By the CyberWire staff
At a glance.
- CISA observed no significant malicious activity impacting the US election.
- Suspected Snowflake hacker arrested in Canada.
- Attackers exploit Palo Alto Expedition vulnerability.
- Canada to shut down TikTok's business operations, but won't block app.
- City of Columbus, Ohio says data breach affected at least 500,000 people.
- Okta vulnerability affects accounts with long usernames.
- Cisco patches critical flaw in Industrial Wireless software.
- Oilfield supplier hit by ransomware.
- SteelFox malware spreads via trojanized software cracks.
- Google's large language model discovers SQLite vulnerability.
CISA observed no significant malicious activity impacting the US election.
US Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly said Tuesday evening that the agency has "seen no evidence of malicious activity impacting the security or integrity of election infrastructure," the Record reports. Easterly stated in a press call, "While at the national level we saw some minor disruptive activity throughout the day, that activity was largely expected and planned for."
The FBI issued a statement on a series of bomb threat hoaxes against polling centers, noting that many of the threats were sent from Russian email addresses. Easterly pointed out that this doesn't necessarily mean the threats originated from Russia, and the federal government hasn't made any official attributions.
Easterly added that Americans should be prepared "for continued attempts by our foreign adversaries to use false narratives and disinformation to undermine American confidence and the legitimacy of election."
Retired Gen. Paul Nakasone, former NSA director and commander of US Cyber Command, told the Record that the intelligence community has made significant progress in sharing information about influence operations, stating, "What's different this year is the fact that we're hearing so much about so many adversaries at different times. I see this as success. This is exactly what we want to be doing. [In 2016] we knew all this information and didn't share it. [Now] when we see it, we say something about it."
Suspected Snowflake hacker arrested in Canada.
Canada's Department of Justice has arrested a Canadian man at the request of the US for his alleged involvement in a wave of attacks targeting Snowflake cloud storage accounts earlier this year, BleepingComputer reports. Ian McLeod, a spokesperson for Canada's Department of Justice, told BleepingComputer, "Following a request by the United States, Alexander Moucka (a.k.a. Connor Moucka) was arrested on a provisional arrest warrant on Wednesday October 30, 2024. He appeared in court later that afternoon and his case was adjourned to Tuesday November 5, 2024. As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case."
The data theft extortion campaign breached approximately 165 organizations, affecting hundreds of millions of people. Researchers at Mandiant said the financially motivated threat actor "UNC5537" used stolen credentials to hack into Snowflake accounts that lacked multifactor authentication.
Attackers exploit Palo Alto Expedition vulnerability.
The US Cybersecurity and Infrastructure Security Agency (CISA) warns that a critical vulnerability (CVE-2024-5910) affecting Palo Alto Networks’ Expedition tool is being exploited in attacks. Palo Alto issued a patch for the flaw in July. CISA hasn't shared details on the exploitation, but BleepingComputer notes that a Horizon3.ai researcher released a proof-of-concept exploit for the vulnerability last month.
CVE-2024-5910 is a missing authentication vulnerability that can allow "an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data." The flaw was assigned a CVSS score of 9.3.
Canada to shut down TikTok's business operations, but won't block app.
The Canadian government has ordered TikTok parent ByteDance to shut down TikTok's business operations in Canada, citing national security concerns, CBC reports. The company will be required to shutter its offices in Toronto and Vancouver, but Canadians can still access and use the TikTok app. Canada's Innovation Minister François-Philippe Champagne told CBC, "We came to the conclusion that these activities that were conducted in Canada by TikTok and their offices would be injurious to national security."
A TikTok spokesperson told TechCrunch the company plans to challenge the order in court.
City of Columbus, Ohio says data breach affected at least 500,000 people.
The City of Columbus, Ohio, has disclosed that data belonging to approximately 500,000 people was stolen by a "foreign cyber threat actor" during a thwarted ransomware attack in July 2024, TechCrunch reports. The city said in a notification to affected individuals that the breached data includes "first and last name, date of birth, address, bank account information, driver’s license(s), Social Security number, and other identifying information concerning you and/or your interactions with the City." The city adds that the information has apparently been posted on the dark web.
TechCrunch notes that the Rhysida ransomware gang has uploaded 3.1 terabytes of data it claims to have stolen from Columbus.
Okta vulnerability affects accounts with long usernames.
Okta has disclosed an authentication bypass vulnerability affecting accounts with usernames that are 52 characters or longer, the Register reports. When certain conditions were met, an attacker could log into one of these accounts without a password. The company issued a patch for the flaw on October 30th.
The vulnerability could be exploited if the following conditions were met:
- "Okta AD/LDAP delegated authentication is used
- "MFA is not applied
- "The username is 52 characters or longer
- "The user previously authenticated creating a cache of the authentication
- "The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic
- "The authentication occurred between July 23rd, 2024 and October 30th, 2024"
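As an added illustration (not from the original article or from Okta), the toy below shows why a credential cache key must bind every field: the weak scheme hashes one concatenated string of which only the first 72 bytes count, so a 52-character username plus a 20-character user id fills that window and the password no longer influences the key; the fixed scheme length-prefixes each field and pre-hashes the password so no field can displace another. The 72-byte limit, the 20-character id and both key schemes are assumptions of this example, not details taken from the article.

```python
import hashlib
import hmac

# Assumption for this toy: the weak scheme only hashes the first 72 bytes of the
# concatenated input, modelling a hash that silently truncates long inputs.
TRUNCATE_AT = 72
SECRET = b"constructed-demo-secret"  # constructed; a real deployment would use a managed key


def weak_cache_key(user_id: str, username: str, password: str) -> str:
    """Weak: one concatenated string, bytes past TRUNCATE_AT are ignored."""
    combined = (user_id + username + password).encode()
    return hashlib.sha256(combined[:TRUNCATE_AT]).hexdigest()


def strong_cache_key(user_id: str, username: str, password: str) -> str:
    """Fixed: each field is length-prefixed and the password is pre-hashed,
    so every field is bound regardless of how long the username is."""
    pw_digest = hashlib.sha256(password.encode()).digest()
    fields = (user_id.encode(), username.encode(), pw_digest)
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(SECRET, msg, "sha256").hexdigest()


def password_is_bound(keyfunc, user_id: str, username: str) -> bool:
    """True if a different password yields a different cache key (the property a
    credential cache must have; False means any password would hit the cache)."""
    k1 = keyfunc(user_id, username, "correct-password")
    k2 = keyfunc(user_id, username, "wrong-password")
    return k1 != k2


if __name__ == "__main__":
    user_id = "u" * 20          # constructed 20-character user id
    short_name = "alice"
    long_name = "a" * 52        # the 52-character threshold from the advisory
    for name in (short_name, long_name):
        print(len(name), "weak:", password_is_bound(weak_cache_key, user_id, name),
              "strong:", password_is_bound(strong_cache_key, user_id, name))
```

With the short username both schemes bind the password; with the 52-character username only the fixed scheme does.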
Cisco patches critical flaw in Industrial Wireless software.
Cisco has issued a patch for a critical remote code execution vulnerability (CVE-2024-20418) affecting its Unified Industrial Wireless software that can "allow an unauthenticated, remote attacker to perform command injection attacks with root privileges on the underlying operating system," SecurityWeek reports. The flaw was assigned a CVSS score of 10.
Cisco states, "This vulnerability is due to improper validation of input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system."
The Register notes that the flaw is particularly serious because these devices are often used in industrial environments at critical infrastructure organizations.
Oilfield supplier hit by ransomware.
Texas-based oilfield supplier Newpark Resources has disclosed an October 29th ransomware attack that disrupted its IT services, the Record reports. The company said its "manufacturing and field operations have continued in all material respects utilizing established downtime procedures."
Newpark stated in an SEC filing that the incident "has caused disruptions and limitation of access to certain of the Company’s information systems and business applications supporting aspects of the Company’s operations and corporate functions, including financial and operating reporting systems." The company added that it believes "this incident is not reasonably likely to materially impact the Company's financial conditions or results of operations."
SteelFox malware spreads via trojanized software cracks.
Kaspersky has published a report on a new crimeware bundle dubbed "SteelFox" that's spreading via trojanized cracks for popular software applications like Foxit PDF Editor, JetBrains, and AutoCAD. Once installed, it attempts to steal financial data and drops a cryptocurrency miner.
The researchers note, "For this particular campaign, no attribution can be given. Posts with links to activators were either made by compromised accounts or by inexperienced users who were not aware of the threats they were spreading. This campaign was highly active on the Chinese platform Baidu and Russian torrent trackers."
Google's large language model discovers SQLite vulnerability.
Researchers at Google's Project Zero have disclosed that their vulnerability research AI agent (dubbed "Big Sleep") discovered an exploitable stack buffer underflow vulnerability affecting SQLite. The researchers note, "We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software." They add that SQLite's existing testing infrastructure did not flag the issue. The researchers reported the flaw to SQLite's developers, and a patch was issued last month.
Crime and punishment.
An Interpol operation dubbed "Operation Synergia II" has seized 22,000 IP addresses linked to phishing, ransomware, and information stealers. The operation was supported by law enforcement in 95 countries and security firms Group-IB, Trend Micro, Kaspersky, and Team Cymru. The effort resulted in the arrests of 41 individuals, with 65 others still under investigation. Police also seized 43 electronic devices and 80GB of server data tied to malware operations.
The US Justice Department has indicted a Virginia company and two of its executives for allegedly violating export restrictions by transferring millions of dollars worth of sensitive American technology to Russia. The company, Eleview International, is an e-commerce service that allowed Russian customers to purchase items from US retailers. The Justice Department stated, "After the Department of Commerce imposed stricter export controls in response to Russia’s further invasion of Ukraine in February 2022, the defendants began shipping items to purported end users in Turkey, Finland, and Kazakhstan, knowing that the items were ultimately destined for end users in Russia. To facilitate these illegal exports, the defendants made numerous false statements to the Department of Commerce and other freight forwarders about the end users and ultimate consignees of the items in these shipments."
Policies, procurements, and agency equities.
The US Transportation Security Administration (TSA) is seeking public feedback on a proposed cybersecurity rule that would require certain pipeline, freight railroad, passenger railroad, and rail transit operators to establish comprehensive cyber risk management programs, Industrial Cyber reports.
TSA Administrator David Pekoske said in a statement, "TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure. The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation."