A cyberattack has compromised at least 4 Internet Service Providers via a popular management tool, a new SonicWall vulnerability, Google issues a patch for its 10th zero day of the year and a surprising update on the National Public Data hack.
Welcome to Cyber Security Today. I’m your host Jim Love.
“A sophisticated cyberattack campaign exploiting a zero day vulnerability has successfully targeted at least 4 Internet Service Providers. This attack, attributed to Chinese state-sponsored actors, exploits a critical vulnerability in a popular network management platform used by ISPs.
The vulnerability, CVE-2024-39717, affects Versa Director, a system crucial for managing complex network infrastructures. This zero day is an “unsanitized file upload vulnerability” and allows for the injection of malicious Java files. Compounding the issue, these files are able to run on Versa systems with elevated privileges.
The hackers initially gain access through port 4566, typically used for high-availability pairing between Versa nodes. They then establish longer HTTPS connections over port 443, masquerading as legitimate traffic.
The attackers install a custom web shell called ‘VersaMem’, which grants remote administrative control of affected systems. Notably, this malware operates entirely in memory, evading detection by major antivirus and endpoint protection platforms.
To further obfuscate their activities, the attackers route their intrusions through compromised home and small office routers. This tactic has been a recurring issue – in January, the FBI had to secretly send commands to hundreds of such routers to remove similar malware left by Chinese hackers.
Versa patched the vulnerability Monday after Lumen privately reported it earlier. All versions of Versa Director prior to 22.1.4 are affected.
But researchers at Black Lotus Labs discovered that hackers have been exploiting this flaw since at least June 12th, 2024. Further, the campaign has successfully infiltrated at least four U.S.-based ISPs, allowing the attackers to capture customer login credentials before encryption.
ISPs and network administrators are strongly advised to update their systems and thoroughly check for signs of compromise.
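As an added illustration of what “checking for signs of compromise” can look like in practice (this is not code from Versa, Lumen or the show), the script below scans constructed flow records for the two behaviours described above: a non-peer host reaching the HA-pairing port 4566, followed by long HTTPS sessions from that same source. The record format, the peer allowlist and the session-length threshold are all assumptions.

```python
"""Flag the Versa Director access pattern described in the segment:
1. inbound TCP/4566 (HA pairing) from a host that is not a known HA peer;
2. long-lived HTTPS (443) sessions from that same unexpected host.
Flow records are constructed samples; the CSV layout is an assumption."""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: only these hosts should ever talk to the HA-pairing port.
KNOWN_HA_PEERS = {"10.0.0.11", "10.0.0.12"}
HA_PORT = 4566
HTTPS_PORT = 443
LONG_SESSION_SECONDS = 3600  # assumption: an hour-long session is worth a look

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    duration: int  # seconds

def parse_flow(line: str) -> Optional[Flow]:
    """Parse a 'src,dst,dport,duration_s' record; skip comments and bad lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(",")
    if len(parts) != 4:
        return None
    try:
        return Flow(parts[0], parts[1], int(parts[2]), int(parts[3]))
    except ValueError:
        return None

def find_suspicious(lines: List[str]) -> List[str]:
    flows = [f for f in map(parse_flow, lines) if f is not None]
    # Step 1: any non-peer reaching the HA port is a finding on its own.
    unexpected = {f.src for f in flows
                  if f.dport == HA_PORT and f.src not in KNOWN_HA_PEERS}
    findings = [f"unexpected source {s} on HA port {HA_PORT}" for s in sorted(unexpected)]
    # Step 2: long HTTPS sessions from those same sources match the follow-on behaviour.
    for f in flows:
        if f.dport == HTTPS_PORT and f.src in unexpected and f.duration >= LONG_SESSION_SECONDS:
            findings.append(f"long HTTPS session ({f.duration}s) from {f.src}")
    return findings

SAMPLE_FLOWS = [  # constructed sample records: src,dst,dport,duration_s
    "10.0.0.12,10.0.0.11,4566,30",     # legitimate HA peer, not flagged
    "203.0.113.7,10.0.0.11,4566,12",   # unknown host touching the HA port
    "203.0.113.7,10.0.0.11,443,7200",  # then a two-hour HTTPS session
    "198.51.100.4,10.0.0.11,443,45",   # ordinary short admin session, not flagged
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_FLOWS):
        print(finding)
```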
There’s a link to the Versa blog in the show notes for today’s show.
Sources include: Versa Blog and
“SonicWall has issued a critical patch for a vulnerability affecting its firewall products. This flaw, if exploited, could allow unauthorized access to these devices, potentially compromising network security for many organizations.
The vulnerability, identified as CVE-2024-40766, has been assigned a critical severity score of 9.3 out of 10. It’s described as an improper access control bug in the SonicWall SonicOS management interface.
This issue affects multiple generations of SonicWall firewalls, including Gen 5, Gen 6, and some Gen 7 devices running older versions of SonicOS. The company has released patched versions for affected devices and recommends immediate updating.
For users unable to apply the patch immediately, SonicWall advises restricting firewall management access to trusted sources or disabling WAN management access from the internet.
While there’s no evidence of this vulnerability being exploited in the wild, the potential risk is significant. This incident highlights a concerning trend: threat actors, particularly those linked to China, are increasingly targeting edge infrastructure like firewalls and VPN appliances.
For instance, last year, a China-linked group known as UNC4540 was found exploiting unpatched SonicWall appliances to deploy malware and maintain long-term access to compromised networks.
More recently, another China-associated group called Velvet Ant was discovered using a zero-day exploit against Cisco Switch appliances to spread a new hybrid malware.
Sources include: The Hacker News
“Google has released an emergency security update for its Chrome browser to address an actively exploited zero-day vulnerability discovered in the Chrome browser.
The latest vulnerability, tracked as CVE-2024-7965, has been assigned a high severity score of 8.8 out of 10. It’s described as an ‘inappropriate implementation’ issue within Chrome’s V8 JavaScript engine, a critical component responsible for executing JavaScript code.
Google acknowledges that this vulnerability, along with another identified as CVE-2024-7971, is already being exploited in the wild. However, the company has withheld specific details about these attacks to prevent further exploitation while users update their browsers.
The security researcher known as TheDog reported this flaw on July 30, 2024. Google has promptly addressed it with the release of Chrome version 128.0.6613.84/.85 for Windows and macOS, and 128.0.6613.84 for Linux.
This incident marks the tenth zero-day vulnerability in Chrome this year, following a string of other critical flaws including type confusion issues, out-of-bounds memory access problems, and use-after-free vulnerabilities. Many of these were discovered during security events like Pwn2Own 2024.
The frequency of these high-severity vulnerabilities highlights the intense focus of malicious actors on web browsers as an attack vector. It’s a good reminder to keep browsers updated with the latest security patches.
Users are strongly advised to update their Chrome browsers immediately to the latest version to protect against potential exploitation of these vulnerabilities.”
Sources include: Security Affairs
Something you may have missed in the ongoing saga of the National Public Data (NPD) breach, one that reveals deeper security issues within the consumer data brokerage industry.
NPD, which recently suffered a breach exposing hundreds of millions of Americans’ sensitive data, and literally billions of records including Social Security numbers, is now linked to another security lapse where someone may have left the password to the site exposed to the internet.
KrebsOnSecurity reported that they discovered that a sister company of NPD, operating the background check service recordscheck.net, inadvertently exposed its database passwords on its public website.
The recordscheck.net website was found hosting an archive file named ‘members.zip’, which contained source code and plain text credentials for the site’s administration. This file was publicly accessible until August 19th, just before the story broke.
Further investigation revealed that many RecordsCheck users were assigned the same six-character initial password, with many failing to change it as instructed. The breach tracking service Constella Intelligence noted that these exposed passwords matched those from previous breaches involving NPD’s founder, Salvatore Verini.
When contacted, Verini confirmed the removal of the exposed archive and announced the imminent shutdown of the recordscheck.net service. He described the exposed file as containing outdated, non-functional code and passwords.
Sources include: Krebs on Security
That’s our show. You can find the show notes with links at technewsday.com or .ca
You can reach me at editorial@technewsday.ca
I’m your host Jim Love. Thanks for listening.