Flair Data Systems Cybersecurity News Update 5-8-2024
My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 5/8/2024...

I hope your week is going well so far. For some, it’s been smooth sailing, while others are juggling new projects and the usual daily grind. Speaking of high-stakes scenarios, the US has placed a $10 million bounty on the head of the LockBit creator (details in the article below). Imagine the mixed emotions that must bring! It’s fascinating how anonymity online can give people a sense of invincibility. But once your real identity is exposed, that sense of security vanishes, and the reality of a bounty on your head, sets in.
In the US, $10 million is a significant amount, but in other parts of the world, its value is even more impactful. One has to wonder how this revelation affects the trust and relationships the LockBit creator has with those around him.
Now, let's dive into this week's cybersecurity news update....
US indicts LockBit ransomware ringleader
Dmitry Yuryevich Khoroshev, a 31-year-old Russian national, has been indited by the DOJ for the development and administration of LockBit ransomware
- Artur Sungatov and Ivan Kondratyev have also been charged for deploying LockBit against victims in the US
- Khoroshev is facing 26 charges and up to 185 years in prison with a bounty of $10 million for information that helps law enforcement apprehend him
Link (1): https://www.theverge.com/2024/5/7/24151493/us-lockbit-ransomware-ringleader-indictment-reward
LastPass spin off from GoTo
LastPass has announced it has separated from the parent company, GoTo - which was stated to start that process in December of 2021
- The new holding company will be LMI Parent, a shareholder holding company
- The CEO, Karim Toubba, will stay at the helm with the new structure
Link (1): https://www.theverge.com/2024/5/1/24146205/lastpass-independent-company-security-breaches
Goldoon botnet exploits D-Link routers
A new botnet dubbed, Goldoon, has been found to be exploiting a decade-old vulnerability in unpatched D-Link routers
- CVE-2015-2051 - could allow a threat actor to run code remotely on infected hardware with low attack complexity
- The activity spiked in April, which was doubling the frequency
Link (1): https://therecord.media/goldoon-botnet-unpatched-dlink-routers
Dropbox discloses breach of digital signature service
Dropbox Sign (formally HelloSign) has announced a breach of their system where a threat actor was able to access customer information
- Dropbox investigation has them to believe that only the Sign infrastructure was compromised, and not the other Dropbox platforms
- Data exposed included Email, Usernames, phone numbers and hashed passwords along with general account settings and certain authentication information (API keys, OAuth tokens, and MFA)
- If someone was to received or signed a Dropbox Sign document, but never created an account the email address and names were also exposed
- If the authentication was set up through Google, no password was stored or exposed
- Currently, there is no evidence of customer accounts being accessed or payment information
Link (1): https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign
Cybersecurity consultant arrested after allegedly extorting IT firm
Vincent Cannady, 57, worked for a staffing company to assess and remediate potential vulnerabilities in a New York-based multinational IT ISP
- On June 23, 2023, he was terminated for performance reasons
- Cannady allegedly used a company-issued laptop to download proprietary and confidential documents, including architectural maps, trade secrets, and list of potential vulnerabilities to which he still maintained access to after being terminated
- He threatened to publicly disclose the information unless the company agreed to pay him up to $1.5 million as a settlement, for what he claims to be employment termination
- This one hit home, as a security professional we are trusted advisors to the organization we support and yet people are going to be just that... people. I completely disagree with everything this individual did, and for an executive or outsider looking in it paints a horrible picture of our industry
Buffer Overflow Vulnerabilities in ArubaOS (critical 9.8 rating)
There is a temporary work around available until patches can be applied.
- CVE-2024-26305: Buffer overflow in ArubaOS' utility daemon
- CVE-2024-26304: Buffer overflow in ArubaOS' L2/L3 management service
- CVE-2024-33511: Buffer overflow in ArubaOS' automatic reporting service
- CVE-2024-33512: Buffer overflow in ArubaOS' local user authentication database
- No PoC has been released as of yet but all 4 exploits are accessible through Aruba's PAPI UDP port 8211
- Aruba Mobility Conductors, Mobility Controllers, and WLAN and SD-WAN gateways are all affected
Link (1): https://www.arubanetworks.com/support-services/security-bulletins/
Link (2): https://www.theregister.com/2024/05/02/hpe_aruba_patches/
Feds warn about North Korean exploitation of improperly configured DMARC
Several Fed Agencies have published an advisory last week to warn of hackers targeting improperly configured DNS DMARC record policies
- DMARC, a decade old, used by email platforms to authenticate messages and reduce the ability to spoof domains
- North Korean hackers have been targeting improperly configured DMARC setups to make it look like their emails are coming from a legitimate domains email exchange, allowing them to masquerade as experts or academics with credible links to North Korean policy circles
- This is a reminder that when creating a control, it is fully implemented - there are times to allow for testing to be performed but a following to finalize the controls is necessary - this is something we all know, but have a tendency to get busy chasing squirrels and circling back gets delayed or forgotten until it's too late
Link (1): https://therecord.media/north-korea-kimsuky-hackers-dmarc-emails
DHCP Based VPN Routing Leaks
CVE-2024-3661: By design, the DHCP protocol does not authenticate messages, including for example the classless static route option (121). An attacker with the ability to send DHCP messages can manipulate routes to redirect VPN traffic, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN. Many, if not most VPN systems based on IP routing are susceptible to such attacks.
- There are fix capabilities, but it will require a lot of times for vendors to update their VPN software or applying work arounds
- The link above does provide a PoC for how this works
Link (1): https://www.leviathansecurity.com/blog/tunnelvision
Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!
About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance to include; developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.
Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children.
About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S. We are a trusted cyber security solutions company in Dallas, TX.