CISO Daily Update - October 31, 2024
NEW DEVELOPMENTS
Malware Campaign Expands Its Use of Fake CAPTCHAs
Source: The Record
A recent malware campaign is using fake CAPTCHA tests to lure users into downloading malware, taking advantage of their habit of quickly clicking through verification prompts. Kaspersky researchers report that the campaign targets users via ads on adult sites, file-sharing platforms, betting sites, and other high-traffic websites. When users click “I’m not a robot,” they unknowingly trigger malware downloads such as the Lumma infostealer and the Amadey botnet. Lumma, a malware-as-a-service, steals data from cryptocurrency wallets, browser credentials, and password managers. Amadey adds capabilities such as taking screenshots and downloading remote access tools for deeper control of the infected machine.
DarkRaaS Ransomware Group Allegedly Selling Login Access to Oil & Gas Company
Source: Cyber Press
The ransomware group DarkRaaS is reportedly selling unauthorized login access to an unidentified oil and gas company. This access could allow cybercriminals to disrupt operations, steal sensitive data, or cause long-term financial and reputational harm. This matter is being monitored for more details.
Colorado Accidentally Put Voting System Passwords Online, but Officials Say Election Is Secure
Source: Security Week
Colorado election officials have confirmed that voting system passwords were accidentally posted on the Colorado Secretary of State’s website for several months but were quickly removed upon discovery. Despite the mishap, officials assured the public that this incident does not threaten election integrity, as the passwords are only one layer in a multi-tiered security system requiring dual authentication, with each password managed by different parties. Colorado Secretary of State Jena Griswold stated that her office is investigating the incident, changing passwords, and reviewing access logs.
Android Malware “FakeCall” Now Reroutes Bank Calls to Attackers
Source: Bleeping Computer
The latest version of the Android malware FakeCall intercepts outgoing calls from victims attempting to reach their banks, redirecting them to attackers instead. Since its detection in 2022, FakeCall has evolved from displaying fake bank interfaces to hijacking the default call handler, allowing attackers to impersonate bank representatives during live calls. Analyzed by Zimperium, this advanced banking trojan also exploits Android’s Accessibility Service to control devices, capture audio and video, gather sensitive data, and execute commands like unlocking screens, taking screenshots, and deleting files. Security experts advise Android users to avoid installing APKs and stick to Google Play for app downloads.
Ransomware Hits Web Hosting Servers via Vulnerable CyberPanel Instances
Source: Help Net Security
Ransomware compromised around 22,000 CyberPanel servers used in web hosting by exploiting two command injection vulnerabilities (CVE-2024-51378 and CVE-2024-51567) in CyberPanel versions 2.3.6 and 2.3.7. These flaws allow remote command execution and authentication bypass. Attackers quickly took advantage of the vulnerabilities—disclosed soon after patches were posted but before the new version was released—encrypting files on servers with extensions like .psaux, .encryp, and .locked. While cybersecurity firm LeakIX has developed a decryptor for .psaux-encrypted files, users are urged to apply patches immediately.
Hackers Steal 15,000 Cloud Credentials From Exposed Git Config Files
Source: Bleeping Computer
The large-scale operation EmeraldWhale has targeted over 15,000 cloud credentials by scanning for exposed Git configuration files and exploiting private repositories on platforms like GitHub, GitLab, and BitBucket. Hackers used tools like httpx and Masscan to scan 500 million IP addresses, searching for exposed Git config and Laravel .env files and harvesting credentials that enabled access to sensitive data and were used for phishing and further data theft. Sysdig uncovered one terabyte of stolen data, compromising 28,000 Git repositories and 6,000 GitHub tokens. Developers are advised to use secret management tools and environment variables to enhance security.
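The practical check behind this item is whether your own web roots contain the files EmeraldWhale was hunting for. The script below is an added example, not code from the article or from Sysdig: it walks a directory tree the way a web server would expose it, flags any .git/config or .env-style file, and then reports which of those files actually carry credentials (a remote URL with an embedded user:token pair, or an environment key with a secret-looking name and a non-empty value). The sample web root, file contents, and the SECRET_KEY_RE heuristic are constructed for the example.

```python
"""Defensive check: find web-root files that would leak secrets if served.

Added example (not from the article or from Sysdig). Sample files below
are constructed; the secret-name heuristic is an assumption, tune it.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

# File and directory names that must never sit inside a served directory.
SENSITIVE_NAMES = {".env", ".env.local", ".env.production"}
SENSITIVE_DIRS = {".git"}

# Environment keys that usually hold credentials (constructed heuristic).
SECRET_KEY_RE = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE)", re.I)


def find_exposed_sensitive_files(webroot):
    """Return sorted relative paths of .git/config and .env-style files under webroot."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot)
        for d in dirnames:
            if d in SENSITIVE_DIRS:
                cfg = os.path.join(dirpath, d, "config")
                if os.path.isfile(cfg):
                    hits.append(os.path.normpath(os.path.join(rel, d, "config")))
        for f in filenames:
            if f in SENSITIVE_NAMES:
                hits.append(os.path.normpath(os.path.join(rel, f)))
    return sorted(hits)


def remotes_with_embedded_credentials(git_config_text):
    """Return (remote_name, username) for every url= line of the form scheme://user:secret@host/..."""
    found = []
    section = None
    for line in git_config_text.splitlines():
        line = line.strip()
        m = re.match(r'\[remote "([^"]+)"\]', line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("["):
            section = None  # left the remote section
            continue
        if section and line.startswith("url"):
            url = line.split("=", 1)[1].strip()
            parts = urlsplit(url)
            if parts.username and parts.password:
                found.append((section, parts.username))
    return found


def secret_keys_in_env(env_text):
    """Return KEY names whose name looks secret-bearing and whose value is non-empty."""
    keys = []
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if SECRET_KEY_RE.search(key) and value.strip().strip('"\''):
            keys.append(key)
    return keys


# Constructed sample contents: a CI token baked into the origin URL, and a
# Laravel-style .env with two populated secrets and one empty one.
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://ci-bot:ghp_EXAMPLEtoken@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

SAMPLE_ENV = """APP_ENV=production
APP_KEY=base64:EXAMPLEKEYVALUE
DB_PASSWORD=s3cret-example
AWS_SECRET_ACCESS_KEY=
MAIL_HOST=smtp.example.com
"""


def build_sample_webroot():
    """Create a temporary, constructed web root containing the leaked files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write(SAMPLE_GIT_CONFIG)
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write(SAMPLE_ENV)
    os.makedirs(os.path.join(root, "public"))
    with open(os.path.join(root, "public", "index.html"), "w") as fh:
        fh.write("<html></html>")
    return root


def audit_webroot(webroot):
    """Return {relative_path: findings} for every exposed sensitive file."""
    report = {}
    for rel in find_exposed_sensitive_files(webroot):
        with open(os.path.join(webroot, rel)) as fh:
            text = fh.read()
        if rel.endswith(os.path.join(".git", "config")):
            report[rel] = remotes_with_embedded_credentials(text)
        else:
            report[rel] = secret_keys_in_env(text)
    return report


if __name__ == "__main__":
    for path, findings in audit_webroot(build_sample_webroot()).items():
        print(f"{path}: {findings}")
```

Run it against the real document root of each host (or the deploy artifact before it ships); any hit is a file to delete or move out of the served tree, and any credential it reports is one to rotate, since the file may already have been fetched. The remote-URL check matters because a cloned repository silently records a token used on the command line into .git/config.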
VULNERABILITIES TO WATCH
QNAP Patches Second Zero-Day Exploited at Pwn2Own to Get Root
Source: Bleeping Computer
QNAP has patched a second critical zero-day vulnerability (CVE-2024-50387), which was exploited to gain root access on QNAP NAS devices during Pwn2Own Ireland 2024. This SQL injection flaw in QNAP's SMB Service was patched just a week after researchers used it to take over a TS-464 NAS device. This patch and a recent fix for another zero-day in the HBS 3 Hybrid Backup Sync reflect QNAP's proactive response following Pwn2Own, where over 70 vulnerabilities were disclosed. Given that QNAP devices are frequent ransomware targets for groups like eCh0raix and AgeLocker, administrators are urged to update immediately to reduce the risks of ransomware and data theft.
Google Patches Critical Chrome Vulnerability Reported by Apple
Source: Security Week
Google patched CVE-2024-10487, a critical vulnerability in Chrome’s WebGPU implementation reported by Apple’s Security Engineering and Architecture team. This out-of-bounds write flaw in Dawn could allow arbitrary code execution if exploited. The release also addresses CVE-2024-10488, a high-severity use-after-free vulnerability in WebRTC. At the same time, Mozilla issued updates for Firefox and Thunderbird, fixing 11 vulnerabilities, including two high-severity issues that could lead to permission leaks between sites and exploitable crashes. Users should update to the latest versions to guard against potential threats.
IBM Flexible Service Processor Vulnerability Lets Attackers Gain Service Privileges
Source: Cyber Security News
IBM identified a critical vulnerability in its Flexible Service Processor (FSP), CVE-2024-45656, which could grant unauthorized network access to service privileges on affected IBM Power Systems. With a CVSS score of 9.8, the flaw impacts Power10, Power9, and Power8 servers and stems from static credentials in the FSP. IBM has issued security patches, urging Power10 users to update to firmware FW1030.62 or later, Power9 to FW950.C1, and Power8 to FW860.B4. Organizations using IBM Power Systems should prioritize these updates immediately, as no workarounds exist.
LiteSpeed Cache Plugin Vulnerability Poses Admin Access Risk
Source: Infosecurity Magazine
A newly discovered vulnerability in the widely used LiteSpeed Cache plugin for WordPress, active on over 6 million sites, lets unauthenticated visitors gain administrator access by exploiting weak security hash checks in the plugin’s role simulation feature. Labeled CVE-2024-50550, this flaw allows attackers to bypass critical security checks, especially when the Crawler feature is enabled with certain configurations. LiteSpeed has removed the vulnerable role simulation feature and reinforced hash generation in version 6.5.2, which all users should install immediately.
Opera Browser Fixes Big Security Hole That Could Have Exposed Your Information
Source: The Hacker News
Opera patched a security flaw in its browser, known as "CrossBarking," after researchers discovered it allowed malicious extensions to access private APIs. This vulnerability enabled capturing screenshots, altering browser settings, and hijacking accounts. The flaw originated from Opera's publicly accessible subdomains with privileged API access, which were exploited through content scripts injecting malicious JavaScript. This incident calls for stricter vetting, monitoring, and developer identity verification in extension stores.
SPECIAL REPORTS
Over Half of US County Websites “Could Be Spoofed”
Source: Infosecurity Magazine
A Comparitech study reveals that over half of U.S. county websites still use non-.gov domains, increasing their vulnerability to spoofing and disinformation campaigns as election season approaches. Among 3,144 county sites analyzed, 57% operate without .gov domains, making them easier targets for threat actors. Additionally, 85 sites lack SSL certificates, and nearly 41% of counties don’t use DMARC email authentication, leaving official emails open to phishing risks. The threat is particularly high in key swing states, with 72% of Michigan counties using non-.gov domains. Security experts advise voters to verify information on official state websites to avoid misleading or malicious sources.
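The DMARC figure in this study is the kind of thing an organization can measure for its own domains in minutes. The code below is an added example, not the study's methodology: given the TXT strings published at _dmarc.<domain>, it applies the RFC 7489 rules that decide whether a record actually protects the domain (exactly one v=DMARC1 record, a valid p= tag, pct defaulting to 100, sp defaulting to p) and returns a verdict suitable for a dashboard. The domain names and records are constructed; a live audit would feed it the TXT answers from a resolver.

```python
"""Rate a domain's DMARC posture from its _dmarc TXT record(s).

Added example, not from the Comparitech study. Domains and records below
are constructed; replace SAMPLE_ZONES with real TXT lookups to use it.
"""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records):
    """Return (verdict, detail) for the TXT records found at _dmarc.<domain>.

    Verdicts: 'missing', 'invalid', 'monitor-only', 'partial', 'enforced'.
    """
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing", "no v=DMARC1 record published"
    if len(dmarc) > 1:
        # RFC 7489 section 6.6.3: more than one record and receivers discard DMARC.
        return "invalid", "multiple DMARC records; receivers ignore all of them"
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", "missing or unknown p= tag"
    try:
        pct = int(tags.get("pct", "100"))  # RFC default is 100
    except ValueError:
        return "invalid", "pct= is not an integer"
    if policy == "none":
        return "monitor-only", "p=none: failing mail is reported but still delivered"
    if pct < 100:
        return "partial", f"p={policy} applied to only {pct}% of failing mail"
    subpolicy = tags.get("sp", policy).lower()  # sp defaults to p
    if subpolicy == "none":
        return "partial", f"p={policy} but sp=none leaves subdomains unprotected"
    return "enforced", f"p={policy} for the domain and its subdomains"


def audit_all(zones):
    """Map each domain to its verdict; zones is {domain: [TXT strings at _dmarc]}."""
    return {domain: assess_dmarc(records)[0] for domain, records in zones.items()}


# Constructed sample: what a county-domain survey might find.
SAMPLE_ZONES = {
    "county-a.example": [],                                            # nothing published
    "county-b.example": ["v=spf1 include:_spf.example.net -all"],      # wrong record type
    "county-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@county-c.example"],
    "county-d.example": ["v=DMARC1; p=quarantine; pct=25"],
    "county-e.example": ["v=DMARC1; p=reject; sp=none"],
    "county-f.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@county-f.example"],
    "county-g.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],   # two records
}


if __name__ == "__main__":
    for domain, records in SAMPLE_ZONES.items():
        verdict, detail = assess_dmarc(records)
        print(f"{domain:20} {verdict:13} {detail}")
```

The point of separating "monitor-only" and "partial" from "enforced" is that a published record is not the same as protection: p=none, a pct below 100, or sp=none all still let spoofed mail through to some degree, so a survey that only counts the presence of a record overstates coverage. To run this live, resolve the TXT records for "_dmarc." + domain (for example with dnspython's dns.resolver.resolve) and pass the decoded strings in as the list.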
CISA Launches First International Cybersecurity Plan
Source: Infosecurity Magazine
The US Cybersecurity and Infrastructure Security Agency (CISA) has launched its first international strategic plan to boost global cooperation in protecting critical infrastructure from cyber threats. The 2025-2026 plan focuses on building resilience across international networks that impact US critical systems, strengthening global cybersecurity standards, and improving CISA’s coordination of international efforts. Key objectives include identifying critical foreign systems, developing risk strategies, enhancing cybersecurity partnerships, promoting responsible cyber practices, and preparing CISA’s workforce for global deployments.
Poor Vulnerability Management Could Indicate Larger Cyber Governance Issues, S&P Says
Source: Cybersecurity Dive
Poor vulnerability management may signal deeper cybersecurity governance issues, according to S&P Global Ratings. In a recent report, S&P warned that companies ignoring security vulnerabilities face significant operational, reputational, and financial risks. Referencing the 2024 Verizon Data Breach Investigations Report, S&P highlighted that vulnerability exploitation nearly tripled in 2023, stressing the need for companies to make vulnerability management a priority within their cybersecurity strategies. With the number of CVEs rapidly rising, companies face mounting pressure to address both new and legacy vulnerabilities. Paul Alvarez, S&P’s lead cyber expert, noted that a structured vulnerability management process can greatly reduce cyber risks.
Finding value in this newsletter? Like or share this post on LinkedIn