In today’s cybersecurity news…
Cisco patches a level 10 vulnerability in IOS XE
The patch fixes a maximum-severity security flaw with a CVSS score of 10 in its IOS XE Wireless Controller. This vulnerability “could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system.” In an advisory released Wednesday, Cisco stated the vulnerability exists “due to the presence of a hard-coded JSON Web Token (JWT) on an affected system…an attacker could exploit this by sending crafted HTTPS requests to the AP image download interface.” Exploitation requires the Out-of-Band AP Image Download feature to be enabled on the device; it is disabled by default.
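To illustrate why a hard-coded JWT is an authentication problem in its own right, here is an added example (not Cisco's code, and unrelated to the actual IOS XE implementation) that mints and verifies HS256 tokens with Python's standard library only. The `FIRMWARE_KEY` value, the `ap-image-download` subject and the helper names are constructed placeholders; the point is that a key baked into every unit makes one token valid everywhere, while a per-device key generated at provisioning plus an enforced expiry does not.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(key: bytes, claims: dict) -> str:
    """Mint an HS256 JWT (header.payload.signature, base64url without padding)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(key: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has not expired, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if "exp" not in claims or claims["exp"] <= (now if now is not None else time.time()):
        return None
    return claims

# Constructed placeholder: a signing key baked into every firmware image (not Cisco's value).
FIRMWARE_KEY = b"constructed-baked-in-key"

def baked_in_key_is_shared() -> bool:
    """Weak design: one token minted with the baked-in key validates on every device."""
    token = mint_jwt(FIRMWARE_KEY, {"sub": "ap-image-download", "exp": time.time() + 3600})
    return verify_jwt(FIRMWARE_KEY, token) is not None  # every unit shipping the key accepts it

def per_device_key_is_not_shared() -> bool:
    """Mitigation: each device generates its own key at provisioning, so a token for one unit fails on another."""
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    token = mint_jwt(key_a, {"sub": "ap-image-download", "exp": time.time() + 3600})
    return verify_jwt(key_a, token) is not None and verify_jwt(key_b, token) is None

def expired_token_is_rejected() -> bool:
    """A static or stale token must never be accepted; expiry is checked on every verification."""
    key = secrets.token_bytes(32)
    return verify_jwt(key, mint_jwt(key, {"sub": "x", "exp": 1000}), now=2000) is None
```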
President nominates former Unilever CISO to be Pentagon CIO
Kirsten Davies is the former chief information security officer at Unilever. According to her LinkedIn bio, which the Defense Department is using as a backgrounder, “she served as CISO for Unilever from September 2021 to June 2024 and had other senior information security roles at The Estée Lauder Companies, Barclays bank, Hewlett-Packard and Siemens.” She is also a member of Team8’s CISO Village, described as “an avenue for exchanging ideas, collaborating as an industry, and promoting innovation in cyber security…Team8 is a global venture group that invests in companies specializing in cyber capabilities and artificial intelligence.”
SonicWall patches a new zero-day vulnerability
On Wednesday, the company announced patches for three vulnerabilities affecting its Secure Mobile Access (SMA) 100 series appliances, all of which could lead to remote code execution (RCE). These are different vulnerabilities from those we reported on last Friday. Each of the new vulnerabilities has a CVE number; their CVSS ratings are 8.8, 8.3, and 6.7, and each allows an attacker to inject commands. Users are advised to update their systems as soon as possible. More details about these vulnerabilities can be found in the show notes to this episode.
VC firm Insight Partners confirms vital data stolen in January attack
Following up on a story we covered in February, the venture capital firm Insight Partners has announced it will be alerting an unspecified number of people over the next few days about data that was stolen as a result of a January 16 hack. This data includes “personal information about its current and former employees, and information relating to its limited partners, the investors who provide capital to Insight’s venture funds but whose names are typically kept private.” Also stolen was “information about certain funds, management companies, and portfolio companies, including banking and tax information.” According to the company’s earlier statement in February, threat actors “used a sophisticated social engineering technique to gain access to its infrastructure.”
(TechCrunch and Security Affairs)
Thanks to today’s episode sponsor, ThreatLocker

PowerSchool hacker now extorting individual school districts
Following up on a story we have been covering since January, the education technology company PowerSchool now says that despite having paid a ransom, “the same threat actor is now attempting to use the stolen data to extort the individual school districts that it works with.” The breach, which occurred in December, exposed sensitive personal data of more than 60 million K-12 students and more than nine million teachers. PowerSchool had expressed confidence that the incident had been resolved, telling BleepingComputer the hacker shared a video which purported to show the data being deleted. Apparently, this was not the end of the story, as at least four school boards have been contacted with extortion requests.
South African Airways suffers cyberattack
The state-owned airline said the cyberattack occurred last Saturday and temporarily disrupted its website and several internal operational systems. Essential customer service channels, such as the airline’s contact centers and sales offices, were not affected, and full functionality was restored later the same day. The airline has not confirmed whether the incident involved ransomware, and as of this recording, no group has taken credit for the incident.
Google connects LostKeys malware and Russian cyberspies to ClickFix
The Russian state-backed hacking group ColdRiver has been using a new malware called LostKeys to steal files as part of an espionage campaign against Western governments, journalists, think tanks, and non-governmental organizations. ColdRiver has been confirmed as being connected to Russia’s Federal Security Service, according to security services in the United Kingdom as well as in the Five Eyes Alliance. As mentioned in BleepingComputer, “the Google Threat Intelligence Group first observed LostKeys being deployed selectively in January as part of the ClickFix series of social engineering attacks, where the threat actors trick victims into running malicious PowerShell scripts.” Google adds, “the typical behavior of ColdRiver is to steal credentials and then use them to steal emails and contacts from the target.”
LockBit ransomware gang hacked
As quoted in BleepingComputer, “the LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump,” which itself appears to have occurred on April 29. It is not known who carried out this breach or how they did it, but the defacement message, which reads, “Don’t do crime CRIME IS BAD xoxo from Prague,” matches one used in a recent breach of the dark web site belonging to Everest ransomware, suggesting a possible link. BleepingComputer continues, “It’s too early to tell if this additional reputation hit will be the final nail in the coffin for the ransomware gang.”