CyberSecurity Newsletter December 16th, 2024
In this week’s news: researchers crack Azure MFA in about an hour; CISA warns water facilities to secure exposed HMIs; a company that thrived for 150 years was brought down by Russian hackers in three months; Rhode Island took its RIBridges system for applying for public assistance programs like Medicaid offline Friday following a cyberattack; Krispy Kreme revealed it had fallen victim to unauthorized access within its IT systems; cybersecurity researchers discovered a new version of ZLoader; and FBI officials are renewing warnings that your private text messages aren’t secure.
In the wake of a massive cyberattack linked to the Chinese government, FBI officials are renewing warnings that your private text messages aren’t secure:
https://thehill.com/homenews/nexstar_media_wire/5031144-the-fbi-says-your-texts-arent-secure-do-you-need-to-stop
Cybersecurity researchers have discovered a new version of the ZLoader malware that employs a Domain Name System (DNS) tunnel for command-and-control (C2) communications, indicating that the threat actors are continuing to refine the tool after resurfacing a year ago:
https://thehackernews.com/2024/12/zloader-malware-returns-with-dns.html
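Added example (not from the article or from the ZLoader research): a defender-side heuristic for spotting DNS-tunnelled C2 like the one described above in passive DNS query logs. It scores each registered domain on how many distinct subdomains it sees and how long and high-entropy the leading labels are; the log format and the domain c2-example.invalid are constructed for the demo, and the registered-domain split is a last-two-labels approximation.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<timestamp> <client> <qname> <qtype>".
# Made-up lines, not real ZLoader traffic; c2-example.invalid is a placeholder domain.
SAMPLE_LOG = """\
2024-12-16T10:00:01 10.0.0.5 www.example.com A
2024-12-16T10:00:02 10.0.0.5 mail.example.com MX
2024-12-16T10:00:03 10.0.0.7 3a9f1c0e7b2d4f6a8c1e.data.c2-example.invalid TXT
2024-12-16T10:00:03 10.0.0.7 b7e2d91f4a0c6e8d2b5f.data.c2-example.invalid TXT
2024-12-16T10:00:04 10.0.0.7 c4d8e1f2a6b0c9d3e7f5.data.c2-example.invalid TXT
2024-12-16T10:00:04 10.0.0.7 d1f7a3c5e9b2d4f6a8c0.data.c2-example.invalid TXT
2024-12-16T10:00:05 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded or encrypted labels score high, real words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Approximation: last two labels (no public-suffix list, so co.uk-style names mis-split)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyze(log_text: str):
    """Per registered domain: distinct qnames seen, entropy and length of the leading label."""
    stats = defaultdict(lambda: {"subdomains": set(), "entropy": [], "label_len": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, _client, qname, _qtype = parts
        leading = qname.split(".")[0]
        st = stats[registered_domain(qname)]
        st["subdomains"].add(qname)
        st["entropy"].append(shannon_entropy(leading))
        st["label_len"].append(len(leading))
    return stats

def suspicious_domains(log_text: str, min_unique=3, min_entropy=3.0, min_label_len=16):
    """Domains whose query pattern looks like data exfil/C2 rather than name resolution."""
    flagged = []
    for domain, st in analyze(log_text).items():
        mean_entropy = sum(st["entropy"]) / len(st["entropy"])
        mean_len = sum(st["label_len"]) / len(st["label_len"])
        if (len(st["subdomains"]) >= min_unique and mean_entropy >= min_entropy
                and mean_len >= min_label_len):
            flagged.append(domain)
    return sorted(flagged)
```

Tune the thresholds against your own resolver's baseline; CDNs and some telemetry services legitimately produce many long, random-looking labels and will need an allow-list.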
CISA and the Environmental Protection Agency (EPA) warned water facilities today to secure Internet-exposed Human Machine Interfaces (HMIs) from cyberattacks. HMIs are dashboards or user interfaces that help human operators connect to, monitor, and control industrial machines and devices via tablets, portable computers, or built-in displays:
https://www.bleepingcomputer.com/news/security/cisa-warns-water-facilities-to-secure-hmi-systems-exposed-online
Researchers cracked a Microsoft Azure method for multifactor authentication (MFA) in about an hour, due to a critical vulnerability that allowed them unauthorized access to a user's account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more:
https://www.darkreading.com/cyberattacks-data-breaches/researchers-crack-microsoft-azure-mfa-hour
Rhode Island took its RIBridges system for applying for public assistance programs like Medicaid offline Friday following a cyberattack that may have exposed the personal data of hundreds of thousands of people, reports CBS affiliate WPRI 12:
https://www.theverge.com/2024/12/14/24321065/rhode-island-cyberattack-ribridges-benefits-offline-personal-information-social-security-snap
Researchers have discovered PUMAKIT, a Linux rootkit with advanced stealth mechanisms capable of hiding files, evading detection, and escalating privileges. This sneaky piece of malware operates under specific conditions, making it a sophisticated threat to older kernels. Watch out for this clever cat burglar of the cyber world!:
https://thenimblenerd.com/article/pumakit-strikes-the-rootkit-that-turns-your-linux-system-into-a-stealthy-ninja-nightmare/
Paul Abbott, a former director of a logistics company that went under after a ransomware attack, is intent on warning others of the growing danger. ‘My company thrived for 150 years — then Russian hackers brought it down in three months’:
https://www.thetimes.com/article/622de192-89aa-46cb-8285-3aec05fb5b05
The Clop ransomware gang has confirmed to BleepingComputer that they are behind the recent Cleo data-theft attacks, utilizing zero-day exploits to breach corporate networks and steal data. Cleo is the developer of the managed file transfer platforms Cleo Harmony, VLTrader, and LexiCom, which companies use to securely exchange files between their business partners and customers:
https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-cleo-data-theft-attacks/
A critical security flaw has been discovered in the popular data transfer tool Curl, potentially allowing attackers to access sensitive information. The vulnerability, identified as CVE-2024-11053, affects curl versions 6.5 through 8.11.0 and could lead to the exposure of passwords to unauthorized parties:
https://cybersecuritynews.com/curl-vulnerability-attackers-sensitive-information/
Elastic Security Lab researchers discovered a new loadable kernel module (LKM) rootkit called PUMAKIT that supports advanced evasion mechanisms. PUMAKIT features a multi-stage design including a dropper, memory-resident executables, and a rootkit. It leverages an LKM rootkit named “PUMA,” using ftrace hooks to modify core system functions. The malware hooks 18 syscalls and several kernel functions using ftrace() to hide files, directories, and the rootkit itself, while evading debugging attempts:
https://securityaffairs.com/172016/malware/pumakit-sophisticated-rootkit.html
In November 2024, Krispy Kreme revealed it had fallen victim to unauthorized access within its IT systems. This breach disrupted online ordering services nationwide, causing significant inconvenience for customers and impacting the company’s ability to meet demand during one of its busiest promotional events, “Day of the Dozens.” While the company’s physical locations remained unaffected, the event underscores the ever-growing risks facing retailers in an interconnected digital age:
https://tritoncomputercorp.com/blog/2024/12/15/krispy-kreme-cybersecurity-incident
Hacking Rooftop Solar Is a Way to Break Europe’s Power Grid. The rush to install millions of smart panels is creating vulnerabilities inside electricity networks:
https://www.bloomberg.com/news/articles/2024-12-12/europe-s-power-grid-vulnerable-to-hackers-exploiting-rooftop-solar-panels
A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker. Researchers at Datadog Security Labs, who spotted the attacks, say that SSH private keys and AWS access keys were also stolen from the compromised systems of hundreds of other victims, believed to include red teamers, penetration testers, security researchers, as well as malicious actors:
https://www.bleepingcomputer.com/news/security/390-000-wordpress-accounts-stolen-from-hackers-in-supply-chain-attack/
Three new mobile-only surveillance tools developed and used by state-sponsored organizations have been discovered by mobile security provider Lookout. These new tools include BoneSpy and PlainGnome, Android surveillance tools developed by Gamaredon (aka Primitive Bear, Shuckworm), an advanced persistent threat (APT) group associated with the Russian Federal Security Service (FSB):
https://www.infosecurity-magazine.com/news/lookout-new-spyware-russia-china/
The Chinese Winnti hacking group is using a new PHP backdoor named 'Glutton' in attacks on organizations in China and the U.S., and also in attacks on other cybercriminals. Chinese security firm QAX's XLab discovered the new PHP malware in late April 2024, but evidence of its deployment, along with other files, dates back to December 2023:
https://www.bleepingcomputer.com/news/security/winnti-hackers-target-other-threat-actors-with-new-glutton-php-backdoor/
Exploit attempts inspired by recent Struts2 File Upload Vulnerability (CVE-2024-53677, CVE-2023-50164). Apache announced a vulnerability in Struts2 [1]. The path traversal vulnerability scored 9.5 on the CVSS scale. If exploited, the vulnerability allows file uploads into otherwise restricted directories, which may lead to remote code execution if a webshell is uploaded and exposed in the web root:
https://isc.sans.edu/diary/rss/31520
Zscaler ThreatLabz discovered a malware campaign leveraging Node.js applications for Windows to distribute cryptocurrency miners and information stealers. We have named this malware family NodeLoader, since the attackers employ Node.js compiled executables to deliver second-stage payloads, including XMRig, Lumma, and Phemedrone Stealer:
https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-malware-evading-detection
Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country:
https://thehackernews.com/2024/12/germany-disrupts-badbox-malware-on.html
The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks from pprof endpoints, and potential code execution threats, which could lead to data breaches, system outages, and unauthorized access. Prometheus servers exposed to the internet are at risk of exploitation by attackers; the findings also include a critical “RepoJacking” vulnerability that allows malicious exporters to be introduced through abandoned or renamed GitHub repositories:
https://gbhackers.com/prometheus-dos-risk/
Researchers have discovered a new Android banking trojan targeting Indian users; the malware disguises itself as essential utility services to trick users into providing sensitive information. The malware has already compromised 419 devices, intercepted 4,918 SMS messages, and stolen 623 banking credentials:
https://gbhackers.com/android-malware-indian-banks/