GitHub artifact warning, RansomHub’s EDR killer, SolarWinds latest hotfix

In today’s cybersecurity news…

GitHub vulnerability warning regarding ArtiPacked

Researchers at Palo Alto Networks have described a new attack vector, called ArtiPacked, that could be exploited to take over repositories and gain access to organizations’ cloud environments. The vulnerability stems from leaked artifacts, which are normally a helpful GitHub feature for sharing data between jobs in a workflow. Palo Alto Networks says, “a combination of misconfigurations and security flaws can make artifacts leak tokens, both of third-party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume.”

(The Hacker News)
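The practical defence against the leak described above is to check what a workflow is about to upload before it becomes an artifact. The following is an added example, not code from the original item or from Palo Alto Networks: a small pre-upload scanner that walks a staged artifact directory and flags the kinds of credential material named in the report (GitHub tokens, a persisted git auth header, a third-party cloud key). The token patterns and the layout of the constructed sample directory are assumptions made for the example; the dummy header value and key are not real credentials.

```python
import re
import tempfile
from pathlib import Path

# Credential material that should never ship inside a CI artifact. Assumption:
# these three patterns (GitHub token prefixes, a git auth header persisted by a
# checkout step, AWS access key IDs) are illustrative; extend for other providers.
SECRET_PATTERNS = {
    "github_token": re.compile(
        r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b"
    ),
    "git_auth_header": re.compile(
        r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+\S+", re.IGNORECASE
    ),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def scan_artifact(root):
    """Walk a staged artifact directory and return sorted (relative_path, finding) pairs.

    Run this over the exact directory a workflow is about to upload; a non-empty
    result means the artifact would hand a token to anyone who can read the repo.
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):  # pathlib's "*" also matches dotfiles such as .git/config
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append((path.relative_to(root).as_posix(), name))
    return sorted(findings)


def build_sample_artifact():
    """Construct a throwaway directory shaped like 'upload the whole workspace'.

    Every file and value here is constructed for the example; the dummy header
    value and key are not real credentials.
    """
    root = Path(tempfile.mkdtemp(prefix="artifact-"))
    (root / ".git").mkdir()
    # A checkout step that persists credentials leaves the auth header in .git/config.
    (root / ".git" / "config").write_text(
        '[http "https://github.com/"]\n'
        "\textraheader = AUTHORIZATION: basic Q09OU1RSVUNURUQtRFVNTVktVkFMVUU=\n"
    )
    (root / ".env").write_text("AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00\n")
    (root / "build").mkdir()
    (root / "build" / "app.log").write_text("token=ghp_" + "A" * 36 + "\n")
    (root / "README.md").write_text("Nothing secret here.\n")
    return root


if __name__ == "__main__":
    staged = build_sample_artifact()
    for rel_path, finding in scan_artifact(staged):
        print(f"{finding:18} {rel_path}")
```

The scanner reports three hits on the constructed tree (the `.env` key, the git auth header, and the token in the build log) and nothing for the README. Wiring a check like this in as a workflow step that fails the job on any finding, and uploading only the specific build outputs rather than the whole workspace, removes the class of leak the report describes.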

RansomHub affiliate launches new EDR-killing tool

With the appealing name of EDRKillShifter, this tool, deployed by a ransomware group linked to RansomHub, has been designed to terminate endpoint detection and response (EDR) software on compromised hosts. As such it joins the ranks of tools like AuKill, also known as AvNeutralizer, and Terminator. Cybersecurity company Sophos discovered this new tool while researching a failed ransomware attack that occurred in May 2024. The malware’s binary language property is in Russian. Sophos recommends enabling tamper protection in EDR software, and practicing strong hygiene for Windows security roles, as the “attack is only possible if the attacker escalates privileges they control.”

(The Hacker News)

SolarWinds issues hotfix for web help desk vulnerability

An advisory issued by SolarWinds describes this as a “Java deserialization remote code execution (RCE) issue” (CVE-2024-28986) with a CVSS score of 9.8; it could allow attackers to run arbitrary commands on the host machine. The issue affects Web Help Desk versions 12.4 to 12.8. SolarWinds recommends that “all customers upgrade to Web Help Desk 12.8.3, download the hotfix from the SolarWinds Customer Portal, and install it as soon as possible.”

(Security Week)

Texas Attorney General sues GM for sale of driver data

Texas AG Ken Paxton has filed suit in the state district court of Montgomery County for “false, deceptive, and misleading business practices.” His statement accuses General Motors of selling consumers “a comprehensive surveillance system that unlawfully records information about every drive they take and sells their data to any company willing to pay for it.” According to Politico, this is the first state lawsuit against an automaker for privacy violations. TechDirt does hasten to point out that both Republican and Democrat legislators have historically fought against passing comprehensive federal or state privacy protections that might have protected consumers from this type of exploitation.

(TechDirt)

Thanks to today’s episode sponsor, ThreatLocker


Biotech company pays states $4.5 million over breached data

Enzo made the payment to New York, New Jersey, and Connecticut as a result of “failing to protect the diagnostic test information and personal data of nearly 2.5 million people.” The action stems from a ransomware attack that occurred in April 2023. An investigation led by New York’s Office of the Attorney General found that the attackers accessed the company’s networks through employee login credentials that had been shared between five Enzo employees, one of which had not been changed in ten years. The company also did not use multi-factor authentication for remote access to email, the investigators said.

(The Record)

SystemBC malware reappears in Black Basta malware campaign

According to researchers at Rapid7, the Black Basta ransomware operation is using a social engineering technique of broadcasting an email bomb and then calling targeted users, “often via Microsoft Teams, to offer a fake solution,” at which point they trick users into installing AnyDesk, giving the attackers remote control of their computers. This lets them install the credential-harvesting tool AntiSpam.exe, which pretends to be a spam filter updater. The researchers recommend mitigating the threat by blocking all unapproved remote monitoring and management solutions.

(Security Week)
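Rapid7’s recommendation above, blocking unapproved remote monitoring and management (RMM) tools, turns into a detection once an organisation has written down which RMM products it actually sanctions. The following is an added example, not code from the original item or from Rapid7: an allowlist check run over constructed process-creation records that raises an alert when a known RMM binary outside the approved set (here AnyDesk) or the lure binary name from the write-up (AntiSpam.exe) executes. The list of RMM executables, the choice of ScreenConnect as the approved product, and the sample telemetry are all assumptions made for the example.

```python
import csv
import io
from collections import namedtuple

# Executable names mapped to the RMM product they belong to. Assumption: an
# illustrative subset; a production list is much longer and maintained centrally.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
}

# Policy: the RMM products the help desk is sanctioned to run. Assumption for
# this example: only ScreenConnect is approved, so AnyDesk is unapproved.
APPROVED_RMM = {"ScreenConnect"}

# Lure binary name reported in the campaign (AntiSpam.exe posing as a spam-filter updater).
LURE_NAMES = {"antispam.exe"}

Alert = namedtuple("Alert", "time host user image reason")


def evaluate_event(event):
    """Classify one process-creation record (dict with time/host/user/image keys).

    Returns an Alert for an unapproved RMM binary or a known lure name, else None.
    """
    image = event["image"]
    basename = image.replace("\\", "/").rsplit("/", 1)[-1]
    name = basename.lower()
    product = RMM_BINARIES.get(name)
    if product is not None and product not in APPROVED_RMM:
        return Alert(event["time"], event["host"], event["user"], image,
                     f"unapproved RMM: {product}")
    if name in LURE_NAMES:
        return Alert(event["time"], event["host"], event["user"], image,
                     f"lure binary name: {basename}")
    return None


def detect(csv_text):
    """Run evaluate_event over CSV process-creation records; return the alerts in order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [alert for alert in (evaluate_event(row) for row in reader) if alert]


# Constructed sample telemetry (not real logs): one user-installed AnyDesk, the
# lure binary, the sanctioned ScreenConnect client, and a benign process.
SAMPLE_EVENTS = r"""time,host,user,image
2024-05-10T09:12:03Z,WS-17,jdoe,C:\Users\jdoe\Downloads\AnyDesk.exe
2024-05-10T09:15:41Z,WS-17,jdoe,C:\Users\jdoe\AppData\Local\Temp\AntiSpam.exe
2024-05-10T09:20:00Z,WS-22,helpdesk,C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe
2024-05-10T09:21:10Z,WS-22,helpdesk,C:\Windows\System32\notepad.exe
"""


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.time} {alert.host} {alert.user}: {alert.reason} ({alert.image})")
```

On the sample records the check produces two alerts, both on the workstation where the user was talked into installing AnyDesk, and stays silent for the sanctioned ScreenConnect client. The same allowlist is what an application-control or EDR policy should enforce at execution time; the detection is the safety net for hosts where that policy is missing or has been bypassed.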

Massive cyberattack hits Central Bank of Iran and other Iranian banks

News agency Iran International has reported a massive cyberattack that disrupted the operations of the Central Bank of Iran (CBI) along with several other banks in the country, disabling many banks’ computer systems. As reported in Security Affairs, “this incident coincides with intensified international scrutiny of Iran’s operations in the Middle East,” amid announcements from Tehran regarding attacks on Israel as well as its widely reported attempts to influence the upcoming U.S. presidential election. According to the news agency, this is one of the largest cyberattacks on Iran’s state infrastructure to date.

(Security Affairs)

Kim Dotcom to be extradited from New Zealand

After a 12-year fight, the infamous Kim Dotcom is being extradited to the U.S. to face criminal charges relating to the operations of his now-closed file-sharing website Megaupload. Dotcom, whose real name is Kim Schmitz, holds Finnish and German nationalities and has been living in New Zealand; he has faced numerous charges since the mid-1990s for computer fraud, data espionage, and many other nefarious activities. U.S. authorities say, “Dotcom and three other Megaupload executives cost film studios and record companies more than $500 million by encouraging paying users to store and share copyrighted material, which generated more than $175 million in revenue for the website.”

(Reuters)
