The Israeli hacker group 'WeRedEvils' has claimed responsibility for reported WiFi outages in Iran, according to a report originally published by Israeli media Jerusalem Post. This is not the first time the group has targeted foreign countries, having previously hacked into the main project management system for oil infrastructure in Iran. Earlier, the group also claimed to have successfully blocked WhatsApp accounts of the Hadid family members and cut off the internet in Yemen in retaliation for Houthi missile launches. The recent attack against Iran follows an earlier threat of a strike against the country from the WeRedEvils hacker group.

WeRedEvils' Statements and Previous History

Shortly before the internet disruptions were reported in Iran, the hacking group posted a message on their Telegram channel, warning, "In the coming minutes, we will attack internet systems and providers in Iran. A severe blow is on the way."

Source: Telegram (https://t.me/weredevilsog/498)

True to their word, the group later claimed to have successfully breached Iran's communications system, stating, "We managed to get our hands on vital and sensitive software that we will not go into detail about here, we are sure that Iran already understands the extent of the damage it currently has."

The extent of the internet outages in Iran remains unclear, with conflicting reports from the country. The Jerusalem Post reported that many users in Iran had commented on social media about experiencing internet disruptions in parts of the country, including internet blackouts in certain areas of Tehran. However, public communication networks in Iran are often patchy, with many relying on cellular connectivity rather than fixed-line internet.

According to an X account identifying as an independent media channel covering news in Iran, public reports have identified the following regions as having their internet disrupted or severely reduced: Karaj, Borujerd, Arstan Region 15, Kianshahr, Mashhad, Golestan, Darab, Kermanshah, Izeh, Zahedan, Rasht, Hamadan and Khuzestan.

Source: X.com (@Simorgh_News)

This is not the first time the "We Red Evils Original" hacking group has claimed responsibility for attacks on foreign countries. In October 2023, the group asserted responsibility for a hack into the management system for oil infrastructure in Iran, warning that the damage could potentially "cause mass destruction in the event of internal leaks or overheating." The group warned that the next strike would be harder and more harmful: "Don't play with fire. The next strike will be harder with many more harmed, and it will be different from the cyber attacks that you're familiar with."

In November 2023, the hackers also claimed to have successfully blocked all members of the Hadid family from their WhatsApp accounts, providing screenshots and contact details as proof, along with cutting off the internet in Yemen in retaliation for Houthi missile launches, a claim that was corroborated by the internet observatory NetBlocks.

Timing and Potential Retaliation

The timing of this latest attack on Iran's internet infrastructure is particularly significant, as it comes shortly after the reported assassination of Hamas' political leader, Ismail Haniyeh, in Tehran on Wednesday. The attack has been attributed to Israel's military, and Iran is reportedly preparing to avenge the killing. As the weekend begins in Iran, it remains to be seen whether any further details or confirmation of the extent of the internet outages will emerge from within the country.
The situation underscores the ongoing cyber warfare between Israel and Iran, with each side seeking to gain the upper hand through digital means.
The latest report from the Government Accountability Office (GAO) highlights a pressing need for the Environmental Protection Agency (EPA) to bolster its strategy for water sector cybersecurity. As cyber threats increasingly jeopardize the safety and reliability of water and wastewater systems across the United States, the GAO is calling for more cybersecurity measures to protect these critical infrastructures from attacks.

The water sector, encompassing nearly 170,000 water and wastewater systems nationwide, faces escalating cybersecurity risks. The GAO's new report highlights the vulnerability of these systems to cyberattacks, which have the potential to disrupt public health and the environment significantly.

Water Sector Cybersecurity is Priority Amid Rise of Cyberattacks

In 2023, Iranian-linked hackers targeted a water system near Pittsburgh in an act of geopolitical protest. Similarly, China-backed hackers have been implicated in attempting to breach drinking water systems, possibly aiming to gain control during times of political tension. Moreover, insider threats are a concern, as demonstrated by a 2019 incident where a former employee allegedly compromised a Kansas utility's water treatment systems.

Source: GAO

Despite these lapses in water sector cybersecurity, the water sector's approach remains fragmented and reactive. Many utilities are grappling with outdated technology that complicates efforts to integrate modern cybersecurity measures. Furthermore, the sector's investment in cybersecurity is often overshadowed by the immediate need to comply with regulatory requirements, which tend to prioritize water quality over cybersecurity.

Currently, the EPA's approach relies on voluntary cooperation from utilities, which has proven insufficient given the magnitude and sophistication of current cyber threats. As a result, improvements in cybersecurity have been largely voluntary and inconsistent. The GAO's report highlights that while the EPA has engaged in some efforts to improve water sector cybersecurity, it has not conducted a comprehensive assessment of risks or developed a risk-informed strategy. This lack of a unified approach hampers the EPA's ability to address the sector's most significant threats effectively.

The Need for a National Cybersecurity Strategy

The GAO recommends that the EPA take decisive steps to strengthen water sector cybersecurity. Specifically, the report calls for the development of a national cybersecurity strategy that addresses sector-wide risks. The EPA must assess whether it requires additional authority to enforce cybersecurity improvements and ensure that water systems adhere to best practices for safeguarding against cyber threats. Although the EPA has made some strides, such as enhancing enforcement activities and collaborating with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), a more structured and proactive strategy is necessary.

The report also points out gaps in the current cybersecurity framework for water systems, including workforce skill deficiencies and the challenge of updating older technologies. The EPA's efforts to mandate cybersecurity assessments at drinking water systems were stymied by legal challenges, demonstrating the need for a clearer and more authoritative regulatory approach.

The GAO has outlined four key recommendations for the EPA: conducting a comprehensive sector risk assessment, developing and implementing a national cybersecurity strategy, evaluating the adequacy of its legal authority, and seeking additional authority if necessary. The EPA has agreed with these recommendations and is expected to release an evaluation of its authorities and a risk assessment strategy by mid-2025. Cybersecurity risks to water systems are not just theoretical; they present a real threat, as recent attacks against these systems from nation-state actors and cybercriminals have shown.
In a shocking discovery, cybersecurity researcher Jeremiah Fowler recently uncovered a trove of over 4.6 million sensitive voter data records and election documents that were left vulnerable and exposed online. The documents, which included voter records, ballot templates, and other election-related materials, were found in 13 unprotected databases managed by an Illinois-based technology contractor.

According to the researcher's findings, the databases belonged to a company called Platinum Technology Resource, which provides election technology and services to counties across Illinois. By simply replacing the county name in the database URLs, the researcher was able to identify additional exposed databases, some of which were password-protected but still at risk of unauthorized access.

4.6 Million Illinois Voter Data Exposure Raises Concerns

The exposed databases contained a trove of sensitive personal information, including voter names, addresses, dates of birth, Social Security numbers, and driver's license numbers. Fowler also discovered documents with candidate information, such as phone numbers, email addresses, and home addresses, as well as petitions with voter signatures.

Source: https://www.vpnmentor.com/

While the researcher found no immediate signs of wrongdoing, the potential risks posed by this data exposure are significant. Malicious actors could use the information for voter intimidation, disinformation campaigns, or even identity theft and fraud. "Having PII of voters would potentially allow malicious actors to send them misleading information (about voting dates, locations, or requirements) based on their party affiliation," the researcher explained. He added, "Another possible risk is voter intimidation, which includes using past voter history to threaten or harass voters."

According to the contractor's website, the company has provided election-related services to the region for decades: "Platinum Technology Resource has been providing election technology and services to counties throughout the State of Illinois for over thirty-five (35) years. Through voter registration, election-day support, ballot management, tabulation, and election management software, we have incorporated lessons learned into our product PlatinumVR".

Need for Enhanced Data Protection Measures

The exposure of the huge volume of sensitive election data underscores the importance of robust cybersecurity measures to protect the integrity of the electoral process. Since 2017, the Department of Homeland Security has classified election infrastructure as critical, recognizing the devastating impact that an attack on these systems could have. "It is important to maintain public trust in the electoral process in the United States and democracies around the world," the researcher said. "This trust is especially true in the wake of the 2020 election, when the integrity of the process was called into question," he added.

To address this issue, the researcher recommends that organizations managing sensitive election data implement a combination of access controls and encryption to secure their databases. This includes using unique, time-limited access tokens to grant authorized users the ability to retrieve documents, rather than relying solely on password protection. "Voters and election officials alike need access to documents for tracking and validation purposes, and those documents must be stored somewhere," the researcher said. "It is important that these storage areas are fully protected at the database level and not just when using a front-facing password-protected dashboard that still exposes the document itself to anyone who knows the URL address," the researcher expressed.

As the 2024 election season approaches, the need to safeguard the electoral process of the United States has never been more urgent. The exposure of this vast trove of voter and election data serves as a stark reminder of the critical importance of cybersecurity in preserving the integrity of democratic institutions.
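The recommendation above (per-document, time-limited access tokens checked at the storage layer rather than a dashboard password in front of a guessable URL) can be illustrated with a small server-side routine. The following is an added example written for this article; it is not code from the researcher, vpnMentor, or the contractor. The signing key, document identifiers and document contents are constructed placeholders, and the token layout (base64url payload plus an HMAC-SHA256 tag) is one reasonable design among several.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Hypothetical server-side signing key. In a real deployment it would come from a
# secrets store and be rotated; it is hard-coded here only so the example runs offline.
SERVER_SECRET = b"example-signing-key-do-not-reuse"


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(document_id: str, user_id: str, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Mint a token granting one user access to one document until `exp`.

    Layout: base64url(payload) "." base64url(HMAC-SHA256(payload)). Because the
    payload names the document, a token for one county's file cannot be reused
    for another simply by editing the URL.
    """
    issued_at = time.time() if now is None else now
    payload = json.dumps(
        {"doc": document_id, "sub": user_id, "exp": int(issued_at + ttl_seconds)},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def verify_token(token: str, document_id: str,
                 now: Optional[float] = None) -> Optional[Dict]:
    """Return the claims if the token is authentic, unexpired and bound to
    `document_id`; otherwise None. Every failure path returns None so the
    caller cannot accidentally serve a document on a malformed token."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time tag comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    current = time.time() if now is None else now
    if claims.get("doc") != document_id or current >= claims.get("exp", 0):
        return None
    return claims


# Constructed document store standing in for the database that held the files.
DOCUMENT_STORE: Dict[str, bytes] = {
    "sample-county/ballot-template.pdf": b"%PDF-1.4 constructed sample ballot template",
    "sample-county/voter-roll.csv": b"constructed,sample,voter,roll",
}


def serve_document(document_id: str, token: str,
                   now: Optional[float] = None) -> Optional[bytes]:
    """Storage-layer fetch: the token check happens here, not only in a dashboard
    in front of the store, so knowing the URL alone yields nothing."""
    if verify_token(token, document_id, now) is None:
        return None
    return DOCUMENT_STORE.get(document_id)


if __name__ == "__main__":
    doc = "sample-county/ballot-template.pdf"
    tok = issue_token(doc, "clerk@example", ttl_seconds=600)
    print("valid token served:", serve_document(doc, tok) is not None)
    print("same token, other document:", serve_document("sample-county/voter-roll.csv", tok))
```

The point of the design is that the check is bound to the object and the clock, not to a front-end session: swapping the county name in the path, replaying an old link, or editing the expiry all fail at the store itself.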
A security flaw in Rockwell Automation's Logix controllers has been highlighted. This security bypass vulnerability, identified as CVE-2024-6242, affects various models within the Logix family of programmable logic controllers (PLCs) and presents a notable risk to industrial automation systems worldwide. Specifically, it exploits a weakness in the Trusted Slot feature of the ControlLogix 1756 chassis, integral to many industrial control systems.

Decoding the Rockwell Automation Security Bypass Vulnerability

The Trusted Slot feature of the Rockwell Automation Logix controller is designed to prevent untrusted communication channels from interacting with the PLC's central processing unit (CPU). However, the flaw allows an attacker to circumvent this safeguard, potentially enabling unauthorized modifications to user projects and device configurations. Claroty's detailed analysis, published on August 1, 2024, highlights the potential for an attacker with access to an affected 1756 chassis to exploit this vulnerability. The flaw allows attackers to send commands that can change settings or add unauthorized programs to the PLC CPU, bypassing the Trusted Slot security.

The security bypass vulnerability affects various Rockwell Automation products, including the ControlLogix® 5580 (1756-L8z) and GuardLogix 5580 (1756-L8zS) with firmware versions up to V28 and V31, respectively. These issues are resolved in firmware versions V32.016, V33.015, V34.014, and V35.011 or later. The 1756-EN4TR with version V2 is also affected but fixed in V5.001 and later. Series A/B/C models of 1756-EN2T, 1756-EN2F, 1756-EN2TR, and 1756-EN3TR lack fixes and are advised to upgrade to Series D or C. For those unable to upgrade, Rockwell Automation suggests mitigating the risk by setting the mode switch to RUN, which limits the CIP commands the controller accepts and reduces the potential for exploitation of the security bypass vulnerability.

Technical Details and Risk Evaluation

As outlined in the CVE-2024-6242 advisory by CISA, this flaw enables an attacker to exploit the CIP protocol to jump between local backplane slots within the chassis. This results in bypassing the intended security boundary and allows communication with the CPU from an untrusted network card.

Source: Claroty

CVE-2024-6242 has been rated with a CVSS v3.1 Base Score of 8.4/10 and a CVSS v4.0 Base Score of 7.3/10. The vulnerability is categorized under CWE-420: Unprotected Alternate Channel. The CVSS v3.1 vector includes metrics for access vector, attack complexity, privilege required, and others, while the CVSS v4.0 vector includes additional metrics for attack type, version complexity, and security impact.

Rockwell Automation's ControlLogix 1756 series, a robust platform for high-performance industrial automation, uses the CIP protocol for communication. This protocol facilitates data exchange between devices like sensors, actuators, and controllers within a network. The 1756 chassis serves as a modular enclosure housing various I/O modules and communication processors, crucial for device interoperability.

Mitigation Strategies

To address CVE-2024-6242, Rockwell Automation recommends updating affected products to the latest firmware versions. Users with devices that cannot be upgraded should apply the following mitigations: limit CIP commands by setting the mode switch to the RUN position, and minimize network exposure by ensuring control systems are not accessible from the internet. Employing firewalls to isolate control system networks from business networks and using updated Virtual Private Networks (VPNs) for secure remote access is also advised. The Cybersecurity and Infrastructure Security Agency (CISA) stresses the importance of conducting thorough impact analysis and risk assessment before implementing any defensive measures.

For future threat detection, a new Snort rule has been introduced to identify suspicious CIP routing behaviors that could indicate attempts to exploit vulnerabilities similar to CVE-2024-6242. This rule will monitor for abnormal CIP Forward Open Requests involving local chassis redirections, enhancing the capability to detect and respond to potential threats.

Overall, the discovery of this vulnerability highlights the critical need for organizations to maintain up-to-date firmware and robust security practices. Affected users should apply patches or mitigations promptly and remain vigilant in following cybersecurity best practices to protect against evolving threats in industrial control systems.
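To make "local chassis redirection" concrete, the following added example decodes the port segments of a CIP connection path (the EPATH carried in a Forward Open) and flags a path that re-enters the same backplane immediately after entering a slot. This is illustrative code written for this article, not the Snort rule mentioned above and not code from Claroty, Rockwell Automation or CISA. It assumes the standard CIP port-segment encoding (segment type 000, extended-link flag in bit 4, port number in the low nibble, link address following) and the 1756 convention that port 1 is the backplane; the three connection paths are constructed, not captured from any device.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption (ControlLogix 1756 convention): port 1 is the chassis backplane; the
# network side of a communication module uses a different port number (commonly 2).
BACKPLANE_PORT = 1


@dataclass
class PortHop:
    port: int
    link: bytes   # one-byte slot number, or an extended link address such as an ASCII IP


def parse_port_path(path: bytes) -> Tuple[List[PortHop], bytes]:
    """Decode the leading CIP port segments of a connection path (EPATH).

    Returns the ordered hops and the remaining bytes (normally logical segments
    such as 0x20 class / 0x24 instance that name the target object).
    """
    hops: List[PortHop] = []
    i = 0
    while i < len(path):
        seg = path[i]
        if seg >> 5 != 0b000:           # only segment type 000 is a port segment
            break
        extended_link = bool(seg & 0x10)
        port = seg & 0x0F
        i += 1
        if port == 0x0F:                # extended port: 16-bit little-endian port number follows
            port = int.from_bytes(path[i:i + 2], "little")
            i += 2
        if extended_link:               # length byte, address bytes, pad byte if length is odd
            n = path[i]
            i += 1
            link = path[i:i + n]
            i += n + (n % 2)
        else:                           # single link-address byte (the slot number)
            link = path[i:i + 1]
            i += 1
        hops.append(PortHop(port, link))
    return hops, path[i:]


def is_local_chassis_redirection(hops: List[PortHop]) -> bool:
    """Heuristic: two consecutive backplane hops mean the request entered a slot
    and was immediately routed back across the same backplane to another slot.
    A legitimate multi-chassis route has a network hop between backplane hops."""
    return any(a.port == BACKPLANE_PORT and b.port == BACKPLANE_PORT
               for a, b in zip(hops, hops[1:]))


def triage_forward_open(path: bytes) -> Dict[str, object]:
    """Summarise one connection path for an analyst or a detection pipeline."""
    hops, rest = parse_port_path(path)
    return {
        "hops": [(h.port, h.link) for h in hops],
        "target_segments": rest.hex(),
        "local_redirection": is_local_chassis_redirection(hops),
    }


# Constructed connection paths (not captures from any real device):
NORMAL_PATH = bytes([0x01, 0x00,                  # backplane -> slot 0 (controller)
                     0x20, 0x02, 0x24, 0x01])     # class 2 instance 1 (Message Router)
REDIRECTED_PATH = bytes([0x01, 0x03,              # backplane -> slot 3
                         0x01, 0x00,              # backplane again -> slot 0: re-entry
                         0x20, 0x02, 0x24, 0x01])
REMOTE_IP = b"192.168.1.5"
REMOTE_PATH = (bytes([0x01, 0x02])                                    # backplane -> slot 2 (comms module)
               + bytes([0x12, len(REMOTE_IP)]) + REMOTE_IP + b"\x00"  # port 2 -> IP (extended link, padded)
               + bytes([0x01, 0x00, 0x20, 0x02, 0x24, 0x01]))         # far chassis backplane -> slot 0


if __name__ == "__main__":
    for name, p in (("normal", NORMAL_PATH), ("redirected", REDIRECTED_PATH), ("remote", REMOTE_PATH)):
        print(name, triage_forward_open(p))
```

The remote case matters for tuning: a route that leaves through a communication module to another chassis also contains two backplane hops, but with a network hop between them, so only back-to-back backplane segments are flagged. In production such a check would sit on decoded CIP traffic (for example a Snort or Zeek ENIP/CIP parser) and be combined with the other mitigations above rather than used alone.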
Hong Kong's Secretary for Security, Chris Tang Ping-keung, has sought to clarify concerns surrounding the newly proposed Hong Kong cybersecurity bill, particularly its impact on US businesses operating in the region. Tang's reassurances come in response to queries raised by the American Chamber of Commerce in Hong Kong regarding the bill's scope and implications for privacy.

The bill in question, known as the Protection of Critical Infrastructure (Computer System) Bill, aims to bolster cybersecurity measures for essential infrastructures across eight key sectors. These sectors include energy, information technology, banking, communications, maritime, healthcare services, and land and air transport. If operators in these sectors fail to maintain up-to-date security for their critical computer systems, they could face fines of up to HK$5 million (approximately US$640,200), reported South China Morning Post.

The Controversy Surrounding Hong Kong Cybersecurity Bill

During a recent radio program, Tang addressed the concerns of the American Chamber of Commerce, which had submitted feedback during the one-month consultation period for the bill. Out of the 53 submissions received, only one, from a UK-based human rights organization, voiced opposition. Tang emphasized that the purpose of the bill is not to infringe on the privacy of businesses but to ensure the security of critical infrastructures. "We are not interested in the personal information or operational details of these businesses. Our sole focus is on ensuring that their systems are secure," Tang asserted. "If anyone suggests that the bill aims to monitor personal information, they are trying to mislead or alarm you," he cautioned.

The American Chamber of Commerce had expressed concerns about the broad inclusion of the information technology sector, suggesting it might inadvertently capture a wide range of technology companies not directly involved in managing critical infrastructure. They also requested clarity that the legislation would only apply to critical infrastructures and computer systems in Hong Kong, cautioning that any extraterritorial implications could impose excessive compliance costs and deter multinational investments.

In response, Tang argued that the inclusion of the information technology sector is crucial. He pointed out that many countries, including the United States, Australia, and Singapore, have similar regulations that encompass information technology due to its integral role in daily operations and cybersecurity. "The IT sector's involvement is essential to achieving the bill's goals. Omitting it could undermine the legislative intent and leave significant gaps in our cybersecurity framework," Tang explained.

Concerns for Hong Kong Cybersecurity

Furthermore, Tang addressed concerns about the new Hong Kong cybersecurity legislation, including the new office's investigative powers. He assured that the office, which will be established under the Security Bureau, will focus solely on critical infrastructure and will not extend its reach to small and medium-sized enterprises or individual operators. In the event of a severe security incident, operators will be required to notify the new office within two hours. For less urgent issues, the timeframe for reporting is 24 hours. Failure to comply or neglecting to conduct required risk assessments could result in the substantial fines mentioned earlier.

Tang also revealed that the government plans to keep the list of companies affected by the bill confidential to prevent potential threats or targeting. The bill is expected to be forwarded to lawmakers by the end of the year, with the government aiming to address any lingering concerns and finalize the legislation.

In summary, Hong Kong's cybersecurity bill, designed to enhance the Protection of Critical Infrastructure, seeks to establish rigorous standards for securing essential systems without infringing on individual privacy. The focus remains firmly on safeguarding critical infrastructures against cyber threats, with safeguards in place to ensure the bill does not inadvertently impact smaller enterprises or private data.
In response to a recent cyberattack, the City of Columbus is taking significant steps to protect its employees. On July 18, 2024, a ransomware group claimed the Columbus cyberattack, prompting an urgent response from city officials. As part of the precautionary measures, the city is offering Experian credit monitoring to all its employees, including those working for Franklin County Municipal Court judges and the clerk's office.

The cyberattack on Columbus, which began as a ransomware threat, was identified over two weeks ago when an anomaly was detected in the city's IT systems. To contain the threat, officials took drastic measures by disconnecting their internet connection, effectively cutting off the cybercriminals' access to critical systems.

Decoding the City of Columbus Cyberattack

The Columbus Police Union has reported that some of its members have already experienced compromised personal information due to the City of Columbus data breach. The city has advised employees to notify them of any unusual IT activity or if they suspect their city email accounts have been compromised. Columbus Mayor Andrew Ginther revealed that the cyberattack was initiated when an employee inadvertently downloaded a malicious zip file from a compromised website. Despite the city's efforts to contain the breach, data was reportedly stolen.

Source: Dark Web

An international cybercriminal group, known as Rhysida ransomware, has claimed responsibility for the attack. The Rhysida ransomware group is offering the stolen data for sale on the dark web, which includes over 6.5 terabytes of sensitive information such as employee logins, passwords, and city emergency service applications. Rhysida has set a ransom price of 30 bitcoins, approximately $1.9 million, for the stolen data. The group's auction of the stolen Columbus data is set to run for one week. In addition to the Columbus data, Rhysida has listed data from other recent breaches, including LawDepot and the Queens County Public Administrator, further illustrating the scale and reach of their operations.

The Rhysida Ransomware's Massive Hacking Spree

The Rhysida ransomware group, which emerged around May 2023, has previously targeted various high-profile entities. Their tactics involve "double extortion," where they demand a ransom to decrypt stolen data and threaten to release it publicly if the ransom is not paid. Rhysida's operations have impacted several organizations globally, including the British Library and the Chilean army. Their methods have raised significant concerns about the safety and security of digital infrastructure worldwide.

Federal Cybersecurity and Infrastructure Security Agency (CISA) experts suggest that Rhysida's members are likely based in Russia, a country known for its complex relationship with cybercrime. Russian authorities are often accused of tacitly endorsing such activities by allowing cybercriminals to operate with relative impunity, provided they do not target Russian interests.

As for the City of Columbus cyberattack, officials are working closely with federal investigators to assess the full impact of the intrusion and to strengthen the city's defenses against future threats. As the investigation continues, city officials are focusing on supporting affected employees and bolstering cybersecurity measures to prevent similar incidents in the future. For now, employees are encouraged to remain vigilant, use unique passwords for their accounts, and promptly report any suspicious activity. The city's measures, including the provision of credit monitoring services, are designed to mitigate potential harm and ensure the safety of its employees' personal information in the wake of the major breach of sensitive data relating to the city.
The latest threat to Windows users has been discovered in the form of BITSLOTH, a sophisticated backdoor that leverages the Background Intelligent Transfer Service (BITS) for its command-and-control mechanism. Earlier this summer, the malware was spotted during the detection of an attempted intrusion into the Foreign Ministry of a South American government in the LATAM region; it had not been publicly documented before and is believed to have been in development for several years.

The BITSLOTH backdoor contains 35 handler functions, including capabilities for keylogging, screen capturing, discovery, enumeration, and command-line execution. These features suggest the tool is designed for exfiltrating data from targets.

BITSLOTH Backdoor Capabilities and Features

The BITSLOTH intrusion was initially observed on June 25 during an incident response engagement. Researchers from Elastic Labs observed that the attackers had used a variety of publicly available tools for their operations, with BITSLOTH being the only custom malware component. One of the primary forms of BITSLOTH execution was through a program called 'RINGQ', a shellcode sideloading tool that converts any Windows executable into custom shellcode stored in a text file, allowing the malware to bypass hash-based blocklists or static signature defenses in popular anti-malware programs.

Source: https://www.elastic.co/

The BITSLOTH malware has been under active development since at least December 2021, as evidenced by the discovery of older samples. The developer refers to the client component as the 'Slaver' and the C2 server as the 'Master.' One notable feature is the use of BITS for C2 communication. BITS is a Windows system administration feature that enables file transfers, and its typical association with software updates makes it appear as trusted traffic, often overlooked by security solutions.

BITSLOTH cancels any existing BITS jobs on the victim machine that match specific display names, such as 'WU Client Download,' to operate from a clean state. It then creates a new BITS download job with the name 'Microsoft Windows,' masquerading the malware as a harmless routine update. When the BITS job state changes, BITSLOTH is executed through the SetNotifyCmdLine function, establishing persistence on the infected system. The malware then begins requesting instructions from the C2 server using the "WU Client Download" job, with the request URL containing the victim's MAC address.

Strings present in the BITSLOTH backdoor (Source: https://www.elastic.co/)

The BITSLOTH backdoor has 35 command handler functions, allowing the attackers to perform a wide range of activities, including running commands, uploading and downloading files, and collecting sensitive data through keylogging and screen capturing. The commands received from the C2 server are obfuscated using a single-byte XOR (0x2) before execution.

Persistence and Communication

BITSLOTH achieves persistence via the created BITS scheduled job named 'Microsoft Windows', which sets the destination URL to a legitimate-looking domain. This unique toolmark allowed researchers to pivot to additional samples, showing that the malware family had been in circulation for several years. The malware has been configured with several persistence capabilities to remain on systems after initial infection.

BITSLOTH persistence job (Source: https://www.elastic.co/)

The request URL is generated by combining the MAC address with a hard-coded string, and in response, the malware receives a 12-byte structure containing a unique ID for the job, a command ID for the handler, and a response token.

Because BITSLOTH presents a significant threat to targets due to its stealthy nature and extensive capabilities, the researchers have shared a list of indicators of compromise to help organizations detect potential BITSLOTH intrusions and deployment of its backdoor on their systems.
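The persistence and C2 details above (an update-lookalike job name such as 'Microsoft Windows' or 'WU Client Download', a notification command line set via SetNotifyCmdLine, and a remote URL that is not actually a Microsoft update endpoint) translate directly into a triage check over enumerated BITS jobs. The following is an added example written for this article, not Elastic's code or detection logic. It assumes job records have been exported from `bitsadmin /list /allusers /verbose` or `Get-BitsTransfer -AllUsers` into the simple dictionary shape used here; the field names, the Microsoft host allow-list, the system-directory prefixes and all three sample jobs are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Display names that imitate Windows Update; the two names quoted come from the report.
UPDATE_LOOKALIKE_NAMES = ("microsoft windows", "wu client download")
# Hosts from which genuine update traffic is expected (assumed allow-list for this example).
MICROSOFT_HOST_SUFFIXES = ("microsoft.com", "windowsupdate.com")
# Where a legitimate notification command would normally live (assumed for this example).
SYSTEM_EXE_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")


def host_is_microsoft(url: str) -> bool:
    """True only for an exact allow-listed domain or a subdomain of one (no prefix tricks)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_HOST_SUFFIXES)


def executable_from_cmdline(cmdline: str) -> str:
    """Extract the program path from a notification command line, quoted or not."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).lower()


def triage_bits_job(job: Dict[str, str]) -> List[str]:
    """Return the findings for one BITS job record (empty list = nothing notable)."""
    findings: List[str] = []
    name = job.get("display_name", "").lower()
    url = job.get("remote_url", "")
    cmd = job.get("notify_cmdline", "")
    if cmd:
        # A job that launches something on state change is the SetNotifyCmdLine pattern.
        findings.append("notify-cmdline-set")
        if not executable_from_cmdline(cmd).startswith(SYSTEM_EXE_PREFIXES):
            findings.append("notify-exe-outside-system-dirs")
    if any(h in name for h in UPDATE_LOOKALIKE_NAMES) and url and not host_is_microsoft(url):
        findings.append("update-lookalike-name-with-non-microsoft-url")
    return findings


def triage_all(jobs: List[Dict[str, str]]) -> Dict[str, List[str]]:
    return {j["job_id"]: triage_bits_job(j) for j in jobs}


# Constructed job records (not real captures) in the shape an export could be normalised into.
SAMPLE_JOBS = [
    {"job_id": "job-1", "display_name": "Edge Update", "owner": "SYSTEM",
     "remote_url": "https://msedge.b.tlu.dl.delivery.mp.microsoft.com/file.bin",
     "notify_cmdline": ""},
    {"job_id": "job-2", "display_name": "Microsoft Windows", "owner": "SYSTEM",
     "remote_url": "https://updates.example-cdn.invalid/win/x64.bin",
     "notify_cmdline": r'"C:\ProgramData\svc\update.exe" -q'},
    {"job_id": "job-3", "display_name": "WU Client Download", "owner": "CORP\\user",
     "remote_url": "http://198.51.100.7/api/<mac-address-placeholder>",
     "notify_cmdline": ""},
]

if __name__ == "__main__":
    for job_id, findings in triage_all(SAMPLE_JOBS).items():
        print(job_id, findings or "clean")
```

Two of the three signals are independent of the specific job names, so the check keeps value when the names change: any BITS job with a notification command line, and any job whose command line points outside the usual system locations, deserves a look regardless of what it is called.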
This type of attack, known as Bytecode Jiu-Jitsu, takes advantage of the fact that interpreters do not require execution privilege for bytecode, making it difficult for security tools to detect.
Cybersecurity researchers have disclosed details of a new distributed denial-of-service (DDoS) attack campaign targeting misconfigured Jupyter Notebooks. The activity, codenamed Panamorfi by cloud security firm Aqua, utilizes a Java-based tool called mineping to launch a TCP flood DDoS attack. Mineping is a DDoS package designed for Minecraft game servers. Attack chains entail the exploitation
The U.S. Department of Justice (DoJ), along with the Federal Trade Commission (FTC), filed a lawsuit against popular video-sharing platform TikTok for "flagrantly violating" children's privacy laws in the country. The agencies claimed the company knowingly permitted children to create TikTok accounts and to view and share short-form videos and messages with adults and others on the service. They