Take a look at our third Cyber Weekly Digest of 2023, where we dive into the latest cyber security news, including the data breaches reported by T-Mobile and MailChimp. Keep reading to stay up to date on the biggest cyber security news from the week.
A critical vulnerability in the Cacti device monitoring tool, which attackers have already started to exploit, has left more than 1,600 internet-exposed instances open to remote code execution (RCE). Cacti is an operational and fault-management monitoring solution for network devices that provides graphical visualisation, and thousands of instances worldwide are exposed on the web. In early December 2022, a security advisory warned of a critical command injection vulnerability in Cacti (CVE-2022-46169, CVSS 9.8 out of 10) that can be exploited without authentication. The developers have since released an update that fixes both the command injection itself and the authorization bypass that makes it reachable before login. A public proof-of-concept (PoC) exploit has been released along with technical details of the attack, which means even low-skilled adversaries can now use it against unpatched hosts. Censys reported that, of the 1,637 Cacti hosts whose version number it could capture in a scan, only 26 were not vulnerable to CVE-2022-46169.
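A detection a defender can run over existing web-server logs while patching is under way, added here as an example; it is not code from the article or from the Cacti project. It assumes common-log-format access logs and relies on the fact, stated in Cacti's public advisory for CVE-2022-46169, that the unauthenticated command injection is reached through remote_agent.php. The log lines below are constructed for the example, not captured from a real host.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed common-log-format lines for illustration; two of them carry
# shell metacharacters in a remote_agent.php parameter, two are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2023:10:01:02 +0000] "GET /remote_agent.php?action=polldata&local_data_ids[]=1&host_id=1&poller_id=1 HTTP/1.1" 200 512
203.0.113.10 - - [12/Jan/2023:10:01:03 +0000] "GET /remote_agent.php?action=polldata&local_data_ids[]=1&host_id=1&poller_id=1%3Bid HTTP/1.1" 200 640
198.51.100.7 - - [12/Jan/2023:10:02:10 +0000] "GET /graph_view.php?action=tree HTTP/1.1" 200 2048
198.51.100.7 - - [12/Jan/2023:10:02:11 +0000] "GET /cacti/remote_agent.php?action=polldata&local_data_ids[]=2&host_id=1&poller_id=1%60curl%20203.0.113.10%60 HTTP/1.1" 200 640
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Characters that have no business in a poller id or data id but let a value
# break out of a shell command string.
SHELL_META = re.compile(r'[;|&`$\n\r(){}<>]')


def parse_clf(line):
    """Return the fields of one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_cacti_injection(log_text):
    """Flag requests to remote_agent.php whose query parameters contain shell metacharacters.

    Returns one finding per suspicious parameter value, in log order.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if not url.path.endswith("/remote_agent.php"):
            continue
        # parse_qs percent-decodes the values, so %3B becomes ';' before we test it.
        params = parse_qs(url.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if SHELL_META.search(value):
                    findings.append({
                        "ip": rec["ip"],
                        "ts": rec["ts"],
                        "status": int(rec["status"]),
                        "param": name,
                        "value": value,
                    })
    return findings


if __name__ == "__main__":
    for f in detect_cacti_injection(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r} -> HTTP {f['status']}")
```

A 200 response to a flagged request does not prove the injected command ran, so pair each hit with process-execution or auditd records from the Cacti host at that timestamp. The common log format also does not record the client-address header the pre-auth bypass depends on; if your web server logs X-Forwarded-For, extend the regex to capture it and treat that header arriving from outside your proxy tier as a second signal.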
The Vice Society ransomware gang has claimed responsibility for a November 2022 attack on the University of Duisburg-Essen (UDE) that forced the university to rebuild its IT infrastructure, a process that is still ongoing. The threat actors have also leaked files they claim to have stolen from the university during the intrusion, exposing potentially sensitive details about the university's operations, students and personnel. UDE has confirmed that it is aware of the data being published and that it will not pay: “The university had not complied with the attacker’s demands and had not paid a ransom.” The leaked files include backup archives, financial documents, research papers and student spreadsheets. UDE's IT specialists performed a university-wide password reset as a first step, but given the depth of the compromise the entire IT infrastructure had to be rebuilt. UDE's CISO notes that the rebuild will result in significant financial loss, and that losing one week of CPU hours alone costs around €75,000.
Proof-of-concept (PoC) exploit code will be released later this week for a critical vulnerability allowing unauthenticated remote code execution (RCE) in several Zoho ManageEngine products. The flaw, tracked as CVE-2022-47966, is a pre-authentication RCE caused by an outdated and vulnerable third-party dependency, Apache Santuario (the Java XML Security library). Successful exploitation lets unauthenticated threat actors execute arbitrary code on ManageEngine servers if SAML-based single sign-on (SSO) is enabled, or was enabled at least once before the attack. The list of vulnerable software covers almost all ManageEngine products. Zoho has patched them in waves by updating the third-party module to a more recent version. Security researchers have warned admins that they have developed a working PoC for CVE-2022-47966, and found that around 10% of all internet-exposed ManageEngine instances were still vulnerable. CISA and the FBI have since issued advisories after CVE-2022-47966 and related exploits were spotted being used in the wild. Admins who cannot patch immediately should treat any ManageEngine instance where SAML SSO is, or has ever been, configured as exposed and keep it off the internet until it is updated.
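The bug class behind CVE-2022-47966, as described in the public analyses the article refers to, is an XML signature library that honours whatever ds:Transform algorithms the incoming SAML response declares, XSLT included, before the signature has been verified. The check below is an added example and not code from Zoho, Apache Santuario or the article: it inspects a SAML response before it reaches the signature library and rejects any transform or canonicalization algorithm outside a small allowlist. Both sample responses are constructed, and the allowlist is an assumption about what a typical SAML deployment needs.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Transforms a SAML signature legitimately needs: strip the enveloped signature
# and canonicalize. Anything else (XSLT, XPath filters) is attack surface.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Constructed SAML 2.0 response skeleton; {extra_transform} lets us build a
# benign and a malicious variant from the same text. Digest and signature
# values are placeholders, not real cryptographic output.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_r1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          {extra_transform}
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>
"""

BENIGN_RESPONSE = RESPONSE_TEMPLATE.format(extra_transform="")
# A transform that asks the verifier to run a stylesheet before checking anything.
MALICIOUS_RESPONSE = RESPONSE_TEMPLATE.format(extra_transform=(
    '<ds:Transform Algorithm="' + XSLT_TRANSFORM + '">'
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
    '<xsl:template match="/"><out/></xsl:template>'
    '</xsl:stylesheet></ds:Transform>'
))


def disallowed_algorithms(saml_xml):
    """Return every canonicalization or transform algorithm in the signature
    that is not on the allowlist, in document order."""
    root = ET.fromstring(saml_xml)
    bad = []
    for c14n in root.iterfind(".//ds:SignedInfo/ds:CanonicalizationMethod", NS):
        alg = c14n.get("Algorithm", "")
        if alg not in ALLOWED_TRANSFORMS:
            bad.append(alg)
    for t in root.iterfind(".//ds:Reference/ds:Transforms/ds:Transform", NS):
        alg = t.get("Algorithm", "")
        if alg not in ALLOWED_TRANSFORMS:
            bad.append(alg)
    return bad


def accept_saml_response(saml_xml):
    """Gate to run before handing the document to the signature library."""
    bad = disallowed_algorithms(saml_xml)
    if bad:
        raise ValueError("rejected SAML response: disallowed algorithms " + ", ".join(bad))
    return True


if __name__ == "__main__":
    print("benign:", disallowed_algorithms(BENIGN_RESPONSE))
    print("malicious:", disallowed_algorithms(MALICIOUS_RESPONSE))
```

The gate is a belt-and-braces measure, not a substitute for updating the library: a current XML signature implementation with secure validation enabled refuses XSLT transforms itself. Parse untrusted XML with a hardened parser (defusedxml in Python) in production, since a SAML response is attacker-controlled input long before any signature is checked.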
Email marketing firm MailChimp has suffered a data breach in which attackers gained access to internal customer support and account administration tools and used them to reach the data of 133 customers. MailChimp says the attackers obtained employee credentials through a social engineering attack on MailChimp employees and contractors. The intrusion was first detected on January 11th, when MailChimp noticed an unauthorized person using its support tools. MailChimp says no action is required from its users. WooCommerce, one of the affected customers, told its users in an email that no payment details, passwords or other sensitive data were exposed; customer email addresses, however, were. That matters because stolen MailChimp mailing lists have been abused before: after an earlier MailChimp breach, Trezor hardware-wallet owners received fake data breach notifications prompting them to install fake software that stole their cryptocurrency and recovery seeds. Customers affected in MailChimp's August 2022 breach included Edge Wallet, Cointelegraph, NFT creators, Ethereum FESP, Messari and Decrypt.
T-Mobile has disclosed a breach in which the personal information of 37 million postpaid and prepaid customer accounts was stolen through one of its Application Programming Interfaces (APIs). APIs are software interfaces that applications and systems use to communicate with each other; many online services expose APIs so that their own apps or external partners can retrieve internal data, provided they present the right authentication tokens. T-Mobile has not said how its API was abused, but threat actors commonly find flaws that let them retrieve data without authenticating first, or pull far more records than any legitimate client would. The stolen data did not include passwords, payment card data or any other financial information, but it did include full names, addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers and account details such as the number of lines and plan features. That is more than enough for convincing phishing lures that trick customers into buying fake or potentially malicious products. This is T-Mobile's eighth data breach since 2018, including one attack that exposed the customer data of roughly 3% of all T-Mobile customers.
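Two signals an API gateway should produce for the kind of mass retrieval described above: account records served to requests that carry no credential at all, and a single client walking through many distinct account identifiers. The detector below is an added example, not T-Mobile's code or a description of its API; the JSON-lines log format, the /v1/accounts/<id> path shape and the threshold are assumptions, and the log records are constructed.

```python
import json
import re
from collections import defaultdict

# Assumed path shape for per-account resources; the capture group is the account id.
ACCOUNT_PATH = re.compile(r"^/v1/accounts/(?P<account>\d+)(?:/|$)")

# How many distinct accounts one client may read before we call it enumeration (assumed).
ENUMERATION_THRESHOLD = 5


def _build_sample_log():
    """Constructed gateway records (JSON lines): one scraper with a valid token,
    one legitimate user, and one unauthenticated client that gets data back once."""
    rows = []
    for i in range(6):  # a client walking sequential account ids
        rows.append({"ts": 100 + i, "client": "203.0.113.5", "token": "tok-A",
                     "path": f"/v1/accounts/{1000001 + i}", "status": 200})
    rows += [
        {"ts": 200, "client": "192.0.2.44", "token": "tok-B", "path": "/v1/accounts/3000500", "status": 200},
        {"ts": 201, "client": "192.0.2.44", "token": "tok-B", "path": "/v1/accounts/3000500/lines", "status": 200},
        {"ts": 300, "client": "198.51.100.9", "token": "", "path": "/v1/accounts/2000010", "status": 200},
        {"ts": 301, "client": "198.51.100.9", "token": "", "path": "/v1/accounts/2000011", "status": 401},
    ]
    return "\n".join(json.dumps(r) for r in rows)


SAMPLE_LOG = _build_sample_log()


def parse_records(log_text):
    """Parse JSON-lines gateway records, skipping blank or malformed lines."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def _served_account(record):
    """Account id if the record is a successful read of an account resource, else None."""
    m = ACCOUNT_PATH.match(record.get("path", ""))
    if m and 200 <= record.get("status", 0) < 300:
        return m["account"]
    return None


def unauthenticated_data_hits(records):
    """Account resources served with a 2xx status to a request carrying no token."""
    return [r for r in records if _served_account(r) is not None and not r.get("token")]


def enumeration_by_client(records, threshold=ENUMERATION_THRESHOLD):
    """Map client -> number of distinct accounts it read, for clients at or over the threshold."""
    seen = defaultdict(set)
    for r in records:
        account = _served_account(r)
        if account is not None:
            seen[r["client"]].add(account)
    return {client: len(accounts) for client, accounts in seen.items() if len(accounts) >= threshold}


def analyze(log_text):
    records = parse_records(log_text)
    return {
        "unauthenticated": unauthenticated_data_hits(records),
        "enumeration": enumeration_by_client(records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for r in result["unauthenticated"]:
        print(f"no token but HTTP {r['status']}: {r['client']} {r['path']}")
    for client, n in result["enumeration"].items():
        print(f"enumeration: {client} read {n} distinct accounts")
```

A production version would window by time and key on the token as well as the source address, because scrapers rotate IPs and a legitimate partner integration may read many accounts slowly. The first signal is the more important one: an account resource returned with no credential is a bug in the API, not merely suspicious traffic, and should block the release rather than just raise an alert.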