What's trending in cybersecurity today?
North Korea, MISTPEN Malware, Energy Sector, Aerospace, Windows, MiniFilter, Endpoint Detection and Response, APT31, Espionage Tools, Asia-Pacific, Governments, Google, Chrome Update, Security Flaws, VMware, vCenter Patch, Code Execution, FleetPanda, Breach, Petroleum Industry, Russia, Security Firm, Doctor Web, Medusa, Ransomware, Compass Group, Sensitive Information, Remote, Pager Cyberattack, Explosions, Lebanon, Construction Firms, Brute Force, Foundation Accounting, Servers, Pennsylvania, Breach Portal, AT&T, Settlement, FCC, Privacy Failures, UK, Data Regulator, Sky Betting, Cookie Practices, Instagram, Teen Accounts, Safety, Discord, End-to-End Encryption, Voice, Video Chats
Cyber Alerts
North Korean hackers, linked to the notorious Lazarus Group, have unveiled a new malware called MISTPEN, targeting high-level employees in the energy and aerospace industries. The cyber-espionage group, tracked as UNC2970, uses job-themed phishing attacks to infiltrate organizations in countries such as the U.S., U.K., Germany, and Singapore. Victims are lured through fake job offers containing malicious ZIP files that deploy the MISTPEN backdoor using a trojanized version of the Sumatra PDF reader.
A recent security finding reveals that the Windows MiniFilter driver can be exploited to bypass Endpoint Detection and Response (EDR) systems. Research by Eito Tamura from Tier Zero Security shows that attackers can manipulate MiniFilter driver Altitudes to prevent EDR drivers from loading, effectively blinding telemetry and impeding threat detection. This issue stems from the way MiniFilters manage their load order and Altitude values. Although Microsoft has implemented mitigations, such as terminating registry edits that attempt to manipulate Altitude values, some EDR solutions remain vulnerable.
The China-linked threat actor APT31, also known as Mustang Panda or Fireant, has recently introduced a range of new tools (PUBLOAD, FDMTP, and PTSOCKET) in its ongoing espionage operations targeting government entities in the Asia-Pacific region. These tools are delivered via HIUPAN worm variants to exfiltrate various file types, including .DOC, .DOCX, .XLS, .XLSX, .PDF, .PPT, and .PPTX, from compromised systems. The group employs sophisticated spear-phishing campaigns with .url attachments to deploy downloader tools like DOWNBAIT, which then install further malware such as PULLBAIT and CBROVER.
Google has released a significant update for Chrome, addressing nine critical security vulnerabilities in the latest version. The update, now available for Windows, Mac, and Linux users, focuses primarily on fixing flaws that could potentially be exploited by attackers. Among the issues resolved are high-severity vulnerabilities in the V8 JavaScript engine and other security-related problems in various browser components. This release not only enhances security but also includes performance improvements to provide a better user experience.
Broadcom has issued an urgent update to address a critical security flaw in VMware vCenter Server, identified as CVE-2024-38812. This vulnerability, with a high CVSS score of 9.8, is a heap overflow issue within the DCE/RPC protocol that could enable remote code execution by an attacker with network access. Similar to past vulnerabilities CVE-2024-37079 and CVE-2024-37080, which were fixed in June 2024, this flaw poses significant risks. Additionally, a privilege escalation vulnerability (CVE-2024-38813) has been patched.
Cyber Incidents
A recent data breach involving FleetPanda, a software provider for the petroleum and fuel industry, has exposed nearly one million documents. Discovered by cybersecurity researcher Jeremiah Fowler, the breach involved a non-password-protected database containing 780,000 records and 193 GB of sensitive data. The exposed documents included invoices, driver applications, and high-resolution images of driver's licenses, revealing personal information such as Social Security numbers and employment details.
On September 14, 2024, Russian antimalware firm Doctor Web, known for its Dr.Web products, was hit by a cyberattack that led the company to disconnect all its resources from its networks. The breach was detected and contained swiftly, preventing any impact on systems protected by Dr.Web. During the investigation, the company’s virus databases were temporarily suspended but have since been restored. While Doctor Web has not revealed the identity of the attackers, the incident highlights ongoing cybersecurity threats faced by security firms.
Sydney-based Compass Group has confirmed a significant ransomware attack by the Medusa gang, which has claimed to steal 785.5 gigabytes of sensitive data. The ransomware group has threatened to publish this data unless a $2 million ransom is paid, with an option to extend the deadline for an additional $100,000. Among the leaked documents are wage declarations, scans of international passports, and driver’s licenses.
On September 17, 2024, a devastating remote attack targeted Hezbollah's pagers in Lebanon, resulting in nine deaths and injuries to nearly 3,000 individuals. This unprecedented attack highlights the vulnerability of even seemingly outdated technology to sophisticated hacking techniques. The explosions, which occurred when a coded message activated explosives embedded in the pagers, suggest a concerning new trend in cyber warfare.
Construction companies are facing a surge in brute force attacks targeting exposed Foundation accounting servers, according to researchers from Huntress. The attacks, which were first identified on September 14, 2024, exploit weak or default passwords on Microsoft SQL Server accounts. Attackers are aggressively attempting to breach these servers by sending up to 35,000 password guesses in an hour. Once successful, they leverage SQL commands to extract sensitive system information.
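The Huntress finding above describes a pattern defenders can look for directly in SQL Server's own ERRORLOG: bursts of error 18456 (login failed) from one client address, often cycling through account names. The script below is an added example written for this digest, not code from Huntress or from the original report; it parses constructed sample lines in the shape of real failed-login entries (the addresses, timestamps and account names are made up) and applies a one-hour sliding window per client. The threshold of 5 is deliberately low for the demo; in production it would be set far higher, given the tens of thousands of guesses per hour described in the campaign.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt. Only the layout mirrors real SQL Server
# error 18456 entries; every address, time and user name here is invented.
SAMPLE_LOG = """\
2024-09-14 02:00:11.42 Logon       Error: 18456, Severity: 14, State: 8.
2024-09-14 02:00:11.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-09-14 02:10:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-09-14 02:10:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 02:10:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 02:10:03.51 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-09-14 02:11:14.09 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 02:12:40.77 Logon       Login failed for user 'foundation'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-09-14 02:14:05.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 05:30:59.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Matches only the "Login failed" message lines; the preceding "Error: 18456"
# summary lines carry no client address and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, client_ip, user) tuples for each failed login."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["client"], m["user"]))
    return events


def detect_bruteforce(events, window=timedelta(hours=1), threshold=5):
    """Sliding-window count of failures per client.

    Returns {client: (peak_failures_in_window, sorted list of user names tried)}
    for every client whose peak reached the threshold.
    """
    recent = defaultdict(deque)   # client -> timestamps inside the current window
    peak = defaultdict(int)       # client -> highest count seen in any window
    users = defaultdict(set)      # client -> account names attempted
    for ts, client, user in sorted(events):
        q = recent[client]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        users[client].add(user)
        peak[client] = max(peak[client], len(q))
    return {c: (peak[c], sorted(users[c])) for c in peak if peak[c] >= threshold}


if __name__ == "__main__":
    hits = detect_bruteforce(parse_failed_logins(SAMPLE_LOG))
    for client, (count, tried) in hits.items():
        print(f"{client}: {count} failed logins within one hour, users tried: {tried}")
```

The same two functions work on a real ERRORLOG (by default under the instance's `Log` directory) once the sample text is replaced with the file contents; the client at 198.51.100.7 is not reported because its two failures fall more than an hour apart, which is the case the window logic exists to handle.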
Cyber News
On September 18, 2024, Pennsylvania Attorney General Michelle Henry introduced a new online portal designed to streamline the reporting of data breaches affecting over 500 residents. This initiative, aligned with recent updates to the Breach of Personal Information Notification Act (BPINA), aims to simplify compliance for businesses by providing a clear, step-by-step process for reporting breaches. The portal also supports the new legal requirement for affected individuals to receive 12 months of credit monitoring and access to credit reports if the breach involves sensitive personal information.
AT&T has agreed to a $13 million settlement with the Federal Communications Commission (FCC) following an investigation into a significant data breach that occurred in January 2023. The breach, involving a vendor’s cloud environment, exposed data from approximately 9 million AT&T wireless accounts, including customer names, account numbers, phone numbers, and email addresses. While sensitive personal details like credit card information or Social Security numbers were not compromised, the FCC found that AT&T had inadequately monitored the vendor’s data handling practices.
Sky Betting and Gaming has been reprimanded by the UK Information Commissioner's Office (ICO) for unlawfully processing users' personal data via advertising cookies without prior consent between January and March 2023. The ICO found that Sky Betting's practices violated data protection laws by sharing users' information with advertising technology companies before users had the chance to reject cookies. Although no deliberate targeting of vulnerable individuals was proven, the breach raised significant concerns about transparency and consent.
Instagram has unveiled its new “Teen Accounts,” a significant upgrade designed to enhance the safety and privacy of younger users. Effective immediately, teens under 16 will be automatically enrolled in these accounts, which feature strict privacy settings and content controls. The new protections include limiting who can contact them, restricting content exposure, and implementing automatic filters to block offensive messages. Additionally, teens will receive reminders to manage their screen time and will be subjected to a “Sleep Mode” that limits app use during late hours.
Discord has announced the rollout of end-to-end encryption (E2EE) for audio and video calls on its platform, enhancing user privacy by ensuring that conversations remain confidential even from Discord itself. Starting September 17, 2024, this new feature will apply to direct messages, group DMs, voice channels, and Go Live streams. While private messages will not be encrypted, this move marks a significant step towards improved security on the popular group chat platform, which boasts 200 million monthly users.
Copyright © 2024 CyberMaterial. All Rights Reserved.