Cyber Watch – May 17, 2024


Welcome to our Cyber Watch series for today, Friday 17th May, 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.  

This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.

Global Study Reveals Widespread Consumer Concerns over Deepfakes and AI Scams

A comprehensive global consumer research study conducted by Jumio has shed light on prevalent concerns and attitudes surrounding generative AI and deepfakes. The study, which surveyed 8,000 adult consumers across the United States, the United Kingdom, Singapore, and Mexico, revealed that 72% of respondents harbor daily worries about falling victim to scams involving deepfakes, where their money or sensitive information could be compromised.

The findings further highlight the pervasiveness of deepfake content, with 60% of consumers reporting encountering deepfake videos within the past year, while only 15% stated they had never experienced such content. Interestingly, a significant portion of respondents (60%) believed they could detect a deepfake if presented with one.

Amidst these concerns, there is a growing sentiment among consumers for increased government regulation of AI to mitigate the risks associated with deepfakes, with 60% of respondents advocating for such measures. Notably, more than 70% of participants were willing to spend additional time verifying identification if it improves security measures against deepfake-related scams. 

Dell Warns Customers of Data Breach Exposing Names, Addresses, and Order Details

Dell has issued a warning to its customers, informing them of a recent cybersecurity incident that may have compromised their personal information. According to the tech giant, a threat actor known as Menelik gained unauthorized access to a Dell database containing customer records, potentially exposing names, physical addresses, and specific order details.

The breach came to light when Menelik made a post on the cybercrime site BreachForums, claiming to have access to 49 million customer records from Dell servers. While Dell has not confirmed the validity of this claim, some customers have reported receiving notification emails from the company, alerting them to the potential exposure of their name, address, and order information, including details about Dell hardware purchases.

In its statement, Dell acknowledged the incident, stating that it did not involve financial or payment information, email addresses, telephone numbers, or highly sensitive customer data. However, the company recognized the risks associated with the exposed information, such as potential identity theft, fraud, and address-related scams.

Nissan Discloses Data Breach Affecting Over 53,000 Employees After Ransomware Attack

Nissan North America (NNA) has revealed a significant data breach affecting over 53,000 of its current and former employees after falling victim to a targeted ransomware attack in late 2023. The Japanese automaker disclosed that the threat actor gained unauthorized access to its systems, potentially compromising employees’ personal information, including names and Social Security numbers.

According to a data breach notification filed with the Office of the Maine Attorney General, the incident occurred when a ransomware actor infiltrated Nissan’s external VPN and shut down some of its systems, demanding a ransom payment. While Nissan successfully remediated the attack with the assistance of cybersecurity professionals and law enforcement, the investigation revealed that the attacker had accessed data from various network shares.

Notably, the threat actor did not encrypt any data or render Nissan’s systems inoperable, deviating from traditional ransomware tactics. However, the accessed data included sensitive personal information of 53,038 current and former NNA employees, raising concerns about potential identity theft and follow-up social engineering attacks.

Again! FBI Takes Down Notorious BreachForums Data Leak Site

The FBI has successfully taken over the infamous data leak site, BreachForums. This move represents a substantial blow to the underground ecosystem facilitating the trade of stolen data and illegal activities on the dark web.

BreachForums, which emerged in March 2022 as a successor to the notorious RaidForums, quickly established itself as a hub for hackers and cybercriminals seeking to buy and sell compromised data. The site’s prominence grew further after the arrest of its alleged operator, “Pompompurin,” in New York in March 2023.

Following Pompompurin’s arrest, a new administrator, known as “Baphomet,” took over the reins of BreachForums, vowing to keep the platform operational. However, in a surprising turn of events, the site and its associated Telegram channel have been seized by law enforcement agencies.

Official messages on the Telegram channel, sent on behalf of Baphomet, indicate that authorities have gained control over the platform, effectively dismantling a major hub for the trade of stolen data and other illicit activities.

PDF Exploit Targets Foxit Reader Users with Malicious Payloads

A critical security flaw in Foxit Reader is being actively exploited by multiple threat actors, allowing them to deliver malicious payloads through crafted PDF files, according to findings by Check Point Research. The exploit takes advantage of the “flawed design of warning messages” in Foxit Reader, tricking unsuspecting users into executing harmful commands.

When an altered PDF file is opened, the exploit triggers a security warning. If the user proceeds with the default options, which are the most harmful, the exploit downloads and executes a payload from a remote server without raising further suspicion.

The researchers warn that the low detection rate of this exploit enables its distribution through unconventional channels, such as social media platforms like Facebook, evading traditional security measures.

The impact of this exploit is far-reaching, with threat actors leveraging it for various nefarious purposes, including espionage campaigns, e-crime, and delivering prominent malware families like VenomRAT, Agent-Tesla, and Remcos, among others. In some cases, the exploit has been used to achieve impressive attack chains, including bypassing Two-Factor Authentication (2FA) on targeted devices.

Check Point Research has obtained multiple builders used by actors to create these malicious PDF files, with many executing PowerShell commands to download and execute payloads from remote servers.
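As an added defensive illustration (not Check Point's tooling or anything from the original story), the Python routine below triages PDFs for the pattern described above: an auto-run /OpenAction or /Launch entry that hands a command to PowerShell. Both PDF samples are constructed here and the PowerShell arguments are a placeholder, not a real payload.

```python
import re

# Constructed sample PDFs (not real malware). The first is a plain one-page
# document; the second declares an /OpenAction pointing at a /Launch action
# whose target is PowerShell, with placeholder arguments.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (powershell) /P (PLACEHOLDER_ARGS) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def find_launch_actions(pdf_bytes: bytes) -> list:
    """Return the bodies of PDF objects that declare a /Launch action.

    Only uncompressed objects are inspected; objects packed into object
    streams would need to be inflated first.
    """
    objs = re.findall(rb"\d+\s+\d+\s+obj(.*?)endobj", pdf_bytes, re.S)
    return [o for o in objs if re.search(rb"/S\s*/Launch\b", o)]


def triage_pdf(pdf_bytes: bytes) -> dict:
    """Flag a PDF whose launch action targets PowerShell or a shell."""
    launches = find_launch_actions(pdf_bytes)
    has_open_action = re.search(rb"/OpenAction\b", pdf_bytes) is not None
    shell_refs = [o for o in launches
                  if re.search(rb"(?i)powershell|cmd(\.exe)?\b", o)]
    suspicious = bool(shell_refs) or (bool(launches) and has_open_action)
    return {
        "launch_actions": len(launches),
        "open_action": has_open_action,
        "shell_launch": bool(shell_refs),
        "verdict": "suspicious" if suspicious else "clean",
    }


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, triage_pdf(sample))
```

A hit on this check is a reason to quarantine the file for analysis, not proof of the Foxit exploit; benign documents rarely carry a /Launch action at all.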

US, UK, Australia Name Russian National as LockBit Ransomware Gang Leader

Law enforcement agencies from the U.S., U.K., and Australia have identified Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the notorious LockBit ransomware gang, responsible for extorting over $500 million from victims worldwide. Khoroshev faces numerous charges and potential imprisonment if apprehended.

Elsewhere, WIRED interviewed a representative of the pro-Kremlin hacker group Cyber Army of Russia, known for targeting water utilities and having ties to the infamous Sandworm unit. The interview provided insights into their motivations and tactics, albeit laced with Russian propaganda.

Raising privacy concerns, a deputy FBI director urged employees to continue using a foreign surveillance database to search for communications of U.S. persons without a warrant, defying calls for reform from civil liberty advocates.

Wichita Ransomware Attack Exposes Personal Data, Including Social Security Numbers

The City of Wichita, Kansas has disclosed that files containing sensitive personal information were stolen by ransomware attackers in the early May cyberattack that disrupted several city systems. The stolen data includes names, Social Security numbers, driver’s licenses or state ID numbers, and payment card information found in law enforcement incidents and traffic records.

The ransomware incident initially came to light on May 5th when the city shut down certain systems to contain the file-encrypting malware’s spread. While first responder operations continued through contingency measures, several online services and payment systems were impacted and remain down.

Wichita revealed that the initial network access was gained by exploiting a recently disclosed vulnerability affecting organizations globally, though specifics were not provided. City technicians have been working urgently to mitigate the issue and recover impacted systems, while also coordinating with law enforcement for further investigation.

Researchers Find Vulnerabilities in GE Healthcare Ultrasound Devices Exposing Patient Data

Security researchers at Nozomi Networks have identified nearly a dozen vulnerabilities in some GE Healthcare ultrasound products that could allow threat actors with physical access to implant ransomware or access and manipulate sensitive patient data stored on the affected devices.

The 11 vulnerabilities, ranging in severity, affect various ultrasound systems and software like the Vivid T9 ultrasound system, its pre-installed Common Service Desktop web app, and related EchoPAC software. Flaws include the use of hard-coded credentials, missing encryption of sensitive data, protection mechanism failures, excessive privileges, path traversal issues, and more.

Nozomi reported that a malicious USB drive could potentially be used to automate an attack chain, including ransomware deployment, on vulnerable devices if physically accessed.

While GE Healthcare downplayed the findings citing existing risk mitigations, the researchers warn of severe consequences – delayed medical procedures, inaccurate diagnoses, unauthorized data access, and potential patient harm.

GE acknowledged the vulnerabilities allow command injection and path traversal risks through physical device access but states residual risks are acceptable with proper controls.

GlobalPlatform Unveils Secure Channel to Enhance IoT Device Management

GlobalPlatform has released a new Secure Channel Protocol designed to bolster security and enable remote management capabilities for low-power, constrained IoT devices operating on narrowband networks.

The protocol promises to accelerate robust end-to-end security adoption across the IoT landscape while simplifying device management, supporting regulatory compliance, and promoting sustainability through reduced energy consumption. It addresses a key challenge faced by the proliferating IoT device market – the inability to remotely update or patch constrained NarrowBand IoT (NB-IoT) devices lacking SMS support.

By incorporating optimized protocols like UDP for faster data transmission, CoAP for minimized packet sizes, and DTLS for end-to-end security tailored to constrained environments, the new Secure Channel Protocol aims to benefit a diverse range of IoT use cases. 

These include single-charge battery devices like emergency buttons and trackers, smart meters, automotive applications enhancing in-vehicle connectivity, and smart city services enabling sustainable urban automation.

Ebury Botnet Compromised Over 400,000 Linux Servers for Financial Gain

A malicious botnet called Ebury, active since 2009, is estimated to have compromised over 400,000 Linux servers globally, with more than 100,000 still compromised as of late 2023. Cybersecurity researchers at ESET characterize Ebury as one of the most advanced server-side malware campaigns aimed at financial gain.

The Ebury operators pursue various monetization activities, including spreading spam, redirecting web traffic, stealing credentials, and conducting cryptocurrency heists through man-in-the-middle attacks. They also engage in credit card theft by eavesdropping on network traffic, a technique known as server-side web skimming.

In 2017, a Russian national named Maxim Senakh was sentenced to nearly four years in prison in the U.S. for his role in developing and maintaining the Ebury botnet malware used for click-fraud and spam email schemes that fraudulently generated millions in revenue.

ESET’s analysis reveals the attackers employ various techniques to deliver Ebury, such as stealing SSH credentials, credential stuffing, infiltrating hosting provider infrastructure, exploiting vulnerabilities like CVE-2021-45467 in Control Web Panels, and conducting SSH man-in-the-middle attacks.

That’s all for today. Stay tuned for our next episode. See you next week!
