Security Breach at Nominet Attributed to VPN Vulnerability
Nominet, the operator of the .UK domain registry and one of the largest country code registries globally, recently disclosed a security breach stemming from a zero-day vulnerability in third-party VPN software by Ivanti. The breach occurred two weeks ago, allowing attackers to exploit this critical vulnerability to gain access to Nominet’s network. Although no evidence of data leakage or backdoor installations has been identified, the company swiftly restricted VPN access and notified relevant authorities, including the UK’s National Cyber Security Centre (NCSC). This zero-day exploitation highlights the ongoing risks faced by organizations relying on remote access tools. Nominet assured customers that its domain registration and management systems remain secure and operational, supported by robust access controls and firewalls. Ivanti has since released patches to address this vulnerability, urging all users to follow updated security advisories to safeguard their systems.
Path of Exile 2 Admin Account Breach Exposes Players to Hacks
The developers of Path of Exile 2 (PoE 2) have confirmed that a compromised admin account allowed threat actors to exploit the game’s backend, leading to at least 66 player accounts being hacked since November. Using the breached admin credentials, attackers bypassed two-factor authentication to change account passwords, resulting in the theft of in-game items like Divine Orbs and rare gear. While developers are investigating, their log retention policy has limited the ability to determine the full scope of affected accounts. The breach originated from an outdated Steam account linked to an admin profile, which the attackers took over by supplying partial credit card details to Steam Support. The developers admitted critical security lapses, such as improperly logged password changes, which facilitated the hacks. In response, Grinding Gear Games has implemented stricter security measures but stated that restoring stolen items or compensating impacted players is not possible.
Google OAuth Vulnerability Exploits Abandoned Domains
A flaw in Google’s OAuth “Sign in with Google” feature allows attackers to exploit defunct startup domains to access sensitive data tied to former employee accounts. Trufflesecurity researchers identified this vulnerability, revealing that attackers could recreate email accounts of past employees to infiltrate various SaaS platforms like Slack, Notion, and Zoom. The issue arises from inconsistencies in Google’s unique user identifiers (sub claims), which some services disregard, relying instead on email or domain ownership claims that attackers can assume. Despite being reported in 2024, the flaw remains exploitable, with Google recommending domain closure best practices. This issue impacts millions of accounts linked to failed startups, where domains become available for purchase. Researchers propose solutions such as immutable user and workspace IDs, though these add complexity and cost. To mitigate risks, users are advised to avoid linking personal accounts to work domains and to remove data from accounts before leaving an organization.
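The sub-claim point above, as an added example that is not part of the original article or of Trufflesecurity's research: a relying party that resolves a verified Google ID token to a local account, first keyed on the mutable email (the weak pattern described) and then on the immutable `sub`. The claim sets, domain and account store are constructed samples and are assumed to have already passed signature, issuer, audience and expiry verification.

```python
# Added example (not from the article): account lookup in a "Sign in with Google"
# relying party. Claim sets below are constructed samples, assumed to have already
# passed signature, audience and expiry checks; domains and ids are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user_id: str
    email: str
    google_sub: str  # the `sub` claim recorded when the account was first linked


class AccountStore:
    def __init__(self, accounts):
        self.by_email = {a.email.lower(): a for a in accounts}
        self.by_sub = {a.google_sub: a for a in accounts}


def login_by_email(store, claims):
    """Weak binding: looks the user up by the mutable email claim. Whoever later
    controls the domain can recreate the mailbox in a new Google Workspace and
    receive a token with the same email, so the old account is handed over."""
    return store.by_email.get(claims["email"].lower())


def login_by_sub(store, claims):
    """Correct binding: `sub` is stable for one Google Account and never
    reassigned, so a recreated mailbox carries a new `sub` and does not match.
    An unmatched token should go to sign-up or an explicit re-link flow,
    never fall back to the email lookup."""
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        return None
    if claims.get("email_verified") is not True:
        return None
    return store.by_sub.get(claims["sub"])


# Constructed claim sets: the same email address before and after the domain changed hands.
ORIGINAL_EMPLOYEE = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000001",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
}
NEW_DOMAIN_OWNER = {**ORIGINAL_EMPLOYEE, "sub": "100000000000000000002"}

STORE = AccountStore([Account("u-42", "alice@defunct-startup.example", ORIGINAL_EMPLOYEE["sub"])])

if __name__ == "__main__":
    print("email lookup:", login_by_email(STORE, NEW_DOMAIN_OWNER))  # old account returned
    print("sub lookup:  ", login_by_sub(STORE, NEW_DOMAIN_OWNER))    # None
```

The `hd` claim identifies the Workspace domain, but it is as reassignable as the email itself, which is why the researchers' proposal adds an immutable workspace identifier alongside `sub`.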
Critical Vulnerabilities Expose Rsync Servers to Exploitation
Over 660,000 Rsync servers are vulnerable to six newly discovered flaws, including a critical heap-buffer overflow (CVE-2024-12084) that enables remote code execution. Rsync, widely used for file synchronization and incremental data transfers, is a key tool in backup systems and server management. The vulnerabilities, identified by Google Cloud and independent researchers, allow attackers to exploit servers with minimal access. For example, a flaw in checksum handling permits arbitrary code execution, even with anonymous access. Combined with information leaks and path traversal vulnerabilities, these flaws create dangerous exploitation chains, potentially exposing sensitive data or enabling privilege escalation. CERT/CC and Red Hat have emphasized the risks, warning that Rsync’s default configuration often allows anonymous syncing, heightening exposure. Users are strongly urged to upgrade to version 3.4.0 immediately, as earlier versions lack sufficient protection against remote code execution and other threats posed by these vulnerabilities.
Wolf Haldenstein Data Breach Exposes Millions to Risk
Wolf Haldenstein Adler Freeman & Herz LLP has confirmed a data breach that compromised the personal information of nearly 3.5 million individuals. Hackers accessed the firm’s servers on December 13, 2023, exposing sensitive data, including Social Security numbers, employee IDs, medical diagnoses, and claims information. This breach significantly heightens the risk of phishing, scams, and targeted attacks. Despite detecting the breach in late 2023, delays in forensic analysis postponed public notification until December 2024. Additionally, the firm has struggled to locate contact details for many impacted individuals, further complicating direct outreach. While no evidence suggests misuse of the stolen data, Wolf Haldenstein advises vigilance against suspicious activities and offers credit monitoring to potentially affected parties. Individuals concerned about their data are urged to contact the firm, place fraud alerts, or initiate security freezes to mitigate potential risks.
Star Blizzard Targets Diplomats via WhatsApp Phishing
Russian threat actor Star Blizzard has launched a spear-phishing campaign to compromise WhatsApp accounts of high-value targets, including diplomats, defense policymakers, and Ukraine aid organizations. According to a Microsoft report, this campaign marks a shift in Star Blizzard’s tactics following the exposure of their earlier methods. The attack begins with emails impersonating U.S. officials, inviting targets to join a WhatsApp group supporting Ukraine. Victims are lured into requesting a working QR code after receiving a purposely broken one. The attackers then provide a malicious QR code to link their device to the victim’s WhatsApp account, enabling message access and data exfiltration. This campaign relies on social engineering without malware, bypassing traditional antivirus defenses. Microsoft urges vigilance, recommending users verify linked devices in WhatsApp and log out suspicious connections. Despite prior disruption of their operations in 2024, Star Blizzard continues to adapt and exploit new attack vectors.
Conclusion
The ever-evolving cyber threat landscape underscores the importance of proactive measures to mitigate risks, from ransomware attacks to vulnerabilities in widely used systems. Organizations must prioritize security strategies to protect sensitive data and maintain operational continuity.
As specialists in ransomware recovery and cybersecurity, we provide tailored solutions such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. Additionally, our Cyber Defense Academy, Cybersecurity Risk Assessment, and Incident Response Retainer services are designed to enhance your resilience against future threats. Contact us today to strengthen your cybersecurity defenses.