Cyber News Roundup for June 14, 2024

Welcome to our latest cybersecurity roundup. This week, SolarWinds patched critical vulnerabilities discovered by NATO, while the FCC proposed enhancements to BGP security. Microsoft announced that its Recall feature will be opt-in due to security concerns, and The New York Times suffered a source code leak. Additionally, Cisco Talos found serious vulnerabilities in AutomationDirect’s PLCs, and Frontier Communications warned 750,000 customers of a data breach. Read all these stories and more below.

 

1. SolarWinds fixes flaws unearthed by NATO

SolarWinds has patched multiple high-severity vulnerabilities in its platform, including a path traversal flaw and a command injection bug, both of which could lead to command execution and privilege escalation. These vulnerabilities were reported by NATO’s Cyber Security Centre and could be exploited by authenticated local users or those with admin-level access to execute arbitrary commands. Users are advised to update to SolarWinds Platform version 2023.1 to mitigate these risks​. (SecurityWeek)

 

2. FCC’s plan to strengthen BGP protocol

The FCC has proposed requiring broadband providers to enhance Border Gateway Protocol (BGP) security and submit quarterly progress reports. This initiative aims to mitigate BGP-related risks, including data theft and espionage, by implementing Resource Public Key Infrastructure (RPKI) measures. The proposal highlights the need for robust security in internet routing to protect national security and public safety. (SecurityWeek)

 

3. Microsoft resets Recall plans

Following up on a story that dogged the industry last week, Microsoft announced on Friday that its new feature Recall will not be released as active by default, but will instead be an opt-in feature. The feature, which had been designed as a visual timeline, capturing screenshots of users, screens every five seconds to be analyzed and parsed was immediately decried by security experts for its potential as a gaping security lapse, with WIRED’s Andy Greenberg going so far as to call it “unrequested, pre-installed spyware.” Microsoft has responded by pointing out Recall’s security features and how a user remains in total control of its functionality. Researcher Kevin Beaumont whose warnings were instrumental in getting Microsoft to change course on the product did add later, “There are obviously going to be devils in the details…but there’s some good elements here. Microsoft needs to commit to not trying to sneak users to enable it in the future.” (The Hacker News)

 

4. New York Times source code is leaked online

Internal source code and data from The New York Times were leaked on the 4chan message board after being stolen from GitHub repositories in January 2024. An anonymous user posted a torrent of a 273GB archive containing the stolen data, which includes source code, IT documentation, and infrastructure tools. The leak was discovered by VX-Underground and confirmed by The Times to BleepingComputer. The breach occurred due to exposed credentials for a third-party code platform. The Times stated there was no unauthorized access to its internal systems or impact on operations. This incident follows another leak on 4chan of Disney’s internal documents, though it is unclear if the same person is responsible for both breaches. (Bleepingcompter)

 

5. Cisco Talos finds 15 serious vulnerabilities in PLCs

Cisco’s Talos unit found 15 vulnerabilities in AutomationDirect’s Productivity series PLCs, classified as ‘high’ or ‘critical’ severity. These flaws can enable remote code execution or denial-of-service attacks, risking costly industrial disruptions. Although typically not exposed to the internet, about 50 devices might be online, as shown by a Shodan search. AutomationDirect released updates and recommendations to address these issues. The US cybersecurity agency CISA informed organizations of these vulnerabilities in late May. (SecurityWeek)

6. Frontier Communications warns 750,000 customers of a data breach

Frontier Communications is warning 750,000 customers of a data breach following an April cyberattack by the RansomHub ransomware group. The breach exposed personal information, including full names and Social Security Numbers, but not financial information. The company has informed regulatory authorities and implemented additional security measures. Affected customers are advised to enroll in free credit monitoring and identity theft services provided by Kroll. RansomHub has threatened to leak 5GB of stolen data if Frontier does not respond by June 14. (Bleepingcomputer)

 

7. Cyber assistance coming to rural hospitals

Both Microsoft and Google announced programs to offer cybersecurity services to these organizations. The Biden administration announced that Google will offer free endpoint security advice to non-profits and rural hospitals, as well as launch a pilot for these hospitals to develop a better package of security security services. Microsoft separately announced a program to provide “non-profit pricing” and discounts on cybersecurity services up to 75%, as well as a free year of access to its security suite, and free Windows 10 security updates. The White House said there are at least 1,800 rural hospitals in the US that would quality. (The Record)

 

8. The world’s largest law firm faces class action over the MOVEit hack

Kirkland & Ellis, the world’s largest law firm by revenue, is facing a proposed class action over a data breach linked to the MOVEit Transfer file management software hack in May 2023. The lawsuit accuses Kirkland and other companies, including Humana and Progress Software, of failing to protect personal information. The breach affected millions and led to numerous lawsuits, now centralized in Massachusetts federal court under U.S. District Judge Allison Burroughs. Kirkland represented Trilogy Home Healthcare in its acquisition by Humana’s CenterWell Home Health, transferring files with private information using MOVEit. The lawsuit, filed on behalf of at least 4,700 people, claims Kirkland delayed notifying Trilogy of the breach until October, with customers informed in March 2024. The ransomware gang cl0p claimed responsibility for the hack. (Reuters)

 

9. SAP releases high priority patches

SAP announced the release of ten new and two updated security notes for its June 2024 Security Patch Day. This includes two high-priority patches: a cross-site scripting (XSS) vulnerability in Financial Consolidation (CVE-2024-37177, CVSS score 8.1), and a denial-of-service (DoS) vulnerability in SAP NetWeaver AS Java (CVE-2024-34688, CVSS score 7.5). The XSS flaw can manipulate website content, severely impacting confidentiality and integrity, while the DoS issue allows attackers to disrupt service by exploiting unrestricted access to Meta Model Repository services. Eight medium-severity vulnerabilities affect various SAP products, leading to potential DoS conditions, file uploads, information disclosure, or data tampering. Two low-severity issues in BusinessObjects Business Intelligence Platform and Central Finance Infrastructure Components were also addressed. Organizations are urged to update their systems promptly. (SecurityWeek)

 

10. Chinese hackers breached 20,000 FortiGate systems

Dutch authorities (MIVD) disclosed back in February that Chinese hackers exploited a critical code execution flaw in FortiOS/FortiProxy (CVE-2022-42475) to infect 14,000 devices between 2022 and 2023. The Coathanger remote access trojan (RAT) malware was used in the attacks and was also found on a Dutch Ministry of Defence’s research and development (R&D) network. Dutch authorities indicate that since February, the number of compromised FortiGate devices has ballooned to 20,000. They believe Chinese hackers still have access to many victims because the Coathanger malware survives firmware upgrades and is difficult to detect as it intercepts system calls to avoid revealing its presence. (Bleeping Computer)

 

11. Dutch military intelligence warns of the Chinese Coathanger RAT

The Dutch military intelligence and security service (MIVD) has issued a warning about an extensive Chinese cyber-espionage campaign. According to the National Cyber Security Centre (NCSC), state-sponsored hackers exploited a vulnerability in FortiGate devices (CVE-2022-42475) for two months before it was disclosed. This zero-day attack infected 14,000 devices, targeting Western governments, international organizations, and defense companies. The MIVD and the Dutch signals intelligence service (AIVD) revealed that the hackers breached the Dutch Ministry of Defence’s network, deploying the COATHANGER remote access trojan (RAT). The ongoing investigation shows the hackers accessed at least 20,000 FortiGate systems globally in 2022 and 2023. Identifying and removing the COATHANGER malware remains challenging, and many systems likely remain compromised. (The Record)

 

12. Life360 faces extortion attempt after Tile data breach

Life360, the parent company of Tile, a bluetooth tracking device reported an extortion attempt following a data breach in Tile’s customer support platform. The breach reportedly exposed personal information including names, addresses, email addresses, and phone numbers but did not compromise sensitive information like credit card numbers or location data primarily because that data is not stored on the customer support platform. 404 Media reports the hacker used stolen credentials of a former Tile employee to gain access to the systems. Life360 confirms the hackers have tried to extort the company to get their data back but has not released how many customers are impacted. (404 Media), (Bleeping Computer)

 

13. Hackers target Toronto school board

In a letter to parents, the Toronto School Board (TDSB) announced they discovered an attack on their technology testing environment. It should be noted that these test environments are separate from the board’s official networks. TDSB is the largest in Canada, managing 582 schools and more than 230,000 students. A representative from the school board says systems are operational and they are currently investigating if there was any impact on the network or if any personal information was taken. (The Record), (School Board Letter)