Cybersecurity News: SonicWall VPN exploits, Fed cyber chief’s priorities, U.S. spyware investment triples

In today’s cybersecurity news…

SonicWall SSL VPN flaws now being actively exploited

Following up on a story we covered in August, cybersecurity firm Rapid7 says it has “observed a spike in intrusions involving SonicWall appliances over the past month, particularly following reports about renewed Akira ransomware activity since late July.” SonicWall has subsequently confirmed that the attacks on its firewalls “involved a year-old security flaw (CVE-2024-40766) with a CVSS score of 9.3, where local user passwords were carried over during the migration and not reset.” Customers are advised to “rotate passwords on all SonicWall local accounts, remove any unused or inactive SonicWall local accounts, ensure MFA/TOTP policies are configured, and restrict Virtual Office Portal access to the internal network.”

(The Hacker News)

Acting federal cyber chief outlines his priorities

Michael Duffy, speaking at the Billington Cybersecurity Summit, identified his priorities as “focusing enterprise cyber defense, increasing operational resilience, and securing a modern U.S. government.” He described the first of these as “a matter of leaders thinking about things like vulnerability management, supply chain or incidence responses not just for their own agency, but across the enterprise as well,” adding, “it’s incumbent upon agencies to act now rather than waiting for the next cyber crisis to shape the next 10 years.”

(FedScoop)

U.S.-based investors in spyware firms nearly tripled in 2024

According to a report from the Atlantic Council think tank, 31 American firms were found to be backing spyware manufacturers, compared to 11 in 2023. The report states that “the U.S. is the largest investor in the spyware market.” As examples, it cites Paragon, maker of the Graphite product allegedly “used to target WhatsApp users,” which was acquired by Florida-based AE Industrial Partners last year, and Integrity Partners, which invested in Saito Tech Ltd, creator of the Candiru spyware.

(The Record)

UK cybersecurity legislation delayed again

The UK government’s long-awaited Cyber Security and Resilience Bill (CSRB) has been delayed again, despite its main provisions being finalized three years ago. The Sunak government failed to table the bill in 2022, and the Starmer government’s nearly identical version was due this week but was postponed amid a cabinet reshuffle. No new date has been announced. The delay comes as Britain faces escalating cyberattacks, including a recent incident that halted production at Jaguar Land Rover, described as an “economic security incident.” Other attacks have hit retailers like Marks & Spencer and the Co-op, causing nationwide supply disruptions.

(The Record)

Huge thanks to our sponsor, Vanta

Do you know the status of your compliance controls right now? Like…right now?

We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta.

Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done 5 times faster with AI.
Now that’s…a new way to GRC.

Get started at Vanta.com/headlines.

DDoS defender targeted in giant DDoS attack

A Europe-based DDoS mitigation service provider was targeted in a massive distributed denial-of-service attack that reached 1.5 billion packets per second. The attack was launched from thousands of IoT devices and MikroTik routers. FastNetMon, the company that mitigated the attack, “did not name the targeted customer, but describes it as a DDoS scrubbing provider.” The attack was detected in real time, and mitigation action was taken using the customer’s DDoS scrubbing facility.

(BleepingComputer)

Hackers use ConnectWise ScreenConnect to drop AsyncRAT

Researchers at LevelBlue are warning of a campaign that uses the remote desktop software to deploy the AsyncRAT trojan. The report states that attackers are using VBScript/PowerShell loaders and are achieving persistence via a fake Skype updater. This attack is an example of a fileless malware campaign in which .NET assemblies are run directly in memory instead of saving executables to disk, which makes detection and defense much harder.

(Security Affairs)

KillSec ransomware attacks Brazilian healthcare software provider

The attack targeted MedicSolution, a software solutions provider for the healthcare industry in Brazil, and according to researchers at Resecurity, the root cause of the incident was “data exfiltration from an insecure AWS S3 bucket.” The window of exposure is estimated at several months. The stolen data includes sensitive laboratory results reports, medical assessments, and other private patient information. According to Resecurity, affected patients had not been made aware of the attack. The total volume of stolen data exceeds 34Gb. KillSec ransomware actors “also targeted healthcare institutions in Colombia, Peru, and the United States.”

(Security Affairs)

New VMScape attack breaks guest-host isolation on AMD, Intel CPUs

As posted on BleepingComputer, “a new Spectre-like attack dubbed VMScape allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs.” This attack, developed by a team of researchers at ETH Zurich public university in Switzerland, “breaks the isolation between VMs and the cloud hypervisor, bypassing existing Spectre mitigations and threatening to leak sensitive data by leveraging speculative execution.” The researchers note that “a threat actor could deploy such an attack against a cloud provider by simply renting a virtual machine to leak secrets from the hypervisor or other VMs.”

(BleepingComputer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.