Cyber News Roundup for December 6, 2024
Cybersecurity continues to be a critical focus in the face of ever-evolving threats. This week, several major incidents and advisories highlight the increasing risks across multiple sectors. From the FBI and CISA urging the use of encrypted messaging apps to protect personal communications, to the revelations of hacking groups targeting U.S. telecom networks and companies facing vulnerabilities, these developments underscore the importance of robust security measures. Notable incidents include Cloudflare’s service disruption, the rise of sophisticated phishing tools bypassing multi-factor authentication, and ongoing concerns over legacy vulnerabilities in widely used devices. In this roundup, we take a closer look at these stories and the implications for both individuals and organizations in securing their digital environments.
FBI and CISA urge Americans to use encrypted apps rather than calling
In further developments from the Salt Typhoon attack on U.S. telecommunications companies, officials from both agencies are recommending that Americans start using encrypted messaging apps. Speaking to the media on Tuesday, Jeff Greene, executive assistant director for cybersecurity at CISA, along with a senior FBI official who asked not to be named, said they plan to use the same message as they do inside their respective organizations: “Encryption is your friend,” whether it’s on messaging or encrypted voice communication. They also suggest people consider using a cellphone that “automatically receives timely operating system updates, responsibly managed encryption and phishing resistant multi-factor authentication for email, social media, and collaboration tool accounts.” (NBC News)
Cloudflare says it lost 55% of logs pushed to customers for 3.5 hours
This story pertains to a bug that appeared on November 14 in the internet security company’s log collection service, which allows customers to monitor the traffic on their websites and filter it based on certain criteria. The logs are also used to investigate security incidents, DDoS attacks, and traffic patterns, and to perform site optimizations. This is a big service, amounting to over 50 trillion customer event logs every day, of which around 4.5 trillion are sent to customers. The incident was caused by a misconfiguration in a log forwarder component in Cloudflare’s pipeline, which paused delivery and then created a massive spike once the system tried to recover. Cloudflare has now implemented several measures to prevent future occurrences. (BleepingComputer)
Phishing tool Rockstar 2FA targets Microsoft 365 creds
Researchers at Trustwave are warning of a phishing-as-a-service toolkit named Rockstar 2FA, which targets Microsoft 365 accounts and bypasses multi-factor authentication via adversary-in-the-middle attacks. It is an updated version of the DadSec/Phoenix phishing kit. The attacks steal a victim’s password and session cookie through a proxy server placed between the target user and the website the user wishes to visit; the page the user actually interacts with is a phishing site. Trustwave points out a unique feature of this campaign: the phishing websites share a common car theme. (Cybersecurity News)
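The adversary-in-the-middle flow above relays whatever the victim types, which is why the FBI/CISA guidance earlier on this page calls for phishing-resistant MFA. The added example below (not code from Trustwave or Microsoft) models why an origin-bound FIDO2/WebAuthn assertion fails when relayed through a proxy: the browser, not the user, writes the origin into the signed client data, so the relying party rejects an assertion minted on a look-alike domain. Origins, the authenticator, and the HMAC stand-in for an ECDSA signature are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins: the real relying party and an attacker-controlled proxy domain.
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example.attacker.test"


class Authenticator:
    """Stand-in for a FIDO2 security key. Real keys sign with a private ECDSA key and the
    relying party keeps the public key; an HMAC over the same fields is used here so the
    example runs with the standard library only."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)  # the registered credential

    def make_assertion(self, challenge: bytes, browser_origin: str) -> dict:
        # The browser fills in the origin it is really connected to; the user cannot override it.
        client_data = json.dumps({"challenge": challenge.hex(), "origin": browser_origin}).encode()
        digest = hashlib.sha256(client_data).digest()
        signature = hmac.new(self.secret, digest, "sha256").hexdigest()
        return {"client_data": client_data, "signature": signature}


def rp_verify(auth: Authenticator, challenge: bytes, assertion: dict) -> bool:
    """Relying-party check: the signature must verify AND the signed origin must be ours.
    A relayed password or one-time code carries no such origin, which is why it can be replayed."""
    digest = hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(auth.secret, digest, "sha256").hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == challenge.hex() and data["origin"] == RP_ORIGIN


def relay_accepted(auth: Authenticator, browser_origin: str) -> bool:
    """Model of the proxy flow: the proxy obtains a genuine challenge from the relying party,
    presents it to the victim's browser, and forwards the resulting assertion unchanged.
    Returns True only if the relying party accepts what came back."""
    challenge = secrets.token_bytes(32)
    assertion = auth.make_assertion(challenge, browser_origin)
    return rp_verify(auth, challenge, assertion)
```

With the browser on the genuine origin the assertion verifies; routed through the proxy origin it is rejected even though the challenge and signature are both valid.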
FBI advises telecoms to boost security following Chinese hacking campaign
Since October, we’ve been covering ongoing reports that China-backed hacking group, Salt Typhoon, was reportedly in the networks of AT&T, Verizon, and Lumen (formerly CenturyLink), among others. These attacks are thought to be part of a broad Chinese espionage campaign targeting U.S. officials and also wiretap systems that might identify Chinese individuals under U.S. surveillance. On Tuesday, U.S. government officials warned that Salt Typhoon is still inside networks of some phone and internet providers. Additionally on Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance to telecommunication companies to bolster their defenses through deployment of encryption as well as centralized and consistent monitoring. The government’s guidance was issued jointly with security agencies and organizations in New Zealand, Australia, Canada, and Britain. (SecurityWeek and TechCrunch)
Decade-old Cisco vulnerability under active exploit
Cisco is warning customers that an input validation vulnerability (CVE-2014-2120) in its Adaptive Security Appliance (ASA) WebVPN login page is now actively being exploited by threat actors. Cisco documented the bug back in 2014 and exploitation could allow an unauthenticated remote attacker to launch cross-site scripting (XSS) attacks. Cisco discovered exploitation attempts in November 2024 and said customers should upgrade to a fixed software release. The company added that there are no workarounds for this flaw. This issue highlights how implementing legacy security fixes can get lost in the sea of security priorities that organizations are facing. (Dark Reading)
Misconfigured WAFs heighten security risks
According to a report from Zafran, nearly 40% of Fortune 100 companies leveraging their content delivery network (CDN) providers for Web Application Firewall (WAF) services may be exposing back-end servers to attacks. WAFs act as intermediaries between users and Web applications, inspecting traffic for an array of threats and blocking malicious activity. In total, Zafran found 2,028 domains belonging to 135 companies exposing at least one supposedly WAF-protected server. This means attackers could access the servers over the Internet to launch attacks like denial-of-service (DoS) and ransomware. The researchers explained that the issues stem from organizations not following best practices including adequately validating Web requests to back-end origin servers, filtering IP addresses and establishing encrypted TLS connections between the CDN provider and their servers. While some responsibility does lie with customers, the researchers said, “CDN providers who offer WAF services share some responsibility as well for failing to offer customers proper risk avoidance measures and for not building their networks and services to circumvent misconfigurations in the first place.” (Dark Reading)
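The best practices Zafran lists amount to making the origin refuse anything that did not come through the CDN. The added example below (not Zafran's or any CDN provider's code) shows the "trust everything" origin policy beside a hardened one that requires all three controls: a source address inside the provider's published egress ranges, TLS on the CDN-to-origin hop, and a per-customer secret header. The egress ranges, the `X-Origin-Auth` header name, the secret, and the sample requests are all constructed for this example.

```python
import hmac
import ipaddress

# Constructed values: egress ranges the CDN/WAF provider publishes to its customers,
# and a shared secret the CDN injects into every request it forwards to the origin.
CDN_EGRESS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8:100::/48")]
ORIGIN_SECRET = b"constructed-shared-secret-rotate-me"
AUTH_HEADER = "X-Origin-Auth"  # hypothetical header name


def weak_origin_policy(request: dict) -> bool:
    """The misconfiguration in the report: the origin accepts any request that reaches it,
    so a client that learns the origin's address simply bypasses the WAF."""
    return True


def hardened_origin_policy(request: dict) -> bool:
    """Accept a request only if it demonstrably came through the CDN.
    Every check must pass; failing any one rejects the request."""
    src = ipaddress.ip_address(request["src_ip"])
    from_cdn = any(src in net for net in CDN_EGRESS)  # IPv4/IPv6 mismatch is simply False
    over_tls = request.get("tls") is True  # no plaintext fallback on the CDN-to-origin hop
    presented = request.get("headers", {}).get(AUTH_HEADER, "").encode()
    secret_ok = hmac.compare_digest(presented, ORIGIN_SECRET)  # constant-time comparison
    return from_cdn and over_tls and secret_ok


# Constructed sample traffic.
VIA_CDN = {"src_ip": "203.0.113.7", "tls": True, "headers": {AUTH_HEADER: ORIGIN_SECRET.decode()}}
VIA_CDN_V6 = {"src_ip": "2001:db8:100::42", "tls": True, "headers": {AUTH_HEADER: ORIGIN_SECRET.decode()}}
DIRECT = {"src_ip": "198.51.100.9", "tls": True, "headers": {}}
DIRECT_WITH_HEADER = {"src_ip": "198.51.100.9", "tls": True, "headers": {AUTH_HEADER: ORIGIN_SECRET.decode()}}
CDN_RANGE_NO_SECRET = {"src_ip": "203.0.113.8", "tls": True, "headers": {}}
CDN_PLAINTEXT = {"src_ip": "203.0.113.7", "tls": False, "headers": {AUTH_HEADER: ORIGIN_SECRET.decode()}}
```

The weak policy admits every sample request; the hardened one admits only the two that arrive from a CDN address, over TLS, with the correct secret.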
Japan warns of I-O Data zero-day router flaws exploited in attacks
Japan’s Computer Emergency Response Team, aka CERT, is warning of zero-day vulnerabilities in I-O Data router devices. These can be exploited to modify device settings, execute commands, or even turn off the firewall. “The vendor has acknowledged the flaws in a security bulletin published on its website.” But the fixes are only expected to land on December 18, which means users will be exposed to risks until then unless mitigations are enabled. The three flaws, which were identified on November 13 and which all have CVE numbers, relate to information disclosure, remote arbitrary OS command execution, and the ability to disable firewalls. (BleepingComputer)
Microsoft stands firm on TPM requirements for Windows 11
Microsoft is pushing hard on its upgraded security culture by dashing the hopes some may have had about lower hardware requirements for Windows 11. Windows 10 end of support is approaching in October 2025, and Microsoft says that its Trusted Platform Module (TPM) 2.0 requirement for Windows 11 is “non-negotiable.” TPM 2.0 is a hardware-level chip or firmware capability that helps encrypt or decrypt data, confirm digital signatures, and assist with other cryptographic operations. (The Verge)
Senators fume over response to ‘disturbing and widespread’ Chinese hack of US telecoms
Senators have expressed deep frustration over the Biden administration’s handling of a significant cyberattack by the Chinese government-linked group “Salt Typhoon,” which infiltrated numerous U.S. and global telecommunications systems. This breach, considered the most severe in telecom history, compromised the phones of officials, including President-elect Donald Trump, and potentially exposed the communications of a vast number of Americans. During a Capitol Hill briefing, lawmakers criticized the lack of accountability and demanded more transparency. Senator Rick Scott (R-Fla.) questioned the absence of preventive measures, while Senator Josh Hawley (R-Mo.) described the breach as “breathtaking” and called for declassification of details to inform the public about the potential exposure of their communications.
Senate Intelligence Committee Chair Mark Warner (D-Va.) highlighted the failure of telecom companies to secure critical systems, noting that the hackers remain embedded in these networks. In response, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are collaborating with telecom providers to address the breach, though the full extent of the infiltration remains uncertain. CISA Director Jen Easterly announced that the Department of Homeland Security’s Cyber Safety Review Board would formally investigate the hack, with recommendations expected next year.
Lawmakers are also considering legislation to enhance cybersecurity in telecommunications, aiming to implement measures before year’s end. Senator Mike Rounds (R-S.D.) emphasized the need for enforceable cybersecurity standards for telecom companies, acknowledging that addressing these security concerns will require time. The bipartisan concern underscores the necessity for stringent cybersecurity protocols and potential retaliatory actions against China, as the administration continues to investigate and seek long-term solutions to this critical national security threat. (Politico, Reuters, Yahoo)
Russian hackers hack hackers
In No Honor Among Thieves News, a new report from Lumen’s Black Lotus Labs details how the Russian cyber-espionage group Turla used the infrastructure of the Pakistani-linked group Storm-0156 to launch its own attacks. Researchers had been observing operations by Storm-0156, finding a C2 server on an Indian government network. This server began interacting with three IP addresses known to be linked to Turla. Further research shows Turla has been using the Pakistani group’s infrastructure since 2022, using the servers to launch various backdoors and other malware. Eventually, Turla became more ambitious, moving laterally into Storm-0156’s workstation and gaining direct access to its data and tooling. Researchers at Microsoft contributing to the report said Turla used this access to target Afghan government agencies. This isn’t a new tactic for Turla. Back in 2019, the NSA put out an advisory that Turla had hijacked infrastructure belonging to the Iran-backed group OilRig to carry out attacks. (BleepingComputer)
Cisco switches hit with bootloader vulnerability
The flaw impacts over 100 device models across Cisco’s MDS, Nexus, and UCS Fabric Interconnect lines, allowing attackers to bypass the bootloader verification process and load software. The flaw doesn’t require authentication, but it does require physical access to the switches. Cisco released several NX-OS updates to patch the flaw and will roll out the updates for all devices by the end of the month, excluding one discontinued Nexus model. It cautioned that no mitigations for this flaw will be provided in the interim other than preventing physical access to the switches. (SecurityWeek)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.