CyberSecurity Newsletter January 20th, 2025
In this week's news: Chinese hackers infiltrated the US Treasury Secretary's computer, Wolf Haldenstein Adler Freeman & Herz exposed the personal information of nearly 3.5 million people, the Clop ransomware gang claims dozens of victims from a Cleo file transfer flaw, hackers are hiding malware in website images to go unnoticed, Google now requires JavaScript for Search, and the DOJ arrests an Army soldier for the AT&T and Verizon hack.
The Department of Justice (DOJ) has linked the arrest of a serving U.S. Army soldier in December to a massive hack of AT&T and Verizon last year, according to a court filing on Friday.
https://www.newsweek.com/att-verizon-hacks-linked-us-army-soldier-doj-2017242
Chinese hackers infiltrated US Treasury Secretary's PC — attackers had access to over 400 PCs. According to Bloomberg, the infiltration was more severe than initially reported, as hackers managed to access systems belonging to Secretary Janet Yellen and other top officials.
https://www.tomshardware.com/tech-industry/cyber-security/chinese-hackers-infiltrated-us-treasury-secretarys-pc-attackers-had-access-to-over-400-pcs
Wolf Haldenstein Adler Freeman & Herz LLP ("Wolf Haldenstein") reports it has suffered a data breach that exposed the personal information of nearly 3.5 million individuals to hackers. The incident took place on December 13, 2023, but the firm says data analysis and digital forensic complications severely delayed the completion of its investigation. Last Friday, Wolf Haldenstein published a data breach notice on its website, while an entry on the Maine AG's data breach portal puts the total number of persons affected at 3,445,537.
https://www.bleepingcomputer.com/news/security/wolf-haldenstein-law-firm-says-35-million-impacted-by-data-breach/
The Federal Trade Commission (FTC) will require web hosting giant GoDaddy to implement basic security protections, including HTTPS APIs and mandatory multi-factor authentication, to settle charges that it failed to secure its hosting services against attacks since 2018.
https://www.bleepingcomputer.com/news/security/ftc-orders-godaddy-to-fix-poor-web-hosting-security-practices/
The U.S. Treasury Department has sanctioned a network of individuals and front companies linked to North Korea's Ministry of National Defense that have generated revenue via illegal remote IT work schemes.
https://www.bleepingcomputer.com/news/security/us-cracks-down-on-north-korean-it-worker-army-with-more-sanctions/
Microsoft has expanded its Windows 11 administrator protection tests, allowing Insiders to enable the security feature from the Windows Security settings.
https://www.bleepingcomputer.com/news/security/microsoft-expands-testing-of-windows-11-admin-protection-feature/
A severe flaw in the W3 Total Cache plugin installed on more than one million WordPress sites could give attackers access to various information, including metadata on cloud-based apps.
https://www.bleepingcomputer.com/news/security/w3-total-cache-plugin-flaw-exposes-1-million-wordpress-sites-to-attacks/
Silverfort has discovered that a misconfiguration can bypass an Active Directory Group Policy designed to disable NTLMv1, allowing NTLMv1 authentications to persist. Microsoft has announced the full removal of NTLMv1 starting with Windows 2025.
https://hackread.com/researchers-ntlmv1-bypass-active-directory-policy/
Microsoft has addressed a significant security vulnerability that left Windows 11 open to malware attacks at one of the system's most critical levels for more than half a year. It's concerning – though perhaps not surprising – that Microsoft knowingly left this loophole unpatched for such a long period. Users are strongly advised to apply the update immediately.
https://www.techspot.com/news/106411-microsoft-finally-patches-serious-uefi-secure-boot-flaw.html
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and the recent compromise of the federal agency.
https://thehackernews.com/2025/01/us-sanctions-chinese-cybersecurity-firm.html
The Clop ransomware gang claims dozens of victims from a Cleo file transfer vulnerability, though several companies dispute the breaches.
https://securityaffairs.com/173135/cyber-crime/clop-ransomware-gang-claims-hack-of-cleo-file-transfer-customers.html
President Joe Biden issued his second cybersecurity-focused Executive Order just four days before leaving office. With this new document, “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” the White House aims to improve US national cybersecurity in order to defend the nation’s digital infrastructure against key threats, especially those from China.
https://www.infosecurity-magazine.com/news/biden-tightens-software-security/
Truth Social, the social media platform launched by the Trump Media & Technology Group (TMTG) in 2022, has become a hotspot for various online scams, including phishing schemes and investment fraud, according to a recent analysis by security researchers.
https://www.infosecurity-magazine.com/news/trumps-truth-social-users-targeted/
Hackers are hiding malware in website images to go unnoticed and compromise as many computers as possible, experts have warned. A new Threat Insights Report from HP Wolf Security, based on data from millions of endpoints, claims there are currently large campaigns active spreading VIP Keylogger and 0bj3ctivityStealer.
https://www.techradar.com/pro/security/hackers-hide-malware-into-website-images-to-go-unnoticed
Google says it has begun requiring users to turn on JavaScript, the widely used programming language for making web pages interactive, in order to use Google Search. In an email to TechCrunch, a company spokesperson claimed that the change is intended to “better protect” Google Search against malicious activity, such as bots and spam.
https://techcrunch.com/2025/01/17/google-begins-requiring-javascript-for-google-search/
CVE-2024-3393 - A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
https://github.com/FelixFoxf/-CVE-2024-3393
CVE-2024-55956 - In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cleo_rce_cve_2024_55956.rb