Cyber News Roundup for December 20, 2024
In this week’s roundup, we’re seeing significant cybersecurity threats making headlines across the globe. APT29, linked to Russia’s SVR, has launched a widespread spearphishing campaign, while CISA is advising high-risk individuals on securing their communications in the face of ongoing Chinese espionage activities. We also dive into rising risks from Mirai malware infections, the latest on the TikTok ban challenge, and emerging vulnerabilities in devices ranging from routers to cameras. Stay ahead of the curve with the latest cyber developments.
BeyondTrust suffers cyberattack
BeyondTrust, a cybersecurity company specializing in Privileged Access Management (PAM) and secure remote access solutions, itself suffered a cyberattack on December 2. “Its products are used by government agencies, tech firms, retail and e-commerce entities, healthcare organizations, energy and utility service providers, and the banking sector.” After detecting “anomalous behavior,” it was determined that “hackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts.” “BeyondTrust immediately revoked the API key, and notified known impacted customers. It is not yet clear whether the threat actors were able to use the compromised Remote Support SaaS instances to breach downstream customers.” (BleepingComputer)
Fortinet warns of critical flaw in Wireless LAN Manager
This flaw, which has now been patched, could have allowed admin access and sensitive information disclosure on the Wireless LAN Manager (FortiWLM) product. Security researcher Zach Hanley from Horizon3.ai stated that the vulnerability, tracked as CVE-2023-34990 with a CVSS score of 9.6, “enables remote attackers to exploit log-reading functions via crafted requests to a specific endpoint.” A subsequent report from Horizon3 stated that FortiWLM’s verbose logs “expose session IDs, enabling attackers to exploit log file read vulnerabilities to hijack sessions and access authenticated endpoints.” (Security Affairs)
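The chain Horizon3 describes only works because the verbose log contains a usable session identifier; a log that was readable but contained no secrets would have been far less useful. The following added example (not Fortinet's or Horizon3's code; the log line format and field names `session=`, `sid=`, `token=`, `cookie=` are assumptions) shows the defensive habit of scrubbing such values at the logging layer, replacing each secret with a short hash so analysts can still correlate a session across lines without the log file yielding a reusable credential.

```python
"""Redact session identifiers before they reach a log file.

Added example. Assumes key=value style log messages; the field names
matched below are illustrative, not FortiWLM's actual log format.
"""
import hashlib
import io
import logging
import re

# Field names whose values must never be written to disk in the clear
# (assumed names for this example).
SENSITIVE = re.compile(r"(?i)\b(session(?:_?id)?|sid|token|cookie)=([^\s;,]+)")


def fingerprint(value: str) -> str:
    """Stable, non-reversible 8-hex-char handle for a secret value."""
    return hashlib.sha256(value.encode()).hexdigest()[:8]


def redact(message: str) -> str:
    """Replace every sensitive value with '<fingerprint>'.

    The same session ID always maps to the same fingerprint, so two
    lines from one session still correlate; the original ID cannot be
    recovered from the log.
    """
    return SENSITIVE.sub(lambda m: f"{m.group(1)}=<{fingerprint(m.group(2))}>", message)


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs the fully formatted message in place."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # args are already folded into msg above
        return True


def render(message: str, redacting: bool = True) -> str:
    """Log one message to an in-memory stream and return what was written.

    With redacting=False this behaves like a naive verbose logger; with
    redacting=True the filter strips secrets first.
    """
    buf = io.StringIO()
    logger = logging.Logger("redaction-demo")  # standalone, not the shared hierarchy
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redacting:
        logger.addFilter(RedactingFilter())
    logger.info(message)
    handler.flush()
    return buf.getvalue().strip()


# Constructed sample line, not a real device log.
SAMPLE_LINE = "user=admin session=5f1c9a7e authenticated from 192.0.2.5"

if __name__ == "__main__":
    print("verbose :", render(SAMPLE_LINE, redacting=False))
    print("redacted:", render(SAMPLE_LINE, redacting=True))
```

The filter is attached to the logger rather than to one handler so that every destination (file, syslog, console) receives the scrubbed record; attaching it per handler is the usual way such a control ends up bypassed when a new handler is added later.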
Juniper routers with default passwords are attracting Mirai infections, says manufacturer
According to an advisory from Juniper, customers last week started reporting “suspicious behavior” on their Session Smart Routers. What the customers all had in common was that they were still using the factory-set passwords on the devices. Investigation found a variant of Mirai malware that had been scanning for such vulnerable routers. Once infected, the devices were “subsequently used as a DDOS attack source” attempting to disrupt websites with junk traffic, Juniper says. The company does not mention how many devices were infected or where the attacks were directed. Juniper recommends that customers with Session Smart Routers “immediately apply strong, unique passwords and continue to monitor for suspicious network activity such as unusual port scanning, increased login attempts and spikes in outbound internet traffic.” (The Record)
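Juniper's three indicators (unusual port scanning, increased login attempts, spikes in outbound traffic) are each simple to check against a router's syslog once the lines are parsed. The following added example (not Juniper's code; the `login_failed` / `conn` / `outbound_bytes` line format, the thresholds and the sample lines are all constructed for illustration) runs those three checks over a small batch of log lines and reports the sources that trip each one.

```python
"""Flag the indicators from Juniper's Mirai advisory in syslog-style lines.

Added example with an assumed log format:
  <ts> login_failed src=<ip> user=<name>      failed admin/SSH login
  <ts> conn src=<ip> dst=<ip>:<port>           new outbound connection
  <ts> outbound_bytes=<n>                      per-minute outbound byte counter
Thresholds are illustrative defaults, not vendor guidance.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log (documentation IP ranges), not real router output.
SAMPLE_LOG = """\
2024-12-16T10:00:01 login_failed src=198.51.100.7 user=admin
2024-12-16T10:00:02 login_failed src=198.51.100.7 user=root
2024-12-16T10:00:03 login_failed src=198.51.100.7 user=admin
2024-12-16T10:00:04 login_failed src=198.51.100.7 user=support
2024-12-16T10:00:05 login_failed src=198.51.100.7 user=admin
2024-12-16T10:00:06 login_failed src=198.51.100.7 user=user
2024-12-16T10:00:07 login_ok src=203.0.113.5 user=netops
2024-12-16T10:01:00 conn src=192.0.2.10 dst=198.51.100.21:23
2024-12-16T10:01:00 conn src=192.0.2.10 dst=198.51.100.22:23
2024-12-16T10:01:00 conn src=192.0.2.10 dst=198.51.100.23:23
2024-12-16T10:01:00 conn src=192.0.2.10 dst=198.51.100.24:2323
2024-12-16T10:01:00 conn src=192.0.2.10 dst=198.51.100.25:23
2024-12-16T10:01:01 conn src=192.0.2.10 dst=198.51.100.26:23
2024-12-16T10:01:01 conn src=192.0.2.10 dst=198.51.100.27:23
2024-12-16T10:01:01 conn src=192.0.2.10 dst=198.51.100.28:23
2024-12-16T10:02:00 conn src=192.0.2.11 dst=203.0.113.80:443
2024-12-16T10:02:00 conn src=192.0.2.11 dst=203.0.113.81:443
2024-12-16T10:00:00 outbound_bytes=120000
2024-12-16T10:01:00 outbound_bytes=110000
2024-12-16T10:02:00 outbound_bytes=125000
2024-12-16T10:03:00 outbound_bytes=118000
2024-12-16T10:04:00 outbound_bytes=9800000
2024-12-16T10:05:00 outbound_bytes=115000
"""


def parse(text):
    """Turn each line into a dict: ts, kind, plus any key=value fields."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ts, rest = parts[0], parts[1:]
        if "=" in rest[0]:          # bare counter line, e.g. outbound_bytes=N
            kind = "counter"
        else:
            kind, rest = rest[0], rest[1:]
        fields = dict(kv.split("=", 1) for kv in rest if "=" in kv)
        events.append({"ts": ts, "kind": kind, **fields})
    return events


def failed_logins(events, threshold=5):
    """Sources with at least `threshold` failed logins (brute-force indicator)."""
    counts = Counter(e["src"] for e in events if e["kind"] == "login_failed")
    return {src: n for src, n in counts.items() if n >= threshold}


def scan_sources(events, min_targets=5):
    """Sources that opened connections to many distinct host:port targets.

    A router suddenly fanning out to many hosts on telnet-style ports is
    the classic footprint of a Mirai-infected device scanning for peers.
    """
    targets = defaultdict(set)
    for e in events:
        if e["kind"] == "conn":
            targets[e["src"]].add(e["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def outbound_spikes(events, factor=10):
    """Outbound byte counters exceeding `factor` times the median baseline."""
    samples = [(e["ts"], int(e["outbound_bytes"]))
               for e in events if e["kind"] == "counter" and "outbound_bytes" in e]
    if len(samples) < 3:
        return []
    baseline = median([v for _, v in samples])
    return [(ts, v) for ts, v in samples if v > factor * baseline]


def report(text):
    """Run all three checks and return their findings together."""
    events = parse(text)
    return {
        "failed_logins": failed_logins(events),
        "scanners": scan_sources(events),
        "outbound_spikes": outbound_spikes(events),
    }


if __name__ == "__main__":
    for name, finding in report(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The median baseline deliberately ignores the spike itself, so a single DDoS burst does not drag the threshold up with it; on real data the baseline would be computed over a longer, earlier window than the interval being judged.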
CISA issues a Binding Operational Directive requiring federal agencies to enhance cloud security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, requiring federal agencies to enhance cloud security by adopting secure configuration baselines. The directive aims to mitigate risks from misconfigurations and weak controls by mandating compliance with CISA’s Secure Cloud Business Applications (SCuBA) standards. Agencies must identify cloud tenants and create an inventory by February 21, 2025, deploy SCuBA assessment tools by April 25, 2025, and implement mandatory SCuBA policies, including Microsoft Office 365 baselines, by June 20, 2025. Annual updates to cloud tenant inventories and continuous reporting are also required. CISA plans to maintain and update policies, assist agencies, and monitor compliance. While directed at federal agencies, CISA encourages broader adoption to bolster collective cybersecurity resilience.
Meanwhile, the Office of the National Cyber Director and CISA released a playbook to guide federal grant managers and recipients on integrating cybersecurity into critical infrastructure projects. The “Playbook for Strengthening Cybersecurity in Federal Grant Programs” offers model language and recommendations for incorporating cybersecurity into grant-making processes and project assessments. Reflecting Biden administration priorities like the Investing in America initiative, the playbook emphasizes secure-by-design principles and critical infrastructure resilience. While advisory, it encourages agencies and grant recipients to prioritize cybersecurity in upcoming infrastructure upgrades. (SecurityWeek, CISA)
HiatusRAT malware operators are scanning for vulnerable web cameras and DVRs
The US FBI has issued an alert warning that HiatusRAT malware operators are conducting scanning campaigns against Chinese-branded web cameras and DVRs across the US, Australia, Canada, New Zealand, and the United Kingdom. The Bureau states, “The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords. Many of these vulnerabilities have not yet been mitigated by the vendors. In particular, the actors targeted Xiongmai and Hikvision devices with telnet access.” The FBI recommends limiting the use of these devices or isolating them from the rest of the network. (FBI)
Supreme Court to hear TikTok ban challenge
The long road to a TikTok ban in the US might be approaching a final stop. As a refresher, Congress passed a law in April requiring ByteDance to divest TikTok or see the app cut off from app stores and web-hosting services in the US. That law is set to go into effect on January 19th. On December 6th, a DC Circuit appeals court ruled that Americans saw concerns over the Chinese government’s ability to gather data and potentially manipulate content as “well-founded” and represented a “compelling national security interest.” Now, the US Supreme Court will hear TikTok’s challenge to that ruling on January 10th. The outgoing Biden administration will present the government’s case. (CBS)
US weighs TP-Link ban
The Wall Street Journal reports that the U.S. government is considering a ban on TP-Link routers amid rising security concerns. Investigations by the Commerce, Defense, and Justice Departments suggest TP-Link routers, made by a China-based company, may pose national security risks. A Microsoft report linked TP-Link devices to a Chinese hacking network targeting Western organizations. The devices dominate the U.S. home and small-business router segment with a 65% market share. TP-Link routers are often shipped with unresolved security flaws, and the company reportedly doesn’t cooperate with security researchers. The Justice Department is also probing whether TP-Link’s low pricing strategy violates antitrust laws. The potential ban could disrupt the router market, which TP-Link has dominated due to affordability and partnerships with over 300 U.S. internet providers.
TP-Link denies selling products below cost and insists on compliance with U.S. laws. While U.S. officials haven’t disclosed evidence of deliberate collusion with Chinese state-sponsored hackers, concerns persist. TP-Link’s founders remain connected to Chinese institutions conducting military cyber research. Despite efforts to rebrand as U.S.-centric, including announcing a California headquarters, critics see the company’s ties to China as inseparable. If enacted, the ban would mark the largest removal of Chinese telecom equipment in the U.S. since Huawei in 2019. Similar bans have been enacted in Taiwan and India, citing security risks. The move underscores the broader challenges of securing the telecommunications supply chain, with U.S. officials acknowledging systemic vulnerabilities across the router market, including domestic brands. (WSJ)
Cisco data leaked
In October, the threat actor IntelBroker claimed they had obtained data from Cisco in a breach, including source code and encryption keys. A company investigation found this data was obtained from a public-facing DevHub environment. This ordinarily hosts source code and other materials meant for public consumption, but Cisco said a configuration error caused some private data to be inadvertently published. This week, IntelBroker published 2.9 gigabytes of data obtained from DevHub, claiming they obtained a total of 4.5 terabytes. Since its initial incident reports on the leaked data, Cisco removed a statement saying it found no evidence that personal information or financial data was compromised. (Security Week)
Microsoft quietly patches two potentially critical vulnerabilities
Microsoft announced the patching of two potentially critical vulnerabilities in Update Catalog and Windows Defender. These flaws, tracked as CVE-2024-49071 and CVE-2024-49147, have been fully mitigated and require no user action. The Windows Defender flaw, rated medium-severity based on CVSS scores, could have allowed unauthorized disclosure of sensitive file content over a network due to improper index authorization. The Update Catalog vulnerability, involving deserialization of untrusted data, was a privilege escalation issue on the webserver. Microsoft emphasized that neither flaw was disclosed publicly nor exploited before patching. The company is now assigning CVE identifiers to cloud service vulnerabilities for transparency, following industry trends. Similar measures have been adopted by Google Cloud, reflecting growing emphasis on proactive security and communication about server-side vulnerabilities. (SecurityWeek)
Iran-linked threat actor deploys new ICS malware
Researchers at Claroty have discovered a new strain of IoT/OT malware “IOCONTROL” used by Iran-affiliated attackers to target devices in Israel and the US. The researchers state, “IOCONTROL has been used to attack IoT and SCADA/OT devices of various types including IP cameras, routers, PLCs, HMIs, firewalls, and more. Some of the affected vendors include: Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and others.” Notably, Claroty says, “One particular IOCONTROL attack wave involved the compromise of several hundred Israel-made Orpak Systems and U.S.-made Gasboy fuel management systems in Israel and the United States. The malware is essentially custom built for IoT devices but also has a direct impact on OT such as the fuel pumps that are heavily used in gas stations.” The malware has been deployed by a threat actor tracked as the “CyberAv3ngers,” which is believed to have ties to Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). (Claroty)
South Carolina credit union suffers cyberattack
SRP Federal Credit Union, one of the largest credit unions in South Carolina, filed breach notification documents with regulators in Maine and Texas on Friday following suspicious activity detected on its network. Initial investigations show that threat actors accessed the network at times between September 5 and November 4 of this year, and “potentially acquired certain files…during that time.” The Texas filing stated that the stolen data included names, Social Security numbers, driver’s license numbers, dates of birth and financial information like account numbers as well as credit or debit card numbers. The Nitrogen ransomware gang has claimed responsibility for the attack and for the theft of 650GB of customer data. The credit union has not yet confirmed that it was a ransomware attack. (The Record)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.