What's trending in cybersecurity today?
Linux Vulnerability, Unprivileged Access, Microsoft Teams Phishing, DarkGate Malware, Zero-Days, Ivanti VPNs, Rust-Based KrustyLoader Attack, GitLab, Arbitrary File Writes, Hacktivists, Malaysian Telecom Aminia, ALPHV/BlackCat, Technica Corporation, NoName, Dutch High-Profile Sites, Fulton County, Georgia, USAID Colombia, US Legislators, Farm and Food Cybersecurity Act, Chinese Hacking, Brazilian Police, Grandoreiro Banking Trojan, Citibank, NY Lawsuit, Cyber Fraud Negligence, Alpha Ransomware.
Cyber Alerts
A newly disclosed local privilege escalation (LPE) vulnerability in the GNU C Library (glibc) allows unprivileged attackers to gain root access on default configurations of major Linux distributions. Tracked as CVE-2023-6246, the flaw is a heap-based buffer overflow in the widely used syslog and vsyslog functions. Debian, Ubuntu, and Fedora systems, among others, are confirmed to be vulnerable, meaning a local unprivileged user can escalate to full root. The discovery highlights the urgent need for robust security measures in core libraries employed across a wide range of systems and applications.
Cyber attackers exploit Teams to distribute DarkGate malware, targeting users with malicious attachments through over 1,000 group chat invites. Upon acceptance, victims unwittingly download malware, highlighting the need for vigilance and considering disabling external access in Teams. The surge in DarkGate attacks underscores the urgency of securing collaboration platforms amid escalating cyber threats.
A pair of zero-day vulnerabilities in Ivanti Connect Secure VPNs are actively exploited, enabling unauthenticated remote code execution and delivery of the KrustyLoader, subsequently deploying the Sliver adversary simulation tool. While patches are pending, Ivanti has provided a temporary mitigation through an XML file. The flaws, weaponized by a Chinese nation-state threat actor, highlight the ongoing challenges in securing VPN infrastructure, with broader exploitation observed, including the deployment of XMRig cryptocurrency miners and Rust-based malware.
GitLab has released patches for a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files during workspace creation. Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9. The issue affects various GitLab versions, and patches have been backported to address the bug. Alongside this critical fix, GitLab has also resolved four medium-severity flaws, including issues related to regular expression denial-of-service, HTML injection, and disclosure of a user’s public email address via the tags RSS feed. Users are advised to promptly upgrade their installations to the patched version to mitigate potential risks.
The Cybersecurity and Infrastructure Security Agency (CISA) has released eight advisories addressing security issues and vulnerabilities in various Industrial Control Systems (ICS) products. The advisories cover products from companies like Emerson, Mitsubishi Electric, Hitron Systems, and Rockwell Automation. CISA urges users and administrators to review the advisories for technical details and recommended mitigations, emphasizing the importance of staying informed about current security issues in ICS environments.
Cyber Incidents
The pro-Israeli hacktivist group R00TK1T ISC Cyber Team reportedly launched its first cyberattack on Malaysian entities, singling out the telecom company Aminia. The group claims to have compromised Aminia's billing and Managed WiFi services portals, suggesting a potential data breach. The attack follows explicit threats by the group to target Malaysian internet infrastructure, raising concerns about broader implications for the country. The severity is heightened by R00TK1T sharing screenshots that expose sensitive information, intensifying worries about the security landscape amid geopolitical tensions.
The ALPHV/BlackCat hacking group has allegedly breached Technica Corporation, boasting access to classified documents related to the FBI and US intelligence agencies. This cyberattack on Technica, known for its support to the Federal Government, raises serious concerns about potential national security implications. ALPHV/BlackCat’s motives remain uncertain, but their track record of bold moves, including a recent attack on BrightStar Care, suggests a pattern of targeting high-profile organizations.
The NoName group claims responsibility for a sophisticated cyberattack targeting major Dutch websites, including OV-chipkaart, the Municipality of Vlaardingen, and the Dutch Tax Office. The attack raises concerns due to the sensitive information held by these entities, especially OV-chipkaart, a vital contactless smart card system for public transportation. While details about the extent of the attack and data compromise are unclear, the situation underscores the persistent threat of cyberattacks on critical organizations and emphasizes the need for enhanced cybersecurity measures.
Georgia’s largest county, Fulton County, faces extensive IT disruptions following a cyberattack, impacting phone systems, court processes, and tax systems. With over 1 million residents, Fulton County, home to Atlanta, experiences outages in crucial technology platforms. While the investigation is in its early stages, the FBI is involved, and citizens are advised to contact Fulton County Customer Service via email during the system’s restoration, emphasizing the broader challenges faced by local institutions dealing with cyber threats.
The U.S. Agency for International Development’s Colombia office announced a Facebook page hack, urging the public to disregard any posts or links from the compromised account.
Cyber News
New bipartisan legislation directs the Secretary of Agriculture to assess and address cyber threats every two years, enhancing security and resilience in the agriculture and food critical infrastructure sectors. The bill mandates thorough studies on cyberattacks’ nature, impact on food safety, and readiness to prevent and respond. Additionally, annual cross-sector crisis simulation exercises aim to bolster preparedness, identify vulnerabilities, and improve coordination, ensuring a robust defense against potential cyber threats to the nation’s food supply chain.
The U.S. government initiated an operation to combat a widespread Chinese hacking campaign targeting thousands of internet-connected devices. The Justice Department and FBI obtained legal authorization to remotely disable aspects of the Chinese hacking operation, with a specific focus on the Volt Typhoon hacking group. The Biden administration's increased attention to hacking, driven by concerns about election disruption and the impact of ransomware on Corporate America in 2023, reflects efforts to safeguard critical infrastructure, including naval ports, internet service providers, and utilities, from cyber threats originating in China.
Brazilian law enforcement, with assistance from Slovak cybersecurity firm ESET, has arrested several operators responsible for the Grandoreiro banking trojan. The Federal Police of Brazil executed warrants and searches in multiple states, targeting individuals believed to be high up in the Grandoreiro operation hierarchy. ESET uncovered a design flaw in Grandoreiro’s network protocol, helping to identify victimology patterns. The banking trojan, active since 2017, targets countries like Spain, Mexico, Brazil, and Argentina, stealing data through keyloggers, screenshots, and siphoning bank login information.
New York Attorney General Letitia James has filed a lawsuit against Citibank, accusing the financial institution of failing to protect customers from cyber fraud and refusing to reimburse victims, leading to millions in losses. The lawsuit alleges a violation of the Electronic Fund Transfer Act, asserting that Citibank should compensate fraud victims using online and mobile banking, similar to protections for credit or debit card fraud victims. The investigation found shortcomings in Citibank's response to fraudulent activities, with failures to recognize red flags, prevent fund transfers, and promptly report incidents to law enforcement, causing significant financial harm to consumers.
A recently surfaced ransomware group named Alpha introduces its Dedicated/Data Leak Site (DLS) on the Dark Web, showcasing data from six victims. Despite its recent appearance, Alpha ransomware has been active since May 2023, with a lower infection rate and no active samples currently in the wild for analysis. The group’s DLS, titled “MYDATA,” is considered unstable, featuring a victim login prompt and various functionalities, indicating the group is still setting up operations.