September 27, 2023

Johnson Controls International has suffered what is described as a massive ransomware attack that encrypted many of the company's devices, including VMware ESXi servers, impacting the company's and its subsidiaries' operations.

Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, air conditioners, and fire safety equipment.

The company employs 100,000 people through its corporate operations and subsidiaries, including York, Tyco, Luxaire, Coleman, Ruskin, Grinnel, and Simplex.

A weekend cyberattack

Yesterday, a source told BleepingComputer that Johnson Controls suffered a ransomware attack after initially being breached at its Asia offices.

BleepingComputer has since learned that the company suffered a cyberattack over the weekend that caused the company to shut down portions of its IT systems.

Since then, many of its subsidiaries, including York, Simplex, and Ruskin, have begun to display technical o
Recently, officials for the trucking and fleet management provider ORBCOMM confirmed that they had suffered a ransomware attack that was impacting their tracking and data logging services for several of the largest trucking firms in the US. The outages for the Electronic Logging Devices (ELD) were also causing truckers to record their driving hours on paper, which is only allowed for 8 out of 30 consecutive days, per federal regulations, though a waiver has been instituted until September 29th. All affected customers were made aware of the attack shortly after its discovery, though the investigation into which group was behind the attack is still underway.

TransUnion breach data leaked on BreachForums

Over the weekend, researchers discovered a 3GB data trove on the dark web forum BreachForums that claims to have been stolen from a TransUnion breach last year. It is believed that the stolen database contains a significant amount of sensitive customer and employee data dating back to Mar
September 27, 2023 By Bill Toulas

US and Japanese law enforcement and cybersecurity agencies warn of the Chinese 'BlackTech' hackers breaching network devices to install custom backdoors for access to corporate networks.

The joint report comes from the FBI, NSA, CISA, and the Japanese NISC (cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters.

BlackTech (aka Palmerworm, Circuit Panda, and Radio Panda) is a state-sponsored Chinese APT (advanced persistent threat) group known for conducting cyber espionage attacks on Japanese, Taiwanese, and Hong Kong-based entities since at least 2010.

The sectors BlackTech targets include government, industrial, technology, media, electronics, telecommunication, and the defense industry.

>> Full Article <<
September 27, 2023 By Brian Krebs

The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.

First spotted in 2018, the Snatch ransomware group has published data stolen from hundreds of organizations that refused to pay a ransom demand. Snatch publishes its stolen data at a website on the open Internet, and that content is mirrored on the Snatch team's darknet site, which is only reachable using the global anonymity network Tor.

The victim shaming website for the Snatch ransomware gang.

KrebsOnSecurity has learned that Snatch's darknet site exposes its "server status" page, which includes i
Firefox 118 patches six high-severity vulnerabilities, including a memory leak potentially leading to sandbox escape.

September 27, 2023 By Ionut Arghire

Mozilla on Tuesday announced security updates for both Firefox and Thunderbird, addressing a total of nine vulnerabilities in its products, including high-severity flaws.

Firefox 118 was released to the stable channel with patches for all nine vulnerabilities. All are memory issues, most of which could lead to exploitable crashes.

Tracked as CVE-2023-5168 and CVE-2023-5169, the first two high-severity flaws are described as out-of-bounds write issues in the browser's FilterNodeD2D1 and PathOps components. According to Mozilla, both could lead to "a potentially exploitable crash in a privileged process".

>> Full Article <<
Attackers can find tons of information on Tesla cars and their drivers by searching for misconfigured TeslaMate instances online.

September 27, 2023 By Ionut Arghire

Misconfigured TeslaMate instances can leak tons of data on the internet, potentially exposing Tesla cars and their drivers to malicious attacks, IoT security intelligence firm Redinent reports.

A third-party data logging application, TeslaMate relies on the Tesla API to retrieve various types of information about Tesla cars, making it available to users on their computers.

While the application is a great tool for keeping track of car data, it also poses a significant risk if improperly configured, Redinent has discovered.

>> Full Article <<
September 27, 2023 By Guru

According to recent findings by Proofpoint, a new malware called ZenRAT has been discovered. This malware is being spread via fraudulent download packages disguised as Bitwarden installations.

This malware primarily targets Windows users and redirects non-Windows users to benign web pages.

The method of distribution remains unknown, but historical precedents include SEO poisoning, adware bundles, and email.

>> Full Article <<
A security vulnerability originally classified as a Chrome bug is much more serious than thought. Numerous applications are probably affected, many of which have not yet received a security update.

September 27, 2023 By Kris Wallburg

Google has given an already-known security vulnerability a new CVE ID with the highest severity level. The reason for this is that the vulnerability, originally classified as a Chrome bug, affects significantly more applications, because it is a WebP vulnerability instead.

The WebP image file format is particularly popular on the web because it offers a good balance between storage size and quality. But the vulnerability allows attackers to use a specially crafted WebP image to create a heap buffer overflow and execute malicious code. To do this, the image must be opened in an application; in browsers, simply calling up a website is sufficient. The code executed in the background can then install malware, for example.

>> Full Article <<
September 27, 2023 By Pierluigi Paganini

DarkBeam left an Elasticsearch and Kibana interface unprotected, exposing records from previously reported and non-reported data breaches. The leaked logins present cybercriminals with almost limitless attack capabilities.

DarkBeam, a digital risk protection firm, left an Elasticsearch and Kibana interface unprotected, exposing records with user emails and passwords from previously reported and non-reported data breaches.

According to SecurityDiscovery CEO Bob Diachenko, who first identified the leak, the now-closed instance contained over 3.8 billion records.

DarkBeam has apparently been collecting information to alert its customers in case of a data breach. The incident will most likely affect more than DarkBeam users alone.

>> Full Article <<
September 26, 2023 By Bill Toulas

Hackers are utilizing a new trick of using zero-point fonts in emails to make malicious emails appear as safely scanned by security tools in Microsoft Outlook.

Although the ZeroFont phishing technique has been used in the past, this is the first time it has been documented as used in this way.

In a new report by SANS ISC analyst Jan Kopriva, the researcher warns that this trick could make a massive difference in the effectiveness of phishing operations, and users should be aware of its existence and use in the wild.

>> Full Article <<
By Fred Gutierrez | September 27, 2023

A Short History Lesson

In 1923, the Soviet Union created the Nagorno-Karabakh Autonomous Oblast (an oblast is an administrative region or province) within the Azerbaijan Soviet Socialist Republic. This oblast has a 95% ethnically Armenian population. In 1988, Nagorno-Karabakh declared its intention to leave Azerbaijan and join the neighboring Republic of Armenia. While the Soviet Union was able to keep the resulting tension under control, once the USSR began to collapse, armed conflict between Azerbaijan and Armenia began for control of the Nagorno-Karabakh region. While a ceasefire was tentatively reached in 1994 and again in 2020, tensions remain high between the two countries.

Figure 1. Regional Map

Affected platforms: Microsoft Windows
Impacted parties: Targeted management associated with an Azerbaijanian company
Impact: Reconnaissance of basic computer info of targeted users
Severity level: Low

A Spearphishing Campaign Exploits the Azerbaijan-Armen
September 27, 2023

Hackers are breaching GitHub accounts and inserting malicious code disguised as Dependabot contributions to steal authentication secrets and passwords from developers.

The campaign unfolded in July 2023, when researchers discovered unusual commits on hundreds of public and private repositories forged to appear as Dependabot commits.

Dependabot is an automated tool provided by GitHub that scans projects for vulnerable dependencies and then automatically issues pull requests to install the updated versions.

As reported today by Checkmarx, these fake Dependabot contributions were made possible using stolen GitHub access tokens, with the attackers' goal of injecting malicious code to steal the project's secrets.

Full Article
A previously unknown compression side channel in GPUs can expose images thought to be private.

DAN GOODIN - 9/26/2023

GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper published Tuesday.

The cross-origin attack allows a malicious website from one domain, say example.com, to effectively read the pixels displayed by a website from example.org or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same-origin policy, it mandates that content hosted on one website domain be isolated from all other website domains.

>> Full Article <<
September 26, 2023 By Bill Toulas

A new APT hacking group named 'AtlasCross' targets organizations with phishing lures impersonating the American Red Cross to deliver backdoor malware.

Cybersecurity firm NSFocus identified two previously undocumented trojans, DangerAds and AtlasAgent, associated with attacks by the new APT group.

NSFocus reports that the AtlasCross hackers are sophisticated and evasive, preventing the researchers from determining their origin.

"After an in-depth study of the attack process, NSFOCUS Security Labs found that this APT attacker is quite different from known attacker characteristics in terms of execution flow, attack technology stack, attack tools, implementation details, attack objectives, behavior tendency and other main attribution indicators," explains NSFocus.

"The technical level and cautious attitude shown by this attacker during this activity are also worthy of attention."

>> Full Article <<
September 25, 2023 By Bill Toulas

The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware's MOVEit hacking spree.

BORN is a perinatal and child registry that collects, interprets, shares and protects critical data about pregnancy, birth and childhood in the province of Ontario.

MOVEit attacks leveraged a zero-day vulnerability (CVE-2023-34362) in the Progress MOVEit Transfer software to compromise and steal data from thousands of organizations worldwide.

BORN first became aware of the security breach on May 31 and posted a public notice on its site while simultaneously notifying the relevant authorities (Privacy Commissioner of Ontario).

>> Full Article <<
September 26, 2023 By Sergiu Gatlan

Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability exploited as a zero-day in attacks and patched two weeks ago.

The company initially disclosed the flaw as a Chrome weakness, tracked as CVE-2023-4863, rather than assigning it to the open-source libwebp library used to encode and decode images in WebP format.

This zero-day bug was jointly reported by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School on Wednesday, September 6, and fixed by Google less than a week later.

...

New maximum severity CVE

However, it has now assigned another CVE ID, CVE-2023-5129, marking it as a critical issue in libwebp with a maximum 10/10 severity rating. This change has significant implications for other projects using the libwebp open-source library.

Now officially recognized as a libwebp flaw, it involves a heap buffer overflow in WebP, impacting Google Chrome versions precedin
CISO churn is a hidden cybersecurity threat. Major security initiatives or implementations can take longer than the residency of a single CISO, and constant churn can leave cracks or gaps in security.

September 26, 2023 By Kevin Townsend

The average tenure of a Chief Information Security Officer is said to sit between 18 and 24 months. This is barely enough time to get feet under the table, never mind a meaningful seat at the table. Two questions arise: why is there such volatile churn in this space, and how does it affect enterprise cybersecurity?

Reasons for CISO churn

Cause #1: the scapegoat effect

The potential for CISOs to be used as scapegoats for security incidents is widely accepted and potentially growing. It can simply be internal: 'We got breached under your watch, so we'll blame you and let you go.' But it can equally be a complex external issue ultimately caused by a lack of legal clarity in the Computer Fraud and Misuse Act (CFAA), a lack of clarity on bounty hunting and secur