CISO Daily Update - October 28, 2024
NEW DEVELOPMENTS
OnePoint Patient Care Data Breach Impacts Nearly 800,000 People
Source: Security Week
Arizona-based hospice pharmacy OnePoint Patient Care (OPPC) reported a data breach affecting nearly 800,000 individuals, exposing sensitive information such as medical records, prescription details, and social security numbers. OPPC detected suspicious activity on August 8, 2024, and later confirmed unauthorized access by hackers; the Inc Ransom group claimed responsibility. The group listed OPPC on its leak site, and some stolen data has already been published. Microsoft recently flagged Inc Ransom affiliates as persistent threats to the U.S. healthcare sector.
Hackers Put 350M Hot Topic Customers’ Records for Sale: “Largest Retail Breach in History”
Source: Cybernews
Hudson Rock uncovered a massive breach involving 350 million records from Hot Topic, Torrid, and Box Lunch customers, potentially the largest retail data compromise to date. The database is listed for sale by a hacker known as "Satanic" and contains personal, payment, and loyalty information. Investigators link the breach to a compromised third-party vendor's account on Snowflake that lacked multi-factor authentication (MFA). Initially priced at $20,000, the data was later reduced to $10,000 by the sellers. Hot Topic has not yet responded to the incident.
Threat Actors Allegedly Claiming Breach of Aspen Healthcare Services
Source: Cyber Press
The Everest hacking group claims to have breached Aspen Healthcare Services, compromising over 1,500 medical records containing sensitive personal information. The hackers have set a ransom deadline of November 9, 2024, but have not disclosed specific demands. Aspen Healthcare Services is likely working with cybersecurity experts and law enforcement to address the claim.
American Water Under Investigation for Cyberattack Potentially Affecting 14M Customers
Source: Darkreading
Schubert Jonckheer & Kolbe LLP is investigating a cyberattack on American Water Works that may have exposed the sensitive data of up to 14 million customers across 14 states. Following the breach, the company disabled its MyWater customer portal and paused billing, though details about the compromised data remain uncertain. American Water gathers extensive customer information, including personal and financial data, which could put affected customers at risk of identity theft and fraud. Impacted individuals may be eligible for compensation and legal action against the utility provider.
Black Basta Ransomware Poses as IT Support on Microsoft Teams to Breach Networks
Source: Bleeping Computer
Black Basta ransomware has shifted its social engineering tactics to Microsoft Teams, where attackers now pose as IT support to trick employees and gain network access. Known for spamming inboxes with harmless emails before calling as a fake help desk, the group now impersonates IT directly on Teams, using account names like "securityadminhelper.onmicrosoft.com" to appear legitimate. Through Teams chats, attackers prompt employees to install remote access tools like AnyDesk or Quick Assist, allowing lateral movement within corporate networks. Experts advise limiting external Teams communication to trusted domains and enabling chat logging to detect threats proactively.
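The chat-logging advice above is easier to act on with a concrete rule. The script below is an added example, not code from the original newsletter or from any of the cited sources: it scans constructed, made-up Teams chat log lines and flags messages that come from an untrusted external tenant, whose sender name or onmicrosoft.com tenant label imitates a help desk, or that ask the recipient to open a remote-access tool. The log format, the internal domain example.com, the trusted partner domain, and the keyword lists are all assumptions chosen for the example.

```python
"""Flag suspicious external Microsoft Teams chats (help-desk impersonation).

Added example. The log line layout, the domains and the keyword lists are
assumptions; the sample lines at the bottom are constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed tenant of the organisation and the external domains it trusts.
INTERNAL_DOMAIN = "example.com"
TRUSTED_EXTERNAL_DOMAINS = {"partner.example.net"}

# Heuristic fragments that imitate an IT help desk in a sender name or tenant label.
IMPERSONATION_TERMS = ("helpdesk", "help-desk", "itsupport", "it-support",
                       "securityadmin", "servicedesk")

# Remote-access tools the attackers asked victims to install.
REMOTE_TOOLS = ("anydesk", "quick assist", "quickassist", "teamviewer")

# Assumed log line: <timestamp> sender=<upn> recipient=<upn> msg="<text>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sender=(?P<sender>\S+) recipient=(?P<recipient>\S+) msg="(?P<msg>.*)"$'
)


@dataclass
class Finding:
    timestamp: str
    sender: str
    severity: str          # "high" when two or more indicators line up, else "low"
    reasons: List[str]


def sender_domain(upn: str) -> str:
    """Return the lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def analyse_line(line: str, trusted=TRUSTED_EXTERNAL_DOMAINS) -> Optional[Finding]:
    """Score one chat line; return a Finding when any indicator fires, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None            # unparsable line: skip rather than guess
    sender = m["sender"]
    domain = sender_domain(sender)
    local_part = sender.rsplit("@", 1)[0].lower()
    tenant_label = domain.split(".")[0]          # e.g. securityadminhelper
    msg = m["msg"].lower()
    reasons = []

    # Indicator 1: sender is outside the organisation and not on the allow-list.
    if domain != INTERNAL_DOMAIN and domain not in trusted:
        reasons.append(f"external sender from untrusted tenant {domain}")

    # Indicator 2: an onmicrosoft.com tenant or sender name that poses as IT support.
    identity = f"{local_part} {tenant_label}"
    if domain.endswith(".onmicrosoft.com") and any(t in identity for t in IMPERSONATION_TERMS):
        reasons.append("onmicrosoft.com sender imitates an IT help desk")

    # Indicator 3: the message steers the user towards a remote-access tool.
    if any(tool in msg for tool in REMOTE_TOOLS):
        reasons.append("message references a remote-access tool")

    if not reasons:
        return None
    severity = "high" if len(reasons) >= 2 else "low"
    return Finding(m["ts"], sender, severity, reasons)


def analyse_log(text: str) -> List[Finding]:
    """Run analyse_line over every line of a log and collect the findings."""
    findings = []
    for line in text.splitlines():
        finding = analyse_line(line)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: two benign chats and two impersonation attempts.
SAMPLE_LOG = """\
2024-10-25T09:12:03Z sender=alice@example.com recipient=bob@example.com msg="Lunch at 12?"
2024-10-25T09:15:41Z sender=helpdesk@securityadminhelper.onmicrosoft.com recipient=bob@example.com msg="This is IT Support. Your mailbox is under attack, please open Quick Assist and read me the code"
2024-10-25T09:20:00Z sender=jane@partner.example.net recipient=bob@example.com msg="Sending over the revised contract"
2024-10-25T09:22:17Z sender=it-support@contoso-helpdesk.onmicrosoft.com recipient=carol@example.com msg="Please install AnyDesk so we can fix the spam issue"
"""

if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f.timestamp, f.severity.upper(), f.sender)
        for r in f.reasons:
            print("   -", r)
```

Only the two external help-desk impersonations score "high"; an internal colleague mentioning Quick Assist scores "low", so legitimate IT traffic is surfaced for review rather than blocked outright. Tightening the allow-list in TRUSTED_EXTERNAL_DOMAINS is the equivalent of the "trusted domains only" control the article recommends.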
New Attack Lets Hackers Downgrade Windows to Exploit Patched Flaws
Source: Hackread
SafeBreach Labs uncovered a new attack technique, "Windows Downdate," that lets hackers downgrade Windows 11 components to exploit previously patched vulnerabilities. By tampering with the Windows Update process, attackers can reintroduce vulnerabilities like the Driver Signature Enforcement (DSE) bypass, allowing access to unsigned kernel drivers and facilitating stealthy rootkits. This method weakens Virtualization-Based Security (VBS) and can even bypass UEFI protections, casting doubt on "fully patched" system claims. Organizations should enforce strict patch management, deploy Endpoint Detection and Response (EDR) solutions, and secure VBS with UEFI lock and the "Mandatory" flag for added protection.
Fog Ransomware Targets SonicWall VPNs to Breach Corporate Networks
Source: Bleeping Computer
Fog and Akira ransomware groups are exploiting a severe SSL VPN vulnerability (CVE-2024-40766) in SonicWall VPN accounts to infiltrate corporate networks. Although SonicWall issued patches in August 2024, Arctic Wolf has reported at least 30 breaches by these affiliates, targeting unpatched systems often lacking multi-factor authentication. These attacks rapidly escalate, moving from intrusion to encryption within two hours, with a focus on virtual machines and backups that expose sensitive documents. The shared infrastructure between Fog and Akira suggests possible collaboration, making immediate action crucial for at-risk organizations.
VULNERABILITIES TO WATCH
Critical Vulnerabilities Found in Siemens and Schneider Electric Products
Source: The Cyber Express
Cyble Research & Intelligence Labs identified 13 critical vulnerabilities in Siemens and Schneider Electric products, creating serious risks for industrial control systems (ICS) worldwide. Vulnerable products include Siemens’ Siveillance Video Camera, open to buffer overflow attacks, and Schneider Electric’s Data Center Expert, affected by cryptographic signature verification issues. Other impacted devices, like Elvaco’s CMe3100 and Kieback&Peter’s DDC4000 series, suffer from weak credential protections and path traversal risks. Organizations should prioritize patch management, adopt a Zero-Trust framework, and implement strong network segmentation.
Researchers Discover Command Injection Flaw in Wi-Fi Alliance's Test Suite
Source: The Hacker News
A critical command injection flaw (CVE-2024-41992) in the Wi-Fi Alliance’s Test Suite allows unauthenticated local attackers to gain root access on routers like the Arcadyan FMIMG51AX000J. This flaw lets attackers execute arbitrary commands via crafted packets. Although the Wi-Fi Test Suite isn’t intended for production, its presence in commercial routers increases the risk of network control loss and service disruptions. Until a patch is released, CERT/CC advises removing or updating the Test Suite to version 9.0 or later to reduce the risk of exploitation.
Windows 11 CLFS Driver Vulnerability Lets Attackers Escalate Privileges – PoC Exploit Released
Source: GBHackers
A critical Windows 11 vulnerability in the Common Log File System (CLFS) driver allows local users to escalate privileges by exploiting a flaw in the CClfsBaseFilePersisted::WriteMetadataBlock function. This flaw lets attackers manipulate log file structures, enabling privilege escalation through kernel memory manipulation. At TyphoonPWN 2024, a proof-of-concept exploit demonstrated this flaw by spawning a SYSTEM-level command prompt. Microsoft has yet to release a patch, leaving Windows 11 version 23H2 systems vulnerable. Security teams should closely monitor Microsoft’s updates and apply patches as soon as they are available to mitigate this high-risk vulnerability.
SPECIAL REPORTS
DDoS Attacks Surge to Unprecedented Levels, Bombarding Servers With 4.2Tbps
Source: Cybernews
DDoS attacks have reached record-breaking levels, with Cloudflare reporting a surge to 4.2 Tbps in October 2024, surpassing prior records within weeks. This reflects a 55% year-over-year increase, as hyper-volumetric attacks exceeding 3 Tbps have become routine. Although most attacks last under a minute, they hit hard, using sophisticated techniques like SSDP amplification through UPnP-enabled devices to overwhelm targets. Financial services, IT, telecom, cryptocurrency, and gambling industries are frequent targets, with most malicious traffic originating from Indonesia and Europe. Cloudflare, mitigating thousands of DDoS attacks hourly, emphasizes the urgency of proactive defense as botnets grow amid rising geopolitical tensions.
Finding value in this newsletter? Like or share this post on LinkedIn
Principal Cybersecurity @Inherent Security | Helping Health Tech leaders achieve HIPAA Security & Privacy Compliance.
1 month ago: 800,000 individuals, wow!