Critical Security Issue Hits Four-Faith Routers

According to VulnCheck, a critical vulnerability identified as CVE-2024-12856 has been discovered in Four-Faith industrial routers, specifically affecting the F3x24 and F3x36 models, as well as users’ machines. Evidence suggests active exploitation of this vulnerability in the wild, raising significant security concerns for industrial and enterprise users. The flaw resides in the router’s system time adjustment function, where a post-authentication vulnerability allows attackers to execute remote commands on compromised devices.

Technical Details of the Vulnerability

The routers, running firmware version 2.0, are susceptible to an authenticated remote command execution flaw via the HTTP endpoint apply.cgi. Attackers can manipulate the system time parameter using POST requests, enabling arbitrary command execution. Additionally, the firmware is configured with default credentials that, if left unchanged, can escalate the vulnerability to allow unauthenticated remote OS command injection.

Data provided by VulnCheck indicates that approximately 15,000 internet-facing routers may be affected by this issue. Exploitation campaigns have been observed since at least November 2024, with attackers altering system parameters remotely. The attacks appear to originate from multiple IP addresses and utilize Mirai-like payloads to compromise the devices. VulnCheck notes that some payloads share similarities with those used to exploit a prior vulnerability (CVE-2019-12168), although the underlying components differ.

Security researchers have identified attack patterns involving two primary IP addresses, including 178.215.238.91, as sources of active exploitation campaigns. User-Agent strings from these attacks match earlier campaigns documented in November 2024, with new payload variations targeting the identified flaw. While the attacks remain low-scale, they demonstrate a high level of persistence.

Censys data corroborates VulnCheck’s findings, suggesting that the vulnerability has been exploited consistently since its initial observation. Despite this, an official from Bains, speaking to The Hacker News, emphasized that the attacks are not widespread and appear to involve a small number of attackers using spamming techniques at a low frequency.

Mitigation Recommendations

As of now, there is no confirmation regarding the availability of security patches for the affected firmware. VulnCheck disclosed the vulnerability to Four-Faith on December 20, 2024, and awaits a response. In the interim, researchers strongly advise users to take the following measures to mitigate potential risks:

  • Immediately change default credentials on affected devices.
  • Restrict network exposure by placing routers behind firewalls or VPNs.
  • Monitor device activity for unusual or unauthorized behavior.
  • Implement detection rules, such as the Suricata rule provided by VulnCheck, to identify suspicious HTTP POST requests indicative of the attack.
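As an added detection example, not VulnCheck's Suricata rule and not code from the advisory, the Python below scans constructed JSON-lines access-log records for POST requests to apply.cgi whose form values contain shell metacharacters. The log layout and the form field names (action, year, month, day) are assumptions, not the router's real fields; the advisory names only the endpoint and the system time parameter.

```python
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import unquote_plus

# Characters that let a value escape a shell command built from form input.
# Their presence in a time-adjustment field is the signal; the exact
# parameter name is not assumed.
INJECTION_CHARS = re.compile(r"[;|`&\r\n]|\$\(")


def split_form(body: str) -> List[Tuple[str, str]]:
    """Split an application/x-www-form-urlencoded body into decoded pairs.

    Splitting on '&' before URL-decoding keeps an encoded '&' or ';' inside
    a value instead of letting it act as a separator.
    """
    pairs = []
    for part in body.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def inspect_request(record: Dict[str, str]) -> Optional[Dict]:
    """Return a finding for a suspicious apply.cgi POST, or None."""
    if record.get("method", "").upper() != "POST":
        return None
    if not record.get("uri", "").lower().endswith("/apply.cgi"):
        return None
    hits = [(n, v) for n, v in split_form(record.get("body", ""))
            if INJECTION_CHARS.search(v)]
    if not hits:
        return None
    return {
        "src_ip": record.get("src_ip"),
        "user_agent": record.get("user_agent"),
        "params": hits,
    }


def scan_log(lines: Iterable[str]) -> List[Dict]:
    """Run inspect_request over JSON-lines records, skipping unparsable lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = inspect_request(record)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log (JSON lines). The field names action/year/month/day
# are placeholders for the form fields, not the router's real parameters.
# The second record carries "%3Bid", which decodes to ";id".
SAMPLE_LOG = """
{"src_ip": "192.0.2.10", "method": "POST", "uri": "/apply.cgi", "user_agent": "Mozilla/5.0", "body": "action=set_time&year=2024&month=12&day=27"}
{"src_ip": "203.0.113.5", "method": "POST", "uri": "/apply.cgi", "user_agent": "curl/7.88", "body": "action=set_time&year=2024%3Bid&month=12"}
{"src_ip": "192.0.2.11", "method": "GET", "uri": "/index.html", "user_agent": "Mozilla/5.0", "body": ""}
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Feed it real reverse-proxy or web-server logs exported as JSON lines; it complements, rather than replaces, the network-layer Suricata rule the advisory refers to.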

Impact and Implications

By exploiting this vulnerability, attackers can gain full control over affected devices, including executing reverse shell commands to maintain persistent access while concealing their identities. Such control poses a severe threat to organizations reliant on Four-Faith routers for critical operations.

The absence of immediate patches has prompted security researchers to highlight the importance of adopting proactive measures. Organizations are advised to strengthen their defenses against suspicious activity while awaiting updates from Four-Faith. VulnCheck, adhering to responsible disclosure policies, has withheld additional technical details and information about patches until a response from the manufacturer is received.

This incident underscores the critical need for robust firmware security practices, including eliminating default credentials and ensuring timely patch management, to protect against emerging threats in industrial environments.

Understanding and Preventing Botnet Attacks: A Comprehensive Guide

Botnet attacks exploit a command-and-control model, enabling hackers to control infected devices, often referred to as "zombie bots," remotely. The strength of such an attack depends on the number of devices compromised by the hacker’s malware, making botnets a potent tool for large-scale cyberattacks.

Any device connected to the internet is at risk of becoming part of a botnet, especially if it lacks regular antivirus updates. According to CSO Online, botnets represent one of the most significant and rapidly growing cybersecurity threats. In the first half of 2022 alone, researchers detected 67 million botnet connections originating from over 600,000 unique IP addresses.

Botnet attacks typically involve compromising everyday devices like smartphones, smart thermostats, and webcams, giving attackers access to thousands of devices without the owners' knowledge. Once compromised, these devices can be used to launch spam campaigns, steal sensitive data, or execute Distributed Denial of Service (DDoS) attacks. The infamous Mirai botnet attack in October 2016 demonstrated the devastating potential of botnets, temporarily taking down major websites such as Twitter, CNN, Reddit, and Netflix by exploiting vulnerabilities in IoT devices.

The Lifecycle of a Botnet

Botnets are created through a structured process that typically involves five key steps:

  1. Infection: Malware spreads through phishing emails, infected downloads, or exploiting software vulnerabilities.
  2. Connection: Compromised devices connect to a command-and-control (C&C) server, allowing the botmaster to issue instructions.
  3. Assignment: Bots are tasked with specific activities like sending spam or launching DDoS attacks.
  4. Execution: Bots operate collectively to maximize the impact of their tasks.
  5. Reporting: Bots send updates back to the C&C server about their activities and outcomes.

These steps allow cybercriminals to exploit botnets for coordinated and anonymous attacks, making them a significant threat to individuals and organizations alike.

Signs of a Compromised Device

Recognizing a compromised device is crucial. Look out for the following warning signs:

  • Lagging or overheating when the device is not in use.
  • Unexpected spikes in internet usage.
  • Unfamiliar or abnormal software behavior.

If you suspect an infection, run a malware scan immediately and consider resetting the device to factory settings for a fresh start.

How to Protect Against Botnet Attacks

Safeguarding against botnets doesn’t require extensive technical expertise. Here are practical measures to enhance your cybersecurity:

Secure Your Home Network

  • Set strong, unique passwords and change default router settings after installation.
  • Enable WPA3 encryption and hide your network’s SSID.

Protect IoT Devices

  • Choose products from companies that offer regular security updates.
  • Disable unnecessary features like remote access and replace default passwords.

Account Security

  • Create strong passwords using a password manager to manage credentials securely.
  • Enable multi-factor authentication (MFA) for an added layer of security.

Stay Updated

  • Keep all software and firmware updated to patch vulnerabilities.
  • Enable automatic updates whenever possible.

Be Wary of Phishing

  • Verify communications directly with the source before providing sensitive information.
  • Avoid clicking on links or downloading attachments from untrusted sources.

Use Antivirus Software

  • Install reputable antivirus programs like Norton, McAfee, or free options like Avast.

Turn Off Devices When Not in Use

  • Disconnect smart devices like TVs, printers, and home assistants to minimize risks.

Organizations can mitigate botnet risks by deploying advanced endpoint protection, strengthening corporate cybersecurity systems, and staying vigilant against evolving threats. Implementing robust security measures ensures that businesses remain resilient against increasingly sophisticated botnet-driven cyberattacks.

Botnet attacks pose a serious threat to both individual and organizational cybersecurity. By adopting proactive and practical measures, users can significantly reduce the risk of becoming victims and contribute to a safer digital environment.

Thousands of Users Exposed by Flawed Camera Streaming App

A Cybernews research team discovered a huge exposed data server on June 25th. The server held 3GB of personal information and telemetry from iPhones running an app known as "Home V," which, according to the log samples, is used to manage Virtavo security cameras. The server was an unsecured Elasticsearch instance (a data analytics and search engine) that served up logs containing phone numbers, device identifiers, IP addresses, and firmware versions, among other details about the devices, the network, and the users.

The logs are suspected to be diagnostic reports, updated in real time and apparently used for performance monitoring or troubleshooting. As a result of the server's malfunction, more than 8.7 million records were left exposed. Many snapshots were duplicates, and some unique identifiers appeared in as many as 50 snapshots at once. The researchers estimated that over 100,000 unique users could be affected.

All of the information, which dated from the summer of 2023, had one thing in common: it was generated by the Home V app, which manages Virtavo security cameras. These cameras offer live streaming, video playback, two-way communication, motion alerts, and so on. Indoor surveillance cameras are, however, a frequent target of attackers and can pose significant security risks. A common weakness is that many wireless cameras ship pre-configured with usernames such as "admin" and easily guessable passwords such as "admin," "888888," or "123456".

Attackers exploit these weak credentials by scanning for cameras exposed online and attempting to log in with these standard details. This can be addressed by using a password manager to generate and store strong, unique passwords. Password security is a significant concern, especially when the camera transmits data unencrypted.

Even when users have changed a camera's password, some devices still transmit it unencrypted over the internet. Consequently, the password may be intercepted by attackers and then used to access the camera. In some cases the Wi-Fi password is also transmitted unencrypted, further undermining the network's security. One of the most severe threats is a full camera takeover, in which attackers gain root-level access to the device.

With this level of access, attackers can fully control the camera: it can be tampered with, its settings altered, and malware installed, turning the surveillance camera into a tool for further malicious activity. To minimize these risks, users must ensure that their security systems are protected by strong passwords, encrypt their data, and stay abreast of potential vulnerabilities.

The exposed logs contained a wide range of critical information about the user and the device, raising concerns about data security and privacy. This included device and software details such as the app version, the device model (e.g., iPhone12,5, which corresponds to the iPhone 11 Pro Max), the operating system, the firmware version, and video decoding details, including the use of "VideoTool Box" to decode H.264 video.

The logs also recorded information about the user's network, including the country code (e.g., CN for China), the IP address, from which the physical location was identified, the connection type (such as "cellular"), and details about the network operator and settings. The data also contained unique user identifiers, such as accounts linked to phone numbers or email addresses, User IDs and UUIDs, and numeric device identifiers.

Performance metrics were present as well, such as how quickly the first video frame is decoded at the start of a stream (a measure of playback speed) and the Wi-Fi signal strength, even when the connection type was cellular. Log entries also carried timestamps indicating when they were created, server codes identifying the servers that handled the requests (e.g., "sh" might indicate Shanghai), and the time zone offset of the device or server.

Given how comprehensive this data is, it is clear that users are exposed to the loss of a large amount of sensitive information, and robust security measures are essential to protect it. Data protection laws generally require businesses to limit data collection through data minimization and purpose limitation; in other words, they must collect only the amount of data necessary to achieve a specific objective.

Organizations are also required to obtain express consent from individuals and to provide transparency on how the data is used; otherwise, the exposure of user information could result in non-compliance and legal penalties. "It appears the application collects a considerable amount of information beyond what is actually required to perform the application's basic functions, raising questions about whether data minimization is following data protection laws," the researchers wrote in their report.

AMD Systems Vulnerability Could Threaten Encrypted Data Protection

Researchers have announced a new technique for bypassing key security protections in AMD chips, which could be used to spy on the clients of cloud services. They believe that attackers with physical access to cloud computing environments could use it to spy on those clients. Known as the "badRAM" security flaw, it has been described as a $10 hack that undermines trust in the cloud.

The vulnerability was announced on Tuesday. Like other branded vulnerabilities, it is being disclosed on a website with a logo, and it will be explained in a paper to be presented at next May's IEEE Symposium on Security and Privacy 2025.

Today's computers increasingly use encryption to protect sensitive data in DRAM, especially in shared cloud environments where data breaches and insider threats are commonplace. AMD's Secure Encrypted Virtualization (SEV) technology is designed to protect privacy and trust in cloud computing by encrypting the memory of virtual machines (VMs) and isolating them from advanced attackers, including those who compromise critical infrastructure such as the virtual machine manager and firmware.

According to the researchers, AMD's SEV, which protects processor memory from prying eyes in VM environments, can be tricked into exposing the contents of its encrypted memory using a test rig that costs less than $10 and requires no additional hardware. AMD is among the first companies to leverage chiplet architecture to improve processor performance, efficiency, and flexibility.

This has been instrumental in extending and building upon Moore's Law performance gains, and in 2018 the company announced that the first chiplet-based x86 CPU design was available. Researchers at the University of Lübeck, KU Leuven, and the University of Birmingham have proposed a conceptually simple and cheap attack called "BadRAM".

It consists of a rogue memory module that tricks the CPU into believing it has more memory than it really does. The rogue module gets the CPU to write its supposedly secret memory contents into a "ghost" region of the address space that exposes the hidden memory contents. To accomplish this, the researchers used a test rig anyone could afford: a Raspberry Pi Pico, which costs a couple of dollars, and a DIMM socket for DDR4/5 RAM modules.

The first step was to manipulate the serial presence detect (SPD) chip in the memory module so that it misreports the amount of memory on board at boot; this is the "BadRAM" attack. Because this creates two physical addresses that reference the same DRAM location, the researchers were able to locate these memory aliases through reverse engineering and read memory contents, bypassing the system's trusted execution environment (TEE).

According to the CVE description, the issue results from improper input validation of DIMM SPD metadata, which could allow an attacker with certain access levels to overwrite guest memory. It has been rated medium severity, with a CVSS score of 5.3, owing to the high level of access an attacker would need to exploit it successfully.

AMD has said that the issue may be a memory implementation issue rather than a product vulnerability, and that the barriers to carrying out the attack are far higher than they would be for a software product vulnerability. The researchers informed AMD of the vulnerability, since tracked as CVE-2024-21944, in February; it relates specifically to the company's third- and fourth-generation EPYC enterprise processors. AMD's advisory recommends using memory modules that lock the SPD and following physical security best practices.

AMD has also issued a firmware update, although it notes that each OEM's BIOS is different. The company has said that it will make the mitigation status more visible: both the host OS/hypervisor and the guest virtual machine can report whether the mitigation has been applied.

In a statement to ITPro, AMD gave an in-depth explanation of the types of access an attacker would need to exploit this issue and advised clients to follow its mitigation strategies to prevent exploitation. The badRAM website states that this kind of tampering could occur in several ways, for example through corrupt or hostile employees at cloud providers, or through law enforcement officers with physical access to the computer.

The badRAM bug may also be exploitable remotely, although AMD memory modules are not affected in this way. Modules from any manufacturer that fails to lock the SPD chip, however, can be modified after boot by operating system software, and thus by remote attackers who control that software.

According to Recorded Future News, Oswald has said that there is no evidence of this vulnerability being exploited in the wild. The team found that Intel chips already have mitigations against badRAM attacks; they could not test Arm's modules because they were not commercially available. The research was conducted by an international consortium of experts led by researchers from KU Leuven in Belgium, the University of Luebeck in Germany, and the University of Birmingham in the United Kingdom.

AI Models at Risk from TPUXtract Exploit

A team of researchers has demonstrated that it is possible to steal an artificial intelligence (AI) model without gaining access to the device running it. What makes the technique unusual is that it works even when the thief has no prior knowledge of how the AI works or how the computer is structured.

The method, known as TPUXtract, was developed at North Carolina State University's Department of Electrical and Computer Engineering. A team of four scientists, using high-end equipment and a technique known as "online template-building", deduced the hyperparameters of a convolutional neural network (CNN) running on a Google Edge Tensor Processing Unit (TPU), that is, the settings that define its structure and behaviour, with 99.91% accuracy.

TPUXtract is an advanced side-channel attack technique devised by researchers at North Carolina State University in order to show how such servers can be protected from attacks. The attack targets a CNN running on a Google Edge TPU and exploits electromagnetic signals to extract the model's hyperparameters and configuration without prior knowledge of its architecture or software.

Attacks of this type pose a significant risk to the security of AI models and the integrity of intellectual property. They unfold across three distinct phases, each relying on advanced methods to compromise the model's integrity. In the Profiling Phase, attackers observe and capture the side-channel emissions produced by the target TPU as it processes known input data. Using advanced methods such as Differential Power Analysis (DPA) and Cache Timing Analysis, they decode unique patterns that correspond to specific operations such as convolutional layers and activation functions.

The Reconstruction Phase begins with the extraction and analysis of these patterns, which are meticulously matched to known processing behaviours. This enables adversaries to infer the architecture of the AI model, including the configured layers, the connections between them, and relevant parameters such as weights and biases. Through repeated simulations and output comparisons, they refine their understanding of the model until a precise reconstruction of the original is possible.

Finally, the Validation Phase ensures that the replicated model is accurate: it is rigorously tested with fresh inputs to confirm that it performs similarly to the original, providing reliable proof of success. The threat that TPUXtract poses to intellectual property (IP) stems from the fact that it lets attackers steal and duplicate AI models while bypassing the significant resources needed to develop them.

A competitor could recreate and mimic models such as ChatGPT without investing in costly infrastructure or training staff. Beyond IP theft, TPUXtract exposes cybersecurity risks: revealing an AI model's structure gives visibility into its development and capabilities, information that could be used to identify vulnerabilities, enable cyberattacks, and expose sensitive data in industries ranging from healthcare to automotive.

The attack requires specific equipment, such as a Riscure electromagnetic probe station, high-sensitivity probes, and a Picoscope oscilloscope, so only well-funded groups, for example corporate competitors or state-sponsored actors, can execute it. The technique rests on the fact that any electronic device emits electromagnetic radiation as a byproduct of its operation, and the nature and composition of that radiation depend on what the device is doing.

To conduct their experiments, the researchers placed an EM probe on top of the TPU after removing obstructions such as cooling fans, centring it over the part of the chip emitting the strongest electromagnetic signals. The chip then emitted signals as it processed input data, and these signals were recorded. The researchers used the Google Edge TPU for this demonstration because it is a commercially available chip widely used to run AI models on edge devices, meaning devices used by end users in the field, as opposed to AI systems used for database applications.

With the probe positioned over the TPU chip, the researchers recorded real-time changes in its electromagnetic field during AI processing and used them to determine the structure and layer details of the model. To verify the model's electromagnetic signature, they compared it with signatures produced by AI models run on a similar device, in this case another Google Edge TPU. Using this technique, Kurian says, AI models can be stolen from a variety of devices, including smartphones, tablets and computers.

An attacker can use this technique as long as they know the device they want to steal from, have access to it while it is running an AI model, and have access to another device with similar specifications. According to Kurian, the electromagnetic data from the sensor is essentially a "signature" of the way the AI processes information. Pulling off TPUXtract takes a great deal of work: it requires not only considerable technical expertise but also expensive and niche equipment. To scan the chip's surface, the NCSU researchers used a Riscure EM probe station equipped with a motorized XYZ table and a high-sensitivity electromagnetic probe to capture the weak signals emanating from it.

The traces were recorded with a Picoscope 6000E oscilloscope, Riscure's icWaves FPGA device aligned them in real time, and the icWaves transceiver translated and filtered out the irrelevant signals using bandpass filters and AM/FM demodulation, respectively. While this may seem difficult and costly for a hacker to do on their own, Kurian explains, "It is possible for a rival company to do this within a couple of days, regardless of how difficult and expensive it will be."

TPUXtract poses a formidable challenge to AI model security and highlights the importance of proactive measures. Organizations need to understand how such attacks work, implement robust defences, and ensure that they can safeguard their intellectual property while maintaining trust in their AI systems. The AI and cybersecurity communities must keep learning and collaborating to stay ahead of threats as they evolve.

Pumakit Rootkit Challenges Linux Security Systems

According to researchers from Elastic Security Labs, a new rootkit called PUMAKIT uses a range of advanced evasion mechanisms. Elastic Security researchers discovered PUMAKIT while routinely hunting for threats on VirusTotal. This multi-stage malware is deployed through several components: a dropper, two memory-resident executables, an LKM rootkit module, and a userland shared object rootkit.

To manipulate core system behaviour, the rootkit component hooks 18 different syscalls and several kernel functions using the internal Linux function tracer (ftrace). Rootkits of this kind are typically used by advanced persistent threat (APT) groups targeting critical organizations, with tooling designed to establish persistence within compromised systems.

Pumakit can evade detection and compromise systems through advanced stealth and privilege escalation techniques. Several components make up this sophisticated malware, including a dropper, memory-resident executables, a kernel module rootkit, and a userland rootkit.

Elastic Security discovered the Pumakit malware family in a suspicious binary named 'cron' uploaded to VirusTotal on September 4, 2024; details about its operators and targets remain vague. Rootkits like this are commonly used by advanced threat actors to undermine critical infrastructure, steal money, disrupt operations, and infiltrate enterprise systems for espionage.

Its binary contains strings embedded by the developer that make its components easy to identify. The malware has a multi-stage architecture comprising a dropper component named "cron", two memory-resident executables called TGT and WPN, an LKM rootkit called Pumba, and a bundled shared object rootkit called Kitsune. The payload loads the LKM rootkit ('puma.ko') into the kernel and the userland rootkit ('Kitsune SO') to intercept system calls from userland.

It uses the internal Linux function tracer (ftrace) to hook as many as 18 different system calls and various kernel functions, such as "prepare_creds" and "commit_creds", in order to alter core system behaviour and achieve its objectives. Elastic also noted that every step of the infection chain is designed to conceal the malware's presence, using memory-resident files and performing specific checks before unleashing the rootkit, which makes it difficult to detect before it is launched.

The company has not linked PUMAKIT to any known threat actor or group, and its origin remains unknown. PUMAKIT is a sophisticated and stealthy threat that uses advanced techniques such as syscall hooks, memory-resident execution, and unique methods for escalating privileges. According to the researchers, it is multi-architecture malware that demonstrates the increasing sophistication of malware aimed at Linux. To manipulate system behaviour, the LKM rootkit relies on the syscall table and on kallsyms_lookup_name() to resolve symbol names.

Rootkits targeting kernel versions 5.7 and above tend to use kprobes instead, so this reliance suggests the rootkit was designed for older kernels, which makes it more difficult to detect than modern rootkits. There has been debate within the kernel development team about unexporting kallsyms_lookup_name() to prevent unauthorized or malicious modules from misusing it. As part of this tactic, modules are often added with fake MODULE_LICENSE("GPL") declarations that circumvent license checks, giving them access to non-exported kernel functions, which is not permitted under the GPL.
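An added triage example, not Elastic's tooling: ftrace lists the kernel functions that currently have a tracer attached in its enabled_functions file (under /sys/kernel/tracing or /sys/kernel/debug/tracing), one per line, beginning with the symbol name and a use count. The Python below parses a constructed copy of that file and flags tracing of the credential functions and syscall handlers named above; the line layout beyond the name and count is an assumption and is ignored.

```python
import re
from typing import Dict, List, Tuple

# Kernel functions the write-up names as PUMAKIT hook targets.
CRED_FUNCTIONS = {"prepare_creds", "commit_creds"}
# Syscall entry-point prefixes on x86-64, 32-bit compat and arm64 kernels.
SYSCALL_PREFIXES = ("__x64_sys_", "__ia32_sys_", "__arm64_sys_")

# enabled_functions lines start with "<symbol> (<count>)"; everything after
# that (flags, trampoline address) varies by kernel and is kept verbatim.
LINE_RE = re.compile(r"^(?P<func>\S+)\s+\((?P<count>\d+)\)(?P<rest>.*)$")


def parse_enabled_functions(text: str) -> List[Dict]:
    """Parse enabled_functions text into {func, count, rest} entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"func": m["func"], "count": int(m["count"]),
                            "rest": m["rest"].strip()})
    return entries


def triage(entries: List[Dict]) -> List[Tuple[str, str]]:
    """Flag traced functions a rootkit would hook.

    Legitimate tracers (perf, BPF trampolines, live patching) produce the
    same lines, so each hit needs confirmation before acting on it.
    """
    findings = []
    for e in entries:
        name = e["func"]
        if name in CRED_FUNCTIONS:
            findings.append((name, "credential function traced"))
        elif name.startswith(SYSCALL_PREFIXES):
            findings.append((name, "syscall handler traced"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group findings so the count of hooked syscalls stands out."""
    return {
        "syscall_hooks": sorted(n for n, why in findings if why.startswith("syscall")),
        "credential_hooks": sorted(n for n, why in findings if why.startswith("credential")),
    }


# Constructed sample in the assumed layout: vfs_read is traced but not
# flagged; the other four match the hook targets described in the write-up.
SAMPLE = """\
vfs_read (1) R I tramp: 0xffffffffc0a00000 ->ftrace_ops_list_func
prepare_creds (1) R I tramp: 0xffffffffc0a01000 ->ftrace_ops_list_func
commit_creds (1) R I tramp: 0xffffffffc0a02000 ->ftrace_ops_list_func
__x64_sys_getdents64 (1) R I tramp: 0xffffffffc0a03000 ->ftrace_ops_list_func
__x64_sys_kill (1) R I tramp: 0xffffffffc0a04000 ->ftrace_ops_list_func
"""

if __name__ == "__main__":
    print(summarize(triage(parse_enabled_functions(SAMPLE))))
```

Read the live file as root with `cat /sys/kernel/tracing/enabled_functions` and pass its contents to parse_enabled_functions. A rootkit that hooks file reads can falsify this view, so compare against a known-good baseline or an offline memory image.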

The discovery of PUMAKIT underscores the sophistication with which Linux systems are now being targeted. Because it evades detection and carries out advanced actions on the host, it ranks among the more dangerous Linux threats seen recently. Proactive measures can still reduce the harm: keep kernels and packages updated and increase monitoring of the kernel and of module loading, among other controls.

Defending against attacks like PUMAKIT requires staying informed and vigilant as threats evolve. Users must take every precaution to protect their Linux systems from this and other advanced malware.

Telecom Networks on Alert Amid Cyberespionage Concerns

 



The U.S. Federal Government has called on telecommunication companies to strengthen their network security in response to a significant hacking campaign allegedly orchestrated by Chinese state-sponsored actors. 

The campaign reportedly allowed Beijing to access the private communications of millions of Americans, including texts and phone conversations. In a joint advisory, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) outlined measures to help detect and prevent such cyber-espionage activity.

Extent of the Breach Remains Unclear

According to officials, the full scale of the breach, and whether Chinese hackers still have access to U.S. networks, remains unknown. The announcement was coordinated with security agencies in New Zealand, Australia and Canada, members of the Five Eyes intelligence alliance, signalling the global reach of China's hacking activities.

The FBI and CISA revealed that Chinese hackers breached the networks of several U.S. telecom companies. These breaches enabled them to collect customer contact records and private communications. Most targeted individuals were involved in government or political activities. 

Key Findings:
  • Hackers accessed sensitive information under law enforcement investigations or court orders.
  • Attempts were made to compromise programs governed by the Foreign Intelligence Surveillance Act (FISA), which allows U.S. spy agencies to monitor suspected foreign agents' communications.
Salt Typhoon Campaign

The campaign, referred to as Salt Typhoon, surfaced earlier this year. Hackers used advanced malware to infiltrate telecom networks and gather call metadata such as dates, times and recipients.
 
Details of the Attack:
  • Limited victims had their actual call audio and text data stolen.
  • Victims included individuals involved in government and political sectors.
While telecom companies are responsible for notifying affected customers, many details about the operation remain unknown, including the exact number of victims and whether the hackers retain access to sensitive data. 
  
Recommendations for Telecom Companies 

Federal agencies have issued technical guidelines urging telecom companies to:
  1. Encrypt Communications: Enhance security by ensuring data encryption.
  2. Centralize Systems: Implement centralized monitoring to detect potential breaches.
  3. Continuous Monitoring: Establish consistent oversight to identify cyber intrusions promptly.
CISA's Executive Assistant Director for Cybersecurity, Jeff Greene, emphasized that implementing these measures could disrupt operations like Salt Typhoon and reduce future risks. 

China's Alleged Espionage Efforts 
 
This incident aligns with a series of high-profile cyberattacks attributed to China, including:
  • The FBI's September disruption of a botnet operation involving 200,000 consumer devices.
  • Alleged attacks on devices belonging to U.S. political figures, including then-presidential candidate Donald Trump, Senator JD Vance, and individuals associated with Vice President Kamala Harris.
The U.S. has accused Chinese actors of targeting government secrets and critical infrastructure, including the power grid. 

China Denies Allegations 
 
In response, Liu Pengyu, spokesperson for the Chinese embassy in Washington, dismissed the allegations as "disinformation." In a statement, Liu asserted that China opposes all forms of cyberattacks and accused the U.S. of using cybersecurity as a tool to "smear and slander China." 

As cyber threats grow increasingly sophisticated, the federal government’s call for improved network security underscores the importance of proactive defense measures. Strengthened cybersecurity protocols and international cooperation remain critical in safeguarding sensitive information from evolving cyber-espionage campaigns.

Woman Charged in Electric Ireland Customer Information Breach

Electric Ireland, the Irish national utility supplier, is investigating a significant breach of customer information. First reported last year, the breach has led to arrests and an ongoing investigation by the Garda National Cyber Crime Bureau (GNCCB) and the Garda National Economic Crime Bureau (GNECB), and has raised concerns about the misuse of personal and financial data and the risks to affected customers.

Details of the Data Breach

Electric Ireland disclosed that an employee of a company working on its behalf may have inappropriately accessed data from approximately 8,000 residential customer accounts. The compromised information includes personal and financial details, potentially exposing customers to fraud. While the company has not released the names of affected customers, it is actively identifying and contacting individuals who may be at risk. The breach has left many customers concerned about identity theft and financial security.

Electric Ireland has apologized for the breach and is providing guidance to impacted customers. Those not contacted by the company are advised to remain cautious and avoid taking immediate action until they receive official communication. In addition, Electric Ireland has encouraged customers to report any fraudulent activity related to their accounts and to consult their banks for potential security measures.

Investigative Efforts by Authorities

The GNCCB and GNECB are leading the investigation. The GNCCB specializes in analysing digital evidence and has worked with international agencies such as Europol, Interpol and the FBI on similar cases. During the probe, investigators found evidence on the phone of a Nigerian national allegedly linked to the breach; further scrutiny led them to his girlfriend and her associates, suggesting a wider network of people involved in the unauthorized access.

The GNECB, which handles financial crime cases, is assessing the fraud's extent and coordinating with Electric Ireland to mitigate the impact on customers. Despite limited details from the authorities, the case highlights the growing challenges of safeguarding sensitive data in an increasingly digital landscape.

Company Response and Customer Guidance

In addition to addressing the data breach, Electric Ireland is dealing with separate issues of overcharging due to incorrect tariff rates and smart meter data errors. The company has issued apologies for these errors and is offering credit notes to affected customers. Regulatory authorities are reviewing the matter to ensure compliance and prevent similar occurrences in the future.

Electric Ireland remains committed to transparency and is collaborating with Garda Síochána to resolve the breach. Customers are urged to stay vigilant, monitor their financial accounts, and report any suspicious activities to the company and their banks.

Godot Game Engine Targeted in Widespread Malware Attack

 


A newly identified malware loader, GodLoader, targets gamers worldwide by abusing the Godot game development engine, according to a report from Check Point Research. The campaign potentially exposes more than 1.2 million users of Godot-built games across several platforms.

How GodLoader Works 

 
GodLoader is delivered through Godot's .pck files, which package game assets. A .pck can also carry scripts, and those scripts run when the game loads the pack, so the attacker's code executes on launch while largely evading traditional antivirus detection. The malware primarily targets:

- Windows 
- macOS 
- Linux 
- Android 
- iOS 

Check Point Research reported that the attackers have infected more than 17,000 systems in the past three months alone. The malicious logic is written in Godot's GDScript (a Python-like scripting language) and distributed through more than 200 GitHub repositories, often disguised as legitimate game assets.
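The point above, that a .pck can carry scripts that run when the game loads the pack, is easiest to see by listing a pack's file table. The following is an added example (my code, not Godot's or Check Point's): the header and entry layout, magic "GDPC", version 1 for Godot 3.x and version 2 for Godot 4.x, is my reading of the engine's PackedData format and should be verified against the engine version in use; build_pck() writes a constructed sample in that same layout so the parser can be exercised offline, and the script suffixes and the encrypted-directory flag bit are assumptions.

```python
"""List the script files packed inside a Godot .pck.  Added example (my
code, not Godot's or Check Point's).  The layout, "GDPC" magic, v1 for
Godot 3.x and v2 for Godot 4.x, is my reading of the engine's PackedData
format; verify it against the engine version in use.  build_pck() writes a
constructed sample in that same layout so the parser can run offline."""
import hashlib
import struct

MAGIC = b"GDPC"
SCRIPT_SUFFIXES = (".gd", ".gdc", ".gde")   # GDScript source, bytecode, encrypted bytecode
PACK_DIR_ENCRYPTED = 1                       # pack_flags bit: file table itself is encrypted

def _pad4(n):
    return (4 - n % 4) % 4

def build_pck(files, version=2, engine=(4, 3, 0)):
    """Serialize {path: bytes}.  Entry offsets are absolute in v1 and relative
    to file_base in v2, which is how the engine reads them back."""
    extra = 12 if version == 2 else 0                     # pack_flags + file_base
    header_len = 4 + 4 + 12 + extra + 64 + 4              # magic, version, engine, ..., reserved, count
    table_len = sum(4 + len(p.encode()) + _pad4(len(p.encode())) + 8 + 8 + 16
                    + (4 if version == 2 else 0) for p in files)
    file_base = header_len + table_len
    out = bytearray(MAGIC + struct.pack("<IIII", version, *engine))
    if version == 2:
        out += struct.pack("<IQ", 0, file_base)
    out += b"\0" * 64 + struct.pack("<I", len(files))
    blob, cursor = bytearray(), file_base
    for path, data in files.items():
        p = path.encode()
        p += b"\0" * _pad4(len(p))
        ofs = cursor if version == 1 else cursor - file_base
        out += struct.pack("<I", len(p)) + p + struct.pack("<QQ", ofs, len(data))
        out += hashlib.md5(data).digest()
        if version == 2:
            out += struct.pack("<I", 0)                   # per-file flags (bit 0 = encrypted)
        blob += data
        cursor += len(data)
    return bytes(out + blob)

def parse_pck(data):
    """One dict per packed file: path, size, flags and whether the stored MD5
    matches the bytes actually found at the entry's offset."""
    if data[:4] != MAGIC:
        raise ValueError("no GDPC header at offset 0 (packs embedded in an executable start elsewhere)")
    version, = struct.unpack_from("<I", data, 4)
    pos, file_base = 20, 0                                # past magic, version, engine major/minor/patch
    if version == 2:
        flags, file_base = struct.unpack_from("<IQ", data, pos)
        pos += 12
        if flags & PACK_DIR_ENCRYPTED:
            raise ValueError("encrypted file table: cannot be listed without the key")
    elif version != 1:
        raise ValueError(f"unsupported pack version {version}")
    pos += 64                                             # reserved words
    count, = struct.unpack_from("<I", data, pos)
    pos += 4
    entries = []
    for _ in range(count):
        plen, = struct.unpack_from("<I", data, pos)
        pos += 4
        path = data[pos:pos + plen].rstrip(b"\0").decode()
        pos += plen
        ofs, size = struct.unpack_from("<QQ", data, pos)
        pos += 16
        md5 = data[pos:pos + 16]
        pos += 16
        fflags = 0
        if version == 2:
            fflags, = struct.unpack_from("<I", data, pos)
            pos += 4
        body = data[file_base + ofs:file_base + ofs + size]
        entries.append({"path": path, "size": size, "flags": fflags,
                        "md5_ok": hashlib.md5(body).digest() == md5})
    return entries

def embedded_scripts(data):
    """Script paths in the pack: the code that runs when the game loads it."""
    return [e["path"] for e in parse_pck(data) if e["path"].endswith(SCRIPT_SUFFIXES)]

SAMPLE_PCK = build_pck({                                  # constructed contents, not a real game
    "res://icon.png": b"\x89PNG not a real image",
    "res://scenes/main.tscn": b"[gd_scene format=3]\n",
    "res://addons/helper/loader.gd": b"extends Node\nfunc _ready():\n\tpass\n",
})
```

Run embedded_scripts() over a downloaded .pck (or a "mod" or "patch" pack) and compare against the script list of the legitimate release; an extra .gd under an addons path is exactly the kind of entry to investigate. The parser refuses packs whose directory is flagged encrypted and packs embedded inside an executable, both of which need more work than this example does.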

Exploitation of Open-Source Trust 


Eli Smadja, Security Research Group Manager at Check Point Software Technologies, highlighted the exploitation of open-source platforms:  

"Cybercriminals have turned the flexibility of the Godot Engine into a vulnerability, spreading cross-platform malware like GodLoader by capitalizing on the trust users place in open-source software." 

Infected machines are not only compromised but may also be turned into cryptocurrency miners running XMRig, which consumes their resources.

Stargazers Ghost Network: Distribution-as-a-Service (DaaS) 


The attackers used the Stargazers Ghost Network to distribute GodLoader. This platform, active since 2022, employs over 3,000 ghost GitHub accounts to create networks of malicious repositories. These repositories: 

- Host info stealers like RedLine, Lumma Stealer, Rhadamanthys, and RisePro. 
- Manipulate GitHub’s trending section by starring, forking, and subscribing to their own repositories to appear legitimate. 

During a campaign between September and October 2024, Check Point discovered four separate attacks targeting developers and gamers. These attacks aimed to distribute infected tools and games, enticing users to download malware through seemingly credible GitHub repositories. 

Broader Implications and Future Risks 


The malware’s ability to target multiple platforms significantly enlarges the attack surface, posing a growing threat to the gaming community. Experts warn that attackers could embed malware into cheats, mods, or cracks for popular Godot-built games, increasing the vulnerability of millions of gamers. 

The Stargazers Ghost Network has already earned over $100,000 by distributing malware through its DaaS platform. With its continuous evolution, this network poses an ongoing threat to both developers and users of the Godot engine. 

Call to Action for Developers and Gamers 


Industry experts emphasize the urgent need for proactive cybersecurity measures to counter such threats. Recommendations include: 

- Avoid downloading game assets from unverified sources. 
- Regularly update antivirus and anti-malware software. 
- Implement robust security practices when developing or downloading games built with Godot. 

As the gaming ecosystem continues to expand, vigilance and collaboration between developers and security researchers will be critical in mitigating threats like GodLoader and ensuring a safer gaming environment.

HDFC Life Responds to Data Leak, Engages Cybersecurity Experts

 


HDFC Life Insurance has reported a cyberattack in which confidential customer data was stolen. The attackers accessed sensitive policyholder information and attempted to extort the company, which filed a complaint with the South Region Cyber Police. According to the complaint, the breach took place between November 19 and November 21, 2024.

The attackers, who used the email alias bsdqwasdg@gmail.com and a WhatsApp account for their messages, stole personal data belonging to HDFC Life's clients. In a release on Monday, HDFC Life Insurance Company, the country's second-largest private insurer by premiums, confirmed that customer information had been taken from its systems.

This is the second major data breach in the insurance sector in recent months, following the leak of large volumes of personal information from Star Health & Allied Insurance. Star Health had also commissioned a forensic investigation of its incident by independent cybersecurity experts.

The Star Health breach reportedly led to the sale of sensitive information on about 31 million customers, an estimated 7.24 terabytes, via the messaging platform Telegram. The Insurance Regulatory and Development Authority of India (IRDAI), which regulates the sector, said, without naming the insurers, that it takes security breaches very seriously and would keep engaging with the companies to ensure policyholders' interests are fully protected.

The leaked data included names, addresses, phone numbers, tax details and in some cases medical records of policyholders. The hacker claimed that Star Health's chief information security officer (CISO), Amarjeet Khanuja, had sold the company's data for $150,000; Star Health said it was investigating the allegation. Tata AIG also suffered a data loss incident.

Between November 19 and 21, HDFC Life received several emails from an anonymous sender claiming to have stolen its customers' sensitive information. Attached to one email was a sample containing the names, policy numbers, addresses and phone numbers of 99 customers.

The email warned that unless the company negotiated, the data would be leaked or sold to third parties, gave the company two days to respond and threatened its reputation. Further messages on November 20 and 21 warned that a massive leak would follow if the company failed to negotiate, and that the company would suffer losses of "hundreds of billions of rupees" along with reputational damage and regulatory pressure from the government.

The extortionist demanded payment in exchange for withholding the information. HDFC Life had a security expert examine the sample and verify its authenticity, then decided to engage the police and inform the relevant authorities.

The company has assured customers that it is taking all possible measures to protect their information and to minimize the impact of the theft. A case has been registered under sections 308(3) (extortion) and 351(4) (criminal intimidation) of the Bharatiya Nyaya Sanhita, 2023, along with the relevant provisions of the Information Technology Act, 2000.

There was a statement from HDFC Life that stated the company is committed to safeguarding the interest of its customers and will take swift action to resolve this matter. In recent months, other insurers, including Star Health Insurance and Tata AIG, have also admitted to data breaches as a result of intrusions into their systems. 

It is because of these incidents that IRDAI is constantly monitoring insurers' data security frameworks and ensuring that the necessary corrective actions are being taken as soon as possible. A growing number of cyber threats are posing serious risks to the privacy of customers and the accountability of organizations in the insurance sector. 

HDFC Life's response reflects the industry's recent push to strengthen cybersecurity continuously and reduce the risk of future breaches. IRDAI has put a number of cybersecurity requirements in place to ensure that data protection is robust and that millions of policies are protected.

Wi-Fi Exploit Enables Russian Hackers to Breach US Business

 


A Russian state-sponsored group believed to be APT28 (Fancy Bear) remotely compromised a large U.S. enterprise through its Wi-Fi network. Security firm Volexity first detected the breach on February 4, 2022, at a Washington, DC-based organization working on projects related to Ukraine.

The group, linked to Russia's GRU military intelligence, obtained the credentials needed to join the wireless network through a password-spraying attack against one of the victim's other services. It then used a novel technique Volexity calls the 'nearest neighbour attack' to get onto the enterprise Wi-Fi network and spy on employees' activity.

Although the operators were thousands of miles away, they compromised an organization within Wi-Fi range of the target and used it as a pivot. Volexity, which tracks the actor as 'GruesomeLarch', detected the intrusion on February 4, 2022, and its subsequent investigation traced the attackers' activity over a period of weeks.

APT28, part of GRU Unit 26165, has conducted cyber operations since at least 2004. In this case the attackers used a hijacked device in a neighbouring building across the street to join the U.S. organization's Wi-Fi network without ever leaving Russia.

Volexity documented the technique, which it calls the "Nearest Neighbor Attack", after the incident at an unnamed customer it refers to as Organization A. The attackers, tracked by Volexity as GruesomeLarch, first obtained valid Wi-Fi credentials by password-spraying the victim's public-facing services.

Those credentials could not be used against the public web services, which were protected by one-time passwords (OTP). Connecting to the enterprise Wi-Fi did not require MFA, but being "thousands of miles away from the victim and behind an ocean" made that route impractical on its own, so the attackers turned to nearby buildings as potential pivots into the target's wireless network.

APT28 compromised multiple organizations in the process, daisy-chaining their connections using legitimate credentials at each hop. Eventually they found a device in a neighbouring organization that was within range of three wireless access points near the windows of Organization A's conference room.

Once on the network, the attackers used an unprivileged account over Remote Desktop (RDP) to move between systems, looking for machines of interest and exfiltrating sensitive data from them. They dumped three Windows registry hives (SAM, SECURITY and SYSTEM), compressed them into a ZIP archive and exfiltrated it using a script named 'servtask.bat'.

Throughout, they relied on native Windows tools to collect data while keeping their footprint small. Volexity's analysis also showed that GruesomeLarch targeted Organization A to gather data on individuals and projects with expertise in, and activity in, Ukraine. Volexity initially could not tie the intrusion to a known actor, but a later Microsoft report listed indicators of compromise (IoCs) matching what Volexity had observed, pointing to the Russian group.
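The hive dump described above is detectable in endpoint telemetry precisely because it uses native tools: exporting SAM, SECURITY and SYSTEM with reg save, then archiving them, is a distinctive sequence. The following is an added example, not Volexity's detection logic; the process-creation events are constructed in a 4688/Sysmon-like shape (time, host, user, command line), and the time window and the archiver patterns are my assumptions.

```python
"""Flag the registry-hive credential dump described above in process
creation telemetry.  Added example, not Volexity's logic; the events are
constructed and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "reg save hklm\sam ...", "reg.exe save HKEY_LOCAL_MACHINE\SECURITY ..." and so on
HIVE_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|security|system)\b", re.I)
# archivers commonly used to bundle the dumped hives (assumed list)
ARCHIVE_RE = re.compile(r"compress-archive|\b7za?\.exe\b|\bmakecab\b|\btar(?:\.exe)?\s", re.I)

SAMPLE_EVENTS = [   # constructed telemetry, not real logs
    {"time": "2024-01-15T03:12:05", "host": "WS-17", "user": "CORP\\jdoe",
     "cmd": r"C:\Windows\System32\cmd.exe /c C:\Windows\Temp\servtask.bat"},
    {"time": "2024-01-15T03:12:06", "host": "WS-17", "user": "CORP\\jdoe",
     "cmd": r"reg save hklm\sam C:\Windows\Temp\sam.save"},
    {"time": "2024-01-15T03:12:07", "host": "WS-17", "user": "CORP\\jdoe",
     "cmd": r"reg save hklm\security C:\Windows\Temp\security.save"},
    {"time": "2024-01-15T03:12:08", "host": "WS-17", "user": "CORP\\jdoe",
     "cmd": r"reg save hklm\system C:\Windows\Temp\system.save"},
    {"time": "2024-01-15T03:12:09", "host": "WS-17", "user": "CORP\\jdoe",
     "cmd": r"powershell -c Compress-Archive C:\Windows\Temp\*.save C:\Windows\Temp\ps.zip"},
    # a lone SYSTEM export by a backup job: not enough on its own to alert
    {"time": "2024-01-15T04:00:00", "host": "SRV-02", "user": "CORP\\backup",
     "cmd": r"reg.exe save HKLM\SYSTEM D:\backup\system.hiv"},
]

def detect_hive_dumps(events, window=timedelta(minutes=10)):
    """Alert when SAM and SYSTEM (the pair needed to decrypt local password
    hashes) are both exported on one host inside the window; record SECURITY
    and any archiver seen in the same window alongside them."""
    by_host = defaultdict(list)
    for e in events:
        m = HIVE_RE.search(e["cmd"])
        if m:
            by_host[e["host"]].append((datetime.fromisoformat(e["time"]), m.group(1).lower()))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for t0, _ in hits:
            t_end = t0 + window
            in_window = {h for t, h in hits if t0 <= t <= t_end}
            if {"sam", "system"} <= in_window:
                archived = any(ARCHIVE_RE.search(e["cmd"]) for e in events
                               if e["host"] == host and t0 <= datetime.fromisoformat(e["time"]) <= t_end)
                alerts.append({"host": host, "first_seen": t0.isoformat(),
                               "hives": sorted(in_window), "archived": archived})
                break
    return alerts

if __name__ == "__main__":
    for a in detect_hive_dumps(SAMPLE_EVENTS):
        print(a)
```

Two practical notes. Windows event 4688 only carries the command line if "Include command line in process creation events" is enabled; Sysmon event 1 records it by default. And the pairing matters: SAM by itself is encrypted with the boot key held in SYSTEM, so a backup job exporting one hive is routine, while the two together followed by an archive step is the pattern to page on.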

Microsoft's report also indicates that APT28 very likely escalated privileges before deploying its key payloads by exploiting CVE-2022-38028 in the Windows Print Spooler service, a vulnerability that was a zero-day at the time.

With the nearest-neighbour technique, APT28 showed that close-access operations, which normally require physical proximity, can be carried out from a distance without the risk of operators being identified or caught. Internet-facing services have gained protections such as multi-factor authentication in recent years, while corporate Wi-Fi networks have largely been left without them.

Improving GPS Technology with Insights from Android Phones

 


Navigation apps that drift off course are often at the mercy of the ionosphere, a region of the Earth's atmosphere roughly 50 to 200 miles overhead. The free electrons in this layer, which under some conditions become very dense, slow GPS signals on their way from satellite to device.

That delay, like traffic on a crowded city street that makes you late for work, is a major source of navigation error. In a paper published in Nature this week, a team of Google researchers showed that GPS measurements collected from millions of anonymized Android devices can be used to map the ionosphere.

A single phone's measurements say little about the ionosphere on their own, but that limitation shrinks when there are millions of other devices to compare against. Using the vast network of Android phones, the researchers mapped the ionosphere with a precision matching or exceeding that of dedicated monitoring stations, and in regions such as India and Central Africa the phone-based technique was far more accurate than the sparse listening stations alone.

The measure of this "ionospheric traffic" is total electron content (TEC), the number of free electrons along the signal's path. TEC is normally measured with satellites and ground stations. Those tools work well, but they are expensive to build and maintain, so they are sparse in developing regions.

Unequal access to monitoring stations leads to unequal accuracy in global ionospheric maps. The Google researchers addressed this by using something more than half the world's population already owns: a mobile phone. In an interview with Popular Science, Google researcher Brian Williams described how ionospheric changes had been hampering GPS accuracy in his work on Android.

Changes in the ionosphere degrade GPS accuracy. Beyond the scientific contribution, he sees the project as a way to deliver better positioning to mobile users day to day. "Rather than considering ionosphere interference with GPS positioning as an obstacle, the right thing to do is to flip the idea and imagine that the GPS receiver is an instrument to measure the ionosphere, not as an obstacle," Williams commented.

He continued: "The ionosphere can be seen in a completely different light by combining the measurements made by millions of phones, as compared to what would otherwise be possible." Android phones, taken together, form a distributed sensor network. Most smartphones contain GPS receivers that measure radio signals from satellites in medium Earth orbit (MEO), about 12,500 miles (20,200 km) above us.

A receiver fixes your position by calculating its distance to several satellites, to an accuracy of roughly 15 feet. The ionosphere disturbs the signals on their way to the ground, and the size of the resulting error varies with the season, the time of day and the distance from the equator, among other factors.

Most phone receivers include a correction model that cuts the estimated error roughly in half. The Google researchers wanted to know whether measurements from the receivers built into Android smartphones, combined across many phones, could reproduce the ionosphere mapping done by far more sophisticated monitoring stations.

Individually, monitoring stations have clear advantages over phones: much larger antennas, and a placement under open sky, whereas a phone is often shadowed by buildings or sitting in a jeans pocket.

Every phone also carries its own measurement bias, which can amount to several microseconds. Yet the sheer number of phones makes up for what each lacks in individual quality. The Android ionosphere maps offer less immediate benefits as well: analysing the Android measurements, the researchers detected a signature of electromagnetic activity matching a pair of powerful solar storms earlier this year.
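The mechanics behind "the GPS receiver as an instrument to measure the ionosphere" can be written down in a few lines. The following is an added example using the standard first-order model (range delay = 40.3 × TEC / f²), not Google's processing; the two-frequency estimate, the 22,000 km sample range and the per-phone biases are my illustration, and the numbers are constructed. It also shows why one phone is a poor instrument but many are a good one: a clock bias common to both frequencies cancels in the difference, a small residual bias on one frequency does not, but averaging over many phones (assumed to have zero-mean residuals) drives it down.

```python
"""How the ionosphere shows up in a GPS pseudorange and how total electron
content (TEC) is recovered from it.  Added example with the standard
first-order model; not the paper's processing.  Numbers are constructed."""
import random

K = 40.3                 # m^3/s^2: first-order ionospheric constant
TECU = 1e16              # electrons per m^2 (1 TEC unit)
F_L1 = 1575.42e6         # Hz, GPS L1 carrier
F_L5 = 1176.45e6         # Hz, GPS L5 carrier
C = 299_792_458.0        # m/s

def range_delay_m(tec_tecu, freq_hz):
    """Extra apparent distance the ionosphere adds at the given frequency."""
    return K * tec_tecu * TECU / freq_hz ** 2

def pseudoranges(true_range_m, tec_tecu, clock_bias_s=0.0):
    """Simulated L1/L5 pseudoranges: true range + ionospheric delay + a receiver
    clock bias that is common to both frequencies."""
    common = true_range_m + clock_bias_s * C
    return (common + range_delay_m(tec_tecu, F_L1), common + range_delay_m(tec_tecu, F_L5))

def tec_from_dual_freq(p1_m, p2_m, f1=F_L1, f2=F_L5):
    """The delay scales as 1/f^2, so differencing two frequencies cancels the
    true range and the clock bias and leaves TEC (in TECU)."""
    return (p2_m - p1_m) * f1 ** 2 * f2 ** 2 / (K * (f1 ** 2 - f2 ** 2)) / TECU

def crowd_tec(true_tecu, n_phones, dcb_sigma_s=2e-9, seed=1):
    """Each simulated phone carries a microsecond-level clock bias (cancels)
    and a nanosecond-level inter-frequency bias on one signal (does not
    cancel; assumed zero-mean across phones).  Returns (first phone's
    estimate, mean over all phones)."""
    rng = random.Random(seed)
    estimates = []
    for _ in range(n_phones):
        p1, p2 = pseudoranges(22_000_000.0, true_tecu, clock_bias_s=rng.uniform(-5e-6, 5e-6))
        p2 += rng.gauss(0.0, dcb_sigma_s) * C      # residual bias on one frequency only
        estimates.append(tec_from_dual_freq(p1, p2))
    return estimates[0], sum(estimates) / n_phones

if __name__ == "__main__":
    print("1 TECU delay at L1: %.3f m, at L5: %.3f m" % (range_delay_m(1, F_L1), range_delay_m(1, F_L5)))
    single, mean = crowd_tec(25.0, 20_000)
    print("true 25.0 TECU; one phone %.1f, crowd mean %.2f" % (single, mean))
```

A 2 ns inter-frequency bias is worth about 0.6 m of differential range, which the formula turns into almost 5 TECU of error for a single phone; averaging 20,000 such phones brings the scatter of the mean down to a few hundredths of a TECU. Real phone biases are not conveniently zero-mean, which is why the actual work involves calibrating them, but the scaling is the point of the example.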

One of those storms hit North America on May 10 and 11, 2024. During peak activity the smartphone measurements over the region showed a clear spike in ionospheric activity followed by a rapid depletion. Monitoring stations also detected that storm, but the study highlights that phone-based measurements in regions without stations could capture solar storms and geomagnetic activity that would otherwise go unnoticed, giving scientists more data to understand these phenomena and to prepare for potentially hazardous events.

According to Williams, the ionosphere maps generated from phone measurements reveal dynamics in certain locations with a level of detail previously unattainable, which should help scientific efforts to understand how geomagnetic storms affect the ionosphere. By integrating data from mobile devices, researchers can bridge the gaps left by traditional monitoring methods and build a more complete picture of the ionosphere's behaviour, improving both atmospheric science and the ability to anticipate and mitigate geomagnetic disturbances.

CISA Issues Alert on Ongoing Exploitation of Palo Alto Networks Bugs

 


A report released by the Cybersecurity and Infrastructure Security Agency, a nonprofit organization that monitors and analyzes threats to the nation's infrastructure, found that Palo Alto Networks' firewall management software was actively exploited in the wild on Thursday. These attacks followed last week's attacks that exploited flaws in similar software. Attackers can exploit the unauthenticated command injection vulnerability (CVE-2024-9463) and the SQL injection vulnerability (CVE-2024-9465) to gain access to unpatched systems running the company's Expedition migration tool. 

This tool allows users to migrate configurations from Checkpoint, Cisco, and other supported vendors to new systems. CVE-2024-9463 is a vulnerability that allows attackers to run arbitrary commands as root on a PAN-OS firewall system, revealing usernames, cleartext passwords, device configurations, and device API keys. Secondly, a second vulnerability can be exploited to gain access to Expedition database contents (including password hashes, usernames, device configurations, and device API keys) and create or read arbitrary files on vulnerable systems by exploiting this vulnerability. 

There is important information in CVE-2024-9474 that could lend itself to a chained attack scenario, potentially resulting in a high level of security breach. It should be noted that Palo Alto Networks has publicly acknowledged the CVE, but has not yet provided detailed technical information on the vulnerability's mechanics. This leaves room for speculation regarding what is causing the vulnerability.

A spokesperson for Palo Alto Networks (PAN) confirmed patches were available to address these security vulnerabilities, and stated the company is "monitoring a limited set of exploit activities" and is working with external researchers, business partners, and customers to share information in a timely fashion. It was reported to CISA that CVE-2024-5910 had been added to the KEV catalog on Nov. 7 but the software vendor had originally disclosed the bug back in July. 

To exploit this vulnerability, there needs to be authentication within the firewall deployment and management software. Without authentication, an administrator account can be taken over by getting access to the network. There is a CVSS score of 9.3 for the vulnerability, and it is also reported to Palo Alto Networks as PAN-SA-2024-0015, as well. As a result, Palo Alto Networks has continuously monitored and worked with customers to identify and minimize the very few PAN-OS devices that have management web interfaces that are exposed to the Internet or other untrusted networks," the company stated in a separate report describing indicators of compromise for attacks that are targeting the vulnerability. 

Although the company claims these zero-days are only impacting a "very small number" of firewalls, threat monitoring platform Shadowserver reported on Friday that it monitors more than 8,700 outside management interfaces for the PAN-OS operating system. A Palo Alto Networks security advisory from early October states, "Several vulnerabilities have been identified in Palo Alto Networks Expedition that allow unauthorized access to the Expedition database and the arbitrary files on the system, as well as the ability to write arbitrary files to temporary storage locations." 

In addition, the advisory stated that the firewall, Panorama, Prisma Access, and Cloud NGFW products are not affected by these vulnerabilities. Even though the two vulnerabilities have been added to CISA's Known Exploited Vulnerabilities Catalog, a binding operational directive (BOD 22-01) has compelled federal agencies to patch Palo Alto Networks Expedition servers on their networks within three weeks, by December 5, to comply with the binding directive. 

Earlier this week, CISA warned about another Expedition security hole that allows threat actors to reset application administrator credentials. That flaw (CVE-2024-5910) was patched in July and has been actively exploited in attacks. In a proof-of-concept exploit released last month, Horizon3.ai researcher Zach Hanley demonstrated that CVE-2024-5910 can be chained with a command injection vulnerability (CVE-2024-9464), patched in October, to execute arbitrary commands on Expedition servers exposed to the Internet.

CVE-2024-9464 is linked to other Expedition vulnerabilities that were also addressed last month, which could be chained to take over firewall administrator accounts on PAN-OS firewalls that have not yet been patched. A fix is available: anyone concerned about exploitation should upgrade the Expedition tool to version 1.2.96 or later.

Palo Alto Networks recommends that users who cannot install the Expedition patch immediately restrict network access to Expedition to approved hosts and networks. When a vulnerability is added to KEV, it not only signals that the vulnerability is being exploited but also sets a deadline by which federal agencies must patch it or stop using the flawed product entirely.

That deadline is usually 21 days from the date the bug is added to the catalog. CVE-2024-5910, recently added to KEV, is described as a missing-authentication bug exploitable by attackers who already have access to the network. It affects Palo Alto Networks Expedition, a tool designed to simplify and automate the use of Palo Alto Networks' next-generation firewalls by optimizing the security policies applied to them. Besides easing migration from legacy firewall configurations to Palo Alto Networks' security platforms, the tool helps users reduce errors and manual effort.

The Palo Alto Networks (PAN) management interface has recently been redesigned to provide a more secure experience for users. A report claiming an unverified remote code execution vulnerability via the PAN-OS management interface prompted the company to release an information bulletin. Those interested in hardening network devices are urged to review PCA's recommendations on the subject and PCA's instructions for obtaining scan results for an organization's internet-facing management interfaces.

Cyberattack Impacts Georgia Hospital, Colorado Pathology Services

The number of hospitals affected by ransomware, business email compromise, and other cyber threats is rising across all sectors, from small community hospitals such as Memorial Hospital and Manor in Bainbridge, Georgia, to large facilities. In his opening keynote at the HIMSS Healthcare Cybersecurity Forum last week in Washington, D.C., Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, said the American health care system now sees an average of two data breaches every day.

People who work in hospitals and health systems are frequent targets of cyber threat actors exploiting basic weaknesses in their systems. Illustrating this type of breach, Kaiser Permanente, one of the country's largest health systems, said it sent a notice Sunday to individuals in Southern California whose personal health data had been compromised through unauthorized access to two employee email accounts.

Attackers can also be skilled at exploiting their victims' weaknesses, pairing sophisticated social engineering with phishing attacks. In a cyber exploit first discovered earlier this month, Summit Pathology, an independent pathology service provider based in Colorado, had patient data associated with more than 1.8 million people exfiltrated from its systems.

In its report, Kaiser Permanente said an unauthorized third party gained access to the email accounts of two employees and was able to view patients' health information. Across the U.S., ransomware, business email compromise, and other cyber threats are disrupting care for millions of people, from small community hospitals such as Memorial Hospital and Manor in Bainbridge, Georgia, to the largest providers.

A recent study by the Health Sector Coordinating Council Cybersecurity Working Group found that the United States sees two data breaches per day on average, Greg Garcia, executive director of the ASHC Cybersecurity Working Group, said in his opening address at the HIMSS Healthcare Cybersecurity Forum, held in Washington, DC, last week. In many cases, cybercriminals target people who work in hospitals and health systems in order to exploit weaknesses in those systems. On Friday, a health system in Southern California posted a notice informing its members of a health information security issue discovered on September 3.

The notice on the company's website advised that two employees' email accounts had been accessed by an unauthorized party. "Immediately following the discovery of this incident, Kaiser Permanente terminated the unauthorized access and immediately began investigating to determine the scope of the access," Kaiser Permanente said. "It was found that some protected health information about some patients was included in the email's contents after we validated them."

According to the health system, Social Security numbers and financial information were not involved, but protected health information, such as first and last names, dates of birth, medical record numbers, and medical information, could have been accessed and/or viewed by third parties. Kaiser Permanente said it contacted affected individuals directly. Separately, on October 18, Summit Pathology of Loveland, Colorado, reported to the Department of Health and Human Services (HHS) that the data of 1,813,538 individuals had been compromised in a hacking incident.

As outlined in the pathology services company's notice on its website, the affected systems contained data such as names, addresses, medical billing and insurance information, certain medical information such as diagnoses, demographic information such as dates of birth, Social Security numbers, and financial information. Summit said that on or around April 18 it noticed suspicious activity on its computer network and took steps to secure it, including engaging third parties to assist in the investigation.

The company reported that it identified the files that unauthorized individuals may have accessed or acquired during the ransomware attack. In response, Summit conducted a thorough review of its internal policies and procedures and then implemented additional administrative and technical safeguards to strengthen security and reduce the risk of future attacks.

On October 31, the Murphy Law Firm, based in Oklahoma City, announced its involvement in the case, stating that it is pursuing a class action lawsuit and actively investigating claims related to the breach. According to the firm, Summit's forensic investigation revealed that cybercriminals infiltrated the organization's inadequately secured network and gained unauthorized access to sensitive data files. The law firm is seeking to hold Summit accountable for the data security lapses that may have enabled the breach.