Cyber Weekly Newsletter
Riskigy Cybersecurity & Tech Advisors
Fractional Cybersecurity and Tech compliance leadership and consulting for start-up, emerging and beyond!
Cyber Weekly Newsletter for Friday September 13th, 2024
The weekly Security, Tech and Cybercrime newsletter from Riskigy's vCISO Cybersecurity team
Cybersecurity awareness tips and alerts from Riskigy to empower your team to #BeCyberSmart #CyberAware
This Week's Need-to-Know News and Alerts
Adobe fixes Acrobat Reader zero-day with public PoC exploit. The flaw is tracked as CVE-2024-41869 and is a critical use-after-free vulnerability that could lead to remote code execution when opening a specially crafted PDF document. https://www.bleepingcomputer.com/news/security/adobe-fixes-acrobat-reader-zero-day-with-public-poc-exploit/
Microsoft Discloses 4 Zero-Days in September Update. This month's Patch Tuesday contains a total of 79 vulnerabilities, the fourth largest of the year. Two of the zero-day bugs give attackers a way to bypass critical security protections in Windows. https://www.darkreading.com/application-security/microsoft-discloses-4-zero-days-in-september-update
Hackers have been leveraging publicly available exploit code for two critical vulnerabilities in the WhatsUp Gold network availability and performance monitoring solution from Progress Software. https://www.bleepingcomputer.com/news/security/hackers-targeting-whatsup-gold-with-public-exploit-since-august/
WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers. WordPress announced new security measures that will require accounts with the capability to update plugins and themes to enable two-factor authentication (2FA). https://thehackernews.com/2024/09/wordpress-mandates-two-factor.html
Cyber Staffing Shortages Remain CISOs' Biggest Challenge. Besides operational issues connected to a talent shortage, the cost of running security platforms and their training costs also keep CISOs up at night. https://www.darkreading.com/cybersecurity-operations/cyber-staffing-shortages-remain-cisos-biggest-challenge
GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution. GitLab released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user. https://thehackernews.com/2024/09/urgent-gitlab-patches-critical-flaw.html
FBI says that 2023 was a record year for cryptocurrency fraud, with total losses exceeding $5.6 billion, based on nearly 70,000 reports received through the Internet Crime Complaint Center (IC3). A majority of reported losses were incurred by U.S. citizens. https://www.bleepingcomputer.com/news/security/fbi-reported-cryptocurrency-losses-reached-56-billion-in-2023/
Progress Software has released security updates to resolve a critical vulnerability, tracked as CVE-2024-7591, in its LoadMaster and Multi-Tenant (MT) hypervisor products. The flaw, with a CVSS score of 10.0, is described as an improper input validation bug. https://thehackernews.com/2024/09/progress-software-issues-patch-for.html
Cybersecurity Talent Shortage Prompts White House Action. The Biden administration launches an initiative to encourage careers in cybersecurity, as businesses try new tactics to get unfilled IT security roles staffed. https://www.darkreading.com/cybersecurity-operations/cybersecurity-talent-shortage-prompts-white-house-action
SonicWall SSLVPN access control flaw is now exploited in attacks. CVE-2024-40766 in SonicOS is now "potentially" exploited in attacks, and admins are urged to apply patches as soon as possible. https://www.bleepingcomputer.com/news/security/sonicwall-sslvpn-access-control-flaw-is-now-exploited-in-attacks
From Our Blog
'Take A Beat' with the FBI's new Campaign Targeting Scammers
'Take A Beat' with the FBI's new Campaign Targeting Scammers. In response to the growing threat, the FBI has launched a nationwide campaign called "Take A Beat" to raise awareness and enhance defenses against fraudulent activities. Learn more now at https://riskigy.com/f/take-a-beat-with-the-fbis-new-campaign-targeting-scammers
Preparing for National Cybersecurity Awareness Month October 2024
October is a time for Football, Halloween and Cybersecurity Awareness. Since 2004, the President of the United States and Congress have declared October Cybersecurity Awareness Month, dedicated to raising awareness about the importance of cybersecurity in both the public and private sectors. Read more at https://riskigy.com/blog/f/preparing-for-national-cybersecurity-awareness-month-october-2024
Mitigating Data Breach Costs in 2024
Recently, IBM released its 19th annual Cost of a Data Breach Report, highlighting the increasing costs and disruptions caused by data breaches, with the global average cost reaching $4.88 million in 2024. Among the report's key findings are the impact of staff shortages and data visibility gaps on breach costs. Read more at https://riskigy.com/blog/f/mitigating-data-breach-costs-in-2024
New Guidance Amid Recent High Profile Insider Threats
Organizations across various sizes and industries face the risk of insider threats, both intentional and unintentional. To address this, the Cybersecurity and Infrastructure Security Agency (CISA) has published the "Resources for Onboarding and Employment Screening Fact Sheet." AI is increasingly being leveraged to create fake workers and scam employers in various ways. Read more at https://riskigy.com/blog/f/new-guidance-amid-recent-high-profile-insider-threats
How to Manage Post CrowdStrike Auto Update Paranoia
The historic CrowdStrike incident that took down 8.5 million Windows machines last Friday turned out to be a result of a minor, buggy software update. Organizations must control the rollout process and implement testing procedures to prevent faulty updates from wreaking havoc. Establishing a balance between security and innovation is key. Read more at https://riskigy.com/blog/f/how-to-manage-post-crowdstrike-auto-update-paranoia
Recent Data Breach News
Fortinet confirms data breach after hacker claims to steal 440GB of files. Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from a Microsoft SharePoint server. https://www.bleepingcomputer.com/news/security/fortinet-confirms-data-breach-after-hacker-claims-to-steal-440gb-of-files
A data breach at Slim CD, a payment gateway provider, has compromised the credit card details and personal information of nearly 1.7 million individuals, including full name, physical address, credit card number, and payment card expiration date. https://www.bleepingcomputer.com/news/security/payment-gateway-data-breach-affects-17-million-credit-card-owners
Transport for London staff faces systems disruptions after cyberattack. Transport for London, the city's transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a cyberattack. https://www.bleepingcomputer.com/news/security/transport-for-london-staff-faces-systems-disruptions-after-cyberattack
Car rental giant Avis discloses data breach impacting customers. American car rental giant Avis notified customers that unknown attackers breached one of its business applications last month and stole some of their personal information. https://www.bleepingcomputer.com/news/security/car-rental-giant-avis-discloses-data-breach-impacting-customers/
Seattle-Tacoma Airport IT systems down due to a cyberattack. The Seattle-Tacoma International Airport has confirmed that a cyberattack is likely behind the ongoing IT systems outage that disrupted reservation check-in systems and delayed flights. https://www.bleepingcomputer.com/news/security/seattle-tacoma-airport-it-systems-down-due-to-a-cyberattack
Cybersecurity Humor
Friday the 13th: Superstition Meets Cybersecurity
Friday the 13th—whether it sends chills down your spine or makes you roll your eyes, there's no denying its place in folklore and popular culture. Traditionally seen as a harbinger of bad luck, the superstition surrounding this date has persisted for centuries. However, in our digital age, Friday the 13th can take on a new meaning: a timely reminder of the perils lurking in cyberspace. Just as one might take extra precautions on this infamous day, businesses and individuals alike should be vigilant about cybersecurity.
Cybersecurity and Superstition
While superstitions like Friday the 13th may not have a grounding in rationality, they serve as a perfect metaphor for the often unpredictable and capricious world of cybersecurity. Here are some key lessons we can draw from the superstition:
Vigilance Over Complacency
Just as people may be more cautious on Friday the 13th, it's essential to employ good cybersecurity practices consistently rather than waiting for a "bad" event to strike.
Awareness of Hidden Threats
Given its unlucky reputation, people often look over their shoulders or think twice about their actions on Friday the 13th. This heightened awareness can be a valuable attitude in cybersecurity.
Preparation for the Worst
Many believe that bad things are more likely to happen on Friday the 13th, prompting them to take extra precautions. Similarly, preparation is key to mitigating cybersecurity risks.
Takeaways
While Friday the 13th may be steeped in superstition, it serves as a useful reminder for the cybersecurity-conscious. In an era where digital threats are as ubiquitous as they are sophisticated, taking proactive measures and learning from past incidents can spell the difference between security and vulnerability.
So, the next time Friday the 13th appears on your calendar, use it as a cue to double-check your cybersecurity posture. A little extra caution never hurt anyone, and in the realm of cybersecurity, it could save you from a world of trouble.
Cybersecurity Is Complex! We Are Here To Help
Cyberthreats are everywhere, but you don't have to face them alone. Get Cybersecurity & Tech help from Riskigy!
Looking for an expert to assist your firm or clients?
Need a pro to explain Tech or Cyber to your management?
Vetting a new investment or acquisition?
Want to build a cyber aware staff?
Need immediate assistance with an incident?
Considering adding a vCISO or vCTO to your team?
Seeking help with SOC2, FINRA/SEC, or Cyber Insurance readiness?