Recent headlines highlight significant challenges in cybersecurity across the globe. Cloudflare blocked a massive 3.8 Tbps DDoS attack targeting finance and telecom sectors, while Adobe Commerce faces exploitation of critical vulnerabilities. Agence France-Presse experienced disruptions from cyberattacks, and UMC Health in Texas diverted patients due to a ransomware incident. Major providers like Verizon and PlayStation also faced outages. With state Chief Information Security Officers expressing budget concerns, the urgency for robust cybersecurity measures has never been clearer, emphasizing the need for ongoing vigilance in the face of evolving threats.

Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps

This denial-of-service campaign targeted organizations in the financial services, internet, and telecommunications sectors, part of a “month-long barrage of more than 100 hyper-volumetric DDoS attacks flooding the network infrastructure with garbage data.” According to Cloudflare, who successfully blocked the attack, the infected devices used were mostly located in Russia, Vietnam, the U.S., Brazil, and Spain. They consisted of a large number of Asus home routers, Mikrotik systems, DVRs, and web servers. The peak at 3.8 Tbps lasted 65 seconds. (BleepingComputer)

Adobe Commerce and Magento stores compromised by CosmicSting bug

Researchers at Sansec have reported that numerous threat actors have exploited this vulnerability in Adobe Commerce, which comes with a CVSS score of 9.8, and has compromised more than 4,000 e-stores over the past three months. “An attacker could exploit this issue by sending a crafted XML document that references external entities, and exploitation of this issue does not require user interaction.” This vulnerability had been added to the CISA KEV catalog in July of this year. (Security Affairs)

A global news agency suffers a cyberattack

Agence France-Presse (AFP) experienced a cyberattack on September 27, disrupting its content distribution infrastructure, but its core news reporting remains unaffected. The attack targeted AFP’s IT systems, specifically content delivery networks and file transfer services used to deliver news to clients. While the type of attack and the responsible party are still unknown, AFP quickly responded, with the French cybersecurity agency ANSSI assisting in securing the systems. AFP warned clients that their FTP credentials might have been compromised, advising them to update passwords and secure their systems. Despite these technical issues, AFP assured that its newsroom continues to operate without interruptions, delivering news globally in multiple languages. No group has claimed responsibility for the attack so far. (Hackread)

A Texas health system diverts patients following a ransomware attack

UMC Health System in Texas has been diverting patients after a ransomware attack forced them to take their IT systems offline. The incident, disclosed on September 27, led to both emergency and non-emergency patients being diverted to nearby hospitals. UMC launched an investigation and disconnected its systems to contain the breach. By Monday, some services were restored, and only a few patients were still being diverted. UMC’s Emergency Center is now accepting ambulance patients, while other facilities remain open but are not fully operational. The hospital has engaged third-party experts to aid in the recovery process. Downtime procedures have been implemented, and patients are being informed of changes to appointments. UMC continues its efforts to restore services safely and provide updates on the investigation and remediation efforts. (SecurityWeek)

Western Digital patches a critical vulnerability in network attached storage devices

A critical vulnerability, CVE-2024-22170, has been identified in Western Digital’s My Cloud devices, affecting models like My Cloud EX2 Ultra and PR4100. This flaw, with a CVSS score of 9.2, allows attackers to exploit an unchecked buffer in the Dynamic DNS client through a Man-in-the-Middle attack, leading to arbitrary code execution. Western Digital has addressed the issue in a firmware update and urges users to update immediately. The vulnerability poses risks of unauthorized access, data corruption, and system crashes. Western Digital thanks researchers at Claroty for responsibly disclosing the issue.  (CyberSecurity News)

Verizon and PlayStation each suffer outages

On Monday morning, thousands of Verizon users across major U.S. cities, including New York, Los Angeles, and Chicago, experienced widespread cellphone service outages. Over 104,000 reports were logged on Downdetector by 11:30 a.m. Eastern, with the number later dropping to 78,000. Many users reported their phones showing “SOS” mode, preventing calls and messages. Verizon confirmed the issue, with engineers working to resolve it, though the cause was unclear. Simultaneously, the PlayStation Network (PSN) faced a global outage, affecting services like gaming, account management, and the PlayStation Store. Sony is working to fix the issue, which began at 8:41 PM ET, with some services still down, potentially due to overloaded servers. Both outages disrupted users’ daily activities and work. (Bleeping Computer) (The New York Times)

A Crypto Criminal Stretches His Limits—And His Legs 

And finally, Krebs on Security chronicles an absolutely bonkers mix of cybercrime and corruption straight out of a pulp novel.  A California man, Adam Iza (aka “The Godfather”), is accused of not only dodging taxes on millions allegedly earned from cybercrime but also paying off local cops to help intimidate rivals. Iza, co-owner of the cryptocurrency platform Zort, reportedly spent investors’ money on luxury cars, jewelry, and even leg-lengthening surgery. I swear I am not making this up.

According to the FBI, Iza hired Los Angeles Sheriff’s Department officers to help him extort former business partners, some of whom were tied to the notorious hacker group UGNazi. One incident involved trying to steal a laptop full of cryptocurrency, while another involved kidnapping attempts. Iza allegedly paid these officers $280k a month for their “services,” like forcing rivals to hand over assets.

Iza’s scheme came to light after he stiffed a private investigator, triggering a cascade of lawsuits and criminal investigations. His girlfriend, also allegedly involved, is now dating the star of reality TV show Love Island. This tale has everything—crypto, hackers, corrupt cops, and reality show romance!  With corrupt deputies, stolen millions, and custom legs, this saga truly stretches the limits of what we thought possible in cybercrime. (Krebs on Security)

Critical NVIDIA flaw affects AI applications 

Researchers at Wiz have disclosed a critical vulnerability (CVE-2024-0132) affecting NVIDIA Container Toolkit and GPU Operator. The flaw affects any AI application that uses the toolkit to enable GPU support. NVIDIA issued a patch on September 26th.

Wiz stated, “The vulnerability enables attackers who control a container image executed by the vulnerable toolkit to escape from that container and gain full access to the underlying host system, posing a serious risk to sensitive data and infrastructure.” The researchers add, “The urgency with which you should fix the vulnerability depends on the architecture of your environment and the level of trust you place in running images. Any environment that allows the use of third party container images or AI models – either internally or as-a-service – is at higher risk given that this vulnerability can be exploited via a malicious image.” (Wiz, Nvidia)

North Korean hackers breach German missile manufacturer

North Korean hackers linked to the Kimsuky APT group successfully targeted Diehl Defence, a German missile manufacturer, by using spear-phishing emails with fake job offers. The attack involved booby-trapped PDF files and advanced social engineering tactics designed to steal login credentials. The breach marks major concerns due to the sensitive nature of the manufacturer’s work on air defense systems, including a recent contract with South Korea. (Security Week)

State CISO’s struggle with budget constraints 

As per the story above, it seems a local community is being hit by a cyberattack every week, and new research shows why that might be. According to a new report from Deloitte and the National Association of Chief Information Officers (NASCIO), nearly 40% of U.S. state CISOs believe their cybersecurity budgets fall short of what they need to keep their citizens safe. In fact, more than a third stated they do not have a dedicated cybersecurity budget. The majority of CISOs surveyed said third-party breaches were the biggest threat they currently face, followed by AI-enabled attacks and foreign state-sponsored espionage. (InfoSecurity Magazine)

In today’s digital world, cyber threats are growing fast, and both skilled state-backed hackers and less sophisticated attackers are going after critical systems around the globe. From Russia’s Gamaredon group stepping up its cyber spying against Ukraine, to new vulnerabilities that allow hackers to remotely control everyday systems like Kia vehicles, the risks are more diverse and widespread than ever.

Recent events underline the need for taking proactive steps, whether it’s securing critical infrastructure like Kansas’ water systems or tackling malware that can get around two-factor authentication (2FA). With cyber campaigns like Salt Typhoon targeting U.S. broadband providers, and the CrowdStrike outage catching attention, organizations need to stay on their toes and keep up with the changing threat landscape.

As the risks grow, it’s a good time for businesses and governments to rethink their defenses and stay ahead of these evolving threats.

Russia’s Gamaredon remains highly active against Ukraine

ESET has published a report on the toolset used by the Russian threat actor Gamaredon to target Ukraine over the past two years. The researchers note that Gamaredon “is currently the most engaged APT group in Ukraine,” primarily conducting cyberespionage against Ukrainian government entities. The Security Service of Ukraine has attributed the threat actor to the FSB’s 18th Center of Information Security, based in Crimea.

ESET states, “In general, we can categorize Gamaredon’s toolset into downloaders, droppers, weaponizers, stealers, backdoors, and ad hoc tools. The group uses a combination of general-purpose and dedicated downloaders to deliver payloads. Droppers are used to deliver various VBScript payloads; weaponizers alter properties of existing files or create new files on connected USB drives, and stealers exfiltrate specific files from the file system. Additionally, backdoors serve as remote shells, and ad hoc tools perform specific functions, like a reverse SOCKS proxy or payload delivery using the legitimate command line program rclone.” (ESET)

Web vulnerability exposed Kia vehicles to hacks

A group of researchers today disclosed a vulnerability in a Kia web portal that could give an attacker remote control over vehicle functions using only a license plate number, WIRED reports. The attacker could exploit the flaw to reassign themselves as an owner of a vehicle, allowing them to unlock the car, start its ignition, or passively track its location. The researchers note, “These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.” WIRED says Kia appears to have patched the flaw. (Sam Curry, Wired)

NIST drops password complexity, mandatory reset rules

In the second public draft version of its password guidelines, the National Institute of Standards and Technology is making two changes. The first is that credential service providers stop requiring that users set passwords that use specific types or characters, and the second is to stop mandating periodic password changes (commonly every 60 or 90 days). This first suggestion actually paves the way for longer passwords of between 15 and 64 characters and that they include ASCII and Unicode characters. The second supports the idea that password resets should only occur in the case of a credential breach. Making people change passwords frequently was resulting in people choosing weaker passwords. (Dark Reading)

CISA speaks out regarding Kansas water incident

Following up on a story we covered on Wednesday regarding the cybersecurity issue at the water treatment facility in Arkansas City, Kansas, CISA released a new advisory yesterday, Thursday, as a reminder that “exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.” The agency urged operators to apply its previously released recommendations to defend their systems. (The Record)

Hackers claim a Chrome 2FA feature bypass takes less than ten minutes

Google introduced application-bound encryption in Chrome 127 for Windows to prevent cookie-stealing hackers from bypassing two-factor authentication (2FA) using infostealer malware. This security feature ties encrypted data to app identity, making it harder for hackers to access sensitive information. However, multiple infostealer malware developers, including those behind Lumma, Vidar, and Rhadamanthys, claim to have quickly bypassed this new protection. Reports from Bleeping Computer confirm that these malware updates can break Chrome’s cookie encryption, effectively rendering 2FA protections useless. Once attackers steal session cookies, they can bypass authentication and gain full access to users’ accounts and sensitive data. (Forbes)

CrowdStrike VP testifies before Congress

Adam Meyers, vice president for counter-adversary operations at CrowdStrike, appeared before a US congressional committee yesterday to address questions about the global outage caused by a faulty CrowdStrike update in July, Infosecurity Magazine reports. The outage was due to a mismatch between input parameters and the rules engine in CrowdStrike’s Falcon sensors, triggering “blue screen of death” errors on all Windows machines that installed the update. Meyers stated, “On July 19, 2024, new threat detection configurations were validated through regular validation procedures and sent to sensors running on Microsoft Windows devices. However, the configurations were not understood by the Falcon sensor’s rules engine, leading affected sensors to malfunction until the problematic configurations were replaced.” Meyers apologized for the disruption and outlined measures taken to prevent future incidents, including enhanced validation and testing processes, phased rollouts of updates, and added runtime safeguards. (Infosecurity Magazine)

Salt Typhoon strikes US ISPs

The Wall Street Journal’s sources say US investigators discovered a cyberattack campaign from a Chinese-linked threat actor dubbed Salt Typhoon. This campaign sought to establish footholds in several US-based cable and broadband providers. It’s unclear if the goal was simply reconnaissance or a potential staging for further cyberattacks. It’s been a busy year for China-linked threat groups operating under a “Typhoon” epithet. In January, the US disrupted operations by Volt Typhoon against critical infrastructure, and just last week, a Flax Typhoon botnet was disrupted. US officials frequently warn that due to the depth and frequency of China-linked cyberattacks, these campaigns likely represent the “tip of the iceberg.” (WSJ)

“Unsophisticated methods” used against industrial systems

Not all cyberattacks need the advanced capabilities of nation-states behind them. CISA warned that threat actors continue to target critical infrastructure OT and ICS devices with “unsophisticated” methods. This includes using default credentials or brute force attacks. The agency said it “continues to respond to active exploitation of internet-accessible” devices, particularly citing the Water and Wastewater Systems Sector being hit by pro-Russian hacktivists since 2022. CISA issued an advisory back in May on securing against these basic attacks, recommending changing default passwords, enabling MFA, applying security updates, and putting human-machine interfaces behind firewalls. (Bleeping Computer)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Recent cybersecurity updates include the National Vulnerability Database (NVD) struggling with a critical backlog, which hampers its effectiveness in vulnerability analysis. SonicWall is dealing with a significant access control vulnerability (CVE-2024-40766) in SonicOS, currently exploited in the wild. Avis has disclosed a breach affecting nearly 300,000 customers. On a positive note, Google Cloud has introduced new air-gapped backup vaults to boost ransomware protection, and MasterCard is set to acquire Recorded Future for $2.65 billion.

Read these stories and more in today’s Cyber News Roundup.

The Fall of the National Vulnerability Database

The National Vulnerability Database (NVD) has experienced a significant slowdown, leaving thousands of vulnerabilities without analysis, which is critical for identifying risks. This has raised concerns in the cybersecurity community, especially as many organizations and government contractors rely on NVD for vulnerability management. The issues stem from a backlog, underfunding, and challenges in handling the increasing volume of CVEs. While alternatives like Open Source Vulnerabilities (OSV) exist, NVD remains essential for many, especially under federal requirements​. (Darkreading)

SonicWall vulnerability exploited in the wild

A recently patched access control vulnerability (CVE-2024-40766) affecting SonicWall’s SonicOS is being exploited in the wild, BleepingComputer reports. The vulnerability affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions. SonicWall urges customers to apply the patch as soon as possible. The company adds, “SonicWall strongly advises that customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts immediately update their passwords to enhance security and prevent unauthorized access. Users can change their passwords if the ‘User must change password’ option is enabled on their account. Administrators must manually enable the ‘User must change password’ option for each local account to ensure this critical security measure is enforced.” (Bleepingcomputer)

Car rental company Avis discloses data breach

According to notification letters sent to customers on Wednesday and filed with California’s Office of the Attorney General, the breach, which was discovered last Thursday, saw the unknown threat actor having access to its business applications from August 3 until August 6, resulting in the theft of “some customers’ personal information, including their names and other undisclosed sensitive data.” This is a developing story. (BleepingComputer)

Wisconsin Medicare users had information leaked in MOVEit breach

More fallout from the MOVEIt breach of last year: “the Centers for Medicare & Medicaid Services (CMS), which is a federal agency that manages the Medicare program, as well as the Wisconsin Physicians Service Insurance Corporation (WPS) said on Friday that they have begun notifying people whose personal information leaked after hackers exploited a vulnerability in the MOVEit software.” The discovery follows a second investigation into the breach conducted by WPS in May, after receiving “new information” about the breach. (The Record)

1.7 million impacted in payment processing breach

In an ironic twist, payment gateway provider Slim CD says they’ve swiftly initiated an investigation into a breach affecting around 1.7 million individuals. While the company claims to be moving quickly to address the issue, the breach actually occurred in August 2023 but went undetected until almost a year later in June 2024. Information exposed in the attack includes names, physical addresses, credit card numbers, and payment card expiration dates. Despite the impact, Slim CD has not offered any free identity theft protection services to those affected, instead advising individuals to stay vigilant and order a free credit report. (Bleeping Computer), (The Register)

Avis breach impacts almost 300,000 customers

An update to a story we first brought to you on Monday: Car rental company Avis is now reporting that a breach discovered last week has impacted over 299,000 of its customers, which, according to Bleeping Computer, is less than 1% of the company’s customer base. The threat actor was able to access business applications last month and stole personal information, including names and other undisclosed data. (Bleeping Computer)

New RaaS operation is recruiting criminal affiliates

Palo Alto Networks’ Unit 42 has published a report on Repellent Scorpius, a ransomware-as-a-service operation that surfaced in May 2024. The group distributes the Cicada3301 ransomware and conducts double-extortion attacks by exfiltrating data before deploying the ransomware. The researchers state, “Unit 42 has evidence to suggest that the Repellent Scorpius operators have developed a RaaS affiliate program. It operates a control panel for affiliates and ransom payment pages for victims, and actively recruits initial access brokers (IAB) and network intruders on Russian-language cybercrime forums.” (PalloAlto)

Earth Preta deploys new malware in the Asia-Pacific

Trend Micro is tracking new variants of malware used by the China-aligned threat actor Earth Preta (also known as “Mustang Panda”). The threat actor is using spearphishing emails and removable drives to deploy malware against government entities in the Asia-Pacific region. Trend Micro states, “Earth Preta employed a variant of the worm HIUPAN to propagate PUBLOAD into their targets’ networks via removable drives. PUBLOAD was used as the main control tool for most of the campaign and to perform various tasks, including the execution of tools such as RAR for collection and curl for data exfiltration. PUBLOAD was also used to introduce supplemental tools into the targets’ environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option.” (Trendmicro)

Slim CD notifies 1.7M customers of data breach

Electronic payment firm, ESlim CD, has notified nearly 1.7 million credit card holders that their data may have been stolen after an attacker accessed their systems between August 17, 2023, and June 15, 2024. A third party investigation uncovered the incident on June 15. Slim CD said it reviewed its data privacy and security policies and implemented additional safeguards following the incident. KnowBe4 awareness advocate, James McQuiggan said, “When organizations realize that cybercriminals are inside their network for long periods, there is a gap with continuous security monitoring. Accompanied by a robust Security Incident Management (SIEM) system integrated with threat intelligence, the breach could have been detected sooner.” (SC Media)

Google Cloud introduces air-gapped backup vaults

Google Cloud has introduced air-gapped backup vaults as part of its enhanced Backup and Disaster Recovery (DR) service, now available in preview. These vaults provide robust protection against ransomware and unauthorized data manipulation by creating immutable and indelible backups, preventing modification or deletion until a set retention period elapses. Isolated from the customer’s Google Cloud project, these air-gapped vaults reduce the risk of direct attacks on backups. (Cyber Security News)

Lazarus Group’s VM Connect campaign spoofs CapitalOne

New research from Reversing Labs shows that the Lazarus Group is continuing its campaign of tempting targeting developers with malicious software packages on open-source repositories by posing as employees of the financial services firm Capital One. Again seeking to lure developers into downloading the malware by directing them to a GitHub repository containing a “homework task.” This is similar, but different from a story we reported on last week in which the Lazarus Group was seen doing the same thing through LinkedIn using CovertCatch. In this case Reversing Labs researchers says it is connected to a 2023 VMConnect campaign focused on Python modules. They added, “It is clearly intended to create a sense of urgency for the would-be job seeker, thus making it more likely that they would execute the package without performing any type of security or even source code review first.” (InfoSecurity Magazine)

Mastercard buys Recorded Future

Financial payment company MasterCard announced yesterday that it will acquire the threat intelligence company Recorded Future for $2.65 billion, adding to its current portfolio of security products, which include risk assessments and transaction protection. In its press release, MasterCard noted that “Recorded Future is a well-known intelligence firm that boasts more than 1,900 clients internationally, including 45 governments and over half of Fortune 500 companies.” The firm will remain an independent subsidiary, and the deal is expected to close in the first quarter of 2025. (Cyberscoop)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

In today’s rapidly evolving cybersecurity landscape, organizations are confronted with increasing challenges to stay ahead of emerging vulnerabilities, including critical issues such as the OpenSSH vulnerability (CVE-2024-6387). In response to these urgent threats, RedSeal unveiled its latest release, designed to empower customers with advanced tools for enhancing network integrity and safeguarding sensitive data.

The newly launched update not only addresses immediate security concerns but also introduces significant improvements in usability through a redesigned interface and streamlined administration features. With these enhancements, RedSeal ensures that users can navigate the complexities of modern cyber threats with greater confidence and efficiency.

What’s New?

RedSeal Version 10.1.3 is here.

Released on July 29, 2024, Version 10.1.3 of the RedSeal platform tackled the OpenSSH vulnerability (CVE-2024-6387) head-on. This crucial update ensures that your network remains protected against the latest threats, reinforcing our commitment to improving your security posture.

But that’s not all! Earlier in the month, Version 10.1.2 made several modules available in a redesigned user interface (UI) aimed at improving your overall experience:

1. Comprehensive inventory management

Staying informed about your network’s assets is crucial for effective management and security. Our enhanced UI provides a detailed summary of devices, subnets, and hosts, including any new additions. This means you can keep up with changes and ensure that your network inventory is always complete.

2. Advanced network investigation

Understanding the reachability of every asset helps you grasp the full impact of potential threats. With our advanced analysis tools in the enhanced UI, you can visualize the blast radius and perform hop-by-hop analyses with greater ease. This deeper insight allows you to better manage risk and make more informed decisions about how to improve your network’s security.

3. Simplified model administration

Managing your network model efficiently is key to maintaining accurate and up-to-date information. Our streamlined model administration tools in the new UI make it easier to collect data, complete your inventory, and refine your network model, saving you time and reducing complexity.

4. Sophisticated vulnerability management

To help you assess and manage risks more efficiently, the new UI for vulnerability management enables several additional views for prioritization that incorporate insights based on a Zero Trust approach to threats.

We’re committed to continually improving your RedSeal experience and ensuring that you have the tools you need to keep your network secure and resilient. Thank you for being part of our community—your feedback and engagement fuel our innovation!

For more information about RedSeal’s network exposure analytics solutions or to stay informed, please visit redseal.net or reach out to us at hello@redseal.net.

SonicWall warns of critical access control flaw

SonicWall released a bulletin detailing the vulnerability that impacts SonicOS’s use on its Gen 5, Gen 6, and some Gen 7 firewalls. The vulnerability doesn’t require authentication or user interaction, allowing an attacker to gain access to the device or cause a system crash. SonicWall released a security update and said those unable to install it immediately should disable WAN management access from the internet. While the company didn’t disclose any active exploitation, CISA previously warned about active exploitation of SonicWall vulnerabilities by advanced threat actors. (Bleeping Computer)

FBI taken to task on electronic media security

A recent audit by the Department of Justice’s Office of the Inspector General found three “significant weaknesses” in policies and procedures used by the FBI for managing and disposing of electronic media containing sensitive information. These included not adequately tracking media removed from laptops, failing to consistently label media with classification levels like Top Secret, and inadequate internal access controls with media awaiting destruction. This included pallets of exposed devices sitting unsecured in waste storage facilities. The FBI issued a new directive to address the issues. (Bleeping Computer)

Seattle-Tacoma International Airport hit by cyberattack

The airport confirmed the incident caused an IT systems outage, resulting in delayed flights and issues with its reservation system over the weekend. The Port of Seattle first noticed the problem on August 24th. No group has taken credit for the attack, yet. While IT systems were down, the airport used X to communicate with travelers, recommending using airline websites to check travel information. As of this recording, its website remains down. The FBI confirmed to The Seattle Times that it is working with partners to investigate. (Bleeping Computer)

Volt Typhoon suspected of exploiting Versa bug

Researchers at Lumen Technologies’ Black Lotus Labs discovered an actively exploited zero-day flaw (CVE-2024-39717) affecting the SD-WAN management platform Versa Director. Versa has issued a patch for the vulnerability, and users are urged to upgrade to version 22.1.4 or later. The flaw allows threat actors to execute code by uploading Java files disguised as PNG images.

The researchers found a custom-made web shell designed to exploit the vulnerability, which they attribute to the Chinese threat actor Volt Typhoon. Lumen states, “Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024. The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell.” (Black Lotus, The Register and Ars Technica)

Texas credit union user data exposed in another MOVEit breach

Just when we thought MOVEit breaches had faded from the headlines, a new one has surfaced, this time involving the Texas Dow Employees Credit Union (TDECU). The credit union revealed that over 500,000 members had their personal info compromised, including names, dates of birth, social security numbers, bank account and credit card numbers, as well as driver’s license and taxpayer IDs. The breach occurred over a year ago but was just discovered in July 2024. This raises significant concerns about the credit union’s security measures and the extended exposure of sensitive information. TDECU confirmed the breach was isolated to files transferred via MOVEit and that its internal network security remained intact. (Infosecurity Magazine)

PoC exploit for zero-click vulnerability now available to the masses

A security researcher named “Ynwarcs” has published proof-of-concept exploit code for a critical zero-click remote code execution vulnerability in Windows TCP/IP (CVE-2024-38063). The vulnerability affects all Windows 10, Windows 11, and Windows Server systems that have IPv6 enabled and requires no user interaction. The researcher released a PoC exploit code for the flaw on GitHub. Microsoft said affected orgs should apply the latest security updates and monitor for unusual IPv6 packet activity. (Dark Reading)

Woman uses AirTag to catch thieves stealing her mail

A California woman was tired of having mail stolen from her P.O. box so she took matters into her own hands by mailing herself an AirTag. Santa Barbara County police responded to a report of mail theft the morning of August 19 and were able to track down the AirTag and the suspects in Santa Maria, California. Deputies found the woman’s mail, including the package containing the AirTag, in addition to other items that may have been stolen from more than a dozen victims. Deputies arrested Virginia Franchessca Lara, 27, and Donald Ashton Terry, 37, who were booked on several felonies including possession of fictitious checks, identity theft, credit card theft, and conspiracy. (NPR)

Iran targeting presidential administration officials

CNN reports that a threat group believed to be working at the behest of Iran’s Islamic Revolutionary Guard Corps has targeted officials in both the former Trump and Biden administrations with phishing emails since at least 2022. This included former national security advisor John Bolton and an unnamed ex-diplomat with the Biden administration. Earlier this month the FBI announced It concluded that Iranian-linked attackers successfully attacked the Trump campaign and targeted the Harris campaign with similar tactics. Despite this, U.S. Cyber Command and NSA chief Gen. Timothy Haugh said that the US is “in a really good position” to respond to hacking attempts around the election compared to 2016. He also said he expected to see an increase in hacking activity ahead of the election. (CNN, The Record)

More Telegram arrest warrants in France

According to documents seen by Politico, French authorities also issued an arrest warrant for Telegram co-founder Nikolai Durov back in March, brother of CEO Pavel Durov. The document also showed authorities issued the warrants after Telegram gave “no answer” to judicial requests to identify a Telegram user suspected in a child sex abuse case. This lack of response seems par for the course. The U.S.-based National Center for Missing & Exploited Children, the Canadian Centre for Child Protection, and the U.K.-based Internet Watch Foundation all told NBC News that outreach to Telegram about CSAM issues largely goes ignored.

Additionally, French prosecutors announced they released Pavel Durov from police custody after a 96-hour window for questioning. They plan to have him brought to court for a possible indictment shortly. (Politico, NBC News, AP News)

Hitachi Energy urges SCADA upgrade

In a new security advisory, Hitachi Energy warned customers to update its MicroSCADA X SYS600 power monitoring systems to version 10.6 to mitigate several severe vulnerabilities. The two most critical vulnerabilities allow for an SQL injection attack due to an improper user query validation, and the other is an argument injection where attackers coil modify system files or applications on the systems. Hitachi Energy said it saw no signs of exploitation and discovered the flaws internally. Hitachi says over 10,000 substations use its MicroSCADA X systems, including critical infrastructure sites like airports, hospitals, railways, and data centers. (Dark Reading)

Mirai botnet variant exploits zero-day in CCTV cameras

Akamai says the Corona Mirai botnet variant is exploiting a zero-day remote code execution vulnerability affecting the brightness function of old CCTV cameras made by AVTECH, the Record reports. The affected camera models have been discontinued for several years, but they’re still widely used in critical infrastructure sectors. CISA issued an advisory on the vulnerability earlier this month, noting that organizations should take the following steps to mitigate the impact:

“Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

“Locate control system networks and remote devices behind firewalls and isolating them from business networks.

“When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.” (Akama,  The Record, CISA)

Telegram CEO Pavel Durov charged in France

Telegram CEO Pavel Durov has been charged in France with several counts related to criminal activity on Telegram and the company’s alleged unwillingness to cooperate with law enforcement, the Associated Press reports. According to the BBC, the charges include “complicity in the administration of an online platform to enable illicit transactions by an organized gang” and “complicity in organised criminal distribution of sexual images of children.” Durov has been released on a €5 million bail but is barred from leaving France. Slate notes that Durov’s arrest has been criticized by free-speech and privacy advocates, particularly concerning the two counts related to “cryptology services” which could “imply that France sees the use of internationally based, unregulated ‘encryption’ services as a crime all its own.” (AP)

DICK’S Sporting Goods suffers cyberattack

The largest chain of sporting goods retail stores in the U.S. has now confirmed that confidential information was exposed in a cyberattack that was detected Wednesday, August 21. An anonymous source quoted by BleepingComputer said that email systems had been shut down, and all employees had been locked out of their accounts. IT staff is now manually validating employees’ identities on camera before they can regain access to internal systems. Phone lines at local stores are also down due to the incident. (BleepingComputer)

Hacking Microsoft Copilot Is “scary easy”

One of the more intriguing presentations at Black Hat this month was from security researcher Michael Bargury, a former senior security architect in Microsoft’s Azure Security CTO office and now co-founder and chief technology officer of Zenity. He demonstrated how attackers can use Copilot to search for data, exfiltrate it without producing logs, and socially engineer victims to phishing sites even if they don’t open emails or click on links. Much of this has to do with modifying the behavior of bots, which Microsoft refers to as “copilots,” through prompt injection. Based on Copilot’s visibility deep into the enterprise, including emails, messaging applications, and much more, it is an attractive target for malicious actors, he said. A detailed description of his findings is available at DarkReading. The link is available in the show notes to this episode. (Dark Reading)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts