CISO Daily Update - September 17, 2024
NEW DEVELOPMENTS
88,000 Impacted by Access Sports Data Breach Resulting From Ransomware Attack
Source: Security Week
Access Sports Medicine & Orthopaedics disclosed a data breach impacting over 88,000 individuals following a ransomware attack. The breach was discovered on May 10, 2024, and exposed personal, financial, and health information, including Social Security numbers and medical records. The ransomware group Inc Ransom claimed responsibility and leaked the stolen data online.
DeltaPrime Suffers $5.98M Loss as Hacker Exploits Admin Key on Arbitrum
Source: Hackread
DeltaPrime DeFi platform suffered a $5.98 million loss due to a hack involving a compromised private key on its Arbitrum-based protocol DeltaPrime Blue. The attack began on September 16, 2024, and allowed the hacker to drain liquidity pools and upgrade proxy contracts to malicious ones. DeltaPrime confirmed that the breach is limited to Arbitrum, with their Avalanche-based DeltaPrime Red unaffected. The platform is working on asset recovery, insurance coverage for losses, and providing updates to users through social media and Discord.
Advanced Phishing Attacks Put X Accounts at Risk
Source: Infosecurity Magazine
Advanced phishing attacks are compromising X (formerly Twitter) accounts, even those with two-factor authentication (2FA). eSentire’s Threat Research Unit (TRU) discovered that attackers can bypass strong authentication methods, including security keys and passkeys, through adversary-in-the-middle (AiTM) attacks, SIM swapping, or by intercepting authentication codes. High-profile X breaches, including those affecting Sydney Sweeney, the Trumps, and Metallica, were used to promote cryptocurrency scams. Researchers urge the use of robust authentication methods like FIDO2 hardware authenticators and stronger security measures.
US Cracks Down on Spyware Vendor Intellexa With More Sanctions
Source: Bleeping Computer
The U.S. Department of the Treasury sanctioned five executives and one entity tied to the Intellexa Consortium for their role in developing and distributing the Predator spyware that enabled state-sponsored actors to access sensitive information from victims' smartphones through intrusive, one-click or zero-click attacks. This spyware has targeted government officials, journalists, and opposition figures to suppress dissent and monitor activities globally. As a result of these sanctions, all U.S.-based assets linked to the sanctioned individuals and entities are frozen.
Prison Just Got Rougher as Band of Heinously Violent Cybercrims Sentenced to Lengthy Stints
Source: The Register
A notorious cybercriminal gang led by Remy Ra St Felix was sentenced to lengthy prison terms for violent cryptocurrency thefts including home invasions, abductions, and torture. St Felix received a 47-year sentence, along with orders to pay over $524 million in restitution for crimes spanning from 2020 to 2023. His gang targeted victims across several states, including an elderly couple in North Carolina and a family in Texas, stealing millions in cryptocurrency. Several accomplices, including Jarod Gabriel Seemungal, were also sentenced to prison terms ranging from 12 to 25 years.
Medusa Ransomware Exploiting Fortinet Flaw For Sophisticated Attacks
Source: Cyber Security News
The Medusa ransomware group is exploiting a critical SQL injection vulnerability in Fortinet’s FortiClient EMS to execute sophisticated ransomware attacks. This flaw affects FortiClient EMS versions 7.2 to 7.2.2 and 7.0.1 to 7.0.10. Medusa leverages this vulnerability to gain initial access, deploy ransomware, and evade detection by using compromised remote monitoring tools. The group’s attack involves sending malicious SQL commands to manipulate request headers, create webshells for data exfiltration, and employ tools like bitsadmin and PowerShell for persistence and payload delivery.
VULNERABILITIES TO WATCH
Azure API Management Vulnerability Let Users Escalate Privileges
Source: Cyber Security News
A critical vulnerability in Azure API Management (APIM) allowed users with Reader-level access to escalate their privileges to Contributor level, enabling unauthorized modification and deletion of APIM resources. The flaw, identified by Binary Security researchers, exploited the Azure Resource Manager (ARM) API to bypass restrictions intended to block Reader-level users from sensitive data. Attackers could call a specific API endpoint to obtain admin keys and grant full management access. Microsoft has since patched the issue, restricting Reader access to the affected API.
Google Fixes GCP Composer Flaw That Could've Led to Remote Code Execution
Source: The Hacker News
Google patched a critical vulnerability in its Cloud Platform's Composer service, dubbed "CloudImposer," which could have been exploited via a supply chain attack known as dependency confusion. The flaw allowed attackers to upload a malicious package to the Python Package Index (PyPI) with the same name as an internal package, potentially leading to remote code execution on Composer instances. Google fixed the issue by ensuring the package is installed from a private repository and verifying its checksum. Developers are now advised to use the "--index-url" argument to mitigate future risks.
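The fix summarized above comes down to two settings: resolve the package from a private index only, and verify the artifact's checksum. The following is an added example, not Google's or the Composer project's code, that audits a pip requirements file for the conditions that leave an install open to dependency confusion: no `--index-url`, an `--extra-index-url` that merges a second index (pip picks the highest version across all configured indexes, which is the confusion vector), unpinned versions, and missing `--hash` entries. The two sample requirements files, their hashes and the internal index hostname are constructed for the example.

```python
import re
from typing import List

# Constructed sample requirements files (not from the page or from Google).
# The sha256 values are dummies; real files carry the hash of the wheel/sdist.
SAFE_REQUIREMENTS = """\
--index-url https://pypi.internal.example.com/simple
internal-helper==1.4.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
"""

# Typical pre-fix shape: the private index is only an "extra", nothing is pinned or hashed.
RISKY_REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example.com/simple
internal-helper
requests>=2.0
"""

# name, optional [extras], then an exact "==" pin
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*\S+")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def _logical_lines(text: str) -> List[str]:
    """Join pip-style backslash continuations and drop comments/blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = raw.split(" #", 1)[0].rstrip()  # strip trailing comment
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(" ".join(buf.split()))  # normalise whitespace
        buf = ""
    if buf.strip():
        lines.append(" ".join(buf.split()))
    return lines


def audit_requirements(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file is hardened."""
    findings: List[str] = []
    index_url = None
    for line in _logical_lines(text):
        if line.startswith("--index-url"):
            parts = line.split(maxsplit=1)
            index_url = parts[1] if len(parts) > 1 else ""
            if index_url.startswith("https://pypi.org"):
                findings.append("--index-url is the public index; internal names still resolve from PyPI")
        elif line.startswith("--extra-index-url"):
            findings.append("--extra-index-url merges indexes; pip takes the highest version from any of them")
        elif line.startswith("-"):
            continue  # other pip options (-r, -c, ...) are out of scope here
        else:
            m = NAME_RE.match(line)
            name = m.group(0) if m else line
            if not PIN_RE.match(line):
                findings.append(f"{name}: version not pinned with ==")
            if "--hash=" not in line:
                findings.append(f"{name}: no --hash, so pip cannot verify the downloaded artifact")
    if index_url is None:
        findings.append("no --index-url: pip resolves from the default public index")
    return findings


def is_hardened(text: str) -> bool:
    return not audit_requirements(text)


if __name__ == "__main__":
    for label, text in (("safe", SAFE_REQUIREMENTS), ("risky", RISKY_REQUIREMENTS)):
        print(f"[{label}] hardened={is_hardened(text)}")
        for finding in audit_requirements(text):
            print("  -", finding)
```

Run the audited file with `pip install --require-hashes -r requirements.txt` so that a missing or mismatched hash fails the install rather than being silently accepted.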
Microsoft Confirms Second 0-Day Exploited by Void Banshee APT (CVE-2024-43461)
Source: Help Net Security
Microsoft confirmed that the Void Banshee APT group exploited a second 0-day vulnerability (CVE-2024-43461) in conjunction with CVE-2024-38112 to deliver the Atlantida malware. The attack chain involved tricking users into opening malicious HTA files disguised as PDFs, leveraging MSHTML's spoofing vulnerability to execute scripts via PowerShell and download trojan loaders. While CVE-2024-38112 was patched in July, CVE-2024-43461 has now also been fixed, and users are urged to apply both the July and September 2024 updates.
SolarWinds Fixed Critical RCE CVE-2024-28991 in Access Rights Manager
Source: Security Affairs
SolarWinds fixed a critical remote code execution vulnerability (CVE-2024-28991) in Access Rights Manager (ARM) 2024.3 and earlier versions. Discovered by Trend Micro’s Piotr Bazydlo, this flaw involves the deserialization of untrusted data, allowing authenticated users to execute arbitrary code. Despite requiring authentication, the vulnerability can be exploited by bypassing existing mechanisms. SolarWinds also addressed a related hardcoded credential vulnerability (CVE-2024-28990) in the same release.
D-Link Fixes Critical RCE, Hardcoded Password Flaws in WiFi 6 Routers
Source: Bleeping Computer
D-Link addressed critical vulnerabilities in its popular WiFi 6 routers—COVR-X1870, DIR-X4860, and DIR-X5460—that could allow remote attackers to execute arbitrary code or access devices via hardcoded credentials. Discovered by Taiwan's CERT, the flaws include stack-based buffer overflows and issues with the telnet service, prompting D-Link to recommend firmware upgrades to v1.03B01, v1.04B05, and DIR-X5460A1_V1.11B04.
SPECIAL REPORTS
Trends and Dangers in Open-Source Software Dependencies
Source: Help Net Security
Open-source software dependencies pose significant security challenges due to their widespread use, potential vulnerabilities, and high remediation costs. Endor Labs research shows that only 9.5% of vulnerabilities are exploitable, meaning prioritizing vulnerabilities based on function-level reachability analysis can reduce remediation costs by over 90%. Additionally, a lack of detailed vulnerability information and delays in vulnerability advisories increase risk. Solutions include prioritization strategies such as focusing on the most critical vulnerabilities and phantom dependencies and using tools like EPSS to predict exploit likelihood.
Principal Cybersecurity @Inherent Security | Helping Health Tech leaders achieve HIPAA Security & Privacy Compliance.
2 months
I look forward to seeing the updates with Access Sports.