CISO Daily Update - December 10, 2024
NEW DEVELOPMENTS
One Email to Expose Them All: Single User Breach Exposes Data of 11K Children
Source: Cybernews
A phishing attack on health IT firm Datavant exposed the sensitive data of over 11,000 children after a single user’s email account was compromised between May 8-9, 2024. The exposed data included names, addresses, social security numbers, financial information, and medical details. Datavant’s own systems and data storage were not affected. In response, Datavant enhanced security measures, pledged phishing awareness training, and offered two years of free identity monitoring for affected individuals.
Medical Device Maker Artivion Scrambling to Restore Systems After Ransomware Attack
Source: Security Week
Medical device manufacturer Artivion disclosed a ransomware attack identified on November 21, 2024 that caused disruptions to order and shipping processes. The Atlanta-based company took systems offline to contain the breach. While Artivion continues serving customers and restoring systems securely, remediation efforts are incurring costs, some of which may not be covered by insurance. The company believes the incident won’t materially impact its finances but acknowledges potential future risks. No ransomware group claimed responsibility.
Wayne-Westland Community Schools Bouncing Back to Normal Operations After Cyberattack
Source: ABC 7 Detroit
Wayne-Westland Community Schools in Michigan is gradually returning to normal operations after a cyberattack disrupted internet and phone access district-wide. Internet services were partially restored, and teachers adapted resiliently to ensure student learning continued. Despite initial frustrations from parents, interim superintendent Jenny Curry defended the decision to keep schools open, citing secure buildings, effective staff, and ongoing communication through email and the ClassDoJo app. So far there is no evidence of a student data breach. Officials and the Executive Director of Technology are investigating the incident. Full phone service restoration is still underway.
Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ Hacked Devices
Source: The Hacker News
The Socks5Systemz botnet is fueling the illegal proxy service PROXY.AM, leveraging over 85,000 compromised devices globally. Originating in 2013 and rebuilt as "Socks5Systemz V2" in December 2023, this malware transforms infected systems into proxy exit nodes that cybercriminals use to mask their activities. The malware is distributed via loaders like PrivateLoader, SmokeLoader, and Amadey; the botnet primarily affects countries like India, Indonesia, Ukraine, and Vietnam. The service offers proxies for $126 to $700 per month.
Black Basta Ransomware Evolves with Email Bombing, QR Codes, and Social Engineering
Source: The Hacker News
The Black Basta ransomware group evolved its social engineering tactics by incorporating email bombing, QR codes, and impersonation schemes since October 2024. After overwhelming users' inboxes with spam, attackers impersonate IT staff via Microsoft Teams and trick users into installing remote access tools like AnyDesk or Microsoft's Quick Assist. This access is then exploited to deliver malware like Zbot and DarkGate for credential theft and network enumeration. QR codes sent via chat may direct victims to malicious sites for credential harvesting. Black Basta's hybrid approach combines botnets and social engineering using bespoke tools like KNOTWRAP dropper, KNOTROCK ransomware executor, and PORTYARD tunneling utility.
VULNERABILITIES TO WATCH
QNAP Patches Vulnerabilities Exploited at Pwn2Own
Source: Security Week
QNAP released patches for multiple high-severity vulnerabilities in QTS and QuTS Hero disclosed during the Pwn2Own Ireland 2024 contest. The most critical flaw, CVE-2024-50393 with CVSS 8.7, allows remote command injection. Another severe flaw, CVE-2024-48868 with CVSS 8.7, involves a CRLF injection bug that can alter application data. CVE-2024-48865 with CVSS 7.3 addresses improper certificate validation, exposing systems to local network compromise. Updates for these flaws are included in QTS 5.1.9, QTS 5.2.2, QuTS Hero h5.1.9, and QuTS Hero h5.2.2 builds released in November 2024. A separate patch for CVE-2024-48863 with CVSS 7.7 in the License Center fixes a command execution issue. Users are urged to apply these updates promptly.
Synology Router Vulnerabilities Let Attackers Inject Arbitrary Web Script
Source: Cyber Security News
Synology patched multiple moderate-severity vulnerabilities in its Router Manager software versions before 1.3.1-9346-10, which could allow attackers to inject arbitrary web scripts or HTML. Identified as CVE-2024-53279 through CVE-2024-53285, these XSS flaws affect functionalities such as File Station, Network Center Policy Route, Wake-on-LAN, WiFi Connect, Router Port Forwarding, and DDNS Records. Exploitation requires an authenticated user with admin privileges and could lead to data theft, session manipulation, interface defacement, or arbitrary command execution. Synology users are urged to update to SRM version 1.3.1-9346-10 or later to mitigate these risks.
Qlik Sense Enterprise For Windows Vulnerability Let Attackers Execute Remote Code
Source: Cyber Security News
A critical vulnerability in Qlik Sense Enterprise for Windows could enable remote code execution and broken access control. Affecting all versions up to May 2024 Patch 9, the flaws allow unprivileged users with network access to execute arbitrary EXE files or remote commands on the server. The flaws, assigned CVSS scores of 8.8 and 7.5, could compromise servers if exploited. Qlik released patches for versions up to November 2024 and urges immediate upgrades. A workaround for extension issues involves modifying Repository.exe.config.
Critical Windows Zero-Day Vulnerability Exploited in the Wild – PoC Released
Source: Cyber Security News
Microsoft patched a critical zero-day vulnerability (CVE-2024-38193) exploited by the Lazarus APT group to target Windows users in fields like cryptocurrency and aerospace. The flaw is a use-after-free affecting Registered I/O extensions: a race condition in the AFD.sys driver for WinSock allowed Lazarus to deploy the FudModule rootkit, bypassing security measures and achieving SYSTEM-level privileges. With a CVSS score of 7.8, the vulnerability posed a high risk of system compromise and data theft. It was patched in the August 2024 Patch Tuesday release. Users are urged to update immediately to prevent exploitation and safeguard against privilege escalation attacks.
SPECIAL REPORTS
Businesses Plagued by Constant Stream of Malicious Emails
Source: Help Net Security
In 2024, 36.9% of all business emails were unwanted, with 2.3% containing malicious content, according to Hornetsecurity’s analysis of 55.6 billion emails. Phishing remains the top attack method, responsible for a third of all cyberattacks, followed by malicious URLs at 22.7% and advance-fee scams at 6.4%. A rise in reverse-proxy credential theft, which uses fake login pages to steal credentials in real time, contributed to a decline in malicious attachments. HTML files, PDFs, and archive files remain the most common malicious attachments. Shipping brands like DHL and FedEx are frequently impersonated, while phishing attempts targeting Mastercard, Netflix, DocuSign, and Facebook have surged.
API Attacks Surge 3000%: Why Cybersecurity Needs to Evolve in 2025
Source: The Cyber Express
API attacks surged by 3,000%, driven by the increasing reliance on APIs for digital operations, making cybersecurity evolution critical for 2025. A study analyzing 1.26 billion attacks in Q3 2024 found 271 million targeted APIs, with API-based threats now 85% more frequent than traditional web attacks. SMBs face a 175% higher rate of DDoS attacks per site due to limited cybersecurity resources, exposing them to financial and reputational harm. Sector-specific risks include BFSI, healthcare, retail, and power industries, all heavily targeted by bot-driven attacks and vulnerability exploits. Unpatched flaws such as those in Metabase's GeoJSON API and Versa Networks.
Public and Private Sectors Must Partner to Address Generative AI’s Interdependent Energy and Security Requirements
Source: CyberScoop
Generative AI’s immense power demands and security risks require urgent public-private collaboration to protect energy infrastructure and ensure AI system integrity. AI model training consumes up to seven times more electricity than traditional computing, straining an already vulnerable power grid targeted by cyberattacks. Security concerns arise from safeguarding foundational models, training data, and user queries, yet no standardized security model exists for AI like in cloud computing. Federal agencies, including CISA, NRC, DoE, and NIST, must streamline regulations, enhance grid resilience, and enforce security standards. Balancing AI innovation with energy capacity and national security requires coordinated efforts to address these interdependent challenges.