Flair Data Systems Cybersecurity News Update 7-03-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 7/03/2024... 

Happy 4th of July! 

I know there are a few that are taking today or Friday off since the 4th of July falls on a Thursday this year.  For those traveling, please stay safe and enjoy time with your family and friends. 

 

Last week I brought up two different stories and I wanted to provide an update as things have become clearer (or I found updated information after the fact). 

  • Federal Reserve: It seems that it was a 3rd party that was compromised, not the Federal Reserve, but the Threat Actor was making misdirected claims.  Who knew, the bad guys lied... But the story of Evolve Bank, which appears to be the one that was affected, has become an interesting one. 
  • CDK Global: I made a comment about how they had not published their 8-K yet, but that is because in late 2022 Brookfield Business Partners took them private, which explains why they are no longer held to the 8-K requirement. 

So, with that, let’s dive into this week’s cybersecurity news update... 


Gas chromatograph vulnerabilities reveal medical IoT challenges 

For those that are not aware, gas chromatographs are chemical analysis instruments, used across multiple industries, that measure the content of the various components of a sample 

  • Claroty, an IoT security company, discovered multiple vulnerabilities in specific gas chromatograph devices built by Emerson 
  • The affected devices, confirmed by Emerson, are the Rosemount GC370XA, GC700XA, and GC1500XA 
  • One of the vulnerabilities is a command injection flaw that would allow an unauthenticated attacker with network access to remotely execute arbitrary commands with root privileges 
  • Always work with the vendor to obtain the proper firmware updates to resolve these vulnerabilities. OT groups usually have the necessary vendor information, but to be honest, once these devices are put in place they are rarely updated unless there are operational issues 

Link (1): https://www.securityweek.com/gas-chromatograph-hacking-could-have-serious-impact-security-firm/ 

 

Evolve Bank confirms data breach, undermining LockBit’s Federal Reserve claim 

Evolve has confirmed a data breach and is working to investigate the incident 

  • Data exposed included PII, which has been placed on the dark web; the following may be included: name, SS#, DoB, account information, or other personal information 
  • Customers will be notified by Evolve with further information, and those whose account number was compromised will be issued new account numbers 

Link (1): https://therecord.media/evolve-bank-data-breach-lockbit  

 

TeamViewer Compromise (and updates) 

TeamViewer has stated that only their internal IT systems were compromised, not the product environment for applications used by customers (reconfirmed on June 30th) 

  • TeamViewer has enhanced their security controls within the organization to reduce the risk of this occurring again in the future. 
  • The incident was traced to the credentials of a standard employee account and was attributed to Midnight Blizzard (the same group that went after Microsoft) 
  • Note that I know some organizations that were using TeamViewer have put in controls to block it going forward and are looking for alternatives. One could say this is extreme, but I do believe they are doing what is best for their organization to maintain a secure environment 
  • Considering how LastPass ended up, it makes sense for organizations to take a step back and consider their supplier relationships when these types of events occur 

Link (1): https://www.teamviewer.com/en-us/resources/trust-center/statement/ 

 

GitLab Critical Update  

GitLab has released updates for both their Community and Enterprise Editions (16.7.2, 16.6.4, and 16.5.6) 

  • Fixes included: 
      • Account takeover via password reset without user interaction (Critical) 
      • Bypass of CODEOWNERS approval removal (High) 
      • Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user (High) 
      • Workspaces able to be created under a different root namespace (Medium) 
      • Commit signature validation ignores headers after the signature (Low) 
  • GitLab recommends that customers upgrade to the latest versions to resolve the issues listed above 

Link (1): https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ 

 

HubSpot investigates customer account hacks 

HubSpot is investigating an incident targeting its customers (fewer than 50 accounts were compromised); measures have been put in place to protect customer data 

  • This incident was discovered on June 22nd, and based on what I am reading about it, it appears to have been a password spray targeting HubSpot in which Threat Actors were able to gain access to fewer than 50 accounts 
  • With the limited information given, it is easy to make assumptions, but after Snowflake's situation these types of attacks are going to force vendors' hands to enforce measures such as MFA by default 

Link (1): https://economictimes.indiatimes.com/tech/technology/update-3-hubspot-investigating-customer-account-hacks/articleshow/111357063.cms?from=mdr 
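Since the HubSpot item comes down to "password spray, few accounts compromised", here is the detection logic a SOC would want for that pattern, written for this update and not drawn from HubSpot or any vendor. A spray shows up as one source failing against many different usernames in a short window (brute force is the opposite: many failures against one username), and the accounts that then log in successfully from that same source are the ones to reset. The log format and every IP and username below are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real HubSpot telemetry).
# One source (203.0.113.7) sprays four different users and then lands a login as "erin";
# a second source hammers a single user (brute force, not a spray); a third is background noise.
SAMPLE_LOG = """\
2024-06-22T03:14:05Z login_failed user=alice src=203.0.113.7
2024-06-22T03:14:09Z login_failed user=bob src=203.0.113.7
2024-06-22T03:14:14Z login_failed user=carol src=203.0.113.7
2024-06-22T03:14:20Z login_failed user=dave src=203.0.113.7
2024-06-22T03:14:26Z login_ok user=erin src=203.0.113.7
2024-06-22T03:15:01Z login_failed user=frank src=198.51.100.3
2024-06-22T03:15:03Z login_failed user=frank src=198.51.100.3
2024-06-22T03:15:05Z login_failed user=frank src=198.51.100.3
2024-06-22T03:15:08Z login_failed user=frank src=198.51.100.3
2024-06-22T04:30:00Z login_failed user=gina src=192.0.2.9
"""


def parse_line(line):
    """Split one constructed log line into timestamp, outcome, user and source IP."""
    ts_str, outcome, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": outcome,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_password_spray(log_text, window=timedelta(minutes=10), min_users=4):
    """Flag sources that fail against >= min_users distinct accounts inside a sliding window.

    Returns {src: {"users_tried": [...], "logins_after": [...]}} where logins_after lists
    accounts that authenticated successfully from the same source during that window,
    i.e. the accounts to treat as compromised and reset first.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["outcome"] == "login_failed" else successes)[e["src"]].append(e)

    alerts = {}
    for src, fails in failures.items():
        start = 0
        for end, cur in enumerate(fails):
            # Slide the window forward so fails[start:end+1] all fall within `window`.
            while cur["ts"] - fails[start]["ts"] > window:
                start += 1
            tried = {f["user"] for f in fails[start:end + 1]}
            if len(tried) >= min_users:
                window_start = fails[start]["ts"]
                logins = sorted({s["user"] for s in successes.get(src, [])
                                 if window_start <= s["ts"] <= window_start + window})
                alerts[src] = {"users_tried": sorted(tried), "logins_after": logins}
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: tried {info['users_tried']}, succeeded as {info['logins_after']}")
```

The thresholds (four distinct users in ten minutes) are deliberately low for the sample; in production you tune them against your own baseline, and the same walk over the data gives you the brute-force case by counting failures per user instead of users per source. Note that the 198.51.100.3 source is not flagged even with four failures, because they all target one account.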

 

Zero-day exploit found in Cisco Nexus switches during an incident response investigation 

A Chinese threat actor named Velvet Ant has been found exploiting a new zero-day 

  • CVE-2024-20399, a vulnerability affecting the Cisco NX-OS software used in Nexus-series switches 
  • A vulnerability in the CLI (command-line interface) of Cisco NX-OS could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying OS of an affected device 
  • This does require that the threat actor have Administrator credentials (how many times do system / network admins store their credentials in an Excel document?) 
  • This was added to the CISA KEV database yesterday (7/2/2024) with a due date of 7/23/2024 

Link (1): https://therecord.media/cisco-velvet-ant-hackers-china 

Link (2): https://nvd.nist.gov/vuln/detail/CVE-2024-20399 

 

14 million Linux systems threatened by ‘RegreSSHion’ vulnerability 

CVE-2024-6387 (a reintroduction of the 2006 vulnerability CVE-2006-5051) allows unauthenticated remote code execution in the OpenSSH server; it has been dubbed RegreSSHion and carries a CVSS score of 8.1 

  • This specifically affects glibc-based Linux systems running sshd in its default configuration, where successful exploitation could lead to full system compromise 
  • It is of note that the vulnerability is not trivial to exploit, but it is also not easy to fully remediate 
  • Working with one organization, I found that this vulnerability was being found on appliance-based systems, i.e., Pure Storage, Cisco UCS chassis, phone systems, etc. 
  • Please work with vendors to obtain the necessary patches 

Link (1): https://www.darkreading.com/cloud-security/regresshion-bug-threatens-takeover-of-millions-of-linux-systems  
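The "appliances you forgot run sshd" point above is the practical problem, so here is an added triage helper (written for this update, not from any vendor or scanner) that takes an inventory of SSH banners and sorts hosts into what needs attention. It goes beyond the text in encoding the affected upstream version ranges from the Qualys advisory for CVE-2024-6387: OpenSSH releases before 4.4 (the original CVE-2006-5051) and 8.5 up to but not including 9.8. Two caveats a practitioner needs are built in: a banner cannot tell you whether the host is glibc-based Linux, and a distro or appliance vendor may backport the fix without bumping the version, so a banner with a vendor suffix is routed to "check the vendor advisory" rather than called vulnerable. The hostnames, banners and vendor suffix are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected upstream OpenSSH ranges (Qualys advisory for CVE-2024-6387):
#   - releases before 4.4       (original CVE-2006-5051, unless the vendor backported a fix)
#   - releases 8.5 through 9.7  (the regression; 9.8 is the fix)
# Compared on (major, minor); the portable "pN" suffix does not change the range.
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(\S.*))?")


def parse_banner(banner: str) -> Optional[Tuple[Tuple[int, int], str]]:
    """Return ((major, minor), vendor_suffix) for an OpenSSH banner, else None."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)))
    return version, (m.group(4) or "").strip()


def in_affected_range(version: Tuple[int, int]) -> bool:
    return version < (4, 4) or (8, 5) <= version < (9, 8)


def assess(banner: str) -> str:
    """Classify one banner; the verdict is a triage bucket, not proof of exploitability."""
    parsed = parse_banner(banner)
    if parsed is None:
        # Not OpenSSH, or the vendor hides the version: appliances often rebrand sshd,
        # which is exactly why these hosts need a vendor conversation rather than a scanner verdict.
        return "unknown"
    version, suffix = parsed
    if not in_affected_range(version):
        return "not-affected"
    if suffix:
        # Distro/vendor build: the fix may be backported without a version change.
        return "review-vendor-advisory"
    return "likely-affected"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by verdict so the 'likely-affected' list can be patched first."""
    buckets: Dict[str, List[str]] = {}
    for host, banner in inventory.items():
        buckets.setdefault(assess(banner), []).append(host)
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed inventory: hostnames, banners and the "ExampleVendor" suffix are made up.
INVENTORY = {
    "web-01": "SSH-2.0-OpenSSH_9.6",
    "bastion": "SSH-2.0-OpenSSH_9.8p1",
    "storage-array": "SSH-2.0-OpenSSH_8.7p1 ExampleVendor-5",
    "ucs-mgmt": "SSH-2.0-OpenSSH_7.4",
    "phone-pbx": "SSH-2.0-VendorSSH_2.0",
}

if __name__ == "__main__":
    for verdict, hosts in triage(INVENTORY).items():
        print(f"{verdict}: {', '.join(hosts)}")
```

The banners would normally come from your own asset inventory or an authorized scan of your environment; the point of the buckets is that the "unknown" and "review-vendor-advisory" hosts are the appliances the text describes, and they get resolved by asking the vendor, not by trusting the version string.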

 

Critical patch issued for Juniper routers 

CVE-2024-2973 (CVSS score of 10): an authentication bypass using an alternate path or channel in the Session Smart Router or Conductor, when running with a redundant peer, allows a network-based attacker to bypass authentication and take full control of the device 

  • For Mist Managed WAN Assurance routers this has been patched automatically through the Mist Cloud 
  • Due to the severity, if you are not under some type of managed platform like Mist Cloud, test and apply the patches 

Link (1): https://thehackernews.com/2024/07/juniper-networks-releases-critical.html  

 

Millions, not thousands, impacted by Prudential breach 

In Feb 2024, Prudential submitted an 8-K filing to the SEC to disclose a breach in which an attacker accessed administrative/user data and employee/contractor accounts 

  • Prudential originally revealed that it had notified over 36k people whose information (name, DL#, and non-DL card numbers) was stolen during the breach 
  • It has since been changed to state that over 2.5 million people had their personal information compromised during the incident 
  • ALPHV claimed the incident on Feb 13th, then pulled its exit strategy once Prudential paid the ransom ($22 million) and stiffed the affiliate that gave them access into the environment (again, those honorable bad guys) 
  • One other thing to note: in May 2023, the PII of over 320k Prudential customers was exposed during the Cl0p MOVEit attack 

Link (1): https://www.bleepingcomputer.com/news/security/prudential-financial-now-says-25-million-impacted-by-data-breach/  

 

Patelco Credit Union cyberattack disrupts services for nearly 500,000 members 

Patelco, noted as one of the oldest and largest credit unions in the US, fell victim to a ransomware attack on June 29th, forcing it to shut down most of its day-to-day banking systems 

  • This has affected nearly 500k members across the Bay Area and Northern California 
  • Debit and credit card transactions are functioning in a limited capacity, while ATM cash withdrawals and deposits remain available 

Link (1): https://thecyberexpress.com/patelco-credit-union-hit-by-ransomware-attack/  

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business.  With over 20 years of experience in the IT industry, Brent has been a part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.  We provide trusted cybersecurity services in Fort Worth, TX, and the DFW Metroplex. 


