CISO Daily Update - December 9, 2024
NEW DEVELOPMENTS
Anna Jaques Hospital Ransomware Breach Exposed Data of 300K Patients
Source: Bleeping Computer
Anna Jaques Hospital confirmed that on December 25, 2023, a ransomware attack exposed the sensitive health data of over 310,000 patients. The Massachusetts-based community hospital was targeted by the Money Message ransomware group and saw its data leaked on January 26, 2024, after refusing to meet extortion demands. Exposed information includes demographics, medical records, insurance details, Social Security numbers, driver's licenses, and financial data. The hospital notified affected individuals and offered 24-month credit monitoring through Experian.
Atrium Health Data Breach Impacts 585,000 People
Source: Security Week
Atrium Health reported a data breach affecting over 585,000 individuals. The disclosure, made to the Department of Health and Human Services, is linked to online tracking technologies used on its patient portal from 2015 to 2019. These tracking tools may have transmitted personal data, including names, email addresses, IP addresses, and treatment information, to third-party vendors such as Google and Meta. Atrium states there is no evidence of misuse. This incident follows another breach disclosed in September 2024 involving phishing attacks that compromised employee email accounts containing patient data.
Blue Yonder Says Some Customers Restored as Ransomware Gang Boasts of Attack
Source: The Record
Blue Yonder, a Panasonic-owned software firm, reported that several customers' systems were restored after a ransomware attack allegedly orchestrated by the Termite gang. The cyberattack disrupted supply chain and operational services for numerous businesses, including supermarkets and manufacturers. Termite claims to have stolen 680 GB of data, including emails, insurance documents, and company records. Since April, the gang's ransomware code has been linked to the Babuk family, though it reportedly still contains flaws. Blue Yonder was acquired by Panasonic for $8.5 billion in 2021 and is collaborating with external cybersecurity firms to recover operations and bolster defenses.
Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals' Data
Source: The Hacker News
Hackers are using fake video conferencing apps to target Web3 professionals with the Realst information stealer. The attackers create AI-generated fake companies, contact targets via Telegram with invitations to business meetings, and direct them to download malicious apps named Clusee, Cuesee, Meeten, and others. The malware runs on both Windows and macOS and steals cryptocurrency wallet data, banking information, iCloud Keychain data, and browser credentials. On macOS, users are tricked into entering their system password via an osascript prompt, while the Windows variant uses an NSIS installer signed with a stolen certificate. The attackers use AI to generate convincing website content.
QR Codes Bypass Browser Isolation for Malicious C2 Communication
Source: Bleeping Computer
Cybercriminals have developed a novel technique to bypass browser isolation and carry out command-and-control (C2) communication using QR codes. Browser isolation protects devices by executing web content remotely and streaming only visual data to the local browser. Mandiant identified a method that encodes C2 commands in QR codes displayed on web pages; because the QR image is part of the rendered pixel stream, it survives browser isolation and can be decoded by headless malware clients on infected devices. The method faces practical limitations, however, including low data capacity (up to 438 bytes per second) and high latency. Although unsuitable for large payloads, the technique remains a threat, and defenders should monitor for anomalous traffic patterns and headless browser activity. Security administrators are advised to implement defense-in-depth strategies to mitigate this risk.
VULNERABILITIES TO WATCH
SonicWall Patches 6 Vulnerabilities in Secure Access Gateway
Source: Security Week
SonicWall released patches for six high-severity vulnerabilities in the SMA100 SSL-VPN secure access gateway, including flaws that could lead to remote code execution. The most critical issues, CVE-2024-45318 and CVE-2024-53703, are buffer overflow bugs affecting the web management interface and the Apache web server library, each scoring 8.1 on the CVSS scale. The other patched vulnerabilities are CVE-2024-40763, a heap-based buffer overflow; CVE-2024-38475, a path traversal flaw; CVE-2024-45319, an authentication bypass; and CVE-2024-53702, a weak pseudo-random number generator. These issues affect SMA 100 series appliances running firmware version 10.2.1.13-72sv and earlier and are resolved in version 10.2.1.14-75sv.
PoC Exploit Published for Unpatched Mitel MiCollab Vulnerability
Source: Security Week
WatchTowr disclosed a proof-of-concept exploit for an unpatched arbitrary file read vulnerability in the Mitel MiCollab platform, affecting over 16,000 internet-accessible instances. The vulnerability, which allows attackers to read restricted files, requires administrative authentication on its own. WatchTowr's exploit chains it with CVE-2024-41713, a critical path traversal vulnerability that enables authentication bypass. While Mitel patched CVE-2024-41713 on October 9, the arbitrary file read vulnerability remains unresolved, though Mitel plans to address it in a future release. Users are urged to update to MiCollab version 9.8 SP2 to mitigate the risk.
Critical Vulnerability Discovered in SailPoint IdentityIQ
Source: Security Week
A directory traversal vulnerability (CVE-2024-10905) in SailPoint's IdentityIQ IAM platform, rated 10/10 on the CVSS scale, exposes restricted files to potential attackers. The flaw, affecting IdentityIQ versions up to patch levels 8.4p2, 8.3p5, and 8.2p8, allows unauthorized HTTP access to protected static content. Successful exploitation could lead to credential theft, data exfiltration, or file modification. SailPoint released e-fixes for supported versions and plans to incorporate them in upcoming patches. No active exploitation has been reported, and users are urged to update immediately to mitigate the risk.
Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks
Source: The Hacker News
Cybersecurity researchers at JFrog uncovered multiple vulnerabilities in popular open-source machine learning frameworks, including MLflow, H2O, PyTorch, and MLeap, that could lead to remote code execution and data compromise. The flaws include CVE-2024-27132, an XSS in MLflow leading to RCE; CVE-2024-6960, unsafe deserialization in H2O; a path traversal issue in PyTorch's TorchScript; and CVE-2023-5245, a Zip Slip vulnerability in MLeap. Exploiting these flaws could enable attackers to hijack ML clients, access ML services, and backdoor models.
Rockwell Automation Vulnerabilities Let Attackers Execute Remote Code
Source: Cyber Security News
Rockwell Automation disclosed four critical vulnerabilities in its Arena software, version 16.20.03 and earlier, that could lead to remote code execution. The vulnerabilities, CVE-2024-11155 (use-after-free), CVE-2024-11156 (out-of-bounds write), CVE-2024-11158 (uninitialized variable), and CVE-2024-12130 (out-of-bounds read), carry CVSS scores of 7.8 and 8.5. Attackers can exploit these flaws using malicious DOE files to corrupt memory and resources, potentially compromising sensitive information and disrupting operations. Users should upgrade to Arena version 16.20.06 or later and adopt best practices.
SPECIAL REPORTS
GenAI Makes Phishing Attacks More Believable and Cost-Effective
Source: Help Net Security
Phishing attacks are becoming more believable and cost-effective due to the rise of generative AI. While 57% of organizations rely on anti-phishing training, only 32% believe it is highly effective against AI-powered threats. GenAI enables attackers to create personalized and convincing phishing content at scale and low cost. Despite this, 90% of respondents believe GenAI benefits security teams as much as threat actors.
Teenagers Leading New Wave of Cybercrime
Source: Help Net Security News
Cybercrime is surging with a new wave of teenage hackers and AI-powered attacks. The average age at cybercrime arrest is now 19, with teens recruited through gaming and social media. AI misuse is increasing, with employees potentially leveraging AI training for insider fraud. GenAI's high energy consumption creates new vulnerabilities, such as attacks targeting power supplies to disrupt cloud infrastructure. Hacker-on-hacker attacks are also increasing. AI-driven fraud, including deepfakes and dynamic identity theft, will likely dominate 2025 headlines. Experts predict escalating ransomware sophistication, supply chain breaches, and reputation-damaging cyber incidents, necessitating stronger cybersecurity investments to combat these evolving threats.
Top Five Industries Aggressively Targeted By Phishing Attacks
Source: Cyber Security News
Phishing attacks are increasingly sophisticated, targeting specific industries with customized subject lines to enhance credibility. According to Cofense Intelligence, the five industries most aggressively targeted from Q3 2023 to Q3 2024 were Finance and Insurance (15.5%), Manufacturing (11.3%), Mining, Quarrying, and Oil and Gas Extraction (10.3%), Healthcare and Social Assistance (8.2%), and Retail Trade (7.4%). Attackers tailor subject lines with names, emails, or company details, and malicious attachments are primarily .HTM(L) (90.3%) and .DOC(X) (9.4%) files. Industry-specific lures include invoices, proposals, and contract notifications.