cyberlights – week 29/2024
A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!
News For All
🌍 Data Broker Files: How data brokers sell our location data and jeopardise national security privacy – Data brokers sell German location data, jeopardizing privacy and national security, leading to calls for regulation and concerns about data misuse. https://netzpolitik.org/2024/data-broker-files-how-data-brokers-sell-our-location-data-and-jeopardise-national-security/#netzpolitik-pw
🪪 It's best to just assume you’ve been involved in a data breach somehow privacy – Multiple data breaches in 2024, including AT&T and Snowflake, imply personal data compromise. Recommendations include strong passwords, multi-factor authentication, fraud alerts. https://blog.talosintelligence.com/threat-source-newsletter-july-18-2024/
🔍 Data breach exposes millions of mSpy spyware customers data breach – Data breach at mSpy exposes millions of customers who purchased phone spyware apps over a decade, revealing emails, personal documents, and requests for surveillance without consent by various individuals including U.S. officials. https://techcrunch.com/2024/07/11/mspy-spyware-millions-customers-data-breach/
📱 The FBI says it has ‘gained access’ to the Trump rally shooter’s phone security news – The FBI has accessed the phone of the suspect who shot at a Trump rally without disclosing how, continuing analysis of electronic devices and urging the public for tips. https://www.theverge.com/2024/7/15/24199239/fbi-encryption-phone-trump-shooter-pennsylvania-gained-access
🧔♂️ Kaspersky leaves U.S. market following the ban on the sale of its software in the country security news – Kaspersky exits the U.S. market after a ban on its software due to national security risks posed by Russia. The company denies links to the Russian government and will shut down its U.S. operations by September. https://securityaffairs.com/165799/breaking-news/kaspersky-is-leaving-the-u-s-market.html
💰 AT&T ransom laundered through mixers, gambling services cybercrime – AT&T's $370,000 ransom is being laundered through cryptocurrency mixing platforms and gambling services, identified by TRM Labs. Money laundering tactics include using swap services and privacy coins, often employed by cybercriminals to hide the funds' origins. https://therecord.media/att-ransom-laundered-mixers-research
⛑️ Rite Aid says 'limited' cyber incident affected data of 2.2 million people data breach – Rite Aid reports a 'limited' cyber incident after a hacker impersonated an employee accessing purchase-related data. Law enforcement contacted, victims offered identity protection services. https://therecord.media/rite-aid-data-breach-2-million-people
🦠 Private HTS Program Continuously Used in Attacks malware – A threat actor has been distributing malware through the private home trading system (HTS) program named HPlus, replacing the NSIS installer with an MSI format installer and supporting remote assistance with AnyDesk. The malware includes Quasar RAT aimed at stealing personal data. https://asec.ahnlab.com/en/67969/
🪓 HardBit Ransomware – What You Need to Know malware – HardBit ransomware, a ransomware-as-a-service (RaaS), resurfaces with a new version, HardBit 4.0, focused on thwarting security researchers with passphrase protection and improved customization that caters to different criminal operator technical levels. https://www.tripwire.com/state-of-security/hardbit-ransomware-what-you-need-know
💦 Leaked Docs Show What Phones Cellebrite Can (and Can’t) Unlock security news – Cellebrite struggled to unlock a significant portion of modern iPhones as of April 2024, per leaked documents. https://www.404media.co/leaked-docs-show-what-phones-cellebrite-can-and-cant-unlock/
🏳️🌈 LGBTQ+ people in Middle East and North Africa subject to intense digital oppression, research finds privacy – LGBTQ+ individuals face intense digital oppression, with police using dating and social media apps for persecution. Research reveals high levels of violence, forced device searches, and abuse. https://therecord.media/lgbtq-mena-region-digital-harassment
🛜 Mobile internet and social media disrupted in Bangladesh amid student protests security news – Bangladesh orders a nationwide mobile internet shutdown amid violent student protests against a government job quota system. The disruption is linked to social media usage by protesters. https://therecord.media/bangladesh-mobile-internet-social-media-outages-student-protests
🏠 How a little-known tool is sweeping the real estate industry by giving instant access to vast amounts of homebuyer data security news – Forewarn app offers real estate professionals instant access to detailed data about prospective clients for a low fee. Although primarily marketed as a safety tool, it also provides financial and criminal records instantly. However, privacy concerns and potential for misusing the data exist despite its explosive adoption in the real estate industry. https://therecord.media/forewarn-app-real-estate-homebuyer-data
🏥 MediSecure data breach impacted 12.9 million individuals data breach – Australian digital prescription provider MediSecure suffered a ransomware attack exposing personal and health information of 12.9 million individuals. The breach resulted in the theft of 6.5TB of data impacting users between March 2019 and November 2023. https://securityaffairs.com/165932/uncategorized/medisecure-databreach-12-9m-individuals.html
Crowdstrike Corner 🚨 Global Microsoft Meltdown Tied to Bad Crowdstrike Update security news – Crowdstrike update causes global Windows system crashes; airports, hospitals, and businesses affected. Recovery may take time, requiring manual fix per machine. https://krebsonsecurity.com/2024/07/global-microsoft-meltdown-tied-to-bad-crowstrike-update/
🐦⬛ What is CrowdStrike, and what happened? security news – CrowdStrike caused a global outage after a faulty update to Windows machines, affecting essential services. The issue came from an update that caused Windows systems to crash. Recovery may take days to weeks. https://www.theverge.com/2024/7/19/24201864/crowdstrike-outage-explained-microsoft-windows-bsod
🛹 Threat actors attempted to capitalize CrowdStrike incident security news – Threat actors exploit CrowdStrike IT outage to distribute Remcos RAT malware in a Latin America-targeted campaign under the disguise of an emergency fix via a ZIP file named 'crowdstrike-hotfix.zip.' CrowdStrike provides IOCs for the malicious campaign. https://securityaffairs.com/165953/uncategorized/threat-actors-capitalize-crowdstrike-incident.html
Some More, For the Curious
➿ CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks security research – CVE-2024-38112 used by Void Banshee to exploit IE vulnerability, leading to Atlantida stealer deployment against Windows users. https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html
🖼️ Fake AWS Packages Ship Command and Control Malware In JPEG Files security research – Fake AWS npm packages hide command and control malware in JPEG images, jeopardizing package installations and highlighting the need for increased vigilance in open source ecosystems. https://blog.phylum.io/fake-aws-packages-ship-command-and-control-malware-in-jpeg-files/
0️⃣ Zero Day Initiative – Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD security news – Gap in coordinated vulnerability disclosure leads to lack of vendor transparency, disputes on severity ratings, and challenges in bug reporting, highlighting the importance of improved communication and accountability within the cybersecurity industry. https://www.thezdi.com/blog/2024/7/15/uncoordinated-vulnerability-disclosure-the-continuing-issues-with-cvd
🥴 Weak Security Defaults Enabled Squarespace Domains Hijacks – Krebs on Security security news – Weak security defaults at Squarespace allowed domain hijacking incidents targeting cryptocurrency businesses, with vulnerabilities arising from the migration process from Google Domains, lack of email verification for new accounts, and limited control over account access and activity. https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/
🃏 Punch Card Hacking – Exploring a Mainframe Attack Vector security research – Article explores using punch card concepts in mainframe hacking for penetration testing, detailing JCL basics, FTP job submission, debugging with spool files, and potential privilege escalation. https://blog.nviso.eu/2024/07/16/punch-card-hacking-exploring-a-mainframe-attack-vector/
👻 ‘GhostEmperor’ returns: Mysterious Chinese hacking group spotted for first time in two years cybercrime – After a two-year hiatus, the sophisticated Chinese hacking group GhostEmperor, known for supply-chain attacks in Southeast Asia, has reappeared, deploying a rootkit to evade detection and carrying out attacks on business partners as seen in a recent incident investigated by cybersecurity company Sygnia. https://therecord.media/ghostemperor-spotted-first-time-in-two-years
🧑💼 Vulnerability in Cisco Smart Software Manager lets attackers change any user password vulnerability – Cisco Smart Software Manager On-Prem vulnerability (CVE-2024-20419) allows unauthorized users to change any user's password, posing a severe security risk with a maximum CVSS score of 10. https://arstechnica.com/security/2024/07/vulnerability-in-cisco-smart-software-manager-lets-attackers-change-any-user-password/
⚖️ Judge dismisses much of SEC suit against SolarWinds over cybersecurity disclosures security news – U.S. Judge dismissed most SEC claims against SolarWinds related to cybersecurity disclosures regarding the Sunburst attack. The ruling is seen as a victory for industry officials and a setback for SEC in holding executives accountable. https://cyberscoop.com/judge-dismisses-much-of-sec-suit-against-solarwinds-over-cybersecurity-disclosures/
🤒 APT41 Has Arisen From the DUST security research – APT41, in collaboration with Google's TAG, launched a campaign targeting various sectors across multiple countries, using techniques like web shells, backdoors, SQL export, and OneDrive exfiltration. https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust/
🧑🏭 CISA publishes resilience-planning playbook for critical infrastructure cyber defense – CISA releases playbook for infrastructure resilience planning, aiming to enhance security and minimize impact of cyberattacks on critical infrastructure. https://statescoop.com/cisa-cybersecurity-resilience-planning-playbook-critical-infrastructure/
🔒 Cisco fixed a critical flaw in Security Email Gateway that could allow attackers to add root users vulnerability – Cisco fixed a critical vulnerability in Secure Email Gateway allowing attackers to add root users and crash SEG appliances. https://securityaffairs.com/165905/uncategorized/cisco-fixed-a-critical-flaw-in-security-email-gateway-that-could-allow-attackers-to-add-root-users.html
🖲️ Attacking Connection Tracking Frameworks as used by Virtual Private Networks security research – Study demonstrates successful attacks on VPN connection tracking frameworks, highlighting vulnerabilities and proposing mitigations for enhanced security and privacy. https://petsymposium.org/popets/2024/popets-2024-0070.pdf
CISA Corner KEV – Adobe, Solarwinds, vmware, OSGeo https://www.cisa.gov/news-events/alerts/2024/07/15/cisa-adds-one-known-exploited-vulnerability-catalog https://www.cisa.gov/news-events/alerts/2024/07/17/cisa-adds-three-known-exploited-vulnerabilities-catalog security updates – Cisco, Ivanti, Oracle https://www.cisa.gov/news-events/alerts/2024/07/18/cisco-releases-security-updates-multiple-products https://www.cisa.gov/news-events/alerts/2024/07/18/ivanti-releases-security-updates-endpoint-manager https://www.cisa.gov/news-events/alerts/2024/07/18/oracle-releases-critical-patch-update-advisory-july-2024 industrial – rockwell, Subnet, Philips, Mitsubishi https://www.cisa.gov/news-events/ics-advisories/icsa-24-198-01 https://www.cisa.gov/news-events/ics-advisories/icsa-24-200-02 https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01 https://www.cisa.gov/news-events/ics-advisories/icsa-24-200-01
While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.
(by @wrzlbrmpft@infosec.exchange) Obviously, the opinions inside these articles are not my own. No guarantee for correct- or completeness in any way.