Cyber Security Headlines:  Gamaredon hits Ukraine, Paramount suffers breach, OpenFire gets swarmed

Gamaredon hackers hit Ukraine military

The Russian hacking group Gamaredon has started to increase its attacks on Ukraine’s military and government. Its primary area of focus remains espionage and data theft. According to The Record, the group hides its activities by having its “malware retrieve domain names from legitimate services such as Cloudflare, Telegram, and Telegraph instead of using its real IP addresses.” One of its most distinctive tools is called Pterodo, which Ukrainian researchers call “a potent threat, capable of infiltrating and compromising targeted systems with precision.”

(The Record)

Movie giant Paramount Global suffers data breach

The mass media giant with the big mountain logo announced the breach in a letter sent to those who had been affected. The breach, it said, involved files that contained some personal information and that were accessed in May or June of this year. Bleeping Computer has reported that fewer than 100 individuals were affected. Paramount has not provided any further information about the nature of this attack.

(Security Affairs)

Takeover swarm exploits OpenFire

An attack attributed to the Kinsing group is exploiting a known path traversal flaw in the Openfire enterprise messaging application. According to research firm Aqua Nautilus, this is enabling the creation of admin accounts that gain full control of Openfire cloud servers, with the additional ability to upload malware and a Monero cryptominer. These attacks use the vulnerability CVE-2023-32315, which was identified and patched in May, and which we reported on last Friday in connection with the large number of unpatched servers still exposed. Aqua Nautilus strongly recommends that administrators of any enterprise system using Openfire check whether their instance is vulnerable and, of course, apply the patch provided by Openfire.

(Dark Reading)

National Safety Council leak impacts big names including NASA, Tesla, and Verizon

The National Safety Council (NSC) is a US-based non-profit that provides workplace and driver safety training, along with online resources for nearly 55,000 members. The Cybernews research team discovered public access to the web directories that exposed thousands of credentials – a vulnerability that has allegedly been left open to attack for five months. Almost 2,000 companies were affected including a great many blue-chip organizations like Coca-Cola, Pfizer, and Amazon, across all types of industries. The discovery of the vulnerability was made on March 7th when the Cybernews research team found a subdomain of the NSC website, which was likely used for development purposes.

(Security Affairs)

Thanks to this week’s episode sponsor, AppOmni

Over-provisioned users could lead to your most sensitive data being exposed or leaked. Just a single attack on one of those users may compromise your entire SaaS estate.
With AppOmni’s SaaS Identity Fabric, secure and manage end-users, entitlements, and threat-based activity. Gain visibility and control over provisioned users, the SaaS data they have access to, and receive guided remediation. Get connected with SaaS security experts at AppOmni.com.

AirBnB platform exploited by cybercriminals

Analysis from cybersecurity specialists at SlashNext shows that threat actors are using stealers to obtain sensitive information such as login credentials allowing access to user accounts. There is also evidence of an underground marketplace that sells access to bots that can distribute the stealers more quickly and with broader reach.

(InfoSecurity Magazine)

Anonymous Sudan pressures X over Starlink

The enigmatic hacking group Anonymous Sudan has reappeared, and on Tuesday took down X (formerly known as Twitter) in more than twelve countries including the US and the UK. The group’s goal was to pressure Elon Musk into launching Starlink in Sudan, and it used a DDoS attack to get his attention. Anonymous Sudan has long been thought to be a disguised arm of the Russian military, but in an interview with the BBC a spokesperson for the group denied this, saying their long-term goal was to show the world that Sudanese people are highly skilled. Neither X nor representatives of Elon Musk have acknowledged the disruption as of this recording.

(BBC News)

Juniper chained flaws now being exploited

Following up on a story we brought you last week, threat actors are now using the exploit chain in attacks on Juniper EX switches and SRX firewalls. Juniper Networks had released an “out-of-cycle” security update to address the four vulnerabilities, CVE-2023-36844 through CVE-2023-36847. The Shadowserver Foundation has begun observing threat actors chaining the flaws, saying that since August 25th it has seen exploitation attempts for these vulnerabilities from at least 29 IPs. These began shortly after a proof of concept (PoC) had been released.

(Security Affairs)

LockBit cuts the power in Montreal

The Commission des services electriques de Montréal (CSEM) is a century-old organization that looks after the electrical infrastructure of Montréal, Canada’s second largest city. The Commission has confirmed that it suffered a ransomware attack on August 3, but refused to pay the ransom, and has since repaired its systems. LockBit made public some of the data it had stolen, but the Commission points out that “all CSEM projects are the subject of public documents. Therefore, all these plans – engineering, construction, and management – are already publicly available through the official process offices in Quebec.”

(The Record)
