CISO Daily Update - May 30, 2024
NEW DEVELOPMENTS
Massive Google Leak Exposes Search Algorithm Secrets
Source: The Cyber Express
A massive leak of internal Google documents exposed the factors influencing search results–over 2,500 pages of data and 14,014 attributes from Google's search API. Initially published on GitHub in March 2024 and removed in May, the documents provide unprecedented insights into Google's ranking mechanisms but do not reveal each factor's hierarchy or importance. SEO professionals are buzzing with reactions, noting potential discrepancies between the leak and Google's public statements, particularly on "domain authority." Google has yet to comment on the leak.
First American December Data Breach Impacts 44,000 People
Source: Bleeping Computer
First American Financial Corporation, a leading U.S. title insurance provider, disclosed that a cyberattack in December 2023 resulted in a data breach impacting approximately 44,000 individuals. The company was forced to take some systems offline to contain the incident's impact. Five months later, an investigation concluded that unauthorized access led to the exposure of personal information belonging to those affected. First American will notify impacted individuals and offer free credit monitoring and identity protection services. This breach occurred just a month after the company paid New York a $1 million penalty for a 2019 data exposure incident.
Toshiba Email Compromise Reveals Social Security Numbers
Source: Cybernews
Toshiba America Business Solutions (TABS) faced an email compromise incident that exposed personal information, including individual names and Social Security numbers. The unauthorized access to the email environment lasted nearly a year, from April 2023 to March 2024, and affected an undisclosed number of individuals across multiple US states. TABS addressed the issue upon discovery in May 2024 and is providing affected individuals with complimentary identity monitoring services for two years. Law enforcement is investigating the incident, and TABS has yet to provide further details, including how the mailbox access was obtained.
Internet Archive Disrupted by Sustained and “Mean” DDoS Attack
Source: Infosecurity Magazine
The Internet Archive is experiencing intermittent service disruptions due to sustained and "mean" distributed denial-of-service (DDoS) attacks since May 26. Tens of thousands of fake information requests per second have targeted the site, affecting access to its extensive collection, including the Wayback Machine which archives over 866 billion web pages. Despite the disruptions, the Internet Archive has assured users that all collections remain safe. Founder Brewster Kahle highlighted the attack's persistent and targeted nature and noted efforts to strengthen their defenses. This incident is part of a broader trend of cyber-attacks on public libraries, including recent attacks on the British Library, Solano County Library, and London Public Library.
Ransomware Attack on Seattle Public Library Knocks Out Online Systems
Source: The Record
The Seattle Public Library was hit by a ransomware attack that took down its entire online system, wireless network, staff and patron computers, and online catalog. The incident began on Saturday, prompting the library to shut down all systems while investigating the attack with law enforcement assistance. All 27 branches will remain open for manual book and CD lending, but online services are unavailable with no estimated recovery time provided. This attack adds Seattle to the growing list of city and county library systems targeted globally by ransomware gangs that exploit the critical nature of library services to extort victims. Recent high-profile incidents include attacks on the British Library and Toronto Public Library system.
U.S. Treasury Sanctions Chinese Nationals Behind Billion-Dollar 911 S5 Botnet Fraud
Source: The Cyber Express
The U.S. Treasury Department sanctioned three Chinese nationals for their involvement in operating the 911 S5 botnet, a residential proxy network used to facilitate fraudulent activities including Coronavirus Aid, Relief, and Economic Security (CARES) Act fraud. The botnet compromised 19 million IP addresses, allowing criminals to route traffic through victims' machines, and caused significant financial losses to the U.S. government. The sanctioned individuals, residing in Singapore and Thailand, allegedly administered the botnet and facilitated money laundering activities. This move is part of broader efforts to address cybersecurity threats, following recent warnings about Chinese state hackers using proxy server networks to evade detection.
U.S. Sentences 31-Year-Old to 10 Years for Laundering $4.5M in Email Scams
Source: The Hacker News
Malachi Mullings, 31, of Sandy Springs, Georgia, has been sentenced to 10 years in prison for laundering over $4.5 million obtained through business email compromise (BEC) and romance scams. Between 2019 and July 2021, Mullings used a fictitious company, The Mullings Group LLC, to open 20 bank accounts for laundering fraudulent proceeds. The scams targeted a healthcare benefit program, private companies, and the elderly, using social engineering to defraud companies and individuals. Mullings and his co-conspirators concealed the fraud proceeds and bought various luxury items. In a related case, Russian citizen Evgeniy Doroshenko has been indicted for selling access to corporate networks on cybercrime forums; he faces up to 25 years in prison for wire fraud and related charges.
Surge in Discord Malware Attacks as 50,000 Malicious Links Uncovered
Source: Hackread
Bitdefender's recent analysis reveals a significant surge in malware and phishing attacks on Discord, with over 50,000 malicious links identified in the past six months. US users are the most targeted, making up 16.2% of the threats. The majority of these attacks use fake offers of Discord Nitro, the platform's premium subscription, to lure victims into downloading malware or entering credentials on phishing pages. The trend shows that Discord remains a reliable distribution and lure channel for attackers, following earlier incidents in which the platform's content delivery network was abused to host malware. Bitdefender's findings emphasize the need for increased cybersecurity awareness among Discord users, including treating unsolicited free offers as suspect, enabling two-factor authentication, using antivirus software, and reporting suspicious activity.
Over 90 Malicious Android Apps With 5.5M Installs Found on Google Play
Source: Bleeping Computer
Security researchers discovered over 90 malicious Android applications on Google Play that were installed over 5.5 million times, delivering malware and adware. Among them, the Anatsa banking trojan has seen a recent surge and is distributed through two decoy apps "PDF Reader & File Manager" and "QR Reader & File Manager" with over 70,000 installations. Anatsa employs a multi-stage payload loading mechanism and anti-analysis checks to evade detection while targeting over 650 financial apps to steal credentials. Other prevalent malware families found include Joker, Facestealer, Coper, and various adware strains impersonating utility, personalization, photography, productivity, and health apps. Though adware dominates by number, Anatsa and Coper pose higher risks, capable of on-device fraud and sensitive data theft. The identified Anatsa dropper apps were removed from Google Play.
Cybercriminals Abuse Stack Overflow to Promote Malicious Python Package
Source: The Hacker News
Cybercriminals abused Stack Overflow to promote a malicious Python package, pytoileur, that facilitates cryptocurrency theft. The package, published on the Python Package Index (PyPI) and downloaded 316 times, runs a Base64-encoded payload from its setup.py at install time; the decoded code retrieves and runs a Windows binary called 'Runtime.exe', which in turn drops spyware and stealer malware. After the first version was removed, the threat actor, using the pseudonym PhilipsPY, re-uploaded a new version. They also created a Stack Overflow account and posted answers recommending the package, misleading users into installing it. Stack Overflow has since suspended the account. Because setup.py executes with the installing user's privileges during `pip install`, any code placed there runs before the package is ever imported, which is why install-time scripts deserve review before a dependency is adopted.
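The following is an added example, not code from the report, from PyPI, or from the pytoileur package itself. It shows a static triage check for the pattern described above: a setup.py that decodes a Base64 blob and hands it to exec(), typically from a subclass of a setuptools install command so that it runs on `pip install`. The two embedded setup.py samples are constructed for this example (the encoded string in the "malicious" one is just `print('hello')`, standing in for a real stager), and the call lists (DANGEROUS_CALLS, DECODERS, INSTALL_HOOKS) are this example's own assumptions about what is worth flagging, not an exhaustive signature set.

```python
"""Static triage of a setup.py for install-time payload execution.

Added example: parses the file with Python's ast module and flags
(1) subclasses of setuptools commands (code that runs during pip install),
(2) exec/eval/subprocess-style calls, rated HIGH when fed by a decoder,
(3) Base64 string literals that decode to something resembling code.
"""
import ast
import base64
import re
from typing import List, Optional

# Calls that execute code or reach the OS/network from a build script (assumed list).
DANGEROUS_CALLS = {
    "exec", "eval", "compile", "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "urllib.request.urlopen", "requests.get",
}
# Decoders commonly used to hide a payload from a casual read of the file (assumed list).
DECODERS = {"base64.b64decode", "b64decode", "base64.b32decode",
            "codecs.decode", "bytes.fromhex", "zlib.decompress"}
# setuptools commands whose run() a package can override to execute at install time.
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}

_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
_CODE_RE = re.compile(r"\b(import|exec|eval|subprocess|http|os\.system|print|powershell)\b")


def _dotted(node: ast.AST) -> str:
    """Dotted name for Name/Attribute nodes, e.g. 'base64.b64decode'; '' otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _decoded_code(literal: str) -> Optional[str]:
    """If a literal is valid Base64 and decodes to text that looks like code, return the text."""
    if len(literal) < 16 or not _B64_RE.fullmatch(literal):
        return None
    try:
        text = base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if _CODE_RE.search(text) else None


def scan_setup_py(source: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            for b in node.bases:
                if _dotted(b).split(".")[-1] in INSTALL_HOOKS:
                    findings.append(f"line {node.lineno}: MEDIUM: class {node.name} overrides "
                                    f"setuptools command '{_dotted(b)}' (code runs at pip install)")
        elif isinstance(node, ast.Call) and _dotted(node.func) in DANGEROUS_CALLS:
            # Look inside the call's arguments for a decoder feeding it.
            decoders = [_dotted(c.func) for c in ast.walk(node)
                        if isinstance(c, ast.Call) and _dotted(c.func) in DECODERS]
            if decoders:
                findings.append(f"line {node.lineno}: HIGH: {_dotted(node.func)}() fed by {decoders[0]}()")
            else:
                findings.append(f"line {node.lineno}: MEDIUM: {_dotted(node.func)}() in build script")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = _decoded_code(node.value)
            if text is not None:
                findings.append(f"line {node.lineno}: HIGH: Base64 literal decodes to code: {text[:60]!r}")
    return findings


# Constructed sample: install hook + decoded exec, the shape described in the report.
MALICIOUS_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import base64

class PostInstall(install):
    def run(self):
        install.run(self)
        # constructed payload: base64 of print('hello'), standing in for a real stager
        exec(base64.b64decode("cHJpbnQoJ2hlbGxvJyk="))

setup(name="example-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample: an ordinary declarative setup.py that should produce no findings.
BENIGN_SETUP_PY = '''\
from setuptools import setup
setup(name="example-pkg", version="0.1", packages=["example_pkg"])
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        results = scan_setup_py(src)
        print(f"== {label}: {len(results)} finding(s)")
        for line in results:
            print("  ", line)
```

Run it against a downloaded sdist's setup.py before installing (`pip download --no-binary :all: <pkg>` fetches the archive without executing it). The check is deliberately noisy rather than precise: a legitimate package can subclass `install`, so a MEDIUM finding is a prompt to read the file, while a decoder feeding `exec()` has no honest reason to appear in a build script.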
VULNERABILITIES TO WATCH
Check Point Warns of Zero-Day Attacks on its VPN Gateway Products
Source: The Hacker News
Check Point warns of a zero-day vulnerability (CVE-2024-24919) in its Network Security gateway products, exploited in the wild and affecting CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. The flaw allows an unauthenticated attacker to read certain information from internet-connected gateways that have remote access VPN or mobile access enabled. Hotfixes are available for R81.20, R81.10, R81, R80.40, R80.30SP, R80.20SP, R81.10.x, R80.20.x, and R77.20.x. Because this is an information disclosure bug, applying the hotfix does not undo anything already read from an exposed gateway: review VPN and gateway logs for the period before patching and rotate credentials that the appliance holds. This follows recent alerts of attacks on VPN devices using old local accounts with weak, password-only authentication, reinforcing the ongoing risk to network perimeter appliances.
Foxit PDF Reader and Editor Flaw Let Attackers Escalate Privilege
Source: Cyber Security News
A new privilege escalation vulnerability (CVE-2024-29072) was discovered in Foxit PDF Reader for Windows, allowing low-privileged users to increase their permissions. The vulnerability results from flawed certificate validation of the updater executable: because the signature check on the update binary can be bypassed, a local user can initiate the update operation and have their own code run with the updater's elevated privileges. The vulnerability affects many versions of Foxit PDF Reader, and Foxit has provided a fix. Users are encouraged to update to the most recent version (Foxit PDF Reader 2024.2.2) to reduce the risk of exploitation.
Citrix Workspace App Lets Attackers Elevate Privileges From Local User to Root User
Source: Cyber Security News
A critical security flaw (CVE-2024-5027) was discovered in the Citrix Workspace app for Mac versions before 2402.10, allowing attackers to escalate privileges from locally authenticated users to root users. This vulnerability poses significant risks, potentially leading to security breaches or system compromise. Citrix released an urgent security bulletin, urging affected users to update to version 2402.10 or later to mitigate the risk. Detailed instructions and patches are provided to address the vulnerability and protect systems from exploitation.
Vulnerabilities in Eclipse ThreadX Could Lead to Code Execution
Source: Security Week
Vulnerabilities discovered in Eclipse ThreadX, a real-time operating system for IoT devices, in versions before 6.4 pose risks of denial-of-service and code execution. Humanativa Group identified flaws (tracked as CVE-2024-2214, CVE-2024-2212, and CVE-2024-2452) that lead to memory corruption, including buffer overflows and heap buffer overflows. The issues were reported in December 2023 and January 2024 and were addressed in version 6.4.0. Additional security-related issues were reported alongside them; these were not deemed vulnerabilities and will instead be addressed in future releases as code improvements.
SPECIAL REPORTS
Why CVEs Are an Incentives Problem
Source: Darkreading
The surge in Common Vulnerabilities and Exposures (CVEs) highlights an incentives problem where the desire for recognition can lead to an influx of low-quality submissions. While the CVE system serves as a trusted method for identifying vulnerabilities, challenges such as gaming for reputation, lack of accountability, and misaligned metrics like the Common Vulnerability Scoring System (CVSS) contribute to inefficiencies. To address this, revising the incentive structure to reward quality over quantity, enhancing verification measures, and redefining the CVSS to reflect real-world risk are crucial steps toward mitigating the impact of misleading submissions and improving the effectiveness of CVE reporting.
Social Distortion: The Threat of Fear, Uncertainty and Deception in Creating Security Risk
Source: Security Week
While Red Teams focus on pinpointing organization-specific vulnerabilities, a new class of industry-wide susceptibility is emerging—a culture of fear, uncertainty, and deception. Governmental agendas, industry imbalances, and profit-driven models contribute to this phenomenon, resulting in compromised integrity, blurred motivations, and increased susceptibility to attacks. These influences hinder collaboration, confuse security teams, and undermine trust. From government secrecy to industry standards and deceptive practices within the security community, these factors pose significant challenges–exacerbated by emerging technologies like AI and deepfakes, which further complicate the security landscape.