CISO Daily Update - October 3, 2024
NEW DEVELOPMENTS
Crook Made Millions by Breaking Into Execs’ Office365 Inboxes, Feds Say
Source: ARS Technica
UK national Robert B. Westbrook faces charges of securities, wire, and computer fraud for hacking into the Office365 email accounts of executives at five U.S. companies. Westbrook allegedly accessed quarterly financial reports before their public release, using this information to make $3.75 million from stock trades in 2019 and 2020 by predicting market movements. He reportedly exploited Office365's password reset feature and set up auto-forwarding rules to monitor emails. If convicted, Westbrook could face up to 20 years in prison and millions in fines.
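Auto-forwarding rules of the kind described above leave an auditable trace in the mailbox itself, so the following is a worked example of the check a mail administrator can run over an export of inbox rules: flag enabled rules that forward or redirect to a domain outside the organisation, and raise the severity when the rule also hides the forwarded mail (deletes it or marks it read) or carries a throwaway name. This is an added example, not code from the article or from Microsoft; the sample rules, mailboxes and domains are constructed, the field names (`ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`, `DeleteMessage`, `MarkAsRead`) are assumed to follow the shape of an Exchange Online `Get-InboxRule` export, and `audit_inbox_rules` and `Finding` are hypothetical helpers.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules, shaped like an export of Exchange Online
# `Get-InboxRule` output (assumption: recipients appear either as
# '"Display Name" [SMTP:address]' or as a bare address).
SAMPLE_RULES = [
    {"Mailbox": "cfo@example-corp.test", "Name": "Finance digest", "Enabled": True,
     "ForwardTo": ['"Analyst" [SMTP:analyst@example-corp.test]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MarkAsRead": False},
    {"Mailbox": "cfo@example-corp.test", "Name": ".", "Enabled": True,
     "ForwardTo": ['"." [SMTP:drop.box@mail-relay.test]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": True, "MarkAsRead": True},
    {"Mailbox": "ceo@example-corp.test", "Name": "Archive newsletters", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["ceo.archive@example-corp.test"],
     "DeleteMessage": False, "MarkAsRead": True},
    {"Mailbox": "ceo@example-corp.test", "Name": "Old rule", "Enabled": False,
     "ForwardTo": ['"x" [SMTP:someone@external-example.test]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MarkAsRead": False},
]

# Constructed: the domains this organisation treats as internal.
INTERNAL_DOMAINS = {"example-corp.test"}

SMTP_RE = re.compile(r"\[SMTP:([^\]]+)\]", re.IGNORECASE)


def extract_address(recipient: str) -> str:
    """Return the lower-cased SMTP address from a recipient string, tolerating
    both the '"Display" [SMTP:addr]' form and a bare address."""
    match = SMTP_RE.search(recipient)
    return (match.group(1) if match else recipient).strip().lower()


def is_external(address: str, internal_domains) -> bool:
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1]
    return domain not in internal_domains


@dataclass
class Finding:
    mailbox: str
    rule: str
    external_targets: list = field(default_factory=list)
    hides_mail: bool = False
    severity: str = "medium"


def audit_inbox_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag enabled rules that forward or redirect mail outside the organisation.
    Severity is raised to 'high' when the rule also hides the mail it forwards
    (delete / mark as read) or has a throwaway one- or two-character name."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", False):
            continue  # a disabled rule cannot forward anything
        targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
                   + rule.get("RedirectTo", []))
        external = sorted({extract_address(t) for t in targets
                           if is_external(extract_address(t), internal_domains)})
        if not external:
            continue
        hides = bool(rule.get("DeleteMessage")) or bool(rule.get("MarkAsRead"))
        throwaway_name = len(rule.get("Name", "").strip()) <= 2
        severity = "high" if (hides or throwaway_name) else "medium"
        findings.append(Finding(rule["Mailbox"], rule["Name"], external, hides, severity))
    return findings


if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULES):
        print(f"[{f.severity}] {f.mailbox} rule {f.rule!r} -> {', '.join(f.external_targets)}"
              f"{' (hides forwarded mail)' if f.hides_mail else ''}")
```

Run against the constructed sample, only the second rule is reported: it forwards the CFO's mail to an outside relay, deletes the original and marks it read, and is named with a single dot. The internal-only rules and the disabled rule are left alone, which keeps the report short enough to review daily.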
          
        
Sanctioned North Korean Unit Tried to Hack at Least 3 US Organizations This Summer
Source: The Record
In August, the North Korean hacking group APT45 attempted to breach at least three U.S. organizations, just a month after the U.S. Justice Department indicted one of its members. The group targeted private companies but failed to deploy ransomware. APT45 was sanctioned in 2019 and has a history of attacking U.S. hospitals, Air Force bases, and NASA. The group has grown more sophisticated since 2009 and expanded into espionage operations, and the recent indictment hasn't slowed its activity. Symantec linked the group to these recent attempts through custom malware and unique indicators of compromise.
          
        
Fake Job Applications Deliver Dangerous More_eggs Malware to HR Professionals
Source: The Hacker News
A spear-phishing campaign is targeting HR professionals with the dangerous More_eggs malware, hidden in fake job applications. These malicious files are disguised as resumes to trick recruiters into downloading the malware through spear-phishing emails or malicious URLs. Once activated, the More_eggs backdoor can steal credentials and enable additional attacks. Attributed to the Golden Chickens group and used by other cybercriminals like FIN6, this malware performs system reconnaissance and communicates with command-and-control servers to deliver further malicious payloads.
          
        
Zero-Day Breach at Rackspace Sparks Vendor Blame Game
Source: Security Affairs
A zero-day vulnerability in ScienceLogic's monitoring app led to a breach at Rackspace, sparking a blame game between the involved vendors. ScienceLogic identified the root cause as an undocumented flaw in a third-party utility bundled with its SL1 software. Discovered on September 24, the breach exposed Rackspace's internal monitoring data, including customer information and encrypted credentials. Rackspace faced this breach months after a costly ransomware attack on its Exchange service in December 2022. ScienceLogic has since patched the exploited vulnerability.
          
        
Record-Breaking DDoS Attack Peaked at 3.8 Tbps, 2.14 Billion Pps
Source: Security Week
Cloudflare recently mitigated a massive DDoS attack that peaked at 3.8 terabits per second (Tbps) and 2.14 billion packets per second (Pps), setting new records for volumetric attacks. The month-long campaign began in early September and targeted a customer of an unnamed hosting provider. The attack affected multiple sectors, including financial services, telecoms, and internet providers. The attackers used over 100 hyper-volumetric L3/4 DDoS strikes powered by compromised devices worldwide, including web servers, DVRs, and routers.
          
        
NIST’s Security Flaw Database Still Backlogged With 17K+ Unprocessed Bugs. Not Great
Source: The Register
NIST's National Vulnerability Database (NVD) is struggling with a backlog of more than 17,000 unprocessed vulnerabilities, having missed its target to clear it by September 30. The delay in analyzing Common Vulnerabilities and Exposures (CVEs) has disrupted organizations that depend on NVD data to track and address security flaws. The backlog, caused by earlier cuts to operations, raises concerns about the risks posed by unaddressed vulnerabilities. While projects like CISA's Vulnrichment provide temporary relief, the backlog continues to strain global cybersecurity efforts.
          
        
VULNERABILITIES TO WATCH
CISA: Network Switch RCE Flaw Impacts Critical Infrastructure
Source: Bleeping Computer
CISA issued a warning about two serious vulnerabilities in Optigo Networks ONS-S8 Aggregation Switches commonly used in critical infrastructure. These flaws, CVE-2024-41925 and CVE-2024-45367, allow attackers to bypass authentication and execute remote code. The vulnerabilities are caused by improper password verification and PHP remote file inclusion and are highly risky due to their ease of exploitation and remote access potential. With no patches currently available, CISA recommends isolating switch management traffic, using VPNs, allowlisting devices, and following strict security protocols to mitigate risks.
          
        
Critical Zimbra RCE Flaw Exploited to Backdoor Servers Using Emails
Source: Bleeping Computer
Hackers are actively exploiting a critical remote code execution (RCE) flaw in Zimbra email servers (CVE-2024-45519) to backdoor systems through specially crafted emails. The vulnerability is in Zimbra's postjournal service, which allows attackers to send malicious commands in the CC field of an email. Once exploited, attackers can install a webshell on the server, giving them full control for data theft or further attacks. Mass exploitation began on September 28 after a proof-of-concept was released. Zimbra has issued patches, and users should update their systems or apply mitigation measures immediately.
          
        
Alert: Over 700,000 DrayTek Routers Exposed to Hacking via 14 New Vulnerabilities
Source: The Hacker News
Hackers could exploit 14 newly discovered vulnerabilities in over 700,000 DrayTek routers. Two critical flaws—a buffer overflow in the "GetCGI()" function and an OS command injection vulnerability in the "recvCmd" binary—pose the greatest risks, allowing remote code execution or denial-of-service attacks. The vulnerabilities also include cross-site scripting (XSS) issues and weak admin credentials. DrayTek released patches for all the identified vulnerabilities, even for 11 end-of-life devices. Users are urged to update their routers, disable unused remote access, and implement security measures like access control lists and two-factor authentication to protect their networks.
          
        
Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit
Source: The Hacker News
Cybersecurity researchers revealed that attackers exploited a critical vulnerability, dubbed CosmicSting (CVE-2024-34102), to compromise 5% of Adobe Commerce and Magento stores. The flaw, which Adobe patched in June 2024, allows remote code execution, enabling attackers to steal encryption keys and gain administrative access by injecting malicious scripts through the Magento REST API. Attackers have also paired CosmicSting with another vulnerability (CVE-2024-2961) to take full control of affected systems. Merchants are urged to upgrade their software, rotate encryption keys, and invalidate old keys to prevent further attacks.
          
        
New Bluetooth Vulnerability Leaks Your Passcode to Hackers While Pairing
Source: Cyber Security News
A newly discovered Bluetooth vulnerability (CVE-2020-26558) allows hackers to intercept passcodes during the pairing process. Known as "Impersonation in the Passkey Entry Protocol," this flaw affects Bluetooth Core Specification versions 2.1 to 5.4 for BR/EDR and 4.2 to 5.4 for LE Secure Connections. Attackers within range can manipulate public key exchanges during pairing, potentially launching a man-in-the-middle attack. Bluetooth Core Specification 5.4 advises devices to reject pairing if the peer's public key X coordinate matches the local device's key. Users should update their devices and follow security recommendations to prevent exploitation.
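The Core Specification 5.4 advice quoted above is a single comparison a pairing stack makes on the public key it receives, and it is worth seeing why the more familiar "is this a valid curve point" validation does not cover it. The example below is added here and is not code from the article or from any Bluetooth stack: it implements just enough P-256 arithmetic (the curve LE Secure Connections uses) to derive public keys from constructed private scalars, then models the receiving side's decision. `accept_peer_public_key` and `simulate_exchange` are hypothetical helpers; the on-curve check is included as a general good-practice step, not something the article discusses, and the arithmetic is plain affine-coordinate code for readability, not constant-time and not for production use.

```python
# Minimal P-256 (secp256r1) arithmetic in affine coordinates. Demonstration
# only: not constant-time, no side-channel hardening.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551   # group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)  # base point

# The point at infinity is represented as None.


def is_on_curve(pt):
    """True when pt = (x, y) satisfies y^2 = x^3 + ax + b over GF(P)."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law for affine points; handles doubling and the inverse-pair case."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p2 == -p1, the sum is the point at infinity
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def accept_peer_public_key(local_pub, peer_pub):
    """Decision the receiving device makes on the public key sent by the peer.
    Returns (accepted, reason)."""
    if not is_on_curve(peer_pub):
        return False, "peer public key is not a valid P-256 point"
    if peer_pub[0] == local_pub[0]:
        # The Core Specification 5.4 mitigation described in the article:
        # refuse to pair when the peer's X coordinate equals our own.
        return False, "peer public key X coordinate matches the local key"
    return True, "ok"


def simulate_exchange(local_priv, peer_key_for):
    """Derive our public key, hand it to the peer model, validate its reply.
    peer_key_for(local_pub) models whatever public key the peer sends back."""
    local_pub = scalar_mult(local_priv, G)
    return accept_peer_public_key(local_pub, peer_key_for(local_pub))


# Constructed private scalars (any value in 1..N-1 works for the demo).
LOCAL_PRIV, PEER_PRIV = 0x1234_5678_9ABC, 0xFEDC_BA98_7654


def honest_peer(_local_pub):
    return scalar_mult(PEER_PRIV, G)


def reflecting_peer(local_pub):
    # A peer that echoes our X coordinate back (here with the negated Y, which
    # is still a valid curve point, so on-curve validation alone passes it).
    return (local_pub[0], (-local_pub[1]) % P)


if __name__ == "__main__":
    print("honest peer     :", simulate_exchange(LOCAL_PRIV, honest_peer))
    print("reflecting peer :", simulate_exchange(LOCAL_PRIV, reflecting_peer))
```

The second scenario is the one the 5.4 advice exists for: the reflected key is a perfectly valid point on the curve, so a stack that only validates curve membership accepts it, while the X-coordinate comparison rejects it before any passkey bits are exchanged.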
          
        
SPECIAL REPORTS
Cybersecurity Hiring Slows, Pros’ Stress Levels Rise
Source: Help Net Security
According to ISACA, cybersecurity professionals are facing increasing stress, with 66% reporting that their jobs are more stressful than five years ago. Key factors include a more complex threat landscape (81%), budget limitations (45%), and hiring and retention struggles (45%). Despite the rising threat of cyberattacks, budgets and staffing haven't kept pace, with 51% of organizations stating their cybersecurity budgets are underfunded and 57% reporting understaffed teams. Though economic conditions have slightly reduced turnover, stress and lack of career development remain major challenges for retention. Organizations must prioritize supporting their cybersecurity teams to prevent burnout.
          
        
CISA: Thousands of Bugs Remediated in Second Year of Vulnerability Disclosure Program
Source: The Record
CISA's Vulnerability Disclosure Policy (VDP) Platform triaged more than 7,000 vulnerabilities in 2023, leading to 1,094 valid disclosures and 872 remediated vulnerabilities. The platform supports federal civilian agencies in managing bug reports from researchers who identified 250 critical vulnerabilities this year. Participating agencies saved an estimated $4.45 million in remediation costs and experienced faster validation of submissions. The VDP continues to strengthen federal cybersecurity by efficiently addressing vulnerabilities and providing valuable insights into emerging threats.
          
        
80% of Manufacturing Firms Have Critical Vulnerabilities
Source: Infosecurity Magazine
A recent Black Kite analysis shows that 80% of manufacturing firms have critical vulnerabilities with CVSS scores of 8 or higher, making them prime targets for cyber-attacks. Poor patch management is a key issue, with 67% of companies having flaws listed in CISA's Known Exploited Vulnerabilities Catalog. Additionally, 69% of firms have leaked credentials, and 62% suffer from broken cryptographic algorithms. The manufacturing sector now tops the list for ransomware attacks, accounting for 21% of all incidents between April 2023 and March 2024.
          
        