Cyber Security Headlines: Cisco fixes flaws, Windows BSOD reappears, FBI Barracuda warning

Cisco fixes flaws in NX-OS and FXOS software

Among the flaws Cisco fixed this past week are three of high severity in its NX-OS and FXOS software, each of which could lead to denial of service. The three were part of Cisco’s semiannual FXOS and NX-OS Software Security Advisory Bundled Publication released last Wednesday: CVE-2023-20200, in the Simple Network Management Protocol (SNMP) service of Cisco FXOS Software for Firepower appliances; CVE-2023-20169, which affects Nexus 3000 and 9000 Series Switches; and CVE-2023-20168, in the TACACS+ and RADIUS remote authentication feature of NX-OS software. Cisco states it is not aware of any of these vulnerabilities being actively exploited in the wild.

(Security Affairs)

Windows preview updates bring blue screen of death

The Windows 11 and 10 preview updates that were released by Microsoft last week brought an old friend along. The updates, numbered KB5029351 and KB5029331 for Windows 11 and 10 respectively, triggered a blue screen with the Stop Code ‘UNSUPPORTED_PROCESSOR’. Affected users stated the updates were automatically rolled back after a few reboots. Microsoft is investigating.

(Bleeping Computer)

FBI warns Barracuda bug still has bite

The FBI states that Barracuda Networks Email Security Gateway appliances that have been patched against a recent zero-day bug continue to be at risk of compromise from suspected Chinese hacking groups. It calls the recent fixes “ineffective” and says it “continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit.” The bug is numbered CVE-2023-2868 (CVSS score: 9.8) and is thought to have been exploited for more than seven months before the fix was delivered.

(The Hacker News)

New Chinese hacking group spying on Taiwanese organizations

Microsoft has named this new group Flax Typhoon and states that its goal is to “not only perform espionage on targeted Taiwanese entities but maintain access to organizations across a broad range of industries for as long as possible.” The reach of this campaign also stretches to Africa and North America. Microsoft describes the group’s technique as one that “gains initial access by exploiting vulnerabilities in public-facing servers before deploying a VPN connection and collecting credentials from victim systems.” Microsoft further stated that the group’s traffic is nearly indistinguishable from legitimate HTTPS traffic, which most network security appliances would not block.

(The Record)

And now a word from our sponsor, AppOmni

Over-provisioned users could lead to your most sensitive data being exposed or leaked. Just a single attack on one of those users may compromise your entire SaaS estate. With AppOmni’s SaaS Identity Fabric, you can secure and manage end-users, entitlements, and threat-based activity. Gain visibility and control over provisioned users and the SaaS data they have access to, and receive guided remediation. Get connected with SaaS security experts at AppOmni.com.

Whiffy Recon uses WiFi to sniff out infected systems

According to the Secureworks Counter Threat Unit, the malware called SmokeLoader is being used to drop Whiffy Recon onto compromised Windows computers. This code triangulates the positions of the compromised systems using nearby Wi-Fi access points and Google’s geolocation API. In its statement, Secureworks said, “it is unclear how the threat actors use this data. Demonstrating access to geolocation information could be used to intimidate victims or pressure them to comply with demands.”

(Security Affairs and SecureWorks)
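From a detection standpoint, the one artifact this item gives defenders is the outbound call to Google’s geolocation API from a process that has no business making it. The script below is an added example, not code from the Secureworks report or the podcast: it parses constructed web-proxy log lines (the log format, host names and process names are assumptions) and reports hosts where a non-browser process POSTs to the real public endpoint `https://www.googleapis.com/geolocation/v1/geolocate`. The browser allowlist is a placeholder to be tuned per environment.

```python
"""
Hunt web-proxy logs for hosts calling Google's Geolocation API, the service
Whiffy Recon is reported to use for Wi-Fi-based positioning of infected hosts.

Added example (not from the original report). Assumptions: the proxy records
the originating process name and the full request URL; the sample lines,
host names and process names below are constructed for illustration.
"""
import re
from collections import defaultdict

# Real public endpoint of the Google Geolocation API; API keys in the query
# string are shown redacted in the constructed sample.
GEOLOCATE_URL = "https://www.googleapis.com/geolocation/v1/geolocate"

# Constructed proxy log: <timestamp> <client host> <process> <method> <url>
SAMPLE_LOG = """\
2023-08-24T09:12:01Z ws-0142 chrome.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T09:12:07Z ws-0142 chrome.exe GET https://www.google.com/
2023-08-24T09:13:44Z ws-0377 svchost.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T09:14:44Z ws-0377 svchost.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T09:15:44Z ws-0377 svchost.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T09:16:02Z ws-0510 rundll32.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T09:17:30Z ws-0142 firefox.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
"""

# Processes expected to call the browser geolocation service legitimately.
# Placeholder allowlist (assumption); tune it to the software in your fleet.
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_geolocate_request(rec):
    """True when the record is a POST to the geolocation endpoint (query string ignored)."""
    return rec["method"] == "POST" and rec["url"].split("?", 1)[0] == GEOLOCATE_URL


def geolocation_callers(log_text):
    """Map host -> {process: count} for every POST to the geolocation endpoint."""
    callers = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_geolocate_request(rec):
            callers[rec["host"]][rec["proc"]] += 1
    return {h: dict(p) for h, p in callers.items()}


def suspicious_hosts(log_text, allowed=ALLOWED_PROCESSES):
    """Hosts where a process outside the allowlist queried the geolocation API."""
    flagged = {}
    for host, procs in geolocation_callers(log_text).items():
        odd = {p: n for p, n in procs.items() if p not in allowed}
        if odd:
            flagged[host] = odd
    return flagged


if __name__ == "__main__":
    for host, procs in sorted(suspicious_hosts(SAMPLE_LOG).items()):
        for proc, n in procs.items():
            print(f"{host}: {proc} posted to the geolocation API {n} time(s)")
```

The check deliberately keys on the process name rather than the destination alone, because browsers on the same hosts call the same endpoint as part of normal page geolocation prompts; the repeated posts from a system-process name on `ws-0377` are the pattern worth a closer look on the endpoint itself.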

Kroll data breach caused by SIM swapping

The NYC-based financial and risk advisory firm states in an advisory dated last Friday that the incident, which occurred on August 19, happened because “T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor’s phone at their request.” This gave the unidentified assailant access to files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX, and Genesis. The company noted that it took immediate steps to secure the three affected accounts and notified impacted individuals by email. While an investigation is underway, Kroll said it found no evidence to indicate that other systems or accounts have been affected.

(The Hacker News and Kroll advisory)

LockBit 3.0 ransomware builder helps create numerous variants

Kaspersky says it has noticed a number of ransomware intrusions that used a variation of LockBit but with different ransom demand procedures accompanying it. This is apparently a result of the leak of the LockBit 3.0 ransomware builder that occurred last year. These new demands ask for specific amounts and provide email addresses for communication, something LockBit never did. Kaspersky adds that of 396 LockBit samples under its observation, 312 were created using the leaked builders, with 77 samples making no reference to LockBit in the ransom note. Researchers suggest these may have been developed “for urgent needs or possibly by lazy actors.”

(The Hacker News)

Government agency in France suffers data breach

The unemployment registration and financial aid agency of the government of France, Pôle emploi, has confirmed a data breach that affects an estimated 10 million people. The breach involves full names and social security numbers, but not email addresses, phone numbers, passwords, or banking information. Emsisoft has listed Pôle emploi on its MOVEit page, but the Clop ransomware gang behind the massive MOVEit hacking spree has not yet published the French agency on its extortion site.

(Bleeping Computer)

Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.