Cybersecurity News & Updates - July, 2024
Inspirisys Solutions Limited (a CAC Holdings Group Company)
Check out the latest updates on high vulnerabilities, data breaches and ransomware attacks.
High Vulnerabilities
SQL Injection has remained the most common critical-severity vulnerability in web applications since 2022, confirming its position as a primary threat vector. Of all the vulnerabilities detected, 19.47% were classified as high or critical severity.
Docker is warning of a critical flaw impacting certain versions of Docker Engine that could allow an attacker to sidestep authorization plugins (AuthZ) under specific circumstances.
Tracked as CVE-2024-41110, the bypass and privilege escalation vulnerability carries a CVSS score of 10.0, indicating maximum severity.
"An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly," the Moby Project maintainers said in an advisory.
Docker said the issue is a regression: it was originally discovered in 2018 and addressed in Docker Engine v18.09.1 in January 2019, but the fix was never carried over to subsequent versions (19.03 and later).
Cybersecurity researchers at Wiz uncovered five security flaws, collectively tracked as SAPwned, in the SAP AI Core cloud-based platform. An attacker can exploit the flaws to obtain access tokens and customer data.
SAP AI Core, developed by SAP, is a cloud-based platform providing the essential infrastructure and tools for constructing, managing, and deploying predictive AI workflows.
The researchers focused on the security risks associated with AI training services that require access to sensitive customer data. The security firm found that by running legitimate AI training procedures that executed arbitrary code, they could gain extensive access to customers' private data and credentials across various cloud services. The researchers demonstrated that they could read and modify Docker images and artifacts, and gain administrator privileges on SAP's Kubernetes cluster. These vulnerabilities potentially allowed attackers to access and contaminate customer environments and related services.
If your WordPress website is running the Modern Events Calendar plugin, make sure to update immediately, since it carries a high-severity vulnerability that can be abused for full website takeover. To make matters worse, researchers are saying that hackers are already abusing the flaw in the wild.
Cybersecurity researcher Friderika Baranyai first discovered the issue in late May 2024 during the Wordfence Bug Bounty Extravaganza. It is described as a missing file type validation bug, now tracked as CVE-2024-5441. It carries a severity score of 8.8 (high).
As explained by WordPress security group Wordfence, the plugin lacks file type validation in the 'set_featured_image' function, which is used to upload and set featured images for events. Because the plugin does not check what kind of file is being uploaded, malicious actors can upload harmful .PHP files as well, which could lead to complete site takeover. Any authenticated user, including subscribers and registered members, can take advantage of the flaw.
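To make the missing-validation class of bug concrete, here is an added illustration written for this note (not the Modern Events Calendar plugin's own code) contrasting an upload handler with no file type check against a hardened one built on WordPress core APIs; function names, the form field name and the nonce action are hypothetical.

```php
<?php
// Illustrative handlers only (constructed for this note, not the Modern Events
// Calendar plugin's code). The first shows the class of defect described above;
// the second shows the checks a hardened featured-image upload should perform.

// UNSAFE: no capability check and no file type validation, so any logged-in
// user can place a .php file under the web root.
function demo_set_featured_image_unsafe( $event_id ) {
    $file = $_FILES['featured_image'];
    $dest = wp_upload_dir()['basedir'] . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );
    update_post_meta( $event_id, '_demo_featured_image', $dest );
}

// HARDENED: capability and nonce checks, content-based type validation, and
// WordPress core's own upload pipeline.
function demo_set_featured_image_safe( $event_id ) {
    // 1. Only users allowed to upload media and to edit this event.
    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_post', $event_id ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    // 2. CSRF protection for the form submission (nonce action name is hypothetical).
    check_admin_referer( 'demo_set_featured_image', '_demo_nonce' );
    if ( empty( $_FILES['featured_image']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }
    $file    = $_FILES['featured_image'];
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );
    // 3. Validate extension AND content (magic bytes): rejects a .php upload
    //    and also a PHP file renamed with an image extension.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG or GIF images are accepted.' );
    }
    // 4. Let core move the file: it sanitises the name and enforces the allow-list again.
    $upload = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $upload['error'] ) ) {
        return new WP_Error( 'upload_failed', $upload['error'] );
    }
    // 5. Register the image as an attachment and set it as the event thumbnail.
    $attachment_id = wp_insert_attachment(
        array( 'post_mime_type' => $upload['type'], 'post_title' => sanitize_file_name( $file['name'] ), 'post_status' => 'inherit' ),
        $upload['file'],
        $event_id
    );
    set_post_thumbnail( $event_id, $attachment_id );
    return $attachment_id;
}
```

Step 3 is the check the advisory says was missing; steps 1 and 2 address the "any authenticated user" aspect, since a subscriber normally lacks the upload_files capability.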
Threat actors are exploiting the massive business disruption caused by CrowdStrike's faulty update on Friday to target companies with data wipers and remote access tools.
As businesses are looking for assistance to fix affected Windows hosts, researchers and government agencies have spotted an increase in phishing emails trying to take advantage of the situation.
Ransomware Attacks
In 2024, about 65% of financial organizations globally reported ransomware attacks, up from 64% in 2023.
MediSecure, an Australian prescription delivery service provider, revealed that roughly 12.9 million people had their personal and health information stolen in an April ransomware attack.
The company was forced to shut down its website and phone lines to contain the attack, disclosing it on May 16 as a "cyber security incident."
At the time, the Australian National Cyber Security Coordinator (NCSC), who was helping MediSecure to mitigate the breach, described it as a "large-scale ransomware data breach."
Evolve Bank & Trust has sent notifications to more than 7.6 million individuals that their personal information was compromised in a recent LockBit ransomware attack.
The Arkansas-based financial services organization confirmed the incident on July 1, shortly after the ransomware gang published data allegedly stolen during the attack. The company noted that no ransom was paid, which led to the stolen data being leaked online.
Evolve Bank also said that the attackers exfiltrated personal information such as names, Social Security numbers, bank account numbers, and contact information for most of its personal banking customers and for customers of its Open Banking partners.
A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "several" ransomware groups to gain elevated permissions and deploy file-encrypting malware.
The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host.
"A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD," Broadcom-owned VMware noted in an advisory released in late June 2024.
A hacker working for the North Korean government has been indicted for his alleged role in ransomware attacks on U.S. hospitals and healthcare companies.
A federal arrest warrant was issued on Wednesday for Rim Jong Hyok, an alleged member of the Andariel Unit within the country's intelligence agency, the Reconnaissance General Bureau (RGB).
Rim was identified by several U.S. military agencies as the culprit behind several ransomware attacks using the Maui strain that were conducted in 2021 and 2022. At least one of the attacks targeted a hospital in Kansas, where the warrant for Rim's arrest was issued. The attacks encrypted computers and servers used for medical testing or electronic medical records and disrupted healthcare services.
Pharmacy giant Rite Aid confirmed a data breach after suffering a cyberattack in June, which was claimed by the RansomHub ransomware operation.
Rite Aid is the third-largest drugstore chain in the United States, employing over 6,000 pharmacists (out of a total workforce of over 45,000) in more than 1,700 retail pharmacy stores across 16 states.
The company told BleepingComputer on Friday that it is currently investigating a cyberattack detected in June and is working on sending notifications to customers affected by the resulting data breach.
Data Breaches
35,900,145,035 records breached across 9,478 publicly disclosed incidents to date.
American telecom service provider AT&T has confirmed that threat actors managed to access data belonging to "nearly all" of its wireless customers as well as customers of mobile virtual network operators (MVNOs) using AT&T's wireless network.
"Threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023," it said.
This comprises the telephone numbers with which an AT&T or MVNO wireless number interacted – including telephone numbers of AT&T landline customers and customers of other carriers – along with counts of those interactions and aggregate call duration for a day or month.
The Iranian-backed MuddyWater hacking group has partially switched to using a new custom-tailored malware implant to steal files and run commands on compromised systems.
Dubbed BugSleep, this new backdoor is still actively being developed and was discovered by analysts at Check Point Research while being distributed via well-crafted phishing lures.
The campaign pushes the malware via phishing emails disguised as invitations to webinars or online courses. The emails redirect the targets to archives containing malicious payloads hosted on the Egnyte secure file-sharing platform.
Cisco has issued a patch that fixes a severe password weakness in many versions of its Smart Software Manager On-Prem (Cisco SSM On-Prem), used by a subset of customers to manage product licenses using an on-premises server.
The company is vague about the details of the vulnerability, identified as CVE-2024-20419 (CWE-620), but it is serious enough to earn a maximum CVSS rating of 10.0.
It does say that the issue lies in the password reset process, which can be exploited in an unspecified way to change this credential and thereby take control of an SSM On-Prem server.
Recreational boat dealer MarineMax is sending data breach notification letters to over 123,000 individuals following a ransomware attack launched against the business in March.
While the Florida-based boat retailer provided no specific details regarding the cybersecurity incident and did not attribute the hack to any threat actor group, the Rhysida ransomware group soon claimed responsibility.
The gang's leak site offers further insight into the attack, showcasing a 225 GB archive containing 204,510 data files that they could not sell.
In a significant blow to data privacy, BMW has reported a major data breach affecting approximately 14,000 customers in Hong Kong. The BMW data breach, first reported to the Office of the Privacy Commissioner for Personal Data on July 18, 2024, has raised serious concerns among affected individuals and prompted an investigation by local privacy authorities.
On Thursday, BMW Concessionaires (HK), the exclusive distributor of BMW vehicles in Hong Kong, revealed that sensitive information belonging to around 14,000 of its customers had been exposed. This includes names, mobile numbers, and SMS opt-out preferences, the South China Morning Post reported. The company disclosed that the compromised data was managed by a third-party contractor, Sanuker, which had alerted both the police and the privacy watchdog about the BMW data leak.