Welcome to the Cyber Watch series for today, Friday 31st May 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.
RedTail Malware Evolves with Palo Alto Exploit, Advanced Crypto-Mining Tactics
The perpetrators behind the RedTail cryptocurrency mining malware have demonstrated an alarming level of sophistication, integrating a critical Palo Alto Networks firewall vulnerability into their ever-expanding exploit arsenal. This strategic move has been accompanied by updates that arm the malware with advanced anti-analysis techniques, further solidifying its potency.
According to findings from web security experts at Akamai, the attackers have deployed the recently disclosed CVE-2024-3400 flaw, granting them the ability to achieve unauthenticated remote code execution on vulnerable Palo Alto firewalls. This initial foothold paves the way for the deployment of a malicious bash script, ultimately leading to the delivery of the RedTail payload tailored to the target’s CPU architecture.
Notably, the latest iteration of RedTail incorporates an encrypted mining configuration to launch the embedded XMRig miner, eschewing the use of a cryptocurrency wallet – a tactic that researchers suggest may indicate a shift toward leveraging private mining pools for greater control and financial gain.
NIST Awards Contract to Clear National Vulnerability Database Backlog
The National Institute of Standards and Technology (NIST) has awarded a new contract to an outside vendor. This key development is expected to bolster the processing of security flaws added to the critical National Vulnerability Database (NVD).
NIST announced on Wednesday that the undisclosed contractor will provide “additional processing support” for incoming Common Vulnerabilities and Exposures (CVEs) submitted to the NVD. The agency expressed confidence that this supplementary support will enable a return to pre-February 2024 processing rates within the next few months.
The vulnerability backlog has been a pressing concern for government officials, cybersecurity experts, and defenders since NIST announced cutbacks in February due to increased vulnerability volume and changes in interagency support. NIST is collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) to clear the backlog by the end of the fiscal year on September 30th.
Online Services Disrupted at Seattle Public Library as Ransomware Attack Looms
The Seattle Public Library is working to restore its online services after falling prey to a ransomware attack over the Memorial Day weekend. The cybersecurity incident, identified on May 25th, has disrupted access to a range of digital resources, including the online catalog, e-book and audiobook platforms, public computers, and in-building Wi-Fi.
In a statement, the library acknowledged the attack’s impact, stating, “This disruption began impacting access to staff and public computers, our online catalog and loaning system, e-books and e-audiobooks, in-building Wi-Fi, and our website.” The attack struck just a day before planned maintenance, catching the institution off guard.
While physical locations remain open for visitors to check out materials, the library’s ability to process returns and new arrivals has been hampered, leading to anticipated longer wait times as staff manages the backlog manually.
Brazilian Church Software Firm inChurch Leaks Data of 932,000 Members
inChurch, a software development company providing services to over 5,000 churches in Brazil and 45,000 worldwide, has suffered a massive data breach exposing the sensitive personal information of 932,000 church members. Cybersecurity researchers discovered an open Google Cloud Storage bucket belonging to the company, which contained 9.2 million files, including a database backup and Microsoft Excel files with member data.
The leaked data includes highly sensitive personal details such as full names, email addresses, home addresses, dates of birth, social security numbers, marital status, occupation, education, nationality, and information about baptisms and churches attended.
The exposure of such a vast trove of personal data poses significant risks, as cybercriminals could exploit it for targeted phishing attacks, identity theft, unauthorized account access, and doxxing (malicious publication of private information).
Global Botnet Behind $5.9B Covid Fraud Dismantled, Chinese National Charged
The U.S. Department of Justice (DOJ), partnering with the FBI and international law enforcement agencies, has succeeded in shutting down a global malware network responsible for stealing $5.9 billion in COVID-19 relief funds and other heinous crimes. At the center of this operation is 35-year-old Chinese national YunHe Wang, who faces a maximum of 65 years in prison for allegedly operating the “911 S5” botnet, likely the world’s largest ever.
From 2014 to 2022, Wang’s botnet compromised over 19 million IP addresses across nearly 200 countries, including 614,000 in the United States alone. Leveraging this vast network of hacked devices, Wang sold access to cybercriminals, amassing at least $99 million used to fund a lavish lifestyle with luxury cars, watches, and properties worldwide.
Beyond the staggering theft of pandemic relief funds, the 911 S5 botnet was a hub for a range of nefarious activities, including fraud, stalking, harassment, illegal exports, and even child exploitation. Notably, it enabled approximately 560,000 fraudulent unemployment insurance claims, highlighting the ever-evolving cyber threats facing crucial government programs.
Hackers Weaponize Microsoft Office to Deploy Malware in Businesses
Cybersecurity researchers at Cofense have uncovered a disturbing trend – the active weaponization of Microsoft Office documents by hackers to deploy malware in business environments. These malicious files, disguised as innocuous reports, essays, or resumes, exploit the powerful scripting capabilities of Office applications, transforming them into formidable cyber weapons.
The tactics employed by these threat actors are as cunning as they are diverse. Seemingly harmless links or QR codes embedded within the documents can serve as attack vectors, exploiting vulnerabilities to bypass security controls. Even more insidious are the malicious macros lurking within the Visual Basic for Applications (VBA) code, automatically executing upon file opening to deliver their malware payloads.
Spreading these malicious documents through spoofed brand emails and cloud-sharing services, the hackers employ social engineering tactics to lure unsuspecting victims. Phishing pages masquerading as legitimate Microsoft login portals further compound the deception, harvesting credentials from the unwary.
Internet Archive Battles Sustained DDoS Attacks, Access Disrupted
The Internet Archive, a vital non-profit digital library preserving millions of historical documents and websites, is under siege from sustained distributed denial-of-service (DDoS) attacks, leading to intermittent service disruptions since May 26th.
The attacks have inundated the Archive’s systems with tens of thousands of fake information requests per second, temporarily crippling access to invaluable resources like the Wayback Machine, which chronicles over 866 billion web pages.
Brewster Kahle, the Archive’s founder and digital librarian, apologized for the disruptions while underscoring the highly targeted and adaptive nature of these malicious attacks. In a statement, he vowed that the organization, with support from others, is fortifying its defenses to restore reliable access to this priceless digital repository.
Sensitive Data Sharing with AI Tools Soars as “Shadow AI” Use Spreads
The meteoric rise of AI adoption in the workplace is bringing a host of new cybersecurity risks, according to a disturbing report from Cyberhaven. The “AI Adoption and Risk Report” reveals that employees are inputting sensitive corporate data into chatbots and generative AI tools at an alarming rate – more than doubling compared to just a year ago.
Perhaps more unsettling is the proliferation of “shadow AI” – the unmonitored use of personal AI accounts by workers, which lack the safeguards of corporate-sanctioned tools. A staggering 73.8% of workplace ChatGPT usage and over 94% of usage of Google’s AI offerings occurred through personal accounts, exposing a vast trove of confidential data to potential breaches and misuse.
The types of sensitive information being fed into these unchecked AI systems are particularly concerning. Customer support records made up 16.3% of the offending inputs, while source code, R&D data, legal documents, and employee records were also commonly shared, frequently through insecure personal channels.
Beyond data exposure risks, the improper use of generative AI in core business functions like coding and research raises alarms about potential intellectual property violations and the introduction of vulnerabilities into critical systems.
Identity Threats Persist, Businesses Grapple with Sprawl and Fallout
The Identity Defined Security Alliance’s latest report on identity security systems within large organizations paints a grim picture of the persistent challenges plaguing the digital landscape. Despite heightened awareness, a staggering 90% of the studied entities experienced an identity-related incident over the past year, a statistic that remains alarmingly consistent with the previous year’s findings.
The report sheds light on the most prevalent identity incident vectors, with phishing attacks leading the charge at a staggering 69%, closely followed by the insidious threat of stolen credentials, which accounted for 37% of incidents. However, the repercussions extend far beyond the initial breach, as a resounding 84% of identity stakeholders reported direct business impacts, a substantial increase from the previous year’s 68%.
Perhaps most concerning is the erosion of reputational integrity, with 45% of companies experiencing negative reputational impacts in the wake of an identity incident, nearly doubling the 25% figure from the previous year. This stark reality underscores the far-reaching consequences that can ripple through an organization in the aftermath of a breach.
CISOs Sound Alarm on Human Risk, Economic Pressures Amid Cyber Threats
Cybersecurity leaders have sounded a resounding alarm bell, with a striking 70% of Chief Information Security Officers (CISOs) admitting to feeling vulnerable to a potentially crippling cyber attack. However, what’s perhaps more disconcerting is the stark disconnect – only 43% feel adequately prepared to confront such an onslaught.
At the crux of this heightened trepidation lies a startling culprit: the human element within their very organizations. A staggering 74% of CISOs identify their employees as the greatest source of vulnerability, prompting an overwhelming 87% to place their faith in AI-driven solutions as a crucial line of defense against human-centered cyber threats.
The report further exposes the tangible consequences of such risks, with 46% of security leaders grappling with the loss of sensitive data, an alarming 73% of which stemmed from employees departing their organizations – a sobering reality check on the critical need for robust data protection measures.
That’s all for today. Stay tuned for our next episode. See you next week!