Cyber News Roundup for July 5, 2024
1. Update on the TeamViewer network breach
The remote access software company now attributes Wednesday’s attack on its corporate networks to the Russian state-sponsored hacking group Midnight Blizzard, also known as Cozy Bear and APT29. The company clarifies that “TeamViewer’s internal corporate IT environment is completely independent from the product environment”. According to The Record, the hack was traced back to the credentials of a standard employee account within the company’s corporate IT environment. (BleepingComputer, The Record)
2. U.S. businesses struggle to obtain cyber insurance
At a hearing before the House Homeland Security Committee’s cyber-focused subcommittee, representatives from companies and associations described the difficulties they are experiencing in trying to obtain insurance against breaches: policies are hard to come by, and their terms are very difficult to understand, especially the exclusions and the definitions of breaches as “acts of war.” This has led to rising insurance premiums, which has prompted some clients to call for a “so-called backstop for the market in which the federal government would step in and guarantee large-scale insurance losses.” (Cyberscoop)
3. Microsoft expands scope of mail compromise warning
The hack of Microsoft’s internal email systems, which was revealed in January of this year, was initially described as having affected “a very small percentage of Microsoft corporate email accounts.” Now, however, Microsoft has started alerting organizations and individuals, specifically more than a dozen state agencies and public universities in Texas, that emails between themselves and Microsoft were accessed. This is according to reporting by Bloomberg. This hack is also being attributed to Midnight Blizzard. (Bloomberg, Yahoo News)
4. Hackers exploit critical D-Link DIR-859 router flaw to steal passwords
A critical vulnerability affecting all D-Link DIR-859 WiFi routers is currently being exploited by hackers “to collect account information from the device, including passwords.” The flaw has a CVE number and a 9.8 severity score. According to BleepingComputer, the D-Link DIR-859 WiFi router model reached end-of-life (EoL) and no longer receives any updates, but the vendor did still release a security advisory explaining that “the flaw exists in the ‘fatlady.php’ file of the device, affects all firmware versions, and allows attackers to leak session data, achieve privilege escalation, and gain full control via the admin panel.” (BleepingComputer)
5. 14 million Linux systems threatened by ‘RegreSSHion’ vulnerability
Researchers at Qualys have uncovered a critical vulnerability, “regreSSHion” (CVE-2024-6387), which some experts are comparing to the notorious Log4Shell in terms of potential severity. This flaw, with a CVSS score of 8.1, affects glibc-based Linux systems running sshd in its default configuration. Exploiting this vulnerability could allow attackers to completely take over systems, install malware, manipulate data, and create backdoors for persistent access. The vulnerability poses a severe threat, enabling unauthorized remote code execution with root privileges, leaving over 14 million servers potentially vulnerable. (Bleeping Computer), (Security Week), (Dark Reading)
Read about how RedSeal responds to the “regreSSHion” vulnerability and helps fortify your network security HERE.
6. Critical patch issued for Juniper routers
It’s going to be a perfect 10 on the CVSS scale for a critical vulnerability (CVE-2024-2973) impacting Juniper Networks routers. The company released patches outside of their usual schedule, indicating the severity of the flaw. According to Juniper, the issue affects all Session Smart routers and conductors running in high-availability redundant configurations. This vulnerability allows for a network-based attack to bypass authentication and take over the device. (Juniper), (Dark Reading), (The Register)
7. Chinese hackers exploit zero-day in Cisco Devices
State-backed Chinese hackers, known as Velvet Ant, exploited a newly identified zero-day vulnerability (CVE-2024-20399) in the Cisco NX-OS software used in Nexus-series switches. The discovery was made by Sygnia during a forensic investigation in which the hackers gained administrator-level access to deploy custom malware for remote control of compromised devices. Cisco has issued software updates to address the vulnerability; no workarounds are available. (Bleeping Computer), (The Record)
8. CDK Global gives update on restoration timeline
An update to a story we’ve been following for the last two weeks: CDK Global says all car dealerships using their platform will be back online by this Thursday, July 4th. The software-as-a-service provider’s platform, which is used by over 15,000 car dealerships around North America, experienced not one but two attacks last month, forcing the company to take all IT systems offline. According to Bleeping Computer, the BlackSuit ransomware gang was tied to this attack. (Bleeping Computer)
9. Chinese threat actor exploits Cisco zero-day
A China-aligned cyberespionage actor dubbed “Velvet Ant” exploited a zero-day vulnerability (CVE-2024-20399) affecting a wide range of Cisco Nexus devices, according to researchers at Sygnia. The flaw is a command injection vulnerability in the Cisco NX-OS Software CLI that can “allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.” Cisco has issued patches for the flaw. Sygnia says Velvet Ant’s “exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.” (Sygnia)
10. Google fixes 25 Android flaws, including critical privilege escalation bug
Google has released patches for 25 security vulnerabilities in the Android operating system, including a critical-severity flaw in the Framework component. The critical bug (tracked as CVE-2024-31320) impacts Android versions 12 and 12L and allows an attacker to escalate privileges on a vulnerable device. Fixes for that flaw and for seven other high-severity issues were released by Google on Monday. This coming Friday, Google plans to release updates that resolve an additional 17 vulnerabilities in Kernel, Arm, Imagination Technologies, MediaTek, and Qualcomm components. (SecurityWeek)
11. French authorities seize nearly $6M in illicit online platform takedown
In a coordinated international effort, French authorities have seized servers and proceeds worth millions belonging to the “Coco” chat website. Authorities said the site facilitated child pornography, other sexual exploitation, drug dealing and violent acts including homicides. The website is owned by a Bulgarian company and had over 850,000 users in France alone as of 2023. Child rights activists have been lobbying against the site they referred to as a “predators den” since 2013. The Coco site has been replaced with a seizure notice from the French national police. (The Cyber Express)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.