The Cybersecurity Digest - 19 Aug 2024

The Cybersecurity Digest Newsletter

Date: 19 Aug 2024

Hello and welcome to the Cybersecurity Digest Newsletter, where our goal is to help you stay informed so that you can stay secure! Each issue rounds up the latest developments in the cybersecurity and information security space.

This newsletter is broken down into three main sections. The first is Notable News, which contains the latest news stories as well as important research. The second is Prevalent Patches, which covers newly released patches. Lastly is the CISA Corner, which highlights advisories and news that CISA has published.

In addition to this newsletter we have a weekly podcast published on Mondays that recaps the top 10 stories from the previous week.

Upcoming In This Issue:

Notable News:

  • Leaked Environment Variables lead to Cloud Extortion Campaign

  • National Public Data Breach

  • Unicoin locked out of their GSuite by Hacker

  • Styx Stealer Deep Dive

  • Xeon Sender

  • FlightAware Data Leak

  • Toyota Data Breach

  • Azure and Google Disinformation/Malware Campaign

  • “WireServing” AKS Privilege Escalation

  • Popular Software Searches Exploited

Prevalent Patches:

Last Week’s Patch Tuesday Review

  • Adobe Patches

  • Ivanti Patches

  • Microsoft Patch Tuesday

CISA Corner:

  • Jenkins CLI Path Traversal Vulnerability added to the KEV Catalog

Notable News

Unit 42 researchers discovered an extortion campaign in which attackers harvested credentials from environment variable files (.env files) left exposed on public web servers. Using stolen AWS keys, the attackers set up their own scanning infrastructure inside compromised organizations' AWS accounts, scanning over 230 million unique targets and compromising exposed .env files across 110,000 domains. They exfiltrated data from cloud storage containers and left ransom notes without encrypting anything. The campaign relied entirely on automation and victim misconfigurations, not on vulnerabilities in the cloud providers themselves. Once inside an account, the attackers escalated privileges, ran extensive discovery of the environment, and finished with data exfiltration and ransom demands. The practical takeaways are that a web root must never serve .env files, and that any credential found in one should be treated as compromised and rotated.
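To make the misconfiguration concrete, here is an added example (written for this digest, not Unit 42's tooling) of the check a defender can run against their own sites: fetch /.env, decide whether the response is a real config file rather than a "soft 404", and flag the entries that look like live credentials. The .env content and the HTTP responses are constructed samples; the AWS key ID prefixes AKIA/ASIA are the documented format, everything else about the heuristics is an assumption to be tuned for your own naming conventions.

```python
import re

# Constructed sample of what a scanner would fetch from https://victim.example/.env
# (the AWS values are the documented AWS example credentials, not live keys).
SAMPLE_ENV = """# app config
APP_NAME=shop
APP_DEBUG=false
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
DB_PASSWORD="s3cr3t-pass"
MAIL_HOST=smtp.example.net
STRIPE_KEY=sk_test_placeholder0000000000
"""


def parse_dotenv(text):
    """Parse KEY=VALUE lines the way dotenv loaders do: skip comments and
    blank lines, accept an optional 'export ' prefix, strip matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


# Key names that usually hold secrets (assumption: adjust for your own conventions).
SENSITIVE_KEY = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE|_KEY\b|^KEY$)", re.I)
# AWS access key IDs: documented prefixes AKIA (long-term) / ASIA (temporary) + 16 chars.
AWS_AKID = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")


def find_credentials(env):
    """Return {key: kind} for entries that look like live credentials."""
    hits = {}
    for key, value in env.items():
        if not value:
            continue  # empty placeholders are not a leak
        if AWS_AKID.match(value):
            hits[key] = "aws-access-key-id"
        elif SENSITIVE_KEY.search(key):
            hits[key] = "sensitive-key-name"
    return hits


def is_exposed_env(status, content_type, body):
    """Classify an HTTP response for /.env: only a 200 with non-HTML content
    that parses to several variables including credential-like ones counts."""
    if status != 200:
        return False
    if "text/html" in content_type.lower():
        return False  # catch-all pages that answer 200 for any path
    env = parse_dotenv(body)
    return len(env) >= 2 and bool(find_credentials(env))


if __name__ == "__main__":
    env = parse_dotenv(SAMPLE_ENV)
    print(find_credentials(env))
    print(is_exposed_env(200, "application/octet-stream", SAMPLE_ENV))
```

Run the classifier against the real responses from your own hosts (a plain `requests.get(url + "/.env")` is enough) and, if anything is flagged, rotate every credential in the file first and fix the web server second; the attackers in this campaign had already scanned and copied the file long before most owners noticed.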

Early estimates of the National Public Data breach put the impact at around 2.7 billion records; in its filing with the Maine Attorney General, the company listed the number of affected individuals at 1.3 million.

The Record reports that a hacker recently breached Unicoin's systems, locking all employees out of their Google G Suite accounts for four days. The attack, which began on August 9, was resolved by August 13, but left discrepancies in personal data and traces of hacked messages. Unicoin is investigating the incident and its potential financial impact. The breach adds to ongoing concerns about North Korean operatives infiltrating U.S. tech companies, as seen in the similar KnowBe4 incident. Although there is no evidence that funds were stolen, the attack underscores the persistent threat to cryptocurrency firms.

This article from CheckPoint Research discusses the discovery of Styx Stealer, a new malware variant derived from Phemedrone Stealer. Styx Stealer, sold on styxcrypter[.]com, can steal passwords, cookies, cryptocurrency wallet data, and more. Despite inheriting core functions from Phemedrone, it lacks some newer features but includes new ones like auto-start and crypto-clipper. The developer, known as Sty1x, made significant operational security mistakes, exposing his identity and connections to other cybercriminals. If you are interested in stealer malware check out the full article linked in the title.

SentinelLabs published an analysis of Xeon Sender, a cloud attack tool used for SMS spam and phishing (smishing) campaigns. It leverages the legitimate APIs of multiple SaaS messaging providers to send bulk SMS messages, so it requires valid credentials for those services, which is why stolen API keys are its real fuel. Distributed mainly through Telegram and hacking forums, Xeon Sender has evolved since its earliest known version in 2022. The tool's simplicity lets even low-skilled actors run campaigns, though it lacks professional polish and robust error handling. Organizations that use these messaging services should monitor their accounts for unusual SMS activity, such as bursts of sends from principals that do not normally send SMS. It is also a good time to remind employees how to recognize and report smishing.

BleepingComputer reports that FlightAware, a flight tracking platform, has experienced a data security incident due to a configuration error discovered on July 25, 2024, which exposed personal user information, including user IDs, passwords, and email addresses, since January 1, 2021. The company has remediated the error and is requiring all affected users to reset their passwords. Additionally, FlightAware is offering a 24-month identity protection package through Equifax to those impacted and advises users to report any suspicious activity to local law enforcement.

BleepingComputer reports that Toyota has confirmed a data breach after a threat actor leaked 240GB of stolen data on a hacking forum. The breach, which affected a U.S. branch, exposed information on Toyota employees, customers, contracts, and financial details. The attacker used the ADRecon tool to extract network infrastructure information, including credentials. Although Toyota has not disclosed when the breach occurred or how the attacker gained access, BleepingComputer found that the stolen files were created on December 25, 2022.

BleepingComputer reports that a recent disinformation campaign has exploited Microsoft Azure and OVH cloud subdomains, along with Google search notifications, to drive traffic to scam websites. Android users receive misleading notifications about topics they have previously searched, leading them to fake articles claiming that public figures are suffering from health issues. These articles, hosted on cloud services, spread unverified rumors and ultimately redirect users to sites pushing malware, spam, and counterfeit software. The campaign targets multiple celebrities, including Harry Connick, Jr., Bill Paxton, and Megan Fox, among others.

This article describes a vulnerability that Mandiant recently disclosed to Microsoft. The issue affected Azure Kubernetes Service clusters configured with "Azure CNI" for network configuration and "Azure" for network policy. An attacker with command execution in any Pod within an affected cluster could escalate privileges, obtain cluster credentials, and read all secrets within the cluster. Microsoft has since fixed the underlying issue, so no customer action is required beyond keeping clusters updated.

The Hacker News reported that cybercriminals are exploiting searches for popular software to spread the FakeBat malware through malvertising campaigns. This malware, also known as EugenLoader and PaykLoader, is linked to the threat actor UNC4536. The attacks use trojanized MSIX installers disguised as legitimate software such as Brave, KeePass, Notion, Steam, and Zoom. These installers execute a PowerShell script to download additional payloads, including IcedID, RedLine Stealer, Lumma Stealer, SectopRAT, and Carbanak. The malware gathers system information and maintains persistence by creating shortcuts in the StartUp folder. For more details, check out the full article!

Prevalent Patches

Last week was Patch Tuesday, and several companies released major patches fixing multiple issues. They are grouped by vendor below for convenience:

Adobe Patches

Product                  Security Bulletin   Highest CVSS Noted
Adobe Illustrator        APSB24-45           7.8
Adobe Dimension          APSB24-47           7.8
Adobe Photoshop          APSB24-49           7.8
Adobe InDesign           APSB24-56           7.8
Acrobat and Reader       APSB24-57           8.1
Adobe Bridge             APSB24-59           7.8
Substance 3D Stager      APSB24-60           7.8
Adobe Commerce           APSB24-61           9.0
Adobe InCopy             APSB24-64           7.8
Substance 3D Sampler     APSB24-65           5.5
Substance 3D Designer    APSB24-67           7.8

Ivanti Patches

Product                  Advisory        Highest CVSS
Virtual Traffic Manager  CVE-2024-7593   9.8
Ivanti Avalanche         Multiple CVEs   8.2
Neurons for ITSM         Multiple CVEs   9.6

Microsoft Patch Tuesday:

Microsoft published its August 2024 Security Updates. This Patch Tuesday addressed 89 vulnerabilities. It is worth noting that 54 of these received a CVSS score of 7.5 or higher, and seven scored 9.1 or higher. Microsoft marks 6 of them as "Exploitation Detected" and a further 11 as "Exploitation More Likely", so those should be at the front of the patching queue.

CISA Corner

CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) catalog today.

CISA KEV Addition 1

CISA added CVE-2024-23897 to its list of known exploited vulnerabilities. It is worth noting that this vulnerability has received a CVSS score of 9.8/10. To quote the National Vulnerability Database description of this vulnerability:

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
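The description is terse, so here is an added example (written for this digest, not Jenkins code) that shows the parser behaviour in miniature and gives a version check for the affected range quoted above. The first function mimics the "@<path> is replaced by the file's contents" expansion of the command-line parser library; the second is the hardened behaviour in which '@' is just an ordinary character. The fixed releases assumed here are the ones immediately after the affected range, 2.442 and LTS 2.426.3; the temporary file stands in for whatever file an attacker would point the argument at.

```python
import os
import tempfile


def expand_at_args_vulnerable(args):
    """Mimic the behaviour CVE-2024-23897 abuses: any argument of the form
    @<path> is replaced by the lines of that file, so an unauthenticated
    caller who controls CLI arguments can read files on the controller."""
    out = []
    for arg in args:
        if arg.startswith("@") and len(arg) > 1:
            with open(arg[1:], encoding="utf-8", errors="replace") as fh:
                out.extend(line.rstrip("\n") for line in fh)
        else:
            out.append(arg)
    return out


def expand_at_args_fixed(args):
    """Hardened parser: the @file feature is disabled, arguments pass through."""
    return list(args)


def parse_version(version):
    """'2.426.2' -> (2, 426, 2); weekly releases have two components, LTS three."""
    return tuple(int(part) for part in version.split("."))


def jenkins_vulnerable(version):
    """True when the version falls inside the advisory's affected range:
    weekly 2.441 and earlier, LTS 2.426.2 and earlier."""
    parts = parse_version(version)
    if len(parts) == 3:  # LTS line
        return parts <= (2, 426, 2)
    return parts <= (2, 441)


def demo():
    """Run both parsers over an argument pointing at a temp file standing in
    for a sensitive file on the controller; returns (vulnerable, fixed)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("line-one\nline-two\n")
        path = fh.name
    try:
        args = ["who-am-i", "@" + path]
        return expand_at_args_vulnerable(args), expand_at_args_fixed(args)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable parser saw:", vulnerable)
    print("fixed parser saw:     ", fixed)
    for v in ("2.441", "2.442", "2.426.2", "2.426.3"):
        print(v, "vulnerable" if jenkins_vulnerable(v) else "not affected")
```

Because the expansion happens before the command itself is authorized, the command name does not matter; what matters is that the controller's CLI endpoint is reachable. If you cannot upgrade immediately, disabling CLI access is the documented stopgap, and the version check above is a quick way to triage an inventory of controllers.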

Conclusion:

Thank you for reading this first edition of the Cybersecurity Digest Newsletter. If you enjoyed this newsletter and would like to ensure you are staying informed so you can stay secure, please consider subscribing.

Our next newsletter will be coming out Wednesday 21 August 2024.

For more in-depth analysis and detailed reports, visit our website or tune into the latest episode of the Cybersecurity Digest podcast.

Until next time, Stay Secure!
