What’s going on in the cyber world today?
NGINX Ingress, Kubernetes, Hunters International, Hive Ransomware, GHOSTPULSE, MSIX, Windows 11, Microsoft 365, Victorville, California, Boeing, Lazarus, APT38, North Korea, Kearny Bank, Stanford University, FTC, Gaza, Israel, CISA, Ukraine, Russia
Cyber Alerts
Three critical vulnerabilities were disclosed by the Kubernetes security community, all pertaining to the widely used NGINX Ingress component. These vulnerabilities, identified as CVE-2023-5043, CVE-2023-5044, and CVE-2022-4886, enable attackers to steal sensitive credentials from the Kubernetes cluster, including high-privileged access to the Kubernetes API server. Although these attacks are typically difficult for outsiders to carry out, they remain feasible in certain scenarios, such as multi-tenant clusters and the injection of malicious configurations.
A new ransomware operation known as Hunters International has surfaced, and it appears to be a possible rebrand of the Hive ransomware. Researchers have identified code overlaps and similarities between the two groups, suggesting a connection. While Hunters International claims they acquired the source code from Hive developers, concerns remain about their motives, as they focus on stealing data for extortion rather than encryption.
A recent cyber attack campaign has been discovered employing MSIX Windows app package files to distribute the GHOSTPULSE malware across Windows systems. MSIX is a format used to package and distribute Windows applications, requiring access to code signing certificates, making it an attractive target for well-resourced groups. This campaign entices potential victims to download the malicious MSIX packages through various techniques, ultimately delivering GHOSTPULSE through a multi-stage process.
Microsoft has enhanced Windows 11’s file archive compatibility by adding support for 11 new formats, including RAR, 7-Zip, Tar, and GZ archives. These additions come with the optional KB5031455 Preview cumulative update, although support for password-protected archives is not yet available. The company utilized the open-source libarchive project for this expansion, with plans to potentially introduce more formats in the future, such as LZH and XAR.
Microsoft has released a workaround for a prevalent issue affecting Microsoft 365 users, resulting in ‘Something Went Wrong [1001]’ sign-in errors and rendering desktop applications, including Excel, Word, Outlook, and PowerPoint, unusable for many customers. The problem has affected users of Microsoft 365 Apps for business, Microsoft 365, and the Office apps for iOS and Android, who have been encountering the error message when attempting to sign in to the Microsoft 365 desktop applications.
In Victorville, California, residents were warned about a data breach following a ransomware attack that exposed sensitive information. City officials disclosed that hackers had access to their systems from August 12 to September 26, and the breached data included names, Social Security numbers, driver’s license information, medical records, and health insurance policy numbers. While the city has restored some services affected by the attack, web-based systems remain non-functional.
The LockBit ransomware gang has claimed the prestigious aerospace and military contractor, Boeing, as its latest victim. This Russian-linked group made the announcement on its dark web leak site, asserting that they possess a vast trove of sensitive data. Unless Boeing communicates with the ransomware group before November 2nd, 1:23 pm UTC, all this data will be made public. With Boeing and its subsidiaries valued at around $60 billion by the gang, this poses a significant threat to the global aviation and space technology leader.
A report by Kaspersky reveals that the North Korean Lazarus hacking group persistently targeted a software vendor through multiple breaches, with the aim of stealing source code or facilitating a supply chain attack. This campaign, spanning from March to August 2023, demonstrated Lazarus’s determination as they continued to exploit software vulnerabilities despite multiple patches and warnings. The attackers deployed SIGNBT malware and LPEClient, an info-stealer and loader, showcasing their sophisticated tactics and the need for organizations to proactively secure their software against such threats.
Kearny Bank, based in New Jersey, disclosed a data breach where credit card numbers and other sensitive client information were exposed due to the MOVEit Transfer attacks. The breach was linked to a zero-day vulnerability exploit affecting Fiserv, a third-party vendor providing financial technology services to the bank. While the bank reassured that its in-house systems were secure, over 17,000 clients were affected, prompting Kearny Bank to provide affected individuals with free credit monitoring, fraud consultation, and identity restoration services for 24 months.
In response to a ransomware gang’s claim of an attack on Stanford University, the institution is actively investigating a cybersecurity incident within its Department of Public Safety. The university has stated that it is working to determine the extent of the impact and that the investigation is being conducted in collaboration with outside specialists. The Akira ransomware gang, which has targeted various U.S. educational institutions this year, including colleges and K-12 schools, claimed responsibility for the attack and the theft of 430 gigabytes of data, underscoring the growing cybersecurity challenges educational institutions face.
The UK Parliament’s Science and Technology Committee has launched a call for evidence, inviting experts to contribute their insights. The UK is one of the world’s most targeted countries for cyberattacks, following closely behind the United States and Ukraine. Recent incidents, including a breach of voter data at the U.K. Electoral Commission and the 2017 WannaCry attack on the National Health Service, have highlighted the pressing need for increased cybersecurity measures.
Google is taking significant steps to enhance the security of its artificial intelligence (AI) systems. The company has expanded its bug bounty program to include AI-related vulnerabilities, allowing security researchers to report findings. Google is also applying supply chain security measures, like code signing and Supply-chain Levels for Software Artifacts (SLSA), to machine learning models to bolster AI security.
Amidst growing concerns of potential cyberattacks on internet-connected solar inverters in Australia, the government is moving closer to implementing security standards aimed at protecting the nation’s booming solar market. Researchers have highlighted cybersecurity vulnerabilities in rooftop inverters, with Chinese state-sponsored hackers suspected of targeting these systems, which are critical to converting solar energy into electricity for homes and businesses.
In the third quarter of 2023, Cloudflare faced a surge in hyper-volumetric HTTP DDoS attacks, marking a new chapter in the threat landscape. These attacks exploited a recently disclosed technique called ‘HTTP/2 Rapid Reset’ and reached unprecedented levels, with one attack peaking at 201 million requests per second. Cloudflare also observed an increase in mDNS, CoAP, and ESP DDoS attacks, while ransom DDoS attacks declined for the second consecutive quarter.
Nigerian authorities have successfully shut down a cybercrime recruitment and mentoring hub, culminating in the arrest of six individuals aged between 19 and 27. The suspects have confessed to participating in a range of cybercrimes, including identity theft, hacking, trading of hacked Facebook accounts, romance scams, and computer-related fraud. This operation has also revealed potential connections to more extensive cybercrimes, such as business email compromise and high-yield investment program fraud, with ongoing efforts to locate additional members of this criminal network.