Cyber News Roundup for August 30, 2024
SonicWall warns of critical access control flaw
SonicWall released a bulletin detailing the vulnerability that impacts SonicOS’s use on its Gen 5, Gen 6, and some Gen 7 firewalls. The vulnerability doesn’t require authentication or user interaction, allowing an attacker to gain access to the device or cause a system crash. SonicWall released a security update and said those unable to install it immediately should disable WAN management access from the internet. While the company didn’t disclose any active exploitation, CISA previously warned about active exploitation of SonicWall vulnerabilities by advanced threat actors. (Bleeping Computer)
FBI taken to task on electronic media security
A recent audit by the Department of Justice’s Office of the Inspector General found three “significant weaknesses” in the policies and procedures the FBI uses to manage and dispose of electronic media containing sensitive information. These included not adequately tracking media removed from laptops, failing to consistently label media with classification levels such as Top Secret, and inadequate internal access controls over media awaiting destruction, including pallets of exposed devices sitting unsecured in waste storage facilities. The FBI issued a new directive to address the issues. (Bleeping Computer)
Seattle-Tacoma International Airport hit by cyberattack
The airport confirmed the incident caused an IT systems outage, resulting in delayed flights and issues with its reservation system over the weekend. The Port of Seattle first noticed the problem on August 24th. No group has taken credit for the attack, yet. While IT systems were down, the airport used X to communicate with travelers, recommending using airline websites to check travel information. As of this recording, its website remains down. The FBI confirmed to The Seattle Times that it is working with partners to investigate. (Bleeping Computer)
Volt Typhoon suspected of exploiting Versa bug
Researchers at Lumen Technologies’ Black Lotus Labs discovered an actively exploited zero-day flaw (CVE-2024-39717) affecting the SD-WAN management platform Versa Director. Versa has issued a patch for the vulnerability, and users are urged to upgrade to version 22.1.4 or later. The flaw allows threat actors to execute code by uploading Java files disguised as PNG images.
The researchers found a custom-made web shell designed to exploit the vulnerability, which they attribute to the Chinese threat actor Volt Typhoon. Lumen states, “Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024. The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell.” (Black Lotus, The Register and Ars Technica)
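A defensive counterpart to the disguise described above, added here as an example that is not Versa’s code or Black Lotus Labs’ detection logic: an upload check that accepts a file only when its leading bytes match the declared extension, so a Java class, JAR, or JSP renamed to `.png` is rejected with a reason that can be logged. The signature table and the sample inputs are constructed for this example.

```python
"""Validate an uploaded file by its content, not by its declared extension."""

# Magic-byte signatures used by this example (constructed lookup table).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"         # PNG file signature
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # compiled Java .class file
ZIP_MAGIC = b"PK\x03\x04"                # ZIP container (JAR and WAR are ZIPs)
JSP_MARKERS = (b"<%@", b"<%", b"<jsp:")  # JSP source text usually opens this way


def sniff_type(data: bytes) -> str:
    """Return a content type derived from the bytes themselves."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JAVA_CLASS_MAGIC):
        return "java-class"
    if data.startswith(ZIP_MAGIC):
        return "zip-archive"
    head = data[:512].lstrip()           # tolerate leading whitespace in text
    if any(head.startswith(m) for m in JSP_MARKERS):
        return "jsp-source"
    return "unknown"                     # includes truncated or unrecognized headers


def check_upload(filename: str, data: bytes,
                 allowed_ext: tuple = ("png",)) -> tuple:
    """Accept the upload only if the extension is allowed AND the sniffed
    content type matches it. Returns (accepted, reason) so a rejection can
    be written to an audit log for detection."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in allowed_ext:
        return False, f"extension '.{ext}' not allowed"
    actual = sniff_type(data)
    if actual != ext:
        return False, f"extension '.{ext}' but content sniffed as '{actual}'"
    return True, "ok"
```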
Texas credit union user data exposed in another MOVEit breach
Just when we thought MOVEit breaches had faded from the headlines, a new one has surfaced, this time involving the Texas Dow Employees Credit Union (TDECU). The credit union revealed that over 500,000 members had their personal info compromised, including names, dates of birth, social security numbers, bank account and credit card numbers, as well as driver’s license and taxpayer IDs. The breach occurred over a year ago but was just discovered in July 2024. This raises significant concerns about the credit union’s security measures and the extended exposure of sensitive information. TDECU confirmed the breach was isolated to files transferred via MOVEit and that its internal network security remained intact. (Infosecurity Magazine)
PoC exploit for zero-click vulnerability now available to the masses
A security researcher named “Ynwarcs” has published proof-of-concept exploit code for a critical zero-click remote code execution vulnerability in Windows TCP/IP (CVE-2024-38063). The vulnerability affects all Windows 10, Windows 11, and Windows Server systems that have IPv6 enabled and requires no user interaction. The researcher released a PoC exploit code for the flaw on GitHub. Microsoft said affected orgs should apply the latest security updates and monitor for unusual IPv6 packet activity. (Dark Reading)
Woman uses AirTag to catch thieves stealing her mail
A California woman was tired of having mail stolen from her P.O. box so she took matters into her own hands by mailing herself an AirTag. Santa Barbara County police responded to a report of mail theft the morning of August 19 and were able to track down the AirTag and the suspects in Santa Maria, California. Deputies found the woman’s mail, including the package containing the AirTag, in addition to other items that may have been stolen from more than a dozen victims. Deputies arrested Virginia Franchessca Lara, 27, and Donald Ashton Terry, 37, who were booked on several felonies including possession of fictitious checks, identity theft, credit card theft, and conspiracy. (NPR)
Iran targeting presidential administration officials
CNN reports that a threat group believed to be working at the behest of Iran’s Islamic Revolutionary Guard Corps has targeted officials in both the former Trump and Biden administrations with phishing emails since at least 2022. This included former national security advisor John Bolton and an unnamed ex-diplomat with the Biden administration. Earlier this month the FBI announced it concluded that Iranian-linked attackers successfully attacked the Trump campaign and targeted the Harris campaign with similar tactics. Despite this, U.S. Cyber Command and NSA chief Gen. Timothy Haugh said that the US is “in a really good position” to respond to hacking attempts around the election compared to 2016. He also said he expected to see an increase in hacking activity ahead of the election. (CNN, The Record)
More Telegram arrest warrants in France
According to documents seen by Politico, French authorities also issued an arrest warrant back in March for Telegram co-founder Nikolai Durov, brother of CEO Pavel Durov. The documents also showed that authorities issued the warrants after Telegram gave “no answer” to judicial requests to identify a Telegram user suspected in a child sex abuse case. This lack of response seems par for the course. The U.S.-based National Center for Missing & Exploited Children, the Canadian Centre for Child Protection, and the U.K.-based Internet Watch Foundation all told NBC News that outreach to Telegram about CSAM issues largely goes ignored.
Additionally, French prosecutors announced they released Pavel Durov from police custody after a 96-hour window for questioning. They plan to have him brought to court for a possible indictment shortly. (Politico, NBC News, AP News)
Hitachi Energy urges SCADA upgrade
In a new security advisory, Hitachi Energy warned customers to update their MicroSCADA X SYS600 power monitoring systems to version 10.6 to mitigate several severe vulnerabilities. Of the two most critical, one allows SQL injection due to improper validation of user queries, and the other is an argument injection through which attackers could modify system files or applications on the systems. Hitachi Energy said it saw no signs of exploitation and discovered the flaws internally. Hitachi says over 10,000 substations use its MicroSCADA X systems, including critical infrastructure sites like airports, hospitals, railways, and data centers. (Dark Reading)
Mirai botnet variant exploits zero-day in CCTV cameras
Akamai says the Corona Mirai botnet variant is exploiting a zero-day remote code execution vulnerability affecting the brightness function of old CCTV cameras made by AVTECH, the Record reports. The affected camera models have been discontinued for several years, but they’re still widely used in critical infrastructure sectors. CISA issued an advisory on the vulnerability earlier this month, noting that organizations should take the following steps to mitigate the impact:
“Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
“Locate control system networks and remote devices behind firewalls and isolate them from business networks.
“When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.” (Akamai, The Record, CISA)
Telegram CEO Pavel Durov charged in France
Telegram CEO Pavel Durov has been charged in France with several counts related to criminal activity on Telegram and the company’s alleged unwillingness to cooperate with law enforcement, the Associated Press reports. According to the BBC, the charges include “complicity in the administration of an online platform to enable illicit transactions by an organized gang” and “complicity in organised criminal distribution of sexual images of children.” Durov has been released on €5 million bail but is barred from leaving France. Slate notes that Durov’s arrest has been criticized by free-speech and privacy advocates, particularly concerning the two counts related to “cryptology services,” which could “imply that France sees the use of internationally based, unregulated ‘encryption’ services as a crime all its own.” (AP)
DICK’S Sporting Goods suffers cyberattack
The largest chain of sporting goods retail stores in the U.S. has now confirmed that confidential information was exposed in a cyberattack that was detected Wednesday, August 21. An anonymous source quoted by BleepingComputer said that email systems had been shut down, and all employees had been locked out of their accounts. IT staff is now manually validating employees’ identities on camera before they can regain access to internal systems. Phone lines at local stores are also down due to the incident. (BleepingComputer)
Hacking Microsoft Copilot is “scary easy”
One of the more intriguing presentations at Black Hat this month was from security researcher Michael Bargury, a former senior security architect in Microsoft’s Azure Security CTO office and now co-founder and chief technology officer of Zenity. He demonstrated how attackers can use Copilot to search for data, exfiltrate it without producing logs, and socially engineer victims to phishing sites even if they don’t open emails or click on links. Much of this has to do with modifying the behavior of bots, which Microsoft refers to as “copilots,” through prompt injection. Based on Copilot’s visibility deep into the enterprise, including emails, messaging applications, and much more, it is an attractive target for malicious actors, he said. A detailed description of his findings is available at DarkReading. The link is available in the show notes to this episode. (Dark Reading)