Weekly News Digest 14-20 October
CISA: Threat actors using F5 BIG-IP cookies to map internal servers
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of threat actors abusing unencrypted persistent F5 BIG-IP cookies in order to identify and target other internal devices on targeted networks.
“CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network,” the agency warned. However, CISA did not disclose who is behind the activity or what the end goals of the campaign are.
CISA recommended organizations encrypt persistent cookies employed in F5 BIG-IP devices by configuring cookie encryption within the HTTP profile. The agency also urged users to verify the protection of their systems by running a diagnostic utility provided by F5 called BIG-IP iHealth to identify potential issues.
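As an added example (not from CISA's advisory or from F5), the following Python audit takes the Set-Cookie headers a site returns and reports whether each BIGipServer cookie is still in the cleartext IPv4 form, which is what exposes the pool member address, or is already encrypted. The sample headers are constructed, and the assumption that encrypted values begin with "!" follows F5's documented cookie format. Running it before and after enabling cookie encryption in the HTTP profile confirms that the change took effect.

```python
import re
import struct
from typing import Optional

# Cleartext IPv4 form of a BIG-IP LTM persistence cookie value (documented by F5):
#   "<pool member IP as little-endian uint32>.<port as byte-swapped uint16>.0000"
CLEARTEXT_V4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
COOKIE_PREFIX = "BIGipServer"


def decode_cleartext_v4(value: str) -> Optional[tuple[str, int]]:
    """Return (ip, port) if value is the cleartext IPv4 encoding, else None."""
    m = CLEARTEXT_V4.match(value)
    if not m:
        return None
    ip_le, port_le = int(m.group(1)), int(m.group(2))
    if ip_le > 0xFFFFFFFF or port_le > 0xFFFF:
        return None
    ip = ".".join(str(b) for b in struct.pack("<I", ip_le))    # octets stored little-endian
    port = struct.unpack(">H", struct.pack("<H", port_le))[0]  # port bytes are swapped too
    return ip, port


def audit_set_cookie_headers(headers: list[str]) -> list[dict]:
    """Classify every BIGipServer* cookie found in a list of Set-Cookie header values.

    A cleartext cookie reveals the pool member; anything else (an encrypted value,
    which F5 emits as '!' followed by base64 text, or the IPv6 / route-domain
    cleartext forms, which this function does not decode) is reported as not cleartext.
    """
    findings = []
    for header in headers:
        name_value = header.split(";", 1)[0].strip()
        if "=" not in name_value:
            continue
        name, value = name_value.split("=", 1)
        if not name.startswith(COOKIE_PREFIX):
            continue
        decoded = decode_cleartext_v4(value.strip())
        findings.append({
            "pool": name[len(COOKIE_PREFIX):],
            "cleartext": decoded is not None,
            "member": f"{decoded[0]}:{decoded[1]}" if decoded else None,
        })
    return findings


# Constructed sample headers; the encrypted value is a made-up placeholder.
SAMPLE_HEADERS = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "BIGipServerapp_pool=!ENCRYPTED_PLACEHOLDER_BASE64==; path=/; Secure; HttpOnly",
    "sessionid=abc123; Secure; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(finding)
```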
Researchers find new ways to hide backdoor functionality in AI models
Researchers have described a new way to hide functionality within a machine learning (ML) model by targeting its computational graph. The technique, dubbed “ShadowLogic”, is said to let an attacker inject a backdoor function into an ML model without writing any code. The injected backdoor can even survive subsequent fine-tuning of the model, allowing the attacker to persist for longer with no additional effort.
To make the technique work, an attacker manipulates the computational graph that defines the model’s logic and dataflows and adds various triggers for the backdoor logic so that the backdoor functionality remains hidden and is only activated when required.
Typical triggers could be in many different forms, from checksums on inputs passed to the model to the presence of certain types of pixels within an input image for image classifier models such as ResNet.
In all, the researchers described techniques to achieve similar hidden-logic attacks in three well-known ML models: the ResNet image classification model, the YOLO (You Only Look Once) object detection model, and Phi-3 Mini, a small language model that can run on mobile devices and is often used to power chatbots.
Tor browser users urged to update to fix critical CVE-2024-9680 bug
Users of the Tor browser are asked to update as soon as possible to fix a critical use-after-free bug in the Animation timeline component, tracked as CVE-2024-9680 (CVSS: 9.8), which Tor inherited from its Firefox codebase.
The issue is said to be easily exploitable over a network with no user interaction required and is reported to be actively exploited in the wild. Successful exploitation could allow an attacker to execute arbitrary code in the context of the browser’s content process and take over control of the browser. Crucially, the Tor team does not believe that the flaw would enable an attacker to de-anonymize the user.
Tor users are advised to upgrade to Tor browser version 13.5.7 to ensure they are protected. Firefox users should also ensure that they are running the latest version—131.0.2 and Firefox ESR versions 128.3.1 and 115.16.1—if they have not already updated.
Researchers find new ways to hijack CLI commands
Researchers have described a number of methods by which the command line interface (CLI) entry points of various commands can be hijacked.
In Python packaging, for example, an attacker could manipulate the metadata of a distribution such as a Wheel file to change the contents of its console_scripts entry points, so that a custom plugin of the attacker's choosing is called whenever the entry point is invoked.
Another way to attack CLI entry points is a technique called command jacking, in which legitimate commands, both third-party tools and operating system commands such as ls, cd, mkdir, and so forth, are overridden with the attacker’s own version of the command. Attacks of this type require installing the malicious command at a location that appears in the PATH before the legitimate command; when the command is then issued, the malicious one is found and executed instead of the legitimate one.
To make command hijacking stealthier, the attacker could also use a technique called command wrapping. Here, the attacker creates a wrapper that includes their own malicious payload; when the command is invoked, the wrapper runs the malicious code, passes execution on to the legitimate command, and then hands the results back to the caller.
Many different commands and packages could be used for these types of attacks. With attackers constantly seeding Python (among other open-source ecosystems) with fake or malicious packages, users need to be mindful of such attacks and take appropriate precautions.
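One defender-side check for the console_scripts abuse described above, added here as an illustration rather than taken from the researchers' write-up: it flags console_scripts entry points whose target module is not one of the distribution's own top-level packages, or whose script name collides with a common command. The netutils distribution and its entry_points.txt are constructed, and the live audit depends on top_level.txt, which not every build backend emits.

```python
import configparser
from importlib import metadata

# Command names the write-up says get overridden (ls, cd, mkdir, ...); extend to taste.
COMMON_COMMANDS = {"ls", "cd", "mkdir", "cat", "cp", "mv", "rm", "curl", "ssh", "git"}

def parse_console_scripts(entry_points_txt: str) -> dict[str, str]:
    """Read the [console_scripts] section of a distribution's entry_points.txt."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep script names case-sensitive
    cp.read_string(entry_points_txt)
    return dict(cp.items("console_scripts")) if cp.has_section("console_scripts") else {}

def target_top_level(ep_value: str) -> str:
    """Map an entry point value such as 'pkg.sub.mod:func [extra]' to 'pkg'."""
    module = ep_value.split(":", 1)[0].split("[", 1)[0].strip()
    return module.split(".", 1)[0]

def suspicious_scripts(entry_points_txt, top_level_packages, known_commands=COMMON_COMMANDS):
    """Flag scripts targeting a foreign top-level package or shadowing a common command."""
    findings = []
    for name, value in parse_console_scripts(entry_points_txt).items():
        reasons = []
        if target_top_level(value) not in top_level_packages:
            reasons.append("target module is not one of the distribution's packages")
        if name in known_commands:
            reasons.append("script name shadows a common command")
        if reasons:
            findings.append((name, value, reasons))
    return findings

def audit_installed_distributions():
    """Check every installed distribution that ships entry_points.txt and top_level.txt."""
    findings = []
    for dist in metadata.distributions():
        ep_txt = dist.read_text("entry_points.txt")
        top_level = set((dist.read_text("top_level.txt") or "").split())
        if not ep_txt or not top_level:
            continue  # cannot judge without both files; inspect such packages by hand
        try:
            hits = suspicious_scripts(ep_txt, top_level)
        except configparser.Error:
            continue  # malformed metadata; inspect by hand
        for name, value, reasons in hits:
            findings.append((dist.metadata["Name"], name, value, reasons))
    return findings

# Constructed entry_points.txt for a hypothetical distribution whose only
# top-level package is "netutils"; its "ls" script points at a foreign module.
SAMPLE_ENTRY_POINTS = """\
[console_scripts]
netutils = netutils.cli:main
ls = netutils_hook.shim:run
"""
```

Expect false positives from packages whose scripts legitimately target a dependency; treat a hit as a prompt to read the wheel, not as proof of tampering.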
Gryphon Healthcare breach impacts almost 400K people
Gryphon Healthcare, a Houston-based services provider to healthcare organizations, recently disclosed a data breach that involved an unnamed third party that Gryphon provides with medical billing services.
Gryphon said the third-party breach, which it discovered on August 13, led to a threat actor accessing files containing information about patients “for whom Gryphon provides medical billing services.” Compromised data includes names, addresses, dates of birth, Social Security numbers, dates of service, diagnosis and health insurance information, treatment and prescription information, provider details, and medical record numbers.
Gryphon is notifying 393,358 individuals that the data breach may impact them. The billing services provider is offering 12 months of free identity theft protection services, including credit monitoring, an insurance reimbursement policy, and ID theft recovery services, to all impacted individuals.
Republican think tank breached by hackers
The Republican think tank America First Policy Institute has said that it was targeted in a cyberattack that resulted in a breach of its computer networks.
No details have been shared about the nature of the breach or what specifically was accessed, but the institute stated that, given the nature of the organization, it is not surprising that it is a target of threat actors.
It further added that the “tactics, techniques, and procedures of the threat actor are similar to that of nation-state sponsored activities we have seen, allowing us to remediate and respond quickly” and that the systems have since been secured.
In the run-up to the U.S. Presidential Election in November 2024, political organizations are on high alert for potential attacks from adversaries seeking to influence the election results to favor either of the candidates. In September, U.S. authorities revealed charges against three Iranian nationals accused of targeting U.S. officials with cyberattacks seeking to influence the outcome of the election.
Cisco investigating breach after data offered for sale
Cisco is investigating claims that it suffered a breach after data allegedly stolen from the tech giant was offered for sale on a hacking forum.
“Cisco is aware of reports that an actor is alleging to have gained access to certain Cisco-related files,” a Cisco spokesperson told BleepingComputer. “We have launched an investigation to assess this claim, and our investigation is ongoing.”
The news follows claims made by the threat actor known as IntelBroker who said that they and two others called EnergyWeaponUser and zjj breached Cisco on October 6 and stole a large amount of developer data.
According to IntelBroker, the stolen data includes GitHub and GitLab projects, SonarQube projects, source code, hardcoded credentials, confidential documents, Jira tickets, API tokens, AWS private buckets, Docker builds, Azure storage buckets, private and public keys, SSL certificates, and product information. IntelBroker claims that dozens of high-profile companies were affected by the breach.
Attackers target hardcoded credentials in SolarWinds Web Help Desk
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the SolarWinds Web Help Desk (WHD) hardcoded credentials vulnerability to its catalog of known exploited vulnerabilities (KEV) after evidence emerged indicating that attackers are actively targeting vulnerable installations.
The critical vulnerability tracked as CVE-2024-28987 (CVSS: 9.1) is caused by hardcoded credentials in the product that could allow a remote unauthenticated attacker to access information within the application and modify its data.
The issue was first patched by SolarWinds in its mid-August security update and then, in late September, full details were shared by the researcher who reported the issue.
As we know, attackers are always quick to grab a free lunch, so they have wasted little time in using it to target laggards in the patching process.
Alongside the SolarWinds issue, the Mozilla Firefox Use-After-Free Vulnerability (CVE-2024-9680) and Microsoft Windows Kernel TOCTOU Race Condition Vulnerability (CVE-2024-30088) were also added to the KEV catalog. Federal agencies have until November 5 to address these issues.
Study finds Google Play not as safe for app users as expected
While Google works hard to make its official app store, Google Play, as safe a space as possible for users within its Android ecosystem, many malicious apps still slip past the various security measures designed to keep them out of the store.
A new report covering a period from June 2023 to April 2024 indicates that over 200 malicious apps still managed to find their way into the Google Play store with download totals of around 8 million between them.
The most commonly found malicious apps include Joker, an information-stealing Trojan that also subscribes the victim to premium services to generate revenue for the attackers; another, labeled Adware, which covertly runs in the background downloading ads and generating false traffic to generate revenue; and Facestealer, which steals Facebook credentials.
In terms of app categories, the tools, personalization, and photography categories are where most of the malicious apps are found.
Most of the malicious apps were downloaded by users in India (28%), closely followed by the U.S. (27%), and Canada (15%). The industry sector most frequently affected by mobile malware is the educational sector, which saw an increase of 136% in malware detections in the past year.
Critical flaw found in Kubernetes Image Builder could allow SSH root access
A critical flaw in Kubernetes Image Builder has been discovered (CVE-2024-9486, CVSS: 9.8) that could allow a remote attacker to gain SSH access with root privileges to a VM built using a vulnerable Image Builder.
The Image Builder is a tool used to build Kubernetes VM images that can then be used with various VM hosting solutions. The problem arises when a version of Image Builder with the flaw (version 0.1.37 or earlier) is used to create a new VM image: the resulting image can retain a privileged builder account, with the default credentials used during the build process, that is not disabled afterwards.
An attacker could use the default credentials to SSH to the VM using the builder account after the VM is built and have privileged access levels.
Users of Kubernetes Image Builder are urged to check the version used to build their VMs. If affected, the temporary solution is to disable the builder account, but the full solution is to rebuild and redeploy the image using a non-vulnerable version of the builder.
Users should check the Kubernetes advisory page for instructions and details about the solutions and status from various providers as solutions and impacts may vary.
CISA releases joint report warning of Iranian attackers targeting critical infrastructure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with partners in the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), has released a joint report warning critical infrastructure owners of sustained cyberattack activity coming from Iranian-linked threat actors.
The report aims to share the tactics, techniques, and procedures (TTPs) used by these threat actors and particularly focuses on attacks since October 2023.
The threat actors favor a few methods to gain initial access. These include account brute forcing; password spraying, where a small set of passwords is tried across many accounts; and multifactor authentication (MFA) “push bombing” attacks, where legitimate users are repeatedly sent MFA authorization requests triggered by the attacker's login attempts, in the hope that the user will eventually or accidentally approve one.
Once inside, the attackers tend to use living-off-the-land tactics to conduct their activities within the organization. Tools typically used include nltest and net to gather details and issue commands to change settings.
Organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors are said to be most at risk from these threat actors. Members of these sectors are advised to beef up password and access management policies and procedures, provide training to staff, and use phishing-resistant MFA solutions.
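Added example, not from the CISA report: simple sliding-window detection over authentication logs for the three initial-access patterns named above. The log line format and the sample lines are constructed, and the thresholds are illustrative defaults to tune to your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log line format used by this example (not the advisory's):
#   <ISO-8601 UTC timestamp> src=<ip> user=<account> event=<login_failure|login_success|mfa_push>
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")

def parse(lines):
    """Yield (timestamp, src, user, event) for every well-formed line; others are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), m["src"], m["user"], m["event"]

def _trim(queue, now, window):
    """Drop queue entries older than the sliding window; entry[0] is the timestamp."""
    while queue and now - queue[0][0] > window:
        queue.popleft()

def detect(lines, window=timedelta(minutes=10), spray_users=5, bf_failures=10, pushes=5):
    """Return (alert_type, subject) pairs for the three initial-access patterns:
    password spraying (one source, many accounts), brute force (one source, one
    account) and MFA push bombing (many prompts to one user) within the window."""
    by_src, by_src_user, by_user = defaultdict(deque), defaultdict(deque), defaultdict(deque)
    alerts = set()
    for ts, src, user, event in sorted(parse(lines)):
        if event == "login_failure":
            by_src[src].append((ts, user))
            _trim(by_src[src], ts, window)
            if len({u for _, u in by_src[src]}) >= spray_users:
                alerts.add(("password_spray", src))
            by_src_user[(src, user)].append((ts,))
            _trim(by_src_user[(src, user)], ts, window)
            if len(by_src_user[(src, user)]) >= bf_failures:
                alerts.add(("brute_force", f"{src}->{user}"))
        elif event == "mfa_push":
            by_user[user].append((ts,))
            _trim(by_user[user], ts, window)
            if len(by_user[user]) >= pushes:
                alerts.add(("mfa_push_bombing", user))
    return alerts

# Constructed sample: a spray across six accounts, five pushes to one user in
# four minutes, ten failures against one account, and one benign failure.
SAMPLE_LOG = (
    [f"2024-10-15T08:00:{i:02d}Z src=203.0.113.5 user=user{i} event=login_failure" for i in range(6)]
    + [f"2024-10-15T08:1{i}:00Z src=198.51.100.7 user=bob event=mfa_push" for i in range(5)]
    + [f"2024-10-15T09:00:{i:02d}Z src=192.0.2.9 user=carol event=login_failure" for i in range(10)]
    + ["2024-10-15T10:00:00Z src=192.0.2.44 user=dave event=login_failure"]
)
```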
USDoD hacker behind attacks on FBI, Airbus, National Public Data arrested in Brazil
The hacker known as USDoD (aka EquationCorp), who was allegedly behind several high-profile cyberattacks, has been arrested by Brazilian law enforcement.
On Wednesday (October 16), Brazil’s Department of Federal Police (DFP) revealed the arrest as part of Operation Data Breach, which they launched to investigate several intrusions on their own systems as well as others internationally.
“A search and seizure warrant and a preventive arrest warrant was served in the city of Belo Horizonte/MG against an investigated person suspected of being responsible for two publications and sales of Federal Police data,” DFP said. “The prisoner boasted of being responsible for several cyber intrusions carried out in some countries, claiming, on websites, to have disclosed sensitive data of 80,000 members of InfraGard, a partnership between the FBI and private critical infrastructure entities in the United States of America.”
While DFP did not name the suspect, USDoD has previously claimed responsibility for the December 2022 breach of the FBI’s InfraGard platform. The hacker has also claimed responsibility for breaches at European aerospace giant Airbus, the U.S. Environmental Protection Agency, U.S. background check giant National Public Data, and many other organizations. USDoD, who reportedly is a 33-year-old Brazilian named Luan BG, has also been linked to Brazil by several cybersecurity researchers.
Insurance giant Globe Life hit by extortion attempts after data theft
U.S. insurance firm Globe Life is being extorted by threat actors threatening to publish data stolen from the company’s systems earlier this year.
“Based on the Company’s investigation to date, which remains ongoing, the Company believes that information relayed to the Company by the threat actor may relate to certain customers and customer leads that can be traced to the Company’s subsidiary, American Income Life Insurance Company,” the Texas-based insurance giant told regulators at the U.S. Securities and Exchange Commission (SEC). Globe Life says that at least 5,000 American Income Life customers are impacted.
The stolen information includes Social Security numbers, names, addresses, health-related data and more. Globe Life warned that the “full scope of information possessed by the threat actor has not been fully verified.”
Globe Life also stated that the attackers attempted to extort the company into paying a ransom in exchange for not publishing the stolen data. “Most recently, the threat actor also shared information about a limited number of individuals to short sellers and plaintiffs’ attorneys,” the SEC filing adds. “The threat actor claims to possess additional categories of information, which claims remain under investigation and have not been verified.”
Sources:
- Best Practices to Configure BIG-IP LTM Systems to Encrypt HTTP Persistence Cookies | CISA
- HiddenLayer Research | ShadowLogic
- Tor Browser Update Patches Exploited Firefox Zero-Day | SecurityWeek
- Supply Chain Attacks Can Exploit Entry Points in Python, npm, and Open-Source Ecosystems
- US healthcare org admits up to 400k people’s data stolen | The Register
- America First Policy Institute, a Group Advising Trump, Says Its Systems Were Breached | SecurityWeek
- Three IRGC Cyber Actors Indicted for ‘Hack-and-Leak’ Operation Designed to Influence the 2024 U.S. Presidential Election | Office of Public Affairs, United States Department of Justice
- Cisco investigates breach after stolen data for sale on hacking forum
- Known Exploited Vulnerabilities Catalog | CISA
- CVE-2024-28987: SolarWinds Web Help Desk Hardcoded Credential Vulnerability Deep-Dive | Horizon3.ai
- Over 200 malicious apps on Google Play downloaded millions of times
- CVE-2024-9486: VM images built with Image Builder and Proxmox provider use default credentials | Issue #128006, kubernetes/kubernetes, GitHub
- Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations | CISA
- USDoD hacker behind National Public Data breach arrested in Brazil
- Hackers are extorting Globe Life with stolen customer data | TechCrunch