This Month in Cybersecurity - October Edition

Jetpack Plugin Patches Flaw Affecting 27 Million Sites

The Jetpack WordPress plugin, used on millions of sites, has released a critical security update to fix a vulnerability that allowed logged-in users to view others' submitted forms. This issue was discovered during an internal audit and has existed since 2016. Jetpack, part of Automattic, collaborated with the WordPress.org Security Team to ensure that users receive the update automatically, addressing the flaw in numerous versions of the plugin.

In related news, a dispute has emerged between WordPress founder Matt Mullenweg and WP Engine regarding the security of the Advanced Custom Fields (ACF) plugin. WordPress has taken control of ACF to create a fork called Secure Custom Fields, which has been updated to fix a security issue. While WP Engine disputes the manner of this takeover, WordPress emphasizes its responsibility to ensure the safety of its plugins and users.


CISA Adds New Vulnerabilities to the KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Notably, a severe flaw (CVE-2024-23113) in Fortinet's products allows attackers to execute unauthorized commands through specially crafted packets, with a high severity score of 9.8. Additionally, Ivanti's Cloud Service Appliance has been flagged for two vulnerabilities (CVE-2024-9379 and CVE-2024-9380), an SQL injection flaw and a command injection flaw scoring 6.5 and 7.2, respectively.

Ivanti recently reported that these vulnerabilities, particularly when combined with a previously addressed zero-day vulnerability (CVE-2024-8963), are being actively exploited in real-world attacks. The company confirmed that some customers using outdated versions of its software have already been targeted by these exploits. They emphasized that no other Ivanti products are affected by these vulnerabilities.

CISA has mandated that federal agencies must address these vulnerabilities by October 30, 2024, to secure their networks against potential attacks. Experts also advise private organizations to review the KEV catalog and take necessary actions to protect their systems from these identified vulnerabilities.
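As an added example (not from the newsletter or from CISA's own tooling), the script below cross-references a hypothetical asset inventory against a KEV-style feed and reports, per CVE, which hosts are affected and how many days remain before the due date. The feed snippet is constructed to mirror the field names of the published KEV JSON, the hostnames and the "Multiple Products" wildcard handling are assumptions, and only the CVE ids and the October 30, 2024 due date come from the text above.

```python
"""Check an asset inventory against a KEV-style feed and flag overdue items."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON (field names assumed from
# the published feed). The CVE ids and the 2024-10-30 due date are the ones the
# article reports; everything else is a placeholder.
KEV_FEED_JSON = """
{"title": "constructed sample", "count": 3, "vulnerabilities": [
  {"cveID": "CVE-2024-23113", "vendorProject": "Fortinet",
   "product": "Multiple Products", "dueDate": "2024-10-30"},
  {"cveID": "CVE-2024-9379", "vendorProject": "Ivanti",
   "product": "Cloud Service Appliance", "dueDate": "2024-10-30"},
  {"cveID": "CVE-2024-9380", "vendorProject": "Ivanti",
   "product": "Cloud Service Appliance", "dueDate": "2024-10-30"}
]}
"""

# Hypothetical inventory: hostname -> (vendor, product) as the org records it.
INVENTORY = {
    "fw-edge-01": ("Fortinet", "FortiOS"),
    "csa-01": ("Ivanti", "Cloud Service Appliance"),
    "web-01": ("Apache", "HTTP Server"),
}

def load_kev(feed_json: str) -> list[dict]:
    """Parse the feed and return its vulnerability entries."""
    return json.loads(feed_json)["vulnerabilities"]

def matches_asset(entry: dict, vendor: str, product: str) -> bool:
    """True if a KEV entry applies to an inventory asset: the vendor must match
    (case-insensitive); a KEV product of "Multiple Products" is treated as a
    wildcard for that vendor (assumption), else either product string may
    contain the other."""
    if entry["vendorProject"].lower() != vendor.lower():
        return False
    kev_product, asset_product = entry["product"].lower(), product.lower()
    return (kev_product == "multiple products"
            or kev_product in asset_product or asset_product in kev_product)

def kev_exposure(entries: list[dict], inventory: dict, today: str) -> dict:
    """Map each matching cveID to (sorted hostnames, days until its due date).
    `today` is an ISO date; a negative day count means the due date has passed."""
    today_d = date.fromisoformat(today)
    report = {}
    for entry in entries:
        hosts = sorted(h for h, (v, p) in inventory.items()
                       if matches_asset(entry, v, p))
        if hosts:
            due = date.fromisoformat(entry["dueDate"])
            report[entry["cveID"]] = (hosts, (due - today_d).days)
    return report

def overdue(report: dict) -> list[str]:
    """cveIDs whose due date has passed, most overdue first."""
    return sorted((c for c, (_, d) in report.items() if d < 0),
                  key=lambda c: report[c][1])

if __name__ == "__main__":
    rep = kev_exposure(load_kev(KEV_FEED_JSON), INVENTORY, "2024-11-05")
    for cve, (hosts, days) in rep.items():
        print(f"{cve}: {', '.join(hosts)} ({days} days to due date)")
    print("overdue:", overdue(rep))
```

Pointing `load_kev` at the real feed and `INVENTORY` at an export from your CMDB turns this into a recurring check that surfaces KEV entries before their due date lapses.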


The Internet Archive Experiences DDoS Attack

The Internet Archive has partially restored its services after facing a DDoS attack on October 9, followed by a data breach that exposed users' information. For several days, the site struggled to load properly, showing a basic page instead of its usual content. As of October 14, the Archive's digital librarian, Brewster Kahle, announced that the Wayback Machine service, which preserves web pages, was functioning again, although other features were still being gradually restored.

Experts from Netscout analyzed the DDoS attack, which lasted about three hours and directed significant traffic toward the Archive's servers. They noted that the attack likely originated from a modern variant of Mirai malware, which turns devices into a botnet, with most of the traffic coming from devices in Korea, China, and Brazil. While the Archive has been busy getting back online, many users whose data was compromised are eagerly awaiting more information about the incident and how the organization plans to enhance security in the future.

 

Defensible Strategies

Learn from those who have been attacked

Cisco Investigates Breach After Stolen Data Surfaces

Cisco is currently investigating claims of a data breach after a hacker known as "IntelBroker" announced on a hacking forum that he, along with two associates, accessed and stole a significant amount of developer data from the company. Cisco has confirmed awareness of these allegations and is actively assessing the situation. The stolen data reportedly includes sensitive materials such as source code, project files, customer documents, and various credentials.

The hacker claims to have stolen this information on October 6, 2024, and has shared samples of the alleged data, including databases and customer management screenshots. While the full extent of the breach is still under investigation, it's noteworthy that IntelBroker has previously leaked data from other major companies, raising concerns about the security of third-party vendors connected to these firms. Cisco has not yet confirmed if this incident is related to earlier breaches involving other companies.


Gryphon Healthcare Discloses Breach that Exposed 400,000 Individuals

Gryphon Healthcare, a Houston-based company that provides services to healthcare organizations, has reported a significant data breach that may have exposed the personal information of up to 400,000 individuals. The compromised data could include sensitive details such as patients' names, Social Security numbers, and medical information, like treatment histories and insurance details. Gryphon stated that they take the security of this information very seriously and have begun offering affected individuals credit monitoring and identity protection services.

The breach was detected on August 13, with Gryphon finishing its review of the affected data by September 3, while unauthorized access reportedly began on July 6. The company has implemented measures to improve security following the incident but has not disclosed specific details about how the breach occurred. Legal action is already in motion, as a law firm is seeking to represent victims of the breach in a proposed class-action lawsuit.

Data breaches in the healthcare sector often lead to legal repercussions, as seen in previous cases where companies faced numerous lawsuits after their data was compromised. For example, Med-Data settled a similar case for $7 million earlier this year, while another company faced a $65 million settlement following a significant breach. The healthcare industry remains vulnerable to such incidents, emphasizing the importance of protecting patient information.

This Month in Cybersecurity - September Edition

Windows Vulnerability Exploited as Zero-Day

Microsoft has recently highlighted a significant security vulnerability in Windows, known as CVE-2024-43461, which affects the retired Internet Explorer browser. Although Internet Explorer is no longer actively used, the underlying platform it utilized remains part of Windows and can still pose risks. This vulnerability allows attackers to run malicious code if a user inadvertently visits a harmful webpage or opens a tainted file. The flaw, which can mislead users about the true nature of a downloaded file, was exploited in the wild prior to its patching in September 2024.

The issue was reported by Trend Micro’s Zero Day Initiative, which explained that the vulnerability tricks users by concealing the actual file extension, making a harmful file seem harmless. Microsoft has linked this flaw to a previous vulnerability, CVE-2024-38112, which was exploited in attacks by a sophisticated group known as Void Banshee.

To safeguard against these threats, Microsoft advises users to ensure they have installed both the July and September 2024 security updates, as these patches address the vulnerabilities and help protect against potential exploits.


WhatsApp View Once Fix Fails in One Week

Meta's attempt to secure WhatsApp's "View Once" feature, which allows users to send photos, videos, and voice recordings that disappear after being viewed, has been quickly undermined by white-hat hackers. Originally introduced in August 2021 as a privacy measure, the feature was intended to prevent recipients from saving or sharing content. However, hackers from the crypto wallet startup Zengo discovered a way to recover these supposedly self-destructing messages, leading to a public disclosure of the flaw after Meta failed to respond to their earlier reports through its bug bounty program.

In response to the disclosure, WhatsApp modified its code to make the vulnerability harder to exploit, which initially appeared successful as some users reported their content-saving extensions no longer worked. However, Zengo's co-founder noted that the core issue remains unresolved: View Once messages are still sent to servers that can access them, which allows the exploits to continue.

Although Meta has indicated that a more comprehensive solution is in progress, the vulnerability persists, raising concerns about the effectiveness of the current measures and the company's communication with those who reported the issue.


Spyware Case Dropped Against NSO by Apple

Apple has decided to voluntarily dismiss its lawsuit against NSO Group, a company that creates commercial spyware, due to concerns about exposing sensitive security information. Originally filed in November 2021, the lawsuit aimed to hold NSO accountable for using its Pegasus tool to target users illegally.

Apple noted that while its efforts and those of others have weakened NSO, the emergence of new malicious actors in the spyware industry poses additional risks. The company believes that continuing the lawsuit could jeopardize vital intelligence that helps protect users from such threats.

The decision to withdraw the lawsuit reflects broader changes in the spyware landscape, with various new companies emerging and existing ones adapting to avoid detection. For example, NSO Group has faced challenges from both Apple and other organizations, yet the spyware market continues to evolve, complicating efforts to combat it.

Apple remains committed to fighting against spyware, but it recognizes the potential risks involved in the legal process, which could inadvertently reveal valuable information to malicious actors.

 

Defensible Strategies

Learn from those who have been attacked

Access Sports Data Breach Impacts 88,000

Access Sports Medicine & Orthopaedics is notifying over 88,000 individuals that their personal and health information has been compromised following a cyberattack. The New Hampshire-based organization detected suspicious activity on its network on May 10, 2024, leading to an investigation that revealed unauthorized access to files containing sensitive data. The attack was attributed to a ransomware group known as Inc Ransom, which has targeted various sectors, including healthcare, and is known for encrypting data and stealing valuable information to extort ransom payments.

The breach has exposed a range of personal information, including names, Social Security numbers, dates of birth, financial details, and medical records. Although Access Sports has stated that there is currently no evidence of misuse of this information, they are offering fraud protection services to those affected. The situation is concerning, as Inc Ransom has claimed responsibility for the attack and has leaked significant amounts of data, including contracts and confidential documents, further complicating the issue for the affected individuals.


Class-Action Breach Suit Settled by 23andMe

Genetic testing company 23andMe has agreed to pay $30 million to settle a class action lawsuit related to a significant data breach that occurred in 2023. The breach affected about 6.4 million customers in the U.S., with hackers stealing sensitive data that was later found for sale on the dark web.

As part of the settlement, 23andMe will provide three years of privacy and medical monitoring services to those impacted. The breach specifically targeted Ashkenazi Jewish and Chinese customers, with the attacker gaining access to the company's systems for five months before the issue was discovered.

The settlement reflects 23andMe's challenging financial situation, exacerbated by the breach and ongoing litigation. The company has seen its stock value plummet and reported substantial losses, including a 34% drop in revenue year-over-year and a $69 million loss in a recent quarter. Despite these financial strains, 23andMe expects that around $25 million of the settlement will be covered by insurance, helping to mitigate the impact on its reserves.

This Month in Cybersecurity - August Edition

Bugs Found in OpenVPN by Microsoft

Microsoft recently discovered four security flaws in OpenVPN, a popular tool used for creating secure virtual private network (VPN) connections. These flaws could be combined to allow hackers to take full control of a targeted computer, leading to serious risks like data breaches and unauthorized access to sensitive information.

The vulnerabilities affect all versions of OpenVPN before 2.6.10 and 2.5.10, and exploiting them requires user credentials and a deep understanding of how OpenVPN works. Attackers could use stolen credentials or other methods to exploit these flaws, potentially bypassing security measures and compromising critical system functions.

As of now, the only way to avoid these vulnerabilities is to make sure that the version of OpenVPN in use is the most recent, up-to-date build. This is a good example of why security patches and software updates should be treated as a high-priority task.


Senators Introduce Bill to Tighten Vulnerability Disclosure

US Senators Mark Warner and James Lankford have introduced a bipartisan bill to improve cybersecurity for federal contractors. The proposed Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 would require these contractors to follow specific guidelines from the National Institute of Standards and Technology (NIST) for handling and disclosing software vulnerabilities.

This legislation aims to ensure that contractors implement formal vulnerability disclosure policies, allowing researchers to report and address security issues before they can be exploited. By mandating these practices, the bill seeks to enhance the protection of critical infrastructure and sensitive data from cyberattacks.


Phishing Evolves in the Age of AI

Since late 2022, generative AI has significantly impacted cybersecurity, with cybercriminals leveraging these technologies to enhance their attacks. In 2023, over $1.1 billion was paid in ransomware payments, and AI's role in making attacks more efficient and sophisticated has raised concerns among business leaders and cybersecurity experts.

AI tools are improving phishing tactics, automating attacks, and evading traditional security measures. To combat these threats, businesses need to focus on continuous, engaging employee training and simulations, along with adopting advanced security technologies. Building a strong cybersecurity culture requires everyone in the organization to understand the evolving risks and stay vigilant against increasingly sophisticated threats.

If you are interested in training on spotting phishing attempts, please reach out to Cyber Defense to learn more!

 

Defensible Strategies

Learn from those who have been attacked

Record Ransom Payments Made to Ransomware Group

Recently, the ransomware group Dark Angels made headlines by receiving an unprecedented $75 million ransom payment from a major Fortune 50 company. Dark Angels, a low-profile group active since 2021, has gained notoriety for their massive data thefts rather than for disrupting operations. Unlike many ransomware gangs that aim to cause high-profile disruptions, Dark Angels focuses on stealing large volumes of data while keeping a low profile, avoiding the flashy tactics and public shaming sites common among their peers.

Ranked as a top ransomware threat for 2024 by security firm Zscaler ThreatLabz, Dark Angels stands out for their methodical approach and the sheer scale of data they exfiltrate, often ranging from 10 to 100 terabytes. Their recent victims include major companies like Sysco and Sabre.

The identity of the company that paid the record ransom is speculated to be Cencora, a pharmaceutical giant, though they have not confirmed the payment. This significant ransom reflects a broader trend, as reported by Sophos, where the average ransom payment has surged dramatically, with many payments now funded through a combination of organizational resources and insurance.


East Valley Institute of Technology Data Breach Affects over 200,000

The East Valley Institute of Technology (EVIT) has notified over 200,000 people that their personal and health information was compromised in a data breach that occurred on January 9. The breach exposed a wide range of sensitive data, including names, Social Security numbers, medical records, and biometric information.

The ransomware group LockBit claimed responsibility for the attack, though it's unclear if the stolen data was published online as their website was taken down. EVIT has since taken steps to secure their systems, report the incident, and is offering affected individuals one year of free identity protection and theft recovery services.

This Month in Cybersecurity - July Edition

Microsoft Connects Scattered Spider to Qilin Ransomware

Microsoft has reported that the Scattered Spider cybercrime gang has started using a new type of ransomware called Qilin in their attacks. This group, also known as Octo Tempest, gained attention for targeting over 130 major companies, including Microsoft and AT&T.

The group employs various tactics to access networks, such as impersonating IT staff and using phishing techniques that both the FBI and CISA have warned against. Qilin, the new ransomware being used by Scattered Spider, has been noted for its advanced capabilities, especially in targeting the VMware systems used by businesses. The group uses Qilin to infiltrate a company's network and extract data; Scattered Spider then uses this stolen data as leverage for a ransom demand.


UK Regulator Receives Complaint About Meta's AI Data Policies

The UK-based Open Rights Group (ORG) has filed a complaint against Meta for changing its privacy policy, which allows the company to use user data to develop AI models. Meta informed Facebook and Instagram users about this policy change, citing "legitimate interests" as the legal basis for using personal information. This complaint follows a similar action in the EU, where Meta paused its plans to train AI on EU user data after regulatory concerns.

ORG has argued that Meta's approach violates UK data protection laws and emphasizes that users should give clear consent, rather than merely having the option to opt out. ORG has also argued that although Meta tells users they have the right to object, it has not committed to honoring those objections. The group has urged the UK's Information Commissioner's Office (ICO) to investigate and stop these practices.


Squarespace Migrations Become Target for Exploitation

Last week, several cryptocurrency platforms faced major issues after hackers gained access to their domain names registered with Squarespace. The attacks began on July 9, exploiting a flaw in Squarespace’s migration process for around 10 million domains acquired from Google Domains.

Hackers were able to create accounts using email addresses linked to the domains without proper validation, allowing them to take control and modify Domain Name System (DNS) records. This led to DNS hijacking, the practice of changing the registered information for a domain to redirect visitors to potentially harmful sites.

Although the affected platforms have since regained control and no further malicious activity has been reported, Squarespace has tightened its security measures and users are urged to enable two-factor authentication and check their account settings.

 

Defensible Strategies

Learn from those who have been attacked

AT&T Data Breach Affects Nearly All Customers

AT&T has revealed a data breach that exposed phone call and text message records for about 110 million customers, affecting nearly all of its users. The breach occurred in April when hackers accessed a cloud database protected only by a username and password, lacking multi-factor authentication.

While the stolen data did not include the content of calls or personal details like Social Security numbers, it contained information that could indicate the locations of cellular communications. AT&T delayed notifying affected customers due to federal investigations, which included input from the FBI.

This incident is part of a larger issue involving data breaches at several companies using the same cloud service, Snowflake, which is now requiring enhanced security measures.


Threat Actors Claim to Have Hacked Disney

A hacktivist group called NullBulge claims to have breached Disney's IT systems, stealing 1.1 terabytes of data from internal Slack channels. They allege that the data includes sensitive information such as project details, Social Security numbers, login credentials, and personal photos, taken from nearly 10,000 channels.

NullBulge, which claims to advocate for artists' rights, has criticized Disney for not paying royalties to writers of major franchises like Star Wars. Although the group initially intended to gather more information before revealing the breach, they decided to go public after an insider's involvement ended abruptly. Disney has not yet confirmed the breach, but if verified, it could lead to significant legal actions from the company against the hackers.