In Today’s Security News – TechKranti

Tor says it’s ‘still secure’ despite reports that police are deanonymizing users

The Tor Project assures users that its network remains secure, despite recent reports of law enforcement using timing attacks to deanonymize users. While Tor acknowledges timing analysis as a known method, it emphasizes that mitigations in newer versions of its tools, including improved relay management, reduce such risks. The project also urges greater network diversity, noting that previous attacks targeted outdated software and specific vulnerabilities that have since been addressed.

Hackers Demand $6 Million for Files Stolen from Seattle Airport Operator in Cyberattack

Hackers associated with the Rhysida ransomware group are demanding $6 million in bitcoin from the Port of Seattle after stealing and leaking sensitive airport documents in a cyberattack. Despite the breach, the airport has refused to pay the ransom and the FBI has launched a criminal investigation into the incident. The attack, which disrupted operations such as ticketing and baggage handling, remains under investigation as authorities work to secure exposed personal information.

Ivanti warns of another critical CSA flaw being exploited in attacks

Ivanti has disclosed another critical Cloud Services Appliance (CSA) vulnerability, CVE-2024-8963, which is being actively exploited in conjunction with the previously disclosed CVE-2024-8190. CVE-2024-8963 is a path traversal that lets an unauthenticated remote attacker reach restricted functionality; chained with the CVE-2024-8190 command injection, it gives arbitrary command execution on unpatched appliances, posing a significant risk to corporate networks. Ivanti urges administrators to immediately apply CSA 4.6 Patch 519 (and, since 4.6 is end-of-life, to upgrade to CSA 5.0), implement proper network segmentation, and monitor for signs of exploitation. Federal agencies are required to patch ahead of the October deadline.

Hackers abuse default credentials in foundation software to hack construction companies

Hackers are abusing default credentials in FOUNDATION Accounting Software to compromise construction companies, targeting sub-industries such as plumbing, HVAC, and concrete. Attackers are brute-forcing access to the internet-exposed Microsoft SQL Server instances behind the software, using high-privilege accounts such as "sa" and "dba" that are often left with default credentials, and then executing arbitrary shell commands via xp_cmdshell. To mitigate these risks, experts recommend changing the default credentials, limiting the software's public exposure, and disabling the xp_cmdshell configuration option.

Police dismantle phone unlocking ring linked to 483,000 victims

A multinational law enforcement operation has dismantled an international phishing network built on the iServer phishing-as-a-service platform, which was used to unlock stolen or lost mobile phones belonging to more than 483,000 victims worldwide. The platform, active since 2018, let low-skilled criminals steal login credentials and bypass phone security features, with more than 2,000 registered "unlockers" gaining access to stolen devices. The coordinated week of action saw 17 suspects arrested and the platform's Argentinian operator detained, concluding a multi-country investigation that resulted in significant seizures.

Packed with features, 'SambaSpy' RAT packs a punch

SambaSpy is a feature-rich remote access Trojan (RAT) with capabilities such as file management, password theft, webcam monitoring and keystroke logging, making it a versatile tool for espionage and cyberattacks. Attributed to Brazilian operators and initially targeting Italian users, the malware is delivered by phishing emails and is obfuscated with Zelix KlassMaster to evade detection, with signs of expansion to Spain, Brazil and other regions. Phishing lures remain a highly effective delivery vector and are expected to persist in future campaigns.

Thousands of ServiceNow KB instances expose sensitive corporate data

More than 1,000 ServiceNow enterprise knowledge base (KB) instances expose sensitive data, including PII and active credentials, because of outdated configurations and misconfigured access controls. Although ServiceNow has shipped security updates that tightened data protection, the knowledge base module uses its own permission model (User Criteria), which those updates did not cover, so unauthenticated users can still read articles on misconfigured instances. To mitigate this, organizations should regularly review KB User Criteria and access controls and confirm that public access is restricted to what they intend to expose.

CISA Releases Cyber ​​Defense Alignment Plan for Federal Agencies

CISA's Federal Civilian Executive Branch Operational Cybersecurity Alignment (FOCAL) plan focuses on unifying and standardizing cybersecurity measures across federal agencies to better address dynamic cyber threats. The plan emphasizes five priority areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management, and incident detection and response, with the goal of improving collective operational defense and resilience. By aligning these components, CISA aims to improve interagency coordination and reduce vulnerabilities across the federal enterprise.

Germany seizes 47 crypto exchanges used by ransomware gangs

German authorities have seized 47 cryptocurrency exchanges that facilitated anonymous money laundering for cybercriminals, including ransomware gangs. These platforms, which circumvented "Know Your Customer" regulations, allowed users to evade detection, creating a safe haven for illicit financial activity. The operation, dubbed "Operation Final Exchange," resulted in the seizure of extensive user and transaction data, potentially aiding future investigations and arrests of the cybercriminals involved.

As geopolitical tensions rise, Iran’s cyber operations grow

Iranian cyber operations, particularly by the APT34 group, are increasingly targeting government sectors in the Middle East, including recent attacks on Iraq. The group, affiliated with Iran's Ministry of Intelligence and Security, uses custom malware and unusual command-and-control techniques to exfiltrate sensitive data rather than cause destruction. As geopolitical tensions rise, Iran's cyber capabilities are expected to continue to evolve, highlighting the need for robust cybersecurity measures and zero-trust architectures in the region.

Contractor software targeted via Microsoft SQL Server vulnerability

Cybercriminals have exploited weaknesses in FOUNDATION's accounting software, which is widely used in the construction industry, by targeting its Microsoft SQL Server (MSSQL) instance on TCP port 4243, a port the product exposes to the internet for its mobile app features. Huntress researchers identified the threat from unusual SQL Server process activity and noted that attackers are using brute force and default credentials to gain administrative access. To mitigate this threat, organizations are advised to rotate credentials and ensure their installations are isolated from the internet.
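The two FOUNDATION items above describe the same intrusion pattern: a reachable MSSQL instance, a high-privilege login with a guessable password, and xp_cmdshell turned on. The T-SQL below is an added example written for this page, not code from FOUNDATION, Huntress or the article; it shows the weak configuration beside the hardened one and the checks a responder would run. The login name "dba" is taken from the article, the placeholder password and the assumption that you are connecting as a sysadmin are mine.

```sql
-- Added example (not from the article). Run as a sysadmin on the MSSQL
-- instance behind FOUNDATION. Login names other than 'sa' and the password
-- placeholder are assumptions for illustration.

-- 1. Weak state: is xp_cmdshell enabled? value_in_use = 1 means any login in
--    the sysadmin role can run OS commands, which is what the attackers did:
--      EXEC master..xp_cmdshell 'whoami';
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Who holds sysadmin? Every enabled row here is a brute-force target.
SELECT name, type_desc, is_disabled, modify_date
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- 3. Evidence of abuse: failed logins against 'sa' in the current error log
--    (arguments: log number 0 = current, log type 1 = SQL Server log,
--    then two substrings both of which must match).
EXEC xp_readerrorlog 0, 1, N'Login failed', N'sa';

--    Cached batches that invoked xp_cmdshell (survives until the plan cache
--    is flushed, so check before restarting the service).
SELECT qs.last_execution_time, qs.execution_count, st.text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE '%xp_cmdshell%'
ORDER BY qs.last_execution_time DESC;

-- 4. Hardened state: disable xp_cmdshell and hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Rotate and then retire the shared high-privilege logins. Use a generated
--    password stored in a secrets manager; the literal below is a placeholder.
ALTER LOGIN sa WITH PASSWORD = N'<replace-with-generated-password>';
ALTER LOGIN sa DISABLE;
-- 'dba' is the second account named in the article; assumed to exist here.
ALTER LOGIN dba WITH PASSWORD = N'<replace-with-generated-password>';
ALTER LOGIN dba DISABLE;

-- 6. Confirm the change took effect.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';   -- expect value_in_use = 0
```

Disabling xp_cmdshell removes the one-line shell the intruders used but does not stop a sysadmin from re-enabling it, so steps 2 and 5 matter as much as step 4: keep sysadmin membership to named, individual logins, and pair the SQL-side changes with the network-side fix of not exposing port 4243 to the internet at all.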

New TeamTNT Cryptojacking Campaign Targets Centos Servers With Rootkit

TeamTNT has launched a new cryptojacking campaign targeting CentOS-based Virtual Private Servers (VPS) using a kernel rootkit. The attack begins with SSH brute-forcing, after which a malicious script is uploaded that disables security features, deletes logs, and kills competing miners, before the Diamorphine rootkit is deployed for stealth and persistent access. This operation reflects TeamTNT's evolution since 2019, now using enhanced tactics to maintain control of and hide within compromised systems.

Disclaimer: Titles and summaries are AI generated. Please refer to linked content for more details.
