CISO Daily Update - September 27, 2024
NEW DEVELOPMENTS
Hurricane Helene Prompts CISA Fraud Warning
Source: Darkreading
As Hurricane Helene approaches Florida, CISA issued a fraud warning urging individuals and organizations to be cautious of scams, phishing attempts, and fraud schemes tied to the storm. Cybercriminals often exploit disasters by sending fake charity appeals, outage notices, or unsolicited contractor offers. CISA advises vigilance when handling hurricane-related emails, social media posts, or solicitations to avoid falling victim to these schemes.
Data Breach at MC2 Data Leaves 100 Million at Risk of Fraud
Source: Infosecurity Magazine
A data breach at MC2 Data has compromised the personal information of over 100 million U.S. citizens due to a misconfigured database. The 2.2TB of sensitive data was left accessible online without password protection, allowing anyone to view it. Cybernews discovered the breach, which includes 106 million records containing full names, emails, IP addresses, birth dates, partial payment details, home addresses, phone numbers, and employment histories. More than 2.3 million MC2 Data subscribers are also affected. The exposed encrypted passwords are at risk of brute-force attacks, especially since many users reuse them across multiple platforms. While MC2 Data has since secured the database, further details about the breach and its impact remain unclear.
China-Linked Attackers Salt Typhoon Infiltrate US Internet Service Providers
Source: Cybernews
The China-linked threat group Salt Typhoon, also known as GhostEmperor, has infiltrated U.S. internet service providers in a targeted campaign against critical infrastructure. Using advanced techniques to bypass detection, the group gained access to systems that could allow them to launch attacks, spread malware, or steal sensitive data. Investigators are exploring whether the attackers used Cisco routers for initial access, although Cisco has not confirmed any breach. This attack is part of broader Chinese cyber efforts, which China continues to deny. In a related move, the FBI recently dismantled a large botnet tied to similar attacks.
Victims Lose $70K to One Single Wallet-Draining App on Google’s Play Store
Source: The Register
A fraudulent app on Google’s Play Store posing as the trusted WalletConnect service drained $70,000 from 150 cryptocurrency users. Despite over 10,000 downloads, only a small portion of users fell victim to the scam. The app maintained its cover with fake reviews, convincing users to authorize transactions that let attackers empty their wallets. Although Google removed the app after five months, the incident highlights the rising threat to mobile decentralized finance. It also reinforces the need for stronger security measures to protect digital assets. While Google Play Protect offers some protection, malicious apps continue to evade detection.
Transport, Logistics Orgs Hit by Stealthy Phishing Gambit
Source: Darkreading
Cybercriminals have launched a series of business email compromise (BEC) attacks against transportation and logistics companies in North America, hijacking at least 15 email accounts since May. The attackers used these compromised accounts to insert malware into active email conversations, exploiting the trust of recipients. Initially, they hid malware in Google Drive files, but later switched to the "ClickFix" technique, which tricks users into running malicious scripts. These attacks thrive on the complexity of logistics communications and the high financial stakes involved, making these companies prime targets. Experts urge organizations to strengthen their cybersecurity defenses and remain vigilant against these sophisticated threats.
Automattic Blocks WP Engine’s Access to WordPress Resources
Source: Bleeping Computer
WordPress.org has blocked WP Engine from accessing its resources, cutting off plugin updates for sites hosted on the platform. This move follows WP Engine's alteration of a core feature for profit and its decision to block a news widget that criticized these actions. As a result, thousands of users are now exposed to potential security risks, with WP Engine solely responsible for managing security updates and support. The conflict has escalated, with both parties exchanging cease-and-desist letters over trademark usage and contributions to the open-source project. Users are encouraged to consider alternative hosting options amid the growing tensions.
VULNERABILITIES TO WATCH
Doomsday ‘9.9 RCE Bug’ Might Hit Every Linux System
Source: The Register
A highly critical remote code execution (RCE) vulnerability, rated 9.9 out of 10 in severity, may soon affect all Linux systems. Details of the bug, which was disclosed three weeks ago without a fix, are expected to emerge today. This vulnerability could allow attackers to hijack Linux-based systems across networks, sparking major concerns due to Linux's widespread use in critical infrastructure globally. While the specifics remain unconfirmed, experts warn that if exploited, the impact could be massive. A proof-of-concept exploit is expected to surface at 2000 UTC.
Remote Code Execution, DoS Vulnerabilities Patched in OpenPLC
Source: Security Week
Cisco's Talos threat intelligence unit uncovered multiple severe vulnerabilities in OpenPLC, an open-source programmable logic controller used in low-cost industrial automation. Patched on September 17, these flaws include CVE-2024-34026, which allows remote attackers to execute arbitrary code through specially crafted EtherNet/IP requests. Additionally, four high-severity vulnerabilities (CVE-2024-36980, CVE-2024-36981, CVE-2024-39589, and CVE-2024-39590) could trigger denial-of-service (DoS) attacks, threatening industrial control systems by disrupting critical processes. These vulnerabilities pose serious risks to industries relying on OpenPLC for automation.
Critical Nvidia Container Flaw Exposes Cloud AI Systems to Host Takeover
Source: Security Week
Nvidia has fixed a critical vulnerability (CVE-2024-0132) in its Container Toolkit that could allow attackers to take over cloud AI systems. Discovered by Wiz researchers, the flaw enables attackers to escape containers and gain control of the host, leading to code execution, denial of service, and potential data tampering. With a CVSS score of 9/10, this vulnerability is especially dangerous in multi-tenant environments where GPUs are shared. Nvidia urges organizations using its GPUs to apply the patches released on September 26 to prevent exploitation.
HPE Aruba Networking Fixes Critical Flaws Impacting Access Points
Source: Bleeping Computer
HPE Aruba Networking has patched three critical vulnerabilities (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) in its Access Points, which could allow unauthenticated attackers to execute remote code by sending specially crafted packets to the PAPI UDP port (8211). The vulnerabilities affect Instant AOS-8 and AOS-10 software versions below certain releases. Although no active exploits have been detected, HPE urges users to install the latest updates. They also suggest temporary workarounds, such as enabling "cluster-security" or blocking UDP/8211 access from untrusted networks. Other Aruba products are not impacted, and previous vulnerabilities have been addressed.
Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates
Source: The Hacker News
Cybersecurity researchers discovered vulnerabilities in Kia vehicles that could have allowed attackers to remotely control key functions using only a license plate number. These flaws, which impacted nearly all Kia models manufactured after 2013, enabled unauthorized users to access sensitive information and gain control over vehicle permissions. By exploiting the Kia dealership infrastructure, attackers could issue four HTTP requests to obtain access tokens, retrieve owner details, and alter vehicle settings without alerting the owner. Kia patched these vulnerabilities in August 2024 after a responsible disclosure, and there is no evidence that they were exploited in the wild.
Hackers Allegedly Claim Sale of 1-Day Magento RCE Vulnerability
Source: Cyber Press
A threat actor is reportedly selling a 1-day Remote Code Execution (RCE) exploit, CVE-2024-34102, targeting Magento 2. This exploit could allow attackers to take full control of vulnerable servers with minimal effort, posing significant risks to online retailers and their customers, including potential data breaches and financial theft. The cybersecurity community is urging Magento users to apply the latest patches and strengthen their security defenses. Meanwhile, Adobe is investigating the claims surrounding this exploit.
SPECIAL REPORTS
Over a Third of Employees Secretly Sharing Work Info with AI
Source: Infosecurity Magazine
A study by CybSafe and the National Cybersecurity Alliance found that 38% of employees are sharing sensitive work information with AI tools without their employer's knowledge or permission. This behavior is especially common among younger generations, with 46% of Gen Z and 43% of millennials admitting to it. The survey, which gathered responses from over 7,000 participants across multiple countries, also revealed that 52% of employees have not received training on safe AI usage, exposing a significant knowledge gap. Additionally, 65% of respondents expressed concerns that AI could enable more convincing phishing attacks and complicate online security. Only 36% said they trust their organizations to ensure AI technologies are unbiased.
NIST Scraps Password Complexity and Mandatory Changes in New Guidelines
Source: Infosecurity Magazine
NIST’s 2024 password guidelines no longer recommend enforcing complex character requirements or frequent password changes unless a compromise occurs. Instead, they advocate for longer passwords, with a minimum length of 15 characters and support for up to 64 characters. Both ASCII and Unicode characters are now allowed. NIST also advises against using knowledge-based authentication methods, such as security questions. These updates reflect a shift towards more modern password security practices, aligning with recommendations from organizations like Microsoft and the FTC.
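To make the summarized guidance concrete, here is an added example (not from the newsletter or from NIST) of a verifier that applies those rules: length counted in Unicode code points, 15 to 64 characters, no composition requirements, and a forced change only after a compromise. The NFKC normalization step and the in-memory compromised-password set are assumptions standing in for a real deployment.

```python
"""Password acceptance check modelled on the NIST guidance summarised above.

Added example, not code from the newsletter or from NIST. Assumptions: the
compromised-password list is a constructed in-memory set standing in for a
real breach corpus, and NFKC normalization is applied before any check.
"""
import unicodedata

MIN_LEN = 15   # minimum length stated in the summary
MAX_LEN = 64   # passwords up to 64 characters must be accepted

# Constructed sample of known-compromised passwords (stands in for a real corpus).
COMPROMISED = {"correct horse battery staple", "password123456789"}


def normalize(password: str) -> str:
    """Fold equivalent Unicode forms so the same passphrase verifies the same
    way regardless of keyboard or OS (assumption: verifier normalizes first)."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason). No composition rules and no rotation check:
    only length bounds and a compromised-list lookup, as the guidance describes."""
    pw = normalize(password)
    length = len(pw)   # code points, not bytes, so Unicode is not penalised
    if length < MIN_LEN:
        return False, f"too short: {length} < {MIN_LEN}"
    if length > MAX_LEN:
        return False, f"too long: {length} > {MAX_LEN}"
    if pw in COMPROMISED:
        return False, "appears in compromised-password list"
    return True, "ok"


def rotation_required(compromised: bool, age_days: int) -> bool:
    """Force a change only on evidence of compromise; age alone never triggers it."""
    return compromised


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3",                     # complex but too short
                      "this is a long enough passphrase",
                      "correct horse battery staple",    # in the breach set
                      "пароль длиной пятнадцать"):       # 24 code points, Unicode ok
        print(repr(candidate), check_password(candidate))
```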
Ransomware Incidents Hit 117 Countries in 2023, Task Force Says
Source: The Record
Ransomware attacks skyrocketed in 2023, with over 6,670 incidents reported across 117 countries—a 73% jump from 2022. South Asia and South America were hit hardest, with Brazil, India, Iran, and Pakistan experiencing significant spikes. LockBit and AlphV ransomware groups led many of these attacks, targeting industries like healthcare, construction, and IT. The Ransomware Task Force highlighted the growing ransomware-as-a-service (RaaS) model, calling for stronger global efforts to combat these threats and disrupt the profitability of ransomware operations.
Companies Mentioned on the Dark Web at Higher Risk for Cyber Attacks
Source: Help Net Security
A study by Marsh McLennan's Cyber Risk Intelligence Center shows that organizations with data on the dark web face a significantly higher risk of cyber attacks. Among 9,410 organizations analyzed from 2020 to 2023, those with dark web exposure had a 3.7% breach rate. The study highlights strong connections between dark web sources, like Paste Results and Market Listings, and cybercriminal attack planning, which also impacts cyber insurance loss frequency. To stay ahead of threats, organizations must actively monitor their dark web exposure and continuously assess risks, as static analysis won’t suffice in today’s rapidly evolving threat landscape.