Transport for London has limited access to systems and email after a cyberattack
Transport for London (TfL) suffered a cyberattack that has limited staff access to systems and email. The incident was reported to government agencies, including the National Cyber Security Centre and the National Crime Agency, and TfL is working with them to contain its impact.
TfL’s Chief Technology Officer, Shashi Verma, stated that measures were immediately implemented to prevent further access, and TfL is working to restore all services as soon as possible. Despite these disruptions, London's transport network continues to operate normally.
As a precaution, TfL is requiring all 30,000 employees to attend in-person appointments for identity verification and password resets. While the breach did not affect transportation services, it delayed refunds and exposed customer data, including names, contact details, and addresses. TfL, which serves over 8.4 million Londoners through surface, underground, and Crossrail networks, remains committed to protecting customer and employee information.
Microsoft September 2024 Patch Tuesday provides security updates for four zero days, 79 flaws
Microsoft's September 2024 Patch Tuesday includes security updates for 79 vulnerabilities, with three zero-days actively exploited and one publicly disclosed. The patch addresses seven critical flaws that allowed remote code execution and privilege elevation.
The updates fix 30 elevation of privilege, 4 security bypass, 23 remote code execution, 11 information disclosure, 8 denial of service, and 3 spoofing vulnerabilities. Among the zero days, CVE-2024-38014 enables attackers to gain SYSTEM privileges on Windows systems, and CVE-2024-38217 bypasses security features like Smart App Control. Another zero day, CVE-2024-38226, bypasses Microsoft Publisher's macro protections.
Microsoft also addressed a zero day (CVE-2024-43491) that reintroduced older, previously patched vulnerabilities, affecting Windows 10 version 1507 and certain enterprise editions.
Blind Eagle targets Colombian insurance sector to deploy a customized version of threat actor Quasar RAT
The Colombian insurance sector has been targeted since June 2024 by a threat actor known as Blind Eagle, with the objective of deploying a customized version of Quasar RAT.
The attacks began with phishing emails impersonating the Colombian tax authority, urging recipients to click on malicious links. These links led to ZIP archives hosted on Google Drive, associated with a compromised account belonging to a Colombian governmental organization. The archives contain a variant of Quasar RAT, dubbed BlotchyQuasar, which uses obfuscation techniques to evade detection.
The malware is designed to log keystrokes, execute commands, steal data and monitor banking activities in Colombia and Ecuador.
Data breach of car rental company Avis impacts over 299,000 customers’ personal information
Avis, an American car rental giant, disclosed a data breach last month in which attackers accessed one of its business applications and stole personal information of 299,006 customers.
The breach occurred between August 3 and August 6, after which the company blocked the attacker’s access and began an investigation with the help of external cybersecurity experts. Avis is notifying affected customers and offering complimentary credit and identity monitoring services. The company has also stated that it enhanced its cybersecurity measures and is reviewing its security controls to prevent future incidents.
Avis, part of Avis Budget Group, operates over 10,000 rental locations worldwide and reported over $3 billion in revenues for Q2 2024.
Operation WordDrone: How drone manufacturers are victims of cyberattacks in Taiwan
Acronis' latest threat research covers a highly sophisticated and unusual targeted operation (dubbed “Operation WordDrone”) where the attackers used a DLL side-loading vulnerability in an outdated version of Microsoft Word to install a backdoor with advanced functions, including persistence and command-and-control capabilities. The backdoor, distributed via a legitimate Word file, leveraged a malicious DLL loader to execute an encrypted payload, enabling attackers to maintain access and control over compromised systems.
Tools like Impacket wmicexec and ProcDump were used for internal spreading and credential dumping. The attack targeted businesses in Taiwan, possibly linked to the country’s growing drone industry, thus making them valuable targets for espionage.
The malicious files were found in directories related to a popular Taiwanese ERP software, suggesting a potential supply chain compromise. The investigation showed attackers exploiting old software and digital certificates to bypass security measures.