TeamViewer, a provider of remote access software, has confirmed that a recent cyberattack has been successfully contained within its internal corporate IT environment. Crucially, the company has reassured its customers and stakeholders that the breach did not affect its product environment, the TeamViewer connectivity platform, or any customer data. This announcement comes as the investigation into the TeamViewer data breach progresses, providing clarity and reassurance to the millions of users who rely on its services.

TeamViewer Breach Overview and Immediate Response

The TeamViewer data breach was first detected on June 26, 2024, prompting an immediate response from TeamViewer’s security team. The company has attributed the breach to an advanced persistent threat group tracked as APT29, also known as Midnight Blizzard or Cozy Bear. This group is known for its sophisticated cyberespionage capabilities and has a history of targeting high-profile entities, including Western diplomats and technology firms.

In an initial statement posted on Thursday in the company’s Trust Center, TeamViewer explained that the breach was confined to its internal corporate IT environment. The company emphasized that this environment is distinct and separate from its product environment, where customer interactions occur. As such, there is no evidence to suggest that the product or customer data was compromised.

"TeamViewer’s internal corporate IT environment is completely independent from the product environment. There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems," reads the initial statement.

Details of the Data Compromise

According to TeamViewer, the threat actor leveraged a compromised employee account to gain access to the internal corporate IT environment. This access allowed the attacker to copy certain employee directory data, including names, corporate contact information, and encrypted employee passwords. Importantly, the compromised data was limited to internal corporate information, and no customer data was involved. The company has taken swift action to mitigate the risk associated with the encrypted passwords.

"According to current findings, the threat actor leveraged a compromised employee account to copy employee directory data, i.e. names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment. We have informed our employees and the relevant authorities. The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft," reads the statement.

In collaboration with leading experts from its incident response partner, Microsoft, TeamViewer has implemented enhanced authentication procedures and added further strong protection layers. According to the company, these measures bring the authentication processes for employees to the maximum security level.

"The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft. We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state," reads the TeamViewer statement.

The Role of NCC Group

The cybersecurity firm NCC Group played a significant role in highlighting the TeamViewer data breach. NCC Group was alerted to the compromise of TeamViewer’s remote access and support platform by APT29. Their involvement underscores the importance of third-party cybersecurity firms in detecting and responding to advanced threats.

For TeamViewer’s customers, the key takeaway from this incident is that their data and the functionality of the TeamViewer connectivity platform remain secure. The company has reiterated that its overall system architecture follows best practices, with a clear segmentation between the corporate IT environment, the production environment, and the TeamViewer connectivity platform. This segmentation is a critical factor in ensuring that a breach in one area does not affect the others.
Nearly a month after The Cyber Express exposed a data breach in the digital assets of India’s Telangana State Police, the police have restored services for the public on their official website. The Telangana Police data breach came to light in June when their Hawk Eye app, a popular citizen-friendly crime reporting app, and the TSCOP app, an internal crime detection app of the state police, were reportedly compromised. As a fallout of the twin data breaches, the Telangana Police shut down public access to the official department website, citing maintenance. The police also arrested a 20-year-old hacker who was responsible for the data breaches. In their report, the Telangana Police acknowledged that the news report on The Cyber Express gave them crucial leads that led to the arrest.

Telangana Police Website Access Restored

The Telangana State Police website offers a variety of services to citizens, such as checking the status of their complaints and traffic tickets, making payments online, obtaining a police verification certificate for applying for a job or a passport, reporting stolen or lost mobile phones, reporting cybercrimes, and finding contact information for emergency services in the State. All of these services were suspended by the police for almost the entire month of June because of the data breach. On June 30, 2024, the Telangana Police wrote a post on X informing the public that services had been restored.

(Image source: X)

“Access the Telangana Police services online! Visit http://tspolice.gov.in to report complaints, grievances, or concerns,” the police wrote in the post. The post added that citizens could now directly download FIRs from the website. An FIR, or First Information Report, is a written document prepared by the police in India to detail a cognizable offence.

Improved Security Checks on Telangana Police Website

When the Hawk Eye app data was breached on May 31, the hacker threatened to leak sensitive data of over 200,000 citizens, including their Personally Identifiable Information (PII): names, email addresses, phone numbers, physical addresses, IMEI numbers, and location coordinates. Days later, the same hacker breached the TSCOP app, which held sensitive data of police officers, criminals and gun license holders in Telangana. Cybersecurity experts also warned the police of multiple vulnerabilities that could be exploited.

(Image source: X)

“It is easy to hack into their system as they used basic authentication and encoding,” India’s popular data security researcher Srinivas Kodali said. He condemned the state police for not hiring proper developers and putting the privacy of several thousand users at risk.

Following the data breaches, the Telangana Police shut down public access to the website. The police then initiated a Vulnerability Assessment and Penetration Testing exercise "across all police internal and external networks, web and mobile applications, as well as cloud and endpoints." The police shared that security checks were being carried out to identify and address any weaknesses and to prevent future breaches. To add a layer of security to the website, the Telangana Police have now introduced a One-Time Password (OTP), sent to the registered mobile number once the user has entered their login credentials.

Despite the police officially declaring that the website services had been restored, many users reported that the services remained inaccessible; most of the complaints concerned a 404 error message.

(Image source: X)

But sources told The Cyber Express that the other digital assets of the Telangana Police were undergoing maintenance and that access would be restored in a phased manner after mandatory security checks were completed.
Juniper Networks has urgently released security updates to address a critical vulnerability affecting some of its routers, identified as CVE-2024-2973. This flaw, with a maximum CVSS severity score of 10.0, could allow attackers to bypass authentication mechanisms and gain unauthorized control over affected devices. The router vulnerability specifically affects Juniper Networks' Session Smart Router and Conductor products when deployed with redundant peers. In such configurations, a network-based attacker could exploit the flaw to circumvent authentication safeguards, thereby compromising the entire device.

Juniper Networks Issues Patches for Router Vulnerability

(Image source: Juniper Networks)

Juniper Networks issued an advisory highlighting the severity of the flaw: "An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network-based attacker to bypass authentication and take full control of the device."

Affected products include Session Smart Router versions before 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts, as well as Session Smart Conductor versions before 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts. Additionally, WAN Assurance Router versions 6.0 before 6.1.9-lts and 6.2 before 6.2.5-sts are affected.

Juniper Networks has moved swiftly to address this issue by releasing updated software versions that resolve the vulnerability. Users are strongly advised to upgrade affected systems to the following patched releases: SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent versions. For deployments managed by a Conductor, upgrading the Conductor nodes will automatically apply the fix to connected routers, though direct router upgrades are still recommended for comprehensive protection.

No Threat Detected

It is reassuring that Juniper Networks' Security Incident Response Team (SIRT) has not detected any malicious exploitation of CVE-2024-2973 in the wild. The company discovered this vulnerability internally during routine security testing and promptly took action to mitigate the risk.

For users of MIST-managed WAN Assurance routers connected to the Mist Cloud, the patch has been applied automatically to safeguard against potential exploitation. Importantly, applying this fix is designed to be non-disruptive to normal network operations, with minimal downtime expected during implementation. Juniper Networks emphasizes that no other products or platforms in its portfolio are affected by this specific vulnerability, limiting the scope of necessary updates to the identified router models.

While the discovery of CVE-2024-2973 highlights the importance of sound cybersecurity practices, Juniper Networks' proactive response through prompt patching and clear mitigation guidance exemplifies industry best practice in safeguarding against router vulnerabilities. Users are encouraged to update their systems promptly to the latest recommended versions to maintain a strong security posture against emerging threats.
In a recent advisory, the Reserve Bank of India (RBI) has cautioned scheduled commercial banks about the increasing risk of cyberattacks. The RBI advisory, issued by the Department of Banking Supervision at the Central Office in Mumbai, highlights the critical importance of cybersecurity measures in today's digital banking domain.

Central to the RBI advisory is the role of Corporate Governance in ensuring accountability within banks. It emphasizes that IT Governance forms an integral part of this framework, requiring strong leadership support, a well-defined organizational structure, and streamlined processes. Effective IT Governance, according to the RBI, is the responsibility of both the Board of Directors and Executive Management.

Technological Adoption in Banking

Highlighting the widespread adoption of technology across banking operations, the RBI cybersecurity advisory notes that nearly every commercial bank branch has embraced technology to some extent. This includes the implementation of core banking solutions (CBS) and various alternate delivery channels such as internet banking, mobile banking, phone banking, and ATMs.

The RBI advisory provides clear guidance to banks on enhancing their IT Governance:

Roles and Responsibilities: Clearly defining the roles and responsibilities of the Board and Senior Management is crucial for effective IT Governance. This ensures proper project control and accountability.

Organizational Framework: The advisory recommends establishing an IT Strategy Committee at the Board level, comprising technically competent members with substantial IT expertise. The committee's responsibilities include advising on strategic IT directions, reviewing IT investments, and ensuring alignment with business goals.

IT Organizational Structure: The advisory suggests structuring IT functions based on the bank’s size and business activities, with divisions such as technology and development, IT operations, IT assurance, and supplier management. Each division should be led by experienced senior officials to manage IT systems effectively.

Implementing IT Governance Practices

The RBI cybersecurity advisory stresses the implementation of robust IT Governance practices aligned with international standards such as COBIT (Control Objectives for Information and Related Technologies). These practices focus on value delivery, IT risk management, strategic alignment, resource management, and performance measurement.

Information Security Governance

Addressing the critical aspect of information security, the RBI advises banks to implement comprehensive security governance frameworks. This includes developing security policies, defining roles and responsibilities, conducting regular risk assessments, and ensuring compliance with regulatory requirements. The advisory recommends separating the information security function from IT operations to enhance oversight and mitigate risks effectively.

Risk Management and Compliance

Emphasizing the importance of risk management, the advisory highlights the need for banks to integrate IT risks into their overall risk management framework. This involves identifying threats, assessing vulnerabilities, and implementing appropriate controls to mitigate risks effectively. Regular monitoring and oversight through steering committees are essential to ensure compliance with policies and regulatory standards.

Conclusion

The RBI’s advisory highlights the importance of banks strengthening their cybersecurity posture amid digital threats. By implementing IT Governance and information security frameworks, banks can enhance operational resilience, protect customer data, and safeguard financial stability. Adhering to these guidelines will not only ensure regulatory compliance but also bolster trust and confidence in the banking sector.

The RBI continues to monitor cybersecurity developments closely and urges banks to remain vigilant against emerging threats. With technology playing an increasingly pivotal role in banking, proactive measures are essential to mitigate risks and maintain a secure banking environment. For further information and detailed guidelines on implementing the RBI’s cybersecurity advisory, banks are encouraged to refer to the official communication from the Reserve Bank of India. Taking proactive steps today will safeguard the future of banking operations against cybersecurity challenges.
Niconico, the Japanese video-sharing website, and its parent company KADOKAWA Inc. have provided crucial updates regarding the significant cyberattack they experienced earlier in June 2024. The Niconico cyberattack, identified as a ransomware attack, has raised substantial concerns about data security and user privacy. Here’s a comprehensive look at the current situation after the cyberattack on Niconico, including the steps taken by the companies, the nature of the leaked information, and recommendations for users.

Niconico Cyberattack: Incident Overview

Niconico and KADOKAWA Inc. discovered the ransomware attack on their data center servers and immediately initiated a response plan. A specialized task force, along with external cybersecurity experts, was deployed to investigate the Niconico cyberattack and assess the extent of the data compromise. The attackers claimed to have exfiltrated sensitive information, a claim which has been substantiated by the initial findings of the investigation.

(Image source: Niconico X account)

The data breach affected various types of information held by Niconico and KADOKAWA Inc. Notably, the Niconico data breach included:

Business Partner Information: This includes contracts, quotations, and other documents related to business dealings.

Personal Information of Creators: Creators using music monetization services (NRC) were affected, with their personal details being leaked.

Employee Information: Personal data of all employees, including contract employees, temporary workers, part-time staff, and even some retired employees of Dwango Inc., was compromised.

Internal Documents: Various internal documents, potentially containing sensitive operational details, were also accessed.

Password Security and Credit Card Information

Niconico has assured its users that account passwords are stored in a protected form, using cryptographically secure hashing. This measure significantly reduces the risk of passwords being immediately misused if they are leaked. However, Niconico advises users to change their passwords, especially if they use the same password across multiple services.

Importantly, Niconico has confirmed that no credit card information was compromised during the attack. The company does not store such data within its systems, thus eliminating the risk of credit card information leakage.

Immediate Actions and Recommendations

In light of the breach, Niconico and KADOKAWA Inc. have taken several critical steps:

Task Force Deployment: A specialized team was formed to handle the situation, investigate the breach, and mitigate further risks.

External Investigation: External cybersecurity agencies have been engaged to conduct a thorough investigation, the results of which are expected by the end of July 2024.

Law Enforcement Collaboration: The companies have reported the incident to the police and relevant authorities and are cooperating fully with ongoing investigations.

User Notifications: Individual notices and apologies are being sent to all affected parties, including external creators, business partners, and former employees. For those who cannot be contacted individually, the public announcement serves as a notification.

Precautionary Measures for Users

Given the potential for personal information misuse, Niconico and KADOKAWA Inc. urge users to be vigilant against phishing attempts and other suspicious activities. Users are advised to:

Change Passwords: Update passwords for their Niconico accounts and any other services where the same password might be used.

Monitor Communications: Be cautious of unsolicited emails, especially those requesting personal information or directing to unfamiliar websites.

Report Suspicious Activity: Use the dedicated contact point set up by Niconico for inquiries and to report any suspicious activities or potential breaches related to this incident.

Both Niconico and KADOKAWA Inc. have expressed deep regret over the inconvenience and distress caused by this incident. They sincerely apologized for the inconvenience and concern resulting from the cyberattack on Niconico, and expressed gratitude for the patience and understanding shown by all those affected during this challenging period.
An executive from National Australia Bank says the country's four major banks are under constant attack, with threat actors launching a barrage of attacks every minute of every day. According to Chris Sheehan, National Australia Bank's executive for group investigations, "every bank is being attacked all the time." The aim of these attacks is to steal sensitive information and money from unsuspecting customers.

The four major banks in Australia are ANZ Bank, Commonwealth Bank, National Australia Bank (NAB), and Westpac. These banks are officially recognized as the largest in the country and are prohibited from merging with or acquiring one another under the "Four pillars policy." This relentless barrage of cyber assaults targets not only the banks' systems but also their customers, leaving millions potentially vulnerable to sophisticated scams and financial theft. Threat actors may employ various forms of attack, including the distribution of malicious code, security breaches, and denial of service campaigns, making it a daunting task for banks to stay ahead.

National Australia Bank Executive Raises Alarm

The cyber attacks on Australian banks are not isolated incidents but a stream of continuous attempts to breach security, deny services, and steal sensitive information. Sheehan describes the situation as "asymmetrical warfare," with threats ranging from amateur hackers to highly organized transnational crime groups and even malicious nation-state actors. Sheehan stated: "From, being colloquial, Larry the loser, in the basement at home that's having a bit of a chop away at the laptop and trying to steal money from people or hack into a system, all the way to highly sophisticated, ruthless and resilient transnational organised crime groups and they're the ones that are driving 90 per cent of the scams that are hitting Australian victims."

Criminals perceive online attacks as lower risk compared to traditional bank robberies, with the potential for much higher rewards. The extent of the problem is staggering, with Australians losing an estimated $3 billion annually to cyber scams.

The official's statements come shortly after customers observed the bank's own website being down for several hours. NAB's website temporarily informed visitors that its services were not working and directed them to use the NAB app or telephone banking instead.

(Image source: X.com, @Tzarimas)

While the bank's services appear to have been restored, it is unknown whether the downtime was the result of an attack or routine maintenance. Several customers expressed frustration over not being alerted to the downtime via email or text, and concern over pending transactions.

(Image source: X.com, @NAB)

Defending Australian Banks

In response to this relentless assault, Australian banks have ramped up their defenses. The banks are working hard to stay ahead of the scammers, with NAB employing a dedicated call center and operations team to fight fraud and scams. The team consists of 350-400 people working around the clock and is available 24/7. Banks have also implemented new policies, such as eliminating hyperlinks in official communications with customers, to help distinguish legitimate messages from scams.

Despite these efforts, the battle against cyber crime remains an uphill struggle. Once a customer falls victim to a scam and initiates a payment, recovery of funds is often impossible. Chris Sheehan advises, "if it looks or sounds too good to be true, or if someone's applying pressure to you that you're going to miss out on something, or you're going to suffer a penalty, if you don't make that payment, they are massive red flags."

The Australian Banking Association acknowledges the severity of the situation, describing it as a "scams war." The banks are also implementing extra safeguards to prevent money from being lost to international criminal gangs. Amid this persistent threat, it is crucial for customers of the major banks to remain vigilant against the tactics used by these scammers.
CISA, in collaboration with the Fauquier County Sheriff’s Office, the Fauquier County Fire Rescue System, and Fauquier County Public Schools, recently conducted a comprehensive K-12 active shooter exercise to strengthen the safety and security of schools in the region. This exercise, held at Kettle Run High School and Greenville Elementary School on June 27, aimed to evaluate and enhance emergency response strategies in simulated active shooter scenarios.

The joint effort involved various local stakeholders, including law enforcement, school administrators, teachers, and emergency medical services. These participants played pivotal roles in testing the effectiveness of current safety protocols, particularly in scenarios involving mock injuries, evacuations, and the reunification of students with their families.

CISA and Fauquier County’s K-12 Active Shooter Exercise

David Mussington, CISA’s Executive Assistant Director for Infrastructure Security, highlighted the importance of the K-12 active shooter exercise in fostering collaboration among federal, state, and local entities to safeguard educational environments. He emphasized that such initiatives are crucial for preparing communities to respond effectively to potential threats.

Sheriff Jeremy Falls further highlighted the exercise's role in improving preparedness for real-world incidents, stating, “Our primary goal is the safety and well-being of our community. This exercise provided invaluable insight into our readiness and identified areas for further strengthening our response capabilities.”

Dr. Major Warner, superintendent of Fauquier County Public Schools, emphasized the partnership’s role in enhancing school safety, noting, “Testing our emergency protocols has significantly bolstered our readiness as a school division, ensuring a safer learning environment for our students and staff.”

Collaborative Training Exercises

The exercise also aimed to assess the speed and coordination of law enforcement responses, emergency medical operations, and communication between agencies during crises. Chief Kalvyn Smith of the Fauquier County Fire Rescue System stressed the importance of collaborative training exercises in preparing agencies to protect and serve the community effectively.

Janelle Downes, Fauquier County Administrator, highlighted the necessity of involving various stakeholders in such exercises, stating, “Large-scale critical incidents demand a coordinated response. This exercise allowed us to plan and refine our coordination for potential future emergencies.”

Bill Ryan, CISA’s Regional Director, emphasized the value of these exercises in identifying strengths and areas for improvement, ensuring continuous learning and adaptation to maintain readiness. CISA remains committed to supporting local communities through training and collaborative initiatives aimed at enhancing security measures. This exercise with Fauquier County represents a significant step in these ongoing efforts to safeguard schools and promote community resilience.
The need for cyber insurance has fallen drastically as businesses worldwide upgrade their defenses against rising cyber threats, according to a recent report by Howden. Despite an uptick in ransomware attacks, premiums for cyber insurance have declined globally. This shift comes as businesses enhance their cybersecurity measures, mitigating potential losses from cyber incidents.

In the wake of the COVID-19 pandemic, cyber insurance premiums surged in 2021 and 2022 due to increased cybercrime activity. However, the latest annual report from Howden reveals a noteworthy decrease in premiums over the past year. The cyber insurance market experienced significant price reductions, reflecting the improved security practices and technologies that businesses have adopted.

The Need for Cyber Insurance Declines

Sarah Neild, Head of UK Cyber Retail at Howden, emphasized the critical role of multifactor authentication (MFA) in safeguarding company data. "MFA is fundamental, akin to locking your door when leaving the house," Neild remarked. She highlighted the multi-layered nature of cybersecurity, noting increased investment in IT security and employee training, which have collectively bolstered resilience against cyber threats.

Despite the rising frequency of ransomware incidents, the report highlighted a drop in global ransomware attacks following geopolitical events. Nevertheless, recorded ransomware incidents spiked by 18% in the initial months of 2024 compared to the previous year. Ransomware typically involves encrypting data and demanding cryptocurrency payments in exchange for decryption keys. Business interruption remains a significant cost after an attack; however, businesses are mitigating these costs with robust backup systems, including cloud-based solutions, as outlined in the report.

Firms Are Less Likely to Invest in Cyber Insurance

While the United States dominates the cyber insurance market, Europe is expected to witness accelerated growth in the coming years, driven by increasing awareness and adoption among businesses. Smaller firms, despite facing heightened cyber risks, are less likely to invest in cyber insurance due to limited awareness and perceived complexity.

Earlier in 2024, Howden introduced a new cyber insurance platform tailored for small and medium-sized enterprises (SMEs). This initiative aims to simplify the process of obtaining comprehensive cyber insurance coverage, crucial for protecting businesses from financial devastation following cyber incidents. The platform, designed for SMEs with revenues up to $250 million, offers streamlined access to up to $6 million in coverage, supported by leading global carriers.

Jean Bayon de La Tour, International Head of Cyber at Howden, highlighted the platform's user-friendly interface and rapid quotation process, facilitated by open APIs. This approach ensures that SMEs receive high-quality cyber insurance without the traditional complexities associated with policy procurement. The platform also integrates advanced data analytics tools, including Cyberwrite, to provide businesses with actionable insights before and after policy issuance.

Shay Simkin, Global Head of Cyber at Howden, emphasized the platform's role in bridging the cyber insurance gap for SMEs, critical given the growing cyber threats faced by small businesses. Simkin stressed the platform's comprehensive coverage terms, including breach response and enhanced policy wording, aimed at fortifying businesses against cyber threats.
CocoaPods vulnerabilities reported today could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications, potentially affecting "almost every Apple device." E.V.A Information Security researchers found that the three vulnerabilities in the open source CocoaPods dependency manager were present in applications provided by Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams), as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more. The vulnerabilities have been patched, yet the researchers still found 685 Pods “that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases.” The widespread issue is further evidence of the vulnerability of the software supply chain. The researchers wrote that they often find that 70-80% of the client code they review “is composed of open-source libraries, packages, or frameworks.”

The CocoaPods Vulnerabilities

The newly discovered vulnerabilities – one of which (CVE-2024-38366) received a 10 out of 10 criticality score – actually date from a May 2014 CocoaPods migration to a new ‘Trunk’ server, which left 1,866 orphaned pods that owners never reclaimed. The other two CocoaPods vulnerabilities (CVE-2024-38368 and CVE-2024-38367) also date from the migration. For CVE-2024-38368, the researchers said that in analyzing the source code of the ‘Trunk’ server, they noticed that all orphan pods were associated with a default CocoaPods owner, and that the email created for this default owner was unclaimed-pods@cocoapods.org. They also noticed that the public API endpoint to claim a pod was still available, and that the API “allowed anyone to claim orphaned pods without any ownership verification process.” “By making a straightforward curl request to the publicly available API, and supplying the unclaimed targeted pod name, the door was wide open for a potential attacker to claim any or all of these orphaned Pods as their own,” wrote Reef Spektor and Eran Vaknin.

Once they took over a Pod, an attacker would be able to manipulate the source code or insert malicious content into the Pod, which “would then go on to infect many downstream dependencies, and potentially find its way into a large percentage of Apple devices currently in use.” Earlier in 2014, a change was committed to the CocoaPods ‘Trunk’ source code implementing MX record validation for registered emails. The changes created a new attack path that was identified by analyzing the registration flow, resulting in the CVE-2024-38366 vulnerability. The changes introduced a new verification process for the user-provided email address using the third-party Ruby gem package rfc-822, which can be attacked in a few ways, potentially resulting in attacks that could “dump pod owners’ session tokens, poison client’s traffic or even shut down the server completely.” In CVE-2024-38367, the researchers found they could spoof XFH headers to engineer a zero-click account takeover by defeating email security boundaries. “Using this method, we managed to take over the owner accounts of some of the most popular CocoaPods packages,” the researchers said. “Potentially we could have used these accounts for highly damaging supply chain attacks that could impact the entire Apple ecosystem.”

DevOps Teams: Get to Work

While the vulnerabilities have been patched, the work for developers and DevOps teams is just getting started. Developers and DevOps teams that have used CocoaPods in recent years - particularly before October 2023 - "should verify the integrity of open source dependencies used in their application code,” the E.V.A researchers said. “The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package.” Downstream dependencies could mean that thousands of applications and millions of devices were exposed over the last few years, and close attention should be paid to software that relies on orphaned CocoaPods packages that do not have an owner assigned to them. Developers and organizations should review the dependency lists and package managers used in their applications, validate checksums of third-party libraries, perform periodic scans to detect malicious code or suspicious changes, keep software updated, and limit the use of orphaned or unmaintained packages. "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use of these tools."
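One concrete way to act on the checksum-validation advice above is to diff the Podfile.lock that a fresh install produces against the copy committed to version control, and flag any pod whose pinned version is unchanged but whose podspec checksum is not. The Python script below is an added example, not code from E.V.A or the CocoaPods project; the pod names and checksums in it are constructed.

```python
"""Detect podspec drift between two CocoaPods lockfiles.

Podfile.lock pins each pod's version and the SHA-1 of the podspec CocoaPods
fetched for it. A podspec republished for an already-released version (which
a takeover of the pod's Trunk ownership would permit) leaves the version
unchanged but alters the checksum; diffing a fresh `pod install` lock against
the committed copy surfaces exactly that condition.
"""
import re

# Constructed baseline lockfile, standing in for the Podfile.lock committed
# to version control (not from any real project).
BASELINE_LOCK = """\
PODS:
  - AFNetworking (4.0.1):
    - AFNetworking/NSURLSession (= 4.0.1)
  - AFNetworking/NSURLSession (4.0.1)
  - OldHelperPod (1.2.0)
  - SDWebImage (5.18.5)

DEPENDENCIES:
  - AFNetworking (~> 4.0)
  - OldHelperPod
  - SDWebImage (~> 5.18)

SPEC CHECKSUMS:
  AFNetworking: 3bd23d814e976cd148d7d44c3ab78017b744cd58
  OldHelperPod: 0123456789abcdef0123456789abcdef01234567
  SDWebImage: 93c15de59ca4bb95c0b9cab13b4cc1d3f8d3b42c

COCOAPODS: 1.14.3
"""

# Constructed "fresh install" lockfile: SDWebImage took an ordinary version
# bump, while OldHelperPod kept version 1.2.0 but its podspec checksum changed.
CURRENT_LOCK = (
    BASELINE_LOCK
    .replace("SDWebImage (5.18.5)", "SDWebImage (5.18.6)")
    .replace("SDWebImage: 93c15de59ca4bb95c0b9cab13b4cc1d3f8d3b42c",
             "SDWebImage: 5fbb3a0a1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f")
    .replace("OldHelperPod: 0123456789abcdef0123456789abcdef01234567",
             "OldHelperPod: fedcba9876543210fedcba9876543210fedcba98")
)

# Root pod entries are indented exactly two spaces; the transitive dependency
# lines beneath them are indented four and therefore never match.
_ROOT_POD = re.compile(r"^  - (\S+) \(([^)]+)\):?$", re.MULTILINE)
_CHECKSUM = re.compile(r"^  (\S+): ([0-9a-f]{40})$", re.MULTILINE)


def _section(text: str, header: str) -> str:
    """Return the indented body of one top-level lockfile section."""
    m = re.search(rf"^{header}:\n((?:  .*\n)*)", text, re.MULTILINE)
    return m.group(1) if m else ""


def parse_lock(text: str) -> dict[str, tuple[str, str]]:
    """Map each root pod name to (version, podspec checksum)."""
    versions = {name: ver for name, ver in _ROOT_POD.findall(_section(text, "PODS"))
                if "/" not in name}      # subspecs share the root pod's spec
    checksums = dict(_CHECKSUM.findall(_section(text, "SPEC CHECKSUMS")))
    return {name: (ver, checksums.get(name, "")) for name, ver in versions.items()}


def diff_locks(baseline: str, current: str) -> dict[str, list[str]]:
    """Classify every difference between two lockfiles.

    'spec_drift' (same pinned version, different podspec checksum) is the class
    to investigate before accepting the new lock; the rest are ordinary
    dependency changes that still belong in code review.
    """
    old, new = parse_lock(baseline), parse_lock(current)
    findings = {"spec_drift": [], "version_change": [], "added": [], "removed": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            findings["added"].append(name)
        elif name not in new:
            findings["removed"].append(name)
        elif old[name][0] != new[name][0]:
            findings["version_change"].append(name)
        elif old[name][1] != new[name][1]:
            findings["spec_drift"].append(name)
    return findings


if __name__ == "__main__":
    for kind, pods in diff_locks(BASELINE_LOCK, CURRENT_LOCK).items():
        if pods:
            print(f"{kind:15s} {', '.join(pods)}")
```

The lock's checksum covers only the podspec, not the fetched source, so a spec that points at a mutable git branch or tag can change what it downloads with no drift at all; pin such sources to a commit as well.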
It’s been almost two weeks since the CDK Global cyberattack paralyzed the US automotive industry, and many car sales outlets are still limping back to normalcy. The CDK Global cyberattack has reportedly racked up millions of dollars in losses for dealerships. According to a report by CNN, the cyberattack has made it difficult for dealers to track customer interactions, orders and sales.

Background of CDK Global Cyberattack

On June 19, 2024, CDK Global, a provider of software solutions to around 15,000 auto dealerships across the United States, experienced a cyberattack. On June 21, the company disclosed that it had experienced twin cyberattacks in the same week. The cyberattacks had a profound impact on major clients of CDK Global, including General Motors dealerships, Group 1 Automotive, Asbury Automotive Group, AutoNation, Lithia Motors, Penske, Sonic Automotive and Holman, which operates dealerships across the U.S. These dealerships rely heavily on CDK’s software to manage their daily operations, from sales transactions to inventory management. CNN reported that due to the outage, some dealers started fulfilling orders with pen and paper. Other services, such as state inspections, repairs and parts deliveries, came to a standstill in some parts of the country. After the initial attack, CDK Global shut down most of its systems to investigate the incident and restore systems. “We are actively investigating a cyber incident,” the company had said. “Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible.”

How Victim Firms Responded to Cyberattacks

In response to the cyberattacks, Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive activated their incident response plans and disconnected from CDK systems as a precaution. Sonic Automotive mentioned that as of June 24, the extent to which the attackers accessed customer data remained unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition.

Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business, which serves business customers, has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but “slower than normal.” It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which include 206 franchises representing 31 domestic and foreign vehicle brands.

Cyberattack Could Almost Cost a Billion in Losses: Report

An estimate prepared by the Anderson Economic Group reported that the cyberattacks on CDK could result in approximately $944 million in direct losses due to business interruptions for affected car dealers if the outage lasts a full three weeks. In an automated voice message to its clients on Friday, CDK said it was making progress in bringing some dealerships back online but did not expect the issue to be entirely resolved until July. “We do feel it’s important to share that we do not believe that we will be able to get all dealers live prior to June 30,” the message said. The CNN report, quoting a CDK spokesperson, said, “We have successfully brought two small groups of dealers and one large publicly traded dealer group live on the Dealer Management System (DMS). We are also actively working to bring live additional applications — including our Customer Relationship Management (CRM) and Service solutions — and our Customer Care channels.

“We understand and share the urgency for our customers to get back to business as usual, and we will continue providing updates as more information is available,” the CDK spokesperson added.
When writing about threats, vulnerabilities, high-profile investigations or technologies, we often mention our experts of various specializations. Generally speaking, Kaspersky's experts are highly qualified employees specialized in their particular field who research new cyberthreats, invent and implement breakthrough methods to combat them, and also help our clients deal with the most serious of incidents. There are many fields for using their talents; most of them fall within the competence of one of our five so-called centers of expertise.

Kaspersky Global Research and Analysis Team (GReAT)

Our best known team in the cybersecurity industry is the Global Research and Analysis Team (GReAT). It's a tightly knit collective of top-notch cybersecurity researchers specializing in studying APT attacks, cyber espionage campaigns, and trends in international cybercrime. Representatives of this international team are strategically located in our offices around the world to ensure immersion into regional realities and provide the company with a global perspective of the most advanced threats emerging in cyberspace. In addition to identifying sophisticated threats, GReAT experts also analyze cyber-incidents related to APT attacks, and monitor the activity of more than 200 APT groups. As a result of their work, our clients receive improved tools to combat advanced threats, as well as exclusive Kaspersky APT and Crimeware Intelligence reports containing tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs) useful for building reliable protection.

Kaspersky Threat Research

Kaspersky Threat Research are the experts whose work lies at the foundation of our products' protective mechanisms – they study all the details of attackers' tactics, techniques and procedures, and drive the development of new cybersecurity technologies. These experts are primarily engaged in analyzing new cyberthreats and are responsible for ensuring that our products successfully identify and block them (detection engineering). Threat Research includes (i) Anti-Malware Research (AMR), whose experts deal with software (including malware, LOLBins, greyware, etc.) used by cyberattackers; and (ii) Content Filtering Research (CFR), which is responsible for analysis of threats associated with communication via the internet (such as phishing schemes and spam mailings). Attackers work hard to circumvent protective technologies, which is why we pay special attention to the security of our own products. The Threat Research expertise center also includes the Software Security team, which mitigates the risks of vulnerabilities in Kaspersky solutions. In particular, they're responsible for the secure software development life cycle (SSDLC) process, the bug bounty program, and for ensuring that our secure-by-design solutions (our own operating system – KasperskyOS – and products based on it) really are secure.

Kaspersky AI Technology Research

We all know how hyped AI technology is today, and how popular the topics of AI in cybersecurity and Secure AI are on the market. Our team provides a range of options in our solutions, from ML (machine learning) and AI-enhanced threat discovery and alert triage to prototype GenAI-driven Threat Intelligence. For over two decades, our products and services have incorporated aspects of artificial intelligence to enhance security, privacy, and business protection. Kaspersky AI Technology Research applies data science and machine learning to detect various cyberthreats, including malware, phishing and spam on a large scale – contributing to the detection of more than 400,000 malicious objects daily. To detect more complex, targeted attacks, you have to juggle massive numbers of events and alerts coming from different levels of the IT infrastructure. Proper aggregation and prioritization of these alerts are crucial. Without AI-powered automation, it's easy for a security-operations-center analyst to get overwhelmed and overlook critical alerts amid the multitude of security notifications.

Better alert triage and prioritization – especially with machine learning – is a top priority for our detection and response solutions (EDR, SIEM, XDR and MDR services). Generative AI (GenAI) technologies open up new possibilities in cybersecurity. Kaspersky researchers are working on applying GenAI to various tasks in products ranging from XDR to Threat Intelligence to help cybersecurity analysts cope with the daily deluge of information, automate routine tasks, and get faster insights, amplifying their analytical capabilities and enabling them to focus more on investigating complex cases and researching complex threats. We also use artificial intelligence to protect complex industrial systems. Our Kaspersky Machine Learning for Anomaly Detection (MLAD) solution enables our products to detect anomalies in industrial environments – helping identify early signs of potential compromise. As AI systems are inherently complex, Kaspersky AI Technology Research also works on identifying potential risks and vulnerabilities in AI systems – from adversarial attacks to new GenAI attack vectors.

Kaspersky Security Services

Kaspersky Security Services experts provide complementary services for information security departments at the largest enterprises worldwide. Its service portfolio is built around the main task of security departments – addressing incidents and their impact: detection, response, exercises, and process-wise operational excellence. Whenever organizations face a security crisis, our team is dedicated to building a complete picture of the identified attack, and sharing recommendations for response and impact minimization. Our Global Emergency Response Team is located on all continents and is involved in hundreds of incident responses yearly. For organizations that require continuous incident detection, there's our Managed Detection and Response service. The Kaspersky SOC experts behind this service monitor suspicious activity in customers' infrastructure, and help respond to incidents in a timely manner and minimize their impact. Our MDR operates worldwide and is top-rated by customers. Developing and measuring security maturity, preparing for real-world attacks, discovering vulnerabilities and more are the goals of our various Security Assessment services. Among other things, they can: evaluate SOC readiness to protect critical business functions with attack simulations (red teams); assess attackers' chances of penetrating your network and gaining access to critical business assets with our penetration testing service; and identify critical vulnerabilities by deeply analyzing complex software solutions with our application security service. If a company needs to build its own SOC, or assess the maturity level or development capabilities of an existing one, our SOC Consulting experts share their vast experience in security operations gained while working with different industries, and with organizations of different sizes and budgets. Before, during and after an attack, cybercriminals leave traces of their activities outside the attacked organization. Our Digital Footprint Intelligence experts identify suspicious activities on cybercriminal marketplaces, forums, instant messengers and other sources to promptly notify an organization about compromised credentials, someone selling access to its internal corporate network or data from its internal databases, and so on.

Kaspersky ICS CERT

Our industrial systems cybersecurity research center (Kaspersky ICS CERT) is a global project whose main goal is assisting manufacturers, owners and operators, and research teams in ensuring the cybersecurity of industrial automation systems and other M2M (machine-to-machine) solutions (building automation systems, transportation, medical systems and so on). Kaspersky ICS CERT experts constantly analyze various products and technologies, evaluate their security level, report information about vulnerabilities to their manufacturers, and inform users of vulnerable solutions about the corresponding risks. In addition to searching for zero-day vulnerabilities, our CERT team analyzes publicly available information on vulnerabilities in ICS products, finds and eliminates multiple inaccuracies in it, and adds its own recommendations for reducing the risks to end users. Kaspersky ICS CERT specialists also identify and study attacks on organizations in the industrial sector, provide assistance in incident response and digital forensics, and share analytical information about attacks as well as indicators-of-compromise data feeds based on the results of their research. In addition, our experts contribute to the engineering of sectoral and governmental regulations in the field of industrial cybersecurity, transportation, and the industrial Internet of Things; develop and conduct training for information-security specialists and employees of industrial organizations; and provide various consulting services. Kaspersky spends huge amounts of resources – including a significant portion of its profits – on developing its expertise. Our experts research cyberthreats relevant to even the most remote corners of the globe, and understand the specific needs of all customers – no matter where they are. Thanks to the contribution of the above-listed centers of expertise, our services and solutions are constantly being improved and so always remain ready to counter the most non-trivial of attacks and identify the latest cyberthreats.
Although not yet exploited in the wild, the max-critical authentication bypass bug could allow adversaries to take over unpatched Juniper Session Smart Routers and Conductors, and WAN Assurance Routers, the company warns.
If security researchers can execute a guest-to-host attack using a zero-day vulnerability in the KVM open source hypervisor, Google will make it worth their while.
Critical dependency manager supply chain vulnerabilities have exposed millions and millions of devices to arbitrary malware for the better part of a decade.
The flaw, which has a CVSS score of 9.8, allows threat actors to perform path traversal attacks and gain unauthorized access to sensitive information, including user passwords.
Juniper Networks has released an emergency update to address a severe vulnerability in Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products.
Approximately 700,000 external internet-facing instances are vulnerable, accounting for 31% of global instances with OpenSSH. Additionally, a small percentage of vulnerable instances are running an End-Of-Life/End-Of-Support version of OpenSSH.
A man in Australia was charged with operating fake Wi-Fi networks on a commercial flight to steal passengers' email and social media credentials. The investigation began when an airline reported a suspicious Wi-Fi network during a domestic flight.
These sites are promoted through compromised YouTube channels, lending them credibility. One particular error, the 0x80070643 error, which appeared after a Microsoft security update, has been exploited by threat actors.
Researchers found a public GitHub repo where the operators of Polyfill.io accidentally exposed their Cloudflare secret keys. By using these leaked API keys, they were able to confirm that a single entity was behind the attack on all four domains.
Brain Cipher ransomware has been uploaded to various malware-sharing sites, created using the leaked LockBit 3.0 builder. The encryptor used by Brain Cipher appends an extension and encrypts the file name of the encrypted files.
The Series C funding will allow San Francisco-based Odaseva to provide more robust support to clients dealing with stringent data residency regulations and evolving privacy laws around the globe, according to founder and CEO Sovan Bin.
Remote access solution provider TeamViewer confirmed that the Russian hacking group APT29 breached its corporate IT environment. The hack on TeamViewer was traced back to an employee account.
Last year, Skybox Security reported that there were over 30,000 new vulnerabilities, with a new vulnerability emerging every 17 minutes on average. This amounts to around 600 new vulnerabilities per week.
Multiple critical vulnerabilities have been discovered in Emerson gas chromatographs, which could potentially enable unauthorized access to sensitive data, cause denial-of-service attacks, and execute arbitrary commands.
Scraper bots have a negative impact on various aspects of an organization, including revenue, competitive advantage, brand identity, customer experience, infrastructure costs, and digital experience.
A report by E.V.A Information Security reveals that Apple's popular dependency manager, CocoaPods, has been plagued with three critical vulnerabilities for several years.
Ubuntu Security Notice 6859-1 - It was discovered that OpenSSH incorrectly handled signal management. A remote attacker could use this issue to bypass authentication and remotely access systems without proper credentials.
Debian Linux Security Advisory 5724-1 - The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges. This flaw affects sshd in its default configuration.
Gentoo Linux Security Advisory 202407-8 - Multiple vulnerabilities have been discovered in GNU Emacs and Org Mode, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 26.3-r16:26 are affected.
Gentoo Linux Security Advisory 202407-7 - A vulnerability has been discovered in cpio, which can lead to arbitrary code execution. Versions greater than or equal to 2.13-r1 are affected.
Qualys has discovered a signal handler race condition vulnerability in OpenSSH's server, sshd. If a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe - for example, syslog(). This race condition affects sshd in its default configuration.
This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
Ubuntu Security Notice 6858-1 - It was discovered that eSpeak NG did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.
Gentoo Linux Security Advisory 202407-6 - Multiple vulnerabilities have been discovered in cryptography, the worst of which could lead to a denial of service. Versions greater than or equal to 42.0.4 are affected.
Gentoo Linux Security Advisory 202407-5 - A vulnerability has been discovered in SSSD, which can lead to arbitrary code execution. Versions greater than or equal to 2.5.2-r1 are affected.
Ubuntu Security Notice 6855-1 - Mansour Gashasbi discovered that libcdio incorrectly handled certain memory operations when parsing an ISO file, leading to a buffer overflow vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code.
Gentoo Linux Security Advisory 202406-6 - Multiple vulnerabilities have been discovered in GStreamer and GStreamer Plugins, the worst of which could lead to code execution. Versions greater than or equal to 1.22.11-r1 are affected.
Gentoo Linux Security Advisory 202407-2 - A vulnerability has been discovered in SDL_ttf, which can lead to arbitrary memory writes. Versions greater than or equal to 2.20.0 are affected.
Gentoo Linux Security Advisory 202407-4 - A vulnerability has been discovered in Pixman, which can lead to a heap buffer overflow. Versions greater than or equal to 0.42.2 are affected.
Gentoo Linux Security Advisory 202407-3 - A vulnerability has been discovered in Liferea, which can lead to remote code execution. Versions greater than or equal to 1.12.10 are affected.
Gentoo Linux Security Advisory 202407-1 - A vulnerability has been discovered in Zsh, which can lead to execution of arbitrary code. Versions greater than or equal to 5.8.1 are affected.
Customer Support System version 1.0 suffers from a persistent cross site scripting vulnerability. Original discovery of cross site scripting in this version is attributed to Ahmed Abba in November of 2020.
Red Hat Security Advisory 2024-4197-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a HTTP response splitting vulnerability.
Red Hat Security Advisory 2024-4179-03 - An update for pki-core is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2024-3637-03 - Secondary Scheduler Operator for Red Hat OpenShift 1.3.0 for RHEL 9. Issues addressed include denial of service and memory exhaustion vulnerabilities.
Juniper Networks has released out-of-band security updates to address a critical security flaw that could lead to an authentication bypass in some of its routers. The vulnerability, tracked as CVE-2024-2973, carries a CVSS score of 10.0, indicating maximum severity. “An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or Conductor
The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. "These APKs continue the group's trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans," SentinelOne security researcher Alex
Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware. The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. The issue has since been remediated by Conceptworld as of June 24
At the heart of every application are secrets. Credentials that allow human-to-machine and machine-to-machine communication. Machine identities outnumber human identities by a factor of 45-to-1 and represent the majority of secrets we need to worry about. According to CyberArk's recent research, 93% of organizations had two or more identity-related breaches in the past year. It is clear that we
OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems. The vulnerability has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any of the client
A trio of security flaws has been uncovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting downstream customers at severe risks. The vulnerabilities allow "any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and
Here’s how cybercriminals go after YouTube channels and use them as conduits for fraud – and what you should watch out for when watching videos on the platform