CyberSecurity updates
2024-12-26 16:40:32 Pacific

BeyondTrust Breach via API Key - 7d

BeyondTrust has disclosed a security incident in which attackers breached some of its Remote Support SaaS instances using a compromised API key that allowed password resets of local application accounts. During the investigation two command-injection vulnerabilities in Remote Support and Privileged Remote Access were found and patched: CVE-2024-12356, a critical flaw exploitable without authentication, and CVE-2024-12686, a lower-severity flaw that requires existing administrative access. The incident illustrates the blast radius of a leaked API key that carries identity-management rights, and the need to scope, rotate and monitor such keys in SaaS platforms and privileged access management products.

Mirai Botnet Targets Juniper Routers With Default Passwords - 6d

Juniper Networks has warned that the Mirai botnet is compromising Session Smart Routers (SSR) whose default passwords were never changed, and that infected routers are subsequently used as a source of further attacks. Juniper SSR operators should change the default credentials immediately, which closes this infection path, and should check devices that were exposed with defaults for signs of existing compromise. The case is a reminder that a factory credential left in place on an internet-facing device is effectively no authentication at all.

FlowerStorm platform targets Microsoft 365 accounts - 4d

A new Microsoft 365 phishing-as-a-service platform called 'FlowerStorm' has emerged, filling the gap left by the shutdown of the Rockstar2FA cybercrime service. FlowerStorm lets threat actors build and deploy phishing campaigns aimed specifically at Microsoft 365 accounts, automating much of the process and so increasing the reach of low-skill operators. The result is a continued rise in targeted phishing against Microsoft users, with account compromise and data breaches as the likely outcomes, and a demonstration of how little effort a criminal now needs to run a polished credential-theft campaign.

NSO Liable for WhatsApp Spyware Attacks - 4d

A US federal judge has ruled that NSO Group is liable for exploiting a vulnerability in WhatsApp to deliver its Pegasus spyware to about 1,400 users. The court found that NSO violated the Computer Fraud and Abuse Act and granted WhatsApp's request for sanctions against the company. The attack relied on a zero-click exploit, so targets did not have to open a message or answer a call to be infected. WhatsApp has described the ruling as a landmark victory.

Apple Notifies Spyware Victims, Not Analyzing Devices - 5d

Apple is notifying users it believes have been targeted by government-sponsored spyware, but it refers them to third-party security labs rather than performing forensic analysis of their devices itself. Apple's stated reasoning is that in-depth forensic work on its side could inadvertently reveal what it knows about the spyware to the attackers. Security experts have praised the approach as balancing victim protection against the needs of security research.

Next.js Authorization Bypass Exposes Root Pages - 6d

A high-severity authorization bypass (CVE-2024-51479) has been disclosed in Next.js, a widely used React framework. When an application performs authorization in middleware based on the request pathname, the check could be bypassed for pages located directly under the application's root (a page such as /dashboard, but not nested routes beneath it). Versions 9.5.5 through 14.2.14 are affected; the fix is in 14.2.15 and should be applied promptly. Because the flaw sits in pathname-based middleware checks, applications should also enforce authorization inside the page or route handler itself rather than relying on middleware alone.

UnitedHealthcare AI chatbot exposed to internet - 12d

An internal AI chatbot used by employees of UnitedHealthcare's Optum unit was reachable from the public internet. The chatbot was built to answer staff questions about handling claims, so its exposure raised concerns about unauthorized access to sensitive process and patient-related data. The incident shows the risk of deploying AI tooling without the same access controls applied to any other internal application, and it came amid broader scrutiny of UnitedHealthcare's use of AI in claims denials.

Fortinet Flaws Allow Remote Code Execution - 6d

Multiple critical vulnerabilities have been disclosed in Fortinet products, including a path traversal flaw in FortiWLM and a SQL injection flaw in FortiClient EMS. Flaws of these classes let attackers read sensitive files or run arbitrary database statements, and in these products they can be chained into arbitrary code execution. Successful exploitation amounts to complete compromise of the appliance, so the fixed versions should be applied immediately and the affected management interfaces kept off the open internet.

HiatusRAT Malware Targets Webcams and DVRs - 8d

The FBI has warned of a new HiatusRAT campaign targeting web cameras and DVRs, particularly models from Chinese manufacturers. The attackers take over devices through weak or default passwords and unpatched vulnerabilities, using Ingram, a webcam scanning tool, to find exposed devices and Medusa, a brute-forcing tool, to guess credentials. Compromised devices are turned into proxies and covert communication channels for the attackers. The campaign has targeted IoT devices in the US, Australia, Canada, New Zealand and the UK. Administrators are urged to limit use of the affected devices, or to isolate them from the rest of the network and block their access to the internet, so that a compromised camera cannot be used as a relay.

Arctic Wolf Acquires BlackBerry's Cylance for $160M - 9d

Arctic Wolf Networks Inc. has agreed to acquire BlackBerry's Cylance endpoint security unit for $160 million in cash plus 5.5 million Arctic Wolf shares, adding endpoint protection technology to its security operations offerings. The price is a steep markdown from the $1.4 billion BlackBerry paid for Cylance in 2018, and the sale reflects BlackBerry's shift away from endpoint security toward its cyber and IoT software lines. The deal is expected to close in BlackBerry's fiscal fourth quarter.

ConnectOnCall Breach Exposes 900K User Data - 9d

ConnectOnCall, a healthcare communication platform, has disclosed a data breach affecting approximately 900,000 patients and healthcare providers. The intrusion was discovered in May 2024: an unauthorized third party gained access to the platform and its data, potentially including names, contact information and medical details. The incident underscores the need for robust access controls and monitoring in healthcare communication platforms, since exposed health records can lead to identity theft and misuse of personal health information for the individuals affected.

CISA and ONCD Strengthen Infrastructure Security - 6d

CISA and ONCD have released a playbook to help grant-making agencies incorporate cybersecurity into federally funded infrastructure projects. The playbook provides a framework, recommended actions and model language for grant programs. The goal is to enhance cyber resilience in critical infrastructure projects.

US Considers Banning TP-Link Routers - 6d

The U.S. government is investigating TP-Link routers as a potential national security risk because of their alleged use in cyberattacks, and a ban on the routers in 2025 is reportedly under consideration. The case raises supply chain questions for organizations whose network edge depends on low-cost consumer and small-business hardware, and it highlights the need for supply chain risk management and security review of network devices rather than trust in the brand alone.

FortiWLM Path Traversal and Next.js Auth Bypass - 6d

A critical path traversal vulnerability (CVE-2023-34990) has been identified in FortiWLM, allowing unauthenticated attackers to read sensitive files on the appliance. Separately, an authorization bypass (CVE-2024-51479) has been disclosed in Next.js. The FortiWLM flaw can be chained with other weaknesses toward code execution, while the Next.js flaw lets requests reach pages that pathname-based middleware was meant to protect. Both vendors have released fixed versions, which should be applied promptly.
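The path traversal class named in the FortiWLM entry above and in the earlier Fortinet item is easy to introduce and easy to check for. The block below is an added illustration, not Fortinet or Next.js code: it pairs an unsafe file-reading routine with a hardened one and runs both against traversal inputs. The "logs" directory, the file names and their contents are constructed in a temporary directory so the demo runs offline; none of it reflects real FortiWLM paths.

```python
"""Path traversal: an unsafe log-reading routine beside a hardened one.

Added illustration, not vendor code. The directory layout and file contents
are constructed for the demo and created in a temporary directory.
"""
import os
import shutil
import tempfile


def build_fixture():
    """Create <root>/logs/app.log (meant to be readable) and <root>/secret.conf (not)."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    logs = os.path.join(root, "logs")
    os.makedirs(logs)
    with open(os.path.join(logs, "app.log"), "w") as fh:
        fh.write("session=abc123\n")          # constructed content
    with open(os.path.join(root, "secret.conf"), "w") as fh:
        fh.write("admin_password=hunter2\n")  # constructed content
    return root, logs


def read_log_unsafe(logs_dir, name):
    """VULNERABLE: joins untrusted input straight into the path.

    name="../secret.conf" resolves to <root>/secret.conf, outside logs_dir.
    """
    with open(os.path.join(logs_dir, name)) as fh:
        return fh.read()


def read_log_safe(logs_dir, name):
    """Hardened: canonicalise, then require the result to stay inside logs_dir.

    realpath() collapses ".." segments and follows symlinks, and commonpath()
    is a true directory-boundary check (a plain startswith() would accept
    "<root>/logs-archive/x" as being under "<root>/logs"). os.path.join()
    discards the base when `name` is absolute; the same check catches that.
    """
    base = os.path.realpath(logs_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside {base}: {name!r}")
    if not target.endswith(".log"):
        raise PermissionError("only .log files may be read")
    with open(target) as fh:
        return fh.read()


def demo():
    """Run both routines against traversal inputs; returns what each allowed."""
    root, logs = build_fixture()
    results = {}
    try:
        results["unsafe_traversal"] = read_log_unsafe(logs, "../secret.conf")
        results["safe_ok"] = read_log_safe(logs, "app.log")
        cases = [
            ("safe_traversal", "../secret.conf"),                  # classic dot-dot
            ("safe_absolute", os.path.join(root, "secret.conf")),  # absolute path
            ("safe_sibling_prefix", "../logs-archive/app.log"),    # fools startswith()
        ]
        for label, name in cases:
            try:
                read_log_safe(logs, name)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "blocked"
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check is performed on the decoded name the application actually uses; URL decoding belongs to the web layer, and decoding a second time inside the application is itself a classic source of bypasses.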

Citrix Netscaler Password Spray Attacks Reported - 11d

Citrix has warned of ongoing password spraying attacks against NetScaler appliances. Unlike a brute-force attack on a single account, spraying tries a few common passwords across many usernames, which keeps each account below its lockout threshold. The attacks target authentication on legacy, pre-nFactor endpoints and, beyond the risk of account compromise, cause resource exhaustion on the appliance: excessive logging, management CPU overload and instability. Citrix has published mitigation steps, including enforcing multi-factor authentication and blocking requests to the pre-nFactor endpoints where they are not needed, which should be implemented urgently.
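The two credential-attack patterns in this digest, the Medusa brute forcing against camera and DVR accounts in the HiatusRAT item and the password spraying against NetScaler above, leave different shapes in authentication logs, and a detection should tell them apart. The block below is an added example, not Citrix, FBI or vendor tooling. It assumes a simplified, constructed log line format ("timestamp source-IP username FAIL|OK") and classifies each source by the number of distinct usernames versus the number of attempts against one username inside a sliding time window; the sample log is constructed for the demo.

```python
"""Separate password spraying from single-account brute force in auth logs.

Added example; not Citrix, FBI or vendor code. Assumes a constructed,
simplified log format: "<ISO-8601 UTC timestamp> <source IP> <username> <FAIL|OK>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sprays one password across many accounts
# (one attempt per user), 198.51.100.9 hammers a single "admin" account the way
# a Medusa run against a DVR would, and 192.0.2.4 is a user who mistyped once.
SAMPLE_LOG = """\
2024-12-20T10:00:01Z 203.0.113.7 alice FAIL
2024-12-20T10:00:02Z 203.0.113.7 bob FAIL
2024-12-20T10:00:03Z 203.0.113.7 carol FAIL
2024-12-20T10:00:04Z 203.0.113.7 dave FAIL
2024-12-20T10:00:05Z 203.0.113.7 erin FAIL
2024-12-20T10:00:06Z 203.0.113.7 frank FAIL
2024-12-20T10:00:07Z 203.0.113.7 grace OK
2024-12-20T10:00:10Z 198.51.100.9 admin FAIL
2024-12-20T10:00:11Z 198.51.100.9 admin FAIL
2024-12-20T10:00:12Z 198.51.100.9 admin FAIL
2024-12-20T10:00:13Z 198.51.100.9 admin FAIL
2024-12-20T10:00:14Z 198.51.100.9 admin FAIL
2024-12-20T10:00:15Z 198.51.100.9 admin FAIL
2024-12-20T10:00:16Z 198.51.100.9 admin FAIL
2024-12-20T10:00:17Z 198.51.100.9 admin FAIL
2024-12-20T10:00:18Z 198.51.100.9 admin OK
2024-12-20T10:05:00Z 192.0.2.4 alice FAIL
2024-12-20T10:05:30Z 192.0.2.4 alice OK
"""


def parse_line(line):
    """Return (timestamp, source_ip, username, result) for one constructed log line."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def classify_sources(log_text, window=timedelta(minutes=5),
                     spray_users=5, brute_attempts=6):
    """Classify each source IP by the shape of its failures inside any window.

    brute_force: at least `brute_attempts` failures against one username
    spray:       at least `spray_users` distinct usernames failed
    benign:      neither threshold reached
    A success from a flagged source while failures are still in the window
    marks the source as likely to have compromised an account.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))

    verdicts = {}
    for ip, evs in events.items():
        evs.sort()
        recent = deque()            # failures inside the sliding window
        max_users = max_per_user = 0
        success_after_failures = False
        for ts, user, result in evs:
            while recent and ts - recent[0][0] > window:
                recent.popleft()    # drop failures that aged out of the window
            if result == "OK":
                if recent:
                    success_after_failures = True
                continue
            recent.append((ts, user))
            users = [u for _, u in recent]
            max_users = max(max_users, len(set(users)))
            max_per_user = max(max_per_user, max(users.count(u) for u in set(users)))
        if max_per_user >= brute_attempts:
            pattern = "brute_force"
        elif max_users >= spray_users:
            pattern = "spray"
        else:
            pattern = "benign"
        verdicts[ip] = {
            "pattern": pattern,
            "distinct_users": max_users,
            "max_attempts_on_one_user": max_per_user,
            "likely_compromised": pattern != "benign" and success_after_failures,
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

The thresholds and window are tuning knobs, not constants from any advisory. On an appliance such as NetScaler the grouping key would also include the authentication endpoint, since the spraying Citrix describes concentrates on the pre-nFactor paths; a spray spread across many source addresses would need grouping by target username and password-attempt timing instead of by source.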