Firstmac Limited, one of the largest non-bank lenders in Australia, disclosed a data breach.
Firstmac Limited is an Australian owned company with experience in home and investment loans. They have a range of market insurance products backed by international company, Allianz Group. International ratings agency Standard & Poors gives Firstmac its highest possible ranking (strong) for loan serviceability abilities.
The Embargo extortion group this week leaked over 500GB of data allegedly stolen from the company.
The company is notifying the impacted customers.
“Firstmac recently experienced a cyber incident where an unauthorised third party accessed a part of our IT System.” reads the notice of data breach sent to the impacted individuals and published by the popular researcher Troy Hunt. “As soon as we detected thè incident, we took steps to immediately secure our System. We also engaged cyber security experts to assist us with our investigation. Unfortunately, our investigation has identified that an unauthorised third party has accessed some customer information.”
Disclosure notices for the @FirstmacLimited ransomware incident appear to have now gone out: pic.twitter.com/e2SWoRJRTw
— Troy Hunt (@troyhunt) May 10, 2024
Exposed personal information includes:
The Australian non-bank lender added that there is no evidence of an impact on the accounts of current customers, it also remarked that their funds are secure.
“It is important to note that our systems are secure. We already have robust security processes in place for any account access changes, which will require you to confirm your identity using either Biometrics or Two Factor Authentication.” continues the notice.
Firstmac Limited provides impacted customers with IDCare identity theft protection services, it also recommends being vigilant and checking their bank accounts for any suspicious activity.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
Pro-Russia hackers targeted Kosovo government websites, including the websites of the president and prime minister, with DDoS attacks. The attacks are a retaliation for Kosovo’s support of Ukraine with military equipment. Defense Minister Ejup Maqedonci claimed that Russian hackers launched a cyberattack against Kosovo in retaliation for his statement supporting Ukraine at the Defence 24 conference in Poland.
The attacks caused temporary disruption, however, the government’s Information Society Agency restored the websites. The attack is part of a hybrid war aimed at destabilizing Kosovo’s security, stability, and welfare institutions, Prime Minister Albin Kurti told local media.
“We were informed by the relevant institutions that some government websites have been the target of DDoS attacks. For a short time the websites were not functioning,” a Government spokesperson told Balkan Insight.
“The attack was carried out by Russian hackers in retaliation for our support of Ukraine with military equipment,”
Foreign Minister Donika Gervalla-Schwarz announced on Tuesday that Kosovo was under a hybrid attack from Russia, following Kosovo’s announcement of support for Ukraine’s defense against Russian aggression.
Russia is attacking
— Donika Gërvalla-Schwarz (@gervallaschwarz) May 7, 2024in a hybrid attack today, following our announcement of support in military equipment for Ukraine in its justified defense against Russian genocidal aggression. We know from Serbia's genocide against
pic.twitter.com/DfSAzUMG2u
Russia and Pro-Russia groups have targeted in the past multiple European governments that expressed their support to Ukraine.
NATO and the European Union early this month condemned cyber espionage operations carried out by the Russia-linked threat actor APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) against European countries.
The German Federal Government condemned in the strongest possible terms the long-term espionage campaign conducted by the group APT28 that targeted the Executive Committee of the Social Democratic Party of Germany.
In March 2024, the Moldovan national intelligence agency warned of hybrid attacks from Russia ahead of the upcoming elections.
Since the beginning of the Russian invasion of Ukraine, pro-Russia threat actors hit Moldava due to its support to Kiev.
The Pro-Russia group Killnet group launched multiple DDoS attacks against governments that expressed support for Ukraine, including Moldova, Italy, Romania, the Czech Republic, Lithuania, Norway, and Latvia.
In October 2022, another wave of attacks targeted tens of Moldovan institutions with distributed denial-of-service (DDoS) attacks.
In October 2023, the French National Agency for the Security of Information Systems ANSSI (Agence Nationale de la sécurité des systèmes d’information) warned that the Russia-linked APT28 group has been targeting multiple French organizations, including government entities, businesses, universities, and research institutes and think tanks.
The French agency noticed that the threat actors used different techniques to avoid detection, including the compromise of low-risk equipment monitored and located at the edge of the target networks. The Government experts pointed out that in some cases the group did not deploy any backdoor in the compromised systems.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Kosovo)
Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.
International Press – Newsletter
Cybercrime
Traficom: Android malware that steals bank information
BTC-e Operator Pleads Guilty to Money Laundering Conspiracy
LockBit leader unmasked and sanctioned
New series of measures issued against the administrator of LockBit
Generative AI: Raising the stakes for fraud in online gambling
Massive webshop fraud ring steals credit cards from 850,000 people
Zscaler Investigates Hacking Claims After Data Offered for Sale
Dell discloses data breach of customers’ physical addresses
Threat actor says he scraped 49M Dell customer addresses before the company found out
University System of Georgia: 800K exposed in 2023 MOVEit attack
Malware
Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin
Mal.Metrica Redirects Users to Scam Sites
Protecting Networks from Opportunistic Ivanti Pulse Secure Vulnerability Exploitation
Hacking
French cyberwarriors ready to test their defense against hackers and malware during the Olympics
Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion
TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak
LLM PENTEST: LEVERAGING AGENT INTEGRATION FOR RCE
Alleged Europol Breach by IntelBroker
Russian hackers hijack Ukrainian TV to broadcast Victory Day parade
Von der Leyen’s campaign website hit by cyberattack
Intelligence and Information Warfare
UNDERSTANDING CHINA’S TAIWAN CYBER STRATEGY
Fighting disinformation gets harder, just when it matters most
MoD data breach: State involvement cannot be ruled out in armed forces hack, says Grant Shapps
APT28 campaign targeting Polish government institutions
A (Strange) Interview With the Russian-Military-Linked Hackers Targeting US Water Utilities
Signal’s Katherine Maher Problem
Cybersecurity
Russia’s Anti-Satellite Nuke Could Leave Lower Orbit Unusable, Test Vehicle May Already Be Deployed
BIG VULNERABILITIES IN NEXT-GEN BIG-IP
Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability
European Parliament’s recruitment application compromised in data breach
Encrypted services Apple, Proton and Wire helped Spanish police identify activist
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
The FBI, CISA, HHS, and MS-ISAC have issued a joint Cybersecurity Advisory (CSA) regarding the Black Basta ransomware activity as part of the StopRansomware initiative.
Black Basta has targeted at least 12 critical infrastructure sectors, including Healthcare and Public Health. The alert provides Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) obtained from law enforcement investigations and reports from third-party security firms.
Black Basta ransomware-as-a-service (RaaS) has been active since April 2022, it impacted several businesses and critical infrastructure entities across North America, Europe, and Australia. As of May 2024, Black Basta has impacted over 500 organizations worldwide.
“Black Basta is a ransomware-as-a-service (RaaS) variant, first identified in April 2022. Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.” reads the CSA.
In December 2023, Elliptic and Corvus Insurance published a joint research that revealed the group accumulated at least $107 million in Bitcoin ransom payments since early 2022. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall.
The researchers analyzed blockchain transactions, they discovered a clear link between Black Basta and the Conti Group.
In 2022, the Conti gang discontinued its operations, coinciding with the emergence of the Black Basta group in the threat landscape.
The group mainly laundered the illicit funds through the Russian crypto exchange Garantex.
“Black Basta is a Russia-linked ransomware that emerged in early 2022. It has been used to attack more than 329 organizations globally and has grown to become the fourth-most active strain of ransomware by number of victims in 2022-2023.” reads the Elliptic’s report. “Our analysis suggests that Black Basta has received at least $107 million in ransom payments since early 2022, across more than 90 victims. The largest received ransom payment was $9 million, and at least 18 of the ransoms exceeded $1 million. The average ransom payment was $1.2 million.”
Most of the victims are in the manufacturing, engineering and construction, and retail sectors. 61,9% of the victims are in the US, 15.8% in Germany, and 5.9% in Canada.
Some of the victims’ ransom payments were sent by both Conti and Black Basta groups to the gang behind the Qakbot malware.
The US agencies recommend critical infrastructure organizations implement several mitigations. These align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and NIST, providing a minimum set of practices to protect against common threats. Recommendations provided in the report include installing updates promptly, using phishing-resistant multi-factor authentication (MFA), securing remote access software, making backups, and applying mitigations from the #StopRansomware Guide.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)
On Christmas Eve, a cyberattack targeting the Ohio Lottery resulted in the exposure of personal data belonging to 538,959 individuals. The organization is notifying the impacted people.
Attackers gained access to names or other personal identifiers in combination with Social Security Numbers of the impacted individuals.
“On or about December 24, 2023, the Ohio Lottery detected unauthorized access to our internal office network as a result of a cybersecurity incident that resulted in the exposure of the data we maintain. The incident did not impact the gaming network,” reads the notice of data breach sent to the impacted individuals.
Ohio Lottery is providing impacted individuals free credit monitoring and identity theft protection services through IDX.
The company added that there is no evidence that the stolen information had been abused in fraudulent activities.
The DragonForce ransomware group claimed responsibility for the attack and the theft of 94GB of data.
“Long negotiations that seem to have led to nothing, about 1.500.000 records that contain (SSN, DOB) Ohio Lottery clients. This is about 12% of the population of the state of Ohio and these are just our conservative estimates.” reads the message published by the group on its Tor leak site. “Especially for your convenience, we have exported records from the database into a convenient CSV format, and you also have the opportunity to download full copies of the databases. Ohio Lottery themselves were warned that people could suffer, which in general apparently does not bother them at all, these are the consequences of negligence.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)
The threat actor IntelBroker announced on the cybercrime forum Breach the hack of the European law enforcement agency Europol.
The hacker said that the compromised data includes FOUO (For Official Use Only) and other classified data, such as Alliance employees, files related to recon and guidelines
IntelBroker added that the security breach occurred in May 2024, he said that impacted agencies are the CCSE (Joint Center for European Security), EC3, the Europol Expert Platform, the Law Enforcement Form, and the SIRIUS system. SIRIUS is an EU-funded project that helps law enforcement and judicial authorities access cross-border electronic evidence in the context of criminal investigations and proceedings.
“Hello BreachForums Community,
Today, I am selling the entire data breach belonging to Europol. Thanks for reading, enjoy!” announced the hacker. “In May 2024, Europol suffered a data breach and lead to the exposure of FOUO and classified data.”
The seller accepts only payments in Monero cryptocurrency.
This week IntelBroker also announced on a Breach Forums the sale of the access to “one of the largest cyber security companies.” IntelBroker did not reveal the name of the compromised security firm, but the threat actor announced in the BF ShoutBot that the company is ZScaler.
IntelBroker has offered to sell “confidential and highly critical logs packed with credentials”, including SMTP access, PAuth access, and SSL passkeys and certificates, for a total price of $20,000 in cryptocurrency.
“Hello BreachForums Community. Today Im sellng access to one of the largest cyber security companies. Revenue: $1.8 Billion Access includes: Confidential and highly critical logs packed with credentials SNITP Access Muth Pointer Auth Access SSL Passkeys S. SSL Certificates some others (will be on contact)” reads the announcement published by IntelBroker who is demanding $20K in XMR or ETH.
The seller added that the sale is covered by escrow, he will sell the access only to reputable forum members that will provide proof of funds.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)
Ascension is one of the largest private healthcare systems in the United States, ranking second in the United States by the number of hospitals as of 2019.
The organization was hit by a ransomware attack that severely impacted operations at hospitals in the country.
Impacted systems include electronic health records system, MyChart (which enables patients to view their medical records and communicate with their providers), some phone systems, and various systems utilized to order certain tests, procedures and medications.
The company detected the unusual activity on its network on May 8 and determined that it was the result of a cyber attack.
Ascension launched an investigation into the incident with the help of external forensics experts and is working to contain the attack and restore impacted systems. The company pointed out that the attack investigation and restoration activities will take time to complete.
The healthcare organization has temporarily suspended some non-emergent elective procedures, tests and appointments.
“We have implemented established protocols and procedures to address these particular system disruptions in order to continue to provide safe care to patients.” reads the notice of security incident. “Due to downtime procedures, several hospitals are currently on diversion for emergency medical services in order to ensure emergency cases are triaged immediately.
The notice doesn’t include details about the incident, it is unclear if threat actors have stolen information from Ascension.
However the impacts of the security breach and the emergency response procedures launched by the company suggests it was hit by a ransomware attack.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Healthcare)
Google this week released security updates to address a zero-day flaw, tracked as CVE-2024-467, in Chrome browser. The vulnerability is the fifth zero-day flaw in the Google browser that is exploited in the wild since the start of the year.
The vulnerability is a use-after-free issue that resides in the Visuals component. The flaw was reported by an anonymous researcher on May 7, 2024.
“Google is aware that an exploit for CVE-2024-4671 exists in the wild.” reads the advisory published by Google. As usual, the IT giant has not revealed details about the attacks exploiting this vulnerability.
The company addressed the vulnerability with the release of 124.0.6367.201/.202 for Mac/Windows and 124.0.6367.201 for Linux, with the updates rolling out over the coming days/weeks.
Below is the list of actively exploited zero-day in the Chrome browser that have been fixed this year:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Google)
CERT Polska and CSIRT MON teams issued a warning about a large-scale malware campaign targeting Polish government institutions, allegedly orchestrated by the Russia-linked APT28 group.
The attribution of the attacks to the Russian APT is based on similarities with TTPs employed by APT28 in attacks against Ukrainian entities.
“the CERT Polska (CSIRT NASK) and CSIRT MON teams observed a large-scale malware campaign targeting Polish government institutions.” reads the alert. “Based on technical indicators and similarity to attacks described in the past (e.g. on Ukrainian entities), the campaign can be associated with the APT28 activity set, which is associated with Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).”
The threat actors sent emails designed to pique the recipient’s interest and encourage them to click on a link.
Upon clicking on the link, the victims are redirected to the domain run.mocky[.]io, which is a free service used by developers to create and test APIs. The domain, in turn, redirects to another legitimate site named webhook[.]site which allows logging all queries to the generated address and configuring responses.
Threat actors in the wild increasingly rely on popular services in the IT community to evade detection and speed up operations.
The attack chain includes the download of a ZIP archive file from webhook[.]site, which contains:
Login
IMG-238279780.jpg.exe, which pretends to be a photo and is used to trick the recipient into clicking on it,.bat (hidden file),WindowsCodecs.dll (hidden file).If the victim runs the file fake image file, which is a harmless calculator, the DLL file is side-loaded to run the batch file.
The BAT script launches the Microsoft Edge browser and loads a base64-encoded page content to download another batch script from webhook.site. Meanwhile, the browser shows photos of a woman in a swimsuit with links to her genuine social media accounts, aiming to appear credible and lower the recipient’s guard. The downloaded file, initially saved as .jpg, is converted to .cmd and executed.
Finally, the code retrieves the final-stage script that gathers information about the compromised host and sends it back.
“This script constitutes the main loop of the program. In the loop for /l %n in () it first waits for 5 minutes, and then, similarly as before, downloads another script using the Microsoft Edge browser and the reference to webhook.site and executes it. This time, the file with the extension .css is downloaded, then its extension is changed to .cmd and launched.” continues the report. “The script we finally received collects only information about the computer (IP address and list of files in selected folders) on which they were launched, and then send them to the C2 server. Probably computers of the victims selected by the attackers receive a different set of the endpoint scripts.”
Regardless of whether your organization uses these websites, it’s also advised to filter emails for links to webhook.site and run.mocky.io, as legitimate use of these links in email content is very rare.
Last week, NATO and the European Union condemned cyber espionage operations carried out by the Russia-linked threat actor APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) against European countries.
The Federal Government condemned in the strongest possible terms the long-term espionage campaign conducted by the group APT28 that targeted the Executive Committee of the Social Democratic Party of Germany.
“The Federal Government’s national attribution procedure regarding this campaign has concluded that, for a relatively long period, the cyber actor APT28 used a critical vulnerability in Microsoft Outlook that remained unidentified at the time to compromise numerous email accounts.” reads the announcement published by the German Bundesregierung.
The nation-state actor exploited the zero-day flaw CVE-2023-23397 in attacks against European entities since April 2022. The Russia-linked APT also targeted NATO entities and Ukrainian government agencies.
The Czech Ministry of Foreign Affairs also condemned long-term cyber espionage activities by the group APT28. The Ministry’s statement also confirmed that Czech institutions have been targeted by the Russia-linked APT28 exploiting the Microsoft Outlook zero-day from 2023.
The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.
The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
Versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR used PuTTY, a third-party component, for SSH connections to guest VMs. However, PuTTY inclusion was deprecated with XenCenter version 8.2.6, and any versions after 8.2.7 will not include PuTTY.
The security flaw, tracked as CVE-2024-31497, affects multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which includes PuTTY.
The flaw resides in the code that generates signatures from ECDSA private keys which use the NIST P521 curve. An attacker can exploit the vulnerability to recover NIST P-521 private keys.
“An issue has been reported in versions of PuTTY prior to version 0.81; when used in conjunction with XenCenter, this issue may, in some scenarios, allow an attacker who controls a guest VM to determine the SSH private key of a XenCenter administrator who uses that key to authenticate to that guest VM while using an SSH connection.” reads the advisory.
The company recommends customers who do not want to use the “Open SSH Console” functionality to remove the PuTTY component. Customers who wish to use the functionality should replace the PuTTY version installed on their XenCenter system with an updated version (with a version number of at least 0.81).
The vulnerability CVE-2024-31497 was discovered by researchers Fabian Bäumer and Marcus Brinkmann from the Ruhr University Bochum. Bäumer explained that the vulnerability stems from the generation of biased ECDSA cryptographic nonces, which could allow full secret key recovery.
“The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.” Baumer explained. “The nonce generation for other curves is slightly biased as well. However, the bias is negligible and far from enough to perform lattice-based key recovery attacks (not considering cryptanalytical advancements).”
The following products include an affected PuTTY version and are therefore are also impacted by the flaw:
The flaw has been fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. TortoiseSVN users are recommended to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release when accessing a SVN repository via SSH until a patch becomes available.
Any product or component using ECDSA NIST-P521 keys impacted by the flaw CVE-2024-31497 should be deemed compromised. These keys should be revoked by removing them from authorized_keys, GitHub repositories, and any other relevant platforms.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Citrix)
IT giant Dell suffered a data breach exposing customers’ names and physical addresses, the company notified impacted individuals.
Dell compromised. pic.twitter.com/GF5e5UwRg8
— Jon Gorenflo(@flakpaket) May 9, 2024
The company launched an investigation into the incident that involved a Dell portal, which contains a database with limited types of customer information related to purchases from IT firm. The company downplayed the risk for the impacted individuals given the type of information involved.
“Dell Technologies takes the privacy and confidentiality of your information seriously. We are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell. We believe there is not a significant risk to our customers given the type of information involved” reads the data breach notification sent to the impacted customers.
Compromised data include customers’ names, physical addresses, and hardware and order information, including service tags, item descriptions, dates of order and related warranty information.
The company added that financial or payment information, email address, telephone number or any highly sensitive customer information were not exposed.
The IT giant did not share further details about the security breach.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
Researchers from Juniper Threat Labs reported that threat actors are exploiting recently disclosed Ivanti Connect Secure (ICS) vulnerabilities CVE-2023-46805 and CVE-2024-21887 to drop the payload of the Mirai botnet.
In early January, the software firm reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.
The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.
The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.
An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands.
“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.
The Juniper Threat Labs researchers observed threat actors exploiting the CVE-2023-46805 vulnerability to gain access to the end point “/api/v1/license/key-status/;” Then the attackers exploited the command injection issue to inject their payload.
Below is the request employed in the attacks observed by the experts:,
GET /api/v1/totp/user-backup-code/../../license/keys-status/{Any Command}
“Others have observed instances in the wild where attackers have exploited this vulnerability using both curl and Python-based reverse shells, enabling them to take control of vulnerable systems. More recently, we have encountered Mirai payloads delivered through shell scripts.” reads the analysis published by the experts.
One of the requests observed by the researchers includes an encoded URL that, when decoded, reveals a command sequence attempting to wipe files, download a script from a remote server, set executable permissions, and execute the script.
Then script navigates through system directories, downloads a file from a specific URL, grants permission to execute it, and runs it with a specific argument. The researchers analyzed the payloads and identified them as Mirai bots.
“The increasing attempts to exploit Ivanti Pulse Secure’s authentication bypass and remote code execution vulnerabilities are a significant threat to network security. The discovery of Mirai botnet delivery through these exploits highlights the ever-evolving landscape of cyber threats. The fact that Mirai was delivered through this vulnerability will also mean the deployment of other harmful malware and ransomware is to be expected. Understanding how these vulnerabilities can be exploited and recognizing the specific threats they pose is crucial for protecting against potential risks.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Mirai botnet)
Cybersecurity firm Zscaler is investigating allegations of a data breach following reports that threat actors are offering for sale access to its network. The company confirmed that there is no impact or compromise to its customer, production and corporate environments.
“Zscaler continues to investigate and reiterates there is no impact or compromise to our customer, production and corporate environments. During the afternoon of May 8, we engaged a reputable incident response firm that initiated an independent investigation.” reads the message published by the company. “We continue to monitor the situation and will provide additional updates through the completion of the investigation.”
The notorious threat actor IntelBroker announced on a Breach Forums that he was selling access to “one of the largest cyber security companies.” IntelBroker did not reveal the name of the compromised security firm, but the threat actor announced in the BF ShoutBot that the company is ZScaler.
The name was actually released however I missed that. Zscaler was named as victim. @zscaler @Threatlabz
— James H (@milkshakesbot) May 6, 2024
also tagging @vxunderground @DarkWebInformer @DailyDarkWeb
IntelBroker has offered to sell “confidential and highly critical logs packed with credentials”, including SMTP access, PAuth access, and SSL passkeys and certificates, for a total price of $20,000 in cryptocurrency.
“Hello BreachForums Community. Today Im sellng access to one of the largest cyber security companies. Revenue: $1.8 Billion Access includes: Confidential and highly critical logs packed with credentials SNITP Access Muth Pointer Auth Access SSL Passkeys S. SSL Certificates some others (will be on contact)” reads the announcement published by IntelBroker who is demanding $20K in XMR or ETH.
The seller added that the sale is covered by escrow, he will sell the access only to reputable forum members that will provide proof of funds.
In a previous update, ZScaler reported that their investigation discovered an isolated test environment on a single server (without any customer data) that was exposed to the internet. The company pointed out that the test environment was not hosted on Zscaler infrastructure and had no connectivity to Zscaler’s environments. However, the security firm has taken offline the test environment to conduct forensic analysis.
To be continued, stay tuned …
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)
F5 has addressed two high-severity vulnerabilities, respectively tracked as CVE-2024-26026 and CVE-2024-21793, in BIG-IP Next Central Manager that can lead to device takeover.
BIG-IP Next Central Manager (NCM) is a centralized management and orchestration solution offered by F5 Networks for their BIG-IP family of products. It provides a single pane of glass interface for managing multiple BIG-IP devices across an organization’s network infrastructure. With BIG-IP NCM, administrators can efficiently configure, monitor, and troubleshoot their BIG-IP devices, ensuring consistent policies and configurations across the network.
The flaws were discovered by Vladyslav Babkin of cybersecurity firm Eclypsium.
The vulnerability CVE-2024-26026 is a SQL injection issue that can be exploited by an unauthenticated attacker to execute malicious SQL statements through the BIG-IP Next Central Manager API (URI).
To mitigate this vulnerability, F5 suggests restricting the management access to the impacted products to only trusted users and devices over a secure network.
“Our ongoing research has identified remotely exploitable vulnerabilities in F5’s Next Central Manager that can give attackers full administrative control of the device, and subsequently allow attackers to create accounts on any F5 assets managed by the Next Central Manager.” reads the advisory published by Eclypsium that also provided a Proof-of-concept (PoC) exploit code. “These attacker-controlled accounts would not be visible from the Next Central Manager itself, enabling ongoing malicious persistence within the environment.”
The vulnerability CVE-2024-21793 is an OData injection issue that resides in the Next Central Manager API (URI).
An unauthenticated attacker can exploit this flaw to execute malicious SQL statements through the BIG-IP NEXT Central Manager API (URI).
Eclypsium is not aware of attacks in the wild exploiting the above vulnerabilities.
“Management systems for network infrastructure such as F5 BIG-IP are prime targets for attackers and require extra vigilance.” concludes the security firm.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, F5)
