France charges Telegram founder Durov
CybersecurityHQ News
Welcome, reader, to your CybersecurityHQ report.
Headlines
Cybersecurity continues to be a major piece of the 2024 US elections story. This week, we saw two major headlines causing concern. First among them was the exposure of over 470,000 voter documents by St. Clair County in Illinois.
The data was placed in an Amazon S3 bucket left totally unguarded. The URL even had the phrase “voter documents” in it. It’s unclear whether anyone actually accessed the data. If someone did, they would have had access to names, current and former addresses, dates of birth, ID numbers, driver’s license and social security numbers, phone numbers, email addresses, and even signatures.
Voter records have proven a gold mine for hackers in the past. In 2018, 35 million voter records from 19 states went up for sale on the dark web. These kinds of cyberattacks can undermine people’s trust in voting systems, which has a concerning effect on turnout and on confidence in election results.
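Three controls decide whether a bucket like this one is readable by anyone on the internet: the bucket policy, the bucket ACL, and the Block Public Access settings that override both. The following check is an added example, not code from the newsletter or from the county involved. It evaluates the JSON documents that the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock calls return, using sample data constructed inline so it runs offline; a live audit would feed the same functions from boto3, which this example deliberately does not call.

```python
"""Flag an S3 bucket that anonymous callers can read (constructed example).

Works on the JSON shapes returned by the S3 GetBucketPolicy, GetBucketAcl and
GetPublicAccessBlock APIs; the sample documents below are made up for the
demonstration and do not describe any real bucket.
"""

# Actions that let an anonymous principal read or list objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}

# ACL group grantees meaning "everyone on the internet" / "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM JSON allows a bare string where a list is expected; normalise it."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy):
    """Sids of Allow statements granting read to '*' with no Condition block."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Scoped by a condition key (aws:SourceVpce, aws:Referer, ...):
            # worth a human review, but not unconditionally public.
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl):
    """(group, permission) pairs granted to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission")))
    return findings


def assess_bucket(policy, acl, block_public_access):
    """Combine the three controls into one verdict.

    Block Public Access overrides the other two: RestrictPublicBuckets
    neutralises a public bucket policy and IgnorePublicAcls neutralises
    public ACL grants, so a finding only counts when its override is off.
    """
    bpa = block_public_access or {}
    policy_hits = public_read_statements(policy)
    acl_hits = public_acl_grants(acl)
    policy_exposed = bool(policy_hits) and not bpa.get("RestrictPublicBuckets", False)
    acl_exposed = bool(acl_hits) and not bpa.get("IgnorePublicAcls", False)
    return {
        "exposed": policy_exposed or acl_exposed,
        "policy_statements": policy_hits,
        "acl_grants": acl_hits,
    }


# --- constructed sample inputs (shapes mirror the AWS API responses) ---------
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CiWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-upload"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
BPA_OFF = {k: False for k in BPA_KEYS}
BPA_ON = {k: True for k in BPA_KEYS}

if __name__ == "__main__":
    for label, bpa in (("Block Public Access off", BPA_OFF), ("Block Public Access on", BPA_ON)):
        print(label, "->", assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, bpa))
```

The sample bucket is flagged while Block Public Access is off and clears once it is on, which is the point: turning on all four Block Public Access settings at the account level is the single control that would have made a misplaced policy or ACL harmless. Statements that rely on a Condition are skipped rather than flagged; they still deserve a manual look.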
That’s distressing news from one angle, but cyberattacks from foreign actors continue to be an ongoing issue for both major campaigns.
According to a statement by Meta on Friday, there were potential hacking attempts made on WhatsApp accounts of US officials from the administrations of President Joe Biden and former President Donald Trump.
The threat actors posed as support agents for tech companies, targeting various political and diplomatic officials. Meta says it linked the activity to APT42, which has ties to the Iranian government.
This is the same group that the FBI recently claimed made attempts to hack members of the Trump and Harris campaigns.
It appears that the cybersecurity theme of the 2024 campaign will continue as a major story going into the hotly contested November election.
The recent CrowdStrike update outage was perhaps most memorable for the impact it had on airports and airlines. Now, a smaller version of that is playing out in Washington state, where widespread system outages have turned into a multi-day slog for travellers and workers in the Seattle-Tacoma International Airport.
The airport is operated by the Port of Seattle, which suffered a cyberattack on Saturday. Initially, this led to an outage on their websites. But currently, their phone, email, Wi-Fi, flight display screens, kiosks, and other related services are all down.
While flights aren’t being delayed, there are major hiccups in normal operating processes. Airline staff are having to handwrite boarding passes and sort bags by hand—creating delays in the normal workflow.
The port is currently working with authorities to remedy the situation and get everything back to full service.
In potentially related airport woes, Eindhoven Airport, the second largest in the Netherlands, halted air traffic on Wednesday due to IT issues with the defense ministry—as the civilian airport shares systems with the adjacent military airport.
Dutch emergency services also suffered an outage in their alarm and communications system around the same time. Authorities say there is no evidence that a cyberattack is to blame, but investigations into these events are ongoing.
China-linked cyber espionage group Volt Typhoon has likely exploited a recently discovered zero-day vulnerability in Versa Director, software widely used by internet and IT service providers.
The vulnerability, tracked as CVE-2024-39717, allows attackers to upload files to Versa Director systems disguised as PNG images, using the “change Favicon” feature in the program’s GUI.
The company has issued a patch and is urging customers to take action immediately.
The breach was first detected by Black Lotus Labs, the security research division of Lumen Technologies. They discovered the attacks targeting four victims in the US and one based outside the US, with impacts in the internet service provider, managed service provider, and information technology sectors.
They summarized their findings this way:
“The threat actors… employed the use of compromised SOHO devices and a sophisticated JAR web shell that leverages Java instrumentation and Javassist to inject malicious code into the Tomcat web server process memory space on exploited Versa Director servers. Once injected, the web shell code hooks Versa’s authentication functionality, allowing the attacker to passively intercept credentials in plaintext, potentially enabling downstream compromises of client infrastructure through legitimate credential use. In addition, the web shell hooks Tomcat’s request filtering functionality, allowing the threat actor to execute arbitrary Java code in-memory on the compromised server while avoiding file-based detection methods and protecting their web shell, its modules and the zero-day itself.”
Volt Typhoon (alternatively known as Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, and Voltzite) has been active for at least five years, with a history of accessing and exfiltrating data from infrastructure in the US and Guam.
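The upload described above worked because a feature that expects an image accepted a file that merely claimed to be one. What a favicon upload handler should do instead is parse the PNG container itself: check the signature, walk the chunks, verify every CRC, allow only known chunk types, and refuse anything after IEND. The validator below is an added example, not Versa’s code and not derived from the exploit details (which the newsletter does not give); the sample files are constructed inline, and scanning chunk bodies for ZIP signatures (a JAR is a ZIP) is a heuristic assumption of this example rather than a PNG rule.

```python
"""Structural validation for an uploaded favicon that must be a PNG.

Constructed example, not from the newsletter or from any vendor. It accepts
a byte string and returns 'ok' or a short reason for refusal, so the caller
can reject the upload before it touches disk.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Critical and common ancillary chunk types from the PNG specification;
# anything else is refused rather than carried through unchanged.
ALLOWED_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"pHYs", b"sBIT", b"bKGD", b"tIME", b"tEXt", b"zTXt", b"iTXt",
}
# ZIP local-file, end-of-central-directory and data-descriptor signatures.
# Scanning chunk bodies for them is this example's heuristic, not a PNG rule.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
MAX_CHUNK_BYTES = 8 * 1024 * 1024   # favicons are tiny; bound memory early
MAX_DIMENSION = 1024


def validate_png(data: bytes) -> str:
    """Return 'ok' when `data` is a well-formed PNG, else a short reason."""
    if not data.startswith(PNG_SIGNATURE):
        return "bad signature"
    pos = len(PNG_SIGNATURE)
    seen_ihdr = False
    while True:
        if pos + 8 > len(data):
            return "truncated chunk header"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > MAX_CHUNK_BYTES:
            return "oversized chunk"
        if ctype not in ALLOWED_CHUNKS:
            return "disallowed chunk type %r" % ctype
        if not seen_ihdr and ctype != b"IHDR":
            return "first chunk is not IHDR"
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end + 4 > len(data):
            return "truncated chunk body"
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return "crc mismatch in %r" % ctype
        if ctype == b"IHDR":
            if length != 13:
                return "bad IHDR length"
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                return "implausible image dimensions"
            seen_ihdr = True
        if any(magic in body for magic in ZIP_MAGICS):
            return "archive signature inside chunk"
        pos = body_end + 4
        if ctype == b"IEND":
            if length != 0:
                return "bad IEND length"
            break
    if pos != len(data):
        return "trailing data after IEND"
    return "ok"


# --- constructed sample files ------------------------------------------------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png(extra_chunks=()):
    """1x1 RGB PNG; `extra_chunks` are inserted between IHDR and IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one red pixel
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        out += _chunk(ctype, body)
    return out + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Stand-in for a renamed archive: just a ZIP local-file header and a name.
FAKE_ARCHIVE = b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/MANIFEST.MF"

SAMPLES = {
    "genuine": build_minimal_png(),
    "renamed archive": FAKE_ARCHIVE,
    "archive appended after IEND": build_minimal_png() + FAKE_ARCHIVE,
    "archive inside a tEXt chunk": build_minimal_png([(b"tEXt", b"Comment\x00" + FAKE_ARCHIVE)]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print("%-30s %s" % (name, validate_png(blob)))
```

Only the genuine file passes; the renamed archive fails on the signature, the appended one on trailing bytes, and the embedded one on the chunk scan. The signature scan can in principle false-positive on compressed IDAT data, so the more robust production choice is to decode and re-encode the image server-side, which discards every byte the encoder did not produce; the structural checks above are the cheap first gate in front of that.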
The popular WordPress plugin WPML has a vulnerability that affects more than a million websites. Security researcher stealthcopter discovered a way to perform server-side template injection attacks with only basic access to the CMS.
Using this vulnerability, an attacker could view sensitive information, including passwords.
For the effort, stealthcopter was awarded a $1,639 bounty. A patch is now available.
WPML helps websites translate content and switch languages. Its widespread popularity, with more than a million active installations across WordPress sites, makes the flaw particularly distressing. But it comes within a wider context of WordPress plugin vulnerabilities.
In just two weeks, three critical vulnerabilities have popped up—including for LiteSpeed Cache (a tool that speeds up websites) and GiveWP (which manages donations and fundraising).
France’s cybercrime unit’s probe into an unnamed person has led to the arrest of Pavel Durov, the Russian-born founder of Telegram. French authorities say this is part of an investigation into crimes related to child pornography, drug trafficking, and fraud.
On Wednesday, Durov was released after four days. He will appear in court soon as French authorities have now officially charged the CEO with refusing to cooperate with investigations into the illegal activity on his app.
Online, many people are accusing the French government of making the arrest for political reasons. Detractors included the owner of Tesla and X, Elon Musk.
This prompted President Emmanuel Macron to officially make a statement, claiming that his country is deeply committed to lawful free speech.
Telegram is one of the most popular apps in the world with almost one billion users. It is especially popular in Russia, Ukraine, and many former Soviet republics.
Interesting Read
A new report out (PDF) by KnowBe4 highlights a disturbing trend: cyberattacks on infrastructure are up 30% in 2024. That infrastructure category contains some of the most important assets to a society, including power grids, communication systems, transportation networks and ports, among many others.
According to studies cited in the report, cyber attacks on infrastructure doubled from 2020 to 2022. They doubled again in 2023. And the situation is only getting more exploitable. They estimate that every single day, the US power grid adds 60 new points vulnerable to cyberattack.
Check out the report for a full analysis of the situation, including why and how infrastructure is becoming such a hot target for threat actors.
Cybersecurity Career Opportunities
Vetcor
Norwell, MA, US
Venteon
Troy, MI, US
Director, Prisma Cloud Digital Sales
Palo Alto Networks
Santa Clara, CA, US
Blackpoint Cyber
Denver, CO, US
Information Security Senior Risk Analyst (GRC)
Synopsys
Dulles, VA, US
Manager - Technology Risk Management
Capital One
New York, NY, US
Senior Vice President Chief Integrity Officer
OSF Saint Francis Medical Center
Peoria, IL, US
Equiliem
Boston, MA, US
IT Hub Inc
Arlington, VA, US
Twitter Highlights
Notion exits Russia and will terminate accounts in September - @billtoulas
— BleepingComputer (@BleepinComputer)
6:42 PM • Aug 27, 2024
For the latest openings in cybersecurity careers, check CybersecurityHQ.
Stay Safe, Stay Secure.
The CybersecurityHQ Team