Cyber Dispatch #6: Streamlined Cybersecurity Insights
Weekly overview of the most important cybersecurity events of the past week (11.7.2024 to 17.7.2024)
In this issue:
Exim - 1,567,109 servers exposed to a critical flaw;
AT&T - 109 million accounts breached in Snowflake April attack;
Ticket Heist - fake Paris 2024 Olympics tickets flood the market;
Kaspersky - cybersecurity giant shuts down operations in US;
Tether - stablecoin freezes $29m in Cambodia due to scams;
PHP - new critical RCE flaw discovered, update now;
regreSSHion - new flaw discovered related to the dreaded SSH bug;
Vulnerability of the Week - Exim bug (CVE-2024-39929)
Censys reports that over 1.5 million internet-exposed Exim mail servers are vulnerable to CVE-2024-39929, which affects Exim 4.97.1 and earlier and is fixed in 4.98. The flaw is in how Exim parses a filename spread over multiple lines in RFC 2231 syntax: a remote attacker can bypass the $mime_filename extension-blocking protection and deliver executable attachments straight into users' mailboxes (the recipient still has to open the file). As of July 10, 2024, 1,567,109 exposed Exim servers were running unpatched versions, mostly in the U.S., Russia, and Canada. Exim is a recurring target: the NSA revealed in May 2020 that the Russian state group Sandworm had been exploiting CVE-2019-10149 since at least August 2019, and in October 2023 the Exim developers patched three zero-days, including CVE-2023-42115, a pre-authentication RCE that exposed millions of servers.
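To make the bug class concrete, here is an added Python illustration (it is not Exim's code and does not reproduce Exim's actual parsing path): a filter that takes the first `filename` value it meets misses an extension an attacker has pushed into a later RFC 2231 continuation segment, while a parser that joins all `filename*N` segments before filtering catches it. The header values and the blocklist are constructed for the demo.

```python
"""Added illustration (not Exim's code) of the bug class behind
CVE-2024-39929: an attachment-extension filter that looks at a single
header value misses a filename split across RFC 2231 continuation
segments. Headers and blocklist below are constructed for this demo."""
import os
import re
import urllib.parse

# Extensions a mail filter would typically refuse to deliver (assumed list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs"}

# Constructed header: the name is split over two continuation segments on
# separate folded lines, so no single segment carries the ".exe" suffix.
CONTINUED_HEADER = (
    'attachment;\n'
    ' filename*0="invoice_2024_07";\n'
    ' filename*1=".exe"'
)

# Constructed header using RFC 2231 extended-value syntax: segment 0 carries
# charset'language' and every segment is percent-encoded.
ENCODED_HEADER = (
    "attachment;\n"
    " filename*0*=utf-8''%69%6E%76%6F%69%63%65;\n"
    " filename*1*=%2E%65%78%65"
)

# name, optional *N section index, optional trailing * (extended value),
# then a quoted or bare value.
PARAM_RE = re.compile(
    r'([A-Za-z0-9_-]+)(\*\d+)?(\*)?=(?:"([^"]*)"|([^;\s]*))'
)


def naive_filename(header):
    """Weak logic: returns the first filename-like value it meets, which for
    a continued header is only segment 0. Splitting the extension into a
    later segment defeats any blocklist applied to this value."""
    for m in PARAM_RE.finditer(header):
        name, _section, _ext, quoted, bare = m.groups()
        if name.lower() == "filename":
            return quoted if quoted is not None else bare
    return None


def reassembled_filename(header):
    """Correct logic: collect every filename*N segment, order by N,
    percent-decode extended segments, and join them before filtering.
    A plain filename= is used only when no continuation segments exist."""
    segments = {}
    plain = None
    for m in PARAM_RE.finditer(header):
        name, section, ext, quoted, bare = m.groups()
        if name.lower() != "filename":
            continue
        value = quoted if quoted is not None else bare
        if ext:
            # Extended value: only the first segment carries charset'lang';
            # later segments are bare percent-encoded octets.
            parts = value.split("'", 2)
            if len(parts) == 3:
                value = parts[2]
            value = urllib.parse.unquote(value)
        if section is None:
            plain = value
        else:
            segments[int(section[1:])] = value
    if segments:
        return "".join(segments[i] for i in sorted(segments))
    return plain


def is_blocked(filename):
    """Extension check applied to whatever filename the parser produced."""
    if not filename:
        return False
    return os.path.splitext(filename.lower())[1] in BLOCKED_EXTENSIONS


if __name__ == "__main__":
    for label, header in (("continued", CONTINUED_HEADER),
                          ("encoded", ENCODED_HEADER)):
        weak = naive_filename(header)
        strong = reassembled_filename(header)
        print(f"{label}: naive={weak!r} blocked={is_blocked(weak)} | "
              f"reassembled={strong!r} blocked={is_blocked(strong)}")
```

The lesson generalises beyond Exim: any policy decision on a MIME parameter (filename, content type, charset) has to run on the fully reassembled and decoded value, never on one header line or one segment.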
[Data Breach]
AT&T
Metadata for nearly all calls and text messages made by AT&T cellular customers between May 1 and October 31, 2022 (plus a smaller set from January 2, 2023) was stolen in April 2024 from AT&T's workspace on the Snowflake cloud data platform. About 109 million accounts are affected. The exfiltrated files hold aggregated call-detail metadata, including the phone numbers involved and, for some records, cell site identifiers that can reveal approximate location; they do not contain call or message content, customer names, Social Security numbers or dates of birth.
[Fraud]
Ticket Heist
A large-scale fraud campaign, dubbed "Ticket Heist", targets Russian-speaking users with over 700 domains selling fake tickets for the Paris 2024 Olympics. The operation exploits major sports and music events, registering about 20 new domains monthly since 2022.
[Legal]
Kaspersky
Kaspersky Lab will wind down its U.S. operations starting July 20, laying off fewer than 50 employees. The move follows the U.S. Commerce Department's ban on sales of its products, its addition to the Entity List on national security grounds, and Treasury sanctions against Kaspersky executives, which the company said left its U.S. business no longer viable.
[Cryptocurrency]
Tether
Tether, the issuer of the USDT stablecoin, froze more than 29 million USDT linked to Huione Guarantee, a Cambodian online marketplace used by "pig butchering" scammers. Pig butchering is a long-con investment fraud rather than a pyramid scheme: victims are befriended online, lured into a fake crypto trading platform, shown fabricated gains and then drained. Researchers at Elliptic detailed Huione Guarantee's role in Southeast Asian cybercrime, with $11 billion in transactions over three years, mostly in USDT, including money-laundering services, stolen data and scam tooling.
[Update]
PHP
Threat actors are exploiting the PHP flaw CVE-2024-4577 (CVSS score: 9.8) to deploy remote access trojans, cryptocurrency miners, and DDoS botnets. The vulnerability, disclosed in June 2024, affects PHP running in CGI mode (php-cgi) on Windows, in practice on systems using Chinese (simplified or traditional) or Japanese locales: Windows' "Best-Fit" character conversion maps certain Unicode characters to look-alike ASCII characters when the request is turned into a command line, which lets an attacker smuggle php-cgi options into a request and gain remote command execution, effectively reviving the 2012 php-cgi argument-injection bug (CVE-2012-1823). Fixes are in PHP 8.3.8, 8.2.20 and 8.1.29; PHP 8.0 and earlier branches are end-of-life and will not be patched, so upgrade to a supported branch or stop exposing php-cgi. Default XAMPP for Windows installations expose php-cgi and are affected.
[Update]
Linux - regreSSHion
The regreSSHion bug (CVE-2024-6387), found by Qualys, is a signal-handler race condition in the OpenSSH server that can yield unauthenticated remote code execution as root on glibc-based Linux systems, and it potentially impacts millions of OpenSSH servers. A related flaw, CVE-2024-6409, found by Openwall's Alexander Peslyak, is another race on the same signal-handler path, but it triggers in the unprivileged privilege-separation child rather than the root-owned parent, so its immediate impact is lower; it affects the OpenSSH 8.7 and 8.8 packages shipped in Red Hat Enterprise Linux 9 and its derivatives. Linux distributions are releasing patches, while Windows and macOS are likely unaffected. Where a patch cannot be applied yet, setting LoginGraceTime 0 in sshd_config removes the race window for both bugs, at the cost of leaving sshd open to connection-exhaustion denial of service.