This Month in Cybersecurity - August Edition

Bugs Found in OpenVPN by Microsoft

Microsoft recently discovered four security flaws in OpenVPN, a popular tool used for creating secure virtual private network (VPN) connections. These flaws could be combined to allow hackers to take full control of a targeted computer, leading to serious risks like data breaches and unauthorized access to sensitive information.

The vulnerabilities affect all versions of OpenVPN before 2.6.10 and 2.5.10, and exploiting them requires user credentials and a deep understanding of how OpenVPN works. Attackers could use stolen credentials or other methods to exploit these flaws, potentially bypassing security measures and compromising critical system functions.

As of now, the only way to avoid these vulnerabilities is to make sure that the version of OpenVPN in use is the most recent, up-to-date build. This is a great example of why security patches and software updates should be treated as a high-priority task.


Senators Introduce Bill to Tighten Vulnerability Disclosure

US Senators Mark Warner and James Lankford have introduced a bipartisan bill to improve cybersecurity for federal contractors. The proposed Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 would require these contractors to follow specific guidelines from the National Institute of Standards and Technology (NIST) for handling and disclosing software vulnerabilities.

This legislation aims to ensure that contractors implement formal vulnerability disclosure policies, allowing researchers to report and address security issues before they can be exploited. By mandating these practices, the bill seeks to enhance the protection of critical infrastructure and sensitive data from cyberattacks.


Phishing Evolves in the Age of AI

Since late 2022, generative AI has significantly impacted cybersecurity, with cybercriminals leveraging these technologies to enhance their attacks. In 2023, over $1.1 billion was paid in ransomware, and AI's role in making attacks more efficient and sophisticated has raised concerns among business leaders and cybersecurity experts.

AI tools are improving phishing tactics, automating attacks, and evading traditional security measures. To combat these threats, businesses need to focus on continuous, engaging employee training and simulations, along with adopting advanced security technologies. Building a strong cybersecurity culture requires everyone in the organization to understand the evolving risks and stay vigilant against increasingly sophisticated threats.

If you are interested in training on spotting phishing attempts, please reach out to Cyber Defense to learn more!

 

Defensible Strategies

Learn from those who have been attacked

Record Ransom Payments Made to Ransomware Group

Recently, the ransomware group Dark Angels made headlines by receiving an unprecedented $75 million ransom payment from a major Fortune 50 company. Dark Angels, a low-profile group active since 2021, has gained notoriety for their massive data thefts rather than for disrupting operations. Unlike many ransomware gangs that aim to cause high-profile disruptions, Dark Angels focuses on stealing large volumes of data while keeping a low profile, avoiding the flashy tactics and public shaming sites common among their peers.

Ranked as a top ransomware threat for 2024 by security firm Zscaler ThreatLabz, Dark Angels stands out for their methodical approach and the sheer scale of data they exfiltrate, often ranging from 10 to 100 terabytes. Their recent victims include major companies like Sysco and Sabre.

The identity of the company that paid the record ransom is speculated to be Cencora, a pharmaceutical giant, though they have not confirmed the payment. This significant ransom reflects a broader trend, as reported by Sophos, where the average ransom payment has surged dramatically, with many payments now funded through a combination of organizational resources and insurance.


East Valley Institute of Technology Data Breach Affects over 200,000

The East Valley Institute of Technology (EVIT) has notified over 200,000 people that their personal and health information was compromised in a data breach that occurred on January 9. The breach exposed a wide range of sensitive data, including names, Social Security numbers, medical records, and biometric information.

The ransomware group LockBit claimed responsibility for the attack, though it's unclear if the stolen data was published online as their website was taken down. EVIT has since taken steps to secure their systems, report the incident, and is offering affected individuals one year of free identity protection and theft recovery services.

This Month in Cybersecurity - July Edition

Microsoft Connects Scattered Spider to Qilin Ransomware

Microsoft has reported that the Scattered Spider cybercrime gang has started using a new type of ransomware called Qilin in their attacks. This group, also known as Octo Tempest, gained attention for targeting over 130 major companies, including Microsoft and AT&T.

The group employs various tactics to access networks, such as impersonating IT staff and using phishing techniques that both the FBI and CISA have warned against. Qilin, the ransomware Scattered Spider has recently adopted, has been noted for its advanced capabilities, particularly in targeting the VMware systems used by businesses. The group uses Qilin to infiltrate a company’s network and extract data, then uses the stolen data as leverage for a ransom demand.


UK Regulator Receives Complaint About Meta’s AI Data Policies

The UK-based Open Rights Group (ORG) has filed a complaint against Meta for changing its privacy policy, which allows the company to use user data to develop AI models. Meta informed Facebook and Instagram users about this policy change, citing "legitimate interests" as the legal basis for using personal information. This complaint follows a similar action in the EU, where Meta paused its plans to train AI on EU user data after regulatory concerns.

ORG has argued that Meta's approach violates UK data protection laws and emphasizes that users should give clear consent, rather than merely having the option to opt out. ORG has also argued that, despite Meta telling users they have the right to object, Meta has not committed to honoring those objections. The group has urged the UK's Information Commissioner’s Office (ICO) to investigate and stop these practices.


SquareSpace Migrations Become Target for Exploitation

Last week, several cryptocurrency platforms faced major issues after hackers gained access to their domain names registered with Squarespace. The attacks began on July 9, exploiting a flaw in Squarespace’s migration process for around 10 million domains acquired from Google Domains.

Hackers were able to create accounts using email addresses linked to the domains without proper validation, allowing them to take control and modify Domain Name System (DNS) records. This led to DNS hijacking, the practice of changing the registered information for a domain to redirect visitors to potentially harmful sites.

Although the affected platforms have since regained control and no further malicious activity has been reported, Squarespace has tightened its security measures and users are urged to enable two-factor authentication and check their account settings.

 

Defensible Strategies

Learn from those who have been attacked

AT&T Data Breach Affects Nearly All Customers

AT&T has revealed a data breach that exposed phone call and text message records for about 110 million customers, affecting nearly all of its users. The breach occurred in April when hackers accessed a cloud database protected only by a username and password, lacking multi-factor authentication.

While the stolen data did not include the content of calls or personal details like Social Security numbers, it contained information that could indicate the locations of cellular communications. AT&T delayed notifying affected customers due to federal investigations, which included input from the FBI.

This incident is part of a larger issue involving data breaches at several companies using the same cloud service, Snowflake, which is now requiring enhanced security measures.


Threat Agents Claim to Have Hacked Disney

A hacktivist group called NullBulge claims to have breached Disney's IT systems, stealing 1.1 terabytes of data from internal Slack channels. They allege that the data includes sensitive information such as project details, social security numbers, login credentials, and personal photos, taken from nearly 10,000 channels.

NullBulge, which claims to advocate for artists' rights, has criticized Disney for not paying royalties to writers of major franchises like Star Wars. Although the group initially intended to gather more information before revealing the breach, they decided to go public after an insider's involvement ended abruptly. Disney has not yet confirmed the breach, but if verified, it could lead to significant legal actions from the company against the hackers.

This Month in Cybersecurity - June Edition

VMware Gives Warning of Two Critical Flaws

VMware, managed by Broadcom, has identified two critical security flaws in its vCenter Server software, which is crucial for managing virtual machines and hosts in its Cloud Foundation and vSphere suites. These flaws, CVE-2024-37079 and CVE-2024-37080, have been rated 9.8 out of 10 in severity.

The vulnerabilities involve how a specific protocol (DCE/RPC) is implemented, potentially allowing a malicious attacker to execute remote code on the vCenter Server through specially crafted network packets. Although Broadcom has not detected any exploitation of these vulnerabilities in the wild, patches for affected versions have been released.

Additionally, a third flaw, CVE-2024-37081, has been identified, which could allow a local user to elevate their privileges on the server. This issue has been rated as important (7.8 score) and also has patches available.


Data Breach at Los Angeles County Public Health Agency Affects 200,000

The County of Los Angeles’ Department of Public Health has reported a data breach affecting 200,000 individuals, stemming from a phishing attack on February 19-20, 2024, targeting 53 employees' login credentials. Attackers accessed personal details like names, birth dates, Social Security numbers, medical records, and financial information using compromised credentials.

Although it's unclear if the data was misused, the agency is notifying affected individuals and offering one year of free credit monitoring. This incident follows similar breaches in other county health agencies earlier this year, affecting thousands more individuals.


Blackbaud on the Hook for Millions More in Settlement

Blackbaud, a software company specializing in apps for education and nonprofits, has agreed to pay $6.75 million to settle with California's attorney general over a 2020 data breach. This comes months after they were able to initially avoid fines from the FTC.

The settlement criticizes Blackbaud for poor cybersecurity practices and lack of transparency regarding the breach's impact, which affected millions worldwide. The company initially downplayed the breach, only revealing its full extent months later.

This fine concludes the final state-level investigation following earlier settlements with other states and regulatory bodies totaling $49.5 million. Blackbaud is also required to improve its data security measures as part of the settlement terms.

 

Defensible Strategies

Learn from those who have been attacked

CISA Warns of Being Impersonated by Scammers

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a rise in impersonation scams where fraudsters pretend to be CISA employees to deceive people into giving away money or personal information. These scams often involve fake communications that appear genuine, such as emails or phone calls, and employ urgent requests or threats to manipulate victims into immediate action.

CISA emphasizes that its staff will never ask for payments via wire transfer, cryptocurrency, or gift cards, nor will they demand secrecy. If targeted, individuals are advised to hang up, verify the contact details independently, and report the incident to CISA or law enforcement to prevent further harm.

If you would like to learn more about Phishing attempts, or social engineering and get your team trained on how to avoid instances like these, please reach out to us today!


Exploiting Mistyped URLs

Web users often click hyperlinks without verifying them, assuming they're correct. However, some links may contain errors that can be exploited by malicious actors to mimic legitimate websites and trick users into disclosing personal information through phishing. This practice, known as typosquatting, involves registering misspelled domain names to capitalize on user mistakes when typing URLs.

Research reveals that many active web links lead to unregistered "phantom domains," with over 572,000 dot-com domains currently unclaimed. By registering a sample of these domains, researchers found significant traffic potential, indicating a widespread issue that could be exploited by attackers at a minimal cost.

This Month in Cybersecurity - May Edition

Over 500 Organizations Hit By Ransomware

Identified in April of 2022, the organization known as Black Basta has hit more than 500 organizations globally, according to warnings put out by multiple United States government departments, including CISA and the FBI. The group operates under a Ransomware-as-a-Service (RaaS) business model and works with affiliates to conduct cyberattacks and deploy malware against victim organizations while taking a percentage of the ransom payment in exchange.

The threat agents rely on phishing and the exploitation of known vulnerabilities, especially those that have only recently been publicly disclosed. This allows Black Basta to compromise a victim’s network and then move laterally, reaching progressively deeper into the victim’s environment.

Of the 16 critical infrastructure sectors, 12 have been affected by these attacks, especially healthcare, which is an attractive target due to its size, technological dependence, access to personal health information, and other factors. The authoring organizations of the reports urge all critical infrastructure organizations to apply the recommended mitigations to avoid ransomware attacks.


Gift Card Systems Being Targeted, Warns FBI

The FBI has raised concerns for US retailers regarding a cybercriminal group, STORM-0539 (also known as Atlas Lion), targeting employees through sophisticated phishing attacks to generate fraudulent gift cards. These attacks aim to infiltrate employee accounts and IT systems, allowing the criminals to move laterally within networks and steal sensitive data, including passwords and SSH keys.

The rise in gift card scams, resulting in $217 million in consumer losses in 2023 alone, highlights the urgency of the issue. Atlas Lion not only steals gift card details but also seeks employee and network data for potential sale or future attacks. The group's persistent tactics, including defeating multi-factor authentication, have prompted warnings from both the FBI and Microsoft, indicating the need for heightened cybersecurity measures and potential legislative action to safeguard consumers.


49 Million Customers' Data Leaked in Dell API Hack

Dell recently notified customers about a data breach, revealing that personal data, including warranty information and order details, was stolen. The breach was attributed to a threat agent named Menelik, who accessed a portal meant for partners, resellers, and retailers by creating multiple fake accounts without verification.

Exploiting a lack of rate limiting, Menelik claimed to have harvested data from 49 million customer records over three weeks, including details on various Dell products. Although Menelik alerted Dell about the security flaw, they had already accessed the data before the company addressed the issue, underscoring the vulnerabilities associated with easy-to-access APIs and the urgent need for stricter security measures.

This incident underscores a broader trend of threat actors exploiting APIs to scrape sensitive data, with notable breaches involving Facebook, Twitter, and Trello in recent years. These breaches highlight the importance of implementing guard rails to limit how many times an action can be performed on the network and security protocols to safeguard user data.
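A defensive illustration of the per-account guard rails the Dell incident calls for, added here as example code that is not from the page or from Dell: a sliding-window rate limiter that caps each account's lookups per minute and per day. The endpoint, account names, limits and request traffic are all constructed for the example.

```python
"""Per-account request throttling for a lookup API (constructed example)."""
from collections import defaultdict, deque


class AccountRateLimiter:
    """Sliding-window limiter: at most `burst` requests per `window_s`
    seconds and at most `daily_cap` per 24 h, tracked per account.
    Limits are hypothetical defaults, not any vendor's real policy."""

    def __init__(self, burst=60, window_s=60, daily_cap=5000):
        self.burst = burst
        self.window_s = window_s
        self.daily_cap = daily_cap
        self._recent = defaultdict(deque)  # account -> timestamps in window
        self._daily = defaultdict(deque)   # account -> timestamps in last day

    @staticmethod
    def _trim(dq, now, horizon):
        # Drop timestamps that have aged out of the window.
        while dq and now - dq[0] >= horizon:
            dq.popleft()

    def allow(self, account, now):
        """Return True if the request may proceed, False if it is throttled.
        Rejected requests are not recorded, so a blocked client cannot
        extend its own lockout by continuing to hammer the endpoint."""
        recent, daily = self._recent[account], self._daily[account]
        self._trim(recent, now, self.window_s)
        self._trim(daily, now, 86400)
        if len(recent) >= self.burst or len(daily) >= self.daily_cap:
            return False
        recent.append(now)
        daily.append(now)
        return True


def replay(requests, limiter):
    """Feed (timestamp, account) requests through the limiter in time order
    and return per-account counts of allowed and blocked requests."""
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, account in sorted(requests):
        key = "allowed" if limiter.allow(account, ts) else "blocked"
        stats[account][key] += 1
    return dict(stats)


# Constructed traffic: a legitimate partner doing a lookup every 30 s and a
# freshly created account firing one lookup every 0.1 s (600 per minute).
SAMPLE_REQUESTS = [(t * 30.0, "partner-42") for t in range(10)] + \
                  [(t * 0.1, "newacct-1") for t in range(600)]

if __name__ == "__main__":
    print(replay(SAMPLE_REQUESTS, AccountRateLimiter()))
```

The scraper account gets its first minute's burst and is then throttled for the remainder of the window, while the partner's traffic is untouched; the daily cap bounds the total a single account can pull even if it paces itself under the burst limit.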

 

Defensible Strategies

Learn from those who have been attacked

Post Millennial Hack Affected 26 Million People

The online data breach notification service Have I Been Pwned recently added information for over 26 million individuals affected by a hack targeting The Post Millennial, a Canadian news website. The hack, which also affected its American counterpart, resulted in the defacement of both sites' front pages with fake messages purportedly from The Post Millennial's editor.

The exposed data, encompassing names, email addresses, passwords, and even physical addresses and phone numbers, raises concerns about potential misuse by threat actors. While the exact source of the leaked data remains uncertain, Have I Been Pwned decided to include it in its breach notification service to alert potentially impacted individuals.

Despite the breach, neither The Post Millennial nor its parent company, Human Events Media Group, has issued a public statement regarding the incident, emphasizing the importance of users taking proactive measures such as password resets and heightened vigilance against suspicious communications.


New Attack on VPNs

Researchers have devised a new attack that can be used against nearly all virtual private network (VPN) applications. The attack forces them to send and receive all traffic outside of the encrypted tunnel that is designed to protect it from snooping or tampering.

The attack, which the researchers have named TunnelVision, undermines the whole purpose of VPNs, which is to cloak the user’s IP address by placing incoming and outgoing Internet traffic within an encrypted tunnel. The researchers believe there is no way to circumvent the attack when a user is connected to a hostile network, and that the only VPNs they noted as unaffected were those running on Linux or Android.

The researchers have warned that this attack they have discovered may have been possible since 2002, and that it may have already been used in the wild.