4.3 million impacted by HealthEquity data breach
One of the largest HSA providers in the U.S., HealthEquity, is in the process of notifying 4.3 million people that their personal and health information was compromised. The company disclosed that the breach was attributed to a third-party vendor and that threat actors stole PII, including names, Social Security numbers, and payment information. While HealthEquity did not name the compromised vendor, those impacted should expect to be notified early next month.
(Security Week), (Bleeping Computer)
Microsoft admits CrowdStrike incident far greater than first reported
It’s been nearly two weeks since the great CrowdStrike outage, and it’s likely to be a while before we know the full extent of the damage. However, we are getting some insight that Microsoft’s initial estimate of 8.5 million machines crashing is too low. Microsoft VP David Weston said in a blog post over the weekend that those initial numbers were based on voluntary crash reports shared by customers. Since not every customer shares their crash reports, Weston wrote that the initial 8.5 million was “a subset of the number impacted.” The post also included a promise from the company to reduce infosec vendors’ reliance on kernel drivers following the incident.
Proofpoint exploit allows for millions of fake emails
This phishing campaign was reeling in the big boys. Dubbed “EchoSpoofing,” this massive phishing campaign exploited now-fixed weak permissions in Proofpoint’s email protection service. The emails impersonated Fortune 100 companies like Disney, Nike, IBM, and Coke, with an average of 3 million fake emails sent daily. It wasn’t easy deciphering these fake emails; they included properly configured Sender Policy Framework (SPF) records and DomainKeys Identified Mail (DKIM) signatures to make the emails look authentic. The security gap was discovered in May and has since been fixed, though Bleeping Computer reports the campaign reached a peak of 14 million emails in early June.
PatchNow: CISA adds two ServiceNow critical RCE bugs to catalog
A threat actor has claimed to have harvested email addresses and associated hashes from over 105 ServiceNow databases by exploiting two critical vulnerabilities (CVE-2024-4879 and CVE-2024-5217). These vulnerabilities, with CVSS scores of 9.3 and 9.2, respectively, have been actively exploited, and the stolen data is now being sold for $5,000. The US Cybersecurity and Infrastructure Security Agency (CISA) has added these flaws to its Known Exploited Vulnerabilities catalog, mandating that federal agencies patch them by August 19.
Huge thanks to our sponsor, Dropzone AI

VMware patch release followed by ransomware exploits
Less than a week after VMware released patches for a critical ESXi hypervisor vulnerability, Microsoft reports that ransomware groups are exploiting it. It’s important to note that VMware did not mention any active exploitation when the patch was issued. The flaw (CVE-2024-37095) has a severity score of 6.8, and ransomware groups are using it to gain administrative access and deploy data-extortion malware. Patches are available for ESXi 8.0 and VMware Cloud Foundation 5.x, but none are planned for ESXi 7.0 and VMware Cloud Foundation 4.x.
Critical API flaws expose millions to account takeover
Critical vulnerabilities in Hotjar and Business Insider have put millions of users at risk through a combination of OAuth and XSS flaws, according to Salt Security’s Salt Labs. Hotjar, used by over a million websites including brands like Adobe and Microsoft, collects extensive personal data, which can be exposed through these flaws. Business Insider (a global news site) has a separate XSS vulnerability that can also be used for account takeover. Salt Labs warns that this combination of vulnerabilities is likely widespread, posing a significant threat to many other websites.
Pro-Ukrainian hacking group takes credit for Russian attack
A pro-Ukrainian hacker group calling themselves the ‘Cyber Anarchy Squad’ has claimed responsibility for a breach of a Russian cybersecurity firm, encrypting 400 virtual machines and allegedly destroying more than 60 terabytes of data. The security firm, Avanpost, confirmed the incident, saying the company’s infrastructure was hit by a “serious cyberattack” but did not give any details about the extent of the damage. According to The Record, the hackers leaked 390 gigabytes of information and shared some on Telegram and Mega.
New PowerShell backdoor discovered
The Cyber Intelligence team at Walmart says they’ve discovered a previously unknown PowerShell backdoor alongside a new variant of the Zloader/SilentNight malware. The backdoor employs sophisticated obfuscation techniques to enable further access and deploy other malware, including Zloader. The threat actor also has ties to the Black Basta ransomware group, suggesting ransom is the intention of the threat actors. Walmart says there’s no indication they were a target but made the discovery while proactively investigating new threats.