July 22, 2024

Cybersecurity news weekly roundup July 22, 2024

SAN MATEO, CA, July 22, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.

US Postal Service “unaware” it was sharing addresses

TechCrunch found that the US Postal Service was sharing the postal addresses of its online customers with Meta, LinkedIn, and Snap by way of “hidden data-collecting code (also known as tracking pixels) used across its website.” The pixels read personal data that the site had placed in page URLs and forwarded it to the advertising networks. USPS spokesperson Jim McKean said that the organization has taken “immediate action to remediate this issue,” adding that it was “unaware of any configuration of the platform that collected personal information from the URL and that shared it without our knowledge with social media.” Other companies, such as GoodRx and BetterHelp, have come under fire in recent years for the same class of problem, facing millions of dollars in penalties for passing sensitive user information to advertisers via web tracking code. Read more.
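The USPS leak is a reminder that any parameter in a page URL is visible to every third-party tag loaded on that page. The usual fix is to hand third-party tags only an allowlisted view of the URL rather than trying to denylist the parameters that happen to carry personal data. The following Python is an added example written for this roundup, not code from USPS, TechCrunch or any of the vendors named above; the allowlist, the sample URL and the PII patterns it checks for are assumptions for illustration.

```python
"""Scrub a page URL before it is exposed to third-party tracking tags.

Added example, not code from any organisation mentioned in the article.
ALLOWED_PARAMS and the PII patterns are assumptions for illustration.
"""
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Query parameters a marketing tag is allowed to see. An allowlist is used
# deliberately: a denylist fails the moment a developer adds a new parameter
# that happens to carry an address or e-mail.
ALLOWED_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "page"}

# Crude shapes of two common personal-data values (e-mail, US ZIP / ZIP+4).
PII_VALUE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[A-Za-z]{2,}|\b\d{5}(?:-\d{4})?\b")


def scrub_url(url, allowed=frozenset(ALLOWED_PARAMS)):
    """Return (clean_url, dropped_params).

    clean_url keeps only allowlisted query parameters and drops the fragment;
    dropped_params is returned so the caller can log what was removed.
    """
    parts = urlsplit(url)
    kept, dropped = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        (kept if key in allowed else dropped).append((key, value))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return clean, dropped


def leaks_pii(url):
    """True if the URL still carries an e-mail or ZIP-shaped value anywhere,
    path segments included, after percent-decoding."""
    return bool(PII_VALUE.search(unquote(url)))


# Constructed sample URL: a tracking page that puts customer data in the query.
SAMPLE_URL = (
    "https://www.example.com/track?tracking=9400100000000000000000"
    "&email=jane%40example.com&zip=94401&utm_source=news#addr"
)

if __name__ == "__main__":
    clean, dropped = scrub_url(SAMPLE_URL)
    print("expose to tags:", clean)
    print("dropped:", dropped)
    print("raw leaks PII:", leaks_pii(SAMPLE_URL), "| clean leaks PII:", leaks_pii(clean))
```

`leaks_pii` is a backstop check for an audit job, not a substitute for the allowlist: it would miss a street address, which has no reliable regex shape, so the scrub must not depend on it.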

US data breach victim count up 1170% year over year

The number of US data breach victims rose 1170% in the second quarter of 2024 compared with the same quarter of 2023, even as the total number of incidents fell 12%. The figures come from the Identity Theft Resource Center (ITRC), which attributes the increase to a small number of breaches that each affected very large numbers of people. Its data also indicates that “the number of data breach victims in the first six months of 2024 (1,078,989,742) increased 490% compared to the first half of 2023 (182,645,409).” Eva Velasquez, president and CEO of ITRC, said, “The takeaway from this report is simple: Every person, business, institution, and government agency must view data and identity protection with a greater sense of urgency.” Read more.

Crypto exchange WazirX loses $230 million in security breach

A breach at Indian cryptocurrency exchange WazirX has resulted in the theft of more than $230 million in assets, the company has confirmed. “A cyber attack occurred in one of our [multi-signature] wallets involving a loss of funds exceeding $230 million,” the company said. “This wallet was operated utilizing the services of Liminal’s digital asset custody and wallet infrastructure from February 2023.” WazirX says the attack was carried out via a compromised wallet created “outside of the Liminal ecosystem.” Blockchain analytics firm Elliptic says the attack bears the hallmarks of North Korean operations, specifically those attributed to the Lazarus Group. Read more.

CrowdStrike update causes global Windows outages

Airports, TV stations, hospitals, and other organizations worldwide experienced system outages caused by Windows crashes resulting from a faulty content update to the CrowdStrike Falcon sensor. CrowdStrike acknowledged the problem and published an alert stating that the company had “identified a content deployment related to this issue and reverted those changes… Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.” Remediation guidance is available, but affected hosts crash before the reverted content can be fetched, so many have to be recovered by hand. With so many organizations scrambling, flights delayed, and even emergency response services interrupted, the effects of this faulty update are expected to be felt for some time. Read more.

Scattered Spider adds RansomHub and Qilin to its toolbox

Scattered Spider, the threat group behind the 2023 social engineering and ransomware attacks on Caesars Entertainment and MGM Resorts, has added the RansomHub and Qilin ransomware families to its toolbox, according to Microsoft. RansomHub’s ransomware-as-a-service (RaaS) platform is growing in popularity among threat actors, resulting in its wide adoption. Qilin, meanwhile, is “known to have targeted and claimed more than 130 companies, demanding ransoms from as low as $25,000 and well into millions, and is developing a customizable Linux encryptor to target VMware ESXi servers, according to Microsoft.” Adopting these two families shows that Scattered Spider continues to evolve its tactics and pick up whatever tooling keeps its operations effective. Read more.

15 million Trello email addresses leaked to hacker forum

A threat actor has shared a list of 15,115,516 Trello account email addresses on the Breached hacking forum. Posting under the name “emo,” the threat actor claims to have acquired the information “using an unsecured REST API that allowed developers to query for public information about a profile based on users’ Trello ID, username, or email address.” Emo fed a pre-existing list of 500 million email addresses into the API to see which were associated with Trello accounts and combined the matches “with the returned account information to create member profiles for over 15 million users.” The resulting data set includes Trello account information, email addresses, and the full names of the associated users. It can be used to stage phishing campaigns or other attacks against the affected Trello users. Read more.
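An API that answers “does an account exist for this email address?” to unauthenticated callers is an enumeration oracle, and a 404 is as useful to the attacker as a 200 because it lets them discard non-customers. Such abuse is hard to see per request but obvious in aggregate: one client looking up many distinct email-shaped identifiers in a short window. The detector below is an added example written for this roundup, not Trello’s, Atlassian’s or the article’s code; the log format, endpoint path, window and threshold are assumptions.

```python
"""Flag clients that enumerate a profile-lookup endpoint by e-mail address.

Added example, not code from Trello, Atlassian or the original article.
The access-log format, the /1/members/ path and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical access-log line: client IP, ISO timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /1/members/(?P<target>[^ ?"]+)[^"]* HTTP/1\.[01]" (?P<status>\d{3})'
)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample log: 203.0.113.9 works through an address list (note the
# mix of 200 and 404, both of which confirm whether an account exists), while
# 198.51.100.4 makes ordinary lookups. Addresses use reserved example domains.
SAMPLE_LOG = """\
198.51.100.4 [2024-01-15T10:00:01] "GET /1/members/alice_dev?fields=username HTTP/1.1" 200
203.0.113.9 [2024-01-15T10:00:02] "GET /1/members/a@example.com HTTP/1.1" 200
203.0.113.9 [2024-01-15T10:00:02] "GET /1/members/b@example.com HTTP/1.1" 404
203.0.113.9 [2024-01-15T10:00:03] "GET /1/members/c@example.net HTTP/1.1" 200
203.0.113.9 [2024-01-15T10:00:03] "GET /1/members/d@example.org HTTP/1.1" 404
203.0.113.9 [2024-01-15T10:00:04] "GET /1/members/e@example.com HTTP/1.1" 200
203.0.113.9 [2024-01-15T10:00:05] "GET /1/members/f@example.com HTTP/1.1" 404
198.51.100.4 [2024-01-15T10:00:30] "GET /1/members/alice_dev HTTP/1.1" 200
198.51.100.4 [2024-01-15T10:05:00] "GET /1/members/bob@example.com HTTP/1.1" 200
"""


def parse_line(line):
    """Return (ip, timestamp, lookup_target) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["target"]


def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=5):
    """Return {ip: peak} for clients that looked up more than max_distinct
    distinct e-mail addresses within any sliding window of the given length.

    Status codes are ignored on purpose: a 404 leaks as much as a 200.
    """
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and EMAIL_RE.match(parsed[2]):
            per_ip[parsed[0]].append((parsed[1], parsed[2]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            distinct = {target for ts, target in events[i:] if ts - start <= window}
            peak = max(peak, len(distinct))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG.splitlines()))
```

The structural fix is separate from detection: an unauthenticated endpoint should not accept an email address as a lookup key at all, and an authenticated one should be rate-limited per caller. The detector is what tells you the fix is overdue.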

CISA adds critical security flaw to its KEV catalog

CVE-2024-36401 is a critical flaw in OSGeo GeoServer, rooted in its use of the GeoTools library, that has just been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog after the agency collected evidence that it is being exploited in the wild. A recent advisory from the project maintainers says that “multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.” It is not currently known how threat actors are exploiting the flaw. However, GeoServer reports that the issue is “confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.” The bug has been patched and users are urged to update as soon as possible. Read more.
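Because the root cause is property names being evaluated as XPath, the defender’s question while patching is whether any request ever supplied a property name that is not a plain name. A legitimate WFS property name is an identifier, optionally namespace-prefixed, nested with “/” or “@”, and listed with commas; anything with parentheses, quotes or operators deserves a look. The scanner below is an added example written for this roundup, not GeoServer project code or a signature from the advisory. It checks the `propertyName` and `valueReference` GET parameters of WFS requests only; property names in WMS filters and WPS POST bodies, which the advisory also lists, need their own parser. The log format and the sample lines are constructed, and the flagged value is a placeholder, not an exploit payload.

```python
"""Scan GeoServer access-log lines for WFS requests whose property-name
parameters are not plain property names.

Added example, not GeoServer project code. The log format, the parameter set
and the sample lines are assumptions; the flagged value is a placeholder.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# GET parameters that carry property names in WFS GetFeature / GetPropertyValue.
NAME_PARAMS = {"propertyname", "valuereference"}

# One benign property name: [prefix:]ident, optionally nested as /ident or /@attr.
IDENT = r"[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?"
BENIGN_NAME = re.compile(rf"^{IDENT}(?:/@?{IDENT})*$")

# Hypothetical access-log line: client IP, request line, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) "GET (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines; foo(bar) is a placeholder for "not a plain name".
SAMPLE_LOG = """\
198.51.100.4 "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200
203.0.113.9 "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=foo%28bar%29 HTTP/1.1" 200
198.51.100.7 "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states&bbox=-180,-90,180,90&width=256&height=256&srs=EPSG:4326&format=image/png HTTP/1.1" 200
"""


def suspicious_property_names(url):
    """Return [(param, value), ...] for property-name values that are not
    plain names. Percent-encoding is decoded before the check."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() not in NAME_PARAMS:
            continue
        for name in value.split(","):
            name = name.strip()
            if name and not BENIGN_NAME.match(name):
                hits.append((key, name))
    return hits


def scan_log(lines):
    """Return [(ip, hits), ...] for every request line with suspicious names."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        hits = suspicious_property_names(m["url"])
        if hits:
            findings.append((m["ip"], hits))
    return findings


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, hits)
```

Run this against logs going back to before the patch date: a hit does not prove compromise, but a clean result across all request types, including the POST bodies this example does not cover, is what you need before calling an exposed instance unaffected.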

Kaspersky shutting down its US operations

After the Commerce Department’s Bureau of Industry and Security (BIS) barred Kaspersky from selling its software in the US and added the company to its Entity List, and the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Kaspersky executives on June 21, the company has scheduled the shutdown of its US operations for July 20. The restrictions prevent American companies from doing business with Kaspersky, making a US presence “no longer viable.” According to BIS, Kaspersky’s “continued operations in the United States presented a national security risk—due to the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations.” Kaspersky will lay off its US-based workforce, said to number fewer than 50 people. Read more.

AT&T breach exposes phone numbers called and texted

The recent wave of attacks on customer accounts at cloud data platform Snowflake has resulted in criminals making off with roughly six months of call and text records for “nearly all” of AT&T’s customers. According to the company, the compromised data includes “phone numbers that an AT&T mobile phone communicated with, including AT&T landline users. In some cases, the data also contains specific cell site ID numbers linked to these interactions.” AT&T said the stolen data does not include the content or timestamps of calls or texts, Social Security numbers, birth dates, or other personally identifiable information. It also said it does not believe the data has been made public, which is of little consolation given that the criminals who stole it are likely to sell it or use it for scams, pig butchering schemes, and even state-sponsored activity. Cell site IDs can be used to deduce approximate locations, and the phone numbers can be matched to identities and businesses. Read more.

Facebook ads used to spread info-stealer malware

A campaign in which threat actors post ads for Windows desktop themes and popular software is spreading info-stealing malware, according to research from Trustwave. The advertisements, promoting cracked games and applications such as Photoshop and Microsoft Office, come from newly created Facebook pages or hijacked legitimate ones. “The threat actors assume the business identity by renaming the Facebook pages; this allows them to leverage the existing follower base to amplify the reach of their fraudulent advertisement significantly,” reads Trustwave’s report. When a victim follows the link in an ad and clicks the “download” button, they instead receive the SYS01 info-stealer, which quietly harvests data from their computer. Read more.


Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
