Cyber News Roundup for December 13, 2024

In this week’s cybersecurity news roundup, we cover a range of critical vulnerabilities and ongoing threats. Highlights include the disclosure of a severe Apache Struts 2 vulnerability with a high CVSS score, a potential shift in U.S. Cyber Command and NSA leadership, and a Microsoft MFA bypass attack named AuthQuake. We’re also seeing a series of high-stakes cyberattacks, including the exploitation of AWS misconfigurations, a ransomware assault on Electrica Group, and a breach at Krispy Kreme. As cyber risks continue to evolve, these incidents serve as a stark reminder of the need for robust security measures.

A critical vulnerability in Apache Struts 2 has been disclosed

A critical vulnerability in Apache Struts 2, CVE-2024-53677, has been disclosed with a near-maximum severity score: 9.5 (CVSSv4) and 9.8 (CVSSv3). This flaw allows remote code execution via malicious file uploads and lacks a workaround, making patching to Struts 6.4.0 or higher essential. Applications not using the deprecated File Upload Interceptor are unaffected. Updating requires rewriting actions for compatibility. Despite alternatives, Struts 2 remains popular, with significant downloads monthly. The vulnerability underscores risks, recalling Struts’ role in the 2017 Equifax breach. (The Register)

Trump advisors explore splitting NSA and CyberCom leadership roles

Advisers to President-elect Donald Trump are revisiting plans to separate U.S. Cyber Command (CyberCom) and the National Security Agency (NSA), currently led under a “dual-hat” structure. This idea, previously explored during Trump’s first term, has resurfaced within the transition team and right-wing think tanks. Proponents argue the roles are too vast for one leader, while critics warn of operational inefficiencies and risks to NSA’s intelligence-gathering integrity.

The arrangement, established in 2010, has sparked debates across administrations, with President Biden’s 2022 review favoring its retention. Legal hurdles exist, but Trump could bypass Congress with executive actions. A split would raise complex restructuring questions and could dilute CyberCom’s and NSA’s effectiveness. Lawmakers remain skeptical, emphasizing the need for clear justification. Critics also highlight the irony of Trump’s anti-bureaucracy stance driving a move that could create new administrative challenges. For now, the dual-hat structure remains intact. (The Record)

Microsoft MFA bypassed in AuthQuake PoC

Researchers at Oasis Security presented details of an attack technique that could have given threat actors access to Outlook emails, OneDrive files, Teams chats, and Azure cloud instances. Needing only about an hour to execute, it required no user interaction and would not trigger any notification to the victim. The attack targets the authenticator app flow, in which a user obtains a six-digit MFA code from their app. The researchers observed that a single session allows up to 10 failed attempts, a limit intended to prevent brute-force attacks, but they then found that an attacker could open many sessions and submit attempts simultaneously, enabling them to work through the possible combinations relatively fast. Oasis named this attack method AuthQuake and reported it to Microsoft in late June. A temporary fix was deployed a few days later, followed by a permanent fix in October. (Security Week)
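
To make the weakness concrete from the defender's side, the following added Python example (not code from Oasis Security or Microsoft) models the two rate-limiting policies the description implies: a per-session budget of 10 failed codes, which parallel sessions multiply, beside a per-account budget with a lockout window. The 15-minute lockout, the session ids and the user names are constructed for the example.

```python
import time
from collections import defaultdict

# The 10-failure budget is the per-session limit described in the article;
# the lockout window is a constructed value for this example.
MAX_FAILED_ATTEMPTS = 10
LOCKOUT_SECONDS = 15 * 60


class PerSessionLimiter:
    """Weak model: every session gets its own budget of failed MFA codes, so the
    total number of guesses an account tolerates grows with the number of
    concurrent sessions."""

    def __init__(self):
        self.failed = defaultdict(int)  # (user, session_id) -> failed attempts

    def allow(self, user, session_id):
        return self.failed[(user, session_id)] < MAX_FAILED_ATTEMPTS

    def record_failure(self, user, session_id):
        self.failed[(user, session_id)] += 1


class PerAccountLimiter:
    """Hardened model: failures are counted per account whatever session they
    arrive on, and the account is locked for LOCKOUT_SECONDS once the budget is
    spent. `now` is injectable so the lockout can be tested without sleeping."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.failed = defaultdict(int)   # user -> failed attempts
        self.locked_until = {}           # user -> monotonic timestamp

    def allow(self, user, session_id=None):
        until = self.locked_until.get(user)
        if until is not None:
            if self.now() < until:
                return False             # still inside the lockout window
            del self.locked_until[user]  # lockout expired: start a fresh budget
            self.failed[user] = 0
        return self.failed[user] < MAX_FAILED_ATTEMPTS

    def record_failure(self, user, session_id=None):
        self.failed[user] += 1
        if self.failed[user] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = self.now() + LOCKOUT_SECONDS

    def record_success(self, user):
        self.failed[user] = 0
        self.locked_until.pop(user, None)


def guesses_tolerated(limiter, user, sessions, attempts_per_session):
    """Measure how many wrong codes a limiter lets through for one account when
    `sessions` parallel sessions each submit `attempts_per_session` wrong codes.
    This is what an audit of the policy should compare across implementations."""
    permitted = 0
    for session_id in range(sessions):
        for _ in range(attempts_per_session):
            if limiter.allow(user, session_id):
                limiter.record_failure(user, session_id)
                permitted += 1
    return permitted


if __name__ == "__main__":
    print("per-session policy tolerates:",
          guesses_tolerated(PerSessionLimiter(), "alice", 5, 20))
    print("per-account policy tolerates:",
          guesses_tolerated(PerAccountLimiter(), "alice", 5, 20))
```

With five parallel sessions the per-session policy accepts 50 wrong codes for one account while the per-account policy accepts 10 and then locks; the point is that the counter protecting a six-digit code must be keyed on the account (and ideally also on the code's validity window), not on whatever session the guess arrives in.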

Ivanti reports multiple critical vulnerabilities in its Cloud Services Application

Ivanti has issued a security advisory for three critical vulnerabilities in its Cloud Services Application (CSA), including a maximum CVSS 10-rated flaw, CVE-2024-11639, which allows unauthenticated attackers to gain administrative privileges via authentication bypass in the admin web console. Two additional vulnerabilities, both rated 9.1, include a command injection flaw (CVE-2024-11772) enabling remote code execution and an SQL injection bug (CVE-2024-11773) that allows arbitrary SQL commands. These flaws are exploitable in CSA versions 5.0.2 and earlier, with patches available in version 5.0.3. Ivanti stated there is no evidence of exploitation but urges immediate updates to prevent potential attacks. This follows previous high-profile CSA vulnerabilities flagged by CISA due to active exploitation risks. (The Register)

Chinese APT abuses Visual Studio Code Tunnels for C2 purposes

SentinelOne has published a report on a Chinese cyberespionage campaign that targeted “large business-to-business IT service providers in Southern Europe” from late June to mid-July 2024. The threat actor used SQL injection against Internet-facing web and database servers to gain initial access. The campaign was detected and disrupted during its early stages. Notably, the operation abused Visual Studio Code Remote Tunnels for command-and-control purposes. The researchers explain, “Originally designed to enable remote development, this technology provides full endpoint access, including command execution and filesystem manipulation. Additionally, Visual Studio Code tunneling involves executables signed by Microsoft and Microsoft Azure network infrastructure, both of which are often not closely monitored and are typically allowed by application controls and firewall rules. As a result, this technique may be challenging to detect and could evade security defenses. Combined with the full endpoint access it provides, this makes Visual Studio Code tunneling an attractive and powerful capability for threat actors to exploit.” (SentinelOne)
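
Because the binaries are Microsoft-signed and the traffic goes to Azure, the practical detection handle is the command line that starts a tunnel. The following Python example is added here and is not from the SentinelOne report; it assumes process-creation telemetry in a simple pipe-separated layout, assumes the CLI binary names listed in TUNNEL_IMAGES, and uses the `tunnel` subcommand of the VS Code CLI as the indicator. The events, hosts and user names are constructed.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (timestamp|host|user|image|command line).
# They are sample telemetry made up for this example, not real logs.
SAMPLE_EVENTS = """\
2024-07-01T09:12:03Z|dev-ws-01|j.smith|C:\\Users\\j.smith\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe|"C:\\Users\\j.smith\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" --folder-uri file:///C:/src/app
2024-07-01T09:14:44Z|db-srv-07|svc_web|C:\\Temp\\code.exe|code.exe tunnel --accept-server-license-terms --name db-srv-07
2024-07-01T10:02:19Z|dev-ws-02|a.lee|/usr/bin/code|code tunnel --name lee-laptop
2024-07-01T10:30:00Z|build-01|ci|/usr/bin/code|code --install-extension ms-python.python
"""

# Assumed binary names for the VS Code CLI that can open a tunnel.
TUNNEL_IMAGES = {"code", "code.exe", "code-tunnel", "code-tunnel.exe"}

# First argv token (quoted or bare) followed by the `tunnel` subcommand.
TUNNEL_CMDLINE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+tunnel\b', re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    severity: str
    cmdline: str


def parse_event(line):
    """Split one pipe-separated event; the command line may itself contain pipes."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("timestamp", "host", "user", "image", "cmdline"), parts))


def is_tunnel_launch(image, cmdline):
    """True when a VS Code CLI binary is started with the `tunnel` subcommand."""
    name = re.split(r"[\\/]", image)[-1].lower()
    return name in TUNNEL_IMAGES and TUNNEL_CMDLINE.match(cmdline) is not None


def detect_tunnels(events_text, approved_hosts=frozenset()):
    """Return one Finding per tunnel launch. Launches on hosts where developers
    are expected to use tunnels are reported as low severity; anywhere else
    (servers, service accounts) they are high severity."""
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None or not is_tunnel_launch(ev["image"], ev["cmdline"]):
            continue
        severity = "low" if ev["host"] in approved_hosts else "high"
        findings.append(Finding(ev["timestamp"], ev["host"], ev["user"],
                                severity, ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for f in detect_tunnels(SAMPLE_EVENTS, approved_hosts={"dev-ws-02"}):
        print(f"[{f.severity}] {f.timestamp} {f.host} {f.user}: {f.cmdline}")
```

On the constructed sample the launch from a database server under a service account is reported as high severity while the developer workstation launch is merely logged; an editor started normally or used to install an extension produces no finding. In a real deployment the allowlist would come from asset inventory, and the same rule can be paired with egress monitoring for the tunnel service endpoints.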

Operation PowerOFF hits DDoS sites

Europol announced that a coordinated law enforcement effort across Finland, Australia, Brazil, Canada, the UK, and the US led to the shutdown of 27 popular DDoS attack platforms. Dubbed Operation PowerOFF, the effort identified over 300 users of these platforms and resulted in the arrest of three administrators. Europol said it timed the takedowns ahead of the December holiday season to prevent the typical spike in DDoS attacks that cause “severe financial loss, reputational damage, and operational chaos for their victims.” (The Record)

AI voice generation likely used in influence operation 

Researchers at Recorded Future cited the use of generative AI voice technology in a recent Russia-linked campaign to weaken Europe’s support for Ukraine. The researchers found it “very likely” that the campaign used commercial AI voice generation products, including technology from ElevenLabs. These voices were laid over supposed news clips to present Ukrainian politicians as corrupt. The technology allowed the campaign to produce videos quickly in various languages across the EU using native speech patterns and dialects. Recorded Future concluded that the actual impact of the campaign on public opinion was minimal. (TechCrunch)

Krispy Kreme hit with cyberattack

In “affront to all that is sacred” news, the US donut chain Krispy Kreme confirmed it suffered a cyberattack in an SEC filing. The attack began on November 29th, with ongoing impacts on online ordering in the US as of this recording. The attack did not impact in-person ordering and retail deliveries. In its Q3 earnings, the company reported digital orders represented 15.5% of sales. Krispy Kreme immediately sought outside expertise after discovering the attack, but no other details have been released. So far, no threat actors have taken credit for the attack. (Bleeping Computer)

Contenders for top cyber roles in the next Trump administration visit Mar-a-Lago

Brian Harrell, a seasoned veteran of the Department of Homeland Security (DHS) under the Trump administration, is reportedly a leading contender for high-ranking cybersecurity roles in the next administration, The Record reports. Sources familiar with the situation reveal that Harrell has been invited to Mar-a-Lago in the coming weeks to interview for roles such as director of the Cybersecurity and Infrastructure Security Agency (CISA) and DHS undersecretary for strategy, policy, and plans. Harrell, who previously served as DHS assistant secretary for infrastructure protection, is well-regarded for his expertise in safeguarding critical infrastructure. Recorded Future News first reported his candidacy for these prominent positions.

He is not the only one under consideration. Matt Hayden, former DHS assistant secretary for cyber, infrastructure, risk, and resilience, and Sean Plankey, a former National Security Council cyber team member and acting assistant secretary at the Department of Energy’s cybersecurity office, are also being discussed for potential leadership at CISA. Two sources confirmed Plankey’s name in the mix for the top CISA role. The forthcoming Mar-a-Lago interviews are part of broader plans to fill key positions within DHS, not only in cybersecurity but also in areas such as immigration enforcement and leadership roles at the Transportation Security Administration (TSA). This diverse hiring strategy reflects the transition team’s focus on securing leadership across various critical sectors. (The Record)

A Dell Power Manager vulnerability lets attackers execute malicious code

A critical vulnerability (CVE-2024-49600) in Dell Power Manager, used to manage power settings on Dell systems, allows attackers with local access and low privileges to execute malicious code and escalate privileges. Affecting versions prior to 3.17, the flaw stems from improper access control, enabling unauthorized access to sensitive system functions and potential full system compromise. Rated with a CVSS score of 7.8 (high severity), the vulnerability requires local access but is low in complexity and does not need user interaction. Dell has released version 3.17 to address the issue, urging users to update immediately. No workarounds exist, emphasizing the need for timely patching and robust endpoint security to mitigate risks. (Cyber Security News)

Hackers exploit AWS misconfigurations in massive data breach

Independent cybersecurity researchers, Noam Rotem and Ran Locar, uncovered a significant cyber operation exploiting vulnerabilities in public websites hosted on Amazon Web Services (AWS). Researchers linked the campaign to the Nemesis and ShinyHunters hacking groups who used tools like Shodan to scan AWS public IP ranges for application vulnerabilities or misconfigurations. They then scanned exposed endpoints for sensitive data, including credentials for popular platforms like GitHub, Twilio and cryptocurrency exchanges. Verified credentials were later marketed on Telegram channels for hundreds of euros per breach. The researchers and AWS advised customers to avoid use of hard-coded credentials by using services like AWS Secrets Manager, periodically rotating keys and secrets, deploying Web Application Firewalls (WAFs), and using CanaryTokens as tripwires for sensitive information. (Infosecurity Magazine and Dark Reading)
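
Two of the recommendations above (no hard-coded credentials, periodic key rotation) can be checked mechanically before code ever reaches a public host. The following Python example is added here and is not from the researchers or from AWS; it scans a configuration file for credential-shaped tokens and flags keys past a rotation age. The token formats are assumed to match the public formats of these credential types, the sample file is constructed, and the AWS values in it are the placeholder keys used in AWS documentation.

```python
import re
from datetime import date, timedelta

# Constructed sample of an environment file checked into a repository. The AWS
# values are the placeholder keys that AWS documentation uses; the rest are made up.
SAMPLE_CONFIG = """\
# database settings
DB_HOST=db.internal.example
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
TWILIO_ACCOUNT_SID=AC0123456789abcdef0123456789abcdef
"""

# Assumed public formats of the credential types the researchers mention.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
}


def redact(value):
    """Keep a short prefix so a finding is recognisable without reproducing the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_for_secrets(text):
    """Return (line_number, kind, redacted_value) for every credential-shaped token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group match the key name plus value;
                # only the value is reported.
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((lineno, kind, redact(value)))
    return findings


def needs_rotation(created, today, max_age_days=90):
    """Rotation check: a key older than max_age_days is due for replacement."""
    return (today - created) > timedelta(days=max_age_days)


if __name__ == "__main__":
    for lineno, kind, shown in scan_for_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} {shown}")
    # Constructed key creation date for the rotation check.
    print("rotate:", needs_rotation(date(2024, 8, 1), date(2024, 12, 13)))
```

Run as a pre-commit hook or CI step, the scanner turns the "avoid hard-coded credentials" advice into a failing build, and the rotation check is the kind of query one would run against the key metadata an identity service exposes. Neither replaces a secrets manager; they catch the cases where one was bypassed.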

Romanian energy giant battles ongoing attack

A cyberattack is in progress—that’s the note investors for the Electrica Group received on Monday. Electrica Group provides energy to more than 3.8 million customers in Romania and is considered one of the most important energy service companies in the country. Providing limited details, a statement from the company’s CEO said they are working to resolve the issue and identify the source of the attack. While not confirmed, the attack is believed to be tied to ransomware. The statement went on to say that critical systems have not been affected, but customers may notice disruptions in service that were purposely implemented to protect internal infrastructure. Some are speculating Russia may have had a hand in the attack after Romania blamed pro-Russian hackers last week for interfering in their presidential election, ultimately forcing the country to annul the results. (The Record)

Ransomware disrupts medical device maker

Medical device maker Artivion reports that it is still working to restore systems following a November ransomware attack that encrypted files and disrupted order, shipping, and corporate operations. The company, which makes and distributes aortic-centric cardiac and vascular medical products—think mechanical heart valves and stent grafts—to over 100 countries, said the attack caused disruptions to some order and shipping processes, though it has largely mitigated most of them. As of this recording, no ransomware group has claimed responsibility for the attack. (Security Week)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.