Power outage darkens Cloudflare dashboard and APIs
As of this recording, Cloudflare continues to struggle with an outage that has affected its customers’ ability to use Alerts, Dashboard functionality, Zero Trust, WARP, Cloudflared, Waiting Room, Gateway, Stream, Magic WAN, API Shield, Pages, and Workers. Instead of those services, customers are seeing Code 10000 authentication errors and internal server errors. Cloudflare confirms the outage does not affect cached file delivery via the Cloudflare CDN or Cloudflare Edge security features. According to numerous media sources, the company revealed that the ongoing issues are due to power outages at multiple data centers.
Apache ActiveMQ flaw sees HelloKitty attempt
Following up on a story we brought you yesterday, researchers at Rapid7 are warning of possible exploitation of the vulnerability in Apache ActiveMQ tagged as CVE-2023-46604. Attempts to deploy the HelloKitty ransomware were noticed in two separate customer environments. Although Apache dealt with the flaw through the October 25 release of new ActiveMQ versions, the researchers stated that proof-of-concept exploit code and vulnerability details are still publicly available. Both of the customer environments identified were running outdated versions.
Boeing says cyber incident affects parts and distribution
Following up on a story we brought you on Monday, Boeing has confirmed that a cyberattack affected its parts and distribution process but emphasized that this does not affect flight safety. LockBit had added Boeing to its leak site on October 27, giving the company until November 2 to respond. The company’s name was removed from the leak site on Monday. No payment negotiations can be confirmed, but a Boeing spokesperson told Recorded Future News, “we are assessing this claim.”
Okta informs 5,000 staff of data theft due to third-party breach
This number covers current and former employees of the ID management company, and the third-party vendor was Rightway Healthcare, a company that compares healthcare providers and rates. According to the notification to the employees, the break-in happened in Rightway’s IT environment on September 23. Rightway informed Okta about the intrusion on October 12, nearly three weeks later. The information stolen included names, Social Security numbers, and health or medical insurance plan numbers.
(MSN.com)
Huge thanks to this week’s episode sponsor, Hunters

Ransomware attack hits 70 German municipalities
The attack has paralyzed local government services in towns across the western part of the country. It was carried out by an unknown hacker group that encrypted the files of a municipal service provider, Südwestfalen IT. The resulting outage took down online services such as those of finance and registry offices. According to German cybersecurity experts, “the timing of the attack is particularly sensitive, as local governments typically perform financial transactions such as salaries, social assistance, and transfers from the nursing care fund at the end of the month.”
Prolific Puma outed for link shortening cybercrime services
The security company Infoblox describes this little-known threat actor as a company that provides “domain names with an RDGA [registered domain generation algorithm] and use these domains to provide a link shortening service to other malicious actors, helping them evade detection while they distribute phishing, scams, and malware.” Little is known about the group and its owners, but it has registered between 35,000 and 75,000 unique domain names since April 2022, and it also acts as a DNS threat actor, leveraging DNS infrastructure for its criminal pursuits. A link to the Infoblox report is available in the show notes to this episode.
(The Hacker News and Infoblox)
WhatsApp mod uses Telegram to hit Arabic-speaking users with spyware
A report from researchers at Kaspersky describes this mod as one of many that contain malicious code. Mods are modified versions of apps, typically made to add features that the original developers did not include, but in this case abused by malware propagators. This mod, named by the researchers as Trojan-Spy.AndroidOS.CanesSpy, spreads via Telegram, primarily to users in Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt. They pointed out that “WhatsApp mods are mostly distributed through third-party Android app stores, which often lack screening and fail to take down malware.”
(Securelist from Kaspersky)
Microsoft reveals Secure Future Initiative to bolster security
The plan, announced yesterday, pledges to “improve the built-in security of its products and platforms to better protect customers against escalating cybersecurity threats.” It will be called the Secure Future Initiative (SFI) and will have three pillars, “focused on AI-based cyber defenses, advances in fundamental software engineering, and advocacy for stronger application of international norms to protect civilians from cyber threats.” This will include using automation and artificial intelligence (AI) to “transform” software development, aiming to deliver what it describes as “software that is secure by design, by default, and in deployment,” while also prioritizing secure defaults to ensure optimal protection for users out of the box.