CISO Daily Update - August 16, 2024
NEW DEVELOPMENTS
TD Bank Employee ‘Improperly’ Accessed Customer Data
Source: Cybernews
A TD Bank employee's unauthorized access to customer data compromised the personal information of 41 clients. Sensitive data, including social security numbers, debit card details, and addresses, was exposed. The breach spanned several months before detection. TD Bank claims to have reimbursed affected accounts and is conducting a thorough internal investigation with law enforcement involvement.
The Washington Times Newspaper Claimed by Rhysida Ransomware Cartel
Source: Cybernews
The Washington Times is the latest victim of the Rhysida ransomware group, with the gang claiming to auction the newspaper's data for 5 bitcoin ($304,518). Rhysida has attacked various sectors including healthcare and government, and operates as a ransomware-as-a-service outfit often engaged in double extortion. The group recently leaked data from the City of Columbus, Ohio, and previously targeted entities such as the British Library and children's hospitals. Rhysida's victim count has reached 114 since its emergence in May 2023.
EFG Companies Breached Through Third-Party VPN
Source: Cybernews
Enterprise Financial Group (EFG) experienced a breach affecting nearly 20,000 clients. The incident was discovered on February 18th and impacted EFG's internal systems. The company investigated, contained, and eradicated the breach with external cybersecurity experts. The root cause was "unknown vulnerabilities" in a third-party VPN appliance. EFG implemented patches and collaborated with the provider to mitigate future risks. Data exposed included full names, social security numbers, driver's license numbers, passport numbers, bank account and payment card details, and medical and insurance information. As a precaution, EFG replaced the third-party VPN appliance without disclosing the provider's name.
5,000 AI-Controlled Fake X Accounts Linked to China Disinformation Campaign
Source: The Cyber Express
Researchers uncovered at least 5,000 fake AI-controlled X accounts linked to China's "Green Cicada" disinformation campaign. The network targets divisive political issues in the U.S. and other democracies, aiming to interfere in the upcoming U.S. election. Though the campaign is currently ineffective, Chinese AI and academic institutions have been improving their methods to make such campaigns harder to detect. The study highlights concerns over X's weakened ability to combat disinformation after reversing earlier anti-inauthentic content initiatives. The disinformation campaigns could become more effective as the election approaches.
Black Basta Ransomware Gang Linked to a SystemBC Malware Campaign
Source: Security Affairs
Rapid7 researchers linked Black Basta ransomware to a SystemBC malware campaign. The attack chain involves email bombing, fake tech support calls via Microsoft Teams, and the deployment of tools like AnyDesk, SystemBC, and AntiSpam[.]exe for credential harvesting. Attackers also exploit CVE-2022-26923 for privilege escalation and use remote monitoring and management (RMM) tools for lateral movement. Mitigation includes blocking unauthorized RMM tools, educating users on spotting social engineering, and applying security patches.
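The "block unauthorized RMM tools" mitigation above is easier to act on with telemetry. The following is an added example, not code from Rapid7, the newsletter, or any vendor, that reviews constructed process-creation events against a hypothetical allowlist of sanctioned remote-access tools and flags anything else that matches a known RMM binary or the AntiSpam.exe name mentioned in the item. The log line format, the allowlist, the suspect-name set and the sample events are all assumptions made for the example.

```python
"""Flag process starts of remote-access tools that are not on an approved list.

Added example for the Black Basta / SystemBC item; not code from Rapid7 or
the newsletter. Log format, allowlist and sample events are constructed.
"""
import re
from dataclasses import dataclass

# Hypothetical allowlist: the RMM tools this organisation actually sanctions.
APPROVED_RMM = {"teamviewer.exe"}

# Names worth reviewing when they run unapproved: the AnyDesk and AntiSpam.exe
# names from the item, plus a few common RMM binaries (assumed, for illustration).
RMM_OR_SUSPECT = {"anydesk.exe", "antispam.exe", "screenconnect.exe", "atera.exe"}

# Constructed log format:
#   <timestamp> host=<h> user=<u> image=<path> parent=<path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"image=(?P<image>.+?) parent=(?P<parent>.+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    image: str
    reason: str


def _basename(path: str) -> str:
    # Accept both Windows and POSIX separators; compare case-insensitively.
    return re.split(r"[\\/]", path)[-1].lower()


def parse_event(line: str):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def review_events(lines):
    """Return a Finding for every process start of an unapproved RMM/suspect
    binary. Approved tools and unrelated processes are skipped."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed; a real pipeline would count these separately
        name = _basename(ev["image"])
        if name in APPROVED_RMM:
            continue
        if name in RMM_OR_SUSPECT:
            reason = "unapproved remote-access tool"
            # Launch from a user-writable directory is an extra signal worth recording.
            if re.search(r"(?i)\\users\\[^\\]+\\(downloads|appdata)", ev["image"]):
                reason += " launched from user-writable path"
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["image"], reason))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    "2024-08-16T09:01:02Z host=WS-0417 user=acme\\jdoe "
    "image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe parent=C:\\Windows\\explorer.exe",
    "2024-08-16T09:01:40Z host=WS-0417 user=acme\\jdoe "
    "image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\AntiSpam.exe "
    "parent=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "2024-08-16T09:05:00Z host=WS-0203 user=acme\\helpdesk "
    "image=C:\\Program Files\\TeamViewer\\TeamViewer.exe parent=C:\\Windows\\explorer.exe",
    "2024-08-16T09:06:11Z host=WS-0203 user=acme\\helpdesk "
    "image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in review_events(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user}: {f.image} ({f.reason})")
```

Running the module prints the two AnyDesk and AntiSpam.exe starts on WS-0417 and stays silent about the approved TeamViewer instance. In practice the allowlist should come from the asset inventory, and the suspect set is a review aid, not a blocklist: the page's mitigation is to block tools that are not sanctioned, which is what the allowlist check enforces.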
A Group Linked to the RansomHub Operation Employs EDR-Killing Tool EDRKillShifter
Source: Security Affairs
A cybercrime group linked to the RansomHub ransomware operation was observed using a new tool (EDRKillShifter) to disable endpoint detection and response (EDR) software on compromised systems. The tool was identified by Sophos; it operates by exploiting vulnerable drivers to enable attackers to bypass security measures. Despite similarities between RansomHub and Knight ransomware, Symantec suggests that they are operated by different groups. Sophos recommends enabling tamper protection, separating user and admin privileges, and keeping systems updated to mitigate such threats.
VULNERABILITIES TO WATCH
Critical Vulnerabilities in IBM QRadar Let Attackers Execute Arbitrary Code Remotely
Source: Cyber Security News
IBM QRadar Suite Software and IBM Cloud Pak for Security are affected by several critical vulnerabilities including denial of service, cross-site scripting, plaintext credential storage, and potential arbitrary code execution. Attackers could exploit these vulnerabilities to cause service disruptions or execute remote code. IBM advises upgrading to version 1.10.24.0 or later to address these issues as no workarounds are currently available.
Vulnerability in Palo Alto Networks Prisma Access Browser Lets Attackers Trigger RCE
Source: Cyber Security News
Palo Alto Networks issued a high-severity update for the Prisma Access Browser (PAN-SA-2024-0007), addressing multiple vulnerabilities in the Chromium engine. The flaws include "use after free" and type confusion, and could allow remote code execution (RCE) to compromise systems. Users are advised to update to version 127.100.2858.4 or later. Other addressed vulnerabilities include command injection in Cortex XSOAR (CVE-2024-5914) and local privilege escalation in the GlobalProtect App on Windows (CVE-2024-5915).
Microsoft Disables BitLocker Security Fix, Advises Manual Mitigation
Source: Bleeping Computer
Microsoft disabled the fix for a BitLocker security bypass vulnerability (CVE-2024-38058) due to firmware issues causing devices to enter BitLocker recovery mode. Instead, users must apply manual mitigation steps from the KB5025885 advisory, which include a complex 4-stage process. Once the mitigation is applied on devices with Secure Boot, it can't be removed even by reformatting. Microsoft advises testing thoroughly before implementing the changes.
Thousands of Oracle NetSuite Sites Said to Be Exposing Customer Data
Source: SC Media
A critical flaw in Oracle NetSuite's SuiteCommerce platform was discovered, potentially exposing sensitive customer data for thousands of businesses. Because of improper configuration, unauthorized users can easily access personal information such as addresses and phone numbers through simple API calls. The issue stems from a misconfiguration rather than a vulnerability in NetSuite itself. Fixing the problem requires significant effort, and many businesses may be unaware of the data exposure.
SPECIAL REPORTS
74% of IT Professionals Worry AI Tools Will Replace Them
Source: Help Net Security
AI poses significant cybersecurity threats and fuels IT professionals' job security fears. A Pluralsight survey reveals 74% of IT professionals worry about AI replacing their roles, while 56% of security experts are concerned about AI-powered threats. Many organizations lack structured AI training, which exacerbates the issue. To counter this, cybersecurity professionals must upskill in areas like threat intelligence, reverse engineering, and threat hunting. Emerging roles like Cybersecurity Data Scientists and Exploit Developers are crucial for defending against advanced AI threats. Investing in continuous learning and development is imperative for the future of cybersecurity.
Cybercriminals Exploited Paris Olympics With Fake Domains
Source: Infosecurity Magazine
A surge in malicious online activity targeted Olympic enthusiasts during the Paris 2024 Games. Cybercriminals created fake social media accounts, online stores, and ticketing platforms to defraud unsuspecting fans. These fraudulent websites often used deceptive domain names and keyword stuffing to appear legitimate. Consumers are urged to exercise extreme caution when purchasing Olympics-related merchandise or tickets online, to verify website authenticity, and to avoid suspicious links. Additionally, fake cryptocurrency offerings linked to the Olympics pose significant financial risks.
Ransomware Gangs Rake In More Than $450 Million in First Half of 2024
Source: The Record
Ransomware gangs extorted over $459 million in the first half of 2024, surpassing last year's figures, with attacks targeting larger businesses and critical infrastructure. Despite a decline in the number of ransom payments, the median payment surged, indicating a shift toward higher-value targets. Law enforcement efforts and the fragmentation of ransomware groups like ALPHV/BlackCat have helped reduce payments, but new ransomware strains continue to emerge. Additionally, crypto thefts have risen, with cybercriminals netting nearly $1.6 billion in the first half of 2024, largely due to the increased value of cryptocurrencies.
Finding value in this newsletter? Like or share this post on LinkedIn