WEEKLY TOP TEN: July 29, 2024, 16:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk and drawing on multiple sources when available:
- The NSA Warns of Attacks on US Critical Infrastructure
 The NSA, in a joint briefing with the FBI and CISA, has warned of an influx of attacks against US critical infrastructure, including health, aerospace, nuclear, and defense-related organizations. A North Korean cyber-espionage group appears to be responsible for these attacks. Alongside this briefing, a ten-million-dollar reward for information related to these individuals has also been issued.
- Deleted GitHub Repositories May Still be Readable
 A design flaw in Microsoft’s ever-popular version management software, GitHub, has been discovered, possibly allowing malicious actors to read deleted GitHub repositories and obtain sensitive information. The cause is GitHub’s ‘fork’ feature, which allows any user to make a personal copy of a repository so that they can modify it for themselves.
 This means that if a repository that has been forked is deleted, GitHub reassigns one of the downstream forks as the new root node for that repository. So, if the repository was deleted because it leaked sensitive information, that data may still be available to be viewed through the remaining forks.
- Vulnerability in Twilio Authenticator Added to CISA’s KEV List
 CISA’s KEV list is a catalog of vulnerabilities that are known to be exploited in the wild. Recently, a new vulnerability in Twilio’s authenticator app, Authy, has been added to this list.
 This vulnerability (CVE-2024-39891) allows the phone numbers of devices with Authy installed to be leaked, due to an information disclosure bug in the Authy API. This discovery came after a statement from the infamous ShinyHunters threat actor group claimed to have stolen thirty-three million phone numbers associated with Authy.
- Telegram Messenger Exploit Delivers Malware in Videos
 Yet another bug has been discovered in the Telegram messenger app that allows malware to be delivered to unsuspecting Android users, this time in the form of a video file. Using this bug, a threat actor can deliver malware disguised as a multimedia file; when a user attempts to play it, they are met with an error message prompting them to download and install a malicious APK (Android application) file.
- Phishing Campaigns Leverage the Recent CrowdStrike Fiasco to Spread Malware
 A new strain of phishing campaigns has been seen the world over. These present themselves as hotfixes or applications that can repair the harm caused by the CrowdStrike sensor update, which bricked millions of computers.
 One such campaign has been observed targeting German users, in which an email claiming to be from CrowdStrike contains a zip file with a supposed automated fix for the ongoing issues; once run, the executable installs infostealer malware.
- WhatsApp Vulnerability Allows for Automatic Execution of Malicious Attachments
 A new bug in the extremely popular WhatsApp desktop messaging app has been discovered. The bug involves an attachment sent to users that contains a malicious Python or PHP script, which, when opened, executes without warning.
 As with similar attacks seen previously in Telegram, this does require the victim to have Python installed on their machine, which narrows the pool of viable targets to engineers, developers, and similar individuals.
- Malicious Python Package Targets macOS
 Security researchers have discovered a brand-new malicious package on the Python Package Index (PyPI). This package targets macOS users with the intent of stealing Google Cloud credentials.
 This type of attack is fairly common, and as such it is always important to verify the spelling of any package being installed, as typosquatting is the most common method of spreading these attacks.
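 The spelling check recommended above can be automated before installation. The following is an added example, not code from the digest or from any project it mentions: it flags requested package names that are not on an allowlist but sit within a small edit distance of one. The allowlist and the sample requirements are constructed for illustration.

```python
"""Typosquat check: flag requested package names that closely resemble known ones.

Added example, not part of the original digest. KNOWN_PACKAGES is a constructed
sample; a real deployment would load the organisation's approved package list.
"""
from typing import Iterable

# Constructed sample allowlist of legitimate, commonly used PyPI package names.
KNOWN_PACKAGES = {
    "requests", "urllib3", "numpy", "pandas", "cryptography",
    "google-cloud-storage", "boto3", "pyyaml", "setuptools",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Simplified PEP 503 style normalisation: case-fold and treat -, _ and . alike."""
    return name.lower().replace("_", "-").replace(".", "-")


def suspicious_packages(requested: Iterable[str], known=KNOWN_PACKAGES, max_dist: int = 2):
    """Return (requested, closest_known) pairs for names that are NOT known
    packages but lie within max_dist edits of one, i.e. likely typosquats."""
    findings = []
    known_norm = {normalize(k) for k in known}
    for pkg in requested:
        n = normalize(pkg)
        if n in known_norm:
            continue  # exact (normalised) match: legitimate, nothing to flag
        close = [k for k in known_norm if levenshtein(n, k) <= max_dist]
        if close:
            findings.append((pkg, min(close, key=lambda k: levenshtein(n, k))))
    return findings


# Constructed requirements list: two legitimate names, one typosquat, one unrelated.
SAMPLE_REQUIREMENTS = ["requests", "reqeusts", "numpy", "flask"]

if __name__ == "__main__":
    for pkg, lookalike in suspicious_packages(SAMPLE_REQUIREMENTS):
        print(f"WARNING: '{pkg}' is not a known package but resembles '{lookalike}'")
```

 Unrelated names such as "flask" are not flagged because they are far from every allowlisted name, so the check surfaces only near-misses worth a human look.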
- Fake GitHub Accounts Used to Spread Malware
 Researchers at Check Point Security have uncovered a campaign that uses fake GitHub accounts posing as legitimate repositories to spread malware. These fake accounts mimic legitimate ones by copying their repositories and injecting their own malware into them.
- PKFail Leaves Millions of Devices Vulnerable to Secure Boot Bypass
 Secure Boot is an integral part of modern security practice: it locks down the bootloader of a machine and prevents unauthorized software from running at startup. Recently, researchers discovered a leaked signing key that serves as the authority used to verify that all software running at boot is legitimate.
 The key was stored encrypted; however, it was protected by only a four-digit password, making cracking trivial and revealing the private key, which leaves over two hundred motherboard models from several manufacturers vulnerable to bootkits.
- Russian-Based Threat Actor Groups Make Up Over Half of All Ransomware Activity
 Researchers have discovered through blockchain analysis that Russian-based threat actor groups account for nearly seventy percent of all ransomware transactions. This is likely due to the Kremlin’s lax stance on cybercrime that does not target former Soviet-bloc nations, allowing threat actors to operate with near-impunity against Western countries.