Sharp rise in Hacktivist activity as Israeli/Hamas conflict escalates
MOVEit Vulnerability forces Flagstar Bank to issue data breach warning to over 800 thousand of its customers
Air Europa advises customers to cancel credit card payments following cyber attack
Patch Tuesday fixes numerous zero days and actively exploited vulnerabilities
Curl 8.4.0 released early after high severity issue discovered
According to reports at least 15 ransomware collectives, including Anonymous Sudan and Killnet, have actively engaged in cyber-attacks targeting Israeli and Palestinian institutions and their backers. Killnet confirmed its focus on Israel via its Telegram channel, while several Indian groups have also declared similar objectives. One such group even claimed a successful cyber-attack on the Palestinian government website, according to their own Twitter post.
Anonymous Sudan initiated attacks against Israel shortly after the first rockets were launched by Hamas during the groups attack on Saturday. The group claimed to have disabled emergency warning systems in Israel. Additionally, The Jerusalem Post, Israel's largest English-language daily, was targeted by the same group.
Moreover, the Israel Independent System Operator's network was reportedly compromised, leading to the shutdown of its website. This attack was orchestrated by a group that also aimed at the Israel Electric Corporation. On the other hand, ThreatSec, a pro-Israel group, claimed to have compromised the infrastructure of Gaza-based Internet Service Provider AlfaNet.
Flagstar Bank, an American based commercial bank issued a warning to 837,390 of its U.S. customers about a data breach affecting their personal information.
In an official notification, Flagstar Bank detailed that the MOVEit vulnerability did not compromise any of their own systems nor affect their customer service capabilities but cyber criminals were able to access files transferred via MOVEit, which contained personal customer data from Flagstar and its associated institutions.
A cyber security firm based in Los Angeles, revealed that while the compromised data hasn't yet appeared on the Dark Web, it has been offered for sale in private underground forums.
This is not Flagstar Bank’s first cyber security incident. In June 2022, they disclosed a breach affecting around 1.5 million individuals, details of which were not made public. Another attack occurred in March 2021, perpetrated by the Clop ransomware gang, impacted nearly the same number of customers.
Air Europa, a Spanish airline based in Mallorca, has advised customers to cancel their credit cards following a cyberattack on its online payment system.
The company did not disclose the number of customers affected or the timing of the attack. In a statement, Air Europa assured that there's "no evidence that the breach was ultimately used to commit fraud," offering no details on the nature or source of the attack. The airline is emailing affected customers and financial institutions, urging the cancellation and replacement of any bank cards used on its website to mitigate potential fraud.
This is not the first cyber security lapse for Air Europa; the airline was fined in 2021 for mishandling a 2018 data breach that impacted 489,000 customers.
The company reported that breach 41 days after it occurred, violating the EU's GDPR regulation that mandates reporting within 72 hours. This comes amid heightened scrutiny of airlines' cybersecurity, exemplified by British Airways' reduced £20 million ($24.5 million) fine in 2018 for a similar breach involving payment data.
In Microsoft's October 2023 Patch Tuesday, the tech giant rolled out security updates for a total of 104 vulnerabilities, including three zero-day flaws that have been actively exploited. The vulnerabilities addressed include 45 Remote Code Execution (RCE) bugs, 26 Elevation of Privilege vulnerabilities, and 17 Denial of Service issues, among others. Only 12 of these were categorized as 'Critical,' all being RCE vulnerabilities.
The three actively exploited zero-day flaws are:
This Patch Tuesday also addressed a Chromium vulnerability, CVE-2023-5346, already fixed by Google earlier in the month. Apple meanwhile released fixes for two zero day vulnerabilities earlier in the month.
Microsoft revealed that two of the zero-days were publicly disclosed, underscoring the urgency for users to update their systems.
The Curl development team disclosed a high-severity vulnerability, CVE-2023-38545, affecting versions 7.69.0 to 8.3.0 of the Curl library.
This Heap-based Buffer Overflow flaw occurs when utilising a SOCKS5 proxy with remote hostnames exceeding 255 bytes. To exploit this, an attacker would need a victim to connect through a malicious SOCKS5 proxy and then redirect them to a URL with a lengthy hostname to trigger the overflow. Successful exploitation could result in remote code execution.
To mitigate the vulnerability, users should upgrade to Curl version 8.4.0 or apply available patches. The vulnerability is not easily exploitable, as clarified by Curl's author Daniel Stenberg, because it requires specific conditions like delaying the proxy handshake and a "double presence" of malicious elements for a successful attack.
A second, lower-severity flaw, CVE-2023-38546, also affects the Curl library. It could potentially allow an attacker to inject arbitrary cookies into an application using affected versions. However, the exploit demands specific conditions and is considered less likely to be utilized for an attack.
These vulnerabilities highlight the need for timely security updates, especially for libraries like Curl that are fundamental to many applications. Anyone using impacted versions should immediately apply patches or upgrade to avoid potential risks.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Integrity360's flagship conference Security First comes to Stockholm in 2023!
Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.