Gamaredon hackers hit Ukraine military
The Russian hacking group Gamaredon has started to increase its attacks on Ukraine’s military and government. Its primary area of focus remains espionage and data theft. According to The Record, the group hides its activities by having its “malware retrieve domain names from legitimate services such as Cloudflare, Telegram, and Telegraph instead of using its real IP addresses.” One of its most distinctive tools is called Pterodo, which Ukrainian researchers call “a potent threat, capable of infiltrating and compromising targeted systems with precision.”
Movie giant Paramount Global suffers data breach
The mass media giant with the big mountain logo announced the breach in a letter sent to those affected. The breach, it said, involved files containing some personal information that were accessed in May or June of this year. Bleeping Computer has reported that fewer than 100 individuals were affected. Paramount has not released any further information about the nature of the attack.
Takeover swarm exploits OpenFire
An attack attributed to the Kinsing group is exploiting a known path traversal flaw in the Openfire enterprise messaging application. According to research firm Aqua Nautilus, the flaw lets attackers create admin accounts that give them full control of Openfire cloud servers, including the ability to upload malware and a Monero cryptominer. These attacks use the vulnerability CVE-2023-32315, which was identified and patched in May, and which we reported on last Friday because of the large number of unpatched servers still exposed. Aqua Nautilus strongly recommends that administrators of any enterprise system using Openfire check whether their instance is vulnerable and, of course, apply the patch provided by Openfire.
National Safety Council leak impacts big names including NASA, Tesla, and Verizon
The National Safety Council (NSC) is a US-based non-profit that provides workplace and driver safety training, along with online resources for nearly 55,000 members. The Cybernews research team discovered publicly accessible web directories that exposed thousands of credentials – a vulnerability that had allegedly been left open to attack for five months. Almost 2,000 companies were affected, including a great many blue-chip organizations such as Coca-Cola, Pfizer, and Amazon, across all types of industries. The vulnerability was discovered on March 7th when the Cybernews research team found a subdomain of the NSC website that was likely used for development purposes.
Thanks to this week’s episode sponsor, AppOmni

With AppOmni’s SaaS Identity Fabric, secure and manage end-users, entitlements, and threat-based activity. Gain visibility and control over provisioned users, the SaaS data they have access to, and receive guided remediation. Get connected with SaaS security experts at AppOmni.com.
Airbnb platform exploited by cybercriminals
Analysis from cybersecurity specialists at SlashNext shows that threat actors are using stealers to obtain sensitive information, such as login credentials, that allows access to user accounts. There is also evidence of an underground marketplace that sells access to bots capable of distributing the stealers more quickly and with broader reach.
Anonymous Sudan pressures X over Starlink
The enigmatic hacking group Anonymous Sudan has reappeared, and on Tuesday took down X (formerly known as Twitter) in more than twelve countries, including the US and the UK. The group's goal was to get Elon Musk to launch Starlink in Sudan, and it used a DDoS attack to get his attention. Anonymous Sudan has long been thought to be a disguised arm of the Russian military, but in an interview with the BBC a spokesperson for the group denied this, saying their long-term goal was to show the world that Sudanese people are highly skilled. Neither X nor representatives of Elon Musk have acknowledged the disruption as of this recording.
(BBC News)
Juniper chained flaws now being exploited
Following up on a story we brought you last week, threat actors are now using the exploit chain in attacks on Juniper EX switches and SRX firewalls. Juniper Networks had released an “out-of-cycle” security update to address the four vulnerabilities, CVE-2023-36844 through CVE-2023-36847. The Shadowserver Foundation has observed threat actors chaining the flaws, saying that since August 25th it has seen exploitation attempts against these vulnerabilities from at least 29 IP addresses. These attempts began shortly after a proof of concept (PoC) had been released.
LockBit cuts the power in Montreal
The Commission des services électriques de Montréal (CSEM) is a century-old organization that looks after the electrical infrastructure of Montréal, Canada’s second largest city. The Commission has confirmed that it suffered a ransomware attack on August 3, but it refused to pay the ransom and has since repaired its systems. LockBit made public some of the data it had stolen, but the Commission points out that “all CSEM projects are the subject of public documents. Therefore, all these plans – engineering, construction, and management – are already publicly available through the official process offices in Quebec.”