What's going on in the cyber world today?
APT-C-60, Kingsoft, WPS Office, SpyGlace Backdoor, PoorTry, Windows, EDR Disabler, Wiper, APT33, Tickler, Malware, US, Government, Defense, CISA, Google, Chromium, Known Exploited Vulnerability, Dell, BIOS, Arbitrary Code, Dick's Sporting Goods, Breach, IT Systems, Ireland, Fota Wildlife Park, Financial Information, England, Canvey Infant Primary School, Spanish Retailer, Alcampo, South Africa, OneDayOnly, KillSec, Ransomware, CrowdStrike, $60M, Sales Impact, Tech Meltdown, US, Reward, Angler, Exploit Kit, AppOmni, SaaS, Breaches, OpenAI, $100 Billion, Valuation, Wall Street Journal, Ransomware Attacks, US Schools, 6.7 Million Records, Comparitech
Cyber Alerts
APT-C-60, a cyber espionage group aligned with South Korea, has been exploiting a critical zero-day vulnerability in Kingsoft WPS Office to deploy a custom backdoor named SpyGlace. The flaw, identified as CVE-2024-7262, allows remote code execution by manipulating file paths within the WPS Office plugin component, promecefpluginhost.exe. APT-C-60 weaponized this vulnerability by embedding a malicious hyperlink in a seemingly harmless spreadsheet document, deceiving users into triggering a multi-stage infection that ultimately installs SpyGlace.
The APT33 hacking group, also known as Peach Sandstorm, has recently utilized a new malware strain called Tickler to infiltrate networks within the US government and defense sectors, as well as those in the United Arab Emirates. Operating on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC), APT33 exploited compromised Microsoft Azure subscriptions to conduct a sophisticated intelligence collection campaign from April to July 2024. Their attacks involved password spray techniques to gain access to numerous accounts, which were then used to establish command-and-control infrastructure.
The PoorTry Windows driver, originally developed as a kernel-mode tool to disable Endpoint Detection and Response (EDR) solutions, has now evolved into a full-fledged EDR wiper. This advanced version of PoorTry not only deactivates but also deletes critical files essential for security software, making recovery and restoration significantly more challenging. First noted by Trend Micro in May 2023, this evolution has been confirmed in recent attacks, such as a July 2024 RansomHub incident.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Google Chromium’s V8 JavaScript engine, identified as CVE-2024-38856, to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, with a CVSS score of 8.8, is categorized as an inappropriate implementation issue that could be exploited by attackers. Google has released a security update to address this and another zero-day vulnerability, CVE-2024-7965, which is actively being exploited.
A critical vulnerability in Dell Client Platform BIOS, identified as CVE-2024-39584, has been disclosed, posing a severe security risk. This flaw, classified as a “Use of Default Cryptographic Key” vulnerability with a CVSS base score of 8.2, allows high-privileged attackers with local access to bypass Secure Boot and execute arbitrary code, potentially leading to complete system compromise. Dell has released updates for affected Alienware models and other systems to address the issue, urging users to apply these updates immediately.
Cyber Incidents
Dick's Sporting Goods has disclosed a cyberattack that compromised its IT systems, according to an SEC Form 8-K filing dated August 21, 2024. The breach involved unauthorized access by an unnamed third party to the company's information systems, although specific details about the targeted data remain unclear. Despite the intrusion, the company reported no disruption to its business operations.
Fota Wildlife Park in Ireland has urgently advised its customers to cancel their bank cards following a significant cyber attack on its website. The breach, affecting transactions and user accounts between May 12 and August 27, 2024, has raised concerns over the potential compromise of financial and personal information, including usernames, passwords, and email addresses. The park has engaged forensic cybersecurity experts, notified the Data Protection Commission, and is cooperating with An Garda Síochána.
Canvey Infant School in Canvey Island, England, has been forced to delay its reopening after a severe cyber-attack disrupted its IT systems. The breach has prevented teachers from accessing critical resources, leading to an extra day off for students as the school works to restore its services. Despite implementing precautionary security measures, the school remains affected, and Essex County Council is providing support.
Spanish retailer Alcampo has swiftly addressed the impact of a cyber attack that occurred between August 25 and August 26, 2024. Upon detecting the breach, the company engaged data protection experts to implement necessary technical, legal, and organizational measures. This proactive response included the activation of a contingency system to maintain normal operations, minimizing disruptions to store activities and supply chain processes.
South African e-commerce retailer OneDayOnly has fallen victim to a data breach by the hacking group Kill Security (KillSec). The breach, announced on KillSec's dark web site, involved the extraction of private contact information, account details, and payment methods from the retailer's cloud storage. KillSec is demanding a $100,000 ransom by September 3, 2024, threatening to release the stolen data if their demands are not met.
Cyber News
CrowdStrike Holdings has estimated a $60 million impact on its sales pipeline due to a major technology outage caused by a software update failure last month. The incident, which occurred on July 19, 2024, led to significant disruptions, including delays at airports, and prevented the company from closing expected deals during the final weeks of its fiscal Q2. Despite the setback, CrowdStrike remains optimistic about securing these contracts by January 2025, thanks to continued customer trust.
The U.S. Department of State and the Secret Service have announced a $2.5 million reward for information leading to the arrest and conviction of Belarusian national Volodymyr Kadariya. Kadariya, also known by aliases such as “Stalin” and “Eseb,” is sought for his involvement in the Angler Exploit Kit, a notorious malware distribution network. Active between October 2013 and March 2022, the Angler Exploit Kit used malvertising to exploit vulnerabilities in outdated software, spreading malware to victims worldwide.
A recent report by AppOmni reveals that nearly one-third (31%) of global organizations experienced data breaches in their SaaS applications last year. The study, which surveyed 644 enterprises across the US, UK, France, Germany, Japan, and Australia, highlights significant gaps in cloud security. Key issues include a lack of awareness about cybersecurity posture, insufficient accountability, and poor policy enforcement. Despite 90% of respondents claiming they have policies in place, a third admitted these are not strictly enforced.
OpenAI is reportedly in advanced discussions to secure a new funding round that could value the company at over $100 billion, significantly surpassing its previous valuation of $86 billion. Thrive Capital is expected to lead the investment with a $1 billion contribution, with additional participation from Microsoft and possibly other existing backers such as Khosla Ventures, Infosys, and Y Combinator. This funding round represents OpenAI's largest external capital infusion since Microsoft's nearly $10 billion investment in January 2023.
Ransomware attacks on U.S. schools and colleges have surged dramatically, with 491 incidents recorded since 2018, affecting over 8,000 institutions and exposing 6.7 million individual records. A recent report by Comparitech reveals that these attacks have led to an estimated $2.5 billion in downtime costs as educational facilities struggle to restore systems and recover data. The frequency of attacks reached a peak in 2023, with 121 incidents reported, and the average downtime per attack increased to 12.6 days. Ransom demands have varied widely, from $5,000 to $40 million, with an average payment of $169,000.
Copyright © 2024 CyberMaterial. All Rights Reserved.