Telecom security bill, Google’s quantum chip, Chinese cyber firm sanctions
In today’s cybersecurity news…
Senator announces new bill to secure telecom companies
On Tuesday, Senator Ron Wyden announced a new draft bill that aims to secure U.S. communication networks in response to a recent rash of hacks allegedly carried out by Chinese government hackers. The Secure American Communications Act would order the Federal Communications Commission to issue binding cybersecurity rules to telecom carriers. These rules include testing systems annually for security vulnerabilities and documenting findings and corrective measures. Telecoms will also have to contract for independent annual compliance audits while telecom CEOs and Chief Information Security Officers will need to attest to their compliance with the new rules.
Google unveils new quantum chip
On Monday, Google announced its most powerful quantum computing chip to date, dubbed “Willow.” In under five minutes, Willow performed a computation that would take one of today’s fastest supercomputers 10 septillion years (written out, that’s a ‘1’ with 25 zeros after it!). Unlike classical digital computers, which calculate using bits that are either 0 or 1 (on or off), quantum computers rely on incredibly tiny qubits, which can be on, off, or somewhere in between. While qubits offer more computational power, they are also more prone to error, giving rise to skepticism that quantum computers will ever live up to the hype. Google’s mission with Willow was to reduce qubit error rates and, according to Google Quantum AI founder Hartmut Neven, the new chip achieves that.
U.S. sanctions Chinese cybersecurity firm for firewall hacks
On Tuesday, the Department of Justice (DOJ) unsealed an indictment against Chinese cybersecurity company Sichuan Silence and one of its employees for involvement in a major hacking campaign. Sichuan Silence employee Guan Tianfeng (also known as GbigMao) discovered a zero-day SQL injection vulnerability (CVE-2020-12271) in Sophos XG firewalls. Guan used the exploit to compromise more than 81,000 Sophos firewalls worldwide, over a quarter of which belonged to U.S. government and critical infrastructure organizations. Guan stole data and attempted to infect victim systems with a Ragnarok ransomware variant. The U.S. State Department announced a reward of up to $10 million for information about Sichuan Silence or Guan through its Rewards for Justice program.
(Bleeping Computer and TechCrunch)
Patched file transfer products being exploited
Security researchers at Huntress are warning that vulnerabilities in several file transfer products from Cleo are under active exploitation. Cleo recently patched a vulnerability (CVE-2024-50623) that affects the company’s LexiCom, VLTransfer and Harmony products. However, the researchers warned that even fully patched systems (running 5.8.0.21) are still exploitable. Huntress advised customers to move “any internet-exposed Cleo systems behind a firewall until a new patch is released.” Cleo confirmed the issue and gave customers immediate steps to mitigate it while the company continues to develop a new patch.
(The Record and Dark Reading)
Plugin bug allows Stripe refunds on millions of WordPress sites
A high-severity authentication vulnerability (CVE-2024-11205) has been discovered in the WPForms WordPress plugin, which is used on over 6 million websites. WPForms is an easy-to-use drag-and-drop form builder for creating contact, feedback, subscription, and payment forms, and it supports Stripe, PayPal, and Square. Exploitation could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions. For site owners, this could mean lost revenue, business disruption, and damaged trust with their customer base. A patch was released on November 18 in version 1.9.2 of the plugin, but according to wordpress.org stats, roughly 3 million sites remain on older, vulnerable plugin versions.
You should probably patch that (Patch Tuesday edition)
Yesterday, Microsoft released its December 2024 Patch Tuesday security fixes, which addressed a total of 71 flaws, 57 of which allow Remote Code Execution (RCE) or Privilege Escalation. The most severe issue is a bug rated 9.8 in severity in Lightweight Directory Access Protocol (LDAP), though Microsoft notes that it is difficult to exploit. One moderate flaw in the Common Log File System Driver (CVE-2024-49138) is under active exploitation and allows attackers to gain SYSTEM privileges on Windows devices.
Meanwhile, Adobe issued its own swath of patches yesterday, addressing more than 160 vulnerabilities across 16 products. More than a dozen issues relate to Adobe Animate; all of them are rated critical and can lead to arbitrary code execution. Twenty-two vulnerabilities affect Adobe Connect, including several rated critical or high that can also be exploited for arbitrary code execution and privilege escalation. A whopping ninety of the issues were in Adobe Experience Manager; however, only one of those is of critical severity. Adobe says it is not aware of any in-the-wild exploitation of the vulnerabilities.
Finally, yesterday Ivanti warned customers about a new maximum-severity authentication bypass vulnerability (CVE-2024-11639) in its Cloud Services Appliance (CSA) solution. Ivanti is not aware of active exploitation of the flaw but advises admins to upgrade vulnerable appliances. Ivanti also patched other medium, high, and critical vulnerabilities in Desktop and Server Management (DSM), Connect Secure and Policy Secure, Sentry, and Patch SDK products.
(Bleeping Computer [1][2] and The Register and SecurityWeek [1][2])
Hackers exploit AWS misconfigurations in massive data breach
Independent cybersecurity researchers Noam Rotem and Ran Locar uncovered a significant cyber operation exploiting vulnerabilities in public websites hosted on Amazon Web Services (AWS). The researchers linked the campaign to the Nemesis and ShinyHunters hacking groups, who used tools like Shodan to scan AWS public IP ranges for application vulnerabilities or misconfigurations. They then scanned exposed endpoints for sensitive data, including credentials for popular platforms like GitHub, Twilio and cryptocurrency exchanges. Verified credentials were later marketed on Telegram channels for hundreds of euros per breach. The researchers and AWS advised customers to avoid hard-coded credentials by using services like AWS Secrets Manager, to rotate keys and secrets periodically, to deploy Web Application Firewalls (WAFs), and to use CanaryTokens as tripwires for sensitive information.
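As an added defensive example (not code from the page or from the researchers named above), the check below flags hard-coded credentials in a .env-style file before it reaches a web root, combining value-shape patterns for AWS, GitHub and Twilio credentials with a key-name heuristic. The sample file and every value in it are constructed placeholders, and the token formats are assumptions based on the public documentation of those services.

```python
import re
from typing import NamedTuple

# Value-shape patterns (assumed from public format docs; not taken from the article).
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
}
# Key-name heuristic: an assignment whose name suggests a secret and has a non-empty value.
SECRET_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY)", re.I)
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*['\"]?([^'\"\s#]+)")


class Finding(NamedTuple):
    line: int
    kind: str
    name: str
    redacted: str


def redact(value: str) -> str:
    """Keep only a short prefix so a report can locate the value without logging it."""
    return value[:4] + "..."


def scan_text(text: str) -> list[Finding]:
    """Return hard-coded credential findings for a config/.env-style text."""
    findings: list[Finding] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):       # skip comment lines
            continue
        m = ASSIGNMENT.match(raw)
        name = m.group(1) if m else ""
        matched = False
        for kind, pat in VALUE_PATTERNS.items():
            for hit in pat.findall(raw):       # value shape is the strongest signal
                findings.append(Finding(no, kind, name, redact(hit)))
                matched = True
        if not matched and m and SECRET_NAME.search(name):
            findings.append(Finding(no, "secret_by_name", name, redact(m.group(2))))
    return findings


# Constructed sample .env as it might sit on an exposed web root; all values are fake.
SAMPLE_ENV = "\n".join([
    "# shop settings",
    "APP_NAME=shop",
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY1234AB",
    "AWS_SECRET_ACCESS_KEY=" + "x" * 40,
    "GITHUB_TOKEN=ghp_" + "A" * 36,
    "TWILIO_ACCOUNT_SID=AC" + "0" * 32,
    "DB_HOST=localhost",
    "DB_PASSWORD=",                            # empty value: nothing hard-coded, not flagged
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV):
        print(f"line {f.line}: {f.kind} in {f.name or '(bare value)'} -> {f.redacted}")
```

Run it against a checkout or build artifact as a pre-deploy gate; anything it flags belongs in a secrets manager and in the rotation schedule, not in a file served from the web root.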
“CP3O” pleads guilty to multi-million dollar cryptomining scheme
45-year-old Charles O. Parks III (known online as “CP3O”) pleaded guilty to wire fraud charges in a federal court in Brooklyn, New York. Over a period of eight months in 2021, Parks created cloud accounts using fake identities and company names. Parks used the accounts to mine Ether (ETH), Litecoin (LTC), and Monero (XMR) while ignoring payment and usage inquiries from the cloud providers. Parks defrauded two well-known cloud providers out of more than $3.5 million. Parks allegedly raked in $970,000, which he used to make lavish purchases including a Mercedes-Benz, expensive jewelry, and first-class hotels and travel.