Protect your network against the latest threats with RedSeal

In today’s rapidly evolving cybersecurity landscape, organizations are confronted with increasing challenges to stay ahead of emerging vulnerabilities, including critical issues such as the OpenSSH vulnerability (CVE-2024-6387). In response to these urgent threats, RedSeal unveiled its latest release, designed to empower customers with advanced tools for enhancing network integrity and safeguarding sensitive data.

The newly launched update not only addresses immediate security concerns but also introduces significant improvements in usability through a redesigned interface and streamlined administration features. With these enhancements, RedSeal ensures that users can navigate the complexities of modern cyber threats with greater confidence and efficiency.

What’s New?


RedSeal Version 10.1.3 is here.

Released on July 29, 2024, Version 10.1.3 of the RedSeal platform tackled the OpenSSH vulnerability (CVE-2024-6387) head-on. This crucial update ensures that your network remains protected against the latest threats, reinforcing our commitment to improving your security posture.

But that’s not all! Earlier in the month, Version 10.1.2 made several modules available in a redesigned user interface (UI) aimed at improving your overall experience:


1. Comprehensive inventory management

Staying informed about your network’s assets is crucial for effective management and security. Our enhanced UI provides a detailed summary of devices, subnets, and hosts, including any new additions. This means you can keep up with changes and ensure that your network inventory is always complete.


2. Advanced network investigation

Understanding the reachability of every asset helps you grasp the full impact of potential threats. With our advanced analysis tools in the enhanced UI, you can visualize the blast radius and perform hop-by-hop analyses with greater ease. This deeper insight allows you to better manage risk and make more informed decisions about how to improve your network’s security.


3. Simplified model administration

Managing your network model efficiently is key to maintaining accurate and up-to-date information. Our streamlined model administration tools in the new UI make it easier to collect data, complete your inventory, and refine your network model, saving you time and reducing complexity.


4. Sophisticated vulnerability management

To help you assess and manage risks more efficiently, the new UI for vulnerability management enables several additional views for prioritization that incorporate insights based on a Zero Trust approach to threats.


We’re committed to continually improving your RedSeal experience and ensuring that you have the tools you need to keep your network secure and resilient. Thank you for being part of our community—your feedback and engagement fuel our innovation!

For more information about RedSeal’s network exposure analytics solutions or to stay informed, please visit redseal.net or reach out to us at hello@redseal.net.

Cyber News Roundup for August 30, 2024

Stay updated with this week’s top cybersecurity stories: The Justice Department is suing the Georgia Institute of Technology over failing to meet Pentagon contract cybersecurity standards. Meanwhile, amateur radio enthusiasts face a million-dollar ransomware attack, and Chinese hackers exploit a zero-day flaw in Cisco appliances. Additionally, a woman cleverly uses an AirTag to catch thieves stealing her mail. Discover more about these incidents and other pressing cybersecurity challenges in today’s roundup.


SonicWall warns of critical access control flaw

SonicWall released a bulletin detailing the vulnerability that impacts SonicOS’s use on its Gen 5, Gen 6, and some Gen 7 firewalls. The vulnerability doesn’t require authentication or user interaction, allowing an attacker to gain access to the device or cause a system crash. SonicWall released a security update and said those unable to install it immediately should disable WAN management access from the internet. While the company didn’t disclose any active exploitation, CISA previously warned about active exploitation of SonicWall vulnerabilities by advanced threat actors. (Bleeping Computer)


FBI taken to task on electronic media security

A recent audit by the Department of Justice’s Office of the Inspector General found three “significant weaknesses” in policies and procedures used by the FBI for managing and disposing of electronic media containing sensitive information. These included not adequately tracking media removed from laptops, failing to consistently label media with classification levels like Top Secret, and inadequate internal access controls with media awaiting destruction. This included pallets of exposed devices sitting unsecured in waste storage facilities. The FBI issued a new directive to address the issues. (Bleeping Computer)


Seattle-Tacoma International Airport hit by cyberattack

The airport confirmed the incident caused an IT systems outage, resulting in delayed flights and issues with its reservation system over the weekend. The Port of Seattle first noticed the problem on August 24th. No group has taken credit for the attack, yet. While IT systems were down, the airport used X to communicate with travelers, recommending using airline websites to check travel information. As of this recording, its website remains down. The FBI confirmed to The Seattle Times that it is working with partners to investigate. (Bleeping Computer)


Volt Typhoon suspected of exploiting Versa bug

Researchers at Lumen Technologies’ Black Lotus Labs discovered an actively exploited zero-day flaw (CVE-2024-39717) affecting the SD-WAN management platform Versa Director. Versa has issued a patch for the vulnerability, and users are urged to upgrade to version 22.1.4 or later. The flaw allows threat actors to execute code by uploading Java files disguised as PNG images.

The researchers found a custom-made web shell designed to exploit the vulnerability, which they attribute to the Chinese threat actor Volt Typhoon. Lumen states, “Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024. The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell.” (Black Lotus, The Register and Ars Technica)


Texas credit union user data exposed in another MOVEit breach

Just when we thought MOVEit breaches had faded from the headlines, a new one has surfaced, this time involving the Texas Dow Employees Credit Union (TDECU). The credit union revealed that over 500,000 members had their personal info compromised, including names, dates of birth, social security numbers, bank account and credit card numbers, as well as driver’s license and taxpayer IDs. The breach occurred over a year ago but was just discovered in July 2024. This raises significant concerns about the credit union’s security measures and the extended exposure of sensitive information. TDECU confirmed the breach was isolated to files transferred via MOVEit and that its internal network security remained intact. (Infosecurity Magazine)


PoC exploit for zero-click vulnerability now available to the masses

A security researcher named “Ynwarcs” has published proof-of-concept exploit code for a critical zero-click remote code execution vulnerability in Windows TCP/IP (CVE-2024-38063). The vulnerability affects all Windows 10, Windows 11, and Windows Server systems that have IPv6 enabled and requires no user interaction. The researcher released the PoC on GitHub. Microsoft said affected orgs should apply the latest security updates and monitor for unusual IPv6 packet activity. (Dark Reading)


Woman uses AirTag to catch thieves stealing her mail

A California woman was tired of having mail stolen from her P.O. box so she took matters into her own hands by mailing herself an AirTag. Santa Barbara County police responded to a report of mail theft the morning of August 19 and were able to track down the AirTag and the suspects in Santa Maria, California. Deputies found the woman’s mail, including the package containing the AirTag, in addition to other items that may have been stolen from more than a dozen victims. Deputies arrested Virginia Franchessca Lara, 27, and Donald Ashton Terry, 37, who were booked on several felonies including possession of fictitious checks, identity theft, credit card theft, and conspiracy. (NPR)


Iran targeting presidential administration officials

CNN reports that a threat group believed to be working at the behest of Iran’s Islamic Revolutionary Guard Corps has targeted officials in both the former Trump and Biden administrations with phishing emails since at least 2022. This included former national security advisor John Bolton and an unnamed ex-diplomat with the Biden administration. Earlier this month the FBI announced it concluded that Iranian-linked attackers successfully attacked the Trump campaign and targeted the Harris campaign with similar tactics. Despite this, U.S. Cyber Command and NSA chief Gen. Timothy Haugh said that the US is “in a really good position” to respond to hacking attempts around the election compared to 2016. He also said he expected to see an increase in hacking activity ahead of the election. (CNN, The Record)


More Telegram arrest warrants in France

According to documents seen by Politico, French authorities also issued an arrest warrant back in March for Telegram co-founder Nikolai Durov, brother of CEO Pavel Durov. The document also showed authorities issued the warrants after Telegram gave “no answer” to judicial requests to identify a Telegram user suspected in a child sex abuse case. This lack of response seems par for the course. The U.S.-based National Center for Missing & Exploited Children, the Canadian Centre for Child Protection, and the U.K.-based Internet Watch Foundation all told NBC News that outreach to Telegram about CSAM issues largely goes ignored.

Additionally, French prosecutors announced they released Pavel Durov from police custody after a 96-hour window for questioning. They plan to have him brought to court for a possible indictment shortly. (Politico, NBC News, AP News)


Hitachi Energy urges SCADA upgrade

In a new security advisory, Hitachi Energy warned customers to update its MicroSCADA X SYS600 power monitoring systems to version 10.6 to mitigate several severe vulnerabilities. Of the two most critical vulnerabilities, one allows an SQL injection attack due to improper validation of user queries, and the other is an argument injection through which attackers could modify system files or applications on the systems. Hitachi Energy said it saw no signs of exploitation and discovered the flaws internally. Hitachi says over 10,000 substations use its MicroSCADA X systems, including critical infrastructure sites like airports, hospitals, railways, and data centers. (Dark Reading)


Mirai botnet variant exploits zero-day in CCTV cameras

Akamai says the Corona Mirai botnet variant is exploiting a zero-day remote code execution vulnerability affecting the brightness function of old CCTV cameras made by AVTECH, the Record reports. The affected camera models have been discontinued for several years, but they’re still widely used in critical infrastructure sectors. CISA issued an advisory on the vulnerability earlier this month, noting that organizations should take the following steps to mitigate the impact:

“Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

“Locate control system networks and remote devices behind firewalls and isolate them from business networks.

“When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.” (Akamai, The Record, CISA)


Telegram CEO Pavel Durov charged in France

Telegram CEO Pavel Durov has been charged in France with several counts related to criminal activity on Telegram and the company’s alleged unwillingness to cooperate with law enforcement, the Associated Press reports. According to the BBC, the charges include “complicity in the administration of an online platform to enable illicit transactions by an organized gang” and “complicity in organised criminal distribution of sexual images of children.” Durov has been released on a €5 million bail but is barred from leaving France. Slate notes that Durov’s arrest has been criticized by free-speech and privacy advocates, particularly concerning the two counts related to “cryptology services” which could “imply that France sees the use of internationally based, unregulated ‘encryption’ services as a crime all its own.” (AP)


DICK’S Sporting Goods suffers cyberattack

The largest chain of sporting goods retail stores in the U.S. has now confirmed that confidential information was exposed in a cyberattack that was detected Wednesday, August 21. An anonymous source quoted by BleepingComputer said that email systems had been shut down, and all employees had been locked out of their accounts. IT staff is now manually validating employees’ identities on camera before they can regain access to internal systems. Phone lines at local stores are also down due to the incident. (BleepingComputer)


Hacking Microsoft Copilot Is “scary easy”

One of the more intriguing presentations at Black Hat this month was from security researcher Michael Bargury, a former senior security architect in Microsoft’s Azure Security CTO office and now co-founder and chief technology officer of Zenity. He demonstrated how attackers can use Copilot to search for data, exfiltrate it without producing logs, and socially engineer victims to phishing sites even if they don’t open emails or click on links. Much of this has to do with modifying the behavior of bots, which Microsoft refers to as “copilots,” through prompt injection. Based on Copilot’s visibility deep into the enterprise, including emails, messaging applications, and much more, it is an attractive target for malicious actors, he said. A detailed description of his findings is available at DarkReading. The link is available in the show notes to this episode. (Dark Reading)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts


Tales from the Trenches: Navigating the Complexities of Vulnerabilities and Exposure

Today’s Tales from the Trenches is brought to you by Brad Schwab, Senior Security Solutions Consultant.

Navigating the complexities of cybersecurity tools can be a challenge. At RedSeal, we turn this challenge into an opportunity, enabling you to harness the full power of our platform to strengthen your security posture. Our solution offers a single source of truth for your network cyber terrain through four core pillars:

  • Network visualization
  • Attack path management
  • Risk prioritization
  • Continuous compliance

Today, let’s dive into one of our standout features—the Risk tab—and explore how we can use our Risk Management Methodology of Discover, Investigate, and Act to transform your risk management strategy.

For many new users, the Risk tab’s heat map, with its vibrant, color-coded indicators, may appear a bit noisy. However, this visual tool is designed to streamline your risk prioritization and attack path management process. To help you better understand the Risk tab intuitively, during onboarding we’ll first guide you through RedSeal concepts of business value, exposure, and downstream risk. This clarity is crucial to understanding an exposure-based approach to vulnerability prioritization and mitigation.

Once you’re acquainted with the basics, the Risk tab’s heat map becomes a powerful asset. Its primary purpose is to help you prioritize remediation efforts based on your as-built network design—most likely revealing unexpected access. Each box on the map represents a network host, with its customizable color and size indicating risk levels specific to your network environment’s segmentation. By clicking on any host, you unlock detailed information about vulnerabilities and the access deeper into the network they grant—downstream risk. This ensures that the Risk Map adapts to your specific needs, allowing you to Discover, Investigate, and Act on risk in ways that are most relevant to your organization.

Why is this important? Because effective risk prioritization not only enhances your cybersecurity posture, but also shows segmentation exposure, and optimizes your response strategies—saving time and resources. At RedSeal, we are committed to empowering you to make a real difference in your cybersecurity efforts. With RedSeal automation, we enable your teams to free up time spent on weeks-long, inaccurate manual tasks and perform them in seconds—with 100% accuracy.

We know that even the most sophisticated tools are only as effective as your ability to use them. Today, we’ve spotlighted the Risk tab—essential for transforming and mitigating risk. Through this crucial feature of RedSeal, you’re empowered to quickly and efficiently discover vulnerabilities, investigate for an optimal response, and allocate resources to act.

Reach out to RedSeal or schedule a demo today for a personalized walkthrough and discover how RedSeal can revolutionize your approach to cybersecurity.

Cyber News Roundup for August 26, 2024

Start this week in the know on the latest in cyber news. We’ve got headlines from around the globe to keep you informed, from the Justice Department taking the Georgia Institute of Technology to court over cybersecurity breaches related to Pentagon contracts, amateur radio enthusiasts reeling from a million-dollar ransomware attack, and Chinese hackers exploiting a zero-day flaw in Cisco appliances. Additionally, Halliburton faces operational disruptions following a cyberattack, and the Kremlin deals with a contentious DDoS incident affecting multiple digital platforms.

Discover more about these incidents and other pressing cybersecurity challenges in today’s update.


Justice Department sues Georgia Tech over Pentagon contract cybersecurity standards

The Justice Department is suing the Georgia Institute of Technology and an affiliated company for allegedly failing to meet required cybersecurity standards for Pentagon contracts. The lawsuit, backed by the False Claims Act, purports that Georgia Tech’s Astrolavos Lab did not develop a proper system security plan as mandated by the Department of Defense, and falsely reported their cybersecurity assessment to the Pentagon. Despite implementing a plan in February 2020, the lab reportedly failed to cover all necessary devices. The whistleblower lawsuit, filed by two former Georgia Tech cybersecurity team members, alleges a lack of enforcement of cybersecurity regulations at the university. Georgia Tech disputes the claims, stating that the lawsuit misrepresents their commitment to innovation and integrity, and insists there was no breach or data leak involved. (Cyberscoop)


Ham radio enthusiasts pay a million dollar ransom

The ARRL (American Radio Relay League) is a national association for amateur radio enthusiasts in the United States. A letter to their members says that in early May 2024, ARRL’s network was compromised by threat actors (TAs) using dark web-purchased information. The attackers infiltrated both on-site and cloud-based systems, deploying ransomware across various devices, from desktops to servers. The highly coordinated attack took place on May 15, leading to significant disruption. Despite ARRL being a small non-profit, the attackers demanded a multi-million-dollar ransom. After tense negotiations, ARRL paid a $1 million ransom, largely covered by insurance. The organization quickly formed a crisis management team and involved the FBI, who categorized the attack as uniquely sophisticated. Most systems have been restored, with Logbook of The World (LoTW) back online within four days. ARRL is now simplifying its infrastructure and establishing an Information Technology Advisory Committee to guide future IT decisions. (ARRL)


Chinese threat actor exploited Cisco zero-day

Researchers at Sygnia warn that the China-aligned threat actor Velvet Ant exploited a zero-day vulnerability (CVE-2024-20399) affecting on-premises Cisco Switch appliances. The flaw, which was patched last month, “allows an attacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the Linux underlying operating system.” Velvet Ant exploited the vulnerability to “deploy tailored malware, which runs on the underlying OS and is invisible to common security tools.” (Cisco)


Halliburton takes systems offline following cyberattack

The oil field services company informed regulators and the media on Friday about a recent cyberattack that “necessitated the shut-down of certain systems.” The attack happened on Wednesday and affected operations at its headquarters in Houston. According to the 8-K report submitted on Thursday to the SEC, the company said hackers “gained access to certain of its systems.” (The Record)


Kremlin complains of DDoS attack, digital experts not so sure

Disruptions that occurred on Wednesday for some Russian users of WhatsApp, Telegram, Skype, Discord, Twitch, Wikipedia, Steam and even PornHub, are being blamed by the Russian internet regulator Roskomnadzor on a DDoS incident targeting Russian telecom operators. Local digital experts disagree with this statement, arguing that it is impossible to organize a DDoS attack on all 2,000 Russian telecom operators simultaneously. Stanislav Shakirov, co-founder and technical director of the Russian digital rights organization Roskomsvoboda, suggested that the regulator “likely tried to block Telegram, which inadvertently impacted other services.” (The Record)


Windows Recall to reappear

Microsoft is deploying an updated version of its Recall feature, which had been initially announced this spring and immediately derided by industry analysts as a keylogger or spyware. The idea behind Recall was to take snapshots of a user’s desktop every few seconds as a tool for keeping track of things. It was removed from the widespread Copilot+ PC release on June 13, but is now being deployed to testers in the coming weeks. Microsoft has not fully clarified how the new version will differ but has said it will include “just in time” decryption and that Windows Insiders would need a Copilot+ PC. (The Register)


Two years later, Log4Shell still being exploited

This is according to researchers at Datadog Security Labs. “Cybercriminals are still finding targets for Log4Shell exploits that evade detection and plant malware scripts on unpatched corporate systems.” This is due to vulnerabilities that remain unpatched even though fixes have been made available. “Security experts have warned that eradicating the problem will be a long, laborious process because of software dependencies and so-called ‘transitive dependencies’ that make patching very difficult.” Datadog, for example, has noted nation-state APT actors linked to China, Iran, North Korea and Turkey using obfuscated LDAP requests (LDAP being the directory protocol used by Active Directory) to evade detection, leading to the execution of malicious scripts on compromised systems. (Security Week)


Mandiant uncovers a privilege escalation vulnerability in Microsoft Azure Kubernetes Services

A privilege escalation vulnerability in Microsoft Azure Kubernetes Services (AKS) could have allowed attackers to access sensitive information, such as service credentials used by the cluster, Mandiant reports. The issue affected AKS clusters using Azure CNI for network configuration and Azure for network policy. Attackers with command execution in a pod within the cluster could exploit this vulnerability to download cluster node configurations, extract TLS bootstrap tokens, and access all secrets in the cluster. The flaw could be exploited even without root privileges or hostNetwork enabled. Microsoft resolved the issue after being notified. Mandiant highlights the risk of Kubernetes clusters lacking proper configurations, as attackers could use this vulnerability to compromise the cluster, access resources, and even expose internal cloud services. The flaw also allowed attackers to use the TLS bootstrap token to gain broader access to cluster secrets. (SecurityWeek)


Configuration flaw may affect thousands of apps using AWS ALB

Miggo Research has discovered a critical configuration flaw potentially affecting up to 15,000 applications that use AWS Application Load Balancer (ALB) for authentication. The researchers explain, “First, the attacker creates their own ALB instance with authentication configured in their account. The attacker then uses this ALB to sign a token they fully control. Next, the attacker alters the ALB configuration and sets the issuer field to the victim’s expected issuer. AWS subsequently signs the attacker’s forged token with the victim’s issuer. Finally, the attacker uses this minted token against the victim’s application, bypassing both authentication and authorization.”

To mitigate this risk, Miggo says AWS customers should:

  1. “Verify that every application using the ALB authentication feature checks the token signer.
  2. “Restrict your targets to accept traffic only from your Application Load Balancer.”

AWS has updated its documentation to include this guidance, but it’s up to the customers to make the recommended changes. (Miggo)
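The first of Miggo’s two mitigations is something application code has to do itself: before trusting the identity token the ALB forwards, confirm that the token was signed by your own load balancer, not merely by AWS. The check below is an added example written for this roundup; it is not Miggo’s or AWS’s code. It assumes the forwarded token is a compact JWT (as the `x-amzn-oidc-data` header carries) whose header names the signing load balancer in a `signer` field, and it delegates cryptographic signature verification to a callback so the block runs offline. The load balancer ARN, key id, issuer and claims are constructed sample values.

```python
"""Defender-side validation of an ALB-forwarded identity token.

Added example (not Miggo's or AWS's code). Implements the mitigation from the
text: compare the token header's ``signer`` with the ARN of *your* ALB. In
production ``verify_signature`` fetches the ES256 public key for ``kid`` from
the regional ALB public-key endpoint and verifies the ECDSA signature; here a
constructed stand-in is used so the block runs offline.
"""
import base64
import json
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed placeholder: the ARN of the ALB that fronts this application.
EXPECTED_SIGNER = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                   "loadbalancer/app/example-alb/0123456789abcdef")
# Constructed placeholder: an attacker-owned ALB in the same account region.
ATTACKER_SIGNER = ("arn:aws:elasticloadbalancing:us-east-1:999999999999:"
                   "loadbalancer/app/attacker-alb/ffffffffffffffff")

SignatureVerifier = Callable[[str, bytes, bytes], bool]


class TokenRejected(Exception):
    """Raised when the forwarded identity token must not be trusted."""


def _b64url_decode(segment: str) -> bytes:
    # Tokens may arrive with or without '=' padding; normalise before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def split_token(token: str) -> Tuple[Dict, Dict, bytes, bytes]:
    """Return (header, payload, signing_input, signature) of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload, f"{parts[0]}.{parts[1]}".encode(), _b64url_decode(parts[2])


def validate_alb_token(token: str, verify_signature: SignatureVerifier,
                       expected_signer: str = EXPECTED_SIGNER,
                       now: Optional[float] = None) -> Dict:
    """Validate a forwarded token and return its claims, or raise TokenRejected."""
    header, payload, signing_input, signature = split_token(token)
    # 1. Signer check (the mitigation from the text). A token minted through an
    #    attacker-controlled ALB carries that ALB's ARN here regardless of the
    #    issuer it names, so this comparison is what defeats the forgery.
    if header.get("signer") != expected_signer:
        raise TokenRejected(f"unexpected signer {header.get('signer')!r}")
    # 2. Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "ES256" or not header.get("kid"):
        raise TokenRejected("unexpected alg or missing kid")
    # 3. Signature check keyed by kid (regional public key in production).
    if not verify_signature(header["kid"], signing_input, signature):
        raise TokenRejected("bad signature")
    # 4. Expiry lives in the token header for ALB-issued tokens.
    if header.get("exp", 0) <= (now if now is not None else time.time()):
        raise TokenRejected("token expired")
    return payload


def build_token(header: Dict, payload: Dict, signature: bytes) -> str:
    """Assemble a compact token for the demo; the signature bytes are constructed."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(signature)])


DEMO_SIG = b"\x01" * 64  # constructed stand-in for a 64-byte ES256 signature


def demo_verifier(kid: str, signing_input: bytes, signature: bytes) -> bool:
    # Constructed stand-in for ECDSA verification: accepts the demo signature.
    # It deliberately accepts the forged token too, mirroring the real attack,
    # where AWS itself signs the token so the signature *is* valid.
    return kid == "demo-kid" and signature == DEMO_SIG


def demo(now: float = 1_700_000_000) -> Dict:
    """Validate one legitimate and one forged token; return the outcomes."""
    common = {"alg": "ES256", "kid": "demo-kid", "client": "client-id",
              "iss": "https://idp.example.com", "exp": now + 900}
    claims = {"sub": "alice", "email": "alice@example.com"}
    good = build_token({**common, "signer": EXPECTED_SIGNER}, claims, DEMO_SIG)
    # Forged: attacker's ALB, but issuer set to the victim's expected issuer.
    forged = build_token({**common, "signer": ATTACKER_SIGNER}, claims, DEMO_SIG)
    results = {"legitimate": validate_alb_token(good, demo_verifier, now=now)}
    try:
        validate_alb_token(forged, demo_verifier, now=now)
        results["forged"] = "accepted"
    except TokenRejected as exc:
        results["forged"] = str(exc)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The forged token in `demo()` carries a valid signature and the victim’s own issuer, exactly the situation the text describes, and is still rejected because the `signer` comparison runs first. Miggo’s second mitigation, restricting targets to accept traffic only from the ALB, is a security-group change rather than application code, and is what stops an attacker from bypassing the load balancer and presenting the token to the target directly.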


Feds tapping into encrypted messaging haul

According to a review of court records by 404 Media, US law enforcement agencies ramped up access to encrypted chat messages obtained as part of a trove of messages from European agencies from the phone company Sky back in 2021. Records show no indication that US agencies have bulk access to this data; rather, it was received from European partners for particular people under investigation. It’s unclear how authorities obtained this trove of messages, but Sky itself claimed someone created a fake version of the app and sold phones loaded with it on “unauthorized channels.” The cases profiled by 404 Media all involved prosecutions involving narcotics smuggling and distribution. (404 Media)


Microchip Technology hit by cyberattack

The US chipmaker reported to the Securities and Exchange Commission that “potentially suspicious activity” over the weekend inhibited the use of “certain servers and some business operations.” As of this recording, it says it’s still operating “at less than normal levels,” with order volume impacted. Its response to the incident sounds bog-standard: isolating impacted systems, shutting down services, and calling in third-party experts to help investigate. No other specifics on who orchestrated the attack have been given, but we’ll follow up as more details come to light. (The Record)


Poisoning LLMs to create insecure code

At the USENIX Security Symposium, a team of academic researchers presented details of CodeBreaker, a set of techniques to poison large language model training sets to make them more likely to suggest vulnerable code. This saw the researchers systematically create code samples that don’t register as malicious with static analysis tools. This builds on previous research that used malicious code in comments and split workloads to introduce vulnerabilities to the training set. Of course, this kind of poisoning isn’t new. Research has previously found malicious code popping up in StackOverflow tutorials. And given the lack of quality control when ingesting code scraped from the internet, vulnerable code suggestions are already a reality in these training sets. (Dark Reading)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

The Critical Role of Asset Inventory in Modern Network Security

Accurate asset inventory is not just a good practice—it’s a necessity. With increasing frequency, news headlines reveal the fallout from data breaches, ransomware attacks, and other cyber threats that exploit gaps in network visibility. We’ve found that 76% of organizations believe they have an accurate understanding of their network infrastructure, yet in RedSeal deployments we find, 100% of the time, network devices, subnets, or paths that aren’t in the model. Security professionals know they need to be aware of assets within their environment, but how?

Bringing all assets and connections into a cohesive interactive model

Proper asset inventory is the backbone of effective network security. It ensures that every device, endpoint, and resource within your network is documented, tracked, and assessed for risk. RedSeal provides meticulous documentation of a network’s assets, while keeping the information current and complete. Without a comprehensive and up-to-date inventory, you risk vulnerabilities that can be exploited by attackers.

What can you do with RedSeal?

  • Comprehensive discovery: RedSeal actively discovers and inventories all Layer 2 and Layer 3 network devices and endpoints, covering both IPv4 and IPv6 connected assets. This broad scope ensures that no device is left unaccounted for.
  • Cloud and SDN integration: In a world where cloud platforms and Software-Defined Networks (SDNs) are prevalent, RedSeal extends its reach to discover and inventory resources across multiple cloud environments and SDNs.
  • Business value assignment: RedSeal allows you to assign business value to assets, which can be done either automatically or manually. This feature is crucial for prioritizing risk analysis and understanding the potential impact of asset-related vulnerabilities.
  • Stale device identification: RedSeal helps identify stale devices, hosts, and credentials that may pose security risks, ensuring that your network remains clean and secure.
  • Data consolidation: Import, consolidate, deconflict, and store host data from various sources, including name, location, OS, access, installed patches, and applications. This consolidated view simplifies management and improves accuracy.
  • Missing device detection: RedSeal detects potentially missing devices and hosts not reflected in the current network model, helping you maintain an accurate and complete inventory.

Recent insights

Recent reports highlight how companies have faced severe security breaches due to incomplete asset inventories. For instance, the MOVEit cyberattacks, one of the largest data thefts of 2023, underscore the urgent need for robust asset management practices: more than 2,000 organizations, including New York City’s public school system and the payroll solutions used by British Airways and the BBC, found themselves at the center of the widespread attack.

The RedSeal advantage

In an era where cyber threats are becoming more sophisticated, maintaining an accurate and comprehensive asset inventory is non-negotiable. From automatically discovering devices and creating a network inventory, to continuously monitoring the completeness and health of that inventory, to accelerating capacity planning, disaster recovery, and new security design, RedSeal provides the tools necessary to ensure your network model reflects the full extent of your assets, helping you stay secure and resilient in a challenging landscape. Reach out to RedSeal or schedule a demo today to learn how to bolster your cybersecurity efforts and make the strategic move that promises long-term benefits and peace of mind.

Cyber News Roundup for August 16, 2024

This week, CISA issues warnings about Cisco device vulnerabilities, while APT42 targets U.S. presidential campaigns. A Tennessee man is arrested for aiding North Korean IT schemes, and a severe CPU flaw from AMD raises alarms. Plus, GPS spoofing hacks are grounding commercial airliners, researchers uncover flaws in Georgia’s voter portal, and ransomware operators exploit ESXi hypervisors for mass encryption. We’ve rounded up the highlights from this week’s headlines on critical issues shaping the digital security landscape.

 

CISA warns of actively exploited Cisco devices

CISA has warned organizations that threat actors are exploiting improperly configured Cisco devices, specifically targeting the legacy Cisco Smart Install (SMI) feature. Attackers are using it to retrieve system configuration files, which can lead to wider network compromise. Smart Install answers unauthenticated on TCP port 4786 and can be turned off on devices that do not need it with the global command `no vstack`. CISA also noted the continued use of weak password storage types on Cisco devices, which leaves them open to password-cracking attacks; type 7 strings are reversible obfuscation rather than encryption, and type 5 (salted MD5) secrets crack quickly offline, so CISA recommends moving to type 8 (PBKDF2) or type 9 (scrypt) secrets. Separately, Cisco disclosed critical vulnerabilities in its end-of-life Small Business SPA IP phones that can be exploited remotely but will not receive patches. (SecurityWeek)
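To make the two findings in CISA’s alert concrete, here is an added example (not RedSeal’s or CISA’s code) that audits a Cisco IOS running-config for an enabled Smart Install client and for type 0, 7 and 5 credentials, and reverses any type 7 strings it finds using Cisco’s long-public XOR key. The sample configuration and its hash strings are constructed for the example.

```python
"""Audit a Cisco IOS running-config for the issues in CISA's alert:
Smart Install left enabled, and weak password storage types.
Added example; not RedSeal's or CISA's code."""
import re

# Cisco's fixed type 7 XOR key (public for decades); type 7 is obfuscation, not encryption.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches 'enable password ...', 'username X password 7 ...', 'enable secret 5 ...', etc.
# The optional digit is the storage type; when absent IOS means type 0 (cleartext).
CRED_RE = re.compile(r"\b(password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")


def decode_type7(encoded: str) -> str:
    """Reverse a 'password 7 <hex>' string.

    The first two characters are a decimal offset into TYPE7_KEY; each
    following byte is XORed with the key character at that rotating offset.
    """
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])) for i, b in enumerate(body)
    )


def audit_config(config_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, severity, message) findings; line 0 = global setting."""
    findings = []
    lines = config_text.splitlines()

    # Smart Install (vstack) is on by default on many Catalyst switches and
    # serves config to anyone reaching TCP/4786; only an explicit 'no vstack'
    # disables it.
    if not any(line.strip() == "no vstack" for line in lines):
        findings.append((0, "high",
                         "Smart Install not disabled: add 'no vstack' unless this device must be an SMI client"))

    for num, line in enumerate(lines, start=1):
        m = CRED_RE.search(line.strip())
        if not m:
            continue
        keyword, ptype, value = m.group(1), m.group(2) or "0", m.group(3)
        if ptype == "0":
            findings.append((num, "high", f"{keyword} stored in cleartext (type 0)"))
        elif ptype == "7":
            findings.append((num, "high",
                             f"type 7 {keyword} is reversible: decodes to {decode_type7(value)!r}"))
        elif ptype == "5":
            findings.append((num, "medium",
                             "type 5 (salted MD5) secret is fast to crack offline; migrate to type 8 or 9"))
        # type 8 (PBKDF2-SHA256) and type 9 (scrypt) are the recommended storage types
    return findings


# Constructed sample config; the hash values are placeholders, not real secrets.
SAMPLE_CONFIG = """\
hostname edge-sw1
service password-encryption
!
enable password 7 094F471A1A0A
username admin privilege 15 password letmein
username ops secret 5 $1$nTc1$Z28sUTcWfXlvVe2x.3XAa.
username svc secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxwLc
!
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for line_no, severity, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no:>2} [{severity}] {msg}")
```

Note that `service password-encryption` only converts cleartext passwords to type 7, so it silences the type 0 finding without removing the exposure; the fix is `enable secret 9 ...` / `username ... secret 9 ...` (type 8 on platforms without scrypt support).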

 

Iran’s APT42 targets US presidential campaigns

Google’s Threat Analysis Group (TAG) has published a report on the Iran-aligned threat actor APT42’s targeting of US presidential campaigns. Google confirms that APT42 has targeted both the Trump and Biden-Harris campaigns with spearphishing attacks: “In May and June, APT42 targets included the personal email accounts of roughly a dozen individuals affiliated with President Biden and with former President Trump, including current and former officials in the U.S. government and individuals associated with the respective campaigns. We blocked numerous APT42 attempts to log in to the personal email accounts of targeted individuals.” TAG adds that the group “successfully gained access to the personal Gmail account of a high-profile political consultant.” The researchers note that APT42 has also ramped up its phishing attacks against users in Israel, targeting “people with connections to the Israeli military and defense sector, as well as diplomats, academics, and NGOs.” (Google)

 

Tennessee man arrested for alleged participation in North Korean employment scheme

The US Justice Department has arrested a man in Nashville, Tennessee, for allegedly helping North Korean IT workers get remote jobs at companies in the US and the UK. Matthew Isaac Knoot is accused of running a “laptop farm” to make the North Korean workers appear as if they were located in the US. The Justice Department stated, “The victim companies shipped laptops addressed to ‘Andrew M.’ to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers. The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that ‘Andrew M.’ was working from Knoot’s residences in Nashville. For his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di.”

The Justice Department says North Korea’s remote IT workers “have been known [to] individually earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s UN-prohibited WMD programs.” (DOJ)

 

Researchers find flaws in Georgia voter portal

Security researcher Jason Parker alerted ProPublica and Atlanta News First to a flaw in a portal run by the Georgia Secretary of State’s Office that would allow someone to submit a voter cancellation request for anyone in the state. Parker said they attempted to contact the Secretary of State’s Office but did not receive a response. The portal launched on July 29th and had already drawn attention for exposing driver’s license numbers. Parker found that by editing the portal’s HTML in the browser, anyone could remove the client-side code requiring a driver’s license number and proceed to request a voter cancellation, a reminder that validation enforced only in the browser is not a control. The state eventually patched the issues, but security researcher Zach Edwards told ProPublica, “It’s shocking to have one of these bugs occur on a serious website.” (ProPublica)

 

AMD SinkClose flaw helps install nearly undetectable malware

Chip maker AMD has warned of a high-severity CPU vulnerability named SinkClose. It affects multiple generations of EPYC, Ryzen, and Threadripper processors and allows an attacker who already holds kernel-level (Ring 0) privileges to reach Ring -2 (System Management Mode) and install malware that is nearly undetectable from the operating system and survives reinstallation. For context, “Ring -2 is one of the highest privilege levels on a computer, running above Ring -1 (used for hypervisors and CPU virtualization) and Ring 0, which is the privilege level used by an operating system’s Kernel.” SinkClose apparently went undetected for almost 20 years. (BleepingComputer)

 

Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption

Microsoft has also uncovered a vulnerability in ESXi hypervisors (CVE-2024-37085) which it says is being exploited by “several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors.” The vulnerability “involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation.” Microsoft disclosed the findings to VMware and recommends that administrators apply the updates released by VMware. (Microsoft)

 

GPS spoofers hack clocks on commercial airliners

The relatively recent phenomenon of GPS spoofing involves attackers broadcasting counterfeit GPS signals that override the genuine ones commercial airliners use to navigate. The technique is also used to disorient drones and missiles in conflict zones. But now, according to Ken Munro, founder of British cybersecurity firm Pen Test Partners, speaking recently at DEF CON, spoofed signals are shifting the time and date on aircraft cockpit clocks, sometimes by years, causing the aircraft to lose access to its encrypted digital communication systems and requiring it to be grounded for weeks while engineers manually reset the onboard systems. (Reuters)

 

At Defcon, researchers reveal significant vulnerabilities in Google’s Quick Share

At Defcon 32, researchers Or Yair and Shmuel Cohen from SafeBreach revealed significant vulnerabilities in Google’s Quick Share, a peer-to-peer file transfer utility for Android, Windows, and Chrome OS. Quick Share uses various protocols like Bluetooth and Wi-Fi Direct, but these were not originally designed for file transfers. The researchers identified ten vulnerabilities, including a critical Remote Code Execution (RCE) flaw on Windows systems, dubbed QuickShell. This RCE exploit combines five of the vulnerabilities, allowing attackers to bypass security controls and take full control of target devices. The flaws also enable attackers to force file downloads and hijack Wi-Fi connections. Google has acknowledged the seriousness of these issues, assigning CVEs to two of the vulnerabilities. (Hack Read)

 

U.S. operation of “laptop farm” for North Korea shut down

Tennessee resident Matthew Isaac Knoot has been arrested for allegedly running a ‘laptop farm’ to help North Korean IT workers secure remote jobs with American companies. Here’s how the scheme worked: Knoot would steal the identities of U.S. citizens and pose as U.S.-based IT professionals. Once hired, the company would send the work laptop to Knoot’s home, which he then gave the North Koreans access to, allowing them to log in remotely. If convicted, Knoot could face up to 20 years in prison, including a mandatory minimum of two years for aggravated identity theft. (Security Week)

 

Millions on the line as AI Teams advance in security challenge

Ninety teams competed at DEF CON over the weekend in the Artificial Intelligence Cyber Challenge hosted by the U.S. government’s Defense Advanced Research Projects Agency (DARPA) to develop autonomous tools that can find and fix vulnerabilities in open-source software. Twenty-two unique vulnerabilities were discovered in major open-source programs like the Linux kernel, with 15 automatically patched.  The seven finalists are now tasked with building out their AI systems before the final competition at the 2025 DEF CON, with nearly $30 million up for grabs in prize money. (CyberScoop)

 

South Korean government says North Korean hackers stole tank and spy plane information

The South Korean government says North Korean hackers stole sensitive information on South Korea’s tanks and spy planes, BleepingComputer reports. The spy plane data was reportedly stolen from a South Korean defense contractor that produces operating manuals for military equipment. BleepingComputer cites local media reports as saying that “the leakage of the K2 tank data occurred when engineers working on one of the tank’s part makers moved to a competing company, taking along with them in external storage drives design blueprints, development reports, and details about the tank’s overpressure system.” (People Power Party, Bleepingcomputer)

 

NIST finalizes post-quantum encryption standards 

On Tuesday, the National Institute of Standards and Technology (NIST) published three finalized post-quantum cryptography standards to protect against future attacks using quantum computers. FIPS 203 specifies ML-KEM (derived from CRYSTALS-Kyber), a key-encapsulation mechanism for general encryption; FIPS 204 specifies ML-DSA (derived from CRYSTALS-Dilithium) and FIPS 205 specifies SLH-DSA (derived from SPHINCS+), both for digital signatures. The standards are published on NIST’s post-quantum cryptography (PQC) project website. Dustin Moody, head of the PQC project, urges security practitioners to begin using the new algorithms immediately to keep their data secure. (Dark Reading)

 

Orion loses $60 million in BEC scam

Luxembourg-based Orion, a leading supplier of carbon black (a material used in tires, ink, batteries, and plastics), was tricked into making several wire transfers through a Business Email Compromise (BEC) attack. According to documents filed with the Securities and Exchange Commission (SEC), a non-executive employee “was the target of a criminal scheme that resulted in multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties.” Orion expects to record “a one-time pre-tax charge of approximately $60 million” if the funds are not recovered. (The Record)

 

Azure AI health bot infected with critical vulnerabilities

Multiple privilege escalation issues in Microsoft’s cloud-based Azure Health Bot service exposed the platform to server-side request forgery (SSRF) and, from there, to access to other tenants’ resources. The Azure AI Health Bot Service enables healthcare organizations to build their own virtual health assistants to interact with patients and manage administrative workloads. Depending on the nature of the integration, the chatbots could potentially have privileged access to extremely sensitive health information. Researchers at Tenable, who identified the issues, said that although Microsoft quickly patched the vulnerabilities, they showcase inherent concerns about chatbot risks. (Dark Reading)

 

Palo Alto Networks patches several vulnerabilities

Palo Alto Networks has issued patches for several vulnerabilities, including the high-severity CVE-2024-5914, a command injection flaw in the Cortex XSOAR CommonScripts content pack that allows an unauthenticated attacker to execute commands in certain configurations; it is fixed in CommonScripts version 1.12.33 and later. Updates were also released for Prisma Access Browser, addressing over 30 vulnerabilities in the underlying Chromium-based browser. Two medium-severity flaws were patched as well, impacting PAN-OS and the GlobalProtect app. Palo Alto Networks says it is not aware of any active exploitation of these vulnerabilities. (SecurityWeek)

 

Microsoft patches zero-click RCE vulnerability

Microsoft has issued a patch for a zero-click remote code execution vulnerability (CVE-2024-38063) that affects all Windows machines with IPv6 enabled, which it is by default, BleepingComputer reports. Microsoft says “[a]n unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution.” The vulnerability was discovered by a researcher at Kunlun Lab, who noted that the bug is triggered before the packet reaches the Windows firewall, so host firewall rules do not mitigate it. There is no evidence of exploitation so far, but Microsoft has given the flaw its “Exploitation more likely” label. Users are urged to update Windows as soon as possible, or to disable IPv6 until the patch can be applied, bearing in mind that disabling IPv6 can break services that depend on it. (BleepingComputer)

 

Massive cyberattack hits Central Bank of Iran and other Iranian banks

News agency Iran International has reported a massive cyberattack that disrupted the operations of the Central Bank of Iran (CBI) along with several other banks in the country, disabling many banks’ computer systems. As reported in Security Affairs, “this incident coincides with intensified international scrutiny of Iran’s operations in the Middle East,” amid announcements from Tehran regarding attacks on Israel as well as its widely reported attempts to influence the upcoming U.S. presidential election. According to the news agency, this is one of the largest cyberattacks on Iran’s state infrastructure to date. (Security Affairs)

 

Kim Dotcom to be extradited from New Zealand

After a 12-year fight, the infamous Kim Dotcom is being extradited to the U.S. to face criminal charges relating to the operation of his now-closed file-sharing website Megaupload. Dotcom, whose real name is Kim Schmitz, holds Finnish and German nationalities and has been living in New Zealand; he has faced numerous charges since the mid-1990s for computer fraud, data espionage, and other offenses. U.S. authorities say, “Dotcom and three other Megaupload executives cost film studios and record companies more than $500 million by encouraging paying users to store and share copyrighted material, which generated more than $175 million in revenue for the website.” (Reuters)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Analyst Report: Using RedSeal Hybrid Network Security and Compliance in Healthcare

The cyber threat landscape and regulatory compliance requirements in healthcare continue to grow. This report from the analysts at TAG Infosphere offers an in-depth look at how healthcare organizations can minimize complexity, enhance security controls, and reduce risk in their hybrid networks.

Inside, you’ll learn:

  • 10 questions to ask when evaluating commercial platforms for use in a healthcare network—and how RedSeal scores
  • What healthcare cyber practitioners think about using network models to make security decisions
  • How RedSeal works to continuously validate inventory, configurations, and segmentation and provide a quantitative measurement of enterprise risk

Click here to download the full report and schedule a demo today.

Cyber News Roundup for August 5, 2024

Start your week in the know.

Last week’s cyber headlines bring news from Delta Air Lines CEO Ed Bastian stating the recent CrowdStrike outage cost the company $500 million in damages plus CrowdStrike is also being sued by shareholders over the outage. In healthcare news—OneBlood, a major blood donation nonprofit, sustained a ransomware attack disrupting its operations, and has asked hospitals to activate critical blood shortage protocols. Additionally, researchers in the Netherlands report a significant increase in cyberattacks on the shipping industry, with 64 incidents in 2023 compared to just three in 2013. HealthEquity is notifying 4.3 million people of a data breach that compromised personal and health information due to a third-party vendor. A phishing campaign dubbed “EchoSpoofing” exploited weak permissions in Proofpoint’s email protection service, sending millions of fake emails impersonating Fortune 100 companies.

All this and more on this week’s Cyber News Roundup.

 

South Korea investigates reported military intelligence leak

South Korea is investigating a leak that reportedly exposed the identities of its military intelligence agents, the New York Times reports. South Korean media reported that the leak, which includes the identities of agents operating under civilian cover, may have reached North Korea. NK News cites sources as saying the leak is believed to have occurred “through a personal laptop belonging to a military-civilian public servant in the DIC’s overseas operations department.” The owner of the laptop claims the device was hacked, in which case they would still be guilty of storing classified information on a personal device. Seoul’s defense ministry said in a statement, “[T]he matter is currently under investigation by military authorities, so we cannot provide detailed explanations. Based on the investigation results, the military will handle the matter strictly according to the law and regulations.” (NYT)

 

Cyberattacks in the shipping industry

Researchers at the Netherlands’ NHL Stenden University of Applied Sciences warn that the shipping industry is facing a significant increase in cyberattacks, the Financial Times reports. The sector saw sixty-four attacks in 2023, compared to just three a decade earlier in 2013. More than 80 percent of the attacks recorded since 2001 were attributed to a known threat actor linked to Russia, China, North Korea, or Iran. (FT)

 

4.3 million impacted by HealthEquity data breach

One of the largest HSA providers in the U.S., HealthEquity, is in the process of notifying 4.3 million people that their personal and health information was compromised. The company disclosed that the breach was attributed to a third-party vendor and that threat actors stole PII, including names, social security numbers, and payment information. While HealthEquity did not name the compromised vendor, those impacted should expect to be notified early next month. (Security Week)(Bleeping Computer)

 

Proofpoint exploit allows for millions of fake emails 

This phishing campaign was reeling in the big boys. Dubbed “EchoSpoofing,” this massive phishing campaign exploited now-fixed weak permissions in Proofpoint’s email protection service, which allowed anyone with a Microsoft 365 tenant to relay mail through customers’ Proofpoint outbound servers. The emails impersonated Fortune 100 companies like Disney, Nike, IBM, and Coke, with an average of 3 million fake emails sent daily. Spotting these fakes wasn’t easy: because they left through the impersonated companies’ own authorized relay, they passed Sender Policy Framework (SPF) checks and carried valid DomainKeys Identified Mail (DKIM) signatures, so they looked authentic to receiving mail servers. The security gap was discovered in May and has since been fixed, though BleepingComputer reports the campaign reached a peak of 14 million emails in early June. (Bleeping Computer)

 

PatchNow: CISA adds two ServiceNow critical RCE bugs to catalog

A threat actor has claimed to have harvested email addresses and associated hashes from over 105 ServiceNow databases by exploiting two critical vulnerabilities (CVE-2024-4879 and CVE-2024-5217). These vulnerabilities, with CVSS scores of 9.3 and 9.2 respectively, have been actively exploited, and the stolen data is being offered for sale for $5,000. The US Cybersecurity and Infrastructure Security Agency (CISA) has added both flaws to its Known Exploited Vulnerabilities catalog, mandating that federal agencies patch them by August 19. (Dark Reading)

 

WhatsApp for Windows allows Python to run wild

A security flaw in the latest version of WhatsApp for Windows allows execution of Python and PHP attachments without warning when opened, Bleeping Computer reports.  This primarily affects users with Python already installed, like developers and researchers. The issue is similar to a previous Telegram vulnerability. Despite blocking several risky file types, WhatsApp does not block Python scripts, which can be executed directly from the app. Security researcher Saumyajeet Das discovered this vulnerability and reported it to Meta, but the issue was dismissed as non-applicable. Das criticized this decision, suggesting that simply adding the relevant file extensions to WhatsApp’s blocklist could prevent exploitation. WhatsApp advises users not to open files from unknown sources and has no current plans to fix the issue, leaving users vulnerable to potential attacks. (Bleepingcomputer)

 

Dark Angels receives record-breaking ransom payment

A new report from Zscaler ThreatLabz has revealed that an unnamed company paid a record-breaking $75 million ransom payment to the Dark Angels ransomware gang. Zscaler did share that the company was in the Fortune 50 and that the attack occurred in early 2024. The record-breaking ransom payment was further confirmed on X by crypto intel company, Chainalysis. One Fortune 50 company that suffered a cyberattack back in February is pharmaceutical giant Cencora, ranked #10 on the list. Cencora has not confirmed it made this particular payment. DarkAngels launched in May 2022 and is known for “big game hunting” and using Windows and VMware ESXi ransomware encryptors. Previously, the largest known ransom payment was $40 million shelled out back in 2021 by insurance giant, CNA. (Bleeping Computer)

 

Microsoft services go down… again

On Tuesday, Microsoft once again found itself grappling with service outages, this time seemingly unrelated to Crowdstrike. These issues appear to have affected Microsoft 365 admin center, Intune, Entra, Power Platform, and Power BI in addition to reports of lagging authentication requests taking up to 10 minutes to complete. The company acknowledged the issues and said the outage was caused by an “unexpected usage spike” that “resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds.” Security expert Kevin Beaumont speculated that the issues may have been caused by a botnet-generated, distributed denial of service (DDoS) attack. (ZDNet and Bleeping Computer)

 

CISA warns of actively exploited ServiceNow vulnerabilities

CISA has also added two critical ServiceNow vulnerabilities (CVE-2024-4879 and CVE-2024-5217) to its KEV Catalog, requiring FCEB agencies to patch the flaws by August 19th, the Record reports. ServiceNow issued patches for the vulnerabilities in May and June, and threat actors have been attempting to exploit them since a proof-of-concept exploit was released earlier this month. According to Resecurity, the vulnerabilities “enable unauthenticated remote attackers to execute arbitrary code within the Now Platform, potentially leading to compromise, data theft, and disruption of business operations.” (The Record)

 

Ransomware gangs are exploiting VMware ESXi flaws

Microsoft has warned that several ransomware actors are exploiting a vulnerability (CVE-2024-37085) in ESXi hypervisors that can be used to obtain full administrative permissions. VMware has issued patches for the flaw. Microsoft stated, “Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks. In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. The technique includes running the following commands, which results in the creation of a group named ‘ESX Admins’ in the domain and adding a user to it.” The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to apply patches by August 20th. (Broadcom)
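The detection side of the CVE-2024-37085 technique is straightforward once you know what to look for: a domain group called “ESX Admins” appearing, followed by a member being added to it. The following is an added example (not Microsoft’s, Broadcom’s or RedSeal’s code) that hunts over Windows Security events for exactly that. The event records are constructed dictionaries whose keys mirror the Security log fields (`EventID`, `TargetUserName`, `MemberName`, `SubjectUserName`); it also treats a group-changed event carrying that SAM account name as a rename into the suspect group, which is a design choice here rather than something the page describes.

```python
"""Hunt Windows Security events for the CVE-2024-37085 post-compromise
pattern: a domain group named 'ESX Admins' created (or an existing group
renamed to it) and a member added to it. Added example; not Microsoft's
or RedSeal's code. Field names follow the Security log XML."""
from dataclasses import dataclass
from datetime import datetime, timedelta

SUSPECT_GROUP = "esx admins"

# Group lifecycle event IDs (global / universal scope).
GROUP_CREATED = {4727, 4754}
GROUP_CHANGED = {4737, 4755}   # a rename shows up here, not as a create
MEMBER_ADDED = {4728, 4756}


@dataclass
class Alert:
    severity: str
    reason: str
    actor: str
    when: datetime


def _is_esx_admins(name) -> bool:
    """Case-insensitive match that tolerates a domain prefix like 'CORP\\ESX Admins'."""
    if not name:
        return False
    return name.rsplit("\\", 1)[-1].strip().casefold() == SUSPECT_GROUP


def hunt_esx_admins(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Return Alerts for ESX Admins creation/rename and membership adds.

    A member add by the same actor within `window` of a create/rename is
    raised to 'critical', since that is the complete technique.
    """
    alerts = []
    recent_creates = {}   # actor -> time of the create/rename they performed
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid = ev["EventID"]
        actor = ev.get("SubjectUserName", "?")
        when = ev["TimeCreated"]
        if eid in GROUP_CREATED | GROUP_CHANGED:
            # Assumption: for a changed-group event the new name is in the
            # SamAccountName attribute; fall back to TargetUserName otherwise.
            name = ev.get("SamAccountName") or ev.get("TargetUserName")
            if _is_esx_admins(name):
                verb = "created" if eid in GROUP_CREATED else "renamed/changed"
                alerts.append(Alert("high", f"group 'ESX Admins' {verb} (event {eid})", actor, when))
                recent_creates[actor] = when
        elif eid in MEMBER_ADDED and _is_esx_admins(ev.get("TargetUserName")):
            member = ev.get("MemberName", "?")
            created = recent_creates.get(actor)
            severity = "critical" if created is not None and when - created <= window else "high"
            alerts.append(Alert(severity, f"{member} added to 'ESX Admins' (event {eid})", actor, when))
    return alerts


# Constructed sample: a benign logon, the attack sequence, an unrelated
# group add, and a later rename of a legacy group into 'esx admins'.
T0 = datetime(2024, 7, 29, 3, 12, 0)
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": T0, "SubjectUserName": "j.doe", "TargetUserName": "j.doe"},
    {"EventID": 4727, "TimeCreated": T0 + timedelta(minutes=2), "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "TimeCreated": T0 + timedelta(minutes=3), "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=local"},
    {"EventID": 4728, "TimeCreated": T0 + timedelta(minutes=5), "SubjectUserName": "admin",
     "TargetUserName": "Helpdesk", "MemberName": "CN=new.hire,CN=Users,DC=corp,DC=local"},
    {"EventID": 4737, "TimeCreated": T0 + timedelta(hours=2), "SubjectUserName": "j.doe",
     "TargetUserName": "LegacyOps", "SamAccountName": "esx admins"},
]

if __name__ == "__main__":
    for a in hunt_esx_admins(SAMPLE_EVENTS):
        print(f"{a.when:%Y-%m-%d %H:%M} [{a.severity}] {a.actor}: {a.reason}")
```

In a SIEM this is a one-line query over the same event IDs; the value of the correlation is the severity bump, which separates an attacker staging the group from an administrator who happens to name a group that way. Patching ESXi removes the underlying trust in the group name, but the group’s appearance in AD is still the earliest signal you will get.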

 

Delta dishes on CrowdStrike damages

Just yesterday we mentioned that Delta Air Lines had begun lawyering up for legal action against CrowdStrike. In an update, Delta CEO Ed Bastian laid out the stakes on CNBC for any potential legal action, saying the outage cost the company $500 million in damages. This accounts for lost revenue during the outage as well as compensation and hotels for stranded passengers. Delta canceled over 5,000 flights over a five-day period due to the outage, more than all of its cancellations in 2019. The outage also sparked an investigation by the US Department of Transportation. Bastian said the company has “no choice” but to seek damages from CrowdStrike. (CNBC)

 

CrowdStrike sued by shareholders over outage

CrowdStrike’s shareholders have filed a lawsuit against the company over last week’s outage, accusing CrowdStrike of making “false and misleading” statements about its software testing, the BBC reports. CrowdStrike has denied the allegations and says it will defend itself. Delta Air Lines is also planning to sue CrowdStrike for compensation, CNBC reports. Delta estimates that the outage cost the airline up to $500 million after 7,000 flights were canceled. The company has hired high-profile attorney David Boies to handle the suit. (BBC, CNBC)

 

Ransomware attack disrupts US blood donation nonprofit

OneBlood, a major nonprofit blood donation organization operating in the southeastern US, has sustained a ransomware attack that’s disrupting its ability to provide blood to hospitals, the Record reports. Susan Forbes, OneBlood’s senior vice president of corporate communications, said in a statement, “We have implemented manual processes and procedures to remain operational. Manual processes take significantly longer to perform and impacts inventory availability. In an effort to further manage the blood supply we have asked the more than 250 hospitals we serve to activate their critical blood shortage protocols and to remain in that status for the time being.”

OneBlood added, “To help augment their supply the national blood community is rallying to assist OneBlood and the hospitals and patients it serves. Blood centers across the country are sending blood and platelets to OneBlood, and the AABB Disaster Task Force is coordinating national resources to assist with additional blood products being sent to OneBlood. All blood types are needed, but there is an urgent need for O Positive, O Negative and Platelet donations.” According to CBS News, OneBlood serves 355 hospitals across Florida, Georgia, and the Carolinas. (The Record, CBS)

 
