Dell Loses 50mil people’s data & Ohio Loses 500k people’s SSN, Cyber News Beat

Michael Lopez
9 min read · May 15, 2024
(DALLE-3)

Lots of people this week lost their data. Read to see if you are affected and to learn about all the latest vulnerabilities hackers are attacking.

Dell Data Breach: 49 Million Customer Records Stolen via API Exploit

In a significant data breach, Dell has disclosed the theft of 49 million customer records, orchestrated through the exploitation of a partner portal API by a threat actor known as Menelik. Using fake company accounts, Menelik bypassed security measures and exploited a lack of rate limiting to scrape sensitive customer information, including order data, warranty details, service tags, and customer names. The compromised records pertain to various Dell products such as monitors, notebooks, desktops, and laptops. Despite Menelik’s attempts to alert Dell about the vulnerability, the company did not respond until weeks later, by which time the data had already surfaced on a hacking forum. This breach demonstrates the growing trend of threat actors targeting APIs to access and monetize sensitive data, a tactic previously seen in breaches involving major platforms like Facebook, Twitter, and Trello. Dell has confirmed the breach and is actively collaborating with law enforcement to investigate the incident.

This incident with Dell highlights the critical need for companies to implement robust API security measures, including rate limiting and better authentication protocols. API security is relatively new in the grand scheme of things and I worry that this type of attack may become more prevalent in the future. I think that API security monitoring will be a growing field for specialized cyber professionals.
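As an added example (not code from the original post or from Dell), the sliding-window check below runs over constructed partner-portal access-log lines and flags an account that looks up far more distinct service tags than a support workflow would, which is the scraping pattern rate limiting is meant to stop. The log format, the account names and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # assumed policy values, not Dell's
MAX_LOOKUPS = 30                # lookups per account per window before throttling
MAX_DISTINCT = 20               # distinct service tags per account per window

def parse_line(line: str):
    """Parse a constructed access-log line: '<iso-time> acct=<id> tag=<service-tag>'."""
    ts, acct, tag = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), acct.split("=", 1)[1], tag.split("=", 1)[1]

class LookupMonitor:
    """Sliding-window velocity and breadth check per partner account."""
    def __init__(self):
        self.events = defaultdict(deque)   # account -> deque of (time, service tag)

    def observe(self, ts, acct, tag):
        """Record one lookup; return an alert string if it should be throttled, else None."""
        q = self.events[acct]
        q.append((ts, tag))
        while q and ts - q[0][0] > WINDOW:   # expire events older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if len(q) > MAX_LOOKUPS:
            return f"{acct}: {len(q)} lookups in {WINDOW}, throttle (HTTP 429)"
        if distinct > MAX_DISTINCT:
            return f"{acct}: {distinct} distinct service tags in {WINDOW}, possible scraping"

def scan(lines):
    """Run the monitor over log lines; return {account: first alert raised}."""
    mon, alerts = LookupMonitor(), {}
    for line in lines:
        ts, acct, tag = parse_line(line)
        alert = mon.observe(ts, acct, tag)
        if alert and acct not in alerts:
            alerts[acct] = alert
    return alerts

def sample_log():
    """Constructed traffic: a partner doing occasional lookups and a fake account walking one new tag per second."""
    start = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(45):
        t = (start + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{t} acct=fake-co-01 tag=SVC{i:04d}")
        if i % 15 == 0:
            lines.append(f"{t} acct=partner-17 tag=ABC1234")
    return lines
```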

Ascension Reroutes Ambulances Amid Ransomware

Ascension, one of the largest U.S. healthcare networks, has redirected ambulances from several hospitals following a suspected ransomware attack that has severely disrupted clinical operations and caused widespread system outages. The attack has rendered critical systems offline, including the MyChart electronic health records system, phone systems, and platforms for ordering tests and medications. In response, Ascension has taken devices offline and advised business partners to disconnect from its systems as a precaution. The healthcare giant has also temporarily paused some non-emergent procedures and appointments, urging patients to seek emergency services if needed. The investigation, supported by Mandiant incident response experts, is ongoing, with early indications pointing to the Black Basta ransomware gang as the perpetrators. Given Ascension’s vast operations across multiple states and significant revenue, the impact of this attack is profound, disrupting healthcare delivery on a large scale.

The disruption caused by this ransomware attack shows the importance of top-tier cybersecurity defenses in the healthcare sector. Ransomware attacks on healthcare systems can have severe consequences, potentially endangering patient lives. Not only this, but healthcare is seemingly a large target for threat actors as of late; between this and the recent Change Healthcare breach, I think we can expect more focus on the healthcare industry by these threat actors. Due to the sensitivity of healthcare data, I hope that these types of breaches will see increased fines in the future.

Ohio Lottery Hit by Ransomware Affecting Over 538k Individuals

The Ohio Lottery recently fell victim to a ransomware attack that compromised the personal information of over 538,000 individuals, including names and Social Security numbers. Occurring on Christmas Eve, the attack did not impact the gaming network but resulted in the unauthorized access and leakage of client records by the DragonForce ransomware gang. The stolen data, now leaked, has not yet been linked to any reported cases of fraud. As a precaution, the Ohio Lottery is providing free credit monitoring and identity theft protection services to those affected. DragonForce, a relatively new ransomware group, has been implicated in other cyberattacks, including an incident involving a probiotic beverage manufacturer in Australia and New Zealand. Their tactics and use of a data leak site suggest a well-organized extortion operation, potentially hinting at a rebranding of an existing known gang.

This type of breach is the one that keeps me up at night. You wouldn’t expect to lose your Social Security number just by living in a particular state, but many people here did. Government entities need to be held liable for these data breaches; free credit monitoring is just a bucket against a forest fire. Losing your Social Security number haunts you for life and can absolutely ruin your future, as it is very easy for people to take out debt in your name. I foresee there might be some sort of class action in the future in order to recoup the massive losses for these people.

Google Patches Fifth Chrome Zero-Day Exploited in 2024

Google has released a security update for its Chrome browser to address the fifth zero-day vulnerability exploited in attacks this year. The vulnerability, identified as CVE-2024-4671, is a high-severity “use after free” issue in the Visuals component, which is responsible for rendering and displaying content on the browser. Discovered by an anonymous researcher, this flaw could potentially lead to data leakage, code execution, or browser crashes. The security update, rolled out as version 124.0.6367.201/.202 for Mac/Windows and 124.0.6367.201 for Linux, is being deployed gradually. Chrome users are advised to update their browsers via Settings > About Chrome to ensure they are protected. This marks the fifth zero-day vulnerability fixed in Chrome this year, following issues related to out-of-bounds memory access, type confusion, and out-of-bounds read errors.

The frequent discovery and exploitation of zero-day vulnerabilities in widely used software like Google Chrome is always a scary prospect. It seems this year has just been abysmal for Chrome; I hope this encourages people to seek out better alternatives for their browser, and that it pushes Google to get things together for Chrome and focus more on security from the onset of development rather than continuously retroactively fixing issues.

Russian Hackers Target Polish Government Networks in New Phishing Campaign

Poland has reported a significant cyber attack by a state-backed group associated with Russia’s military intelligence service, GRU. The attackers employed a phishing campaign, using emails containing links to a malicious executable file disguised as a JPG image. Additionally, the emails included hidden files designed to collect information from the victim’s computer. This method mirrors previous attacks by APT28, a notorious Russian hacking group responsible for high-profile breaches such as the DNC hack in 2016 and the German Federal Parliament breach in 2015. NATO, the EU, and the U.S. have condemned Russia’s cyber espionage activities, urging the country to cease its malicious behavior and holding its operatives accountable. This incident reveals the persistent cybersecurity threats faced by nations and the critical need for international cooperation in addressing these challenges.

Cyber continues to be a domain in which warfare and espionage are fought. Russia has been consistently targeting eastern Europe, Ukraine especially, since the onset of their war. I worry that them targeting Poland speaks to broader, longer-term goals of the territory that they wish to conquer. It is no secret these days that Russia is acting with the intent to reform their borders to the days of the USSR. Hopefully this does not come to pass.

Citrix Urges Admins to Mitigate PuTTY SSH Client Bug

Citrix has issued an urgent advisory to administrators regarding a vulnerability in the PuTTY SSH client, which could enable attackers to steal a XenCenter admin’s private SSH key. The security flaw, tracked as CVE-2024-31497, affects multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which utilizes PuTTY for SSH connections to guest VMs. Citrix recommends that administrators mitigate this vulnerability by downloading and installing the latest version of PuTTY or removing the PuTTY component entirely. This issue was discovered by Fabian Bäumer and Marcus Brinkmann of Ruhr University Bochum. Notably, Citrix had previously alerted users to other critical vulnerabilities in Citrix Netscaler, leading CISA to issue patches for actively exploited zero-day flaws.

Losing private keys is an absolute nightmare. It can result in the irreversible loss of access to encrypted data or digital assets. Without the private key, any information encrypted with the corresponding public key is effectively locked away, and there is no way to decrypt it. Though the big worry here is an unauthorized party gaining access to the private key: they can impersonate the legitimate owner, further exacerbating the security risks by potentially executing fraudulent transactions. Patch fast.

Severe Vulnerabilities in Cinterion Cellular Modems Threaten Various Industries

Cybersecurity researchers have uncovered severe vulnerabilities in Cinterion cellular modems that could be exploited by attackers to access sensitive information and execute code remotely. These flaws, including remote code execution and unauthorized privilege escalation, pose significant risks to communication networks and IoT devices across multiple sectors, such as industrial, healthcare, automotive, financial, and telecommunications. Presented at OffensiveCon in Berlin, the vulnerabilities comprise eight critical issues, with the most severe being a heap overflow vulnerability (CVE-2023-47610) that allows remote attackers to execute arbitrary code via SMS messages. These security lapses in handling MIDlets enable attackers to bypass digital signature checks and execute unauthorized code with elevated privileges. Organizations are advised to disable non-essential SMS messaging capabilities, use private Access Point Names (APNs), control physical access to devices, and conduct regular security audits and updates.

It is always interesting to see what is going on in the world of IoT from a security perspective. The issue is that they are so ubiquitous but so seldom patched that it is a field day for threat actors. With arbitrary code execution on these small devices, I think it is only a matter of time until some threat actor compromises these by the thousands and adds them to their botnet.

North Korean Hackers Deploy New Golang Malware ‘Durian’ Against Crypto Firms

North Korean hackers, identified as the Kimsuky group, have been observed deploying a new Golang-based malware named Durian in targeted cyber attacks against two South Korean cryptocurrency firms. Durian functions as a comprehensive backdoor tool, allowing the execution of commands, file downloads, and data exfiltration. The attacks, occurring in August and November 2023, utilized legitimate South Korean software for infection, establishing a connection to the attacker’s server to initiate the malware sequence. The Kimsuky group, associated with the North Korean regime, aims to steal data and geopolitical insights by compromising experts. Additionally, the group has been linked to other malware campaigns, including TutorialRAT and BabyShark, indicating a broader cyber threat landscape involving North Korean state-sponsored hacking groups.

The deployment of Durian is interesting; seeing an APT like North Korea utilizing Golang-based malware feels more advanced. I wonder how much cyber theft contributes to the overall GDP of a country like North Korea, given the low GDP overall but simultaneously having threat actor operations pulling in HUNDREDS of millions of dollars in cyber attacks globally. I would not be surprised if it was a double-digit percent.

TunnelVision Attack Exploits DHCP Manipulation to Hijack VPN Traffic

Researchers have unveiled a new VPN bypass technique called TunnelVision, which allows threat actors to intercept network traffic by manipulating DHCP messages on the same local network as the victim. This technique, assigned CVE-2024-3661, exploits the DHCP protocol’s lack of authentication for option messages, enabling attackers to redirect VPN traffic through an attacker-controlled DHCP server. By setting a route on the victim’s routing table, attackers can intercept and potentially modify supposedly protected network traffic. The vulnerability affects all major operating systems except Android and VPN tools that rely solely on routing rules for security. Mitigation strategies include implementing DHCP snooping, ARP protections, port security on switches, and network namespaces on Linux. Organizations are advised to take precautions to prevent such attacks.
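As an added illustration of the mechanism described above (not code from the original post or from the TunnelVision researchers), this Python snippet parses a DHCP offer, decodes the RFC 3442 classless static route option (option 121, the option TunnelVision abuses to install routes on the victim) and reports any route pointing outside the lease's own subnet, which is what a DHCP snooping or endpoint monitor would want to alert on. The packet bytes are constructed here, and the policy that an off-link route in a DHCP offer is suspicious is an assumption.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_CLASSLESS_ROUTES, OPT_END = 1, 121, 255

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {code: raw value} for the TLV options that follow the magic cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                     # pad byte carries no length field
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def decode_classless_routes(value: bytes) -> list:
    """Decode RFC 3442 option 121: prefix length, significant destination octets, router."""
    routes, i = [], 0
    while i < len(value):
        plen = value[i]
        nbytes = (plen + 7) // 8               # only the significant octets are encoded
        dest = int.from_bytes(value[i + 1:i + 1 + nbytes].ljust(4, b"\x00"), "big")
        router = int.from_bytes(value[i + 1 + nbytes:i + 5 + nbytes], "big")
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), ipaddress.IPv4Address(router)))
        i += 5 + nbytes
    return routes

def offlink_routes(packet: bytes) -> list:
    """Option-121 routes whose destination lies outside the lease's own subnet (assumed suspicious)."""
    opts = parse_dhcp_options(packet)
    yiaddr = int.from_bytes(packet[16:20], "big")  # the address being offered
    mask = int.from_bytes(opts.get(OPT_SUBNET_MASK, b"\xff\xff\xff\xff"), "big")
    local = ipaddress.IPv4Network((yiaddr & mask, bin(mask).count("1")))
    return [(net, gw) for net, gw in decode_classless_routes(opts.get(OPT_CLASSLESS_ROUTES, b""))
            if not net.subnet_of(local)]

def sample_offer() -> bytes:
    """Constructed DHCPOFFER for 192.0.2.50/24 carrying two rogue /1 routes and one benign on-link route."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0, bytes(4),
                         bytes([192, 0, 2, 50]), bytes(4), bytes(4), bytes(16), bytes(64), bytes(128))
    routes = (b"\x01\x00" + bytes([192, 0, 2, 66]) + b"\x01\x80" + bytes([192, 0, 2, 66])  # 0/1, 128/1 -> 192.0.2.66
              + b"\x19" + bytes([192, 0, 2, 128, 192, 0, 2, 1]))                            # 192.0.2.128/25 -> gateway
    options = bytes([53, 1, 2, 1, 4, 255, 255, 255, 0, 121, len(routes)]) + routes + b"\xff"
    return header + DHCP_MAGIC + options
```

Two /1 routes together cover the whole IPv4 space and win over a VPN's own default route on most hosts, which is why they show up as the flagged entries here.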

This is pretty scary; it more or less undermines the main use of VPNs in the first place. I hope the mitigation measures are put in place broadly sooner rather than later. This type of attack is just morbidly fascinating because it essentially nullifies a core technology. It makes me wonder what in the future we will discover that undermines even larger technology cornerstones. (I’m looking at you, quantum computing.)

Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery

The Mirai botnet is being deployed through recently disclosed security flaws in Ivanti Connect Secure (ICS) devices, as reported by Juniper Threat Labs. The vulnerabilities CVE-2023-46805 and CVE-2024-21887 are being leveraged to deliver the botnet payload. An attacker can exploit CVE-2023-46805, an authentication bypass flaw, and CVE-2024-21887, a command injection vulnerability, to execute arbitrary code and take over susceptible instances. The attack chain involves gaining access to vulnerable endpoints and injecting the payload to deploy the malware. The use of these exploits by the Mirai botnet demonstrates the evolving cyber threats, with potential for deployment of other harmful malware and ransomware.

The exploitation of Ivanti Connect Secure flaws by the Mirai botnet shows the evolving tactics used by cybercriminals to compromise devices and deploy malware. It is incredible the speed at which these botnets are able to adapt and grow. It means that as a cyber defender you can never just hold still and catch your breath. This perpetual arms race is why we should always patch ASAP and why the cybersecurity industry continues to grow.

Michael Lopez

Cybersecurity Expert and AI Enthusiast. Former Work with the NSA, the US Cyber Command, & Silicon Valley Startup