This Week in Cybersecurity News: Kaspersky Banned in the US, 120 Campaigns Using Rafel RAT, CANIHAZBUFFEROVERFLOW and More….

By Nathan Burke

Apple Vision Pro Flaw Lets Attackers Fill Your Room With Spiders, US Bans Kaspersky, 120 Malicious Campaigns Using the Rafel RAT, I Can Has Buffer Overflow?, Lockbit Claims to Hack the Federal Reserve, and BlackSuit Ransomware Causes Global Disruption to North American Auto Dealerships.

Breaches and Attacks in the News

CDK Global begins to restore systems after cyber hack hits thousands of retailers
By Reuters
Retail technology and software provider CDK Global has begun work to restore systems used by over 15,000 retail locations across North America, the company said in a statement on Sunday, adding that it expects the process to take “several days.” “We are continuing to actively engage with our customers and provide them with alternate ways to conduct business,” CDK said in an emailed statement. Last week, a dealer who received a letter from CDK said the company informed him it could take several more days to get the systems up and running.

CDK warns: threat actors are calling customers, posing as support
By Ax Sharma – BleepingComputer
CDK Global has cautioned customers about unscrupulous actors calling them and posing as CDK agents or affiliates to gain unauthorized systems access. The warning follows ongoing cyberattacks that have hit CDK, forcing the company to shut down its customer support channels and take most of its systems offline. CDK Global is a software-as-a-service (SaaS) platform that thousands of US car dealerships rely upon.

CDK Global outage caused by BlackSuit ransomware attack
By Lawrence Abrams – BleepingComputer
The BlackSuit ransomware gang is behind CDK Global’s massive IT outage and disruption to car dealerships across North America, according to multiple sources familiar with the matter. The same sources, who provided information on condition of anonymity, told BleepingComputer that CDK is currently negotiating with the ransomware gang to receive a decryptor and not leak stolen data. While BleepingComputer is the first to report that BlackSuit is behind the attack, the news that CDK is negotiating with threat actors was revealed by Bloomberg yesterday.

CDK Global cyberattack impacts thousands of US car dealerships
By Lawrence Abrams – BleepingComputer
Car dealership software-as-a-service provider CDK Global was hit by a massive cyberattack, causing the company to shut down its systems and leaving clients unable to operate their business normally. CDK Global provides clients in the auto industry a SaaS platform that handles all aspects of a car dealership’s operation, including CRM, financing, payroll, support and service, inventory, and back office operations.
See Also: Over 50% of US Car Dealers Are Shut Down Following CDK Hack Attack

Lockbit Claims the Hack of the US Federal Reserve
By Pierluigi Paganini – SecurityAffairs
The Lockbit ransomware group announced that it had breached the systems of the Federal Reserve of the United States and exfiltrated 33 TB of sensitive data, including “Americans’ banking secrets.” The Lockbit ransomware group added the Federal Reserve to the list of victims on its Tor data leak site and threatened to leak the stolen data on 25 June, 2024 20:27:10 UTC. The group hasn’t published any sample of the stolen data. “Federal banking is the term for the way the Federal Reserve of the United States distributes its money. The Reserve operates twelve banking districts around the country which oversee money distribution within their respective districts. The twelve cities which are home to the Reserve Banks are Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City, and San Francisco,” reads the announcement published by the group on its leak site. “33 terabytes of juicy banking information containing Americans’ banking secrets. You better hire another negotiator within 48 hours, and fire this clinical idiot who values Americans’ bank secrecy at $50,000.”
See Also: Lockbit 3.0 Claims Attack on Federal Reserve: 33 Terabytes of Sensitive Data Allegedly Compromised, LockBit Ransomware Claims 33 TB of US Federal Reserve Data for Ransom

Los Angeles Unified confirms student data stolen in Snowflake account hack
By Lawrence Abrams – BleepingComputer
The Los Angeles Unified School District has confirmed a data breach after threat actors stole student and employee data by breaching the company’s Snowflake account. Snowflake is a cloud database platform used by some of the largest companies worldwide to store their data. Earlier this month, a threat actor began to sell data from numerous companies, including Ticketmaster, Santander Bank, Advance Auto Parts, and Pure Storage, with the hacker stating it was stolen from Snowflake.
See Also: LAUSD Data Breach: Hackers Leak 25M Records, Including Student Locations

Change Healthcare lists the medical data stolen in ransomware attack
By Lawrence Abrams – BleepingComputer
UnitedHealth has confirmed for the first time what types of medical and patient data were stolen in the massive Change Healthcare ransomware attack, stating that data breach notifications will be mailed in July. On Thursday, the company published a data breach notification warning that the ransomware attack exposed a “substantial quantity of data” for a “substantial proportion of people in America.” While UnitedHealth has not explicitly shared how many people were affected, UnitedHealth CEO Andrew Witty stated during a congressional hearing that “maybe a third” of all Americans’ health data was exposed in the attack.

Levi’s Data Breach: 72,000+ Customers’ Data Exposed
By Dhivya – Cyber Security News
Levi Strauss & Co., a renowned American clothing company, has disclosed a significant data breach affecting over 72,000 customers. The breach occurred on June 13, 2024, and was discovered on the same day. The compromised data includes personal identifiers such as names, which were exposed due to a vulnerability exploited by cyber attackers. The breach has impacted 72,231 individuals, including 75 residents of Maine.

Threats, Campaigns, and Techniques in the News

UEFIcanhazbufferoverflow Flaw In Intel Processors Impacts 100s of PCs & Servers
By Eswar – Cyber Security News
A new vulnerability has been discovered in the Phoenix SecureCore UEFI firmware, which runs on several Intel Core desktop and mobile processors. This vulnerability has been assigned CVE-2024-0762, and its severity has been rated 7.5 (High). It was initially identified on the Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen running the latest Lenovo BIOS updates, but Phoenix Technologies later came forward and acknowledged that the same issue exists in multiple versions of its SecureCore firmware. According to the reports shared with Cyber Security News, this vulnerability exists on multiple Intel processor families and multiple generations of Intel Core processors, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake.
See Also: Firmware flaw affects numerous generations of Intel CPUs — UEFI code execution vulnerability found for Intel CPUs from 14th Gen Raptor Lake to 6th Gen Skylake CPUs, and TPM will not save you, UEFICANIHAZBUFFEROVERFLOW Flaw in Phoenix Securecore UEFI Firmware Potentially Impacts Hundreds of PC and Server Models

Experts Observed Approximately 120 Malicious Campaigns using Rafel RAT to Target Android Devices
By Pierluigi Paganini – SecurityAffairs
Multiple threat actors are using an open-source Android remote administration tool called Rafel RAT to target Android devices. Check Point Research identified multiple threat actors using Rafel, an open-source remote administration tool (RAT). The researchers spotted an espionage group using Rafel, highlighting the tool’s effectiveness across different threat profiles and goals. Previously, Check Point observed the cyber espionage group APT-C-35 / DoNot Team using Rafel RAT. Rafel’s features, including remote access, surveillance, data exfiltration, and persistence mechanisms, make it a powerful tool for covert operations and infiltrating high-value targets. Check Point observed approximately 120 different malicious campaigns using the tool; threat actors successfully targeted high-profile organizations, including the military sector. Most of the victims are from the United States, China, and Indonesia, but the researchers pointed out that they observed infections all over the world.

Cybersecurity and Public Policy in the News

U.S. Bans Usage of Kaspersky Antivirus Over Security Concerns
By Guru Baran – Cyber Security News
The United States has announced a comprehensive ban on the sale and use of antivirus software developed by the Russian firm Kaspersky, citing national security concerns. Commerce Secretary Gina Raimondo unveiled the decision on Thursday. The decision is rooted in fears over the company’s alleged ties to the Kremlin and the potential risks posed to U.S. infrastructure and personal data. Raimondo emphasized the urgency of the measure, stating that the U.S. had to act due to Russia’s “capability and intent to collect and weaponize the personal information of Americans.”
See Also: Biden administration bans sale of Kaspersky software in US, Kaspersky’s US Customers Face Tight Deadline Following Govt. Ban

US sanctions 12 Kaspersky Lab execs for working in Russian tech sector
By Lawrence Abrams – BleepingComputer
The Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned twelve Kaspersky Lab executives for operating in the technology sector of Russia. These sanctions came after the Biden administration announced yesterday the ban of sales and software updates for Kaspersky antivirus software in the USA, which started in July, over potential cybersecurity risks to national security. In addition, the Department of Commerce designated AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom) to the Entity List, preventing any US business from conducting business with them.

CISA warns chemical facilities in America about possible data breach
By Naveen Goud – Cybersecurity Insiders
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all chemical facilities operating in the United States regarding a potential data breach that may have exposed sensitive information to hackers. This includes details such as business names, place of birth, citizenship, redress system number, and global entry ID. CISA’s alert follows a confirmed report that the Chemical Security Assessment Tool (CSAT) was compromised by a known threat actor through a vulnerability in the Ivanti Connect Secure Appliance earlier this year. This breach affects all participants of the Chemical Facility Anti-Terrorism Standards (CFATS), prompting immediate attention due to the potential exposure of sensitive data.

The NYSE’s $10M Wake-up Call
By Jeffrey Wells – DarkReading
The settlement between the SEC and the owner of the New York Stock Exchange is a critical reminder of the vulnerabilities within financial institutions’ cybersecurity frameworks as well as the importance of regulatory oversight.

Investigative Cybersecurity Stories

KrebsOnSecurity Threatened with Defamation Lawsuit Over Fake Radaris CEO
By Brian Krebs – Krebs on Security
On March 8, 2024, KrebsOnSecurity published a deep dive on the consumer data broker Radaris, showing how the original owners are two men in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites. The subjects of that piece are threatening to sue KrebsOnSecurity for defamation unless the story is retracted. Meanwhile, their attorney has admitted that the person Radaris named as the CEO from its inception is a fabricated identity.

Terrifying Cybersecurity News Story of the Week

Apple Vision Pro Flaw Let Attackers Fill Your Room with Hundreds of Spiders
By Dhivya – Cyber Security News
Cybersecurity experts have discovered a critical flaw in Apple’s latest augmented reality (AR) headset, the Apple Vision Pro. This vulnerability allows malicious actors to exploit the device and project hundreds of virtual spiders into the user’s environment, causing panic and potential harm. The flaw has raised significant concerns about the security of AR technology and the potential psychological impact on users.
