CISO Daily Update - December 18, 2024
NEW: Watch the replay of my keynote on Leveraged Cybersecurity: Staying Ahead of (Not Behind) the Pace of Change: https://www.youtube.com/watch?v=2PM_a3yAUQY
NEW DEVELOPMENTS
Texas Tech University Data Breach Impacts 1.4 Million
Source: Infosecurity Magazine
A ransomware attack on Texas Tech University Health Sciences Center compromised the personal and medical data of 1.4 million individuals between September 17 and 29, 2024. The stolen data includes names, social security numbers, addresses, medical records, and financial information. The ransomware group Interlock claimed responsibility for stealing 2.6TB of data, including patient records, research, and SQL databases. The breach affected 650,000 individuals at the Lubbock campus and 815,000 at the El Paso branch, disrupting classes, patient services, and the Texas Tech Physicians' portal. TTUHSC is offering free credit monitoring and urges vigilance against fraud. This incident is the largest 2024 attack on a U.S. university by number of records compromised.
Virtavo Security Camera Users Beware: App Data Spilled Online
Source: Cybernews
A security incident involving Virtavo's Home V App exposed over 8.7 million records, compromising the personal data of potentially 100,000 users, due to an open Elasticsearch server. Cybernews researchers found logs containing phone numbers, IP addresses, device IDs, and performance metrics that were updated in real time. The server collected data beyond what basic app functionality requires. Exposed data could lead to identity theft, unauthorized surveillance, and location tracking. Researchers recommend securing servers, encrypting data, limiting collection, and notifying affected users.
Man Accused of SQL Injection Hacking Gets 69-Month Prison Sentence
Source: Security Week
32-year-old New York resident Vitalii Antonenko was sentenced to 69 months in prison for hacking, credit card theft, and money laundering, but he will be released shortly due to time served since his 2019 arrest. Antonenko was part of a cybercrime group that exploited SQL injection vulnerabilities to steal payment card data from organizations including hospitality businesses and research institutions. Authorities seized hundreds of thousands of stolen card numbers during his arrest. The group sold the data on cybercrime marketplaces, laundering the proceeds through cryptocurrency and cash transactions. Antonenko pleaded guilty in September 2024, concluding the case.
Zero-Day Exploit for Chrome and Edge Browsers Allegedly Up for Sale on Dark Web
Source: Cyber Press
A threat actor claims to be selling a zero-day remote code execution exploit affecting Google Chrome and Microsoft Edge, posing significant risks to millions of users. The exploit allegedly targets a critical vulnerability in the Chromium engine, potentially allowing attackers to gain full control over affected systems. This could lead to data theft, malware distribution, and widespread compromise. Security researchers are working to confirm the claims, and Google and Microsoft are likely preparing patches if the vulnerability is genuine. Users should keep browsers updated and practice caution while browsing.
Microsoft Teams Vishing Spreads DarkGate RAT
Source: Darkreading
Cybercriminals are leveraging Microsoft Teams vishing to deliver the DarkGate remote access Trojan. Threat actors initiated contact through a Microsoft Teams call, posing as a technical support representative. After a failed attempt to install a Microsoft remote support app, they manipulated the victim into downloading AnyDesk, granting them remote access. This allowed the attacker to execute malicious scripts and deploy DarkGate, which is known for system control, data theft, and persistence mechanisms.
Cybercriminals Exploit Google Calendar to Spread Malicious Links
Source: Infosecurity Magazine
According to new research from Check Point, cybercriminals exploited Google Calendar and Google Drawings to bypass email security systems and distribute malicious links. These phishing emails appear legitimate by leveraging .ics calendar invite files that link to Google Forms or Drawings. Attackers modify sender headers to make the emails seem to originate from trusted sources. Clicking these links can lead users to fake cryptocurrency or support pages that steal personal and financial information. Stolen data is used in financial scams including credit card fraud or unauthorized transactions. Google recommends enabling the “known senders” setting in Calendar to mitigate these attacks. Organizations should enhance protection by using advanced email security, monitoring third-party Google app usage, enabling MFA, and deploying behavior analytics to detect suspicious activity.
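As an added example (not from Check Point's research or the article), here is a small Python check a mail gateway could run on an incoming .ics attachment: it unfolds RFC 5545 lines, pulls links out of the invite, flags the Google Forms and Drawings URLs the report describes, and compares the ORGANIZER domain with the envelope sender domain to catch spoofed sender headers. The sample invite, the domain names and the envelope address are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not a real artifact): the organizer claims a trusted
# domain while the description and location point at Google Forms/Drawings.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:constructed-example-1
ORGANIZER;CN=Payroll:mailto:payroll@trusted-corp.example
SUMMARY:Action required: confirm your account
DESCRIPTION:Please review the attached form before the meeting:
  https://docs.google.com/forms/d/e/PLACEHOLDER/viewform
LOCATION:https://docs.google.com/drawings/d/PLACEHOLDER/view
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# (host, path prefix) pairs the report names as abused: Google Forms and Drawings.
SUSPECT = (("docs.google.com", "/forms/"), ("docs.google.com", "/drawings/"),
           ("forms.gle", "/"))

def unfold(ics: str) -> list[str]:
    """Join RFC 5545 folded lines (continuations start with a space or tab)."""
    lines: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def is_suspect(url: str) -> bool:
    p = urlparse(url)
    return any(p.hostname == h and p.path.startswith(pre) for h, pre in SUSPECT)

def analyze_invite(ics: str, envelope_from: str) -> dict:
    """Extract organizer and links; compare organizer domain with SMTP MAIL FROM."""
    organizer, links = "", []
    for line in unfold(ics):
        name, _, value = line.partition(":")
        prop = name.split(";")[0].upper()          # strip parameters such as ;CN=
        if prop == "ORGANIZER" and value.lower().startswith("mailto:"):
            organizer = value[7:]
        elif prop in ("DESCRIPTION", "LOCATION", "URL"):
            links += URL_RE.findall(value.replace("\\,", ","))
    org_dom = organizer.rsplit("@", 1)[-1].lower()
    env_dom = envelope_from.rsplit("@", 1)[-1].lower()
    return {"organizer": organizer, "links": links,
            "flagged": [u for u in links if is_suspect(u)],
            "sender_mismatch": bool(org_dom) and org_dom != env_dom}
```

A mismatch alone is not proof of phishing (legitimate calendar services relay invites), so treat the two signals together as a score, not a verdict.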
Hackers Exploit Webview2 to Deploy CoinLurker Malware and Evade Security Detection
Source: The Hacker News
Hackers are exploiting Microsoft Edge WebView2 to deploy a new stealer malware called CoinLurker, which targets cryptocurrency wallets and user credentials. It is delivered through fake software updates on compromised sites, phishing emails, and malvertising. CoinLurker uses obfuscation and anti-analysis techniques to evade detection. It retrieves payloads via Web3 infrastructure, masked as legitimate tools, and injects them into the Edge process using stolen Extended Validation certificates. The malware collects data from cryptocurrency wallets such as Bitcoin and Ethereum wallets, as well as from applications like Telegram, Discord, and FileZilla.
VULNERABILITIES TO WATCH
Azure Data Factory Bugs Expose Cloud Infrastructure
Source: Darkreading
Palo Alto Networks’ Unit 42 researchers discovered three vulnerabilities in Azure Data Factory’s Apache Airflow integration that could allow attackers to gain administrative control over enterprise cloud infrastructure. The flaws are two misconfigurations and one weak authentication issue, which together could enable data exfiltration, malware deployment, and unauthorized access. Exploiting these vulnerabilities involved tampering with DAG files to gain cluster-admin privileges via Kubernetes role misconfigurations and Azure Geneva service weaknesses.
Over 25,000 SonicWall VPN Firewalls Exposed to Critical Flaws
Source: Bleeping Computer
Over 25,000 publicly accessible SonicWall SSLVPN firewalls are vulnerable to critical security flaws, with 20,000 running outdated firmware versions no longer supported by the vendor. Using scanning tools like Shodan, researchers found 430,363 exposed SonicWall firewalls, with 119,503 devices confirmed vulnerable to critical and high-severity issues. Ransomware groups like Fog and Akira exploit these flaws to gain initial network access. Bishop Fox identified that many devices run outdated Series 4, 5, or 6 firmware. Proper security measures, such as restricting public access to management interfaces and applying firmware updates, are urged to mitigate these vulnerabilities.
CISA Warns of Exploited Adobe ColdFusion, Windows Vulnerabilities
Source: Security Week
CISA added two exploited vulnerabilities, CVE-2024-35250 in Windows and CVE-2024-20767 in Adobe ColdFusion, to its Known Exploited Vulnerabilities catalog, mandating that federal agencies patch them by early January 2025. The Windows flaw, a kernel-mode driver issue patched in June 2024, allows attackers to escalate privileges, as demonstrated by DEVCORE at Pwn2Own 2024. The ColdFusion flaw, patched in March 2024, permits arbitrary file system reads and can be exploited remotely on internet-facing instances without user interaction. Both vulnerabilities pose serious risks.
FBI Warns of HiatusRAT Attacks on Cameras, DVR Systems
Source: Security Week
The FBI warns that HiatusRAT operators exploit years-old vulnerabilities in web cameras and DVR systems, particularly targeting Xiongmai and Hikvision devices with telnet access, using the Ingram scanning tool and Medusa for brute-force attacks. The malware leverages flaws like CVE-2017-7921 and CVE-2018-9995 to infiltrate networks across the U.S., Europe, and Latin America. Affected devices include rebranded TBK models. Organizations should scan for vulnerable devices, isolate them, and apply best practices like patch management, strong passwords, MFA, and network segmentation to prevent breaches.
Authentication Bypass Vulnerability in Hitachi Allows Attackers to Gain System Access Remotely
Source: Cyber Press
A critical authentication bypass vulnerability, CVE-2024-10205, in Hitachi’s Infrastructure Analytics Advisor and Ops Center Analyzer allows remote attackers to access systems without authentication, posing a risk of data breaches and operational disruption. With a CVSS score of 9.4, this flaw affects Ops Center Analyzer versions 10.0.0-00 up to 11.0.3-00 and Infrastructure Analytics Advisor versions 2.1.0-00 to 4.4.0-00 on Linux (x64) platforms. Hitachi urges users to upgrade Ops Center Analyzer to version 11.0.3-00 and to contact support for Infrastructure Analytics Advisor updates. No workarounds exist.
SPECIAL REPORTS
GenAI: Security Teams Demand Expertise-Driven Solutions
Source: Infosecurity Magazine
A recent CrowdStrike survey of 1022 cybersecurity and IT professionals reveals that 64% are researching or adopting generative AI tools, while only 6% have fully implemented them. Despite the high interest, 76% prefer cybersecurity-specific GenAI tools over general-purpose solutions due to concerns about unsuitable guidance. Trust remains critical, with 83% hesitant to rely on tools that may lead to poor security decisions. ROI drives adoption, with 31% citing tool optimization and 30% citing incident reduction as goals. However, concerns like sensitive data exposure, adversarial attacks, and insufficient regulations persist. Notably, 63% of respondents would switch vendors to access better-fitting GenAI solutions.
US Unveils New National Cyber Incident Response Plan
Source: Infosecurity Magazine
The U.S. government released a draft of the updated National Cyber Incident Response Plan, detailing public and private sector roles during cyber incidents. This revision, led by CISA, responds to threats and policies that have evolved since the 2016 version. The NCIRP outlines coordination across four key areas: asset response, threat response, intelligence response, and affected entity response. The plan focuses on incidents rated Level 2 or higher. Public feedback is invited until January 15, 2025, to refine this framework for improved national cyber resilience.
New APIs Discovered by Attackers in Just 29 Seconds
Source: Infosecurity Magazine
New research from Wallarm shows that attackers discover newly deployed APIs in as little as 29 seconds. Using what it describes as the world’s first API honeypot, Wallarm found that 40% of attacks exploited CVEs, 34% involved discovery, and 26% targeted authentication. Common endpoints like “/status” are frequently probed, making unique or randomized names safer. APIs now receive over 54% of threat requests, surpassing web applications. Attackers can deploy 50 requests per second across 50 IPs for minimal cost, enabling the theft of 10 million records in under a minute. Organizations must strengthen API security practices and tools to address this expanding attack surface.
Healthcare Cybersecurity: 2024 Was Tough, 2025 May Be Better
Source: The Cyber Express
In 2024, healthcare cybersecurity faced an increase in ransomware attacks compromising patient safety and privacy, with high-profile breaches affecting Change Healthcare, Ascension, and NHS London. The U.S. led in attacks, experiencing a 36% rise, while the UK saw a 700% increase. Medical IoT device vulnerabilities such as unpatched systems and unencrypted traffic contributed to the sector's challenges. Despite this, the average healthcare breach cost dropped to $9.77 million, aided by AI and automation. For 2025, hope lies in new cybersecurity regulations, zero trust adoption, and bipartisan U.S. efforts to improve defenses.
Finding value in this newsletter? Like or share this post on LinkedIn