Cybersecurity News: Halliburton Suffers Cyberattack, Telegram CEO Arrested, Georgia Tech Lawsuit

In today’s cybersecurity news…

Halliburton takes systems offline after cyberattack

The oilfield services company informed regulators and the media on Friday about a recent cyberattack that “required the shutdown of certain systems.” The attack occurred Wednesday and affected operations at its Houston headquarters. According to an 8-K report filed with the SEC on Thursday, the company said hackers “gained access to certain systems.”

(The report)

French police arrest Telegram CEO Pavel Durov

Durov, the 39-year-old billionaire who founded Telegram in 2013, was arrested after his private jet landed at Le Bourget airport north of Paris, French media reported. The arrest targeted Telegram moderators, with Durov accused of “failing to take measures to curb criminal use of the app.” The app company itself has been accused of “failing to cooperate with law enforcement in cases involving drug trafficking, child pornography and fraud.” Durov’s lawyer called the arrest “absolutely ridiculous” and said the charges were “comparable to accusing a car manufacturer of an accident, or using its cars to commit crimes.”

(BBC News and BBC News)

DOJ joins lawsuit against Georgia Tech over Defense Department cybersecurity failures

The Department of Justice has announced that it has joined a whistleblower lawsuit over “allegations that the Georgia Institute of Technology evaded its cybersecurity obligations in contracts with the U.S. Department of Defense.” The lawsuit was originally filed by current and former members of Georgia Tech’s cybersecurity team. U.S. prosecutors are calling Georgia Tech’s actions a “blatant disregard for federal cybersecurity regulations that came with Department of Defense and Air Force contracts.” Georgia Tech, for its part, alleges that the government told the school that “the investigation did not require cybersecurity restrictions, and moreover, there was no information breach or data leak.”

(The report)

Thanks to today’s episode sponsor, Scrut Automation

Scrut Automation enables compliance and risk teams of all sizes to build enterprise-grade security programs. Their best-in-class features like process automation, AI, and 75+ native integrations turn compliance blame around and help proactively manage risk as your business grows. To schedule a demo or learn more, visit scrut.io. It’s www.scrut.io.

New Linux malware uses credit card skimmers

Researchers from Aon’s Stroz Friedberg incident response services team have discovered a new variant of Linux malware that achieves persistence on infected systems in order to hide credit card skimmer code. Called sedexp, the malware, according to the researchers, uses udev rules to maintain persistence. Udev provides a mechanism to identify devices based on their properties and to configure rules that respond when a device’s status changes, such as when a device is plugged in or removed. The malware is then able to “hide credit card scraping code on a web server,” suggesting that its operators are financially motivated.

(The Hacker News)
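A udev rule can only re-launch a payload on device events through a RUN assignment, so a defender-side check is to parse every rule file udev loads and flag RUN commands that point at unusual locations or go through an interpreter. The script below is an added example, not code from the Stroz Friedberg report or from the page; the sample rule text is constructed and is not sedexp’s actual rule, and the suspicious-path and interpreter patterns are assumptions a team would tune to its own baseline.

```python
import re
from pathlib import Path
# Constructed sample rules (not sedexp's real rule): one benign rule, then two
# that re-run a payload on device events, the pattern udev persistence relies on.
SAMPLE_RULES = """\
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", GROUP="dialout"
# fires on every add event and runs a script from a hidden directory in /tmp
ACTION=="add", RUN+="/bin/sh -c '/tmp/.cache/update'"
# matches a character device by major/minor and runs from a dot-directory
ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/var/lib/.x/loader run"
"""
# Directories udev loads rules from on a live system.
RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d", "/usr/lib/udev/rules.d")
# Paths and interpreters that packaged rules rarely reference in a RUN command (assumed baseline).
SUSPICIOUS_PATH = re.compile(r"(^|[\s\"'])(/tmp|/var/tmp|/dev/shm|/home|/root)/|/\.[^/\s]+/")
SUSPICIOUS_INTERP = re.compile(r"\b(sh|bash|dash|python[23]?|perl|curl|wget)\b")
_ASSIGN = re.compile(r'(\w+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

def parse_rules(text):
    """Yield (line_no, match_conditions, assignments) for each non-comment rule line."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        matches, actions = {}, []
        for key, op, val in _ASSIGN.findall(line):
            if op in ("==", "!="):
                matches[key] = op + val        # condition the rule matches on
            else:
                actions.append((key, op, val))  # assignment performed when it matches
        yield n, matches, actions

def find_suspicious_run(text):
    """Return RUN assignments whose command uses an unusual path or an interpreter."""
    hits = []
    for n, matches, actions in parse_rules(text):
        for key, _op, val in actions:
            if key.startswith("RUN") and (SUSPICIOUS_PATH.search(val) or SUSPICIOUS_INTERP.search(val)):
                hits.append({"line": n, "match": matches, "run": val})
    return hits

def scan_rule_dirs(dirs=RULE_DIRS):
    """Scan a live system's rule files; returns {path: hits} for files that have hits."""
    report = {}
    for d in dirs:
        for f in sorted(Path(d).glob("*.rules")):
            hits = find_suspicious_run(f.read_text(errors="replace"))
            if hits:
                report[str(f)] = hits
    return report
```

Running `scan_rule_dirs()` on a host returns the rule files worth a closer look; the match conditions in each hit show which device event triggers the command.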

CISA Adds Versa Director Bug to Its KEV Catalog

The Versa Director Dangerous File Type Upload Vulnerability, “located in the Change Favicon feature in the Versa Director GUI, allows administrators with specific privileges to upload a malicious file disguised as a PNG image. Exploitation requires successful authentication by a user with the necessary privileges.” Versa Director is a virtualization and service creation platform that simplifies the design, automation, and delivery of Secure Access Service Edge (SASE) services. Its placement in the Known Exploited Vulnerabilities catalog means that federal agencies must fix this vulnerability by September 13.

(Security Affairs)
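The bug class here is an upload accepted as an image on the strength of its name or declared type rather than its contents. As an added example, not Versa’s code and not the fix for this specific vulnerability, the validator below accepts a favicon only if it is a structurally complete PNG: correct signature, chunk framing with matching CRCs, IHDR first, IEND last, and nothing appended after IEND; the sample images and the size limit are constructed assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def validate_png(data, max_bytes=64 * 1024):
    """Return (ok, reason); ok only for a complete, well-formed PNG with nothing appended."""
    if len(data) > max_bytes:
        return False, "file too large for a favicon"
    if not data.startswith(PNG_SIG):
        return False, "missing PNG signature"
    pos, seen_ihdr, ended = len(PNG_SIG), False, False
    while pos < len(data):
        if ended:
            return False, "data after IEND chunk"      # polyglot: PNG followed by other content
        if pos + 8 > len(data):
            return False, "truncated chunk header"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False, f"truncated {ctype!r} chunk"
        if not ctype.isalpha():                         # chunk type is four ASCII letters
            return False, f"invalid chunk type {ctype!r}"
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            return False, f"bad CRC on {ctype!r} chunk"
        if not seen_ihdr and ctype != b"IHDR":
            return False, "first chunk is not IHDR"
        seen_ihdr, ended = True, ctype == b"IEND"
        pos += 12 + length
    return (True, "ok") if ended else (False, "no IEND chunk")

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def make_min_png():
    """Constructed 1x1 greyscale PNG used as the valid sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x80")                      # one scanline: filter 0 + one grey pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# Constructed stand-ins for a disguised upload: not a PNG at all, and a real PNG with text appended.
NOT_A_PNG = b"<placeholder: non-image content saved with a .png name>"
POLYGLOT = make_min_png() + b"<placeholder: text appended after IEND>"
```

Re-encoding an accepted image through an image library before storing it is a stronger follow-up, since it discards anything a parser tolerated inside ancillary chunks.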

Hackers Use AppDomain Injection to Drop Cobalt Strike Beacons

The technique behind this attack, which has been around since 2017, has been observed by researchers from Japan’s NTT Group. They describe a wave of attacks that began in July 2024, leveraging a technique called AppDomainManager Injection, which can weaponize any Microsoft .NET application on Windows. The attacks have so far resulted in the deployment of Cobalt Strike beacons targeting government agencies in Taiwan, the military in the Philippines, and energy organizations in Vietnam. There has been no definitive attribution as to who is behind the attacks, but current thinking points to the Chinese state-sponsored threat group APT 41, due to the coupling of AppDomainManager Injection with the GrimResource cross-site scripting (XSS) technique.

(BleepingComputer)

New Qilin ransomware attack uses VPN credentials to steal personal data on Chrome

Researchers at Sophos say this technique can have what they call cascading consequences. The particular attack, observed in July 2024, began with infiltration of a target network using compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). “Once the attacker reached the affected domain controller, they edited the default domain policy to introduce a login-based Group Policy Object (GPO).” This allowed them to trigger a credential-harvesting script on their systems. “The theft of credentials stored in the Chrome browser means that affected users will now need to change their username/password combinations for every third-party site.”

(The Hacker News)

The post Cybersecurity News: Halliburton Suffers Cyberattack, Telegram CEO Arrested, Georgia Tech Lawsuit appeared first on CISO Series.
