This week
- Romania annuls election results over TikTok influence campaign (This Week)
- Child sex abuse victims sue Apple for not implementing protections (Interesting Reads)
- BadRAM vulnerability in AMD chips (Vulnerabilities)
- Cleo file transfer attacks (This Week)
- $3B funding for US telcos to replace Chinese equipment (This Week)
Cleo file transfer under active attack
- Threat actors are targeting a vulnerability in file transfer systems sold by software company Cleo. At least 24 businesses have been compromised in attacks reminiscent of Cl0p ransomware’s attacks against MOVEit appliances in 2023. “Victim organizations so far have included various consumer product companies, logistics and shipping organizations, and food suppliers,” Huntress security researcher John Hammond told TechCrunch. LINK
- CVE-2024-50623 (8.8/10) is an “unrestricted file upload and download vulnerability” in the firm’s Harmony, VLTrader, and LexiCom products that “could lead to remote code execution”. The exploit is triggered by uploading specific types of files that are automatically processed by a specific parser. Cleo first published a security advisory on 30th October, with a second CVE (CVE-2024-55956) and advisory released this week alongside a patch for the issue. ADVISORY 1, ADVISORY 2
- Software company Blue Yonder, which recently suffered a ransomware attack, apparently had a Cleo file transfer system exposed to the Internet; however, it’s not known if this was used to compromise the organisation. A crude search of Shodan revealed a further 160 Cleo endpoints still vulnerable and accessible on the Internet. LINK
$3 billion funding hole in FCC programme filled following Salt Typhoon campaign
- A $3 billion funding hole in a Federal Communications Commission (FCC) programme to ‘rip and replace’ telecommunications equipment by Chinese manufacturers Huawei and ZTE has been closed this week. (vol. 7, iss. 19)
- The additional funds, over the original $1.8 billion allocated through the Secure and Trusted Communications Act, were met through the annual National Defense Authorization Act, with senators and witnesses called to the bill’s hearing saying the scheme can be used to close holes exploited in the Salt Typhoon campaign. LINK
Romania annuls general election first round over potential foreign interference
- Romania has annulled the results of the first round in its general election after suspicions around the surge in votes for an ultranationalist candidate. LINK
- Călin Georgescu was polling poorly just weeks before the election when a wave of what is suspected to be inauthentic TikTok and social media content promoted the candidate to large portions of the population. Romania’s intelligence services have pointed the finger at Russian state influence operations. LINK
- TikTok influencers that backed Georgescu’s campaign are fleeing Romania following a series of raids by tax authorities. Some have links to organised crime groups. LINK
- Events in Romania are unfolding as the US prepares to ban or force a divestment of the Chinese-owned social media company on 19th January, the day before President-elect Trump’s inauguration. LINK
Interesting stats
71 cyber security incidents have been reported under the Securities and Exchange Commission’s cyber reporting rules that came into force 11 months ago. LINK
~3% better Passkey signup rate when positioning them as a faster way to sign in than when saying it’s more secure, according to Microsoft (see Interesting Reads below).
86% of 1,000 executives surveyed by PagerDuty believe companies have focussed too much on security and not enough on service disruptions. LINK
Other newsy bits / in brief
🤓 Interesting reads:
- Microsoft product managers Sangeeta Ranjit and Scott Bingham have an interesting read on the user experience designs they deployed in ‘convincing a billion users to love passkeys’. UX is an important part of engaging any audience, and you should be considering how you’re going to make users’ lives easier and more secure in your security programme. LINK
- Russia has been conducting tests of its ‘sovereign internet’ capability, with residents in some Muslim-majority regions being disconnected from the global Internet for around 24 hours. Internet regulator Roskomnadzor has run similar tests in the past as Russia aims to establish a parallel internet under its control and laws, dubbed Runet, that could operate independently. LINK
- Thousands of victims of child sexual abuse are suing Apple for $1.2 billion after the company pulled a controversial child sexual abuse material (CSAM) scanning functionality from its iDevices. Apple had announced the feature but not rolled it out to users before making a U-turn in the wake of concerns that governments could use the technology to surveil users. LINK
- Cameron Prescott-Young’s piece challenging the cyber risk status quo in the Journal of the Royal Corps of Signals. LINK (page 54)
⚠️ Incidents:
- Krispy Kreme says online ordering in the US was affected by unauthorised activity it detected on its network on 29th November. In an SEC filing, the doughnut company expects a “reasonable” financial fallout from the incident, resulting from loss of revenues and unplanned cyber response costs. LINK
- Byte Federal, operator of 1,200 Bitcoin ATMs in the United States, has filed with Maine’s attorney general saying that unauthorised actors may have access to the personal data of 58,000 customers. LINK
🏴‍☠️ Ransomware:
- The Lynx ransomware group has claimed responsibility for an attack against Romanian electricity distribution company Electrica Group. The company, which supplies 3.8 million customers with energy, says that SCADA and operational systems are unaffected. LINK
- Termite ransomware group has claimed responsibility for the attack on Blue Yonder. LINK
🕵️ Threat Intel:
- A malicious NPM package has stolen 390,000 credentials over 12 months from a trojanized WordPress credentials checker. The @0xengine/xmlrpc package also stole SSH and AWS keys from security researchers, pen testers and other threat actors. LINK
- Credit rating agency Moody’s believes that ransomware groups will target larger companies in 2025 in search of larger paydays as revenue per victim falls. LINK
- Chinese threat actors use Visual Studio Code (VSCode) tunnels to access compromised developer devices remotely. SentinelOne says the suspected STORM-0866 (aka Sandman) group is abusing legitimate Microsoft functionality in attacks against IT service providers in Southern Europe. LINK
- Russian state-linked Secret Blizzard threat actors are hiding behind the infrastructure of other cybercrime groups to launch attacks against Ukraine military personnel, according to Microsoft. LINK
🪲 Vulnerabilities:
- Ivanti’s Cloud Services Appliance (CSA) has three critical vulnerabilities, including one ‘perfect 10’. CVE-2024-11639 (10/10) is an authentication bypass issue in CSA’s web console, CVE-2024-11772 (9.1/10) is a command injection in the admin console, and CVE-2024-11773 (9.1/10) is an SQL Injection vulnerability. CSA is part of Ivanti’s ‘modern device management’ suite, allowing customers to “manage and secure your macOS and Windows devices, whether they are in the office, travelling, or working from home.” Gaining access could allow attackers to control all of your endpoints. Get patching. LINK, ADVISORY
- Apache Struts 2 has a critical remote code execution vulnerability. CVE-2024-53677 (9.8/10) is fixed in version 6.4.0 and higher. LINK, ADVISORY
- BadRAM, a vulnerability in the firmware of AMD chips, could allow attackers with physical access to bypass protections designed to stop them from being able to read memory contents. While the attack requires physical access to succeed, the vulnerability in the protections in question is specifically intended to stop this type of access: for example, protecting cloud tenants from snooping by their cloud provider. AMD has released an update that addresses CVE-2024-21944 (5.3/10). LINK, ADVISORY
- OpenWrt’s Attended Sysupgrade feature, which allows developers to build packages for distribution, could have been abused to poison legitimate firmware images. There’s no sign that the issue was abused, and it was fixed within hours of reporting, but it’s an interesting case around hash collisions. LINK
🛠️ Security engineering:
- Results from the latest round of MITRE ATT&CK evaluations of enterprise endpoint security vendors have been published. Tests have focussed on the tactics and techniques used by North Korean and high-profile ransomware operators. LINK, RESULTS
- Snowflake will phase out single-factor authentication by November 2025. Users of the big data platform provider found their data being stolen earlier this year after attackers realised they could get in simply by phishing credentials from Snowflake users or administrators. LINK
🏭 Operational technology:
- Iranian threat actors are using malware dubbed IOCONTROL against IoT and OT systems in Israeli and US critical infrastructure providers. LINK
- Researchers have discovered vulnerabilities in Skoda Superb’s infotainment system that could allow malicious code installation to track the victim’s location. Danila Parnishchev of PCAutomotive says that the vulnerabilities in the Skoda Superb III’s media unit can only be accessed via Bluetooth, requiring the attacker to be within ~10m of the vehicle. Synchronised contact details are available because they are not encrypted on the infotainment system. The PCAutomotive team was unable to gain access to safety-critical systems via this route. LINK
🧿 Privacy:
- Mozilla is ditching the ‘Do Not Track’ toggle from Firefox, citing the standard’s optional nature, which many websites ignore. LINK
📜 Policy & Regulation:
- The European Union’s Cyber Resilience Act (CRA) entered into force this week, with compliance required by December 2027. The CRA requires manufacturers of Internet-connected hardware and software to meet good-practice requirements and, in exchange, lets them display the bloc’s ‘CE’ mark. Sellers of these goods must also only stock goods that meet these regulations. Products that are already subject to regulations, including some open-source software, are excluded from the regulation. Following the same format as NIS and GDPR, breaches of “essential cybersecurity requirements” may be met with penalties of up to 2.5% of global annual turnover or €15 million (whichever is greater). LINK
👮 Law Enforcement:
- The US Treasury Department sanctioned Chinese company Sichuan Silence for ransomware attacks against US critical infrastructure companies in April 2020. “Between April 22 and 25, 2020, Guan Tianfeng used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned by thousands of businesses worldwide,” a press release from the Office of Foreign Assets Control (OFAC) says. “The purpose of the exploit was to use the compromised firewalls to steal data, including usernames and passwords. However, Guan [an employee] also attempted to infect the victims’ systems with the Ragnarok ransomware variant.” LINK
- A US court has indicted 14 IT workers believed to have earned $88 million over six years at US companies for the North Korean regime. The State Department has also announced a $5 million reward for information from individuals or companies that may have been involved in the scheme. LINK
- Spanish and Peruvian police have busted open a voice phishing scam ring and arrested 83 individuals. The scammers impersonated banks and defrauded at least 10,000 people of an estimated €3 million ($3.15M). LINK
- A law enforcement operation across 15 countries has shut down DDoS-for-hire platforms. Operation PowerOFF has resulted in the shutdown of 27 DDoS services, three arrests, and the identification of 300 customers on the platforms. LINK
💰 Investments, mergers and acquisitions:
- Fortinet has acquired email, collaboration and web security outfit Perception Point for an estimated $100 million. LINK
- Private equity firm Keensight Capital has acquired a majority stake in human risk management platform MetaCompliance. LINK
And finally
- Ten out of ten for this excellent headline in Tom Gerken’s piece for BBC News: Hackers find hole in Krispy Kreme doughnuts’ cyber-security. LINK