Cybersecurity continues to be a critical focus in the face of ever-evolving threats. This week, several major incidents and advisories highlight the increasing risks across multiple sectors. From the FBI and CISA urging the use of encrypted messaging apps to protect personal communications, to the revelations of hacking groups targeting U.S. telecom networks and companies facing vulnerabilities, these developments underscore the importance of robust security measures. Notable incidents include Cloudflare’s service disruption, the rise of sophisticated phishing tools bypassing multi-factor authentication, and ongoing concerns over legacy vulnerabilities in widely used devices. In this roundup, we take a closer look at these stories and the implications for both individuals and organizations in securing their digital environments.

 

FBI and CISA urge Americans to use encrypted apps rather than calling

Further developments from the Salt Typhoon attack on U.S. telecommunications companies, officials from both agencies are recommending that Americans use start using encrypted messaging apps. Speaking to the media on Tuesday, Jeff Greene, executive assistant director for cybersecurity at CISA, along with a senior FBI official who asked not to be named, said they plan to use the same message as they do inside their respective organizations: Encryption is your friend,” whether it’s on messaging or encrypted voice communication. They also suggest people considering using a cellphone that “automatically receives timely operating system updates, responsibly managed encryption and phishing resistant multi-factor authentication for email, social media, and collaboration tool accounts.” (NBC News)

 

Cloudflare says it lost 55% of logs pushed to customers for 3.5 hours

This story pertains to a bug that appeared on November 14 in the internet security company’s log collection service, one that allows its customers to monitor the traffic on their websites and filter it based on certain criteria. They are also used to investigate security incidents, DDoS attacks, traffic patterns, and to perform site optimizations. This is a big service, amounting to over 50 trillion customer event logs every day, of which around 4.5 are sent to customers. The incident was caused by a misconfiguration in a log forwarder component in Cloudflare’s pipeline. The pause then created a massive spike once the system tried to resolve itself. Cloudflare has now implemented several measures to prevent future occurrences. (BleepingComputer)

 

Phishing tool Rockstar 2FA targets Microsoft 365 creds

Researchers at Trustwave are warning of a Phishing-as-a-service toolkit named Rockstar 2FA, which apparently targets Microsoft 365 accounts and bypasses multi-factor authentication via adversary-in-the-middle attacks. It is an updated version of the DadSec/Phoenix phishing kit. The attacks involve theft of a victim’s password and session cookie though the creation of a proxy server between a target user and the website the user wishes to visit, which itself is a phishing site. Trustwave points out a unique feature of this current campaign being websites whose common theme is cars. (Cybersecurity News)

 

FBI advises telecoms to boost security following Chinese hacking campaign

Since October, we’ve been covering ongoing reports that China-backed hacking group, Salt Typhoon, was reportedly in the networks of AT&T, Verizon, and Lumen (formerly CenturyLink), among others. These attacks are thought to be part of a broad Chinese espionage campaign targeting U.S. officials and also wiretap systems that might identify Chinese individuals under U.S. surveillance. On Tuesday, U.S. government officials warned that Salt Typhoon is still inside networks of some phone and internet providers. Additionally on Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance to telecommunication companies to bolster their defenses through deployment of encryption as well as centralized and consistent monitoring. The government’s guidance was issued jointly with security agencies and organizations in New Zealand, Australia, Canada, and Britain. (SecurityWeek and TechCrunch)

 

Decade-old Cisco vulnerability under active exploit

Cisco is warning customers that an input validation vulnerability (CVE-2014-2120) in its Adaptive Security Appliance (ASA) WebVPN login page is now actively being exploited by threat actors. Cisco documented the bug back in 2014 and exploitation could allow an unauthenticated remote attacker to launch cross-site scripting (XSS) attacks. Cisco discovered exploitation attempts in November 2024 and said customers should upgrade to a fixed software release. The company added that there are no workarounds for this flaw. This issue highlights how implementing legacy security fixes can get lost in the sea of security priorities that organizations are facing. (Dark Reading)

 

Misconfigured WAFs heighten security risks

According to a report from Zafran, nearly 40% of Fortune 100 companies leveraging their content delivery network (CDN) providers for Web Application Firewall (WAF) services may be exposing back-end servers to attacks. WAFs act as intermediaries between users and Web applications, inspecting traffic for an array of threats and blocking malicious activity. In total, Zafran found 2,028 domains belonging to 135 companies exposing at least one supposedly WAF-protected server. This means attackers could access the servers over the Internet to launch attacks like denial-of-service (DoS) and ransomware. The researchers explained that the issues stem from organizations not following best practices including adequately validating Web requests to back-end origin servers, filtering IP addresses and establishing encrypted TLS connections between the CDN provider and their servers. While some responsibility does lie with customers, the researchers said, “CDN providers who offer WAF services share some responsibility as well for failing to offer customers proper risk avoidance measures and for not building their networks and services to circumvent misconfigurations in the first place.” (Dark Reading)

 

Japan warns of I-O Data zero-day router flaws exploited in attacks

Japan’s Computer Emergency Response Team aka CERT, is warning of a zero-day vulnerabilities in I-O Data router devices. These can be exploited to modify device settings, execute commands, or even turn off the firewall. “The vendor has acknowledged the flaws in a security bulletin published on its website.” But, the fixes are only expected to land on December 18, which means users will be exposed to risks until then unless mitigations are enabled. The three flaws, which were identified on November 13, and which all have CVE numbers, relate to information disclosure, remote arbitrary OS command execution, and the ability to disable firewalls. (BleepingComputer)

 

Microsoft stands firm on TPM requirements for Windows 11

Microsoft is pushing hard on its upgraded security culture by dashing the hopes some may have about lower hardware requirements for Windows 11. Windows 10 end of support is approaching in October 2025, and Microsoft says that its Trusted Platform Module (TPM) 2.0 requirement for Windows 11 is “non-negotiable.” PM 2.0. It’s a hardware-level chip or firmware capability that helps encrypt or decrypt data, confirm digital signatures, and assist with any other cryptographic operations. (The Verge)

 

Senators fume over response to ‘disturbing and widespread’ Chinese hack of US telecoms

Senators have expressed deep frustration over the Biden administration’s handling of a significant cyberattack by the Chinese government-linked group “Salt Typhoon,” which infiltrated numerous U.S. and global telecommunications systems. This breach, considered the most severe in telecom history, compromised the phones of officials, including President-elect Donald Trump, and potentially exposed the communications of a vast number of Americans. During a Capitol Hill briefing, lawmakers criticized the lack of accountability and demanded more transparency. Senator Rick Scott (R-Fla.) questioned the absence of preventive measures, while Senator Josh Hawley (R-Mo.) described the breach as “breathtaking” and called for declassification of details to inform the public about the potential exposure of their communications.

Senate Intelligence Committee Chair Mark Warner (D-Va.) highlighted the failure of telecom companies to secure critical systems, noting that the hackers remain embedded in these networks.  In response, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are collaborating with telecom providers to address the breach, though the full extent of the infiltration remains uncertain. CISA Director Jen Easterly announced that the Department of Homeland Security’s Cyber Safety Review Board would formally investigate the hack, with recommendations expected next year.

Lawmakers are also considering legislation to enhance cybersecurity in telecommunications, aiming to implement measures before year’s end. Senator Mike Rounds (R-S.D.) emphasized the need for enforceable cybersecurity standards for telecom companies, acknowledging that addressing these security concerns will require time. The bipartisan concern underscores the necessity for stringent cybersecurity protocols and potential retaliatory actions against China, as the administration continues to investigate and seek long-term solutions to this critical national security threat.  (Politico, Reuters, Yahoo)

 

Russian hackers hack hackers

In No Honor Among Thieves News, a new report from Lumen’s Black Lotus Labs details how the Russian cyber-espionage group Turla used the infrastructure of the Pakistani-linked group Storm-0156 to launch their attacks. Researchers had been observing operations by Storm-0156, finding a C2 server on an Indian government network. This server began interacting with three IP addresses known to be linked to Turla. Further research shows Turla has been using the Pakistani group’s infrastructure since 2022, using the servers to launch various backdoors and other malware. Eventually, Turla became more ambitious, moving laterally into Storm-0156’s workstation and gaining direct access to its data and tooling. Researchers at Microsoft contributing to the report said Turla used this access to target Afghan government agencies. This isn’t a new tactic for Turla. Back in 2019, the NSA put out an advisory that it hijacked infrastructure by the Iran-backed group OilRig to carry out attacks. (Bleeping Computers)

 

Cisco switches hit with bootloader vulnerability

The flaw impacts over 100 device models across Cisco’s MDS, Nexus, and UCS Fabric Interconnect lines, allowing attackers to bypass the bootloader verification process and load software. The flaw doesn’t require authentication but physical access to the switches. Cisco released several NX-OS updates to patch the flaws and will roll out the updates for all devices by the end of the month, excluding one discontinued Nexus model. It cautioned that no mitigations for this flaw will be provided in the interim other than preventing physical access to the switches. (Security Week)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

As you gather around the Thanksgiving table later this week, the last thing you want is to be the one out of the loop on the latest cybersecurity headlines. Trust us, your friends and family will never let you live it down! From new attack techniques to massive outages and government recommendations on password legacies, we’ve rounded up the must-know news so you can stay informed and keep the dinner table chatter on point. Read on to get the full scoop—because you don’t want to be left in the digital dust this holiday season!

 

APT28 uses novel technique to breach organizations via nearby WiFi networks

Volexity has published a report on a novel attack vector used by the Russian threat actor GruesomeLarch (commonly known as “APT28” or “Fancy Bear”) to breach enterprise Wi-Fi networks. The threat actor first compromised vulnerable organizations in close proximity to the targeted entity until they found a system that had both wired and wireless network connections. They would then use this system’s Wi-Fi adapter to connect to the SSID of the targeted organization’s Wi-Fi and authenticate to it, granting them access to the target’s network.

The researchers note, “Volexity believes this represents a new class of attack that has not previously been described, in which a threat actor compromises one organization and performs credential-stuffing attacks in order to compromise other organizations in close physical proximity via their Wi-Fi networks. To reiterate, the compromise of these credentials alone did not yield access to the customer’s environment, as all Internet-facing resources required use of multi-factor authentication (MFA). However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect.” Volexity adds, “The Nearest Neighbor Attack effectively amounts to a close access operation, but the risk of being physically identified or detained has been removed. This attack has all the benefits of being in close physical proximity to the target, while allowing the operator to be thousands of miles away.” Volexity says the threat actor used this technique to steal information on Ukrainian matters just before Russia’s invasion of Ukraine in February 2022. (Volexity)

 

Microsoft 365 outage update

If you were wondering whether Microsoft’s outages on Monday should have been your cue to start your Thanksgiving vacation early, you weren’t alone. Microsoft addressed widespread Microsoft 365 outages affecting services like Exchange Online, Microsoft Teams, SharePoint Online, and Outlook. The issue, caused by a “recent change,” has led to difficulties accessing these platforms and performing certain actions within Microsoft Fabric and Defender for Office 365. Microsoft deployed a fix to the affected environments, initiated manual restarts on impacted systems, and, as of this recording, is monitoring progress. While this follows a major outage in July caused by a DDoS attack, Microsoft has not attributed the current incident to any malicious activity. (Bleeping Computer)

 

“Hair on Fire” over China’s cyber campaign

The Biden administration met with telecom executives to discuss the impact of China’s cyber espionage campaign targeting U.S. telecommunications networks, which may require a large-scale rebuild of infrastructure.Senator Mark Warner, chair of the Senate Intelligence Committee, has raised alarms over China’s persistent cyberattacks on U.S. telecommunications networks, describing their severity as far exceeding previous incidents. He said China’s actions make Russia-linked incidents like the SolarWinds hack and Colonial Pipeline attack look like “child’s play.” Warner highlighted that attackers exploited wiretapping capabilities and stole extensive data from U.S. networks, while the administration’s meeting emphasized sharing intelligence on the ongoing threat. China denies these claims, but U.S. officials have described the activity as significant and unresolved. (The Register)

 

Meta takes down millions of accounts linked to pig-butchering scams

Facebook’s parent company Meta has taken down over two million accounts this year tied to pig-butchering scams, CyberScoop reports. Pig butchering is a form of investment scam that involves forming a long-term, trusted relationship with the victim and tricking them into pouring a great deal of money into a phony investment scheme, usually involving cryptocurrency. The scams often begin on dating apps or social media sites.

Many of these scams are run out of criminal forced-labor operations in Myanmar, Laos, Cambodia, the United Arab Emirates, and the Philippines. Meta states, “During the COVID-19 pandemic, scam compounds run by organized crime emerged in the Asia Pacific region as one of the major sources of ‘pig butchering’ and other scam activity. And while they are mostly based in Asia, scam centers target people across the globe. These criminal scam hubs lure often unsuspecting job seekers with too-good-to-be-true job postings on local job boards, forums, and recruitment platforms to then force them to work as online scammers, often under the threat of physical abuse.” (Cyberscoop, Meta)

 

DoJ seizes credit card marketplace PopeyeTools

The dark web marketplace that specialized in selling stolen credit cards long with cybercrime tools, and which has been in business 2016 was taken down by agents of the Department of Justice last week with three of its key operators now facing fraud-related charges, and the websites and hosting services seized. According to court documents, the PopeyeTools marketplace offered services such as “unauthorized payment card data and PII for cards that were marketed as ‘live’ as well as logs of stolen bank account information, email spam lists, scam pages, and guides and tutorials.” (Department of Justice announcement)

 

North Korean front companies impersonate U.S. IT firms for military funding

According to researchers at SentinelOne, as well as a report form Palo Alto Networks, threat actors connected to North Korea continue to impersonate U.S.-based software and technology consulting businesses. In a global campaign, which Palo Alto Networks Unit 42 is tracking as Wagemole, the actors use forged identities to get hired obtain employment at companies in the U.S. and elsewhere, sending most of their salary back to their home country. This most recent chapter in this ongoing story identifies some front companies by name, analyzed by SentinelOne, which were “all registered through NameCheap and claimed to be development outsourcing, consulting, and software businesses, while copying their content from legitimate companies.” The list is available in the show notes to this episode. (The Hacker News)

 

Volunteer DEFCON hackers take on U.S. water infrastructure concerns

The Franklin project, launched at this year’s DEFCON, is intended to employ the skills of top hackers to “not only … strengthen U.S. resilience to online attacks, but also to chronicle what is being done in a yearly Hacker’s Almanack so that others can learn essential skills. The program is partnered with the Harris School of Public Policy’s Cyber Policy Initiative at the University of Chicago, as well as the National Rural Water Association (NRWA). Together they are using the coders’ talents to investigate water companies in Utah, Vermont, Indiana, and Oregon, to fix any issues they find, and then pass the knowledge on. (The Register)

 

VMware vCenter Server flaws are being actively exploited

The US Cybersecurity and Infrastructure Security Agency (CISA) warns that two vulnerabilities affecting VMware vCenter Server are being actively exploited. One of the flaws (CVE-2024-38812) has been assigned a CVSS score of 9.8 and can allow an attacker to achieve remote code execution. Broadcom issued updated patches in October after determining that its September patches didn’t fully address the vulnerability. The company strongly encourages customers to ensure they’ve applied the new patches. The vulnerabilities affect “VMware vCenter and any products that contain vCenter, including VMware vSphere and VMware Cloud Foundation.” (CISA, vmware)

 

MITRE offers updated list of most dangerous software vulnerabilities

MITRE, the not-for-profit organization that oversees federally funded R&D centers with an eye to cybersecurity, has updated its “Common Weakness Enumeration Top 25 Most Dangerous Software Weaknesses” list, reflecting the newest developments in the cyber threat landscape. At the top of the list is cross-site scripting in top place followed by out-of-bounds write flaws, SQL injection bugs. Missing authorization comes in at number 10. CISA, which worked with a branch of MITRE in putting together the report, is now urging organizations to “review the list and prioritize these weaknesses in development and procurement processes.” (Security Week and MITRE)

 

Easily exploitable bugs found in Ubuntu Server utility after 10 years

The researchers at Threat Research Unit of Qualys, say they refuse to release exploit code for five bugs in Ubuntu Server’s needrestart utility. They state they were “able to develop a working exploit but wouldn’t release it, describing the findings as alarming.” The five vulnerabilities described by the researchers were actually introduced in April 2014. They reside in the needrestart utility of Ubuntu Server, which is designed to determine if a restart is needed following, for example, a critical library update or an upgrade is made. All five vulnerabilities have CVE numbers and four of them have a 7.8 CVSS score. (The Register)

 

Japan’s government suggests putting your usernames and passwords in your will

Described as “digital end of life planning” Japan’s National Consumer Affairs Center on Wednesday released a collection of suggestions to help avoid the complications and costs associated with passing to the great beyond with passwords still hidden. Helping loved ones deal with a digital legacy can include: ensuring family members can unlock your smartphone or computer; maintaining a list of subscriptions with user IDs and passwords; adding these details to a document intended for the person or persons responsible for managing such affairs, and designate a person to have access to the smartphone and other accounts. (The Register)

 

Oracle patches zero-day flaw

Oracle has issued a patch for an actively exploited vulnerability (CVE-2024-21287) affecting its Agile Product Lifecycle Management software, BleepingComputer reports. Oracle stated, “This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure.” The flaw was assigned a CVSS score of 7.5. (Bleepingcomputer, Oracle)

 

Chinese threat actors infiltrate more telcos

CrowdStrike has published a report on LIMINAL PANDA, a Chinese threat actor targeting telecommunications companies in countries associated with China’s Belt and Road Initiative. The researchers note, “The adversary targets these organizations to directly collect network telemetry and subscriber information or to breach other telecommunications entities by exploiting the industry’s interoperational connection requirements.” The goal of the operation is likely cyberespionage. CrowdStrike explains, “LIMINAL PANDA has previously focused on telecommunications providers in southern Asia and Africa, suggesting that their final targets likely reside in these regions; however, individuals roaming in these areas may also be targeted depending on the compromised network’s configuration and LIMINAL PANDA’s current access. Equally, depending on their current collection requirements, the adversary could employ similar TTPs to target telecoms in other regions.” (Axios, CrowdStrike)

 

Apple issues emergency security update

The company issued a patch for two vulnerabilities impacting most of Apple’s portfolio, including iOS, iPadOS, macOS Sequoia, Safari, and visionOS. Researchers at Google’s Threat Analysis Group initially disclosed the issues to Apple. One flaw impacts JavaScriptCore; the other is a “cookie management issue” in WebKit. The company said it found signs of active exploitation on Intel-based Mac systems, although no details on any threat actors targeting the vulnerabilities were released. These mark the sixth zero-day vulnerabilities disclosed by Apple this year. (Infosecurity Magazine)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

Still using 123456 as your password? If so, it’s time to rethink your approach to security. Cyber threats are evolving rapidly, and the risks are only growing. In this week’s roundup, we cover the latest developments, from the industries most at risk of cyber attacks to critical vulnerabilities you need to address immediately. Read on for essential insights into the cybersecurity landscape.

 

Moody’s designates the industries at highest risk of cyber attack

Moody’s has assigned a “very high” cyber risk rating to the telecommunications, airline, and power generation sectors due to increasing digitization and weak cybersecurity practices. These industries collectively face $7.1 trillion in debt. Telecommunications, notably vulnerable, has seen major breaches, including attacks on AT&T, Lumen, and Verizon by China’s Salt Typhoon group. Airlines’ cyber risk rose after a CrowdStrike software update failure exposed their reliance on tech. Other sectors, including automotive, education, manufacturing, energy, and ports, also saw risk levels increase to “high.” (scworld)

NIST misses its deadline for clearing the NVD backlog

NIST announced it’s working through a large backlog of over 18,000 vulnerabilities in the National Vulnerability Database (NVD) but missed its original goal of clearing it by September 30. Despite hiring more analysts and addressing all Known Exploited Vulnerabilities (KEV), NIST struggled due to incompatible data formats from Authorized Data Providers (ADPs). NIST is developing new systems to streamline data processing and pledged to provide updates on further progress, though it hasn’t set a new deadline for clearing the entire backlog. (SecurityWeek)

 

China threat actors breached U.S. broadband providers to spy on U.S. government officials

The US FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that Chinese government hackers conducted a “broad and significant cyber espionage campaign” that compromised several US telecom companies, TechCrunch reports. The Wall Street Journal reported last month that the breached companies include AT&T, Lumen, and Verizon. The hackers targeted systems used by the Federal government to carry out court-authorized network wiretapping requests.

The FBI and CISA stated, “[W]e have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues.” (Security Affairs)

 

123456 tops the list of most popular passwords again

NordPass, maker of a password manager and sister company of NordVPN, has announced its list of the 200 most common passwords and the results are disappointing. In this sixth year of publishing its list derived from a 2.5TB database of passwords, personal and professional, from around the world, including on the dark web, comes to a single conclusion: people are really bad at choosing hard-to-crack passwords. The list contains variations on the 123456 theme and the qwerty theme as well as single word passwords like “password” and “secret,” all of which can be cracked in less than a second. “The personal and corporate passwords analyzed by NordPass were stolen by malware or exposed in data breaches. In most cases, the email addresses were leaked along with the passwords, helping NordPass determine which ones were for personal use and which ones were for business use.” The company says there really hasn’t been any improvement over these six years. A link to the NordPass report is available in the show notes to this episode. (NordPass)

 

Hackers use macOS extended file attributes to hide malicious code

This new technique abuses extended attributes for macOS files in order to deliver a new trojan that researchers call RustyAttr. In this procedure, threat actors “hide malicious code in custom file metadata and also use decoy PDF documents to help evade detection.” MacOS extended attributes (EAs) handle hidden metadata which is most often associated with files and directories, and is not directly visible with Finder. In the case of RustyAttr attacks, the EA name is ‘test’ and holds a shell script. To avoid detection during this process, some samples launch decoy PDF files or display error dialogs. (BleepingComputer)

 

In Switzerland, malware now arrives by postal mail

Switzerland’s Federal Office for Cybersecurity (OFCS) has issued a warning about letters being sent via regular post that pretend to be from the country’s meteorological agency, MeteoSwiss and which are being used to spread malware. These postal letters, with dates up to November 12, appear to offer access to a new weather app via a printed QR code. In reality this link downloads the stealer malware ‘Coper’ and ‘Octo2’, which seek out login details for more than 383 mobile apps, including e-banking apps.” Although this is not the first time a postal service has been used to deliver malware, experts note that the additional overhead, namely postage, mean it is still rare. (The Record)

 

Zoom discloses multiple vulnerabilities

Zoom disclosed multiple vulnerabilities in its applications, including a critical buffer overflow flaw (CVE-2024-45421) with a CVSS score of 8.5, allowing authenticated users to execute remote code. Another significant issue (CVE-2024-45419) involves improper input validation, which could lead to unauthorized information disclosure. Affected products include the Workplace App, Rooms Client, Video SDK, and Meeting SDK across Windows, macOS, iOS, Android, and Linux. Users are advised to update to the latest versions (6.2.0 or later) to mitigate risks. (Cyber Security News)

 

Federal agencies and Five Eyes partners list the past year’s most exploited vulnerabilities

CISA, the FBI, NSA, and Five Eyes intelligence agencies have identified the top 15 most exploited security vulnerabilities from last year, urging organizations to patch these flaws immediately. In a joint advisory, they emphasized the critical need for effective patch management to reduce network exposure. The report highlights an increase in zero-day exploits in 2023 compared to 2022, noting that the majority of frequently targeted vulnerabilities were zero-days, which allowed attackers to infiltrate high-value targets more effectively. Twelve of the top 15 vulnerabilities had patches released last year, underscoring the importance of swift patch deployment as cybercriminals continue targeting unpatched flaws.

Leading the list is CVE-2023-3519, a code injection vulnerability in NetScaler ADC/Gateway. This vulnerability, exploited by state actors, enabled remote code execution on unpatched servers, compromising U.S. critical infrastructure. By mid-August, hackers had used this flaw to backdoor over 2,000 Citrix servers worldwide. The advisory also mentions 32 additional vulnerabilities frequently exploited in 2023, offering guidance on minimizing risk. Meanwhile, MITRE recently updated its list of dangerous software weaknesses, underscoring ongoing challenges. Jeffrey Dickerson, NSA’s cybersecurity director, warned that exploitation of known vulnerabilities will persist, urging network defenders to remain vigilant and proactive through 2024 and beyond. (Bleepingcomputer)

 

Volt Typhoon rebuilding botnet

In early 2024, the US government announced it had disrupted the botnet used by Volt Typhoon, a threat actor with suspected links to the Chinese government. This botnet predominantly used unpatched Cisco, Fortinet, and Netgear devices. We’re not seeing signs that the group is building a new botnet. Researchers at SecurityScorecard saw a cluster tied to the group covertly routing traffic, primarily made up of compromised Netgear ProSafe, Mikrotik, and Cisco RV320 devices. This appears to be using the same core infrastructure and techniques previously used by Volt Typhoon. (Security Week)

 

DoD leaker sentenced

The US attorney for Massachusetts announced it sentenced former Massachusetts Air National Guardsman Jack Teixeira to 15 years in prison for stealing and leaking classified information. Court documents show Teixeira shared classified documents on Discord sometime in 2022, including troop movements and information on equipment provided to Ukraine. The leaks were discovered in March 2023. Teixeira pleaded guilty to six counts related to that in March 2024 as part of a plea deal. (NBC)

 

End-of-life D-Link NAS devices under attack

Researchers at Netsecfish discovered a command injection vulnerability on D-Link NAS devices that allows an unauthenticated attacker to use GET requests to inject shell commands. This flaw has been under active exploitation since November 8th. However, the impacted models, DNS-320, 325, and 340L, are now end-of-life, and D-Link said it had no plans to release a patch. Researchers found over 41,000 unique IP addresses for vulnerable devices found online. D-Link advises customers to replace the devices or, at the very least, restrict them from open internet access.  (Bleeping Computer)

 

Cybercriminals use game-related apps to distribute Winos4.0

Cybercriminals are using game-related apps to distribute Winos4.0, a malware framework that grants full control over infected Windows systems. Rebuilt from the Gh0strat malware, Winos4.0 was detected in various gaming tools and optimization utilities, which lure users into downloading the infection. Similar to Cobalt Strike, the malware enables cyber espionage, ransomware deployment, and lateral movement. Once executed, the malware downloads a fake BMP file from a malicious server, beginning a multi-stage infection. The first DLL file establishes persistence and injects shellcode, while the second stage connects to a command-and-control server. Subsequent stages gather system details, check for anti-virus software, and capture sensitive information, including crypto wallet data and screenshots. This final stage sets up a persistent backdoor, allowing the attacker long-term access. Fortinet warns users to download apps only from trusted sources to mitigate risk. (The Register)

Hewlett Packard Enterprise (HPE) patches multiple vulnerabilities in its Aruba Networking access points

Hewlett Packard Enterprise (HPE), a major tech company specializing in enterprise hardware and software, announced patches this week for multiple vulnerabilities in its Aruba Networking access points, widely used in business networks. Among the vulnerabilities are two critical command injection flaws (CVE-2024-42509, CVE-2024-47460), which could allow remote, unauthenticated attackers to execute code as privileged users by sending specially crafted packets to UDP port 8211. These flaws impact Aruba devices running Instant AOS-8 and AOS-10, including some end-of-life versions. HPE advised that enabling cluster security on AOS-8 and blocking access to UDP/8211 for AOS-10 can mitigate risks. Additionally, three high-severity remote code execution (RCE) vulnerabilities could allow authenticated attackers to compromise system files and execute commands. The patches, included in AOS-10.7.0.0, AOS-10.4.1.5, Instant AOS-8.12.0.3, and Instant AOS-8.10.0.14, were released through Aruba’s bug bounty program, with no evidence of active exploitation. (SecurityWeek)

 

CISA issues a warning about a critical security flaw in Palo Alto Networks’ Expedition tool

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical security flaw (CVE-2024-5910) in Palo Alto Networks’ Expedition tool, used for firewall migration and configuration. The flaw, classified as a “Missing Authentication” vulnerability (CWE-306), enables attackers with network access to potentially hijack the Expedition admin account. This could grant cybercriminals access to sensitive configuration data, including credentials and highly privileged information.

CISA stresses that the vulnerability poses a significant risk due to the level of access it grants, although there is no confirmation yet of active exploitation. Organizations using the Expedition tool are urged to apply Palo Alto’s recommended mitigations. If these aren’t feasible, CISA advises discontinuing the tool’s use to prevent potential compromise. The deadline for federal agencies addressing this vulnerability is November 28, as CISA emphasizes immediate action to mitigate any potential threat. (gbhackers)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

Last week at the 2024 DoDIIS conference in Omaha, along with RedSeal experts Jeff Spugnardi and Steve Terrell, we engaged in critical discussions about the latest advancements and challenges in cybersecurity. Zero Trust continues to dominate conversations across the Intelligence Community (IC), solidifying its role as more than a buzzword—no longer an exploration, Zero Trust is a fundamental shift in cyber defense strategies for federal agencies.

The push for Zero Trust in the federal government officially began in 2021 when an executive order directed agencies to enhance their cybersecurity posture by adopting a Zero Trust architecture. This order marked a significant shift, emphasizing stringent access controls, identity verification, and data protection to defend against increasingly sophisticated cyber threats. Following this, the Office of Management and Budget (OMB) outlined a Federal Zero Trust Strategy in early 2022, establishing a five-pillar framework: Identity, Devices, Networks, Applications and Workloads, and Data. These pillars provide a comprehensive structure for agencies to implement Zero Trust principles across their networks and secure sensitive data effectively.

One key takeaway from the conference was the emphasis on moving from network-centric to data-centric defenses. As Major General John Phillips from EUCOM discussed, defending data requires a mindset that goes beyond traditional perimeter-based security. This change is particularly relevant in the era of cloud adoption and remote work, where information assets are dispersed across a wider digital landscape. The shift to a data-centric Zero Trust model aligns with the IC’s goal to ensure that sensitive data remains protected, even within highly controlled environments like the JWICS network used by the Department of Defense. RedSeal can proactively protect networks that are disconnected. There are no agents or bots on your networks.

It also aligns with RedSeal’s focus on helping organizations to visualize, monitor, and analyze complex network infrastructures, gaining a comprehensive view of potential vulnerabilities across cloud, hybrid, and on-premises environments. The first step in security is knowing what you have, RedSeal’s comprehensive model ensures that security teams have a clear understanding of how data flows within and across these environments.

As Major General John Phillips noted, data protection goes beyond traditional perimeter defenses. RedSeal’s continuous network assessment and risk prioritization tools help identify and secure sensitive data at every point in its lifecycle. By mapping the network’s entire digital terrain, RedSeal allows agencies to enforce access policies and detect areas of potential compromise before they’re exploited.

This proactive approach directly supports the IC’s goal to protect sensitive data in dispersed and high-risk environments, such as JWICS and other airgap networks. In short, RedSeal empowers cybersecurity teams to operationalize Zero Trust principles effectively, moving from a reactive to a resilient security stance in line with today’s complex digital landscapes.

Speakers at the conference, including NSA’s Jennifer Kron, highlighted that Zero Trust is a journey, not a one-time deployment. As agencies operationalize cyber defenses, they’re also striving to create a maturity model to assess progress across Zero Trust pillars, from identity management to data protection. Leaders underscored the importance of training cyber defenders to adapt to this paradigm, equipping them with skills to safeguard information, not just networks.

RedSeal’s solutions play a pivotal role in supporting these Zero Trust efforts, as our platform provides continuous visibility into complex network environments and helps agencies assess the maturity of their Zero Trust architecture. Recently recognized with a Breakthrough Award for our innovation in cybersecurity, RedSeal is committed to empowering organizations to secure their critical assets, map their attack surface, and identify vulnerabilities before adversaries do. For those looking to bolster their Zero Trust strategies, RedSeal offers the tools and expertise needed to stay ahead in today’s evolving threat landscape.

Contact us to learn how we can support your organization’s Zero Trust journey.