Flair Data Systems Cybersecurity News Update 7-10-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 7/10/2024... 

Happy Wednesday! 

 

A quick update from last week: the data exfiltration in the Evolve Bank incident has been confirmed to affect 7.6 million customers. Outside of the normal activities, it was nice to have a slower-than-normal weekend due to the 4th of July holiday, but getting back into the swing of things has been nice as well. 

 

Please take special note of Microsoft Patch Tuesday this month; there are some severe vulnerabilities being patched. 


So, with that, let’s dive into this week’s cybersecurity news update... 



China’s Velvet Ant hackers exploiting new Cisco zero-day 

 

CVE-2024-20399: a vulnerability affecting the Cisco NX-OS software in Nexus-series switches (which was discussed last week) 

  • Velvet Ant, a state-backed threat group from China, has been observed using this vulnerability, with a focus on establishing long-term access 
  • The vulnerability was discovered during an IR (Incident Response) engagement in which Velvet Ant was the threat actor 
  • The threat actor must already have gained access to the environment in order to exploit the vulnerability 

Link (1): https://therecord.media/cisco-velvet-ant-hackers-china 

 

Europol law enforcement takes down Cobalt Strike servers 

 

Operation Morpheus was a Europol-coordinated joint operation that led to the takedown of almost 600 Cobalt Strike servers 

  • These servers were being used by criminals to attack infrastructure 
  • Over 690 IP addresses were flagged to service providers across 27 countries, and 593 were taken down over the course of a week 

Link (1): https://www.bleepingcomputer.com/news/security/europol-takes-down-593-cobalt-strike-servers-used-by-cybercriminals/ 

 

Twilio SMS MFA list compromised  

 

Twilio has confirmed that an unsecured API allowed threat actors to verify the phone numbers of millions of Authy MFA users 

  • The concern here is that this could make these users vulnerable to SMS phishing and SIM-swapping attacks 
  • The data was released by the threat actor ShinyHunters as a CSV containing 33 million phone numbers registered with Authy services 
  • The unsecured API has since been secured 
  • This is similar to how threat actors abused unsecured Twitter and Facebook APIs in the past 

Link (1): https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/ 
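The risk in the Twilio item is an endpoint whose reply differs depending on whether a phone number is enrolled, which turns the endpoint into an oracle for confirming a list of numbers one request at a time. The Python below is an added example, not Twilio's or Authy's code and not based on details of their API; the handler names, enrollment table and API keys are all constructed. It contrasts a lookup that leaks enrollment status with one that authenticates the caller, rate-limits per caller, and returns the same reply whether or not the number is enrolled.

```python
"""Phone-number enumeration oracle vs. hardened lookup (constructed example).

Models a lookup endpoint that takes a phone number and triggers an SMS-MFA
action for it. The vulnerable handler answers differently for enrolled and
unenrolled numbers, so an unauthenticated caller can confirm which numbers
are on the list. The hardened handler requires an API key, rate-limits each
caller, and gives the same answer either way. All names and data here are
constructed for illustration and are not any vendor's real API.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed enrollment table: phone number -> opaque account id.
ENROLLED: Dict[str, str] = {
    "+15550100001": "acct-a1",
    "+15550100002": "acct-a2",
}

# Constructed API keys that legitimate integrations would present.
VALID_API_KEYS = {"key-for-integration-1"}

# Where a real service would enqueue the outbound SMS; visible only server-side.
OUTBOUND_QUEUE: List[Tuple[str, str]] = []

Response = Tuple[int, dict]


def vulnerable_lookup(phone: str) -> Response:
    """Unauthenticated lookup that leaks enrollment status through both the
    status code and the body. The two distinct replies are the oracle."""
    if phone in ENROLLED:
        return 200, {"enrolled": True, "account": ENROLLED[phone]}
    return 404, {"enrolled": False}


class SlidingWindowLimiter:
    """Allows at most `limit` requests per `window_seconds` for each caller."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, caller: str, now: float) -> bool:
        hits = self._hits[caller]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


LIMITER = SlidingWindowLimiter(limit=5, window_seconds=60.0)


def hardened_lookup(phone: str, api_key: str, caller: str, now: float) -> Response:
    """Same operation with three changes: the caller must authenticate, each
    caller is rate-limited, and the reply is identical whether or not the
    number is enrolled. The enrollment check still happens, but its outcome
    only affects server-side work that the caller cannot observe."""
    if api_key not in VALID_API_KEYS:
        return 401, {"error": "unauthorized"}
    if not LIMITER.allow(caller, now):
        return 429, {"error": "rate limited"}
    # Input validation is the only branch that may change the reply, and it
    # depends on the format of the input, not on the enrollment table.
    if not phone.startswith("+") or not phone[1:].isdigit():
        return 400, {"error": "invalid phone format"}
    if phone in ENROLLED:
        OUTBOUND_QUEUE.append(("send_code", ENROLLED[phone]))
    return 202, {"status": "accepted"}


if __name__ == "__main__":
    probe = ["+15550100001", "+15550100009"]
    print("vulnerable:", [vulnerable_lookup(p) for p in probe])
    print("hardened:  ", [hardened_lookup(p, "key-for-integration-1", "demo", float(i))
                          for i, p in enumerate(probe)])
```

The hardened version removes the oracle at the API layer only; if the SMS itself is the observable (a code arrives for enrolled numbers and nothing for others), that channel is much slower and noisier for an attacker than a web request, which is why the rate limit and authentication matter as much as the constant reply.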

 

Australian man charged with running fake Wi-Fi on an airline flight 

 

A 42-year-old Australian man (unnamed) has been charged with running a fake Wi-Fi access point during a domestic flight with the goal of stealing user credentials and data 

  • The suspicious wireless network was discovered by employees of an airline during a domestic flight 
  • This is not the first time this has happened; I have heard talks from threat researchers who stand up a Wi-Fi Pineapple device on a flight or at an airport, which lets devices that have previously saved open Wi-Fi networks automatically connect to it 
  • Consider turning off your wireless when you are not at home or in a trusted area. For iPhones, there are built-in mechanisms that will automatically disable wireless when you leave your home and turn it back on when you return 

Link (1): https://thehackernews.com/2024/07/australian-man-charged-for-fake-wi-fi.html 

 

Alabama Department of Education suffers data breach 

 

On June 17th, the Alabama State Department of Education announced that it stopped a ransomware attack; however, the threat actors were still able to exfiltrate data they had accessed and to disrupt some services before being stopped 

  • The type and amount of data is still being investigated 
  • This validates that just because you "stopped" the ransoming of your environment does not mean you stopped the exfiltration of your data, because the exfiltration has already occurred before the ransom happens 

Link (1): https://securityaffairs.com/165389/uncategorized/alabama-state-department-of-education-data-breach.html 

 

Microsoft Patch Tuesday - July 

 

CVE-2024-37985: Information disclosure vulnerability with a low CVSS temporal score of 5.2. Although publicly disclosed, exploitation has not been detected in the wild. Microsoft also gives this an "Exploitation Less Likely" rating. 

  • CVE-2024-38080: This update has a slightly higher CVSS temporal score of 6.8. An attacker who successfully exploits it could gain SYSTEM privileges. It is not publicly disclosed, but exploitation has been detected in the wild 
  • CVE-2024-38112: A spoofing vulnerability that has a score of 7.0. This CVE is also not public but is being exploited. It does require user interaction, as Microsoft says successful exploitation would require an attacker to trick a user into executing a malicious file. 
  • CVE-2024-35264: This zero-day is a remote code execution vulnerability scored 7.1. It has been publicly disclosed, but exploitation has not yet been detected. The attack complexity is high. 
  • Microsoft SharePoint Server 2019 has had alleged RCE proofs of concept posted on the dark web for the following CVEs: 
      • CVE-2024-38094 
      • CVE-2024-38024 
      • CVE-2024-38023 


Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been a part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 



About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity. We provide trusted cybersecurity services in Fort Worth, TX and the DFW Metroplex. 

