CISO Daily Update - November 22, 2024
NEW DEVELOPMENTS
120 Million URL Login-Password Combinations Surfaced on Dark Web Platforms
Source: Cyber Press
A significant data breach exposed 140 million URL-specific login credentials on the dark web. The compromised database includes usernames and passwords linked to various websites and online services. Cybercriminals can exploit this information for account takeovers, identity theft, financial fraud, and phishing attacks.
Wexford County Computer Systems Returning After Cyberattack Forced Shutdown
Source: UpNorthLive ABC 7
Wexford County's computer systems are gradually being restored following a recent cyberattack that forced a shutdown of online services. The incident was discovered Tuesday morning, prompting officials to take systems offline to assess the damage and ensure data security. While several county phones and computer systems were affected, emergency dispatch services remained operational. The county is working to bring all systems back online securely.
Operation Shipwrecked: US Seizes PopeyeTools Marketplace, Charges 3
Source: Hackread
The U.S. Department of Justice dismantled PopeyeTools, a cybercriminal marketplace that facilitated illicit activities such as the sale of stolen financial data, hacking tools, and fraud tutorials. Since 2016, the platform served over 227,000 customers and generated $1.7 million in revenue by providing access to compromised information and verification services for stolen data. Abdul Ghaffar and Abdul Sami of Pakistan and Javed Mirza of Afghanistan face access device fraud charges, each carrying a potential 10-year prison sentence. The FBI seized the PopeyeTools website and confiscated $283,000 in cryptocurrency linked to the operation.
Two Brothers Indicted for Operating Illegal Sports Streaming Service That Netted $7 Million
Source: The Record
Two brothers, Noor Nabi Chowdhury and Mohammad Rahman, were charged with operating 247TVStream, an illegal sports streaming service that generated over $7 million in revenue from May 2017 to November 2024. They charged subscribers $10 per month for live sports and television content, allegedly relying on legitimate streaming accounts redistributed without authorization. Losses to copyright owners reportedly exceeded $100 million. Chowdhury was arrested in New York, while Rahman remains at large. Both face charges of conspiracy, wire fraud, and aggravated identity theft, with potential sentences of up to 28 years. Authorities have seized associated domain names and worked with international partners to dismantle the operation's infrastructure.
Microsoft Disrupts Onnx Phishing-as-a-Service Infrastructure
Source: Bleeping Computer
Microsoft disrupted the ONNX phishing-as-a-service (PhaaS) platform, seizing over 240 domains used for global phishing campaigns since 2017. Also known as Caffeine and FUHRER, ONNX facilitated attacks targeting Microsoft 365 accounts and distributed millions of phishing emails monthly. The platform provided phishing kits that impersonated companies like Google and Dropbox and enabled attackers to bypass two-factor authentication via Telegram-controlled bots. Subscription packages ranged from $150 to $550 per month and were sold through Telegram channels. Microsoft's actions aim to dismantle ONNX's infrastructure and reduce the impact of widespread phishing campaigns.
Five Alleged Members of Scattered Spider Cybercrime Group Charged for Breaches, Theft of $11 Million
Source: The Record
U.S. prosecutors charged five individuals linked to the Scattered Spider cybercriminal group with allegedly breaching multiple U.S. companies and stealing $11 million in cryptocurrency. The group used phishing attacks to trick employees into revealing login credentials, gaining access to sensitive corporate and customer data. Victims included organizations in gaming, telecommunications, and cryptocurrency. The defendants face charges of conspiracy, aggravated identity theft, and wire fraud. Authorities are working to extradite one suspect from Spain. Investigations continue into the group's activities from September 2021 to April 2023.
VULNERABILITIES TO WATCH
Palo Alto Networks Warns Hackers Are Breaking Into Its Customers’ Firewalls — Again
Source: TechCrunch
Palo Alto Networks identified two critical zero-day vulnerabilities in its Next-Generation Firewalls that are being actively exploited. The first, CVE-2024-0012, is an authentication bypass in the PAN-OS management web interface, allowing remote attackers to gain administrator privileges without authentication or user interaction. The second, CVE-2024-9474, is a privilege escalation flaw that lets a malicious administrator execute actions with root privileges on the firewall. The company released security updates for both vulnerabilities and strongly advises customers to apply them promptly. Palo Alto Networks also recommends restricting access to the management interface to trusted internal IP addresses to reduce exposure.
Exploitation Attempts Target Citrix Session Recording Vulnerabilities
Source: Security Week
Citrix released patches for two vulnerabilities, CVE-2024-8068 and CVE-2024-8069, in its Session Recording component; they allow authenticated attackers to escalate privileges and execute limited remote code. Security researchers at watchTowr disclosed technical details and a proof-of-concept exploit on November 12, 2024. Despite Citrix's medium severity rating, the disclosure was followed by exploitation attempts. Citrix will issue an advisory urging users to update their systems promptly.
Critical AnyDesk Vulnerability Let Attackers Uncover User IP Address
Source: Cyber Security News
A critical vulnerability in AnyDesk, identified as CVE-2024-52940, allows attackers to expose users' IP addresses by abusing the "Allow Direct Connections" feature. The flaw affects AnyDesk versions 8.1.0 and earlier on Windows and lets attackers retrieve a user's public IP address using only their AnyDesk ID, and potentially private IP addresses on local networks. With a CVSS score of 7.5, this vulnerability poses significant privacy risks, including tracking, targeted attacks, and bypassing IP-based security controls. AnyDesk has yet to release a patch. Users are advised to disable the feature, use VPNs, monitor connections, and watch for updates.
macOS WorkflowKit Race Vulnerability Let Malicious Apps Intercept Shortcuts
Source: Cyber Security News
A critical vulnerability in macOS's WorkflowKit framework allows attackers to execute arbitrary code with elevated privileges. The flaw, present in versions before macOS 14.2, stems from a race condition during the processing of workflow files. Exploiting it lets unauthorized users gain root access. Apple addressed the issue in macOS 14.2 with improved checks. Users are strongly advised to update their systems promptly.
Google's AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects
Source: The Hacker News
Google's AI-enhanced OSS-Fuzz tool identified 26 vulnerabilities across various open-source projects, including a medium-severity flaw in the OpenSSL cryptographic library. That vulnerability, CVE-2024-9143, is an out-of-bounds memory write that could lead to application crashes or remote code execution. The flaw had been present in the codebase for approximately two decades and was discovered using AI-generated fuzz targets, which improved code coverage across 272 C/C++ projects by adding over 370,000 lines of new code.
Critical Kubernetes Vulnerability Let Attackers Execute Arbitrary Commands
Source: Cyber Security News
A critical security vulnerability (CVE-2024-9486) was discovered in Kubernetes' Image Builder project. The flaw allows unauthorized users to gain root access via SSH to virtual machines built with affected versions of Image Builder. It specifically impacts VM images created using the Proxmox provider in Image Builder versions 0.1.37 and earlier. To mitigate the risk, update to Image Builder version 0.1.38 or later and rebuild and redeploy any VMs created with the affected versions. Disabling the 'builder' account on existing VMs can serve as a temporary safeguard until they are replaced.
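The temporary safeguard above (disabling the 'builder' account on VMs built with an affected Image Builder) is easy to audit at scale. The following shell script is an added example, not code from the newsletter or from the Kubernetes Image Builder project: it checks whether an account named 'builder' exists on a Linux VM and whether its password is already locked, and offers a lock helper. It assumes a standard /etc/passwd and /etc/shadow layout and that `usermod` is available; the sample passwd/shadow entries it uses for the demo are constructed and contain no real hashes.

```shell
#!/bin/sh
# Added example (not from the newsletter or the Kubernetes project): audit a VM for
# the 'builder' account named in the advisory and report whether it is present and
# whether its password is locked. Assumes standard /etc/passwd and /etc/shadow files.

# Returns 0 if the account exists in the passwd file, 1 otherwise.
account_exists() {
    account="$1"; passwd_file="${2:-/etc/passwd}"
    grep -q "^${account}:" "$passwd_file"
}

# Returns 0 if the account's password field in the shadow file is locked
# (starts with '!' or '*'), 1 if it holds a usable hash, 2 if no shadow entry.
password_locked() {
    account="$1"; shadow_file="${2:-/etc/shadow}"
    pwhash=$(awk -F: -v u="$account" '$1 == u { print $2 }' "$shadow_file")
    [ -n "$pwhash" ] || return 2
    case "$pwhash" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Lock the account's password (needs root), then verify the lock took effect.
lock_account() {
    usermod -L "$1" && password_locked "$1"
}

# Print one word describing the account's state: absent, locked, or active.
# An account present in passwd but missing from shadow is reported as active,
# because nothing proves its password is unusable.
audit_builder() {
    account="${1:-builder}"
    passwd_file="${2:-/etc/passwd}"; shadow_file="${3:-/etc/shadow}"
    if ! account_exists "$account" "$passwd_file"; then
        echo "absent"; return 0
    fi
    if password_locked "$account" "$shadow_file"; then
        echo "locked"
    else
        echo "active"
    fi
}

# Write constructed sample passwd/shadow files (fake hashes) for an offline demo
# and print the directory that holds them.
write_sample_files() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nbuilder:x:1001:1001::/home/builder:/bin/sh\n' > "$dir/passwd"
    printf 'root:!:19000:0:99999:7:::\nbuilder:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n' > "$dir/shadow"
    echo "$dir"
}

# Demo against the constructed files rather than the live system, so it runs
# without root. On a real VM call: audit_builder builder
sample_dir=$(write_sample_files)
echo "builder account state on sample VM: $(audit_builder builder "$sample_dir/passwd" "$sample_dir/shadow")"
rm -rf "$sample_dir"
```

On a real VM, run `audit_builder builder` as root and, where it reports `active`, `lock_account builder`; the script only locks the password, so a VM that also carries an SSH key for that account should still be rebuilt from a fixed image rather than kept in service.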
SPECIAL REPORTS
MITRE Updates List of 25 Most Dangerous Software Vulnerabilities
Source: Security Week
MITRE's updated CWE Top 25 Most Dangerous Software Weaknesses ranks cross-site scripting (XSS) as the top weakness, surpassing out-of-bounds write flaws, with SQL injection remaining in third place. Rising entries include cross-site request forgery (CSRF), path traversal, and out-of-bounds read, while exposure of sensitive information and uncontrolled resource consumption have newly entered the list. CISA and MITRE advise organizations to prioritize these weaknesses in development and procurement processes, adopt Secure by Design practices, and integrate the CWE Top 25 into their vulnerability management strategies.
ICS Security: 145,000 Systems Exposed to Web, Many Industrial Firms Hit by Attacks
Source: Security Week
A recent report by Censys reveals that over 145,000 industrial control systems are exposed to the Internet across 175 countries, with 38% located in North America, 35% in Europe, and 22% in Asia. In the United States, approximately 48,000 ICS devices are accessible online. These systems communicate over common protocols such as Modbus, Fox, BACnet, Wind River, EIP, Siemens, and IEC 60870-5-104. Many exposed ICS devices are human-machine interfaces, which are particularly vulnerable and commonly targeted by threat actors. Censys found that 34% of HMIs accessible via the C-More protocol are associated with water systems, a sector often targeted in cyberattacks; another 23% are used in the agriculture sector.