CISO Daily Update - October 18, 2024
NEW DEVELOPMENTS
BianLian Ransomware Claims Attack on Boston Children’s Health Physicians
Source: Bleeping Computer
The BianLian ransomware group claimed responsibility for a cyberattack on Boston Children's Health Physicians (BCHP), compromising sensitive data from patients, employees, and guarantors. The breach was detected on September 6, 2024, and involves stolen social security numbers, medical records, and billing information. BCHP notified affected individuals and is offering credit monitoring services. BianLian has threatened to leak the stolen data unless a ransom is paid, though no deadline has been given.
Hackers Blackmail Globe Life After Stealing Customer Data
Source: Bleeping Computer
Hackers attempted to blackmail Globe Life following a breach that compromised customer data from its subsidiary, American Income Life Insurance Company. The attack affects at least 5,000 customers and involves names, social security numbers, and health data. The hackers threatened to release the stolen data unless paid. Globe Life is investigating the incident and has stated that the breach will not have a significant financial impact on its operations.
Casio Says ‘No Prospect of Recovery Yet’ After Ransomware Attack
Source: TechCrunch
Casio continues to face major disruptions following a ransomware attack on October 5, leaving many systems inoperable. The company disconnected its servers to prevent further damage, severely impacting order processing and product shipments, particularly in Japan. The Underground ransomware group claimed responsibility, alleging the theft of 200GB of sensitive data, though Casio has yet to confirm the extent of the breach. The investigation remains ongoing.
Sudanese Brothers Charged for ‘Anonymous Sudan’ Attacks Targeting Critical Infrastructure, Government Agencies and Hospitals
Source: The Record
Two Sudanese brothers were indicted in the U.S. for leading the Anonymous Sudan cybercriminal group that carried out numerous distributed denial of service (DDoS) attacks on critical infrastructure, government agencies, and hospitals globally. One attack temporarily shut down Cedars-Sinai Medical Center's emergency department, contributing to over $10 million in damages. U.S. authorities, in collaboration with law enforcement and private companies, disrupted the group's DDoS tool, Godzilla, as part of Operation PowerOFF.
FBI Arrests Alabama Man Suspected of Hacking SEC’s X Account
Source: Bleeping Computer
The FBI has arrested 25-year-old Eric Council from Alabama for allegedly hacking the U.S. Securities and Exchange Commission’s (SEC) X (formerly Twitter) account. Council and his co-conspirators used a SIM-swap attack to seize control of the account, posting a false announcement about Bitcoin ETFs being approved, which temporarily influenced Bitcoin’s price. Council faces charges of conspiracy to commit aggravated identity theft and access device fraud, potentially leading to a five-year prison sentence.
ClickFix Attack: Fake Google Meet Alerts Install Malware on Windows, macOS
Source: Hackread
The ClickFix attack tricks users into downloading malware on Windows and macOS devices through fake Google Meet error alerts. Attackers display realistic error messages that prompt victims to click a “Fix It” button or copy a script, leading to the installation of infostealers. This attack effectively bypasses traditional security measures. Users should be cautious of unexpected alerts, verify sources before copying scripts, and rely on robust security software to stay protected.
Sophos Warns of Growing ‘Quishing’ Threat
Source: Cybernews
Sophos issued a warning about the growing threat of "quishing," a phishing attack where attackers use QR codes to steal credentials. By tricking users into scanning these codes, attackers direct them to phishing pages that capture login details and MFA tokens. Sophos employees were recently targeted by an attack that bypassed traditional desktop defenses. As quishing tactics become more advanced, they exploit the increasing reliance on mobile devices, which often lack the security protections found on desktops.
VULNERABILITIES TO WATCH
Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk
Source: The Hacker News
A critical vulnerability in Kubernetes Image Builder (CVE-2024-9486, CVSS 9.8) could allow attackers to gain root access through default credentials during image builds using the Proxmox provider. This flaw was patched in version 0.1.38, which now disables default credentials and generates a random password for the build process. A related lower-severity issue (CVE-2024-9594) impacts other providers like Nutanix and QEMU. Users are strongly advised to update their systems and rebuild affected images to ensure security.
F5 BIG-IP Updates Patch High-Severity Elevation of Privilege Vulnerability
Source: Security Week
F5 issued patches for two vulnerabilities in its BIG-IP and BIG-IQ systems. A high-severity flaw (CVE-2024-45844) in BIG-IP allows authenticated users to elevate privileges and alter system configurations, affecting the control plane but not the data plane. This issue is resolved in versions 17.1.1.4, 16.1.5, and 15.1.10.5. Additionally, a medium-severity stored XSS vulnerability (CVE-2024-47139) in BIG-IQ allows attackers to execute JavaScript as the logged-in user. F5 urges users to apply the updates immediately to mitigate these risks.
Cisco Patches High-Severity Vulnerabilities in Analog Telephone Adapters
Source: Security Week
Cisco patched eight vulnerabilities in the firmware of ATA 190 series analog telephone adapters, including two high-severity issues. One flaw (CVE-2024-20458) allows unauthenticated attackers to access and modify configurations via specific HTTP endpoints. Another flaw (CVE-2024-20421) enables cross-site request forgery (CSRF) attacks. Cisco also addressed several medium-severity issues, including arbitrary command execution and XSS attacks. Affected devices include ATA 191 and 192, with updates in firmware versions 12.0.2 and 11.2.5. No known exploits have been reported.
Trend Micro Cloud Edge Vulnerability Lets Attackers Execute Arbitrary Code
Source: Cyber Security News
Trend Micro released an urgent patch for a critical vulnerability (CVE-2024-48904) in its Cloud Edge appliance that allows remote, unauthenticated attackers to execute arbitrary code. The flaw affects versions 5.6SP2 and 7.0. Trend Micro urges users to update immediately to Cloud Edge 5.6 SP2 build 3228 or Cloud Edge 7.0 build 1081 to fix the issue. Organizations should apply the patch promptly, review their remote access policies, and monitor for any suspicious activity. No confirmed exploits have been reported in the wild so far.
VMware HCX Platform Vulnerable to SQL Injection Attacks
Source: GBHackers
VMware released a critical patch for a high-severity SQL injection vulnerability (CVE-2024-38814) affecting its HCX platform in versions 4.10.x, 4.9.x, and 4.8.x. The flaw allows authenticated users with non-admin privileges to execute unauthorized code remotely by sending malicious SQL queries. VMware urges users to update to the patched versions (4.10.1, 4.9.2, 4.8.3) immediately, as no workarounds are available.
WeChat Devs Introduced Security Flaws When They Modded TLS, Say Researchers
Source: The Register
Citizen Lab researchers uncovered security flaws in WeChat's modified TLS protocol (MMTLS), which uses two layers of encryption. While no immediate attacks are possible, concerns like deterministic IVs and lack of forward secrecy in the app's AES-CBC business-layer encryption were identified. Although MMTLS guards against major threats, user metadata, such as IDs, remains exposed. Citizen Lab recommends that Tencent adopt standard TLS for stronger security, noting that custom encryption protocols, more common in China, often introduce vulnerabilities.
SPECIAL REPORTS
RansomHub Overtakes LockBit as Most Prolific Ransomware Group
Source: Infosecurity Magazine
RansomHub has overtaken LockBit as the most prolific ransomware group, claiming 191 successful attacks in Q3 2024, a 155% increase from Q2, according to Symantec's latest report. This surge is attributed to RansomHub's ability to recruit experienced affiliates by offering attractive terms in its ransomware-as-a-service model. Meanwhile, LockBit, previously dominant, saw an 88% drop in attacks, possibly due to law enforcement operations undermining trust among its affiliates. Qilin also saw growth, with a 44% increase in victims for Q3.
Why Companies Are Struggling to Keep Up With SaaS Data Protection
Source: Help Net Security
Many companies are falling behind in SaaS data protection due to rising regulatory pressures, growing data volumes, and a lack of clarity around the shared responsibility model. Despite the widespread use of SaaS applications like Microsoft 365 and Salesforce, many organizations lack confidence in their ability to safeguard this data. Key challenges include compliance, financial risks, and resource limitations. Experts recommend segregated backup environments, proactive strategies, and better education on the limitations of native SaaS data protection tools to address these issues.
Cyber Resilience Thought Leader | CEO, Cyber Risk Opportunities | Cybersecurity LinkedIn Learning Course Instructor | Co-host Cyber Risk Management Podcast | Amazon Best Selling Author | International Keynote Speaker
4 months
I find the Casio story the most compelling, Marcos Christodonte II. Their ransomware attack clearly shows that cyber has to be managed as a material business risk. Why? Cyber risk can bring sales and order fulfillment, two of the most critical business processes of any for-profit company, to an immediate stop. And that damages Casio's #1 business asset: its reputation.