Cyber News Roundup for November 15, 2024
Still using 123456 as your password? If so, it’s time to rethink your approach to security. Cyber threats are evolving rapidly, and the risks are only growing. In this week’s roundup, we cover the latest developments, from the industries most at risk of cyber attacks to critical vulnerabilities you need to address immediately. Read on for essential insights into the cybersecurity landscape.
Moody’s designates the industries at highest risk of cyber attack
Moody’s has assigned a “very high” cyber risk rating to the telecommunications, airline, and power generation sectors due to increasing digitization and weak cybersecurity practices. These industries collectively face $7.1 trillion in debt. Telecommunications, notably vulnerable, has seen major breaches, including attacks on AT&T, Lumen, and Verizon by China’s Salt Typhoon group. Airlines’ cyber risk rose after a CrowdStrike software update failure exposed their reliance on tech. Other sectors, including automotive, education, manufacturing, energy, and ports, also saw risk levels increase to “high.” (scworld)
NIST misses its deadline for clearing the NVD backlog
NIST announced it’s working through a large backlog of over 18,000 vulnerabilities in the National Vulnerability Database (NVD) but missed its original goal of clearing it by September 30. Despite hiring more analysts and addressing all Known Exploited Vulnerabilities (KEV), NIST struggled due to incompatible data formats from Authorized Data Providers (ADPs). NIST is developing new systems to streamline data processing and pledged to provide updates on further progress, though it hasn’t set a new deadline for clearing the entire backlog. (SecurityWeek)
China threat actors breached U.S. broadband providers to spy on U.S. government officials
The US FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that Chinese government hackers conducted a “broad and significant cyber espionage campaign” that compromised several US telecom companies, TechCrunch reports. The Wall Street Journal reported last month that the breached companies include AT&T, Lumen, and Verizon. The hackers targeted systems used by the Federal government to carry out court-authorized network wiretapping requests.
The FBI and CISA stated, “[W]e have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues.” (Security Affairs)
123456 tops the list of most popular passwords again
NordPass, maker of a password manager and sister company of NordVPN, has announced its list of the 200 most common passwords, and the results are disappointing. This sixth annual list, derived from a 2.5TB database of personal and professional passwords from around the world, including the dark web, comes to a single conclusion: people are really bad at choosing hard-to-crack passwords. The list contains variations on the 123456 theme and the qwerty theme, as well as single-word passwords like “password” and “secret,” all of which can be cracked in less than a second. “The personal and corporate passwords analyzed by NordPass were stolen by malware or exposed in data breaches. In most cases, the email addresses were leaked along with the passwords, helping NordPass determine which ones were for personal use and which ones were for business use.” The company says there really hasn’t been any improvement over these six years. A link to the NordPass report is available in the show notes to this episode. (NordPass)
Hackers use macOS extended file attributes to hide malicious code
This new technique abuses extended attributes on macOS files to deliver a new trojan that researchers call RustyAttr. In this procedure, threat actors “hide malicious code in custom file metadata and also use decoy PDF documents to help evade detection.” macOS extended attributes (EAs) hold hidden metadata, most often associated with files and directories, which is not directly visible in Finder. In the RustyAttr attacks, the EA is named ‘test’ and holds a shell script. To avoid detection while the script runs, some samples launch decoy PDF files or display error dialogs. (BleepingComputer)
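Because Finder does not show extended attributes, a defender needs a tool to look at them. The scanner below is an added example, not code from the article or from the researchers who reported RustyAttr: it lists a file’s attributes, ignores the names macOS itself writes routinely (an illustrative allowlist, an assumption here), and reports any remaining attribute whose value looks like a script. The sample attribute sets at the bottom are constructed; the only detail taken from the report is the custom attribute name ‘test’.

```python
"""Flag macOS extended attributes (EAs) that may carry hidden scripts.

Added defensive example; not code from the original article or from the
researchers who reported RustyAttr. Assumptions: the allowlist of
Apple-managed attribute names is illustrative, and the script heuristics
are deliberately simple.
"""
import os
import re
import shutil
import subprocess

# Attribute names macOS writes routinely (assumption: extend for your fleet).
KNOWN_APPLE_ATTRS = {
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.TextEncoding",
    "com.apple.lastuseddate#PS",
}
KNOWN_PREFIXES = ("com.apple.metadata:",)

# Cheap signals that a value is executable script text rather than metadata.
SCRIPT_MARKERS = re.compile(
    rb"^#!|/bin/(?:ba|z)?sh\b|\b(?:curl|wget|osascript|eval)\s|base64 -[dD]|chmod \+x"
)
LARGE_VALUE = 4096  # bytes; ordinary metadata is far smaller (assumption)


def is_known_attr(name: str) -> bool:
    return name in KNOWN_APPLE_ATTRS or name.startswith(KNOWN_PREFIXES)


def looks_like_script(value: bytes) -> bool:
    return SCRIPT_MARKERS.search(value) is not None


def classify_xattrs(attrs: dict) -> list:
    """attrs maps attribute name -> raw value bytes.
    Returns (name, reason) pairs for attributes worth a closer look."""
    findings = []
    for name, value in attrs.items():
        if is_known_attr(name):
            continue
        if looks_like_script(value):
            findings.append((name, "custom attribute holds script-like content"))
        elif len(value) > LARGE_VALUE:
            findings.append((name, "custom attribute is unusually large"))
    return findings


def read_xattrs(path: str) -> dict:
    """Collect a file's EAs. Python's os.listxattr is Linux-only, so on macOS
    this shells out to the system `xattr` tool (`xattr FILE` lists names,
    `xattr -px NAME FILE` prints one value as hex)."""
    if hasattr(os, "listxattr"):
        return {n: os.getxattr(path, n) for n in os.listxattr(path)}
    if shutil.which("xattr") is None:
        return {}
    names = subprocess.run(["xattr", path], capture_output=True, text=True,
                           check=True).stdout.split()
    out = {}
    for n in names:
        hexdump = subprocess.run(["xattr", "-px", n, path], capture_output=True,
                                 text=True, check=True).stdout
        out[n] = bytes.fromhex("".join(hexdump.split()))
    return out


def scan_paths(paths) -> dict:
    """Scan real files; returns {path: findings} only for files with findings."""
    result = {}
    for p in paths:
        if os.path.isfile(p):
            findings = classify_xattrs(read_xattrs(p))
            if findings:
                result[p] = findings
    return result


# Constructed sample EA sets (not real samples): a benign download, and a decoy
# PDF whose attribute named 'test', as in the RustyAttr reports, holds a script.
SAMPLE_FILES = {
    "quarterly_report.pdf": {
        "com.apple.quarantine": b"0083;6733a1b2;Safari;",
        "com.apple.metadata:kMDItemWhereFroms": b"bplist00\x00",
    },
    "invoice_decoy.pdf": {
        "com.apple.quarantine": b"0083;6733a1b2;Safari;",
        "test": b"#!/bin/sh\nosascript -e 'display dialog \"File is corrupted\"'\n",
    },
}

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path, findings in scan_paths(sys.argv[1:]).items():
            for name, reason in findings:
                print(f"{path}: {name}: {reason}")
    else:
        for fname, attrs in SAMPLE_FILES.items():
            print(fname, classify_xattrs(attrs) or "clean")
```

Run it with file paths to scan real files, or with no arguments to see the constructed samples classified. The useful property is the allowlist-plus-heuristic split: an unknown attribute name alone is noise (many apps write their own), but an unknown name whose value starts with a shebang or calls a shell is the pattern the report describes.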
In Switzerland, malware now arrives by postal mail
Switzerland’s Federal Office for Cybersecurity (OFCS) has issued a warning about letters, sent via regular post, that pretend to be from the country’s meteorological agency, MeteoSwiss, and which are being used to spread malware. These postal letters, with dates up to November 12, appear to offer access to a new weather app via a printed QR code. In reality the link downloads the stealer malware ‘Coper’ and ‘Octo2’, which seek out login details for more than 383 mobile apps, including e-banking apps. Although this is not the first time the postal service has been used to deliver malware, experts note that the additional overhead, namely postage, means it is still rare. (The Record)
Zoom discloses multiple vulnerabilities
Zoom disclosed multiple vulnerabilities in its applications, including a critical buffer overflow flaw (CVE-2024-45421) with a CVSS score of 8.5, allowing authenticated users to execute remote code. Another significant issue (CVE-2024-45419) involves improper input validation, which could lead to unauthorized information disclosure. Affected products include the Workplace App, Rooms Client, Video SDK, and Meeting SDK across Windows, macOS, iOS, Android, and Linux. Users are advised to update to the latest versions (6.2.0 or later) to mitigate risks. (Cyber Security News)
Federal agencies and Five Eyes partners list the past year’s most exploited vulnerabilities
CISA, the FBI, NSA, and Five Eyes intelligence agencies have identified the top 15 most exploited security vulnerabilities from last year, urging organizations to patch these flaws immediately. In a joint advisory, they emphasized the critical need for effective patch management to reduce network exposure. The report highlights an increase in zero-day exploits in 2023 compared to 2022, noting that the majority of frequently targeted vulnerabilities were zero-days, which allowed attackers to infiltrate high-value targets more effectively. Twelve of the top 15 vulnerabilities had patches released last year, underscoring the importance of swift patch deployment as cybercriminals continue targeting unpatched flaws.
Leading the list is CVE-2023-3519, a code injection vulnerability in NetScaler ADC/Gateway. This vulnerability, exploited by state actors, enabled remote code execution on unpatched servers, compromising U.S. critical infrastructure. By mid-August, hackers had used this flaw to backdoor over 2,000 Citrix servers worldwide. The advisory also mentions 32 additional vulnerabilities frequently exploited in 2023, offering guidance on minimizing risk. Meanwhile, MITRE recently updated its list of dangerous software weaknesses, underscoring ongoing challenges. Jeffrey Dickerson, NSA’s cybersecurity director, warned that exploitation of known vulnerabilities will persist, urging network defenders to remain vigilant and proactive through 2024 and beyond. (Bleepingcomputer)
Volt Typhoon rebuilding botnet
In early 2024, the US government announced it had disrupted the botnet used by Volt Typhoon, a threat actor with suspected links to the Chinese government. This botnet predominantly used unpatched Cisco, Fortinet, and Netgear devices. We’re now seeing signs that the group is building a new botnet. Researchers at SecurityScorecard saw a cluster tied to the group covertly routing traffic, primarily made up of compromised Netgear ProSafe, Mikrotik, and Cisco RV320 devices. It appears to use the same core infrastructure and techniques previously used by Volt Typhoon. (Security Week)
DoD leaker sentenced
The US Attorney for Massachusetts announced that former Massachusetts Air National Guardsman Jack Teixeira has been sentenced to 15 years in prison for stealing and leaking classified information. Court documents show Teixeira shared classified documents on Discord sometime in 2022, including troop movements and information on equipment provided to Ukraine. The leaks were discovered in March 2023. Teixeira pleaded guilty to six related counts in March 2024 as part of a plea deal. (NBC)
End-of-life D-Link NAS devices under attack
Researchers at Netsecfish discovered a command injection vulnerability in D-Link NAS devices that allows an unauthenticated attacker to inject shell commands via GET requests. The flaw has been under active exploitation since November 8. However, the impacted models, the DNS-320, DNS-325, and DNS-340L, are now end-of-life, and D-Link said it has no plans to release a patch. Researchers found over 41,000 unique IP addresses of vulnerable devices exposed online. D-Link advises customers to replace the devices or, at the very least, keep them off the open internet. (Bleeping Computer)
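A device that will never be patched should at least sit behind a reverse proxy whose access log is watched. The script below is an added example, not code from the article, D-Link, or Netsecfish: it parses Apache/nginx combined-format log lines and flags GET requests whose query values contain shell metacharacters, which is the shape of an unauthenticated command injection attempt over GET. The sample log lines, the `/cgi-bin/status.cgi` endpoint and the `view` parameter are constructed placeholders, not the real vulnerable ones.

```python
"""Flag GET requests whose query values carry shell metacharacters.

Added defensive example; not code from the original article, D-Link, or
Netsecfish. Endpoint and parameter names in the samples are constructed
placeholders, not the real vulnerable ones.
"""
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Apache/nginx "combined" log format, as a reverse proxy would write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Sequences a NAS web-UI parameter has no legitimate reason to contain.
SHELL_META = re.compile(r"[;|`\n]|\$\(|\$\{|&&")


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(target: str) -> list:
    """Split the query string by hand (parse_qsl's ';' handling differs across
    Python versions) and decode twice to catch double-encoded values."""
    pairs = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        pairs.append((unquote_plus(key), unquote(unquote_plus(value))))
    return pairs


def suspicious_params(target: str) -> list:
    """Names of query parameters whose decoded value contains shell syntax."""
    return [k for k, v in query_params(target) if SHELL_META.search(v)]


def scan_log(lines) -> list:
    """One finding per GET request with at least one suspicious parameter."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        params = suspicious_params(rec["target"])
        if params:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": urlsplit(rec["target"]).path,
                "params": params,
            })
    return findings


def sources(findings) -> dict:
    """Flagged-request count per source address, for a blocklist review."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log: RFC 5737 test addresses and a placeholder endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Nov/2024:10:12:01 +0000] "GET /cgi-bin/status.cgi?view=disks HTTP/1.1" 200 512',
    '198.51.100.9 - - [08/Nov/2024:10:12:05 +0000] "GET /cgi-bin/status.cgi?view=disks;id HTTP/1.1" 200 40',
    '198.51.100.9 - - [08/Nov/2024:10:12:09 +0000] "GET /cgi-bin/status.cgi?view=%24%28uname%29 HTTP/1.1" 200 40',
    '192.0.2.4 - - [08/Nov/2024:10:13:00 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['path']} params={f['params']}")
    print("per-source:", sources(hits))
```

The second decode pass matters: a value sent as `%2524%2528` survives one URL-decode as `%24%28`, which looks harmless until decoded again. Feed the scanner a real access log line by line to get the same per-request and per-source view over production traffic.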
Cybercriminals use game-related apps to distribute Winos4.0
Cybercriminals are using game-related apps to distribute Winos4.0, a malware framework that grants full control over infected Windows systems. Rebuilt from the Gh0strat malware, Winos4.0 was detected in various gaming tools and optimization utilities, which lure users into downloading the infection. Similar to Cobalt Strike, the malware enables cyber espionage, ransomware deployment, and lateral movement. Once executed, the malware downloads a fake BMP file from a malicious server, beginning a multi-stage infection. The first DLL file establishes persistence and injects shellcode, while the second stage connects to a command-and-control server. Subsequent stages gather system details, check for anti-virus software, and capture sensitive information, including crypto wallet data and screenshots. This final stage sets up a persistent backdoor, allowing the attacker long-term access. Fortinet warns users to download apps only from trusted sources to mitigate risk. (The Register)
Hewlett Packard Enterprise (HPE) patches multiple vulnerabilities in its Aruba Networking access points
Hewlett Packard Enterprise (HPE), a major tech company specializing in enterprise hardware and software, announced patches this week for multiple vulnerabilities in its Aruba Networking access points, widely used in business networks. Among the vulnerabilities are two critical command injection flaws (CVE-2024-42509, CVE-2024-47460), which could allow remote, unauthenticated attackers to execute code as privileged users by sending specially crafted packets to UDP port 8211. These flaws impact Aruba devices running Instant AOS-8 and AOS-10, including some end-of-life versions. HPE advised that enabling cluster security on AOS-8 and blocking access to UDP/8211 for AOS-10 can mitigate risks. Additionally, three high-severity remote code execution (RCE) vulnerabilities could allow authenticated attackers to compromise system files and execute commands. The patches, included in AOS-10.7.0.0, AOS-10.4.1.5, Instant AOS-8.12.0.3, and Instant AOS-8.10.0.14, were released through Aruba’s bug bounty program, with no evidence of active exploitation. (SecurityWeek)
CISA issues a warning about a critical security flaw in Palo Alto Networks’ Expedition tool
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical security flaw (CVE-2024-5910) in Palo Alto Networks’ Expedition tool, used for firewall migration and configuration. The flaw, classified as a “Missing Authentication” vulnerability (CWE-306), enables attackers with network access to potentially hijack the Expedition admin account. This could grant cybercriminals access to sensitive configuration data, including credentials and highly privileged information.
CISA stresses that the vulnerability poses a significant risk due to the level of access it grants, although there is no confirmation yet of active exploitation. Organizations using the Expedition tool are urged to apply Palo Alto’s recommended mitigations. If these aren’t feasible, CISA advises discontinuing the tool’s use to prevent potential compromise. The deadline for federal agencies addressing this vulnerability is November 28, as CISA emphasizes immediate action to mitigate any potential threat. (gbhackers)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.