CISO Daily Update - November 20, 2024
NEW DEVELOPMENTS
Ransomware Gang Akira Leaks Unprecedented Number of Victims’ Data in One Day
Source: The Record
The Akira ransomware group posted an unusually large batch of victim data to its darknet leak site, listing 35 organizations in a single day, 32 of which had not been named before. Akira has been active since March 2023 and has extorted roughly $42 million across approximately 250 attacks. The group is known for targeting cloud services and business-sector organizations, primarily in the U.S. Researchers suggest the surge may reflect either aggressive expansion or a backlog of delayed publications; the actual motivation remains unconfirmed. Most of the newly listed victims are in the business services sector, with some based in Canada, Germany, and the U.K.
Threat Actor Turns Thousands of IoT Devices Into Residential Proxies
Source: Security Week
The threat actor Water Barghest has compromised more than 20,000 IoT devices and monetizes them as residential proxies for other threat actors seeking to anonymize their traffic. The operation is highly automated: devices are infected with Ngioweb malware by exploiting vulnerabilities in products from vendors including Cisco, Netgear, and Synology, log files are erased to hinder investigation, and the proxies are sold for cryptocurrency. Compromised devices appear on proxy marketplaces within minutes of infection, generating revenue quickly while keeping the window for detection short. The group has been active since 2018.
Helldown Ransomware Exploits Zyxel VPN Flaw to Breach Networks
Source: Bleeping Computer
The Helldown ransomware operation exploited a vulnerability in Zyxel firewalls (CVE-2024-42057, a command injection in the IPSec VPN component that is exploitable only when the device is configured for user-based PSK authentication) to breach corporate networks, steal data, and encrypt devices. First observed in August 2024, Helldown primarily targets small and medium-sized firms in the U.S. and Europe. Observed tactics include creating rogue accounts on the compromised firewall, using the VPN access for lateral movement, and disabling defenses before encryption; its Windows encryptor is based on the leaked LockBit 3 builder.
Spotify Abused to Promote Pirated Software and Game Cheats
Source: Bleeping Computer
Cybercriminals are abusing Spotify playlists and podcasts to promote pirated software, game cheats, and scam links. By stuffing playlist titles and podcast descriptions with targeted keywords and URLs, they piggyback on Spotify's reputation and on search-engine indexing of its pages to boost visibility. Users who follow the links risk malware, adware, or fraudulent surveys. Spotify has removed some of the flagged content, citing its rules against malicious and deceptive practices.
Phobos Ransomware Administrator Faces US Cybercrime Charges
Source: Help Net Security
The U.S. Department of Justice has charged Evgenii Ptitsyn, a 42-year-old Russian national, with administering the Phobos ransomware operation, which extorted more than $16 million from over 1,000 victims worldwide. Extradited from South Korea, Ptitsyn made his initial appearance in a Maryland federal court on November 4. Since 2020 he allegedly sold affiliates access to the ransomware on darknet forums, enabling them to steal and encrypt victims' data and demand ransom under threat of publication. Ptitsyn faces 13 counts, including wire fraud and computer hacking charges, carrying maximum penalties of 20 years per wire fraud count and 10 years per hacking count.
VULNERABILITIES TO WATCH
VMware Virtual Machines Under Attack: Hackers Exploit Critical vCenter Server Flaw
Source: Cybernews
Broadcom has updated its advisory to confirm active exploitation of two vulnerabilities in VMware vCenter Server: a critical heap-overflow remote code execution flaw (CVE-2024-38812) and a privilege-escalation flaw (CVE-2024-38813). Both are reachable by an attacker with network access to the vCenter service, so an unpatched vCenter Server exposes the management plane of the entire virtual estate. Administrators should apply the latest fixed builds; Broadcom's initial September patches for CVE-2024-38812 were incomplete and were reissued in October, so verify that the installed build is the current one rather than assuming an earlier update closed the hole.
Critical Windows Kerberos Flaw Exposes Millions of Servers to Attack
Source: Hackread
A critical vulnerability in the Windows implementation of the Kerberos authentication protocol, CVE-2024-43639 (CVSS 9.8), could expose millions of Windows servers to unauthenticated remote code execution. An attacker triggers it by sending crafted requests to a vulnerable system; no user interaction or prior authentication is required. Microsoft fixed the flaw in the November 2024 Patch Tuesday release, and administrators should deploy the update promptly on all affected servers.
D-Link Urges Users to Retire VPN Routers Impacted by Unfixed RCE Flaw
Source: Bleeping Computer
D-Link urges users to replace end-of-life VPN routers, including the DSR-150, DSR-150N, DSR-250, and DSR-250N models, after a critical remote code execution (RCE) vulnerability was reported that will not be patched because the devices are no longer supported. The flaw, reported by the security researcher 'delsploit', affects firmware versions 3.13 through 3.17B901C. D-Link notes that continuing to run these unsupported routers increases exposure to exploitation, and advises users to retire them in favor of newer, supported models.
Vulnerable Jupyter Servers Targeted for Sports Piracy
Source: Security Week
Misconfigured JupyterLab and Jupyter Notebook servers are being exploited to stream pirated sports content. Researchers at Aqua Security observed attackers logging into servers exposed to the internet without authentication, installing FFmpeg, and redirecting live sports streams to their own platforms, earning advertising revenue at the expense of the legitimate broadcasters. Because an unauthenticated Jupyter server hands out an interactive terminal, the same access could just as easily be used for cryptomining, data theft, or lateral movement. Operators should bind Jupyter to localhost or place it behind an authenticating proxy, enforce token or password authentication, disable web terminals where they are not needed, and monitor for unexpected package installs and outbound streaming traffic.
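As an added example (not code from Aqua Security, Project Jupyter, or the article), the following Python script loads a Jupyter Server configuration file the same way Jupyter itself does, by exec()ing it against a config object, and flags the settings that made these servers easy targets: an open bind address, no authentication, root execution, and reachable web terminals. The two embedded configs are constructed for illustration; the option names are Jupyter Server 2.x traitlets (ServerApp.ip, IdentityProvider.token, PasswordIdentityProvider.hashed_password, ServerApp.terminals_enabled), and the default values the audit assumes when an option is absent are noted in comments.

```python
"""Audit a Jupyter Server config for the exposures abused in the streaming-piracy
campaign. Added example, not Jupyter's or Aqua Security's code; configs below are
constructed, and option names follow Jupyter Server 2.x traitlets."""

WEAK_CONFIG = '''
# Constructed example of a typical "just make it reachable" setup.
c.ServerApp.ip = "0.0.0.0"              # listens on every interface
c.ServerApp.allow_remote_access = True
c.ServerApp.allow_root = True
c.IdentityProvider.token = ""           # empty token = no authentication at all
c.ServerApp.terminals_enabled = True    # web terminal: pip, apt, ffmpeg, ...
'''

HARDENED_CONFIG = '''
# Constructed hardened counterpart: loopback only, password auth, no terminals.
c.ServerApp.ip = "127.0.0.1"            # reach it via SSH tunnel or an auth proxy
c.ServerApp.allow_remote_access = False
c.ServerApp.allow_root = False
# Placeholder hash; generate a real one with: jupyter server password
c.PasswordIdentityProvider.hashed_password = "argon2:PLACEHOLDER_HASH"
c.ServerApp.terminals_enabled = False
'''


class _Section:
    """Records `c.<Section>.<option> = value` assignments without importing Jupyter."""

    def __init__(self, name, store):
        object.__setattr__(self, "_name", name)
        object.__setattr__(self, "_store", store)

    def __setattr__(self, option, value):
        self._store[f"{self._name}.{option}"] = value


class _ConfigRoot:
    """Stand-in for the `c` object Jupyter injects when it exec()s the config file."""

    def __init__(self):
        self.store = {}

    def __getattr__(self, section):
        return _Section(section, self.store)


def load_config(text):
    """Evaluate config text as Jupyter does (it exec()s the file) and return a flat
    {"Section.option": value} mapping. Only run this on config you trust."""
    root = _ConfigRoot()
    exec(text, {"c": root})
    return root.store


def audit(settings):
    """Return findings matching the abuse pattern: exposed, unauthenticated, terminal."""
    findings = []
    # Assumed Jupyter Server defaults: ip="localhost", terminals on, root disallowed.
    if settings.get("ServerApp.ip", "localhost") in ("", "0.0.0.0", "::", "*"):
        findings.append("bound to all interfaces")
    if settings.get("ServerApp.allow_remote_access") is True:
        findings.append("remote access allowed")
    # Token auth is on by default (random token); only an explicit "" disables it.
    token = settings.get("IdentityProvider.token", settings.get("ServerApp.token"))
    password = (settings.get("PasswordIdentityProvider.hashed_password")
                or settings.get("ServerApp.password"))
    if token == "" and not password:
        findings.append("no authentication (empty token, no password)")
    if settings.get("ServerApp.allow_root") is True:
        findings.append("runs as root")
    if settings.get("ServerApp.terminals_enabled", True) is True:
        findings.append("web terminals enabled")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(load_config(text)) or ['no findings']}")
```

Run it against your own jupyter_server_config.py by passing the file contents to load_config; a server that produces the "no authentication" or "bound to all interfaces" finding is in the same state as the servers Aqua Security saw hijacked, and disabling terminals removes the shell the attackers used to install FFmpeg even if authentication is later misconfigured.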
CISA Adds Progress Kemp LoadMaster, Palo Alto Networks PAN-OS, and Expedition Bugs to Its Known Exploited Vulnerabilities Catalog
Source: Security Affairs
CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-1212, CVE-2024-0012, and CVE-2024-9474. These flaws affect Progress Kemp LoadMaster and Palo Alto Networks PAN-OS and Expedition. CVE-2024-1212 enables unauthenticated attackers to execute system commands on Progress Kemp LoadMaster devices, CVE-2024-0012 allows attackers to bypass authentication on the PAN-OS management web interface and gain administrative access, and CVE-2024-9474 lets an administrator escalate privileges to root on PAN-OS firewalls. Chained, the two PAN-OS flaws give an unauthenticated attacker root on the firewall, which is why Palo Alto Networks advises restricting management interface access to trusted internal IP addresses. Federal agencies must address these vulnerabilities by December 5, 2024, and private organizations are urged to review and mitigate the same risks.
Oracle Patches Exploited Agile PLM Vulnerability (CVE-2024-21287)
Source: Help Net Security
Oracle issued a security patch for CVE-2024-21287, a critical vulnerability in the Oracle Agile PLM Framework that is being actively exploited. The flaw affects version 9.3.6 of the Agile PLM Framework, specifically the Agile Software Development Kit and Process Extension components, and allows an unauthenticated remote attacker with HTTP or HTTPS access to read sensitive data. Oracle strongly advises customers to apply the update promptly.
SPECIAL REPORTS
Google Report Shows CISOs Must Embrace Change to Stay Secure
Source: Help Net Security
A Google report produced with Hypothesis Group highlights the inadequacy of traditional security measures against evolving threats. 96% of security leaders express confidence in managing their environments, yet 63% admit their security posture has weakened because of hybrid work models and generative AI adoption. The study finds that 61% of companies now use more security tools than two years ago, but this has not reduced incidents or costs; organizations with ten or more tools report higher incident rates and expenses than those with fewer. Mid-sized enterprises are particularly exposed because of outdated technologies and are increasingly open to cloud-native, unified security solutions. The report urges Chief Information Security Officers to consolidate tools and adopt secure-by-design strategies instead of incremental fixes.
Ransomware Gangs on Recruitment Drive for Pen Testers
Source: Infosecurity Magazine
Ransomware gangs are recruiting penetration testers to strengthen their attacks, according to Cato Networks' Q3 2024 report. Job postings on the Russian Anonymous Marketplace (RAMP) seek experienced testers to verify that ransomware payloads will deploy successfully against target environments. The trend illustrates the growing professionalization of ransomware-as-a-service (RaaS) operations, where assets such as locker source code change hands for $45,000, lowering the barrier to entry for less skilled criminals. Organizations should assume their defenses will be probed with the same rigor a legitimate pentest would apply.
Companies Take Over Seven Months to Recover From Cyber Incidents
Source: Infosecurity Magazine
A Fastly report reveals organizations take an average of 7.34 months to fully recover from cybersecurity incidents–significantly longer than the 5.85 months predicted by IT decision-makers (ITDMs). Recovery activities include implementing stronger security measures (43%), offering employee training (41%), restoring backups (38%), stakeholder communication (34%), and forensic analysis (25%). Companies reducing cybersecurity investments face even longer recovery times, averaging 10.88 months. 86% of respondents have improved patch deployment processes following high-profile incidents.
Cyber Resilience Thought Leader | CEO, Cyber Risk Opportunities | Cybersecurity LinkedIn Learning Course Instructor | Co-host Cyber Risk Management Podcast | Amazon Best Selling Author | International Keynote Speaker
2 days ago
The story out of Infosecurity Magazine is particularly useful in my ongoing efforts to educate senior decision makers about the high levels of sophistication many cyber-attackers operate at: "Ransomware gangs are recruiting penetration testers to strengthen their attacks, as revealed in Cato Networks' Q3 2024 report." Thanks Marcos Christodonte II and Beth Maundrill and Cato Networks!