CISO Daily Update - November 18, 2024
NEW DEVELOPMENTS
T-Mobile Confirms It Was Hacked in Recent Wave of Telecom Breaches
Source: Bleeping Computer
T-Mobile confirmed that its systems were breached in the recent wave of cyberattacks on U.S. telecommunications companies that also hit AT&T and Verizon. The company said it has seen no evidence of significant impact or of customer data compromise. The attacks are attributed to the Chinese state-sponsored group Salt Typhoon, which sought access to private communications and to law enforcement information requests. T-Mobile says it continues to monitor the situation and is working with industry peers and the relevant authorities to protect its systems and customer information.
Cybersecurity Flaws in US Drinking Water Systems Put 26 Million at Risk
Source: Hackread
The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) identified significant cybersecurity weaknesses in drinking water systems serving populations of 50,000 or more, a set of systems that together serve approximately 193 million people. A passive assessment conducted on October 8, 2024, found that 97 systems serving 26.6 million people have critical- or high-risk vulnerabilities, and a further 211 systems serving more than 82.7 million people have externally visible open portals rated as medium- or low-risk issues.
Colicom’s Customer Database Leak, Hackers Claim on Hacking Forums
Source: Cyber Press
A threat actor on a dark web forum claimed responsibility for leaking Colicom's customer database, exposing the personal information of approximately 200,000 customers. The data reportedly includes full names, phone numbers, and physical addresses. The poster suggested that weaknesses in Colicom's internal systems enabled the breach. Colicom has not issued an official statement. Affected customers are advised to monitor their accounts for suspicious activity and to be wary of phishing attempts that use the leaked details.
Bitfinex Hacker Ilya Lichtenstein Was Sentenced to 5 Years in Prison
Source: Security Affairs
Ilya Lichtenstein, the hacker behind the 2016 breach of the Bitfinex cryptocurrency exchange, was sentenced to five years in prison for stealing and laundering approximately 120,000 Bitcoin, worth over $7.6 billion today. His wife, Heather Morgan, who helped launder the stolen funds, is scheduled for sentencing on November 18, 2024. The couple used elaborate methods to conceal their activity, including fictitious identities and converting Bitcoin into other cryptocurrencies. Authorities have recovered over 96% of the stolen funds, a significant milestone in cryptocurrency crime enforcement.
VULNERABILITIES TO WATCH
Palo Alto Networks Confirmed Active Exploitation of Recently Disclosed Zero-Day
Source: Security Affairs
Palo Alto Networks confirmed active exploitation of a zero-day vulnerability in the PAN-OS firewall management interface. Initially reported as a remote code execution flaw with a CVSS score of 9.3, it has been exploited to deploy web shells that give attackers persistent remote access. Palo Alto released indicators of compromise (IoCs), including malicious IP addresses and web shell hashes, and urged customers to isolate the management interface, restrict it to trusted internal IP addresses, and follow its deployment best practices (a dedicated management VLAN and secure management protocols). The practical first check is whether the management interface is reachable from the internet at all; the IoCs only help if logs from that interface are retained. U.S. CISA has added two related Palo Alto Networks vulnerabilities, CVE-2024-9463 and CVE-2024-9465 (in the Expedition migration tool), to its Known Exploited Vulnerabilities catalog.
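The "restrict the management interface to trusted internal IPs" advice is easy to state and easy to get wrong across a fleet, so here is an added example (not Palo Alto Networks code) that audits a device inventory for management interfaces that are either addressed outside RFC 1918 space or accept connections from non-internal sources. The inventory format, the device names and addresses are constructed for the example; "permitted" stands in for a per-interface permitted-IP list, with an empty list meaning no restriction.

```python
"""Audit firewall management interfaces for exposure to untrusted networks.

Added example; not vendor code. The inventory below is constructed.
'permitted' models a management-interface permitted-IP list: an empty
list means any source may connect.
"""
import ipaddress

# Only RFC 1918 space counts as internal. Note that Python's is_private
# also returns True for documentation ranges such as 198.51.100.0/24,
# which is why the ranges are listed explicitly rather than relying on it.
TRUSTED_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample inventory (hypothetical devices and addresses).
INVENTORY = [
    {"name": "fw-edge-1", "mgmt_ip": "203.0.113.10", "permitted": []},
    {"name": "fw-dc-1", "mgmt_ip": "10.20.0.5", "permitted": ["10.20.0.0/16"]},
    {"name": "fw-dc-2", "mgmt_ip": "10.20.0.6", "permitted": ["0.0.0.0/0"]},
    {"name": "fw-branch-7", "mgmt_ip": "10.99.1.1",
     "permitted": ["10.99.0.0/16", "198.51.100.0/24"]},
]


def is_internal(net: ipaddress.IPv4Network) -> bool:
    """True only if the whole network lies inside one RFC 1918 range."""
    return any(net.subnet_of(t) for t in TRUSTED_RANGES)


def audit_device(dev: dict) -> list[str]:
    """Return a list of exposure findings for one device (empty if clean)."""
    issues = []
    mgmt = ipaddress.ip_network(dev["mgmt_ip"] + "/32")
    if not is_internal(mgmt):
        issues.append(
            f"management address {dev['mgmt_ip']} is outside RFC 1918 space")
    if not dev["permitted"]:
        issues.append(
            "no permitted source list: any address may reach the management interface")
    for src in dev["permitted"]:
        net = ipaddress.ip_network(src, strict=False)
        if not is_internal(net):
            issues.append(f"permitted source {src} is not an internal network")
    return issues


def audit(inventory: list[dict]) -> dict[str, list[str]]:
    """Audit every device; maps device name to its findings."""
    return {dev["name"]: audit_device(dev) for dev in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        status = "OK" if not findings else "EXPOSED"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The check is deliberately strict: a permitted list that includes 0.0.0.0/0 is treated the same as no list at all, and a public or documentation range in the permitted list is flagged even when the management address itself is internal, because a jump host on an untrusted segment is exactly the path this class of attack takes.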
Security Plugin Flaw in Millions of WordPress Sites Gives Admin Access
Source: Bleeping Computer
A critical authentication bypass vulnerability (CVE-2024-10924) was identified in the 'Really Simple Security' WordPress plugin (formerly 'Really Simple SSL'), affecting both the free and Pro versions. The plugin is installed on over four million sites and provides SSL configuration, login protection, two-factor authentication, and real-time vulnerability detection. Discovered by Wordfence on November 6, 2024, the flaw lies in the plugin's two-factor REST API actions and lets an unauthenticated attacker log in as any existing user, including administrators, when two-factor authentication is enabled. Versions 9.0.0 through 9.1.1.1 are affected; 9.1.2 fixes the issue. Wordfence recommends that hosting providers force-update the plugin across customer sites and scan their databases to ensure no vulnerable versions remain.
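Wordfence described the root cause as improper error handling of the user check in the two-factor REST API actions: the helper that validates the user id and login nonce reports failure by returning an error value, and the caller proceeded to log the user in regardless. The block below is an added illustration of that bug class in Python, not the plugin's PHP; the function names, the AuthError type and the request shape are made up for the example, and the user table and nonce are constructed.

```python
"""Illustration of an auth bypass caused by an unchecked error return.

Added example; not the Really Simple Security plugin's code. Names are
hypothetical. A helper validates (user_id, login_nonce) and RETURNS an
error object on failure; the vulnerable caller ignores that object and
completes the login for whatever user_id the request carried.
"""
import hmac
from dataclasses import dataclass


@dataclass
class AuthError:
    """Stand-in for a WP_Error-style value: returned, not raised, so a
    careless caller can simply fall through."""
    message: str


# Constructed data: user ids, and the one-time nonce issued to a user who
# has passed the password step and is waiting on the second factor.
USERS = {1: "admin", 2: "editor"}
PENDING_LOGIN_NONCES = {2: "c0ffee1234567890"}


def check_login_and_get_user(user_id, login_nonce):
    """Return the user name if login_nonce is valid for user_id, otherwise
    an AuthError. The failure path returns instead of raising."""
    expected = PENDING_LOGIN_NONCES.get(user_id)
    if expected is None or not hmac.compare_digest(expected, login_nonce):
        return AuthError("invalid or missing login nonce")
    user = USERS.get(user_id)
    return user if user is not None else AuthError("unknown user")


def vulnerable_skip_2fa(request):
    """Vulnerable handler: runs the check, never inspects the result, and
    logs in the supplied user_id. Returns (http_status, logged_in_user)."""
    check_login_and_get_user(request["user_id"], request["login_nonce"])
    return 200, USERS.get(request["user_id"])


def fixed_skip_2fa(request):
    """Hardened handler: refuses to proceed when the check returned an
    error object. Returns (http_status, logged_in_user)."""
    user = check_login_and_get_user(request["user_id"], request["login_nonce"])
    if isinstance(user, AuthError):
        return 403, None
    return 200, user


if __name__ == "__main__":
    attacker = {"user_id": 1, "login_nonce": "anything"}
    print("vulnerable:", vulnerable_skip_2fa(attacker))   # (200, 'admin')
    print("fixed:     ", fixed_skip_2fa(attacker))        # (403, None)
```

The WordPress equivalent of the `isinstance(user, AuthError)` guard is `is_wp_error()` on the helper's return value. The general lesson for code review is that any authentication helper which can return an error value rather than raise needs every call site audited, because one missed check is a full bypass.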
A Botnet Exploits a GeoVision Zero-Day to Compromise EoL Devices
Source: Security Affairs
A botnet is exploiting a zero-day vulnerability in GeoVision devices, specifically end-of-life (EoL) models, to compromise them and use them in distributed denial-of-service (DDoS) attacks. GeoVision, a maker of video surveillance products, has not provided patches for these outdated devices, leaving them exposed. Organizations using GeoVision equipment should check their device inventory, replace unsupported models, and keep any that remain segmented from the rest of the network and away from direct internet exposure.
8.8 Rated PostgreSQL Vulnerability Puts Databases at Risk
Source: Hackread
Cybersecurity researchers at Varonis uncovered a high-severity vulnerability in PostgreSQL (CVE-2024-10979, CVSS 8.8) that lets an unprivileged database user manipulate process environment variables through the PL/Perl extension. Exploitation could lead to arbitrary code execution, data theft, or compromise of the database host. The flaw affects releases before 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Mitigation is to update to a fixed release; in the meantime, restrict which extensions are allowed, limit who holds CREATE EXTENSION rights, and enforce least privilege so that untrusted users cannot create PL/Perl functions at all.
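Across a fleet, the question is which servers sit below the fix boundary for their major branch. The following added example (not PostgreSQL project code) parses the output of `SELECT version()` and classifies each server; the version strings are constructed, and the two SQL statements at the end are standard PostgreSQL a DBA would run alongside the check, not a new API.

```python
"""Classify PostgreSQL servers against the CVE-2024-10979 fix boundary.

Added example, not PostgreSQL project code. Input is the string returned
by `SELECT version()`; the sample strings below are constructed.
"""
import re

# First fixed minor release per supported major branch (from the advisory).
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)(?:\.(\d+))?")


def parse_version(version_output: str):
    """Return (major, minor) from a version() string, or None if it cannot
    be parsed. Pre-release builds such as '17beta1' carry no minor and are
    treated as minor 0, i.e. before any fixed release."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) else 0
    return major, minor


def classify(version_output: str) -> str:
    """'fixed', 'vulnerable', 'unsupported' (a major branch with no fix,
    such as EOL 11.x, which must be upgraded rather than patched), or
    'unknown' when the string does not parse."""
    parsed = parse_version(version_output)
    if parsed is None:
        return "unknown"
    major, minor = parsed
    if major not in FIXED_MINOR:
        return "unsupported"
    return "fixed" if minor >= FIXED_MINOR[major] else "vulnerable"


def report(version_outputs: list[str]) -> list[tuple[str, str]]:
    """Pair each server's version string with its classification."""
    return [(v, classify(v)) for v in version_outputs]


# Standard SQL to run on servers that cannot be patched immediately:
# see whether PL/Perl is installed at all, and remove the default PUBLIC
# right to create functions in the trusted plperl language.
FIND_PLPERL_SQL = (
    "SELECT extname, extversion FROM pg_extension "
    "WHERE extname IN ('plperl', 'plperlu');"
)
REVOKE_PLPERL_SQL = "REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;"

# Constructed sample output from `SELECT version()` on several servers.
SAMPLE_VERSIONS = [
    "PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit",
    "PostgreSQL 17.1 (Debian 17.1-1.pgdg120+1) on x86_64-pc-linux-gnu",
    "PostgreSQL 12.21 on x86_64-pc-linux-gnu",
    "PostgreSQL 11.22 on x86_64-pc-linux-gnu",
    "PostgreSQL 14.13 on aarch64-unknown-linux-gnu",
]

if __name__ == "__main__":
    for version, status in report(SAMPLE_VERSIONS):
        print(f"{status:12} {version}")
```

The revoke only stops non-superusers from creating new PL/Perl functions; existing functions still run, so the inventory query matters as much as the revoke. Treat "unsupported" as worse than "vulnerable": no fix will ever ship for that branch.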
Researchers Warn of Privilege Escalation Risks in Google's Vertex AI ML Platform
Source: The Hacker News
Researchers identified two security vulnerabilities in Google's Vertex AI platform that could let an attacker escalate privileges and exfiltrate machine learning models from the cloud. Through the permissions granted to custom training jobs, a malicious actor could gain unauthorized access to all data services in the project. Separately, deploying a compromised model could let it exfiltrate other fine-tuned models in the same environment, exposing proprietary and sensitive data. Google addressed both issues after responsible disclosure. Organizations should tightly control who can deploy models, treat models from outside sources as untrusted code, and audit the permissions granted to training jobs and the service accounts they run as.
watchTowr Finds New Zero-Day Vulnerability in Fortinet Products
Source: Infosecurity Magazine
Security firm watchTowr identified a zero-day vulnerability in Fortinet's FortiManager product, dubbed "FortiJump Higher." The flaw allows a managed FortiGate device to escalate privileges and take control of the FortiManager instance, which in turn could compromise every appliance it manages. Notably, the vulnerability is present even in versions patched for the earlier "FortiJump" bug (CVE-2024-47575), suggesting that the previous fix was incomplete. watchTowr has reported its findings to Fortinet.
SPECIAL REPORTS
NIST Report on Hardware Security Risks Reveals 98 Failure Scenarios
Source: Help Net Security
The National Institute of Standards and Technology (NIST) has released a report titled "Hardware Security Failure Scenarios: Potential Hardware Weaknesses," identifying 98 failure scenarios that expose vulnerabilities in computer hardware. These scenarios highlight issues such as improper access control, coding standard deficiencies, and lifecycle management errors, which attackers could exploit to bypass security measures, access sensitive data, or disrupt system operations. NIST emphasizes the importance of integrating security measures early in hardware development.
Critical Vulnerabilities Persist in High-Risk Sectors
Source: Help Net Security
A Black Duck report found that the finance and insurance sectors have the highest number of vulnerabilities among the 19 industries analyzed. From June 2023 to June 2024, over 200,000 security scans revealed 96,917 vulnerabilities, with cryptographic failures and injection flaws the most common. The finance industry recorded 565 critical vulnerabilities in small sites, 580 in medium sites, and 154 in large ones. Smaller finance assets fixed critical issues within 28 days on average, while the utility sector took up to 107 days.
Ransomware Groups Use Cloud Services For Data Exfiltration
Source: Infosecurity Magazine
Ransomware groups abuse cloud services such as Amazon S3 and Microsoft Azure Blob Storage both for data exfiltration and for attacks on cloud-hosted data, often by leveraging misconfigurations or stolen credentials. SentinelOne reports tactics such as scheduling deletion of encryption keys to threaten permanent data loss and creating encrypted snapshots to cut off access. Groups like BianLian and Rhysida have moved from tools such as MEGAsync to Azure Storage Explorer for data theft. Organizations should deploy cloud security posture management, enforce multifactor authentication, monitor for misconfigurations, and watch egress to object-storage endpoints they do not own, since the exfiltration destination is usually an attacker-controlled storage account rather than the victim's.
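Because the attacker uploads to their own storage account, provider-level blocking does not work; what stands out is a workstation pushing large volumes to a blob or S3 endpoint that is not on the organization's allowlist. The block below is an added detection example (not SentinelOne tooling) run over a constructed, simplified egress log with the fields timestamp, source host, destination host, HTTP method and bytes sent; the allowlist, hostnames and threshold are assumptions for the example.

```python
"""Flag hosts uploading large volumes to cloud object storage the
organization does not own.

Added example, not vendor tooling. Log format is a constructed simplified
egress/proxy log: timestamp src_host dst_host method bytes_out.
Allowlist, hostnames and threshold are assumptions.
"""
import re
from collections import defaultdict

# Storage endpoints the organization legitimately writes to (assumed).
ALLOWLISTED_HOSTS = {"corpbackup.blob.core.windows.net"}

# Upload volume per (source host, destination) above which we alert.
THRESHOLD_BYTES = 500 * 1024 * 1024

_AZURE_BLOB = re.compile(r"\.blob\.core\.windows\.net$")
# Matches bucket.s3.amazonaws.com, bucket.s3.us-east-1.amazonaws.com
# and the older bucket.s3-us-west-2.amazonaws.com forms.
_AWS_S3 = re.compile(r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

# Constructed sample log (hypothetical hosts; one malformed line on purpose).
SAMPLE_LOG = """\
2024-11-17T02:14:05Z WS-FIN-042 acme-xyz.blob.core.windows.net PUT 734003200
2024-11-17T02:31:48Z WS-FIN-042 acme-xyz.blob.core.windows.net PUT 1288490188
2024-11-17T03:00:00Z SRV-BACKUP-01 corpbackup.blob.core.windows.net PUT 5368709120
2024-11-17T03:05:12Z WS-HR-007 www.example.com GET 4096
2024-11-17T03:10:33Z WS-ENG-013 artifacts.s3.us-east-1.amazonaws.com GET 104857600
2024-11-17T03:12:01Z WS-ENG-013 artifacts.s3.us-east-1.amazonaws.com PUT 52428800
malformed line that a parser must skip
"""


def is_object_storage(host: str) -> bool:
    """True if the destination looks like Azure Blob or Amazon S3."""
    return bool(_AZURE_BLOB.search(host) or _AWS_S3.search(host))


def parse_line(line: str):
    """Parse one log line into a dict, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, src, dst, method, nbytes = parts
    return {"ts": ts, "src": src, "dst": dst.lower(),
            "method": method.upper(), "bytes": int(nbytes)}


def find_exfil_candidates(log_text: str, threshold: int = THRESHOLD_BYTES) -> list[dict]:
    """Sum upload bytes per (src, dst) for non-allowlisted object-storage
    destinations and return the pairs at or above the threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("PUT", "POST"):
            continue  # downloads and unparsable lines are not exfil signal
        if not is_object_storage(rec["dst"]) or rec["dst"] in ALLOWLISTED_HOSTS:
            continue
        totals[(rec["src"], rec["dst"])] += rec["bytes"]
    return [
        {"src": src, "dst": dst, "bytes": n}
        for (src, dst), n in sorted(totals.items())
        if n >= threshold
    ]


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG):
        print(f"ALERT {hit['src']} -> {hit['dst']}: {hit['bytes'] / 2**20:.0f} MiB uploaded")
```

In production the aggregation would be windowed (say, per hour) rather than over the whole file, and a lower-severity "first upload to a never-seen storage account" rule is worth pairing with the volume rule, since the tooling these groups use can throttle transfers below a naive threshold.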
1 week
This comment makes me cringe every time! "The company stated that there is no evidence of significant impacts or customer data compromise." I'd advise never saying this unless you are 100% sure. Nothing erodes trust like having to backtrack on this statement...