What are the latest cybersecurity alerts, incidents, and news?
Cyber Alerts
Russian GRU's 161st Specialist Training Center, known as Unit 29155, has been linked to global cyber sabotage and espionage operations, following its earlier involvement in foreign assassinations and destabilization efforts in Europe. A joint advisory from the US and its allies revealed that the unit is responsible for aggressive cyber operations, including the deployment of destructive malware like WhisperGate, which wiped the Master Boot Record (MBR) of computers in Ukraine.
The Group-IB Digital Forensics and Incident Response (DFIR) team has identified a novel attack method exploiting Linux’s Pluggable Authentication Modules (PAM) to establish persistent backdoors on compromised systems. This emerging technique, which is not yet documented in the MITRE ATT&CK framework, involves manipulating the pam_exec module to execute malicious scripts during the PAM authentication process. By altering PAM configurations related to SSH authentication, attackers can silently run scripts to exfiltrate sensitive data and maintain access, bypassing traditional security monitoring.
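As an added defensive illustration (not code from the Group-IB report), the following audit parses a PAM stack file such as /etc/pam.d/sshd and flags every pam_exec.so entry, highlighting the indicators a reviewer would want to see: the expose_authtok option (which hands the typed password to the script), scripts living in world-writable temp directories, and hidden path components. The sample configuration is constructed for the example.

```python
# Added example: audit PAM config text for pam_exec.so persistence.
# The sample stack below is constructed; the /tmp line is the injected one.
import re
from typing import Dict, List

SAMPLE_SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_env.so
auth       substack     password-auth
auth       optional     pam_exec.so quiet expose_authtok /tmp/.cache/sync.sh
account    required     pam_nologin.so
session    [success=1 default=ignore] pam_exec.so seteuid /usr/local/sbin/audit-login.sh
"""

# type, control (bare word or [bracketed] form), module path, remaining args
PAM_LINE = re.compile(
    r"^\s*(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def find_pam_exec(config_text: str) -> List[Dict[str, object]]:
    """Return one record per pam_exec.so line, with any risk indicators."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = PAM_LINE.match(raw)
        if not m or "pam_exec.so" not in m.group(3):
            continue
        args = m.group(4).split()
        # pam_exec takes the command as the first absolute path in its args
        script = next((a for a in args if a.startswith("/")), None)
        reasons = []
        if "expose_authtok" in args:
            reasons.append("expose_authtok: script receives the cleartext password")
        if script and script.startswith(TEMP_DIRS):
            reasons.append("script lives in a world-writable temp directory")
        if script and "/." in script:
            reasons.append("hidden path component in script path")
        findings.append({"line": lineno, "type": m.group(1),
                         "script": script, "reasons": reasons})
    return findings


def audit_file(path: str) -> List[Dict[str, object]]:
    """Audit a real PAM stack file, e.g. /etc/pam.d/sshd (needs read access)."""
    with open(path, encoding="utf-8") as fh:
        return find_pam_exec(fh.read())


if __name__ == "__main__":
    for f in find_pam_exec(SAMPLE_SSHD_PAM):
        verdict = "SUSPICIOUS" if f["reasons"] else "review"
        print(f"line {f['line']}: {verdict} {f['type']} pam_exec -> {f['script']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Every pam_exec entry is worth a manual look even when no indicator fires, since a legitimately placed script can still be modified in place.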
Apache OFBiz has released an update to address a critical security flaw, tracked as CVE-2024-45195, which could lead to unauthenticated remote code execution on both Linux and Windows systems. This high-severity vulnerability, with a CVSS score of 7.5, affects all versions of the software prior to 18.12.16. The issue arises from missing view authorization checks, allowing attackers to execute arbitrary code without valid credentials. The latest patch also resolves a critical server-side request forgery (SSRF) vulnerability, CVE-2024-45507, with a CVSS score of 9.8, which could allow unauthorized access through specially crafted URLs.
A severe security flaw in the LiteSpeed Cache plugin for WordPress has been uncovered, exposing versions up to 6.4.1 to unauthenticated account takeover. Tracked as CVE-2024-44000, this vulnerability allows unauthorized visitors to gain access to any user account, potentially even obtaining administrator-level privileges. The issue arises from a publicly exposed debug log file, which can disclose sensitive information like user cookies if the debug feature is enabled.
SonicWall has issued an urgent security advisory for a critical access control vulnerability, tracked as CVE-2024-40766, affecting its firewall products. With a CVSS score of 9.3, the flaw impacts Gen 5, Gen 6, and Gen 7 SonicWall firewalls, potentially allowing unauthorized resource access and even causing firewall crashes if exploited. SonicWall has released patches to address the issue and urges immediate application. For those unable to patch right away, the company recommends restricting firewall management to trusted sources and disabling WAN management from the Internet.
Cyber Incidents
In a significant data breach, the Walt Disney Company has suffered a leak exposing sensitive information, including passport numbers of cruise line workers and revenue details from Disney+ and Genie+ (now Lightning Lane). The breach, attributed to the hacktivist group Nullbulge, involved 1.1 terabytes of data from Disney's internal Slack channels. The leaked data includes financial figures such as over $2.4 billion in Disney+ revenue and $724 million from Genie+.
Confidant Health, a virtual medical provider, recently suffered a major data breach due to an unsecured database. Discovered by security researcher Jeremiah Fowler, the breach exposed over 120,000 files and 1.7 million activity logs, including highly sensitive information such as audio and video recordings of therapy sessions, psychiatric intake notes, and personal health details. The exposed data, totaling 5.3 terabytes, also included administrative documents like IDs and insurance cards.
On September 5, 2024, Blockaid announced that it successfully thwarted a major threat from the newly upgraded Angel Drainer, codenamed AngelX, which targeted decentralized finance (DeFi) protocols and crypto wallets. This sophisticated malicious code, which re-emerged on August 31, showcased enhanced cloaking techniques and support for additional blockchains, including Tron and Toncoin. Despite its advanced capabilities and a 90% evasion rate from existing security measures, Blockaid’s intervention prevented potential losses of $700,000.
Riverside Resort & Casino has disclosed a data breach that occurred on July 25, 2024, involving unauthorized access to sensitive personal data, including names and Social Security numbers. The breach was detected following suspicious activity, prompting an immediate investigation and remediation efforts by cybersecurity specialists. While no fraudulent misuse of the data has been reported so far, Riverside is offering affected individuals complimentary credit monitoring and fraud assistance services.
On September 4, 2024, Dr. Daniel J. Leeman, a Texas-based physician, notified over 20,000 patients of a significant data breach affecting their sensitive personal information. The breach, which was reported to the Attorney General of Texas, compromised a range of data including names, addresses, Social Security numbers, driver's license numbers, financial accounts, medical records, and health insurance details. The source of the breach remains unclear, though it may involve a third-party vendor. Dr. Leeman has begun sending out notification letters to affected individuals, advising them to stay vigilant against potential fraud or identity theft.
Cyber News
On September 5, 2024, the Australian government proposed new regulations aimed at improving transparency and accountability in artificial intelligence (AI). Recognizing that current regulatory frameworks are inadequate, the government introduced measures designed to ensure AI platforms disclose the origin and composition of their training datasets. This move, welcomed by the music industry and Indigenous groups, seeks to address concerns about bias, misinformation, and cultural appropriation.
On September 4, 2024, the White House, through the Office of the National Cyber Director, unveiled a major hiring initiative aimed at filling hundreds of federal cybersecurity, technology, and artificial intelligence roles. Known as the "Service for America" hiring sprint, this effort is designed to address the estimated 3,000 open positions across federal agencies. National Cyber Director Harry Coker emphasized that the initiative not only aims to enhance national security but also provides Americans with opportunities for good-paying, meaningful employment. The initiative includes a series of events, including a virtual career fair on September 27, and a new website showcasing available positions.
Salesforce has announced its acquisition of data management firm Own for $1.9 billion in cash, marking its largest acquisition since the $27.7 billion purchase of Slack in 2021. Own, based in New Jersey and rebranded from OwnBackup, specializes in enterprise data backup and disaster recovery solutions. This acquisition aligns with Salesforce's commitment to enhancing its data protection and management capabilities. Own's solutions, which support a range of applications including those hosted on Salesforce, AWS, and Microsoft, will bolster Salesforce's ability to offer comprehensive data resilience and security.
Kaspersky Lab is transferring its U.S. antivirus customers to Pango Group following a recent ban by the U.S. Commerce Department on sales of the Russian antivirus software. The acquisition, which affects approximately 1 million users, ensures that current Kaspersky customers will continue to receive updates through Pango's antivirus brand, Ultra AV. This move comes after Kaspersky began winding down its U.S. operations, including layoffs of local employees.
North Carolina musician Michael Smith has been indicted for a $10 million streaming fraud scheme involving AI-generated music and bots. From 2017 to 2024, Smith, along with a music promoter and an AI music company CEO, manipulated streaming platforms by using automated bots to artificially inflate the number of streams for thousands of AI-generated tracks. By utilizing virtual private networks (VPNs) to avoid detection, Smith amassed over 4 billion fake streams across platforms like Spotify, Amazon Music, Apple Music, and YouTube Music.
Copyright © 2024 CyberMaterial. All Rights Reserved.