THN Cybersecurity Summary: Major Risks, Instruments, and Updates (October 21 – October 27)

October 28, 2024Ravie LakshmananCyber Security / Hacking News

Cybersecurity updates can sometimes appear like an endless suspense movie, right? Just as you believe the antagonists are contained, a fresh danger arises from the darkness.


This week is no different, filled with stories of exploited vulnerabilities, global espionage, and AI antics that might leave you bewildered. But fret not: we're here to break it all down in simple terms and give you the awareness you need to stay secure.

So grab your snacks (and perhaps a firewall), and let's dive into the latest cybersecurity saga!

⚡ Risk of the Week

Critical Fortinet Vulnerability Under Exploitation: Fortinet disclosed that a critical security vulnerability in FortiManager (CVE-2024-47575, CVSS score: 9.8), which enables unauthorized remote code execution, is now being actively exploited in the wild. The identity of the perpetrators remains unknown. Mandiant, a subsidiary of Google, is tracking the activity under the alias UNC5820.

🚢🔐 Kubernetes Security for Dummies

Strategies for deploying a container security solution and best security practices for Kubernetes skillfully combined. This manual encompasses all the crucial aspects of developing a robust security basis and operating a well-shielded OS.

Access the Guide

🔥 Current CVE Trends

CVE-2024-41992, CVE-2024-20481, CVE-2024-20412, CVE-2024-20424, CVE-2024-20329, CVE-2024-38094, CVE-2024-8260, CVE-2024-38812, CVE-2024-9537, CVE-2024-48904

🔔 Important Updates

  • Significant Cryptographic Weaknesses in 5 Cloud Storage Providers: Cybersecurity researchers have identified major cryptographic vulnerabilities in the end-to-end encrypted (E2EE) cloud storage services Sync, pCloud, Icedrive, Seafile, and Tresorit that could be exploited to inject files, tamper with file data, and even gain direct access to plaintext. Nonetheless, these attacks require the attacker to first obtain access to the provider's servers.
  • Lazarus Exploits Chrome Vulnerability: Lazarus Group, a North Korean threat actor, has been attributed to the zero-day exploitation of a now-patched vulnerability in Google Chrome (CVE-2024-4947) to take control of infected devices. Google addressed the vulnerability in mid-May 2024. The campaign, which reportedly began in February 2024, lured users to a website advertising a multiplayer online battle arena (MOBA) tank game; the site embedded malicious JavaScript to trigger the exploit and grant the attackers remote access to the devices. The website also distributed a fully functional game, but one packaged with code to deliver additional payloads. In May 2024, Microsoft linked the activity to a group it tracks as Moonstone Sleet.
  • AWS Cloud Development Kit (CDK) Vulnerability Resolved: A patched security flaw affecting Amazon Web Services (AWS) Cloud Development Kit (CDK) could have potentially permitted an intruder to achieve administrative control over a targeted AWS account, leading to a complete account hijacking. Post responsible disclosure on June 27, 2024, Amazon addressed the issue in CDK version 2.149.0 released in July 2024.
  • SEC Imposes Fines on 4 Companies for Deceptive SolarWinds Disclosures: The U.S. Securities and Exchange Commission (SEC) took action against four public enterprises, Avaya, Check Point, Mimecast, and Unisys, for releasing “materially misleading statements” concerning the extensive cyber attack resulting from the SolarWinds breach in 2020. The federal agency accused these firms of downplaying the breach’s seriousness in their public announcements.
  • 4 REvil Operatives Jailed in Russia: Four members of the dissolved REvil ransomware syndicate, namely Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov, were sentenced to multiple years in prison in Russia. Initially arrested in January 2022 following a law enforcement raid…
  • The action carried out by Russian authorities.

📰 News from the Cyber World

  • Delta Air Lines Sues CrowdStrike Over July Outage: Delta Air Lines has filed a lawsuit against CrowdStrike in the U.S. state of Georgia, accusing the cybersecurity vendor of breach of contract and negligence following a major outage in July that resulted in 7,000 flight cancellations, disrupted travel plans for 1.3 million customers, and caused monetary losses exceeding $500 million. Delta Air Lines stated that CrowdStrike caused a global catastrophe by cutting corners and skipping necessary testing and certification processes for its own benefit. According to Delta, "If CrowdStrike had tested the Faulty Update on even one computer before deployment, the computer would have crashed." CrowdStrike, for its part, rejected Delta's claims, stating that they are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for Delta's slow recovery away from its failure to modernize its antiquated IT infrastructure.
  • Meta Introduces Secure WhatsApp Contacts Storage: Meta has unveiled a new encrypted storage system named Identity Proof Linked Storage (IPLS) for WhatsApp contacts. The system lets users create and store contacts, along with their usernames, directly within the messaging platform, using key transparency and a hardware security module (HSM). Previously, WhatsApp relied on the device's contact list for synchronization. NCC Group, which conducted a security assessment of the new framework and discovered 13 issues, said that IPLS aims to store a WhatsApp user's in-app contacts on WhatsApp servers in a privacy-preserving manner, so that WhatsApp servers do not have access to a user's contact metadata. All identified issues were addressed as of September 2024.
  • Investigation Launched by CISA and FBI into Salt Typhoon Attacks: The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. announced that the government is scrutinizing “unauthorized entry into commercial telecommunications infrastructure” by threat actors associated with China. This development follows reports indicating that the Salt Typhoon hacking group infiltrated the networks of AT&T, Verizon, and Lumen. After the identification of the “malicious activity,” the impacted organizations were notified, although the extent of the breach and the compromised information, if any, remain undisclosed. Various reports from The New York Times, The Wall Street Journal, Reuters, Associated Press, and CBS News have indicated that Salt Typhoon exploited their access to major telecom companies to penetrate the phones or networks utilized by Democratic and Republican presidential campaigns.
  • Rising Concerns Over Deceptive IT Worker Scheme: While recent news has highlighted North Korea’s efforts to secure employment at Western firms, including instances of demanding ransom, a recent report from identity security organization HYPR revealed that fraudulent employee schemes are not exclusive to North Korea. HYPR recounted an incident where they extended an offer to a software engineer purportedly from Eastern Europe. However, during subsequent onboarding and video verification processes, several indicators raised doubts regarding the individual’s true identity and location, leading them to explore other opportunities. No concrete evidence links this fraudulent hire to North Korea, and their motives remain unclear. HYPR recommended implementing a multi-factor verification process to establish a connection between real-world identity and digital identity during provisioning. They emphasized that video-based verification serves as a crucial identity control, not limited to onboarding procedures.
  • New Exploits Targeting AI Tools: Researchers recently unearthed a method to manipulate digital watermarks generated by AWS Bedrock Titan Image Generator. This exploit enables threat actors to apply and remove watermarks from images created using the tool. AWS has since addressed the vulnerability as of September 13, 2024. Additionally, vulnerabilities in Google Gemini for Workspace were discovered, allowing the AI assistant to produce misleading responses or distribute malicious content to targeted accounts when users inquire about email-related content. Another recent revelation involved the exploitation of exposed AWS credentials to engage with large language models (LLMs) on Bedrock, enabling threat actors to fuel applications such as a Sexual Roleplaying chat tool by bypassing the AI model’s content restrictions. These findings follow a campaign earlier this year called LLMjacking, detailed by Sysdig, where stolen cloud credentials were utilized to target LLM services for resale to other threat actors. Intriguingly, attackers are now endeavoring to activate the models using stolen cloud credentials, rather than merely exploiting pre-existing models.

🔥 Reliable Information & Perspectives

🎥 Webinar Featuring Information Security Expert

Enhance Data Security in the Cloud with DSPM: Facing challenges in maintaining data security in cloud environments? Safeguard your sensitive data from becoming a liability. Participate in our webinar to discover how to effectively secure your data assets. Global-e, a prominent e-commerce facilitator, significantly enhanced their data security stance through the utilization of DSPM. Benny Bloch, the CISO, discloses the journey they undertook, outlining the obstacles faced, errors made, and invaluable insights gained. Acquire practical advice on deploying DSPM, mitigating risks, and optimizing cloud expenses. Enroll now to gain a competitive advantage in today's data-centric environment.

🛡️ Consult the Specialist

Q: Which security gap in corporate systems is commonly overlooked by defenders and exploited by attackers?

A: Overlooked vulnerabilities in corporate systems often arise from IAM misconfigurations like excessively permissive accounts, loose API security, unmanaged shadow IT, and inadequately secured cloud federations. Solutions like Azure PIM or SailPoint assist in establishing least privilege by overseeing access reviews, while Kong or Auth0 fortify APIs through token rotation and WAF monitoring. Mitigate the risks from shadow IT by utilizing Cisco Umbrella for application exploration, and Netskope CASB for reinforcing access management. For securing federations, adopt Prisma Cloud or Orca for scanning settings and enhancing configurations, while Cisco Duo enables adaptive MFA for robust authentication. Lastly, protect service accounts with automated credential management through tools like HashiCorp Vault or AWS Secrets Manager to ensure secure and timely access.

🔒 Insight of the Week

Enhance Your DNS Security: While many concentrate on fortifying their devices and networks, the Domain Name System (DNS)—which converts readable domain names (such as example.com) into machine-readable IP addresses—is often disregarded. Picture the internet as an extensive library and DNS as its card index; to locate the book (website) you desire, you require the correct card (address). However, if someone tampers with the index, you may be directed to fraudulent websites aiming to pilfer your information. To boost DNS security, utilize a privacy-centric resolver that doesn’t track your queries (a private index), block malicious sites by leveraging a “hosts” file (remove the cards for dangerous books), and employ a browser extension with DNS filtering (employ a librarian to monitor). Furthermore, activate DNSSEC to authenticate DNS records (assess the card’s legitimacy) and encrypt your DNS requests with DoH or DoT (whisper your requests to maintain confidentiality).
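To make the DoH and DNSSEC advice above concrete, here is an added example (not from the original article): it builds a wire-format DNS query with the AD bit set, encodes it into an RFC 8484 DoH GET URL, and parses a response to report whether the resolver marked the answer as DNSSEC-validated. The resolver hostname dns.example and the response bytes are constructed placeholders, not captured traffic.

```python
import base64
import struct

# Constructed sample response for example.com: flags 0x81A0 (QR, RD, RA, AD set)
# and one A record pointing at 192.0.2.1 (RFC 5737 documentation range).
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\xa0\x00\x01\x00\x01\x00\x00\x00\x00"   # header
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"  # answer
)

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035) with RD and AD set. AD in a request asks the
    resolver to report whether it DNSSEC-validated the answer (RFC 6840 s5.7).
    Transaction ID is fixed to 0 so the DoH GET URL is cache-friendly (RFC 8484)."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    header = struct.pack(">HHHHHH", 0, 0x0120, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def doh_get_url(resolver_host: str, name: str) -> str:
    """RFC 8484 GET form: base64url-encoded query with '=' padding stripped."""
    q = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"https://{resolver_host}/dns-query?dns={q}"

def parse_response(data: bytes) -> dict:
    """Return rcode, the AD (authenticated data) flag and any A records.
    Only trust AD when the resolver was reached over DoH/DoT: on plain UDP
    port 53 an on-path attacker could set the bit as easily as forge an IP."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    def skip_name(pos: int) -> int:
        while True:
            length = data[pos]
            if length == 0:
                return pos + 1
            if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
                return pos + 2
            pos += 1 + length
    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4        # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": addrs}
```

A missing AD bit means the resolver did not validate the record (or the zone is unsigned), which is exactly the gap DNSSEC is meant to close.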

Summary

There you have it: another week's collection of cybersecurity challenges to reflect on. Remember, in this digital age, staying vigilant is crucial. Keep yourself informed, stay alert, and stay secure in the ever-changing cyber realm. We'll be back next Monday with more updates and insights to guide you through the digital domain.

Stumbled upon this article and found it engaging? Stay connected with us on Twitter and LinkedIn for more exclusive content updates.
