[InfoSec MASHUP] 46/2024
Amazon Confirms Employee Data Stolen; Security Flaws in Popular Machine Learning Toolkits; US DoJ Sentencing Various Cybercriminals; Gov. Abuse Using Pegasus Spyware; Android Malware via Letter;
Welcome to the 16 new members from the last 30 days! This newsletter now has 1,593 subscribers.
Breaches & Security Incidents
🇺🇸 🔓 Amazon confirmed a data breach involving employee work contact information due to a security event at a third-party vendor. The company stated that sensitive data like Social Security numbers was not affected. A hacker claimed to have published data stolen from various organizations, including Amazon, as part of a larger breach related to the MOVEit Transfer exploit.
🇺🇸 🔓 A data breach has exposed the personal information of nearly 57 million customers from Hot Topic, Box Lunch, and Torrid. The leaked data includes names, email addresses, birth dates, and partial credit card information. Customers are advised to be cautious of phishing attacks and to monitor their financial accounts closely.
🇺🇸 💸 Halliburton reported a $35 million loss from a ransomware attack in August that forced them to shut down IT systems and disconnect customers. The RansomHub gang was responsible for the breach, stealing data from the company's network. Although the financial impact was minor for Halliburton, the potential legal costs from the stolen data could pose future risks.
Cybercrime, Cyber Espionage, APTs
🇨🇳 💳 A Chinese fraud group called "SilkSpecter" is using nearly 4,700 fake online stores to steal credit card information from shoppers in the U.S. and Europe. These sites impersonate well-known brands and offer enticing Black Friday discounts to trick victims. Shoppers are advised to only visit official brand websites and enable security measures on their accounts to protect themselves.
🇺🇸 ⚖️ Ilya Lichtenstein was sentenced to five years in prison for his role in the 2016 Bitfinex hack, which involved stealing nearly 120,000 bitcoins worth over $10.5 billion. He and his wife, Heather Morgan, were charged with laundering the stolen funds using fake identities and cryptocurrency exchanges. Morgan is set to be sentenced on November 18.
🇺🇸 ⚖️ Robert Purbeck, a 45-year-old man from Idaho, was sentenced to ten years in prison for hacking and extorting healthcare providers — He stole personal information from over 132,000 people and threatened to leak it unless he was paid a ransom. In addition to his prison term, he must pay his victims over $1 million in restitution.
🇮🇷 🦠 Iranian hackers, known as TA455, are targeting the aerospace industry by using fake job offers to deploy SnailResin malware since September 2023. They employ social engineering tactics, including fake recruiting websites and LinkedIn profiles, to trick victims into executing malicious files. This campaign is similar to tactics used by North Korean hackers, raising concerns about potential tool sharing or deliberate copying.
🇺🇸 ⚖️ Two hackers, Connor Moucka and John Binns, have been charged with stealing about 50 billion customer records from AT&T — They accessed sensitive data through Snowflake, a cloud service, and extorted at least three companies for a total of $2.5 million in Bitcoin. AT&T confirmed the breach affected nearly all of its customers, but the hackers did not take the content of calls or messages.
🇺🇸 ⚖️ Roman Sterlingov, the founder of the Bitcoin Fog cryptocurrency mixer, has been sentenced to 12 years and six months in prison for money laundering. His service helped criminals hide over $400 million in illegal proceeds from activities like drug trafficking and identity theft. In addition to his prison term, Sterlingov must forfeit nearly $400 million and his Bitcoin Fog wallet containing $103 million.
Government, Politics, and Privacy
👀 ⚖️ NSO Group has admitted to cutting off access to its Pegasus spyware for 10 government customers due to abuse — Newly unsealed court documents reveal details about how NSO's tools targeted WhatsApp users, including high-profile individuals. WhatsApp continues to pursue legal action against NSO for violating user privacy and security laws.
🌍 ⚖️ The UN's new cybercrime convention could harm security research by criminalizing actions that ethical hackers take to improve cybersecurity — This vague language may lead to legal risks for researchers, making it harder for them to operate safely. The U.S. should work with other countries to ensure protections for good-faith security research are included in national laws.
HackerOne urges U.S. to advocate for research protections in UN cybercrime treaty
🇺🇸 🇨🇳 Chinese hackers compromised the private communications of some U.S. government officials by breaching multiple telecom networks. They also stole customer call records and other sensitive information. The hackers had access for months, allowing them to collect a large amount of data.
🇺🇸 A top cyber official recommended that the Trump administration prioritize minimum cybersecurity standards, grants for critical infrastructure, and international partnerships in its first 100 days. Anne Neuberger emphasized the importance of industry consultation and compliance measurements after learning from past cyber incidents. She also suggested expanding programs to help smaller governments detect cyber threats and collaborating more with other countries on cybersecurity issues.
Malware & Threats
🦠 🕸️ A botnet is exploiting a serious vulnerability in outdated GeoVision devices to install Mirai malware for attacks. About 17,000 of these devices are exposed online, with most located in the United States. Users are advised to reset their devices and change passwords, as these devices no longer receive security updates.
🦠 🇨🇭 Cyber criminals are sending fake letters that pretend to be from Switzerland's weather service, asking people to download a non-existent weather app. The letter includes a QR code that leads to malware called 'Coper', which can steal data from many smartphone apps. If someone has downloaded the fake app, they should reset their phone to factory settings to remove it.
🦠 🇻🇳 A Vietnamese hacker group is using a new malware called PXA Stealer to target sensitive information from government and educational institutions in Europe and Asia. This malware can steal online account credentials, financial data, and even Facebook cookies. The attacks start with phishing emails that contain malicious ZIP files, leading to significant data breaches.
🦠 🇰🇵 North Korean hackers were found using new types of malware hidden in macOS applications — Researchers discovered this malware, which used programming languages like Golang and Python, while analyzing files on VirusTotal. Although it was sophisticated enough to bypass Apple’s security, there’s no clear evidence it was actively used in any attacks.
🦠 📄 Cybercriminals are using a phishing campaign to spread a new fileless variant of Remcos RAT malware through malicious Excel attachments. This malware allows attackers to remotely control victims' computers and collect sensitive information without leaving traces on the local system. The attack exploits a known vulnerability in Microsoft Office, making it difficult for security tools to detect.
🦠 🇨🇳 The Chinese hacking group Volt Typhoon is rebuilding its KV-Botnet after a disruption by U.S. authorities in January 2024. They are targeting outdated Cisco and Netgear routers to install malware and regain access to networks. Security experts warn that older devices should be replaced and updated to prevent such attacks.
🦠 🗂️ Hackers are now using a technique called ZIP file concatenation to hide malware in compressed archives, making it harder for security software to detect. This method involves combining multiple ZIP files, with one containing malicious content and others appearing harmless. To protect against these attacks, users should be cautious with ZIP files in emails and use security tools that can unpack nested archives.
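The ZIP concatenation trick above works because a ZIP reader locates the archive by searching backwards from the end of the file for the End-of-Central-Directory (EOCD) record, so different tools disagree about which archive a concatenated file "is". The following script is an added example (not from the newsletter or any vendor it mentions) of the kind of check a mail gateway or sandbox can run: it walks every EOCD candidate in a file, validates each one against its central directory, and reports how many independent archives are present and what each contains. The sample input is constructed inline with Python's own zipfile module: a harmless text file archive followed by a second archive holding a placeholder "update.exe" (not a real executable).

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End-of-Central-Directory record signature
CDIR_SIG = b"PK\x01\x02"   # Central directory file header signature


def list_entries(data: bytes, cd_start: int, cd_size: int) -> list[str]:
    """Walk the central directory starting at cd_start and return the file names."""
    names = []
    pos, end = cd_start, cd_start + cd_size
    while pos + 46 <= end and data[pos:pos + 4] == CDIR_SIG:
        # name length, extra length and comment length sit at offset 28 of the header
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def find_archives(data: bytes) -> list[dict]:
    """Locate every embedded ZIP archive by validating each EOCD signature.

    A raw "PK\\x05\\x06" match could be compressed data, so each candidate is
    only accepted if the central directory it points at really starts with the
    central directory signature and contains the advertised number of entries.
    """
    archives = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + 22 <= len(data):
            (_disk, _cd_disk, _on_disk, total, cd_size, cd_offset,
             _comment_len) = struct.unpack_from("<HHHHIIH", data, pos + 4)
            cd_start = pos - cd_size          # central directory ends where EOCD begins
            implied_start = cd_start - cd_offset  # where this archive's own offset 0 lies
            if implied_start >= 0 and data[cd_start:cd_start + 4] == CDIR_SIG:
                names = list_entries(data, cd_start, cd_size)
                if len(names) == total:
                    archives.append({"start": implied_start, "eocd": pos, "entries": names})
        pos = data.find(EOCD_SIG, pos + 1)
    return archives


def is_concatenated(data: bytes) -> bool:
    """True when more than one valid ZIP archive is glued into a single file."""
    return len(find_archives(data)) > 1


def stdlib_view(data: bytes) -> list[str]:
    """What Python's zipfile reports: it searches back from the end, so only the last archive."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def build_zip(files: dict[str, bytes]) -> bytes:
    """Helper to build a small in-memory ZIP for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a benign archive with a second archive appended to it.
BENIGN = build_zip({"report.txt": b"Quarterly figures, nothing unusual.\n"})
SECOND = build_zip({"update.exe": b"placeholder bytes, not an executable\n"})
SAMPLE = BENIGN + SECOND

if __name__ == "__main__":
    for arch in find_archives(SAMPLE):
        print(f"archive at offset {arch['start']}: {arch['entries']}")
    print("zipfile module sees only:", stdlib_view(SAMPLE))
    print("concatenated:", is_concatenated(SAMPLE))
```

Run against the constructed sample, find_archives reports two archives (one at offset 0 with report.txt, one at the offset where the second file begins with update.exe), while the standard zipfile module lists only update.exe. A gateway that scans with a reader which takes the first archive would see only report.txt; flagging any file where is_concatenated is true, or unpacking every archive found, closes that gap.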
🦠 💸 A new ransomware called Ymir targets corporate networks by exploiting memory management for stealthy attacks. It follows an initial breach using a malware called RustyStealer, which stole corporate credentials. Researchers warn that this tactic marks a potential shift in ransomware strategies, making it harder to detect and defend against.
AI, Crypto, Tech & Tools
🤖 📞 Google is introducing a new AI feature for Pixel phones that detects scam calls by analyzing conversation patterns in real-time — This feature, along with enhanced protection from harmful apps in Google Play, aims to make Android devices safer. Currently, it is available for Pixel 6 and newer models in the US and works only for English conversations.
☁️ 🔐 IBM has launched Autonomous Security for Cloud (ASC), an AI-powered solution to automate cloud security management for organizations using Amazon Web Services (AWS). The tool aims to mitigate risks by addressing common issues like misconfigurations and compliance failures through continuous monitoring and automated controls. By leveraging generative AI, ASC helps organizations streamline security processes and adapt quickly to changing cloud environments.
🛠️ Bitdefender has released a free decryptor for victims of the ShrinkLocker ransomware, which encrypts data using Microsoft's BitLocker utility. The ransomware, first identified in May 2024, exploits trusted relationships to infiltrate networks and can encrypt multiple systems quickly.
🧪 🤖 Researchers discovered two vulnerabilities in the Vertex AI platform that can lead to serious security risks. By exploiting custom job permissions, attackers can gain unauthorized access to sensitive data, and deploying a malicious model allows them to exfiltrate other models in the environment. This highlights the danger of using unverified models, which can compromise an entire AI system.
Vulnerabilities, Research, and Threat Intelligence
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
Patch Tuesday:
Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws
Microsoft patches Windows zero-day exploited in attacks on Ukraine
CISA Flags Critical Palo Alto Network Flaws Actively Exploited in the Wild
🦆 Experts have discovered that 70,000 legitimate domains have been hijacked using a technique called "Sitting Ducks", which exploits DNS misconfigurations. This method allows cybercriminals to take control of domains for phishing and fraud, often without being detected due to the trusted reputation of the hijacked sites. The attacks have been ongoing since 2018, affecting various organizations, including well-known brands and non-profits.
🪳 🔓 A serious security flaw in PostgreSQL allows unprivileged users to change environment variables, which could lead to code execution or data leaks. This vulnerability, known as CVE-2024-10979, has a high severity score of 8.8. PostgreSQL has released updates to fix the issue, and users are urged to apply them and restrict permissions on extensions.
💥 🔓 Attackers are exploiting a serious vulnerability in old D-Link NAS devices, allowing them to run harmful commands remotely. D-Link will not fix this issue since these devices are no longer supported, urging users to replace them. Security experts found many vulnerable devices still online, highlighting the risk of attacks.
☁️ 🔓 Google Cloud is enhancing its security efforts by issuing Common Vulnerabilities and Exposures (CVEs) for critical vulnerabilities in its products, even if no customer action is needed. This initiative aims to improve transparency and help users track and prioritize vulnerabilities effectively. By collaborating with the security community, Google Cloud seeks to build trust and enhance security practices.
Researchers Warn of Privilege Escalation Risks in Google's Vertex AI ML Platform
🔓 🤖 Cybersecurity researchers have found nearly two dozen security flaws in 15 popular machine learning open-source projects, which could allow attackers to hijack servers and escalate privileges. Vulnerabilities include issues in Weave, ZenML, Deep Lake, Vanna.AI, and Mage AI, potentially leading to severe breaches in MLOps pipelines. These flaws could enable attackers to manipulate ML datasets and models, increasing cybersecurity risks in organizations.
ICS, OT & IoT
☁️ 🔓 A security analysis revealed 10 vulnerabilities in the OvrC cloud platform, which could let attackers remotely execute code on connected IoT devices like cameras and routers. The U.S. Cybersecurity and Infrastructure Security Agency warned that these flaws could allow unauthorized access and control over these devices. Although the company has released fixes for most issues, the need for stronger security measures remains critical as more devices connect to the internet.