CISO Daily Update - April 5, 2024
NEW DEVELOPMENTS
US Cancer Center Data Breach Exposes Info of 827,000 Patients
Source: Bleeping Computer
City of Hope, a well-known cancer treatment and research center, announced a data breach affecting over 820,000 individuals. Data types exposed include full names, social security numbers, and medical records. The breach occurred between September and October last year and involved unauthorized access to a subset of the organization's systems. The City of Hope provided identity monitoring services to impacted individuals and advised vigilance and caution against potential fraud. The type of cyberattack that caused the breach remains unknown, and no ransomware gang has claimed responsibility.
Another Insider in OneCoin Cryptocurrency Scam Gets Prison Sentence
Source: The Record
Irina Dilkinska, a Bulgarian involved in the OneCoin cryptocurrency scam, entered a guilty plea to conspiracy to commit wire fraud and money laundering. She was sentenced to four years in federal prison and had to forfeit nearly $100 million. Dilkinska assisted money laundering operations by serving as OneCoin's "head of legal and compliance" and facilitating the transfer of $110 million in fraud proceeds to a Cayman Islands company. Co-founder Ruja Ignatova marketed OneCoin as the next bitcoin, tricking investors out of at least $4 billion. Ignatova is still at large, and her accomplice Karl Sebastian Greenwood received a 20-year prison sentence for his involvement in the conspiracy. Earlier this year, Mark Scott, a lawyer involved in laundering OneCoin earnings, was sentenced to ten years in prison.
Cybercriminals Are Spreading Malware Through Facebook Pages Impersonating AI Brands
Source: The Record
Cybercriminals are exploiting Facebook pages to promote fake generative AI software containing malware. Researchers highlight the use of "malvertising" to impersonate popular AI brands like Midjourney and Sora AI. These campaigns are facilitated through hijacked Facebook accounts and distribute malware such as Rilide and Vidar. Users are targeted and reached using Meta's sponsored ad system. Despite takedowns, hijacked pages resurface and continue to pose an ongoing threat to Facebook users. Concerns over AI misuse persist, with experts cautioning against the potential for deepfake technology to exacerbate cybersecurity risks.
Hosting Provider VMware ESXi Servers Hit By New SEXi Ransomware
Source: GB Hackers on Security
A new ransomware strain dubbed "SEXi" targets VMware ESXi servers and poses a significant threat to hosting providers globally. The ransom demand for this variant is approximately 140 million dollars, underscoring the strain's significant impact on virtualized environments. The exact intrusion method remains undisclosed. Upon infection, SEXi ransomware appends a ".SEXi" extension to encrypted files and leaves a ransom note named "SEXi.txt". Researchers continue to investigate this new trend.
New Phishing Campaign Targets Oil & Gas with Evolved Data-Stealing Malware
Source: The Hacker News
A new phishing campaign targeting the oil and gas sector employs an updated version of the information-stealing malware Rhadamanthys. The phishing emails lure unsuspecting victims with a purported vehicle incident and spoof the Federal Bureau of Transportation. The email carries what appears to be a legitimate PDF; the malicious link is placed inside the document to help evade detection.
Hackers Hijacked Notepad++ Plugin To Execute Malicious Code
Source: GB Hackers on Security
A sophisticated cyberattack targeted users of Notepad++, leveraging a manipulated default plugin called "mimeTools.dll" to execute malicious code. This DLL hijacking technique causes Notepad++ to load the compromised plugin automatically, launching the hidden malware when the editor starts. The malware, dubbed "WikiLoader," uses encrypted shellcode embedded within the plugin to communicate with a command and control (C2) server, enabling further malicious activity. Users are urged to remain cautious, verify software integrity, and update software only from official sources.
Visa Warns of New JSOutProx Malware Variant Targeting Financial Orgs
Source: Bleeping Computer
Visa issued a warning regarding a surge in detections of a new JsOutProx malware variant targeting financial institutions and their clients. This phishing campaign, observed in South and Southeast Asia, the Middle East, and Africa, employs a highly obfuscated JavaScript backdoor. The malware allows attackers to execute various commands, download payloads, capture screenshots, and control infected devices' keyboard and mouse. While the ultimate goal of this campaign remains unclear, Visa advises raising awareness about phishing risks and implementing security measures to mitigate potential threats. Additionally, Resecurity's report delves deeper into the operation, revealing the malware's evolution, including the use of GitLab to host malicious payloads. The threat actor behind this campaign is potentially associated with Chinese or China-affiliated actors.
VULNERABILITIES TO WATCH
Apache HTTP Server Hit by Triple Vulnerabilities – Users Urged to Update
Source: SecurityOnline.info
Security researchers uncovered three vulnerabilities in the widely used Apache HTTP Server–posing significant risks to website security. Tracked as CVE-2023-38709, CVE-2024-27316, and CVE-2024-24795, these flaws enable attacks ranging from HTTP response manipulation to denial-of-service scenarios. Exploiting these vulnerabilities could lead to website content alterations, memory exhaustion, and destabilization of server-browser connections. Apache has released version 2.4.59 to address these vulnerabilities.
New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks
Source: The Hacker News
A security researcher discovered a new vulnerability in the HTTP/2 protocol known as HTTP/2 CONTINUATION Flood. This vulnerability enables attackers to launch denial-of-service (DoS) attacks by abusing the CONTINUATION frame, which many HTTP/2 implementations neither limit nor sanitize properly. An attacker can send a stream of CONTINUATION frames to deplete server memory or induce crashes. The issue affects various projects, and users are recommended to upgrade the affected software or temporarily disable HTTP/2.
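Added example, not code from the article or from any affected project: a minimal receiver-side check in Python that walks raw HTTP/2 frames and caps a header block while it is still being buffered, which is the limit the article says many implementations lacked. The frame layout follows RFC 9113; the numeric limits, the `frame` helper and the two sample streams are constructed for illustration.

```python
# HTTP/2 frame constants from RFC 9113 (sections 4.1, 6.2, 6.10)
FRAME_HEADER_LEN = 9
TYPE_HEADERS, TYPE_CONTINUATION = 0x1, 0x9
FLAG_END_HEADERS = 0x4
# Assumed receiver policy (constructed limits; real servers choose their own)
MAX_HEADER_BLOCK_BYTES = 16 * 1024
MAX_CONTINUATION_FRAMES = 8
def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def check_header_blocks(data):
    """Walk a raw frame stream and cap an in-progress header block while it is buffered.

    After HEADERS without END_HEADERS, every following frame must be a CONTINUATION on
    the same stream until one carries END_HEADERS; the receiver buffers the whole block.
    """
    off, block = 0, None  # block = [stream_id, bytes_buffered, continuation_count]
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        if off + FRAME_HEADER_LEN + length > len(data):
            return "reject: truncated frame"
        off += FRAME_HEADER_LEN + length
        if block is None:
            if ftype == TYPE_CONTINUATION:
                return "reject: CONTINUATION without an open header block"
            if ftype != TYPE_HEADERS:
                continue  # frames outside a header block are not checked here
            block = [stream_id, length, 0]
        elif ftype != TYPE_CONTINUATION or stream_id != block[0]:
            return "reject: header block interrupted by another frame"
        else:
            block[1] += length
            block[2] += 1
        if block[1] > MAX_HEADER_BLOCK_BYTES:
            return "reject: header block exceeds %d bytes" % MAX_HEADER_BLOCK_BYTES
        if block[2] > MAX_CONTINUATION_FRAMES:
            return "reject: more than %d CONTINUATION frames" % MAX_CONTINUATION_FRAMES
        if flags & FLAG_END_HEADERS:
            block = None  # block complete; a real server would now decode HPACK
    return "ok" if block is None else "incomplete: header block never terminated"

def benign_stream():  # constructed: one HEADERS plus one CONTINUATION, properly ended
    return frame(TYPE_HEADERS, 0, 1, b"\x82\x86" * 50) + frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x84" * 40)

def flood_stream(frames=20):  # constructed: the pattern above, END_HEADERS never sent
    return frame(TYPE_HEADERS, 0, 1, b"\x82" * 64) + b"".join(frame(TYPE_CONTINUATION, 0, 1, b"\x84" * 64) for _ in range(frames))
```

The check rejects on the ninth CONTINUATION frame of the flood sample rather than waiting for END_HEADERS, which is the point: a receiver that only validates after the block completes can be made to buffer indefinitely. A real server would pair this with an idle timeout per connection.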
D-Link NAS Command Injection Flaw: 92,000 Devices Affected
Source: Cyber Security News
A backdoor account and command injection vulnerabilities were discovered in D-Link Network Attached Storage (NAS) devices. This affects models including DNS-340L, DNS-320L, DNS-327L, and DNS-325. These vulnerabilities affect more than 92,000 publicly accessible devices and may be used by threat actors to carry out denial-of-service attacks, access private information, change system configurations, and execute arbitrary commands. D-Link has provided updates to fix these issues.
SPECIAL REPORTS
How CISOs Can Make Cybersecurity a Long-Term Priority for Boards
Source: Darkreading
CISOs play a crucial role in building stakeholder support for cybersecurity and educating board members on the severity of cyberattacks and the importance of risk mitigation. CISOs should focus on enhancing communication strategies for non-technical audiences. Key areas to hone in on with boards include further emphasis on the entire cyber-impact chain, stressing the human element of cyberattacks, outlining measurable outcomes of awareness training, and securing long-term support for sustainable cybersecurity initiatives. With cyber threats constantly evolving, CISOs must ensure that their communication strategies and training programs adapt accordingly.
LockBit Scrambles After Takedown, Repopulates Leak Site with Old Breaches
Source: Infosecurity Magazine
The aftermath of Operation Cronos continues to impede the operations of the LockBit ransomware group, leading to the resurgence of old breaches on its leak site. Trend Micro reports that since Operation Cronos, nearly 80% of the entries on the group's new leak site are illegitimate, many of them reuploads from attacks predating the operation. Additionally, some entries were attributed to other ransomware groups. LockBit's attempt to populate the site with fake victim data suggests an effort to portray normalcy despite the disruption. The takedown also appears to have hindered LockBit's affiliates' ability to launch new attacks, with a significant drop observed in actual infections post-operation.
Sophos Reveals Ransomware Attacks Are Now Targeting Backups
Source: Hackread
Sophos' latest report highlights a concerning trend in ransomware attacks in which cybercriminals increasingly target backups, undermining organizations' ability to recover data and escalating ransom demands. Based on a survey of IT professionals, the report reveals that 94% of organizations faced attempts to compromise their backups during attacks. Consequently, organizations unable to recover data from compromised backups ended up paying over double the ransom amount compared to those with secure backups. To mitigate this threat and reduce financial losses, investing in secure backup solutions, such as offline backups isolated from the network, is crucial.
Security Pros Are Cautiously Optimistic About AI
Source: Help Net Security
According to a Cloud Security Alliance and Google Cloud survey, security professionals are cautiously optimistic about integrating AI into cybersecurity, with 55% of organizations planning to adopt GenAI solutions within the year. The push for AI adoption is largely driven by C-level executives who recognize its competitive advantage. While 67% have tested AI for security purposes, confidence in executing AI strategies varies, with 48% feeling confident. Despite the potential of AI to enhance security measures, concerns remain about its advantages for malicious parties.