
This Week in Cybersecurity: Looking Back at Week 36

September 5, 2024

Transport for London (TfL) Faces Ongoing Cyberattack, No Service Disruptions

Transport for London (TfL), the agency overseeing Greater London’s transportation network, is grappling with a cyberattack that has primarily affected its internal IT systems.

While TfL has stated that no customer data has been compromised and that public transport services remain unaffected, it has engaged the UK government, including the National Crime Agency and the National Cyber Security Centre, for support. Employees have been advised to work from home while the investigation continues.

Shashi Verma, TfL’s Chief Technology Officer, emphasised the organisation’s commitment to securing its systems, stating, “The security of our systems and customer data is very important to us.” While no data loss has been detected, the attack serves as a reminder of the ongoing risks to critical infrastructure in the UK, with potential widespread implications if left unchecked.


DDoS Attacks Surge in Frequency and Duration, Report Finds

A recent report by Radware reveals a significant rise in distributed denial of service (DDoS) attacks, with some lasting as long as 100 hours over six days. The number and volume of these attacks have surged, with a 137% increase in the first quarter of 2024 compared to the previous quarter. One particularly alarming Web DDoS attack campaign involved 10 waves, averaging 4.5 million requests per second (RPS) and peaking at 14.7 million RPS.

Newer attack vectors such as HTTP/2 Rapid Reset and HTTP/2 CONTINUATION floods played a key role in the increase, and attackers increasingly launched these assaults from cloud infrastructure rather than from traditional botnets of compromised devices. Hacktivist-driven DDoS attacks have also intensified, particularly against organisations in Europe, the Middle East, and Africa, often tied to regional conflicts and major events such as the 2024 Olympic Games in Paris.

Radware’s report shows that finance, healthcare, and technology sectors remain the most affected, with network-layer attack volumes up 127% year over year. Additionally, malicious DNS queries and web application/API attacks have seen a sharp rise.
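The two patterns the report names, a request-rate spike measured in RPS and the HTTP/2 Rapid Reset technique (a client opens streams and cancels them with RST_STREAM before the server has done the work), can both be spotted in edge logs. The following is an added example, not code from Radware or from the original article. The frame log, the request timestamps and the thresholds (`RESET_WINDOW_MS`, `RESET_RATIO_THRESHOLD`, `MIN_STREAMS`, the ×3 baseline factor) are all constructed assumptions chosen to illustrate the detection logic, not figures from the report.

```python
"""
Added example: two detection heuristics over a constructed HTTP/2 frame
log and a constructed request-timestamp stream. Thresholds are assumed
values, not figures from the Radware report.
"""
from collections import defaultdict

# Assumed thresholds. A client that cancels most of the streams it opens
# within RESET_WINDOW_MS, across at least MIN_STREAMS streams, is treated
# as a Rapid Reset client; a browser cancelling one abandoned fetch is not.
RESET_WINDOW_MS = 50
RESET_RATIO_THRESHOLD = 0.8
MIN_STREAMS = 20


def rapid_reset_suspects(events):
    """events: iterable of (ts_ms, conn_id, stream_id, frame_type), where
    frame_type is 'HEADERS' for a client-opened stream or 'RST_STREAM' for a
    client cancellation. Returns {conn_id: (streams_opened, fast_reset_ratio)}
    for connections matching the Rapid Reset pattern."""
    opened = {}                      # (conn_id, stream_id) -> open timestamp
    streams = defaultdict(int)       # streams opened per connection
    fast_resets = defaultdict(int)   # streams reset within the window
    for ts, conn, stream, frame in sorted(events):
        key = (conn, stream)
        if frame == "HEADERS":
            opened[key] = ts
            streams[conn] += 1
        elif frame == "RST_STREAM" and key in opened:
            if ts - opened.pop(key) <= RESET_WINDOW_MS:
                fast_resets[conn] += 1
    suspects = {}
    for conn, n in streams.items():
        ratio = fast_resets[conn] / n
        if n >= MIN_STREAMS and ratio >= RESET_RATIO_THRESHOLD:
            suspects[conn] = (n, round(ratio, 2))
    return suspects


def rps_buckets(request_ts_ms):
    """Count requests per one-second bucket (the unit the report uses)."""
    buckets = defaultdict(int)
    for ts in request_ts_ms:
        buckets[ts // 1000] += 1
    return dict(buckets)


def spike_seconds(buckets, baseline_rps, factor=3.0):
    """Seconds whose request count exceeds factor x the expected baseline."""
    return sorted(sec for sec, n in buckets.items() if n > baseline_rps * factor)


def build_sample_events():
    """Constructed frame log: one attacking connection and one browser."""
    events = []
    for i in range(100):              # attacker: open a stream every 1 ms,
        sid = 2 * i + 1               # cancel it 2 ms later (client stream ids are odd)
        events.append((1000 + i, "c-attacker", sid, "HEADERS"))
        events.append((1002 + i, "c-attacker", sid, "RST_STREAM"))
    for i in range(30):               # browser: a new stream every 100 ms
        events.append((1000 + 100 * i, "c-browser", 2 * i + 1, "HEADERS"))
    events.append((1500, "c-browser", 1, "RST_STREAM"))   # user navigated away
    events.append((1900, "c-browser", 3, "RST_STREAM"))
    return events


def build_sample_requests():
    """Constructed timestamps: ~50 RPS background with one 400-request second."""
    timestamps = []
    for sec in range(5):
        n = 400 if sec == 3 else 50
        timestamps.extend(sec * 1000 + (k * 1000) // n for k in range(n))
    return timestamps


if __name__ == "__main__":
    print(rapid_reset_suspects(build_sample_events()))
    buckets = rps_buckets(build_sample_requests())
    print(buckets, spike_seconds(buckets, baseline_rps=50))
```

The Rapid Reset check is per connection rather than per source IP on purpose: the attack's cost advantage comes from multiplexing many cancelled streams over one TCP connection, so the ratio of fast cancellations to opened streams is the signal, while a per-second RPS count alone would miss a campaign that keeps its request rate modest.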


Google Fixes Actively Exploited Vulnerability in Android OS

Google has patched a high-severity vulnerability in its Android operating system, tracked as CVE-2024-32896, which is actively being exploited in targeted attacks. This privilege escalation flaw, with a CVSS score of 7.8, is found in the Android Framework component and allows attackers to gain elevated privileges without needing additional execution rights, although user interaction is required for exploitation.

The vulnerability stems from a logic error in the code and was addressed for the wider Android ecosystem in the September 2024 Android Security Bulletin. Google had first flagged the issue in June 2024, when it was patched in Pixel firmware after being found in use in zero-day attacks. The flaw, together with CVE-2024-29748, which previously had only a partial mitigation, has now been fully resolved with the release of Android 14 QPR3. While the vulnerabilities affect multiple Android devices, the fixes initially reached Pixel devices only.

The maintainers of GrapheneOS, a security-focused Android variant, have pointed out that these vulnerabilities allow an attacker with physical access to interrupt a reboot triggered through the device admin API to perform a data wipe, so that the wipe never completes and the data remains recoverable.

Android users are urged to update to the latest version to protect against this actively exploited flaw.


Cisco Patches High-Severity DoS Vulnerability in NX-OS Software

Cisco recently addressed a high-severity denial of service (DoS) vulnerability in its NX-OS software, which powers the Cisco Nexus data center switches.

The flaw, identified as CVE-2024-20446, received a high severity rating with a CVSS score of 8.6. It affects the DHCPv6 relay agent in certain NX-OS releases on Nexus 3000, 7000, and 9000 series switches, and is only exposed when the relay agent is enabled and the device has at least one IPv6 address configured. An unauthenticated remote attacker could exploit it by sending crafted DHCPv6 packets to an IPv6 address on the device, causing the relay process to crash repeatedly and the device to reload.

Cisco has urged users to upgrade to a fixed NX-OS release, as no workaround is available. Disabling the DHCPv6 relay agent removes the exposed code path and can serve as an interim mitigation until the upgrade is applied.
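Because the exposure depends on two configuration facts (the DHCPv6 relay agent being enabled and an IPv6 address being present), it can be triaged from a saved running-config before anyone touches the switch. The script below is an added example written for this page, not Cisco tooling. The config excerpt is constructed, and the NX-OS syntax it relies on (global `ipv6 dhcp relay` to enable the agent, `no ipv6 dhcp relay` to disable it, `ipv6 address ...` under an interface) is an assumption about the platform; it does not check software versions, so "not exposed" here means the preconditions are absent, not that the device is patched.

```python
"""
Added example: audit an NX-OS running-config for the exposure condition in
Cisco's advisory (DHCPv6 relay agent enabled and an IPv6 address present).
The config text is constructed, not captured from a real device, and the
command syntax is assumed NX-OS syntax.
"""
import re

# Constructed NX-OS running-config excerpt: relay enabled, one IPv6 interface.
SAMPLE_CONFIG = """\
feature dhcp
ipv6 dhcp relay
interface Vlan10
  ipv6 address 2001:db8:10::1/64
  ipv6 dhcp relay address 2001:db8:ff::53
interface Ethernet1/1
  no switchport
  ip address 192.0.2.1/30
"""

# Same device after the interim mitigation: the global relay is disabled.
MITIGATED_CONFIG = SAMPLE_CONFIG.replace("ipv6 dhcp relay\n", "no ipv6 dhcp relay\n", 1)


def audit_dhcpv6_relay(config_text):
    """Walk the config line by line. Top-level lines (no indent) toggle the
    global relay state or open an interface stanza; indented lines belong to
    the current interface. Returns the facts needed to decide exposure plus
    the interim mitigation commands (assumed NX-OS syntax) if it applies."""
    relay_enabled = False
    ipv6_interfaces = []
    relay_interfaces = []
    current_if = None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not raw.startswith(" "):
            current_if = None
            m = re.match(r"interface\s+(\S+)$", stripped)
            if m:
                current_if = m.group(1)
            elif stripped == "ipv6 dhcp relay":
                relay_enabled = True
            elif stripped == "no ipv6 dhcp relay":
                relay_enabled = False
            continue
        if current_if is None:
            continue
        if re.match(r"ipv6 address\s+\S+", stripped):
            ipv6_interfaces.append(current_if)
        elif stripped.startswith("ipv6 dhcp relay address "):
            relay_interfaces.append(current_if)
    exposed = relay_enabled and bool(ipv6_interfaces)
    return {
        "relay_enabled": relay_enabled,
        "ipv6_interfaces": ipv6_interfaces,
        "relay_interfaces": relay_interfaces,
        "exposed": exposed,
        # Interim mitigation only; the real fix is the patched NX-OS release.
        "mitigation": ["configure terminal", "no ipv6 dhcp relay"] if exposed else [],
    }


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(name, audit_dhcpv6_relay(cfg))
```

Run it over configs collected by your backup tooling and sort by the `exposed` flag; the `relay_interfaces` list tells you which VLANs or segments lose DHCPv6 relay if the interim mitigation is applied, which is the operational cost to weigh against waiting for the upgrade window.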


Dutch Watchdog Fines Clearview AI €30.3 Million for GDPR Violations

The Dutch Data Protection Authority (DPA) has fined US-based facial recognition company Clearview AI €30.3 million ($33.7 million) for illegally maintaining a database of billions of facial images scraped from the internet without consent.

The DPA found that Clearview’s practices violate the European Union’s General Data Protection Regulation (GDPR), which requires a lawful basis such as consent before personal data is collected. A further conditional penalty of up to €5 million applies if the company fails to comply with the decision.

DPA Chairman Aleid Wolfsen stated, “Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world.” Despite Clearview AI’s claim that the decision is “unenforceable,” the DPA maintains the company’s services are illegal under Dutch law.


Three Men Plead Guilty to Running OTP Interception Service in the UK

Three men in the UK have pleaded guilty to operating otp[.]agency, an online service that allowed scammers to intercept one-time passcodes (OTPs), a crucial second layer of authentication used by many websites. Launched in November 2019, OTP Agency enabled criminals who had already stolen bank credentials to initiate fake phone calls to targets, tricking them into sharing OTPs sent via SMS. These codes were then relayed to the scammers, granting access to victims’ accounts.

The National Crime Agency (NCA) identified Callum Picari, 22, from Essex, as the owner and developer of the service, alongside Vijayasidhurshan Vijayanathan, 21, and Aza Siddeeque, 19, both from Buckinghamshire.

Over 12,500 individuals were targeted during the 18 months OTP Agency operated. Though the service was shut down after a 2021 investigation, similar OTP interception services remain active.


Halliburton Hit by Major Cyberattack, Shuts Down Systems

Global oil giant Halliburton has confirmed a significant cyberattack that disrupted its operations and forced the company to shut down some systems. The attack, which was discovered on August 21, 2024, led Halliburton to activate its cybersecurity response plan, take systems offline, and hire external experts for remediation.

While the U.S. Department of Energy stated that the attack did not impact energy services, internal sources revealed disruptions to global connectivity and the company’s north Houston campus. Reports suggest the RansomHub ransomware group was behind the attack, though Halliburton has not officially confirmed this. The company continues to investigate the incident and update stakeholders on its response efforts.


If you would like to discover how Secora Consulting can assist you in keeping your business secure, please get in touch.
