Healthcare Sector
- Recently Spotted Trinity Ransomware Spurs Federal Warning To Healthcare Industry
"At least one U.S. healthcare entity has fallen victim to a new ransomware strain called Trinity, according to a report from federal officials. The U.S. Department of Health and Human Services published an advisory on Friday warning hospitals of the threat posed by the ransomware group, noting that its tactics and techniques make it “a significant threat” to the U.S. healthcare and public health sector. The department’s Health Sector Cybersecurity Coordination Center “is aware of at least one healthcare entity in the United States that has fallen victim to Trinity ransomware recently,” officials said. The advisory said the ransomware was first spotted around May 2024."
https://therecord.media/trinity-ransomware-alert-healthcare-industry-hhs-cyber-center
https://www.hhs.gov/sites/default/files/trinity-ransomware-threat-actor-profile.pdf
https://www.bankinfosecurity.com/feds-warn-health-sector-new-trinity-ransomware-threats-a-26468
Industrial Sector
- Ransomware Hits Critical Infrastructure Hard, Costs Adding Up
"The financial impact of a cyberattack targeting a cyber-physical system (CPS) can reach up to $1 million, as affected organizations struggle with revenue loss, recovery costs, and employee overtime. According to a new Claroty survey of 1,100 security professionals involved in OT, IoT, BMS, and IoMT (connected medical devices), about 45% of organizations suffered losses of $500,000 or more over the past year, while 27% disclosed losses of $1 million or more. More than half of the respondents in the chemical manufacturing, power and energy, and mining and materials sectors have reported losses greater than $500,000 caused by cyber incidents over the past 12 months, Claroty’s latest Global State of CPS Security report (PDF) shows."
https://www.securityweek.com/ransomware-hits-critical-infrastructure-hard-costs-adding-up/
https://web-assets.claroty.com/resource-downloads/cps-survey-business-disruptions.pdf
New Tooling
- Rspamd: Open-Source Spam Filtering System
"Rspamd is an open-source spam filtering and email processing framework designed to evaluate messages based on a wide range of rules, including regular expressions, statistical analysis, and integrations with custom services like URL blacklists."
https://www.helpnetsecurity.com/2024/10/07/rspamd-open-source-spam-filtering/
https://github.com/rspamd/rspamd
Vulnerabilities
- Critical Apache Avro SDK Flaw Allows Remote Code Execution In Java Applications
"A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances. The flaw, tracked as CVE-2024-47561, impacts all versions of the software prior to 1.11.4. "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code," the project maintainers said in an advisory released last week. "Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.""
https://thehackernews.com/2024/10/critical-apache-avro-sdk-flaw-allows.html
https://securityaffairs.com/169469/security/apache-avro-java-sdk-critical-flaw.html - Qualcomm Patches High-Severity Zero-Day Exploited In Attacks
"Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets. The security flaw (CVE-2024-43047) was reported by Google Project Zero's Seth Jenkins and Amnesty International Security Lab's Conghui Wang, and it is caused by a use-after-free weakness that can lead to memory corruption when successfully exploited by local attackers with low privileges."
https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/
https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2024-bulletin.html - Okta Tells Users To Check For Potential Exploitation Of Newly Patched Vulnerability
"Identity and access management solutions provider Okta has resolved a vulnerability that could have allowed attackers to bypass sign-on policies and gain access to applications. The issue, Okta says in a security advisory, was introduced on July 17 and only affects Okta Classic users, under certain conditions. “On September 27, 2024, a vulnerability was identified in specific Okta configurations whereby an attacker with valid credentials could bypass configured conditions within application-specific sign-on policies,” the company said."
https://www.securityweek.com/okta-tells-users-to-check-for-potential-exploitation-of-newly-patched-vulnerability/
https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/
https://hackread.com/okta-fixes-sign-on-policy-bypass-vulnerability/
Malware
- Russian State Media Company Operation Disrupted By ‘unprecedented’ Cyberattack
"Russian state television and radio broadcasting company VGTRK was hit by a cyberattack on Monday that disrupted its operations, the company confirmed in a statement to local news agencies. While a VGTRK spokesperson initially downplayed the impact of the attack, claiming it did not cause significant damage, local media reported that the broadcast of several television channels owned by VGTRK, including Russia 1 and Russia 24, was cut off mid-program and resumed nearly an hour later. An anonymous source at the company told the Russian media outlet Gazeta.ru that the hackers erased data from the company's servers, including backups. Recorded Future News could not independently verify this information."
https://therecord.media/russian-state-media-company-disrupted-cyberattack
https://cyberscoop.com/russian-media-cyberattack-ukraine-courts-putin-birthday/
https://securityaffairs.com/169486/cyber-warfare-2/kyivs-hackers-hit-russian-state-media.html - Over 300,000! GorillaBot: The New King Of DDoS Attacks
"In September 2024, NSFOCUS Global Threat Hunting System monitored a new botnet family calling itself Gorilla Botnet entering an unusually active state. Between September 4 and September 27, it issued over 300,000 attack commands, with a shocking attack density. During this active period, Gorilla Botnet targeted over 100 countries, with China and the U.S. being the hardest hit. Targets included universities, government websites, telecoms, banks, gaming, and gambling sectors."
https://nsfocusglobal.com/over-300000-gorillabot-the-new-king-of-ddos-attacks/
https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.html
https://www.darkreading.com/cyberattacks-data-breaches/gorillabot-goes-ape-cyberattacks-worldwide - Large Scale Google Ads Campaign Targets Utility Software
"After what seemed like a long hiatus, we’ve observed threat actors returning to malvertising to drop malware disguised as software downloads. The campaign we identified is high-impact, going after utility software such as Slack, Notion, Calendly, Odoo, Basecamp, and others. For this blog, we decided to focus on the Mac version of communication tool Slack. Following the creation of advertiser identities belonging to real businesses, the threat actors launch their malicious ads, hiding their infrastructure behind several layers of fingerprinting and cloaking."
https://www.malwarebytes.com/blog/news/2024/10/large-scale-google-ads-campaign-targets-utility-software - Awaken Likho Is Awake: New Techniques Of An APT Group
"In July 2021, a campaign was launched primarily targeting Russian government agencies and industrial enterprises. Shortly after the campaign started, we began tracking it, and published three reports in August and September 2024 through our threat research subscription on the threat actor we named Awaken Likho (also named by other vendors as Core Werewolf)."
https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/ - Mind The (air) Gap: GoldenJackal Gooses Government Guardrails
"ESET researchers discovered a series of attacks on a governmental organization in Europe using tools capable of targeting air-gapped systems. The campaign, which we attribute to GoldenJackal, a cyberespionage APT group that targets government and diplomatic entities, took place from May 2022 to March 2024. By analyzing the toolset deployed by the group, we were able to identify an attack GoldenJackal carried out earlier, in 2019, against a South Asian embassy in Belarus that, yet again, targeted the embassy’s air-gapped systems with custom tools."
https://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails/
https://www.infosecurity-magazine.com/news/goldenjackal-exploits-air-gapped/
Breaches/Hacks/Leaks
- American Water Shuts Down Online Services After Cyberattack
"American Water, the largest publicly traded U.S. water and wastewater utility company, was forced to shut down some of its systems after a Thursday cyberattack. In a filing with the U.S. Securities and Exchange Commission (SEC), American Water said it has already hired third-party cybersecurity experts to help contain and assess the incident's impact. It also reported the breach to law enforcement and is now coordinating their efforts in a joint and ongoing investigation. "The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems," the 8-K regulatory filing reads."
https://www.bleepingcomputer.com/news/security/american-water-shuts-down-online-services-after-cyberattack/
https://therecord.media/american-water-works-cyberattack-utility
https://cyberscoop.com/american-water-works-cyber-ransomware/
https://www.theregister.com/2024/10/07/american_water_hack/
https://hackread.com/american-water-cyberattack-shuts-down-portal-billing/ - ADT Discloses Second Breach In 2 Months, Hacked Via Stolen Credentials
"Home and small business security company ADT disclosed it suffered a breach after threat actors gained access to its systems using stolen credentials and exfiltrated employee account data. ADT is a public American company that specializes in security and smart home solutions for residential and small business customers. The firm employs over 14,000 people and has an annual revenue of $4.98 billion. In a Monday evening FORM 8-K filing filed with the SEC, the company says that credentials were stolen from a third-party business partner that allowed threat actors to breach ADT's systems."
https://www.bleepingcomputer.com/news/security/adt-discloses-second-breach-in-2-months-hacked-via-stolen-credentials/ - LEGO's Website Hacked To Push Cryptocurrency Scam
"On Friday night, cryptocurrency scammers briefly hacked the LEGO website to promote a fake Lego token that could be purchased with Ethereum. During the breach, the hacker replaced the main banner for the official LEGO website with an image showing crypto tokens branded with the "LEGO" logo and text stating, "Our new LEGO Coin is officially out! Buy the new LEGO Coin today and unlock secret rewards!" According to LEGO Reddit moderator "mescad," the breach took place at 9 PM EST and lasted approximately 75 minutes until 10:15 PM ET, when the site was restored."
https://www.bleepingcomputer.com/news/security/legos-website-hacked-to-push-cryptocurrency-scam/ - Universal Music Group Admits Data Breach
"Universal Music Group (UMG), one of the world’s largest music corporations, has disclosed a data breach that occurred in mid-July 2024. According to a filing with the Maine Attorney General’s Office, the breach may have exposed the personal information of 680 US residents. In the filing, UMG said it detected unauthorized activity in one of its internal applications on July 15, prompting an immediate investigation involving third-party cybersecurity experts."
https://www.infosecurity-magazine.com/news/umg-data-breach-680-us-residents/
https://www.securityweek.com/personal-information-compromised-in-universal-music-data-breach/
https://securityaffairs.com/169502/data-breach/universal-music-group-data-breach.html
General News
- The Case For Enterprise Exposure Management
"For several years, external attack surface management (EASM) has been an important focus for many security organizations and the vendors that serve them. EASM, attempting to discover the full extent of an organization’s external attack surface and remediate issues, had broad purview, targeting software vulnerabilities, misconfigurations and neglected shadow IT assets from the outside-in. The focus on greater attack surface visibility and external asset awareness resonated with CISOs, CIOs and practitioners alike."
https://www.helpnetsecurity.com/2024/10/07/exposure-management-em/ - Transforming Cloud Security With Real-Time Visibility
"In this Help Net Security interview, Amiram Shachar, CEO at Upwind, discusses the complexities of cloud security in hybrid and multi-cloud environments. He outlines the need for deep visibility into configurations and real-time insights to achieve a balance between agility and security. Shachar also shares strategies for addressing misconfigurations and ensuring compliance, recommending a proactive approach to risk management in cloud deployments."
https://www.helpnetsecurity.com/2024/10/07/amiram-shachar-upwind-cloud-security-failures/ - SOC Teams Are Frustrated With Their Security Tools
"Security operations center (SOC) practitioners believe they are losing the battle detecting and prioritizing real threats – due to too many siloed tools and a lack of accurate attack signal, according to Vectra AI. They cite a growing distrust in vendors, believing their tools can be more of a hindrance than help in spotting real attacks. This is at odds with growing confidence in their teams’ abilities and a sense of optimism around the promise of AI."
https://www.helpnetsecurity.com/2024/10/07/soc-teams-security-tools-problems/ - Meet The Shared Responsibility Model With New CIS Resources
"You can’t fulfill your end of the shared responsibility model if you don’t emphasize secure configurations. Depending on the cloud services you’re using, you’re responsible for configuring different things. Once you figure out those responsibilities, you then need to perform the hardening."
https://www.helpnetsecurity.com/2024/10/07/cis-shared-responsibility-model/ - Ukrainian Pleads Guilty To Operating Raccoon Stealer Malware
"Ukrainian national Mark Sokolovsky has pleaded guilty to his involvement in the Raccoon Stealer malware cybercrime operation. Sokolovsky and his conspirators distributed Raccoon Stealer under a MaaS (malware-as-a-service) model, allowing threat actors to rent it for $75 per week or $200 monthly. The malware steals a wide range of information from infected devices, including stored browser credentials and information, cryptocurrency wallets, credit card details, email data, and other types of sensitive data from dozens of applications."
https://www.bleepingcomputer.com/news/security/ukrainian-pleads-guilty-to-operating-raccoon-stealer-malware/
https://www.bankinfosecurity.com/ukrainian-pleads-guilty-for-role-in-raccoon-stealer-malware-a-26474 - Board-CISO Mismatch On Cyber Responsibility, NCSC Research Finds
"New research conducted by the UK’s National Cyber Security Centre (NCSC) has found that 80% of board members and security leaders are unsure of where accountability for cyber resides. The government cyber agency said that its research found that in many organizations CISOs thought the board was accountable, whilst the board believe it to be the CISO or equivalent role. The research included interviews with board members, CISOs and other cybersecurity leaders in medium to large organizations and was conducted by research specialists, Social Machines."
https://www.infosecurity-magazine.com/news/boardciso-mismatch-on-cyber/ - Vulnerable APIs And Bot Attacks Costing Businesses Up To $186 Billion Annually
"Organizations are losing between $94 - $186 billion annually to vulnerable or insecure APIs (Application Programming Interfaces) and automated abuse by bots. That's according to The Economic Impact of API and Bot Attacks report from Imperva, a Thales company. The report highlights that these security threats account for up to 11.8% of global cyber events and losses, emphasizing the escalating risks they pose to businesses worldwide."
https://thehackernews.com/2024/10/vulnerable-apis-and-bot-attacks-costing.html
https://www.imperva.com/resources/resource-library/reports/the-economic-impact-of-api-and-bot-attacks/ - MFA Isn’t Failing, But It’s Not Succeeding: Why a Trusted Security Tool Still Falls Short
"To say that multi-factor authentication (MFA) is a failure is too extreme. But we cannot say it is successful – that much is empirically obvious. The important question is: Why? MFA is universally recommended and often required. CISA says, “Adopting MFA is a simple way to protect your organization and can prevent a significant number of account compromise attacks.” NIST SP 800-63-3 requires MFA for systems at Authentication Assurance Levels (AAL) 2 and 3."
https://www.securityweek.com/mfa-isnt-failing-but-its-not-succeeding-why-a-trusted-security-tool-still-falls-short/ - Billion-Dollar Cyberfraud Industry Expands In Southeast Asia As Criminals Adopt New Technologies
"A new report launched today has found that Asian crime syndicates have integrated new service-based business models and technologies including malware, generative artificial intelligence (AI), and deepfakes into their operations while establishing new underground markets and cryptocurrency solutions for their money laundering needs. The report, titled Transnational Organized Crime and the Convergence of Cyber-Enabled Fraud, Underground Banking, and Technological Innovation: A Shifting Threat Landscape, is the second in a series of ongoing threat analyses produced by the UN Office on Drugs and Crime (UNODC)."
https://www.unodc.org/roseap/en/2024/10/cyberfraud-industry-expands-southeast-asia/story.html
https://therecord.media/southeast-asian-cyber-fraud-outpaces-crackdown-efforts-united-nations - Feds Reach For Sliver Of Crypto-Cash Nicked By North Korea's Notorious Lazarus Group
"The US government is attempting to claw back more than $2.67 million stolen by North Korea's Lazarus Group, filing two lawsuits to force the forfeiture of millions in Tether and Bitcoin. The first lawsuit stems from the 2022 Deribit hack, during which the North Korean criminals drained about $28 million from the crypto exchange's hot wallet. The crooks then laundered the funds through virtual currency exchanges, the Tornado Cash mixer and virtual currency bridges in an attempt to cover their tracks."
https://www.theregister.com/2024/10/08/us_lazarus_group_crypto_seizure/
อ้างอิง
Electronic Transactions Development Agency(ETDA)