Cybersecurity News Review - Week 50
Welcome to this week's roundup of some of the most interesting cybersecurity updates. Subscribe for a concise and informed perspective on the latest threats and protective measures in the field.
Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws
Microsoft's December 2024 Patch Tuesday addresses 71 security flaws, including one actively exploited zero-day vulnerability. The update fixes 16 critical vulnerabilities, all remote code execution flaws, along with various other vulnerability types. The actively exploited zero-day (CVE-2024-49138) allows attackers to gain SYSTEM privileges on Windows devices. Other vendors, including Adobe, CISA, Cisco, and SAP, also released security updates for their products. The patches include fixes for numerous elevation of privilege, remote code execution, information disclosure, denial of service, and spoofing vulnerabilities across Microsoft's product line.
Plugin bug allows Stripe refunds on millions of WordPress sites
A high-severity vulnerability (CVE-2024-11205) in the popular WordPress plugin WPForms affects versions 1.8.4 to 1.9.2.1, potentially allowing subscriber-level users to issue unauthorized Stripe refunds or cancel subscriptions. The flaw, discovered by researcher 'vullu164' and reported through Wordfence's bug bounty program, stems from improper authentication checks in AJAX functions. Awesome Motive, the plugin's vendor, released a patched version 1.9.2.2 in November 2024. With at least 3 million WordPress sites potentially vulnerable, users are urged to upgrade to the latest version or disable the plugin to prevent potential revenue loss and business disruption, although no active exploitation has been detected yet.
Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection
A critical security vulnerability (CVE-2024-54143) has been discovered in OpenWrt's Attended Sysupgrade feature, potentially allowing attackers to distribute malicious firmware packages. The flaw, which has a CVSS score of 9.3, could be exploited to inject arbitrary commands into the build process and create malicious firmware images signed with legitimate keys. Additionally, a hash collision issue could enable attackers to serve previously built malicious images as legitimate ones, posing a significant supply chain risk. OpenWrt has patched the vulnerability in ASU version 920c8a1, and users are urged to update immediately to protect against potential threats.
AMD’s trusted execution environment blown wide open by new BadRAM attack
BadRAM is a new attack that undermines AMD's Secure Encrypted Virtualization (SEV-SNP) technology used in cloud computing. Researchers demonstrated how an attacker with physical access to a server can manipulate memory modules to misreport their capacity, allowing unauthorized access to protected memory regions. This attack enables the creation of undetectable backdoors in virtual machines and the bypassing of cryptographic attestations meant to ensure VM integrity. The method involves modifying the Serial Presence Detect (SPD) chip on memory modules, either through a $10 hardware device or, in some cases, software alone. BadRAM poses a significant threat to cloud security, potentially compromising sensitive data stored on servers in major cloud providers like Amazon AWS, Google Cloud, and Microsoft Azure.
Microsoft MFA Bypassed via AuthQuake Attack
Oasis Security discovered a critical vulnerability in Microsoft's multi-factor authentication (MFA) system, dubbed AuthQuake, which allowed bypassing MFA if an attacker had the target's username and password. The exploit involved simultaneously executing multiple attempts to guess the six-digit MFA code, potentially granting access to various Microsoft services. The attack method was undetectable to victims and took about an hour on average to succeed. Microsoft implemented a temporary fix within days of being notified in June and released a permanent solution in October, introducing stricter rate limits for failed attempts. The vulnerability could have affected millions of Microsoft Office 365 users before it was patched.
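The mitigation described above, as an added example that is not Oasis Security's or Microsoft's code: an OTP verifier whose per-account failure budget is read and updated under one lock, so a burst of concurrent guesses cannot each observe an unspent budget. MAX_FAILURES, LOCKOUT_SECONDS and the burst() harness are assumed values and helpers for illustration, not Microsoft's policy.

```python
import threading
import time
from typing import Dict, List, Optional

# Added example; not Oasis Security's or Microsoft's code. It models the defence the
# article describes: a cap on failed OTP attempts per account that holds even when
# many guesses arrive at once. The limits are assumed policy values, not Microsoft's.

MAX_FAILURES = 10        # assumed: lock the account after 10 wrong codes
LOCKOUT_SECONDS = 900    # assumed: keep it locked for 15 minutes

class OtpVerifier:
    """Checks a 6-digit code against one shared failure budget per account."""

    def __init__(self, codes: Dict[str, str]):
        self._codes = codes                      # account -> currently valid code
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}
        self._lock = threading.Lock()            # makes check-and-count atomic

    def verify(self, account: str, code: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        with self._lock:   # no two requests can act on the same budget value
            if now < self._locked_until.get(account, 0.0):
                return "locked"                  # refused even if the code is right
            if code == self._codes.get(account):
                self._failures[account] = 0
                return "ok"
            self._failures[account] = self._failures.get(account, 0) + 1
            if self._failures[account] >= MAX_FAILURES:
                self._locked_until[account] = now + LOCKOUT_SECONDS
            return "rejected"

def burst(verifier: OtpVerifier, account: str, guesses: List[str]) -> Dict[str, int]:
    """Submit every guess from its own thread and tally the verifier's answers."""
    tally = {"ok": 0, "rejected": 0, "locked": 0}
    tally_lock = threading.Lock()

    def attempt(g: str) -> None:
        r = verifier.verify(account, g)
        with tally_lock:
            tally[r] += 1

    threads = [threading.Thread(target=attempt, args=(g,)) for g in guesses]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return tally
```

Whatever order the threads win the lock in, exactly MAX_FAILURES wrong codes are counted and every later request, including a correct code, is refused until the lockout expires.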
Attackers Can Use QR Codes to Bypass Browser Isolation
Security researchers from Mandiant have demonstrated a proof-of-concept cyberattack that bypasses three types of browser isolation security techniques. The attack uses QR codes to send malicious commands from a command-and-control server to a victim's device, circumventing the usual HTTP request-based communication that browser isolation typically blocks. By rendering a webpage with a QR code containing embedded data, the attack can transmit instructions even when the page is displayed in a remote browser. While this method has some limitations, such as data size restrictions and increased latency, it highlights a potential vulnerability in browser isolation technology. Despite this discovery, Mandiant still recommends browser isolation as part of a comprehensive cybersecurity strategy, along with other protective measures.
Chinese hackers use Visual Studio Code tunnels for remote access
Chinese hackers targeted large IT service providers in Southern Europe using Visual Studio Code (VSCode) tunnels to maintain persistent remote access to compromised systems. This tactic, observed by SentinelLabs and Tinexta Cyber in a campaign dubbed 'Operation Digital Eye,' exploits legitimate Microsoft infrastructure to create backdoors. The attackers gained initial access through SQL injection, deployed PHP-based webshells, and used RDP and pass-the-hash attacks for lateral movement. They then installed VSCode as a persistent Windows service, configuring it to create remote-access development tunnels. This method allows hackers to connect to breached devices via a web interface, with traffic routed through Microsoft Azure, making detection challenging. While the exact threat actor remains unknown, the campaign highlights a growing trend in abusing legitimate development tools for malicious purposes.
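A detection sketch for the persistence pattern just described, added here and not code from SentinelLabs, Tinexta Cyber or Microsoft: it labels constructed Sysmon-style process-creation records in which a VS Code binary is launched with its tunnel subcommand or registers itself as a service. The binary names, record fields and every sample value are assumptions, not the vendors' telemetry.

```python
import re
from typing import Dict, List, Tuple

# Added example, not code from SentinelLabs, Tinexta Cyber or Microsoft. It sifts
# process-creation records for the persistence shape the article describes: VS Code
# launched with its tunnel subcommand or registered as a Windows service. Field
# names and every sample value below are constructed assumptions, not real telemetry.

VSCODE_BINARIES = {"code.exe", "code-tunnel.exe", "code"}
SERVICE_INSTALL_RE = re.compile(r"\btunnel\s+service\s+install\b", re.I)
TUNNEL_RE = re.compile(r"(^|\s)tunnel(\s|$)", re.I)

def _basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: Dict[str, str]) -> str:
    """Label one process-creation event; '' means nothing tunnel-related."""
    if _basename(event.get("Image", "")) not in VSCODE_BINARIES:
        return ""
    cmdline = event.get("CommandLine", "")
    if SERVICE_INSTALL_RE.search(cmdline):
        return "service-install"      # persistence being registered
    if TUNNEL_RE.search(cmdline):
        # A tunnel whose parent is services.exe runs as a service, the shape the
        # campaign used; one started from a shell is more likely a developer.
        if _basename(event.get("ParentImage", "")) == "services.exe":
            return "tunnel-as-service"
        return "tunnel"
    return ""

def find_tunnel_activity(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (ProcessId, label) for every event that looks tunnel-related."""
    return [(e.get("ProcessId", "?"), classify(e)) for e in events if classify(e)]

# Constructed sample telemetry (Sysmon-style field names; values are made up).
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "Code.exe --new-window"},
    {"ProcessId": "5588", "Image": r"C:\ProgramData\vscode\code.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "code.exe tunnel service install --accept-server-license-terms"},
    {"ProcessId": "6012", "Image": r"C:\ProgramData\vscode\code-tunnel.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "code-tunnel.exe tunnel --accept-server-license-terms"},
]
```

Pairing these labels with outbound connections from the same process to Microsoft's tunnel relay is what separates the campaign's service-backed tunnels from a developer's interactive session.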
Latest round of MITRE ATT&CK evaluations put cybersecurity products through rigors of ransomware
MITRE Corporation released findings from its sixth round of ATT&CK evaluations, assessing 19 vendors' cybersecurity solutions against ransomware and North Korean malware, including macOS systems for the first time. The evaluation tested detection and protection capabilities against Cl0p and LockBit ransomware strains, as well as sophisticated Mac-targeted malware. Key findings included significant disparities in vendors' detection rates and ability to distinguish malicious activity from benign behavior, with some vendors showing higher false-positive rates than detection rates. The evaluation also revealed challenges in protecting against post-compromise threats and difficulties in assessing Mac-based threats due to limited public threat intelligence. MITRE emphasized that the evaluations do not rank vendors but provide insights for organizations to make informed decisions based on their specific needs and threat models.
U.K. cybersecurity chief warns of gap between risks and defenses
The new head of the UK's National Cyber Security Centre, Richard Horne, has warned of a widening gap between cyber risks and defenses. This warning coincides with a report from Green Raven, revealing that many senior cybersecurity professionals in large UK organizations feel helpless and despair at rising cyber losses. Factors contributing to these feelings include alert fatigue, lack of awareness beyond security teams, insufficient upper management support, and inadequate tools for thwarting attacks. While AI-powered tools are seen as a potential solution by many professionals, they also present risks as threat actors adopt AI faster. The article emphasizes the need for industry collaboration and better education to address these challenges and potentially reduce the overall cost of cybercrime.
Cybercrime Gangs Abscond With 1000s of AWS Credentials
Cybercriminal gangs exploited vulnerabilities in public websites to steal Amazon Web Services (AWS) cloud credentials and other data from thousands of organizations. Researchers uncovered the operation, which involved scanning millions of sites for vulnerable endpoints. The attackers, linked to known threat groups Nemesis and ShinyHunters, used a two-step attack sequence of discovery and exploitation. They scanned AWS IP ranges, used Shodan for reverse lookups, and analyzed SSL certificates to expand their attack surface. The criminals then extracted various credentials and data from product-specific endpoints. AWS confirmed the operation targeted flaws on the customer application side of the shared responsibility cloud model. Researchers provided recommendations for organizations to protect themselves, including avoiding hardcoded credentials, conducting web scans, and using web application firewalls.
New IOCONTROL malware used in critical infrastructure attacks
Iranian hackers are using a new malware called IOCONTROL to target IoT devices and OT/SCADA systems in critical infrastructure in Israel and the US. The malware, linked to the CyberAv3ngers group, can affect various devices from multiple manufacturers and is capable of causing significant disruptions. It was discovered in a Gasboy fuel control system and can potentially control pumps, payment terminals, and other systems. The malware uses modular configuration, MQTT protocol for communication, and DNS over HTTPS for evasion. It supports commands for system information reporting, command execution, self-deletion, and port scanning. As of December 2024, the malware remains undetected by antivirus engines, posing a significant threat to critical infrastructure.
Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online
Cybersecurity researchers have identified significant vulnerabilities in thousands of servers using the Prometheus monitoring toolkit. These exposed servers are at risk of information leakage, denial-of-service attacks, and remote code execution. Unauthenticated Prometheus servers can expose sensitive data like credentials and API keys, while the "/debug/pprof" endpoints could be exploited for DoS attacks. The "/metrics" endpoint may reveal valuable information for attackers conducting reconnaissance. Additionally, a supply chain threat involving repojacking techniques could lead to the deployment of malicious exporters. To mitigate these risks, organizations are advised to implement proper authentication, limit public exposure, monitor endpoints, and take precautions against repojacking attacks.
'Termite' Ransomware Likely Behind Cleo Zero-Day Attacks
A ransomware group called "Termite" is exploiting a vulnerability in Cleo's file transfer software, affecting products like LexiCom, VLTransfer, and Harmony. The attacks began on December 3 and have impacted at least 10 victims across various industries. Although Cleo previously released a patch for the vulnerability (CVE-2024-50623), it proved insufficient, leaving even patched systems vulnerable. Cleo is currently developing a new patch but recommends moving Internet-exposed systems behind a firewall as an interim measure. Security researchers from Huntress Labs and Rapid7 are tracking the activity and suggest that Termite may be related to the Cl0p ransomware group. The vulnerability allows easy access to Cleo systems, and experts advise organizations to take immediate action to mitigate the risk.
Wyden proposes bill to secure US telecoms after Salt Typhoon hacks
Senator Ron Wyden introduced the "Secure American Communications Act" in response to Chinese state hackers breaching U.S. telecommunications networks. The bill requires the FCC to implement binding cybersecurity rules for telecom providers, including annual vulnerability testing, patching, and independent audits. This legislation aims to address long-standing security vulnerabilities in American telecom systems, which have allowed foreign hackers to access calls, messages, and phone records. The FCC Chairwoman also announced urgent action to secure telecom networks. The breaches, attributed to the Salt Typhoon hacking group, affected multiple major carriers and potentially compromised substantial internet traffic. While classified communications are not believed to be affected, officials cannot confirm if the hackers have been completely removed from the systems.
Operation PowerOFF Takes Down DDoS Boosters
Law enforcement agencies worldwide have taken action against Distributed Denial-of-Service (DDoS) attack platforms in an operation called PowerOFF. They seized 27 'booter' and 'stresser' websites, arrested three administrators, and identified over 300 users. The operation aims to disrupt cybercriminal activities during the festive season, a peak period for DDoS attacks. Europol provided support and facilitated information exchange. To prevent future incidents, authorities are launching an online ad campaign to deter potential offenders, particularly targeting young people. Additional preventive measures include warning letters, emails, and in-person visits to users of illegal services.
Cybercriminal marketplace Rydox seized in international law enforcement operation
In a joint international operation, the Justice Department announced the dismantling of Rydox, an online marketplace for stolen personal information and cybercrime tools. Three individuals alleged to be the site's administrators were arrested. Rydox, operational since 2016, was linked to over 7,600 illicit sales and generated more than $230,000 in revenue from selling sensitive data of U.S. residents. The operation involved law enforcement agencies from the U.S., Albania, Kosovo, and Malaysia. Two Kosovo nationals were apprehended in Kosovo and will be extradited to the U.S., while a third was detained in Albania. Authorities seized the domain, associated servers, and approximately $225,000 in cryptocurrency linked to the defendants.
Subscribe and come back next week to get another quick overview of recent industry events.