
Breach Roundup: VMware Addresses Critical Vulnerabilities

Also: Capita Reports 106.6-Million-Pound Loss Following Ransomware Attack

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, VMware handled critical vulnerabilities, Capita reported losses, the NSA pushed for zero trust, malware exploited aNotepad, a Taiwanese telecom was breached, the Swiss government dealt with ransomware attack fallout, fake meetings spread malware, Amex was breached and PetSmart was hacked.


VMware Addresses Critical Vulnerabilities

VMware issued urgent security updates to tackle critical sandbox escape vulnerabilities that can enable attackers to break out of virtual machines and gain unauthorized access to the host operating system. The flaws affect the ESXi, Workstation, Fusion and Cloud Foundation products.

All the flaws - CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255 - carry a critical severity rating and could lead to unauthorized access to the host system or compromise the isolation between virtual machines.

A temporary workaround is removing USB controllers from virtual machines. VMware has also released security fixes for older ESXi versions due to the severity of the vulnerabilities.

Capita Reports 106.6-Million-Pound Loss After Ransomware Attack

British outsourcing company Capita disclosed losses of 106.6 million pounds - $135.6 million - over the past year and said roughly one-quarter of that amount is attributed directly to a March ransomware attack claimed by the Black Basta group. The company initially estimated the incident would cost up to 20 million pounds, but it revised that figure to 25.3 million pounds - $32.2 million.

The company attributed the remaining losses to other significant costs, including business exits and impairment of goodwill. In response to the setback, Capita's chief executive unveiled cost-cutting initiatives to mitigate the impact.

NSA Pushes for Zero Trust Framework

In new guidance, the U.S. National Security Agency pushed for the adoption of a zero trust security framework to bolster organizational defenses against cyberthreats. By implementing data flow mapping, macro- and microsegmentation, and software-defined networking, organizations can incrementally enhance their zero trust maturity, the agency said. Data flow mapping involves identifying data storage and processing points. Segmentation limits lateral movement by compartmentalizing network access. Through microsegmentation, user access is finely restricted. And SDN provides centralized control and enhanced visibility.

The NSA underscored the importance of gradually advancing through maturity levels to establish a robust zero trust architecture capable of preempting, detecting and responding to potential threats effectively.

Malware Exploits aNotepad

Newly discovered malware dubbed "WogRAT" by researchers at AhnLab Security Intelligence Center targets Windows and Linux operating systems while using the online notepad platform aNotepad as a covert communication channel. Researchers traced the malware's activities to late 2022 and found that it was primarily active in Asian countries, including Japan, Singapore, China and Hong Kong. The malware's distribution methods remain unclear, but its disguised executables mimic popular software titles, hinting at malvertising tactics.

The malware's Windows version is staged as a base64-encoded .NET binary hosted on aNotepad, which lets it slip past initial security checks. Once executed, it downloads additional malicious components, establishing a backdoor for remote control. The Linux variant, distributed as an ELF file, is built on Tiny SHell, which also encrypts its communications.
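A defender reading the WogRAT description will want a way to spot executables hidden as base64 text on paste or notepad services. The following is an added example, not code from the article or from AhnLab: it scans a block of text for long base64 runs, decodes each one, and reports any that decode to a PE image, flagging those carrying the "BSJB" CLR metadata signature or an `mscoree.dll` import string as likely .NET assemblies. The sample "paste" and the minimal PE-shaped blob it contains are constructed here for the demonstration and are not a real executable.

```python
import base64
import binascii
import re
import struct

# Constructed stand-in for a .NET PE file: "MZ" header, e_lfanew at offset 0x3C
# pointing at a "PE\0\0" signature, the "BSJB" CLR metadata magic and an
# "mscoree.dll" import string. It is NOT a runnable binary; it only exercises
# the header checks below.
def build_fake_dotnet_pe() -> bytes:
    header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)            # e_lfanew = 0x40
    body = (b"PE\x00\x00" + b"\x00" * 64 + b"BSJB" + b"\x00" * 32
            + b"mscoree.dll\x00")
    return bytes(header) + body

# Constructed sample paste: one harmless base64 run and one that hides the blob.
SAMPLE_PASTE = (
    "my notes\n"
    + base64.b64encode(b"hello world" * 10).decode() + "\n"
    + "installer blob below\n"
    + base64.b64encode(build_fake_dotnet_pe()).decode() + "\n"
)

# Runs of at least 64 base64 characters, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def looks_like_dotnet(data: bytes) -> bool:
    """Cheap .NET heuristic: CLR metadata magic or the CLR loader import."""
    return b"BSJB" in data or b"mscoree.dll" in data

def find_embedded_binaries(text: str) -> list:
    """Return (text_offset, decoded_length, is_dotnet) for each base64 run
    that decodes to a PE image. Runs that are not valid base64 are skipped."""
    hits = []
    for m in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(blob):
            hits.append((m.start(), len(blob), looks_like_dotnet(blob)))
    return hits

if __name__ == "__main__":
    for offset, size, dotnet in find_embedded_binaries(SAMPLE_PASTE):
        kind = ".NET" if dotnet else "native"
        print(f"embedded {kind} PE at text offset {offset}, {size} bytes")
```

The header check is deliberately strict (a real `e_lfanew` must land on `PE\0\0`), so ordinary base64 payloads such as certificates or images are not reported; the .NET heuristic is only a hint and a flagged blob should still be handed to a proper PE parser or sandbox.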

Taiwanese Telecom Giant Breached

China-linked hackers pilfered 1.7 terabytes of data from Taiwan's largest telecom company, Chunghwa Telecom, and have since offered it for sale on the dark web. The Taiwanese defense ministry confirmed the breach to news agency AFP on Friday. Compromised information includes sensitive data from various government sectors. While no confidential information was reportedly leaked, Taiwanese officials said enhanced security measures are needed.

Play Ransomware Leaked 65,000 Swiss Documents

The Swiss National Cyber Security Center on Thursday said hackers from the Play ransomware operation posted onto the dark web about 65,000 records containing information relevant to the national government. The records, part of a larger set of 1.3 million records, came from a May 2023 hack on Swiss IT services provider Xplain. Around 5,100 records pertaining to the Swiss government contain sensitive content such as "personal data, technical information, classified information and passwords."

Fake Online Meetings Used to Spread Malware

Threat actors are orchestrating fake Skype, Google Meet and Zoom meetings to spread commodity malware, researchers at Zscaler's ThreatLabz said. The campaign began in December and employs shared web hosting to host counterfeit online meeting platforms on a single IP address. The fake meeting sites sport a URL similar to the legitimate services and serve as bait to lure unsuspecting victims.

Researchers said Android-focused SpyNote RAT, as well as NjRAT and DCRat, which target Windows users, are the primary payloads the threat actors use. The campaign enables theft of confidential data, keystroke logging and file exfiltration.

Each campaign uses tailored lures and attack vectors. The Skype campaign directs Windows users to download a malicious executable disguised as a Skype installer, while Android users are prompted to download a fake Skype application. The fake Google Meet site offers downloads for Android and Windows, disguising the SpyNote RAT and DCRat payloads, respectively.

The Zoom campaign presents links resembling authentic meeting IDs to potentially deceive users into clicking on malicious links.

Amex Blames Third-Party Provider for Breach

American Express alerted customers of a data breach at a third-party provider used by merchants that exposed payment card numbers. The company's travel services division used this provider. American Express said its systems were unaffected. The breach swept up American Express account numbers, names and expiration dates.

PetSmart Credential Stuffing Attack

U.S. household pet superstore retailer PetSmart warned that hackers apparently have been running credential stuffing attacks against customer accounts, leading the company to force password resets. A notification posted online by the company says that PetSmart "security tools saw an increase in password guessing attacks on petsmart.com." The company did not immediately respond to a request for comment.

Credential stuffing attacks occur when hackers attempt to reuse login credentials exposed in data breaches. Individuals can check whether their email has been swept up in a data breach by searching Have I Been Pwned.
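The "increase in password guessing attacks" that PetSmart's tools noticed is the kind of signal a login service can derive from its own authentication log. The following is an added example, not code from the article or from PetSmart: it parses constructed authentication log lines and flags source addresses whose failed logins inside a short window spread across many distinct usernames, which is what distinguishes credential stuffing (one leaked pair tried per account) from a brute-force run against a single account. Any successful login from a flagged address is reported separately, since those are the accounts a forced password reset should cover first. The log format, thresholds and sample lines are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# 203.0.113.7 tries eight different accounts in eight seconds; one succeeds.
# 198.51.100.3 is a user mistyping their own password a few times.
SAMPLE_LOG = """\
2024-03-05T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-03-05T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-03-05T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2024-03-05T10:00:04Z ip=203.0.113.7 user=dave result=OK
2024-03-05T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2024-03-05T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2024-03-05T10:00:07Z ip=203.0.113.7 user=grace result=FAIL
2024-03-05T10:00:08Z ip=203.0.113.7 user=heidi result=FAIL
2024-03-05T10:01:00Z ip=198.51.100.3 user=bob result=FAIL
2024-03-05T10:01:10Z ip=198.51.100.3 user=bob result=FAIL
2024-03-05T10:01:20Z ip=198.51.100.3 user=bob result=FAIL
2024-03-05T10:01:30Z ip=198.51.100.3 user=bob result=OK
2024-03-05T10:02:00Z ip=192.0.2.9 user=alice result=OK
"""

# Assumed line format: ISO-8601 timestamp, then key=value fields.
LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse_log(text: str) -> list:
    """Return (timestamp, ip, user, result) tuples sorted by time;
    malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort()
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_fails=5, min_users=5) -> dict:
    """Flag IPs whose failures within `window` span many distinct usernames.
    Returns {ip: {"fails": n, "users": n, "successes": [user, ...]}} where
    `successes` lists accounts that logged in from the flagged IP in that window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            fails = [e for e in win if e[3] == "FAIL"]
            users = {e[2] for e in fails}
            if len(fails) >= min_fails and len(users) >= min_users:
                record = {
                    "fails": len(fails),
                    "users": len(users),
                    "successes": sorted({e[2] for e in win if e[3] == "OK"}),
                }
                # keep the busiest window seen for this IP
                if ip not in flagged or record["fails"] > flagged[ip]["fails"]:
                    flagged[ip] = record
    return flagged

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['fails']} failures across {info['users']} accounts; "
              f"successful logins to reset: {info['successes']}")
```

The distinct-user threshold is what keeps the legitimate user on 198.51.100.3 out of the results: three failures against one account is a typo, not stuffing. In production the same logic would run per source IP and per /24 (attackers rotate addresses), and the `successes` list feeds the forced-reset workflow the article describes.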


With reporting from Information Security Media Group's David Perera in Washington, D.C.


About the Author

Anviksha More


Senior Subeditor, ISMG Global News Desk

More has seven years of experience in journalism, writing and editing. She previously worked with Janes Defense and the Bangalore Mirror.



