October 1 2024 – Cyber Briefing

👉 What’s the latest in the cyber world today?

PHP, Nitrogen Malware, Sliver, Cobalt Strike, North Korea, Hackers, LinkedIn, RustDoor, Microsoft, Security Protocols, Edge, SQL Injection, WhatsUp Gold, Critical, Ransomware, UMC Hospital, Dist IT, Disruption, Kimsuky, APT, Germany, Diehl, Cincinnati Public Schools, Compromise, Germany, Digital Service Provider, VBG, White House, Initiatives, Ransomware, CISA, Funding, Medical Communications, T-Mobile, Settlement, Breach, Russia, Ukraine, Energy Sector, ISACA, Staffing, Funding, Crisis, Europe.

Listen to the full podcast

🚨 Cyber Alerts

1. PHP Vulnerabilities Trigger Urgent Updates

The PHP project has recently issued a security advisory regarding multiple vulnerabilities that affect various versions of PHP, emphasizing the urgent need for users to update to the latest patched versions. Among the vulnerabilities, CVE-2024–9026 allows log tampering in PHP-FPM, enabling attackers to manipulate log entries, which can hinder forensic investigations. Another significant vulnerability, CVE-2024–8927, permits attackers to bypass the cgi.force_redirect configuration, potentially leading to arbitrary file inclusion and unauthorized access to sensitive data.

2. Nitrogen Malware Deploys Cobalt Strike

A recent cyberattack involving Nitrogen malware has been discovered deploying Sliver and Cobalt Strike on hijacked servers. The attack began when a user unknowingly downloaded a fake version of the “Advanced IP Scanner” tool, initiating a sophisticated malware campaign. The malware delivered a malicious payload via a ZIP file, exploiting a legitimate Python executable to side-load malicious code. Over eight days, the attackers used reconnaissance tools like PowerView and BloodHound to map the network and performed lateral movements using RDP and WMI.

3. North Korean Hackers Target LinkedIn Users

In early September, the FBI alerted the public about a campaign by North Korean threat actors targeting the cryptocurrency industry through deceptive tactics on LinkedIn. These hackers impersonate recruiters from legitimate decentralized cryptocurrency exchange (DEX) firms, utilizing professional-looking websites to enhance the credibility of their false identities. The objective is to lure unsuspecting users into downloading RustDoor malware, a sophisticated tool designed to compromise systems and potentially steal sensitive data.

4. Microsoft Enhances Edge Extensions Security

Microsoft has introduced significant security enhancements to the publishing process for Edge extensions through an updated version of its Publish API. This overhaul requires developers to submit new extensions via the Partner Center, where they undergo approval before any subsequent updates can be made. The updated API incorporates dynamically generated API keys for each developer, reducing the risk of static credential exposure. Additionally, these keys are now stored as hashed values, further minimizing potential leaks.

5. Critical SQL Injection Flaw in WhatsUp Gold

A recently disclosed SQL injection vulnerability in Progress WhatsUp Gold, a prominent network monitoring software, has raised significant security concerns. This vulnerability allows unauthenticated attackers to potentially retrieve users’ encrypted passwords, posing a serious risk to sensitive information. Following reports of active exploitation related to this flaw, the Cybersecurity and Infrastructure Security Agency (CISA) has included it in the “Known Exploited Vulnerabilities Catalog.”

💥 Cyber Incidents

6. Texas Trauma Center Struck by Ransomware

The University Medical Center (UMC) Health System in Lubbock, Texas, is facing significant operational challenges following a ransomware attack that has forced the facility to divert both emergency and non-emergency patients to nearby healthcare providers. As the only Level 1 trauma center in West Texas and one of the few located outside major cities, UMC’s ability to provide critical care is essential for the surrounding community. In a statement released on September 27, UMC confirmed the attack and noted that while all facilities remain open, they are implementing measures to minimize disruption.

7. Dist IT Cyberattack Disrupts Operations

Dist IT, a leading IT product company in Sweden, has reported that one of its subsidiaries has fallen victim to a serious cyberattack, leading to disruptions in operations and potential financial consequences. The breach began on Thursday, prompting the company to shut down its IT systems to mitigate further impact. While customer orders can still be received, deliveries will be delayed until systems are restored. Early assessments indicate that the attackers may have accessed sensitive data, though the extent of the breach is still being evaluated.

8. Kimsuky Cyberattack Targets Diehl Defence

North Korea-linked advanced persistent threat group Kimsuky has reportedly executed a cyberattack on Diehl Defence, a prominent German manufacturer of advanced military systems, including missiles and ammunition. The attack was uncovered by Mandiant, a subsidiary of Google, and involved a sophisticated phishing campaign targeting Diehl employees with fake job offers from U.S. defense contractors. By enticing victims to open malicious PDFs, the hackers were able to deploy malware that compromised the company’s systems.

9. Cincinnati Public Schools Hit by Cyberattack

Cincinnati Public Schools recently confirmed it was the victim of a ransomware attack that occurred in mid-August, leading to potential unauthorized access to district systems and data. Fortunately, no funds were stolen during the incident. The district has notified law enforcement and is collaborating with cybersecurity experts to investigate the breach. In an email sent to families, officials emphasized their commitment to safeguarding the privacy and security of student and staff data, while advising parents and students to remain vigilant against suspicious emails or unfamiliar links.

10. VBG Ransomware Attack Exposes User Data

VBG, the German digital service provider for occupational health and safety seminars, recently experienced a ransomware attack that compromised a server on its online campus. Although immediate action was taken to shut down the affected server, there are concerns that sensitive data, including names, email addresses, phone numbers, employer details, and physical addresses, may have been leaked. While VBG confirmed that the integrity of its operations remains intact and that no insurance claim data was affected, they warned users of potential risks associated with the exposure of their email addresses, which could be exploited for phishing or further attacks.

📢 Cyber News

11. White House Launches Ransomware Initiative

The White House has launched a weeklong initiative to combat global ransomware attacks, coinciding with the fourth annual summit of the International Counter Ransomware Initiative (CRI) in Washington. This year’s summit brings together representatives from 68 member nations, emphasizing the collaborative effort to address rising ransomware threats. Deputy National Security Adviser Anne Neuberger announced significant new deliverables, including the introduction of a global counter-ransomware fund managed by the U.S. Agency for International Development.

12. CISA Awards $1M for Rural Emergency Services

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the awarding of a $1 million cooperative agreement to the Hawaii County Civil Defense Agency as part of the Rural Emergency Medical Communications Demonstration Project (REMCDP). This initiative, which aims to address communication barriers in emergency medical situations, will span two years, starting in September 2024. The funding will support the development of innovative solutions that enable effective communication among emergency responders and medical practitioners across diverse geographic and operational scenarios.

13. T-Mobile Settles for $31M Over Data Breaches

T-Mobile has reached a $31.5 million settlement with the Federal Communications Commission (FCC) in response to a series of significant data breaches that impacted tens of millions of U.S. consumers between 2021 and 2023. The settlement includes a $15.75 million civil penalty, along with an additional $15.75 million earmarked for enhancing its cybersecurity program over the next two years.

14. Russian Hackers Escalate Attacks on Ukraine

Russian military and intelligence hacking groups have intensified their cyberattacks on Ukraine’s energy sector as part of a broader strategy to support Moscow’s military operations. In the first half of 2024, Ukraine’s State Service of Special Communications and Information Protection reported a significant increase in attacks against the security, defense, and energy sectors, with the number of medium-severity incidents rising by one-third.

15. European Security Teams Face Staffing Crisis

A recent survey by ISACA highlights a troubling trend among European IT security teams, revealing that they are overstressed, understaffed, and underfunded. Polling over 1,800 cybersecurity professionals across the region, the study found that 61% believe their teams lack adequate staffing, with 19% reporting unfilled entry-level positions and 48% citing gaps in experienced roles. The survey also identified a significant skills gap, particularly in soft skills, with over half of respondents noting deficiencies in communication, problem-solving, and critical thinking.