What are the latest cybersecurity alerts, incidents, and news?
SolarWinds, Access Rights Manager, Play Ransomware, Linux, VMware, ESXi, DUSTPAN, BEACON, Revolver Rabbit, Domain Generation Algorithm, HotPage, Microsoft Driver, Hijack Browsers, CrowdStrike, Windows Blue Screen, Global Disruption, Teledifusão de Macao, Phishing Attack, Waldstätterhof Hotel, Email Scams, Loire-Atlantique Department, France, Vernon Company, Third-Party Vendor, Operation Spincaster, Approval Scams, Crypto Wallets, R.R. Donnelley, Settlement, Bangladesh, Internet Shutdown, Protests, Communications Disruption, Ctera, Funding, PSG Equity, Hybrid Cloud Data, Okta, Startup Contest, Identity, Privacy, Security
Listen to the full podcast
Cyber Alerts
SolarWinds has addressed 11 security vulnerabilities in its Access Rights Manager (ARM) software, closing off paths to unauthorized access to sensitive data and execution of arbitrary code. Of these flaws, seven are rated Critical with a CVSS score of 9.6, and the other four are rated High with a CVSS score of 7.6. Notable vulnerabilities include CVE-2024-23472, a directory traversal flaw allowing file deletion and information disclosure, and CVE-2024-28074, an internal deserialization remote code execution vulnerability.
Trend Micro threat hunters have discovered a new Linux variant of the Play ransomware that specifically targets VMware ESXi environments. This marks the first time the Play ransomware group, known for its double-extortion tactics, has focused on ESXi servers, potentially expanding its victim pool. The ransomware verifies if it is running in an ESXi environment before executing its encryption routines, effectively evading many security measures. The new variant has been particularly active in the United States.
In a recent report, Mandiant, in collaboration with Google's Threat Analysis Group (TAG), has uncovered a persistent cyber espionage campaign by APT41 targeting global sectors including shipping, media, technology, and automotive. The campaign, which began in 2023, employed a sophisticated toolkit comprising ANTSWORD and BLUEBEAM web shells, the DUSTPAN dropper, and the BEACON backdoor for command-and-control. APT41's advanced tactics involved data exfiltration using SQLULDR2 and PINEGROVE, while deploying DUSTTRAP for minimal forensic footprints.
Cybersecurity researchers at Infoblox have uncovered the alarming use of Registered Domain Generation Algorithms (RDGAs) by the unidentified attacker known as “Revolver Rabbit.” This actor has registered an astonishing 500,000 domains using RDGA techniques, demonstrating a sophisticated method to evade detection and support various malicious activities. RDGAs allow for the programmatic creation and registration of numerous domains, significantly complicating traditional detection efforts.
Researchers have identified a new malware strain known as HotPage.exe, which disguises itself as a browser enhancement tool but instead hijacks web traffic and injects code into remote processes. Discovered at the end of 2023, HotPage.exe is particularly concerning due to its use of a Microsoft-signed driver from the obscure Chinese company Hubei Dunwang Network Technology Co., Ltd. This driver, which was removed from the Windows Server Catalog in May 2024, allowed the malware to manipulate browser content, redirect users to ad-filled sites, and collect data under the guise of improving internet security.
Cyber Incidents
A recent update to CrowdStrike’s Falcon sensor has caused widespread issues for Windows users, resulting in persistent blue screen of death (BSOD) errors with the message “DRIVER_OVERRAN_STACK_BUFFER.” This problem, which began on July 19, 2024, impacts both Windows 10 and 11 systems, rendering many devices, including critical servers, inoperable. CrowdStrike has acknowledged the issue and is working on a resolution, advising affected users to avoid opening individual support tickets at this time.
On July 18, 2024, Macao's public broadcaster, Teledifusão de Macao (TDM), fell victim to a cyberattack that disrupted its website and mobile applications. The attack, which involved an abnormal surge in traffic, was first detected by the Macau Post and Telecommunications Bureau (CTT). TDM was able to restore normal operations by 8:18 PM after implementing recommended cybersecurity protocols from CTT and the Macau Cybersecurity Incidents Alert and Response Centre (CARIC). This incident follows a similar attack on five Macao government websites the previous week, highlighting an alarming rise in cyber incidents in the region.
Guests at the Waldstätterhof Hotel in Brunnen SZ were recently targeted by a sophisticated phishing attack. Cybercriminals sent emails that appeared to come from the hotel's official address, using a personal greeting and professional photo to gain trust. The deceptive emails claimed to be a "verification of the payment method" and asked for credit card details, although the hotel only charges upon arrival. The hotel swiftly responded by alerting affected guests, clarifying that the emails were not from them, and reassuring that reservations remained valid.
On July 16, 2024, the Loire-Atlantique Department in France fell victim to a cyberattack, but officials have assured the public that no public services were affected. The attack, which targeted the departmental council network, did not disrupt essential services like the payment of Active Solidarity Income (RSA). In response, the department has issued a call for vigilance among its 5,000 employees, advising them to reset their passwords and enhance their cybersecurity practices.
The Vernon Company has notified individuals of a data exposure incident involving third-party vendor QAD Inc. On June 10, 2024, QAD informed Vernon Company that unauthorized access to their servers had compromised certain data. Following an investigation, it was confirmed that personal information, including names and credit card details, may have been affected. Vernon Company assures that their own systems were not compromised and is offering affected individuals twelve months of free credit monitoring through TransUnion.
Cyber News
Chainalysis has launched Operation Spincaster, a global initiative aimed at disrupting approval phishing scams that have cost victims over $2.7 billion since May 2021. This operation, which involves collaboration between public and private sectors across six countries, leverages advanced blockchain analytics to identify and track compromised wallets. With over 100 participants from 12 public sector agencies and 17 crypto exchanges, Operation Spincaster has already led to significant interventions, including seizing funds and preventing theft.
R.R. Donnelley & Sons Company (RRD) has reached a $2.1 million settlement with the U.S. Securities and Exchange Commission (SEC) over allegations of inadequate cybersecurity controls related to a major data breach in late 2021. The SEC’s enforcement action, announced on July 18, 2024, highlights failures in RRD’s handling of cybersecurity incidents, including insufficient reporting and internal controls. The breach, discovered in December 2021, compromised sensitive data from 29 clients, leading to significant scrutiny of RRD’s incident response practices.
In response to escalating student protests and violent clashes in Bangladesh, authorities have imposed a nationwide shutdown of mobile internet services, severely disrupting communications across the country. The unrest, which has resulted in at least six deaths and numerous injuries, stems from student demonstrations against a controversial quota system for government jobs. The junior telecommunications minister, Zunaid Ahmed Palak, justified the internet disruption as necessary to maintain public security and counteract the spread of misinformation.
Ctera, a leading hybrid cloud data management provider, has secured $80 million in primary and secondary funding from PSG Equity. This investment, announced on July 18, 2024, will support Ctera's expansion and enhance its AI-driven services. Founded in 2008, the New York-based company offers a global file system over public and private clouds, helping organizations manage and secure their unstructured data. The new funds will be used for business growth, AI integration, and buying out existing shareholders, reinforcing Ctera's commitment to advancing hybrid cloud storage solutions.
Okta has launched its first SaaS Startup Competition aimed at early-stage US companies. The competition evaluates business potential, innovation, and identity-enabled workflows, with finalists pitching at Oktane24 in Las Vegas. The winner may receive up to $500,000 and support from Okta's identity management experts and venture capitalists.
Copyright © 2024 CyberMaterial. All Rights Reserved.