Halliburton suffers cyberattack, Telegram CEO arrested, Georgia Tech lawsuit
In today’s cybersecurity news…
Halliburton takes systems offline following cyberattack
The oil field services company informed regulators and the media on Friday about a recent cyberattack that “necessitated the shut-down of certain systems.” The attack happened on Wednesday and affected operations at its headquarters in Houston. According to the 8-K report submitted on Thursday to the SEC, the company said hackers “gained access to certain of its systems.”
French police arrest Telegram CEO Pavel Durov
Durov, the 39-year-old billionaire, who founded Telegram in 2013, was detained after his private jet had landed at Le Bourget Airport, north of Paris, according to French media. The arrest was in relation to Telegram’s moderators, with Durov being accused of “failing to take steps to curb criminal uses” of the app. The app company itself has been accused of “failure to cooperate with law enforcement over drug trafficking, child sexual content, and fraud.” Durov’s lawyer calls the arrest “absolutely ridiculous,” and calls the accusations “similar to blaming a car manufacturer for an accident, or for its cars being used for crimes.”
DOJ joins suit against Georgia Tech over Defense Department cybersecurity failures
The Justice Department has announced it has joined a whistleblower lawsuit over “claims that the Georgia Institute of Technology shirked its cybersecurity obligations in contracts with the U.S. Department of Defense.” The lawsuit was originally filed by current and former members of Georgia Tech’s cybersecurity team. U.S. prosecutors are referring to Georgia Tech’s activities as “flagrant disregard for federal cybersecurity rules that came [with] Department of Defense and Air Force contracts.” For its part, Georgia Tech states that the government told the school that “the research did not require cybersecurity restrictions, and in addition, there was no breach of information, and no data leaked.”
Thanks to today’s episode sponsor, Scrut Automation
New Linux malware deploys credit card skimmers
Researchers at Aon’s Stroz Friedberg incident response services team have discovered a new strain of Linux malware that can achieve persistence on infected systems in order to hide credit card skimmer code. Named sedexp by the researchers, the malware makes use of udev rules to maintain persistence. Udev provides a mechanism to identify devices based on their properties and to configure rules that respond when there is a change in device state, such as a device being plugged in or removed. It is then able to “hide credit card scraping code on a web server,” suggesting its owners are financially motivated.
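Because udev executes whatever a rule’s RUN or PROGRAM directive names every time a matching device event fires, the rule files under the standard udev directories are a place defenders should baseline. The auditor below is an added illustration written for this article; it is not code from the original story, from Stroz Friedberg, or from the sedexp sample. It parses rule files for RUN/PROGRAM directives and flags commands that invoke a shell, run from world-writable paths, or call download or networking tools. The list of suspicious tokens is my own assumption about what deserves a human look, and the sample rules embedded in the script are constructed for the demonstration, not taken from any real system.

```python
"""Audit udev rule files for RUN/PROGRAM directives that could act as a persistence hook.

Added example, not code from the article or from the researchers it cites.
"""
import re
from pathlib import Path

# Standard locations udev reads rules from (later directories have lower precedence).
UDEV_RULE_DIRS = (
    "/etc/udev/rules.d",
    "/run/udev/rules.d",
    "/usr/lib/udev/rules.d",
    "/lib/udev/rules.d",
)

# RUN+="...", RUN{program}+="...", PROGRAM="..." (value is a double-quoted string).
DIRECTIVE_RE = re.compile(
    r'\b(RUN|PROGRAM)\s*(?:\{[^}]*\})?\s*(\+=|=)\s*"((?:[^"\\]|\\.)*)"'
)

# Assumed indicators worth reviewing: interactive shells, scratch/world-writable
# directories, download or network tooling, and backgrounding constructs.
SUSPICIOUS_RE = re.compile(
    r"(/bin/sh|/bin/bash|/bin/dash|\bsh\b\s+-c|\bbash\b\s+-c"
    r"|/tmp/|/dev/shm/|/var/tmp/"
    r"|\bcurl\b|\bwget\b|\bnc\b|\bpython|\bperl\b|\bbase64\b|\bnohup\b|&)"
)

# Constructed sample rules for the demonstration; not rules from a real host.
SAMPLE_RULES = """\
# constructed sample rule file
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="046d", RUN+="/usr/lib/udev/keyboard-setup"
KERNEL=="sd*", RUN+="/bin/sh -c 'nohup /tmp/.update >/dev/null 2>&1 &'"
ACTION=="remove", SUBSYSTEM=="block", PROGRAM="/usr/bin/udevadm info %p"
"""


def parse_rule_line(line):
    """Return [(directive, command), ...] found on one rule line; comments yield nothing."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    return [(m.group(1), m.group(3)) for m in DIRECTIVE_RE.finditer(stripped)]


def audit_rules_text(text, source="<inline>"):
    """Scan rule text and return a list of findings for directives matching SUSPICIOUS_RE."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for directive, command in parse_rule_line(line):
            hit = SUSPICIOUS_RE.search(command)
            if hit:
                findings.append({
                    "source": source,
                    "line": lineno,
                    "directive": directive,
                    "command": command,
                    "reason": hit.group(0),
                })
    return findings


def audit_rule_dirs(dirs=UDEV_RULE_DIRS):
    """Walk the udev rule directories that exist on this host and audit every *.rules file."""
    findings = []
    for d in dirs:
        path = Path(d)
        if not path.is_dir():
            continue
        for rule_file in sorted(path.glob("*.rules")):
            try:
                text = rule_file.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole audit
            findings.extend(audit_rules_text(text, str(rule_file)))
    return findings


def format_finding(f):
    return f'{f["source"]}:{f["line"]} {f["directive"]} -> {f["command"]!r} (matched: {f["reason"]!r})'


if __name__ == "__main__":
    print("Sample rules:")
    for f in audit_rules_text(SAMPLE_RULES, "sample.rules"):
        print("  " + format_finding(f))
    print("Live host:")
    live = audit_rule_dirs()
    for f in live:
        print("  " + format_finding(f))
    if not live:
        print("  no flagged directives")
```

On the constructed sample only the `/bin/sh -c ... /tmp/.update` rule is reported; the vendor keyboard helper and the `udevadm` call pass. On a real host expect some noise from distribution-shipped rules: pair each hit with the package that owns the file (for example `dpkg -S` or `rpm -qf`) and treat rules that no package owns, or that were modified after install, as the ones to investigate first.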
CISA adds Versa Director bug to its KEV catalog
The Versa Director Dangerous File Type Upload Vulnerability “resides in the Change Favicon feature in Versa Director’s GUI; it allows administrators with specific privileges to upload a malicious file disguised as a PNG image.” Exploitation requires successful authentication by a user with the necessary privileges. Versa Director is a virtualization and service creation platform that simplifies the design, automation, and delivery of Secure Access Service Edge services, called SASE for short. Its placement in the Known Exploited Vulnerabilities catalog means federal agencies must fix this vulnerability by September 13.
Hackers using AppDomain Injection to drop Cobalt Strike beacons
The technique behind this attack, which has been around since 2017, is being observed by researchers at Japan’s NTT Group. They are describing a wave of attacks that started in July 2024 and which use a technique called AppDomain Manager Injection, which can weaponize any Microsoft .NET application on Windows. The attacks have currently resulted in deployment of Cobalt Strike beacons targeting government agencies in Taiwan, the military in the Philippines, and energy organizations in Vietnam. No definitive attribution has been made regarding who is behind the attacks, but current thinking suggests the Chinese state-sponsored threat group APT 41, due to the pairing of AppDomainManager Injection with the GrimResource cross-site scripting (XSS) attack technique.
New Qilin ransomware attack uses VPN creds to steal personal data from Chrome
Researchers at Sophos say this technique could have what they call cascading consequences. The specific attack, observed in July 2024, started with infiltration of a target network using compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). “Once the attacker reached the domain controller in question, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO). This enabled them to trigger a credential-harvesting script on their systems. The theft of credentials stored in the Chrome browser means that affected users are now required to change their username-password combinations for every third-party site.”