SAN MATEO, CA, July 31, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- New SEC rule imposes 4-day deadline for private companies to report cyberattacks
- Metabase BI software found to have major security flaw
- Organizations impacted by MOVEit data breach reach 455
- Nearly 40% of Ubuntu users are vulnerable to newly introduced exploits
- Decoy Dog is a new breed of malware with unique capabilities
- Realst malware targets macOS users to steal crypto
- Flaw in AMD Zen 2 processors can be used to pilfer data and passwords
- Trio of Atlassian RCE bugs allows for complete takeover
- More than 15,000 Citrix servers exposed to zero-day exploit
- CISA tells government agencies to patch Adobe ColdFusion servers
New SEC rule imposes 4-day deadline for private companies to report cyberattacks
The SEC has voted to impose a new deadline for private enterprises to publicly report a cyberattack should they be hacked. “The rules will require companies to determine whether a cyber attack it has suffered will have a material impact on its operations, and then disclose the event within four days of that determination.” The rules, according to SEC Chair Gary Gensler, “will enhance and help standardize disclosures to investors with regard to these public company cybersecurity practices.” The SEC says the new rules will make disclosures “more consistent” and “comparable.” The 4-day deadline is set to become effective 30 days after the new rules are published in the Federal Register. Read more.
Metabase BI software found to have major security flaw
Business intelligence and data visualization software Metabase has been found to have an “extremely severe” security flaw that could allow an attacker to execute remote code. The bug affects “open-source editions before 0.46.6.1 and Metabase Enterprise versions before 184.108.40.206.” The exploit has yet to be observed in the wild, but data reported by Shadowserver Foundation reveals that 5,488 of the total 6,936 Metabase instances are at risk. Users are urged to update to the most recent version immediately. Read more.
Organizations impacted by MOVEit data breach reach 455
Clop’s attack on MOVEit continues to make waves, as the list of organizations impacted by the breach has reached 455. Newly reported victims include healthcare risk adjustment firm Cognisight, Pacific Premier Bank, Northwestern Mutual, Transactions Applications Group, Sutter Senior Care, the Brighthouse and TransAmerica life insurance companies, and the U.S. colleges of Collin, Foothill and Lake Forest. According to security firm Emsisoft, at least 23 million individuals have had their personal data stolen up to this point and held for ransom. Read more.
Nearly 40% of Ubuntu users are vulnerable to newly introduced exploits
Ubuntu, one of the most commonly used Linux distributions, has two new vulnerabilities allowing unprivileged local users to “gain elevated privileges on a massive number of devices.” The flaws are “unique to Ubuntu kernels since they stemmed from Ubuntu’s changes to the OverlayFS module,” warned the Wiz researchers who discovered the bugs. Only Ubuntu is affected by these flaws. Other Linux distributions, even Ubuntu forks, “not using custom modifications of the OverlayFS module should be safe.” Read more.
Decoy Dog is a new breed of malware with unique capabilities
Decoy Dog is a newly discovered piece of malware that displays a significant upgrade over the Pupy RAT it is based on. It possesses previously unknown capabilities, including transferring victims to another controller. This allows for communication with compromised machines for extended periods, with some victims having been in contact with Decoy Dog servers for over a year. The malware uses the domain name system (DNS) for command-and-control purposes, and its controllers have adapted their tactics to maintain access to existing victims. The origin of Decoy Dog is uncertain, but it is suspected to be operated by nation-state hackers. Read more.
Realst malware targets macOS users to steal crypto
Apple users are again in the crosshairs, as a new malware called “Realst” has been discovered targeting macOS. The malware’s latest variants are compatible with macOS 14 Sonoma, which Apple is still developing. The campaign targets victims by posing as “fake blockchain games using names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolution, Pearl, Olymp of Reptiles, and SaintLegend.” Promoted on social media, the threat actors share game “access codes” via direct message, but only after screening victims to ensure they aren’t security researchers or others who may be privy to their scam. Sixteen variants of Realst have thus far been discovered. Read more.
Flaw in AMD Zen 2 processors can be used to pilfer data and passwords
AMD’s Zen 2 processors have been found to have a security vulnerability that threat actors can exploit to steal encryption keys and passwords. The flaw, codenamed “Zenbleed,” arises because, as AMD explains, “under specific microarchitectural circumstances, a register in ‘Zen 2’ CPUs may not be written to 0 correctly.” The company’s advisory says this “may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.” This exploit has not been witnessed in the wild at the time of this writing. Read more.
Trio of Atlassian RCE bugs allows for complete takeover
Atlassian is warning that three bugs can be exploited to allow threat actors to take over its instances. The company says the “successful exploitation of any of the flaws” affecting Atlassian Confluence Data Center & Server and Bamboo “could offer a wide-open door into users’ cloud infrastructure, software supply chain, and more.” CISA is encouraging all users of Atlassian’s products to install updates immediately to protect their systems and data from exposure, theft, and takeover. Read more.
More than 15,000 Citrix servers exposed to zero-day exploit
Findings from the Shadowserver Foundation have revealed that more than 15,000 Citrix servers are vulnerable to a zero-day exploit that impacts NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). The CVE-2023-3519 bug is a “code injection that could result in unauthenticated remote code execution” and has a CVSS score of 9.8. CISA has reported that threat actors exploit the bug to “drop web shells on vulnerable systems.” The attacks have not been attributed to a specific threat actor. Read more.
CISA tells government agencies to patch Adobe ColdFusion servers
CISA has given US government agencies three weeks to patch a pair of bugs in Adobe ColdFusion servers, one of which is a zero-day flaw. Adobe issued a patch that addressed the two flaws earlier in the month, but researchers at Rapid7 found that the security update was “incomplete,” as one of the two flaws could still be exploited via a minor tweak to the already discovered bug. While CISA’s warning is directed at government agencies, private organizations are strongly encouraged to update immediately. Read more.