Last week, breaches and cyberattacks occurred across several industries, from the public sector, automotive and shipbuilding to IT, with devastating consequences such as disrupted operations, data theft and data leaks. Additionally, a sharp increase (nearly 30-fold!) has been observed in Adobe-themed phishing attacks targeting specific businesses, alongside mass credential campaigns in which hackers exploit Outlook and WinRAR vulnerabilities via phishing emails. Furthermore, new vulnerabilities have been found and patches released. It is highly recommended not only to be aware of them but also to apply the updates as soon as possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Nissan Australia & New Zealand suffers a cyberattack, with a potential data breach

Nissan is investigating a cyberattack that targeted its systems in Australia and New Zealand, which may have let hackers access customers’ personal information. Nissan informed the customers of its Nissan Oceania division of a potential data breach, warning them that there is a risk of scams in the coming days. A statement on the Australian and New Zealand websites says that the systems of the Australian and New Zealand Nissan Corporation and Financial Services “have been subject to a cyber incident”. The company is currently determining the impact of the cyberattack and is working to restore affected systems. Nissan clarifies that its dealer network has not been impacted: all vehicle and service queries may be submitted and there will be no delays in processing them.

HTC confirmed a cyberattack after BlackCat ransomware group leaked stolen data

HTC Global Services, an IT services and business consulting company, has confirmed that it suffered a cyberattack after the BlackCat ransomware group leaked photos of what it claimed to be data stolen from the company. The stolen data includes passports, contact lists, email addresses and confidential documents. In a statement, the firm confirmed the cyberattack, said it has enlisted cybersecurity experts, and is currently investigating and addressing the situation to ensure “the security and integrity of user data”.

23andMe updates user agreements to prevent data breach lawsuits

As 23andMe faces multiple lawsuits over the October credential stuffing attack that led to the theft of customer data, the company modified its Terms of Use on 30 November to make it more difficult to take part in class-action lawsuits against the company.
Provisions include extending the initial dispute period from 30 to 60 days, and requiring customers to first hold a telephone or video conference with 23andMe to try to resolve the dispute. The new Terms also contain stronger language to prevent a party from bringing a class-action lawsuit against 23andMe, stating that customers can bring disputes only “in an individual capacity, and not as class-action or collective action or class arbitration”. 23andMe claims that these changes were added to provide more detail and clarity around the dispute process.

Navy contractor Austal USA confirms cyberattack after data leak

Austal USA, a shipbuilding company and a contractor for the U.S. Department of Defense (DoD) and Department of Homeland Security (DHS), confirmed that it suffered a cyberattack and is currently investigating the impact of the incident. On 6 December, the Hunters International ransomware and data extortion group claimed to have breached Austal USA and leaked some of the stolen data as evidence. A spokesperson for the company then confirmed the attack, adding that Austal USA was able to mitigate the incident quickly, with no impact on operations. The relevant authorities have also been informed of the incident. Hunters International has threatened to publish more stolen data in the following days, including compliance documents, recruiting information, finance details, certifications and engineering data. Austal USA did not say whether the hackers were able to access engineering schematics or other proprietary US Navy technology.

Nearly 30-fold increase in Adobe-themed phishing targeting businesses

Security researchers have warned of a sharp increase in phishing emails carrying Adobe InDesign links, with attackers targeting specific organisations and users. Since October, there has been a nearly 30-fold increase in malicious emails with Adobe InDesign links.
Many of the phishing links seen by researchers use a “.ru” domain and are hosted behind a content delivery network (CDN) that acts as a proxy for the source site. This hides the content source and makes the attacks more difficult to detect and block. The phishing emails carry legitimate brand logos, likely copied from other content or scraped from websites by the attackers; the logos were probably chosen because they are known and trusted by the targets. Other tactics include using a publishing program to create highly convincing social engineering lures, and redirecting recipients to another web page once the link is clicked, so that there is no known malicious URL in the main body of the message for security tools to detect and block.

Hackers breach US government agencies using Adobe ColdFusion exploit

CISA (the U.S. Cybersecurity and Infrastructure Security Agency) is warning that hackers are actively exploiting a critical vulnerability (identified as CVE-2023-26360) in Adobe ColdFusion to gain initial access to government servers. The vulnerability allows arbitrary code execution on servers running Adobe ColdFusion 2018 Update 15 and older, and 2021 Update 5 and earlier. It is still being leveraged in attacks; its exploitation impacted 2 federal agency systems in June. The agency notes that “both servers were running outdated versions of software which are vulnerable to various CVEs”. Luckily, in both cases the attacks were detected and blocked before the hackers were able to exfiltrate data or move laterally, and the compromised assets were removed from crucial networks within 24 hours. It is highly recommended that federal organisations and state services upgrade ColdFusion to the latest available version, apply network segmentation, set up a firewall or WAF, and enforce signed software execution policies.
Fancy Bear group exploits vulnerabilities in Outlook and WinRAR in mass credential campaigns

The Fancy Bear group has carried out several mass attack campaigns exploiting known flaws in Outlook and WinRAR (identified as CVE-2023-23397 and CVE-2023-39931). Security researchers detected that since March 2023, Fancy Bear has engaged in phishing activity leveraging already-patched vulnerabilities to send high-volume campaigns to targets in Europe and North America. The group uses the vulnerabilities for initial access against government, aerospace, education, finance, manufacturing and technology sector targets, either to disclose user credentials or to initiate follow-on activity. Over 10,000 repeated attempts to exploit the Microsoft Outlook vulnerability were observed, targeting the same accounts daily during the late summer of 2023. In September, Fancy Bear sent malicious emails from different Portuguese email addresses exploiting the WinRAR vulnerability. The senders spoofed geopolitical entities and used the BRICS Summit and a European Parliament meeting as subjects to entice targets to open the emails. The group uses this vulnerability to initiate remote code execution with the aim of extracting NTLM credentials and information about the victim systems.

Amazon sues REKK fraud gang that stole millions of dollars worth of products

Amazon’s Customer Protection and Enforcement team has taken legal action against REKK, an underground store refund scheme that resulted in millions of dollars worth of products being stolen from Amazon’s online platforms. The lawsuit targets 20 members of REKK, as well as 7 former Amazon employees who acted as malicious insiders. REKK operates as an Organised Retail Crime (ORC) gang across online forums and social media, providing illicit refunds to individuals in exchange for a fee.
Individuals seeking free items like iPads or MacBooks purchase an item, then pay REKK a fee, usually a percentage of the product cost, to secure a deceptive refund. The customer places an order through Amazon’s online retail platform and then provides the order details to the fraudulent refund service. REKK then requests a refund and manipulates Amazon’s support representatives via social engineering, unauthorised access to Amazon systems, and bribed insiders to secure the refund without the purchased products being returned. In November 2019, REKK claimed on Nulled to have fraudulently refunded over 100,000 orders across various retailers (e.g. Lululemon, bol., Samsung, ASOS, Nike and Home Depot) to more than 30,000 customers worldwide, not limited to Amazon.

Fake WordPress security advisory pushes a malicious plugin that infects sites

WordPress administrators are being emailed fake WordPress security advisories for a fake vulnerability (tracked as CVE-2023-45124) to infect sites with a malicious plugin. The emails, which imitate WordPress, warn that a new RCE flaw has been detected on the admin’s site and urge them to download and install a plugin that allegedly addresses the security issue. Clicking the email’s ‘Download Plugin’ button takes the victim to a fake landing page at ‘en-gb-wordpress[.]org’ that looks identical to the legitimate ‘wordpress.com’ site. The entry for the fake plugin shows a likely inflated download count of 500,000, along with multiple fake user reviews describing how the patch restored their compromised site and helped them defend against hacker attacks. The malicious plugin hides itself from the list of installed plugins, so a manual search of the site’s root directory is required to remove it.
Although it is not clear what the malicious plugin does, Patchstack speculates that it might be used to inject ads on compromised sites, redirect visitors, steal sensitive information, or even blackmail owners by threatening to leak their website’s database contents.

New 5Ghoul attack impacts 5G phones with Qualcomm and MediaTek chips

A new set of vulnerabilities, collectively called 5Ghoul, has been disclosed in 5G modems by Qualcomm and MediaTek. It impacts 710 5G smartphone models from Android and Apple, as well as routers and USB modems. 5Ghoul consists of 14 vulnerabilities in mobile communication systems, 10 of which have been publicly disclosed and 4 withheld for security reasons. 5Ghoul attacks range from temporary service disruptions to network downgrades. Vulnerable smartphone brands include POCO, Black, Lenovo, AGM, Google, TCL, Redmi, HTC, Microsoft and Gigaset. Both Qualcomm and MediaTek released security bulletins last Monday for the disclosed 5Ghoul vulnerabilities. Security updates were made available to device vendors 2 months ago; however, given the complexity of the software supply chain, especially on Android, it will be a while before the fixes reach end users via security updates. Signs of a 5Ghoul attack include loss of 5G connection, inability to reconnect until the device is rebooted, and consistent drops to 4G despite the availability of a 5G network in the area. If you are worried about the 5Ghoul vulnerabilities, the only workaround is to avoid using 5G entirely until fixes are available.

WordPress addresses POP chain vulnerability that exposes websites to RCE attacks

WordPress has released version 6.4.2, which addresses a Property Oriented Programming (POP) chain vulnerability that allows attackers to run arbitrary PHP code on the target website.
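As an added illustration (not WordPress, plugin, or WordPress security team code) of the object-injection precondition that such a chain depends on, the PHP below contrasts a plugin that hands cookie data to an unrestricted unserialize() with one that forbids object creation; the CacheEntry gadget class, the load_prefs_* functions and the cookie value are all constructed for the example:

```php
<?php
// Added illustration, not code from WordPress, any plugin or the WordPress
// security team. It shows the object-injection precondition that a POP chain
// depends on: a gadget class in scope is only reachable when some code path
// feeds attacker-controlled bytes to unserialize() without restricting classes.

// Hypothetical gadget class: stands in for any loaded core/plugin class that
// defines a magic method. Chaining such methods is what makes a "POP chain".
class CacheEntry
{
    public string $path = '';

    // Runs automatically when a deserialized instance is destroyed, with
    // whatever property values the serialized string carried.
    public function __destruct()
    {
        echo "CacheEntry::__destruct reached with path={$this->path}\n";
    }
}

// Vulnerable pattern: a plugin round-trips user preferences through a cookie
// and trusts whatever comes back.
function load_prefs_vulnerable(string $cookie): mixed
{
    return unserialize(base64_decode($cookie)); // any class in scope may be instantiated
}

// Hardened: refuse to materialise objects at all, so no magic method can run.
// Better still for data that is only ever arrays: json_decode($cookie, true).
function load_prefs_hardened(string $cookie): array
{
    $data = unserialize(base64_decode($cookie), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed sample cookie: a serialized CacheEntry where an array was expected.
$crafted = base64_encode('O:10:"CacheEntry":1:{s:4:"path";s:11:"constructed";}');

echo "-- vulnerable --\n";
$obj = load_prefs_vulnerable($crafted);
echo 'decoded to an instance of ', get_class($obj), "\n";
unset($obj); // the gadget's destructor fires here

echo "-- hardened --\n";
$raw = unserialize(base64_decode($crafted), ['allowed_classes' => false]);
echo 'object arrives as ', get_class($raw), " (inert, no magic methods)\n";
var_dump(load_prefs_hardened($crafted)); // the caller gets an empty array instead
```

The hardened variant is why a core POP chain on its own is rated as not directly exploitable: without a plugin or theme that deserializes untrusted input with classes allowed, the gadget is never instantiated.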
Although the RCE vulnerability is not directly exploitable in core, the WordPress security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations. Since object injection is needed in an installed and active plugin or theme, the presence of an exploitable POP chain in WordPress core significantly increases the overall risk for WordPress sites. Administrators are highly recommended to update to the latest WordPress version. Even though most installations update to the new version automatically, it is highly advised to check manually that the update completed.

Atlassian publishes critical RCE flaws across multiple products

Atlassian has published security advisories for 4 critical RCE vulnerabilities (identified as CVE-2023-22522, CVE-2023-22523, CVE-2023-22524 and CVE-2022-1471) that impact Confluence, Jira and Bitbucket servers, along with a companion app for macOS. All the RCE vulnerabilities received a critical severity score of at least 9.0 out of 10, based on Atlassian’s internal assessment. The company has marked none of the vulnerabilities as exploited in the wild. However, due to the popularity of Atlassian products and their extensive deployment in corporate environments, system administrators should prioritise applying the available updates.

December 2023 Android security updates tackle 85 vulnerabilities, including critical zero-click RCE flaw

Google announced on 4 December that the December 2023 Android security updates address 85 vulnerabilities, including a critical-severity zero-click RCE flaw (tracked as CVE-2023-40088) found in Android’s System component, which requires neither additional privileges nor user interaction to exploit. As usual, Google released 2 patch sets with this month’s security updates, identified as the 2023-12-01 and 2023-12-05 security levels.
The latter includes all the fixes from the first set plus additional patches for third-party closed-source and kernel components.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED