Last week, breaches and cyberattacks occurred across several industries, from the public sector, apparel and financial services to higher education. Devastating consequences have been uncovered from earlier data breaches and attacks, with millions of individuals' personal data stolen and persistent system outages disrupting services to customers. Furthermore, new vulnerabilities and patches have also been found and released. It is highly recommended not only to be aware of them but also to apply the updates as soon as possible.

Read on for a quick summary of what happened this week in cybersecurity.

Majorca city Calvià hit by ransomware attack: extorted for $11 million by cybercriminals

The Calvià City Council in Majorca announced that they were targeted by a ransomware attack last Saturday, which hit their systems and forced the council to form a crisis committee to evaluate the damage and formulate mitigation measures. The City Council is working to restore its systems as soon as possible, and the mayor, Juan Antonio Amengual, stated that a team of IT specialists is investigating the attack to estimate the extent of unauthorised access and to recover the impacted systems and services. The IT outages caused the City to suspend all administrative deadlines for submitting allegations, requests and the like until 31 January. However, citizens who urgently need to submit a document for registration can still do so through the General State Administration portal. The announcement also stated that citizen services can still be reached by phone, and that telephone and face-to-face communication continues as normal. A local media outlet has learned that the ransom set by the cybercriminals is €10,000,000, or approximately $11M. The mayor has told the local press that the municipality will not be paying the ransom.

VF Corp, Supreme and Vans owner, states 35 million customers' personal data were stolen

VF Corp, the parent company of Supreme, Vans and The North Face, stated on Thursday that 35.5 million customers' personal data were stolen by hackers in the December cyberattack. The company reported the data breach to regulators in a filing on Thursday. However, the filing did not specifically state the kinds of personal data stolen, or whether the company yet knows what was taken. VF Corp did state that it does not retain customers' social security numbers, bank account information or payment card information. Furthermore, the company also stated that it found no evidence of customers' passwords being stolen.

Canterbury, Dover and Thanet Councils in Kent hit by simultaneous cyberattacks

3 local authorities in Kent - Canterbury City Council, Dover District Council and Thanet District Council - have been hit by near-simultaneous cyberattacks, knocking multiple public-facing systems offline. All 3 authorities are working with the National Cyber Security Centre (NCSC) on incident response and remediation. For Canterbury, services including the planning department, online forms and maps have been taken offline. Meanwhile, Dover residents have lost access to online forms, and Thanet also appears to have lost its planning department and online forms. In a coordinated statement, Canterbury and Dover councils said they are taking a precautionary approach and are investigating the incident, and will provide updates as soon as possible. A spokesperson for Thanet Council told reporters that they had proactively limited access to their online systems following reports of an incident.

Several Swiss federal government websites were temporarily down after a cyberattack

On 17 January 2024, several federal government websites were temporarily down after a cyberattack. The attack was claimed by the pro-Russian group 'NoName', which cited the presence of Volodymyr Zelensky at the World Economic Forum in Davos as the reason for the attack. According to the NCSC, the group launched a DDoS attack, which sends a high volume of requests to online services to overload them and make websites unavailable. In a press release, the NCSC stated that the attack was promptly detected and that the Federal Administration's specialists took action to quickly restore access to the websites.

LoanDepot outage continues into the 2nd week after ransomware attack

LoanDepot customers say that they have been unable to make mortgage payments or access their online accounts after a suspected ransomware attack on LoanDepot last week. On social media and forums, customers say they have struggled to access their account information or submit payments. Some even say that they have been unable to close deals during the ongoing disruption at LoanDepot, while others were able to do so by phone with the company. LoanDepot's cyber incident page states that several LoanDepot customer portals returned online as of 19 January 2024, although with limited functionality.

Payoneer accounts in Argentina were hacked and users had their funds stolen

Starting last weekend, many users in Argentina of Payoneer, a financial services platform providing online money transfer and digital payment services, reported that they lost access to their accounts or logged in to empty wallets, losing from $5,000 to $60,000. The hackers were able to bypass the 2FA protecting the accounts. The users report that right before the incident they received an SMS requesting approval of a password reset on Payoneer, which they did not grant. Many stated that they did not click on the URLs, and some even claimed that they did not see the SMS until after their accounts were hacked. Many impacted users said that their stolen funds were sent to an unknown email address at the 163.com domain. Local journalists have found that most affected users were customers of the mobile service providers Movistar and Tuenti, with the majority using Movistar. This raised suspicions that the recent Movistar data leak may be behind the account takeovers; however, the leak did not expose users' email addresses, which are required to reset a Payoneer password. An official statement from Movistar simply states that it is not responsible for messages sent through its network. However, it has taken preventative measures against the numbers used in the smishing campaign. Payoneer also released a statement saying that it is aware of the hack, which impacted "a very limited number of customers". In the statement, Payoneer placed the blame on the users, alleging that those impacted clicked on the fake links and shared their account login information. However, many affected users state they did not click on phishing links, and accused Payoneer of attempting to deflect responsibility and failing to acknowledge a potential error or vulnerability within the platform. The company also stated that it is currently working with the relevant authorities on this incident, and took swift action to contain the attempts at fraud from spreading.

Kansas State University (K-State) hit by a cyberattack: IT network and services disrupted

K-State announced on Tuesday that they were experiencing disruption in some IT systems such as VPN, K-State Today emails, and video services on Canvas and Mediasite. By the afternoon, they confirmed that a cyberattack caused the disruption. Impacted systems were immediately taken offline once the attack was detected. This resulted in VPN, email, Canvas and Mediasite videos, printing, shared drives and mailing list management services (Listservs) being unavailable. K-State has engaged third-party IT forensics experts to assist in the ongoing investigation, and has provided guidance to academic deans on maintaining educational continuity, including the use of alternative resources. On 17 January, another status update was published, stating that email services for K-State Today, which delivers daily announcements and research news, will become available starting on 18 January. However, the service will resume in a temporary format that features a different header image and a lower volume with select content. A 48-hour delay in email delivery is also to be expected. An 18 January update noted that KSU Wireless is currently unavailable and recommended using KSU Guest in the meantime. On 19 January, the University stated that they will be working on the IT disruption this weekend, and asked students and staff to be vigilant against possible phishing attempts.

Microsoft 'senior leadership' emails suffered a cyberattack from the same Russian SolarWinds hackers

Microsoft revealed on 20 January 2024 that it discovered a 'nation-state attack' on its corporate systems by the Russian SolarWinds hackers known as Nobelium. The attackers were able to access the email accounts of some members of its senior leadership team late last year. Beginning in late November 2023, the hackers used a password spray attack to compromise a legacy non-production test tenant account, which in turn allowed them to access a very small percentage of Microsoft corporate email accounts. This included members of the senior leadership team and employees in cybersecurity, legal and other functions. The hackers were able to exfiltrate some emails and attached documents. Microsoft discovered the attack on 12 January, and has not yet disclosed how long the attackers were able to access its systems.

Ivanti VPN zero-day flaws being mass-exploited by hackers

2 critical zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Ivanti's corporate VPN appliance are being mass-exploited by malicious hackers. Volexity, which previously reported that the 2 unpatched flaws in Ivanti Connect Secure were being exploited by China state-backed hackers, now says there is evidence of mass exploitation. According to Volexity, more than 1,700 Ivanti Connect Secure appliances worldwide have been exploited so far, affecting organisations in the aerospace, banking, defence, government and telecommunications industries. Volexity stated that victims are globally distributed and vary in size, from small organisations to some of the largest in the world. It also stated that Ivanti VPN appliances were "indiscriminately targeted". Volexity notes, however, that the number of compromised organisations is likely to be far higher. In Ivanti's updated advisory on Tuesday, the company confirmed that its findings are consistent with Volexity's new observations, and that the mass-hacks appear to have started on 11 January, a day after Ivanti disclosed the vulnerabilities. Despite mass exploitation, Ivanti has yet to publish patches; it plans to release fixes on a staggered basis starting 22 January. In the meantime, admins are strongly advised to apply the provided mitigation measures on all affected VPN appliances on their network, such as resetting passwords and API keys, and revoking and reissuing any certificates stored on the affected appliances.

VMware confirms a critical vCenter flaw is being exploited in attacks

VMware confirmed that a critical vCenter Server remote code execution vulnerability (CVE-2023-34048), which was patched in October, is now under active exploitation. The vulnerability was reported by Grigory Dorodnov, a Trend Micro vulnerability researcher. According to Shodan data, more than 2,000 VMware vCenter servers are currently exposed online, potentially vulnerable to attacks and exposing corporate networks to breach risks given their vSphere management role. As there is no workaround, VMware urged admins who are unable to patch their servers to strictly control network perimeter access to all vSphere management components (e.g. storage and network components). The specific network ports linked to potential exploitation in attacks are 2012/tcp, 2014/tcp and 2020/tcp.

Google releases security updates to fix the first actively exploited Chrome zero-day vulnerability of 2024

On Tuesday Google published a security advisory stating that it is aware of reports that a zero-day vulnerability (CVE-2024-0519) is being exploited in the wild. This high-severity zero-day stems from an out-of-bounds memory access weakness in the Chrome V8 JavaScript engine. It can allow attackers to access data beyond the memory buffer, giving them access to sensitive information or triggering a crash. Furthermore, the flaw can bypass protection mechanisms, making it easier to achieve code execution via another weakness. The company fixed the zero-day for users in the Stable Desktop channel, with patched versions released globally to Windows (120.0.6099.224/225), Mac (120.0.6099.234) and Linux (120.0.6099.224) users. Those who prefer not to update their web browser manually can rely on Chrome to automatically check for new updates and install them after the next launch. Today, Google also patched V8 out-of-bounds write (CVE-2024-0517) and type confusion (CVE-2024-0518) flaws, which allow arbitrary code execution on compromised devices.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
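For the Chrome item above, the practical follow-up is checking fleet inventory against the fixed builds. This is an added example, not Google's tooling: it parses Chrome version strings and flags hosts still below the per-platform fix versions quoted in the advisory, using a constructed, hypothetical inventory.

```python
"""Flag Chrome installs still below the CVE-2024-0519 fix versions (added example)."""
from typing import Dict, List, Tuple

# Minimum patched Stable Desktop builds per platform, as quoted in the roundup.
# Windows shipped as 120.0.6099.224/225; the lower build is the threshold.
PATCHED: Dict[str, str] = {
    "windows": "120.0.6099.224",
    "mac": "120.0.6099.234",
    "linux": "120.0.6099.224",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '120.0.6099.224' into an integer tuple so builds compare numerically."""
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True when the installed build is at or above the fixed build for that platform."""
    key = platform.lower()
    if key not in PATCHED:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) >= parse_version(PATCHED[key])


def vulnerable_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Return hostnames whose Chrome build predates the fix, sorted for reporting."""
    return sorted(h["host"] for h in inventory
                  if not is_patched(h["platform"], h["version"]))


# Constructed sample inventory with hypothetical hostnames, as an endpoint agent might export.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "windows", "version": "120.0.6099.225"},
    {"host": "ws-02", "platform": "windows", "version": "120.0.6099.217"},
    {"host": "mb-07", "platform": "mac", "version": "120.0.6099.224"},
    {"host": "lx-03", "platform": "linux", "version": "121.0.6167.85"},
]

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below the CVE-2024-0519 fix, update required")
```

Note that a Mac on 120.0.6099.224 is still flagged, because the Mac fix build is .234; the threshold is per platform, not a single number.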
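The Microsoft item above turned on a password spray against a legacy test tenant. As an added example (not Microsoft's detection logic), the following runs a simple spray heuristic over constructed sign-in records from a hypothetical tenant: one source failing against many distinct accounts is a spray, while one account failing repeatedly from one source is usually just a mistyped password, and any success from a spraying source is the first lead to chase.

```python
"""Password-spray detection over sign-in log lines (added example)."""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sign-in records for a hypothetical tenant: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 198.51.100.7 alice FAIL
2023-11-20T02:00:04Z 198.51.100.7 bob FAIL
2023-11-20T02:00:09Z 198.51.100.7 carol FAIL
2023-11-20T02:00:13Z 198.51.100.7 dave FAIL
2023-11-20T02:00:17Z 198.51.100.7 erin FAIL
2023-11-20T02:00:22Z 198.51.100.7 test-legacy SUCCESS
2023-11-20T08:15:00Z 203.0.113.5 alice FAIL
2023-11-20T08:15:30Z 203.0.113.5 alice FAIL
2023-11-20T08:16:00Z 203.0.113.5 alice SUCCESS
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse whitespace-separated lines into records; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, src, account, outcome = fields
        records.append({"ts": ts, "src": src, "account": account, "outcome": outcome})
    return records


def spray_sources(records: List[Dict[str, str]], min_accounts: int = 5) -> Dict[str, Set[str]]:
    """Map each source IP to the distinct accounts it failed against, keeping only
    sources that tried at least min_accounts different accounts (the spray signature)."""
    failed: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["outcome"] == "FAIL":
            failed[r["src"]].add(r["account"])
    return {src: accts for src, accts in failed.items() if len(accts) >= min_accounts}


def successes_from(records: List[Dict[str, str]], sources) -> List[str]:
    """Accounts that authenticated successfully from a spraying source: likely compromised."""
    return sorted({r["account"] for r in records
                   if r["src"] in sources and r["outcome"] == "SUCCESS"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    sprayers = spray_sources(recs)
    for src, accts in sprayers.items():
        print(f"{src}: failed against {len(accts)} distinct accounts")
    print("accounts to investigate:", successes_from(recs, sprayers))
```

In practice the threshold and a time window are tuned to the tenant's normal failure rate, and dormant or non-production accounts that succeed, like the legacy test tenant here, deserve the same scrutiny as production ones.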
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED