28-Aug-24: In Security News Today

Dick’s Sporting Goods Says Confidential Data Exposed In Cyberattack

DICK’S Sporting Goods has disclosed a cyberattack that exposed confidential information within its systems. Upon detecting the breach, the company activated its cybersecurity response plan, shut down email systems, and is manually verifying employee identities to regain access. The incident has been reported to law enforcement, and the company asserts that business operations have not been disrupted, although the investigation is ongoing.

Iran-Backed Peach Sandstorm Hackers Deploy New Tickler Backdoor

Iran-backed hacking group Peach Sandstorm has developed a new multi-stage backdoor named “Tickler,” used in recent cyber espionage operations targeting the satellite, communications, and oil and gas sectors, among others. Microsoft Threat Intelligence discovered Tickler’s deployment, where it gathers network data and uses Azure cloud resources as command and control (C2) servers. This development highlights the group’s ongoing and evolving cyber tactics, which include lateral movement and intelligence-gathering methods consistent with their history of operations.

Censys Finds Hundreds Of Exposed Servers As Volt Typhoon APT Targets Service Providers

Chinese APT Volt Typhoon exploited a zero-day vulnerability in Versa Director servers, leading to the exposure of over 160 devices, mostly used by ISPs and MSPs, creating a significant attack surface. Despite the release of patches and warnings from Censys, many servers remain exposed, and anti-malware solutions are slow to detect the custom web shell used in these attacks. Given the critical role of these servers in managing enterprise network configurations, this situation poses a severe risk to global infrastructure, especially as the attacker’s intent appears to target critical sectors.

APT-C-60 Group Exploits WPS Office Flaw To Deploy SpyGlace Backdoor

The APT-C-60 group, aligned with South Korea, exploited a critical zero-day vulnerability in Kingsoft WPS Office (CVE-2024-7262) to deliver the SpyGlace backdoor, targeting Chinese and East Asian users. This attack leverages a booby-trapped spreadsheet with a malicious hyperlink, leading to remote code execution and multi-stage malware deployment. Additionally, the group used malicious plugins in applications like Pidgin and Cradle to further spread malware such as DarkGate, underscoring their sophisticated and deceptive techniques.

US Offering $2.5 Million Reward For Belarusian Malware Distributor

The US Department of State has announced a $2.5 million reward for information leading to the arrest of Volodymyr Kadariya, a Belarusian and Ukrainian national involved in distributing the Angler Exploit Kit and other malware through malvertising from 2013 to 2022. Kadariya and his co-conspirators used scareware ads and other tactics to infect millions of devices, stealing personal and financial information, which they later sold on Russian cybercrime forums. Kadariya has been indicted on multiple charges, including wire fraud and computer fraud conspiracy, with one co-conspirator recently extradited to the US.

BlackByte Ransomware Exploits VMware ESXi Flaw In Latest Attack Wave

BlackByte ransomware has recently exploited a newly patched authentication bypass vulnerability in VMware ESXi (CVE-2024-37085) to escalate privileges and control virtual machines. The group continues to refine its tactics by incorporating vulnerable drivers to bypass security measures and using VPN access to evade detection. Their evolving strategies include deploying multi-language encryptors and leveraging newly disclosed vulnerabilities, reflecting a sophisticated and adaptive threat landscape.

950,000 Impacted By Young Consulting Data Breach

Young Consulting recently experienced a data breach affecting over 950,000 individuals due to a BlackSuit ransomware attack. The breach, discovered on April 13, involved unauthorized access to personal information including Social Security numbers and medical data, impacting clients such as Blue Shield of California. The company is offering affected individuals free credit monitoring while the stolen data has been made available by the attackers on their leak site.

Second Apache OFBiz Vulnerability Exploited In Attacks

A second Apache OFBiz vulnerability, CVE-2024-38856, is being actively exploited, with PoC exploits emerging since early August. The flaw, an incorrect authorization issue, allows unauthenticated remote code execution and affects OFBiz versions up to 18.12.14; a patch is available in version 18.12.15. CISA has added this vulnerability to its KEV catalog and is advising organizations to address it urgently following its exploitation in attacks.

Threat Group ‘Bling Libra’ Pivots To Extortion For Cloud Attacks

Bling Libra (aka ShinyHunters) has shifted from selling stolen data to using double-extortion tactics, targeting cloud environments like AWS with legitimate credentials to steal and delete data while demanding ransoms. This evolution in their approach highlights significant security vulnerabilities in cloud infrastructure, particularly the lack of multifactor authentication (MFA) and overly permissive credentials, which they exploit for initial access. Cybersecurity experts recommend implementing stricter authentication controls and restricting user permissions to protect against such sophisticated threats.

Iranian Hackers Work With Ransomware Gangs To Extort Breached Orgs

Pioneer Kitten, an Iran-based hacking group, is actively breaching organizations across sectors like defense, finance, and healthcare in the U.S., and working closely with ransomware affiliates to extort victims. The group, suspected of having ties to the Iranian government, not only sells access to compromised networks but also directly aids in ransomware operations, maintaining secrecy about their origins. Recent activities include scanning for vulnerabilities in security devices, with a history of exploiting major CVEs to infiltrate and monetize compromised infrastructures.

New Tickler Malware Used To Backdoor US Govt, Defense Orgs

The Iranian hacking group APT33, also known as Peach Sandstorm, used the new Tickler malware to infiltrate networks within the U.S. government, defense, and other critical sectors between April and July 2024. The group exploited Microsoft Azure’s infrastructure for command-and-control operations by leveraging compromised user accounts, primarily within the education sector, to create and maintain malicious Azure subscriptions. Microsoft’s response included disrupting the fraudulent Azure infrastructure and announcing mandatory multi-factor authentication (MFA) starting October 15 to enhance security against such threats.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.
