Cybersecurity News & Updates - September, 2024
Inspirisys Solutions Limited (a CAC Holdings Group Company)
Check out the latest updates on high vulnerabilities, data breaches and ransomware attacks.
High Vulnerabilities
As of August 2024, 52,000 new Common Vulnerabilities and Exposures (CVEs) have been identified worldwide, surpassing the previous record of 29,000 reported in 2023.
A critical vulnerability in NVIDIA Container Toolkit impacts all AI applications in a cloud or on-premise environment that rely on it to access GPU resources.
The security issue is tracked as CVE-2024-0132 and allows an adversary to perform container escape attacks and gain full access to the host system, where they could execute commands or exfiltrate sensitive information.
The particular library comes pre-installed in many AI-focused platforms and virtual machine images and is the standard tool for GPU access when NVIDIA hardware is involved.
According to Wiz Research, more than 35% of cloud environments are at risk of attacks exploiting the vulnerability.
Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild.
The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0.
"Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality," the company said in a Thursday bulletin.
It also noted that the flaw could be chained with CVE-2024-8190 (CVSS score: 7.2), permitting an attacker to bypass admin authentication and execute arbitrary commands on the appliance.
We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining. Confluence has already released a security advisory detailing the fixes necessary for all affected products, namely all versions of Confluence Server and Confluence Data Center. If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment of information stealers, remote access trojans (RATs), and ransomware. Users and organisations are advised to upgrade to the fixed versions, apply the available patches, or apply temporary fixes as soon as possible to mitigate the risks of abuse.
The vulnerability can be exploited by sending a specially crafted HTTP request containing an Object-Graph Navigation Language (OGNL) expression in the HTTP request Uniform Resource Identifier (URI) to the victim server, resulting in an RCE.
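Because the expression travels in the request URI, web-server access logs are a practical place to look for exploitation attempts against unpatched Confluence instances. The following added example (not code from the page's sources or from Atlassian) parses a few constructed Combined Log Format lines, URL-decodes each request path more than once so that double-encoded payloads are not missed, and flags any path that contains the `${` expression marker OGNL uses. The log lines, IP addresses and expression bodies are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
# Line 2 carries a URL-encoded "${...}" in the path, line 4 a double-encoded one.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Sep/2024:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Sep/2024:10:01:05 +0000] "GET /%24%7B%28%23a%3D1%29%7D/ HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.9 - - [26/Sep/2024:10:01:07 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.12 - - [26/Sep/2024:10:01:09 +0000] "GET /%2524%257B%2528%2523b%253D2%2529%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expressions are delimited by "${" ... "}"; that opening token is the marker.
OGNL_MARKER = "${"


def decode_path(path: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so that double-encoded payloads surface."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_access_log(text: str) -> list[dict]:
    """Return one record per request whose decoded path contains an OGNL marker."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than failing the whole scan
        decoded = decode_path(match.group("path"))
        if OGNL_MARKER in decoded:
            hits.append({
                "line": lineno,
                "ip": match.group("ip"),
                "timestamp": match.group("ts"),
                "path": decoded,
                "status": int(match.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} -> {hit['path']} ({hit['status']})")
```

The bounded decode loop matters: a single `unquote` would leave the fourth line looking like an ordinary encoded path. In production the same check belongs in a log-pipeline rule, and any hit on a Confluence host that has not been upgraded to a fixed version should be treated as a possible compromise, not just a scan.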
A new set of vulnerabilities were discovered in a common component of Linux systems.
Researcher Simone Margaritelli disclosed four vulnerabilities in the Common Unix Printing System (CUPS) that could allow for remote code execution.
Dating back to the days of Unix systems, CUPS functions as the common interface for linking computers with printers. It made its way into Unix and is now a common component in everything from servers to PCs.
“A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” Margaritelli explained.
A now-patched security vulnerability in OpenAI's ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool's memory.
The technique, dubbed SpAIware, could be abused to facilitate "continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions," security researcher Johann Rehberger said.
The issue, at its core, abuses a feature called memory, which OpenAI introduced earlier this February before rolling it out to ChatGPT Free, Plus, Team, and Enterprise users at the start of the month.
What it does is essentially allow ChatGPT to remember certain things across chats so that it saves users the effort of repeating the same information over and over again. Users also have the option to instruct the program to forget something.
Ransomware Attacks
In 2024, 59% of organizations faced ransomware attacks, marking a slight decrease from the 66% reported in each of the previous two years.
The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks.
The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from on-premises to cloud environments, ultimately resulting in data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment, Microsoft said.
"Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations," according to the tech giant's threat intelligence team.
Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware before evolving into a ransomware-as-a-service (RaaS) affiliate delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.
An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2).
Web infrastructure and security company Cloudflare is tracking the activity under the name SloppyLemming, which is also called Outrider Tiger and Fishing Elephant.
"Between late 2022 to present, SloppyLemming has routinely used Cloudflare Workers, likely as part of a broad espionage campaign targeting South and East Asian countries," Cloudflare said in an analysis.
SloppyLemming is assessed to be active since at least July 2021, with prior campaigns leveraging malware such as Ares RAT and WarHawk, the latter of which is also linked to a known hacking crew called SideWinder. The use of Ares RAT, on the other hand, has been attributed to SideCopy, a threat actor likely of Pakistani origin.
Seattle library officials said they expect to pay about $800,000 on consultant fees and $200,000 on extra IT costs by the end of the year.
By the end of the year, officials from Seattle’s Public Library said, they will have spent about $1 million on the response to a May ransomware attack.
The extent of the attack, which took down the public library’s systems, internet, public computers and library catalog at all 27 locations throughout the city, is still under investigation, The Seattle Times reported. During a library board of trustees meeting last Thursday, the library’s director of administrative services, Rob Gannon, said the library will have spent about $800,000 on consultant fees and $200,000 on extra IT costs by the end of the year in responding to the attack.
Threat actors linked to the RansomHub ransomware group have encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said.
The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure.
"RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV)," government agencies said.
American semiconductor supplier Microchip Technology Incorporated has confirmed that employee information was stolen from systems compromised in an August cyberattack, which was later claimed by the Play ransomware gang.
Headquartered in Chandler, Arizona, the chipmaker has around 123,000 customers from multiple industry sectors, including industrial, automotive, consumer, aerospace and defense, communications, and computing markets.
On August 20, Microchip Technology disclosed that operations at multiple manufacturing facilities were affected by a cyberattack discovered on August 17. The incident impacted the company's ability to meet orders and forced it to shut down some of its systems and isolate the affected ones to contain the breach.
One of the largest hospitals in West Texas has been forced to divert ambulances after a ransomware attack shut down many of its systems last Thursday.
The University Medical Center Health System in Lubbock confirmed on Friday that IT outages are being caused by a ransomware incident.
The hospital system said it is “temporarily diverting incoming emergency and non-emergency patients via ambulance to nearby health facilities until access to our systems is restored.”
“Third-parties that have helped other hospitals address similar issues have been engaged to assist in our response and investigation,” the hospital said.
The team responsible for the recovery effort could not provide a timeline for when services would be restored.
Experts were alarmed by the announcement, noting that UMC is the only level 1 trauma center within 400 miles.
Data Breaches
The average duration of a breach, from detection to containment, is 292 days.
China-linked threat actors have breached several U.S. internet service providers in recent months as part of a cyber espionage campaign code-named Salt Typhoon.
The state-sponsored hackers aimed at gathering intelligence from the targets or carrying out disruptive cyberattacks.
The Wall Street Journal reported that experts are investigating the breach to determine whether the attackers gained access to Cisco Systems routers, which are core network components of the ISP infrastructures.
A Cisco spokeswoman confirmed the investigation and said that “at this time, there is no indication that Cisco routers are involved” in the Salt Typhoon activity.
The cyber campaign is attributed to the China-linked APT group Salt Typhoon, which is also known as FamousSparrow and GhostEmperor.
Singaporean crypto platform BingX said Friday that more than $44 million was stolen from its platform in a cyberattack.
Blockchain security firms began seeing millions flow out of the platform Thursday night before the company posted a message on social media about a shutdown related to “wallet maintenance.” The company quickly released a longer statement saying the disruption was triggered after the company “detected abnormal network access, potentially indicating a hacker attack on BingX's hot wallet.”
Mobile users in Brazil are the target of a new malware campaign that delivers a new Android banking trojan named Rocinante.
"This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks," Dutch security company ThreatFabric said.
"Finally, it can use all this exfiltrated information to perform device takeover (DTO) of the device, by leveraging the accessibility service privileges to achieve full remote access on the infected device."
A new variant of the RomCom malware called SnipBot has been used in attacks that pivot on the network to steal data from compromised systems.
Palo Alto Networks' Unit 42 researchers discovered the new version of the malware after analyzing a DLL module used in SnipBot attacks.
The latest SnipBot campaigns appear to target a variety of victims across various sectors, including IT services, legal, and agriculture, to steal data and pivot on the network.
The U.S. Centers for Medicare and Medicaid Services has updated the scope of the MOVEit hacking breach last year, telling a sister agency that the software supply chain attack affected more than 3.1 million individuals - about three times the number of victims disclosed publicly earlier this month.
CMS - a unit of the U.S. Department of Health and Human Services - reported the hacking incident on Sept. 6 to another agency of HHS - the Office for Civil Rights, which enforces HIPAA - as affecting 3,112,815 people.
But that same day, CMS issued a joint press release with Wisconsin Physicians Service Insurance Corp., saying they were notifying nearly 947,000 individuals that their protected health information was breached in the 2023 MOVEit attack.
Disney is reportedly phasing out its use of Slack following a significant data breach, with plans to migrate over to Microsoft Teams for internal communications and collaboration.
The move comes after a July incident where hackers accessed Disney’s internal Slack archives to leak 1.1TB of sensitive information, exposing confidential company messages, project details and employee information.
According to an internal memo seen by Business Insider, the California-based media and entertainment company plans to transition to Teams by the end of Q2 2025.
Why wait for a cyber attack to expose your weaknesses? Our Vulnerability Assessment and Penetration Testing (VAPT) services offer deep-dive assessments of your network, applications, and systems, uncovering vulnerabilities that hackers could exploit. Stay ahead of potential cyber threats and safeguard your critical assets.
Take the first step in fortifying your security by booking a VAPT consultation now!