Cybersecurity News: Goldoon exploits D-Link, CISA GitLab warning, Dropbox Sign breach

Goldoon botnet exploits D-Link routers

The exploit involves a security flaw that is almost 10 years old, specifically CVE-2015-2051 which has a CVSS score of 9.8. It affects D-Link’s DIR-645 routers and allows remote attackers to execute arbitrary commands by means of specially crafted HTTP requests. The exploit was announced by Fortinet FortiGuard Labs researchers Cara Lin and Vincent Li, following a spike in the botnet activity on April 9 of this year. After setting up contact with a C2 server, Goldoon provides 27 different ways to launch DDoS attacks via protocols such as DNS, HTTP, TCP, and others.

(The Hacker News)

CISA adds Gitlab flaw to its KEV catalog

Following up on a story we covered in late January, the issue, which affects GitLab Community and Enterprise Editions is an account takeover via Password Reset. Tracked as CVE-2023-7028, it has a CVSS score of 10.0, and can be exploited to hijack an account without any interaction. In other words, a zero click. The flaw allows reset emails to be sent to unverified email addresses, and although GitLab addressed the flaw, researchers from ShadowServer still report thousands of instances exposed online that are vulnerable, most in the U.S., Germany, and Russia.

(Security Affairs)

Dropbox discloses breach of digital signature service

The company announced on Wednesday that its Dropbox Sign service, formerly called HelloSign, has been breached by unidentified threat actors, who “accessed emails, usernames, and general account settings associated with all users of the digital signature product.” The breach was discovered on April 24. The announcement also said that for “subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.” This intrusion “also affects third parties who received or signed a document through Dropbox Sign, but never created an account themselves, specifically exposing their names and email addresses.” This is a developing story.

(The Hacker News)

Cybersecurity consultant arrested after allegedly extorting IT firm

Vincent Cannady, 57, had been assigned by a staffing agency to find and fix potential vulnerabilities within the systems of a New York-based multinational IT infrastructure services provider. After being terminated for “performance reasons,” Cannady allegedly used a company-issued laptop to download proprietary and confidential information, including architectural maps, trade secrets, and lists of potential vulnerabilities, from the victim company’s network, to which he still had access, and which he threatened to disclose unless they paid him $1,500,000. He also cut off the staffing firm’s access to the laptop and threatened lawsuits for emotional distress. If found guilty, Cannady faces a maximum of 20 years.

(BleepingComputer)

Huge thanks to this week’s episode sponsor, Dropzone AI

Dropzone.ai’s AI Autonomous Analyst is transforming cybersecurity as we know it. By replicating the techniques of elite analysts and autonomously investigating every alert, our patented system force multiplies your SOC team by 10X without adding headcount. Experience the future of threat detection and response at dropzone.ai. Request a trial today!

Government agencies warn of ongoing Russian IoT hacks

CISA has released a fact sheet, co-authored with government agencies from the U.S., Canada, and the UK, which warns that hacktivist groups have been “attempting to compromise ICS and OT systems in North America and Europe, particularly in sectors such as water and wastewater systems (WWS), dams, energy, and food and agriculture.” The report shows how the groups have been targeting internet-exposed human-machine interfaces (HMIs), typically leveraging default passwords and outdated VNC software to do things such as causing water pumps to exceed their normal operating parameters, turning off alarm mechanisms, and changing administrative passwords to lock out the operators.

(Security Week and CISA fact sheet)

Ukrainian sentenced to almost 14 years for REvil ransomware deeds

A Ukrainian hacker, Yaroslav Vasinskyi, 24, has been sentenced to almost 14 years in prison for both distributing REvil ransomware and seeking over $700 million in ransom payments. In addition to the sentence, he has been ordered to pay more than $16 million in restitution. He did not work alone but was part of a group. One of their most infamous infections was that of the software provider Kaseya in 2021 that spread the ransomware to thousands of companies around the world.

(The Record)

A record-setting first quarter for global ransomware attacks, says Corvus Report

On Tuesday, April 30, Corvus Insurance released its Q1 2024 ransomware numbers, which show that last year’s troubling trends continue, with first quarter 2024 attacks surpassing Q1 2023 by 21 percent. The report shows that this set a record for the most global ransomware attacks in a first quarter: 1,075 ransomware victims were posted on leak sites during this period, 18 new leak sites emerged over Q1 (the largest number to emerge in a single quarter on record), and attacks on medical practices (specialists or family clinics) were up 38 percent over Q4 2023. A link to the Corvus report is available in the show notes to this episode.

(Corvus Insurance Report)

Decommissioned U.S. government supercomputer for sale, low mileage, only one previous owner

If you have dreamed of owning your own former government supercomputer, now’s your chance. The U.S. General Services Administration has begun an auction for the decommissioned Cheyenne supercomputer, located in Cheyenne, Wyoming. In 2016 it was the 20th most powerful in the world. Bidding started at $2,500, but its posted price is currently $27,643 with the reserve not yet met. With a peak performance of 5,340 teraflops, this baby was capable of performing over 3 billion calculations per second for every watt of energy consumed, making it three times more energy-efficient than its predecessor, Yellowstone. You will have to come and pick it up yourself, though. The auction includes 14 E-Cell power units each weighing about 1,500 lbs, as well as two air-cooled Cheyenne Management Racks, each weighing 2,500 lbs, that contain servers, switches, and power units.

(Ars Technica)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.