What's happening in cybersecurity today?
North Korea, Hackers, Chrome, Zero-Day, FudModule, Rootkit, Cicada3301, Ransomware, VMware, ESXi, Linux Encryptor, Godzilla, Fileless Backdoor, Atlassian, Confluence, SQL Injection, TSA, Cockpit Access, Latrodectus Malware, Evasion Techniques, APT-28, Germany, Air Traffic Control, Northwoods, Baseball League, Madison Mallards Fans, Wertachkliniken Clinics, Anderson Feazel Management, Data Breach, Marine Home Center, Email Accounts, Crypto, $300M, PeckShield, US, AI Safety Institute, OpenAI, Anthropic, Scottish Cyber Coordination Centre, Cyber Enhancement, Cambodia, Malaysia, Fake News, FTC, Verkada, Security Failures, Privacy Violations
Cyber Alerts
North Korean hackers, operating under the Citrine Sleet alias, have recently exploited a zero-day vulnerability in Google Chrome, designated CVE-2024-7971, to deploy the sophisticated FudModule rootkit. Discovered on August 19, 2024, this high-severity type confusion bug in the V8 JavaScript engine allowed threat actors to execute remote code within the sandboxed Chromium renderer.
Cicada3301, a new ransomware-as-a-service (RaaS) operation, has swiftly gained attention for targeting VMware ESXi systems with its advanced Linux encryptor. Launched in late June 2024, this ransomware employs double-extortion tactics by first breaching corporate networks to steal data and then encrypting files to demand ransom. Written in Rust, the encryptor uses the ChaCha20 cipher and RSA encryption, mirroring techniques seen in the now-defunct ALPHV/BlackCat ransomware.
A new cyber threat has emerged with the Godzilla fileless backdoor exploiting the critical CVE-2023-22527 vulnerability in Atlassian Confluence. This high-severity flaw, affecting Confluence Data Center and Server products, allows remote code execution through a template injection vulnerability. The Godzilla backdoor, a sophisticated in-memory malware, evades traditional detection by operating filelessly and using AES encryption for its network traffic. The attack begins by exploiting the vulnerability to execute a payload that loads the Godzilla backdoor into the server's memory.
Security researchers Ian Carroll and Sam Curry have discovered a critical SQL injection vulnerability in FlyCASS, a third-party web service managing airport security systems like the Known Crewmember (KCM) program and Cockpit Access Security System (CASS). This flaw could have allowed unauthorized individuals to bypass TSA security screenings and gain access to aircraft cockpits. By exploiting the vulnerability, researchers were able to create a fictitious employee account with access to KCM and CASS, effectively enabling them to skip security checks.
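The FlyCASS flaw described above is a classic SQL injection: untrusted input is spliced into a query string and becomes SQL syntax instead of data. The following is an added example, not FlyCASS code or the researchers' proof of concept; it uses a constructed in-memory SQLite table with hypothetical crew records to contrast a vulnerable lookup with a parameterized one, showing why the hardened version treats the same input as an ordinary literal.

```python
import sqlite3

# Constructed sample data (not FlyCASS data): hypothetical crew records.
SAMPLE_ROWS = [
    ("alice", "Airline A", 1),   # authorized crew member
    ("bob", "Airline B", 0),     # record exists but is NOT authorized
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE crew (username TEXT, employer TEXT, authorized INTEGER)")
    conn.executemany("INSERT INTO crew VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Hypothetical vulnerable lookup: string interpolation lets input become SQL syntax."""
    sql = (
        f"SELECT username FROM crew WHERE username = '{username}' "
        f"AND authorized = 1 ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened lookup: a bound parameter is always treated as a literal value."""
    sql = "SELECT username FROM crew WHERE username = ? AND authorized = 1 ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups against the same input and return what each one authorizes."""
    conn = make_db()
    # Constructed textbook input: in the vulnerable query the quote closes the
    # string, `OR 1=1` makes the WHERE clause always true, and `--` comments out
    # the remaining `AND authorized = 1` check.
    probe = "x' OR 1=1 --"
    return {
        "vulnerable": lookup_vulnerable(conn, probe),  # every record, authorized or not
        "safe": lookup_safe(conn, probe),              # no user literally named that
        "safe_legit": lookup_safe(conn, "alice"),      # normal lookups still work
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The defensive point is the second function: with a bound parameter the database driver never parses the input as SQL, so the authorization predicate cannot be commented out or short-circuited. A regression test that feeds quote-and-comment strings into every lookup and asserts an empty result is a cheap way to catch a reintroduced string-built query.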
The Latrodectus malware, first discovered by Walmart in late 2023 and resembling IcedID, has significantly evolved with the release of version 1.4. This update introduces advanced capabilities and sophisticated evasion techniques. The malware now employs a new string deobfuscation method using AES256 encryption, making detection more challenging. Its delivery mechanisms include email spam campaigns by TA577 and TA578, and a BRC4 badger observed in July 2024.
Cyber Incidents
German air traffic control provider Deutsche Flugsicherung (DFS) has reported a cyberattack that has impacted its internal office communications, although air traffic operations remained unaffected. The attack, discovered last week, is suspected to be the work of the notorious APT-28 hacking group, also known as Fancy Bear, which is closely linked to the Russian military intelligence service GRU.
The Northwoods Baseball League has disclosed a data breach affecting customers who purchased tickets online for Madison Mallards and Night Mares games this summer. Detected on July 17, the breach compromised personal details including names, email addresses, phone numbers, and credit card information through the league's online ticketing system. While the league has conducted an internal investigation and found no further evidence of compromise, it has enhanced security measures to prevent future incidents.
Wertachkliniken's Bobingen and Schwabmünchen clinics in Germany experienced a significant cyberattack on September 1, 2024, leading to extensive IT disruptions and the encryption of virtual servers within the hospital information system. As a result, data access to the main IT system was blocked, prompting the cancellation of scheduled operations in Bobingen. The hospitals have initiated limited analog operations while their IT department, supported by external experts, works to restore normal functionality.
On August 30, 2024, Louisiana's Anderson Feazel Management, Inc. notified affected individuals of a significant data breach that occurred on July 31, 2024. The breach involved unauthorized access to and exfiltration of unencrypted financial documents containing sensitive personal and business information, including names, Social Security numbers, addresses, salary details, and tax records. Upon discovery, Anderson promptly engaged federal and state law enforcement and initiated a comprehensive forensic investigation.
On August 30, 2024, Marine Home Center in Massachusetts disclosed a security incident involving unauthorized access to an employee’s email account. The breach, which occurred between June 3 and June 7, 2024, resulted in the exposure of one Maine resident’s personal information, including their name and Social Security number. The company immediately activated its incident response protocols, secured the account, and engaged a cybersecurity firm for a thorough investigation.
Cyber News
The U.S. AI Safety Institute has secured an agreement with OpenAI and Anthropic to evaluate their models for safety prior to public release. This collaboration, part of the Department of Commerce’s National Institute of Standards and Technology, aims to advance testing methodologies and improve risk mitigation strategies for artificial intelligence. As part of the deal, the institute will access new models from both companies before and after their launch, offering suggestions for safety enhancements.
Scotland has unveiled its Strategic Plan for the Scottish Cyber Coordination Centre (SC3), designed to bolster the nation’s cyber defense capabilities from 2024 to 2027. This initiative aims to address significant cyber resilience challenges faced by the public sector, including fragmented security efforts, varying levels of cyber maturity, and insufficient resources. By fostering a unified approach, SC3 will provide specialized services, enhance national cyber maturity, and offer data-driven insights to improve overall resilience.
In a significant move to combat misinformation, Cambodia and Malaysia have joined forces to address the challenge of fake news. On September 2, 2024, during the 22nd League Conference and the 19th Asia Media Summit in Kuala Lumpur, Cambodian Minister of Information Mr. Neth Pheaktra and Malaysian Minister of Communications Mr. Ahmad Fahmi bin Mohamed Fadzil announced a new initiative to strengthen information security. Their collaboration aims to enhance information exchange between the Cambodian News Agency and Malaysia’s BERNAMA, as well as to foster partnerships in radio broadcasting.
In August 2024, cryptocurrency hacks reached alarming heights, with attackers stealing over $300 million in a single month. This spike in cybercrime was driven primarily by two significant phishing attacks that together accounted for $293 million of the total losses. The first attack led to a massive $238 million in stolen Bitcoin, while the second targeted the DAI stablecoin, resulting in a $55 million loss. According to blockchain security firm PeckShield, August's figures make it the third worst month of the year for crypto hacks, following only May and February.
The Federal Trade Commission (FTC) has fined security camera company Verkada $2.95 million following allegations of serious security failures and privacy violations. The FTC and Department of Justice (DOJ) revealed that Verkada’s inadequate security measures allowed hackers to access 150,000 live camera feeds, viewing individuals in sensitive locations such as psychiatric hospitals, schools, and prisons. In addition to the unauthorized access, hackers downloaded sensitive customer data, including personal details and camera geolocations.
Copyright © 2024 CyberMaterial. All Rights Reserved.