
Cyber Briefing 2023.07.18

July 18, 2023
Reading Time: 9 mins read
in Blog, Cyber Briefing

Cyber Briefing

Get the newsletter in your inbox every weekday!

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.

The latest in cybersecurity: Docker Hub, Azure, Google Cloud Platform, Adobe, ColdFusion, WooCommerce, WordPress, NoEscape Ransomware, Avaddon, Becton Dickinson, TomTom, Pioneer, Hillsborough County, Washington State Food Service, Idaho Colleges, Autozone, Meta, MOVEit, CISA, Spanish Police, NATO.


🚨 Cyber Alerts


1. Cloud Credential Stealing Campaign

A recent investigation by SentinelOne and Permiso reveals a cloud credential stealing campaign that targets Azure and Google Cloud Platform (GCP) services, marking an expansion of the adversary’s targeting beyond AWS. The campaign, similar to TeamTNT’s cryptojacking activities, singles out public-facing Docker instances to deploy a worm-like propagation module, indicating an actively evolving threat. With the threat actor actively improving and tuning their tools, security researchers warn of the potential for larger-scale campaigns and the challenges of attribution.


2. Widespread Attack Targets WooCommerce Plugin

A critical vulnerability in the popular WooCommerce Payments plugin for WordPress has been exploited by hackers, allowing them to gain privileged access to vulnerable websites. With over 600,000 active installations of the plugin, the impact is widespread. The vulnerability was fixed in version 5.6.2, but threat actors have been actively targeting over 157,000 sites, using the exploit to install malicious plugins and create unauthorized administrator accounts. Website owners are advised to update their installations immediately and conduct thorough scans for any suspicious files or accounts.


3. ColdFusion Vulnerabilities Exploited: Webshell Attacks Rise

Hackers are actively exploiting two critical vulnerabilities in Adobe ColdFusion to bypass authentication and execute remote commands, allowing them to install webshells on vulnerable servers. The vulnerabilities being targeted are an access control bypass (CVE-2023-29298) and a critical remote code execution flaw (CVE-2023-38203). Rapid7 researchers have observed attackers chaining these exploits to gain unauthorized access to ColdFusion servers and plant webshells for remote control.


4. NoEscape: Avaddon Rebrand and Double-Extortion

The infamous Avaddon ransomware gang makes a comeback under the new guise of NoEscape, engaging in double-extortion attacks against enterprises since June 2023. Targeting Windows, Linux, and VMware ESXi servers, NoEscape encrypts files and steals data, threatening public exposure if ransoms aren’t paid, with demands ranging from hundreds of thousands to over $10 million. Although it bears similarities to Avaddon, NoEscape’s encryption algorithms differ slightly, and security experts suspect that core Avaddon members are now part of this new ransomware operation.


5. Secrets Found in Docker Hub Images

Researchers from RWTH Aachen University in Germany have discovered that tens of thousands of container images on Docker Hub contain sensitive secrets, creating a significant attack surface that puts software, online platforms, and users at risk. The study analyzed over 337,000 Docker images from Docker Hub and private registries, revealing that around 8.5% of them contain confidential data, including private keys and API secrets.
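The kind of check behind this finding is a secret scan over the files inside an image layer. The script below is an added example and not code from the RWTH Aachen study or from Docker; it builds a small constructed layer tarball in memory (the file paths and key values are placeholders, not real credentials) and scans every regular file in it for the two categories the study names, private keys and API secrets, plus an AWS-style access key ID. It assumes you have exported a layer as a plain tar (for instance one of the layer tars inside the archive produced by `docker save`); how you obtain the layer bytes is up to your pipeline.

```python
import io
import re
import tarfile
from typing import Dict, List, Tuple

# Byte-level patterns for the material the study reports: private keys and API secrets.
SECRET_PATTERNS: Dict[str, "re.Pattern[bytes]"] = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        rb"(?i)\b(?:api[_-]?key|secret[_-]?key|token)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{16,}"
    ),
}

# Skip very large members so a scan over a big image stays bounded.
MAX_FILE_BYTES = 4 * 1024 * 1024


def scan_layer(layer_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (path_in_layer, pattern_name) for every member that matches a pattern."""
    findings: List[Tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            handle = tar.extractfile(member)
            if handle is None:
                continue
            data = handle.read()
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append((member.name, name))
    return findings


def build_sample_layer() -> bytes:
    """Constructed sample layer: paths and values are placeholders, not real secrets."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(path: str, content: bytes) -> None:
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))

        add("app/.env", b"DB_HOST=localhost\nAPI_KEY=sk_constructed_0123456789abcdef\n")
        add("root/.ssh/id_rsa",
            b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n")
        add("app/main.py", b"print('hello')\n")
        add("root/.aws/credentials", b"[default]\naws_access_key_id = AKIAEXAMPLE000000000\n")
    return buf.getvalue()


if __name__ == "__main__":
    for path, kind in scan_layer(build_sample_layer()):
        print(f"{kind:20s} {path}")
```

The scan reports three of the four constructed files and leaves `app/main.py` alone. In practice you would run this over every layer of an image, not just the final filesystem view, because a secret deleted in a later `RUN` step still survives in the earlier layer's tar.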


6. Becton Dickinson Alaris Vulnerabilities

In a recent bulletin, medical device manufacturer Becton, Dickinson and Co. (BD) and federal regulators warned about eight vulnerabilities discovered in BD Alaris Guardrails Suite MX. These vulnerabilities, if exploited, could compromise sensitive data and device integrity. BD has reported the issues to the Food and Drug Administration (FDA), the Cybersecurity and Infrastructure Security Agency (CISA), and other industry organizations.



💥 Cyber Incidents


7. Hillsborough County Data Breach Alert

Hillsborough County, facing a data breach involving the MOVEit file transfer tool, is notifying over 70,000 individuals about their personal information being at risk. The county’s cybersecurity staff acted promptly upon being notified of the breach, installing security patches and working on additional measures to mitigate the impact. While Hillsborough County wasn’t targeted specifically, files from the Healthcare Services and Aging Services departments containing sensitive data, such as social security numbers and medical information, may have been exposed. The county has taken steps to inform affected individuals and urged them to place fraud alerts on their credit reports.


8. Food Worker Data Breach: 1.5M at Risk

Last Friday, the Tacoma-Pierce County Health Department revealed that unauthorized access to the Washington State Food Worker Card online training system database exposed personal data for 1.5 million individuals. The breach, discovered in late 2022 by the federal government, included names, dates of birth, email addresses, and ZIP codes from a database copy dating back to November 18, 2018. Although the breach affected 20% of the state’s population, health officials chose, in the interest of transparency, to notify all affected individuals and the State Attorney General’s Office, even those whose driver’s license numbers were not leaked. The department has since transitioned to a more secure system under a new software vendor to prevent future breaches.


9. TomTom and Pioneer Cyber Breach

Global mapping and location giant TomTom, along with Pioneer Electronics and Autozone, has been affected by the recent MOVEit file transfer system attacks, as revealed by the Cl0p ransom group’s dark leak site. The GPS mapping leader, TomTom, confirmed that 82GB of data was stolen, and the company has taken the necessary security measures to protect the data and informed the authorities. The attacks have targeted thousands of companies worldwide, exploiting a zero-day vulnerability in the MOVEit software system, with many prominent organizations listed as victims on the Cl0p leak site, leading the FBI to issue a $10 million bounty on the Cl0p gang.


10. Idaho Colleges Data Breach

A worldwide data breach of MOVEit Transfer software has raised concerns for Idaho colleges and universities, including the College of Southern Idaho (CSI), as the personal information of students and employees could be affected. The breach involves a third-party vendor utilized by the National Student Clearinghouse (NSC) and the Teachers Insurance and Annuity Association of America (TIAA). Fortunately, the office of the State Board of Education and Idaho’s public higher education institutions have not been compromised. NSC has contacted seven Idaho schools about the breach, and institutions like CSI are closely monitoring the situation to promptly notify and support affected individuals once the specifics are disclosed by the clearinghouse.



📢 Cyber News


11. CISA Offers Free Cloud Security Tools: Safeguard Your Digital Assets

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a factsheet offering free tools and guidance for organizations transitioning to cloud environments. The comprehensive toolkit aids network defenders, incident response analysts, and cybersecurity professionals in countering information theft, data encryption attacks, and cyber threats encountered while managing cloud-based or hybrid infrastructures. The highlighted tools, developed in collaboration with partners, complement cloud service providers’ built-in security capabilities, bolster network resilience, and swiftly identify and address malicious activity post-breach, providing crucial protection for critical infrastructure entities against cyber threats.


12. Meta Faces Fines for Privacy Breaches

Norway’s data protection authority, Datatilsynet, has announced that Meta, the parent company of Facebook and Instagram, will be fined one million crowns ($100,000) per day from August 4th to November 3rd unless it takes remedial action to address privacy breaches. The fines could amount to $10 million in total. The regulator accused Meta of illegally harvesting user data in Norway, including physical locations, for behavioral advertising, which is a common business model for Big Tech companies. This move comes after the European Union’s top court ruled against Meta’s data harvesting practices for behavioral advertising, and the case has been referred to the European Data Protection Board, potentially widening the decision’s impact across Europe.


13. Spanish Police Capture Cybercriminal

The Spanish National Police successfully apprehended a Ukrainian national who was part of a scareware operation spanning from 2006 to 2011, infecting hundreds of thousands of computers with malicious software. The operation involved displaying deceptive pop-up messages to trick users into thinking their devices were infected, coercing them to pay $129 for a fake antivirus solution. The criminal gang’s scareware scheme resulted in consumer losses exceeding $70 million globally, and the suspect had managed to elude capture by US authorities for over a decade before his arrest in Barcelona. The operation was carried out with international collaboration, involving the FBI, INTERPOL, and an Interpol Red Notice issued by the United States to locate and apprehend the wanted individual.


14. IT Employee Jailed for Ransomware Blackmail

Ashley Liles, a 28-year-old former IT security analyst, received a three-year and seven-month prison sentence for attempting to blackmail his employer during a ransomware attack. Exploiting his position, Liles intercepted a ransom payment meant for cybercriminals and impersonated the attackers to redirect the funds to his own cryptocurrency wallet. In a bid to pressure the company, he even accessed a board member’s private emails and altered the original blackmail messages, but his unauthorized activities were eventually exposed during internal investigations.


15. Federal Agencies Tackle Zero-Days Exploited by RomCom

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive to federal agencies, requiring them to address remote code execution vulnerabilities affecting Windows and Office products. These vulnerabilities were exploited by the RomCom cybercriminal group in targeted phishing attacks against government entities involved in the NATO Summit. The flaws, tracked as CVE-2023-36884, have been added to CISA’s Known Exploited Vulnerabilities list. Agencies have been given three weeks to secure their systems by implementing mitigation measures provided by Microsoft.




Subscribe and Comment.
Copyright © 2023 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on:
LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.
