Cyber security aggregate rss news

Cyber security aggregator - feeds history

Critical WPML Plugin ...

Cybersecurity News

A critical vulnerability has been discovered in the WPML (WordPress Multilingual) plugin, exposing millions of WordPress websites to potential Remote Code Execution (RCE) attacks. The flaw, identified as CVE-2024-6386 and classified as "critical" due to its severity, allows attackers with contributor-level access or higher to execute arbitrary code on the server, potentially leading to a complete site takeover.

The WPML plugin is a popular choice for building multilingual websites on the WordPress platform. With over one million active installations, it plays a vital role in catering to a global audience for many businesses and organizations. This discovery highlights the importance of maintaining plugin security and the severe consequences of vulnerabilities in widely used tools.

Understanding the Vulnerability

The vulnerability lies in the plugin's handling of shortcodes, snippets of code used to insert functionality such as audio, video, or social media feeds into website content. WPML uses Twig templates to render content within shortcodes. Security researcher Matt Rollings, who goes by the alias Stealthcopter, discovered that the plugin fails to properly sanitize user input within these templates, leading to server-side template injection (SSTI).

In simpler terms, an attacker can place template syntax inside seemingly harmless content such as a shortcode. When the plugin processes that content, the injected template code is evaluated on the server itself, granting the attacker unauthorized access and control. This could allow them to steal sensitive information, install malware, redirect website traffic, or completely deface the website.

(Image source: Stealthcopter Research)

WPML Patch

The WPML team promptly responded to the vulnerability disclosure and released a patched version (WPML 4.6.13) on August 20, 2024. It is crucial for all WordPress website owners using the WPML plugin to update to this latest version immediately; any delay in applying the patch leaves websites open to exploitation.

Here's how to update the WPML plugin:

1. Log in to your WordPress dashboard.
2. Navigate to Plugins > Installed Plugins.
3. Locate the WPML plugin and click "Update" if a newer version is available.
4. Once the update is complete, click "Activate" to ensure the patched version is running.

Additionally, website owners should consider the following security measures:

- Regular Plugin Updates: Keeping all plugins and themes up to date is essential. Regularly check for updates and install them as soon as they become available, so that known vulnerabilities are addressed promptly.
- Strong Passwords: Enforce strong and unique passwords for all user accounts, including those with Contributor or higher privileges. Avoid easily guessable passwords or dictionary words.
- Security Plugins: Consider installing a reputable security plugin that can monitor website activity and alert you to suspicious behavior. These plugins may not prevent all attacks, but they can be a valuable tool for identifying and responding to potential threats.
- Regular Backups: Maintain regular backups of your website data, so that you have a clean, uncompromised copy of your website in case of an attack. Backups can be used to restore your website to a functioning state quickly and minimize downtime.

The WPML vulnerability serves as a stark reminder of the ever-evolving cybersecurity landscape. While patching the immediate flaw is critical, it highlights the need for a broader approach to website security.
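The SSTI pattern described above, reduced to its essence in an added Python example that is not WPML's code and does not come from the page or the researcher: a toy template engine that only resolves {{ name }} lookups stands in for Twig, and `render_shortcode_unsafe`, `render_shortcode_safe`, the server-side context and the sample shortcode text are all constructed for illustration. The difference between the two functions is the whole fix: whether attacker-controlled text becomes part of the template source, or is handed to the template as data.

```python
import html
import re

# Toy template engine standing in for Twig: it only resolves {{ name }}
# variable lookups, so it cannot execute code the way a real engine can.
# Hypothetical code written for this page, not WPML's implementation.
TOKEN = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render(template: str, context: dict) -> str:
    """Resolve every {{ name }} in the template source against the context."""
    return TOKEN.sub(lambda m: str(context.get(m.group(1), "")), template)


# Constructed server-side context: the kind of data a template can reach.
SERVER_CONTEXT = {"site_title": "Example Site", "db_password": "constructed-secret"}


def render_shortcode_unsafe(user_text: str) -> str:
    """Vulnerable pattern: attacker-controlled text is concatenated into the
    template source, so any template syntax it contains is interpreted."""
    template_source = "<p>" + user_text + "</p>"
    return render(template_source, SERVER_CONTEXT)


def render_shortcode_safe(user_text: str) -> str:
    """Hardened pattern: the template is a fixed string and the user text is
    supplied as a variable, so its contents are inserted, never interpreted.
    The text is also HTML-escaped, since it lands in page markup."""
    data = {**SERVER_CONTEXT, "text": html.escape(user_text)}
    return render("<p>{{ text }}</p>", data)


if __name__ == "__main__":
    probe = "Hello {{ db_password }}"  # constructed shortcode content
    print("unsafe:", render_shortcode_unsafe(probe))  # resolves the lookup: leaks the secret
    print("safe:  ", render_shortcode_safe(probe))    # braces come out literally
```

A real engine such as Twig also evaluates expressions, filters and calls, which is why an injection of this kind escalates from reading a variable to running code on the server; the toy renderer only shows the boundary that matters, template source versus template data.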

Versa Director Zero- ...

Cybersecurity News

A zero-day vulnerability in Versa Director servers is proof that a vulnerability doesn’t require a critical severity rating and thousands of exposures to do significant damage. CVE-2024-39717, announced last week, carries a 7.2 (high) CVSS rating from the NIST National Vulnerability Database (NVD) and a 6.6 (medium) rating from HackerOne. What’s more, Cyble’s ODIN vulnerability scanning platform found just 31 internet-exposed Versa Director instances, 16 of which were in the U.S.

Here’s the problem: Versa Director servers manage network configurations for Versa’s SD-WAN software, which is often used by internet service providers (ISPs) and managed service providers (MSPs), so even a single exposure could be a big deal. As a result, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Versa Director ‘VersaMem’ Zero-Day Exploit

Researchers from Lumen’s Black Lotus Labs discovered the exploit targeting ISPs, MSPs and IT companies as early as June 12, 2024. The vulnerability was publicly announced on Aug. 22 and affects all Versa Director versions prior to 22.1.4.

The researchers identified a custom web shell tied to the vulnerability, which they dubbed “VersaMem.” The web shell was used to intercept and harvest credentials in order to gain access to downstream customers’ networks as an authenticated user. VersaMem is also modular in nature and allows the threat actors to load additional Java code that runs exclusively in memory.

The researchers identified “actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability” at four U.S. and one non-U.S. victim in the ISP, MSP and IT space. The threat actors gained initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which led to the deployment of the VersaMem web shell. The researchers attributed the attacks “with moderate confidence” to the China state-sponsored threat actors known as Volt Typhoon and Bronze Silhouette.

VersaMem Mitigations

Versa Director users are urged to upgrade to version 22.1.4 or later and to follow additional guidance from the vendor, such as applying hardening techniques and firewall rules. The researchers also posted Indicators of Compromise (IoCs) on GitHub.

Additional mitigation recommendations include:

- Blocking external/northbound access to ports 4566 and 4570 and ensuring that they are only open between the active and standby Versa Director nodes for HA-pairing traffic.
- Updating Versa Director systems to version 22.1.4 or later, or applying a hotfix and other measures advised by Versa.
- Searching for interactions with port 4566 on Versa Director servers from non-Versa node IPs.
- Searching the Versa webroot directory (recursively) for files ending with a .png extension that are not valid PNG files.
- Checking for newly created user accounts and other abnormal activity.
- Auditing user accounts, reviewing system/application/user logs, rotating credentials, analyzing downstream customer accounts and triaging lateral movement attempts if any IoCs are identified or if ports 4566 or 4570 were exposed for any period of time.

Cyble threat researchers also recommended a number of additional steps:

- Implement robust network traffic monitoring to detect unusual activities, such as lateral movement, unauthorized access, or data exfiltration.
- Enforce MFA for all users, especially those with access to Versa Director servers, to mitigate the risk of credential hijacking.
- Perform regular audits of user credentials and privilege levels to ensure that only authorized personnel have access to critical systems.
- Implement network segmentation to limit attackers' ability to move laterally across networks, particularly between critical infrastructure and less sensitive areas.
- Ensure that regular backups of critical systems and configurations are performed, stored securely, and tested for integrity.
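Two of the hunting steps listed above, the recursive webroot sweep for .png files that are not real PNGs and the search for HA-pairing port connections from non-Versa-node IPs, as an added Python example that is not from the page, Lumen, Cyble or Versa. The page gives no log format, so the connection-log line layout, the sample lines, the node addresses and the constructed webroot are all assumptions made for the example; the PNG signature check itself is the standard 8-byte file header.

```python
import ipaddress
import re
import tempfile
from pathlib import Path

# Every valid PNG file starts with this fixed 8-byte signature.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# HA-pairing ports named in the guidance above.
HA_PORTS = (4566, 4570)


def is_png(head: bytes) -> bool:
    """True when the first 8 bytes carry the PNG signature."""
    return head[:8] == PNG_SIGNATURE


def fake_png_names(entries):
    """Given (name, first_bytes) pairs, return names ending in .png (any case)
    whose content does not start with the PNG signature."""
    return sorted(name for name, head in entries
                  if name.lower().endswith(".png") and not is_png(head))


def find_fake_pngs(webroot: str) -> list:
    """Recursively read the head of every file under webroot and apply fake_png_names."""
    def heads():
        for path in Path(webroot).rglob("*"):
            if path.is_file():
                with path.open("rb") as fh:
                    yield str(path), fh.read(8)
    return fake_png_names(heads())


# Constructed connection-log format (an assumption, not Versa's own):
# "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=\S+\s+dport=(?P<dport>\d+)")


def unexpected_ha_port_access(log_lines, versa_node_ips, ports=HA_PORTS) -> list:
    """Return log lines where a source that is not a Versa node reached an HA-pairing port."""
    allowed = {ipaddress.ip_address(ip) for ip in versa_node_ips}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or int(m.group("dport")) not in ports:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed address: skip the line rather than abort the sweep
        if src not in allowed:
            hits.append(line)
    return hits


if __name__ == "__main__":
    # Constructed webroot: one genuine PNG header, one text file disguised as an image.
    with tempfile.TemporaryDirectory() as root:
        Path(root, "img").mkdir()
        Path(root, "img", "logo.png").write_bytes(PNG_SIGNATURE + b"\x00" * 8)
        Path(root, "img", "cache.PNG").write_bytes(b"<!-- constructed: not an image -->")
        print("files to inspect:", find_fake_pngs(root))

    sample_log = [  # constructed lines; 10.0.0.10/11 are the assumed active/standby nodes
        "2024-08-23T10:15:02Z src=10.0.0.11 dst=10.0.0.10 dport=4566 proto=tcp",
        "2024-08-23T10:15:09Z src=203.0.113.7 dst=10.0.0.10 dport=4566 proto=tcp",
        "2024-08-23T10:16:00Z src=203.0.113.7 dst=10.0.0.10 dport=443 proto=tcp",
    ]
    for hit in unexpected_ha_port_access(sample_log, ["10.0.0.10", "10.0.0.11"]):
        print("review:", hit)
```

The extension check is deliberately case-insensitive, because a file named `.PNG` still satisfies "ending with a .png extension" for the sweep, and the log parser skips lines it cannot parse instead of raising, so one odd line does not stop a review of a large log.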

Port of Seattle Reel ...

Ransomware News

The Port of Seattle, an agency that oversees properties including the Seattle-Tacoma International Airport, has been grappling with a significant disruption to its systems since the morning of August 24, 2024. Officials have now reported the incident as a “possible cyberattack.” The widespread outages and the nature of the disruptions strongly suggest malicious intent. This incident highlights the growing vulnerability of critical infrastructure to cyber threats and the potential for cascading disruptions across vital services.

Initial Disruptions in Operations at the Port of Seattle

The first signs of trouble emerged on Saturday morning when the Port of Seattle, which oversees the Seattle-Tacoma International Airport (Sea-Tac), reported experiencing "certain system outages indicating a possible cyberattack." These outages primarily affected internet connectivity and internal systems, leading to a domino effect of disruptions across airport operations. Flight information displays stopped working, phone lines went down, and airlines were forced to fall back on manual processes for tasks like check-in and baggage handling. Passengers faced delays and confusion, with some international travelers encountering additional hurdles due to the disrupted systems.

(Image source: Washington Ports website)

On Tuesday, the agency posted an update that “Seattle-Tacoma International Airport (SEA) is making progress on restoring the previously impacted elements of the baggage system. Multiple teams have implemented and are using a variety of methods to ensure bags reach their aircraft. Travelers should continue to prioritize carry-on luggage if possible.”

“If you are traveling today, please check with your airline for flight and baggage information. Plan to arrive two hours before a domestic flight and three hours before an international flight,” it added.

Response and Recovery Efforts

The Port of Seattle quickly mobilized its IT team to isolate critical systems and prevent further damage from the potential attack. They prioritized restoring core functionality, focusing on getting flight information displays back online and re-establishing internet connectivity. However, the full recovery process is expected to take time, and officials haven't provided a specific timeline for when all systems will be fully operational.

Meanwhile, in its latest post on X, SEA wrote, “Customer service has recruited staff from the Port’s corporate and maritime divisions to help assist travelers during the system outage.”

(Image source: X)

Uncertainties and Ongoing Investigation

While the Port of Seattle hasn't explicitly stated that a cyberattack is to blame, the nature of the disruptions aligns closely with known cyberattack tactics. The loss of internet access, outages concentrated on critical information displays, and the timing all raise red flags of a ransomware attack.

The incident at Sea-Tac is the latest in a series of cyberattacks targeting critical infrastructure in Seattle and elsewhere. It follows a July incident in which a routine software update led to a mass internet outage, grounding flights and disrupting business operations nationwide. The Port of Seattle is collaborating with federal law enforcement agencies to investigate the cause of the disruptions and determine whether a cyberattack was indeed the culprit.

The Impact and Potential Concerns

The disruptions at the Port of Seattle highlight the critical role technology plays in modern transportation infrastructure. While the incident hasn't caused any major safety concerns, it has undoubtedly caused significant inconvenience for passengers and airlines alike. Delays, cancellations, and manual processes can have a ripple effect, affecting not just the airport but also businesses, travel plans, and the overall efficiency of the region's transportation network.

The incident also raises concerns about the overall cyber preparedness of critical infrastructure. The Port of Seattle, like many other transportation hubs, relies heavily on technology to manage daily operations. These systems are attractive targets for cybercriminals seeking to disrupt operations, extort money through ransomware, or steal sensitive data.

Shield Your Home fro ...

Firewall Daily

We live in a digital age in which knowledge of online security has become indispensable. With the growing number of threats online, making sure your website is secure has become more important than ever. Whether you are working from home, making transactions online, or simply browsing the web, you may need stronger security on your home computers. In this article, we look at some small steps you can follow to achieve maximum security online at home.

Understanding the Threat Landscape

Before diving into protective measures, it's crucial to understand the types of threats that exist in the online world. Cybercriminals employ various tactics to exploit vulnerabilities, including:

- Phishing Attacks: Deceptive emails or messages designed to trick you into revealing personal information.
- Malware: Malicious software that can damage your computer or steal your data.
- Ransomware: A type of malware that encrypts your files and demands payment for their release.
- Data Breaches: Unauthorized access to your personal or financial information stored online.

Steps to Enhance Online Security

By recognizing these threats, you can take proactive steps to enhance your online security.

Step 1: Strengthen Your Passwords

The simplest but most effective way to boost your security is to use strong, complex passwords for all of your accounts. A good password is at least 12 characters long and contains a mixture of upper-case and lower-case letters, numbers and symbols. Do not use easily guessable information such as birthdays or simple words. Consider using a password manager to keep track of your passwords. This tool can generate strong passwords and automatically fill them in for you, reducing the temptation to reuse passwords across multiple sites.

Step 2: Enable Two-Factor Authentication (2FA)

Two-factor authentication protects your online accounts with an additional layer of security. Logging in with 2FA requires two factors of verification: something you know (your password) and something you have on hand, typically a code sent to your phone number or email address. Activate 2FA for any accounts that support it, in particular email, banking and social media. This extra step dramatically lowers the risk of an illegitimate login attempt succeeding.

Step 3: Keep Your Software Updated

Regularly updating your software, including your operating system, web browsers, and applications, is crucial for maintaining maximum security. Software updates often include security patches that address vulnerabilities that cybercriminals could exploit. Enable automatic updates whenever possible to ensure that you always have the latest security features and fixes.

Step 4: Install Antivirus and Anti-Malware Software

Using recognized antivirus and anti-malware software on your devices is a must for maximum security. These programs can identify, isolate, and remove malware before it does lasting harm. Keep your antivirus software on and updated at all times to fend off new threats.

Step 5: Use a Virtual Private Network (VPN)

A VPN is an excellent tool for enhancing your online security, especially when using public Wi-Fi networks. A VPN encrypts your internet connection, making it difficult for hackers to intercept your data. This is particularly important when accessing sensitive information, such as online banking or personal accounts. Choose a reputable VPN service that does not log your online activities to ensure your privacy is maintained.

Step 6: Be Cautious with Public Wi-Fi

While public Wi-Fi is convenient, it can also be a hotbed for cybercriminal activity. Avoid accessing sensitive accounts or conducting financial transactions on public networks. If you must use public Wi-Fi, ensure you are connected to a VPN to secure your connection. Additionally, turn off sharing settings on your devices when using public networks to prevent unauthorized access.

Step 7: Educate Yourself and Your Family

Staying secure at home also means understanding online dangers and safe habits. Train your family to recognize common scams and phishing attempts and to follow safe browsing practices. Teach them to think twice before they click on a link or post personal information on social media. Regular conversations about online security help everyone become more vigilant and knowledgeable.

Step 8: Regularly Review Account Activity

Finally, regularly review your account activity for any unusual behavior. Check your bank statements, email accounts, and social media profiles for unauthorized transactions or messages. If you notice anything suspicious, take immediate action, such as changing your passwords and contacting your bank or service provider.

Achieving maximum online security at home comes down to a combination of strong passwords, two-factor authentication, updated software, antivirus protection, and educating your family. With these steps in place, the chances of being caught out by a cybersecurity threat are dramatically lowered, and our digital footprints can be better secured in an ever-connected world. Safeguarding yourself online is a no-brainer and something to be actively pursued in today's day and age.

A Conversation with  ...

Firewall Daily

In a recent chat with The Cyber Express, Kanesan Pandi shared the story of his 25-year journey through the world of information security. Starting his career in the UAE, Pandi has seen the IT and security landscape evolve dramatically, adapting and thriving through each change. When he's not navigating the complexities of cybersecurity, Pandi enjoys spending time with his family. He’s a proud father of two: one son is deep into a master’s program in Business Analytics, while the other is carving out his own path in cybersecurity. Today, Pandi is the Head of Information Security at Galadaribrothers, where he draws on his extensive experience from the retail and financial sectors to lead and innovate.

Kanesan Pandi Interview Excerpts

TCE: Can you share your journey into the field of information security? What initially sparked your interest in cybersecurity?

My journey into information security began with a fascination for technology and problem-solving. Initially, I was drawn to the field through my interest in how systems work and the challenge of protecting them from bad actors. My early experiences in IT and exposure to security incidents deepened my curiosity, leading me to specialize in cybersecurity. Over time, I developed a passion for staying ahead of emerging threats and continuously improving security measures, which has driven my career in this dynamic and critical field.

TCE: With your extensive experience, what have been some of the most significant challenges you’ve faced in securing an organization's digital assets?

Some of the most significant challenges in securing an organization's digital assets include:

- Evolving Threat Landscape: Constantly adapting to new and sophisticated cyber threats.
- Balancing Security and Usability: Ensuring robust security without hindering business operations.
- Managing Legacy Systems: Securing outdated systems that may not support modern security measures.
- Compliance with Diverse Regulations: Navigating complex and varying legal requirements across regions.
- Employee Awareness: Addressing human error through continuous training and awareness programs.
- Resource Constraints: Managing limited budgets and resources while maintaining strong security defenses.

These challenges require ongoing vigilance, adaptability, and strategic planning to effectively protect digital assets.

TCE: When a company operates in a diverse range of industries, how do you tailor your cybersecurity strategies to meet the unique requirements of each sector?

When operating across diverse industries, cybersecurity strategies are tailored by:

- Industry-Specific Risk Assessments: Identifying unique risks and compliance requirements for each sector.
- Customized Security Controls: Implementing controls that address the specific threats and regulations relevant to each industry.
- Flexible Security Frameworks: Adapting frameworks to fit the varying needs while maintaining a strong overall security posture.
- Specialized Training: Providing sector-specific security awareness training for staff.
- Collaboration with Industry Experts: Engaging with experts to stay informed on industry-specific threats and best practices.

This approach ensures that security measures are both effective and aligned with the distinct needs of each industry.

TCE: In your opinion, what are the key components of an effective threat intelligence program, and how do you ensure it remains relevant in the face of evolving threats?

Key components of an effective threat intelligence program include:

- Real-Time Data Collection: Continuously gathering threat data from diverse sources.
- Analysis and Correlation: Using tools to analyze and correlate data to identify actionable insights.
- Integration with Security Operations: Embedding intelligence into daily operations for proactive defense.
- Collaboration: Sharing intelligence with industry peers and participating in threat-sharing communities.
- Continuous Update and Adaptation: Regularly updating intelligence to reflect the latest threat landscape and adjusting strategies accordingly.

To ensure relevance, the program must be dynamic, incorporating feedback and lessons learned from ongoing threats and emerging trends.

TCE: Could you describe the most complex security incident you’ve encountered in your career? How did you and your team manage the situation?

I managed a complex ransomware attack that started with a perimeter breach, a supply chain attack, and phishing emails, impacting multiple departments and encrypting critical files. We swiftly isolated the affected systems through our 24/7 SOC, assessed the situation, and engaged forensic experts. We identified Patient Zero and the root cause, cleaned the infected systems, restored data from backups, and rebuilt the compromised infrastructure. After the incident, we strengthened our security measures, updated response protocols and lessons learned, and conducted staff training. The attack was effectively controlled with minimal long-term impact, leading to a stronger overall security posture.

TCE: With the rise of AI and machine learning in cybersecurity, how do you see these technologies impacting threat detection and response? Are there any specific use cases you’ve explored?

We have chosen an AI-based endpoint protection solution that focuses on PPDR (Predict, Prevent, Detect, and Respond) rather than just AI feature sets. AI and machine learning significantly enhance threat detection and response by enabling accurate anomaly detection, predictive analytics, and automated incident responses. These technologies identify unusual patterns and potential threats more rapidly, automate routine tasks, and improve threat intelligence.

Specific use cases include:

- Malware Detection: Using ML to identify and block new malware.
- Phishing Prevention: Analysing emails to detect and filter phishing attempts.
- Network Security Monitoring: Monitoring traffic for signs of malicious activity.
- User Behaviour Analytics: Detecting abnormal user behaviours that may indicate insider threats.

While AI and ML provide substantial benefits, they also require ongoing training and careful management to reduce false positives and ensure effectiveness.

TCE: Threat intelligence and dark web monitoring are becoming crucial in preempting cyber threats. How have you integrated these elements into your overall security posture?

Digital Risk Protection is a key element of our security strategy. We’ve incorporated threat intelligence and dark web monitoring into our approach by utilizing real-time data feeds, threat intelligence platforms, and dark web monitoring tools. This enables us to quickly detect and respond to emerging threats.

Our approach includes:

- Proactive Threat Hunting: Actively seeking out potential threats before they impact the organization.
- Enhanced Incident Response: Improving our ability to manage and mitigate incidents effectively.
- Continuous Monitoring: Monitoring for compromised credentials, defamation, and leaked data.

By integrating these components with our security operations, including SIEM systems, we bolster our ability to anticipate, detect, and address potential threats, ensuring our defenses are robust and up to date.

TCE: With the increasing reliance on cloud services, what are the most critical security measures you’ve implemented to protect cloud-based assets?

To protect cloud-based assets, we’ve implemented several critical security measures:

- Zero Trust Architecture: Ensures all access requests are thoroughly verified.
- Strong Identity and Access Management (IAM): Includes multi-factor authentication and role-based access controls.
- Data Encryption: Protects sensitive data both at rest and in transit.
- Continuous Monitoring: Detects and responds to unusual activities in real time.
- Regular Security Audits: Ensures compliance with industry standards.
- Secure Configuration Management: Prevents misconfigurations through automated tools.
- Backup and Disaster Recovery: Ensures quick data restoration if needed.
- Vendor Risk Management: Assesses the security practices of third-party providers.
- Security Awareness Training: Keeps staff informed about cloud security risks.

These measures collectively enhance the security of our cloud environment.

TCE: In a region like Dubai, where regulations and policies play a crucial role, how do you ensure that your cybersecurity policies align with local and international standards? What challenges do you face in maintaining compliance?

In Dubai, we ensure our cybersecurity policies align with local and international standards by staying up to date with regulations, conducting regular compliance audits, and adapting our security practices accordingly. We also engage with legal and regulatory experts to ensure adherence to frameworks like GDPR and local laws, if needed. Challenges include keeping pace with evolving regulations, managing diverse compliance requirements across regions, and ensuring that our policies are consistently applied across the organization while balancing operational efficiency.

TCE: Looking ahead, what do you see as the biggest cybersecurity challenges, and how are you preparing to address them?

Looking ahead, the major cybersecurity challenges include evolving threats such as ransomware, AI-driven attacks, supply chain vulnerabilities, and maintaining compliance with local and international regulations, all within a minimal budget. To address these challenges, we are:

- Investing in Advanced Threat Detection Technologies: To enhance our ability to identify and respond to threats.
- Enhancing Incident Response Capabilities: To manage and mitigate incidents more effectively.
- Adopting Zero Trust Architecture: To strengthen security by verifying every access request.
- Continuously Training Staff: To keep our team informed about the latest threats and best practices.
- Improving Threat Intelligence: To better anticipate and address emerging risks.
- Collaborating with Industry Peers: To stay ahead of evolving threats and share insights.

These steps will help us ensure robust defense mechanisms while navigating budget constraints.

TCE: What is the most recent project that impressed you and why?

Recently, I’ve been concentrating on Zero Trust, a key topic among every security vendor and professional, and one that has captured my interest as well. After a thorough evaluation over the past three years, I’ve determined that Zero Trust offers more significant budgetary benefits than simply replacing VPNs. Zero Trust is a framework that incorporates various processes and technologies to create a unified network, cloaked infrastructure, and effective lateral movement prevention (ring-fencing), which are crucial for today’s security landscape. It operates under the assumption that malicious actors are present, whether internal or external. I have reviewed several products and identified three primary types of zero-trust technologies:

- SASE-based
- SDP-based
- Firewall-based

I selected the best-in-class from SASE and SDP as a combination, along with PAM and EPAM, to ensure effective integration and deliverables. This approach has led to substantial cost savings and an optimized security stack.

Nacsa to Overhaul Cr ...

Firewall Daily

The National Cyber Security Agency (Nacsa) is set to undertake a revamp of its critical infrastructure listings under the newly enacted Cybersecurity Act 2024. This sweeping legislation, which was ratified by Malaysia’s Dewan Rakyat in April and officially came into effect on August 26, 2024, brings with it a series of pivotal changes aimed at enhancing national cybersecurity.

As part of the implementation of the Cybersecurity Act 2024, Nacsa will review and update the list of entities designated as National Critical Information Infrastructure (NCII). Dr. Megat Zuhairy Megat Tajuddin, the Chief Executive of Nacsa, highlighted in a recent briefing that the agency will reassess the 299 entities currently listed under the guidelines of the National Security Council Directive No. 26.

Revising the National Critical Information Infrastructure (NCII) List under the Cybersecurity Act 2024

Dr. Megat Zuhairy indicated that the new criteria established by the Cybersecurity Act 2024 are designed to provide greater clarity and precision in the designation of NCII entities. “We anticipate that the number of NCII entities will likely increase as the new criteria are more comprehensive and detailed. Additionally, sector heads have been given the authority to identify NCII entities within their own sectors,” he explained.

(Image source: Malaysia Federal Legislation)

The Cybersecurity Act 2024 introduces several critical measures aimed at strengthening the nation’s cybersecurity framework. Officially endorsed by His Majesty Sultan Ibrahim, King of Malaysia, on June 18, and published in the gazette on June 26, the Act mandates a more robust approach to cybersecurity management and response.

The Cybersecurity Act 2024 introduces four key regulations to enhance cybersecurity protocols. The regulation on the Compounding of Offences allows certain offenses to be resolved through financial penalties instead of judicial proceedings. This approach aims to streamline the handling of minor infractions and reduce the burden on the court system.

Another crucial regulation, Notification on Cybersecurity Incidents, mandates that entities designated as National Critical Information Infrastructure (NCII) must promptly report any cybersecurity incidents via the NC4 email system. Initial notifications are required within six hours of discovering an incident, with more detailed reports to be submitted within 14 days, ensuring timely and thorough communication of security breaches.

The Act also emphasizes the importance of Risk Assessment and Audit. Regular risk assessments and audits are required to ensure that cybersecurity measures remain current and effective, providing a proactive approach to managing potential vulnerabilities.

Finally, the Licensing of Cybersecurity Service Providers regulation establishes a licensing system for entities offering cybersecurity services. This system ensures that only qualified and competent providers are authorized to deliver essential cybersecurity support, thereby upholding high standards in the industry.

Sector-Specific Regulations and Confidentiality Measures

The Cybersecurity Act 2024 impacts 11 distinct sectors, each identified as essential to the nation’s critical information infrastructure. These sectors include government, banking and finance, transportation, defense and national security, information and communication technology, healthcare services, water management, sewerage and waste management, energy, agriculture and plantation, trade and industry, and science and technology.

Dr. Megat Zuhairy emphasized the confidentiality of the NCII list, noting that it will not be publicly disclosed to avoid exposing these entities to potential cyber threats. Instead, only the list of sector heads will be made available on the Nacsa website. “The list of NCII entities is classified to prevent them from becoming targets of cyberattacks,” he stated.

One of the significant changes under the Cybersecurity Act 2024 is the stringent reporting requirements for NCII entities. According to the Cyber Security Regulations (Cyber Security Incident Notification) 2024, any cybersecurity incident must be reported through the NC4 system within six hours of detection. The initial report must include details such as the name of the authorized contact, information about the affected entity, the nature and severity of the incident, and the method of its discovery. Following the initial report, a more detailed account must be submitted to Nacsa within 14 days. This process aims to ensure that cybersecurity incidents are promptly and thoroughly addressed, enhancing the overall resilience of the NCII sectors.

The Cybersecurity Act 2024 also outlines several legal provisions to support its enforcement. Authorized officers are granted powers to access computerized data, conduct searches, and require the attendance of individuals with relevant knowledge about cybersecurity incidents. These provisions are designed to facilitate thorough investigations and ensure compliance with the Act. Furthermore, the Act includes measures to protect against interference and ensure the integrity of the investigative process. For instance, individuals who obstruct or impede authorized officers in their duties face substantial fines and potential imprisonment.

image for Critical Apache OFBi ...

 Firewall Daily

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a security vulnerability affecting Apache OFBiz, the open-source enterprise resource planning (ERP) system. This Apache OFBiz vulnerability, identified as CVE-2024-38856, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog due to ongoing evidence of its exploitation in the wild.

CVE-2024-38856 has been rated with a CVSS score of 9.8, classifying it as critical in severity. The vulnerability allows attackers to execute remote code without prior authentication, posing a severe risk to affected systems. It can be exploited through maliciously crafted requests, leading to remote code execution.

Decoding the Critical Apache OFBiz Vulnerability (CVE-2024-38856)

Apache OFBiz versions up to 18.12.13 are affected by CVE-2024-36104, while versions up to 18.12.14 are impacted by CVE-2024-38856. Apache OFBiz is a popular open-source ERP system that supports various business functions, such as customer relationship management and order processing. Due to its widespread use, security vulnerabilities in OFBiz can significantly affect businesses.

CVE-2024-38856, identified by the Apache Software Foundation, was published on August 5, 2024, and updated on August 28, 2024. This flaw involves incorrect authorization in Apache OFBiz versions up to 18.12.14, allowing unauthenticated access to certain endpoints. This can potentially enable attackers to execute screen rendering code if specific conditions are met, particularly if screen definitions fail to check user permissions due to endpoint configuration issues. The vulnerability is classified as CWE-863 Incorrect Authorization.

Recommended Actions

Organizations using Apache OFBiz are urged to upgrade to version 18.12.15 to address the critical security issue of CVE-2024-38856. Federal Civilian Executive Branch (FCEB) agencies must apply this update by September 17, 2024, to protect against potential exploits. This recommendation follows the earlier identification of CVE-2024-32113, another Apache OFBiz vulnerability that was added to the KEV catalog in August. CVE-2024-32113 had been exploited in attacks using the Mirai botnet, highlighting the serious risks associated with such flaws.

Although specific exploitation details for CVE-2024-38856 are currently limited, the presence of proof-of-concept exploits indicates that attackers are actively targeting this vulnerability. The emergence of these vulnerabilities in Apache OFBiz reflects a concerning trend of attackers exploiting known flaws in widely used software. This situation highlights the urgent need for organizations to implement timely updates and safeguard their systems against online threats and vulnerability exploitation. For guidance on addressing these vulnerabilities, users should consult Apache OFBiz’s official security resources and advisories.

Moreover, CISA "strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria".

image for Chip Giant AMD Hit b ...

 Cybersecurity News

Advanced Micro Devices (AMD) has reportedly fallen victim to another cyberattack. This marks the second such incident in 2024, with hackers allegedly compromising sensitive internal communications and employee information. The AMD cyberattack has been linked to criminal groups IntelBroker and EnergyWeaponUser, who are now offering the stolen data for sale on dark web marketplaces. The second alleged cyberattack on AMD, as reported by Firstpost, has resulted in the theft of a range of sensitive data, including user credentials, internal resolutions, and detailed case descriptions.

Details of the Latest AMD Cyberattack

This latest AMD cyberattack follows an earlier breach in June 2024, when IntelBroker claimed responsibility for a massive data leak from AMD. That AMD data breach, also disclosed on BreachForums, saw details of the intrusion and multiple data samples shared on the notorious dark web forum. In response to previous claims, AMD had issued a statement indicating that it is actively investigating the alleged breach. "We are working diligently to understand the implications of the reported breach and will provide updates as soon as we can," AMD told Reuters.

The data purportedly stolen in this latest cyberattack on AMD has surfaced on BreachForums, a dark web marketplace known for hosting and selling stolen data. The listing describes the data as originating from various sources, further complicating efforts to ascertain the full scope of the breach.

IntelBroker’s Track Record

IntelBroker, the group that has claimed responsibility for both the current and previous attacks on AMD, has been linked to several high-profile breaches in recent months. In July 2024, The Cyber Express reported that IntelBroker had allegedly leaked a substantial amount of data from Cognizant Technology Solutions. This leak reportedly included a document with 12 million lines from Cognizant’s internal website and user data from the company’s Oracle Insurance Policy Admin System (OIPA), a cloud-based DevOps solution. However, following inquiries by The Cyber Express, a spokesperson from Cognizant confirmed that their investigation revealed the leaked data involved a cloud-based testing environment containing fictional test data, rather than sensitive real-world information.

Awaiting Confirmation from AMD on Second Cyberattack

As of now, The Cyber Express Team has reached out to AMD officials for further verification of the current alleged data breach claims. Unfortunately, no response has been received, leaving the situation in a state of uncertainty. The absence of confirmation from AMD has left many questions unanswered about the potential impact of the cyberattack on AMD and the security measures in place to address it.

The recurring alleged cyberattacks on AMD highlight a growing trend of cyberattacks targeting major technology firms. The repeated involvement of IntelBroker highlights the persistent threat posed by cybercriminal organizations, emphasizing the need for enhanced cybersecurity measures and vigilance. As the situation develops, The Cyber Express will continue to monitor the incident closely, providing updates as more information becomes available.

image for Iranian State Hacker ...

 Cyber Warfare

A shadowy group of Iranian cyber actors is acting as access brokers for ransomware gangs and collaborating with affiliates to target the U.S. and its allies, exploiting vulnerabilities across sectors ranging from healthcare to local government. The FBI, CISA, and the Department of Defense Cyber Crime Center (DC3) warned today that these actors, believed to be state-sponsored, are focusing aggressively on access brokering and enabling ransomware attacks.

'Pioneer Kitten' Targets Critical Sectors

These Iranian state-backed cyber operatives, tracked under a number of aliases such as "Pioneer Kitten," "Fox Kitten" and "Lemon Sandstorm," started as early as 2017 and have intensified their activities through August 2024. These threat actors have been leveraging their access to critical U.S. infrastructure to collaborate with ransomware groups, creating a nexus of threats. The group's focus spans multiple critical U.S. industries, including education, finance, healthcare, and defense, as well as government entities.

These cyber actors are not only breaching networks but are also selling access to ransomware affiliates, such as NoEscape and BlackCat (also known as ALPHV), enabling these groups to execute ransomware attacks more effectively. The partnership between the Iranian actors and ransomware groups goes beyond mere access sales; they actively strategize to lock networks and maximize ransom payouts.

State-Sponsored Freelance Operatives?

While the FBI assesses that these actors are associated with the Government of Iran (GOI), their activities appear to operate on two fronts. On one hand, they conduct state-sponsored operations, particularly targeting Israel, Azerbaijan, and the UAE, to steal sensitive technical data. On the other, they engage in ransomware-enabling activities that seem unsanctioned by the Iranian government, raising questions about the true extent of their independence.

Microsoft also reported on an Iranian threat actor today - "Peach Sandstorm" - that is targeting satellite, communications, energy and government sectors in the U.S. and UAE, with espionage activities more expected of state threat actors.

Access Brokers for Ransomware Affiliates Among Tactics

The collaboration between these Iranian actors and ransomware groups is a significant development in the way state-sponsored actors work. They offer their partners full domain control and domain admin credentials, making it easier for ransomware groups to deploy their attacks. The affiliates, in turn, reward them with a cut of the ransom, which the Iranian actors receive in cryptocurrency—a method that further complicates tracking their activities.

Historically, these actors focused on gaining access to networks and selling that access on underground marketplaces. Now, they’re taking a more hands-on approach. This collaboration isn’t just about selling access; these actors are now deeply involved in executing the ransomware attacks themselves, locking down networks and negotiating with victims.

Exploiting Vulnerabilities

These Iranian actors have been known to exploit a range of vulnerabilities in widely used networking devices. For example, they have targeted Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPNs (CVE-2024-21887) and, most recently, Palo Alto Networks' PAN-OS (CVE-2024-3400). Palo Alto had in April revealed this RCE bug as actively exploited.

The threat actors use these vulnerabilities to gain initial access, often scanning IP addresses with tools like Shodan to identify exploitable devices. Once inside, they utilize web shells, deploy backdoors, and create malicious scheduled tasks to maintain persistence. They also repurpose compromised credentials to escalate privileges within the victim’s network, making their operations difficult to detect and stop. They’ve even been observed disabling security software and using legitimate tools like AnyDesk for remote access, making it harder for defenders to spot malicious activity.

Hack-and-Leak Campaigns

These Iranian actors have also been involved in hack-and-leak operations, such as the Pay2Key campaign in late 2020, which targeted Israel. They stole data and leaked it on the dark web to undermine Israel’s cyber infrastructure. Unlike typical ransomware campaigns, these operations are aimed more at causing political and social disruption than financial gain.

Iranian Threat Mitigations and Recommendations

To counter these threats, the FBI and CISA recommend that organizations review their logs for any traffic associated with known malicious IP addresses, apply patches to vulnerabilities like CVE-2024-3400, and check for unique identifiers linked to these actors. Regularly validating security controls against behaviors mapped to the MITRE ATT&CK framework is also advised.

The increasing sophistication and collaboration between Iranian cyber actors and ransomware groups calls for heightened vigilance across all sectors, particularly those critical to national security. As these actors continue to evolve, the line between cybercrime and state-sponsored espionage blurs further. Staying vigilant is an imperative, as the consequences of these attacks go beyond financial loss—they strike at the heart of national security.

image for How to protect and p ...

 Tips

At the time of writing, Pavel Durov has been charged in France, but hasn't appeared in court yet. How things will pan out in court remains very unclear, but in the meantime scammers are already exploiting the massive attention and panic surrounding Telegram, while much dubious advice on social media is circulating regarding what to do now with the app. Our two cents, in a nutshell: Telegram users should remain calm, and act depending only on the facts as they currently stand. Now for what we can recommend today in detail…

Chat privacy and the keys to Telegram

Put simply, most chats on Telegram cannot be considered confidential — and this has always been the case. If you've been exchanging sensitive information on Telegram without using secret chats, consider it compromised. Move your private communications to another messenger following these recommendations.

Many news outlets suggest that the main complaint against Durov and Telegram is their refusal to cooperate with the French authorities and provide the keys to Telegram. Supposedly, Durov possesses some kind of cryptographic keys, which can be used to read users' messages. In fact, few people really know how the Telegram server is structured, but from the available information, it is known that the bulk of correspondence is stored on servers in minimally encrypted form — that is, the decryption keys are stored within the same Telegram infrastructure. The creators claim that chats are stored in one country, while keys are stored in another, but considering that all the servers communicate with each other, it's not clear how effective this security measure is in practice. It would help if the servers were confiscated in one country, but that's about it.

End-to-end encryption, which is standard in other messengers (WhatsApp, Signal and even Viber), is called secret chat in Telegram. It's somewhat hidden in the depths of the interface and needs to be manually activated for selected personal chats. All group chats, channels, and standard personal correspondence lack end-to-end encryption and can be read at least on Telegram servers. Moreover, for both secret chats and everything else, Telegram uses its own non-standard protocol — MTProto — which has been found to contain serious cryptographic vulnerabilities.

Therefore, Telegram correspondence can theoretically be read by:

- Telegram server administrators
- Hackers who've successfully breached Telegram servers and installed spyware
- Third parties with some kind of access granted by Telegram administrators
- A third party that has discovered cryptographic vulnerabilities in Telegram protocols and can read (selectively or in full) at least non-secret chats by intercepting the traffic of some users

Deleting correspondence

Some categories of users have been advised to delete old chats in Telegram, such as work-related ones. This advice seems questionable, because in databases (where correspondence is stored on the server), entries are rarely actually deleted; they're simply marked as such. Moreover, like any major IT infrastructure, Telegram likely implements a robust data backup system, meaning deleted messages will be kept at least in database backups. It may be more effective for both chat participants (or group admins) to completely delete the chat. However, the issue of backups would still remain.

Backing up chats

A number of observers have expressed concerns that Telegram could be removed from app stores, blocked, or otherwise disrupted. While this seems unlikely, backing up important correspondence, photos and documents is still good practice in digital hygiene. To save a backup of important personal correspondence, you need to install Telegram on your computer (official client here), log into your account, and then navigate to Settings -> Advanced -> Export Telegram data. In the pop-up window, you can select the data you want to export (personal chats, group chats — with or without photos and videos), set download size limits, and choose the data format — HTML, which can be viewed in any browser, or JSON for automated processing by third-party apps.

Downloading the data to your computer could take several hours and may require dozens or even hundreds of gigabytes of free space, depending on how much you use Telegram and the export settings. You can close the export window, but be sure not to exit the app itself or disconnect your computer from the internet or the mains. We recommend only using the backup feature in the official client.

Preventing Telegram's deletion from smartphones

First, let's look at iOS. The folks at Cupertino don't remove apps from users' smartphones — even if apps are removed from the App Store, so any advice about stopping Telegram being deleted from iPhones is bogus. Moreover, a popular method for Telegram deletion prevention circulating online — using the Screen Time menu — doesn't prevent Apple from deleting apps; it only prevents certain users (e.g., children) from deleting apps themselves: as such it's a parental control feature. And there's more: Durov's arrest has revived the old false claim about Telegram being removed remotely from iPhones, which both Apple and Telegram officially denied back in 2021.

As for Android, Google also doesn't typically delete apps — except when it's 100% malicious software. True, such guarantees don't apply to all holders of other ecosystems (Samsung, Xiaomi and so on), but on Android it's easy to install Telegram directly from the Telegram website.

Alternative clients

There are unofficial but still functional and legal clients for Telegram, and even an official alternative client — Telegram X. These clients all use the Telegram API, but it's unclear whether they provide any additional benefits or increased security. The top five alternative clients on Google Play each talk about improved security – but only refer to features like hiding chats on a device. Of course, you may end up downloading malware disguised as an alternative Telegram client — scammers don't miss an opportunity to exploit the app's popularity.

If you're considering alternative clients, follow these safety guidelines:

- Download them only from official app stores.
- Make sure the app has been around for a while, and has high ratings and a large number of downloads.
- Use reliable antivirus protection across all platforms such as Kaspersky Premium.

Fundraising for Durov and defending free speech

This isn't directly related to Telegram chats, but it's important to beware also of scammers posing as those raising funds for Pavel Durov's legal defense (like, he really needs the cash), while actually aiming to steal payment information or cryptocurrency donations. Treat such requests with extreme suspicion, and verify whether the alleged organization really exists and really is conducting such a campaign. For more on charity scams, check out our dedicated article.

 Feed

Red Hat Security Advisory 2024-5908-03 - An update for bind is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

 Feed

Ubuntu Security Notice 6981-1 - It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code. It was discovered that Drupal incorrectly sanitized archived filenames. A remote attacker could possibly use this issue to overwrite arbitrary files, or execute arbitrary code.

 Feed

Red Hat Security Advisory 2024-5906-03 - An update for squid is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include denial of service and out of bounds write vulnerabilities.

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, known as CVE-2024-38856, carries a CVSS score of 9.8, indicating critical severity.

 Feed

Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes. "By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves," Netskope Threat

 Feed

A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances. The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024. Arising due to missing input validation and sanitization,

 Feed

The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerable drivers to disarm security protections. "The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its

 Feed

Fortra has addressed a critical security flaw impacting FileCatalyst Workflow that could be abused by a remote attacker to gain administrative access. The vulnerability, tracked as CVE-2024-6633, carries a CVSS score of 9.8, and stems from the use of a static password to connect to an HSQL database. "The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are

 Feed

A South Korea-aligned cyber espionage group has been linked to the zero-day exploitation of a now-patched critical remote code execution flaw in Kingsoft WPS Office to deploy a bespoke backdoor dubbed SpyGlace. The activity has been attributed to a threat actor dubbed APT-C-60, according to cybersecurity firms ESET and DBAPPSecurity. The attacks have been found to infect Chinese and East Asian users

 check

Source: www.databreachtoday.com – Author: 1 Advanced SOC Operations / CSOC , Next-Generation Technologies & Secure Development Acquisition Will Enhance Security Operations, Expand Managed Threat Intel Solutions Michael Novinson (MichaelNovinson) • August 27, 2024 Check Point plans to purchase an external risk management vendor led by an Israeli intelligence veteran to boost its SOC […] The post "Check Point to Buy External Risk Management Vendor Cyberint – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Author: 1 Cybercrime , Fraud Management & Cybercrime Cybersecurity Tech Accord Urges Nations to Reject the Treaty Chris Riotta (@chrisriotta) • August 27, 2024 The United Nations General Assembly is expected to vote in the fall on the proposed cybercrime treaty. (Image: Shutterstock) A coalition of technology organizations said a […] The post "Tech Orgs: UN Cybercrime Treaty Will Worsen Global Security – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime , Healthcare , Incident & Breach Response Restoration Completed Days Ahead of Schedule But Still a Lot of Catch-Up Work to Do Marianne Kolbasuk McGee (HealthInfoSec) • August 27, 2024 Image: McLaren Health Care The nonprofit behind 13 Michigan hospitals and a network of […] The post "McLaren Health: IT Operations Fully Back Online Post-Attack – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cribl

Source: www.databreachtoday.com – Author: 1 Next-Generation Technologies & Secure Development Google Ventures Leads Round as Sales of Cribl’s Vendor-Agnostic Data Tools Grow Michael Novinson (MichaelNovinson) • August 27, 2024 Clint Sharp, co-founder and CEO, Cribl (Image: Cribl) A data management upstart led by an ex-Splunk product manager raised $319 million to accelerate product […] The post "Cribl Gets $319M on $3.5B Valuation to Boost Data Management – Source: www.databreachtoday.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

2024-08
Aggregator history
Wednesday, August 28