InfoSec News – July 12, 2024

I am switching to a weekly newsletter format for these posts. I spend a lot of time during the week scanning newsfeeds to find interesting and relevant information as part of my day job. I am already sharing these with my team, so why not share them with the wider infosec community?

My hope is to product at least one of these post weekly, then share it with the great community. It could be via social media or an email newsletter, or both. My goal is to drop the post and have the rest happen automatically. But for now, I’ll be happy with just a weekly post every Friday.

I hope you find this valuable! – Chris

Patelco CU Breach

Patelco CU Reported Data Breach in 2023, Affected 181,000 Members – Patelco suffered another data breach in late 2023 due to the MOVEit vulnerabilities. The Clop ransomware gang was appearantly able to gather sensative date on all 181,507 members. Members have files a class-action lawsuit related to this incident. It is unclear if this eventually lead to the June 2024 ransomware attack, but I suspect the forensic investigation will find that link.

Patelco CU Reports ‘Serious Security Incident’ – A large California credit union was crippled by ransonware over the last few weeks.

Pressure Mounts on Patelco, So Do the Class Action Lawsuits – Patelco now has several class-action lawsuits against it due to this ransomware attack.

Patelco’s Network Stabilized 8 Days After Ransomware Attack – The credit union has been able to start processing transactions again, but they still have a long way to go before they are back online for their members.

Vulnerabilities

CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook – Remote code exec bug patched this week by Microsoft.

Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112) – Check Point Research – 0-day RCE on all versions of Windows leveraging URL shortcut files. This has been actively exploited for the last 18 months. Roll this patch as soon as possible, but you should also be treating URL files like executables, LNKs, shortcuts, etc. Strip them from emails and prevent users from downloading them.

New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere | Ars Technica – TL;DR this is a RADIUS MitM attack made possible by non-standard MD5, but only if you are not using TLS/DTLS. Best mitigation is to switch to TLS/DTLS transport. I believe the purported impacts of this are overblown. An attacker needs to be inside the network to catch these under typical corporate implementations. And how many RADIUS over the internet implementations are not using TLS? My guess is not many.

RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 – TL;DR – Cisco isn’t sure what products are affected yet, but watch this for more updates.

Critical Ghostscript flaw exploited in the wild. Patch it now! – Threat actors are actively exploiting a Ghostscript vulnerability to escape the sandbox for remote code execution.

Breaches & Attacks

Troy Hunt: Telegram Combolists and 361M Email Addresses – Another huge dump of usernames and passwords hit the web. Some of this data is old/reused, but some of it appears to be relatively new. Time to rotate passwords??

Microsoft Orders China Staff to Switch From Android Phones to iPhones for Work – Bloomberg – Might be petty, but this made me chuckle. Please, employees, use our biggest competitor’s product!

SysInformation Healthcare Services, LLC Provides Notice of a Data Security Event – SysInformation Healthcare Services (TX, USA) suffered a major data breach a year ago, only recently disclosed. Attackers got name, date of birth, health insurance information, medical history, and treatment information. They recommended credit monitoring. And their victims recommended compensation: SysInformation Healthcare Services Data Breach Lawsuit | ClassAction.org

AT&T Says Phone Records Of ‘Nearly All’ Customers Breached – AT&T falls victim to the Snowflake breach.

Neiman Marcus data breach: 31 million email addresses found exposed – Troy Hunt found >31mil customer email addresses on the dark web. Another Snowflake related breach.

Security

ANOM – Darknet Diaries – Another great episode discussing the ANOM crime-phones and how the FBI was actually running the show.

Visual guide to SSH tunneling and port forwarding | ITTavern.com – SSH tunneling is always a good trick to keep in your toolbox.

Cyber Scarecrow – This is an interesting concept that has been leveraged with certain malware to prevent install. It’s almost like a vaccination for your PC. I have two concerns: How will they prevent malware from detecting the software rendering it ineffective? How will they prevent false positives by security software? Hopefully more to come from this project.

GitHub – Lissy93/web-check: 🕵️‍♂️ All-in-one OSINT tool for analysing any website – All-in-one OSINT tool for analysing any website.

Cloudflare 1.1.1.1 incident on June 27, 2024 – A Brazilian ISP attempted to blackhole 1.1.1.1, which was then published to the greater internet causing an outage for Cloudflare’s public DNS service. It’s not clear if this was intentional or an accident. My personal opinion: BGP security needs to become a priority across the globe. One rogue change shouldn’t take down a major internet service.

RockYou2024: 10 billion passwords leaked in the largest compilation of all time | Cybernews – Someone has gathered up all of the breached password dumps over the last several years to create another mega-list, but it appears the file is mostly garbage compared to RockYou2021. This Reddit thread talks more about better sources for password lists: https://www.reddit.com/r/hacking/comments/1dxb25f/whet_to_download_rockyou2024/

Overlooked Domain Name Resiliency Issues: Registrar Communications – SANS Internet Storm Center – Another weak point in the internet: registrars. Someone reported a major ISP domain for phishing, causing the registrar to stop resolving the domain. The registrar did not provide any workable resolution process which could be accessed by clients.

How do cryptocurrency drainer phishing scams work? – Great background on crypto-draining attacks and how to avoid them.

Wide World of Cyber: State directed cybercrime – Risky Business – I’ve enjoyed the thoughtful discussions on these episodes. Worth the listen.

Technology

LeonStraathof/pfsense-speedtest-widget – I recently switched to a pfSense router after missing the advanced features not found in my Eeros, but pfSense doesn’t have a built-in speedtest. This dashboard plugin fixed that. No more worrying if the results are skewed due to other hardware!

DNS Deep Diving with Serena DiPenti – YouTube – The first 10 minutes or so gives you a high level understanding of how DNS works. The rest describes common DNS attacks and how pentesters try to exploit DNS.

Interesting News

Secret meeting between Apple and TSMC reported; 2nm capacity – Courtesy Unsupervised Learning – Has Apple locked down all the 2nm chips? Does this give it market superiority? It certainly allows more power in a smaller space.

A Vast, Untapped Source of Lithium Has Just Been Found in The US : ScienceAlert – Courtesy Unsupervised Learning – It looks like the US may be closer to on-shoring our Lithium needs by extraction from fracking water.

US sues Adobe for ‘deceiving’ subscriptions that are too hard to cancel – The Verge – It’s not enough to milk your users for continued shareholder payouts, but you want to force them into a perpetual contract?

Apple is winning in financial services – Looks like Apple could be opening Apple Pay to additional “buy now, pay later” partners.

Supreme Court ruling on Chevron doctrine may upend future cybersecurity regulation | Cybersecurity Dive

HP discontinues online-only LaserJet printers in response to backlash — Instant Ink subscription gets the boot, too | Tom’s Hardware – HP is giving up on their “instant ink” printers, but they won’t unlock those printers from the service.

Thread by @lcasdev on Thread Reader App – Thread Reader App – Google has given their own API’s preference to detailed performance telemetry regardless of user choice, but not other vendors. This impacts all Chromium based browsers. This is a clear violator anti-trust laws.

Leave a Reply