Weekly Cyber Security
News, Events & Information
From sources found online in the past seven days
Hello all,
The unfolding tragedy of CDK Global continues to dominate both the tech and automotive news as automobile and truck dealerships across North America have been forced to regress two decades and resort to manual, analog methods of conducting business. Many find that nearly impossible to accomplish and are crippled. Bet that they wished they’d tested their IR (Incident Response) and BC (Business Continuity) plans for this type of contingency a bit more rigorously. It is estimated that $16 billion will be lost in sales, which would account for a 2.3% drop in the nation’s retail sales for June. That will take nearly a full percentage point off the country’s GDP. Pile on the third-party suppliers and vendors that are caught in this quagmire and it gets worse. And then there are payrolls – larger dealerships can likely weather this storm, but smaller ones, now lacking cash-flow will be unable to pay vendors, suppliers, and employees. This supply-chain attack will keep giving for some time to come. Thankfully, it appears that CDK may now be in the process of restoration, and some of the financial hit will be mitigated by a bounce-back in July, but this is far from over. As MSN News wrote, “You may want to hold off on looking at your 401(k) on July 25 when the government releases second-quarter GDP estimates”.
A lot more than CDK was happening this week, so read on for a bit more regarding them, and other news of note and interest.
The volume of news can appear overwhelming. The best strategy is to read the Notable Callouts below, then skim the full list of linked news item titles that follow for anything that pertains to you or your environment, or that simply interests you, and select those for more information. So, let’s get to it. And don’t forget, our site, https://red-n-security.com, also has searchable archives of past newsletters.
Notable Callouts:
- CDK Global, as noted above, is in a world of hurt. Rumors are floating that they will pay, or have already paid, the multi-million-dollar ransom the criminals demanded.
- WordPress has delisted five plugins to address a supply-chain attack that inserted backdoors into them. The investigation into how they were compromised is still ongoing. If you use any of the affected plugins, uninstall them or update to a clean version, and immediately conduct a full scan of your site, including a check for unexpected administrator accounts. Wordfence has excellent guidance on how to perform this process. WordPress core itself was also updated to version 6.5.5 this past week to fix three different vulnerabilities. Patch immediately if you don’t have automatic updates turned on.
- Fortra FileCatalyst Workflow has a critical SQL injection (SQLi) vulnerability. If you use this file transfer product, patch or mitigate immediately, as a PoC exploit for this vulnerability already exists.
- HubSpot, used by nearly a quarter of a million corporate clients for marketing and CRM has apparently experienced an incident and is in the process of contacting affected customers. Initial findings suggest that less than 50 HubSpot accounts were impacted.
- Juniper has patched 225 vulnerabilities in Juniper Secure Analytics (fixed in 7.5.0 UP8 IF03), at least one of which is critical. Patch immediately, as there are no workarounds.
- MOVEit by Progress Software has patched more vulnerabilities found in their file transfer system, including authentication bypass flaws. It is imperative to patch quickly, as exploitation by evil people has already begun.
- Polyfill.io is a site used “for adding JavaScript polyfills to sites, small bits of code that provide modern functionality in older browsers and ensure compatibility with a broader range of browsers.” This function is largely unnecessary today, since modern browsers include the functionality natively, but scores of websites still reference it. In February 2024 a Chinese CDN company took over the site and domain, and it was found last week that “the cdn.polyfill.io domain is injecting malicious code into more than 100,000 websites that are using it.” If any of your sites load scripts from polyfill.io, remove the references rather than waiting for a fix. There is a lot to this story, so check the link for more information.
- TeamViewer is investigating a breach of their corporate network. They say that the customer-facing network was not affected. Time will tell. For now, be very wary of any TeamViewer connectivity, especially anything new.
- US Government, due to a massive security hole that Google patched, has ordered some Pixel users to update their phones within 10 days or stop using them. If you have a Pixel, patch it now.
- VMware ESXi has patched a few flaws, including an authentication bypass. Check the details and patch as appropriate.
- Wi-Fi man-in-the-middle: two weeks ago I discussed insecure wireless access on my vacation. This section’s article about a Western Australian man who set up fake free Wi-Fi at airports and on flights to steal people’s data underscores why it is important to stay vigilant.
In Ransomware, Malware, and Vulnerabilities News:
- Some good news for a change. In the first few articles in this section, you’ll find links to stories of success by law enforcement, both domestic and worldwide, against some of the evil cyber-scourge.
- Meet the Ransomware Negotiators is an excellent interview with professionals that undertake this challenging high-stakes digital tango.
- LockBit made the news a number of times in this section, most notably with their claim of breaching the US Federal Reserve, which proved to be false. However, Arkansas’ Evolve Bank & Trust, the actual victim, is now in a world of hurt and is causing ripples in the fintech sector. Hopefully, they don’t swell into a tsunami.
In Other News Events of Note and Interest:
- Kaspersky has been banned in the US by the government. Unfortunately, businesses and Managed Service Providers (MSPs) are now on the hook for the time and cost of ripping it out and replacing it with a different product, with very little time to get it accomplished.
- VMware vSphere 8 Update 3 is out with live patching for ESXi. It is about time. Needing to reboot after patching is onerous and causes delays in much needed patching.
In Cyber Insurance News:
- Cyber recovery costs soar 50%, surpassing insurance limits. How much coverage is enough? With attacks not slowing, and new threat actors cropping up each month, it is vital to ensure that you have sufficient insurance coverage to help you recover.
This coming week many of those in the United States will commemorate our country’s 248th birthday with celebratory parades, fireworks nationwide, and a four-day weekend. Threat actors worldwide are quite aware that cyber-defenders in the USA will be lightly staffed during this period, so they will be increasingly aggressive in their attempts. Make sure that you batten down the hatches and remain vigilant so that you don’t come back to work on Monday the 8th to a different form of fireworks.
Keep the shields up. They really are out to get you.
Viscount Jan Broucinek
Red-N Weekly Cyber Security News
Headline NEWS
- Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack
- CDK Global calls cyberattack that crippled its software platform a “ransom event”
- CDK cyberattack outage could lead to 100,000 fewer cars sold in June, experts say
- Critical SQLi Vulnerability Found in Fortra FileCatalyst Workflow Application
- HubSpot says it’s investigating customer account hacks
- Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP8 IF03
- Progress quietly fixes MOVEit auth bypass flaws
- Batten down the hatches, it’s time to patch some more MOVEit bugs
- Polyfill Supply Chain Attack Hits Over 100k Websites
- TeamViewer’s corporate network was breached in alleged APT hack
- US government tells some Pixel users to update their phones in 10 days or stop using them
- VMware ESXi Flaw Allows Attackers to Bypass Authentication
- Western Australian man set up fake free Wi-Fi at Australian airports and on flights to steal people’s data
Ransomware, Malware, and Vulnerabilities News
- Google’s Naptime Framework to Boost Vulnerability Research with AI
- Four FIN9 hackers indicted for cyberattacks causing $71M in losses
- UK and US cops band together to tackle Qilin’s ransomware shakedowns
- FBI puts a $5 million bounty on the missing Cryptoqueen
- Indonesia detains 103 Taiwanese in a raid in Bali involving suspected cybercrime
- Nearly 4,000 arrested in global police crackdown on online scam networks
- ‘Don Corleone of cybercrime’ scammed thousands of Europeans
- The biggest data breaches in 2024: 1B stolen records and rising
- Why MFA alone will no longer suffice
- 75% of new vulnerabilities exploited within 19 days
- BECs reported to be most common form of cyberattack
- North Korean Hackers Using New ‘HappyDoor’ Malware Used In Email Attacks
- Google cuts ties with Entrust in Chrome over trust issues
- Personal data of US citizens could be passed to China, fears govt
- Microsoft informs customers that Russian hackers spied on emails
- Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims
- Critical GitLab bug lets attackers run pipelines as any user
- Dangerous AI Workaround: ‘Skeleton Key’ Unlocks Malicious Content
- Mac users served info-stealer malware through Google ads
- Phishing attack launched against Any.Run
- Crown Equipment Confirms a Cyber Attack by a Cybercrime Group After a Multi-Week Disruption
- Zero-day vulnerabilities in temperature monitors could leak patient data
- Florida Attorney General’s Office sent nearly $71,000 to a suspected imposter
- Tech expert explains how Tri-State school district lost $1.7M in cyberattack
- Polyfill.io owner punches back at ‘malicious defamation’ amid domain shutdown
- Cyber Attackers Turn to Cloud Services to Deploy Malware
- Chinese Cyberspies Employ Ransomware in Attacks for Diversion
- Scammers are targeting the Facebook profiles of long-term users like Sarah for one reason
- New security loophole allows spying on internet users’ online activity
- ISP accused of installing malware on 600,000 customer PCs to interfere with torrent traffic
- Apple Patches AirPods Bluetooth Vulnerability That Could Allow Eavesdropping
- Researchers Warn of Flaws in Widely Used Industrial Gas Analysis Equipment
- Security experts find millions of users running malware infected extensions from Google Chrome Web Store
- New Attack Technique Exploits Microsoft Management Console Files
- That PowerShell ‘fix’ for your root cert ‘problem’ is a malware loader in disguise
- A Watershed Moment for Threat Detection and Response
- Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool
- Amtrak Data Breach Stemming from Credential Stuffing Compromises Guest Rewards Accounts
- Levi’s and more affected in pants-dropping week of data breaches
- New Cyberthreat ‘Boolka’ Deploying BMANAGER Trojan via SQLi Attacks
- Snowflake isn’t an outlier, it’s the canary in the coal mine
- The Snowflake latest: New victims, ShinyHunters takes credit
- Neiman Marcus confirms data breach after Snowflake account hack
- New Medusa malware variants target Android users in seven countries
- Hackers exploit critical D-Link DIR-859 router flaw to steal passwords
- Meta’s Virtual Reality Headset Vulnerable to Ransomware Attacks
- Meet the Ransomware Negotiators
- US firms claimed to be attacked by BianLian ransomware gang
- LockBit Most Prominent Ransomware Actor in May 2024
- Infosys McCamish says LockBit stole data of 6 million people
- LockBit 3.0 Claims Attack on Federal Reserve: 33 Terabytes of Sensitive Data Allegedly Compromised
- LockBit holds its word, publishes US Federal Reserve alleged data
- LockBit lied: Stolen data is from a bank, not US Federal Reserve
- Arkansas-based Evolve Bank confirms cyber attack and data breach – LockBit’s true victim
- Evolve Bank breach takes toll on fintech firms
- Indonesia’s national data center encrypted with LockBit ransomware variant
- Dealership system hackers seemingly identified as restorations begin
- New Credit Card Skimmer Targets WordPress, Magento, and OpenCart Sites
- Zyxel NAS Devices Under Attack: Mirai-Like Botnet Exploiting
Other News Events of Note and Interest
- Adobe will launch more native Arm-based Windows apps, including Illustrator, soon
- Apple just became first company ever charged with violating EU’s new pro-competition law
- CISA Releases Guidance on Network Access, VPNs
- CentOS Linux 7 Is End-Of-Life
- How the Kaspersky ban will hit resellers in the US
- ‘Devastating loss’: Digital lending library, Internet Archive, removes 500,000 books after being sued by publishers
- Why Passphrases are Safer and Easier than Passwords
- Google dropping continuous scroll in search results
- Google rolls out Gemini side panels for Gmail and other Workspace apps
- Time to update your contact pics as Google Messages now shows them bigger
- Proton VPN is now free to use without an account on Android
- Firefox users are unhappy with privacy tweaks in the browser’s latest version
- Mozilla fixes YouTube playback issues in Firefox
- Justice Department convicts five men for running a huge illegal streaming service
- Intel releases new Wi-Fi and Bluetooth drivers with Windows 11 version 24H2 support
- VMware vSphere 8 Update 3, with ESXi Live Patching, Integrated Kubernetes Cluster Management
- Windows: Insecure by design
- Toward greater transparency: Unveiling Cloud Service CVEs
- Update on MFA requirements for Azure sign-in
- Microsoft hits snooze again on security certificate renewal
- Microsoft breached antitrust rules by bundling Teams with office software, European Union says
- Microsoft surfaces underwater data centers, stops experiment
- Microsoft unveils major Windows 11 Start menu upgrade — integrates Phone Link messages and notifications
- Microsoft confusing users again with new Outlook update
- Microsoft Defender thinks you created your own Windows PC virus by writing this one line
- 0patch will keep Windows 10 secure for at least five more years after Microsoft abandons it
- Windows 10 KB5039299 non-security update is out with taskbar and jumplist fixes
- Microsoft pauses Windows 11 KB5039302 rollout as it breaks PCs and causes infinite restarts
- Windows 11 is now automatically enabling OneDrive folder backup without asking permission
- Windows Update will include more Microsoft products, including Visual Studio
- Microsoft is deprecating WSUS driver synchronization
- WordPress 6.5.5 Security Release – What You Need to Know