Cyber News Roundup for October 18, 2024

In an increasingly interconnected and technologically advanced world, the scope and complexity of cyber threats and security challenges have never been greater. From drones probing military bases to critical vulnerabilities in widely used software and hackers exploiting outdated physical access controls, organizations and governments face a wide range of risks that demand immediate attention and action. This week’s articles highlight the latest cybersecurity challenges, emphasizing the urgent need for proactive defenses against these emerging threats.


Mystery Drones Swarmed a U.S. Military Base for 17 Days. The Pentagon Is Stumped

In December, a fleet of advanced drones, suspected to be of Chinese origin, swarmed U.S. military installations near Norfolk, Virginia, including the home of Navy SEAL Team 6. These drones, capable of speeds over 100 mph and synchronized via AI, flew for 17 days, causing concern within the Biden administration. Due to legal restrictions preventing the military from shooting them down unless an imminent threat was posed, no decisive action was taken, even though the drones hovered over one of the most sensitive U.S. military bases.

A month later, a Chinese student was arrested after flying a drone near the base. The incident, along with similar drone sightings near nuclear facilities and other sensitive military sites, raised alarms about possible espionage or reconnaissance missions to test U.S. defenses. Critics argue that the administration’s inaction demonstrated weakness and missed an opportunity to send a strong message to China. This series of incidents is seen as part of a broader pattern of probing U.S. responses to potential threats. (WSJ, Fox News)

A critical vulnerability in Veeam Backup & Replication software is being exploited

A critical vulnerability in Veeam Backup & Replication (CVE-2024-40711), a deserialization flaw that allows unauthenticated remote code execution, is being exploited to deploy ransomware, including the Fog and Akira variants. In the intrusions Sophos has reported over the past month, attackers first got in through VPN gateways that lacked multifactor authentication and were running unsupported software, then used the Veeam flaw to create a local account and add it to privileged groups on the backup server. Veeam fixed the issue in Backup & Replication 12.2 (build 12.2.0.334), and administrators are urged to apply it immediately; the cases also underline the need to retire outdated VPN appliances and enforce MFA on remote access. (Cyber Security News)
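The post-exploitation pattern described above, a local account created from a service context and elevated moments later, is easy to correlate from the Windows Security log. The script below is an added example, not Veeam's or Sophos's code: it pairs account-creation events (4720) with privileged-group additions (4732) inside a short window. The sample events are constructed, and the ten-minute window, the set of privileged groups and the rule that a computer-account subject (name ending in `$`) makes a finding high severity are assumptions.

```python
from datetime import datetime, timedelta

# Local groups whose membership grants interactive admin or RDP access.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
# Assumption: legitimate provisioning rarely creates and elevates an account
# inside ten minutes from a service context.
WINDOW = timedelta(minutes=10)

# Constructed sample of Windows Security events (4720 = user account created,
# 4732 = member added to security-enabled local group). In practice these come
# from a SIEM or Get-WinEvent; only the fields used here are kept.
SAMPLE_EVENTS = [
    # Created by the backup server's machine account and elevated a second later
    {"time": "2024-10-14T02:11:05", "id": 4720, "subject": "VEEAM01$", "member": "backup_tmp"},
    {"time": "2024-10-14T02:11:06", "id": 4732, "subject": "VEEAM01$", "member": "backup_tmp",
     "group": "Administrators"},
    # Help-desk onboarding into a non-privileged group: not reported
    {"time": "2024-10-14T09:30:00", "id": 4720, "subject": "helpdesk.jane", "member": "new.hire"},
    {"time": "2024-10-14T09:30:40", "id": 4732, "subject": "helpdesk.jane", "member": "new.hire",
     "group": "Sales"},
    # Elevation hours after creation falls outside the window: not reported
    {"time": "2024-10-14T10:00:00", "id": 4720, "subject": "helpdesk.jane", "member": "contractor"},
    {"time": "2024-10-14T18:00:00", "id": 4732, "subject": "helpdesk.jane", "member": "contractor",
     "group": "Administrators"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_fast_privileged_accounts(events, window=WINDOW):
    """Return one finding per account that was created and then added to a
    privileged local group within `window`."""
    created = {}          # member -> its 4720 event
    findings = []
    for e in sorted(events, key=_ts):
        if e["id"] == 4720:
            created[e["member"]] = e
        elif e["id"] == 4732 and e.get("group") in PRIVILEGED_GROUPS:
            c = created.get(e["member"])
            if c is not None and _ts(e) - _ts(c) <= window:
                # A subject ending in '$' is a computer account: the creation was
                # driven by a service process, not by a logged-on administrator.
                by_service = c["subject"].endswith("$")
                findings.append({
                    "account": e["member"],
                    "group": e["group"],
                    "created_by": c["subject"],
                    "seconds_to_elevate": int((_ts(e) - _ts(c)).total_seconds()),
                    "severity": "high" if by_service else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in find_fast_privileged_accounts(SAMPLE_EVENTS):
        print(finding)
```

Run against real data, the "created_by" field is what separates a backup service that has been turned into an account factory from a help-desk analyst doing onboarding; an alert on the high-severity case should also trigger a check of the Veeam build number.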


Iranian hackers exploit Windows flaw to elevate privileges

APT34, an Iranian state-sponsored hacking group also known as OilRig, is targeting government and critical infrastructure entities in the United Arab Emirates and the wider Gulf region with an enhanced campaign. As reported by researchers at Trend Micro, the group is deploying a backdoor that abuses Microsoft Exchange servers to steal credentials and exploits a known Windows flaw to elevate privileges on compromised devices. The flaw is a high-severity privilege escalation vulnerability that Microsoft patched in June. According to BleepingComputer, “Microsoft has acknowledged a proof-of-concept exploit for this CVE-numbered flaw, but has not yet marked it as actively exploited, nor has CISA reported it in its Known Exploited Vulnerability catalog.” (BleepingComputer)


Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server

Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) for future versions of Windows Server and recommends that admins move to protocols that offer stronger security. Both protocols have been in use for more than 20 years to give remote users access to corporate networks and Windows servers. However, PPTP has become vulnerable to offline brute-force attacks on captured authentication hashes, and L2TP provides no encryption on its own unless paired with another protocol such as IPsec, and even then weaknesses can appear. Microsoft now recommends moving to the Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2), which provide better performance and security. Existing PPTP and L2TP connections keep working for now; deprecation means the protocols are no longer being developed and may be removed in a future release. (BleepingComputer)
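Finding where PPTP and L2TP are still configured is the first step of the migration. Windows stores dial-up and VPN connection entries in an INI-style phonebook (rasphone.pbk), and the audit below, an added example rather than any Microsoft tooling, parses one and reports each VPN entry's tunnel strategy with a verdict. The `VpnStrategy` code table and the meaning of `Type=2` are assumptions about the phonebook format; the sample phonebook is constructed.

```python
import configparser

# Assumption: rasphone.pbk VpnStrategy codes. "only" pins one tunnel type;
# "first" tries that type and may fall back to others.
VPN_STRATEGY = {
    1: "PPTP only", 2: "PPTP first", 3: "L2TP only", 4: "L2TP first",
    5: "SSTP only", 6: "SSTP first", 7: "IKEv2 only", 8: "IKEv2 first",
}
DEPRECATED = {1, 2, 3, 4}          # any strategy that starts with PPTP or L2TP
FALLBACK_CAPABLE = {2, 4, 6, 8}    # "first" strategies can negotiate down

# Constructed sample phonebook with one legacy, one auto-fallback and one
# pinned IKEv2 entry, plus a dial-up entry that is not a VPN at all.
SAMPLE_PBK = """[Corp-Legacy]
Type=2
VpnStrategy=1
PhoneNumber=vpn.example.internal

[Corp-Auto]
Type=2
VpnStrategy=8
PhoneNumber=vpn.example.internal

[Corp-IKEv2]
Type=2
VpnStrategy=7
PhoneNumber=vpn.example.internal

[Dialup-Old]
Type=1
PhoneNumber=5551234
"""


def audit_phonebook(text):
    """Return one finding per VPN entry: its strategy label and a verdict of
    'replace' (PPTP/L2TP), 'review' (may fall back or unknown code) or 'ok'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if sec.get("Type") != "2":       # assumption: Type=2 marks a VPN entry
            continue
        code = int(sec.get("VpnStrategy", "0"))
        label = VPN_STRATEGY.get(code, f"unknown ({code})")
        if code in DEPRECATED:
            verdict = "replace"          # move to 7 (IKEv2 only) or 5 (SSTP only)
        elif code in FALLBACK_CAPABLE or code not in VPN_STRATEGY:
            verdict = "review"
        else:
            verdict = "ok"
        findings.append({"entry": name, "strategy": label, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_phonebook(SAMPLE_PBK):
        print(f"{f['entry']:<12} {f['strategy']:<12} {f['verdict']}")
```

On a real machine the phonebook lives under the user's or the system's AppData\Roaming\Microsoft\Network\Connections\Pbk directory and is often UTF-16 encoded, so open it with the right encoding before passing the text in. The "review" verdict matters as much as "replace": an entry that tries IKEv2 first but can negotiate down to PPTP is only as strong as the weakest type it accepts.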


Organizations Slow to Protect Doors Against Hackers

A recent study reveals that many organizations have been slow to secure vulnerable door access controllers, leaving them open to remote attacks. Researcher Shawn Merdinger, through his project “Box of Rain,” identified exposed systems in sectors such as healthcare, education, and law enforcement. Despite warnings and reports, many controllers remain vulnerable due to default credentials or unprotected web interfaces, potentially allowing hackers to gain unauthorized access. The findings highlight the ongoing risks posed by outdated physical access controls. (SecurityWeek)

Multiple Splunk Enterprise Vulnerabilities Let Attackers Execute Remote Code

Splunk has patched multiple high-severity vulnerabilities in Splunk Enterprise and Splunk Cloud Platform, the most serious of which allow remote code execution. CVE-2024-45733 (CVSS 8.8) affects Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6. Another issue, CVE-2024-45731, allows a low-privileged user to write files to the Windows system root directory, while CVE-2024-45732 could let a low-privileged user access data they are not authorized to see. Splunk recommends upgrading to the fixed versions and, where that is not immediately possible, applying the mitigations in its advisories, such as disabling Splunk Web on instances that do not need it and reviewing how the Windows installation is laid out. These flaws underline the need for timely updates on systems that hold sensitive log data. (Cyber Security News)
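Advisories like the Splunk one above (fixed in 9.2.3 and 9.1.6) and the Veeam one earlier (fixed in build 12.2.0.334) are easy to misread with a naive string comparison, because a 9.1.x build must be judged against 9.1.6, not 9.2.3, and "9.1.7" sorts before "9.2.2" as text. The helper below is an added example, not vendor tooling: it compares an installed version against the fixed build on the same major.minor branch and only falls back to a global comparison when no branch matches. The fixed-build table repeats the figures quoted in this roundup; the installed versions in the usage are constructed.

```python
import re

# Fixed builds quoted in this roundup, keyed by product; one entry per
# maintained release branch.
FIXED_BUILDS = {
    "splunk-enterprise-windows": ["9.2.3", "9.1.6"],
    "veeam-backup-replication": ["12.2.0.334"],
}


def parse_version(text: str) -> tuple:
    """'9.2.3' -> (9, 2, 3); tolerant of a trailing build number."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_patched(product: str, installed: str):
    """True/False when the answer follows from the fixed-build list; None when
    the installed build sits on an intermediate branch the list says nothing
    about (check the vendor advisory rather than assume it is safe)."""
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in FIXED_BUILDS[product])
    for fix in fixes:
        if inst[:2] == fix[:2]:        # same major.minor branch: compare directly
            return inst >= fix
    if inst < fixes[0]:                # older than every fixed branch
        return False
    if inst > fixes[-1]:               # newer than every fixed branch
        return True
    return None


if __name__ == "__main__":
    # Constructed installed versions
    for product, version in [("splunk-enterprise-windows", "9.1.7"),
                             ("splunk-enterprise-windows", "9.2.2"),
                             ("splunk-enterprise-windows", "9.0.5"),
                             ("veeam-backup-replication", "12.1.2"),
                             ("veeam-backup-replication", "12.2.0.334")]:
        print(f"{product} {version}: patched={is_patched(product, version)}")
```

Tuples compare element by element, so a four-part Veeam build compares correctly against a three-part input, and a build on an out-of-support branch older than every fix (Splunk 9.0.x here) is reported as unpatched rather than silently ignored.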


Must patch flaw exposes tens of thousands

We are getting a clearer idea of how many hosts are exposed to the Fortinet vulnerability that CISA added to its Known Exploited Vulnerabilities catalog last week. According to CyberScoop, around 87,000 IP addresses are likely susceptible to the flaw, which carries a CVSS score of 9.8. Fortinet released a fix in February, but the issue remains widespread, with most of the vulnerable IPs located in Asia, North America, and Europe. Federal agencies are required to remediate by the end of October. (CyberScoop)


Firefox zero-day update to include Tor

Shortly after Mozilla shipped Firefox 131.0.2 with a fix for a critical zero-day vulnerability (CVE-2024-9680), the Tor Browser was also updated to patch the same issue. The bug, a use-after-free in the Animation timeline component that can lead to remote code execution, had been exploited in the wild, as confirmed by Mozilla and reported by ESET. Mozilla delivered the fix within 25 hours of receiving the report, and the Tor Browser, which is built on Firefox's extended support release, followed quickly. (Security Week)


Nearly 400 U.S. healthcare institutions hit with ransomware over past 12 months

On Tuesday, Microsoft released a report revealing that between July 2023 and June 2024, 389 U.S.-based healthcare institutions were successfully hit with ransomware. The attacks caused network and system outages, delays in critical medical procedures and rescheduled appointments. Across its customer base, Microsoft saw a 2.75x year-over-year increase in human-operated ransomware encounters. The researchers also said that cyber actors tied to Russia, North Korea and Iran increasingly appear to be motivated by financial gain rather than destruction. There was some positive news: the percentage of ransomware attacks that reached the encryption stage has decreased significantly over the past two years. (The Record and The Register)


Encryption flaws found in WeChat

Researchers at Citizen Lab investigated MMTLS, the encryption protocol used by the massively popular WeChat app, and found it to be a modified version of TLS 1.3 that introduces cryptographic weaknesses. Although they could not craft a working attack against these weaknesses, they noted that MMTLS uses deterministic initialization vectors, contrary to NIST recommendations, which weakens the encryption and could open the door to brute-force attacks. The protocol also lacks forward secrecy because of its heavy reliance on session-resuming pre-shared keys. The researchers published their full findings and methodology on GitHub. (Citizen Lab)
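Why deterministic IVs are a red flag is worth seeing concretely. The danger is not determinism as such (TLS 1.3 itself derives per-record nonces deterministically) but the possibility that a (key, IV) pair repeats: for any stream-style cipher, two records encrypted under the same key and IV share a keystream, so XORing the ciphertexts cancels it and leaves the XOR of the plaintexts, and a predictable prefix in one record reveals the other. The code below is an added illustration of that property using a toy keystream (HMAC-SHA256 in counter mode); it is not MMTLS, not AES-GCM, and not Citizen Lab's code. The key and the two records are constructed.

```python
import hashlib
import hmac


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, iv || counter) in counter mode. Stands
    in for any stream-style cipher whose keystream depends only on (key, IV)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If c1 and c2 share key and IV then c1 XOR c2 == p1 XOR p2, so knowing
    p1 (a predictable header, say) yields the same bytes of p2."""
    return xor(xor(c1, c2)[:len(known_p1)], known_p1)


# Constructed demo inputs: a predictable request line and a secret-bearing one.
KEY = hashlib.sha256(b"demo session key").digest()
P1 = b"GET /v1/status HTTP/1.1\r\n"
P2 = b"Cookie: sid=1f9a8c2e77b0d4; user=alice\r\n"


def demo(iv_for_record_2: bytes):
    """Encrypt P1 and P2 under the same key. With a repeated IV the attacker
    recovers the first len(P1) bytes of P2 from P1 alone; with a fresh IV the
    same computation yields noise. Returns (recovered_bytes, success)."""
    iv1 = b"\x00" * 12
    c1 = encrypt(KEY, iv1, P1)
    c2 = encrypt(KEY, iv_for_record_2, P2)
    guess = recover_with_crib(c1, c2, P1)
    return guess, guess == P2[:len(P1)]


if __name__ == "__main__":
    print("repeated IV:", demo(b"\x00" * 12))
    print("fresh IV   :", demo(b"\x00" * 11 + b"\x01"))
```

With a repeated IV the attacker reads the session cookie out of the second record without ever touching the key. With an authenticated cipher such as AES-GCM the same reuse additionally leaks the authentication subkey, so forgery becomes possible as well; a protocol that derives IVs deterministically has to guarantee they never repeat under one key, which is exactly the guarantee the Citizen Lab analysis calls into question.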


CISA refines SBOM guidance

The US Cybersecurity and Infrastructure Security Agency has published a new edition of its Framing Software Component Transparency document, with updated guidance on creating software bills of materials (SBOMs). The new edition sorts SBOM attributes into minimum expected, recommended, and aspirational categories. The baseline requirements focus on transparency and interoperability with existing SBOM formats. CISA also pointed out that for SBOMs to be useful, the industry needs coordinated and automated methods for sharing SBOM data. (Infosecurity Magazine)
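A baseline only helps if something checks for it. The script below is an added example, not CISA's tooling and not a formal implementation of the framing document: it reads a CycloneDX JSON SBOM and reports each component that lacks one of the baseline attributes. The attribute set it enforces is an assumption modelled on the NTIA minimum elements that the CISA document builds on (SBOM author, timestamp, and for each component a supplier, name, version, a unique identifier and a dependency relationship); the SBOM itself is constructed with deliberate gaps.

```python
import json

# Constructed CycloneDX 1.5 document with deliberate gaps in two components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-10-15T12:00:00Z",
        "authors": [{"name": "release-pipeline"}],
        "component": {"bom-ref": "app", "name": "payments-api", "version": "3.4.1",
                      "supplier": {"name": "Example Corp"},
                      "purl": "pkg:generic/payments-api@3.4.1"},
    },
    "components": [
        {"bom-ref": "lib-a", "name": "requests", "version": "2.32.3",
         "supplier": {"name": "Python Software Foundation"},
         "purl": "pkg:pypi/requests@2.32.3"},
        {"bom-ref": "lib-b", "name": "urllib3", "version": "2.2.2",
         "purl": "pkg:pypi/urllib3@2.2.2"},             # supplier missing
        {"bom-ref": "lib-c", "name": "left-pad"},        # version and identifier missing
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a"]},
        {"ref": "lib-a", "dependsOn": ["lib-b"]},        # lib-c appears nowhere
    ],
})


def check_baseline(sbom_json: str) -> list:
    """Return human-readable gaps against the baseline attributes (assumption:
    NTIA minimum elements) for a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    gaps = []

    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("metadata: missing timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        gaps.append("metadata: missing SBOM author")

    # A component has a recorded relationship if it is a parent or a child
    # anywhere in the dependency graph.
    deps = bom.get("dependencies", [])
    in_graph = {d.get("ref") for d in deps}
    in_graph |= {child for d in deps for child in d.get("dependsOn", [])}

    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            gaps.append(f"{ref}: missing component name")
        if not comp.get("supplier", {}).get("name"):
            gaps.append(f"{ref}: missing supplier")
        if not comp.get("version"):
            gaps.append(f"{ref}: missing version")
        if not (comp.get("purl") or comp.get("cpe")):
            gaps.append(f"{ref}: missing unique identifier (purl or cpe)")
        if ref not in in_graph:
            gaps.append(f"{ref}: no dependency relationship recorded")
    return gaps


if __name__ == "__main__":
    for gap in check_baseline(SAMPLE_SBOM):
        print(gap)
```

The component without a version or package URL is the one that will defeat automated vulnerability matching later, which is the practical reason the baseline treats identifiers as a minimum rather than a nice-to-have. Extending the check to the "recommended" and "aspirational" tiers means adding fields (licence, hashes, known-unknowns) to the same loop.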


Hackers steal data from Verizon’s push-to-talk (PTT) system

Hackers have stolen data from Verizon’s push-to-talk (PTT) system, which is marketed to government agencies and first responders, and are now selling the data on a Russian cybercrime forum. 404 Media reports the breach did not affect Verizon’s main consumer network, but it targeted a third-party provider supporting the PTT system. The stolen data includes call logs, emails, and phone numbers. Verizon confirmed that a small subset of customer data was exposed but noted that no sensitive information such as Social Security numbers was leaked. The hackers, including Cyberphantom and Judische, are part of a cybercriminal group known as the “Com,” responsible for numerous high-profile breaches. The hackers are selling the stolen data instead of extorting Verizon. (CyberInsider)


CISA and its partners warn of Iranian brute force password attempts

A joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and international partners warns that Iranian cyber actors are increasingly using brute-force methods such as password spraying and MFA “push bombing” against critical infrastructure organizations worldwide. The actors focus on the healthcare, government, IT and energy sectors, using the stolen credentials to move deeper into networks. The advisory notes that they have registered their own devices for MFA on compromised accounts to keep access and have sold stolen credentials on. It urges organizations to implement phishing-resistant MFA and to monitor for suspicious sign-ins and unusual MFA activity. (Gov Info Security)
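Both techniques named in the advisory have a simple signature in identity-provider logs: password spraying is one source failing against many distinct accounts in a short window (followed, when it works, by a success from the same source), and push bombing is a burst of MFA prompts to one user, sometimes ending in an approval. The detector below is an added example, not the advisory's code or any vendor's; the log format, the 15-minute window and the thresholds (five distinct accounts, five prompts) are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune to the tenant's normal failure and MFA prompt rates.
WINDOW = timedelta(minutes=15)
SPRAY_MIN_DISTINCT_USERS = 5
PUSH_MIN_PROMPTS = 5

# Constructed identity-provider log: "<iso-time> <source-ip> <user> <action>".
SAMPLE_LOG = """\
2024-10-16T08:00:01 203.0.113.7 alice LOGIN_FAIL
2024-10-16T08:00:03 203.0.113.7 bob LOGIN_FAIL
2024-10-16T08:00:05 203.0.113.7 carol LOGIN_FAIL
2024-10-16T08:00:07 203.0.113.7 dave LOGIN_FAIL
2024-10-16T08:00:09 203.0.113.7 erin LOGIN_FAIL
2024-10-16T08:00:11 203.0.113.7 frank LOGIN_OK
2024-10-16T08:01:00 198.51.100.4 alice LOGIN_FAIL
2024-10-16T08:01:30 198.51.100.4 alice LOGIN_FAIL
2024-10-16T08:02:00 198.51.100.4 alice LOGIN_OK
2024-10-16T09:10:00 203.0.113.7 frank MFA_PUSH_SENT
2024-10-16T09:10:20 203.0.113.7 frank MFA_PUSH_SENT
2024-10-16T09:10:40 203.0.113.7 frank MFA_PUSH_SENT
2024-10-16T09:11:00 203.0.113.7 frank MFA_PUSH_SENT
2024-10-16T09:11:20 203.0.113.7 frank MFA_PUSH_SENT
2024-10-16T09:11:40 203.0.113.7 frank MFA_PUSH_APPROVED
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, action = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, action))
    return sorted(events)


def detect_password_spraying(events, window=WINDOW, min_users=SPRAY_MIN_DISTINCT_USERS):
    """One source, many distinct accounts failing inside `window`. Also lists
    accounts that logged in from that source during the spray: a spray that
    produced a success is the case that needs immediate containment."""
    fails = defaultdict(list)
    for t, ip, user, action in events:
        if action == "LOGIN_FAIL":
            fails[ip].append((t, user))
    findings = []
    for ip, attempts in fails.items():
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                successes = {u for t, src, u, a in events
                             if src == ip and a == "LOGIN_OK" and t0 <= t <= t0 + window}
                findings.append({"type": "password_spray", "source": ip,
                                 "targets": sorted(users), "successes": sorted(successes)})
                break            # one finding per source is enough
    return findings


def detect_push_bombing(events, window=WINDOW, min_prompts=PUSH_MIN_PROMPTS):
    """Repeated MFA push prompts to one user inside `window`, and whether an
    approval followed (the user gave in or tapped through by mistake)."""
    prompts = defaultdict(list)
    for t, _, user, action in events:
        if action == "MFA_PUSH_SENT":
            prompts[user].append(t)
    findings = []
    for user, times in prompts.items():
        for i, t0 in enumerate(times):
            count = sum(1 for t in times[i:] if t - t0 <= window)
            if count >= min_prompts:
                approved = any(u == user and a == "MFA_PUSH_APPROVED"
                               and t0 <= t <= t0 + window
                               for t, _, u, a in events)
                findings.append({"type": "push_bombing", "user": user,
                                 "prompts": count, "approved": approved})
                break
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in detect_password_spraying(evts) + detect_push_bombing(evts):
        print(f)
```

The second source in the sample (one user, three attempts, then success) is a normal mistyped password and is not flagged; what distinguishes the spray is breadth across accounts, not depth against one. Number matching or phishing-resistant MFA removes the push-bombing case entirely, which is why the advisory recommends it over simple push approval.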


F5 publishes quarterly security notification, addressing BIG-IP and BIG-IQ vulnerabilities

The fixes came in the October edition of F5's quarterly security notification. The update for BIG-IP, F5's family of hardware platforms and software products, addresses a high-severity defect in the appliance's monitor functionality. The update for BIG-IQ, which centralizes management, licensing, monitoring, and analytics for a distributed BIG-IP estate, fixes what is described as “a stored cross-site scripting (XSS) bug in an undisclosed page of the appliance’s user interface.” F5 makes no mention of either vulnerability being exploited in the wild. Further details are in the F5 quarterly security notification. (F5 Quarterly Security Notification)


Vulnerability warning from Kubernetes and VMWare, plus new KEV catalog entries

Finally, a quick summary of other vulnerabilities of note this week. A Kubernetes Image Builder vulnerability could allow attackers to gain root access under specific conditions; it applies only to clusters whose nodes use VM images built with the Image Builder project's Proxmox provider. VMware has fixed “a high-severity SQL injection flaw in HCX allowing non-admin users to remotely execute code on the HCX manager.” And CISA has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a Microsoft Windows Kernel TOCTOU race condition, a Mozilla Firefox use-after-free (the CVE-2024-9680 bug covered above), and a SolarWinds Web Help Desk hardcoded credential vulnerability. Links to details on each are in the show notes. (Security Affairs, Security Affairs and Security Affairs)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.