CISO Daily Update - November 11, 2024
NEW DEVELOPMENTS
Major Oilfield Supplier Hit by Ransomware Attack
Source: Infosecurity Magazine
Newpark Resources, a major supplier to the U.S. oil industry, faced a ransomware attack on October 29, 2024, that disrupted critical systems and business applications. Despite the attack, the company maintained its manufacturing and field operations by following established downtime protocols. Newpark quickly launched its cybersecurity response plan and enlisted internal and external experts to investigate and contain the breach. Although the full impact remains under review, the company expects minimal financial losses.
Threat Actors Claim Breach of Finastra Database
Source: Cyber Press
Threat actors claimed responsibility for breaching Finastra's database, extracting 400 GB of compressed data from the company's Enterprise Service Bus (ESB) via IBM Aspera, a high-speed file transfer tool. The breach reportedly occurred this month and is concerning given Finastra's role as a technology provider to over 9,000 financial institutions worldwide. This incident follows a previous ransomware attack on Finastra in March 2020.
U.S. Agency Cautions Employees to Limit Phone Use Due to Salt Typhoon Hack of Telco Providers
Source: Security Affairs
Following a breach by Salt Typhoon, a cyber-espionage group linked to Chinese intelligence, a U.S. government agency has instructed employees to limit mobile phone use to critical communications only. This advanced attack targeted major U.S. telecommunications providers, giving the intruders unauthorized access to sensitive data including call records and unencrypted text messages. The breach has raised national security concerns as agencies evaluate its impact on critical infrastructure. In response, the agency is enforcing stricter communication protocols to minimize exposure and counter the ongoing threat of state-sponsored cyberattacks.
Lynx Ransomware Group Claims to Have Breached DZS
Source: Cyber Press
The Lynx ransomware group claimed responsibility for a cyberattack on DZS, a leading U.S.-based provider in fiber access, optical telecommunications, and cloud software technology. Known for its aggressive double-extortion tactics, Lynx asserts that it has exfiltrated significant amounts of sensitive data from DZS systems, including proprietary and potentially customer-related information. The group has released data samples to support its claims and is pressuring DZS to pay the ransom. Since mid-2024, Lynx has targeted various organizations.
Following Trump Win, FBI Warns of ‘Slave Plantation’ Texts Targeting African Americans
Source: The Record
After the recent U.S. presidential election, African Americans nationwide reported receiving anonymous racist text messages instructing them to "report to a plantation to pick cotton," a disturbing allusion to slavery. The FBI, now actively investigating, acknowledged the offensive nature of the messages and is coordinating with the Justice Department and other federal agencies. Recipients, including high school and college students, expressed shock and concern over the targeted harassment. Civil rights organizations urge individuals who receive these messages to promptly report them to law enforcement.
Hackers Now Use Zip File Concatenation to Evade Detection
Source: Bleeping Computer
Hackers are using ZIP file concatenation to slip malware past security measures, embedding malicious code in compressed archives that evade detection. This technique appends several ZIP files into one, each carrying its own central directory and end-of-central-directory marker. Some archive managers only process the first ZIP structure, while others read the last one and extract hidden content from the later structures. This inconsistency between tools lets attackers hide malware within files that appear safe to a scanner, making detection and mitigation more challenging.
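The detection-side counterpart of this technique, as an added example that is not code from the article or from any vendor it names: a scanner that walks a file for every end-of-central-directory (EOCD) record, validates each candidate against its own central directory, and reports how many self-consistent archives the file contains. The sample archive is constructed inline (two harmless text entries), and the file names are assumptions for illustration. The `naive_view` helper shows the inconsistency the article describes: Python's own `zipfile` locates the last EOCD and therefore lists only the trailing archive's entries.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record signature
CDIR_SIG = b"PK\x01\x02"   # central directory file header signature
# EOCD layout (ZIP64 extensions are not handled here): signature, disk number,
# disk with CD, entries on this disk, total entries, CD size, CD offset, comment length
EOCD_STRUCT = struct.Struct("<4sHHHHIIH")  # 22 bytes


def find_archives(data: bytes):
    """Return (start, end) byte ranges of every self-consistent ZIP archive in data.

    A candidate EOCD is accepted only if the central directory it points to
    really starts with a central directory header, which filters out the
    signature bytes appearing by chance inside compressed data."""
    archives = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_STRUCT.size <= len(data):
            (_sig, _disk, _cd_disk, _n_disk, _n_total,
             cd_size, cd_offset, comment_len) = EOCD_STRUCT.unpack_from(data, pos)
            # Offsets inside an archive are relative to that archive's own start,
            # so the start of this archive is where the CD would begin at offset 0.
            start = pos - cd_size - cd_offset
            if start >= 0 and data[start + cd_offset:start + cd_offset + 4] == CDIR_SIG:
                end = min(pos + EOCD_STRUCT.size + comment_len, len(data))
                archives.append((start, end))
        pos = data.find(EOCD_SIG, pos + 1)
    return archives


def is_concatenated(data: bytes) -> bool:
    """True when more than one valid ZIP structure is present: flag for review."""
    return len(find_archives(data)) > 1


def entries_per_archive(data: bytes):
    """List the member names of every embedded archive, first to last."""
    result = []
    for start, end in find_archives(data):
        with zipfile.ZipFile(io.BytesIO(data[start:end])) as zf:
            result.append(zf.namelist())
    return result


def naive_view(data: bytes):
    """What a tool that trusts only the final EOCD (e.g. Python's zipfile) sees."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_zip(files: dict) -> bytes:
    """Helper to construct a small in-memory archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a benign archive with a second archive appended to it.
# Both members are plain text; the names are placeholders for the example.
SAMPLE = (build_zip({"README.txt": b"benign readme"})
          + build_zip({"hidden.txt": b"constructed placeholder content"}))

if __name__ == "__main__":
    print("concatenated:", is_concatenated(SAMPLE))
    print("all archives:", entries_per_archive(SAMPLE))
    print("last-EOCD-only view:", naive_view(SAMPLE))
```

In a mail gateway or sandbox, the useful signal is simply `is_concatenated(...)` returning true: a legitimately produced archive has exactly one central directory, so a second one is worth quarantining or at least extracting every structure before scanning rather than only the one your unzip library happens to pick.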
Malicious PyPI Package With 37,000 Downloads Steals AWS Keys
Source: Bleeping Computer
A malicious Python package named "fabrice" has been found in the Python Package Index (PyPI); it has been available since 2021 and has over 37,000 downloads. The package is designed to impersonate the legitimate "fabric" library and targets Windows and Linux systems with platform-specific scripts to steal Amazon Web Services (AWS) credentials. On Linux, it creates a hidden directory to store and run encoded shell scripts fetched from an external server. On Windows, it downloads and executes an encoded VBScript that launches a PowerShell process to exfiltrate AWS credentials.
Hackers Use Excel Files to Deliver Remcos RAT Variant on Windows
Source: Hackread
Hackers are using Microsoft Excel files in phishing emails to deploy a powerful variant of the Remcos RAT (Remote Access Trojan) on Windows systems, enabling unauthorized remote control and data theft. FortiGuard Labs reports that attackers exploit the CVE-2017-0199 vulnerability in Office programs to execute an obfuscated HTML Application (HTA) file, which downloads the main Remcos payload. The malware establishes persistence by altering system registry settings and uses advanced evasion techniques, including Vectored Exception Handling, API hash identification, and process hollowing, to avoid detection. Remcos connects to a C&C server, providing capabilities like keylogging, screen recording, and webcam capture for extensive surveillance.
VULNERABILITIES TO WATCH
Unpatched Vulnerabilities Allow Hacking of Mazda Cars: ZDI
Source: Security Week
Unpatched vulnerabilities in Mazda’s infotainment system, particularly the Mazda Connect Connectivity Master Unit (CMU), expose the system to arbitrary code execution with root privileges. These flaws arise from inadequate input sanitization, allowing an attacker with physical access to exploit the system using a specially crafted USB device. Impacted models include Mazda 3 vehicles from 2014 to 2021, among others, with vulnerabilities identified in software version 74.00.324A and possibly in earlier versions. Mazda has yet to release patches, leaving these infotainment systems vulnerable to potential compromise.
Critical Veeam RCE Bug Now Used in Frag Ransomware Attacks
Source: Security Week
Ransomware groups including Akira, Fog, and now Frag are actively exploiting a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication (VBR). Tracked as CVE-2024-40711, this vulnerability stems from the deserialization of untrusted data and enables unauthenticated attackers to execute arbitrary code on vulnerable VBR servers. Although Veeam released security updates on September 4, 2024, threat actors quickly adopted the exploit to gain unauthorized access and deploy ransomware. Organizations using VBR should apply the latest patches immediately to reduce this major security risk.
SPECIAL REPORTS
These Major Software Firms Took CISA’s Secure-by-Design Pledge. Here’s How They’re Implementing It
Source: The Record
Six months into their commitment to CISA's secure-by-design pledge, major tech firms report notable security gains. Amazon Web Services (AWS) now requires multi-factor authentication (MFA) for administrator accounts and supports FIDO2 passkeys, leading to nearly 700,000 new MFA enrollments since April 2024. Fortinet has activated automatic updates on entry-level devices and enforces MFA for cloud service users, strengthening patch adoption and user security. Microsoft's Secure Future Initiative includes publishing CVEs for critical cloud service flaws, standardizing identity technologies to minimize authentication errors, and mandating MFA for Azure, Entra, and Intune services. These advancements align with CISA's mission to elevate cybersecurity across the tech industry.
Scammers Steal Over $1 Trillion in a Year, Report Reveals
Source: Cybernews
Cybercriminals are taking advantage of the rapid digital transformation driven by the COVID-19 pandemic, fueling a significant rise in scam activities. Over 4 billion scam calls are made monthly, with 23% of Americans reporting financial losses from such calls in 2021. To counter this wave, companies like ANT Group have adopted a four-step strategy: educating users, deploying advanced algorithms to detect scams, enabling users to report suspicious activities, and refining systems based on user feedback. This proactive approach aims to prevent scams and protect vulnerable individuals from falling victim to fraud.
Why AI-Enhanced Threats and Legal Uncertainty Are Top of Mind for Risk Executives
Source: Help Net Security
In the third quarter of 2024, enterprises identified AI-enhanced malicious attacks as the top emerging risk for the third consecutive quarter, according to Gartner's survey. Complexities in IT vendor dependencies and an uncertain regulatory and legal landscape also ranked high. The July CrowdStrike outage shows the risks of over-reliance on major IT vendors, while recent U.S. Supreme Court rulings created uncertainties around federal agencies' regulatory authority.
Technology evolves, so too must our defenses.
Marcos Christodonte II