Clement Tetteh Kpakpah says
American Water Hit by Cyber-Attack, Billing Systems Disrupted | Alessandro Mascellino | 8 Oct 2024
American Water, the United States’ largest publicly regulated water and wastewater utility, fell victim to a cyber-attack affecting some internal systems. This firm provides essential water and wastewater services to more than 14 million people across 14 states, and hence it has swiftly proceeded to secure its operations after detecting unauthorized activity within its networks on October 3rd, 2024. American Water has confirmed its operations have not been affected by the attack and, as a form of precaution, specific systems have been disconnected and customer billing has also been suspended without any late charges to customers within the period. American Water has stated its focus to be protecting customer data and preventing further damage. The specific details and type of cyber-attack have not been disclosed. However, law enforcement and internal teams are working strongly to investigate the nature of the breach.
https://www.infosecurity-magazine.com/news/american-water-cyberattack-billing/
Yash Mane says
LinkedIn was fined €310 million by the Irish Data Protection Commission (DPC) for utilizing user behavior data for targeted advertising without authorization, a violation of the GDPR. Following a complaint to the French Data Protection Authority, the DPC investigation concluded that LinkedIn’s consent methods were inadequately informed and that its interests superseded those of its users. According to this decision, LinkedIn’s data processing was in violation of many GDPR regulations, including Article 6 and Article 5(1)(a). In addition to the penalties, LinkedIn has been mandated to comply with GDPR regulations within three months, guaranteeing that user permission for data processing is explicit, informed, and freely provided.
https://securityaffairs.com/170266/laws-and-regulations/irish-dpc-fined-linkedin.html
Steven Lin says
Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining
TeamTNT is one of the most notorious cryptojacking groups, and now they have started a new campaign of large-scale attacks against Docker environments in cloud settings to use them for unauthorized mining of cryptocurrencies and renting out compromised servers. They use mass-scanning tools to exploit unprotected Docker APIs, deploying malware that takes over cloud resources for mining Monero and renting them on Mining Rig Rentals. Significantly, there has been a transition to the Sliver C2 framework, accompanied by the use of AnonDNS to preserve both control and anonymity, illustrating a sophisticated and developing approach to monetization. This particular campaign is noteworthy as it exemplifies an increasing trend in cybercriminal activities, wherein perpetrators enhance and evolve their operational techniques, compromising not just individual systems, but also employing advanced strategies to oversee and capitalize on entire networks via cloud services.
https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.html
Jocque Sims says
In the News – Georgia says it foiled an attempt to crash a state election website
Brief Summary: On October 14, 2024, detection tools from Georgia’s Office of the Secretary of State reported a slowdown in processing shortly after 5 PM. Cloudflare, a distributed denial of service (DDoS) firm contracted by the state agency, alerted them within minutes of an attack that involved flooding a website with data to overwhelm and disable it.
Key Points:
- Over 420,000 Internet Protocol (IP) addresses were simultaneously attempting to access the site, leading to a slowdown of Georgia’s absentee voter portal. Fortunately, the site did not crash, and no data compromise occurred.
- The attempted attack took place just one day before the start of early in-person voting, indicating potential political motives behind the action.
- In response, the state agency’s IT department implemented a verification tool that required users to confirm they were human. Traffic returned to normal within 30 minutes of the alert.
- As required by federal law, the agency notified the FBI, CISA, and DNI. As of October 24, 2024, state or federal authorities have not identified the attackers responsible for the attempt.
Source: https://www.pbs.org/newshour/nation/georgia-says-it-foiled-attempt-to-crash-a-state-election-website
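The post above describes the signature of a volumetric flood: hundreds of thousands of distinct source addresses hitting one site within minutes. As an added example (not code from the PBS article or from the Georgia agency), here is the kind of per-minute baseline check a defender can run over web-server access logs to surface that pattern before a human notices the slowdown. The log lines, the thresholds and the IP ranges (RFC 5737 documentation addresses) are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines: "<ISO timestamp> <source IP> <method> <path>".
# A quiet baseline, then one minute in which 500 requests arrive from 250 distinct sources.
SAMPLE_LOG = [
    "2024-10-14T17:00:00 203.0.113.10 GET /absentee",
    "2024-10-14T17:00:05 203.0.113.11 GET /absentee",
    "2024-10-14T17:00:30 203.0.113.12 GET /absentee/status",
    "2024-10-14T17:01:02 203.0.113.10 GET /absentee",
] + [
    f"2024-10-14T17:02:{i % 60:02d} 198.51.100.{i % 250} GET /absentee"
    for i in range(500)
]


def parse_line(line):
    """Split one log line into (timestamp, source IP, path)."""
    ts_str, ip, _method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts_str), ip, path


def minute_buckets(lines):
    """Group requests per minute: {minute: [request_count, set_of_source_ips]}."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        ts, ip, _path = parse_line(line)
        key = ts.replace(second=0, microsecond=0)
        buckets[key][0] += 1
        buckets[key][1].add(ip)
    return buckets


def detect_floods(lines, baseline_ips=50, baseline_requests=200):
    """Return the minutes whose distinct-source count or request volume exceeds
    the (assumed, constructed) baseline for this site. A jump in distinct sources
    with a flat per-source rate is what distinguishes a distributed flood from one
    noisy client that ordinary per-IP rate limiting would already handle."""
    alerts = []
    for minute, (count, ips) in sorted(minute_buckets(lines).items()):
        if len(ips) > baseline_ips or count > baseline_requests:
            alerts.append({
                "minute": minute.isoformat(),
                "requests": count,
                "distinct_ips": len(ips),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG):
        print(alert)
```

In practice the baseline would be learned from the site's own history rather than hard-coded, and an alert of this kind is what would trigger the human-verification challenge the post mentions.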
Daniel Akoto-Bamfo says
Exposed United Nations Database Left Sensitive Information Accessible Online
An online database was discovered leaking sensitive data from the United Nations Trust Fund to End Violence Against Women, where over 115,000 files regarding organizations partnering up with or getting financing from UN Women were exposed. This includes staffing information, contracts, correspondence, and financial audits of organizations working around the world with highly vulnerable communities, including those living under repressive regimes. The unsecured database, not password-protected and lacking proper access controls, was found by security researcher Jeremiah Fowler. He notified the UN, who then secured their database. Given the nature of the information exposed, there are many ways to take advantage of what was accessible: financial audits can be misused, budget breakdowns, operating costs, and employee information. Adding the reputation of trust related to the UN, this data can be used in scams.
https://www.wired.com/story/un-women-database-exposure/
Sara Sawant says
Hacker claims to have data linked to 19 million French mobile and internet customers
A hacker claims to have accessed data linked to 19.2 million customers of the French internet service provider Free. The breach, which affects Free Mobile and Freebox customers, involved a management tool and allegedly exposed personal details such as names, email addresses, phone numbers, and over 5 million IBAN numbers. Free confirmed the breach but stated that passwords and bank card information were not compromised. They are notifying affected customers and have implemented measures to enhance security. Experts warn about the potential for phishing attacks using the leaked data.
https://www.itpro.com/security/cyber-attacks/hacker-claims-to-have-data-linked-to-19-million-french-mobile-and-internet-customers
Justin Chen says
Russian charged by U.S. for creating RedLine infostealer malware
The United States announced charges today against Maxim Rudometov, a Russian national, for being the suspected developer and administrator of the RedLine malware operation, one of the most prolific infostealers over the past few years.
These infostealers, marketed to cybercriminals and sold via subscriptions, enable attackers to steal credentials and financial data and bypass multi-factor authentication.
Rudometov was named in an update to ‘Operation Magnus,’ an international law enforcement operation that announced yesterday it had disrupted the RedLine and META malware-as-a-service (MaaS) platforms.
The U.S. DOJ announced today charges against Maxim Rudometov based on evidence of his direct involvement with the creation of RedLine and the management of its operations.
https://www.bleepingcomputer.com/news/security/russian-charged-by-us-for-creating-redline-infostealer-malware/
Sarah Maher says
A Sherlock Holmes Approach to Cybersecurity: Eliminate the Impossible with Exposure Validation
Exposure validation is a tool for cyber professionals to better understand and prioritize vulnerabilities. Cyber professionals often find lists upon lists of vulnerabilities, and it’s important to categorize the vulnerabilities to ensure time and money are being used in the right way. Exposure validation runs continuous tests to see if the vulnerabilities found can actually be exploited or if there are already effective mitigations in place. “Exposure validation bridges this chasm by simulating actual attack scenarios.”
This is not in the article, but something I just thought of. If this is a tool people can buy, couldn’t it just be used by cybercriminals to see what vulnerabilities an organization has that it can actually exploit?
https://thehackernews.com/2024/10/a-sherlock-holmes-approach-to.html
Lili Zhang says
The hacking group TeamTNT recently launched a new malware campaign targeting exposed Docker daemons, deploying the Sliver malware and cryptomining software across 16 million IP addresses. TeamTNT compromised a Docker Hub account to upload malicious software images and used the “TDGGinit.sh” script to facilitate further malicious activities. In this attack, they steal credentials and hijack infected resources for cryptocurrency mining or reselling. Experts advise organizations to strengthen cybersecurity measures to counter these threats.
https://hackread.com/teamtnt-exploits-ips-malware-attack-docker-clusters/
Rohith says
An investigation by French newspaper Le Monde found that the highly confidential movements of U.S. President Joe Biden, presidential rivals Donald Trump and Kamala Harris, and other world leaders can be easily tracked online through a fitness app that their bodyguards use.
But the U.S. Secret Service told the newspaper that it doesn’t believe the protection it provides was in any way compromised.
Le Monde found that some U.S. Secret Service agents use the Strava fitness app, including in recent weeks after two assassination attempts on Trump, in a video investigation released in French and in English. Strava is a fitness tracking app primarily used by runners and cyclists to record their activities and share their workouts with a community.
https://www.securityweek.com/fitness-app-strava-gives-away-location-of-biden-trump-and-other-leaders-french-newspaper-says/
Charles Lemon says
LinkedIn bots and spear phishers target job seekers
LinkedIn remains one of the most important job platforms. However, like any other social media site, it has become increasingly flooded with bots. These bots are attracted to keywords and hashtags such as “opentowork” or posts mentioning if someone was just laid off. Within minutes of a post, dozens of accounts start replying with links or requests to be added as a connection. The use of certain hashtags was already known to attract bots, and the #opentowork one is no different. While bots are easy to spot for most people, a more dangerous phenomenon is personalized messages through InMail that appear as legit recruiters or employers. These messages will contain fake LinkedIn links that redirect a user to enter sensitive data such as passwords. Scammers are notorious for targeting the vulnerable, and job seekers who may have just been laid off may desperately fall into one of these phishing attempts.
https://www.malwarebytes.com/blog/news/2024/10/linkedin-bots-and-spear-phishers-target-job-seekers
Aaroush Bhanot says
New Windows Driver Signature bypass allows kernel rootkit installs
Attackers can bypass Windows security features and install rootkits by downgrading kernel components. Outdated software components can be introduced on fully patched systems by exploiting the Windows Update process, making them susceptible to past vulnerabilities. Microsoft has dismissed the issue and the vulnerability remains unfixed, allowing for downgrade attacks and potential rootkit deployment. Researcher Alon Leviev at Black Hat showcased how outdated files reintroduce fixed vulnerabilities, even on Windows 11. Microsoft initially dismissed this due to administrative access requirements but is now developing mitigations.
https://www.bleepingcomputer.com/news/security/new-windows-driver-signature-bypass-allows-kernel-rootkit-installs/?utm_source=tldrinfosec
Parth Tyagi says
Delta officially launches lawyers at $500M CrowdStrike problem
Delta Air Lines is suing CrowdStrike in a bid to recover the circa $500 million in estimated lost revenue months after the cybersecurity company “caused” an infamous global IT outage. Delta had to cancel about 7,000 flights over the five-day period from July 19 to July 24 – a huge disruption hitting around 1.3 million customers and leading to multiple class-action lawsuits from affected passengers.
Delta was by far and away the hardest-hit airline in the US, despite other major carriers Allegiant Air, American Airlines, Frontier Airlines, Spirit Airlines, and United Airlines all reporting major issues.
Transportation Secretary Peter Buttigieg said at the time that the slow recovery was “unacceptable.” Around 3,000 complaints were made against Delta including those from people forced to sleep on airport floors as they waited for their flight to be rescheduled.
Read more in detail at https://www.theregister.com/2024/10/28/delta_airlines_crowdstrike_lawsuit/
Haozhe Zhang says
The banking malware Astaroth has returned to Brazil, spreading by spear-phishing emails disguised as official tax documents. An attachment in the email contains a ZIP file that carries both obfuscated JavaScript and Windows shortcuts for bypassing security. Once the malware is triggered, communications with the command-and-control server start, therefore compromising data and breaking user trust. Strong password policies, multi-factor authentication, keeping software up-to-date, and applying the rule of least privilege are suggested to help prevent such kinds of threats.
https://thehackernews.com/2024/10/astaroth-banking-malware-resurfaces-in.html
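The lure described above, a ZIP attachment carrying script files and Windows shortcuts dressed up as a tax document, is something a mail gateway can reject on structure alone, before any payload runs. As an added example (not code from the article and not Astaroth's tooling), the block below screens an archive's member list for script and shortcut types and for the double-extension decoy pattern (`something.pdf.lnk`). The sample archive is constructed in memory with placeholder bytes; the extension lists are an assumed policy for a gateway that expects only documents.

```python
import io
import zipfile

# Assumed policy: member types that a legitimate "tax document" archive never needs.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
SHORTCUT_EXTENSIONS = {".lnk", ".url"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
EXECUTABLE_LIKE = SCRIPT_EXTENSIONS | SHORTCUT_EXTENSIONS


def classify_member(name):
    """Return the reasons a single archive member is suspicious (empty list if none)."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script")
    if ext in SHORTCUT_EXTENSIONS:
        reasons.append("shortcut")
    # "invoice.pdf.lnk": a document-looking name with an executable-like real extension.
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS and ext in EXECUTABLE_LIKE:
        reasons.append("double-extension decoy")
    return reasons


def screen_zip(data):
    """Map suspicious member names to their reasons; {} means the archive passed."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample mirroring the lure's shape: a shortcut posing as a PDF,
    a script, and a harmless text file. Contents are inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NotaFiscal_2024.pdf.lnk", b"placeholder shortcut bytes")
        zf.writestr("loader.js", b"/* placeholder script */")
        zf.writestr("leia-me.txt", b"plain text, no issue")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in screen_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(reasons)}")
```

A name-based screen like this is a first filter, not a substitute for content inspection: the next step on a real gateway is to parse shortcut and script members themselves, and to apply the same screen recursively to nested archives.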
Elias Johnston says
This article examines the DDoS threat landscape from 2020 into early 2021, highlighting a significant rise in attack frequency and scale, with more attacks over 50 Gbps than in all of 2019. Notably, three of Akamai’s largest DDoS attacks occurred in one month, targeting industries like gambling and gaming.
The resurgence of extortion campaigns saw an attack peak at over 800 Gbps, driven by criminals seeking Bitcoin payouts. New attack vectors, particularly the abuse of the Datagram Congestion Control Protocol (DCCP), have emerged, allowing attackers to circumvent traditional defenses. Additionally, attacks have become more targeted and persistent, often employing multiple vectors over extended periods. The article stresses the importance of organizations being prepared with robust DDoS defenses to address these evolving threats.
https://www.akamai.com/blog/security/2021-volumetric-ddos-attacks-rising-fast