CISO Daily Update - September 4, 2024

NEW DEVELOPMENTS

Cyberattack Hits Shoshone-Bannock Tribes: Key Services Unaffected, Recovery in Progress

Source: The Cyber Express

The Shoshone-Bannock Tribes recently experienced a cyberattack that disrupted operations on the Fort Hall Reservation in Idaho, temporarily shutting down the tribal government and affecting communication systems. Despite these challenges, critical services remained operational, and most departments resumed work by August 26. The tribes are collaborating with the FBI and a Homeland Security contractor to investigate the incident and enhance security. Although the attack impacted various departments, key functions like the gaming enterprise and the tribal high school were unaffected. The tribes are committed to resolving the situation and restoring full functionality.


Leaked Docs Expose Media Giant’s Secret Listening Software

Source: Hackerdose

Leaked documents from Cox Media Group (CMG) reveal their use of "Active Listening" technology, which allegedly captures and analyzes conversations from smartphones to target ads. The technology enables advertisers to deliver ads based on real-time conversations about specific products or services. Following the leak, Google cut ties with CMG, and Meta is investigating potential violations of its terms of service. Amazon stated that it has never collaborated with CMG on this program. The leaked information has sparked privacy concerns and backlash, particularly regarding the legality and ethics of such intrusive data collection practices.


Oil Titan Halliburton Confirms Data Was Stolen in Cyberattack

Source: The Record

Major oil and gas company Halliburton disclosed that an unauthorized third party accessed and stole data from its networks in a recent cyberattack. The incident disrupted and restricted access to various programs, affecting the company's operations and corporate functions. While Halliburton believes the attack will have little impact on its bottom line, it has paid expenses for incident response and operational disruptions. The company's stock sank 3.8% in morning trading, following a 6% drop over the previous week.


Ex-Engineer Charged in Missouri for Failed $750,000 Bitcoin Extortion Attempt

Source: The Hacker News

A 57-year-old former engineer from Kansas City, Missouri, Daniel Rhyne, was charged with extortion, intentional damage to a protected computer, and wire fraud following a failed $750,000 Bitcoin extortion attempt against his previous employer, an industrial company in New Jersey. Rhyne allegedly gained unauthorized access to the company's network, locked out IT administrators, deleted backups, and threatened further damage unless 20 Bitcoin was paid. The investigation revealed that Rhyne used his company-issued laptop and built-in or freely available tools, namely Windows' net user command and PsPasswd, to carry out the attack. He faces up to 35 years in prison and a $750,000 fine.
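The tooling named in this item (net user and PsPasswd) leaves ordinary process-creation telemetry behind, which is what a defender would hunt on. The following is an added detection example, not code from the article or the investigation: it classifies account-tampering commands in a small constructed sample of flattened process-creation records (the host, user and account names are invented) and raises an alert when one actor disables or resets passwords on several accounts, the pattern a mass lockout of administrators would produce.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a flattened "timestamp|host|user|process|command_line"
# form, modelled on Windows process-creation events. Hosts, users and accounts are invented.
SAMPLE_EVENTS = """\
2024-08-01T09:02:11|ws-eng-17|CORP\\user17|C:\\Windows\\System32\\net1.exe|net user jsmith /domain
2024-08-01T09:03:40|ws-eng-17|CORP\\user17|C:\\Windows\\System32\\net1.exe|net user it-admin1 /active:no /domain
2024-08-01T09:03:52|ws-eng-17|CORP\\user17|C:\\Windows\\System32\\net1.exe|net user it-admin2 /active:no /domain
2024-08-01T09:04:10|ws-eng-17|CORP\\user17|C:\\Tools\\PsPasswd.exe|PsPasswd.exe \\\\* it-admin3 NewPassw0rd!
2024-08-01T09:05:00|ws-eng-17|CORP\\user17|C:\\Windows\\System32\\net1.exe|net user it-admin4 Changed123 /domain
2024-08-01T10:15:00|dc01|CORP\\helpdesk|C:\\Windows\\System32\\net1.exe|net user newhire Welcome1 /add /domain
"""

# "net user <account> [password] [/switches]": capture the account and everything after it.
NET_USER_RE = re.compile(r"^\s*net1?(?:\.exe)?\s+user\s+(?P<account>\S+)(?P<rest>.*)$", re.IGNORECASE)

# Kinds that take an account away from its owner; account creation is noted but not counted.
LOCKOUT_KINDS = {"disable", "delete", "password_reset", "pspasswd"}


def classify(process, cmdline):
    """Return (kind, account) for an account-tampering command, or None for queries and other commands."""
    if "pspasswd" in process.lower():
        # PsPasswd <computer> <account> <newpassword>: the account is the second argument.
        parts = cmdline.split()
        account = parts[2] if len(parts) > 2 else "?"
        return "pspasswd", account
    m = NET_USER_RE.match(cmdline)
    if not m:
        return None
    account, rest = m.group("account"), m.group("rest").lower()
    if "/active:no" in rest:
        return "disable", account
    if "/delete" in rest:
        return "delete", account
    if "/add" in rest:
        return "create", account
    # Any remaining token that is not a /switch is a new password being set.
    if any(not tok.startswith("/") for tok in rest.split()):
        return "password_reset", account
    return None  # plain "net user <name>" only reads the account


def parse_events(text):
    """Split the flattened records into dicts; the command line may itself contain '|' so split at most 4 times."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, process, cmdline = line.split("|", 4)
        events.append({"ts": ts, "host": host, "user": user, "process": process, "cmdline": cmdline})
    return events


def analyze(text, bulk_threshold=3):
    """Classify every record and alert when one (host, user) locks out >= bulk_threshold distinct accounts."""
    findings, touched = [], defaultdict(set)
    for ev in parse_events(text):
        hit = classify(ev["process"], ev["cmdline"])
        if hit is None:
            continue
        kind, account = hit
        findings.append({**ev, "kind": kind, "account": account})
        if kind in LOCKOUT_KINDS:
            touched[(ev["host"], ev["user"])].add(account)
    alerts = [
        {"rule": "bulk-account-lockout", "host": h, "user": u, "accounts": sorted(a)}
        for (h, u), a in touched.items()
        if len(a) >= bulk_threshold
    ]
    return {"findings": findings, "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"{f['ts']} {f['user']}@{f['host']}: {f['kind']} on {f['account']}")
    for a in result["alerts"]:
        print(f"ALERT {a['rule']}: {a['user']} on {a['host']} touched {a['accounts']}")
```

The threshold and the one-actor grouping are the tunable parts: a help desk legitimately resets passwords all day, so in production the actor's role (and whether the source host is a workstation rather than an admin jump host) would feed the score rather than the raw count alone.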


New Cyberattack Targets Industrial Automation Sector with Malware

Source: Hackerdose

New cybercrime group Stone Wolf is targeting the industrial automation sector with a phishing campaign to spread Meduza Stealer malware. The attackers impersonate legitimate companies in their phishing emails, which include attachments like Dostavka_Promautomatic.zip that install the malware when opened. Meduza Stealer has been available as malware-as-a-service since June 2023 and captures sensitive data such as login credentials, system information, and cryptocurrency wallet details. It also monitors web browsers, email clients, and various applications. The malware’s subscription costs range from $199 to $1,199, and it includes a builder tool and web panel for tracking stolen data.


Beware of New Phishing Attack That Mimics ScreenConnect and Zoom

Source: GBHackers

A sophisticated phishing attack targeting Zoom users has been uncovered, using a fake Zoom portal to trick victims into installing ScreenConnect (now ConnectWise Control). This software allows attackers to remotely access and control compromised machines without the victim’s knowledge. The operation involves a phishing site mimicking Zoom to deliver ScreenConnect, which connects to a command and control (C2) server for malicious activities. To appear legitimate, the phishing site often uses obfuscated techniques, including signed binaries. Attackers are exploiting this access for financial fraud and other malicious actions.


VULNERABILITIES TO WATCH

Chrome 128 Updates Patch High-Severity Vulnerabilities

Source: Security Week

Google released two updates for Chrome 128, resolving eight security flaws, six of which were reported by external researchers. The first update addressed four critical memory safety bugs, three in Chrome's V8 JavaScript engine and one heap buffer overflow in the Skia graphics library. The second update addressed four additional vulnerabilities, including a use-after-free in WebAudio and an out-of-bounds write in V8. The updates are available for Windows, macOS, and Linux. Although there is no evidence that these vulnerabilities were exploited in the wild, users are encouraged to update their browsers immediately.


VMware Patches High-Severity Code Execution Flaw in Fusion

Source: Security Week

VMware issued a security update for its Fusion hypervisor, addressing a high-severity code execution vulnerability (CVE-2024-38811) with a CVSS score of 8.8/10. The vulnerability, caused by an unprotected environment variable, could allow a malicious actor with standard user privileges to execute code in the context of the Fusion application, potentially leading to a complete system compromise. The issue affects VMware Fusion 13.x and is fixed in version 13.6. Users are strongly encouraged to update to the latest version, as there are no workarounds. The update also includes an upgrade to OpenSSL 3.0.14.


D-Link Says It Is Not Fixing Four RCE Flaws in DIR-846W Routers

Source: Bleeping Computer

D-Link announced it would not fix four remote code execution (RCE) vulnerabilities affecting its DIR-846W routers, as the product has reached end-of-life (EOL) and end-of-support (EOS). The flaws, three of which are rated critical and require no authentication, were discovered by a researcher who has shared only limited details and withheld proof-of-concept (PoC) exploits. While acknowledging the severity of the flaws, D-Link advises users to retire DIR-846W routers immediately or, if that is not feasible, to ensure the latest firmware is installed, use strong passwords, and enable WiFi encryption.


Canonical Addresses Critical Linux Kernel AWS Vulnerabilities with New Patches

Source: The Cyber Express

Canonical has released critical updates for Ubuntu to address several Linux kernel vulnerabilities that impact Amazon Web Services (AWS). These vulnerabilities, including race conditions and memory management errors, pose risks such as system crashes and unauthorized access. The patches, now available for multiple Ubuntu versions, are critical for securing both Ubuntu-based systems and AWS environments. AWS users with Ubuntu instances are strongly advised to apply these updates immediately to mitigate these risks and maintain system stability.


Vulnerabilities in Microsoft Apps for macOS Allow Stealing Permissions

Source: Security Affairs

Cisco Talos identified eight vulnerabilities in Microsoft apps for macOS that could allow attackers to exploit app permissions and access sensitive data. These flaws enable malicious injection into Microsoft applications, potentially granting unauthorized access to resources like the microphone, camera, and screen recording. The vulnerabilities affect Microsoft Office apps (Word, Outlook, Excel, PowerPoint) and Microsoft Teams apps (main app, WebView.app, and modulehost.app). Despite the risks, Microsoft considers these issues low-risk and has only patched some of the affected applications. The flaws exploit the Transparency, Consent, and Control (TCC) framework’s weaknesses, particularly in apps using the com.apple.security.cs.disable-library-validation entitlement, which may undermine macOS’s hardened runtime security.
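The defender-side question this item raises is which installed apps combine TCC-protected access (camera, microphone, contacts) with the com.apple.security.cs.disable-library-validation entitlement that lets code from another signer be loaded into the process. The following is an added audit example, not code from Talos, Microsoft or the article: it assumes each app's entitlements have already been exported as an XML plist (for example with `codesign -d --entitlements :- /Applications/<App>.app`), parses them with the standard library, and ranks apps by risk. The two plists below are constructed for the example and do not describe any real application.

```python
import plistlib

# Constructed entitlement plists in the XML form codesign can display. App names and
# entitlement sets are invented; they do not describe any real Microsoft or other app.
HARDENED_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""

WEAKENED_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict>
</plist>
"""

# Entitlements that correspond to TCC-protected resources, mapped to a readable label.
TCC_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
}

# Hardened-runtime opt-outs that let foreign code into the process and so inherit its TCC grants.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
ALLOW_DYLD = "com.apple.security.cs.allow-dyld-environment-variables"
WEAKENING = (DISABLE_LV, ALLOW_DYLD)

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def assess(entitlements_xml):
    """Parse one app's entitlements and report its TCC access, any weakening opt-outs, and a risk level."""
    ent = plistlib.loads(entitlements_xml)
    tcc = sorted(label for key, label in TCC_ENTITLEMENTS.items() if ent.get(key) is True)
    weak = [key for key in WEAKENING if ent.get(key) is True]
    if weak and tcc:
        risk = "high"      # injected code could use the app's camera/microphone/contacts grants
    elif weak:
        risk = "medium"    # injection possible, but no TCC-protected resource to inherit
    else:
        risk = "low"
    return {"tcc_access": tcc, "weakening": weak, "risk": risk}


def audit(apps):
    """Assess a {app_name: entitlements_xml} mapping and return (name, assessment) rows, highest risk first."""
    rows = [(name, assess(xml)) for name, xml in apps.items()]
    return sorted(rows, key=lambda row: (RISK_ORDER[row[1]["risk"]], row[0]))


if __name__ == "__main__":
    for name, a in audit({"HardenedApp.app": HARDENED_APP, "WeakenedApp.app": WEAKENED_APP}):
        print(f"{a['risk']:6} {name}: tcc={a['tcc_access']} weakening={a['weakening']}")
```

A "high" row is the case the Talos research describes: the entitlement alone is not a vulnerability, but combined with camera or microphone access it means any library the app can be made to load runs with that consent already granted.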


SPECIAL REPORTS

A Third of Organizations Suffered a SaaS Data Breach This Year

Source: Help Net Security

Despite increased awareness of SaaS security, a third of organizations experienced a SaaS data breach in 2024. Decentralization of SaaS adoption has led to confusion over security responsibilities, with many organizations unaware of the full extent of their SaaS usage and risks. Although 90% of organizations have policies to ensure that only sanctioned apps are used, enforcement is lacking, and many SaaS apps are integrated without adequate security vetting.


Active Ransomware Groups Surge by 56% in 2024

Source: Infosecurity Magazine

In the first half of 2024, the number of active ransomware groups surged by 56%, with 73 groups in operation compared to 46 in H1 2023, according to a Searchlight Cyber report. This fragmentation follows law enforcement crackdowns on major ransomware-as-a-service (RaaS) groups and the disappearance of BlackCat. Smaller, less-known groups are now rapidly emerging and launching targeted attacks. Notably, LockBit remained the most prominent group with 434 victims, while RansomHub, a new entrant, became the third most active. Despite the rise in active groups, the overall number of ransomware victims decreased.

Finding value in this newsletter? Like or share this post on LinkedIn

Mark Yoshikawa

Freelance Cloud Security Architect | Strategic Innovator | Technical Leader

2 months

Love your CISO Daily Update(s). Interestingly I'll be at the Hyatt Centric until Friday and another week still in Chicago for vacation... please keep up the good work and how I could help. Have a good day!
