CISO Daily Update - October 23, 2024

NEW DEVELOPMENTS

Crypto Payment Services Firm Says More Than 92,000 Affected by Data Breach

Source: The Record

A data breach at cryptocurrency payment processor Transak exposed the personal information of over 92,000 users after a phishing attack compromised an employee's laptop. While no financial data was involved, sensitive details like names, birthdates, passports, driver's licenses, and user selfies were leaked. The Stormous ransomware gang claimed responsibility, threatening to sell or leak the data unless a ransom was paid. Transak serves nearly six million users worldwide and has enlisted a cybersecurity firm to investigate as they begin notifying affected customers and regulators. The company emphasized that user funds remain secure.

Article Link


Insurance Firm Johnson & Johnson Discloses Data Breach

Source: Security Week

Insurance firm Johnson & Johnson disclosed a data breach that compromised the personal information of over 3,200 individuals. Detected in mid-August 2024, the breach involved unauthorized access to files on the company’s network related to its insurance operations. Although the specific details of the compromised data remain unclear, the firm is offering free credit monitoring and identity restoration services to those affected. No ransomware group has claimed responsibility for the breach.

Article Link


Winnebago Public Schools Suffers Cyber Attack, Services Shut Down

Source: GBHackers

Winnebago Public Schools in Nebraska experienced a cyberattack on October 21, 2024, which disrupted phone systems, internet connectivity, and other critical services. Superintendent Kamau Turner confirmed that the IT team is working to assess the damage and restore normal operations. The investigation is ongoing to determine if any sensitive data was compromised.

Article Link


SEC Charges Tech Firms Over Misleading SolarWinds Hack Disclosures

Source: Infosecurity Magazine

The Securities and Exchange Commission (SEC) charged four technology companies (Unisys Corp, Avaya Holdings Corp, Check Point Software Technologies Ltd, and Mimecast Limited) for making misleading disclosures about cybersecurity risks linked to the 2020 SolarWinds supply chain attack. These companies downplayed the breach's impact in their public statements. Each firm has agreed to settle, with Unisys paying a $4 million fine, and the others paying between $990,000 and $1 million. The SEC found that they violated securities laws by failing to fully disclose the extent of the attacks.

Article Link


Wells Fargo Named in Infosys Attack Affecting 6M

Source: Cybernews

Wells Fargo, CNA, and The Nolan Financial Group were named as customers impacted by the late-2023 ransomware attack on Infosys McCamish Systems (IMS), which affected approximately six million individuals. The attack was disclosed in November 2023 and involved ransomware encrypting specific IMS systems and potentially compromising personally identifiable information. Wells Fargo, one of the "Big Four" U.S. banks, has not yet commented on the breach. Bank of America, another "Big Four" bank, reported that around 57,000 of its customers were affected by the IMS breach. The full scope of the data exposure remains unclear.

Article Link


Threat Actor Allegedly Selling Admin Panel Access of Stanford University

Source: Cyber Press

A threat actor is allegedly selling access to Stanford University's administrative panel on the dark web. If confirmed, this unauthorized access could allow manipulation of sensitive data, including student records, financial information, and personal details of students and staff. Stanford is expected to investigate and take immediate steps to secure its systems.

Article Link


VULNERABILITIES TO WATCH

VMware Fixes Bad Patch for Critical vCenter Server RCE Flaw

Source: Bleeping Computer

VMware released a new security update to fully address CVE-2024-38812, a critical remote code execution (RCE) flaw in vCenter Server, after discovering that the initial September 2024 patch was incomplete. Rated 9.8 on the CVSS scale, the vulnerability involves a heap overflow in the DCE/RPC protocol, which attackers can exploit using specially crafted network packets without user interaction. Updated patches are available for vCenter 7.0.3, 8.0.2, and 8.0.3, and users are strongly urged to apply them immediately, as no workarounds are available. While there have been no reports of exploitation yet, VMware cautions that vCenter vulnerabilities are frequent targets for attackers.

Article Link


Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers

Source: The Hacker News

A now-patched security flaw in Styra's Open Policy Agent (OPA), tracked as CVE-2024-8260, exposed New Technology LAN Manager (NTLM) hashes, allowing remote attackers to potentially capture and exploit user credentials. This medium-severity vulnerability, affecting both the CLI and Go SDK for Windows, arose from improper input validation that enables unauthorized access. Attackers could exploit this flaw by forcing NTLM authentication through Server Message Block (SMB) traffic, capturing Net-NTLMv2 hashes, and using them to relay authentication or crack passwords. The vulnerability was addressed in OPA version 0.68.0, released on August 29, 2024.

Article Link


CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack

Source: The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in ScienceLogic SL1, identified as CVE-2024-9537, to its Known Exploited Vulnerabilities (KEV) catalog after reports of active zero-day exploitation. This flaw, with a CVSS score of 9.3, affects a third-party component and allows remote code execution. ScienceLogic has issued fixes in versions 12.1.3, 12.2.3, and 12.3 and later, with patches also provided for earlier versions. The vulnerability was used in an attack on Rackspace's internal monitoring systems, forcing a dashboard shutdown. Federal agencies must apply the necessary fixes by November 11, 2024, to prevent further threats.

Article Link


Exploit Released for New Windows Server “WinReg” NTLM Relay Attack

Source: Bleeping Computer

A proof-of-concept (PoC) exploit has been released for CVE-2024-43532, a vulnerability in Microsoft's Remote Registry (WinReg) client that allows attackers to perform NTLM relay attacks, potentially leading to full domain takeover. This flaw affects Windows servers (2008-2022) and Windows 10/11 and occurs when the WinReg client falls back to outdated, insecure protocols during authentication. Attackers can exploit this weakness by intercepting NTLM authentication and relaying it to Active Directory Certificate Services (ADCS). Akamai researcher Stiv Kupchik discovered the flaw, and after initial dismissal by Microsoft, the company issued a patch in October 2024. Administrators should update affected systems and use tools like ETW to monitor vulnerable RPC calls.

Article Link


Google Warns of Samsung Zero-Day Exploited in the Wild

Source: Security Week

Google's Threat Analysis Group (TAG) discovered a zero-day vulnerability in Samsung mobile processors (CVE-2024-44068) that attackers have actively exploited in the wild. The use-after-free flaw, with a CVSS score of 8.1, affects several Samsung Exynos processors and allows privilege escalation on Android devices. The issue stems from a media driver that mishandles I/O page mapping, letting attackers execute arbitrary code in privileged processes like the cameraserver. Google researchers suspect spyware vendors may have used the exploit to target Samsung devices, though details remain limited. Samsung has patched the vulnerability in its October 2024 security updates.

Article Link


Splunk’s Recent Security Advisory: Addressing Vulnerabilities in Splunk Enterprise

Source: The Cyber Express

Splunk issued a security advisory addressing multiple vulnerabilities in its Enterprise software, including two critical, eight medium, and one low-risk issue. The critical vulnerabilities, CVE-2024-45731 and CVE-2024-45733, pose a high risk of remote code execution and affect Splunk Enterprise on Windows in versions below 9.3.1. Splunk urges organizations to apply the patches immediately to prevent unauthorized access and potential data breaches. Neglecting these updates could expose systems to serious threats.

Article Link


SPECIAL REPORTS

75% of US Senate Campaign Websites Fail to Implement DMARC

Source: Infosecurity Magazine

A report by Red Sift reveals that nearly 75% of U.S. Senate campaign websites lack DMARC (Domain-based Message Authentication, Reporting, and Conformance) protection, leaving them open to phishing and spoofing attacks. This cybersecurity gap puts sensitive voter, donor, and campaign data at risk, particularly since email is a key communication tool for campaigns. The report points to past cyber-attacks by Russian and Iranian actors and warns about the risk of neglecting DMARC. The FBI and CISA have emphasized the need for DMARC, and the report urges campaigns to adopt this protection to safeguard democratic processes.

Article Link
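The Red Sift finding above is essentially a census of which domains publish an enforced DMARC policy. The checker below is an added example (not code from the newsletter or from Red Sift) that shows what such a census looks at: it parses the TXT record at _dmarc.<domain>, applies the RFC 7489 defaults (pct=100, sp defaults to p), and classifies a domain as enforced, partially enforced, monitoring-only, invalid, or unprotected. The domain names and records are constructed, and DNS access is an injectable callable so the sample runs offline; in production you would pass a function that performs a real TXT query.

```python
"""Offline DMARC policy checker (added example; hypothetical domains).

A DMARC policy is published as a DNS TXT record at _dmarc.<domain>. This
module parses such a record, applies RFC 7489 defaults, and classifies how
much spoofing protection the domain actually gets.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone: record name -> TXT strings found there.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "_dmarc.enforced.example":   ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "_dmarc.partial.example":    ["v=DMARC1; p=quarantine; pct=25; sp=none"],
    "_dmarc.monitoring.example": ["v=DMARC1; p=none; rua=mailto:reports@monitoring.example"],
    "_dmarc.broken.example":     ["v=DMARC1; pct=100"],                   # mandatory p= missing
    "_dmarc.multi.example":      ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records
    # campaign.example publishes no _dmarc record at all
}


def sample_lookup(name: str) -> List[str]:
    """Stand-in for a DNS TXT query against the constructed zone above."""
    return SAMPLE_ZONE.get(name, [])


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into a tag dict; None if it is not a usable record.

    RFC 7489 requires v=DMARC1 as the first tag and a p= tag; pct defaults
    to 100 and the subdomain policy sp defaults to p.
    """
    tags: Dict[str, str] = {}
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not parts or not parts[0].lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        return None
    if "p" not in tags:
        return None
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])
    return tags


def classify(tags: Dict[str, str]) -> str:
    """Map a parsed record to an enforcement level."""
    policy = tags["p"].lower()
    try:
        pct = int(tags["pct"])
    except ValueError:
        pct = 0
    if policy == "none":
        return "monitoring-only"
    if policy in ("quarantine", "reject"):
        return "enforced" if pct >= 100 else "partially-enforced"
    return "invalid"


def assess_domain(domain: str,
                  lookup: Callable[[str], List[str]] = sample_lookup
                  ) -> Tuple[str, Optional[Dict[str, str]]]:
    """Look up _dmarc.<domain> and return (status, parsed tags or None).

    Per RFC 7489 section 6.6.3, records not starting with v=DMARC1 are
    discarded, and more than one remaining record means no policy applies.
    """
    candidates = [r for r in lookup(f"_dmarc.{domain}")
                  if r.strip().lower().startswith("v=dmarc1")]
    if not candidates:
        return "no-record", None
    if len(candidates) > 1:
        return "multiple-records", None
    tags = parse_dmarc(candidates[0])
    if tags is None:
        return "invalid", None
    return classify(tags), tags


def unprotected_share(domains: List[str],
                      lookup: Callable[[str], List[str]] = sample_lookup) -> float:
    """Fraction of domains whose policy is anything other than fully enforced."""
    unprotected = sum(1 for d in domains if assess_domain(d, lookup)[0] != "enforced")
    return unprotected / len(domains)


if __name__ == "__main__":
    sample_domains = ["enforced.example", "partial.example", "monitoring.example",
                      "broken.example", "multi.example", "campaign.example"]
    for d in sample_domains:
        status, tags = assess_domain(d)
        print(f"{d:22} {status:18} {tags or ''}")
    print(f"share without enforced DMARC: {unprotected_share(sample_domains):.0%}")
```

Note that p=none is counted as unprotected here: it yields reporting but tells receivers to deliver spoofed mail anyway, which is the gap the report is describing. A partial pct value is likewise flagged, since the remaining share of spoofed messages is still delivered.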


The Struggle for Software Liability: Inside a ‘Very, Very, Very Hard Problem’

Source: The Record

Efforts to hold software companies legally accountable for security failures, a key recommendation from the Cyberspace Solarium Commission, have stalled despite growing urgency after major cyberattacks like SolarWinds. Advocates argue that flawed software poses a serious threat to national security and daily life, but policymakers remain divided on how to impose liability standards without hindering innovation. While the Biden administration is exploring options, the challenge lies in defining security standards, establishing liability frameworks, and incorporating industry input. Experts warn that significant policy change may still be years away unless severe incidents or EU regulatory pressure push the issue forward.

Article Link


Phishing Scams and Malicious Domains Take Center Stage as the US Election Approaches

Source: Help Net Security

As the 2024 US election approaches, phishing scams and malicious domains are on the rise, targeting voters and donors with fraudulent schemes. Fortinet researchers have observed more than 1,000 newly registered election-related malicious domains, along with phishing kits sold on the dark web to impersonate presidential candidates and harvest personal data. Threat actors are leveraging platforms like AWS and Cloudflare to enhance the legitimacy of these fraudulent sites, while ransomware attacks against US government agencies have spiked 28% year-over-year.

Article Link


Finding value in this newsletter? Like or share this post on LinkedIn

Mark Yoshikawa

Freelance Cloud Security Architect | Strategic Innovator | Technical Leader

1 month

Thanks Marcos! That report on OPA is of interest to me :-)
