CISO Daily Update - September 2, 2024
NEW DEVELOPMENTS
US Agencies Warn Against Ransomware Group Behind Hundreds of Attacks in Recent Months
Source: The Record
U.S. cybersecurity agencies, including the FBI, CISA, and HHS, issued an advisory warning against the RansomHub ransomware group, which has been responsible for over 210 attacks since February. This group gained prominence after attacking UnitedHealth Group in April, and targets a range of sectors such as healthcare, IT, and government. RansomHub has attracted affiliates from defunct groups like LockBit and AlphV, solidifying its position in the ransomware ecosystem. The advisory pointed out that victims are typically compromised via phishing or vulnerabilities in widely-used software, with ransom demands often linked to data publication threats. Agencies urge victims to report incidents to aid broader cybersecurity efforts.
GitHub Comments Abused to Push Password Stealing Malware Masked as Fixes
Source: Bleeping Computer
A new campaign on GitHub is exploiting the platform's comments section to distribute the Lumma Stealer, a sophisticated password-stealing malware. Posing as legitimate fixes, attackers post comments with links to password-protected archives that contain malware designed to steal sensitive information such as browser credentials, cryptocurrency wallets, and private keys. Over 29,000 malicious comments were posted in just three days. GitHub staff are actively removing these comments, but some users have already been affected. Victims are advised to change their passwords and migrate any cryptocurrency to new wallets.
Researcher Sued for Sharing Data With Media That Ransomware Stole
Source: Bleeping Computer
The City of Columbus, Ohio sued security researcher David Leroy Ross, aka Connor Goodwolf, for allegedly downloading and sharing data stolen in a ransomware attack by the Rhysida gang. The July 18, 2024, attack led to the leak of 3.1 TB of sensitive data including police and prosecutor information. Goodwolf disputed the city's claim that the leaked data was unusable and shared it with the media to prove its sensitivity. The lawsuit accuses Goodwolf of illegally spreading the data, raising public concern, and interfering with investigations. The city seeks a restraining order and over $25,000 in damages.
New Voldemort Malware Uses Google Sheets to Target Key Sectors Globally
Source: Hackread
The newly discovered Voldemort malware campaign is targeting key global sectors including insurance, aerospace, transportation, and education, via a sophisticated phishing operation. Since August 2024, over 20,000 phishing emails were sent to more than 70 organizations using Google Sheets for command and control (C2) operations, a rare and creative method. The malware employs a complex attack chain that includes exploiting Windows search protocols and Cloudflare Tunnels for anonymity.
Intel Claps Back at Report of SGX Key Theft
Source: SC Media
Intel responded to reports by Positive Technologies claiming that its SGX security platform could be breached, downplaying the severity. The researchers claimed they could extract critical keys from Intel processors via hardware access, which could compromise secure processes. However, Intel clarified that the attack relied on outdated systems lacking the latest mitigations and proper configurations. The retrieved keys were encrypted, making a full compromise difficult. Intel recommended that system vendors and administrators update firmware to mitigate such risks.
Chase Bank “Glitch” Leaves Customers with Negative Balances
Source: Hackerdose
A recent glitch at Chase Bank allowed customers to withdraw funds they didn't have, leading to significant negative balances and account holds for those who attempted to exploit the flaw. The glitch occurred when people deposited fake checks or applied for large loans at ATMs, with funds becoming available immediately instead of after the usual verification period. As a result, many are now facing debts of up to $40,000 and potential legal repercussions. The incident has sparked widespread online discussion, with warnings that those who took advantage could face serious consequences, including legal action.
VULNERABILITIES TO WATCH
North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit
Source: The Hacker News
North Korean hackers identified as Citrine Sleet (a sub-group of the Lazarus Group) exploited a zero-day vulnerability (CVE-2024-7971) in Google Chrome and other Chromium browsers to deploy the FudModule rootkit. The flaw allowed remote code execution in the Chromium renderer, enabling attackers to install malicious software via a compromised website. The exploit, patched by Google recently, is part of a broader trend where North Korean actors use zero-day vulnerabilities to target financial institutions and cryptocurrency operations. The campaign also involved a Windows privilege escalation bug (CVE-2024-38106) to gain deeper system access.
Critical Vulnerabilities in Progress Software’s WhatsUp Gold Expose Systems to Severe Risks
Source: The Cyber Express
A critical vulnerability (CVE-2024-4885) was discovered in the widely used enterprise network monitoring solution Progress Software's WhatsUp Gold, which could lead to full system compromise. The flaw was found in the GetFileWithoutZip method, which allows unauthenticated remote attackers to execute arbitrary code by uploading malicious files, earning it a CVSS score of 9.8. Despite a patch being released in May 2024, over 1,200 instances remain exposed, highlighting the urgent need for users to update to version 23.1.3 or later to mitigate severe risks, including unauthorized root access and potential system-wide compromise.
Fortra Patches Critical Vulnerability in FileCatalyst Workflow
Source: Security Week
Fortra patched two critical vulnerabilities in its FileCatalyst Workflow, including CVE-2024-6633, a critical flaw with a CVSS score of 9.8. This vulnerability arose after default credentials for the setup HSQL database (HSQLDB) were leaked in a vendor knowledgebase article, potentially exposing systems to remote access and data manipulation. The vulnerability is only exploitable if the HSQLDB port is exposed to the internet. Fortra mitigated this risk by restricting database access to localhost and advises users to update to FileCatalyst Workflow version 5.1.7 build 156 or later to protect against these vulnerabilities.
An Air Transport Security System Flaw Allowed Bypass of Airport Security Screenings
Source: Security Affairs
A flaw in the FlyCASS system, used by airlines for the Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs, allowed researchers to bypass airport security screenings and access cockpit areas without proper vetting. This SQL injection vulnerability enabled unauthorized individuals to add or edit employee details, potentially compromising air transport security. Despite reporting the issue to the Department of Homeland Security (DHS), the TSA downplayed the severity, inaccurately claiming that the vulnerability couldn't be exploited to access KCM checkpoints. The researchers emphasized that this flaw could have serious implications, as TSA agents can manually enter airline employee IDs without a KCM barcode.
SPECIAL REPORTS
Published Vulnerabilities Surge by 43%
Source: Infosecurity Magazine
Forescout's 2024H1 Threat Review highlights a significant increase in cybersecurity risks, with a 43% surge in reported vulnerabilities and a 6% rise in ransomware attacks compared to H1 2023. The U.S., Germany, and India were the most targeted, with the U.S. accounting for half of all ransomware incidents. The report also notes the expansion of ransomware groups by 55% and the rise of state-sponsored actors using hacktivist fronts to target critical infrastructure. Vulnerabilities in VPN and network infrastructure were particularly exploited.
Cyber Threats That Shaped the First Half of 2024
Source: Help Net Security
The Critical Start Cyber Research Unit's analysis of H1 2024 revealed that global cybercrime continues to escalate, with manufacturing and industrial products being the most targeted industries. Ransomware and database leaks surged, especially in healthcare, which saw a 180% increase in incidents. Professional services also faced an increase in attacks, while technology companies experienced a slight decrease. Emerging threats include a sharp rise in deepfake fraud, abuse of open-source repositories, and BEC attacks targeting smaller businesses.