Cybersecurity News: Cisco firewall warning, Colt Telecom cyberattack, CISA’s OT request

Cisco warns of maximum-severity defect in firewall software

According to an advisory published by the company on Thursday, the flaw affects Cisco Secure Firewall Management Center Software and could allow “unauthenticated attackers to inject arbitrary shell commands and execute high-privilege commands.” It was found during internal security testing, and Cisco has released a patch for it alongside fixes for 29 other vulnerabilities across its Secure product line. Cisco’s Product Security Incident Response Team is not currently aware of any exploitation of the vulnerability, but updating or applying a mitigation is strongly advised.

(Cyberscoop)

UK’s Colt Telecom suffers cyberattack

The British telecommunications provider, whose name stands for City of London Telecom, offers services in 30 countries across Europe and Asia as well as in North America. A threat actor claiming to be a member of the WarLock ransomware gang took responsibility for the attack and offered to sell what it says is a batch of one million documents allegedly stolen from Colt for $200,000. According to the seller, the data includes “financial, employee, customer, and executive data, internal emails, and software development information.” Cybersecurity researcher Kevin Beaumont is quoted by BleepingComputer as suggesting the attacker likely gained access by “exploiting a remote code execution vulnerability in Microsoft SharePoint,” a flaw that has been exploited as a zero-day since at least July 18 and was addressed by Microsoft on July 21.

(BleepingComputer)

CISA implores OT environments to lock down critical infrastructure

The agency wants companies that run operational technology environments to pay attention and improve their cybersecurity posture. Citing an 87 percent year-over-year increase in attacks this year, according to Dragos, CISA has published new foundational guidance for OT cybersecurity that “starts with the absolute basics: assume nothing, and start entirely fresh with a new taxonomy-based OT asset inventory.” A link to the report is available in the show notes to this episode.

(The Register and CISA)
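To make the phrase “taxonomy-based asset inventory” concrete, here is an added example (not code from CISA or from the report) that builds such an inventory from passive network observations. The observation records, the protocol-to-asset-type mapping and the taxonomy fields (type, role, Purdue level, criticality) are all constructed for illustration and are not the report’s own field list; the point is the “assume nothing” rule, under which every asset that cannot be fully classified is surfaced as a gap to be resolved by hand rather than silently dropped.

```python
"""Taxonomy-based OT asset inventory from passive observations.
Added illustration; the taxonomy and data below are constructed, not CISA's."""

# Constructed passive-discovery records (e.g. from a span-port sniffer), not real data.
OBSERVATIONS = [
    {"mac": "00:80:f4:01:02:03", "ip": "10.10.1.5",  "proto": "modbus/tcp", "port": 502,  "zone": "cell-1"},
    {"mac": "00:80:f4:01:02:03", "ip": "10.10.1.5",  "proto": "modbus/tcp", "port": 502,  "zone": "cell-1"},  # repeat sighting
    {"mac": "00:1c:06:aa:bb:cc", "ip": "10.10.1.20", "proto": "s7comm",     "port": 102,  "zone": "cell-1"},
    {"mac": "00:50:56:11:22:33", "ip": "10.10.2.10", "proto": "opc-ua",     "port": 4840, "zone": "supervisory"},
    {"mac": "b8:27:eb:44:55:66", "ip": "10.10.2.77", "proto": "ssh",        "port": 22,   "zone": "supervisory"},
    {"mac": "3c:97:0e:77:88:99", "ip": "10.10.9.3",  "proto": "https",      "port": 443,  "zone": None},
]

# Simplified taxonomy (assumption, for illustration): protocol -> (asset type, role, Purdue level).
PROTO_TAXONOMY = {
    "modbus/tcp": ("PLC", "control", 1),
    "s7comm":     ("PLC", "control", 1),
    "dnp3":       ("RTU", "control", 1),
    "opc-ua":     ("server", "supervisory", 2),
}
# Criticality derived from the zone an asset sits in (assumption, for illustration).
ZONE_CRITICALITY = {"cell-1": "high", "supervisory": "medium"}

TAXONOMY_FIELDS = ("type", "role", "purdue_level", "criticality", "zone")


def classify(obs):
    """Map one observation to an inventory entry; unknown values stay None."""
    asset_type, role, level = PROTO_TAXONOMY.get(obs["proto"], (None, None, None))
    return {
        "mac": obs["mac"],
        "ip": obs["ip"],
        "zone": obs["zone"],
        "protocols": {obs["proto"]},
        "type": asset_type,
        "role": role,
        "purdue_level": level,
        "criticality": ZONE_CRITICALITY.get(obs["zone"]),
    }


def build_inventory(observations):
    """Merge observations into one entry per MAC, keeping every protocol seen
    and filling taxonomy fields from later sightings when earlier ones were blank."""
    inventory = {}
    for obs in observations:
        entry = classify(obs)
        existing = inventory.get(obs["mac"])
        if existing is None:
            inventory[obs["mac"]] = entry
            continue
        existing["protocols"] |= entry["protocols"]
        for field in TAXONOMY_FIELDS:
            if existing[field] is None:
                existing[field] = entry[field]
    return inventory


def unclassified(inventory):
    """'Assume nothing': any asset with a missing taxonomy field is a gap,
    returned as a sorted list of MACs for manual follow-up."""
    return sorted(
        mac for mac, asset in inventory.items()
        if any(asset[field] is None for field in TAXONOMY_FIELDS)
    )


if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for mac, asset in inv.items():
        print(mac, asset["ip"], asset["type"], asset["role"], asset["purdue_level"], asset["criticality"])
    print("needs manual classification:", unclassified(inv))
```

Deduplicating on MAC rather than IP matters in OT networks, where addresses are often static but occasionally reassigned; the SSH-only device and the host with no zone are reported as gaps because the script refuses to guess a type or criticality for them.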

Scammers use “ghost-tapping” for retail fraud

A report released Thursday from researchers at Recorded Future’s Insikt Group describes a crime technique called “ghost-tapping,” in which “stolen payment card details are uploaded onto a burner phone and used in-person to purchase goods.” It is currently being used by Chinese organized criminal groups in Southeast Asia. The gangs first use social engineering, phishing and mobile malware to steal victims’ card information and then intercept one-time passwords. The loaded phones are then offered for sale on Telegram channels, where criminal syndicates buy them and use hired mules to make purchases with them. “The police are cautioning people to not enter their bank details into suspect e-commerce sites, and especially not to then use one-time passwords on the same site.”

(The Record)

Huge thanks to our sponsor, Conveyor

Have you been personally victimized by portal security questionnaires? Conveyor is here to help.

Endless clicks, bad navigation, and expanding questions stacked like Russian nesting dolls, all add up to hours of your life you’ll never get back.

With Conveyor’s AI-powered browser extension, you can open a portal questionnaire, scan for questions, and watch it auto-populate your answers back into the portal without the copy and paste.

See how at www.conveyor.com

Plex makes urgent appeal to users to update their media servers

The Plex media platform sent out a notification to some of its users on Thursday to update their media servers due to a recently patched security vulnerability. The flaw affects only certain Plex Media Server versions, but applying the update is considered urgent. The patch can be downloaded from the Plex server management page or the official downloads page.

(BleepingComputer)

DOJ seizes assets from creator of Zeppelin ransomware

The U.S. Department of Justice has announced the seizure of more than $2.8 million in cryptocurrency from suspected ransomware operator Ianis Aleksandrovich Antropenko. He was indicted in Texas for “computer fraud and money laundering” and is linked to Zeppelin ransomware, a now-defunct extortion operation that ran between 2019 and 2022 and targeted a range of individuals, businesses, and organizations worldwide, including in the United States. Authorities also confiscated cash and a luxury vehicle.

(BleepingComputer)

Researchers get clear look at ERMAC 3.0 banking trojan

A team from Hunt.io has reviewed the full source code of the Android banking trojan ERMAC 3.0 and traced how it has evolved from Cerberus and Hook to the point where it now targets more than 700 banking, shopping, and cryptocurrency applications. ERMAC is operated by the threat actor behind the BlackRock mobile malware. The leaked ERMAC 3.0 code exposed flaws in the operators’ own infrastructure, including “hardcoded secrets, static tokens, and weak credentials.” We reported on Version 2.0 of ERMAC in May of 2022. Version 3.0 adds new injection methods, a C2 panel and an Android backdoor, and confirms ERMAC’s status as an active malware-as-a-service platform.

(Security Affairs)

New HTTP/2 vulnerability allows for DoS attacks

According to researchers at Deepness Lab, a new attack technique called MadeYouReset could be exploited to conduct powerful denial-of-service (DoS) attacks. It “bypasses the typical server-imposed limit of 100 concurrent HTTP/2 requests per TCP connection from a client,” allowing an attacker to create a denial-of-service condition that can escalate into out-of-memory crashes. Now assigned a CVE number, MadeYouReset is “the latest flaw in HTTP/2 after Rapid Reset and HTTP/2 CONTINUATION Flood.”

(The Hacker News and Deepness Lab)
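The 100-stream limit is bypassed because a server typically counts only streams that are still open, while the request a stream carried has already been handed to the backend before the stream is reset. The added model below (an illustration, not code from Deepness Lab or from any HTTP/2 implementation) shows that accounting gap and one way to close it. It is deliberately agnostic about who sends the RST_STREAM: in Rapid Reset the client sends it, and per the researchers’ write-up MadeYouReset instead provokes the server into sending it, which is why rate limits that only watch client-sent resets do not catch the new variant. The reset budget of 50 and the assumption that backend work is never cancelled are both constructed worst-case choices.

```python
"""Stream accounting in an HTTP/2 server: naive vs hardened.
Added illustration only; nothing here is from Deepness Lab or any real server."""
from collections import deque

MAX_CONCURRENT_STREAMS = 100   # the usual SETTINGS_MAX_CONCURRENT_STREAMS value


class NaiveConnection:
    """Counts concurrency by open streams alone. A reset frees the slot
    immediately even though the request has already been queued for the backend."""

    def __init__(self):
        self.open_streams = set()
        self.backend_queue = deque()   # work the backend has not finished yet
        self.closed = False

    def accept_headers(self, stream_id):
        """Client HEADERS frame: admit the stream if under the limit and dispatch."""
        if self.closed or len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return False
        self.open_streams.add(stream_id)
        self.backend_queue.append(stream_id)   # dispatched before any response
        return True

    def reset_stream(self, stream_id):
        """RST_STREAM on this stream (sent by either side): slot freed, work kept."""
        self.open_streams.discard(stream_id)

    def backend_done(self, stream_id):
        """Backend finished a request; only now is its memory released."""
        self.backend_queue.remove(stream_id)

    def pending_work(self):
        return len(self.backend_queue)


class HardenedConnection(NaiveConnection):
    """Two changes: queued backend work counts against the stream limit, and the
    number of resets seen on the connection is budgeted; exhausting the budget
    closes the connection (stand-in for sending GOAWAY). Budget is an assumption."""

    def __init__(self, reset_budget=50):
        super().__init__()
        self.reset_budget = reset_budget
        self.resets = 0

    def accept_headers(self, stream_id):
        in_flight = len(self.open_streams) + len(self.backend_queue)
        if self.closed or in_flight >= MAX_CONCURRENT_STREAMS:
            return False
        self.open_streams.add(stream_id)
        self.backend_queue.append(stream_id)
        return True

    def reset_stream(self, stream_id):
        self.open_streams.discard(stream_id)
        self.resets += 1
        if self.resets >= self.reset_budget:
            self.closed = True


def simulate(conn, n_requests=1000):
    """Worst case: the client opens a stream and gets it reset at once, n times,
    while the backend is too slow to complete anything during the burst."""
    accepted = 0
    for i in range(n_requests):
        stream_id = 2 * i + 1            # client-initiated streams are odd
        if not conn.accept_headers(stream_id):
            continue
        accepted += 1
        conn.reset_stream(stream_id)
    return {"accepted": accepted, "pending": conn.pending_work(), "closed": conn.closed}


if __name__ == "__main__":
    print("naive:   ", simulate(NaiveConnection()))
    print("hardened:", simulate(HardenedConnection(reset_budget=50)))
```

With the naive accounting, all 1,000 requests are admitted on one connection and all 1,000 sit in the backend queue, which is the path to the out-of-memory condition the researchers describe; the hardened connection admits at most 100 regardless of resets, and the reset budget ends the connection long before that. Counting work in flight, not streams open, is the check to look for when reviewing an HTTP/2 stack’s response to this advisory.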

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.