CISO Daily Update - November 14, 2024
NEW DEVELOPMENTS
US Government Charges Hackers Behind Massive AT&T Breach
Source: Cybernews
The U.S. government has formally charged Alexander Connor Moucka and John Binns over the massive AT&T data breach, in which roughly 50 billion customer records were stolen from the company's Snowflake cloud storage. The pair used credentials harvested by infostealer malware to get into more than 100 corporate Snowflake accounts, hitting companies including Ticketmaster, Santander Bank, and Advance Auto Parts. The stolen data included call logs, payroll details, and personal information. Prosecutors indicate that AT&T, referred to in the filing as "Victim-2," paid a ransom to have the stolen data deleted. In total the campaign affected 165 companies and caused millions of dollars in damages.
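Credentials harvested by an infostealer are replayed from the attacker's own infrastructure, so the two signals worth hunting for in a Snowflake account are successful logins that used a password with no second factor and logins from outside the expected network ranges. The script below is an added example, not code from the newsletter, the court filing or Snowflake. It runs over constructed rows laid out like the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (an assumption about the export format; the user names, IP ranges and allow-list are likewise invented for the demo), flags the risky logins, and then lists source IPs that authenticated as more than one flagged account, which is what one attacker working through a pile of stolen credentials looks like:

```python
"""Hunt a Snowflake LOGIN_HISTORY export for password-only and off-network logins.

Added example; not the newsletter's or Snowflake's code. SAMPLE_LOGIN_HISTORY is a
constructed CSV in the column layout of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
(assumed); CORPORATE_RANGES is an assumed allow-list. Nothing here is real data.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (not real logins). One attacker IP, 203.0.113.17,
# reuses stolen passwords for two different accounts.
SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-05-20 03:14:07,ETL_SVC,203.0.113.17,PYTHON_DRIVER,PASSWORD,,YES
2024-05-20 09:02:41,ALICE,198.51.100.23,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-05-20 09:05:12,BOB,198.51.100.40,SNOWFLAKE_UI,PASSWORD,,YES
2024-05-20 11:48:55,ALICE,203.0.113.99,OTHER,PASSWORD,,NO
2024-05-20 12:00:03,CAROL,198.51.100.7,JDBC_DRIVER,OAUTH_ACCESS_TOKEN,,YES
2024-05-21 02:30:18,BOB,203.0.113.17,OTHER,PASSWORD,,YES
"""

# Assumed corporate egress ranges; a Snowflake network policy would normally
# enforce these, and the absence of one is what makes the check necessary.
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def is_corporate_ip(ip, ranges=CORPORATE_RANGES):
    """True when the client IP falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def classify_logins(csv_text, ranges=CORPORATE_RANGES):
    """Return one finding per successful login that is password-only (no second
    factor) and/or originates outside the allow-list. OAuth / key-pair logins are
    not treated as password-only because their MFA happens at the IdP."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["IS_SUCCESS"] != "YES":
            continue  # failed attempts are a brute-force signal, scored elsewhere
        reasons = []
        if row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD" and not row["SECOND_AUTHENTICATION_FACTOR"]:
            reasons.append("password-only")
        if not is_corporate_ip(row["CLIENT_IP"], ranges):
            reasons.append("outside-allowlist")
        if reasons:
            findings.append({
                "timestamp": row["EVENT_TIMESTAMP"],
                "user": row["USER_NAME"],
                "ip": row["CLIENT_IP"],
                "client": row["REPORTED_CLIENT_TYPE"],
                "reasons": reasons,
            })
    return findings


def shared_source_ips(findings):
    """Map each source IP to the set of flagged accounts it logged into, keeping
    only IPs that reached more than one account: credential replay at scale."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["user"])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = classify_logins(SAMPLE_LOGIN_HISTORY)
    for h in hits:
        print(f"{h['timestamp']} {h['user']:<8} {h['ip']:<15} {h['client']:<14} {', '.join(h['reasons'])}")
    for ip, users in shared_source_ips(hits).items():
        print(f"shared source {ip}: {sorted(users)}")
```

Against a real account the same logic belongs in a scheduled query over LOGIN_HISTORY rather than an export, and the durable fix is to enforce MFA or SSO on human users, key-pair or OAuth on service accounts, and a network policy so that a replayed password from an unknown IP never succeeds in the first place.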
Ransomware Fiends Boast They’ve Stolen 1.4TB From US Pharmacy Network
Source: The Register
The Embargo ransomware group claims responsibility for a cyberattack on American Associated Pharmacies (AAP). The group allegedly stole 1.4TB of data, encrypted AAP's files, and demanded $1.3 million to decrypt them and another $1.3 million not to publish the stolen data. Embargo is known for its EDR-killing tooling and aggressive extortion tactics. AAP has not confirmed the attack, but its website has prompted users to reset their passwords without describing any incident. Embargo has set a November 20 deadline before it leaks the data.
New Hacking Group Kairos Claiming Breach of Multiple Organizations
Source: Cyber Press
A new hacking group named "Kairos" reportedly breached multiple organizations, primarily in the healthcare and accounting sectors across Taiwan and the United States. The group published sensitive data from six organizations on an Onion blog, including Formosa Certified Public Accountant in Taiwan and several U.S.-based entities such as PMR Centre, Accounting & Advisory Services, Clay Platte Family Medicine Clinic, Kansas Regenerative Medicine, and Sunny Days Sunshine Center. The exposed data encompasses personally identifiable information (PII), medical records, and employee details. Other hacking groups had previously targeted some of these organizations.
Pentagon Leaker Jack Teixeira Sentenced to 15 Years in Federal Prison
Source: Cybernews
Former Air National Guardsman Jack Teixeira was sentenced to 15 years in federal prison for leaking classified documents about the Russian invasion of Ukraine in a Discord chat, beginning in 2022. Teixeira pleaded guilty to six counts of willfully transmitting national defense information as part of a plea deal and acknowledged that his actions endangered national security. The case led to a review of clearance procedures and to suspensions within his Air National Guard unit. The sentence also includes a $50,000 fine and three years of supervised release.
Delta Air Lines Joins Amazon in Confirming Third-Party Data Leak
Source: Cybernews
Delta Air Lines confirmed a data leak involving 57,000 employee records held by a third-party vendor, following a similar disclosure by Amazon. The records were taken through the MOVEit Transfer vulnerability exploited in 2023 and have now surfaced on the dark web. Delta's own systems were not compromised; the leaked data includes names, contact information, and office locations. The actor behind the leak, using the handle Nam3L3ss, claims to have released the data to raise awareness about data security.
Bitdefender Releases Decryptor for ShrinkLocker Ransomware
Source: The Record
Bitdefender released a decryptor for ShrinkLocker, ransomware that abuses Microsoft's built-in BitLocker feature to encrypt entire drives quickly. It emerged earlier this year and has hit organizations in Mexico, Indonesia, and Jordan, including steel and vaccine manufacturers and government entities. ShrinkLocker installs BitLocker if it is not already present, encrypts the system with a randomly generated password, and prompts for that password at reboot, displaying the attacker's contact information for a ransom payment. Because it relies on a legitimate Windows feature rather than custom encryption code, ShrinkLocker is accessible to less sophisticated criminals. Bitdefender's decryptor aims to help victims recover their data without paying; escrowing BitLocker recovery keys (to Active Directory or Entra ID) and alerting on unexpected BitLocker enablement remain the primary defenses, with the decryptor as a fallback.
VULNERABILITIES TO WATCH
CISA Alerts: Five Newly Exploited Vulnerabilities Added to Critical Watchlist
Source: The Cyber Express
The Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities that are being exploited in the wild to its Known Exploited Vulnerabilities (KEV) Catalog, urging swift remediation. They affect widely used software including Atlassian Jira, Cisco ASA, Metabase, and Microsoft Windows. CISA's guidance includes specific actions such as applying patches, disabling affected features, and working closely with vendors where mitigations are complex. CISA encourages all organizations to incorporate the KEV catalog into their vulnerability management and prioritization processes.
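"Incorporate KEV" in practice means polling the catalog and turning each new entry into a ticket against the hosts that run the affected product, ordered by CISA's due date. The script below is an added example, not code from the newsletter or from CISA. KEV_SAMPLE is a constructed excerpt in the field layout of the public catalog JSON (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) carrying the five entries CISA added on 2024-11-12; the descriptions, due dates, the asset inventory, the product-matching rule and the "today" date are assumptions for the demo. KEV carries no version information, so each hit is a candidate to confirm against the vendor's fixed versions, not a confirmed vulnerability:

```python
"""Match CISA KEV entries to an asset inventory and build a due-date-ordered queue.

Added example; not the newsletter's or CISA's code. KEV_SAMPLE mirrors the public
catalog's JSON field names (assumed from the published feed); INVENTORY and the
token-overlap matching rule are assumptions for the demo.
"""
import json
import re
from datetime import date

ACTION = "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."

# Constructed excerpt: the five CVEs CISA added on 2024-11-12, with field values
# written for this example rather than copied from the feed.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-26086", "vendorProject": "Atlassian", "product": "Jira Server and Data Center",
     "vulnerabilityName": "Atlassian Jira Server and Data Center Path Traversal Vulnerability",
     "dateAdded": "2024-11-12", "dueDate": "2024-12-03", "knownRansomwareCampaignUse": "Unknown", "requiredAction": ACTION},
    {"cveID": "CVE-2014-2120", "vendorProject": "Cisco", "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
     "vulnerabilityName": "Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability",
     "dateAdded": "2024-11-12", "dueDate": "2024-12-03", "knownRansomwareCampaignUse": "Unknown", "requiredAction": ACTION},
    {"cveID": "CVE-2021-41277", "vendorProject": "Metabase", "product": "Metabase",
     "vulnerabilityName": "Metabase GeoJSON API Local File Inclusion Vulnerability",
     "dateAdded": "2024-11-12", "dueDate": "2024-12-03", "knownRansomwareCampaignUse": "Unknown", "requiredAction": ACTION},
    {"cveID": "CVE-2024-43451", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability",
     "dateAdded": "2024-11-12", "dueDate": "2024-12-03", "knownRansomwareCampaignUse": "Unknown", "requiredAction": ACTION},
    {"cveID": "CVE-2024-49039", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows Task Scheduler Privilege Escalation Vulnerability",
     "dateAdded": "2024-11-12", "dueDate": "2024-12-03", "knownRansomwareCampaignUse": "Unknown", "requiredAction": ACTION},
]})

# Constructed inventory (hypothetical hosts); db01 runs nothing in the excerpt.
INVENTORY = [
    {"host": "jira01", "vendor": "Atlassian", "product": "Jira Data Center", "version": "8.5.4"},
    {"host": "fw-edge", "vendor": "Cisco", "product": "ASA 5525-X", "version": "9.12"},
    {"host": "bi01", "vendor": "Metabase", "product": "Metabase", "version": "0.40.0"},
    {"host": "ws-044", "vendor": "Microsoft", "product": "Windows 11", "version": "23H2"},
    {"host": "db01", "vendor": "PostgreSQL", "product": "PostgreSQL", "version": "15.4"},
]

STOPWORDS = {"and", "the", "for"}


def _tokens(text):
    """Lower-cased product-name tokens, dropping punctuation, stopwords and short junk."""
    return {t for t in re.split(r"[^a-z0-9.\-]+", text.lower()) if len(t) >= 3 and t not in STOPWORDS}


def kev_matches(entry, asset):
    """Same vendor and at least one shared product token. Deliberately loose:
    a false positive costs a look at the advisory, a miss costs an incident."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    return bool(_tokens(entry["product"]) & _tokens(asset["product"]))


def build_remediation_queue(kev_json, inventory, today, added_since=None):
    """One queue item per (host, CVE) candidate, overdue items first, then by due
    date, then known-ransomware use, then CVE id. added_since limits a daily poll
    to entries new since the last run."""
    queue = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if added_since and date.fromisoformat(entry["dateAdded"]) < added_since:
            continue
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if kev_matches(entry, asset):
                queue.append({
                    "host": asset["host"], "version": asset["version"],
                    "cve": entry["cveID"], "name": entry["vulnerabilityName"],
                    "due": due.isoformat(), "days_left": (due - today).days,
                    "overdue": due < today,
                    "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                    "action": entry["requiredAction"],
                })
    queue.sort(key=lambda q: (not q["overdue"], q["due"], not q["ransomware"], q["cve"]))
    return queue


if __name__ == "__main__":
    for item in build_remediation_queue(KEV_SAMPLE, INVENTORY, today=date(2024, 11, 14)):
        flag = "OVERDUE" if item["overdue"] else f"{item['days_left']}d left"
        print(f"{item['host']:<8} {item['cve']:<15} due {item['due']} ({flag})  {item['name']}")
```

Version checking is the piece this leaves to the analyst: the KEV feed says which product is under attack, the vendor advisory says which builds are fixed, and only the inventory knows which build each host runs.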
Microsoft’s November 2024 Patch Tuesday Addresses 91 Vulnerabilities, Including Four Critical Zero-Days
Source: The Cyber Express
Microsoft's November 2024 Patch Tuesday fixes 91 vulnerabilities, four of them zero-days (flaws publicly disclosed or exploited before a patch was available), alongside several critical remote code execution (RCE) bugs. Two of the zero-days are already being exploited in the wild and are among the Windows entries CISA added to its KEV catalog this week: CVE-2024-43451, an NTLMv2 hash disclosure flaw that triggers on minimal interaction with a malicious file, and CVE-2024-49039, a Windows Task Scheduler elevation of privilege bug. Those two should be patched first; the remaining critical RCE and privilege escalation fixes follow in the normal cycle. Prompt patching is recommended to safeguard systems against attack.
Chipmaker Patch Tuesday: Intel Publishes 44 and AMD Publishes 8 New Advisories
Source: Security Week
On November 13, 2024, Intel and AMD released security advisories addressing multiple vulnerabilities. Intel issued 44 advisories covering more than 80 vulnerabilities, including over 20 high-severity issues affecting products such as the Server Board S2600ST and S2600BP, graphics drivers, Neural Compressor, and various processors. Most of these could lead to privilege escalation and require local access. AMD published eight advisories detailing vulnerabilities in products such as the AMD Secure Processor, System Management Unit, and graphics drivers, with several high-severity issues that could result in arbitrary code execution or privilege escalation. Users are advised to apply the recommended updates promptly to mitigate potential security risks.
Ivanti Patches 50 Vulnerabilities Across Several Products
Source: Security Week
Ivanti released updates addressing nearly 50 vulnerabilities across multiple products, including eight critical flaws in Connect Secure, Policy Secure, and Endpoint Manager. These vulnerabilities, tracked as CVE-2024-38655, CVE-2024-38656, CVE-2024-39710 through CVE-2024-39712, and CVE-2024-11005 through CVE-2024-11007, are argument and command injection issues that allow an authenticated administrator to execute code remotely. The fixes ship in Connect Secure 22.7R2.3 and Policy Secure 22.7R1.2, which also address additional high- and medium-severity vulnerabilities leading to privilege escalation, denial of service, and remote code execution. Users are advised to apply these updates promptly to mitigate potential security risks.
High-Severity Vulnerabilities Patched in Zoom, Chrome
Source: Security Week
Zoom and Google released updates to address high-severity vulnerabilities. Zoom's updates patch six flaws, including CVE-2024-45421, a buffer overflow (CVSS 8.5), and CVE-2024-45419, an improper input validation flaw (CVSS 8.1), affecting its desktop and mobile apps. Google's Chrome 131 update fixes 12 vulnerabilities, the most severe being CVE-2024-11110, an inappropriate implementation bug in Blink. Users are advised to update Zoom and Chrome to the latest versions to mitigate security risks.
ICS Patch Tuesday: Security Advisories Released by CISA, Schneider, Siemens, Rockwell
Source: Security Week
On November 13, 2024, Siemens, Schneider Electric, CISA, and Rockwell Automation released security advisories addressing vulnerabilities in industrial control systems. Siemens patched a critical deserialization flaw in TeleControl Server Basic that allows unauthenticated code execution, and addressed numerous vulnerabilities in Sinec INS, Sinec NMS, and Scalance M-800, many of them in third-party components. Schneider Electric fixed a critical issue in EcoStruxure IT Gateway that could enable system control and data access, and resolved a high-severity denial-of-service vulnerability in PowerLogic PM5300 series power meters. CISA issued advisories for various ICS products, urging users to review and apply the recommended mitigations. Rockwell Automation's advisories included updates for FactoryTalk ThinManager and other products. Users are advised to implement these patches promptly to mitigate potential security risks.
OvrC Platform Vulnerabilities Expose IoT Devices to Remote Attacks and Code Execution
Source: The Hacker News
A recent security analysis of Snap One's OvrC cloud platform identified ten vulnerabilities that could allow attackers to execute remote code on connected IoT devices. The flaws affect OvrC Pro and OvrC Connect and include weak access controls, authentication bypasses, and remote code execution vulnerabilities. Exploitation could give an attacker unauthorized access to and control over devices such as smart power supplies, cameras, routers, and home automation systems. Snap One has released patches for all ten, eight of them in May 2023 and the remaining two on November 12, 2024. Users are advised to update their systems promptly to mitigate potential risks.
SPECIAL REPORTS
Social Engineering Scams Sweep Through Financial Institutions
Source: Help Net Security
Social engineering scams targeting North American financial institutions surged tenfold in 2024 and now account for 23% of digital banking fraud, according to BioCatch. Money mule accounts rose by 94%, with AI tools and deepfakes enabling highly sophisticated attacks, including a recent $25 million scam in Hong Kong. While improved security has reduced account-opening fraud by nearly 60%, check and deposit fraud has tripled, and 23% of unauthorized activity now occurs on trusted devices. BioCatch recommends that banks strengthen defenses by combining behavioral and device intelligence with historical data to address these evolving threats.
Infostealers Increasingly Impact Global Security
Source: Help Net Security
Check Point Software's latest threat index shows a surge in infostealer malware, led by Lumma Stealer, which has climbed to fourth place globally and is spreading through cracked game download links and phishing emails targeting GitHub users. Meanwhile, the Necro mobile malware has infected over 11 million Android devices, using obfuscation and steganography to evade detection and covertly sign users up for paid services. The report highlights a shift toward more advanced tactics, including CAPTCHA-based infection chains and increased use of info-stealing tools to exfiltrate sensitive data. FakeUpdates, Androxgh0st, and AgentTesla lead the malware rankings, while Joker, Necro, and Anubis dominate mobile malware.
Adversarial Advantage: Using Nation-State Threat Analysis to Strengthen U.S. Cybersecurity
Source: Security Intelligence
Nation-state cyber adversaries are shifting from overt data destruction to stealthy espionage, posing significant threats to U.S. infrastructure and sensitive data. CISA identifies China, Russia, North Korea, and Iran as the primary actors, employing tactics such as phishing, exploitation of unpatched vulnerabilities, and zero-day exploits. Understanding these methods lets organizations allocate security resources where they matter. CISA recommends strong multi-factor authentication, keeping systems up to date, and regular security assessments to mitigate these evolving threats.