June 24, 2024

Cybersecurity news weekly roundup June 24, 2024

SAN MATEO, CA, June 24, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Hacker claims to have breached AMD and Apple

Threat actor IntelBroker claims to have breached AMD and Apple and to be in possession of “source code for internal tools, employees’ personally identifiable information (PII), and more.” The hacker posted news of the AMD breach on June 17 and the Apple breach on June 18 on BreachForums, saying they are “releasing the source code to three of Apple’s commonly used tools for their internal site.” IntelBroker has been a prolific threat actor, previously taking credit for breaching DC Health Link and General Electric, the latter of which allowed them to steal “DARPA-related military information.” AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin are the Apple tools affected. IntelBroker also says they are selling data on “products, spec sheets, employee databases, customer databases, property files, ROMs, source code, firmware, and finances” from their hack of AMD. Read more.

Research company exploits Kraken flaw then reports it

Nick Percoco, the Chief Security Officer for the Kraken crypto exchange, revealed that the platform was breached and $3 million in digital assets minted and taken. In a strange twist, the perpetrator of the theft appears to be a security researcher who discovered a zero-day flaw in Kraken’s funding system and leveraged it to credit their own account. Kraken has accused the individual and CertiK, the security firm they work for, of criminal extortion. CertiK says that the withdrawals were “minted out of [thin] air, and no real Kraken user’s assets were directly involved in our research activities.” They further assert that “the real question should be why Kraken’s in-depth defense system failed to detect so many test transactions. Continuous large withdrawals from different testing accounts was a part of our testing.” The company goes on to say that Kraken has threatened its employees, demanding that they repay a “mismatched amount of crypto in an unreasonable time even without providing repayment addresses.” Kraken CSO Nick Percoco stated that the funds had been returned to the company minus fees. Read more.

Amtrak Guest Rewards accounts breached

In a filing with the state of Massachusetts, Amtrak disclosed that it experienced a data breach affecting travelers’ Guest Rewards accounts between May 15 and May 18. It determined that usernames and passwords compromised in previous breaches were likely used to access customer accounts (a credential-stuffing attack) and that Amtrak’s own systems were not hacked or affected. Data exposed in the breach includes “name, contact information, Amtrak Guest Rewards account number, date of birth, payment details, gift card information, and/or information about your transactions and trips.” Travel reward accounts are prime targets for hackers, as personal information can be posted on the dark web or used to purchase tickets to resell. The company did not disclose how many accounts were affected by the intrusion and recommended that all travelers enable multi-factor authentication and change their passwords. Read more.

Chinese threat actor engages in long-term espionage

UNC3886, a China-nexus cyber espionage actor, uses zero-day flaws and layered persistence mechanisms for long-term espionage. UNC3886 is described as “sophisticated, cautious, and evasive” and has been observed “utilizing multiple persistence mechanisms to maintain unfettered access to compromised environments,” according to a report from Mandiant. “Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated,” Mandiant warns. UNC3886’s tactics see the actor digging deep into government and business networks and evading security software in order to spy on them undetected. The group’s victims are spread throughout North America, Southeast Asia, Europe, Africa, and other parts of Asia and span the government, telecom, aerospace and defense, energy, and utility sectors. Read more.

Security bug allows spoofing of Microsoft employee emails

Security researcher Vsevolod Kokorin has discovered a flaw that allows anyone to impersonate Microsoft corporate email accounts. The researcher shared their findings on X but did not disclose how it is done, in order to prevent criminals from exploiting it to create convincing phishing attempts. “Microsoft just said they couldn’t reproduce it without providing any details,” Kokorin told TechCrunch in an online chat. “Microsoft might have noticed my tweet because a few hours ago they reopen [sic] one of my reports that I had submitted several months ago.” Microsoft has been in the hot seat lately, with President Brad Smith testifying at a House hearing prompted by multiple security issues in the company’s products that called into question its dedication and ability to protect its users’ data from hackers. Read more.

ASUS patches critical flaw that affects routers

ASUS has issued patches for a critical flaw that could be exploited to allow threat actors to bypass authentication. CVE-2024-3080 carries a CVSS score of 9.8. A second flaw, CVE-2024-3079, has a CVSS score of 7.2 and “could be weaponized by remote attackers with administrative privileges to execute arbitrary commands on the device.” A possible means of attack could see a threat actor chaining both flaws together “in order to sidestep authentication and execute malicious code on susceptible devices.” The flaw affects seven ASUS router models. The patch follows a previous update that fixed a vulnerability that could “permit an unauthenticated remote attacker to upload arbitrary files and execute system commands on the device.” Read more.

VMware discloses critical vulnerabilities

VMware vSphere and VMware Cloud Foundation users are urged to update their products immediately to patch three critical vulnerabilities in VMware vCenter Server. CVE-2024-37079 and CVE-2024-37080 “relate to multiple heap-overflow vulnerabilities in implementing the DCERPC protocol. A malicious actor with network access to the vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet” and achieve remote code execution. CVE-2024-37081 “relates to multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance.” The company is not aware of these bugs being exploited in the wild but is telling users to take action immediately because of their severity. Read more.

Australia’s Medibank ransomware attack due to negligence

In yet another case of corporate mishandling, Australia’s Office of the Australian Information Commissioner (OAIC) has issued a damaging report on Medibank that not only puts the blame squarely on the organization for a major ransomware attack but also alleges that the company did not respond to alerts about suspicious network activity for two months. The report states that a Medibank contractor used his personal browser profile on a work computer and saved his credentials, which were then synced to his home computer. When his home computer became infected with information-stealing malware, his saved passwords were stolen and used to access a Medibank admin account and the company’s Palo Alto Networks GlobalProtect Virtual Private Network (VPN) implementation, which did not have multi-factor authentication enforced. The threat actor was able to steal customer data belonging to more than 9 million people and, according to the report, Medibank did not properly react to August 24-25 warnings from the company’s EDR software until mid-October. Read more.

Scattered Spider cybercrime group member arrested

A 22-year-old man from the UK was arrested in the Spanish city of Palma de Mallorca for his alleged involvement with the notorious Scattered Spider cybercrime group. Caught as he attempted to board a flight to Italy, the man is said to be a SIM swapper “associated with several other high-profile ransomware attacks performed by Scattered Spider.” Security journalist Brian Krebs says that the individual is believed to be from Scotland and named Tyler Buchanan. Scattered Spider has been responsible for a range of cybercrimes, from social engineering campaigns and SIM swapping to ransomware. The law enforcement operation, believed to have been orchestrated through cooperation between the FBI and the Spanish police, is the latest in a series of high-profile arrests of individuals associated with criminal hackers and ransomware gangs. Read more.

Los Angeles Public Health Department discloses major breach

More than 200,000 people have had personal, medical, and financial data stolen in a Los Angeles County Department of Public Health (DPH) breach. The breach occurred in February of 2024 and was successful due to an attacker “gaining the log-in credentials of 53 Public Health employees through a phishing email.” Sensitive prescription information, health insurance information, and Social Security numbers belonging to those affected may have been exposed. After identifying the attack, the DPH stated that “numerous enhancements” to its security protocols have been implemented to help prevent future phishing attacks. Affected individuals may take advantage of a free year of identity monitoring. Read more.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.