GSG Monthly Newsletter - 2nd Edition, December 2024
CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday, November 7, added a now-patched critical security flaw affecting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that could lead to an admin account takeover.
“Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data,” CISA said in an alert.
For more information: CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability – The Cyber Post
CISA Releases Nineteen Industrial Control Systems Advisories
CISA released nineteen Industrial Control Systems (ICS) advisories on November 14, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Among them is ICSA-24-319-08 (Siemens SINEC INS).
For more details: Cybersecurity Alerts & Advisories | CISA
Hackers exploit a vulnerability in Array Networks SSL VPNs
Hackers are exploiting a vulnerability in Array Networks’ SSL VPN products, specifically the AG Series and vxAG ArrayOS (tracked as CVE-2023-28461), that allows attackers to execute arbitrary code on the gateway without authentication.
Because these SSL VPN gateways are the entry point for remote access, a compromised appliance can be used for unauthorized network access, data theft, and further intrusion. Array Networks has acknowledged the issue, is investigating with outside security experts, and has published guidance for affected customers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is monitoring the situation. Users are advised to apply the available patches and follow standard hardening practices for internet-facing edge devices to reduce risk.
For More Details: http://go.pardot.com/e/1040471/vuln-detail-CVE-2023-28461/8xwdsj/1673558511/h/5ryc9GPnaaWZRIlhAhoGLncuJvt3WU7aj-bEXvuN0Vs
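Both the Expedition flaw (CVE-2024-5910) and the Array Networks flaw (CVE-2023-28461) reached the KEV catalog with federal remediation due dates, which is what a defender should key off when deciding patch priority. The script below is an added example, not code from the newsletter or from CISA: it parses a catalog document in the shape of CISA’s KEV JSON feed, matches it against a scanner-style asset inventory, and reports each hit with its due date and days remaining. The catalog excerpt, the inventory hosts, and the placeholder CVE-2021-0000 are all constructed for the example, and the free-text fields are abbreviated.

```python
"""Triage CISA KEV entries against an asset inventory.

Added example (not from the newsletter or CISA). The catalog excerpt below is
constructed sample data in the shape of CISA's KEV JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
the asset inventory is hypothetical.
"""
import json
from datetime import date

# Constructed sample in the KEV feed's shape; only the two CVEs discussed in
# this newsletter are included, and long text fields are abbreviated.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-5910",
            "vendorProject": "Palo Alto Networks",
            "product": "Expedition",
            "vulnerabilityName": "Palo Alto Networks Expedition Missing Authentication Vulnerability",
            "dateAdded": "2024-11-07",
            "dueDate": "2024-11-28",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2023-28461",
            "vendorProject": "Array Networks",
            "product": "AG/vxAG ArrayOS",
            "vulnerabilityName": "Array Networks AG and vxAG ArrayOS Missing Authentication Vulnerability",
            "dateAdded": "2024-11-25",
            "dueDate": "2024-12-16",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Hypothetical inventory: host -> CVEs a scanner reported as unpatched.
# CVE-2021-0000 is a placeholder ID that is deliberately not in the catalog.
INVENTORY = {
    "expedition-01.corp.example": ["CVE-2024-5910"],
    "vpn-gw-02.corp.example": ["CVE-2023-28461", "CVE-2021-0000"],
    "build-07.corp.example": ["CVE-2021-0000"],
}


def load_kev(raw_json):
    """Return {cveID: entry} from a KEV catalog document."""
    doc = json.loads(raw_json)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def triage(inventory, kev, today_iso):
    """Report every inventory CVE that is in KEV, with its remediation due date
    and days remaining (negative = overdue). Most urgent findings come first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: exploitation status unknown, not a KEV finding
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    report = triage(INVENTORY, load_kev(SAMPLE_KEV_JSON), "2024-12-02")
    for f in report:
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        print(f'{f["host"]}: {f["cve"]} ({f["product"]}) due {f["due"]} [{state}]')
```

Swap SAMPLE_KEV_JSON for the downloaded feed and INVENTORY for your scanner export; entries whose due date has passed are overdue under CISA’s binding directive for federal agencies and are a sensible first cut for anyone else.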
Ford investigates alleged breach following customer data leak
Ford is investigating allegations that it suffered a data breach after a threat actor claimed to leak 44,000 customer records on a hacking forum.
The leak was announced on Sunday by threat actor ‘EnergyWeaponUser,’ also implicating the hacker ‘IntelBroker,’ who supposedly took part in the November 2024 breach.
The threat actors leaked on BreachForums 44,000 Ford customer records containing customer information, including full names, physical locations, purchase details, dealer information, and record timestamps.
For more details: Ford investigates alleged breach following customer data leak
Iran-linked group aims malware at aerospace industry through fake job recruiters
Suspected Iranian hackers impersonated recruiters on LinkedIn to target the aerospace industry in a new espionage campaign, researchers have found.
So-called “fake worker” schemes are typically associated with North Korean threat actors. However, the Israel-based cybersecurity company ClearSky has attributed this latest campaign to the Iranian operation tracked as TA455, likely a subgroup of the Iranian government cyberwarfare group Charming Kitten.
Researchers suggest that TA455 either impersonated Pyongyang-backed hackers to mask its activities or that North Korea shared attack methods and tools with Iran.
For more details: Iran-linked group aims malware at aerospace industry through fake job recruiters – The Cyber Post
INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime
INTERPOL on Tuesday said it took down more than 22,000 malicious servers linked to various cyber threats as part of a global operation.
Dubbed Operation Synergia II, the coordinated effort ran from April 1 to August 31, 2024, targeting phishing, ransomware, and information stealer infrastructure.
“Of the approximately 30,000 suspicious IP addresses identified, 76 per cent were taken down and 59 servers were seized,” INTERPOL said. “Additionally, 43 electronic devices, including laptops, mobile phones and hard disks were seized.”
For more details: INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime – The Cyber Post
US charges Phobos ransomware admin after South Korea extradition
Evgenii Ptitsyn, a Russian national and suspected administrator of the Phobos ransomware operation, was extradited from South Korea and is facing cybercrime charges in the United States.
Phobos is a long-running ransomware-as-a-service (RaaS) operation (derived from the Crysis ransomware family) widely distributed through many affiliates. Between May 2024 and November 2024, it accounted for roughly 11% of all submissions to the ID Ransomware service.
The Justice Department has linked the Phobos ransomware gang to breaches of over 1,000 public and private entities in the United States and worldwide, with ransom payments worth more than $16 million.
For more details: US charges Phobos ransomware admin after South Korea extradition
Employee Data Compromised in Hacker Attack on Space Technology Firm Maxar
Satellite maker Maxar Space Systems is notifying its employees that their personal information was compromised in an October 2024 data breach.
The incident, the company says, was discovered on October 11, and prompted an immediate response to block unauthorized access to its systems.
However, the investigation into the matter revealed that a threat actor had access to Maxar’s network for roughly one week before the data breach was discovered.
The potentially compromised information, the company says, includes names, addresses, gender, Social Security numbers, business phone numbers and other business contact information, employment status, job titles, supervisor, department, and other employment-related information.
For more details: Employee Data Compromised in Hacker Attack on Space Technology Firm Maxar – SecurityWeek
Blue Yonder ransomware attack disrupts Starbucks operations
A ransomware attack on Blue Yonder, a supply chain software provider, has disrupted operations at Starbucks, forcing the company to revert to manual systems for employee scheduling and payroll. The attack, disclosed on November 21, affected Blue Yonder’s managed services environment, causing widespread service interruptions. The company is working with cybersecurity firm CrowdStrike to investigate and recover, but no timeline for full restoration has been provided. Blue Yonder, which offers AI-driven supply chain solutions to over 3,000 clients worldwide, serves companies like Starbucks, Morrisons, and Sainsbury’s. While Starbucks and others have been impacted, it’s unclear if major clients like Kroger and Procter & Gamble were directly affected.
Ransomware attacks, which typically lock computer systems to extort payments, resulted in a record $1.1 billion in global ransom payments in 2023. These attacks are especially prevalent during the holiday shopping season, exploiting reduced staffing and heightened activity.
The recent attack adds to the challenges facing Starbucks’ new CEO Brian Niccol, as the company is already dealing with three consecutive quarters of declining sales.
Read more here: http://go.pardot.com/e/1040471/-yonder-starbucks-76576514007-/8xwdt7/1673558511/h/5ryc9GPnaaWZRIlhAhoGLncuJvt3WU7aj-bEXvuN0Vs
*Disclaimer: This newsletter contains links to sites on the Internet that are owned and operated by third parties. We do not claim ownership of any third-party content. Trademarks, logos, and brand names are the property of their respective owners.
**These are basic steps; advanced issues may need expert intervention. Consult our team for detailed analysis.