Steve Thomas - IT Consultant

Vanilla Tempest, a ransomware group also known as Vice Society, has been seen deploying the INC ransomware strain for the first time to target the American healthcare sector.

This is according to cybersecurity researchers from Microsoft, who recently detailed their newest findings in an X thread.

In the thread, the company said Vanilla Tempest first receives hand-offs from Gootloader infections by Storm-0494, before deploying various malware and tools, including Supper, AnyDesk, MEGA, and others.

Vice Society

The group uses Remote Desktop Protocol (RDP) for lateral movement, and Windows Management Instrumentation Provider Host to deploy the INC ransomware.

Unfortunately, Microsoft did not say which organizations Vanilla Tempest targeted, or how successful it was. Ransomware attacks against healthcare firms usually result in the leak of highly sensitive medical data, as well as potentially dizzying payouts.

Vanilla Tempest, or Vice Society, is a threat actor that’s been active since mid-2022. It usually targets education, healthcare, IT, and manufacturing sectors, and is known for frequently switching between different encryptors. While affiliates usually stick to one or two encryptors, Vanilla Tempest was observed using BlackCat, Quantum Locker, Zeppelin, Rhysida, and others.

In October 2022, Microsoft warned about Vanilla Tempest, saying it was known for swapping ransomware payloads as it targeted schools in the US. In some cases, Microsoft added, the group skips the encryption part altogether and just steals the data.

Some of its victims include the Swedish furniture powerhouse IKEA, as well as the Los Angeles Unified School District (LAUSD). IKEA fell prey in late November 2022, when its shops in Morocco and Kuwait were forced to shut parts of their infrastructure down. A few months earlier, LAUSD tried to negotiate with the group to keep the stolen sensitive data private, but the negotiations broke down.

"Unfortunately, as expected, data was recently released by a criminal organization,” LAUSD said soon after. “In partnership with law enforcement, our experts are analyzing the full extent of this data release.”

The identity of the hackers is unknown to this day.

Via The Hacker News

More from TechRadar Pro

The US Cybersecurity and Infrastructure Security Agency (CISA) has added an Apache HugeGraph-Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling that the bug is actively being exploited in the wild.

The addition also forces federal agencies to apply a patch before the October 9 deadline, or stop using the vulnerable product altogether.

The bug in question is a remote command execution flaw in the Gremlin graph traversal language API. It carries a severity score of 9.8, and affects all versions of the software prior to 1.3.0. It is tracked as CVE-2024-27348, and it was patched months ago - in April.

Four more bugs

Besides installing the patch, users are also advised to use Java 11 and enable the Auth system. Furthermore, they should enable the “Whitelist-IP/port” function, since, it was added, this improves the security of RESTful API execution.

In mid-July this year, the Shadowserver Foundation said it found evidence of the flaw’s exploitation, adding that the PoC code has been public since early June.

“If you run HugeGraph, make sure to update,” the organization said at the time.

Apache HugeGraph is an open source graph database system, supporting the storage and querying of billions of vertices and edges. Implemented with the Apache TinkerPop3 framework, it is fully compatible with the Gremlin query language, allowing for complex graph queries and analyses.

Besides the RCE flaw, CISA added another four flaws to the KEV catalog - a Microsoft SQL Server Reporting Services Remote Code Execution vulnerability (CVE-2020-0618), a Microsoft Windows Task Scheduler Privilege Escalation vulnerability (CVE-2019-1069), an Oracle JDeveloper Remote Code Execution vulnerability (CVE-2022-21445), and an Oracle WebLogic Server Remote Code Execution vulnerability (CVE-2020-14644).

Adding these bugs to the catalog doesn’t necessarily mean they are currently being exploited, BleepingComputer reports; it just means that they were being exploited at some point in the past.
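The practical follow-up to a KEV addition is checking your own vulnerability inventory against the catalog and its remediation deadlines. The script below is an added example, not part of the article or CISA's own tooling: it assumes the field names of the public KEV JSON feed (cveID, dueDate, requiredAction) and uses a constructed catalog excerpt so that it runs offline; only the CVE IDs come from the article, and the dates are illustrative placeholders rather than CISA's real values.

```python
"""Check a CVE inventory against a CISA KEV-format catalog and report due dates.

Field names (cveID, dueDate, dateAdded, requiredAction) are assumed to match the
public KEV JSON feed published by CISA. The catalog below is a CONSTRUCTED
sample for offline use; the due dates are illustrative placeholders.
"""
import json
from datetime import date

# Constructed KEV-style excerpt (not the real feed). In production you would
# fetch the live catalog instead and pass its text to load_kev().
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-27348", "vendorProject": "Apache",
         "product": "HugeGraph-Server", "dateAdded": "2024-09-18",
         "dueDate": "2024-10-09",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-2020-0618", "vendorProject": "Microsoft",
         "product": "SQL Server Reporting Services", "dateAdded": "2024-09-18",
         "dueDate": "2024-10-09",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    ]
})


def load_kev(raw: str) -> dict[str, dict]:
    """Index a KEV-format document by CVE ID (uppercased so lookups are case-insensitive)."""
    doc = json.loads(raw)
    return {entry["cveID"].upper(): entry for entry in doc["vulnerabilities"]}


def kev_status(inventory: list[str], kev: dict[str, dict], today_iso: str) -> list[dict]:
    """For each CVE we track, report whether it is in KEV and how many days remain.

    A negative days_left (and overdue=True) means the federal deadline has passed.
    """
    today = date.fromisoformat(today_iso)
    report = []
    for cve in inventory:
        key = cve.upper()
        entry = kev.get(key)
        if entry is None:
            report.append({"cve": key, "in_kev": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        report.append({
            "cve": key,
            "in_kev": True,
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": due < today,
            "action": entry["requiredAction"],
        })
    return report


def overdue_cves(report: list[dict]) -> list[str]:
    """CVE IDs whose KEV due date has already passed."""
    return [row["cve"] for row in report if row.get("overdue")]


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    # Inventory of CVEs from our own scanner output (constructed for the example).
    tracked = ["CVE-2024-27348", "CVE-2019-1069", "CVE-2020-0618"]
    for row in kev_status(tracked, catalog, "2024-09-20"):
        print(row)
```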

Via BleepingComputer

More from TechRadar Pro

Social media apps are surveilling children and teenagers, and using the data gathered to earn billions of dollars every year.

At the same time, they’re doing close to nothing to protect their young users from harmful content.

This is one of the conclusions published in a new staff report from the US Federal Trade Commission (FTC), BleepingComputer finds.

Free speech

Apparently, back in 2020, the FTC started probing into the biggest social media platforms out there: Twitch, Facebook, YouTube, Twitter, Snapchat, TikTok, Discord, Reddit, and WhatsApp. The probe analyzed, among other things, how these companies collected data, how they tracked personal and demographic information, and how the practice affected minors.

While data harvesting and monetization is nothing new, especially with social media companies, the FTC was particularly worried about the way these firms managed their younger audience. FTC Chair Lina M. Khan said "several firms' failure to adequately protect kids and teens online is especially troubling."

One of the ways these companies tried to bury the problem is by saying there were no children on the platforms, the report argues. Apparently, many companies said since the services were not directed to children, there were no children present. The FTC believes this was a way to avoid complying with the Children’s Online Privacy Protection Act. Instead, these firms were treating teens the same as adults.

For Graeme Stewart, head of public sector at Check Point Software, one of the biggest problems is social media companies pushing back against any legislation that might limit teens’ use of their platforms.

“Various governments around the world are stepping in to address this,” he said, adding that “social media companies push back, essentially arguing that they’re just providing a platform and shouldn’t be held accountable for inappropriate content posted on it. They also lobby governments, framing their arguments around free speech.”

The best parental control apps can help restrict children's access to social media.

Via BleepingComputer

More from TechRadar Pro

A critical path traversal vulnerability, recently discovered in Ivanti’s Cloud Service Appliance (CSA), is being actively exploited in the wild to grant access to restricted product functionalities. This is according to the security advisory Ivanti published earlier this week, in which it said it was “aware of a limited number of customers” who have been exploited by this vulnerability.

CSA is a gateway solution that allows secure communication between Ivanti software products (such as Ivanti Endpoint Manager) and devices outside the corporate network. It acts as a secure bridge for remote devices, enabling them to connect to internal services without the need for a VPN.

The bug is being tracked as CVE-2024-8963, and carries a severity score of 9.4. Ivanti says hackers can chain it to CVE-2024-8190, an OS command injection vulnerability, to bypass admin authentication and run arbitrary commands on the vulnerable endpoint.

End of life

The company did not say which companies were targeted, or by whom.

The bug was “incidentally addressed” as part of CSA 4.6 Patch 519, and CSA 5.0: “Ivanti is disclosing a critical vulnerability in Ivanti CSA 4.6 which was incidentally addressed in the patch released on 10 September (CSA 4.6 Patch 519),” the company said. It stressed that CSA 4.6 is past its end-of-life date, and as such no longer receives patches for OS or third-party libraries.

“Additionally, with the end-of-life status the fix released on 10 September is the last fix Ivanti will backport to that version,” the company concluded. “Customers must upgrade to Ivanti CSA 5.0 for continued support. CSA 5.0 is the only supported version of the product and is not affected by this vulnerability.”

Since the bug is actively exploited, the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog recently, forcing government agencies to patch up by October 10, The Hacker News found.

Via The Hacker News

More from TechRadar Pro

Every now and then, software updates for popular operating systems break other programs installed on these devices, and this time around, it’s Apple’s turn.

TechCrunch is reporting that the latest macOS update, Sequoia (AKA macOS 15) broke many major cybersecurity solutions. This, understandably, caused both frustration and fear among the Apple community since, after all, not having endpoint protection places many organizations at serious risk.

In its writeup, the publication mentions some of the most popular security solutions today: CrowdStrike, SentinelOne, Microsoft, ESET, and others. Most of these companies alerted their users that they would not be able to support macOS Sequoia and advised against updating the OS until the matter is resolved.

Four more bugs

“I’m very sorry to report that we will not be supporting Sequoia on day 1 in spite of our intention (and previous track record) to support the latest OS within hours of [General Availability],” a CrowdStrike engineer said in a Slack message seen by TechCrunch.

Furthermore, the developers are under the impression that they will have to be the ones addressing the issue, and not Apple. The company is yet to address the problem.

“I get it, that writing bug-free software is challenging, but maybe if Apple spent less time and money on marketing, and more time on actually testing their software, we’d all be better off!” Patrick Wardle, the founder of Mac and iOS security startup DoubleYou, and a longtime expert on macOS security, told TechCrunch.

While yet unconfirmed, the problem seems to be related to firewalls and DNS on the OS, since two separate researchers reported these issues, per Apple Insider. One of the researchers, Will Dormann, said blocking incoming connections in the macOS Sequoia firewall can also block replies to DNS requests. "Depending on your firewall config, silly things like DNS may stop working for some apps.”

Via TechCrunch

More from TechRadar Pro

According to new research by Germany’s Federal Office for Information Security (BSI), one in 10 organizations affected by CrowdStrike’s July outage are dropping their current security vendor.

Of the organizations switching provider, nearly half (40%) have already replaced their cybersecurity solutions, with the remaining 60% planning to do so soon.

Furthermore, around one in five companies plan to revise their vendor selection criteria following the incident, which left around 8.5 million Windows devices offline.

CrowdStrike outage has left a bitter taste in customers’ mouths

Although Microsoft claimed that customers using its own systems were back up and running in as little as a few minutes, the reality is that many of the affected users were relying on third parties. BSI found that nearly half (48%) experienced a downtime of ten hours.

Consequently, two in five were unable to collaborate with clients, with business operations and revenue affected.

However, the outage has at least served as a reminder to businesses of the precarious nature of relying on third parties. Two-thirds have either improved or plan to improve their incident response.

BSI President Claudia Plattner commented: “There will never be a 100 percent protection against IT security incidents in the future… companies must and can increase their resilience through preventive measures, making them more resistant to IT security incidents.”

The Office’s research also highlighted the role of social media and the interconnected world during such events – more companies found out about the outage via social media than from CrowdStrike directly.

Although the body acknowledged that the small sample size of 311 German organizations is not entirely representative of the landscape, it can at least be used as an indication of companies’ responses to the outage.

Via The Register

More from TechRadar Pro

Google Cloud users in the United States are getting a host of upgraded security features that should make the platform more resilient to cyberattacks.

The company announced Mandiant’s Managed Defense for Google Security Operations is now available in the country, offering users real-time threat detection and response.

The threat hunting and incident investigation feature will be integrated into Google’s built-in security operations platform.

Practical advice

Mandiant’s Managed Defense for Google Security Operations is a cybersecurity service designed to enhance threat detection, investigation, and response for organizations using Google Cloud. It combines Mandiant’s threat intelligence and expertise in incident response with Google Cloud’s security tools, such as Chronicle and Google Security Command Center.

The service offers continuous monitoring, advanced analytics, and proactive threat hunting to identify and mitigate cyber threats, and helps organizations manage their security operations effectively by providing expert guidance and reducing the burden on in-house teams.

Furthermore, by integrating with Google Cloud, the service can provide real-time insights into potential vulnerabilities.

The other key announcement is the introduction of Private Collection Sharing for Google Threat Intelligence, which is essentially a new way to help businesses share vital cybersecurity intelligence. By creating a secure space for data sharing, companies can discuss indicators of compromise, tactics, techniques and procedures, and more, with their peers.

“Collaboration is critical to foster true resilience when it comes to the systems and networks we rely on every day,” said Phil Venables, chief information security officer at Google Cloud.

Finally, Google announced the second edition of the Defender’s Advantage Framework, Mandiant’s cybersecurity strategy designed to help organizations improve their defense capabilities and resilience against cyber threats. It emphasizes a proactive, intelligence-driven approach to security by focusing on understanding the threat environment, prioritizing and hardening assets, building resilient security operations, preparing for the worst, and operationalizing threat intelligence.

The second edition comes with practical guides on identifying redundancies, and improving cybersecurity overall.

More from TechRadar Pro

Chinese state-sponsored hackers were snooping around a US-based global engineering firm for months, trying to steal classified information, blueprints, login credentials, and other sensitive data.

In an exclusive report, The Register discussed the news with John Dwyer, Director of Security Research at Binary Defense, a managed detection and response firm that was brought in to investigate once the attack was discovered.

The target company was not named, but it was described as making “components for public and private aerospace organizations and other critical sectors, including oil and gas.” The hacking collective was also not precisely identified, although the researchers did say they believed it to be Chinese, and state-sponsored at that.

Unmanaged IT

The group made its way into the company’s infrastructure through three unmanaged AIX servers. These IBM servers run the Advanced Interactive eXecutive operating system, a UNIX-based OS, and apparently still had their default login credentials. That allowed the threat actors to brute-force their way in, after which they established persistence and lurked for months. The researchers believe the intrusion originally occurred in March this year.

The group’s goal was to harvest information, which could later probably be used in supply chain attacks. Since the organization makes gear for critical sectors, the risk of important hardware going bust was real.

The victim company had endpoint detection and response (EDR) systems set up. However, these AIX servers were so old that they weren’t compatible with the EDR and as such were not monitored. The Register described them as “long- or almost-forgotten machines,” shadow IT deployments that are often not managed at all.

However, when the crooks tried to dump the memory of the LSASS process on a Windows server (a “common way to harvest credentials," the publication states), they were spotted, and blocked.

Via The Register

More from TechRadar Pro

German police were able to identify individuals using the Tor network, link them to certain criminal activity, and have them arrested and later convicted of the crimes. This is according to multiple German media outlets, which recently reported on law enforcement using so-called “timing analysis” attacks.

Tor’s leadership, on the other hand, argues that the network is perfectly fine and safe, and that the person who was arrested was, in fact, using outdated software that exposed their identity to the police, The Register found.

The Onion Router (Tor) is a privacy-focused network that enables anonymous communication by routing internet traffic through a series of volunteer-operated servers, or nodes. It hides users' IP addresses and encrypts their data, making it difficult to trace their online activity.

Unmanaged IT

In its writeup, the German outlet Panorama briefly explains the logic behind timing attacks: “By timing individual data packets, anonymised connections can be traced back to the Tor user, even though data connections in the Tor network are encrypted multiple times.” That would presumably require law enforcement to add, or compromise, nodes, and use them to observe clues about users sending traffic into the network.

It seems to be a long shot, and the maintainers of the Tor network believe the individual gave themselves away by using outdated third-party software. Namely, an anonymous messaging app called Ricochet, which didn’t have protections against so-called guard attacks. A “guard” is an entry node - the first one to receive data that’s later moved through the Tor network.

By getting a list of all subscribers connecting to a specific guard (in this case, by asking a telecommunications provider for the information), and then cross-referencing this data with Ricochet, the police were able to de-anonymise one user, an individual known as “Andres G”, allegedly operating a website hosting child sex abuse content.

"The claim that the network is 'not healthy' is simply not true," Tor's PR director Pavel Zoneff told The Register.

More from TechRadar Pro

American online tax filing platform, eFile.com, appears to have suffered (yet another) ransomware attack.

Earlier this week, ransomware operators LockBit added the company to their extortion site, threatening to leak the files stolen during the raid, The Register reports. However, the company has not yet confirmed, nor denied, the attack.

Therefore, we don’t know if the attack even occurred, and even if it did - what kind of data the hackers stole, who was affected, and how many people are at risk.

Tax season

eFile.com is not a government organization, and is not affiliated with the Internal Revenue Service (IRS) in any way. It is a private, commercial, online tax filing platform that allows users to prepare and e-file their federal and state tax returns electronically. It offers both free and paid options, and comes with a user-friendly interface and step-by-step guidance to simplify the tax filing process. It is, however, authorized by the IRS to run its business.

Cybercriminals are no strangers to attacking the IRS, or other businesses adjacent to tax obligations. However, the attacks usually occur during the tax season (between early January and mid-April in a year), since in that period hackers have a solid chance of not being spotted quickly. Most of the time, the crooks would impersonate the IRS and send out phishing emails to their victims, to get them to either install malware, or share sensitive information.

In some cases, the crooks would obtain so much PII that they would steal a person’s identity and file their tax returns, essentially stealing money from them.

This attack, having happened outside tax season, raises many questions. The Register, for example, suspects the crooks might be recycling data from a 2022 breach. They could also be straight-up lying, in an attempt to regain some fame after being disrupted by law enforcement.

Via The Register

More from TechRadar Pro

DevOps platform GitLab patched a critical-severity flaw found in its Community Edition (CE) and Enterprise Edition (EE) solutions, which could grant malicious users access to restricted information.

The flaw, described as a “SAML authentication bypass”, is tracked as CVE-2024-45409, and carries the perfect severity score of 10/10. Security Assertion Markup Language (SAML) is a web-based authentication protocol facilitating, among other things, the single sign-on (SSO) feature.

It was discovered that the ruby-saml library wasn’t verifying the signature of the SAML Response properly, allowing threat actors to log in.

No evidence of abuse

"An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents," GitHub explained in a security advisory. "This would allow the attacker to log in as arbitrary user within the vulnerable system."

Those worried about compromise should make sure their Community Edition and Enterprise Edition solutions are upgraded to versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10. Those unable to apply the patch right now should enable two-factor authentication (2FA) for all accounts, and disallow the SAML two-factor bypass option.

While GitHub did not explicitly state if the vulnerability was abused in the wild yet or not, its wording in the security advisory is somewhat telling. In the document, the maintainers shared details on spotting both successful and unsuccessful exploitation attempts suggesting, at least, that the crooks might be trying their luck already.

GitLab is a web-based DevOps platform that provides tools for version control, continuous integration/continuous delivery (CI/CD), and software development lifecycle management. It helps teams collaborate on code, automate testing, and streamline deployment processes and has tens of millions of active users. As such, it is a high-profile target for all sorts of cybercriminals.

Via The Hacker News

More from TechRadar Pro

A cybercriminal claims to have breached Temu and stolen millions of customer records, but the ecommerce giant is vehemently denying the claims.

A hacker with the alias ‘smokinthashit’ took to BreachForums, one of the most popular underground forums out there, and advertised a new database, allegedly stolen from the company.

“Temu company database for sale. +87M lines. Source: temu.com. The data has never been sold before. Only one copy will be sold,” the ad reads.

It's all false, says Temu

The ad also came with a small sample, as proof of the database’s authenticity. The sample apparently contains usernames and IDs, IP addresses, full names, birth dates, gender, shipping addresses, phone numbers, and hashed passwords. Should the archive prove to be authentic, it would put many people at risk of identity theft, wire fraud, and more.

But whether or not the archive is authentic remains to be seen. In a statement given to BleepingComputer, Temu denied claims of data theft, saying that nothing in the database belongs to the firm:

"Temu's security team has conducted a comprehensive investigation into the alleged data breach and can confirm that the claims are categorically false; the data being circulated is not from our systems. Not a single line of data matches our transaction records," Temu told the publication.

"At Temu, the security and privacy of our users are paramount. We follow industry-leading practices for data protection and cybersecurity, ensuring that consumers can shop with peace of mind on our platform."

Temu is right to be dismissive, especially if the claims are indeed false. Sometimes, even the mention of a company in the context of a data breach is enough for consumers to stay away and thus hurt the firm’s bottom line. And for an up-and-coming e-commerce platform such as Temu, a pristine image is pivotal to success.

Temu is an online marketplace that offers a wide range of products, from clothing and electronics to home goods, at highly competitive prices. It is a Chinese company, with a global presence, and sources products directly from manufacturers. The platform is designed to appeal to budget-conscious consumers looking for deals across various categories. Since its launch, Temu has grown rapidly, leveraging a model similar to other discount e-commerce platforms.

Via BleepingComputer

More from TechRadar Pro