In today’s cybersecurity news…
Toyota confirms third-party data breach impacting customers
Toyota has confirmed that customer data was exposed in a data breach of an unnamed third party. Toyota said the scope of the issue is limited and that it will provide assistance to impacted individuals. A threat actor known as ZeroSevenGroup leaked the 240 GB trove of stolen data for free and said the data includes Toyota employee and customer info, as well as financial information and network infrastructure details and credentials. BleepingComputer said the stolen files had a timestamp of December 25, 2022, potentially indicating the data was stolen at that time, or possibly more recently from a backup server.
Man who hacked Hawaii state registry sentenced
In January 2023, Kentucky man Jesse Kipf used stolen login credentials to access the Hawaii Death Registry System and “certified” his own death. The creds belonged to a physician who worked for a local hospital but had left the job in 2021. By certifying his own death records, Kipf avoided paying more than $116,000 in child support. Hawaii’s Department of Health sent breach notices to affected individuals after cybersecurity firm Mandiant found the credentials had been sold on the dark web. Kipf also hacked into other state death registry systems and “governmental and corporate networks,” then sold stolen data to “customers” in Russia, Algeria and Ukraine. On Monday, he was sentenced to 81 months in prison.
U.S. Intelligence blames Iran for Trump campaign hack
Following up on a story we covered last week on Cyber Security Headlines, U.S. intelligence agencies, including the FBI, have confirmed that Iran was behind a cyberattack against an adviser to former President Donald Trump. Roger Stone reported that his email was hacked, after which attackers impersonated him to further target Trump’s campaign. This development comes as no surprise as Google’s Threat Analysis Group (TAG) reported last week that Iranian group Charming Kitten was behind attempts to access personal email accounts of both Trump and Biden-Harris campaign staffers. The agencies said the activity is part of “increasingly aggressive Iranian activity during this election cycle.”
Mobile banking users targeted in new credential theft scheme
According to Slovakia-based cybersecurity firm ESET, hackers have leveraged malicious banking apps to target Android and iOS devices since last November. The hackers used automated voice calls, SMS messages and social media advertisements to trick users into installing malicious look-alike banking apps from high-quality phishing pages, including one that imitated the official Google Play Store. After installation, victims were prompted to submit their internet banking credentials, which were sent to attacker-controlled servers. Among the known victims were customers of the prominent Czech bank CSOB as well as banks in Hungary (OTP) and Georgia (TBC).
(The Record and The Hacker News)
Huge thanks to our sponsor, Nudge Security

Hackers use PHP exploit to backdoor Windows systems
Unknown threat actors have deployed a newly discovered backdoor dubbed Msupedge on Windows systems belonging to an unnamed Taiwanese university. The attack likely exploited a recently patched PHP remote code execution vulnerability (CVE-2024-4577) that we covered back in July on Cyber Security Headlines. The critical bug affects PHP installations running in CGI mode on Windows systems and allows unauthenticated attackers to execute arbitrary code, leading to complete system compromise. The backdoor uses DNS traffic to communicate with the command-and-control (C&C) server, a tactic not commonly observed in the wild.
Kubernetes bug could have exposed sensitive data
Microsoft addressed a critical privilege escalation vulnerability in its managed Azure Kubernetes Service (AKS). Researchers at Mandiant identified the bug, which could have allowed attackers to steal sensitive information and execute other malicious actions in AKS clusters using Azure CNI for network configuration and Azure for network policy. Callie Guenther, senior manager of cyber threat research at Critical Start, said that though Microsoft has patched the issue, security teams must audit their AKS configurations, rotate Kubernetes secrets and monitor for suspicious activities. Guenther added, “While this vulnerability is serious, requiring prompt action, it is a second-stage attack, meaning it needs prior access to a pod.”
Google Play Store’s bug bounty program ending this month
Google’s seven-year-long bug bounty program for Android apps on the Google Play Store is set to conclude on August 31, 2024. Launched in 2017, the Google Play Security Reward Program (GPSRP) initially focused on a select group of developers and apps, offering rewards of $5,000 for the most critical vulnerabilities. In 2019, the scope widened to include all apps distributed on the platform, with payouts reaching $20,000. While termination of the program raises questions about the future of the overall security posture of the Android ecosystem, Google said it will continue to invest in various security initiatives, including the Android Vulnerability Rewards Program (AVRP) which focuses on the underlying Android OS.
Darktrace co-founder Mike Lynch presumed dead after superyacht sinks
British tech entrepreneur Mike Lynch, co-founder of Darktrace and Autonomy, is among six people presumed dead after a 184-foot superyacht sank early Monday. The ship was caught in a sudden and severe storm, with a waterspout striking it while it was anchored near Porticello, Italy. Out of the 22 people on board, 15 have been rescued, one was confirmed dead, and six remain missing, including Lynch and his 18-year-old daughter. Darktrace offers an AI-powered threat detection and response platform and was sold back in April 2024 to private equity giant Thoma Bravo for $5.3 billion.