← Risky Bulletin
Risky Bulletin
Risky Bulletin: CISA tells federal agencies to mitigate on-prem-to-cloud Exchange attack
00:08:27
Loading summary
Transcript1 lines
- [00:04]
Claire Aird
Federal agencies told to patch a new exchange floor Millions of sites are vulnerable to HTTP desync attacks, Trend Micro patches a zero day and the Salesforce data breaches continue. This is the Risky bulletin prepared by Catalyn Kimparnu and read by me, Claire aird. Today is the 8th of August and this podcast episode is brought to you by no code automation platform Tynes. In today's top story, US Federal agencies have been ordered to patch a new attack vector in Microsoft Exchange email servers. CISA has given a deadline of Monday to apply mitigation shared by Microsoft this week. The guidance addresses a vulnerability in hybrid environments where on premise exchange synchronises data to exchange online. Hackers can leverage a shared authentication process to move into the cloud once they've compromised on PREM servers. In other news, a suspected state sponsored group has hacked the US Department of Justice case management system. The hack occurred in early July. It impacted two systems for managing case files known as PACER and cmecf. According to Politico. The hack exposed data about ongoing investigations, informants and witnesses. Danish jewellery company Pandora is notifying customers of a security breach. The company says hackers stopped the data from a third party platform. Bleeping Computer reported that Pandora is the latest organisation to have its Salesforce account hacked. Hackers have also stolen customer data from Google's Salesforce account. The company said most of the stolen data was publicly available business information such as company names and contact details. Google attributed the hack to a group named UNC6040. The hacking campaign targeting Salesforce accounts also involves a second group tracked as UNC6240. According to Google, the group is extorting companies with the stolen data. It contacts victims via email and phone and requests bitcoin payment within 72 hours. The group is using the name Shiny Hunters. It's unclear if it's connected to the old group of the same name. A hacker has stolen customer data from Air France and Dutch airline klm. A third party customer service platform used by both airlines was the target of the breach, the airline said. No sensitive or financial data was stolen. Hackers have stolen customer data from French telecommunications company Boiga Telecom. 6.4 million customers were impacted in Monday's breach. The stolen data includes personal information, contractual details and bank account numbers. Uyghur Telecom said account passwords were not compromised and it's notifying affected customers. The tea on her app is leaking user data due to a security flaw. The app launched this week. It allows men to share details about the women they're dating and find information about them. It was created in response to the Women Only Tea app, which recently suffered a similar leak. According to TechCrunch, the app is leaking usernames, email, emails, IDs and selfies. South Korea's largest telco says a recent security breach led to a 37% drop in profits. SK Telecom says the cost of compensating retailers and replacing sims contributed to the reduction in second quarter profits. The company suffered a major breach in April when hackers stole all of its customer sim data. The telco had to replace all its SIM cards and lost a large number of customers. Germany's highest court has ruled that police can only use spyware when investigating serious crimes. Spyware can be used only to monitor individuals suspected of crimes with a maximum sentence of at least three years. The use of spyware for police has been allowed in Germany since 2017. The founders of the Samurai Wallet cryptocurrency mixer have pleaded guilty to money laundering related charges. CEO Keon Rodriguez and CTO William Lonigan Hill were arrested last year after the FBI shut down the service. Officials say they designed and promoted their tool to hide and move illicit funds. Samurai Wallet helped launder more than $200 million worth of crypto assets from hacks, online fraud and drug trafficking. The co founder of the Tornado Cash cryptocurrency mixer has been found guilty of running an unlicensed money transmitting business. Roman Storm was acquitted of money laundering charges. Tornado Cash was taken down by the FBI in 2022 for laundering more than $1 billion. Storm will be sentenced later this year. He faces a maximum prison sentence of 5 years. More than 150 malicious Firefox extensions have been added to the browser's official add ons store. The extensions were initially innocent, but were later updated with malicious code that collected Crypto Wallet credentials, according to Koi Security. The group also runs malware delivery portals as well as fake crypto investment scam and phishing sites. So far, the group's operations appear to have made more than $1 million. A North Korean espionage group has been linked to ransomware attacks. Victims were infected with backdoors and info stealers before the VCD ransomware was deployed. South Korean security firm S2W has attributed the attacks to Chinopunk, a subgroup of the scarcraft apt.s2w said the attacks were a deviation from scarcraft's usual focus on espionage. Security firm Trend Micro has patched an actively exploited zero day in its Apex1 detection and response platform. The zero day is a pre auth command injection. It allows remote attackers to run code on on premise versions of the management console. Trend Micro has released a hotfix that disables the remote install agent functionality. A more comprehensive update is expected later this month. Sonicwall has found no evidence of a zero day in recent attacks against its firewalls. The company says attackers exploited a vulnerability from last year. Sonicwall is tracking around 40 incidents related to this wave of attacks. The company says most cases involved customers who upgraded to Gen 7 firewalls and didn't reset account passwords. Google security researchers have increased the speed of the retbleed CPU side channel attack. The retbleed attack attack leaks data from AMD and Intel processors, it was disclosed in 2022. The improved attack can now leak data three times faster than the original at 13 kilobytes per second. The researchers also work to improve the attack in restrictive virtual machine and cloud environments. Portswigger researcher James Kettle has unveiled two new HTTP desync attacks. The attacks target the HTTP 1.1 protocol and can expose user credentials transmitted over the Internet. They leverage weak boundaries between individual requests to expose user data by manipulating proxies and CDNs. Ketil estimates that tens of millions of sites are currently impacted. He recommends that Internet infrastructure companies migrate using the more secure HTTP 2 protocol. And finally, security researchers have hijacked Gemini AI agents using modified Google Calendar invites. The attack hid malicious prompts inside the invites. These instructed agents to perform malicious actions against users Google accounts. The agents could be abused to geolocate victims, steal emails, conduct spam and phishing attacks, and remotely control users. Smart Home Appliances SafeBreach presented its findings at the Black Hat Security Conference this week. Google fixed the issues earlier this year and that is all for this podcast edition. Today's show was brought to you by our sponsor, Tynes. Find them@tines.com thanks for your company.