WEEKLY TOP TEN: August 19, 2024, 16:00 GMT
- NetSuite E-Commerce Sites Leak Customer Information
A common misconfiguration of Oracle’s NetSuite e-commerce software has been found on thousands of sites, allowing unauthorized access to customer data because of misconfigured access controls. The unprotected records contain personal information such as home addresses. This is not a vulnerability in NetSuite itself but a common configuration error by administrators unaware of the risk.
- Google Disrupts Iranian-Linked Hacking Campaigns
Google has announced that it has taken disruptive action against the Iranian hacking group APT42, also known as Calanque. The group was targeting individuals and information related to the upcoming US presidential election using spear-phishing and social engineering. Google states that it has detected and blocked several sign-in attempts attributed to these actors.
- NIST Releases First Post-Quantum Encryption Standards
Post-quantum encryption standards are exactly what they sound like: encryption algorithms designed to withstand attacks from ultra-powerful quantum computers. The FIPS (Federal Information Processing Standard) 203, 204, and 205 standards are built on the Module-Lattice-Based Key-Encapsulation and CRYSTALS-Kyber algorithms that are already available. NIST has stated that system administrators should migrate to these post-quantum standards ASAP.
- National Public Data Breach Exposes an Estimated 70 Million Records
In April, the data broker National Public Data (NPD), which focuses mainly on providing information for background checks, suffered a breach by a threat actor using the alias “USDoD,” who published data including email addresses and Social Security numbers. Because of a class-action lawsuit against NPD, the breach has become a hot topic in the media, with many outlets reporting as many as 2.9 billion people impacted. However, Troy Hunt, founder of Have I Been Pwned, has analyzed the data and found a much lower figure of 70 million people, both living and deceased.
- RansomHub-Linked Threat Actor Group Employs Novel EDR Bypass Tools
According to Sophos, a threat actor it assesses is likely linked to the infamous RansomHub group has been observed using a novel EDR bypass tool dubbed EDRKillShifter. The utility detects and disables any EDR endpoint agents present on a compromised host. It operates through a BYOVD (bring your own vulnerable driver) attack, in which the threat actor intentionally installs a vulnerable driver on the host and then uses it to evade defenses.
- Russian InfoStealer Malware Campaign Mimics Legitimate Brands
A new infostealer distribution campaign originating from Russia has been observed impersonating legitimate brands and hosting the malware downloads on Dropbox. Typically, these malicious downloads install either DanaBot or StealC, both infostealers that target sensitive information on victim devices, such as saved credentials or banking information.
- GitHub Actions Abused to Leak Sensitive Information
GitHub Actions is a way to automate CI/CD (continuous integration/deployment) and other operations. Palo Alto Networks’ Unit 42 has discovered a vulnerability within GitHub Actions, which it dubbed “ArtiPACKED,” that allows the theft of sensitive information such as GitHub authentication tokens. The flaw is a series of misconfigurations and bad practices that allow attackers to read tokens left in the .git directory of projects.
- Critical RCE Vulnerability Discovered in SolarWinds Web Help Desk
CISA has warned of a critical vulnerability in SolarWinds Web Help Desk, tracked as CVE-2024-28986 with a CVSS score of 9.8. The vulnerability allows unauthenticated remote code execution, leading to complete system takeover. SolarWinds released a patch for the vulnerability but did not mention that it has been exploited in the wild.
- Copy2Pwn Vulnerability Allows for Windows Security Bypass
Trend Micro’s ZDI has discovered a zero-day vulnerability in Windows that allows the bypass of Windows SmartScreen anti-malware protection. The vulnerability, also known as Copy2Pwn, lies in the way WebDAV handles files during copy-and-paste operations.
When a file is downloaded from the web, Windows tags it with the Mark of the Web (MotW), which tells SmartScreen to treat the file cautiously. Files copied from a WebDAV share, however, do not receive the same MotW tag.
- Zero-Click RCE Vulnerability Discovered in Windows IPv6 Handler
A zero-click remote code execution vulnerability has been discovered in the Windows IPv6 handler. Zero-click RCE vulnerabilities are often considered the most severe type of security flaw because of their ease of exploitation and severe impact. This specific vulnerability lies somewhere in Windows’ IPv6 handling; because of its severity, details are not publicly available. A patch is available, and it is critical to apply this update ASAP.
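For the GitHub Actions item above, here is an added example (not from the original digest and not Unit 42's or GitHub's code) of the defensive check a workflow author can run over a build directory before uploading it as an artifact: it flags any git metadata in the staging tree, decodes the basic-auth header that actions/checkout persists in .git/config when its persist-credentials input is left at the default, and reports token-like strings in other files. The token prefix heuristic and the sample directory the script builds are constructed for illustration.

```python
"""Added example: audit a directory before it is uploaded as a GitHub
Actions artifact, looking for the credentials that the ArtiPACKED class
of leaks exposes. Not the project's or Unit 42's code."""
import base64
import re
import tempfile
from pathlib import Path

# actions/checkout persists the job token in .git/config as an HTTP extra
# header ("AUTHORIZATION: basic <base64 of x-access-token:TOKEN>") unless the
# workflow sets `persist-credentials: false`. Uploading the workspace with
# its .git directory therefore ships that token inside the artifact.
EXTRAHEADER_RE = re.compile(
    r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Heuristic for GitHub token prefixes (ghp_ = personal access token, ghs_ =
# installation/job token). The length bound is an assumption for this demo.
TOKEN_RE = re.compile(r"\bgh[ps]_[A-Za-z0-9]{30,}\b")


def inspect_git_config(text):
    """Return findings for a .git/config body (persisted basic-auth headers)."""
    findings = []
    for match in EXTRAHEADER_RE.finditer(text):
        try:
            decoded = base64.b64decode(match.group(1)).decode("utf-8", "replace")
        except ValueError:
            decoded = ""
        user = decoded.split(":", 1)[0] or "<unknown>"
        findings.append(f"persisted git credential (basic auth as '{user}')")
    return findings


def audit_artifact_dir(root):
    """Walk an artifact staging directory; return (relative path, issue) pairs."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if rel.startswith(".git/") or "/.git/" in rel:
            findings.append((rel, "git metadata should not be in an artifact"))
            if rel.endswith(".git/config"):
                findings.extend((rel, msg) for msg in inspect_git_config(text))
        for match in TOKEN_RE.finditer(text):
            findings.append((rel, f"token-like string {match.group(0)[:8]}..."))
    return findings


def build_sample_artifact(base):
    """Create a constructed staging directory that mimics a leaky upload."""
    base = Path(base)
    fake_token = "ghs_EXAMPLEONLYexampleonlyEXAMPLEONLY00"  # constructed, not real
    header = base64.b64encode(f"x-access-token:{fake_token}".encode()).decode()
    (base / ".git").mkdir(parents=True)
    (base / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (base / ".git" / "config").write_text(
        "[core]\n\trepositoryformatversion = 0\n"
        '[http "https://github.com/"]\n'
        f"\textraheader = AUTHORIZATION: basic {header}\n"
    )
    (base / "build").mkdir()
    (base / "build" / "README.md").write_text("release notes\n")
    (base / "build" / "app.log").write_text(f"debug: using token {fake_token}\n")
    return base


def demo():
    """Build the sample in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_artifact_dir(build_sample_artifact(tmp))


if __name__ == "__main__":
    for rel, issue in demo():
        print(f"{rel}: {issue}")
```

The durable fix is on the workflow side: set `persist-credentials: false` on actions/checkout when later steps do not need the token, and give actions/upload-artifact an explicit path to the build output rather than the whole workspace. The audit above is a last line of defence that catches a workspace upload before it leaves the runner.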
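For the Copy2Pwn item, an added example (not from the original digest and not ZDI's or Microsoft's code) that parses the contents of the Zone.Identifier alternate data stream carrying the Mark of the Web and classifies files the way a defender auditing a download folder would, so that files which arrived without the tag stand out. The sample stream contents and file names are constructed; the Windows-only reader function is included as an assumption and is not exercised by the sample data.

```python
"""Added example: parse the Zone.Identifier alternate data stream that
carries the Windows Mark of the Web (MotW) and classify files the way a
defender auditing a download folder would. Not ZDI's or Microsoft's code."""

# URLZONE values written into the stream's ZoneId field.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def read_zone_identifier(path):
    """Read the ADS on NTFS (Windows only). Returns None when the stream is
    missing, which is the state Copy2Pwn leaves a WebDAV-copied file in.
    Assumption for this demo: not exercised by the sample data below."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def parse_zone_identifier(stream_text):
    """Parse the INI-style stream body; None if absent or without a ZoneId."""
    if stream_text is None:
        return None
    section, fields = None, {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    try:
        zone_id = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": fields.get("ReferrerUrl"),
        "host": fields.get("HostUrl"),
    }


def assess(name, stream_text):
    """Classify one file as MOTW_INTERNET, MOTW_LOCAL or NO_MOTW."""
    info = parse_zone_identifier(stream_text)
    if info is None:
        return (name, "NO_MOTW",
                "no Zone.Identifier stream: SmartScreen will not treat it as downloaded")
    if info["zone_id"] >= 3:
        return (name, "MOTW_INTERNET",
                f"zone {info['zone_id']} ({info['zone']}) from {info['host'] or 'unknown host'}")
    return (name, "MOTW_LOCAL", f"zone {info['zone_id']} ({info['zone']})")


# Constructed sample data, not captured from a real system. "invoice.js"
# models a file copied from a WebDAV share: no stream at all.
SAMPLES = {
    "installer.exe": ("[ZoneTransfer]\r\nZoneId=3\r\n"
                      "ReferrerUrl=https://downloads.example.test/\r\n"
                      "HostUrl=https://downloads.example.test/installer.exe\r\n"),
    "invoice.js": None,
    "notes.txt": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "broken.lnk": "[ZoneTransfer]\r\nZoneId=three\r\n",
}


def audit(samples=SAMPLES):
    """Return assessments; in production feed read_zone_identifier() per file."""
    return [assess(name, stream) for name, stream in samples.items()]


if __name__ == "__main__":
    for name, verdict, detail in audit():
        print(f"{name:14} {verdict:14} {detail}")
```

On a Windows host the same stream can be inspected with `Get-Content -Path <file> -Stream Zone.Identifier` in PowerShell; a NO_MOTW verdict on a file a user believes they downloaded is exactly the gap the Copy2Pwn item describes, and such files deserve the same scrutiny as Internet-zone ones.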
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we determined to be most significant over the course of the week, ranked by highest risk and drawing on multiple sources when available: