CISO Daily Update - December 6, 2024
NEW DEVELOPMENTS
Researchers Uncover 4-Month Cyberattack on U.S. Firm Linked to Chinese Hackers
Source: The Hacker News
Suspected Chinese hackers conducted a four-month cyberattack against a large U.S. organization with a significant presence in China. Evidence of the intrusion dates back to April 2024 and covers lateral movement, email harvesting via compromised Exchange servers, and data exfiltration. Techniques included DLL side-loading and the use of open-source tools such as FileZilla and Impacket. The initial access vector remains unclear, and researchers note ties to state-sponsored activity such as Crimson Palace.
California Teen Suspected of Being a Member of Scattered Spider Hacking Gang
Source: Bloomberg
A 19-year-old California resident, Remington Ogletree, was charged with wire fraud and is suspected of being a Scattered Spider hacking group member. Known for phishing and social engineering, Scattered Spider targeted major organizations like MGM Resorts and Coinbase. Ogletree allegedly participated in activities from October 2023 to May 2024. Released on $50,000 bail, he faces restrictions on device use, messaging apps, and domain registrations. The charges against him are sealed.
FBI Shares Tips on How to Tackle AI-Powered Fraud Schemes
Source: Bleeping Computer
The FBI warns that generative AI enables more sophisticated fraud schemes including fake social media profiles, deepfake videos, voice cloning used in romance scams, investment fraud, and extortion. Criminals exploit AI to create realistic images, text, and videos. The FBI advises using secret phrases to verify identities, looking for imperfections in AI-generated media, limiting public sharing of personal content, and verifying claims through official channels. Victims should report fraud to IC3 with detailed interaction information.
Backdoor Slipped Into Popular Code Library, Drains ~$155k From Digital Wallets
Source: Ars Technica
Hackers planted a backdoor in the solana-web3.js library and used it to steal approximately $155,000 in Solana cryptocurrency. The compromised versions 1.95.6 and 1.95.7 were available for about five hours and harvested private keys and wallet addresses from decentralized apps that handle private keys directly. A social engineering attack on the library maintainers enabled the insertion of malicious code that exfiltrated this sensitive data. Developers are urged to update to version 1.95.8, rotate all authority keys, and treat any affected systems as fully compromised.
Feds Are Probing 764, the Com’s Use of Cybercriminal Tactics to Carry Out Violent Crimes
Source: CyberScoop
Law enforcement reports reveal that the child sextortion group 764 and the global network "The Com" use cybercrime tactics, including SIM swapping, IP grabbing, and social engineering, to target minors for exploitation, grooming, and extortion. These groups employ resources like "The Bible," a guide covering ATM skimming, doxxing, and psychological manipulation used to coerce minors into self-harm or other violent acts. FBI investigations link these activities to domestic terrorism and highlight impacts across 23 countries. Authorities urge awareness, reporting, and use of tools like "Take It Down" to help victims remove exploitative content online.
VULNERABILITIES TO WATCH
Mitel MiCollab Zero-Day Flaw Gets Proof-of-Concept Exploit
Source: Bleeping Computer
Researchers discovered a zero-day vulnerability in Mitel MiCollab that allows unauthorized file access through path traversal attacks against the 'ReconcileWizard' servlet. Despite being reported in August 2024, the flaw remains unpatched and exposes sensitive files such as /etc/passwd. Until a patch becomes available, organizations are advised to restrict access to the server, monitor for suspicious activity, and apply firewall rules to reduce exposure.
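The "monitor for suspicious activity" advice above is easiest to act on with a log check. The following is an added example written for this newsletter, not code from the article or from Mitel: it scans constructed web access-log lines for requests that reach a path containing the servlet name and carry a traversal segment, decoding percent-encoding repeatedly so double-encoded dots are not missed. It assumes the servlet is reachable under a URL path containing "ReconcileWizard"; the log lines are constructed samples, not real MiCollab logs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real MiCollab logs.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2024:10:01:02 +0000] "GET /portal/login HTTP/1.1" 200 512
10.0.0.7 - - [05/Dec/2024:10:02:11 +0000] "GET /ReconcileWizard/static/app.js HTTP/1.1" 200 2048
10.0.0.9 - - [05/Dec/2024:10:03:45 +0000] "GET /ReconcileWizard/..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1711
10.0.0.9 - - [05/Dec/2024:10:04:00 +0000] "GET /ReconcileWizard/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Assumption: the vulnerable servlet is reachable under a URL path containing this name.
SERVLET_MARKER = "reconcilewizard"


def normalize(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded dots such as %252e%252e
    are caught, then fold backslashes to slashes so one separator regex suffices."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def detect(log_text: str) -> list[dict]:
    """One record per request that targets the servlet AND carries a '..' segment
    anywhere in the decoded path or query string."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        decoded = normalize(m.group("path"))
        if SERVLET_MARKER in decoded.lower() and TRAVERSAL_RE.search(decoded):
            hits.append({"src": m.group("src"), "ts": m.group("ts"), "status": int(m.group("status")),
                         "raw": m.group("path"), "decoded": decoded})
    return hits


def sources_with_success(hits: list[dict]) -> set[str]:
    """Client addresses that received HTTP 200 on a traversal request: triage these first."""
    return {h["src"] for h in hits if h["status"] == 200}
```

A 200 response on a traversal request is the signal that a file was likely read, while a 403 shows the firewall or access rules are doing their job; both are worth keeping as evidence.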
Bootloader Vulnerability Impacts Over 100 Cisco Switches
Source: Security Week
A bootloader vulnerability in Cisco's NX-OS software (CVE-2024-20397) impacts over 100 device models and allows attackers to bypass image signature verification. Exploitation requires physical access or administrative privileges, and the flaw affects MDS, Nexus, and UCS Fabric Interconnect products with secure boot enabled. Cisco has released patches and plans to update all affected devices by the end of December 2024, except for the discontinued Nexus 92160YC-X models. No exploitation has been reported.
CISA Adds Three Critical Vulnerabilities to KEV Catalog: Immediate Action Urged
Source: The Cyber Express
CISA added three critical vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging immediate action to mitigate risks. CVE-2023-45727 allows XXE attacks on North Grid Proself products, CVE-2024-11680 enables authentication bypass in ProjectSend, and CVE-2024-11667 exposes Zyxel firewalls to path traversal attacks. These vulnerabilities could lead to unauthorized access, data theft, and system compromise. Organizations are strongly advised to apply patches, enhance authentication measures, and conduct regular security audits to address these flaws.
WordPress Gutenberg Editor Vulnerability Lets Attackers Inject Malicious Scripts
Source: Cyber Security News
A vulnerability in the Gutentor plugin for WordPress (CVE-2024-10178) allows attackers with contributor-level access to inject malicious scripts via the Countdown widget. This stored cross-site scripting flaw affects versions up to 3.3.9 and stems from insufficient input sanitization. Injected scripts execute whenever a user loads a compromised page. The vulnerability is rated medium severity with a CVSS score of 6.4.
HCL DevOps Deploy / Launch Vulnerability Lets Attackers Embed Arbitrary HTML Tags
Source: GB Hackers
A vulnerability in HCL DevOps Deploy and HCL Launch, tracked as CVE-2024-42195, allows attackers to embed arbitrary HTML tags in the Web UI, risking exposure of sensitive information. Affected versions include HCL Launch 7.0–7.3.2.8 and HCL DevOps Deploy 8.0–8.0.1.3. Exploitation requires only low privileges but has high attack complexity. Users are urged to upgrade to the patched versions, HCL Launch 7.3.2.9 and DevOps Deploy 8.0.1.4, available via the HCL Software License Portal.
SPECIAL REPORTS
GenAI Makes Phishing Attacks More Believable and Cost-Effective
Source: Help Net Security
Ivanti highlights the growing threat of GenAI-powered phishing attacks, which let malicious actors craft personalized, convincing messages at low cost and large scale. While 57% of organizations use anti-phishing training, only 32% find it highly effective. GenAI also aids security teams with enhanced threat detection and predictive capabilities, but data silos hinder its full potential. Ivanti emphasizes upskilling cybersecurity professionals and evolving training strategies to counter this double-edged AI technology. Surveys of 14,500 professionals reveal skepticism about AI's role in improving employee outcomes.