• Cybersecurity in 60 Seconds - June 14 2024 - Chinese Hack the Dutch / Most Software Cos Will Miss the CISA Deadline / Cyber Claims in 2023 at Record Highs
    Jun 14 2024

    Dutch Intelligence Uncovers Extensive Chinese Cyber Espionage

    Dutch military intelligence has revealed that Chinese state-backed hackers have targeted Western governments, defense companies, and international organizations, with at least 20,000 victims worldwide in a few months. The hacking group, responsible for the 2023 attack on the Dutch defense ministry, has likely claimed many more victims. China's embassy has not responded to requests for comment, and Beijing has a history of denying allegations of cyber espionage. The Dutch intelligence agency has urged organizations to adopt an "Assume Breach" approach, assuming that a successful digital attack has already occurred or will occur soon.

    Majority of Software Makers to Miss Biden's Cybersecurity Deadline

    A recent survey by Lineaje found that 84% of software companies are not prepared to meet the June 11 deadline set by the Cybersecurity and Infrastructure Security Agency (CISA) to submit Software Development Attestation Forms, required for software security reporting. The forms aim to ensure software producers follow guidelines to secure their networks and share cyber incident information with the federal government. The survey attributed the lack of compliance to budget and staff restrictions, as well as limited awareness of the requirements. The federal government has emphasized the need for a secure software supply chain, citing past incidents like the SolarWinds breach. Despite the deadline, agencies are still working on a rule to require software companies to comply with the executive order.

    Vulnerabilities Discovered in End-of-Life Netgear Routers

    Security researchers have identified six vulnerabilities in older Netgear WNR614 N300 routers, which reached end-of-life three years ago. These vulnerabilities could allow attackers to bypass authentication, intercept sensitive communications, create weak passwords, and access device PINs and firmware. The flaws, tracked as CVE-2024-36787 through CVE-2024-36795, pose significant security risks. Researchers recommend deactivating vulnerable components, implementing robust password policies, encrypting sensitive data, and replacing the routers immediately.

    Cyber Claims and Ransomware Attacks Reach Record Levels

    According to Marsh's analysis, cyber claims and ransomware attacks reached record levels in 2023, with 1,800 cyber claims reported in the US and Canada. Ransomware incidents accounted for less than 20% of total cyber claims, but the median ransom demand soared to $20 million, and the median extortion payment increased to $6.5 million. Despite this, 77% of companies refused to pay the ransom, indicating growing resilience. To enhance cyber resilience, organizations should adopt proactive security measures, consider cyber risk across the enterprise, and use insurer-approved vendors to streamline claims management.

    4 mins
  • Cybersecurity in 60 Seconds - June 12 2024 - Disney Gets Hacked by Accident / Microsoft Recalls "Recall" / NYT Source Code Leaks
    Jun 12 2024

    Club Penguin Fans Hack Disney Server, Steal 2.5GB of Corporate Data

    A group of Club Penguin fans hacked into a Disney Confluence server, intending to access information about the defunct online game, but instead made off with 2.5GB of internal corporate data. The stolen data includes documents on Disney's corporate strategies, advertising plans, Disney+, internal developer tools, business projects, and internal infrastructure, some of which dates back to 2022. The breach was reportedly carried out using previously exposed credentials, and the data was shared on Discord and 4Chan message boards. Disney has yet to comment on the incident.

    Microsoft Makes Changes to Controversial Screenshot Feature After Privacy Concerns

    Microsoft has announced changes to its "Recall" feature, a screenshot tool announced for its new AI-powered PCs, after privacy concerns were raised. The feature, which captures and stores screenshots of desktop activity, will now be opt-in instead of default, and users will need to use Windows' "Hello" authentication process to enable it. The changes come after critics warned that hackers could misuse the tool and its saved screenshots. The UK's data watchdog, the Information Commissioner's Office (ICO), had also expressed concerns about the feature. Microsoft's updates will be implemented before the launch of Copilot+ PCs on June 18.

    Critical PHP Vulnerability Exploited in the Wild

    A critical vulnerability in PHP (CVE-2024-4577) has been discovered, allowing attackers to execute malicious code on Windows devices. The bug is easily exploitable and has been observed being exploited in the wild, with proof-of-concept code available. The vulnerability affects PHP versions 8.3-5 and is caused by errors in Unicode character conversion. Patching is recommended immediately, especially for servers using PHP in CGI mode. Mitigation measures, such as rewrite rules, are available for unsupported versions. XAMPP for Windows is vulnerable by default, but disabling PHP CGI can temporarily mitigate the issue.

    New York Times Investigates Source Code Leak

    The New York Times is investigating a leak of its source code, which was posted on 4chan. The leak includes 270 GB of data, reportedly containing 5,000 repositories and 3.6 million files, including code for games like Wordle. The exposed data also allegedly includes user information, authentication URLs, API tokens, and secret keys. The Times confirmed the breach occurred in January 2024 due to an exposed credential on a cloud-based platform, but stated that there is no evidence of unauthorized access to its systems or impact on operations. The incident is under investigation.

    4 mins
  • Cybersecurity in 60 Seconds - June 10 2024 - NIST To Pick Up Pace on Backlog / TikTok Celebs Get Hacked / London Hospital System Under Attack
    Jun 10 2024

    NIST Commits to Resuming NVD Work with Additional Funding and Partnerships

    The US National Institute of Standards and Technology (NIST) has announced a plan to address the backlog of vulnerabilities waiting to be added to the National Vulnerability Database (NVD). The plan includes additional funding, a third-party contract, and a partnership with the Cybersecurity and Infrastructure Security Agency (CISA). NIST aims to restore processing rates within the next few months and reduce the backlog by September 30. The agency faces an exponentially growing problem, with over 36,000 vulnerabilities disclosed this year, and has processed only 26% of them so far. The community has expressed concerns about the long-term sustainability of the NVD and the need for a permanent solution.

    London Hospitals Hit by Cyber-Attack

    A cyber-attack on pathology services provider Synnovis has forced major London hospitals, including King's College Hospital and Guy's and St Thomas', to declare a critical incident, cancelling operations and diverting emergency patients. The attack, believed to have occurred on Monday, has disrupted blood transfusions and test results, and also affected GP services in several boroughs. The NHS has apologised for the inconvenience and is working with the National Cyber Security Centre to understand the impact, while Synnovis has deployed a "taskforce of IT experts" to assess the situation.

    TikTok Cyber Attack Targets High-Profile Accounts

    TikTok has responded to a cyber attack targeting several prominent accounts, including CNN and Paris Hilton's. The company has collaborated with CNN to restore account access and implement enhanced security measures. While the number of compromised accounts is reportedly "very small", TikTok is working with affected owners to restore access. This incident comes as TikTok's parent company, ByteDance, challenges a US law requiring that TikTok be sold by January or face a ban, citing national security concerns.

    Russian Cybercriminals Behind London Hospitals Cyber Attack

    A Russian cybercrime group, known as Qilin, has been identified as the perpetrator of the ransomware attack on Synnovis, a pathology services firm that supplies London NHS hospitals. The attack has resulted in a "severe reduction in capacity" and cancelled operations, tests, and blood transfusions. Ciaran Martin, former chief executive of the National Cyber Security Centre, described the incident as "very, very serious". Qilin operates as a ransomware-as-a-service group, hiring out malware to other criminals. The attack is believed to be a targeted operation to secure a ransom, highlighting the growing threat of cybercrime.

    4 mins
  • Cybersecurity in 60 Seconds - June 05 2024 - Snowflake's DB On the Dark Web / Hugging Face Detects Intrusion / Netflix Pays Out $1M in Bug Bounties
    Jun 5 2024

    Snowflake Database Customers Targeted by Threat Actor

    A threat actor known as UNC5537 has breached several Snowflake database customers using stolen credentials, conducting data theft and extortion attacks, according to cloud security firm Mitiga. The actor targets organizations lacking two-factor authentication, using a custom tool to access Snowflake environments. The campaign, which started in April, has attracted law enforcement attention and affected multiple organizations, with stolen data being publicly posted for sale on hacker forums. Snowflake, with over 9,000 customers and a significant market share, has issued a security advisory, advising customers to review indicators of compromise and mitigations, while emphasizing that the activity is not caused by any vulnerability or malicious activity within their product.

    Hugging Face Detects Unauthorized Access to AI Model Hosting Platform

    Hugging Face, an AI startup, announced on Friday that its security team detected "unauthorized access" to its Spaces platform, which hosts AI models and resources. The intrusion relates to Spaces secrets, which are private pieces of information used to unlock protected resources. As a precaution, Hugging Face has revoked certain tokens and recommends that users refresh their keys or tokens and consider switching to fine-grained access tokens. The company is working with cybersecurity specialists to investigate the incident and review its security policies. The extent of the potential breach is currently unclear. This incident comes as Hugging Face faces increasing scrutiny over its security practices, with several vulnerabilities and security concerns reported in recent months.

    Netflix Bug Bounty Program Pays Out Over $1 Million

    Netflix has paid out more than $1 million to security researchers since launching its bug bounty program in 2016. The program has received nearly 8,000 unique vulnerability reports from over 5,600 researchers, with 845 vulnerabilities eligible for rewards. The company has moved its program to the HackerOne platform, promising enhanced triage, increased bounty ranges, and expanded scope. Rewards range from $300 to $20,000, depending on the severity and impact of the vulnerability. This investment in security research demonstrates Netflix's commitment to protecting its systems and products.

    Santander Bank Hit by Massive Hack

    Santander Bank has been hit by a massive hack, affecting all staff and 30 million customers, according to reports. The breach, which occurred via a supply chain attack, resulted in the theft of sensitive customer information, including personal data, credit card numbers, and account numbers and balances. The stolen database is being sold on the dark web by the ShinyHunters hacking collective for $2 million. While Santander has confirmed the breach, the extent of the damage is still unclear, with some reports suggesting that the number of affected customers may be lower than claimed.

    5 mins
  • Cybersecurity in 60 Seconds - June 03 2024 - TicketMaster Hit for Customer Data / 600k Routers Bricked By ? / US Power Grid Upgrade Leave out Cybersecurity
    Jun 3 2024

    Ticketmaster Hit by Cyber Attack, User Data Compromised

    Live Nation, the parent company of Ticketmaster, has confirmed that it fell victim to a cyber attack, resulting in the compromise of user data. The breach was discovered on May 20, and an investigation was promptly launched. A week later, a criminal threat actor attempted to sell the stolen data on the dark web. While experts say the stolen data does not appear to be severe, with no banking or medical information taken, the incident highlights the ongoing threat of cyber attacks on major companies. The news comes as Live Nation faces a separate legal challenge, with the Justice Department and state attorneys general seeking to break up Ticketmaster over alleged antitrust violations.

    600,000 Routers Bricked by Mysterious Threat Actor Using Chalubo Malware

    A mysterious threat actor used the Chalubo trojan to render over 600,000 SOHO routers inoperable, affecting a single ISP's network. The routers, from ActionTec and Sagemcom, were likely infected with Chalubo, a remote access trojan that creates a botnet. The destructive incident occurred over 72 hours in October 2023, with 49% of impacted routers taken offline, requiring physical replacement. Lumen Technologies, which discovered the incident, suspects the threat actor used Chalubo to obfuscate attribution, but no links to known nation-state actors were found. The Chalubo malware, first discovered in 2018, can launch DDoS attacks and execute Lua scripts on infected devices. Most infections are in the US, with hundreds of thousands of Chalubo bots worldwide.

    Cybersecurity Experts Warn of US Power Grid Vulnerabilities Amid Upgrades

    The Biden administration's efforts to upgrade the US power grid's aging infrastructure have been met with warnings from cybersecurity experts, who say that neglecting to prioritize cybersecurity measures could leave the grid vulnerable to attacks. The initiative, which includes 21 states, aims to reduce power outages and improve the grid's resilience amid increasing demand and severe weather events. Experts point to the Ukraine-Russia war, where Russia targeted power plants and backup systems, as a stark reminder of the importance of cybersecurity in modernizing the grid. The White House has announced a public-private venture to upgrade 100,000 miles of existing power lines, but congressional action on improving transmission lines has stalled. Cybersecurity experts emphasize that cyber threats are an "ever-present" issue, and that hostile nations and criminal groups pose significant threats to the grid's security.

    US Cyber Command Warns of Strategically Consequential Cyberattacks

    A senior strategist at US Cyber Command, Emily Goldman, warned that cyberattacks below the threshold of armed conflict are having a significant impact on the US and its allies, with "strategically consequential effects" on their power and influence. Speaking at the International Conference on Cyber Conflict in Estonia, Goldman noted that while NATO's deterrence strategy may prevent catastrophic cyberattacks, it does not address the majority of malicious activity below the threshold of armed conflict, which is becoming routine. She emphasized the need for proactive measures to disrupt and contest these attacks without escalating to armed conflict, citing the US's policy of "defending forward" and "hunt forward" operations as examples. Goldman's comments come as NATO considers establishing a new cyber center and developing its own proactive cyber operational element to counter the growing cyber threat.

    5 mins
  • Cybersecurity in 60 Seconds - May 30 2024 - VPNs Under Attack / TP-Link Fixes Gaming Router Bug / DeFi's hit for $25MM
    May 30 2024

    VPN Configuration Under Attack: Check Point Urges Review

    Check Point, a cybersecurity firm, has issued a warning to customers to review their VPN configurations amid a surge in attacks targeting VPNs from various vendors. The company observed attempts to breach its customers' VPNs using outdated local accounts with password-only authentication, which did not exploit software vulnerabilities but leveraged weaker authentication methods. To prevent potential exploitation, Check Point recommends disabling unnecessary local accounts, enhancing security with additional authentication layers, and implementing a solution to automatically prevent unauthorized access via local accounts with password-only authentication.

    Fake Pegasus Spyware Strains Populate Clear and Dark Web

    CloudSEK, a cloud security provider, has discovered that fake Pegasus spyware strains are being sold on the surface web, dark web, and instant messaging platforms. Following Apple's warning about "mercenary spyware" attacks, CloudSEK investigated and found that approximately 25,000 Telegram posts claimed to sell authentic Pegasus source code, but most were fraudulent and ineffective. Threat actors created their own tools and scripts, distributing them under Pegasus' name for financial gain. The report highlights the importance of staying vigilant and relying on credible sources for information on cyberattacks and malware.

    TP-Link Patches Critical Vulnerability in Archer C5400X Gaming Router

    TP-Link has resolved a high-stakes vulnerability in its Archer C5400X gaming router, tracked as CVE-2024-5035, which could have allowed remote command execution with elevated privileges. The vulnerability, initially reported on February 16, 2024, affected versions before 1_1.1.7. TP-Link released a patch on May 27, 2024, fixing the issue. Users are advised to upgrade to version 1_1.1.7 to mitigate the risk.

    DeFi Protocols Hit with $25 Million in Cyber Attacks

    Three DeFi protocols, Sonne Finance, BlockTower, and ALEX Lab, have been targeted in cyber attacks, resulting in a combined loss of approximately $25 million in cryptocurrency. The attacks, which occurred around May 14, exploited vulnerabilities in the protocols, including an "empty market" bug and a private key compromise. Sonne Finance suffered the largest loss, with $20 million stolen via an exploited bug. ALEX Lab lost around $4 million in a suspected private key compromise.

    BlockTower Capital saw a loss of approximately $1.5 million in this incident.

    The attacks highlight the ongoing security concerns in the DeFi space, with investors calling for improved network-level security and standardized protocols to prevent such breaches. Some are turning to AI-powered security solutions to mitigate these risks.

    4 mins
  • Cybersecurity in 60 Seconds - May 28 2024 - Merrill Exposes Walmart Employees / Israel Fears Russia is Helping Iran / Google's Chrome Patch Parade Continues with 4th Patch this Month
    May 28 2024

    Merrill Email Error Exposes Walmart Pension Plan Members' Data

    A Merrill employee's email mistake exposed the personal information of 1,883 Walmart 401(k) Retirement Plan participants, including names, surnames, and Social Security numbers. The error, which occurred on April 16, was discovered six days later, and the email has since been deleted. Merrill, a division of Bank of America, is offering two years of complimentary identity theft protection services to those affected and advises them to monitor their credit reports and account statements for any unauthorized transactions. This incident marks the second data exposure affecting Walmart employees this year.

    Israel Fears Russia May Share Advanced Cyber Capabilities with Iran

    Israel's security establishment is alarmed by the deepening relationship between Iran and Russia, particularly the potential transfer of advanced cyber capabilities from Russia to Iran. Since October 7, Israel has seen a significant increase (2.5 to 3-fold) in major cyber attacks, targeting critical infrastructure such as healthcare, academia, and service entities. While current attacks are using known vulnerabilities, Israel is preparing for potential future attacks using sophisticated Russian cyber warfare capabilities. The concern is future-oriented, as thousands of attacks have been carried out against Israeli targets, with around 1,000 aimed at significant entities.

    Google Patches Fourth Zero-Day Vulnerability in a Month

    Google has released an update to patch a high-severity security flaw (CVE-2024-5274) in the Chrome browser, which is actively being exploited by malicious actors. The vulnerability is a type confusion bug in the V8 JavaScript and WebAssembly engine, allowing threat actors to modify variables and potentially execute arbitrary code or bypass access controls. This is the fourth zero-day vulnerability Google has patched this month, following CVE-2024-4947, CVE-2024-4761, and CVE-2024-4671. Users are advised to upgrade to Chrome version 125.0.6422.112/.113 (Windows and macOS) or 125.0.6422.112 (Linux). Chromium-based users should apply fixes as they become available.

    London Drugs Refuses $25M Ransom Demand After Ransomware Attack

    Canadian pharmacy chain London Drugs has confirmed a ransomware attack, which resulted in the theft of corporate files containing employee information. The attackers, identified as LockBit, are demanding a $25 million ransom by Thursday, threatening to leak the stolen data if the demand is not met. London Drugs has stated that it is "unwilling and unable to pay ransom to these cybercriminals." The company has notified current employees and is offering two years of free credit monitoring and identity-theft protection. The investigation is ongoing, and London Drugs will contact employees directly if their personal information was compromised. This incident comes after law enforcement disrupted LockBit's infrastructure, leading to a decrease in attacks.

    4 mins
  • Cybersecurity in 60 Seconds - May 22 2024 - MSFT Execs Bonuses Tied to Cyber Strategy / Fluent Bit Bug In Most Cloud Providers / Rockwell Automation Warns Clients of Potential for Attack
    May 24 2024

    Microsoft Ties Executive Pay to Cybersecurity Performance

    Microsoft is linking executive compensation to a successful cybersecurity strategy in response to criticism from the US government and rival tech companies over its failure to prevent a Chinese hack of its systems last summer. The hack, attributed to China, was described as "preventable" by a government review board, which pointed to a "cascade of errors" and a corporate culture that deprioritized enterprise security investments and rigorous risk management. The move is part of Microsoft's Secure Future Initiative, which aims to prioritize cybersecurity and protect against nation-state attacks, and is seen as a positive step by some experts, who note that it sends a strong message about the importance of cybersecurity and could help instill a security-first culture within the company.

    Critical Bug in Fluent Bit Logging Service Allows A Plethora of Attacks in Major Cloud Platforms

    A critical vulnerability in the Fluent Bit logging service, used by major cloud providers including AWS, Microsoft, and Google Cloud, has been discovered. The bug, dubbed "Linguistic Lumberjack," allows attackers to cause denial of service (DoS), data leakage, or remote code execution (RCE) in cloud environments. The issue lies in how Fluent Bit's embedded HTTP server parses trace requests, and can be exploited by passing non-string values to a specific endpoint. The bug affects Fluent Bit versions 2.0.7 through 3.0.3 and has been assigned a critical CVSS score of over 9.5 out of 10. Users are advised to update to the latest version or restrict access to the monitoring API to prevent exploitation.

    GitHub Patches Critical Authentication Bypass Flaw in Enterprise Server

    GitHub has fixed a critical vulnerability (CVE-2024-4985, CVSS score: 10.0) in GitHub Enterprise Server (GHES) that allowed attackers to bypass authentication and gain unauthorized access to instances, potentially with administrator privileges. The issue affected all versions prior to 3.13.0 and has been addressed in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. The flaw only impacted instances using SAML single sign-on (SSO) with encrypted assertions, which is not enabled by default. Organizations using vulnerable versions are advised to update to the latest version to prevent potential security threats.

    Rockwell Automation Warns Customers to Disconnect Industrial Control Systems from Internet

    Rockwell Automation has issued a security notice urging customers to disconnect their industrial control systems (ICS) from the internet due to heightened geopolitical tensions and adversarial cyber activity globally. The company is concerned about potential attacks on internet-exposed ICS devices, which could lead to unauthorized access, privilege escalation, and even Stuxnet-style attacks. A Shodan search revealed over 7,000 Rockwell devices, including Allen-Bradley programmable logic controllers (PLCs), exposed to the web. Rockwell Automation advises customers to remove public internet connectivity to reduce the attack surface and prevent exploitation of vulnerabilities, including several recently patched flaws. The US cybersecurity agency CISA has also posted an alert to bring attention to Rockwell's notice.

    5 mins