Contents

01. News Bites
  • American Water suffers cyber-attack, pauses customer billing amid security response
  • Microsoft warns of phishing attacks exploiting trusted file hosting services to bypass security 
  • Microsoft’s October Patch Tuesday addresses 118 flaws, including five critical zero-day vulnerabilities 
  • Internet Archive suffers major data breach, exposing 31 million user records 
  • Ivanti patches three new zero-day vulnerabilities in Cloud Services Appliance amid active attacks 
  • CISA warns of active exploitation of critical FortiOS vulnerability 
  • Massive Star Health data breach exposes 31 million records; hacker allegedly selling data for $150,000 
02. Conclusion

Quick News Bites

American Water suffers cyber-attack, pauses customer billing amid security response

American Water, the largest US water utility, revealed on Monday that it suffered a cyber-attack impacting some internal systems. Serving over 14 million people in 14 states, the New Jersey-based company acted swiftly upon discovering unauthorised network activity on October 3. 

While the attack did not affect water and wastewater operations, American Water has paused customer billing and disconnected certain systems as a precaution. Customers will not incur late fees during this period. Law enforcement has been notified, and internal teams are investigating. 

This incident highlights the growing cyber security risks faced by critical infrastructure. Recent reports from agencies like the NSA and CISA have raised alarms over state-sponsored threats targeting water utilities.  

Microsoft warns of phishing attacks exploiting trusted file hosting services to bypass security 

Microsoft has issued a warning about cyberattack campaigns exploiting trusted file hosting services like SharePoint, OneDrive, and Dropbox. These platforms are used in enterprises but are now being abused for defence evasion by cybercriminals. These attacks, known as “living-off-trusted-sites” (LOTS), let attackers bypass security by using legitimate services. 

Since April 2024, Microsoft has observed a surge in phishing campaigns leveraging these services. Attackers compromise a trusted user to upload malicious files, then share them with the target. The shared files require the recipient to authenticate via an email address and one-time password (OTP). After authentication, users are redirected to a fake page, capturing their passwords and two-factor authentication (2FA) tokens. 

This tactic allows attackers to conduct business email compromise (BEC), data theft, and financial fraud. A phishing-as-a-service kit, Mamba 2FA, has also been revealed; it supports these attacks, allowing threat actors to steal credentials and bypass 2FA for a subscription fee of $250 per month.

Microsoft’s October Patch Tuesday addresses 118 flaws, including five critical zero-day vulnerabilities 

Microsoft's October 2024 Patch Tuesday addresses 118 vulnerabilities, including five publicly disclosed zero-days, with two actively exploited. This update covers three critical remote code execution flaws and various vulnerabilities: 

  • 28 elevation of privilege 
  • 7 security feature bypass 
  • 43 remote code execution 
  • 6 information disclosure 
  • 26 denial of service 
  • 7 spoofing 

Notably, zero-day CVE-2024-43573 is a spoofing flaw in the MSHTML platform, impacting applications that use the WebBrowser control. CVE-2024-43572, another zero-day, enables remote code execution via malicious Microsoft Saved Console files. Other zero-days affect Curl (CVE-2024-6197), Windows Hyper-V (CVE-2024-20659), and Winlogon (CVE-2024-43583).

In addition to security patches, Microsoft released Windows 10 and 11 updates (KB5044273, KB5044284, and KB5044285). 

Internet Archive suffers major data breach, exposing 31 million user records 

Internet Archive’s "The Wayback Machine" experienced a data breach when an attacker compromised its website, stealing a database with 31 million unique user records. The breach became apparent on Wednesday, with visitors seeing a JavaScript alert on archive.org referencing the breach and mentioning Have I Been Pwned (HIBP), the data breach notification service. 

Troy Hunt, HIBP's creator, revealed the attacker shared a 6.4GB SQL file, "ia_users.sql," containing emails, screen names, and bcrypt-hashed passwords. The most recent record is dated September 28, 2024, suggesting when the theft occurred. 

Hunt confirmed the database’s authenticity by contacting affected users, including cybersecurity researcher Scott Helme. The exposed data will soon be available on HIBP, enabling users to check if they were affected. 

Ivanti patches three new zero-day vulnerabilities in Cloud Services Appliance amid active attacks 

Ivanti has issued patches for three new zero-day vulnerabilities affecting its Cloud Services Appliance (CSA), warning they are actively exploited in the wild. Attackers have been chaining these flaws with a previous CSA zero-day from September. The vulnerabilities—CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381—allow SQL injection, command execution, and path traversal on impacted devices. 

These flaws affect CSA versions 5.0.1 and older, particularly version 4.6, which is end-of-life. Ivanti advises affected users to upgrade to CSA 5.0.2 immediately. The company recommends monitoring for signs of compromise by checking endpoint detection alerts and reviewing for unauthorized admin accounts. 

Ivanti recently intensified its security efforts by signing CISA’s Secure by Design pledge. With over 40,000 companies relying on its products, Ivanti aims to improve its response to security threats with enhanced scanning and responsible disclosure practices. 

CISA warns of active exploitation of critical FortiOS vulnerability 

CISA has reported that attackers are actively exploiting a critical remote code execution (RCE) vulnerability (CVE-2024-23113) in FortiOS. The flaw, linked to the fgfmd daemon, allows unauthenticated actors to execute arbitrary code on unpatched devices without user interaction. This vulnerability affects FortiOS 7.0 and later, as well as FortiPAM, FortiProxy, and FortiWeb. 

Fortinet issued a patch in February and advised administrators to limit access to the fgfmd daemon to mitigate attacks. U.S. federal agencies are now required to secure impacted Fortinet devices by October 30.

In a similar incident, the Dutch MIVD warned that Chinese hackers exploited another FortiOS vulnerability (CVE-2022-42475) to infect over 20,000 devices with malware. 

Massive Star Health data breach exposes 31 million records; hacker allegedly selling data for $150,000 

In a significant cyber security breach, over 31 million customers of India’s Star Health Insurance have had their personal and insurance data compromised. A hacker known as "xenZen" is reportedly selling 7.24 TB of data, including names, PAN numbers, health card details, and more, with asking prices up to $150,000. Partial sets of 100,000 entries are also available for $10,000. 

The leaked data, updated through mid-2024, also includes over 5 million claims records. The hacker has allegedly used Telegram bots to distribute the information, while accusing Star Health’s CISO, Amarjeet Khanuja, of selling data for $43,000. Khanuja, however, denies wrongdoing, with Star Health calling the claims a malicious attack and confirming an ongoing investigation.

The insurer is cooperating with cybersecurity experts and regulatory authorities. Meanwhile, the Madras High Court has ordered Telegram to block any chatbots disseminating this data. 

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.