CISO Daily Update - December 12, 2024

NEW DEVELOPMENTS

Security Arteries Burst: 446K Exposed in Vein Treatment Center Breach

Source: Cybernews

The Center for Vein Restoration suffered a data breach impacting over 445,000 individuals, compromising highly sensitive information including social security numbers, lab results, health insurance details, diagnoses, and treatment information. Discovered on October 6th, the breach exposes victims to health identity fraud, tailored phishing attacks, and potential blackmail. CVR has over 110 locations. Victims are urged to monitor healthcare statements closely. 

Article Link


Cyber Incident Disrupting Krispy Kreme Online Orders

Source: Infosecurity Magazine

Krispy Kreme reported a cyber-incident that impacted online orders and affected business operations. Detected on November 29, 2024, the disruption led to losses in digital sales, advisory fees, and recovery costs, though cyber insurance is expected to cover some expenses. Digital orders accounted for 15.5% of Q3 2024 sales. In-store purchases and fresh doughnut deliveries remain unaffected globally. The incident's full scope is still under investigation. The company expects no long-term material impact on its financial condition.

Article Link


ZLoader Malware Returns With DNS Tunneling to Stealthily Mask C2 Comms

Source: The Hacker News

The latest ZLoader malware variant v2.9.4.0 resurfaced with advanced features including DNS tunneling for command-and-control communications. Distributed via remote desktop connections disguised as tech support, ZLoader now includes an interactive shell for executing commands, deploying payloads, and exfiltrating data. Researchers from Zscaler report its increasing association with Black Basta ransomware attacks and enhanced anti-analysis techniques. 

Article Link
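Added example (not code from the original article or from Zscaler): a small detector for the command-and-control pattern described above, run over a constructed DNS query log. DNS tunneling shows up in resolver logs as many distinct, long, high-entropy subdomains under one registered domain, often with TXT or NULL query types. The log lines, the domain exfil-example.test, thresholds, and the "last two labels" rule for the registered domain are all assumptions made for the example; production code would use the public suffix list and tune thresholds against its own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "<epoch> <client> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
1733990400 10.0.0.21 A www.example.com
1733990401 10.0.0.21 A mail.example.com
1733990402 10.0.0.21 AAAA www.example.com
1733990403 10.0.0.21 A login.example.com
1733990404 10.0.0.37 TXT 3a6f9c1d2e8b4f70a1b2c3d4e5f60718293a4b5c6d7e8f90.exfil-example.test
1733990405 10.0.0.37 TXT 9b8a7c6d5e4f30211234567890abcdef0fedcba987654321.exfil-example.test
1733990406 10.0.0.37 TXT 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b.exfil-example.test
1733990407 10.0.0.37 TXT 5f6e7d8c9b0a1f2e3d4c5b6a79887766554433221100ffee.exfil-example.test
1733990408 10.0.0.37 TXT aabbccddeeff00112233445566778899a0b1c2d3e4f50617.exfil-example.test
1733990409 10.0.0.37 TXT 1234abcd5678ef90aaaa1111bbbb2222cccc3333dddd4444.exfil-example.test
1733990410 10.0.0.21 A docs.example.com
1733990411 10.0.0.21 A www.example.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character; hex/base32/base64 payloads score far above normal hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels are the registered domain (real code uses the public suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Parse one log line into its fields plus the leftmost (most variable) label."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    domain = registered_domain(qname)
    sub = qname.rstrip(".")[: -len(domain)].rstrip(".")
    leftmost = sub.split(".")[0] if sub else ""
    return {"ts": int(ts), "client": client, "qtype": qtype,
            "qname": qname, "domain": domain, "label": leftmost}


def profile_domains(log_text: str) -> dict:
    """Aggregate, per registered domain, the features that separate tunnels from ordinary lookups."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "len_sum": 0,
                                 "ent_sum": 0.0, "txt": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["domain"]]
        s["queries"] += 1
        s["labels"].add(rec["label"])
        s["len_sum"] += len(rec["label"])
        s["ent_sum"] += shannon_entropy(rec["label"])
        if rec["qtype"] in ("TXT", "NULL"):  # record types that carry arbitrary payloads
            s["txt"] += 1
    return stats


def flag_tunneling(log_text: str, min_queries: int = 5, min_label_len: float = 30.0,
                   min_entropy: float = 3.0, min_unique_ratio: float = 0.8,
                   min_reasons: int = 2) -> dict:
    """Return {domain: [reasons]} for domains whose query pattern looks like DNS tunneling."""
    flagged = {}
    for domain, s in profile_domains(log_text).items():
        n = s["queries"]
        if n < min_queries:
            continue  # too little traffic to judge; avoids noise from one-off lookups
        reasons = []
        if s["len_sum"] / n >= min_label_len:
            reasons.append("long_labels")
        if s["ent_sum"] / n >= min_entropy:
            reasons.append("high_entropy")
        if len(s["labels"]) / n >= min_unique_ratio:
            reasons.append("mostly_unique_subdomains")
        if s["txt"] / n >= 0.5:
            reasons.append("txt_heavy")
        if len(reasons) >= min_reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_tunneling(SAMPLE_DNS_LOG).items():
        print(domain, ", ".join(reasons))
```

Requiring at least two independent indicators keeps CDN hostnames with one long hashed label, or a busy domain with many ordinary subdomains, from being flagged on their own.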


Antidot Malware Targets Employee Androids with Malicious Payloads

Source: Cyber Press

A sophisticated phishing campaign distributed the Antidot banking Trojan variant, AppLite Banker, through malicious Android dropper apps disguised as CRM tools. It targets employees via fake job offers and employs ZIP manipulation and social engineering to infiltrate devices, steal banking, cryptocurrency, and financial credentials. The malware exploits Android Accessibility Services to bypass lock screens, display fake overlays, and capture sensitive data from 172 targeted apps. Users are urged to stay vigilant, avoid unsolicited downloads, and implement strong mobile security measures.

Article Link


Operation PowerOFF Shuts Down 27 DDoS-for-Hire Platforms

Source: Bleeping Computer

Operation PowerOFF, led by Europol and involving 15 countries, shut down 27 DDoS-for-hire services, arrested three administrators, and identified 300 customers who used these platforms to launch disruptive cyberattacks. These "booter" services rent out botnets to perform DDoS attacks, often targeting businesses during critical periods like the holiday season. Seized platforms, including zdstresser[.]net and starkstresser[.]net, now display law enforcement notices. Dutch authorities arrested four individuals and identified 200 others linked to these services.

Article Link


VULNERABILITIES TO WATCH

Microsoft Azure MFA Flaw Allowed Easy Access Bypass

Source: Infosecurity Magazine

A vulnerability in Microsoft's multi-factor authentication system allowed attackers to bypass it for services such as Outlook, OneDrive, Teams, and Azure Cloud, affecting up to 400 million paid Office 365 accounts globally. The flaw lay in the time-based one-time password (TOTP) check: insufficient rate limiting combined with an extended code validity window made it feasible to brute-force a code within 70 minutes without alerting the user. Oasis Security Research discovered the flaw; Microsoft issued a temporary fix in July 2024 and a permanent one by October 2024.

Article Link


Atlassian, Splunk Patch High-Severity Vulnerabilities

Source: Security Week

Atlassian and Splunk patched over two dozen vulnerabilities, including high-severity flaws in third-party components. Atlassian fixed 10 high-severity bugs in Bamboo, Bitbucket, and Confluence Data Center and Server, affecting libraries such as Apache Commons Compress and Hazelcast. Splunk addressed 15 vulnerabilities, including CVE-2024-53247, a critical deserialization flaw in the Secure Gateway app (CVSS 8.8) that could allow remote code execution. Users are strongly advised to apply these updates promptly to mitigate potential risks.

Article Link


TCC iOS Subsystem Vulnerability Exposes iCloud Data To Attackers

Source: Cyber Security News

A critical vulnerability (CVE-2024-44131) in Apple's TCC subsystem allowed malicious apps to access sensitive iCloud data without user consent, putting files, health data, and app backups at risk. By manipulating symbolic links within Files.app, attackers could bypass permission prompts and compromise user privacy. The flaw affected both iOS and macOS. Apple patched it in iOS 18 and macOS 15. Businesses are reminded to adopt comprehensive mobile security solutions to safeguard data and mitigate evolving mobile threats effectively.

Article Link


Critical LDAP Client Vulnerability Let Attackers Gain Vulnerable System Access Remotely

Source: Cyber Security News

Microsoft patched a critical remote code execution vulnerability (CVE-2024-49124) affecting LDAP clients that could let attackers gain unauthorized access to systems remotely. The flaw is a race condition (CWE-362) caused by improper synchronization during execution; an attacker who sends specially crafted requests could execute code with SYSTEM-level privileges. With a CVSS score of 8.1, exploitation requires no user interaction or privileges but involves high attack complexity. No active exploitation or public exploit code was reported. Organizations are urged to apply the December 2024 Patch Tuesday updates to mitigate potential risks.

Article Link


SPECIAL REPORTS

Open Source Malware Up 200% Since 2023

Source: Help Net Security

Sonatype’s 2024 Open Source Malware Threat Report reveals a 200% increase in malicious packages since 2023, with over 778,500 recorded since 2019. Open-source ecosystems like npm and PyPI, which handle trillions of requests annually, are prime targets because of low entry barriers and a lack of author verification. 98.5% of malicious packages come from npm, driven by JavaScript’s rapid growth. Potentially unwanted applications (PUAs) dominate malware types at 64.75%, followed by security-holding packages at 24.2% and data exfiltration at 7.86%. Shadow downloads that bypass security checks rose by 32.8% in the past year. Sonatype’s CTO, Brian Fox, stresses that enterprises must proactively block open-source malware before it infiltrates CI/CD pipelines, because traditional endpoint security and vulnerability scans are insufficient against these threats.

Article Link


Containers Have 600+ Vulnerabilities on Average

Source: Help Net Security

Containers are becoming the weakest link in software supply chains, with each container image averaging 604 known vulnerabilities. A study of 70 Docker Hub images found an average of 389 components per container, with 1 in 8 lacking manifests. Over 45% of vulnerabilities are 2 to 10+ years old, and 4% have been weaponized for ransomware and botnet attacks. Containers also had an average of 4.8 misconfigurations, including overly permissive controls. As reliance on containerized applications grows, organizations must adopt full SBOM visibility, prioritize vulnerability management, and strengthen security operations to mitigate supply chain risks.

Article Link


Survey: People Don’t Care About Data Breaches, but They Should

Source: Cybernews

A survey by All About Cookies reveals that 65% of Americans received data breach notifications in the past year, yet 50% feel desensitized due to breach fatigue. Breaches occur frequently, with over 3,000 in 2023 alone, yet only 46% of respondents actively check whether their data was compromised. People tend to act when breaches expose highly sensitive data like social security numbers, financial records, or medical information. Despite burnout, 57% use credit monitoring services and password managers to protect themselves.

Article Link


Global Ongoing Phishing Campaign Targets Employees Across 12 Industries

Source: Hackread

A sophisticated phishing campaign targeted employees from over 30 companies across 12 industries, including energy, finance, and government sectors, with over 200 malicious links designed to steal login credentials. Attackers leverage trusted domain abuse, dynamic company branding, and document platform impersonation to bypass Secure Email Gateways. Stolen credentials are transmitted in real time via Command-and-Control servers or Telegram bots. Group-IB researchers urge organizations to implement multi-factor authentication, employee training, and advanced email filtering systems to mitigate these ongoing threats.

Article Link

