CISO Daily Update - September 25, 2024

NEW DEVELOPMENTS

MoneyGram Says Cyber Incident Causing Network Outages

Source: The Record

MoneyGram is facing network outages caused by a cybersecurity incident that the company has not yet characterized publicly; reporting suggests a ransomware attack is likely. The company took systems offline to investigate and is working with cybersecurity experts and law enforcement to restore service. The disruption has affected MoneyGram's global remittance services, and the company has not confirmed whether a ransom demand is involved.

Article Link


Ransomware Attack on Kansas County Exposed Sensitive Info of Nearly 30,000 Residents

Source: The Record

A ransomware attack on Franklin County, Kansas exposed sensitive information of nearly 30,000 residents, including Social Security numbers, medical records, and financial details. The breach was discovered in May and involved data from the county's poll book records. No evidence suggests the stolen data has been sold, and no group has claimed responsibility. The county has notified regulators as Kansas continues to struggle with ransomware incidents targeting public services and government entities.

Article Link


Cybersecurity Incident Affects Arkansas City Water Treatment Facility

Source: Infosecurity Magazine

Arkansas City, Kansas experienced a cybersecurity incident at its water treatment facility on September 22, 2024, prompting a switch to manual operations. The city reassured residents that water quality and service remain unaffected while cybersecurity experts work to restore the automated systems. Ransomware has not been confirmed as the cause. The incident underscores the exposure of critical infrastructure, particularly the water sector, which is increasingly targeted; efforts to improve cybersecurity across US water utilities are ongoing.

Article Link


Twilio Purportedly Breached, Nearly 12K Call Records Compromised

Source: SC Media

Twilio reportedly suffered a data breach in which nearly 12,000 call records were compromised by the threat actor "grep"; the claim was unconfirmed at the time of writing. The exposed data reportedly includes call times, phone numbers, call status, and interpreter IDs, which could be used to make voice and SMS phishing more convincing. This follows a recent phishing campaign targeting corporate VPN credentials. Legal ramifications are expected given the sensitivity of the leaked information.

Article Link


Kaspersky Users Shocked by Automatic Antivirus Replacement Without Explicit Permission

Source: Cybernews

Kaspersky users in the U.S. were surprised when UltraAV antivirus and UltraVPN were installed automatically, replacing Kaspersky software on their systems without warning. The change follows the U.S. ban on Kaspersky's products over alleged ties to the Russian government, which takes effect on September 29. Kaspersky had emailed users about the transition to UltraAV, but many were unprepared for an abrupt, unattended swap of their endpoint security product. UltraAV is provided by Pango Group (owned by Aura) and offers comparable protection features. Users expressed frustration over the forced installation and difficulties in removing Kaspersky software. For administrators, the practical point is that a vendor can replace an endpoint agent outside normal change control; inventory systems that ran Kaspersky and verify what is now installed on them.

Article Link


AI-Generated Malware Found in the Wild

Source: Security Week

HP identified an email campaign that used an AI-generated dropper to deliver a malware payload. In June 2024, researchers found a phishing email carrying an HTML attachment whose content was AES-encrypted to evade detection; unusually, the AES decryption key was embedded in the attachment's own JavaScript, a departure from the usual pattern, so the page decrypts itself as soon as it is opened in a browser. The decrypted content masqueraded as a website but contained a VBScript that deployed the AsyncRAT remote access trojan. The VBScript was unusually well structured, with explanatory comments and variable names written in French, leading HP to suggest it was generated with AI rather than hand-written.

Article Link


Telegram Will Provide User Data to Law Enforcement in Response to Legal Requests

Source: Security Affairs

Telegram's updated privacy policy now allows it to share user data, including phone numbers and IP addresses, with law enforcement in response to valid legal requests tied to violations of its Terms of Service. CEO Pavel Durov announced the changes, which follow his own legal troubles in France over serious criminal allegations, as an effort to curb criminal activity on the platform. The update is intended to improve accountability and moderation on Telegram, which has faced scrutiny for its role in facilitating cybercrime.

Article Link


Cyberthreats to Railroads Loom as Industry and TSA Grow an Uneasy Partnership

Source: The Record

U.S. railroads are increasingly vulnerable to cyberattacks, with the industry lagging behind other sectors in cybersecurity. TSA regulations issued in 2022 aimed to address this by requiring basic security measures, but challenges persist because of the railroads' slow adoption of cybersecurity practices and the difficulty of securing vast, interconnected systems. While progress has been made, the rail industry and TSA must strengthen their uneasy partnership to protect critical infrastructure, particularly as geopolitical tensions raise the risk of cyber sabotage.

Article Link


VULNERABILITIES TO WATCH

Apache Tomcat Vulnerability Lets Attackers Trigger DoS Attack

Source: Cyber Security News

A newly disclosed vulnerability in Apache Tomcat (CVE-2024-38286) allows an attacker to cause a denial of service by abusing the TLS handshake process; under certain configurations this can exhaust JVM memory and take down the whole server. The Apache Software Foundation advises upgrading to a fixed release (9.0.90, 10.1.25 or 11.0.0-M21, or later). Organizations should identify internet-exposed Tomcat instances that terminate TLS and update them promptly, as the flaw affects availability of the entire server rather than a single application.

Article Link


Critical Unauthenticated RCE Flaw Impacts All GNU/Linux Systems

Source: Cyber Security News

A critical unauthenticated Remote Code Execution (RCE) vulnerability said to affect all GNU/Linux systems has reportedly been confirmed by major distributors including Canonical and Red Hat, with a preliminary severity rating of 9.9 out of 10. According to the researcher, the flaw has existed for over a decade, yet at the time of writing no CVE identifiers had been assigned and no fix was available while developers debated its impact; the researcher has expressed frustration with the disclosure process. The "all GNU/Linux systems" scope is the researcher's pre-disclosure characterization and cannot be verified until technical details are published. With full disclosure imminent, the practical action is to track the advisory, identify which distributions and components turn out to be affected, and be ready to patch quickly.

Article Link


Researcher Details Cisco Smart Licensing Flaw that Lets Attackers Control Devices

Source: GBHackers

Cisco disclosed a critical vulnerability (CVE-2024-20439) in its Smart Licensing Utility: a hardcoded static administrative credential that lets an unauthenticated remote attacker log in with administrative privileges over the utility's API. The flaw affects versions 2.0.0 through 2.2.0, and the utility listens on all network interfaces, which widens exposure. Per Cisco's advisory, the utility must have been started by a user and be actively running to be exploitable, and there is no workaround. Organizations are urged to update to version 2.3.0 or later to eliminate the risk.

Article Link


10 Nasty Software Bugs Put Thousands of Fuel Storage Tanks at Risk of Cyberattacks

Source: The Register

Critical vulnerabilities in Automatic Tank Gauge (ATG) systems from multiple vendors leave thousands of fuel storage tanks at risk of cyberattack. Ten CVEs, seven of them rated critical, allow unauthorized access to and control of these devices. Despite efforts by CISA and Bitsight to address the issues, roughly 1,200 to 1,500 internet-exposed devices remain unpatched, affecting gas stations, airports, and utility companies. Operators are urged to place ATGs behind a firewall, isolate them from public networks, and update to the latest software versions. Some of the vulnerabilities have no fix, so for those devices network isolation is the only available mitigation.

Article Link


SPECIAL REPORTS

MFA Bypass Becomes a Critical Security Issue as Ransomware Tactics Advance

Source: Help Net Security 

According to SpyCloud, ransomware is now the leading cybersecurity threat, with session hijacking and MFA bypass via infostealer malware emerging as critical risks. Traditional defenses such as MFA and antivirus are proving insufficient: 54% of infostealer-infected devices had a security solution installed. A stolen session cookie lets an attacker replay an already-authenticated session, so the MFA challenge at login is never triggered. Companies in sectors such as insurance and healthcare are at heightened risk. Despite rising confidence among CIOs and CISOs, many security teams feel underprepared for ransomware attacks, and while more organizations are paying ransoms, fewer fully recover their data. SpyCloud urges a shift to identity-centric protection that addresses exposed credentials and session cookies before they are used.

Article Link


65% of Websites Are Unprotected Against Simple Bot Attacks

Source: Help Net Security 

A recent analysis by DataDome found that 65% of websites are unprotected against simple bot attacks and that 95% of advanced bot attacks go undetected, particularly in consumer-facing industries such as e-commerce and luxury retail. These sectors are prime targets for cybercriminals, risking financial losses, data breaches, and reputational damage. The study shows that only 5% of luxury brand websites and 10% of e-commerce sites have full protection. Advanced bots using AI can evade traditional defenses, enabling fraud and the spread of disinformation. The need for multi-layered bot protection is growing as these attacks increase.

Article Link


14 Million Patients Impacted by US Healthcare Data Breaches in 2024

Source: Infosecurity Magazine

In 2024, over 14 million patients have been affected by data breaches at US healthcare organizations, primarily driven by ransomware attacks exploiting critical vulnerabilities. The volume of sensitive data and the potential for life-threatening disruption make healthcare an attractive target for ransomware groups. Commonly exploited vulnerabilities include those in Microsoft Exchange, PaperCut servers, Citrix products, and legacy Windows protocols. Growing digital integration in healthcare has significantly expanded the attack surface and increased ransomware incidents.

Article Link


More articles by Marcos Christodonte II