What’s going on in the cyber world today?
China, Raptor Train, IoT, Botnet, AliGater, Malvertising, Windows, GitLab, SAML, Authentication Bypass, iPadOS 18, iPad Pro, Vanilla Tempest, Ransomware, US, Healthcare, Data Leak, Total Tools, Pump-and-Dump Scheme, X, Accounts, Ethena Labs, Frontend Hack, Fireworks Software, Breach, American Theological Library Association, Hack, California, Laws, Deepfakes, Craig Newmark, US, Cybersecurity Funding, Vanir, Ransomware Group, Tor, Website, Germany, Authorities, Ghost App, International, Crime, Swiss Post, Open Systems, Cybersecurity, Enhancement
Cyber Alerts
A new botnet called “Raptor Train” has compromised over 200,000 IoT devices worldwide, primarily targeting routers, IP cameras, and other network equipment. Discovered by Lumen’s Black Lotus Labs, the botnet is believed to be operated by the Chinese state-backed hacking group Flax Typhoon. Active since 2020, Raptor Train uses a three-tiered architecture to exploit vulnerable devices and carry out potential DDoS attacks, espionage, and network reconnaissance.
The newly discovered “AliGater” malvertising campaign is targeting outdated Windows users, particularly those using Windows 7 SP1 and 8.1, as well as older Chrome versions in Europe. Researchers at Gen Digital found that the campaign uses malicious ads to redirect users to a fake CAPTCHA page, where tailored exploits are deployed for known vulnerabilities. The multi-stage attack delivers a payload that includes WebAssembly, shellcode injection, and process hollowing, ultimately installing the Lumma stealer malware.
GitLab has released urgent patches for a critical Security Assertion Markup Language vulnerability (CVE-2024-45409) in its Community Edition (CE) and Enterprise Edition (EE) that could allow authentication bypass. The flaw, stemming from the ruby-saml library, enables unauthenticated attackers to forge SAML Responses and log in as arbitrary users within the system. GitLab has updated the omniauth-saml and ruby-saml libraries to versions 2.2.1 and 1.17.0, respectively, and urges users to enable two-factor authentication (2FA) and disable SAML two-factor bypass options as mitigations.
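A quick way to check whether a Ruby application still carries the affected libraries is to compare the resolved versions in its Gemfile.lock against the fixed releases named above (ruby-saml 1.17.0, omniauth-saml 2.2.1). The following is an added example, not code from GitLab or the ruby-saml project; the sample lockfile is constructed and the function names are assumptions.

```ruby
# Added example (not from the article or GitLab): scan a Gemfile.lock for
# ruby-saml / omniauth-saml versions below the fixed releases named above.
require "rubygems" # provides Gem::Version for correct version comparison

# Fixed versions taken from the GitLab advisory summarised above.
FIXED_VERSIONS = {
  "ruby-saml"     => Gem::Version.new("1.17.0"),
  "omniauth-saml" => Gem::Version.new("2.2.1"),
}.freeze

# Extract resolved gem versions from Gemfile.lock text. Only "specs:" entries
# indented by exactly four spaces carry the resolved version in parentheses;
# deeper-indented lines are dependency constraints, not resolved versions.
def lockfile_versions(lock_text)
  versions = {}
  lock_text.each_line do |line|
    next unless (m = line.match(/\A {4}(\S+) \((\S+)\)\s*\z/))
    versions[m[1]] = Gem::Version.new(m[2])
  end
  versions
end

# Return gem => [installed, fixed] for every tracked gem that is present in
# the lockfile and still below its fixed version.
def vulnerable_saml_gems(lock_text)
  installed = lockfile_versions(lock_text)
  FIXED_VERSIONS.each_with_object({}) do |(name, fixed), out|
    next unless installed.key?(name)
    out[name] = [installed[name].to_s, fixed.to_s] if installed[name] < fixed
  end
end

# Constructed sample lockfile (not a real project's): one gem patched, one not.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth-saml (2.2.1)
        omniauth (~> 2.1)
        ruby-saml (~> 1.12)
      ruby-saml (1.16.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

if $PROGRAM_NAME == __FILE__
  findings = vulnerable_saml_gems(SAMPLE_LOCK)
  findings.each { |gem, (have, want)| puts "#{gem} #{have} < fixed #{want}" }
  puts "no vulnerable SAML gems found" if findings.empty?
end
```

Run it against a real lockfile with `vulnerable_saml_gems(File.read("Gemfile.lock"))`; an empty result means both gems are at or above the fixed versions, or absent.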
Apple has temporarily paused the rollout of iPadOS 18 for M4 iPad Pro models following numerous reports from users claiming the update has rendered their devices inoperable, or “bricked.” Affected owners have been unable to revive their iPads using standard recovery methods, prompting many to seek assistance at Apple Stores. The issue has generated significant chatter on support forums and social media, with users expressing frustration and confusion over the update process.
Microsoft has reported that the ransomware affiliate known as Vanilla Tempest has begun targeting U.S. healthcare organizations with its INC ransomware. This operation, which has been active since July 2023, employs sophisticated tactics to infiltrate systems. The attackers gain access through malware like Gootloader, subsequently deploying backdoors and using remote tools to spread INC ransomware across networks. While the specific victim of the latest attack has not been disclosed, a similar strain was linked to a recent cyber incident affecting Michigan’s McLaren Health Care hospitals, leading to significant operational disruptions.
π₯ Cyber Incidents
Total Tools, the hardware chain owned by Metcash, has reported a significant data leak affecting approximately 38,000 customers. The breach, attributed to professional cyber hackers, compromises sensitive information including credit card numbers, email addresses, and login details. Following the discovery of unusual activity in its IT systems, Total Tools has engaged a third-party forensic cyber specialist to investigate the breach’s scope. The company is actively notifying affected customers and has informed the Australian Cyber Security Centre.
A recent hacking spree on the social media platform X has led to a significant pump-and-dump scheme for the $HACKED cryptocurrency token on the Solana blockchain. High-profile accounts, including MoneyControl, People Magazine, and EUinmyRegion, were compromised to promote the token, with identical tweets urging followers to invest. Initially, $HACKED had only 42 holders and a market cap of about $5,000, but the campaign quickly propelled it to 436 holders and a market cap exceeding $166,000.
Ethena Labs has taken decisive action to suspend its website following a significant front-end hack that occurred on September 18. In a recent announcement, the company cautioned users against interacting with any platform claiming to be affiliated with Ethena, as their domain registrar account was compromised. While the website remains deactivated, Ethena Labs assured customers that the core Ethena protocol and all funds remain secure. Security firm Blockaid has also advised users connected at the time of the exploit to disconnect their wallets immediately and avoid signing any transactions.
Fireworks Software, a provider of customer relationship management services for higher education institutions, has notified users of a recent data security incident that may have compromised personal information. On June 28, 2024, the company detected unauthorized access to its network, prompting an immediate investigation in collaboration with cybersecurity professionals. Following a thorough review, it was revealed that between June 23 and June 26, 2024, some personal information may have been accessed by an unauthorized individual.
The American Theological Library Association (Atla) has notified its members of a recent data breach that may have exposed personal information, including names and Social Security numbers. The incident occurred between June 24 and June 27, 2024, when an unauthorized individual accessed an Atla employee’s email account, potentially viewing sensitive information from email exchanges. In response to the breach, Atla has secured the affected account, initiated an internal investigation, and engaged a forensic security firm.
Cyber News
California has enacted five new laws aimed at combating the misuse of artificial intelligence (AI), particularly focusing on deepfakes in elections and the media industry. Signed by Governor Gavin Newsom, these regulations require large online platforms to remove deceptive election-related deepfakes and label less materially deceptive content. With the U.S. presidential election approaching, the laws also mandate that electoral campaigns disclose the use of AI in advertisements.
Craig Newmark, the founder of Craigslist, has pledged an impressive $100 million to bolster U.S. cybersecurity efforts, responding to the escalating threats posed by foreign governments. Announced in a recent interview, Newmark intends to allocate half of the funds to protect critical infrastructure, such as power grids, from cyberattacks, while the other half will focus on educating the public about essential cybersecurity practices. This commitment is part of Newmark’s broader philanthropic mission, having already donated over $400 million since 2015, with a particular emphasis on cybersecurity.
German law enforcement has taken decisive action against the Vanir Ransomware Group by seizing their onion site, which displayed a message confirming the seizure by the State Bureau of Investigation Baden-Württemberg. The operation, announced on September 18, 2024, highlights ongoing efforts to combat cybercrime, although no arrests have been made and the identities of the threat actors remain unknown.
In a significant blow to organized crime, the Australian Federal Police (AFP) have arrested the mastermind behind Ghost, an encrypted communication platform used by criminals worldwide. The operation, dubbed Operation Kraken, involved nearly 700 officers executing search warrants across Australia, with coordinated raids in Ireland, Italy, Sweden, and Canada. Ghost had long evaded law enforcement, providing users with a false sense of security due to its sophisticated encryption features. However, a global task force, including Europol and the FBI, successfully infiltrated the network, allowing police to access encrypted messages and thwart ongoing criminal activities.
Swiss Post has announced its acquisition of Open Systems, a leading secure access service edge (SASE) provider, to strengthen cybersecurity for public authorities and private companies. This strategic move aims to enhance secure communications and data protection, reflecting Swiss Post’s commitment to delivering cutting-edge network and security management solutions globally. Open Systems, established in 1990 and known for its innovative cybersecurity services, will enable Swiss Post to offer advanced secure communication platforms.
Copyright © 2024 CyberMaterial. All Rights Reserved.