CISO Daily Update - December 16, 2024
NEW DEVELOPMENTS
Rhode Island Says Personal Data Likely Breached in Social Services Cyberattack
Source: TechCrunch
A cyberattack on Rhode Island’s RIBridges social services portal and Healthsource RI insurance marketplace may have exposed the personal data of hundreds of thousands of residents. The breached information could include names, addresses, dates of birth, social security numbers, and banking details. Deloitte detected the attack on December 5 and confirmed malicious code on December 13, prompting a system shutdown. While residents can still apply for benefits using paper forms, cybercriminals have threatened to release the stolen data unless a ransom is paid.
South Carolina Credit Union Says 240,000 Impacted by Recent Cyberattack
Source: The Record
SRP Federal Credit Union, South Carolina's largest credit union, reported a cyberattack affecting over 240,000 individuals. Hackers accessed SRP systems between September 5 and November 4, 2024, stealing sensitive data, including names, social security numbers, driver’s license numbers, birth dates, and financial information such as account numbers and credit/debit card details. Although SRP’s online banking and core processing systems remained unaffected, the ransomware gang Nitrogen claimed responsibility, alleging the theft of 650 GB of customer data. This incident follows a broader trend of ransomware targeting credit unions.
UnitedHealth’s Optum Left an AI Chatbot, Used by Employees to Ask Questions About Claims, Exposed to the Internet
Source: TechCrunch
UnitedHealth subsidiary Optum restricted access to its internal AI chatbot after a security researcher discovered it was publicly accessible online without a password. The chatbot is designed to help employees handle health insurance claims and disputes by referencing internal standard operating procedures, and it does not contain sensitive personal or protected health data. Despite being a proof-of-concept tool, it stored hundreds of employee chat histories. This incident follows ongoing scrutiny of UnitedHealth for allegedly using AI to deny patient claims, with legal challenges accusing the company of prioritizing automated systems over medical professionals. Optum took the chatbot offline, stating it was never in production use.
390,000 WordPress Accounts Stolen From Hackers in Supply Chain Attack
Source: Bleeping Computer
Threat actor MUT-1244 stole over 390,000 WordPress credentials in a year-long campaign by exploiting other cybercriminals through a trojanized WordPress credentials checker. The attack targeted red teamers, penetration testers, and malicious actors, compromising their SSH private keys and AWS access tokens. The malware spread via phishing emails and trojanized GitHub repositories containing fake proof-of-concept exploits. These repositories, some of which were included in legitimate threat intelligence sources, tricked users into executing malicious payloads. The second-stage payload facilitated data exfiltration to Dropbox and file.io. Despite exposure, hundreds of systems remain compromised in this ongoing supply chain attack.
Winnti Hackers Target Other Threat Actors With New Glutton PHP Backdoor
Source: Bleeping Computer
Chinese state-sponsored Winnti hackers (APT41) deployed a new PHP backdoor named Glutton to target organizations in China and the U.S. Discovered in April 2024 and active since December 2023, Glutton is a modular, ELF-based backdoor that provides tailored attack flexibility but lacks sophistication in stealth and encryption. The malware executes inside PHP processes, leaving no files behind, and targets frameworks like ThinkPHP, Yii, Laravel, and Dedecms. It maintains persistence by modifying system files and, driven by 22 commands from its C2 server, exfiltrates data. Winnti embeds Glutton in trojanized software sold on cybercrime forums to compromise other hackers and extract sensitive browser data. This "black eats black" strategy turns cybercriminals' activities against them. The initial access vector remains unknown.
IOCONTROL Cyberweapon Used to Target Infrastructure in the US and Israel
Source: Security Affairs
Iran-linked threat actors CyberAv3ngers deployed the IOCONTROL malware to target IoT and OT/SCADA systems in critical infrastructure across the U.S. and Israel. This cyberweapon, developed by a nation-state, compromised devices like IP cameras, routers, and fuel management systems from D-Link, Hikvision, and Gasboy. Active from late 2023 through mid-2024, IOCONTROL maintained persistence via backdoors and communicated with its C2 server using the MQTT protocol and DNS over HTTPS to evade detection. The malware's capabilities include executing OS commands, port scanning, and self-deletion. The attackers claim to have compromised 200 gas stations, shut down services, and stolen credit card data.
DOJ Indicts 14 North Koreans Who Fraudulently Earned $88 Million Working for US Firms
Source: The Record
Fourteen North Korean nationals have been indicted for a six-year scheme involving identity theft, wire fraud, and money laundering, earning at least $88 million by posing as U.S.-based IT workers. These operatives, working for the North Korea-controlled companies Yanbian Silverstar and Volasys Silverstar, funneled salaries back to Pyongyang and extorted employers by threatening to leak sensitive data. The Justice Department seized $764,800 connected to the scheme, which relied on fake credentials, stolen identities, and complicit U.S. citizens to evade detection. FBI officials warn that thousands of North Korean IT workers continue these operations daily. Companies are urged to thoroughly vet remote employees to protect sensitive data and avoid funding North Korea’s government programs.
Texas Adds Data Broker Specializing in Driver Behavior to List of Alleged Privacy Law Violators
Source: The Record
Texas Attorney General Ken Paxton accused data broker Arity of Allstate of violating the state’s privacy law by collecting and selling driver behavior data without clear notice or consent. Arity gathers data via an SDK embedded in partner apps, tracking sensitive details like speed and geolocation. The investigation revealed that apps such as MyRadar, GasBuddy, Life360, Sirius XM, Tapestri, and Miles shared user data with Arity without disclosing these relationships in their privacy policies. While MyRadar insists the data is anonymized and opt-in, Texas alleges Arity failed to provide opt-out methods or obtain affirmative consent.
VULNERABILITIES TO WATCH
U.S. CISA Adds Cleo Harmony, VLTrader, and LexiCom Flaw to Its Known Exploited Vulnerabilities Catalog
Source: Security Affairs
CISA added CVE-2024-50623, a critical vulnerability with a CVSS score of 8.8 in Cleo Harmony, VLTrader, and LexiCom software, to its Known Exploited Vulnerabilities catalog. This flaw, identified as an unrestricted file upload/download issue, allows remote code execution. Despite Cleo's patch version 5.8.0.21, Huntress researchers confirmed that systems remain exploitable. Exploitation began on December 9, with attackers actively targeting these products. A Python script developed by Caleb Stewart demonstrated successful exploitation even on patched versions. CISA requires federal agencies to address this vulnerability by January 3, 2025, and recommends private organizations do the same to mitigate potential threats.
Critical Vulnerabilities Found in Ruijie Reyee Cloud Management Platform
Source: Security Week
Claroty researchers uncovered critical vulnerabilities in Ruijie Networks’ Reyee cloud management platform and Reyee OS devices, exposing around 50,000 devices to potential takeover. The flaws, including CVE-2024-47547 with a CVSS of 9.4, CVE-2024-48874 with a CVSS of 9.8, and CVE-2024-52324 with a CVSS of 9.8, allow attackers to authenticate using predictable serial numbers and exploit MQTT communication to perform denial-of-service attacks, send false data, or execute arbitrary commands. An "Open Sesame" attack lets nearby attackers access internal networks via Ruijie access points without Wi-Fi credentials. Ruijie has already addressed these vulnerabilities.
Dell Issues Critical Security Update for Multiple Vulnerabilities
Source: Cyber Press
Dell Technologies released DSA-2024-405 to address two critical vulnerabilities affecting PowerFlex appliances, racks, and custom nodes, InsightIQ, and Data Lakehouse. CVE-2024-37143, with a CVSS score of 10.0, allows unauthenticated remote code execution due to improper link resolution, while CVE-2024-37144, with a CVSS score of 8.2, enables privileged local attackers to access sensitive information. These flaws could lead to system compromise, unauthorized access, and data breaches. Dell recommends updating PowerFlex to version 46.381.00, InsightIQ to 5.1.1, and Data Lakehouse to 1.2.0.0 to mitigate risks.
Curl Vulnerability Let Attackers Access Sensitive Information
Source: Cyber Security News
A security flaw in curl, CVE-2024-11053, affects versions 6.5 through 8.11.0, exposing passwords during HTTP redirects when .netrc files are used for credentials. If a redirect occurs and the .netrc entry for the target hostname lacks a password, curl may mistakenly leak the password from the initial host to the redirected host. Classified as CWE-200 (Exposure of Sensitive Information), this flaw impacts both the curl command-line tool and the libcurl library. Though rated Low in severity, users should upgrade to curl 8.11.1, apply patches, or avoid using .netrc files with redirects. The fix was released on December 11, 2024.
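To make the failure mode concrete, the following is an added, simplified model of .netrc credential resolution across a redirect chain; it is not curl's source code, and the sample .netrc contents and hostnames are constructed. The vulnerable branch carries the first host's password into a later hop whose .netrc entry has a login but no password, while the fixed branch resets credentials at every hop.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample .netrc contents (not a real file). The second entry has a
# login but no password: the entry shape that triggered the leak.
SAMPLE_NETRC = """
machine api.example.test login alice password s3cret-example
machine mirror.example.test login alice
"""

@dataclass
class Entry:
    login: Optional[str] = None
    password: Optional[str] = None

def parse_netrc(text: str) -> Dict[str, Entry]:
    """Minimal .netrc parser: 'machine' opens an entry, 'login' and 'password'
    fill it ('default' and 'macdef' are ignored for brevity)."""
    entries: Dict[str, Entry] = {}
    tokens = text.split()
    current: Optional[Entry] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine" and i + 1 < len(tokens):
            current = entries.setdefault(tokens[i + 1], Entry())
            i += 2
        elif tok in ("login", "password") and current is not None and i + 1 < len(tokens):
            setattr(current, tok, tokens[i + 1])
            i += 2
        else:
            i += 1
    return entries

def credentials_per_hop(entries, hosts, vulnerable):
    """Credentials a client would send at each hop of a redirect chain.
    vulnerable=True models the pre-8.11.1 behaviour: login/password keep their
    values from the previous hop unless the new host's entry overwrites them.
    vulnerable=False resets both per hop, so a passwordless entry sends none."""
    sent, login, password = [], None, None
    for host in hosts:
        entry = entries.get(host)
        if entry is None or not vulnerable:
            login = password = None          # no carry-over across hosts
        if entry is not None:
            login = entry.login if entry.login is not None else login
            password = entry.password if entry.password is not None else password
        sent.append((host, login, password))
    return sent
```

Running both branches over the chain api.example.test -> mirror.example.test shows the vulnerable model sending alice's password to the mirror host, while the fixed model sends only the login.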
SPECIAL REPORTS
Akira and RansomHub Surge as Ransomware Claims Reach All-Time High
Source: Infosecurity Magazine
Ransomware claims hit a record high in November 2024, with Corvus Insurance reporting 632 victims on ransomware groups' data leak sites, more than double the monthly average of 307. This surge surpassed the previous peak of 527 claims in May 2024. The increase is driven by heightened activity from groups like RansomHub, which claimed 98 victims, and Akira, which spiked to 73 victims after steady activity since March 2023. Other groups, including Kill Security, SAFEPAY, and Qilin, collectively accounted for nearly 50% of claims. The data reflects ransomware claims on leak sites and may not capture all ransomware incidents.
2024 Sees Sharp Increase in Microsoft Tool Exploits
Source: Infosecurity Magazine
According to Sophos’ Active Adversary Report, threat actors’ exploitation of Microsoft tools in the first half of 2024 increased by 51% compared to 2023. Researchers identified 187 unique Microsoft Living Off the Land Binaries across 190 incidents, with RDP (89%), cmd.exe (76%), PowerShell (71%), and net.exe (58%) the most abused. LockBit ransomware remained dominant, responsible for 21% of incidents, followed by Akira at 9%, Faust at 7.5%, and Qilin at 6%. Compromised credentials, while still the leading attack vector at 39%, dropped significantly from 56% in 2023. Meanwhile, vulnerability exploitation nearly doubled to 30.5%, with brute-force attacks at 18.4%. Sophos also noted a 12% rise in third-party artifacts like Mimikatz and Cobalt Strike.
CISOs Need to Consider the Personal Risks Associated With Their Role
Source: Help Net Security
Personal liability concerns are reshaping the role of CISOs, with 70% of cybersecurity leaders reporting a negative impact on their perception of the position. The increased scrutiny has driven internal changes, with 44% of organizations implementing processes to reduce cybersecurity exposure. While 41% say this trend has elevated board-level attention to cybersecurity, only 10% have seen corresponding budget increases. The threat of prosecution is seen as a driver of accountability by 49% of respondents, though only 15% believe it will deter future IT professionals from becoming CISOs. Boards must provide clear governance, incident response procedures, and dedicated resources.
Managing Partner @ Recrewmint | We help companies find CISO and Cybersecurity talent with precision & innovation
The UnitedHealth incident is a major challenge right now. Security teams don't have the governance, tools, and assessments to verify AI. The CIO or tech team wants to push to production, and the security teams don't know how to verify AI assets, resulting in a push-pull culture and increased risk environment.