"Dallas County: Data of 200,000 Exposed in 2023 Ransomware Attack"

Dallas County is notifying over 200,000 people that the Play ransomware attack of October 2023 exposed their personal data. In October 2023, the Play ransomware gang added Dallas County to its extortion portal on the dark web, threatening to leak data stolen from the county's systems, including private documents from various departments. Because the county's investigation took months to complete, it set up a dedicated call center in January 2024 to answer affected people's questions.

Submitted by Adam Ekwall on

"Advance Auto Parts Data Breach Impacts 2.3 Million People"

Advance Auto Parts has begun sending data breach notifications to over 2.3 million people whose personal data was stolen in the recent wave of Snowflake data theft attacks. On June 5, 2024, a threat actor known as "Sp1d3r" began selling a 3TB database allegedly containing 380 million Advance Auto Parts customer records, orders, transaction details, and other sensitive information. On June 19, the company confirmed the breach in a Form 8-K filing but said it affects only current and former employees and job applicants.

Submitted by Adam Ekwall on

"CRYSTALRAY Hacker Expands to 1,500 Breached Systems Using SSH-Snake Tool"

According to researchers at Sysdig, the threat actor tracked as "CRYSTALRAY" now has over 1,500 victims, from which it has stolen credentials and on which it has deployed cryptocurrency miners. Sysdig first reported in February that the actor uses "SSH-Snake," an open source worm, to spread laterally across breached networks. SSH-Snake harvests SSH private keys from compromised servers and uses them to log in to other servers, dropping additional payloads on each new host. This article continues to discuss recent findings regarding the CRYSTALRAY threat actor.
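
The worm behaviour described above, harvesting keys on each host and reusing them against every destination the host already knows, can be modelled to estimate the blast radius of one compromised server. The following Python is an added example written for this digest, not code from Sysdig or from the SSH-Snake project; the host inventory is constructed, and the model assumes (worst case) that the worm carries every passphrase-less key it has collected so far and tries all of them against every destination it learns.

```python
import copy

# Constructed inventory for this example (not data from the Sysdig report).
# For each host: private keys found on disk (True = passphrase protected),
# the destinations the worm can learn from known_hosts, ~/.ssh/config and
# shell history, and the key IDs present in that host's authorized_keys.
INVENTORY = {
    "web-1":   {"keys": {"deploy": False},                  "targets": ["app-1", "db-1"],                  "accepts": set()},
    "app-1":   {"keys": {"app-svc": False, "backup": True}, "targets": ["db-1", "bastion"],                "accepts": {"deploy"}},
    "db-1":    {"keys": {},                                 "targets": [],                                 "accepts": {"app-svc", "backup"}},
    "bastion": {"keys": {"admin": False},                   "targets": ["web-1", "app-1", "db-1", "ci-1"], "accepts": {"backup"}},
    "ci-1":    {"keys": {},                                 "targets": [],                                 "accepts": {"admin"}},
}


def usable_keys(host_info):
    """Keys the worm can use immediately: those stored without a passphrase."""
    return {key for key, protected in host_info["keys"].items() if not protected}


def blast_radius(inventory, start):
    """Hosts reachable from `start` by repeatedly logging in with harvested keys.

    Model assumption: the worm carries every unprotected key collected so far
    and tries all of them against every destination it learns. Returns the
    compromised set and, for each pivot, the (source host, key) that opened it.
    """
    compromised = {start}
    carried = usable_keys(inventory[start])
    pivots = {}
    changed = True
    while changed:                        # iterate to a fixed point
        changed = False
        for host in sorted(compromised):
            for target in inventory[host]["targets"]:
                if target in compromised:
                    continue
                accepted = carried & inventory[target]["accepts"]
                if accepted:
                    compromised.add(target)
                    pivots[target] = (host, min(accepted))
                    carried |= usable_keys(inventory[target])
                    changed = True
    return compromised, pivots


def unprotected_keys(inventory):
    """Remediation list: private keys that lack a passphrase, by host."""
    return {host: sorted(usable_keys(info)) for host, info in inventory.items() if usable_keys(info)}


def with_passphrase(inventory, key_id):
    """What-if: the same inventory after `key_id` is re-encrypted with a passphrase."""
    patched = copy.deepcopy(inventory)
    for info in patched.values():
        if key_id in info["keys"]:
            info["keys"][key_id] = True
    return patched


if __name__ == "__main__":
    hosts, pivots = blast_radius(INVENTORY, "web-1")
    print("compromised from web-1:", sorted(hosts))
    for target, (src, key) in pivots.items():
        print(f"  {src} -> {target} using key '{key}'")
    print("keys without passphrase:", unprotected_keys(INVENTORY))
    print("after protecting 'deploy':", sorted(blast_radius(with_passphrase(INVENTORY, "deploy"), "web-1")[0]))
```

In the constructed inventory the bastion and CI host survive only because the one key they accept is passphrase protected; re-protecting the `deploy` key on the web server shrinks the blast radius to the initial host. The same two levers, passphrases on stored keys and pruning `authorized_keys` and `known_hosts`, are what limit this class of worm in practice.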

Submitted by Gregory Rigby on

"PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks"

A recently disclosed PHP security flaw is being exploited to deliver Remote Access Trojans (RATs), cryptocurrency miners, and Distributed Denial-of-Service (DDoS) botnets. The vulnerability, tracked as CVE-2024-4577 with a CVSS score of 9.8, allows an attacker to remotely execute commands on Windows systems that run PHP in CGI mode with Chinese or Japanese language locales. According to Akamai researchers, exploitation lets attackers escape the command line and pass arguments that are interpreted directly by PHP.
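
The "escape the command line" step rests on the Windows Best-Fit character mapping: in the affected code pages the soft-hyphen byte 0xAD is converted to a plain hyphen before php-cgi parses its arguments, so a URL-encoded `%AD` becomes a `-` option switch. The following Python is an added example written for this digest, not code from Akamai or the PHP project; it models the CGI argument split, applies the mapping, and scans constructed access-log lines (the exploit query mirrors the publicly reported pattern) for smuggled php-cgi options.

```python
import re
import urllib.parse

# CVE-2024-4577 hinges on the Windows "Best-Fit" character mapping: in the
# Japanese (932), Simplified Chinese (936) and Traditional Chinese (950) code
# pages the soft-hyphen byte 0xAD has no exact equivalent and is mapped to a
# plain hyphen-minus (0x2D) before php-cgi parses its command line.
BEST_FIT = {0xAD: 0x2D}

# Constructed access-log lines for this example (not from the Akamai report).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [10/Jul/2024:12:00:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 87
203.0.113.7 - - [10/Jul/2024:12:00:03 +0000] "GET /search.php?q=php+windows HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')


def cgi_argv(query, best_fit=True):
    """Model how php-cgi turns QUERY_STRING into command-line arguments.

    Per the CGI spec (RFC 3875) a query string with no unencoded '=' is a
    "search string": it is split on '+' and each word, URL-decoded, becomes
    an argv entry. best_fit=True applies the code-page conversion of the
    affected locales; False passes the bytes through, as a Western locale does.
    """
    if "=" in query:
        return []
    words = []
    for word in query.split("+"):
        raw = urllib.parse.unquote_to_bytes(word)
        if best_fit:
            raw = bytes(BEST_FIT.get(b, b) for b in raw)
        words.append(raw.decode("latin-1"))
    return words


def analyze_query(query, best_fit=True):
    """Flag a request whose decoded argv smuggles php-cgi options such as -d."""
    argv = cgi_argv(query, best_fit)
    options = [a for a in argv if a.startswith("-")]
    ini_overrides = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-d"]
    return {"argv": argv, "options": options, "ini_overrides": ini_overrides,
            "suspicious": bool(options)}


def scan_log(text, best_fit=True):
    """Return (client, target, analysis) for every request that looks like an exploit."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        query = target.partition("?")[2]
        result = analyze_query(query, best_fit)
        if result["suspicious"]:
            hits.append((line.split()[0], target, result))
    return hits


if __name__ == "__main__":
    for client, target, result in scan_log(SAMPLE_LOG):
        print(client, target)
        print("  argv:", result["argv"])
        print("  ini overrides:", result["ini_overrides"])
    print("hits under a Western locale:", len(scan_log(SAMPLE_LOG, best_fit=False)))
```

Running the scan with `best_fit=False` produces no hits for the same log, which is the locale dependence the advisory describes: without the mapping `%ADd` decodes to a soft hyphen followed by `d`, not to the `-d` switch that php-cgi would honour. The third sample line shows why a detection must not fire on `+` alone; it carries an unencoded `=`, so php-cgi never treats it as arguments.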

Submitted by Gregory Rigby on

"CISA, FBI Urge Immediate Action on OS Command Injection Vulnerabilities in Network Devices"

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint alert on the exploitation of OS command injection vulnerabilities in network edge devices. Citing recent intrusions that exploited such flaws in Cisco NX-OS, Palo Alto Networks PAN-OS, and Ivanti Connect Secure, the agencies urge business leaders and device manufacturers to eliminate OS command injection vulnerabilities at the source.
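
Eliminating the class "at the source" means never letting user input reach a shell parser: keep the command and its arguments separate and validate the argument against the grammar it is supposed to have. The following Python is an added example written for this digest, not code from the alert or from any of the named vendors; the `ping` wrapper and the validation rules are illustrative choices of this example.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 63 characters per label.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")


def ping_command_vulnerable(host):
    """The pattern the alert warns about: user input pasted into a shell string.

    A host value such as '127.0.0.1; id' reaches the shell as-is, and the shell
    runs 'id' as a second command. Returned rather than executed on purpose.
    """
    return f"ping -c 1 {host}"        # would be run via subprocess.run(..., shell=True)


def validate_host(host):
    """Accept only an IP address literal or an RFC 1123 hostname; reject everything else."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if len(host) <= 253 and HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"refusing host value {host!r}")


def ping_command_hardened(host):
    """Validated input placed in an argv list, so no shell ever tokenizes it."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host):
    """Execute the hardened form; with a list argument subprocess never invokes a shell."""
    return subprocess.run(ping_command_hardened(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    payload = "127.0.0.1; id"
    print("vulnerable builds:", ping_command_vulnerable(payload))
    try:
        ping_command_hardened(payload)
    except ValueError as err:
        print("hardened rejects:", err)
    print("hardened accepts:", ping_command_hardened("example.com"))
```

Passing an argv list removes shell injection, but it does not by itself stop argument injection: a value such as `-f` would still be parsed by `ping` as one of its own flags. That is why the validator rejects leading hyphens and anything outside the hostname and IP-literal grammar, rather than merely stripping shell metacharacters.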

Submitted by Gregory Rigby on

"Huione Guarantee Marketplace Exposed as Front for Cybercrime"

Cryptocurrency investigators at Elliptic claim that a popular online marketplace in Southeast Asia is used primarily by money launderers and fraudsters. According to the investigators, Huione Guarantee is part of the Cambodian conglomerate Huione Group, which is owned by a cousin of the current prime minister, Hun Manet. Merchants on the marketplace, launched in 2021 ostensibly as a place to trade legitimate goods such as property and cars, have pulled in at least $11bn over the past three years.

Submitted by Adam Ekwall on

"VMware Patches Critical SQL-Injection Flaw in Aria Automation"

VMware recently released patches for a high-risk SQL injection vulnerability in its Aria Automation product and warned that an authenticated malicious user could exploit the flaw to manipulate databases. The company noted that the vulnerability, tracked as CVE-2024-22280, allows unauthorized read and write operations in the database through specially crafted SQL queries. The bug carries a CVSS severity score of 8.5 out of 10. Affected products include VMware Aria Automation 8.x and VMware Cloud Foundation 5.x and 4.x.

Submitted by Adam Ekwall on

"NSA Joins in Releasing Case Studies Showing PRC Tradecraft in Action"

The National Security Agency (NSA) has joined the Australian Signals Directorate (ASD) and other agencies in publishing a Cybersecurity Advisory (CSA) titled "PRC MSS Tradecraft in Action." It delves into the tradecraft of a cyber actor group associated with the People's Republic of China (PRC) Ministry of State Security (MSS). The CSA aims to help cybersecurity professionals prevent, identify, and remediate network intrusions by sharing case studies of the adversary's tactics and techniques. This article continues to discuss the CSA on "PRC MSS Tradecraft in Action."

Submitted by Gregory Rigby on

"Ransomware Groups Prioritize Defense Evasion for Data Exfiltration"

Cisco Talos reports that ransomware attackers are increasingly focusing on defense evasion to extend their dwell time in victim networks. This is driven by the double-extortion ransomware model, in which attackers steal sensitive data and threaten to publish it online in addition to locking victims' systems. According to the researchers, ransomware threat actors seek persistent access in order to understand the target network's structure, find resources that support their attack, and identify valuable data. The new Cisco Talos report covers 14 of the most active ransomware groups of 2023 and 2024.

Submitted by Gregory Rigby on

"Citrix Patches Critical NetScaler Console Vulnerability"

Cloud computing and virtualization software vendor Citrix has released patches for multiple security vulnerabilities, including critical and high-severity issues, in its flagship NetScaler product line. The most severe is CVE-2024-6235, an improper authorization bug in NetScaler Console that could allow attackers to access sensitive information. Citrix also fixed CVE-2024-6236, a buffer overflow bug in the NetScaler Console, Agent, and SVM products that could be exploited to cause a denial-of-service (DoS) condition.

Submitted by Adam Ekwall on