Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Earlier this year, Duolingo left an API exposed, which led to 2.6 million user records being scraped. The scraped data has since been posted to a hacking forum, and is known to include real names, usernames, and other non-public information such as email addresses.
The inclusion of email addresses in this breach is concerning, because it leaves users susceptible to targeted phishing attacks using information from their profile.
This data was scraped from the exposed API back in January but reports from Bleeping Computer state that this API is still “openly available to anyone on the web”. Questions have been asked as to why this has not been locked down yet, but Duolingo has remained quiet.
The personal details of more than 75,000 Tesla employees were exposed earlier this year, and the company has labelled the incident as an “insider wrongdoing”. A German newspaper shared news of this breach with Tesla after obtaining the stolen data from two former Tesla employees. The newspaper, Handelsblatt, had no intention of publicly releasing this data, and instead elected to disclose the news to Tesla in private.
An investigation has since been launched and the two former employees have had lawsuits filed against them.
The breach data was reported to include the names, addresses, phone numbers and email addresses of both current and former employees. More details on this incident can be found here.
The release of Google Chrome version 117 will include a new feature known as “Safety Check”. Safety Check has a few capabilities that are designed to protect you against potentially malicious browser extensions. In Chrome 117 the feature will notify users if an extension has been removed for a policy violation or unpublished by its developer; the third, and most important, capability will notify the user of any extensions that have been flagged as potential malware. In addition to these notifications, users will now have a dedicated section in their “Privacy and Security” settings that makes it easy to remove any extensions that are harmful.
Akira ransomware has been found targeting Cisco VPN products as a new method of infiltrating networks, then stealing and encrypting data. The ransomware operation launched in March 2023 and later added a Linux encryptor to target VMware ESXi virtual machines. Sophos first identified abuse of VPN accounts in May, when researchers observed "VPN access using Single Factor authentication”. Researchers were unable to determine whether Akira brute-forced the VPN account credentials or whether they were gathered elsewhere, such as from a phishing campaign or purchased online. SentinelOne also researched the attacks and shared information indicating that Akira could be exploiting an unknown vulnerability that bypasses authentication entirely. Cisco recommends that all customers enable MFA for their VPN accounts in order to provide the best protection possible.
The latest statement from CloudNordic has advised all of their customers that a recent ransomware attack has "paralyzed CloudNordic completely.” The attack happened on the 18th of August, when the attacker shut down all of CloudNordic's systems, wiping both customer and company websites and email systems. CloudNordic has stated that they “cannot and do not want to meet the financial demands of the criminal hackers for ransom” and that “unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us." CloudNordic has stated it is ready to start bringing customer web and email servers back online, but data previously stored with them will be lost.
A high severity flaw tracked as CVE-2023-32315 allows path traversal in Openfire’s administrative console, letting an unauthenticated attacker access restricted pages meant for privileged users. The flaw affects all software versions released since April 2015 and was patched in May with the release of versions 4.6.8, 4.7.5, and 4.8.0. "Path traversal protections were already in place to protect against exactly this kind of attack, but didn't defend against certain non-standard URL encoding for UTF-16 characters […] the path traversal protections in place in Openfire were not updated to include protection against this new encoding” reported the Openfire XMPP developers. This vulnerability is already known to be exploited in the wild, and Shodan data shows that, of the more than 6,300 Openfire servers it indexes, up to 50% remain unpatched and vulnerable to this flaw. Users are advised to update to the latest patch immediately to avoid a possible attack.
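As an added illustration of the filter-bypass class the developers describe (this is not Openfire's code), the Python below places a naive traversal check that only understands standard %XX encoding beside a hardened one that also decodes the non-standard %uXXXX UTF-16 escape, which is assumed here to be the kind of encoding referred to, before resolving the path against the console root.

```python
import posixpath
import re
from urllib.parse import unquote

# Non-standard %uXXXX escape (UTF-16 code unit), assumed to be the encoding
# family the Openfire developers describe; urllib.parse.unquote ignores it.
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Decode %uXXXX and %XX escapes repeatedly until the path stops changing,
    so double-encoded input is also reduced to its final form."""
    s = raw
    for _ in range(max_rounds):
        decoded = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
        decoded = unquote(decoded)
        if decoded == s:
            break
        s = decoded
    return s


def naive_is_safe(raw: str) -> bool:
    """Filter that only decodes standard percent-encoding: the shape of
    check that an alternate encoding slips past."""
    return ".." not in unquote(raw)


def resolves_inside_root(raw: str, root: str = "/admin") -> bool:
    """Hardened check: fully decode, reject control/backslash characters,
    then normalise and require the result to stay under `root`."""
    decoded = decode_path(raw)
    if "\\" in decoded or "\x00" in decoded:
        return False
    normalised = posixpath.normpath(decoded)
    return normalised == root or normalised.startswith(root + "/")


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for path in ("/admin/users.jsp", "/admin/%2e%2e/x", "/admin/%u002e%u002e/x"):
        print(path, naive_is_safe(path), resolves_inside_root(path))
```

The naive filter accepts the %u-encoded request while the hardened check rejects it, which is the gap the quoted statement describes.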
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #248 – 25th August 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.