CISO Daily Update - November 19, 2024
NEW DEVELOPMENTS
AnnieMac Data Breach Impacts 171,000 People
Source: Security Week
AnnieMac Home Mortgage disclosed a data breach affecting more than 171,000 individuals. The intrusion was detected on August 23, 2024; attackers had unauthorized access to its systems between August 21 and August 23, during which they viewed or copied files containing personal information, including names and Social Security numbers. In response, AnnieMac has enhanced its security measures and is offering free credit monitoring and identity theft protection services. At this time, there is no evidence that the compromised information has been used for identity theft or fraud.
Ford Motor Data Breach, Sensitive Data Allegedly Exposed on Hacking Forums
Source: Cyber Press
Ford Motor Company allegedly suffered a data breach, with sensitive corporate information reportedly circulating on dark web hacking forums. The data may include internal documents, operational details, and potentially customer information. Researchers became aware of the breach when the data was posted on the forums; Ford has not yet confirmed what, if anything, was taken. Analysts urge the company to investigate thoroughly and promptly notify any affected parties.
Space Tech Giant Maxar Confirms Hacker Accessed Employees’ Personal Data
Source: TechCrunch
Maxar Technologies confirmed a data breach involving unauthorized access to the personal information of current and former employees. The intrusion began on October 4, 2024, and was discovered on October 11; the attacker, operating from a Hong Kong-based IP address, had access for roughly a week to a system holding employee names, home addresses, Social Security numbers, and employment details before Maxar secured its network and blocked further access. Maxar notified law enforcement, engaged a cybersecurity firm to investigate, and implemented security measures to address the weaknesses involved.
Ransomware Attack on Oklahoma Medical Center Impacts 133,000
Source: Security Week
Great Plains Regional Medical Center in Oklahoma notified more than 133,000 individuals of a ransomware attack that compromised personal information including names, Social Security numbers, and health details. The attackers were inside the network between September 5 and September 8, 2024, during which they accessed and encrypted files, some of which could not be recovered. The medical center has restored its systems and is offering free credit monitoring. To date, no ransomware group has claimed responsibility for the attack.
Microsoft 365 Admin Portal Abused to Send Sextortion Emails
Source: Bleeping Computer
Cybercriminals abused the Microsoft 365 Admin Portal to send sextortion emails, so that the fraudulent messages arrive from genuine Microsoft infrastructure and pass standard email security checks. Sextortion scams typically claim to hold compromising images or videos of the recipient and demand payment to prevent their release; delivery through a trusted Microsoft 365 channel lends the threat added credibility. Organizations should enforce strict access controls on their Microsoft 365 tenants, monitor for unusual activity within those environments, and educate users on recognizing and reporting suspicious emails, including ones that appear to come from Microsoft itself.
Library of Congress Says an Adversary Hacked Some Emails
Source: Security Week
The Library of Congress reported a breach that compromised email communications between congressional offices and library staff from January to September 2024. The breach did not affect the House and Senate IT networks or the U.S. Copyright Office systems. The library has referred the incident to law enforcement and is implementing measures to prevent a recurrence. An analysis is underway to determine which emails were accessed, and the affected congressional offices and staff will be notified accordingly.
AI Training Software Firm iLearningEngines Says it Lost $250,000 in Recent Cyberattack
Source: TechCrunch
AI training software company iLearningEngines reported a cyberattack resulting in a $250,000 financial loss. The breach involved unauthorized access to the company's financial systems, which led to fraudulent transactions. iLearningEngines has engaged cybersecurity experts to investigate the incident and is implementing enhanced security measures to prevent future breaches. The company is working with law enforcement agencies to identify the attackers.
VULNERABILITIES TO WATCH
Apache HertzBeat Vulnerability Let Attackers Exfiltrate Sensitive Data
Source: Cyber Security News
A recently disclosed vulnerability in Apache HertzBeat (CVE-2024-45791), affecting versions before 1.6.1, exposes sensitive tokens by passing them in HTTP GET query strings, where they can be recorded in web server logs, proxy logs, and browser history. Although classified as low severity, the flaw could allow unauthorized actors who obtain such a token to access confidential data and compromise monitored systems and user information. Security researcher Icaro Torres identified the flaw, prompting a response from the Apache HertzBeat team. Administrators are urged to update installations promptly and follow best practices for securing monitoring environments.
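The practical check after a report like this is whether credential-bearing parameters are reaching your web or proxy logs at all. The following is an added example, not HertzBeat code or the researcher's finding: it scans constructed access-log lines for query-string parameters with credential-like names and reports them with the values redacted. The parameter-name list and the log lines are assumptions for illustration; the report does not give HertzBeat's actual parameter names.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly carry credentials. Assumption for this example:
# HertzBeat's real parameter names are not given in the report, so this list is generic.
SECRET_PARAMS = {"token", "access_token", "apikey", "api_key", "key", "secret", "password", "auth"}

# Constructed sample access-log lines (combined log format), not real HertzBeat traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Nov/2024:08:01:12 +0000] "GET /api/monitor/list?token=eyJhbGciOiJIUzI1NiJ9.abc.def HTTP/1.1" 200 512
10.0.0.7 - - [19/Nov/2024:08:01:15 +0000] "GET /api/alerts?page=1&size=20 HTTP/1.1" 200 2048
10.0.0.9 - - [19/Nov/2024:08:02:01 +0000] "POST /api/account/auth/form HTTP/1.1" 200 128
10.0.0.5 - - [19/Nov/2024:08:03:44 +0000] "GET /api/export?format=json&apiKey=sk_live_0123456789 HTTP/1.1" 200 9000
"""

# Pulls the method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def find_query_secrets(log_text):
    """Return (line_no, method, param, redacted_value) for every request whose query
    string carries a credential-like parameter. Values are redacted to the first four
    characters so the report itself does not become a second copy of the secret."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in SECRET_PARAMS:
                redacted = value[:4] + "..." if len(value) > 4 else "***"
                hits.append((n, m.group("method"), name, redacted))
    return hits

if __name__ == "__main__":
    for hit in find_query_secrets(SAMPLE_LOG):
        print("line %d: %s request carries %s=%s in the query string" % hit)
```

Run it against a day of real access logs before patching: a non-empty result means the tokens are already sitting in log storage and need rotating, not just the software upgrade.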
Zohocorp ManageEngine ADAudit Plus Vulnerable To SQL Injection Attacks
Source: Cyber Security News
Zohocorp disclosed a SQL injection vulnerability (CVE-2024-49574) in ManageEngine ADAudit Plus affecting versions before build 8123. Rated high severity, it lies in the reports module and allows authenticated attackers to execute arbitrary SQL commands, read sensitive database contents, and modify or delete critical data. ManageEngine has released a fix in build 8123. Organizations should back up their current installations, follow the upgrade instructions, and prioritize the update to mitigate potential exploitation.
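As an added illustration of the vulnerability class, not ADAudit Plus code or the actual CVE-2024-49574 payload: a report filter built by string concatenation beside its parameterised form, run against a constructed in-memory SQLite database. The schema, column names and payload are assumptions chosen to show how a filter value in a reporting query turns into a read of an unrelated table.

```python
import sqlite3

def build_db():
    """In-memory stand-in for an audit database (constructed data, not the product's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE logon_events (id INTEGER, username TEXT, result TEXT);
        INSERT INTO logon_events VALUES (1, 'alice', 'success'), (2, 'bob', 'failure');
        CREATE TABLE app_users (login TEXT, password_hash TEXT);
        INSERT INTO app_users VALUES ('admin', 'pbkdf2$deadbeef');
    """)
    return conn

def report_vulnerable(conn, username):
    # The report filter is pasted straight into the statement: the injectable pattern.
    sql = "SELECT username, result FROM logon_events WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def report_fixed(conn, username):
    # Parameterised query: the filter value is bound as data and can never alter the statement.
    sql = "SELECT username, result FROM logon_events WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Constructed payload: closes the string literal, UNIONs in a table the report never
# meant to expose, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT login, password_hash FROM app_users --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", report_vulnerable(db, PAYLOAD))   # leaks app_users rows
    print("fixed:     ", report_fixed(db, PAYLOAD))        # no user named like the payload
```

The fix is not input filtering: the parameterised version returns nothing for the payload because the database compares the whole string as a username, while the concatenated version hands the attacker the `app_users` table with the same two-column shape the report expects.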
Citrix Virtual Apps & Desktops Zero-Day Vulnerability Exploited in the Wild
Source: GB hackers
A critical zero-day vulnerability has been identified in Citrix Virtual Apps and Desktops, a product used to provide secure remote access to desktop applications. The unpatched flaw allows unauthenticated attackers to execute commands remotely, potentially compromising entire servers and every active session on them. It lies in the Session Recording feature, which relies on an insecure .NET deserialization function. Security researchers have released proof-of-concept exploit code, so exposed deployments should be treated as at risk now.
Sonatype Nexus Repository Manager Hit by RCE & XSS Vulnerability
Source: GB Hackers
Sonatype disclosed two critical vulnerabilities in Nexus Repository Manager 2.x OSS/Pro versions up to 2.15.1: CVE-2024-5082 and CVE-2024-5083. CVE-2024-5082 is a remote code execution flaw that allows attackers to run malicious code by publishing specially crafted Maven artifacts. CVE-2024-5083 is a stored cross-site scripting vulnerability that lets attackers embed malicious scripts in Maven artifacts, which execute when an administrator views them. Sonatype urges users to upgrade to version 2.15.2 to mitigate both issues.
SPECIAL REPORTS
US Government Agencies Impersonated in Aggressive DocuSign Phishing Scams
Source: Hackread
Phishing campaigns that impersonate U.S. government agencies through DocuSign surged 98% between November 8 and November 14, 2024. The scams send fraudulent DocuSign signing requests that appear to originate from entities such as the Department of Health and Human Services or the Maryland Department of Transportation, and recipients are tricked into providing sensitive information or authorizing unauthorized transactions. Organizations should implement multi-layered security controls, verify the authenticity of DocuSign requests out of band before acting on them, and educate employees about recognizing phishing attempts.
‘ClickFix’ Cyber-Attacks for Malware Deployment on the Rise
Source: Infosecurity Magazine
Cybersecurity researchers report a rise in "ClickFix" social engineering attacks, in which threat actors use fake error messages to trick users into executing malicious commands themselves. Since March 2024 the tactic has been used by various groups, including a suspected Russian espionage operation targeting Ukrainian organizations, to deploy malware such as AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport. Attackers impersonate legitimate software such as Microsoft Word or Google Chrome, displaying deceptive dialog boxes that instruct users to run harmful PowerShell scripts.