Cyber Weekly Newsletter

Cyber Weekly Newsletter for Friday November 15, 2024

The weekly Security, Tech and Cybercrime newsletter from Riskigy's vCISO Cybersecurity team

Cybersecurity awareness tips and alerts from Riskigy to empower your team to #BeCyberSmart #CyberAware

This Week's Need-to-Know News and Alerts

Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs. Of the 90 flaws, four are rated Critical, 85 are rated Important, and one is rated Moderate. Fifty-two of the patched vulnerabilities are remote code execution flaws. https://thehackernews.com/2024/11/microsoft-fixes-90-new-vulnerabilities.html

Palo Alto Networks’ customer migration tool hit by trio of CVE exploits. CISA warned of two critical and actively exploited vulnerabilities in Expedition one week after another CVE came under active exploitation in the same product. https://www.cybersecuritydive.com/news/palo-alto-networks-migration-tool-exploits/733072

Microsoft's Patch Tuesday contains a high percentage of remote code execution (RCE) vulnerabilities (including a critical issue in Windows Kerberos), and two other zero-day bugs that have been previously disclosed and could soon come under attack. https://www.darkreading.com/cloud-security/2-zero-day-bugs-microsoft-nov-update-active-exploit

Palo Alto Networks is warning that a critical zero-day vulnerability on Next-Generation Firewalls (NGFW) management interfaces, currently tracked as 'PAN-SA-2024-0015,' is actively being exploited in attacks. https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-critical-rce-zero-day-exploited-in-attacks

Microsoft pulls Exchange security updates over mail delivery issues. Microsoft has pulled the November 2024 Exchange security updates released during this month's Patch Tuesday because of email delivery issues on servers using custom mail flow rules. https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-exchange-security-updates-over-mail-delivery-issues

Citrix Patches Zero-Day Recording Manager Bugs. There is a disagreement over whether the remote code execution (RCE) flaws allow for unauthenticated exploitation or not. Researchers say the company is downplaying a "good old unauthenticated RCE." https://www.darkreading.com/cloud-security/citrix-patches-zero-day-recording-manager-bugs

Critical Veeam RCE bug now used in Frag ransomware attacks. After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware. https://www.bleepingcomputer.com/news/security/critical-veeam-rce-bug-now-used-in-frag-ransomware-attacks

Google Warns of Rising Cloaking Scams, AI-Driven Fraud, and Crypto Schemes. Cloaking refers to the practice of serving different content to search engines like Google and users with the ultimate goal of manipulating search rankings and deceiving users. https://thehackernews.com/2024/11/google-warns-of-rising-cloaking-scams.html

Microsoft Power Pages Leak Millions of Private Records. Less-experienced users of Microsoft's website building platform may not understand all the implications of the access controls in its low- or no-code environment. https://www.darkreading.com/cybersecurity-operations/microsoft-power-pages-millions-private-records

FBI, CISA, and NSA reveal most exploited vulnerabilities. The cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days. https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-most-exploited-vulnerabilities-of-2023

Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims. Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware. https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html

DocuSign's Envelopes API abused to send realistic fake invoices. Threat actors are abusing DocuSign's Envelopes API to create and mass-distribute fake invoices that appear genuine, impersonating well-known brands like Norton and PayPal. https://www.bleepingcomputer.com/news/security/docusigns-envelopes-api-abused-to-send-realistic-fake-invoices

A malware botnet is exploiting a zero-day vulnerability in end-of-life GeoVision devices to compromise and recruit them for likely DDoS or cryptomining attacks. The flaw, tracked as CVE-2024-11120, has a critical severity (CVSS v3.1 score: 9.8). https://www.bleepingcomputer.com/news/security/botnet-exploits-geovision-zero-day-to-install-mirai-malware/

High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables. The flaw in the open-source database system could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure. https://thehackernews.com/2024/11/high-severity-flaw-in-postgresql-allows.html

Hackers Target macOS Using Flutter-Embedded Malware. Threat actors have been found embedding malware within Flutter applications, marking the first time this tactic has been adopted by the adversary to infect Apple macOS devices. https://thehackernews.com/2024/11/north-korean-hackers-target-macos-using.html


From Our Blog

FBI Issues Warning About Fraudulent Emergency Data Requests

The Federal Bureau of Investigation (FBI) has released a notification to highlight a trend of compromised US and foreign government email addresses used to conduct fraudulent emergency data requests. Fraudulent Emergency Data Requests (EDRs) are a growing cybersecurity threat where hackers impersonate law enforcement officials to obtain sensitive user data from technology companies and service providers… Read more at https://riskigy.com/blog/f/fbi-issues-warning-about-fraudulent-emergency-data-requests

How to Avoid Common Password Mistakes

Passwords play a critical role in business security, making proper management essential. At the forefront of this topic is the National Institute of Standards and Technology (NIST), which recently released updated guidelines outlining technical requirements and recommendations for password management and authentication… Read more at https://riskigy.com/blog/f/how-to-avoid-common-password-mistakes

AI is the new Boogeyman: Outspooking Freddy, Jason, and Michael

Horror movies? Pfft. Child's play! We've all been at the edge of our seats watching Freddy Krueger show up in dreams with those fashionable knives-for-fingers gloves, Jason Voorhees make camping the worst idea ever, and Michael Myers basically ruin Halloween for everyone in Haddonfield. Learn more now at https://riskigy.com/blog/f/ai-is-the-new-boogeyman-outspooking-freddy-jason-and-michael

AI Has Changed Phishing Attacks from Bad to Worse

Cybersecurity Awareness Month has arrived, and this year, the conversation is dominated by how artificial intelligence (AI) is reshaping the world. AI has brought advancements across many industries but has also given cybercriminals new tools to enhance their attacks, especially phishing… Read more at https://riskigy.com/blog/f/ai-has-changed-phishing-attacks-from-bad-to-worse

10 Terrifying Facts Every Business Should Know About Ransomware

In recognition of Cybersecurity Awareness Month, we’re sharing 10 terrifying facts every business should know about ransomware from the annual Ransomware Task Force report. Ransomware is one of the most dangerous and expensive cyber threats facing organizations today. With attacks happening more frequently and targeting organizations of all sizes and sectors, the consequences of being unprepared can be devastating… Read more at https://riskigy.com/blog/f/10-terrifying-facts-every-business-should-know-about-ransomware


Recent Data Breach News

Amazon confirms employee data breach after vendor hack. Amazon confirmed a data breach involving employee information after data allegedly stolen during the May 2023 MOVEit attacks was leaked on a hacking forum. https://www.bleepingcomputer.com/news/security/amazon-confirms-employee-data-breach-after-vendor-hack/

Leaked info of 122 million linked to B2B data aggregator breach circulating since February 2024. The data comes from DemandScience (formerly Pure Incubation), a B2B demand generation company that aggregates data. https://www.bleepingcomputer.com/news/security/leaked-info-of-122-million-linked-to-b2b-data-aggregator-breach

Google AI Platform Bugs Leak Proprietary Enterprise LLMs. The tech giant fixed privilege-escalation and model-exfiltration vulnerabilities in Vertex AI that could have allowed attackers to steal or poison custom-built AI models. https://www.darkreading.com/cloud-security/google-ai-platform-bugs-proprietary-enterprise-llms

US govt officials’ communications compromised in recent telecom hack. CISA and the FBI confirmed that Chinese hackers compromised the "private communications" of a "limited number" of government officials after breaching multiple U.S. broadband providers. https://www.bleepingcomputer.com/news/security/chinese-hackers-compromised-us-government-officials-private-communications-in-recent-telecom-breach

Canadian Suspect Arrested Over Snowflake Data Breach and Extortion Attacks. Canadian law enforcement authorities have arrested an individual who is suspected to have conducted a series of hacks stemming from the breach of cloud data platform Snowflake. https://thehackernews.com/2024/11/canadian-suspect-arrested-over.htm

Halliburton revealed that an August ransomware attack has led to $35 million in losses after the breach caused the company to shut down IT systems and disconnect customers. Halliburton is a global provider of products and services to the energy industry. https://www.bleepingcomputer.com/news/security/halliburton-reports-35-million-loss-after-ransomware-attack

A former Disney World employee hacked servers after being fired, altering prices, adding profanities, and mislabeling allergy info. The FBI arrested the man last week; falsely declaring some items as allergy-safe could have put visitors' lives at risk. https://securityaffairs.com/170489/cyber-crime/former-disney-world-employee-arrested.html


Blog Post Spotlight

SEC 2025 Examination Priorities: Highlight Focus on Cybersecurity


As we steer towards 2025, the United States Securities and Exchange Commission (SEC) has laid out a roadmap that underscores its commitment to safeguarding the integrity of the financial markets against the backdrop of rapid technological evolution. This commitment is vividly reflected in its recently unveiled Examination Priorities for Fiscal Year 2025. In an era where digital threats loom large and technological advancements are relentless, the SEC's focus on cybersecurity emerges not just as a priority but as a necessity.

The Securities and Exchange Commission (SEC) has released its 2025 examination priorities, with a significant focus on cybersecurity. As cyber threats continue to evolve, the SEC aims to ensure that firms are adequately protecting investor information, records, and assets.

Here are key cybersecurity-related priorities for 2025:

1. Data Loss Prevention

The SEC will scrutinize firms’ data loss prevention measures. This includes evaluating how firms prevent unauthorized access and loss of sensitive data. Effective data loss prevention strategies are crucial for safeguarding investor information and maintaining trust.

2. Access Controls

Access controls are a critical component of cybersecurity. The SEC will examine how firms implement and manage access controls to protect sensitive information. This includes ensuring that only authorized personnel have access to critical systems and data.

3. Account Management

Proper account management is essential to prevent unauthorized access. The SEC will focus on how firms manage user accounts, including the processes for creating, modifying, and terminating accounts. This also involves monitoring for suspicious activity and ensuring that accounts are secure.

4. Incident Response and Notification

A noteworthy aspect of the SEC's cybersecurity emphasis is its focus on Incident Response and Notification Procedures. In an acknowledgement of the inevitability of cyber incidents, the SEC prioritizes the examination of how registered entities prepare for, respond to, and recover from cybersecurity breaches. This entails a thorough review of entities' incident response plans to verify their effectiveness in swiftly identifying, containing, and mitigating the impacts of cyber incidents.

Equally critical is the scrutiny of firms’ notification processes. The SEC considers the timely disclosure of cyber incidents to affected stakeholders and regulators as essential. This aligns with the broader goal of transparency and the protection of investors from the adverse consequences of latent vulnerabilities and undisclosed breaches.

5. Third-Party Risks

The SEC's approach to addressing these concerns in 2025 is multifaceted, focusing on ensuring that firms have comprehensive risk management strategies and controls in place for their third-party engagements. The key areas include:

Due Diligence and Oversight: Firms are expected to conduct thorough due diligence before engaging with third-party vendors and continuously monitor these relationships to ensure adherence to cybersecurity standards. The SEC prioritizes examining the processes firms use to evaluate the cybersecurity practices of third parties and the contractual obligations imposed on these vendors to maintain high cybersecurity standards.

Incident Response and Vendor Management: A significant component of third-party risk management is how firms prepare for and respond to incidents that originate from or affect third-party products and services. Firms must have robust communication channels and incident response plans that include third parties to ensure swift action and mitigation. The SEC will focus on the integration of third-party risk into firms’ overall incident response plans and the effectiveness of these plans in addressing incidents involving external vendors.

Takeaways

These priorities not only underscore the importance of cybersecurity vigilance but also highlight the SEC’s commitment to adaptive and proactive regulatory oversight. The SEC’s focus on these areas highlights the importance of robust cybersecurity practices in protecting investors and maintaining the integrity of the financial markets.

The SEC’s 2025 Examination Priorities mark a significant stride towards a future where financial stability is intrinsically linked with cybersecurity resilience. It’s a call to action for market participants to elevate their cybersecurity postures, ensuring that they not only comply with regulatory expectations but also contribute to the overarching goal of maintaining market integrity.

By addressing these key areas, the SEC aims to mitigate risks and protect the interests of investors in an increasingly digital and interconnected world. Firms are encouraged to review and strengthen their cybersecurity measures in line with these priorities to ensure compliance and enhance their overall security posture.


Cybersecurity Is Complex! We Are Here To Help

Cyberthreats are everywhere, but you don’t have to face them alone. Get Cybersecurity & Tech help from Riskigy!

Looking for an expert to assist your firm or clients?

Need a pro to explain Tech or Cyber to your management?

Vetting a new investment or acquisition?

Want to build a cyber aware staff?

Need immediate assistance with an incident?

Considering adding a vCISO or vCTO to your team?

Seeking help with SOC-2, SEC/FINRA, or FTC readiness?

Contact us to discuss how we can assist!
