SAN MATEO, CA, June 17, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
Machine learning models vulnerable to attack
Trail of Bits has identified a new attack method that can be used against machine learning models using the Pickle format. Called “Sleepy Pickle,” the “hybrid machine learning (ML) model exploitation technique” works by weaponizing “the ubiquitous format used to package and distribute machine learning (ML) models to corrupt the model itself, posing a severe supply chain risk to an organization’s downstream customers.” The attack allows a threat actor to tamper with the learning model in a way that can result in it generating “harmful outputs or misinformation that can have disastrous consequences to user safety” or manipulated news stories. Security researchers at Hugging Face suggest “only loading models from users and organizations you trust, relying on signed commits, and/or loading models from [TensorFlow] or Jax formats with the from_tf=True auto-conversion mechanism” to avoid the dangers of the exploit. Read more.
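The reason Pickle is attractive as a carrier is that the format is an instruction stream: opcodes such as GLOBAL and REDUCE tell the loader to import a name and call it, so loading an untrusted model file is executing code the publisher chose. The example below is added here to illustrate the defender's side of that point; it is not code from Trail of Bits, Hugging Face, or NetworkTigers. It uses only the Python standard library: `risky_opcodes` lists the import and call opcodes present in a pickle without executing it, and `safe_loads` is an allowlisting unpickler that refuses any import not explicitly permitted. The sample pickles are constructed inline (a plain dict and a `datetime`, the latter standing in for any object whose deserialization involves a call).

```python
"""Triage a pickle before loading it: which opcodes would import or call code,
and load it only through an allowlist of permitted imports.

Added example (not from the article or the projects it names). Uses only the
standard library; the sample pickles are constructed below for illustration.
"""
import io
import pickle
import pickletools
from datetime import datetime

# Opcodes that make the loader import a name (IMPORT_OPS) or call an object
# (CALL_OPS). A pickle that contains none of these can only build primitives
# and plain containers such as lists, tuples and dicts.
IMPORT_OPS = {"GLOBAL", "STACK_GLOBAL"}
CALL_OPS = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}
RISKY_OPS = IMPORT_OPS | CALL_OPS


def risky_opcodes(data: bytes) -> set[str]:
    """Statically scan the opcode stream and return the risky opcodes present.

    pickletools.genops disassembles without executing anything. Treat the
    result as a triage signal only: an adversarial pickle can be obfuscated, so
    the enforcing control is the allowlisting unpickler below.
    """
    return {op.name for op, _arg, _pos in pickletools.genops(data) if op.name in RISKY_OPS}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only imports named in an explicit allowlist."""

    def __init__(self, file, allowed: frozenset[str]):
        super().__init__(file)
        self.allowed = allowed  # entries are dotted "module.name" strings

    def find_class(self, module: str, name: str):
        # Every GLOBAL / STACK_GLOBAL resolution goes through here, so this is
        # the one choke point at which arbitrary imports can be refused.
        qualified = f"{module}.{name}"
        if qualified not in self.allowed:
            raise pickle.UnpicklingError(f"import of {qualified!r} blocked by allowlist")
        return super().find_class(module, name)


def safe_loads(data: bytes, allowed: frozenset[str] = frozenset()):
    """Deserialize data, aborting on any import outside the allowlist."""
    return AllowlistUnpickler(io.BytesIO(data), allowed).load()


def triage(data: bytes, allowed: frozenset[str] = frozenset()) -> dict:
    """Combine the static scan with the guarded load and report both outcomes."""
    report = {"risky_opcodes": sorted(risky_opcodes(data)), "loaded": None, "blocked": None}
    try:
        report["loaded"] = safe_loads(data, allowed)
    except pickle.UnpicklingError as exc:
        report["blocked"] = str(exc)
    return report


def constructed_samples() -> dict[str, bytes]:
    """Constructed inputs: a data-only pickle and one whose load performs a call."""
    return {
        "plain": pickle.dumps({"weights": [0.5, 0.25], "layers": 3}),
        "calls": pickle.dumps(datetime(2024, 6, 17)),  # serialized via an import + REDUCE
    }


if __name__ == "__main__":
    samples = constructed_samples()
    for label, blob in samples.items():
        print(label, triage(blob))
    # Permitting exactly the import a trusted format needs lets that load succeed.
    print("calls, allowlisted", triage(samples["calls"], frozenset({"datetime.datetime"})))
```

The allowlist approach is the same one the Python documentation recommends for restricting `pickle`; note that it only blocks imports, so anything you do allow must itself be safe to call with attacker-chosen arguments. That limit is why the Hugging Face guidance quoted above points to formats that do not execute code at load time rather than to filtering pickles.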
Stolen data from Truist Bank for sale
Truist Bank, a top-10 commercial bank with total assets of $535 billion, confirmed a data breach in October 2023, resulting in company data listed for sale on a hacker forum. The stolen data, posted by a threat actor called Sp1d3r, is said to include “65k Employees; Bank accounts w/ acct #, transactions w/ names, balances; as well as the IVR transfer source code” and comes with a $1 million price tag. “In October 2023, we experienced a cybersecurity incident that was quickly contained,” a Truist Bank spokesperson told BleepingComputer. “We have found no indication of fraud arising from this incident at this time.” Sp1d3r has also listed data stolen from cybersecurity firm Cylance and Advance Auto Parts. Read more.
Biometric hardware provider’s products flawed
ZkTeco, a hybrid biometric access system provider based in China, has been found by Kaspersky to be providing products containing major vulnerabilities. A total of 24 bugs were found, some of which allow threat actors to “bypass the verification process and gain unauthorized access by adding random user data to the database or using a fake QR code.” The flaws may also allow criminals to “steal and leak biometric data, remotely manipulate devices, and deploy backdoors.” ZkTeco’s biometric readers can be found in building access systems across all industries, including chemical plants, hospitals, and other places where a cyberattack could have a severe impact. Kaspersky informed the manufacturer of the flaws before publicizing them. No patches are yet available. Read more.
Phone calls impersonate CISA employees
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about criminals posing as agency employees and attempting to trick people into transferring money to them. “The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency,” reads the advisory. “As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret.” Anyone on the receiving end of a phone call from someone claiming to be a CISA employee should validate the contact or report the attempt to law enforcement. Read more.
Microsoft patches critical RCE bug
Microsoft’s June Patch Tuesday contained fixes for 49 bugs and vulnerabilities, with one in particular standing out. CVE-2024-30080 is “remotely exploitable, with low attack complexity, requires no privileges, and takes no user interaction; and it carries high impacts on confidentiality, integrity, and availability.” Receiving a CVSS score of 9.8, the flaw can be leveraged to allow an attacker to “completely take over an affected server by sending a specially crafted malicious MSMQ packet.” Users are urged to update immediately, as the ease with which this bug can be exploited leads security experts to expect it to be widely used by threat actors soon. It is the only bug in Microsoft’s June update that has received a critical rating. Read more.
Russian crypter developer arrested
A 28-year-old Russian man has been arrested in Kyiv by Ukrainian police. He is accused of working with both the Conti and LockBit ransomware groups and of conducting an attack by himself. According to BleepingComputer, “the Ukrainian police reported that the arrested individual was a specialist in developing custom crypters for packing the ransomware payloads into what appeared as safe files, making them FUD (fully undetectable) to evade detection by the popular antivirus products.” The Dutch police, whose initial investigation into a ransomware attack informed the Ukrainian authorities, say that the suspect orchestrated a ransomware attack in 2021 using Conti’s malware, acting as an affiliate. The suspect has been charged and faces up to 15 years in prison if convicted. Read more.
Phishing campaign hides malware in phony resumes
The job-seeking and hiring world continues to be a prime target for threat actors looking to slip malware into the process by tricking applicants and hiring managers alike. A phishing attack distributing More_eggs, “a modular backdoor that’s capable of harvesting sensitive information,” has been observed being presented as a resume to job recruiters. Upon clicking a link provided by an applicant, the victim is sent to a website where they end up downloading the malware instead. More_eggs has a history of appearing in job-related scams on LinkedIn and is offered to criminals as Malware-as-a-Service. Victims are often specifically targeted, unlike many other campaigns with similar goals that spread their malware across a large number of potential marks. Read more.
Netgear router flaw allows device takeover
Netgear WNR614 N300, a popular low-cost router found in many homes and small businesses, has been found to harbor half a dozen vulnerabilities. According to researchers at RedFox Security, the router’s flaws “range from authentication bypass and weak password policy to storing passwords in plain text and Wi-Fi Protected Setup (WPS) PIN exposure.” Netgear is no longer supporting the router, as it has reached its end of life, but the device remains installed in many systems, as it’s easy to use, performs well, and has proven reliable despite its age. Users of the WNR614 N300 are urged to replace their routers with options that are still receiving support or perform several suggested mitigations that could help prevent an attack. Read more.
Internet of Things vulnerabilities surge
Data from Forescout’s “The Riskiest Connected Devices in 2024” report indicates that Internet of Things (IoT) devices containing security vulnerabilities have increased by 136% compared to last year. The most vulnerable devices, according to their findings, were wireless access points, routers, printers, VoIP, and IP cameras. These vulnerable devices offer access points for threat actors who can use them to penetrate the networks and systems of organizations. “There are tutorials shared in underground forums about how to compromise and use them for lateral movement, exfiltration and command and control, because they are invisible in most cases to the enterprise security stack,” said Rik Ferguson, VP Security Intelligence at Forescout. Read more.
Google takes down thousands of YouTube channels
Google has reported that the company has taken down 1,320 YouTube channels and 1,177 Blogger blog posts associated with an influence campaign for the People’s Republic of China. “The coordinated inauthentic network uploaded content in Chinese and English about China and U.S. foreign affairs,” Google Threat Analysis Group (TAG) researcher Billy Leonard said. The company also took down 378 YouTube channels from a Russian consulting firm. The channels’ content featured material lauding Russia and insulting Ukraine. Additional Russia-friendly content was designed to undermine the legitimacy and fairness of the International Olympic Committee, an organization that has banned Russian athletes from the games in the past. Read more.