Scammers on the social media platform X (formerly known as Twitter) have escalated their tactics by exploiting global crises to deceive users into clicking on fake content. Recent reports reveal that these bad actors are leveraging the ongoing war in Ukraine and earthquake warnings in Japan to entice unsuspecting users into visiting fraudulent websites, which ultimately lead to adult sites, malicious browser extensions, and shady affiliate marketing pages.

The Evolution of the Bot Problem on X

X has long struggled with a bot problem, with spammers and scammers continuously finding new ways to exploit the platform. However, recent developments indicate that these schemes have become more sophisticated, now targeting users with content that appears to be relevant and urgent. For months, X has been inundated with posts that seemingly link to pornographic videos. However, upon clicking, users are redirected to fake adult sites—a classic bait-and-switch tactic. But the scammers have not stopped there.

New Tactics: Exploiting the Ukraine War and Japanese Earthquake Warnings

As tracked by vigilant X users, including "Slava Bonkus" and "Cyber TM," scammers have recently begun to diversify their bait, using sensational news stories to lure users. Posts have been circulating that purport to contain breaking news about Ukrainian forces invading the Russian city of Kursk or critical warnings about an impending earthquake in Japan's Nankai Trough. These posts, designed to evoke a sense of urgency and fear, have successfully tricked many users into engaging with the content.

For example, one fake tweet about the Nankai Trough earthquake reads: "Emergency information on the Nankai Trough mega-earthquake: What should we be careful of from now on? It's all summarized in this article. Please read it carefully and plan your schedule." The language used is designed to mimic the tone of genuine emergency communications, adding a layer of credibility to the scam.

The Mechanics Behind the Scam

Unlike the traditional bait-and-switch that redirects users to fake pornographic sites, these new posts feature what appear to be legitimate content warnings from X. However, these warnings are, in fact, just images embedded in the posts. When users click on these images, they are redirected to a URL at the app.link domain. From there, users are taken through a series of websites before landing on a scam site.

The final destination of these redirects varies. While many users end up on adult sites, others may find themselves on sites that attempt to install malicious browser extensions or push tech support scams. Some sites are part of affiliate marketing scams designed to generate revenue for the scammers at the expense of the victims.

How Scammers Avoid Detection on X

One of the reasons these scams are so effective is the way they manipulate X's content display system, specifically the use of Twitter Cards. Twitter Cards are a feature that allows users to attach rich media—such as photos, videos, and summaries—to their tweets, thereby enhancing the visual appeal and click-through rate of the content. When a post containing a URL is first created, X automatically reads the content at that URL to generate a preview, or "card," that appears alongside the tweet. This preview includes an image, description, and other metadata that make the post appear legitimate.

However, scammers have found a way to exploit this system. When the app.link site detects that the connection is coming from X, it does not redirect the user to the scam site. Instead, it serves up a harmless HTML page containing the necessary Twitter Card metadata. This trick fools X into displaying the fake content warning image as if it were a genuine part of the post. Once the post is live and users click on the image, the redirect sequence begins, leading them to the scam site.

The Impact and Response

The use of global crises as bait in these scams is particularly insidious, as it preys on users' fears and concerns. By presenting what appears to be urgent and relevant information, scammers increase the likelihood that users will click on the links, thus falling into their trap. The consequences can range from exposure to explicit content to the installation of harmful software on their devices.

X has been working to combat these scams, but the ever-evolving tactics of scammers present a significant challenge. The platform relies on automated systems to detect and remove malicious content, but as scammers find new ways to evade detection, the effectiveness of these systems is put to the test.

Staying Safe on X

As users navigate X, it's crucial to remain vigilant. Always double-check the legitimacy of content, especially when it appears to be linked to breaking news or emergency alerts. Avoid clicking on links from unfamiliar sources, and be cautious of posts that seem too sensational to be true. By staying informed and exercising caution, users can protect themselves from falling victim to these increasingly sophisticated scams. In the meantime, X will need to continue refining its detection and prevention mechanisms to stay ahead of the scammers who continue to find new ways to exploit the platform and its users.
AMD is currently confronting a major security challenge involving the Sinkclose vulnerability, a critical flaw affecting a wide range of its processors. The Sinkclose vulnerability allows malicious actors to execute code within a processor’s System Management Mode (SMM), a highly protected chip area. This mode is generally shielded from the operating system and most software, making the flaw exceptionally dangerous. AMD's response has been mixed, as the company has decided not to patch several older processor models impacted by this security issue.

The issue, first uncovered by researchers at IOActive and highlighted in a Wired report, impacts AMD chips dating back to 2006. This AMD vulnerability, which affects hundreds of millions of processors, enables attackers to infiltrate systems in a nearly undetectable manner, posing significant risks, particularly for high-profile targets such as government agencies and large corporations.

Decoding the Sinkclose Vulnerability and Lapses in Security Updates

In a statement provided to Tom's Hardware, AMD confirmed, "There are some older products that are outside our software support window." Specifically, AMD has chosen not to release updates for its Ryzen 1000, 2000, and 3000 series processors, as well as the Threadripper 1000 and 2000 models. This decision affects a substantial number of users who rely on these processors, many of which are still in active use. The decision to exclude these older models from updates stems from AMD's policy regarding software support for outdated hardware. For many users, this will mean that their systems remain vulnerable to attacks exploiting the Sinkclose flaw.

However, AMD has been proactive in addressing the issue for its newer processors. The company has already rolled out or is in the process of releasing updates for all recent AMD EPYC processors, the latest Threadripper series, and Ryzen processors. Additionally, the MI300A data center chips have also been included in the patch rollout. AMD has assured users that these updates are designed to address the Sinkclose vulnerability without introducing significant performance penalties. "No performance impact expected," the company stated regarding the updates. However, AMD is still conducting performance assessments to ensure the patches do not degrade overall system performance.

What Is the Sinkclose Vulnerability?

The Sinkclose vulnerability, while serious, is considered more of a risk for high-value targets than for average consumers. Exploiting the flaw requires deep access to the affected systems, which is a considerable hurdle for most attackers. The nature of the Sinkclose flaw means that it is more likely to be used in targeted attacks against entities with significant resources or sensitive information.

Krzysztof Okupski from IOActive provided insight into the potential implications of the AMD vulnerability. "Imagine nation-state hackers or whoever wants to persist on your system. Even if you wipe your drive clean, it's still going to be there," Okupski explained. "It's going to be nearly undetectable and nearly unpatchable." This highlights the depth of the problem, suggesting that once the Sinkclose flaw is exploited, the malicious code could remain in the system even after multiple clean installations of the operating system.

Given the severity of the Sinkclose vulnerability, it is particularly concerning for entities such as governments and large organizations, which may be targeted due to their sensitive data and high-value assets. The ability of attackers to execute code within the SMM means they could potentially control or monitor affected systems with a high degree of stealth.

AMD's approach to mitigating this issue involves focusing on its newer processors and embedded systems. All Ryzen-embedded and EPYC-embedded processors are slated to receive updates, as these systems often operate continuously with minimal human oversight, making them critical targets for security breaches if left unpatched. For the broader user base, the impact of the Sinkclose vulnerability is less immediate but still significant. While average consumers are unlikely to be targeted by attackers exploiting this flaw, it remains important for all users to apply any available updates to their processors. By doing so, they can ensure their systems remain secure against potential exploits and avoid data loss or system compromise.
In a coordinated international takedown, the FBI, in collaboration with law enforcement agencies across the globe, has dismantled the infrastructure of the "Radar/Dispossessor" ransomware group. The ransomware operation, led by an actor using the online alias "Brain," targeted small-to-mid-sized businesses across various sectors, causing significant disruption and financial losses.

The FBI's Cleveland division announced the successful dismantling on August 12th. The operation resulted in the takedown of servers and domains crucial to the group's operations. This included seizing three servers each in the United States and the United Kingdom, along with 18 servers located in Germany. Additionally, authorities seized eight U.S.-based and one German-based domain used by the cybercriminals.

(Image: Seizure banner displayed on the leak site. Source: FBI)

The investigation and joint takedown were conducted in collaboration with the U.K.'s National Crime Agency, Bamberg Public Prosecutor’s Office, Bavarian State Criminal Police Office (BLKA), and U.S. Attorney’s Office for the Northern District of Ohio.

Rapid Rise, Global Reach of 'Radar/Dispossessor'

Emerging in August 2023, Radar/Dispossessor quickly established itself as a formidable threat. The group employed the now-common "dual-extortion" model, encrypting victim data while simultaneously exfiltrating it for potential public release if ransom demands weren't met. Their targets spanned various sectors, including production, development, education, healthcare, finance, and transportation. While initial attacks focused on the U.S., the investigation revealed victims in 13 countries, including Argentina, Australia, Belgium, and India.

Preying on Weaknesses

The investigation exposed the group's tactics. Radar/Dispossessor exploited vulnerabilities in victim systems, targeting weak passwords and a lack of two-factor authentication. Once initial access was established, the attackers escalated privileges to gain complete control over the system. This enabled them to deploy the ransomware for data encryption, rendering critical information inaccessible.

Escalating Pressure

Following the initial data encryption, the cybercriminals adopted a multi-pronged approach to pressure victims into paying. They would proactively contact individuals within the compromised organization, often via email or phone call. These communications included links to platforms showcasing the stolen data, a tactic employed to heighten the sense of urgency and increase the likelihood of ransom payment. To further pressure victims into paying the ransom, they even provided examples of previous victims who broke their rules, researchers at Broadcom said.

The final act of coercion involved publicly announcing the data breach on a dedicated leak site. This announcement included a countdown timer, further pressuring victims to meet the ransom demands before their sensitive information was exposed.

Seeking Information, Offering Support

The FBI is actively seeking further information about Brain and his criminal network. Additionally, they encourage any business or organization that has been targeted by Radar Ransomware – or any other ransomware variant – to report the incident to the Internet Crime Complaint Center (IC3) at ic3.gov or by calling 1-800-CALL-FBI. Anonymity is guaranteed to those who report such crimes.
A newly discovered OpenSSH vulnerability in FreeBSD systems has been reported. This critical flaw, identified as CVE-2024-7589, could allow attackers to execute remote code with root privileges without any prior authentication. The vulnerability affects all supported versions of FreeBSD, highlighting the urgent need for immediate action to secure systems.

The core issue lies in a signal handler within the SSH daemon (sshd) that interacts with logging functions not deemed async-signal-safe. This handler is activated when a client fails to authenticate within the default LoginGraceTime period of 120 seconds. The problem arises from this signal handler calling logging functions that are unsafe to execute in an asynchronous signal context, creating a race condition that attackers can exploit for arbitrary remote code execution.

Critical OpenSSH Vulnerability in FreeBSD

Specifically, this flaw is linked to the integration of the blacklistd service within FreeBSD's OpenSSH implementation. The faulty code is situated in a part of the sshd process that operates with full root privileges, which amplifies the risk associated with this vulnerability. Attackers who manage to exploit this race condition could gain unauthenticated remote access and execute code as the root user.

In response to the critical OpenSSH vulnerability, FreeBSD has released security advisories and patches. These updates address the issue across multiple versions of the FreeBSD operating system, with corrections applied to Stable/13 and Stable/14 on August 6, 2024, and to Releng/13.3, Releng/14.0, and Releng/14.1 on August 7, 2024. These patches are available for both binary and source code updates. For binary patching, users on the amd64, arm64, or i386 platforms can use the freebsd-update utility to fetch and install updates. For those opting for source code updates, the process involves fetching the relevant patch, verifying its PGP signature, applying the patch, and recompiling the operating system. Detailed instructions are provided in the FreeBSD security advisory, which also outlines how to verify the applied patches and associated commit hashes.

Workaround and Recommendations

If immediate patching is not feasible, FreeBSD administrators can mitigate the risk by setting LoginGraceTime to 0 in the /etc/ssh/sshd_config file and restarting the sshd service. This adjustment eliminates the remote code execution risk but may expose the system to denial-of-service attacks due to the potential exhaustion of all MaxStartups connections.

Given the severity of CVE-2024-7589, system administrators are strongly advised to apply the available updates as soon as possible. The vulnerability's nature, allowing unauthenticated remote code execution in a privileged context, means that it poses a significant risk of full system compromise. Exploitation could lead to unauthorized access, data exfiltration, or malware installation.

The OpenSSH vulnerability in FreeBSD shares similarities with CVE-2024-6387, which affected OpenSSH on Linux systems. However, CVE-2024-7589 is specific to FreeBSD’s implementation, particularly its integration with blacklistd. This distinction highlights the critical need for tailored security measures across different operating systems and configurations.
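One way to verify that the LoginGraceTime workaround above is actually in effect, as an added example that is not part of the FreeBSD advisory: the audit below resolves sshd_config keywords the way sshd does (the first occurrence of a keyword wins, so a "LoginGraceTime 0" appended below an existing "LoginGraceTime 120" is silently ignored) and reports the MaxStartups exposure that the workaround introduces. It assumes a single config file (Include directives are not followed) and the sshd_config(5) defaults named in the constants.

```python
"""Audit an sshd_config for the CVE-2024-7589 interim workaround (LoginGraceTime 0).

Added example, not code from the FreeBSD advisory. Assumptions: one config file
(Include directives are not followed) and the sshd_config(5) defaults below.
"""
import re
import sys

DEFAULT_LOGIN_GRACE_TIME = "120"     # seconds, sshd_config(5) default
DEFAULT_MAX_STARTUPS = "10:30:100"   # start:rate:full, sshd_config(5) default

# Suffixes accepted by sshd time values (sshd_config(5), TIME FORMATS)
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """Convert an sshd time value such as '0', '120', '2m' or '1h30m' to seconds."""
    value = value.strip().lower()
    if not re.fullmatch(r"(?:\d+[smhdw]?)+", value):
        raise ValueError("invalid sshd time value: %r" % value)
    return sum(int(n) * _TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value))


def resolve_keywords(config_text):
    """Return (effective, shadowed) for the global section of an sshd_config.

    effective: {keyword_lowercase: value}, first occurrence wins as in sshd(8).
    shadowed:  [(keyword, value, line_no)] for later occurrences sshd ignores.
    Lines inside a Match block are skipped: LoginGraceTime and MaxStartups are
    global-only keywords, so sshd would reject copies placed there anyway.
    """
    effective, shadowed = {}, []
    in_match = False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            continue
        if in_match:
            continue
        if keyword in effective:
            shadowed.append((keyword, value, line_no))
        else:
            effective[keyword] = value
    return effective, shadowed


def parse_max_startups(value):
    """Return the 'full' field of MaxStartups: the hard cap on unauthenticated connections."""
    fields = value.split(":")
    return int(fields[2] if len(fields) == 3 else fields[0])


def audit_sshd_config(config_text):
    """Evaluate the workaround state of one sshd_config and return a report dict."""
    effective, shadowed = resolve_keywords(config_text)
    grace = parse_time(effective.get("logingracetime", DEFAULT_LOGIN_GRACE_TIME))
    full = parse_max_startups(effective.get("maxstartups", DEFAULT_MAX_STARTUPS))
    report = {
        "login_grace_time": grace,
        "mitigated": grace == 0,
        "max_unauthenticated_connections": full,
        "shadowed": [s for s in shadowed if s[0] in ("logingracetime", "maxstartups")],
        "notes": [],
    }
    if report["mitigated"]:
        # Workaround active: the grace-time handler never fires, but every idle
        # unauthenticated connection now holds a MaxStartups slot indefinitely.
        report["notes"].append(
            "LoginGraceTime 0: RCE path closed; %d idle unauthenticated connections "
            "exhaust MaxStartups and block new logins until sshd is patched." % full)
    else:
        report["notes"].append(
            "LoginGraceTime %d s: the async-signal-unsafe handler is still reachable; "
            "patch with freebsd-update or set LoginGraceTime 0." % grace)
    for keyword, value, line_no in report["shadowed"]:
        report["notes"].append(
            "line %d: '%s %s' is ignored because an earlier %s directive wins"
            % (line_no, keyword, value, keyword))
    return report


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path, encoding="utf-8", errors="replace") as fh:
        result = audit_sshd_config(fh.read())
    for note in result["notes"]:
        print(note)
    sys.exit(0 if result["mitigated"] else 1)
```

Run it on the live file after editing and restarting sshd; a non-zero exit means the grace-time handler is still reachable, and any "is ignored" note points at a duplicate directive that must be removed rather than appended to.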
Over 100 Ukrainian state and local government computers have been compromised with MeshAgent malware in a phishing campaign leveraging trust in the Security Service of Ukraine (SBU). The attack, detected by the Computer Emergency Response Team of Ukraine (CERT-UA) on Monday, involved emails seemingly originating from the SBU.

These emails contained a link to download a file named "Documents.zip." Clicking the link downloaded a Microsoft Software Installer (MSI) file instead, for example "Scan_docs#40562153.msi". Opening this MSI file unleashed the ANONVNC malware, also known as MeshAgent. This malware gave attackers potential covert, unauthorized access to infected machines, CERT-UA said.

"As of 12:00 on August 12, 2024, CERT-UA identified more than 100 affected computers, including those operating within state bodies and local self-government bodies of Ukraine." - CERT-UA

(Image: ANONVNC aka MeshAgent malware attack chain. Source: CERT-UA)

Malware with Familiar Traits

The ANONVNC malware, based on the source code observed by CERT-UA researchers, used a configuration file strikingly similar to the MeshAgent software tool. MeshAgent is typically a remote management tool that works with the open-source platform MeshCentral. It is compatible with Windows, Linux, macOS, and FreeBSD. Although it is not designed to be malicious, threat actors exploit this tool to establish backdoors on endpoints, allowing remote access through programs like VNC, RDP, or SSH. Recently, security researchers at Wazuh noted a rise in the misuse of MeshAgent by attackers to maintain persistence on compromised systems and issue remote commands.

Why Threat Actors Use MeshAgent as Malware

- Seamless Connection: Once installed, MeshCentral requires no user intervention to connect with endpoints.
- Unauthorized Access: MeshCentral can access MeshAgent directly or via RDP without the endpoint's consent.
- System Control: It can wake, restart, or power off endpoints.
- Command and Control: MeshCentral acts as a command server, executing shell commands and transferring files on the endpoint without the user's knowledge.
- Undetectable Operations: Actions initiated by MeshCentral run under the NT AUTHORITY\SYSTEM account, blending in with routine background tasks.
- Unique File Hashes: Each MeshAgent instance is uniquely generated, making detection by file hash challenging.

Attackers often deploy MeshAgent through phishing emails. Its communication over standard ports like 80 and 443 increases the likelihood of bypassing firewalls.

On a Windows endpoint, MeshAgent typically:

- Launches the MeshCentral background service.
- Connects to the MeshCentral server.
- Establishes a communication channel via pipes.
- Installs using the -fullinstall command flag.
- Places its executable at C:\Program Files\Mesh Agent\MeshAgent.exe.
- Creates a registry key at HKLM\System\CurrentControlSet\Services\Mesh Agent for configuration storage.
- Adds another registry key at HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MeshAgent, enabling network access during Safe Mode.
- Modifies Windows services to achieve persistence, including creating a registry key to allow WebRTC traffic through the firewall.
- Executes most actions using the highly privileged NT AUTHORITY\SYSTEM and LocalService accounts.

When reconnecting to MeshCentral, MeshAgent:

- Reestablishes the communication channel.
- Creates a registry key at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MeshUserTask for scheduling tasks like wake, sleep, and command execution.
- If MeshCentral reconnects without permission, changes the connection manager service from "demand start" to "auto start."

MeshAgent's source code is publicly available on GitHub, suggesting potential code reuse for the latest campaign. Due to this code similarity, CERT-UA has temporarily named the discovered malware ANONVNC.

Wider Campaign Suspected

The latest campaign is believed to have begun in July 2024 and may extend beyond Ukraine's borders, according to CERT-UA's researchers. Analysis of the pCloud file storage service revealed over a thousand EXE and MSI files uploaded since August 1, with some potentially linked to this broader campaign.

Ukraine sprang a surprise attack on Russia in the Kursk region on Aug. 6, and today for the first time a top military commander publicly stated that Kyiv's forces now controlled over 1,000 square kilometers (approximately 386 square miles) of Russian territory. “The troops are fulfilling their tasks. Fighting continues actually along the entire front line. The situation is under our control,” Gen. Oleksandr Syrskyi said.

The timing of the phishing campaign on Monday that deployed a backdoor malware on government computer systems follows this intense Ukrainian offensive, but Kyiv did not name Russia or the Kremlin's cyber army up front for these targeted attacks. Instead, it attributed the campaign to a threat actor it tracks as UAC-0198. Russian hackers were previously found using similar tactics, where they used legitimate remote monitoring and management software to spy on Ukraine and its allies. The malicious scripts required for downloading and running the RMM program on the victims’ computers were hidden among the legitimate Python code of the “Minesweeper” game from Microsoft.

CERT-UA has promptly implemented measures to mitigate the latest cyber threat. Specific details regarding these measures were not disclosed.
Gartner highlights Cyble as a sample vendor in the Gartner® Hype Cycle™ for Managed IT Services, 2024, according to a report published by Gartner on July 9, 2024. This recognition underscores Cyble’s commitment to delivering advanced cybersecurity solutions that address the evolving needs of organizations worldwide.

The report highlights the crucial role of Digital Risk Protection Services (DRPS) in mitigating risks across various digital platforms, including the dark web, and enhancing brand protection. Cyble’s inclusion in this category signifies the company’s strong capabilities in offering comprehensive cybersecurity solutions, essential for safeguarding organizations against modern digital threats. This acknowledgment also positions Cyble as a key player in the managed IT services space, reflecting its dedication to helping enterprises navigate the complexities of today’s digital landscape.

Gartner Highlights Cyble as a Key Vendor for Managed IT Services

As digital environments become more complex, the demand for sophisticated IT services continues to grow. In its July 2024 report, Gartner emphasized that “driven by complexity and constant change, IT services remain highly focused on automation, acceleration, and cloud adoption.” The “Hype Cycle™ for Managed IT Services” report explores how Managed Detection and Response (MDR) services offer advanced threat detection and rapid response capabilities, crucial for protecting a company’s IT infrastructure.

In this report, Gartner highlights Cyble as a sample vendor for DRPS. Additionally, Gartner acknowledged Cyble as a sample vendor for Cyber-Risk Management and Security Operations in their respective Hype Cycle reports. These recognitions highlight Cyble’s ability to provide robust cybersecurity solutions that meet the challenges of today’s dynamic threat landscape.

Importance of Cyble Being Named a DRPS Sample Vendor

Digital Risk Protection Services (DRPS) are vital for proactively identifying and mitigating external risks to safeguard an organization’s reputation. By monitoring social media, the web, and other digital channels, DRPS enriches insights and manages threat responses. Gartner has identified a more hybrid workforce and the increasing use of cloud assets as key drivers of DRPS adoption. The Hype Cycle report for Security Operations also notes a growing interest in DRPS capabilities, particularly among small and medium-sized enterprises (SMEs), which often struggle to extract value from Threat Intelligence (TI) due to limited resources and expertise.

Why It Matters That Cyble Is Recognized as a Managed IT Services Sample Vendor

Being named a Managed IT Services Sample Vendor by Gartner is a significant achievement for Cyble, serving as a strong endorsement of the company’s capabilities and credibility in the IT services sector. Gartner’s recognition signals to the market that Cyble is a trusted and reliable provider, enhancing its reputation and making it a preferred choice for potential clients who rely on Gartner’s insights. This recognition not only sets Cyble apart from its competitors by showcasing its unique offerings and strengths but also positions the company as a leader in the industry. The increased visibility from this recognition can lead to new business opportunities and strategic partnerships, reinforcing Cyble’s expertise in cybersecurity and threat intelligence. As a result, Cyble is well-positioned to expand its market reach and continue its growth trajectory in the industry.

Hype Cycle for Managed IT Services, 2024

The Hype Cycle for 2024 highlights managed IT services across the entire technology stack, emphasizing a shift from merely supporting technology products to driving digital transformation and delivering business outcomes. The focus is now on accelerating digital transformation to build adaptable, resilient platforms that enhance business performance.

Cyble’s Recognitions by Gartner

Cyble’s inclusion in the Hype Cycle highlights its innovative approach to managing cybersecurity challenges. The company’s Digital Risk Protection Services (DRPS) are designed to proactively detect and address external threats across digital landscapes. Leveraging advanced threat intelligence and machine learning, Cyble provides valuable insights into threat actors and their methods. Cyble’s next-generation platform, Cyble Vision, integrates Dark Web Monitoring, Threat Intelligence, External Attack Surface Management, Brand & Social Media Monitoring, Third-Party Risk Scoring, and Risk Management into a unified solution.
Australian mining company Evolution Mining Limited has become the latest victim of a ransomware attack. The company, known for its significant presence in the global gold mining industry, announced on Monday, August 12, that it had become aware of the cybersecurity incident just last week, on August 8. This Evolution Mining cyberattack adds to a growing list of attacks that have recently targeted Australian companies, highlighting the persistent and evolving nature of cyber threats in the country. In an official statement, Evolution Mining disclosed that the ransomware attack had impacted its IT systems.

Evolution Mining Cyberattack and Immediate Response

The company acted swiftly by engaging external cyber forensic experts to investigate and contain the incident. “The Company believes the incident is now contained,” Evolution Mining stated, reflecting their confidence in the measures taken to prevent further damage. The company emphasized that the incident has been proactively managed with a strong focus on safeguarding the health, safety, and privacy of individuals, as well as the integrity of its systems and data.

Evolution Mining reassured stakeholders that it does not foresee any material impact on its operations as a result of the cyberattack. This prompt and decisive action demonstrates the company’s commitment to minimizing disruption and protecting its assets.

Evolution Mining has reported the ransomware attack to the Australian Cyber Security Centre (ACSC), a government agency responsible for enhancing Australia’s cybersecurity capabilities. Despite this, the ACSC informed Reuters that they have not received substantial information from Evolution regarding the details of the incident, leaving many questions unanswered about the scope and nature of the Evolution Mining cyberattack.

Evolution Mining: A Global Leader in Gold Mining

Evolution Mining is a prominent player in the global gold mining industry, operating a portfolio of high-quality assets across Australia and Canada. The company manages six mines, including five wholly-owned operations: Cowal in New South Wales, Ernest Henry and Mt Rawdon in Queensland, Mungari in Western Australia, and Red Lake in Ontario, Canada. Additionally, Evolution holds an 80% stake in the Northparkes mine in New South Wales, further solidifying its position as a leading gold miner.

The company’s diverse operations and strategic assets have made it a key contributor to the gold mining sector, which remains a vital part of the global economy. However, this latest Evolution Mining cybersecurity incident serves as a reminder that even the most robust and well-established companies are not immune to the growing threat of cybercrime.

The Broader Context: Rising Cyber Threats in Australia

The ransomware attack on Evolution Mining is not an isolated incident but rather part of a broader trend of increasing cyberattacks targeting Australian businesses. The ACSC reported that it received approximately 94,000 cybercrime reports in the financial year 2023, marking a significant increase from the roughly 76,000 reports filed in the previous financial year. This sharp rise highlights the escalating cyber threat landscape in Australia, where businesses across all sectors are facing heightened risks.

Ransomware attacks, in particular, have become a major concern for organizations worldwide. These attacks involve malicious actors encrypting a victim’s data and demanding a ransom payment in exchange for the decryption key. The impact of such attacks can be devastating, ranging from operational disruptions to financial losses and reputational damage. For industries like mining, where operational continuity is critical, the stakes are especially high. A successful cyberattack can halt production, compromise sensitive data, and undermine investor confidence. As such, companies like Evolution Mining must remain vigilant and invest in robust cybersecurity measures to protect their operations and stakeholders.

The Importance of Cyber Resilience

The incident at Evolution Mining highlights the importance of cyber resilience for companies operating in today’s digital landscape. Cyber resilience refers to an organization’s ability to prepare for, respond to, and recover from cyberattacks. It involves not only having the right technology and processes in place but also fostering a culture of cybersecurity awareness and preparedness among employees.

For Evolution Mining, the quick containment of the ransomware attack suggests that the company has effective cybersecurity protocols and incident response plans in place. However, the lack of detailed information shared with the ACSC and the public may raise concerns about transparency and the extent of the incident’s impact.
An Amazon customer in India has raised concerns about a potential data breach at Amazon after receiving duplicate orders and fake products. The customer, through a Facebook post, highlighted how online shoppers could be vulnerable to a breach of personal data. Responding to the allegations, an Amazon representative told The Cyber Express that it is investigating the claims made by the user.

On August 9, 2024, Facebook user Swati Singal posted that Amazon is allegedly compromising people's data. In her post, Singal detailed a disturbing incident that occurred when she placed two orders on Amazon in a single day. The first order was paid for through Cash on Delivery (COD), and the second was completed with online payment. Surprisingly, both order bills were identical, suggesting that something was amiss.

According to Singal, when the first order arrived, she received fake speakers instead of the tablet she had originally purchased. The second order, which arrived later, contained the correct product. However, she noticed that she had been charged twice for the same item. This led her to suspect that her order information had been leaked or compromised, allowing the fraudulent activity to take place.

(Image source: Facebook)

“This message us to all who relies on Amazon, it is shocking to see how Amazon is forging people, data gets compromised at the back end for cheating people. In a day received orders twice, one I did COD and other online payment. Both order slips were identical. In the first order, received fake speakers instead of tablet which we ordered, and second was right order. But we paid twice,” Singal wrote on Facebook. “The info about the order got leaked from Amazon, so as to forge. It's to spread the awareness when you buy high value product from such a trusted online shopping portal Stay alert!.”

Amazon Customer Data at Risk?

Singal's post highlights a worrying issue: the possibility that customer data may be at risk when shopping on Amazon, a platform that many consider to be highly reliable. She believes that the information related to her order was accessed by someone with malicious intent, leading to the dispatch of fake products and duplicate charges.

This incident serves as a stark reminder for consumers to be vigilant, especially when purchasing high-value items online. Singal urges others to stay alert and double-check their orders to avoid falling victim to similar scams. She also stresses the importance of spreading awareness about such incidents to help others protect themselves from potential fraud.

While Amazon is known for its robust security measures, this case underlines the need for customers to take extra precautions when shopping online. Ensuring that orders are accurate and payments are secure can help mitigate the risks associated with online transactions. Responding to the allegations, Amazon told The Cyber Express that it is investigating the allegations made by the customer. For now, shoppers are advised to remain cautious and report any suspicious activity immediately.

Previous Claims of Amazon Customers’ Data Breach

In July 2021, Amazon faced a significant challenge when it was hit with the largest General Data Protection Regulation (GDPR) fine at the time, due to data breaches. The Luxembourg-based regulatory authority, Commission Nationale pour la Protection des Données (National Commission for the Protection of Data), imposed a staggering €746 million ($877 million) fine on the retail giant.

The case originated in France following a complaint lodged by La Quadrature du Net, an advocacy group dedicated to safeguarding privacy rights. La Quadrature du Net outlined their concerns in a comprehensive document (PDF in French), accusing Amazon of various transgressions. The allegations revolve around Amazon’s alleged use of customer data without explicit consent or adequate disclosure, the absence of accessible opt-out mechanisms without penalties, and insufficient options for users to revoke consent, among others.
Infosec teams know all about cyberattacks on servers and desktop computers, and the protective practices for those are both well-known and well-developed. Things get more complicated with less visible devices, such as routers, printers, medical equipment, and video surveillance cameras. Yet these too are often connected to the organization's general network alongside servers and workstations. Which of these devices should be the top infosec priority, and which risk factors matter in each case, is the subject of the Riskiest Connected Devices in 2024 report. Its authors analyzed more than 19 million devices: work computers, servers, IoT devices, and specialized medical equipment. For each device, a risk level was calculated from known and exploitable vulnerabilities, open ports reachable from the internet, and malicious traffic sent to or from the device, weighted by the device's importance to its organization and the potential consequences of its compromise. Here are the device classes the researchers found to be most often vulnerable and high-risk.

Wireless access points, routers, and firewalls

The top two places in the list of the riskiest devices in office networks, by a comfortable margin, went to network devices. Routers are typically reachable from the internet, and many of them expose management ports and services that are easy for threat actors to abuse: SSH, Telnet, SMB, plus highly specialized proprietary management services. In recent years attackers have learned to exploit vulnerabilities in this class of equipment, especially in its administration interfaces. Much the same holds for firewalls, particularly since routing and firewalling are often combined in a single device for SMBs. Access points have insecure settings even more often than routers do, but the threat is somewhat mitigated by the fact that compromising them requires physical proximity to the device. The initial attack vector is usually a guest Wi-Fi network or a dedicated network for mobile devices.

Printers

Although printer exploitation isn't that common, such cases are nearly always high-profile. The risk factors associated with printers are as follows. They are often connected directly to the office network and at the same time to the manufacturer's central servers, that is, to the internet. They often run in a standard configuration with default passwords, allowing an attacker to view, delete, and add print jobs, among other things, without exploiting any vulnerability. They usually carry no security tooling of their own, and administrators often add them to firewall allowlists to ensure accessibility from every computer in the organization. Software updates appear slowly, and get installed even more slowly, so dangerous vulnerabilities in printer firmware can remain exploitable for years. The printer category includes not only network MFPs but also specialized devices such as label and receipt printers. The latter are often directly connected both to POS terminals and to privileged computers that process financial information. Printers are a favorite target of hacktivists and ransomware groups because a hack that prints thousands of copies of a threatening letter can't fail to make an impression.

VoIP devices and IP surveillance cameras

Like printers, devices in these categories are rarely updated, are very often reachable from the internet, have no built-in security tooling, and are regularly run with default, insecure settings. Besides the risks of device compromise and lateral movement across the network that are common to all technology, the unique risks here are attackers spying on protected assets and facilities, eavesdropping on VoIP calls, or using VoIP telephony for fraud while impersonating the attacked organization. Exploiting a vulnerability isn't even necessary; a misconfiguration or a default password will suffice.

Automatic drug dispensers and infusion pumps

The top niche devices in the ranking are automated drug dispensers and digital infusion pumps, whose compromise could seriously disrupt hospitals and threaten lives. According to the researchers, high-risk cases arise when such devices aren't protected from external connections: in late 2022, 183 publicly accessible management interfaces for such devices were discovered, and by late 2023 that number had grown to 225. A critical incident affecting patient care does not require deep compromise of the device; a denial of service or disconnection from the network is quite enough. Real attacks on healthcare facilities by the ransomware group LockBit have caused exactly such situations. Another risk is malicious alteration of drug dosage, made possible by both numerous device vulnerabilities and insecure settings. In some institutions, even a patient can do the altering simply by connecting to the hospital's Wi-Fi.

How to protect vulnerable equipment in your organization

Disable all unnecessary services on the equipment and restrict access to the necessary ones. Control panels and service portals should only be reachable from administrative computers on the internal management subnet. This rule is critical for network hardware and for any equipment reachable from the internet.

Segment the network, separating the office, production, and administrative networks. Ensure that IoT devices and other isolated resources can't be reached from the internet or from the office network that is available to all employees.

Use strong, unique passwords for each administrator and each user account, with multi-factor authentication (MFA) wherever the device supports it, and always for access to critical resources and equipment. If a device lacks support for sufficiently strong authentication or MFA, isolate it in its own subnet and enforce MFA at the network equipment in front of it (for example, on the VPN or jump host through which the subnet is reached).

Prioritize rapid firmware and software updates for network equipment; these devices sit in the attack path and their administration interfaces are what attackers target first.

Study the network and security settings of the equipment in detail. Change default settings that aren't secure enough. Disable built-in default accounts and any password-less access. Consult the device's hardening guidance in its manual if available; if not, seek recommendations from reputable international organizations.

When purchasing printers, multi-function peripherals (MFPs), and similar devices, look at the standard features for improving security. Some corporate models offer an encrypted secure-print function, some can update their firmware automatically, and some can export events to a SIEM for comprehensive monitoring.

Implement an all-in security system in your organization, including EDR on endpoints and comprehensive SIEM-based network monitoring that covers the device classes above, since most of them cannot run an agent themselves.
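As an added example (not code from the report's authors or from the article), the following Python turns the report's risk factors and the hardening checklist above into a small triage script over an asset inventory. The scoring weights, the criticality table, the port-to-service mapping and the five sample devices are all constructed for illustration; a real deployment would read the inventory from the asset database or a scanner export and tune the weights to its own environment.

```python
"""Device risk triage in the spirit of the report's method.

Added example, not code from the report's authors or the article. The weights,
the device records and the port list are constructed for illustration; tune them
to your own inventory data.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Management services the report names as commonly exposed on network gear.
# Constructed mapping; the ports are the standard ones for each service.
MGMT_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 80: "http-admin", 443: "https-admin"}

# Assumed importance of each device class to the organisation (the report weights
# by importance and consequence of compromise; these numbers are illustrative).
CRITICALITY = {
    "router": 3, "firewall": 3, "access_point": 2, "printer": 2, "camera": 2,
    "voip": 2, "infusion_pump": 4, "drug_dispenser": 4, "workstation": 1,
}
# Device classes that belong in an isolated segment, not on the general office network.
ISOLATE_KINDS = {"printer", "camera", "voip", "infusion_pump", "drug_dispenser"}


@dataclass
class Device:
    name: str
    kind: str
    internet_exposed: bool
    open_ports: set[int] = field(default_factory=set)
    exploitable_cves: int = 0        # known-exploitable CVEs on the installed firmware
    default_creds: bool = False      # still using a vendor default account/password
    malicious_traffic: bool = False  # IDS/NetFlow saw malicious traffic to or from it
    segment: str = "office"          # network segment the device sits in


def risk_score(d: Device) -> int:
    """Combine the report's risk factors, then scale by device criticality."""
    exposed_mgmt = d.open_ports.intersection(MGMT_PORTS)
    score = 3 * d.exploitable_cves + 2 * len(exposed_mgmt)
    score += 4 if d.internet_exposed else 0
    score += 4 if d.default_creds else 0
    score += 5 if d.malicious_traffic else 0
    return score * CRITICALITY.get(d.kind, 1)


def hardening_findings(d: Device) -> list[str]:
    """Check a device against the hardening checklist and list what fails."""
    findings: list[str] = []
    exposed_mgmt = d.open_ports.intersection(MGMT_PORTS)
    if d.internet_exposed and exposed_mgmt:
        names = ", ".join(MGMT_PORTS[p] for p in sorted(exposed_mgmt))
        findings.append(f"management services ({names}) reachable from the internet; "
                        "restrict them to the admin subnet")
    if 23 in d.open_ports:
        findings.append("telnet enabled; disable it and manage over SSH only")
    if d.default_creds:
        findings.append("default credentials in use; set a unique password and enable MFA, "
                        "or enforce MFA at the network layer if the device cannot")
    if d.kind in ISOLATE_KINDS and d.segment == "office":
        findings.append("device sits on the general office network; move it to an isolated segment")
    if d.exploitable_cves:
        findings.append(f"{d.exploitable_cves} known-exploitable CVE(s); prioritise the firmware update")
    return findings


def triage(devices: list[Device]) -> list[Device]:
    """Order devices so the riskiest get attention first."""
    return sorted(devices, key=risk_score, reverse=True)


# Constructed sample inventory (hypothetical devices, not real hosts).
SAMPLE_DEVICES = [
    Device("edge-rtr-01", "router", True, {22, 23, 443}, exploitable_cves=2),
    Device("lobby-printer", "printer", False, {80, 9100}, default_creds=True),
    Device("icu-pump-07", "infusion_pump", False, {80}),
    Device("cam-parking-3", "camera", True, {80, 554}, default_creds=True, malicious_traffic=True),
    Device("ws-finance-12", "workstation", False, set(), exploitable_cves=1),
]

if __name__ == "__main__":
    for dev in triage(SAMPLE_DEVICES):
        print(f"{risk_score(dev):>4}  {dev.name:<16} {dev.kind}")
        for finding in hardening_findings(dev):
            print(f"        - {finding}")
```

Running it ranks the internet-facing router with Telnet and two exploitable CVEs first and the unpatched workstation last; the infusion pump scores modestly on exposure alone but is flagged because it sits on the office segment, which is the report's point that a low-exposure medical device still needs isolation because the consequence of compromise is so high.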
The vulnerability has been around for nearly 20 years and gives sophisticated attackers a way to bury virtually undetectable bootkits on devices with EPYC and Ryzen microprocessors.
The treaty would allow any country to request technology firms to aid in cybercrime investigations and preserve data about their users — potentially imperiling penetration testers and security researchers, among others.
A comprehensive analysis of data theft incidents investigated by ReliaQuest from September 2023 to July 2024 revealed that Rclone, WinSCP, and cURL are among the most prevalent exfiltration tools used by threat actors.
Researchers discovered that a solar grid responsible for 20% of the world's solar power output, enough to power the entire United States, is at risk of being hijacked due to vulnerabilities in PV plant management platforms.
Recent findings indicate that the 7777 botnet (aka Quad7) has likely expanded, adding new bots with open port 63256, primarily including Asus routers. As of August 5, 2024, the total number of active bots stood at 12,783.
The malware attack flow involves luring users with fake websites imitating popular downloads, then executing PowerShell scripts to download and install malicious extensions that steal private data and control browser settings.
A fraudulent site resembling the official WinRar distribution platform is spreading malware. The fake website, win-rar[.]co, utilizes typosquatting to trick users who mistype the URL.
Quorum Cyber Incident Response team recently identified a new malware called SharpRhino utilized by the threat actor group Hunters International during a ransomware incident. The malware, written in C#, was distributed through a typosquatting domain posing as Angry IP Scanner.
CrowdStrike is looking to acquire patch management specialist Action1 in a deal worth nearly $1 billion. Action1's Co-Founder and CEO confirmed the discussions with CrowdStrike employees in a memo.
The vulnerabilities affect all versions of OpenVPN prior to 2.6.10 and 2.5.10. Attackers could gain full control over targeted endpoints by exploiting these vulnerabilities.
Researchers at AppOmni revealed that adversaries no longer need to complete all seven stages of a traditional kill chain to achieve their goals. This shift requires organizations to rethink their cybersecurity strategies.
Earth Baku has expanded its operations beyond the Indo-Pacific region to Europe, the Middle East, and Africa. They are now targeting countries like Italy, Germany, UAE, and Qatar, with suspected activities in Georgia and Romania.
RunZero recently released SSHamble, an open-source tool for testing the security of SSH services. This tool helps security teams detect dangerous misconfigurations and software bugs in SSH implementations.
The vulnerability, tracked as CVE-2024-20419, allows unauthenticated attackers to change any user's password remotely. To secure vulnerable Cisco Smart Software Manager On-Prem servers, admins must upgrade to a fixed release.
Gaining visibility in OT networks is challenging due to differences in communication protocols between IT and OT systems. Building trust between OT and IT teams is essential, as their priorities often conflict.
The phishing site tricks users into downloading a malicious file disguised as Google Authenticator, which then drops the two malware components. The ACR Stealer exfiltrates data to a C&C server, while Latrodectus maintains persistence on the machine.
The initiative, called Secure by Design, was introduced by the Cybersecurity and Infrastructure Security Agency at the RSA Conference, with an initial 70 firms committing to improving security features.
Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) have made it easier for cybercriminals to carry out sophisticated attacks, according to Darktrace. These subscription-based tools have lowered the barrier for less experienced attackers.
The vulnerability, identified as CVE-2024-38200, affects various versions of Office, including Microsoft Office 2016, Microsoft Office LTSC 2021, Microsoft 365 Apps, and Microsoft Office 2019.
The United Nations has unanimously passed its first cybercrime treaty, initially proposed by Russia. This treaty establishes a global legal framework for addressing cybercrime and data access.
The first vulnerability, CVE-2024-42219, allows bypassing inter-process communication protections and impersonation of trusted 1Password integrations. The second, CVE-2024-42218, lets attackers bypass security mechanisms using outdated app versions.
Shorter TLS certificate lifespans are expected to create challenges for management efforts, with 76% of security leaders acknowledging the need to transition to shorter lifespans for increased security, according to Venafi.
The vulnerabilities affect devices before the Sonos S2 release 15.9 and Sonos S1 release 11.12. These flaws could be exploited to compromise devices over the air and capture audio covertly.
Gentoo Linux Security Advisory 202408-33 - Multiple vulnerabilities have been discovered in protobuf-c, the worst of which could result in denial of service. Versions below 1.4.1 are affected; 1.4.1 and later are fixed.
Gentoo Linux Security Advisory 202408-32 - Multiple vulnerabilities have been discovered in PHP, the worst of which can lead to a denial of service. Versions below 8.1.29 in the 8.1 slot are affected; 8.1.29 and later are fixed.
Gentoo Linux Security Advisory 202408-31 - A vulnerability has been discovered in protobuf and protobuf-python, which can lead to a denial of service. Versions below 3.20.3 are affected; 3.20.3 and later are fixed.
Gentoo Linux Security Advisory 202408-30 - A vulnerability has been discovered in dpkg, which allows for directory traversal. Versions below 1.20.9-r1 are affected; 1.20.9-r1 and later are fixed.
Gentoo Linux Security Advisory 202408-29 - Multiple vulnerabilities have been discovered in MuPDF, the worst of which could lead to arbitrary code execution. Versions below 1.20.0 are affected; 1.20.0 and later are fixed.
Gentoo Linux Security Advisory 202408-28 - A vulnerability has been discovered in rsyslog, which could possibly lead to remote code execution. Versions below 8.2206.0 are affected; 8.2206.0 and later are fixed.
Gentoo Linux Security Advisory 202408-27 - A vulnerability has been discovered in AFLplusplus, which can lead to arbitrary code execution via an untrusted current working directory. Versions below 4.06c are affected; 4.06c and later are fixed.
Gentoo Linux Security Advisory 202408-26 - Multiple vulnerabilities have been discovered in matio, the worst of which could lead to arbitrary code execution. Versions below 1.5.22 are affected; 1.5.22 and later are fixed.
Gentoo Linux Security Advisory 202408-25 - Multiple vulnerabilities have been discovered in runc, the worst of which could lead to privilege escalation. Versions below 1.1.12 are affected; 1.1.12 and later are fixed.
Ubuntu Security Notice 6926-3 - 黄思聪 discovered that the NFC Controller Interface implementation in the Linux kernel did not properly handle certain memory allocation failure conditions, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service. It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel when modifying certain settings values through debugfs. A privileged local attacker could use this to cause a denial of service.
Gentoo Linux Security Advisory 202408-24 - A vulnerability has been discovered in Ruby on Rails, which can lead to remote code execution via deserialization of untrusted data. Versions below 6.1.6.1 in the 6.1 slot are affected; 6.1.6.1 and later are fixed.
Gentoo Linux Security Advisory 202408-23 - Multiple vulnerabilities have been discovered in GnuPG, the worst of which could lead to signature spoofing. Versions below 2.4.4 are affected; 2.4.4 and later are fixed.
Gentoo Linux Security Advisory 202408-22 - Multiple vulnerabilities have been discovered in Bundler, the worst of which could lead to arbitrary code execution. Versions below 2.2.33 are affected; 2.2.33 and later are fixed.
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions below 2.2.0 are affected; 2.2.0 and later are fixed.
Red Hat Security Advisory 2024-5194-03 - An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include deserialization and memory exhaustion vulnerabilities.
Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions below 1.0.11 are affected; 1.0.11 and later are fixed.
The Russian government and IT organizations are the target of a new campaign that delivers a number of backdoors and trojans as part of a spear-phishing campaign codenamed EastWind. The attack chains are characterized by the use of RAR archive attachments containing a Windows shortcut (LNK) file that, upon opening, activates the infection sequence, culminating in the deployment of malware such
Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be abused to gain root privileges to the devices and stage follow-on attacks. The elevated access could then be weaponized to decrypt encrypted firmware files and encrypted data such as passwords in configuration files, and even get correctly signed X.509 VPN certificates for foreign
In 2023, no fewer than 94 percent of businesses were impacted by phishing attacks, a 40 percent increase compared to the previous year, according to research from Egress. What's behind the surge in phishing? One popular answer is AI – particularly generative AI, which has made it trivially easier for threat actors to craft content that they can use in phishing campaigns, like malicious emails
Cybersecurity researchers have identified a number of security shortcomings in photovoltaic system management platforms operated by Chinese companies Solarman and Deye that could enable malicious actors to cause disruption and power blackouts. "If exploited, these vulnerabilities could allow an attacker to control inverter settings that could take parts of the grid down, potentially causing
After a good year of sustained exuberance, the hangover is finally here. It’s a gentle one (for now), as the market corrects the share price of the major players (like Nvidia, Microsoft, and Google), while other players reassess the market and adjust priorities. Gartner calls it the trough of disillusionment, when interest wanes and implementations fail to deliver the promised breakthroughs.
The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges. The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity. "A signal handler in sshd(8) may call a logging function
A notorious ransomware group has demanded more than half a billion dollars from victims in less than two years. Read more in my article on the Hot for Security blog.
Political organisations and election candidates have become targets for threat actors that wish to disrupt and interfere in the democratic process. This can be part of a wider hybrid campaign to influence voters. Cyber attacks that target election candidates or organisations can be very damaging to the candidates themselves, the political party they represent, or […] The entry "Cybersecurity_Political_Organisations_Election_Candidates" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Standardized guidelines and best practices: the National Institute of Standards and Technology (NIST) created a voluntary framework consisting of standard guidelines and best practices to address cybersecurity risks. The five pillars represent a holistic approach to cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) explains and summarizes the framework's five function areas. Cyber vulnerability data […] The entry "Cyber Technology Practice Playbook Part I: Common Adversary Attacks – A practical guide for executives to navigate best practices in cyber risk management" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
(Members-only content.) The entry "Cyber Security on Azure: An IT Professional's Guide to Microsoft Azure Security" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
This guide presents details about how to monitor and log cyber security events, some of which are potential indicators of compromise (IOC) that can lead to cyber security incidents if not addressed quickly and effectively. The guide provides practical advice on how to manage logs effectively, deal with suspicious events, use cyber security intelligence and address […] The entry "Cyber Security Monitoring and Logging Guide" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
(Members-only content.) The entry "ASSET IDENTIFICATION & CLASSIFICATION: A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
What is a CPS? As defined by Gartner®, cyber-physical systems (CPS) are "engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans). When secure, they enable safe, real-time, reliable, resilient and adaptable performance." The term CPS encompasses operational technology (OT) assets, building management system (BMS) equipment, […] The entry "Cyber Physical Systems CPS Security" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
(Members-only content.) The entry "CybercrimeTrends 2024: The latest threats and security best practices" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
This guide provides an introduction to Cyber Threat Intelligence (CTI). It provides accessible advice on the theory and practice of CTI products and services. It outlines the key concepts and principles that underpin cyber threat intelligence, along with the ways organisations use cyber threat intelligence to predict, prevent, detect and respond to potential cyber […] The entry "Cyber Threat Intelligence Guide – What Is Cyber Threat Intelligence and How Is It Used?" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
(Members-only content.) The entry "Cyber Security Politics: Socio-Technological Transformations and Political Fragmentation" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
(Members-only content.) The entry "Cybersecurity Program Template: A resource to help individual licensees and individually owned businesses develop a cybersecurity program as required by New York State's Cybersecurity Regulation 23 NYCRR Part 500" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.