Slim CD data breach, International sextortion bust, TfL mixed messages

In today’s cybersecurity news…

Slim CD notifies 1.7M customers of data breach

Electronic payment firm Slim CD has notified nearly 1.7 million credit card holders that their data may have been stolen after an attacker accessed its systems between August 17, 2023, and June 15, 2024. A third-party investigation uncovered the incident on June 15. Slim CD said it reviewed its data privacy and security policies and implemented additional safeguards following the incident. KnowBe4 awareness advocate James McQuiggan said, “When organizations realize that cybercriminals are inside their network for long periods, there is a gap with continuous security monitoring. Accompanied by a robust Security Incident Management (SIEM) system integrated with threat intelligence, the breach could have been detected sooner.”

(SC Media)

Delaware men charged in international sextortion scheme

Four Delaware men (Sidi Diakite, 30; Almamy Diaby, 22; Abdul Aziz Sangare, 26; and Adoul Aziz Traore, 31) face charges for their involvement in an international sextortion scheme targeting thousands of victims across the U.S., U.K. and Canada, including minors. The men posed as young females to persuade victims to expose themselves over web camera or live video chat, and then used the material to extort the victims. Prosecutors said the suspects successfully extorted $1.9 million through CashApp and Apple Pay and attempted to extort $6.9 million overall. The DoJ said each man faces up to 20 years in prison for each count of conspiracy, money laundering, and wire fraud.

(CyberScoop)

London transit agency drops claim it has ‘no evidence’ of customer data theft

The cyberattack that hit Transport for London (TfL) is now dragging into its second week and some TfL services remain offline. In a brief update on its cyber incident page, TfL said it continues to deal with an “ongoing” incident. However, the update removed a line that previously said, “There is no evidence that any customer data has been compromised,” and replaced it with a statement about the importance of system and customer data security. A TfL spokesperson declined to comment on whether the company had technical means, such as logs, to determine whether customer or employee data was exfiltrated and also declined to comment on the company’s website update.

(TechCrunch)

‘Crimson Palace’ campaign hacking Southeast Asian governments

On Tuesday, researchers at Sophos published their second report covering Crimson Palace, a Southeast Asia-based espionage campaign. The three Chinese state-backed groups behind the campaign (Cluster Alpha, Cluster Bravo and Cluster Charlie) renewed their activity in the fall of 2023 and have continued through this year. Sophos said the groups are now expanding their operations across organizations and governments in Southeast Asia to steal sensitive documents, authentication keys and certificates, including those for cloud infrastructure and backups, and IT configuration and network data. Sophos said that, after having many of their custom tools identified and blocked by Sophos, the groups switched to more open-source tools, illustrating “how quickly these attacker groups can adapt and remain persistent.”

(The Record)

RansomHub abuses Kaspersky utility to disable EDR software

The RansomHub gang has been using Kaspersky’s TDSSKiller to disable endpoint detection and response (EDR) services on target systems. Kaspersky created TDSSKiller to identify the presence of rootkits and bootkits. Because it’s a legitimate tool signed with a valid certificate, TDSSKiller does not get stopped by security solutions. Malwarebytes also reported RansomHub has been abusing TDSSKiller to interact with kernel-level services to disable their Malwarebytes Anti-Malware Service (MBAMService). Upon disabling defenses, RansomHub deploys a credential-harvesting tool to help move laterally on the network. Security experts recommend activating tamper protection on the EDR solutions and monitoring the ‘-dcsvc’ parameter that disables or deletes services.
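As an added illustration of the monitoring advice above (this is example code written for this digest, not something from the cited reports), the function below scans constructed process-creation events, shaped loosely like Sysmon Event ID 1 fields, and flags TDSSKiller invocations that carry the ‘-dcsvc’ switch, rating hits against the article’s MBAMService as high. The field names and sample events are assumptions; adapt them to your own telemetry.

```python
import re
from typing import Iterable

# Service the article names as RansomHub's target; extend with your own EDR/AV service names.
SENSITIVE_SERVICES = {"mbamservice"}
# Matches "-dcsvc <name>" or '-dcsvc "<name with spaces>"', case-insensitively.
DCSVC_RE = re.compile(r'-dcsvc\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def dcsvc_targets(cmdline: str) -> list[str]:
    """Return every service name passed to TDSSKiller's -dcsvc (delete/disable service) switch."""
    return [quoted or bare for quoted, bare in DCSVC_RE.findall(cmdline)]


def is_tdsskiller(event: dict) -> bool:
    """Match on the on-disk name or the PE's original filename, so a renamed copy still hits."""
    names = (event.get("Image", ""), event.get("OriginalFileName", ""))
    return any(n.lower().rsplit("\\", 1)[-1] == "tdsskiller.exe" for n in names)


def detect(events: Iterable[dict]) -> list[dict]:
    """Flag TDSSKiller runs that touch services; a plain rootkit scan (no -dcsvc) is ignored."""
    findings = []
    for ev in events:
        if not is_tdsskiller(ev):
            continue
        targets = dcsvc_targets(ev.get("CommandLine", ""))
        if not targets:
            continue
        severity = "high" if any(t.lower() in SENSITIVE_SERVICES for t in targets) else "medium"
        findings.append({"host": ev.get("Computer"), "user": ev.get("User"),
                         "services": targets, "severity": severity})
    return findings


# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Tools\\tdsskiller.exe",
     "OriginalFileName": "tdsskiller.exe", "CommandLine": "tdsskiller.exe -accepteula -silent"},
    {"Computer": "WS02", "User": "CORP\\svc_backup", "Image": "C:\\Users\\Public\\tdsskiller.exe",
     "OriginalFileName": "tdsskiller.exe", "CommandLine": "tdsskiller.exe -dcsvc MBAMService"},
    {"Computer": "WS03", "User": "CORP\\bob", "Image": "C:\\Temp\\update.exe",
     "OriginalFileName": "tdsskiller.exe", "CommandLine": 'update.exe -dcsvc "Some EDR Service"'},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The first sample event is a legitimate rootkit scan and produces no finding; only the two service-deletion runs are reported.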

(Bleeping Computer)

You should probably patch that (Patch Tuesday Edition)

Attackers are already actively exploiting four of the 79 vulnerabilities that Microsoft has now addressed in its September 2024 Patch Tuesday release. Two of the zero-day bugs give attackers a way to bypass critical security protections in Windows, while the third allows escalation to system-level privileges. The final zero-day is a bug that rolled back, or reintroduced, vulnerabilities in certain versions of Windows 10 (CVE-2024-43491). Microsoft marked this last flaw as critical (9.8/10 CVSS score) and as being actively exploited but did not provide any indicators of compromise (IOCs).

Meanwhile on Tuesday, Adobe released its own set of 28 security patches across a wide range of products. The two most critical bugs (CVE-2024-41869, CVSS base score 7.8/10, and CVE-2024-45112, CVSS 8.6/10) could be exploited for arbitrary code execution and privilege escalation.

Also of note, Ivanti has fixed a maximum severity vulnerability (CVE-2024-29847) in its Endpoint Management software (EPM) that can let unauthenticated attackers perform remote code execution on the core server.

(Dark Reading and Bleeping Computer and SecurityWeek [1][2])

Cyber staffing shortages remain CISOs’ biggest challenge

Researchers at Command Zero have released a report on challenges faced by chief information security officers (CISOs) and other leaders across 15 industries. The report highlights a skills shortage across all cybersecurity disciplines, but especially in the area of cyber investigations. 88% of leaders interviewed expressed concerns about the lack of staffing to address growing threats. Further, 74% of respondents said that they felt their team lacked sufficient public cloud skills to perform “high-quality investigations.” Because of the shortage, teams are stretched thin, which could lead to burnout and decreased effectiveness in mitigating potential threats, and many companies are competing for the same qualified individuals, who have a lot of options, creating heavy turnover in a vicious cycle.

(Dark Reading)

PIXHELL attack leaks secrets from LCD screen noise

Dr. Mordechai Guri of Ben-Gurion University has discovered a novel acoustic attack named ‘PIXHELL’ that can leak secrets from air-gapped and audio-gapped systems through the LCD monitors they connect to. In a PIXHELL attack, malware modulates the pixel patterns on LCD screens to induce noise in the frequency range of 0-22 kHz, carrying encoded signals within those acoustic waves that can be captured by nearby devices such as smartphones. The tests showed data exfiltration is possible at a maximum distance of 2 meters (6.5 ft), at a data rate of 20 bits per second (bps). While this is too slow to make large file transfers practical, real-time keylogging and stealing small text files that might contain passwords or other information are still possible.

(Bleeping Computer)
