security tools to identify and prevent malicious content.
VULNERABILITIES TO WATCH
Mozilla Fixes Firefox Zero-Day Actively Exploited in Attacks
Source: Bleeping Computer
Mozilla released an emergency security update for Firefox to patch a critical zero-day vulnerability, CVE-2024-9680, currently being exploited in attacks. Discovered by ESET researcher Damien Schaeffer, this use-after-free flaw in Animation timelines could allow attackers to execute arbitrary code by exploiting freed memory in the browser. The update affects both the standard and extended support releases (ESR) of Firefox. Mozilla urges users to immediately upgrade to Firefox versions 131.0.2, ESR 115.16.1, or ESR 128.3.1.
Exploit Code for Critical GitLab Auth Bypass Flaw Released (CVE-2024-45409)
Source: Help Net Security
Exploit code for the critical GitLab vulnerability CVE-2024-45409 has been publicly released, raising concerns about potential attacks on self-managed GitLab installations using SAML-based authentication. This flaw allows attackers to bypass the signature validation process, granting unauthorized access to any user account. It affects various versions of GitLab's Community and Enterprise Editions but has been patched in updates issued in mid-September. Security researchers at ProjectDiscovery and Synacktiv have released detailed technical analyses and an exploit script, and administrators are urged to upgrade their systems immediately to protect against potential exploitation.
Researchers Uncover Major Security Vulnerabilities in Industrial MMS Protocol Libraries
Source: The Hacker News
Researchers have identified multiple critical vulnerabilities in industrial MMS (Manufacturing Message Specification) protocol libraries. The flaws are found in MZ Automation's libIEC61850 and Triangle MicroWorks' TMW IEC 61850 libraries and include stack-based buffer overflows, type confusion, and null pointer dereference issues. These vulnerabilities allow attackers to crash devices or execute remote code. Siemens' SIPROTEC 5 IED was also found vulnerable to a denial-of-service attack due to an outdated MMS protocol stack, which has now been updated to address the issue.
Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild
Source: The Hacker News
In its October 2024 Patch Tuesday update, Microsoft addressed 118 security vulnerabilities across its software portfolio, including two zero-day flaws (CVE-2024-43572 and CVE-2024-43573) that are being actively exploited. These critical flaws allow remote code execution and spoofing. Five vulnerabilities were publicly known before the update. Federal agencies are required to apply the fixes by October 29, 2024. Microsoft also patched severe flaws in components like Microsoft Configuration Manager and Remote Desktop Protocol. Other vendors, including Adobe, Google, Cisco, and VMware, have also released patches in response to these vulnerabilities.
Adobe Security Alert: Update Software Now to Protect Against Exploits
Source: The Cyber Express
Adobe issued critical security updates to address vulnerabilities in products including Substance 3D Painter, Adobe Commerce, Magento, and others. These flaws, including privilege escalation, cross-site scripting, and arbitrary code execution, could allow cybercriminals to gain unauthorized access to systems. The update includes fixes for high-severity vulnerabilities in widely used applications, and Adobe urges users to install the latest patches promptly to protect against potential exploitation. Adobe states that no active exploits have been reported yet.
ICS Patch Tuesday: Advisories Published by Siemens, Schneider, Phoenix Contact, CERT@VDE
Source: Security Week
For this ICS Patch Tuesday, Siemens, Schneider Electric, Phoenix Contact, and CERT@VDE have released security advisories to address several critical vulnerabilities in industrial control systems. Siemens issued 13 new advisories, fixing flaws in products like Sinec Security Monitor, Sentron PAC3200, WibuKey, HiMed Cockpit, and Sentron Powercenter 1000, along with high-severity vulnerabilities in Teamcenter Visualization. Schneider Electric published eight advisories, addressing critical flaws in Harmony, Pro-face PS5000 legacy industrial PCs, and Yocto OS-based products. Phoenix Contact highlighted high-severity DoS vulnerabilities in PLCnext Engineer, while CERT@VDE flagged regreSSHion vulnerabilities in Pepperl+Fuchs products. Rockwell Automation also fixed DoS vulnerabilities in PowerFlex 6000T and Logix products earlier this week.
iPhone Mirroring Exposes Employees’ Personal Applications
Source: Security Week
The iPhone Mirroring feature in macOS Sequoia and iOS 18 could unintentionally expose employees' personal apps to corporate IT environments. When employees use this feature to control their personal iPhones from work Macs, app metadata, such as names, icons, and versions, could be added to the company's software inventory, revealing sensitive personal information. Sevco, a vulnerability management firm, flagged the issue, and Apple confirmed it would address the problem in a future update. Until then, employees are advised to avoid using iPhone Mirroring on work devices, and companies should take steps to prevent collecting personal data and apply the patch once available.
SPECIAL REPORTS
30% of Customer-Facing APIs Are Completely Unprotected
Source: Help Net Security
A report by F5 reveals that nearly one-third of customer-facing APIs lack protection, with only 70% secured via HTTPS. As APIs become increasingly critical to digital transformation, especially with the growth of AI services, many organizations are still failing to apply adequate security measures. On average, companies manage 421 APIs, and gaps in security expose customer data to potential threats. Fragmented responsibility within organizations further worsens the issue, with only 59% ensuring security at every stage of the API lifecycle. The report calls for a comprehensive approach to API security to counter emerging risks.
Cybercriminals Are Targeting AI Conversational Platforms
Source: Security Affairs
Researchers at Resecurity identified a surge in cybercriminal campaigns targeting AI conversational platforms that use natural language processing (NLP) and machine learning (ML) to interact with consumers. These attacks, particularly in fintech and e-commerce sectors, expose sensitive customer data including personally identifiable information (PII). In one notable case, hackers breached a Middle Eastern AI-powered call center platform, compromising over 10 million conversations and using the stolen data for fraudulent activities.
Principal Cybersecurity @Inherent Security | Helping Health Tech leaders achieve HIPAA Security & Privacy Compliance.
1 month
Good call on the APIs. I hear too many times that we are 'serverless' so security is not a big issue. APIs should be tested and secured as part of the security strategy.