THN Cybersecurity Summary: Major Risks, Resources, and Updates (Oct 21 – Oct 27)

Oct 28, 2024Ravie LakshmananCyber Security / Hacking News

Cybersecurity updates can sometimes feel like an ongoing thriller, can’t they? Just when you assume the antagonists are under control, a new peril emerges unexpectedly.

This week follows the trend, with reports of exploited vulnerabilities, global surveillance, and disruptive AI activity that could leave you bewildered. But fear not, we are here to simplify everything and equip you with the information you need to protect yourself.

Get ready with your snacks (and perhaps a security system), and let’s explore the recent cybersecurity developments!

⚡ Risk of the Week

Significant Fortinet Vulnerability Exploited: Fortinet disclosed that a severe security weakness affecting FortiManager (CVE-2024-47575, CVSS score: 9.8), which enables unauthorized remote code execution, has been actively exploited in the wild. The identity of the perpetrator remains unknown. Google’s Mandiant is tracking the activity under the moniker UNC5820.

Kubernetes Security for Dummies

🚢🔐 Comprehensive Guide to Kubernetes Security

Strategies for implementing a container security mechanism and best practices for Kubernetes Security encapsulated in one resource. This manual covers all essential aspects of constructing a robust security framework and managing a secure operating environment effectively.

Access the Guide

🔥 Emerging CVEs

CVE-2024-41992, CVE-2024-20481, CVE-2024-20412, CVE-2024-20424, CVE-2024-20329, CVE-2024-38094, CVE-2024-8260, CVE-2024-38812, CVE-2024-9537, CVE-2024-48904

🔔 Latest Highlights

  • Severe Encryption Vulnerabilities in 5 Cloud Storage Providers: Researchers have found major cryptographic weaknesses in end-to-end encrypted (E2EE) cloud storage services Sync, pCloud, Icedrive, Seafile, and Tresorit that could be abused for file injection, data alteration, and even unauthorized access to plaintext information. However, these attacks require the intruder to obtain server access to execute successfully.
  • Lazarus Group Leveraging Chrome Vulnerability: The Lazarus Group, a North Korean threat actor, has been linked to exploiting a recently patched security vulnerability in Google Chrome (CVE-2024-4947) to gain control over compromised devices. Google addressed the flaw in mid-May 2024. The campaign, initiated in February 2024, involved enticing users to visit a website promoting a multiplayer online battle arena (MOBA) tank game, which contained malicious JavaScript to trigger the exploit and provide attackers with remote access to the devices. The website also concealed a legitimate game but smuggled code to deliver additional harmful payloads. In May 2024, Microsoft attributed the operation to a group codenamed Moonstone Sleet.
  • AWS Cloud Development Kit (CDK) Vulnerability Resolved: A now-patched security flaw affecting the Amazon Web Services (AWS) Cloud Development Kit (CDK) could have allowed an attacker to gain administrative control over a targeted AWS account, leading to a complete account compromise. Following responsible disclosure on June 27, 2024, Amazon fixed the issue in CDK version 2.149.0, released in July 2024.
  • SEC Penalizes 4 Firms for Misleading SolarWinds Disclosures: The U.S. Securities and Exchange Commission (SEC) penalized four public corporations – Avaya, Check Point, Mimecast, and Unisys – for disseminating “materially deceptive statements” regarding the extensive cyber attack stemming from the SolarWinds breach in 2020. The federal agency accused the companies of downplaying the seriousness of the breach in their official communications.
  • 4 REvil Members Sentenced in Russian Court: Four members of the now-defunct REvil ransomware group, namely Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov, received significant prison terms in Russia. They were apprehended in January 2022 after a law enforcement operation by Russian authorities.

📰 All Over the Cyber Universe

  • Delta Air Lines Takes Legal Action Against CrowdStrike for July Outage: Delta Air Lines filed a lawsuit against CrowdStrike in Georgia, U.S., alleging breach of contract and negligence following a major outage in July that led to 7,000 flight cancellations, disrupted travel plans for 1.3 million customers, and incurred over $500 million in costs. Delta Air Lines stated, “CrowdStrike triggered a worldwide catastrophe by taking shortcuts, cutting corners, and bypassing the very testing and certification processes it claimed to follow, all for its own gain and profit.” The airline further added, “Had CrowdStrike tested the Flawed Update on even a single computer before deploying it, the computer would have crashed.” Responding to the allegations, CrowdStrike stated, “Delta’s allegations are based on disproven misinformation, indicating a lack of comprehension about the workings of modern cybersecurity, and reflecting a desperate effort to shift blame for its sluggish recovery from its failure to update its outdated IT infrastructure.”
  • Meta Reveals Secure Method to Store WhatsApp Contacts: Meta has announced a new encrypted storage solution for WhatsApp contacts known as Identity Proof Linked Storage (IPLS), facilitating users to create and store contacts along with their usernames directly within the messaging platform by utilizing key transparency and hardware security module (HSM). Previously, WhatsApp relied on a phone’s contact list for synchronization purposes. Following a security evaluation by NCC Group, which identified and addressed 13 issues in the new system, it was stated that IPLS “intends to save a WhatsApp user’s contacts within the app on WhatsApp servers in a privacy-centric manner” and that “WhatsApp servers do not have access to the contents of a user’s contact metadata.” All identified vulnerabilities were patched by September 2024.
  • CISA and FBI Probing Salt Typhoon Strikes: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) declared that the U.S. government is investigating “unauthorized entry into commercial telecommunications infrastructure” by threat actors associated with China. This announcement follows reports of the Salt Typhoon hacking group infiltrating the networks of AT&T, Verizon, and Lumen. CISA confirmed that the affected companies were notified once the “malicious activity” was detected. The extent of the attack campaign and the type of information compromised, if any, remain unclear. Various reports from The New York Times, The Wall Street Journal, Reuters, Associated Press, and CBS News suggested that Salt Typhoon used its access to major telecommunication companies to breach phones or networks used by both the Democratic and Republican presidential campaigns.
  • Rampant IT Personnel Fraud Emerges as a Significant Issue: While North Korea has recently been highlighted for its endeavors to secure positions at Western firms, and in some scenarios, even extorting ransom, a new report from identity security firm HYPR reveals that the fraudulent worker scheme is not limited to a single country. The company revealed that it had extended a job offer to a software engineer claiming to be from Eastern Europe. However, subsequent onboarding processes and video verifications raised suspicions concerning the true identity and whereabouts of the individual, prompting the unnamed party to explore alternative opportunities. No evidence links the fraudulent hiring to North Korea at present, and the motive behind these actions remains unclear. HYPR advised, “Implement a multi-factor verification procedure to link real-world identity with digital identity during the provisioning phase.” The company added, “Video-based verification stands as a critical identity control, not just during onboarding.”
  • Innovative Assaults on AI Solutions: Researchers have revealed a method to manipulate digital watermarks produced by AWS Bedrock Titan Image Generator, permitting threat actors to not only add watermarks to any image but also eliminate watermarks from images generated by the tool. AWS patched the issue by September 13, 2024. This discovery comes on the heels of the uncovering of prompt injection vulnerabilities in Google Gemini for Workspace, enabling the AI assistant to deliver false or unintended responses and disseminate malicious documents and emails to target accounts when users request content related to their email communications or document summaries. Recent research has also uncovered a type of LLM hijacking attack where threat actors leverage exposed AWS credentials to interact with large language models (LLMs) on Bedrock, including a case where they empowered a Sexual Roleplaying chat application that subverts the AI model to “accept and respond with content that would typically be blocked” by the system. Earlier this year, Sysdig outlined a similar campaign known as LLMjacking, where stolen cloud credentials are used to target LLM services with the aim of selling access to other malevolent actors. However, in a noteworthy shift, attackers are now endeavoring to utilize the pilfered cloud credentials to activate the models, rather than solely exploiting existing ones.

🔥 Handy Resources & Insights

🎥 Information Security Expert Webinar

Mastering Data Security in the Cloud with DSPM: Are you finding it challenging to stay abreast of data security in the cloud? Avoid letting your confidential data turn into a liability. Join our webinar and discover how to

Global-e, a prominent e-commerce facilitator, significantly enhanced their data security stance through DSPM. CISO Benny Bloch shares their progression, encompassing hurdles, errors, and crucial insights gained. Acquire practical perspectives on deploying DSPM, mitigating risks, and streamlining cloud expenditures. Enroll now to attain a competitive advantage in the contemporary data-centric sphere.

🛡️ Consult the Specialist

Q: Which is the most disregarded vulnerability in corporate systems that malefactors often exploit?

A: The frequently overlooked security loopholes in corporate systems typically revolve around IAM misconfigurations such as excessively privileged accounts, weak API protection, uncontrolled shadow IT environments, and inadequately secured cloud collaborations. Solutions like Azure PIM or SailPoint aid in enforcing minimal access privileges by overseeing access evaluations, while Kong or Auth0 bolster API security through cyclic token renewals and WAF surveillance. The menace of shadow IT can be curbed by employing Cisco Umbrella for application identification, and Netskope CASB for reinforcing access management. To safeguard federations, leverage Prisma Cloud or Orca for scrutinizing configurations and fortifying settings, while Cisco Duo allows for adaptive MFA to elevate authentication integrity. Ultimately, fortify service accounts with automated credential supervision through HashiCorp Vault or AWS Secrets Manager, guaranteeing secure, timely access.

🔒 Insight of the Week

Enhance Your DNS Security: While most individuals concentrate on fortifying their gadgets and networks, the Domain Name System (DNS)—which converts human-readable domain names (like example.com) into machine-readable IP addresses—is frequently overlooked. Visualize the internet as an extensive library and DNS as its card index; to locate the desired book (website), you need the correct card (address). Nevertheless, if someone tampers with the index, you might be misled to deceitful websites aiming to pilfer your details. Enhance DNS security by using a privacy-oriented resolver that refrains from tracking your searches (a confidential index), bar harmful sites using a “hosts” file (extract the cards for perilous books), and implement a browser extension with DNS filtering (appoint a librarian to vigilantly monitor). Furthermore, enable DNSSEC to validate the legitimacy of DNS records (ascertain the card’s authenticity) and encrypt your DNS requests via DoH or DoT (whisper your requests to evade eavesdropping).
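To make the DNSSEC step concrete, here is an added example (not code from the article) that builds a DNS query asking the resolver for DNSSEC-signed answers and then reads the response header's AD bit, which a validating resolver sets only when it verified the signature chain. The responses are constructed header-only samples so the check runs offline; the query bytes are what you would send over DoH or DoT.

```python
import struct

# Added example (not from the article): minimal DNS wire-format helpers to
# (1) build a query that asks the resolver for DNSSEC-signed answers and
# (2) inspect a response header for the AD bit, which a validating resolver
# sets when it verified the DNSSEC chain. Responses below are constructed
# header-only samples so the check runs offline.

FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: resolver validated DNSSEC
EDNS_DO = 0x8000  # "DNSSEC OK" bit in the OPT record's TTL field

def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Header + question + EDNS0 OPT pseudo-record with DO set (qtype 1 = A)."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT: root name, type 41, UDP payload size 4096, TTL field = ext-rcode/version/DO, rdlen 0
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt

def parse_header(resp):
    """Pull the fields worth checking out of the 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "is_response": bool(flags & FLAG_QR), "rcode": flags & 0x000F,
            "dnssec_validated": bool(flags & FLAG_AD), "answers": an}

def dnssec_status(query, resp):
    """'validated' (AD set), 'unvalidated', or 'mismatch' (wrong id / not a response)."""
    qid = struct.unpack(">H", query[:2])[0]
    h = parse_header(resp)
    if h["id"] != qid or not h["is_response"]:
        return "mismatch"
    return "validated" if h["dnssec_validated"] else "unvalidated"

# Constructed header-only responses: one validated, one not, one with a stray id.
QUERY = build_query("example.com")
RESP_AD = struct.pack(">HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
RESP_NO_AD = struct.pack(">HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
RESP_BAD_ID = struct.pack(">HHHHHH", 0x9999, FLAG_QR | FLAG_RA, 1, 1, 0, 0)
```

The AD bit is only as trustworthy as the path to the resolver, which is why the tip pairs DNSSEC with DoH or DoT: a plaintext UDP reply can have the bit flipped on in transit.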

Final Thought

And there it is – another week’s cybersecurity dilemmas to contemplate. Bear in mind, in this digital era, alertness is paramount. Stay informed, stay vigilant, and remain secure within the constantly evolving cyber realm. We will return next Monday with more updates and insights to guide you through the digital expanse.
