Cyber security aggregate rss news

Cyber security aggregator - feeds history

Critical Flaw in Okt ...

Cyber News

Okta, a leading provider of identity and access management solutions, recently disclosed the patching of a critical security vulnerability affecting its Classic product. The Okta vulnerability, first introduced in a July 17, 2024, update, could have allowed attackers to bypass key security controls tied to application-specific sign-on policies. After being identified on September 27, 2024, the issue was fully addressed in Okta’s production environment by October 4, 2024.

The Nature of the Okta Vulnerability

The vulnerability, now designated as a critical security issue, posed significant risks to organizations utilizing Okta Classic. It allowed attackers to potentially gain unauthorized access to applications by bypassing application-specific sign-on policies. These policies often include vital security controls such as device-type restrictions, network zones, and additional authentication layers designed to protect sensitive information.

In Okta’s official security advisory, the company outlined that this vulnerability was only exploitable under a specific set of conditions. The vulnerability primarily affected organizations that had implemented application-specific sign-on policies, especially those relying on device-type restrictions or other advanced security configurations beyond Okta’s standard Global Session Policy. The flaw resided in the sign-on logic that allowed for the use of unrecognized or "unknown" device types, including scripts and uncommon user-agent types. Attackers using such device types could have bypassed certain security measures, such as additional authentication or device verification.

Timeline and Okta's Response

Okta’s internal security team identified the vulnerability on September 27, 2024, during routine security assessments. After thorough investigation, it was discovered that the flaw had been introduced during a regular update on July 17, 2024. Okta promptly activated its Product Security Incident Response Team (PSIRT) and began developing a fix. Over the next week, from September 27 to October 3, 2024, Okta worked on creating and testing the necessary patches. The patch was fully deployed across all vulnerable environments by October 4, 2024.

Since the flaw only affected Okta Classic, the company's modern platforms remained unaffected. Okta’s swift response in addressing this vulnerability highlights the company's commitment to maintaining the highest security standards. However, given the nature of the flaw, organizations relying on Okta Classic for identity management were encouraged to review their systems for any signs of unauthorized access during the window of vulnerability.

Exploitation and Risk Factors

While the vulnerability itself presented a serious security risk, successful exploitation required a combination of factors. Attackers first needed to obtain valid login credentials, typically through methods like phishing, credential stuffing, or brute-force attacks. Once armed with valid credentials, the attacker would need to target an organization using application-specific sign-on policies that relied on the specific security configurations susceptible to the flaw.

The most critical aspect of exploitation involved the use of unrecognized or "unknown" device types. In most cases, these would be scripts or obscure browser types not flagged by Okta’s standard device-type restrictions. Once the attacker was able to authenticate using such a device, they could bypass security layers that would otherwise prompt for additional authentication.

Despite the seriousness of this vulnerability, Okta emphasized that the exploitation window was limited. Organizations not using application-specific sign-on policies or those employing stronger security configurations likely remained unaffected. However, for those using Okta Classic with custom sign-on policies, the vulnerability represented a significant risk, especially for high-value applications such as Microsoft Office 365 and other widely used cloud services.

Recommendations for Affected Organizations

Okta has issued detailed guidance to help organizations assess whether they were impacted by the vulnerability. Administrators were encouraged to comb through their system logs for any signs of unauthorized access or suspicious activity. Specifically, Okta recommended searching for successful authentication attempts from unknown user-agent types between July 17, 2024, and October 4, 2024. Administrators should also pay particular attention to geolocation data, IP addresses, and access times that deviate from typical user behavior.

Further recommendations from Okta included:

- Log Analysis: Reviewing logs for unusual activity tied to unknown devices, particularly authentication events where user-agent types were flagged as “unknown.”
- Unsuccessful Authentication Attempts: Searching for failed login attempts, as these may indicate credential-based attacks preceding a successful login.
- Application-Specific Monitoring: Paying close attention to applications governed by default policy rules that are not customer-configurable, such as Microsoft Office 365 and Radius.

By following these guidelines, affected organizations can determine whether their systems were breached and take appropriate actions to mitigate further risks.

Resolution and Moving Forward

The vulnerability was officially patched in Okta’s production and preview environments by October 4, 2024. Okta reassured customers that no widespread exploitation had been reported, and the majority of organizations using Okta Classic with Global Session Policies in place were unaffected by the issue. However, the company emphasized the importance of conducting thorough security checks to ensure no unauthorized access had occurred during the period in question.

Key Timeline of the Incident:

- July 17, 2024: Vulnerability introduced during a standard product update.
- September 27, 2024: Vulnerability identified by Okta’s internal team.
- October 4, 2024: Vulnerability patched across all affected environments.

Organizations utilizing identity management solutions should regularly review their security configurations and monitor for emerging threats to minimize the risk of unauthorized access.
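The log review Okta recommends above (successful sign-ins from unknown device or user-agent types inside the July 17 to October 4, 2024 window, plus failed attempts that precede a success) can be scripted against an export of the Okta System Log. The following is an added example written for this article, not Okta's own tooling or guidance; it assumes the public System Log field names (eventType, outcome.result, client.device, client.userAgent) and the sample events it runs on are constructed for the example rather than taken from any real tenant.

```python
"""Triage Okta System Log exports (JSON lines) for the advisory's indicators:
successful sign-ins from an unknown client during the vulnerable window, and
the number of failed attempts by the same user shortly before each one.
Added example; event records below are constructed, not real log data."""

import json
from datetime import datetime, timedelta, timezone

# Vulnerable window from the advisory: July 17, 2024 update to October 4, 2024 patch.
WINDOW_START = datetime(2024, 7, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 4, 23, 59, 59, tzinfo=timezone.utc)

# Event types that represent a user sign-in in the Okta System Log.
SIGN_IN_EVENTS = {"user.session.start", "user.authentication.sso"}

# Constructed sample export (NOT real data): one normal browser login, one
# unknown-client login before the window, a scripted brute-force that ends in
# a success from an unknown client, and one unknown-client login with no failures.
SAMPLE_LOG = """\
{"published":"2024-08-20T09:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","device":"Computer","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/128.0","browser":"CHROME","os":"Windows 10"}}}
{"published":"2024-07-01T11:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"198.51.100.7","device":"Unknown","userAgent":{"rawUserAgent":"curl/8.4.0","browser":"UNKNOWN","os":"Unknown"}}}
{"published":"2024-09-10T02:10:00.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.23","device":"Unknown","userAgent":{"rawUserAgent":"python-requests/2.31.0","browser":"UNKNOWN","os":"Unknown"}}}
{"published":"2024-09-10T02:12:00.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.23","device":"Unknown","userAgent":{"rawUserAgent":"python-requests/2.31.0","browser":"UNKNOWN","os":"Unknown"}}}
{"published":"2024-09-10T02:14:00.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.23","device":"Unknown","userAgent":{"rawUserAgent":"python-requests/2.31.0","browser":"UNKNOWN","os":"Unknown"}}}
{"published":"2024-09-10T02:20:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.23","device":"Unknown","userAgent":{"rawUserAgent":"python-requests/2.31.0","browser":"UNKNOWN","os":"Unknown"}}}
{"published":"2024-09-30T17:45:00.000Z","eventType":"user.authentication.sso","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"dave@example.com"},"client":{"ipAddress":"192.0.2.44","device":"Unknown","userAgent":{"rawUserAgent":"","browser":"UNKNOWN","os":"Unknown"}}}
"""


def parse_published(ts: str) -> datetime:
    """Okta timestamps end in 'Z'; normalise so fromisoformat accepts them on older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_events(jsonl: str) -> list:
    """Parse a JSON-lines export and sort it chronologically."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    events.sort(key=lambda e: parse_published(e["published"]))
    return events


def is_unknown_client(event: dict) -> bool:
    """True when Okta could not classify the device or browser, or the UA is empty."""
    client = event.get("client") or {}
    ua = client.get("userAgent") or {}
    device = (client.get("device") or "").lower()
    browser = (ua.get("browser") or "").lower()
    raw_ua = (ua.get("rawUserAgent") or "").strip()
    return device in ("", "unknown") or browser in ("", "unknown") or not raw_ua


def in_window(event: dict) -> bool:
    return WINDOW_START <= parse_published(event["published"]) <= WINDOW_END


def is_sign_in(event: dict, result: str) -> bool:
    outcome = event.get("outcome") or {}
    return event.get("eventType") in SIGN_IN_EVENTS and outcome.get("result") == result


def failures_before(events: list, success: dict, lookback: timedelta = timedelta(minutes=30)) -> int:
    """Count failed sign-ins by the same user in the lookback period before a success."""
    user = success["actor"]["alternateId"]
    t_ok = parse_published(success["published"])
    return sum(
        1 for e in events
        if is_sign_in(e, "FAILURE")
        and e["actor"]["alternateId"] == user
        and t_ok - lookback <= parse_published(e["published"]) < t_ok
    )


def triage(jsonl: str) -> list:
    """Return one finding per successful unknown-client sign-in inside the window."""
    events = load_events(jsonl)
    findings = []
    for e in events:
        if is_sign_in(e, "SUCCESS") and in_window(e) and is_unknown_client(e):
            client = e.get("client") or {}
            findings.append({
                "user": e["actor"]["alternateId"],
                "published": e["published"],
                "ip": client.get("ipAddress"),
                "user_agent": (client.get("userAgent") or {}).get("rawUserAgent", ""),
                "failures_before": failures_before(events, e),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against a real export, the findings list is the starting point for the manual review the advisory asks for: each entry carries the source IP and raw user agent so an analyst can compare them with the user's usual geolocation and access times, and a non-zero failures_before value is the credential-attack precursor Okta mentions. The sign-in before July 17 is deliberately excluded even though it came from an unknown client, because the flaw did not yet exist then.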

Progress Telerik, Ci ...

Cyber News

Cyble’s Vulnerability Intelligence unit has detected cyberattacks on several key IT products and systems, as threat actors have been quick to exploit vulnerabilities and enterprises slow to patch them. Some of the attacks have involved new vulnerabilities and delivery methods, while other exploited vulnerabilities have been known for months yet remain unpatched or unmitigated in many instances. Here are some of the highlights of Cyble’s weekly sensor intelligence report, which also looks at new phishing and brute-force attack detections.

Hackers Take Aim at Telerik UI, QNAP, Cisco and More

Progress Telerik UI for WPF (Windows Presentation Foundation) apparently drew the attention of hackers soon after vulnerabilities were announced on Sept. 25, two of them critical vulnerabilities that could allow code execution and command injection attacks (CVE-2024-7576 and CVE-2024-7575). Versions before 2024 Q3 (2024.3.924) are affected.

Certain end-of-life routers from D-Link (DIR-859 1.06B01) contain a 9.8-severity path traversal vulnerability (CVE-2024-0769) that can be attacked remotely, continuing to draw the interest of threat actors. Users are urged to replace the devices. CISA also added another D-Link router, DIR-820, to its Known Exploited Vulnerabilities catalog.

Cyble sensors also detected attacks on QNAP QTS firmware, which may contain command injection vulnerabilities that can lead to remote command execution on affected devices. QNAP issued a security advisory on the issue earlier this year.

Cyble sensors have detected hackers scanning for the URL "/+CSCOE+/logon.html", which is related to the Cisco Adaptive Security Appliance (ASA) WebVPN Login Page. The URL is used to access the login page for the WebVPN service. The URL has also been found to have vulnerabilities ranging from cross-site scripting, path traversal, and HTTP response splitting. Cyble said the vulnerabilities “may allow attackers to execute arbitrary code, steal sensitive information, or cause a denial of service.”

Critical vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401) and AVTECH IP cameras (CVE-2024-7029) also continue to be targeted by hackers.

Linux Malware Attacks Detected

The Cyble Vulnerability Intelligence unit also detected attacks on Linux systems, including the CoinMiner trojan, which can be installed by other malware or downloaded unknowingly by users visiting malicious sites, and Linux IRCBot attacks, where the IRC connection is exploited as a backdoor, allowing attackers access to a compromised system. “Many affected systems are used as a botnet controlled by the IRC,” Cyble noted. Threat actors have become “increasingly innovative in delivering Linux malware,” Cyble researchers said. Earlier this year, for example, CoinMiner was found in PyPI (Python Package Index) packages.

Brute-Force Attacks Observed

The Cyble report also contains an interesting look at the ports, user names and passwords commonly targeted in brute-force attack attempts picked up by honeypot sensors. Some of the most commonly attacked ports are 22, 3389, 443, 445, 5900 and 3306; security analysts are urged to add security system blocks for attacked ports when possible. The most common usernames and passwords in brute-force attacks detected by Cyble are typically aimed at hacking into key enterprise systems, with hackers targeting user names such as “elasticsearch,” “Hadoop," "mysql" and "Postgres" (see image below).

(Image: Common brute force attacks (Cyble))

The Cyble report also contains a number of recommendations for security teams.

Qualcomm Addresses D ...

Firewall Daily

Qualcomm has released the latest security advisory for multiple vulnerabilities. Among them, a Qualcomm vulnerability, designated as CVE-2024-43047, has brought to light concerns surrounding the safety of devices utilizing Qualcomm's Digital Signal Processor (DSP). The CVE-2024-43047 refers to a specific security flaw identified in Qualcomm's DSP architecture, integral to numerous devices, including smartphones, tablets, and IoT gadgets. This vulnerability could allow malicious actors to exploit the DSP, potentially gaining unauthorized access to sensitive data or even executing arbitrary code.

Qualcomm's DSP is designed to handle various tasks, such as audio processing, image enhancement, and machine learning functions. The versatility of this component makes it a critical aspect of many modern devices. However, this very utility also increases the risk associated with any vulnerabilities in its architecture.

Uncovering the Qualcomm Vulnerability

CVE-2024-43047 emerged from ongoing security assessments and research efforts within the cybersecurity community. Experts noted that the vulnerability could potentially enable attackers to escalate privileges on devices running affected versions of the Qualcomm DSP. With devices ranging from high-end smartphones to lower-cost options all potentially at risk, the scope of this vulnerability in Qualcomm is broad and concerning.

As security researchers analyzed deeper into the vulnerability, they found that the impact of this flaw could extend beyond individual devices. If exploited, it could allow attackers to manipulate system-level functions or intercept sensitive communications, leading to data breaches and privacy violations.

The technical specifics surrounding CVE-2024-43047 highlight the complexity of the vulnerability. It is rooted in improper input validation within the DSP's firmware. This flaw could be triggered through crafted inputs sent to the DSP, leading to memory corruption and the potential execution of malicious code. This chain of events underscores the necessity for better security measures in firmware design and implementation.

To better understand the implications of this Qualcomm vulnerability, it's essential to consider how DSPs operate. They function by processing data streams in real time, and any compromise in their integrity can have cascading effects throughout a device's system. The interconnected nature of modern hardware means that vulnerabilities in a single component can expose entire ecosystems to risk.

Responses from Qualcomm and Industry

Upon the identification of CVE-2024-43047, Qualcomm promptly initiated measures to address the issue. The company released security patches aimed at mitigating the risk associated with the vulnerability in Qualcomm's DSP. Users of affected devices are urged to update their software to the latest versions to ensure they are protected against potential exploits.

Qualcomm's response included a comprehensive assessment of their current products to determine the extent of the vulnerability's impact. They have also collaborated with manufacturers and stakeholders to ensure that the patches are rolled out effectively. This proactive approach highlights the importance of swift action in the face of emerging security threats.

While CVE-2024-43047 is a specific instance, it is part of a larger trend involving vulnerabilities in Digital Signal Processors. As these components become more sophisticated, they also present more complex attack vectors for malicious actors. The increasing integration of DSPs in various devices—from autonomous vehicles to smart home technologies—demands heightened attention to their security.

The prevalence of vulnerabilities in Qualcomm's DSP architecture raises questions about the overall security protocols within the industry. Many manufacturers rely heavily on third-party components, like those from Qualcomm, which can introduce additional risks. The shared responsibility for device security necessitates collaboration between hardware manufacturers, software developers, and cybersecurity experts.

User Awareness and Best Practices

Considering CVE-2024-43047 and similar vulnerabilities, user awareness becomes crucial. Here are several best practices individuals and organizations can adopt to enhance their security posture:

- Keeping devices updated with the latest firmware and security patches is essential. Users should enable automatic updates whenever possible to ensure they receive critical patches promptly.
- Staying informed about known vulnerabilities in devices and understanding the risks associated with them can help users make better security decisions.
- Employing reputable security software can provide an additional layer of protection against potential exploits.
- Users should review app permissions and limit access to sensitive functions, especially in cases where the application interacts with the DSP.
- Participating in discussions within cybersecurity forums can provide insights into emerging threats and effective mitigation strategies.

The Future of Digital Signal Processor Security

As technologies advance, so will the methods employed by cybercriminals. The ongoing development of machine learning and artificial intelligence tools will shape the nature of DSP vulnerabilities, demanding a robust response from manufacturers and developers.

Qualcomm, along with its competitors, will need to prioritize security in the design phase of their products. Implementing comprehensive security measures, including rigorous testing for vulnerabilities, will be vital in protecting users from potential exploitations. Furthermore, industry-wide standards for firmware security and vulnerability disclosure will help create a more secure environment for consumers.

MoneyGram Cyberattac ...

Firewall Daily

MoneyGram, the U.S. money transfer giant, has confirmed a cyberattack that led to the theft of sensitive customer information. The MoneyGram cyberattack, which occurred on September 20, 2024, has raised concerns among the millions of consumers who rely on the company for secure money transfers. In a public statement released on October 7, MoneyGram acknowledged that an unauthorized third party had accessed and acquired personal data from its systems. The nature of the cyberattack on MoneyGram remains unclear, but it caused a week-long disruption, forcing the company to take its website and mobile app offline to address the breach.

Details of the MoneyGram Cyberattack

The MoneyGram data breach was identified on September 27, when the company confirmed that hackers accessed customer information between September 20 and 22. The affected data includes a variety of sensitive details, such as customer names, phone numbers, email addresses, and dates of birth.

In some instances, a limited number of Social Security numbers were also compromised. Moreover, the breach included government-issued identification documents, like driver’s licenses and utility bills, as well as bank account numbers and MoneyGram Plus Rewards numbers. The company stated, “The types of impacted information varied by affected individual,” suggesting that not all customers faced the same level of risk. Additionally, the stolen data encompassed transaction details, including dates and amounts, and for a limited number of consumers, even information related to criminal investigations, such as fraud.

In response to the breach, MoneyGram has taken immediate steps to contain the issue. The company temporarily took certain systems offline to mitigate any further risks, an action that directly impacted its service availability. They have since resumed normal business operations and are working alongside leading external cybersecurity experts to investigate the breach. The company has also coordinated with law enforcement to aid in the investigation.

Customer Precautions Following the MoneyGram Data Breach

Recognizing the potential for fraud and identity theft, MoneyGram has urged its customers to remain vigilant. They recommend that consumers review their account statements regularly and monitor their credit reports for any unusual activity. Under U.S. law, residents are entitled to one free credit report annually from each of the three major consumer reporting agencies. MoneyGram has provided resources for customers to access these reports, highlighting the importance of staying informed.

To further support those affected, MoneyGram has arranged for identity protection and credit monitoring services for two years at no cost to impacted U.S. consumers. This proactive measure aims to help mitigate the risks associated with the stolen data.

With over 50 million customers in more than 200 countries and territories, MoneyGram has reiterated its commitment to maintaining the security of customer data. The company expressed regret over the inconvenience this incident may have caused and emphasized that safeguarding consumer information is of utmost importance. In the notice sent to consumers, MoneyGram stated, “We regret any inconvenience this issue may have caused,” and encouraged affected individuals to contact their support line for more information or assistance regarding the breach.

New MisterioLNK Load ...

Cyber News

Cyble researchers have uncovered a new loader builder and obfuscation tool that has largely gone undetected by security tools. Cyble Research and Intelligence Labs (CRIL) researchers detailed their findings in a blog post today. The “MisterioLNK” loader builder, found on GitHub, “presents a significant challenge to security defenses, as files generated by this tool currently exhibit minimal or zero detection rates by conventional security systems,” the researchers wrote.

The MisterioLNK open-source loader builder leverages Windows script engines to execute malicious payloads while employing obfuscation. “It is crafted to operate discreetly, downloading files into temporary directories before launching them, thereby enhancing its evasive capabilities and making detection by traditional security measures difficult,” Cyble said. MisterioLNK supports five loader methods—HTA, BAT, CMD, VBS, and LNK—along with obfuscation methods for VBS, CMD, and BAT, with plans to add support for HTA obfuscation. The project is currently in beta, and the developer “disclaims any responsibility for illegal activities conducted using this software.”

Threat Actors Are Using MisterioLNK to Deploy Malware

While security tools are struggling to detect the loader builder, cybercriminals have apparently had no problem finding it. The Cyble researchers said threat actors (TAs) have already started using MisterioLNK to generate obfuscated files for deploying malware such as Remcos RAT, DC RAT, and BlankStealer. “Alarmingly, these loaders are largely evading detection, with many remaining undetected by most security vendors,” the report said.

The researchers generated all combinations of loader files to evaluate their ability to evade detection. Out of six files, only one was detected with 16 detections, two files had one detection each, and three files showed zero detections. Security vendors are having some success detecting LNK and obfuscated VBS loaders produced by the builder, but the detection rates for BAT, CMD, HTA, and VBS loader files were low (image below).

(Image: MisterioLNK detections on VirusTotal (Cyble))

Misterio’s Loader Builder, Obfuscator and LNK Modules

Misterio.exe, a .NET-based tool, consists of two primary modules: a loader builder and an obfuscator, Cyble said. “The builder accepts a URL hosting a malicious second-stage payload and generates BAT, CMD, HTA, LNK, or VBS files based on the user’s selection,” the researchers said. Those files are designed to connect to the URL, download the payload, and execute it.

The BAT/CMD loader is designed to download files from specified URLs using the 'curl' command and then execute the downloaded files. The resulting script is saved with a custom file icon for increased deception, and obfuscation adds an additional layer of concealment. The HTA (HTML Application) loader uses JavaScript and ActiveX objects to execute commands for downloading and running files. The HTA obfuscation feature is currently inactive but could be implemented in the future. The VBS Loader uses shell object commands for downloading and executing the target file, and also includes an obfuscation process. The LNK Loader Builder creates a shortcut file (.lnk) that, when executed, triggers a command to download and run the target file. “Together, these modules form a powerful toolkit for generating and concealing scripts that can deliver and execute payloads with minimal detection,” the researchers said.

Cyble's Recommendations

Security teams should ensure that their security solutions can recognize and detect the obfuscation patterns and script formats generated by MisterioLNK Builder, and add restriction policies and behavioral detection strategies to their defenses too. The full Cyble blog digs further into MisterioLNK’s capabilities and also lists MITRE ATT&CK Techniques and indicators of compromise (IoCs).

GoldenJackal APT Gro ...

Cyber News

GoldenJackal, an Advanced Persistent Threat (APT) group that has been targeting government and diplomatic entities in Europe, the Middle East, and South Asia since at least 2019, has gotten attention from security researchers due to its successful breaching of air-gapped systems, a feat typically reserved for nation-state actors. Researchers have detailed operational tactics, techniques, and procedures (TTPs) used by GoldenJackal during the group's breach of these systems.

GoldenJackal Tools

One of the most striking aspects of GoldenJackal's operations is their prowess in compromising air-gapped networks – systems isolated from the internet to minimize the risk of cyberattacks. For cybercriminals, breaching air-gapped networks can be immensely challenging, with the task typically reserved for only the most sophisticated of APT groups. Researchers from ESET say that GoldenJackal appears to have developed and successfully deployed two separate toolsets designed to break such systems.

The first toolset, used in an attack against a South Asian embassy in Belarus, consisted of three main components: GoldenDealer, GoldenHowl, and GoldenRobo.

- GoldenDealer: GoldenDealer is a malicious component that can deliver executables to air-gapped systems via USB drives. It monitors the insertion of removable drives on both air-gapped and connected PCs, as well as internet connectivity. GoldenDealer uses configuration files located in the directory from which the malware is running. These files store status fields, executable files sent by the C&C server, information about compromised PCs, and a mutex to prevent multiple instances from running.
- GoldenHowl: GoldenHowl is a modular backdoor from GoldenJackal’s 2019 toolset with various functionalities distributed as a self-extracting archive that contains legitimate Python binaries and libraries alongside malicious scripts.
- GoldenRobo: GoldenRobo is the final component of the toolset and is written in Go. It iterates across all drive letters from A to Z, trying to access each drive.

In a later series of attacks against a European Union governmental organization, GoldenJackal deployed a second highly modular toolset that allows attackers to collect and process information, distribute files and configurations, and fully exfiltrate files from affected systems.

Breach of Air-Gapped Systems

The researchers note that for the level of sophistication usually required to compromise air-gapped systems, GoldenJackal's capability to build and deploy not just one but two specific compromise toolsets for these systems within five years is unprecedented. This may indicate the resourcefulness of the group along with the design of intricate attack processes involved in the use of GoldenDealer to monitor compromised internet-connected systems, downloading executables from a command-and-control (C&C) server, and executing them on the air-gapped machines.

While these toolsets are quite sophisticated, the researchers stress that they are not without flaws and that defenders can prepare themselves better against future attacks by observing their tactics. The researchers have shared a public list of IOCs on GitHub for defenders to monitor.

Cyble Partners with ...

Business News

Cyble, a global leader in cybersecurity, has announced an exciting new partnership with Yirigaa, an Aboriginal Australian company, to advance Indigenous engagement in the technology industry. Established in 2020 by Yawun and Julang Mundine, Yirigaa is rooted in First Nations cultural awareness and kinship, with a focus on empowering Indigenous and diverse communities to take part in the growing tech sector. This collaboration aims to merge Cyble’s expertise in cybersecurity with Yirigaa’s mission to create pathways for Indigenous people in technology.

About Yirigaa: A Company with Cultural Foundations

Yirigaa, which means "Morning Star" in the Wiradjuri language, symbolizes the dawn of new opportunities. This partnership highlights both companies' commitment to innovation, cultural inclusion, and the growth of future leaders in technology. The word "Morning Star" reflects the bright future Yirigaa envisions for Indigenous communities within the Australian technology landscape.

Founded on strong cultural values, Yirigaa is dedicated to creating opportunities for Indigenous communities to thrive in various sectors, including technology, defense, and security. With certifications such as ISO 27001:2022, Supply Nation, and membership in the Defence Industry Security Program (DISP), Yirigaa has solidified its standing as a reputable entity in the Australian defense and information security landscape.

Vision Behind the Partnership

Cyble and Yirigaa’s partnership represents a shared vision of fostering greater Indigenous participation in Australia’s rapidly growing tech sector. By working together, the companies aim to strengthen security infrastructure across the country while empowering Indigenous-led businesses and communities to thrive in a digital age.

In a statement on their LinkedIn page, Cyble emphasized the importance of this collaboration, stating, “Together, we will work to enhance security infrastructure across Australia, particularly within Indigenous-led businesses, government sectors, and diverse communities, ensuring that the First Nations people are an integral part of the rapidly evolving digital landscape.”

The partnership between Cyble and Yirigaa is not just about technical collaboration—it is about creating sustainable pathways for Indigenous communities to build careers in the tech world. Yirigaa’s values of cultural awareness, kinship, and inclusivity are core to its mission of supporting the growth and development of these communities.

Yirigaa’s co-founders, Yawun and Julang Mundine, have long envisioned a future where Indigenous people are empowered to lead and contribute to the tech industry. This partnership with Cyble will help bring that vision closer to reality by creating new opportunities for Indigenous Australians to develop careers in technology, information security, and related fields.

In a statement, the two companies affirmed their joint mission: “By combining our strengths, Cyble and Yirigaa are dedicated to making a meaningful impact, driving both technological progress and cultural empowerment.” This partnership not only emphasizes the need for stronger security measures but also underscores the importance of cultural awareness and diversity in the tech industry.

Cyble’s Role in Cybersecurity

Cyble has built a strong global reputation as a leader in cybersecurity, using AI-driven platforms to help organizations manage cyber risks. The company specializes in identifying threats from the Deep Web, Dark Web, and Surface Web, providing critical intelligence to help clients stay ahead of evolving digital threats. This expertise in threat intelligence and risk management has earned Cyble widespread recognition in the cybersecurity industry.

In 2024, Frost & Sullivan named Cyble an Innovation Leader in its Frost Radar: Cyber Threat Intelligence report. Additionally, Cyble was included in Gartner's Hype Cycle for Digital Risk Protection Services (DRPS) and recognized by Forrester in its Attack Surface Management (ASM) Landscape report for 2024. G2 also highlighted Cyble as a leader in its Dark Web Monitoring Providers grid. With its reputation for cutting-edge cybersecurity solutions and strong industry standing, Cyble is well-positioned to support Yirigaa’s mission of fostering technological growth and empowerment among Indigenous communities.

A Path to Inclusion and Innovation

In an industry that is often criticized for its lack of diversity, the Cyble Yirigaa partnership is a powerful example of how organizations can work together to foster inclusion while driving technological innovation. The collaboration aims to bridge the gap between Indigenous communities and the technology sector, helping to create a more inclusive and culturally aware tech ecosystem in Australia.

As cybersecurity becomes an increasingly vital component of modern business and government operations, this partnership is well-timed. With both companies committed to improving security infrastructure and empowering Indigenous communities, the collaboration offers the potential to bring about lasting, meaningful change.

image for ADT Confirms Another ...

 Cyber News

ADT, a leading provider of home and small business security solutions, has disclosed a cybersecurity breach after threat actors gained access to its systems using compromised credentials from a third-party business partner. In a Form 8-K filing submitted to the Securities and Exchange Commission (SEC) on Monday, ADT confirmed the cyberattack on ADT, which led to the exfiltration of encrypted employee account data. “ADT Inc. (‘ADT’ or the ‘Company’) recently became aware of unauthorized activity on the Company’s network, and discovered an unauthorized actor had illegally accessed ADT’s network using compromised credentials obtained through a third-party business partner,” the company stated in its SEC filing. This marks the second major cyberattack on ADT in the past two months, with the previous incident in August 2024 involving the theft of customer data.

Details of Cyberattack on ADT

According to the Form 8-K disclosure, the ADT data breach was caused by compromised credentials from one of ADT’s third-party business partners. These credentials allowed the attackers to gain unauthorized access to ADT’s internal network, leading to the exfiltration of certain encrypted employee data. ADT’s immediate response included shutting down the unauthorized access, notifying the affected third party, and launching a comprehensive investigation. In its SEC filing, ADT emphasized that the breach was promptly contained, stating, “ADT has hired leading third-party cybersecurity experts to assist with the Company’s response to the incident, and is working closely with federal law enforcement.”

No Evidence of Customer Data Compromise

Importantly, ADT reassured its customers that, based on their investigation thus far, there is no indication that customer data or security systems have been affected. “The Company does not believe customers’ personal information has been exfiltrated, or that customers’ security systems have been compromised,” the company explained. This assurance is likely to ease some concerns, especially after the August incident where customer order data was leaked online. However, in this latest ADT data breach, ADT’s internal data, specifically employee-related information, seems to have been the primary target.

Ongoing Investigation and Containment Efforts

ADT stated that it has taken swift action to safeguard its systems and assets, but noted that the containment measures have led to disruptions in some of its internal systems. Shutting down parts of its information systems is a common step to prevent the spread of an attack, but it can also cause temporary operational challenges. ADT confirmed that this disruption has affected its ability to access certain internal applications and data. As the investigation is still in its early stages, the company continues to work with both its third-party business partner and federal law enforcement to fully understand the scope of the breach and to prevent future incidents.

Previous Incident in August 2024

This cyberattack on ADT follows another major cybersecurity incident ADT reported just two months ago. In August, ADT confirmed a separate breach where threat actors leaked stolen customer data on a hacking forum. At the time, ADT also filed a Form 8-K with the SEC, disclosing that unauthorized individuals had accessed certain databases containing customer order information. “The Company recently experienced a cybersecurity incident during which unauthorized actors illegally accessed certain databases containing ADT customer order information,” ADT stated in August. That breach, which targeted customer data, marked a significant blow to ADT’s reputation, raising questions about the security of its systems. The company’s prompt disclosure and efforts to address the breach did little to prevent public concern, especially given the company’s role in providing security solutions for homes and businesses.

Implications for ADT and the Industry

ADT’s recent string of cybersecurity incidents highlights the growing challenge of securing even the most trusted companies against increasingly sophisticated cyberattacks. With a workforce of over 14,000 employees and an annual revenue of nearly $5 billion, ADT’s business is built around securing residential and small business environments. Any vulnerabilities in its own cybersecurity posture could undermine its core value proposition to customers who rely on its services for protection. The fact that both cyberattacks on ADT in recent months involved third-party vulnerabilities also highlights the need for businesses to closely monitor and secure their supply chains. In an interconnected business environment, a breach through one third-party vendor’s systems can expose entire networks, as demonstrated in ADT’s case. The financial and reputational impacts of these cyberattacks on ADT could be significant. Though ADT has been transparent in its filings with the SEC and is cooperating with authorities, the recurrence of breaches in such a short span of time could lead to a loss of trust among customers and investors. ADT’s experience mirrors a growing trend of supply chain attacks across industries, where cybercriminals target weaker links in a company’s network by exploiting third-party partners and vendors. Attacks like the infamous SolarWinds data breach have highlighted just how devastating supply chain vulnerabilities can be, and ADT’s two incidents emphasize the importance of robust third-party risk management.

Looking Ahead

As ADT continues to investigate the data breach, the company’s focus will likely shift toward strengthening its internal security measures and its third-party partnerships. Given the scrutiny it faces from both regulators and the public, any future incidents could result in severe financial penalties or reputational damage. The Cyber Express Team has reached out to ADT officials for further comments on the latest breach. As of the time of writing this report, no response has been received.

image for Comcast Data Breach  ...

 Firewall Daily

Comcast Cable Communications LLC has confirmed a data breach that has impacted over 237,000 individuals, including 22 residents of Maine. This Comcast data breach was linked to Financial Business and Consumer Solutions, Inc. (FBCS), a third-party service provider.

The chain of events leading to the data breach at Comcast began on February 14, 2024, when an unauthorized party accessed the FBCS computer network. This cyberattack on Comcast resulted in the downloading and encryption of sensitive data during a ransomware attack. Initially, on March 13, 2024, FBCS informed Comcast that no consumer data had been compromised. However, a startling revelation occurred on July 17, 2024, when FBCS notified Comcast that customer data had indeed been affected.

New Details on the Comcast Data Breach

Following the incident, FBCS reported the breach to the Federal Bureau of Investigation (FBI) and sought the assistance of third-party cybersecurity specialists to investigate the extent of the compromise. The findings confirmed that personal information had been downloaded by the unauthorized party. According to the investigation, the information acquired during the Comcast cyberattack included critical personal identifiers such as names, addresses, Social Security numbers, dates of birth, and Comcast account numbers. This information is not only sensitive but also poses a significant risk for identity theft and fraud. FBCS noted that while they have no evidence suggesting that the compromised information has been misused, the potential for harm remains a serious concern for those affected. The data involved dates back to approximately 2021, as FBCS retained records for a period after their partnership with Comcast ended in 2020.

Notification and Support for Affected Individuals

On August 16, 2024, Comcast began notifying individuals affected by the breach through written communications. The company is providing complimentary identity theft protection services for 12 months, partnering with CyEx Identity Defense Complete to offer credit monitoring and additional support. In the notification letter, Comcast emphasized that the security incident occurred solely at FBCS and did not involve Comcast’s systems. However, to ensure consumer safety, Comcast has taken steps to assist those impacted by the breach, including direct communication and support services. Michael Borgia, an attorney with Davis Wright Tremaine LLP and outside counsel for Comcast, stated, “We are committed to helping our customers navigate the aftermath of this incident and ensure that they have the resources necessary to protect themselves.”

Conclusion

The Comcast data breach highlights the vulnerability of consumer data, particularly when it is managed by third-party vendors. Consumers are advised to take precautionary measures in response to the breach. Comcast encourages individuals to review their account statements, monitor their credit reports for unauthorized activity, and consider enrolling in the offered identity theft protection services. Additionally, customers should implement two-step verification for their Xfinity accounts to enhance security.

image for Trust and trustworth ...

 Technology

The turbulent waters of the internet of things (IoT) will soon become more navigable — thanks to the recently adopted ISO/IEC 30141 standard, which defines reference architecture for IoT solutions. For our part, Kaspersky has been actively involved in the development of trust principles for IoT devices as laid out by the ISO/IEC TS 30149:2024 specification. Let’s use this example to explore why we need standards at all, what can be standardized in the IoT, and why IoT devices and their manufacturers must prove that they’re worthy of consumer trust.

Why we need standards

If you’re already familiar with the basic principles of standardization in electronics, feel free to skip ahead to the next section. When you plug your smartphone’s charger into a hotel wall socket while on vacation, dozens of international standards are invisibly at play. Chargers are manufactured in accordance with IEC 60335-1:2020, which deals with the electrical safety of household appliances; plug shapes are governed by IEC 60906-1:2009 and its derivatives (such as CEE 7/16); and the supplied voltage itself is regulated by IEC 60038:2009+A1:2021. Widespread standardization has greatly simplified our lives: most countries worldwide use the same types of electrical appliances, barcodes on product packaging, and units of weight, length, and speed. In turn, unified approaches to controlling harmful substances in products, insulating and earthing household appliances, medication dosages, and traffic-sign coloring have massively improved safety and streamlined goods certification and testing. The International Electrotechnical Commission (IEC) summarizes the benefits of standardization as follows. Standards:
- Enable different products to interoperate
- Are used in testing and certification to verify that manufacturers deliver on their promises
- Contain technical details for inclusion in country-specific regulations
- Simplify international trade

There are quite a few standardization bodies in existence — some regional, some industrial, some technical-field-specific. Besides the aforementioned IEC, there are, for example, the Internet Engineering Task Force (IETF) — responsible for developing internet standards; the American National Standards Institute (ANSI) — which issues standards for the US market; and the most universal of them all — the International Organization for Standardization (ISO). Where their areas of responsibility overlap, these bodies often collaborate to develop common recommendations. For example, electrical engineering standards are typically prefixed ISO/IEC. Note that manufacturer compliance with any standard is voluntary. However, individual countries may prohibit the sale of, say, electrical appliances that don’t comply with local or international standards.

Standards for smart technology

Standards can describe not only the features of a finished product, but also how to manufacture it — addressing both hardware and software aspects. Therefore, the recently adopted ISO/IEC 30141:2024, which describes the architecture of IoT-related devices and services, is a logical — and long overdue — addition to the standards portfolio. Standardization based on this specification addresses several pressing issues:
- Wireless sensors and the hubs they interact with will use the same protocols so that equipment from different vendors can interoperate in homes and within companies.
- Standardized internet communications for IoT devices will reduce user dependence on the manufacturer (vendor lock-in), and eliminate situations where a server shutdown turns your smart home into a pumpkin — Cinderella-style.
- A standardized approach to IoT-solution development will enable the use of more mature implementations of communication protocols.

Furthermore, standards outline mandatory security measures and their implementation in both the hardware and software aspects of devices. All of this will cut the number of IoT devices harboring glaring security issues (1, 2, 3, 4).

An important complement to IEC 30141 was the ISO/IEC TS 30149:2024 specification, released in May, which lays out principles for IoT trustworthiness. The document answers the question of how to prove that an IoT device is secure (rather than just relying on the vendor’s claims) — and Kaspersky helped develop it.

Five aspects of verifiable security

The key concept of the document is trustworthiness, which differs from trust. Trust is based on assumptions, some of which may be true and based on observable properties (“made of metal”), while others may be unfounded (“doesn’t contain secret backup passwords”). According to the specification, trustworthiness is the verifiable ability to meet expectations. ISO/IEC TS 30149:2024 details how trust, trustworthiness, and risk correlate, and describes five aspects in which an IoT solution’s trustworthiness can be demonstrated. These are:
- Safety
- Security
- Privacy
- Resilience
- Reliability

For each of these aspects, trustworthiness is ensured through specific approaches to system design and construction. The document provides best-practice templates for building IoT systems and ensuring trust in them — from threat-assessment methodologies for trust-related violations, to architectural solutions for trusted systems (for example, MILS).

What to expect from the IoT of the future

The adoption of standards alone won’t magically improve IoT security overnight. Old products already no longer comply, while for new ones compliance with standards needs to become a requirement of both national and international regulators. Manufacturers would then need to invest considerable time in developing new products that comply with these standards. That said, in a few years, we can expect significant improvements in the security of both industrial and consumer IoT devices. These should include simple yet effective measures — such as secure default settings, and long, pre-defined periods for update delivery. More complex yet crucial improvements should include the widespread adoption of secure-by-design approaches, plus standardized, publicly-verified communication protocols to make products less vulnerable. With these in place, experts would be able to more easily analyze the security of specific products thanks to better-documented system and protocol architecture. And the ultimate goal: consumers knowing for sure that the IoT devices they purchase are secure, reliable, and resilient to threats (both physical and cyber) throughout the entire lifecycle of those IoT devices.

 Feed

ABB Cylon Aspect version 3.08.01 suffers from an arbitrary file deletion vulnerability. Input passed to the file parameter in calendarFileDelete.php is not properly sanitized before being used to delete calendar files. This can be exploited by an unauthenticated attacker to delete files with the permissions of the web server using directory traversal sequences passed within the affected POST parameter.

 Feed

Ubuntu Security Notice 7057-1 - It was discovered that WEBrick incorrectly handled having both a Content-Length header and a Transfer-Encoding header. A remote attacker could possibly use this issue to perform an HTTP request smuggling attack.

 Feed

Ubuntu Security Notice 7043-3 - USN-7043-1 fixed a vulnerability in cups-filters. This update provides the corresponding update for Ubuntu 16.04 LTS. Simone Margaritelli discovered that the cups-filters cups-browsed component could be used to create arbitrary printers from outside the local network. In combination with issues in other printing components, a remote attacker could possibly use this issue to connect to a system, create manipulated PPD files, and execute arbitrary code when a printer is used. This update disables support for the legacy CUPS printer discovery protocol.

 Feed

Ubuntu Security Notice 7041-3 - USN-7041-1 fixed a vulnerability in CUPS. This update provides the corresponding update for Ubuntu 16.04 LTS. Simone Margaritelli discovered that CUPS incorrectly sanitized IPP data when creating PPD files. A remote attacker could possibly use this issue to manipulate PPD files and execute arbitrary code when a printer is used.

 Feed

Red Hat Security Advisory 2024-7785-03 - An update for python-gevent is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a privilege escalation vulnerability.

 Feed

Red Hat Security Advisory 2024-7744-03 - Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.13.12 on Red Hat Enterprise Linux 9 from Red Hat Container Registry.

 Feed

Red Hat Security Advisory 2024-7704-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include bypass and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2024-7703-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include bypass and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2024-7702-03 - An update for firefox is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Issues addressed include bypass and denial of service vulnerabilities.

 Feed

Ukraine has claimed responsibility for a cyber attack that targeted Russian state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters. The incident took place on the night of October 7, VGTRK confirmed, describing it as an "unprecedented hacker attack." However, it said "no significant damage" was caused and that everything was working normally

 Feed

Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a use-after-free bug in the Digital Signal Processor (DSP) Service that could lead to "memory corruption

 Feed

Russian government agencies and industrial entities are the target of an ongoing activity cluster dubbed Awaken Likho. "The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems," Kaspersky said, detailing a new campaign that began in June 2024 and continued at least until

 Feed

Is your store at risk? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an “evil twin” disaster. Read the full real-life case study here. The Invisible Threat in Online Shopping When is a checkout page not a checkout page? When it's an “evil twin”! Malicious redirects can send unsuspecting shoppers to these perfect-looking

 Feed

A little-known threat actor tracked as GoldenJackal has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets. Victims included a South Asian embassy in Belarus and a European Union government (E.U.) organization, Slovak cybersecurity company ESET said. "The ultimate goal of

 Feed

Introduction Artificial intelligence (AI) deepfakes and misinformation may cause worry in the world of technology and investment, but this powerful, foundational technology has the potential to benefit organizations of all kinds when harnessed appropriately. In the world of cybersecurity, one of the most important areas of application of AI is augmenting and enhancing identity management

 Feed

Ivanti has warned that three new security vulnerabilities impacting its Cloud Service Appliance (CSA) have come under active exploitation in the wild. The zero-day flaws are being weaponized in conjunction with another flaw in CSA that the company patched last month, the Utah-based software services provider said. Successful exploitation of these vulnerabilities could allow an authenticated

 Feed

Users searching for game cheats are being tricked into downloading a Lua-based malware that is capable of establishing persistence on infected systems and delivering additional payloads. "These attacks capitalize on the popularity of Lua gaming engine supplements within the student gamer community," Morphisec researcher Shmuel Uzan said in a new report published today, adding "this malware

 AI

In episode 19 of "The AI Fix" podcast, Graham and Mark discover some AI podcast hosts having an existential crisis, a robot dog climbs another step towards world domination, Mark makes a gift for anyone working in tech support, and William Shatner chews through Lucy in the Sky with Diamonds. Things can take a terrible turn when a pair of bored students think they're Ethan Hunt, and Mark thinks that an underwater IKEA might be the silver lining to the climate crisis. All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

2024-10
Aggregator history
Tuesday, October 08