Cyber security aggregate rss news

Cyber security aggregator - feeds history


Firewall Daily

Microsoft has released the October 2024 Patch Tuesday, addressing a total of 117 Common Vulnerabilities and Exposures (CVEs). This month's update includes three vulnerabilities rated as critical, 113 classified as important, and one rated moderate. Notably, among these vulnerabilities are two zero-days actively exploited in the wild: CVE-2024-43573 and CVE-2024-43572.

Zero-day vulnerabilities pose some of the most serious threats, as they are actively exploited before patches are available. This section explores the newly disclosed zero-day vulnerabilities in Microsoft products, highlighting their severity, potential impact, and the urgent need to update affected systems.

Microsoft Management Console (CVE-2024-43572)

Microsoft Management Console (MMC) has been updated to patch CVE-2024-43572, an important remote code execution (RCE) vulnerability with a CVSS score of 7.8. This flaw allows malicious Microsoft Saved Console (MSC) files to execute code on affected devices, potentially compromising sensitive information such as command history stored in console windows. Microsoft has not disclosed specific details regarding the exploitation methods, but the security update prevents untrusted MSC files from being opened, mitigating the risk of exploitation.

Windows MSHTML Platform (CVE-2024-43573)

The second zero-day fix addresses CVE-2024-43573, a moderate spoofing vulnerability affecting the Windows MSHTML Platform. With a CVSS score of 6.5, this vulnerability impacts a variety of applications within the Microsoft 365 suite and also affects Internet Explorer 11 and Legacy Microsoft Edge browsers. The MSHTML platform has been a frequent target for attackers, having been exploited multiple times in recent years. Microsoft has not released further details on how this vulnerability was discovered or exploited, leaving the door open for further scrutiny.

Key Insights from Security Experts

Commenting on the October 2024 Patch Tuesday, Satnam Narang, Senior Staff Research Engineer at Tenable, highlighted the seriousness of the vulnerabilities addressed. “This month, Microsoft patched two zero-day vulnerabilities that were exploited in the wild. CVE-2024-43573 is a spoofing bug in the Windows MSHTML platform, marking the fourth such zero-day in this area in 2024, following earlier vulnerabilities CVE-2024-30040, CVE-2024-38112, and CVE-2024-43461.”

Narang elaborated on the implications of these vulnerabilities, noting that successful exploitation requires user interaction, typically obtained through social engineering. “CVE-2024-43572 is a code execution flaw in Microsoft Management Console that was also exploited in the wild. While specific details about the exploitation remain unknown, the patch follows the discovery of a technique called GrimResource, which leveraged an old cross-site scripting (XSS) vulnerability alongside crafted MSC files to gain code execution privileges.”

Breakdown of Vulnerabilities Addressed

The October 2024 Patch Tuesday not only tackled zero-day vulnerabilities but also addressed a range of other critical issues across various Microsoft products. Remote code execution (RCE) vulnerabilities made up 35.9% of the patched vulnerabilities, while elevation of privilege (EOP) vulnerabilities constituted 23.9%.

Critical Vulnerabilities Overview

CVE-2024-43468: A critical RCE vulnerability in Microsoft Configuration Manager with a CVSS score of 9.8. Exploitation could allow unauthenticated attackers to execute code remotely, posing significant risks to system integrity. Microsoft advises affected customers to install an in-console update promptly.

CVE-2024-43488: This critical flaw affects the Visual Studio Code extension for Arduino and has a CVSS score of 8.8. Due to improper authentication, attackers can execute code on affected systems through network-based attacks. To mitigate the risk, Microsoft has removed the extension from its marketplace and recommends using the Arduino IDE software instead.

CVE-2024-43582: This critical RCE vulnerability in the Remote Desktop Protocol Server carries a CVSS score of 8.1. It allows unauthenticated attackers to execute arbitrary code by sending specially crafted Remote Procedure Call (RPC) requests. Given the nature of this bug, it has the potential to be self-propagating if not addressed swiftly.

Conclusion

It is crucial for users and administrators to prioritize the updates released in the October 2024 Patch Tuesday to mitigate potential risks. Organizations must also take proactive steps to educate their employees about the threats posed by social engineering and the importance of identifying untrusted files, particularly MSC files that could lead to remote code execution.


Cyber Essentials

In a joint effort to fortify the security of U.S. democratic institutions, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a fact sheet aimed at safeguarding individuals and organizations associated with national political entities. The document, titled How to Protect Against Iranian Targeting of Accounts Associated with National Political Organizations, outlines the ongoing threats posed by cyber actors affiliated with the Iranian government's Islamic Revolutionary Guard Corps (IRGC) and provides actionable steps to mitigate their impact.

Escalating Threat from IRGC-Affiliated Cyber Actors

According to the fact sheet, cyber actors tied to the IRGC have been actively using social engineering techniques across email platforms and chat applications to target and compromise both personal and business accounts in the United States. Their primary targets include individuals involved in national political organizations and those working on issues related to Iranian and Middle Eastern affairs. By exploiting social networks and communication platforms, these actors aim to sow discord, undermine confidence in U.S. democratic institutions, and destabilize trust in key political figures and processes.

Jeff Greene, CISA's Executive Assistant Director for Cybersecurity, expressed growing concern over the persistent threat: "IRGC cyber actors pose an ongoing and escalating risk. We urge individuals and organizations associated with national political organizations or campaigns to review and implement actions in this joint fact sheet."

CISA & FBI Key Recommendations for Strengthening Cybersecurity

In response to this threat, CISA and the FBI have provided a range of mitigation strategies designed to protect individuals and organizations against phishing attempts, social engineering, and other forms of cyber intrusion. These recommendations, while relevant to all, are especially critical for those directly associated with high-risk groups such as political organizations and campaigns. The following are some of the top strategies outlined in the fact sheet.

For Individuals

Be vigilant for suspicious contact: IRGC actors frequently use unsolicited communications as a gateway for cyberattacks. Be cautious of unknown individuals, or even familiar contacts who claim to be using a new phone number or email address. Pay close attention to unusual email requests from known contacts, especially if they involve sharing files or clicking on unfamiliar links.

Avoid accessing accounts via links in emails: One common phishing tactic is to trick individuals into clicking on malicious links in emails that appear to be from trusted sources. Always access sensitive accounts directly through their official websites rather than through email links.

Watch for shortened links: Emails or messages containing shortened URLs (e.g., tinyurl, bit.ly) should be treated with suspicion, especially if they come from an unknown source or seem out of context.

Use phishing-resistant multifactor authentication (MFA): To add an extra layer of security, individuals are urged to implement phishing-resistant MFA for their email, social media, and collaboration tools. This form of MFA is much more difficult for threat actors to bypass.

Keep applications and operating systems updated: Regularly update your devices' operating systems and applications to reduce the risk of exploitation by cyber actors. Where possible, enable automatic updates to ensure your systems remain secure.

Employ antivirus and anti-malware protections: Ensure that your device's built-in antivirus and anti-malware tools are active and updated to provide ongoing protection against emerging threats.

For Organizations

For organizations, particularly those involved in political campaigns or national political matters, the stakes are even higher. The fact sheet outlines several essential steps to protect their infrastructure and workforce from cyberattacks:

Implement phishing-resistant MFA for employees: Phishing-resistant MFA, such as physical security keys or passkeys, should be a standard for all employees. This method offers the highest level of protection against account takeover attempts.

Provide enterprise password managers: Password managers can automatically generate strong, unique passwords for different accounts, making it much harder for attackers to gain access to multiple systems through password reuse. They also offer a useful way to detect phishing attacks, since they only fill in credentials on legitimate websites.

Enable anti-phishing and anti-spoofing features: Many email service providers offer built-in features to block malicious emails and prevent email spoofing. These should be enabled to reduce the likelihood of employees falling victim to phishing schemes.

Staff training on account usage: Employees should be trained to use only official business accounts for work-related communications. These accounts typically have stronger security measures than personal accounts, which are often more vulnerable to attack.

Verification of unusual requests: Organizations should encourage employees to verify suspicious or unusual email requests via a separate, secure communication method. For instance, if an employee receives a questionable email, they should confirm its legitimacy through a phone call or direct message on a different platform.

Routine software updates and MFA for personal devices: Organizations should strongly encourage employees to keep their personal devices updated and protected by MFA, particularly if these devices are used for any work-related tasks.

Email banner alerts: Adding a banner to emails received from outside the organization can serve as a helpful reminder for employees to exercise caution when interacting with unfamiliar contacts.

Enable alerts for suspicious activity: Organizations should configure their systems to detect and alert on suspicious behavior, such as login attempts from foreign IP addresses or unusual account activity. These alerts can provide early warnings of potential security breaches.

Conclusion: A Call for Vigilance and Action

With the 2024 U.S. elections just around the corner, the risks posed by cyber actors targeting political organizations are more pressing than ever. As the country gears up for another pivotal electoral cycle, the threats from Iranian-affiliated groups like the IRGC highlight the importance of heightened cybersecurity measures. These malicious actors are not only looking to disrupt, but to shake public trust in the very democratic processes that form the backbone of the nation. As we approach a critical election year, ensuring the security of digital infrastructure is not just about safeguarding individual accounts; it is about protecting the integrity of democracy itself. By following guidance provided by CISA and the FBI, political organizations and individuals can help fortify the election process against those who seek to undermine it. The vigilance we maintain now could make all the difference in preserving the trust and transparency that are vital to the democratic system.


Cyber News

Japanese tech giant Casio has confirmed it suffered a significant cyberattack on October 5, 2023, following unauthorized access to its networks, which led to considerable disruption of its services. Casio, well-known for its diverse range of electronic products, including watches, calculators, musical instruments, and cameras, released an official announcement detailing the incident.

“Casio Computer Co., Ltd. confirmed that its network had been illegally accessed by a third party on October 5th of this year. After conducting an internal investigation, it was determined that the unauthorized access had caused a system failure, resulting in the inability to provide some services,” stated the announcement on Casio's website.

Investigating the Casio Cyberattack

The company is actively investigating the Casio data breach and has engaged an external specialist agency to determine whether any personal information or sensitive data was compromised during the attack. The ongoing investigation is critical for understanding the extent of the breach and for taking the necessary remediation steps. Casio's immediate response included reporting the incident to the relevant authorities and implementing measures to restrict external access to its networks.

“We are currently investigating the details, and an external specialist agency is also investigating to confirm whether any personal information or other important information has been leaked,” the statement elaborated.

While Casio has acknowledged the disruption to its services, it has not specified which services are affected. This lack of detail regarding the Casio cyberattack raises concerns among customers and stakeholders about potential impacts on operations and the integrity of sensitive data.

Casio's Previous Cybersecurity Incidents

This latest incident follows a troubling trend for Casio, as the company reported a previous data breach around a year ago. In that incident, hackers accessed the servers of Casio's ClassPad education platform, exposing customer data. Information compromised in that breach included names, email addresses, countries of residence, service usage details, purchase information, license codes, and order details. Casio reassured the public that, during that incident, no other company assets were compromised. However, the repeat of such cybersecurity incidents puts a spotlight on the company's data protection measures and overall cybersecurity posture.

Financial Implications and Shareholder Concerns

The timing of the cyberattack poses additional challenges for Casio, as the company recently informed shareholders of an impending extraordinary loss of approximately $50 million due to large-scale personnel restructuring. This financial strain raises questions about how the company will navigate the dual pressures of operational disruptions from the cyberattack and the financial repercussions of restructuring.

Casio is expected to provide updates as investigations unfold and more information becomes available. The company is working to restore normal operations and reassure customers and stakeholders of its commitment to cybersecurity. The ongoing investigation into this latest attack will likely result in lessons learned and further improvements to its security posture, which are crucial for rebuilding trust among customers and shareholders alike.


Firewall Daily

The Australian government has announced its first standalone cybersecurity law, known as the Cyber Security Bill 2024, to upgrade the nation's defenses against increasingly complex cyber threats. The introduction of this legislation marks a critical step in enhancing the security and resilience of Australia's cyber environment and critical infrastructure.

The government has recognized the urgent need for better cybersecurity measures. Minister for Home Affairs Tony Burke emphasized the importance of this new legislative framework, stating, "We need a framework that enables individuals to trust the products they use every day." He highlighted that the Cyber Security Bill would not only enhance protections for victims of cyber incidents but also promote engagement with the government in combating such threats.

The Cyber Security Bill encompasses several key initiatives under the 2023-2030 Australian Cyber Security Strategy, designed to address existing legislative gaps. It will implement seven core initiatives to align Australia with international best practices in cybersecurity, positioning the nation as a potential global leader in this critical field.

Key Components of the Australian Cybersecurity Law

One of the standout features of the new Australian cybersecurity law is its mandate for minimum cybersecurity standards for Internet of Things (IoT) devices. Currently, Australia lacks mandatory cybersecurity standards for smart devices, with existing approaches deemed "fragmented and insufficient." The Cyber Security Bill 2024 aims to establish baseline security measures for internet-connected devices, including smart doorbells, watches, and other IoT gadgets. These standards will require secure default settings, unique passwords, and regular security updates to protect consumers and organizations alike.

In addition to setting standards for smart devices, the legislation introduces mandatory ransomware reporting for critical infrastructure organizations. This requirement mandates that private sector entities responsible for critical assets report any ransomware payments to the Australian Signals Directorate (ASD) and the Department of Home Affairs within 72 hours of the payment being made or of becoming aware of it. Non-compliance with this obligation could result in civil penalties, emphasizing the government's commitment to transparency and accountability in addressing ransomware threats.

The legislation also proposes to reform the Security of Critical Infrastructure Act 2018 (SOCI Act), which will clarify existing obligations related to systems holding critical business data and enhance government assistance measures during incidents affecting critical infrastructure. These reforms aim to streamline information sharing across industries and governmental bodies, thereby improving the overall response to cybersecurity incidents.

Comprehensive Consultation Process

The formulation of the Cyber Security Bill involved extensive consultation, including the release of a Cyber Security Legislative Reforms Consultation Paper in December 2023 and further targeted discussions on an Exposure Draft in September 2024. This collaborative approach between the government, industry stakeholders, and the community is designed to ensure that Australia is well-prepared to prevent and respond to cybersecurity threats. Minister Burke reiterated the necessity of a comprehensive cybersecurity framework, stating, "We need a framework that enhances our ability to counter ransomware and cyber extortion." This framework is crucial for fostering trust among users and promoting a proactive stance against potential threats.

Future Implications of the Cybersecurity Law in Australia

The Cyber Security Bill 2024 represents an advancement in Australian cybersecurity law, addressing critical gaps that have long existed in the country. By mandating minimum standards for smart devices and establishing clear reporting obligations for ransomware payments, the law is set to enhance the resilience of Australia's critical infrastructure and protect its citizens from cyber threats.


Firewall Daily

Adobe has announced a series of important security updates aimed at addressing several vulnerabilities across its product suite. These vulnerabilities could potentially allow cybercriminals to execute arbitrary code and gain unauthorized access to systems. With the increase in cyber threats, this Adobe security update is a move to enhance the safety of its software and protect users.

Adobe has released a security update for Substance 3D Painter (APSB24-52) on October 8, 2024. This update is classified with a priority level of 3 and addresses a memory leak vulnerability identified as CVE-2024-20787, which carries an important severity rating. Users of version 10.0.1 and earlier are advised to update to version 10.1.0 through Creative Cloud to mitigate this risk.

Overview of Key Adobe Security Updates

Adobe has issued updates for Adobe Commerce and Magento (APSB24-73), also released on October 8, 2024. This update has a priority level of 2 and addresses multiple critical vulnerabilities that could lead to code execution and privilege escalation. The affected versions across Adobe Commerce and Magento are detailed in the original advisory. Users are strongly encouraged to update to the latest specified versions to ensure their systems remain secure. Importantly, Adobe has confirmed that it is not aware of any active exploits targeting these vulnerabilities, providing reassurance to users who depend on the company's security measures.

Detailed Patches for Adobe Commerce B2B and Magento

In a focused effort to address critical security issues, Adobe has released isolated patches for both Adobe Commerce B2B and Magento. For Adobe Commerce B2B, the company has introduced several patches: version 1.4.2-p3 for 1.4.2-p2 and earlier, 1.3.5-p8 for 1.3.5-p7 and earlier, 1.3.4-p10 for 1.3.4-p9 and earlier, and 1.3.3-p11 for 1.3.3-p10 and earlier. This update carries a priority level of 2 and addresses several critical vulnerabilities, including CVE-2024-45115, a critical privilege escalation (CVSS score of 9.8), CVE-2024-45148, a critical security feature bypass (CVSS score of 8.8), and CVE-2024-45116, a critical cross-site scripting (XSS) vulnerability (CVSS score of 8.1).

For Magento Open Source, Adobe has released patches as well: version 2.4.7-p3 for 2.4.7-p2 and earlier, 2.4.6-p8 for 2.4.6-p7 and earlier, 2.4.5-p10 for 2.4.5-p9 and earlier, and 2.4.4-p11 for 2.4.4-p10 and earlier. This update has a priority level of 3.

Additionally, Adobe has released updates for several other applications. Adobe Dimension (APSB24-74), released on October 8, 2024, affects version 4.0.3 and earlier, with an updated version now available as 4.0.4. This update, which also has a priority level of 3, addresses critical vulnerabilities that could lead to arbitrary code execution (CVE-2024-45146 and CVE-2024-45150).

Adobe Animate (APSB24-76) received its updates on the same date. The affected versions include 2023 (23.0.7 and earlier) and 2024 (24.0.4 and earlier), with the new updates being 23.0.8 and 24.0.5, respectively. This update is categorized with a priority level of 3 and resolves critical vulnerabilities that could lead to arbitrary code execution and memory leaks.

Additional Vulnerabilities

This recent Adobe security update outlines several critical vulnerabilities that require attention. One of the highlighted issues is a stack-based buffer overflow, classified under CWE-121, which could lead to arbitrary code execution. This vulnerability has been assigned a critical severity rating with a CVSS score of 7.8 and is identified as CVE-2024-47410.

Additionally, there is a "Use After Free" vulnerability categorized as CWE-416, also capable of allowing arbitrary code execution. This vulnerability is critical in severity and covers multiple CVE numbers ranging from CVE-2024-47412 to CVE-2024-47415, all carrying a CVSS score of 7.8. Another critical issue is an integer overflow, designated as CWE-190, which similarly allows arbitrary code execution and holds a CVSS score of 7.8, noted as CVE-2024-47416. Moreover, a heap-based buffer overflow classified as CWE-122 has been identified, which can also lead to arbitrary code execution. This vulnerability has a critical severity rating and a CVSS score of 7.8, recorded as CVE-2024-47417. On a slightly less severe note, an out-of-bounds read classified as CWE-125 could result in a memory leak. This issue is deemed important, with a CVSS score of 5.5, and is associated with CVE-2024-47419 and CVE-2024-47420.

Adobe expresses its gratitude to the researchers who reported these vulnerabilities, particularly yjdfy and Francis Provencher. Their contributions have played a crucial role in enhancing the security of Adobe products, ensuring that users can rely on safer software environments.

Conclusion

With the latest Adobe security updates, users are urged to take immediate action by updating their applications to safeguard against potential threats. As vulnerabilities in Adobe software can have serious implications, timely updates are critical for maintaining a strong security posture.


Tips

We've previously covered what to do if you receive an unexpected one-time login code for one of your accounts (spoiler alert: it's probably a hacking attempt, and it's time to consider getting reliable protection for all your devices). But sometimes the situation is different: you get a two-factor authentication code for a service where you've never had an account. In this post, we'll discuss why this might happen, and how to react to such messages.

Why you might receive a code for an unknown account

There are two basic explanations for receiving one-time login codes for an account you're certain doesn't belong to you.

The first and most likely explanation: before you got your current phone number, it belonged to someone else. When they canceled their service, the number went back into circulation and eventually landed with you. This is called phone number recycling, a standard practice for mobile service providers. Thus, the previous owner of your number registered an account using it. And now, either they're trying to log in, or someone else is attempting to hack their account. As a result, one-time login codes are being sent to the number (which now belongs to you).

The less likely scenario is that someone is unintentionally trying to register an account using your phone number. Perhaps they mistyped their own number, or simply entered a random sequence of digits that happened to be yours.

What to do

No matter which of the above scenarios may have occurred, the good news is it's not your problem. You don't need to do anything and there's nothing to worry about, unless you plan on creating an account with that service. If you do, you might run into a problem: your number is already associated with an existing (albeit abandoned) account. In that case, contact the service's support team, explain the situation, and ask them to detach the unknown account from your number while mentioning that you're a potential new customer. If support can't or won't help, there's nothing you can do except get an extra SIM card and link your account to the new number.

What NOT to do

Now, let's talk about what you absolutely should not do: under no circumstances should you attempt to use the one-time codes you receive to access an account that doesn't belong to you. Curiosity killed the cat, and in this case it could have serious consequences. Accessing someone else's account isn't just unethical; it's illegal in most jurisdictions. For example, in the U.S., the very strict Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030) covers this. Germany has Section 202 of its Criminal Code (StGB § 202), and the list goes on for most if not all countries worldwide.

Although the probability of facing legal consequences for accessing someone else's account may not be high, it's not worth the risk. Keep in mind that this probability increases significantly if the account is linked to illegal activity. In that case, law enforcement might take a keen interest in anyone who accesses the account, and sooner or later you could find yourself facing some very uncomfortable questions.

So, the best course of action when receiving a text message with a one-time login code for an account that doesn't belong to you is to simply ignore it. And to avoid any unnecessary trouble, absolutely do not try to log in to someone else's account.


A Little Sunshine

The parents of a 19-year-old Connecticut honors student accused of taking part in a $243 million cryptocurrency heist in August were carjacked a week later, while out house-hunting in a brand new Lamborghini. Prosecutors say the couple was beaten and briefly kidnapped by six young men who traveled from Florida as part of a botched plan to hold the parents for ransom.

Image: ABC7NY. youtube.com/watch?v=xoiaGzwrunY

Late in the afternoon of Aug. 25, 2024 in Danbury, Ct., a married couple in their 50s pulled up to a gated community in a new Lamborghini Urus (investigators say the sports car still had temporary tags) when they were intentionally rear-ended by a Honda Civic. A witness told police they saw three men exit a van that was following the Honda, and said the men began assaulting the couple and forcing them into the van.

Local police officers spotted the van speeding from the scene and pursued it, only to find the vehicle crashed and abandoned a short distance away. Inside the disabled van the police found the couple with their hands and feet bound in duct tape, the man visibly bruised after being assaulted with a baseball bat.

Danbury police soon reported arresting six suspects in the kidnapping, all men aged 18-26 from Florida. They also recovered the abandoned Lamborghini from a wooded area.

A criminal complaint (PDF) filed on Sept. 24 against the six men does not name the victims, referring to them only as a married couple from Danbury with the initials R.C. and S.C. But prosecutors in Connecticut said they were targeted “because the co-conspirators believed the victims' son had access to significant amounts of digital currency.”

What made the Miami men so convinced R.C. and S.C.'s son was loaded with cryptocurrency? Approximately one week earlier, on Aug. 19, a group of cybercriminals that allegedly included the couple's son executed a sophisticated phone-based social engineering attack in which they stole $243 million worth of cryptocurrency from a victim in Washington, D.C.

That's according to ZachXBT, a frequently cited crypto crime investigator who published a lengthy thread that broke down how the theft was carried out and ultimately exposed by the perpetrators themselves. ZachXBT's post included a screen recording of a Discord chat session made by one of the participants in the $243 million robbery, noting that two of the people involved managed to leak the username of the Microsoft Windows PCs they were using to participate in the chat.

One of the usernames leaked during the chat was Veer Chetal. According to ZachXBT, that name corresponds to a 19-year-old from Danbury who allegedly goes by the nickname “Wiz,” although in the leaked video footage he allegedly used the handle “Swag.” Swag was reportedly involved in executing the early stages of the crypto heist, gaining access to the victim's Gmail and iCloud accounts.

A still shot from a video screenshare in which one of the participants on the Discord voice chat used the Windows username Veer Chetal. Image: x.com/zachxbt

The same day ZachXBT published his findings, a criminal indictment was issued in Washington D.C. charging two of the men he named as involved in the heist. Prosecutors allege Malone “Greavys” Lam, 20, of Miami and Los Angeles, and Jeandiel “Box” Serrano, 21, of Los Angeles conspired to steal and launder over $230 million in cryptocurrency from a victim in Washington, D.C. The indictment alleges Lam and Serrano were helped by other unnamed co-conspirators.

“Lam and Serrano then allegedly spent the laundered cryptocurrency proceeds on international travel, nightclubs, luxury automobiles, watches, jewelry, designer handbags, and rental homes in Los Angeles and Miami,” reads a press release from the U.S. Department of Justice.

By tracing the flow of funds stolen in the heist, ZachXBT concluded that Wiz received a large percentage from the theft, noting that “additional comfort [in naming him as involved] was gained as throughout multiple recordings accomplices refer to him as ‘Veer’ on audio and in chats.”

“A cluster of [cryptocurrency] addresses tied to both Box/Wiz received $41M+ from two exchanges over the past few weeks primarily flowing to luxury goods brokers to purchase cars, watches, jewelry, and designer clothes,” ZachXBT wrote.

KrebsOnSecurity sought comment from Veer Chetal, and from his parents, Radhika Chetal and Suchil Chetal. This story will be updated in the event that anyone representing the Chetal family responds. Veer Chetal has not been publicly charged with any crime.

According to a news brief published by a private Catholic high school in Danbury that Veer Chetal attended, in 2022 he successfully completed Harvard's Future Lawyers Program, a “unique pre-professional program where students, guided by qualified Harvard undergraduate instructors, learn how to read and build a case, how to write position papers, and how to navigate a path to law school.” A November 2022 story at patch.com quoted Veer Chetal (class of 2024) crediting the Harvard program with his decision to pursue a career in law.

It remains unclear which Chetal family member acquired the 2023 Lamborghini Urus, which has a starting price of around $233,000. Sushil Chetal's LinkedIn profile says he is a vice president at the investment bank Morgan Stanley.

It is clear that other alleged co-conspirators to the $243 million heist displayed a conspicuous consumption of wealth following the date of the heist. ZachXBT's post chronicled Malone's flashy lifestyle, in which he allegedly used the stolen money to purchase more than 10 vehicles, rent palatial properties, travel with friends on chartered jets, and spend between $250,000 and $500,000 a night at clubs in Los Angeles and Miami.

In the photo on the bottom right, Greavys/Lam is the individual on the left wearing shades. They are pictured leaving a luxury goods store. Image: x.com/zachxbt

WSVN-TV in Miami covered an FBI raid of a large rented waterfront home around the time Malone and Serrano were arrested. The news station interviewed a neighbor of the home's occupants, who reported a recent large party at the residence wherein the street was lined with high-end luxury vehicles, all of them with temporary paper tags.

ZachXBT unearthed a video showing a person identified as Wiz at a Miami nightclub earlier this year, wherein they could be seen dancing to the crowd's chants while holding an illuminated sign with the message, “I win it all.”

It appears that all of the suspects in the cyber heist (and at least some of the alleged carjackers) are members of The Com, an archipelago of crime-focused chat communities which collectively functions as a kind of distributed cybercriminal social network that facilitates instant collaboration.

As documented in last month's deep dive on top Com members, The Com is also a place where cybercriminals go to boast about their exploits and standing within the community, or to knock others down a peg or two. Prominent Com members are endlessly sniping over who pulled off the most impressive heists, or who has accumulated the biggest pile of stolen virtual currencies.

And as often as they extort and rob victims for financial gain, members of The Com are trying to wrest stolen money from their cybercriminal rivals, often in ways that spill over into physical violence in the real world. One of the six Miami-area men arrested in the carjacking and extortion plot gone awry, Reynaldo “Rey” Diaz, was shot twice while parked in his bright yellow Corvette in Miami's design district in 2022.
In an interview with a local NBC television station, Diaz said he was probably targeted for the jewelry he was wearing, which he described as “pretty expensive.” KrebsOnSecurity has learned Diaz also went by the alias “Pantic” on Telegram chat channels dedicated to stealing cryptocurrencies. Pantic was known for participating in several much smaller cyber heists in the past, and spending most of his cut on designer clothes and jewelry. The Corvette that Diaz was sitting in when he was shot in 2022. Image: NBC 6, South Florida. Earlier this year, Diaz was “doxed,” or publicly outed as Pantic, with his personal and family information posted on a harassment and extortion channel frequented by members of The Com. The reason cited for Pantic’s doxing was widely corroborated by multiple Com members: Pantic had inexplicably robbed two close friends at gunpoint, one of whom recently died of a drug overdose. Government prosecutors say the brazen daylight carjacking was paid for and organized by 23-year-old Miami resident Angel “Chi Chi” Borrero. In 2022, Borrero was arrested in Miami for aggravated assault with a deadly weapon. The six Miami men face charges including first-degree assault, kidnapping and reckless endangerment, and five of them are being held on a $1 million bond. One suspect is also charged with reckless driving, engaging police in pursuit and evading responsibility; his bond was set at $2 million. Lam and Serrano are each charged with conspiracy to commit wire fraud and conspiracy to launder money. Cybercriminals hail from all walks of life and income levels, but some of the more accomplished cryptocurrency thieves also tend to be among the more privileged, and from relatively well-off families. In other words, these individuals aren’t stealing to put food on the table: They’re doing it so they can amass all the trappings of instant wealth, and so they can boast about their crimes to others on The Com. 
There is also a penchant among this crowd to call attention to their activities in conspicuous ways that hasten their arrest and criminal charging. In many ways, the story arc of the young men allegedly involved in the $243 million heist tracks closely to that of Joel Ortiz, a valedictorian who was sentenced in 2019 to 10 years in prison for stealing more than $5 million in cryptocurrencies. Ortiz famously posted videos of himself and co-conspirators chartering flights and partying it up at LA nightclubs, with scantily clad women waving giant placards bearing their “OG” usernames — highly-prized, single-letter social media accounts that they’d stolen or purchased stolen from others. Ortiz earned the distinction of being the first person convicted of SIM-swapping, a crime that involves using mobile phone company insiders or compromised employee accounts to transfer a target’s phone number to a mobile device controlled by the attackers. From there, the attacker can intercept any password reset links, and any one-time passcodes sent via SMS or automated voice calls. But as the mobile carriers seek to make their networks less hospitable to SIM-swappers, and as more financial platforms seek to harden user account security, today’s crypto thieves are finding they don’t need SIM-swaps to steal obscene amounts of cryptocurrency. Not when tricking people over the phone remains such an effective approach. According to ZachXBT, the crooks responsible for the $243 million theft initially compromised the target’s personal accounts after calling them as Google Support and using a spoofed number. The attackers also spoofed a call from account support representatives at the cryptocurrency exchange Gemini, claiming the target’s account had been hacked. From there the target was social engineered over the phone into resetting multi-factor authentication and sending Gemini funds to a compromised wallet. 
ZachXBT says the attackers also convinced the victim to use AnyDesk to share their screen, and in doing so the victim leaked their private keys.


 Latest Warnings

Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 “Sequoia” update that broke many cybersecurity tools.

One of the zero-day flaws — CVE-2024-43573 — stems from a security weakness in MSHTML, the proprietary engine of Microsoft’s Internet Explorer web browser. If that sounds familiar, it’s because this is the fourth MSHTML vulnerability found to be exploited in the wild so far in 2024.

Nikolas Cemerikic, a cybersecurity engineer at Immersive Labs, said the vulnerability allows an attacker to trick users into viewing malicious web content, which could appear legitimate thanks to the way Windows handles certain web elements.

“Once a user is deceived into interacting with this content (typically through phishing attacks), the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services,” he said.

Cemerikic noted that while Internet Explorer is being retired on many platforms, its underlying MSHTML technology remains active and vulnerable.

“This creates a risk for employees using these older systems as part of their everyday work, especially if they are accessing sensitive data or performing financial transactions online,” he said.

Probably the more serious zero-day this month is CVE-2024-43572, a code execution bug in the Microsoft Management Console, a component of Windows that gives system administrators a way to configure and monitor the system.

Satnam Narang, senior staff research engineer at Tenable, observed that the patch for CVE-2024-43572 arrived a few months after researchers at Elastic Security Labs disclosed an attack technique called GrimResource that leveraged an old cross-site scripting (XSS) vulnerability combined with a specially crafted Microsoft Saved Console (MSC) file to gain code execution privileges.

“Although Microsoft patched a different MMC vulnerability in September (CVE-2024-38259) that was neither exploited in the wild nor publicly disclosed,” Narang said. “Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system.”

Microsoft also patched Office, Azure, .NET, OpenSSH for Windows, Power BI, Windows Hyper-V, Windows Mobile Broadband, and Visual Studio. As usual, the SANS Internet Storm Center has a list of all Microsoft patches released today, indexed by severity and exploitability.

Late last month, Apple rolled out macOS 15, an operating system update called Sequoia that broke the functionality of security tools made by a number of vendors, including CrowdStrike, SentinelOne and Microsoft. On Oct. 7, Apple pushed an update to Sequoia users that addresses these compatibility issues.

Finally, Adobe has released security updates to plug a total of 52 vulnerabilities in a range of software, including Adobe Substance 3D Painter, Commerce, Dimension, Animate, Lightroom, InCopy, InDesign, Substance 3D Stager, and Adobe FrameMaker.

Please consider backing up important data before applying any updates. Zero-days aside, there’s generally little harm in waiting a few days to apply any pending patches, because not infrequently a security update introduces stability or compatibility issues. AskWoody.com usually has the skinny on any problematic patches. And as always, if you run into any glitches after installing patches, leave a note in the comments; chances are someone else is stuck with the same issue and may have even found a solution.

 Feed

Sysdig Falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about Falco as a mix between snort, ossec and strace.

 Feed

Ubuntu Security Notice 7043-4 - USN-7043-1 fixed vulnerabilities in cups-filters. This update improves the fix for CVE-2024-47176 by removing support for the legacy CUPS printer discovery protocol entirely. Simone Margaritelli discovered that the cups-filters cups-browsed component could be used to create arbitrary printers from outside the local network. In combination with issues in other printing components, a remote attacker could possibly use this issue to connect to a system, create manipulated PPD files, and execute arbitrary code when a printer is used. This update disables support for the legacy CUPS printer discovery protocol. Simone Margaritelli discovered that cups-filters incorrectly sanitized IPP data when creating PPD files. A remote attacker could possibly use this issue to manipulate PPD files and execute arbitrary code when a printer is used.

 Feed

Ubuntu Security Notice 7042-2 - USN-7042-1 fixed a vulnerability in cups-browsed. This update improves the fix by removing support for the legacy CUPS printer discovery protocol entirely. Simone Margaritelli discovered that cups-browsed could be used to create arbitrary printers from outside the local network. In combination with issues in other printing components, a remote attacker could possibly use this issue to connect to a system, create manipulated PPD files, and execute arbitrary code when a printer is used. This update disables support for the legacy CUPS printer discovery protocol.

 Feed

Ubuntu Security Notice 7058-1 - Brennan Conroy discovered that the .NET Kestrel web server did not properly handle closing HTTP/3 streams under certain circumstances. An attacker could possibly use this issue to achieve remote code execution. This vulnerability only impacted Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. It was discovered that .NET components designed to process malicious input were susceptible to hash flooding attacks. An attacker could possibly use this issue to cause a denial of service, resulting in a crash.

 Feed

Ubuntu Security Notice 7057-2 - USN-7057-1 fixed a vulnerability in WEBrick. This update provides the corresponding updates for Ubuntu 22.04 LTS. It was discovered that WEBrick incorrectly handled having both a Content-Length header and a Transfer-Encoding header. A remote attacker could possibly use this issue to perform an HTTP request smuggling attack.

 Feed

Ubuntu Security Notice 7014-2 - USN-7014-1 fixed a vulnerability in nginx. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that the nginx ngx_http_mp4 module incorrectly handled certain malformed mp4 files. In environments where the mp4 directive is in use, a remote attacker could possibly use this issue to cause nginx to crash, resulting in a denial of service.

 Feed

Red Hat Security Advisory 2024-7855-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include bypass and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2024-7853-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include bypass and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2024-7846-03 - An update for openssl is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

 Feed

Red Hat Security Advisory 2024-7842-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include bypass and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2024-7822-03 - An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.

 Feed

Red Hat Security Advisory 2024-7599-03 - Red Hat OpenShift Container Platform release 4.16.16 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, integer overflow, and out of bounds write vulnerabilities.

 Feed

Red Hat Security Advisory 2024-7590-03 - Red Hat OpenShift Container Platform release 4.12.67 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, open redirection, and out of bounds write vulnerabilities.

 Feed

Microsoft is warning of cyber attack campaigns that abuse legitimate file hosting services such as SharePoint, OneDrive, and Dropbox that are widely used in enterprise environments as a defense evasion tactic. The end goal of the campaigns are broad and varied, allowing threat actors to compromise identities and devices and conduct business email compromise (BEC) attacks, which ultimately result

 Feed

Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild. Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based

 Feed

Social media accounts help shape a brand’s identity and reputation. These public forums engage directly with customers as they are a hub to connect, share content and answer questions. However, despite the high profile role these accounts have, many organizations overlook social media account security. Many lack the safeguards to prevent unauthorized access — a situation no organization wants as

 Feed

Google on Wednesday announced a new partnership with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNS RF) to combat online scams. The initiative, which has been codenamed the Global Signal Exchange (GSE), is designed to create real-time insights into scams, fraud, and other forms of cybercrime pooling together threat signals from different data sources in order to create

 Feed

Details have emerged about multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol that, if successfully exploited, could have severe impacts in industrial environments. "The vulnerabilities could allow an attacker to crash an industrial device or in some cases, enable remote code execution," Claroty researchers Mashav Sapir and Vera

 Feed

Threat actors with ties to North Korea have been observed targeting job seekers in the tech industry to deliver updated versions of known malware families tracked as BeaverTail and InvisibleFerret. The activity cluster, tracked as CL-STA-0240, is part of a campaign dubbed Contagious Interview that Palo Alto Networks Unit 42 first disclosed in November 2023. "The threat actor behind CL-STA-0240

2024-10
Aggregator history
Wednesday, October 09