CISO Daily Update - September 19, 2024
NEW DEVELOPMENTS
Hackers Breaching Construction Firms via Specialized Accounting Software
Source: Help Net Security
Hackers are actively breaching construction firms through internet-exposed servers running Foundation accounting software. The software includes a Microsoft SQL Server (MSSQL) instance accessible via TCP port 4243 for mobile app use. It has become a target because users often neglect to change default credentials for high-privilege accounts. Attackers exploit this weakness either by using the default credentials or by brute-forcing passwords, which then enables execution of operating system commands through a feature called xp_cmdshell. Researchers observed approximately 35,000 brute-force login attempts on one server before a successful breach occurred. Experts recommend that construction firms change default passwords to strong alternatives, limit public internet exposure of the Foundation application, and disable xp_cmdshell where feasible.
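As an added example (not from the article, and not Foundation's own code), the following T-SQL audit checks the three things the summary names on an MSSQL instance: whether xp_cmdshell is enabled, which logins hold sysadmin and whether they still have default-style settings, and whether the error log shows the failed-login flood that preceded the observed breaches. It assumes a sysadmin connection to the instance.

```sql
-- Added example (not from the article): audit and harden an MSSQL instance
-- such as the one bundled with Foundation. Run with a sysadmin login.

-- 1. Is xp_cmdshell enabled? run_value = 1 means OS commands can be run via SQL.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';

-- 2. Disable it (the article's recommendation) where the application does not need it.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 3. Review high-privilege SQL logins. Every sysadmin member, 'sa' included,
--    should have a strong non-default password and password policy enforcement;
--    is_policy_checked = 0 or is_expiration_checked = 0 is worth a second look.
SELECT sp.name, sp.is_disabled, sl.is_policy_checked, sl.is_expiration_checked
FROM sys.server_principals sp
JOIN sys.sql_logins sl ON sl.principal_id = sp.principal_id
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- 4. Rotate the default account's password, then disable it if the application
--    connects with its own login (assumption: confirm this with the vendor first).
ALTER LOGIN sa WITH PASSWORD = '<replace-with-a-long-random-password>';
ALTER LOGIN sa DISABLE;

-- 5. Detection: failed logins are written to the SQL Server error log as error
--    18456 when failure auditing is on (the default). Thousands of these in a
--    short window, as in the 35,000-attempt case above, indicate brute forcing.
EXEC xp_readerrorlog 0, 1, N'Login failed', N'18456';
```

Step 4 is only safe once the application's own service login has been verified; the remaining steps are read-only apart from the xp_cmdshell change.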
New "Raptor Train" IoT Botnet Compromises Over 200,000 Devices Worldwide
Source: The Hacker News
The "Raptor Train" botnet is linked to the Chinese nation-state group Flax Typhoon, which has compromised over 200,000 IoT and SOHO devices globally since May 2020. The botnet targets routers, IP cameras, and network storage devices from manufacturers like ASUS, Hikvision, and TP-LINK. It uses a three-tier architecture for command and control and has been involved in at least four attack campaigns. Its infrastructure remains persistent through re-infection methods.
Chrome Extension Hides Malware to Steal Crypto: New Operation Uncovered
Source: Cybernews
A new malicious Chrome extension called SpiderX is targeting crypto users to steal personal data and cryptocurrency through phishing emails and a fake extension. Despite its simplicity, SpiderX bypassed detection by antivirus programs and the Chrome Extension Store’s vetting. This operation defrauds hundreds of people monthly using fake domains and WhatsApp to lure victims. The campaign remains active, and victims are advised to remove the extension, change all passwords, and wipe compromised systems.
Think Twice Before You Click: This Captcha Might Steal Your Money
Source: Cybernews
A new attack targets Windows users through fake captcha pages that trick victims into running malicious PowerShell scripts that install the Lumma Stealer malware. This malware steals sensitive data including passwords, session tokens, and cryptocurrency wallet information. Users are urged not to copy/paste any scripts from unknown captcha pages, as attackers use this method to gain access to personal data and browser credentials.
Google Street View Images Used For Extortion Scams
Source: Infosecurity Magazine
Scammers are now using Google Street View images to increase the intimidation in sextortion scams, threatening victims by showing images of their homes or workplaces. The attackers claim to have installed spyware and accessed personal data, demanding cryptocurrency payments to avoid sharing fake evidence with the victim's contacts. Security experts advise that these images are likely generated automatically from mapping services like Google Street View and warn that the attackers use random Gmail addresses and URLs to evade detection by security tools.
AT&T Reaches $13 Million FCC Settlement Over Massive 2023 Data Breach
Source: The Cyber Express
AT&T reached a $13 million settlement with the FCC after a 2023 data breach exposed the personal information of nine million customers due to mishandling by third-party vendors. The breach involved unauthorized access to customer data primarily used for SIM swapping and phone unlocking. The FCC investigation revealed AT&T's failure to protect sensitive information, leading to fines and mandated security improvements, including stronger oversight of vendors and enhanced data protection measures.
California Enacts Laws Regulating Use of Deepfakes in Election Ads
Source: The Record
California Governor Gavin Newsom signed three bills aimed at regulating the use of deepfakes in election ads. These laws mandate that large online platforms must remove or label deepfake ads during the election period and enable users to report such content. They also require that election ads disclose any AI-generated content. The legislation reflects concerns about deepfakes' potential to undermine democracy, particularly following a controversial deepfake incident involving Kamala Harris. The new laws position California as a leader in addressing AI's impact on elections.
Suffolk County Ransomware Attack Linked to Lack of Planning, Ignored Warnings
Source: Cybersecurity Dive
A Suffolk County, NY legislative report blames officials for a September 2022 ransomware attack that caused extensive disruption and over $25 million in remediation costs. The report cites ignored FBI warnings, a lack of incident response planning, outdated technology, and the absence of a CISO as key failures. The attack was attributed to the AlphV/BlackCat group exploiting a Log4j vulnerability, which led to significant service interruptions. The county has since updated its firewalls and is working to recruit a CISO to improve future cybersecurity efforts.
VULNERABILITIES TO WATCH
Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution
Source: The Hacker News
Broadcom issued updates to fix a critical remote code execution vulnerability (CVE-2024-38812, CVSS 9.8) in the VMware vCenter Server. The flaw involves a heap overflow vulnerability in the DCE/RPC protocol, allowing an attacker with network access to exploit the issue by sending a crafted packet. This is similar to other vulnerabilities patched in June. Additionally, a privilege escalation flaw (CVE-2024-38813) was addressed. Users are urged to update to the latest versions to mitigate potential risks, although there are no reports of active exploitation. Patch versions are available for VMware vCenter Server 8.0 and 7.0, and VMware Cloud Foundation.
Chrome 129 Patches High-Severity Vulnerability in V8 Engine
Source: Security Week
Google released Chrome 129, addressing nine vulnerabilities including a high-severity type confusion bug in the V8 JavaScript engine (CVE-2024-8904). This update fixes six externally reported flaws, with the V8 issue being the most critical given its ability to lead to crashes or remote code execution. The update also patches medium- and low-severity vulnerabilities in various Chrome components. Chrome 129 is now available for Windows, macOS, and Linux.
Microsoft Warns Of Windows Kernel Vulnerability Exploitation
Source: Cyber Security News
Microsoft issued a serious warning regarding a Windows kernel vulnerability (CVE-2024-37985) which affects ARM-based devices. This vulnerability has a moderate CVSS score of 5.9 and could allow attackers to gain access to sensitive heap memory via a privileged process. While there is no indication of active exploitation, Microsoft recommends that security patches be applied immediately to prevent risks.
0.0.0.0 Day Vulnerability Puts Millions of Local Networks at Risk
Source: Hackerdose
The "0.0.0.0 Day" vulnerability exposes millions of local networks to risk by allowing hackers to bypass browser security and access local services. This critical flaw lets attackers exploit the IP address 0.0.0.0 to interact with local network services from outside the network. While Google Chrome and Apple Safari are updating to block this address, Mozilla Firefox has yet to fully address the issue. This vulnerability is already exploited in active campaigns like ShadowRay.
Windows MiniFilter Hack: Easily Bypass EDR Security
Source: Cyber Press
The "Windows MiniFilter Hack" reveals a vulnerability where attackers exploit MiniFilter drivers to bypass Endpoint Detection and Response (EDR) security. By manipulating the altitude values of MiniFilter drivers, attackers can load malicious drivers before EDR solutions, disabling their telemetry and real-time protection. Although some EDR vendors have introduced mitigations such as dynamic altitude values and adjusted load orders, the threat persists. Security teams must monitor registry changes and MiniFilter configurations to detect and counteract these bypass techniques effectively.
SPECIAL REPORTS
The Proliferation of Non-Human Identities
Source: Help Net Security
A report from Entro Security reinforces the growing risk posed by non-human identities (NHIs) in cybersecurity, revealing that 97% of NHIs have excessive privileges, and 92% are exposed to third parties. Key findings show that NHIs significantly outnumber human identities and are often mishandled, with 44% of tokens being carelessly shared and 73% of vaults misconfigured. The report warns that mismanagement of NHIs and secrets across industries increases the attack surface and vulnerability to security breaches.
Critical Infrastructure at Risk From Email Security Breaches
Source: Infosecurity Magazine
A study by Osterman Research and OPSWAT highlights that 80% of critical infrastructure (CI) organizations experienced an email-related security breach in the past year, with 75% of threats originating from email. Furthermore, 63% of organizations acknowledge their email security needs improvement and 48% lack confidence in their current defenses. The research highlights the increased risk due to the integration of IT and operational technology (OT) networks. Phishing attacks are the most common, followed by compromised Microsoft 365 credentials and data leakage.
Infostealers: An Early Warning for Ransomware Attacks
Source: Darkreading
Nearly a third of companies hit by ransomware in the past year had an infostealer infection in the months prior, according to SpyCloud's 2024 report. Infostealers are used to gather credentials before deploying ransomware and could serve as an early warning for potential ransomware attacks. While the presence of an infostealer may suggest impending ransomware, predicting specific attack outcomes remains challenging. Cyber defenders should act quickly upon detecting infostealers by securing compromised data and resetting credentials to stop further exploitation.