The Cybersecurity Club Newsletter
🚨 Cybersecurity Club Debrief: 🖨️ Urgent: Your Printer Could Be the Next Target, FCC reached a US$ 15.7 Million settlement with T-Mobile
Insights into Cyber Risks, Threat Intel, and Startup and VC Updates
Threat actors are currently scanning the internet for UNIX systems that have exposed printing ports in an attempt to exploit a set of four vulnerabilities in the Common UNIX Printing System (CUPS). Discovered by Italian security researcher Simone Margaritelli earlier this year, these vulnerabilities were publicly disclosed last week, leading to significant concern within the cybersecurity community.
Key Details:
Vulnerabilities Overview:
The vulnerabilities allow attackers to deploy malicious printers that can exploit CUPS and execute harmful code on the victim's server when a print job is initiated.
The exploit chain includes the following vulnerabilities:
CVE-2024-47176
CVE-2024-47076
CVE-2024-47175
CVE-2024-47177
Impact of Vulnerabilities:
These vulnerabilities enable an attacker to:
Deploy a malicious printer.
Have the printer indexed by the victim's CUPS server.
Plant malicious code on the CUPS server using a PPD file.
Execute the malicious code when a user initiates a print job through the compromised printer.
Public Attention and Concerns:
Margaritelli's write-up explaining the vulnerabilities generated significant attention, especially after proof-of-concept code was published last week.
While the vulnerabilities received extensive media coverage, experts believe the risks have been somewhat exaggerated. Key points include:
They do not impact all Linux distributions, affecting only a select few.
Exploitation scenarios are limited and require specific conditions.
The CVSS score of 9.9 may not accurately reflect the actual threat level.
Current Threat Landscape:
Following the public disclosure, threat actors began scanning for devices with UDP port 631 open, which is the port used by CUPS to listen for new printers.
According to data from Shodan, there are over 75,000 CUPS systems currently exposed on the internet, with other scans indicating numbers as high as 107,000 or more.
Mitigation Recommendations:
To protect against potential exploitation, it is crucial to take preventive measures:
Disable CUPS: If not needed, disabling the CUPS service can reduce the attack surface.
Remove CUPS: If CUPS is not essential for operations, consider removing it entirely.
Update CUPS: Ensure that CUPS is updated to the latest version, which may include security patches to address these vulnerabilities.
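The scanning described above targets UDP port 631, and the first two recommendations boil down to making sure nothing answers on it. The following audit script is an added example, not code from the newsletter or the CUPS project: its functions take the text of `ss -H -lunp` as an argument so they can be exercised on constructed samples (embedded below), and the remediation targets cups-browsed, the CUPS component that binds UDP 631 (a detail from the CUPS documentation, not from this newsletter).

```shell
#!/bin/sh
# Added audit helper (not from the newsletter or the CUPS project): reports whether
# this host exposes the CUPS printer-discovery listener (UDP 631, served by
# cups-browsed) to the network, and applies the "disable" mitigation on request.

# Constructed sample of `ss -H -lunp` output: discovery bound on all interfaces.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=812,fd=7))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=400,fd=13))
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=501,fd=12))
UNCONN 0 0 [::]:631 [::]:* users:(("cups-browsed",pid=812,fd=8))'

# Constructed sample of a host with no UDP 631 listener at all.
SAFE_SS='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=400,fd=13))
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=501,fd=12))'

# Print "local-address process" for every UDP socket on port 631 that is not bound
# to a loopback address (127.x or [::1]); a loopback-only binding is unreachable by scanners.
udp631_exposed() {
  printf '%s\n' "$1" | awk '
    $4 ~ /:631$/ && $4 !~ /^(127\.|\[::1\])/ {
      proc = "unknown"
      # Process column looks like users:(("cups-browsed",pid=812,fd=7))
      if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      print $4, proc
    }'
}

# Exit 0 when at least one exposed listener exists; usable from cron or a CI check.
cups_discovery_exposed() {
  [ -n "$(udp631_exposed "$1")" ]
}

# The newsletter's "Disable CUPS" mitigation applied to the discovery component:
# stop cups-browsed and mask it so a dependency cannot restart it. Needs root.
disable_cups_discovery() {
  systemctl disable --now cups-browsed && systemctl mask cups-browsed
}

# Stand-alone use: `sh cups_audit.sh --live` audits this host, `--disable` remediates.
case "${1:-}" in
  --live)
    live="$(ss -H -lunp 2>/dev/null)"
    if cups_discovery_exposed "$live"; then
      echo "UDP 631 printer discovery reachable from the network:"; udp631_exposed "$live"; exit 2
    fi
    echo "No non-loopback UDP 631 listener found." ;;
  --disable) disable_cups_discovery ;;
esac
```

Run the audit with `--live` across a fleet first; a host that reports an exposed listener but has no networked printers is a candidate for `--disable`, and one that still needs discovery should at least be firewalled so UDP 631 is reachable only from the printer subnet.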
In summary, while the vulnerabilities in CUPS present a serious concern, they are not as universally devastating as initially portrayed. However, system administrators should act swiftly to mitigate risks associated with these vulnerabilities, especially given the large number of exposed systems on the internet.
💻 Malware and Vulnerabilities
Researchers from ForeScout's Vedere Labs discovered 14 critical vulnerabilities in DrayTek routers, affecting over 700,000 devices used primarily in commercial settings. These vulnerabilities could lead to severe cyberattacks, and users are urged to apply the patches provided by DrayTek to protect against potential threats like ransomware and espionage.
📈 Breaches and Incidents
The FCC reached a settlement with T-Mobile over several data breaches, imposing a $15.75 million fine and requiring equivalent investment in cybersecurity upgrades. The settlement highlights the importance of data protection and sets a precedent for the telecommunications industry, focusing on improvements like zero-trust models and multi-factor authentication.
Verizon is facing a network outage impacting major cities like Atlanta, Chicago, and Los Angeles, leaving over 100,000 customers unable to make calls or send texts. The company is aware of the issue and is working on a solution, though no timeline for resolution has been given.
Sellafield, the UK's largest nuclear site, has been fined £332,500 for cybersecurity lapses from 2019 to 2023, marking the first prosecution under the Nuclear Industries Security Regulations 2003. While no hacking incidents occurred, the site admitted to neglecting annual security checks, partly due to staffing challenges in the industry.
ChoiceDNA, a genetic DNA and facial matching service, exposed the personal and biometric data of around 8,000 individuals due to an unsecured WordPress folder named "Facial Recognition Uploads." This folder, accessible without authentication, contained sensitive information such as facial DNA data, biometric images, and personal details. The breach was reported by cybersecurity researcher Jeremiah Fowler and was quickly addressed by securing the folder.
🚨 Threat Intel & Info Sharing
The U.S. Department of Justice, in partnership with Microsoft, has seized 107 internet domains used by Russian state-sponsored hackers known as COLDRIVER. These domains were part of a phishing campaign aimed at U.S. government officials and NGOs to steal credentials for espionage purposes.
Taiwanese server manufacturer Quanta has invested nearly $80 million in microgrid technology from Bloom Energy to power its California facilities. The purchase of fuel cell systems reflects Quanta’s effort to secure reliable energy for its tech-heavy operations, as local utilities face challenges in meeting rising energy demands, especially from industries like AI datacenters.
Unconfirmed reports suggest that the Israeli military hacked into the communications system of Beirut's Rafic Hariri International Airport, warning an Iranian aircraft not to land. The warning allegedly involved threats and led the plane to turn back without landing.
Key Group, a ransomware operation targeting primarily Russian users, has been active since April 2022. The group uses leaked ransomware builders like Chaos and Xorist for attacks via phishing emails and multi-stage loaders. Their use of publicly available tools and negotiation through Telegram highlights a growing trend of cybercriminals using easy-access methods to launch ransomware campaigns.
A suspected ransomware attack has disrupted IT systems at several hospitals in Kuwait, affecting cancer control centers, health insurance, and administrative operations. Kuwait's Health Ministry is working to restore systems using backups, though no ransomware group has claimed responsibility for the attack.
A cyberattack has affected IT systems at Agence France-Presse (AFP), disrupting a system used to deliver news services to customers. However, normal newsroom operations were not impacted. AFP has reported the incident to France's cybersecurity agency.
Hackers have stolen $3.8 million in crypto-assets from the DeFi platform Onyx in a cyber-heist. The attacker exploited a variant of a bug previously used to hack the platform in November. This vulnerability affected the "empty market" protocols used for launching new trading pools.
⚖️ General Cyber Updates
Irish DPA fines Meta: Ireland's data protection agency has fined Meta €91 million ($101.5 million) for storing some users' passwords in plaintext, related to a breach reported in March. It took five years for the fine to be issued.
Meta's Russian problem: Meta is under scrutiny regarding its EU personnel issues.
LibGen court ruling: A U.S. court has ordered the LibGen book piracy portal to pay $30 million in copyright infringement damages to book publishers.
Discord close to getting banned in Russia: Russian internet watchdog Roskomnadzor has added Discord to its registry, marking the first step towards formally blocking access to the service within Russia's borders.
US gives up on Cyber Force: The Pentagon has asked U.S. lawmakers to shut down an independent assessment evaluating the need for a separate cyber branch in the military. This decision surprised many on Capitol Hill, as multiple U.S. think tanks had advocated for a unified Cyber Force, arguing that separate cyber units across military branches are ineffective for recruiting and retaining talent.
⚖️ Cybersecurity Startups and VCs
HackerNews for AI Papers: HuggingFace's Ahsen Khaliq has developed a new interface that resembles HackerNews, designed specifically for accessing the latest AI research papers.
Sigmalite: RunReveal has open-sourced Sigmalite, a Sigma rules evaluation engine, with its code now available on GitHub.
RansomGuard: Security researcher Windy Bug has released RansomGuard, a mini-filter driver for filesystems aimed at preventing ransomware from encrypting files.
PolyTracker: Researchers from Trail of Bits have introduced PolyTracker, a tool that helps users understand how computer programs handle their data, with a supporting research paper.
Slack Watchman Update: PaperMtn, a security researcher, has updated their Slack Watchman tool to allow data retrieval from Slack workspaces without requiring authentication.
RomHack 2024 Livestreams: Live streams from the RomHack 2024 security conference are now accessible on YouTube.
Visa's Acquisition: Visa has acquired Featurespace, a company specializing in AI-based fraud detection technology.
📊 Trends, Reports, Analysis
Recent reports from OpenText reveal the top risks facing enterprises today, from nation-state attacks to the growing collaboration between cybercrime rings and geopolitical adversaries.
Collaboration between nation-states and cybercrime rings: New evidence shows organized crime groups working in tandem with state-sponsored attacks.
Targeted attacks linked to major events: The 2024 U.S. elections and the ongoing conflict in Ukraine have seen a spike in cyberattacks.
Supply chain attacks on the rise: Adversaries are using supply chains to breach enterprises, often through poorly defended third-party vendors.
Top threat actors of 2024: Discover which malware families and threat groups, like Killnet and Lokibot, are dominating the threat landscape.
We hope you enjoyed our email briefing! ☕🥮 If you want to sponsor our next edition or advertise on our site, drop us an email at [email protected].
Thank you for being a part of our newsletter community. You can also join us on our Discord Community or our LinkedIn Group.