Cybersecurity News & Updates - October, 2024
Inspirisys Solutions Limited (a CAC Holdings Group Company)
Experience Possibilities
Check out the latest updates on high vulnerabilities, data breaches and ransomware attacks.
High Vulnerabilities
Do high vulnerabilities always make organizations easy targets? Not necessarily! Attackers often prioritize targets based on the value of assets, not just vulnerabilities. Even those with low vulnerabilities can be targeted if they hold valuable data or resources.
A new attack technique could be used to bypass Microsoft's Driver Signature Enforcement (DSE) on fully patched Windows systems, leading to operating system (OS) downgrade attacks.
"This bypass allows loading unsigned kernel drivers, enabling attackers to deploy custom rootkits that can neutralize security controls, hide processes and network activity, maintain stealth, and much more," SafeBreach researcher Alon Leviev?said?in a report shared with The Hacker News.
The latest findings build on an?earlier analysis?that uncovered two privilege escalation flaws in the Windows update process (CVE-2024-21302?and?CVE-2024-38202) that could be weaponized to rollback an up-to-date Windows software to an older version containing unpatched security vulnerabilities.
Amazon Web Services has fixed a flaw in its open source Cloud Development Kit that, under the right conditions, could allow an attacker to hijack a user's account completely.
The Cloud Development Kit (CDK) is an open source framework, developed by AWS, that allows developers to define cloud application infrastructure as code using programming languages such as Python, TypeScript, JavaScript, Go and others, and then provision these resources through AWS CloudFormation.
Bug hunters at Aqua?spotted?the CDK issue on June 27, according to the firm's security researchers Ofek Itach and Yakir Kadkoda. About two weeks later, the cloud giant?patched?the flaw with?CDK version v2.149.0.
Cisco announced patches on Wednesday to fix a security vulnerability in its Adaptive Security Appliance (ASA) that is being actively abused and might result in a denial-of-service (DoS) scenario.
The vulnerability, identified as CVE-2024-20481 (CVSS score: 5.8), impacts Cisco Firepower Threat Defence (FTD) software and the Cisco ASA Remote Access VPN (RAVPN) service.
The security vulnerability, which results from resource exhaustion, could be used by remote, unauthenticated attackers to disrupt the RAVPN service.
“An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device,” Cisco?said?in an advisory. “A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device.”
Fortinet publicly disclosed today a critical?FortiManager API vulnerability, tracked as CVE-2024-47575,?that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices.
The company privately warned FortiManager customers about the flaw starting October 13th in advanced notification emails seen by BleepingComputer that contained steps to mitigate the flaw until a security update was released.
However, news of the vulnerability began leaking online?throughout the week by customers on?Reddit?and by cybersecurity researcher?Kevin Beaumont?on Mastodon, who calls this flaw "FortiJump."
Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials.
Russian cybersecurity company Positive Technologies said it discovered last month an email that was sent to an unspecified governmental organization located in one of the Commonwealth of Independent States (CIS) countries. However, it bears noting that the message was originally sent in June 2024.
"The email appeared to be a message without text, containing only an attached document," it?said?in an analysis published earlier this week.
"However, the email client didn't show the attachment. The body of the email contained distinctive tags with the statement eval(atob(...)), which decode and execute JavaScript code."
A recently disclosed high-severity security flaw (CVE-2024-47374) has been identified in the LiteSpeed Cache plugin for WordPress, affecting all versions up to and including 6.5.0.2. The vulnerability, which carries a CVSS score of 7.2, is classified as a stored cross-site scripting (XSS) issue. This flaw allows attackers to inject arbitrary JavaScript code that could potentially lead to the theft of sensitive information or privilege escalation on affected WordPress sites.
The vulnerability can be exploited via a single HTTP request, even by an unauthenticated user, making it particularly dangerous. It was responsibly disclosed by TaiYou, a researcher from Patchstack Alliance, and fixed in version 6.5.1, released on September 25, 2024. WordPress site owners using the LiteSpeed Cache plugin should update to the latest version as soon as possible to mitigate the risk.
This type of flaw emphasizes the importance of regularly updating plugins and being aware of security advisories.
Ransomware Attacks
Do you think ransomware only affects data on local devices? Think again! Ransomware can spread across networks, impacting not just your local files but also cloud storage, backups, and connected systems, resulting in widespread data loss.
Fog and Akira ransomware operators are increasingly breaching corporate networks through SonicWall VPN accounts, with the threat actors believed to be exploiting CVE-2024-40766, a critical SSL VPN access control flaw.
SonicWall?fixed the SonicOS flaw?in late August 2024, and roughly a week later, it warned that it was already under active exploitation.
At the same time, Arctic Wolf security researchers?reported?seeing Akira ransomware affiliates leveraging the flaw to gain initial access to victim networks.
A?new report by Arctic Wolf?warns that Akira and the Fog ransomware operation have conducted at least 30 intrusions that all started with remote access to a network through SonicWall VPN accounts.
Of these cases,?75%?are linked to Akira, with the rest attributed to Fog ransomware operations.
Infamous cybercrime group Black Basta has enhanced one of its latest techniques for infiltrating organizations, gaining persistent access, and launching?ransomware?campaigns by involving?Microsoft?Teams.
The most recent technique is highly targeted, and involves using social engineering to 'spear-spam' an employee's email inbox with an overwhelming amount of junk, to the point where the inbox simply isn’t usable.
The attackers would then phone the employee and pretend to be the organization’s IT helpdesk, offering assistance with the spam affecting the?video conferencing?platform.
Nidec Corporation is informing that hackers behind a ransomware attack is suffered earlier this year stole data and leaked it on the dark web.
The Japanese tech giant says the threat actors tried to extort the company and decided to leak the information after their demands were not met.
The attack did not encrypt files and the incident?is considered fully remediated at this time. However, Nidec employees, contractors, and associates, should be aware that the leaked data could be used in more targeted phishing attacks.
领英推荐
Nidec Corporation is a global leader in the manufacturing of precision motors, automotive components, industrial parts, home appliance parts, and robotic systems.
It operates in 40 countries, employs 120,000 people, and generates an annual revenue of more than?$11 billion.
Ransomware gang BianLian has listed Boston Children's Health Physicians - a pediatric group that practices in New York and Connecticut - on its dark web site, threatening to release stolen patient and employee data. The practice said the September incident involved an IT vendor.
In a notice posted on its website, Valhalla, N.Y.-based BCHP?said?that on Sept. 6, an unnamed IT vendor informed the pediatric practice that it identified unusual activity in its systems.
"On Sept. 10, 2024, we detected unauthorized activity on limited parts of the BCHP network and immediately initiated our incident response protocols, including shutting down our systems as a protective measure," the practice said.
BCHP's investigation into the incident determined that an "unauthorized third party" gained access to the practice's network on Sept. 10, taking certain files from its network.
The scale of the ransomware problem has grown significantly over the last year, with hundreds of healthcare institutions attacked in the last 12 months, Microsoft reported Tuesday.
In the last fiscal year, 389 U.S.-based healthcare institutions were successfully hit with ransomware, causing “network closures, systems offline, critical medical operations delayed, and appointments rescheduled,” Microsoft said in its annual Digital Defense Report released on Tuesday. The company did not say how many were successfully attacked last year.
The 114-page report assessed cyber trends between July 2023 and June 2024 based on the company’s access to troves of intelligence.
The company’s researchers found that nation-states and cybercriminals have been coordinating their activity to a greater degree than ever before.
They warned that Russia, North Korea and Iran are now deploying ransomware as a way to gain financially from their offensive cyber operations.
Data Breaches
Do you think strong passwords alone can prevent data breaches? Not quite! While they’re important, strong passwords are just one piece of the puzzle. A security strategy also includes multi-factor authentication and regular software updates to keep your data safe.
UnitedHealth has confirmed for the first time that over 100 million people had their personal information and healthcare data stolen in the Change Healthcare ransomware attack, marking this as the largest healthcare data breach in recent years.
In May, UnitedHealth CEO Andrew Witty warned during a congressional hearing that "maybe a third" of all American's health data was exposed in the attack.
A month later, Change Healthcare?published a data breach notification warning that the February ransomware attack on Change Healthcare exposed a "substantial quantity of data" for a "substantial proportion of people in America."
One of the biggest third-party administrators for several large insurance firms said a cyberattack in May exposed the sensitive information of more than 800,000 people.
Landmark Admin told regulators in Maine that names, Social Security numbers and tax identification numbers were accessed by the hackers.
For an unknown subset of people, the breach also exposed driver’s license numbers, passport numbers, bank account information, routing numbers and medical information was also leaked. Health insurance policy information and life and annuity policy information.
Cybersecurity researchers have?disclosed?that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed CosmicSting.
Tracked as?CVE-2024-34102?(CVSS score: 9.8), the?critical flaw?relates to an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming, credited to a researcher named "spacewasp," was patched by Adobe in June 2024.
Dutch security firm Sansec, which has?described?CosmicSting as the "worst bug to hit Magento and Adobe Commerce stores in two years," said the e-commerce sites are being compromised at the rate of three to five per hour.
More than $50 million worth of cryptocurrency was stolen from decentralized finance platform Radiant Capital on Wednesday evening.
In a post-mortem report published on Thursday, Radiant said the attack compromised three developers, all of whom are long-standing, trusted contributors to the platform. The company has marketed itself as a "one-stop shop" money market where users can deposit and borrow cryptocurrencies across different blockchains.
Several security experts said on social media that the hacker gained access to multiple private keys owned by company developers that allowed the threat actor to drain user funds from it.
“These developers used hardware wallets and were geographically distributed, reducing the likelihood of a coordinated physical attack,” the company said.
Hackers found installing malicious plugins on already compromised WordPress sites
A new variant of the infamous ClearFake (AKA ClickFix)?malware?has been detected in the wild, and has already managed to compromise thousands of WordPress?website builder?sites.
Researchers from GoDaddy claim to have spotted a variant of this campaign, which installs malicious plugins. The threat actors would use the credentials stolen elsewhere (or bought on the black market) to log into the website’s WordPress admin account, and install a seemingly benign plugin.
The victims are then enticed to download an update, which is just a piece of malware that steals sensitive data, or does something else but equally sinister.
Threat actors have been exploiting a vulnerability in the Roundcube Webmail client to target government organizations in the Commonwealth of Independent States (CIS) region, the successor of the former Soviet Union.
An attack was discovered by Russian cybersecurity company Positive Technologies in September, but the researchers determined that the threat actor activity had started in June.
Roundcube Webmail is an open-source, PHP-based webmail solution with support for plugins to extend its functionality, that is popular?with commercial and government entities.
The threat actor exploited a?medium-severity?stored XSS (cross-site scripting) vulnerability identified as CVE-2024-37383, which allows the execution of malicious JavaScript code on the Roundcube page when opening a specially crafted email.
The issue is?triggered by improper processing of SVG elements in the email, which bypasses syntax checks?and allows malicious code to be executed on the user's page.
How secure are your systems against today’s evolving threats? Our Vulnerability Assessment and Penetration Testing (VAPT) services provide thorough evaluations of your networks, applications, and systems, pinpointing weaknesses that malicious actors could exploit. Stay one step ahead of potential threats and protect your vital assets with proactive security measures.
Don’t wait for a breach—take action now! Book your VAPT consultation to enhance your security.
Consultant Digital Transformation | Customer Experience | AI/ML |
3 周Very informative