July 15, 2024

News roundup July 15, 2024

SAN MATEO, CA, July 15, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Developers must eliminate OS command injection vulnerabilities

An alert from the FBI and CISA was sent out “in response to several high-profile threat actor campaigns in 2024 that exploited OS command injection defects in network edge devices to compromise users.” Both agencies framed command injection vulnerabilities as “entirely preventable” because software developers “failed to properly validate and sanitize user input when constructing commands to execute on the underlying OS.” As a result, CISA and the FBI are urging tech companies to review past instances of these vulnerabilities being exploited and create a plan to eliminate them in the future. The recommendations are part of a larger US government push for secure by design, which places more of the cybersecurity responsibility on software manufacturers. Read more.
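The defect the alert describes is user input pasted into a command string that a shell then parses. The added example below is not from the alert or from any vendor; it contrasts that pattern with the fix the agencies call for: strict allow-list validation of the input plus an argv-style invocation that never hands the string to a shell. The `ping` use case and the hostname rule are assumptions for illustration.

```python
import re
import subprocess

# VULNERABLE pattern (built but never executed here): the hostname is
# concatenated into one string that /bin/sh will parse, so shell
# metacharacters in the input become additional commands.
def build_vulnerable_command(host: str) -> str:
    return "ping -c 1 " + host          # would be run with shell=True


# HARDENED pattern, part 1: validate against an allow-list of what a
# hostname may look like (RFC 1123-style labels, dot separated, max 253
# chars, no leading/trailing hyphen). Anything else is rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_hostname(host: str) -> bool:
    return bool(HOSTNAME_RE.match(host))


# HARDENED pattern, part 2: build an argument vector instead of a string.
# With a list and shell=False there is no shell to interpret ';', '|',
# '$(...)' or backticks, so the input can only ever be one argument.
def build_safe_argv(host: str) -> list[str]:
    if not validate_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def ping_host(host: str, timeout: float = 5.0) -> int:
    """Run the validated ping and return its exit status."""
    argv = build_safe_argv(host)
    result = subprocess.run(argv, shell=False, timeout=timeout,
                            capture_output=True, check=False)
    return result.returncode


if __name__ == "__main__":
    # Constructed inputs: a benign hostname and an injection attempt.
    for candidate in ("example.com", "example.com; id"):
        print(candidate, "->", "accepted" if validate_hostname(candidate)
              else "rejected")
```

Note that validation alone is not the fix: the argv form is what removes the shell from the picture, and the allow-list is a second layer in case the value is later reused somewhere that does parse it.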

Hacktivists release 2GB of data from the Heritage Foundation

Hacktivist group SiegedSec has released 2GB of data it claims to have stolen from the Heritage Foundation in response to the group’s “Project 2025” initiative, a conservative-backed playbook designed “to lay the groundwork for a White House more friendly to the right” should Donald Trump win the election. According to Heritage, the foundation was not hacked. SiegedSec “stumbled upon a two-year-old archive of The Daily Signal website that was available on a public-facing website owned by a contractor.” The foundation goes on to say that data breach claims are “a false narrative and an exaggeration by a group of criminal trolls trying to get attention.” The posted data includes the “full names, email addresses, passwords, and usernames” of people associated with Heritage. Read more.

Huione Guarantee marketplace is hotbed of cybercrime

Blockchain analytics firm Elliptic has reported that Huione Guarantee, a Chinese-language online marketplace owned by a Cambodian conglomerate, operates as a cybercrime platform. The marketplace is reportedly used heavily to launder money from various online scams, especially pig butchering investment scams. The platform claims no responsibility for what users buy and sell, freeing itself from any need to limit illegal transactions, while offering an escrow system that buyers and sellers can use to trade illicit items. From AI-powered face-swapping software to stolen personal data and “torture and control equipment used in scam compounds,” nothing seems off limits on the marketplace, and its representatives even get in on the action by offering to launder funds for a percentage. Read more.

Ransomware attacks increase despite crackdown

Even with international law enforcement operations disrupting the operations and infrastructure of notorious ransomware groups, data from Symantec indicates an increase of 9% year-on-year in the number of successful ransomware attacks in the first quarter of 2024. Symantec claims it recorded “962 claimed attacks in the first quarter of 2024 — down from the 1190 attacks of the previous three months, but still more than the 886 claimed in the first quarter of 2023.” LockBit, one of several ransomware groups that have been compromised by law enforcement, remains the number one ransomware threat and accounts for 20% of claimed attacks, according to Symantec’s data. Read more.

Evolve Bank & Trust hack exposes 7.6 million customers

In a statement filed with Maine’s attorney general, Evolve Bank & Trust revealed that a data breach at the institution compromised the personal data of at least 7.6 million customers. The damage the breach has caused continues to unfold, and the full set of compromised data types has not been specified. However, the bank has already reported that names, Social Security numbers, bank account details, and contact info were exposed. Evolve’s fintech partners and employees also had their data accessed. The breach resulted from a ransomware attack by LockBit; the bank did not give in to the group’s ransom demands. The full extent of exposed data is currently unknown, as Evolve’s investigation into the attack is ongoing. Read more.

AI-powered Russian bot farm disrupted by US Justice Department

A bot farm distributing Russian propaganda via nearly 1,000 Twitter accounts has been disrupted in an international law enforcement operation led by the US Justice Department. The accounts were reportedly “managed by a deputy editor-in-chief at Russian state-run news organization Russia Today (RT) and a Russian FSB officer” and have been used to spread Russian influence through legitimate-looking social media accounts created by an AI-enabled software called Meliorator. “Russia intended to use this bot farm to disseminate AI-generated foreign disinformation, scaling their work with the assistance of AI to undermine our partners in Ukraine and influence geopolitical narratives favorable to the Russian government,” said FBI Director Christopher Wray. Read more.

Cisco warns of regreSSHion vulnerability in multiple products

Multiple Cisco products are affected by a critical OpenSSH vulnerability called “regreSSHion.” Discovered by researchers at Qualys, the bug impacts 42 products across the following areas: network and content security devices, network management and provisioning, routing and switching, unified computing, video, streaming and transcoding devices, and wireless. A patch has been scheduled for four affected products, with Cisco saying it will continue to monitor the situation and provide updates as they become available. Cisco said it is unaware of any malicious use of the flaw, but successful exploitation of regreSSHion can allow an attacker to execute code remotely and compromise entire systems. Cisco is urging users to stay on top of upcoming updates. Read more.

RansomHub alleges it published Florida Health Department data

The RansomHub hacking group has claimed to have published 100 gigabytes of data from the Florida Department of Health after the department refused to meet its demands. Florida has a general policy of not giving in to ransom demands, in line with CISA guidance and because paying up does not guarantee recovery. The department’s refusal has resulted in RansomHub publishing a link to the data and a description of its origin. The Florida Department of Health has not commented on RansomHub’s post but has acknowledged a “cybersecurity incident.” The US healthcare sector is frequently targeted by bad actors, as the nature of the data collected and the urgency of restoring network functionality create a situation where the hackers have the upper hand. Read more.

New APT group steals Russian government data via cloud services

CloudSorcerer, a new APT group discovered by Kaspersky in May of this year, has been observed abusing cloud services to steal information from Russian government organizations. Kaspersky has not revealed how the hackers gain initial access to a network, but it did say that the group employs custom malware and executes its Windows backdoors manually. The backdoor module can then be used to copy, move, or rename files, create a process as a dedicated user, add new network users or remove existing ones, create new services, and more. Kaspersky researchers designate CloudSorcerer as highly sophisticated due to the malware’s flexibility and adaptability. Read more.

Infostealer malware logs reveal visitors of child abuse sites

Recorded Future has reported that an analysis of information-stealer malware logs available on the dark web reveals thousands of users with links to sites containing child sexual abuse material (CSAM). “Approximately 3,300 unique users were found with accounts on known CSAM sources,” Recorded Future said in its report. “A notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior.” The data has thus far been used to identify three people with accounts on at least four such websites. Stealer logs also contain cryptocurrency information that could be used to determine whether the addresses had been used to purchase CSAM. “Info-stealer logs can be used by investigators and law enforcement partners to track child exploitation on the dark web and provide insight into a part of the dark web that is especially difficult to trace.” Read more.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.