This Month in Cybersecurity - October Edition

Jetpack Plugin Patches After Affecting 27 Million Sites

The Jetpack WordPress plugin, installed on roughly 27 million sites, has released a critical security update for a flaw in its contact form feature that allowed any logged-in user of a site to read forms submitted by other visitors. The issue was found during an internal audit and has been present since 2016. Jetpack, which is owned by Automattic, worked with the WordPress.org Security Team to push the fix out automatically and back-ported it to every affected release branch, so sites on older versions receive a patched build rather than having to upgrade to the latest one. Because the flaw needed an authenticated account, site owners should also review who holds even low-privilege accounts (subscribers, contributors) on sites that collect sensitive data through forms.

In related news, the dispute between WordPress co-founder Matt Mullenweg and WP Engine has spilled over into the Advanced Custom Fields (ACF) plugin. WordPress.org has taken over ACF's listing in the plugin directory and forked it as Secure Custom Fields, which has been updated to fix a security issue. WP Engine disputes the manner of the takeover, while WordPress.org cites its responsibility for the safety of plugins in its directory and the users who install them. Site owners should note that automatic updates may now deliver the fork in place of the plugin they originally installed.


CISA Adds New Vulnerabilities to the KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Notably, a format-string flaw (CVE-2024-23113, CVSS 9.8) in Fortinet products allows an unauthenticated attacker to execute unauthorized code or commands by sending specially crafted packets. CISA also flagged two vulnerabilities in Ivanti's Cloud Services Appliance (CSA): an SQL injection (CVE-2024-9379, CVSS 6.5) and an OS command injection (CVE-2024-9380, CVSS 7.2).

Ivanti reported that these vulnerabilities are being exploited in the wild, chained with a previously patched zero-day path traversal (CVE-2024-8963) in the same appliance. The company confirmed that a limited number of customers running outdated versions of CSA have already been targeted, and stated that no other Ivanti products are affected.

CISA has mandated that federal agencies remediate these vulnerabilities by October 30, 2024. Private organizations are advised to review the KEV catalog as well and, given the active exploitation, treat the same deadline as a reasonable target for their own internet-facing Fortinet and Ivanti appliances.
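A defensible way to act on that advice is to compare the KEV feed against your own scanner findings and sort by remediation due date. The following Python script is an added example, not code from this newsletter or from CISA. It parses a constructed sample in the shape of CISA's public JSON feed (the three CVE IDs and the October 30 due date come from the text above; the earlier due date used for CVE-2024-8963, the product strings and the host names are constructed for illustration, so check the live feed) and matches it against a constructed set of scanner findings.

```python
"""Match CISA KEV entries against local scanner findings and rank by due date.

Added illustrative example. The feed shape (cveID, vendorProject, product,
dateAdded, dueDate) follows CISA's public JSON feed; all sample data below is
constructed for this example.
"""
import json
import urllib.request
from dataclasses import dataclass
from datetime import date

KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")

# Constructed sample in the shape of the KEV feed. The 2024-10-30 due date is
# the one reported for the Fortinet and Ivanti entries; the CVE-2024-8963 due
# date is a constructed earlier value so that the "overdue" path is exercised.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2024-23113", "vendorProject": "Fortinet",
     "product": "Multiple Products", "dateAdded": "2024-10-09",
     "dueDate": "2024-10-30"},
    {"cveID": "CVE-2024-9379", "vendorProject": "Ivanti",
     "product": "Cloud Services Appliance (CSA)", "dateAdded": "2024-10-09",
     "dueDate": "2024-10-30"},
    {"cveID": "CVE-2024-9380", "vendorProject": "Ivanti",
     "product": "Cloud Services Appliance (CSA)", "dateAdded": "2024-10-09",
     "dueDate": "2024-10-30"},
    {"cveID": "CVE-2024-8963", "vendorProject": "Ivanti",
     "product": "Cloud Services Appliance (CSA)", "dateAdded": "2024-09-19",
     "dueDate": "2024-10-10"}
  ]
}
"""

# Constructed scanner output: host name -> CVE IDs the scanner flagged.
SAMPLE_FINDINGS = {
    "fw-edge-01": ["CVE-2024-23113"],
    "csa-vpn-02": ["CVE-2024-9379", "CVE-2024-9380", "CVE-2024-8963"],
    "csa-vpn-03": ["CVE-2024-8963"],
}


@dataclass(frozen=True)
class Action:
    host: str
    cve: str
    vendor: str
    due: date
    days_left: int  # negative once the due date has passed

    @property
    def status(self):
        if self.days_left < 0:
            return "OVERDUE"
        if self.days_left <= 7:
            return "DUE SOON"
        return "SCHEDULED"


def load_kev(raw_json):
    """Index KEV entries by CVE ID so lookups from scanner output are O(1)."""
    data = json.loads(raw_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def fetch_kev(url=KEV_URL, timeout=30):
    """Download the live feed (needs network; the offline demo does not call it)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def prioritize(findings, kev, today):
    """Return KEV-listed findings as Actions, most urgent first.

    Findings for CVEs not in KEV are dropped here; they still belong in the
    normal patch cadence, just not on this priority list.
    """
    actions = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            actions.append(Action(host, cve, entry["vendorProject"],
                                  due, (due - today).days))
    # Sort by days left, then host and CVE, so output is stable and diffable.
    return sorted(actions, key=lambda a: (a.days_left, a.host, a.cve))


def run_demo(today_iso="2024-10-15", kev_json=SAMPLE_KEV_JSON):
    """Offline entry point: prioritise the constructed findings for a given day."""
    return prioritize(SAMPLE_FINDINGS, load_kev(kev_json),
                      date.fromisoformat(today_iso))


def report(actions):
    """Render one line per action for a ticket or a daily digest."""
    return "\n".join(
        f"{a.status:<9} {a.host:<12} {a.cve:<15} {a.vendor:<9} "
        f"due {a.due} ({a.days_left:+d} d)"
        for a in actions
    )


if __name__ == "__main__":
    print(report(run_demo()))
```

Replace SAMPLE_KEV_JSON with fetch_kev() and SAMPLE_FINDINGS with an export from your scanner to run this against real data; keep today as an explicit parameter so the same input always produces the same ranking in tests and audits.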


The Internet Archive Experiences DDoS Attack

The Internet Archive has partially restored its services after a DDoS attack on October 9, which coincided with the disclosure of a data breach that exposed users' account information. For several days the site served only a basic placeholder page. As of October 14, the Archive's founder and digital librarian, Brewster Kahle, announced that the Wayback Machine, which preserves copies of web pages, was functioning again, although other features were still being brought back gradually.

Analysts at Netscout examined the DDoS attack, which lasted about three hours and directed a large volume of traffic at the Archive's servers. They attributed it to a modern Mirai variant, malware that enlists compromised devices into a botnet, with most of the traffic coming from devices in Korea, China, and Brazil. While the Archive has focused on getting back online, users whose data was compromised are still waiting for details of the breach and of how the organization plans to strengthen its security.


Defensible Strategies

Learn from those who have been attacked

Cisco Investigates Breach After Stolen Data Surfaces

Cisco is investigating claims of a data breach after a threat actor known as "IntelBroker" announced on a hacking forum that he and two associates had stolen a large amount of developer data from the company. Cisco has confirmed that it is aware of the claims and is assessing them. The stolen data reportedly includes source code, project files, customer documents, and various credentials.

The attacker claims the data was taken on October 6, 2024, and has posted samples, including database contents and screenshots of customer management systems. The full extent of the incident is still under investigation. IntelBroker has previously leaked data from other major companies, in some cases obtained through third-party vendors, which raises the question of whether a supplier connected to Cisco was the entry point; Cisco has not yet said whether this incident is related to those earlier breaches.


Gryphon Healthcare Discloses Breach that Exposed 400,000 Individuals

Gryphon Healthcare, a Houston-based provider of services to healthcare organizations, has reported a data breach that may have exposed the personal information of up to 400,000 individuals. The compromised data could include patients' names, Social Security numbers, and medical information such as treatment histories and insurance details. Gryphon stated that it takes the security of this information seriously and has begun offering affected individuals credit monitoring and identity protection services.

According to Gryphon, unauthorized access began on July 6, the breach was detected on August 13, and the review of the affected data was completed on September 3. The company says it has implemented measures to improve security but has not disclosed how the breach occurred. Legal action is already in motion: a law firm is seeking to represent victims in a proposed class-action lawsuit.

Data breaches in the healthcare sector routinely lead to litigation. Med-Data settled a similar case for $7 million earlier this year, and another healthcare organization agreed to a $65 million settlement following a major breach. The sector remains a frequent target, and the cost of these settlements is a reminder that protecting patient information is a financial as well as a regulatory obligation.