[InfoSec MASHUP] Week 34/2024
Meta has shut down CrowdTangle; National Public Data Published Its Own Passwords; QNAP adds NAS ransomware protection; Data Exfiltration from Slack AI; Azure Kubernetes Services Vuln. Exposed;
Welcome to the 27 new members from the last 30 days! This newsletter now has 1,503 subscribers.
Partners and Affiliates
Save up to 73% + get free travel data! Users buying a 2-year NordVPN plan will get up to 20GB of free travel data from Saily:
Basic plan - 1GB; Standard & Plus plans - 3GB; Complete plan - 10GB; Ultimate plan - 20GB
Claim your gift right away. New NordVPN users will be able to claim their Saily travel data using a coupon code via the Saily app.
Breaches & Security Incidents
🔓 🤦🏻‍♂️ The creator of Styx Stealer accidentally leaked sensitive information from their own computer, including client details and profit data — Styx Stealer is malware that steals browser data and cryptocurrency wallet information and was sold online under several subscription tiers. The OPSEC failure let researchers identify numerous clients and cryptocurrency wallets linked to the creator.
🇺🇸 🔓 CannonDesign has notified more than 13,000 clients of a data breach in which attackers accessed and stole sensitive information in early 2023 — The breach is tied to an Avos Locker ransomware attack that exposed personal data including Social Security numbers and addresses. The company is offering credit monitoring to affected individuals, but notification came well over a year after the intrusion.
🔓 Qilin ransomware operators have been observed harvesting credentials saved in Google Chrome during their intrusions, widening the impact well beyond the ransomed organization. The attackers gained initial access with compromised credentials and then ran scripts that dumped saved browser passwords from users' endpoints. Because those passwords often cover third-party and personal accounts, a single intrusion can seed follow-on breaches elsewhere; affected users should reset every credential stored in their browsers, not only their domain password.
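A detection that a defender could run over endpoint file-access telemetry to catch the Chrome credential harvesting described above, as an added example that is not part of the original newsletter and not from any vendor product. The event records are constructed; the field layout (host, process image, PID, target path), the browser allow-list and the scores are assumptions to tune per estate:

```python
"""Score file-access events for Qilin-style browser credential harvesting.

Added example, not from the original article or any vendor tool. The events
below are constructed; their fields mirror what an EDR or Sysmon-style file
event feed provides, but the schema, allow-list and scores are assumptions.
"""
import re
from collections import defaultdict

# Chrome keeps saved logins in the per-profile "Login Data" SQLite file and the
# DPAPI-wrapped key that decrypts them in "Local State"; a harvester that wants
# plaintext passwords has to read both.
LOGIN_DATA_RE = re.compile(r"\\User Data\\[^\\]+\\Login Data( For Account)?$", re.IGNORECASE)
LOCAL_STATE_RE = re.compile(r"\\User Data\\Local State$", re.IGNORECASE)

# Processes expected to touch these files (assumed allow-list).
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe"}

# Constructed sample telemetry: a normal browser read, a PowerShell process
# reading both stores (decrypt-capable harvester), and a one-off copy by cmd.exe.
SAMPLE_EVENTS = [
    {"host": "HOST1", "pid": 3120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "HOST1", "pid": 4412, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "HOST1", "pid": 4412, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"host": "HOST2", "pid": 808, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data"},
    {"host": "HOST2", "pid": 950, "image": r"C:\Tools\backup.exe",
     "target": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State"},
]


def score_events(events):
    """Return {(host, pid, image): score} for non-browser processes that read
    Chrome's credential store. Login Data alone scores 1 (suspicious copy);
    Login Data plus Local State scores 3 (likely able to decrypt passwords).
    Local State alone is not reported: on its own it yields no passwords."""
    touched = defaultdict(set)
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in ALLOWED_IMAGES:
            continue
        key = (ev["host"], ev["pid"], image)
        if LOGIN_DATA_RE.search(ev["target"]):
            touched[key].add("login_data")
        elif LOCAL_STATE_RE.search(ev["target"]):
            touched[key].add("local_state")
    scores = {}
    for key, kinds in touched.items():
        if "login_data" in kinds:
            scores[key] = 3 if "local_state" in kinds else 1
    return scores


if __name__ == "__main__":
    for (host, pid, image), score in sorted(score_events(SAMPLE_EVENTS).items()):
        print(f"{host} pid={pid} {image}: score {score}")
```

The allow-list is deliberately short: legitimate backup agents and sync tools will also read these paths, so in production the browser images should be matched on signed full paths and known backup processes added to the list rather than raising the threshold.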
🇺🇸 🔓 Halliburton, a major oilfield services company, was reportedly hit by a cyberattack that affected its operations in Houston and global networks. The company is investigating the issue and has activated its response plan while advising employees not to connect to internal networks. Experts warn that ongoing geopolitical tensions make such companies attractive targets for cybercriminals, which could lead to significant global disruptions.
🇺🇸 🔓 A hacker locked Unicoin staff out of their Google accounts for four days by changing their passwords — During this time, the hacker accessed sensitive internal information and attempted identity fraud. Unicoin has since regained access and does not expect the breach to significantly affect its finances.
🇺🇸 🔓 An email from Rockton School District 140 accidentally revealed personal information of nearly 300 families, including children's names and home addresses. Superintendent Glenn Terry apologized for the mistake and offered identity theft protection to those affected. Some parents are considering legal action, but many are understanding of the error.
🇯🇵 🔓 Toyota confirmed that it experienced a data breach after a hacker leaked 240GB of stolen data on a hacking forum. The stolen information includes employee and customer details, contracts, and financial data. Toyota is aware of the breach and is helping those affected, but has not disclosed when it occurred or how many people were impacted.
🇺🇸 🔓 National Public Data (NPD) experienced a major data breach, exposing personal information of over 272 million people, including Social Security Numbers. A sister site, recordscheck.net, mistakenly published its administrator passwords, putting more user data at risk. Experts recommend freezing credit files to protect against identity theft following this incident.
🇺🇸 🔓 FlightAware has informed users to reset their passwords due to a data security incident that may have exposed personal information since January 1, 2021 — A configuration error was discovered on July 25, 2024, affecting user data like names, addresses, and Social Security numbers. The company has fixed the error and is offering impacted users a free identity protection package for 24 months.
🇺🇸 Timeline — How the ransomware attack on Change Healthcare, a major health tech company, led to one of the largest data breaches in U.S. history, affecting millions of Americans. The hackers stole sensitive personal health information and demanded a ransom, which UnitedHealth paid. Despite the payment, the stolen data remained with the attackers, causing ongoing disruption in the healthcare sector.
Cybercrime, Cyber Espionage, APTs
🇷🇺 🇺🇦 Russia's Federal Security Service has detained scientist Artem Khoroshilov for allegedly conducting DDoS attacks for Ukraine's intelligence agency — He faces charges of treason and could receive a life sentence if convicted. The FSB claims he confessed and provided financial support to Ukrainian military efforts.
🇺🇸 🇱🇻 A member of the Russian Karakurt ransomware group, Deniss Zolotarjovs, has been charged in the U.S. with money laundering, wire fraud, and extortion. He was involved in negotiating ransoms for stolen data from American companies, with one case resulting in a payment of over $1.3 million. Zolotarjovs is the first Karakurt member to be arrested and extradited to the U.S., which may help authorities target more members of the gang.
🇺🇦 🤖 The Computer Emergency Response Team of Ukraine (CERT-UA) has warned about new phishing attacks linked to a group called Vermin — These attacks use fake photos of prisoners of war to trick people into opening a malicious ZIP file that installs spyware. The spyware, known as SPECTR, steals data and sends it to remote servers.
🇮🇷 Iranian cyber group TA453 has launched phishing attacks targeting a prominent Jewish leader, using a new malware called AnvilEcho to gather intelligence. The group, linked to Iran's Islamic Revolutionary Guard Corps, employs social engineering tactics to trick victims into clicking malicious links. Recent campaigns included impersonating legitimate organizations to build trust before delivering malware through seemingly harmless documents.
🇮🇹 ⚖️ Four suspected hackers were arrested in Italy for stealing $14 million in cryptocurrency from Holograph. They had been living in luxury while evading capture, but law enforcement tracked them down. The authorities seized evidence that may help recover the stolen funds.
🇷🇺 🇪🇪 Researchers have mapped new infrastructure used by the financially motivated FIN7 cybercrime group. The investigation tied FIN7 communications to IP addresses belonging to two providers, Post Ltd in Russia and SmartApe in Estonia, suggesting the group rents hosting through resellers; after the findings were shared, Stark Industries suspended some of the implicated services.
Government, Politics, and Privacy
🇺🇸 🚮 A recent audit revealed that the FBI fails to properly label and secure decommissioned electronic storage devices containing sensitive information — These devices were stored improperly and could not be tracked, leading to potential risks of loss or theft. The report recommends that the FBI improve its procedures for handling these devices to ensure better accountability and security.
🇺🇸 The Justice Department is suing Georgia Tech for allegedly not meeting cybersecurity standards needed for Pentagon contracts — The lawsuit claims that Georgia Tech failed to properly secure its Astrolavos Lab and submitted false cybersecurity assessments. Georgia Tech disputes the claims, stating there was no breach of information and that they will fight the lawsuit.
🇺🇸 The 2024 Democratic Party platform mentions cybersecurity only twice, a decrease from the five mentions in 2020 — While the platform includes some focus on privacy and protecting consumer data, it lacks specific details on cyber threats. Experts suggest that despite the limited platform coverage, cybersecurity will remain a priority for the Biden administration.
🇺🇸 ✈️ The Federal Aviation Administration (FAA) plans to propose new cybersecurity rules for future aircraft and equipment to enhance safety against cyber threats — These rules aim to standardize requirements and reduce certification costs and time. The public can comment on the proposal for 60 days after its official publication.
🇮🇷 🇺🇸 U.S. intelligence agencies have accused Iran of attempting to infiltrate the Trump and Biden presidential campaigns — They say Iran is conducting operations to influence the U.S. election process. Iran has denied these accusations, calling them unsubstantiated.
😤 👀 Meta has shut down CrowdTangle, a tool used by researchers and journalists to track misinformation on Facebook and Instagram — Many groups protested this decision, arguing it harms transparency during critical election periods. Meta's new tool, the Meta Content Library, is limited in access and less effective than CrowdTangle, according to critics.
🇺🇸 🇨🇳 House lawmakers are urging the Commerce Department to investigate TP-Link Technologies, a Chinese company whose Wi-Fi routers are widely used in the U.S. They cite potential national security risks from vulnerabilities in TP-Link's devices and the company's ties to the Chinese government, and want a response by the end of the month on how those risks can be addressed.
Partners and Affiliates
🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.
Malware & Threats
Ransomware rakes in record-breaking $450 million in first half of 2024
🦠 🍎 A new macOS malware called "Cthulhu Stealer" has emerged, targeting Apple users to steal sensitive information like passwords and cryptocurrency. It is sold as a service for $500 a month and can disguise itself as legitimate software. Apple is enhancing security measures to protect users from such threats in future macOS updates.
🦠 🇰🇵 North Korean hackers are using a new remote access trojan called MoonPeak in a cyber campaign — This malware is an updated version of an existing tool and allows the hackers to control infected systems and communicate with their servers. The hackers are rapidly expanding their infrastructure to enhance their operations and avoid detection.
🦠 🇰🇵 Researchers have discovered new macOS malware called TodoSwift, linked to North Korean hacking groups like BlueNoroff — This malware uses a fake Bitcoin PDF to trick victims while secretly downloading harmful software. TodoSwift shares similar tactics with other known North Korean malware, aimed at stealing cryptocurrency.
🦠 More than two years after the Log4j vulnerability (Log4Shell) was disclosed, cybercriminals are still exploiting it to deploy malware, including cryptocurrency miners. Researchers found that many organizations remain unpatched, leaving them easy targets. The ongoing exploitation shows how hard it is to fully remediate a critical flaw in a library embedded deep in software dependencies.
🎣 🇨🇿 Mobile users in the Czech Republic are being targeted by a phishing campaign that steals banking credentials through fake Progressive Web Applications (PWAs). Attackers trick users into installing these lookalike apps by posing as legitimate banking updates via voice calls and social media. The goal is to capture users' banking information, which is then sent to the attackers' servers.
🦠 A new malware called UULoader is being used to deliver harmful software like Gh0st RAT and Mimikatz, targeting Korean and Chinese speakers. It disguises itself as legitimate application installers and uses a decoy file to distract users. Recent phishing campaigns have also exploited popular topics like cryptocurrency and AI to trick people into clicking on malicious links.
🦠 🖥️ Cybersecurity researchers found that cybercriminals are poisoning web searches for popular software to spread FakeBat malware — Lookalike download pages impersonate applications like Brave and Zoom, tricking users into fetching trojanized installers. The activity is attributed to a group tracked as UNC4536, which uses the same lure to distribute several malware families.
🎣 💬 Malicious actors are using a tool called Xeon Sender to run large-scale SMS phishing campaigns through legitimate cloud messaging services such as Amazon SNS and Twilio. The tool does not exploit any weakness in those services; it simply drives their APIs with stolen but valid credentials to send bulk messages. Organizations are advised to monitor SMS-related permissions and settings and to alert on unusual changes in recipient lists or sending volume.
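One way to implement the monitoring advice above against an AWS audit trail, as an added example that is not part of the original newsletter and not code from the Xeon Sender authors or from AWS. The records are constructed to follow CloudTrail's `eventSource`/`eventName`/`userIdentity`/`requestParameters` layout; the distinct-recipient threshold, the window length and the function names are assumptions:

```python
"""Flag Xeon Sender-style bulk SMS abuse in CloudTrail-style records.

Added example, not from the original article, AWS or any vendor tool. The
records are constructed; field names follow CloudTrail's layout, but the
thresholds and helper names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# SNS API calls that change SMS spend limits or sandbox permissions; a stolen
# key is often used to raise the spend cap before a blast.
SMS_CONTROL_EVENTS = {"SetSMSAttributes", "CreateSMSSandboxPhoneNumber",
                      "VerifySMSSandboxPhoneNumber"}


def _sns(event_time, arn, name, params):
    return {"eventTime": event_time, "eventSource": "sns.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": params}


ALERTS = "arn:aws:iam::123456789012:user/ops-alerts"
STOLEN = "arn:aws:iam::123456789012:user/marketing-api"

# Constructed sample trail: a low-volume alerting user, one unrelated EC2 call,
# and a principal whose key raises the spend limit then texts six numbers.
SAMPLE_RECORDS = [
    _sns("2024-08-20T09:00:00Z", ALERTS, "Publish", {"phoneNumber": "+15550100900", "message": "disk 91%"}),
    {"eventTime": "2024-08-20T09:00:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": ALERTS}, "requestParameters": {}},
    _sns("2024-08-20T09:00:45Z", STOLEN, "SetSMSAttributes", {"attributes": {"MonthlySpendLimit": "5000"}}),
] + [
    _sns(f"2024-08-20T09:01:{10 * i:02d}Z", STOLEN, "Publish",
         {"phoneNumber": f"+1555010000{i}", "message": "Your parcel is held, confirm at ..."})
    for i in range(6)
] + [
    _sns("2024-08-20T09:30:00Z", ALERTS, "Publish", {"phoneNumber": "+15550100901", "message": "disk 95%"}),
]


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_sms_abuse(records, max_recipients=5, window_seconds=300):
    """Return findings: any SMS control-plane change, plus a burst finding for
    each principal that publishes to >= max_recipients distinct numbers inside
    a sliding window of window_seconds."""
    findings = []
    sends = defaultdict(list)  # principal arn -> [(timestamp, phone number)]
    for rec in records:
        if rec.get("eventSource") != "sns.amazonaws.com":
            continue
        arn = rec["userIdentity"]["arn"]
        name = rec["eventName"]
        params = rec.get("requestParameters") or {}
        if name in SMS_CONTROL_EVENTS:
            findings.append({"kind": "sms_control_change", "principal": arn,
                             "event": name, "detail": params})
        elif name == "Publish" and "phoneNumber" in params:
            sends[arn].append((_ts(rec), params["phoneNumber"]))
    for arn, items in sends.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {num for _, num in items[start:end + 1]}
            if len(distinct) >= max_recipients:
                findings.append({"kind": "bulk_sms_burst", "principal": arn,
                                 "recipients": len(distinct),
                                 "window_start": items[start][0].isoformat()})
                break  # one burst finding per principal is enough
    return findings


if __name__ == "__main__":
    for f in find_sms_abuse(SAMPLE_RECORDS):
        print(f)
```

The two signals are intentionally separate: a spend-limit change by itself is worth a ticket even when the blast never comes, and a burst from a principal that has never sent SMS before is worth one even without a permission change. In practice the baseline for `max_recipients` should come from each principal's own history rather than a single global number.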
🦠 🇷🇺 Russian hackers are using fake brand websites to spread malware like DanaBot and StealC, tricking users into downloading harmful software. They employ phishing tactics to steal personal and financial information, which can be sold or used for fraud. This campaign, known as Tusk, involves multiple sub-campaigns that imitate popular platforms to deceive victims.
AI, Tech & Tools
🤖 🇺🇸 Nearly 200 workers at Google DeepMind have signed a letter urging the company to end its military contracts due to concerns that this violates Google’s AI principles — They believe that using AI for military purposes contradicts the company's commitment to ethical technology. Despite their concerns, Google has not taken any significant action in response to the letter.
🤖 🇺🇸 Lingo Telecom was fined $1 million for sending fake robocalls featuring a deepfake of President Biden's voice to discourage voting in New Hampshire. The company failed to verify the authenticity of the calls, which violated FCC rules on Caller ID authentication. As part of the settlement, Lingo Telecom must implement stricter compliance measures to ensure call legitimacy.
🔐 💸 QNAP has introduced a new Security Center in its latest QTS 5.2 operating system that protects against ransomware by monitoring file activities. If suspicious behavior is detected, it can automatically set volumes to read-only mode and create backups to prevent data loss. The update also improves NAS startup and shutdown speeds and enhances backup capabilities for Windows systems.
☁️ 🔐 Microsoft will require multi-factor authentication (MFA) for sign-ins to the Azure portal and its admin centers starting in October, and will roll the change out gradually with advance notifications to tenants. By early 2025 the requirement extends to additional Azure tooling, including command-line and automation clients, so service accounts and scripts that still sign in with a password alone need to be moved to MFA-capable or workload identities before then.
🇮🇷 🇺🇸 OpenAI banned several accounts linked to a covert Iranian influence operation that generated content on various topics, including U.S. elections — This action followed reports of cyber operations targeting political campaigns, allegedly connected to Iran. The Iranian efforts included using AI to create fake news and social media comments, but they did not gain significant engagement from users.
Vulnerabilities, Research, and Threat Intelligence
Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group
F5 Patches High-Severity Vulnerabilities in BIG-IP, NGINX Plus
Google fixes ninth Chrome zero-day exploited in attacks this year
GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges
Atlassian Patches Vulnerabilities in Bamboo, Confluence, Crowd, Jira
🪳 🧩 A serious vulnerability in the GiveWP WordPress plugin has put over 100,000 websites at risk of takeover — This flaw allows attackers to execute harmful code or delete files remotely by exploiting a weakness in how the plugin processes user input. Users are urged to update to the latest version of the plugin to protect their sites.
Litespeed Cache bug exposes millions of WordPress sites to takeover attacks
🔓 🛜 A French security firm found a major backdoor in millions of RFID cards made by Shanghai Fudan Microelectronics — This vulnerability allows attackers to clone the cards used for access to places like offices and hotels with just a few minutes of physical proximity. Consumers are urged to check their systems, as these vulnerable cards are widely used around the world.
🔓 A critical vulnerability in Microsoft Copilot Studio could have allowed attackers to access sensitive internal information, according to Tenable. The issue, tracked as CVE-2024-38206, was a server-side request forgery: bypassing the service's request filtering let an attacker make Copilot Studio reach its own internal infrastructure and leak data from it. Microsoft reports the flaw has been fully fixed on the service side, so no customer action is required.
🪳 🔓 Cisco has identified vulnerabilities in several Microsoft apps for macOS that it says could let attackers bypass the system's permission model by injecting a library into an already-trusted app and inheriting its granted entitlements (camera, microphone, screen recording) — Microsoft considers the issues low risk and has fixed only some of them, stating that the affected apps intentionally allow loading unsigned libraries to support plug-ins. Cisco argues that this still lets a local attacker access sensitive data and act with the user's permissions without prompting.
🔓 ☁️ Researchers have identified a security flaw in Microsoft Azure Kubernetes Services (AKS) that could let an attacker with code execution in one pod obtain the cluster's TLS bootstrap tokens and use them to read every secret in the cluster. Microsoft has addressed the issue. Experts recommend strict network policies in any case: a pod should only be able to reach the node-local and cloud metadata endpoints it genuinely needs, and secrets should be scoped with RBAC so that one compromised workload cannot read them all.