SAN MATEO, CA, May 20, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
Market forces do not incentivize cybersecurity
In a keynote address at the CyberUK 2024 conference in Birmingham, National Cyber Security Centre (NCSC) CTO Ollie Whitehouse said that current market forces cause companies to prioritize cost and profit over building resilient cyber protections into their products. He characterized this economic environment as the “enemy of cybersecurity” and warned that known vulnerabilities in security products are a serious threat as adversaries continue to stockpile them. In his address, Whitehouse said the cyber community needs to address three main questions: “First, what do we want to achieve with cyber resilient technology in the next ten years? Second, how do we get there in an evidence-based way? Finally, how do we drive market incentives to achieve that aim?” Read more.
Apple blocks $7 billion in fraudulent App Store purchases
In Apple’s annual fraud prevention analysis, the company says it has blocked over $7 billion in fraudulent transactions on its App Store over the last four years and detected and blocked over 14 million stolen credit cards from 2020 through 2023. The data shows that Apple banned over 1.1 million accounts from making future transactions after determining that they were engaging in fraudulent activity. Additionally, Apple rejected more than 1.7 million app submissions that it says did not meet its security standards for reasons that include spam, privacy violations, copycat apps, bait-and-switch tactics, and more. Of the 1.1 billion app reviews submitted to the store in 2023, 152 million were deemed fake and removed. Read more.
Malware delivered via Facebook Messenger
North Korean hackers associated with Kimsuky are engaging in a social engineering campaign that uses fake Facebook accounts to target activists in the North Korean human rights and anti-North Korea sectors. The threat actors create accounts that purport to be public officials and then use Messenger to reach out to their targets and trick them into opening documents that contain malware capable of exfiltrating sensitive information. According to researchers at Genians, Kimsuky is using unusual file types such as MSC to avoid tripping any alarms during the attack and further disguising them as harmless Word documents. The company says, “Due to their one-on-one, personalized nature, they [attacks] are not easily detected by security monitoring and are rarely reported externally, even if the victim is aware of them. Therefore, it is very important to detect these personalized threats at an early stage.” Read more.
FBI takes over BreachForums for the second time
The FBI, working with a coalition of international law enforcement entities, has seized BreachForums. This is the second time the popular cybercrime forum has been taken over and its administrator arrested; after the first seizure, the site was re-established by a new threat actor. This time, authorities also took over the forum’s Telegram channel and a channel belonging to one of the site’s owners. Both Telegram channels and the BreachForums website display an image declaring that the infrastructure is now “Under the control of the FBI,” with additional text encouraging anyone with information about the activity on the forum to reach out to the agency directly. Read more.
Microsoft fixes VPN failures resulting from recent update
Microsoft says it has fixed an issue in April 2024’s Windows security updates that broke VPN connections across client and server platforms. The cause was not initially described, with Microsoft advising home users to “Use the Windows Get Help app” and small business and large enterprise customers to “reach out via the dedicated ‘Support for Business’ portal if they need support.” The problem has since been remedied in the Windows cumulative updates released on May’s Patch Tuesday. Other fixed bugs include “a known issue causing domain controller reboots and NTLM authentication failures after installing last month’s Windows Server security updates and a zero-day bug actively exploited to deliver QakBot and other malware [to] unpatched Windows systems.” Read more.
Botnet compromised 400,000 Linux servers
Ebury, a botnet active since 2009, has compromised 400,000 Linux servers in its lifetime, with 100,000 still affected as of late 2023, according to a report from Slovak cybersecurity firm ESET. The company has described Ebury as one of the most sophisticated server-side malware campaigns designed for financial gain, stating that “[the] operators are also involved in cryptocurrency heists by using AitM and credit card stealing via network traffic eavesdropping, commonly known as server-side web skimming.” ESET’s research has revealed that Ebury attackers deliver the malware via “SSH credentials, credential stuffing, infiltrating hosting provider infrastructure, exploitation of flaws in Control Web Panel (e.g., CVE-2021-45467), and SSH adversary-in-the-middle (AitM) attacks.” Read more.
CISOs are not taken seriously by business leaders
Research from Trend Micro indicates that a third of chief information security officers (CISOs) are “routinely belittled and dismissed” by their board, with 79% of those interviewed saying that they felt pressured to downplay the severity of their company’s cyber risks. Some 34% of interviewees said that cybersecurity is still perceived as an IT issue rather than a business risk, and 80% of respondents said that leadership would only be willing to act decisively on business risk if a breach took place. An estimated loss of £150,000 is the threshold that may encourage C-suite executives to take the matter seriously. On a more positive note, 43% of respondents report being given more budget, and 41% say they are involved in senior decision-making. Read more.
Cacti flaws patched
The Cacti open-source network monitoring and fault management framework has recently been updated to address several security flaws, two of which could allow threat actors to execute arbitrary code. CVE-2024-25641, which has received a CVSS score of 9.1, is an “arbitrary file write vulnerability in the ‘Package Import’ feature that allows authenticated users having the ‘Import Templates’ permission to execute arbitrary PHP code on the web server, resulting in remote code execution.” CVE-2024-29895, which has received the maximum CVSS rating of 10.0, is a “command injection vulnerability [that] allows any unauthenticated user to execute arbitrary command on the server when the ‘register_argc_argv’ option of PHP is On.” Read more.
49 million customer records stolen in Dell data breach
A data breach affecting Dell allowed a threat actor to scrape 49 million customer records after registering as a fake partner company and querying a partner API, according to the hacker. The information accessed in the breach includes customer order data, warranty details, service tags, customer names, order numbers, and installed locations. The threat actor, Menelik, told BleepingComputer how they pulled it off by registering fake company names: “It is very easy to register as a Partner. You just fill an application form … I just created my own accounts in this way. Whole process takes 24-48 hours.” Menelik says they contacted Dell to report the flaw but received no response. The bug was fixed two weeks later, and according to the company, “Dell was already aware of and investigating the incident, implementing our response procedures and taking containment steps.” Read more.
Advisory issued about Black Basta ransomware
Since emerging in April of 2022, the Black Basta ransomware-as-a-service operation has set its sights on over 500 entities in both the private and critical infrastructure sectors. CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory in response to Black Basta’s activities, stating that “Black Basta affiliates use common initial access techniques — such as phishing and exploiting known vulnerabilities — and then employ a double-extortion model, both encrypting systems and exfiltrating data.” Unique to Black Basta, victims are not given an initial ransom demand or payment instructions but a code and instructions for contacting the group through a .onion URL. “Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” the advisory reads. Read more.