Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12810
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-10-04 20:42:11 | theregister | DATA BREACH | Comcast Data Compromised in Third-Party Ransomware Attack | In February, Comcast subscriber data was stolen during a cyberattack on Financial Business and Consumer Solutions (FBCS), a debt collection agency previously used by Comcast.
FBCS initially reported that no Comcast data was affected, but confirmed in July that the breach exposed names, addresses, Social Security numbers, dates of birth, and account details of 237,703 customers.
The breach occurred as part of a ransomware attack where data was downloaded and systems were encrypted by an unauthorized party between February 14 and 26, 2024.
FBCS, struggling financially, reportedly cannot afford to provide typical credit monitoring for those impacted, leaving Comcast to manage victim notifications and protective measures.
FBCS notified the FBI about the attack but has provided limited information publicly regarding the ransomware specifics or technical details of the breach.
The breach has also hit other FBCS clients: CF Medical (Capio) reported 626,396 records compromised from the data it had entrusted to FBCS.
FBCS has said little publicly, issuing no statement that addresses the breach specifics or the ransomware aspect directly, while Comcast shoulders victim communication and protective services. | Details |
| 2024-10-04 20:36:50 | bleepingcomputer | RANSOMWARE | Ransomware Attack Forces Closure of Highline Public Schools | Highline Public Schools experienced a significant ransomware attack on September 7, leading to the closure of all schools and cancellation of activities.
The school district, serving over 17,500 students and employing 2,000 staff, initiated an immediate investigation with assistance from forensic cybersecurity experts.
Following the attack, the FBI was notified, and the district is cooperating with their ongoing investigation, though details remain confidential due to the sensitive nature of the inquiries.
Affected network systems are currently being rebuilt, and the district plans to re-image all Windows devices and instruct all users to change their network passwords starting October 14.
Chromebooks and Apple devices do not require re-imaging but will need password resets before further use.
To mitigate potential identity theft risks, the district is offering one year of free credit and identity monitoring services to all employees.
This ransomware incident is part of a larger trend impacting educational institutions across North America, highlighting increased cyber risks in the sector. | Details |
| 2024-10-04 20:16:16 | theregister | DATA BREACH | Over 237,000 Comcast Customers Affected by Debt Collector Data Breach | Comcast has disclosed that personal data for 237,703 subscribers was stolen during a cyberattack on debt collection agency FBCS.
FBCS suffered a ransomware attack between February 14 and 26, 2024, resulting in unauthorized data access and system encryption.
Stolen data included names, addresses, Social Security numbers, dates of birth, and internal Comcast account IDs from around 2021.
FBCS initially informed Comcast in March that no customer data was compromised, but revised this statement in July acknowledging the data theft.
FBCS's compromised data also includes 626,396 customers from CF Medical, another former client.
Because FBCS is financially unable to offer credit monitoring, Comcast is providing support services to affected customers directly.
The FBI has been notified of the attack, though FBCS has been reticent about publicly detailing the breach or confirming the ransomware aspect.
Comcast ceased using FBCS for debt collection services in 2020, ahead of the breach. | Details |
| 2024-10-04 18:59:31 | bleepingcomputer | CYBERCRIME | Russian Authorities Arrest Nearly 100 in Major Cybercrime Crackdown | Russian law enforcement conducted 148 raids, resulting in the arrest of 96 individuals associated with the Cryptex cryptocurrency exchange and other online services.
Those arrested are charged with organizing a criminal network, unlawful computer access, illegal payment processing, and unlawful banking activities since 2013.
The network facilitated currency and cryptocurrency exchanges, operated illegal banking services, and sold bank cards and accounts primarily to cybercriminals.
In 2023 alone, the criminal group processed transactions worth over 112 billion rubles ($1.1 billion), generating illicit income of approximately 3.7 billion rubles ($38.7 million).
Assets seized include over 1.5 billion rubles, luxury vehicles, boats, helicopters, and snowmobiles.
Sergey Ivanov, also sanctioned by the U.S. and known as 'Taleon', was among those detained; he is linked to U.S.-sanctioned services like UAPS, which processed funds for ransomware actors and darknet vendors.
The crackdown follows action by Dutch and German authorities, who seized Cryptex-related servers and shut down 47 cryptocurrency exchange platforms involved in money laundering. | Details |
| 2024-10-04 16:06:34 | bleepingcomputer | NATION STATE ACTIVITY | Google Removes Kaspersky Apps Amid U.S. Sanctions Concerns | Google has removed Kaspersky's antivirus apps from the Play Store and disabled the Russian company's developer accounts.
This decision aligns with previous U.S. government sanctions against Kaspersky, citing national security concerns which led to a ban on Kaspersky antivirus software.
Kaspersky confirmed the removal of its products from the Play Store on its official forums and is currently investigating the reasons behind this action by Google.
The company suggested users download their applications from alternative sources such as the Galaxy Store, Huawei AppGallery, and Xiaomi GetApps, or directly via the .apk file from Kaspersky’s website.
There has been no official comment from Google regarding the specific reasons for removing Kaspersky's software from the Play Store.
This development follows Kaspersky's decision in July to cease U.S. operations and the replacement of its software with an alternative antivirus solution without prior notification to its customers. | Details |
| 2024-10-04 16:00:58 | bleepingcomputer | CYBERCRIME | Cyberattack Delays Outlast Game Development at Red Barrels | Canadian video game developer Red Barrels experienced a significant cyberattack impacting its IT systems and data security.
The attack has caused a delay in the development of the Outlast series, including potential delays in upcoming patches and new content releases.
Despite the cybersecurity breach, there has been no indication that player data was compromised during the incident.
Red Barrels deployed immediate security measures and engaged external cybersecurity specialists for an in-depth investigation.
Stakeholders and authorities have been notified, and employees have been offered support in response to the breach.
The company confirmed that the security breach has been contained and emphasizes continued efforts to strengthen their cybersecurity framework.
Future production timelines for games such as the anticipated Outlast 3 will be adjusted, though specific release details remain uncertain. | Details |
| 2024-10-04 13:07:10 | thehackernews | NATION STATE ACTIVITY | U.S. and Microsoft Counter Russian Cyber Operations, Seize Domains | The U.S. Department of Justice and Microsoft have together seized 107 domains (41 by the DOJ, 66 by Microsoft) operated by the Russian state-sponsored cyber actor known as COLDRIVER.
COLDRIVER, linked to Russia's FSB, has been involved in extensive spear-phishing campaigns targeting U.S. government officials and sensitive data since at least 2012.
The recent operation targeted domains used for credential harvesting and unauthorized computer access, which compromised both governmental and civilian entities.
In June 2024, the European Council sanctioned two key COLDRIVER members, echoing previous U.S. and U.K. sanctions, for their roles in these malicious campaigns.
In parallel with the DOJ seizures, Microsoft's civil action took down the 66 domains used to attack NGOs and think tanks supporting Ukraine and NATO.
Since January 2023, Microsoft has identified 82 of its customers targeted by COLDRIVER, a measure of how persistent and adaptive the group remains.
Victims, often unknowingly, interact with spear-phishing emails that facilitate the theft of credentials and infiltration of sensitive systems. | Details |
| 2024-10-04 13:01:51 | bleepingcomputer | CYBERCRIME | Sellafield Fined $440,000 Over Critical Cybersecurity Failures | Sellafield, a major UK nuclear waste processing facility, has been fined £332,500 ($440k) by the Office for Nuclear Regulation (ONR) for failing to meet cybersecurity standards from 2019 to 2023.
The facility was found to have left multiple vulnerabilities unpatched, in violation of the Nuclear Industries Security Regulations 2003, exposing it to threats such as ransomware and phishing.
These security lapses risked sensitive nuclear information and could disrupt high-hazard operations and delay decommissioning activities.
No exploitation was found, but the vulnerabilities could have led to unauthorized access and loss of data.
ONR's investigation, prompted by press reports, revealed serious deficiencies in cybersecurity management even though there was no evidence that external threats had exploited them.
Sellafield has initiated leadership changes and strategic improvements in IT management to address and remediate the identified cybersecurity risks.
ONR acknowledges good progress in Sellafield’s efforts to improve its cybersecurity posture in recent evaluations. | Details |
| 2024-10-04 12:00:27 | theregister | MISCELLANEOUS | Apple Updates iOS to Address Security and Privacy Bugs | Apple has updated iOS and iPadOS to version 18.0.1, fixing two security bugs.
One of them (CVE-2024-44204) allowed VoiceOver to read saved passwords aloud, a privacy risk in particular for visually impaired users.
The issue arrives awkwardly soon after the launch of iOS 18, which introduced Apple's own password manager, the Passwords app.
Apple has not fully disclosed the conditions or specific triggers for the password-disclosure bug.
Affected devices are the iPhone XS and later, plus a range of modern iPads.
The update also resolves an audio bug (CVE-2024-44207) on iPhone 16 models, where audio messages in Messages could capture a few seconds of audio before the microphone indicator was activated.
Apple says both fixes consist of improved validation and checks.
No CVSS severity score has yet been published for either bug, possibly because of the backlog at the National Vulnerability Database. | Details |
| 2024-10-04 09:57:37 | thehackernews | DDOS | Cloudflare Successfully Defends Against Record 3.8 Tbps DDoS Attack | Cloudflare mitigated a 3.8 Tbps DDoS attack that lasted 65 seconds, the largest publicly disclosed volumetric attack to date.
Throughout September 2024, over one hundred hyper-volumetric L3/4 DDoS attacks occurred, targeting the financial services, internet, and telecommunications sectors.
The attacks used UDP on a fixed destination port, with sources concentrated in Vietnam, Russia, Brazil, Spain, and the U.S.
Many of the attacking devices were compromised ASUS home routers, likely taken over via CVE-2024-3080, a critical authentication-bypass flaw in those routers.
Such high-bitrate, high-packet-rate traffic most likely comes from a large botnet and is aimed at exhausting the target's network bandwidth and CPU cycles.
Cloudflare emphasized the necessity of cloud services with robust capacity and appropriate hardware to defend against such large-scale DDoS attacks.
The increase in DDoS attack frequencies and complexity is attributed to hacktivism and sophisticated command-and-control tactics.
The recently disclosed flaws in the CUPS printing system on Unix-like hosts have also been identified as a potential way to facilitate DDoS attacks. | Details |
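The Cloudflare item above describes the attack only in terms of its fingerprint: UDP, one fixed destination port, many sources, and a rate high enough to exhaust either link bandwidth or CPU. The following is an added example, not Cloudflare's code or anything from the article, showing how that fingerprint can be checked against sampled flow records. The flow records, source addresses (TEST-NET ranges), traffic volumes and the Gbps/Mpps/source-count thresholds are all constructed assumptions for illustration; the 3.8 Tbps event is scaled down by orders of magnitude so the sample stays readable.

```python
"""Flag a hyper-volumetric UDP flood aimed at one fixed destination port.

Added example, not Cloudflare's code. Input is a list of constructed flow
records in the shape of a sampled NetFlow/sFlow export: (protocol, source
IP, destination port, packets, bytes) observed in one 1-second window.
Thresholds and the sample traffic volumes are assumptions for illustration.
"""
from collections import defaultdict


def build_sample_flows(n_sources=200, pkts_per_source=10_000, pkt_size=1500):
    """Construct flood traffic: n_sources bots (TEST-NET-3 addresses) each
    sending pkts_per_source UDP datagrams of pkt_size bytes to UDP/443."""
    return [
        ("udp", f"203.0.113.{i + 1}", 443, pkts_per_source, pkts_per_source * pkt_size)
        for i in range(n_sources)
    ]


# Constructed background traffic that must not be flagged.
BACKGROUND_FLOWS = [
    ("tcp", "198.51.100.7", 443, 1_200, 900_000),
    ("udp", "198.51.100.9", 53, 40, 4_000),
    ("udp", "198.51.100.12", 123, 10, 760),
]


def aggregate(flows):
    """Sum packets and bytes and collect distinct sources per (proto, dst_port)."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for proto, src, dport, pkts, nbytes in flows:
        bucket = agg[(proto, dport)]
        bucket["packets"] += pkts
        bucket["bytes"] += nbytes
        bucket["sources"].add(src)
    return agg


def detect_udp_floods(flows, window_s=1.0, min_gbps=1.0, min_mpps=0.5, min_sources=50):
    """Return one finding per UDP destination port whose aggregate rate crosses
    a bandwidth (Gbps) or packet-rate (Mpps) threshold from many sources.

    Large packets at high bitrate exhaust link capacity; small packets at high
    packet rate exhaust CPU on the target and on intermediate devices, so the
    average packet size is used to label which resource is under attack.
    """
    findings = []
    for (proto, dport), b in aggregate(flows).items():
        if proto != "udp":
            continue
        gbps = b["bytes"] * 8 / window_s / 1e9
        mpps = b["packets"] / window_s / 1e6
        n_sources = len(b["sources"])
        if n_sources < min_sources or (gbps < min_gbps and mpps < min_mpps):
            continue
        avg_pkt = b["bytes"] / b["packets"]
        findings.append({
            "dst_port": dport,
            "gbps": gbps,
            "mpps": mpps,
            "sources": n_sources,
            "avg_packet_bytes": avg_pkt,
            "profile": "bandwidth exhaustion" if avg_pkt >= 1000 else "packet-rate (CPU) exhaustion",
        })
    return sorted(findings, key=lambda f: f["gbps"], reverse=True)


if __name__ == "__main__":
    for f in detect_udp_floods(build_sample_flows() + BACKGROUND_FLOWS):
        print(f"UDP/{f['dst_port']}: {f['gbps']:.1f} Gbps, {f['mpps']:.2f} Mpps "
              f"from {f['sources']} sources -> {f['profile']}")
```

The source-count floor is what separates a botnet flood from a single misbehaving client; the bitrate-or-packet-rate test is deliberately an OR, because a 64-byte packet flood can stay well under a bandwidth threshold while still saturating packet processing. Real thresholds should be derived from the link capacity and the packet-per-second ceiling of the edge devices, not from the placeholders used here.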
| 2024-10-04 09:37:01 | thehackernews | MISCELLANEOUS | Effective Implementation of CTEM for Enhanced Cybersecurity | Continuous Threat Exposure Management (CTEM) is a framework designed to help organizations manage and mitigate cyber risks through a strategic, ongoing process.
CTEM involves five key stages: Scoping, Discovery, Prioritization, Validation, and Mobilization, each essential for identifying and addressing vulnerabilities effectively.
Implementing CTEM can be challenging for newcomers due to its perceived complexity and the variety of tools and processes involved in each stage.
Tools such as Configuration Management Databases (CMDBs), vulnerability scanning tools, and Cloud Security Posture Management (CSPM) are critical at different stages for effectively managing assets and vulnerabilities.
Prioritization within the CTEM framework emphasizes understanding the business context to better address the most impactful threats, utilizing tools like attack path mapping and external threat intelligence platforms.
Validation confirms the exploitability of vulnerabilities, using methods like penetration testing and Breach and Attack Simulation (BAS) tools to ensure the prioritization of actual threats.
Mobilization improves collaboration between security and IT operations teams, integrating ticketing systems and creating clear remediation playbooks to facilitate quick and effective threat response.
XM Cyber offers a unified CTEM platform that reduces complexity by integrating various stages into one cohesive tool, enhancing real-time visibility, and fostering effective collaboration across teams. | Details |
| 2024-10-04 09:21:33 | thehackernews | MALWARE | High-Severity XSS Vulnerability Found in WordPress LiteSpeed Cache Plugin | A newly disclosed high-severity stored XSS vulnerability in the WordPress LiteSpeed Cache plugin is tracked as CVE-2024-47374 with a CVSS score of 7.2.
The flaw allows execution of arbitrary JavaScript; it affects all plugin versions up to 6.5.0.2 and is patched in version 6.5.1.
Exploitation requires the "CSS Combine" and "Generate UCSS" settings under Page Optimization to be enabled.
The XSS flaw can lead to serious security breaches, including data theft, session hijacking, and potential control over the WordPress site.
Unauthenticated users can escalate privileges, potentially gaining administrative access and initiating more severe attacks.
Stored XSS attacks involve permanent insertion of malicious scripts on the website, posing a recurring threat to site integrity and user security.
LiteSpeed Cache plugin is widely used, with over six million active installations, making it a prime target for cybercriminals.
Disclosure follows recent patching of another critical LiteSpeed Cache vulnerability and serious flaws in other popular WordPress plugins. | Details |
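The LiteSpeed Cache item above gives a practitioner three facts to act on: the last affected version (6.5.0.2), the patched version (6.5.1), and the two Page Optimization settings that must be on for the stored XSS to be reachable. The following is an added example, not code from LiteSpeed, The Hacker News or the plugin, that turns those facts into a triage check over a plugin header and an options dump. The option keys standing in for "CSS Combine" and "Generate UCSS" and the sample header are assumptions for illustration, not verified plugin internals.

```python
"""Triage a WordPress install for CVE-2024-47374 in LiteSpeed Cache.

Added example, not LiteSpeed's or The Hacker News' code. It reads the
plugin's 'Version:' header line, compares it numerically against the
patched release, and checks the two Page Optimization settings the
advisory names as exploit preconditions. The option keys used for those
settings are assumptions for illustration, not verified plugin internals.
"""
import re

PATCHED_VERSION = "6.5.1"

# Assumed option keys standing in for "CSS Combine" and "Generate UCSS".
CSS_COMBINE_KEY = "optm-css_comb"
GENERATE_UCSS_KEY = "optm-ucss"

# Constructed plugin header block, in the shape WordPress reads from the main plugin file.
SAMPLE_HEADER = """\
<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Version: 6.5.0.2
 */
"""


def parse_version(version):
    """Turn '6.5.0.2' into (6, 5, 0, 2) so comparison is numeric per component.
    Plain string comparison would wrongly rank '6.10' below '6.5'."""
    return tuple(int(part) for part in version.strip().split("."))


def extract_version(header_text):
    """Pull the Version: value out of a WordPress plugin header block."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)\s*$", header_text, re.M)
    if not match:
        raise ValueError("no Version: header found")
    return match.group(1)


def is_vulnerable(version):
    """Every release before the patched one is affected (up to and including 6.5.0.2)."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def triage(header_text, options):
    """Combine the version status with the exploit preconditions from the advisory."""
    version = extract_version(header_text)
    vulnerable = is_vulnerable(version)
    preconditions = bool(options.get(CSS_COMBINE_KEY)) and bool(options.get(GENERATE_UCSS_KEY))
    if not vulnerable:
        status = "patched"
    elif preconditions:
        status = "vulnerable and exploitable: update immediately"
    else:
        status = "vulnerable but preconditions not met: update before enabling CSS Combine/UCSS"
    return {
        "version": version,
        "vulnerable": vulnerable,
        "preconditions_met": preconditions,
        "status": status,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HEADER, {CSS_COMBINE_KEY: True, GENERATE_UCSS_KEY: True}))
```

The precondition check only changes the urgency, not the verdict: a site on 6.5.0.2 with the two settings off is still vulnerable and should be updated, because an administrator can flip those settings at any time.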
| 2024-10-04 08:05:02 | theregister | MISCELLANEOUS | CyberThreat 2024: Elevating Cybersecurity Skills in London | CyberThreat 2024, a major cybersecurity conference, is set for December in London, catering to the cybersecurity professional community.
The event is jointly hosted by the UK's National Cyber Security Centre and SANS Institute, emphasizing the development of essential cybersecurity skills.
Participants have the option to attend in person at Novotel London West or virtually, enhancing accessibility for global attendees.
The conference agenda includes keynote presentations, interactive technical sessions, and contributions from leading companies like Microsoft and Accenture.
A highlight of the event is the CyberThreat 2024 Capture The Flag (CTF) Tournament, offering attendees a chance to engage in practical, hands-on cybersecurity challenges.
Additional networking opportunities are available for in-person attendees, fostering professional connections within the cybersecurity industry.
Registration details and more information about the event can be found through provided links, encouraging potential attendees to explore further. | Details |
| 2024-10-04 06:38:25 | theregister | MISCELLANEOUS | Harvard Students Hack Smart Glasses to Expose Privacy Risks | Harvard undergraduates AnhPhu Nguyen and Caine Ardayfio have developed "I-XRAY," a tool using Meta Ray-Bans to identify people and gather personal data through public databases.
The glasses stream video to Instagram; the tool runs detected faces through the PimEyes face-search service and cross-references the hits with details such as addresses and partial Social Security numbers pulled from other websites.
A Python back end summarizes the results and delivers them to a JavaScript mobile app, returning personal data almost instantly.
The project highlights significant privacy concerns in the AI era, demonstrating the ease of accessing and compiling personal data from publicly available sources.
Despite its capabilities, the technology was characterized by the creators as a demonstration project, not intended for public use due to potential misuse.
Nguyen and Ardayfio emphasize that their intention was to showcase potential privacy risks with current technology to encourage public awareness and self-protection measures.
The developers noted that similar results could be achieved with any camera, not necessarily smart glasses, underscoring the widespread potential for privacy invasion. | Details |
| 2024-10-04 03:44:46 | theregister | MALWARE | Major Brands Hit by CosmicSting Malware in Payment Theft Scheme | The CosmicSting vulnerability (CVE-2024-34102) in Adobe Commerce and Magento has been exploited against big brands including Ray-Ban and National Geographic.
Attackers installed malicious JavaScript on checkout pages to steal payment card information during transactions.
Over 4,275 merchants using Adobe Commerce and Magento were compromised this summer, impacting five percent of all such online stores.
At least seven distinct cybercrime groups are actively exploiting the vulnerability, with several of them fighting for control of the same compromised sites.
Adobe addressed the vulnerability with a patch on June 11, but automated attacks exploiting the flaw had already commenced.
Sansec expects further breaches, having already identified attack indicators and data-stealing methods specific to each gang.
No customer credentials were compromised in a related attack on Cisco's Magento-based merchandise site, according to a spokesperson. | Details |