19-Sep-24: In Security News Today

Tor Says It’s “Still Safe” Amid Reports Of Police Deanonymizing Users

The Tor Project reassures users that their network remains secure despite recent reports of law enforcement using timing attacks to deanonymize users. While acknowledging timing analysis as a known method, Tor emphasizes that mitigations in newer versions of its tools, including improved relay management, reduce such risks. The project also urges increased network diversity, noting that past attacks targeted outdated software and specific vulnerabilities that have since been addressed.

Hackers Demand $6 Million For Files Stolen From Seattle Airport Operator In Cyberattack

Hackers linked to the Rhysida ransomware group are demanding $6 million in bitcoin from the Port of Seattle after stealing and leaking sensitive airport documents in a cyberattack. Despite the breach, the airport has refused to pay the ransom, and the FBI has launched a criminal investigation into the incident. The attack, which disrupted operations like ticketing and baggage handling, is still under recovery, while authorities work to secure any exposed personal information.

Ivanti Warns Of Another Critical CSA Flaw Exploited In Attacks

Ivanti has disclosed another critical Cloud Services Appliance (CSA) vulnerability, CVE-2024-8963, which is actively being exploited in conjunction with the previously disclosed CVE-2024-8190. This vulnerability allows remote attackers to bypass authentication and execute arbitrary commands on unpatched systems, posing a significant risk to enterprise network security. Ivanti urges administrators to apply patch 519 immediately, implement proper network segmentation, and monitor for signs of exploitation, as federal agencies are required to patch by October deadlines.

Hackers Exploit Default Credentials In Foundation Software To Breach Construction Firms

Hackers are exploiting default credentials in FOUNDATION Accounting Software to breach construction firms, targeting sub-industries like plumbing, HVAC, and concrete. Attackers brute-force access to Microsoft SQL Server instances, leveraging high-privileged accounts such as “sa” and “dba,” which are often left with default credentials, allowing execution of arbitrary shell commands via xp_cmdshell. To mitigate these risks, experts recommend rotating default credentials, limiting public exposure of the software, and disabling the xp_cmdshell configuration.

Police Dismantles Phone Unlocking Ring Linked To 483,000 Victims

A multinational law enforcement operation dismantled an international phishing network using the iServer phishing-as-a-service platform, which exploited over 483,000 victims globally by unlocking stolen or lost mobile phones. The platform, active since 2018, was used by low-skilled criminals to steal credentials and bypass phone security features, with over 2,000 “unlockers” registered to access stolen devices. During the coordinated action week, 17 suspects were arrested, and the platform’s Argentinian administrator was detained, concluding an investigation spanning multiple countries and leading to significant seizures.

Packed With Features, ‘SambaSpy’ RAT Delivers Hefty Punch

SambaSpy is a sophisticated remote access Trojan (RAT) with extensive capabilities like file management, password theft, webcam control, and keystroke logging, making it a versatile tool for espionage and cyberattacks. Originating from Brazil and initially targeting Italian users, the malware uses phishing emails and Zelix KlassMaster obfuscation to evade detection, with signs of expanding to Spain, Brazil, and other regions. Its deployment method, through phishing lures, remains a highly effective attack vector, enhanced by AI-driven tactics, and is expected to persist in future campaigns.

Thousands Of ServiceNow KB Instances Expose Sensitive Corporate Data

Over the past year, 1,000 instances of ServiceNow enterprise knowledge bases have exposed sensitive data, including PII and active credentials, due to outdated configurations and misconfigured access controls. Although ServiceNow implemented security updates to enhance data protection, these improvements failed to address vulnerabilities in KB access controls, leading to widespread data leaks. To mitigate these issues, organizations should regularly audit KB access controls and ensure proper security configurations are in place to prevent unauthorized data exposure.

CISA Releases Cyber Defense Alignment Plan For Federal Agencies

CISA’s Federal Civilian Executive Branch Operational Cybersecurity Alignment (FOCAL) plan aims to unify and standardize cybersecurity measures across federal agencies to better address dynamic cyber threats. The plan emphasizes five priority areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management, and incident detection and response, with the goal of improving collective operational defense and resilience. By aligning these components, CISA seeks to enhance interagency coordination and reduce vulnerabilities within the federal enterprise.

Germany Seizes 47 Crypto Exchanges Used By Ransomware Gangs

German authorities have seized 47 cryptocurrency exchanges implicated in facilitating anonymous money laundering for cybercriminals, including ransomware gangs. These platforms, bypassing “Know Your Customer” regulations, enabled users to evade detection, creating a significant risk environment for illicit financial activities. The operation, dubbed “Operation Final Exchange,” has led to the capture of extensive user and transaction data, potentially aiding in future investigations and arrests of involved cybercriminals.

As Geopolitical Tensions Mount, Iran’s Cyber Operations Grow

Iranian cyber operations, particularly by the group APT34, are increasingly targeting government sectors in the Middle East, including recent attacks on Iraq. This group, linked to Iran’s Ministry of Intelligence and Security, utilizes custom malware and sophisticated communication techniques to exfiltrate sensitive data rather than cause destruction. With geopolitical tensions rising, Iran’s cyber capabilities are expected to continue evolving, emphasizing the need for robust cybersecurity measures and zero-trust architectures in the region.

Contractor Software Targeted Via Microsoft SQL Server Loophole

Cybercriminals have been exploiting a vulnerability in Foundation accounting software, widely used in construction, by targeting its exposed Microsoft SQL Server (MSSQL) through port 4243, which is accessible due to mobile app features. Researchers from Huntress identified the threat from unusual SQL Server process activity and noted that attackers are utilizing brute force and default credentials to gain administrative access. To mitigate this threat, organizations are advised to rotate credentials and ensure their installations are isolated from the Internet.

New TeamTNT Cryptojacking Campaign Targets CentOS Servers With Rootkit

TeamTNT has launched a new cryptojacking campaign targeting CentOS-based Virtual Private Servers (VPS) using a sophisticated rootkit. The attack begins with an SSH brute force to upload a malicious script that disables security features, deletes logs, and disrupts other mining activities before deploying the Diamorphine rootkit for stealth and persistent access. This operation reflects TeamTNT’s evolution from 2019, now employing enhanced tactics to ensure persistent control and concealment within compromised systems.
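Three of the items above share one first step: the FOUNDATION/MSSQL intrusions start with brute-forced default accounts such as sa and dba, and the TeamTNT campaign starts with an SSH brute force. The script below is an added example, not code from the original page or from any vendor or researcher it mentions. It runs a sliding-window brute-force detector over constructed SQL Server ERRORLOG and sshd log lines and escalates when a successful login follows a burst of failures from the same source. The sample lines, the syslog year, the threshold, the window length and the list of default administrative account names are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input (not from the page). Line shapes follow sshd's syslog
# messages and SQL Server's ERRORLOG "Logon" messages; every timestamp, host,
# user and address is made up (RFC 5737 documentation address ranges).
SAMPLE_LOG = """\
Sep 19 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Sep 19 10:00:02 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep 19 10:00:03 vps sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
Sep 19 10:00:04 vps sshd[1207]: Failed password for root from 203.0.113.7 port 51006 ssh2
Sep 19 10:00:05 vps sshd[1209]: Failed password for root from 203.0.113.7 port 51008 ssh2
Sep 19 10:00:06 vps sshd[1211]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Sep 19 10:05:00 vps sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-09-19 10:10:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
2024-09-19 10:10:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
2024-09-19 10:10:02.03 Logon       Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
2024-09-19 10:10:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
2024-09-19 10:10:02.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.9]
2024-09-19 10:10:03.20 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.9]
"""

SYSLOG_YEAR = 2024  # assumption: syslog timestamps carry no year
# Assumed list of accounts that are commonly left with default credentials.
DEFAULT_ADMIN_ACCOUNTS = {"sa", "dba", "root", "admin", "administrator"}

SSHD_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")
MSSQL_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ Logon\s+Login (failed|succeeded) "
    r"for user '([^']+)'\..*\[CLIENT: ([^\]]+)\]")


@dataclass
class LoginEvent:
    ts: datetime
    service: str   # "sshd" or "mssql"
    source: str    # client address
    user: str      # account name attempted
    success: bool


def parse_line(line, syslog_year=SYSLOG_YEAR):
    """Return a LoginEvent for a recognised sshd or SQL Server logon line, else None."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=syslog_year)
        return LoginEvent(ts, "sshd", m.group(4), m.group(3), m.group(2) == "Accepted")
    m = MSSQL_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return LoginEvent(ts, "mssql", m.group(4), m.group(3), m.group(2) == "succeeded")
    return None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on any (service, source) with >= threshold failures inside `window`.
    A success arriving while the window still holds a full burst is escalated:
    that is the pattern of a brute force that actually worked."""
    by_source = defaultdict(list)
    for e in events:
        by_source[(e.service, e.source)].append(e)

    alerts = []
    for (service, source), evs in sorted(by_source.items()):
        evs.sort(key=lambda e: e.ts)
        recent, users = [], set()          # failure timestamps still in window
        total_failures, burst, success_after = 0, False, False
        for e in evs:
            recent = [t for t in recent if e.ts - t <= window]  # expire old failures
            if e.success:
                if len(recent) >= threshold:
                    success_after = True
                continue
            recent.append(e.ts)
            total_failures += 1
            users.add(e.user)
            if len(recent) >= threshold:
                burst = True
        if not burst:
            continue
        defaults = sorted(users & DEFAULT_ADMIN_ACCOUNTS)
        severity = "critical" if success_after else ("high" if defaults else "medium")
        alerts.append({"service": service, "source": source, "failures": total_failures,
                       "users": sorted(users), "default_accounts_targeted": defaults,
                       "success_after_bruteforce": success_after, "severity": severity})
    return alerts


def scan(text, **kwargs):
    """Parse raw log text and return the brute-force alerts for it."""
    return detect_bruteforce(parse_log(text), **kwargs)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the single failure from 198.51.100.4 produces nothing, while both the SSH source and the SQL Server client are reported as critical because a success follows five failures within the window; the `default_accounts_targeted` field is what makes the FOUNDATION-style sa/dba pattern stand out even before a success is seen. On a real host the same parser can be fed from `/var/log/auth.log` and the SQL Server ERRORLOG (failed-login auditing must be enabled on the instance for the "Login failed" lines to appear).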

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.