Threat actors punch holes in the company's online ordering systems, tripping up doughnut deliveries across the US after a late November breach.

Source: Matthew Horwood via Alamy Stock Photo

US doughnut dealer Krispy Kreme suffered a cybersecurity incident that's made a mess of online ordering but spared retail operations that continue to serve up sugar-coated confections nationwide.

A Securities and Exchange Commission filing from Krispy Kreme disclosed the company was subject to an "unauthorized activity on a portion of its information technology systems" in late November.

"The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering, and has notified federal law enforcement," the Krispy Kreme 8-K filing explained. "As the investigation of the incident is ongoing, the full scope, nature, and impact of the incident are not yet known."

Krispy Kreme added that while the cybersecurity incident is likely to have a "material impact" on the business until it is able to recover, anticipated losses are likely to be offset by cyber insurance.

Beyond operational impact, the statement did not indicate whether customer data was compromised. Paul Bischoff, consumer privacy advocate at Comparitech, recommended anyone who's ordered doughnuts online through Krispy Kreme should expect they've been exposed.

"Most attacks of this nature don't just disrupt systems," Bischoff added. "They also steal data. Companies typically take about six months to investigate breaches and find contact information for affected customers, give or take a few months."

**Krispy Kreme Incident Recovery Continues**

As the company recovers from the incident, Ilia Sotnikov, security strategist at Netwrix, said the Krispy Kreme cybersecurity team likely worked quickly to avoid more widespread damage.

"All their shops are open and all delivery commitments to retail and restaurant partners are fulfilled," Sotnikov said in a statement. "This means that the team identified the intrusion and was ready to swiftly follow the incident response plan."

Beyond initial concerns about business continuity, the entire Krispy Kreme supply chain is potentially vulnerable to follow-on cyberattacks, according to Ryan Sherstobitoff, senior vice president of threat research and intelligence at Security Scorecard.

"As one of the world's largest doughnut companies with over 400 US locations, this breach raises concerns about not only operational disruptions amidst the holidays but also the potential exposure of sensitive data within Krispy Kreme and its supply chain," Sherstobitoff noted, in a statement. "With the holiday season in full swing, retailers must remain vigilant. Cybercriminals are lurking, waiting to exploit any distraction."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Krispy Kreme Doughnut Delivery Gets Cooked in Cyberattack

Researchers at Cavero have created a correlating numbers mechanism, adding a layer of privacy that even threat actors can't gain enough information to breach.

Source: ArtemisDiana via Alamy Stock Photo

A future that uses quantum computing is not far off — but not quite here either. When it does arrive, it will ultimately render the methods we use to encrypt information useless. And while some organizations and businesses may be slow to act, bad actors are already preparing, stealing large amounts of encrypted data and putting it on hold until a later date, when quantum capabilities become available and allow them to decrypt it.

These attacks are known as harvest now, decrypt later (HNDL) attacks — and they pose a serious threat in the future, should bad actors gain access to quantum computers and find the means to actually use them.

"What we need is a new way for us to be able to encrypt data which protects that data now and in the future as well," says Frey Wilson, co-founder and CTO at Cavero Quantum.

**The Cavero Method**

Cavero has created a cryptographic system that uses symmetric keys in two different ways, one using computation complexity and the other using an information theoretical method. The latter typically uses physical resources, but Wilson notes that Cavero achieves it by using the properties of random numbers.

"If you can create two correlated data sets and ensure that any third data set is correlated \[but\] not in the same way as the initial two, then from the correlated data, you can use essentially low entropy sections of that data to be able to generate a key mutually," says Wilson, ahead of a Black Hat Europe 2024 briefing on the approach.

Related:Library of Congress Offers AI Legal Guidance to Researchers

These keys aren't passkeys, though the intention is on the same track, Wilson stresses. Passkeys fall under the category of asymmetric keys, a cryptographic method of encrypting and decrypting data. The risk with this, however, is that passkeys are limited within their own ecosystems, such as Apple or Amazon, unable to cross-correlate with other ecosystems.

"Because this key is sent from a central server initially, there's a moment that the key is in transit to get to a device," says James Trenholme, CEO of Cavero Quantum. "It has the potential to be hacked or viewed by a third party."

Cavero aims to solve this problem by providing a solution that doesn't share any information publicly. Keys are mutually generated for each party using the correlating numbers mechanism, so that even if a threat actor is watching the exchange in the middle, they are unable to gather enough information to calculate or intercept the key, Trenholme adds.

**The Past & Future of Cryptography Keys**

Wilson says the solution, which uses smaller key sizes and is deployable on any device regardless of the size, is unique in its approach.

Related:'White FAANG' Data Export Attack: A Gold Mine for PII Threats

"That appeal to history is absolutely something that we hear regularly," says Wilson of their solution, which is nearly 12 years in the making. "This is based off a body of work that has existed here that we’ve taken, and we've expanded on. It just so happens that we've taken it in a direction that's been slightly different to other people."

Wilson plans to go into detail on that at Black Hat Europe, noting that "it's a new way of looking at the methodology that sits underneath it."

Going forward, the pair would like to see Cavero's keys used as the cornerstone in many, if not all, types of communications. And while its natural for a CEO to say this about their company's product, it seems as though Cavero's keys are in the best interest of communications processes in the name of privacy and security.

Some industries will benefit from Cavero's technology sooner than others, like those that manage high-value data or have a long-term data source.

"We'd like to see it used in every kind of communication, whether it be a voice call, a message, a data transfer, logging applications, the list goes on," says Trenholme, including telecommunications, defense, financial services, identity frameworks, and more.

Related:'Bootkitty' First Bootloader to Take Aim at Linux

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Symmetrical Cryptography Pioneer Targets the Post-Quantum Era

A critical flaw in the company's rate limit for failed sign-in attempts allowed unauthorized access to a user account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

Source: Fabio Principe via AdobeStock Photo

Researchers cracked a Microsoft Azure method for multifactor authentication (MFA) in about an hour, due to a critical vulnerability that allowed them unauthorized access to a user's account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

Researchers at Oasis Security discovered the flaw, which was present due to a lack of rate limit for the amount of times someone could attempt to sign in with MFA and fail when trying to access an account, they revealed in a blog post on Dec. 11. The flaw exposed the more than 400 million paid Microsoft 365 seats to potential account takeover, they said.

When signing into a Microsoft account, a user supplies their email and password and then selects a pre-configured MFA method. In the case used by the researchers, they are given a code by Microsoft via another form of communication to facilitate sign-in.

The researchers achieved the bypass, which they dubbed "AuthQuake," by "rapidly creating new sessions and enumerating codes," Tal Hason, an Oasis research engineer, wrote in the post. This allowed them to demonstrate "a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code," which is 1 million, he explained.

"Simply put — one could execute many attempts simultaneously," Hason wrote. Moreover, during the multiple failed attempts to sign in, account owners did not receive any alert about the activity, "making this vulnerability and attack technique dangerously low profile," Hason wrote.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Oasis informed Microsoft of the issue, which acknowledged its existence in June and fixed it permanently by Oct. 9, the researchers said. "While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day," Hason wrote.

**Ample Time to Guess MFA Code**

Another issue that allowed for the MFA bypass was that the available timeframe an attacker had to guess a single code was 2.5 minutes longer than the recommended timeframe for a time-based one-time password (TOTP) according to RFC-6238, the Internet Engineering Task Force (IETF) recommendation for implementing MFA authentication.

RFC-6238 recommends that a code expires after 30 seconds; however, most MFA applications provide a short grace period and allow these codes to be valid longer.

"This means that a single TOTP code may be valid for more than 30 seconds," Hason explained. "The Oasis Security Research team's testing with Microsoft sign-in showed a tolerance of around three minutes for a single code, extending 2.5 minutes past its expiry, allowing 6x more attempts to be sent."

Related:Chinese Cops Caught Using Android Spyware to Track Mobile Devices

This extra time meant that the researchers had a 3% chance of correctly guessing the code within the extended timeframe, Hason explained. A malicious actor trying to crack the code would have been likely to proceed and run further sessions until they hit a valid guess, which the researchers proceeded to do without encountering any limitations, he said.

After 24 sessions of trying to guess the code, which would take around 70 minutes, a malicious actor would already pass the 50% chance of hitting the valid code. In their research, the Oasis team attempted this method several times, and once even found they guessed the code early on in the process, exposing how quickly MFA could be bypassed.

**Best Practices for Safe MFA**

While MFA is still considered one of the most secure ways to protect passwords to online accounts, the research demonstrates that no system is completely attacker-proof. Oasis recommended that organizations continue to use either authenticator apps or strong passwordless methods for protecting user accounts from malicious attacks.

Related:Europol Cracks Down on Holiday DDoS Attacks

Other best practices include one that has long been recommended for years as part of basic password hygiene: users should change passwords to their online accounts frequently. Moreover, any organization using MFA to protect accounts should add a mail alert to notify users of failed MFA attempts, even if they don't notify them of every failed password sign-in attempt, Hason noted.

This latter advice also should be applied to any organization building MFA into a system or application, according to Oasis. MFA app designers also should ensure they include rate limits that don't allow for indefinite attempts to sign in, and lock an account after a certain time to limit successful MFA attacks or bypasses.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Researchers Crack Microsoft Azure MFA in an Hour

High-profile security incidents provide examples of how common vulnerabilities can be exploited. If you pay attention, you can learn from others' mistakes.

Source: Alfonso Fabio Iozzino via Alamy Stock Photo

COMMENTARY

The statistics paint a clear picture — over 9,000 cyber incidents were reported in just the first half of 2024, translating to nearly one new attack every single hour.

This escalating risk has pushed cybersecurity to the forefront of business strategy. According to a study by Accenture, 96% of CEOs identified security as essential to their company's growth, prompting continuous investment. Yet, despite these efforts, 74% of them expressed concern about their ability to effectively mitigate or withstand cyberattacks due to the increasing complexity of threats. High-profile security incidents provide examples of common vulnerabilities and highlight strategies for businesses to avoid sophisticated attacks.

**1\. The Importance of Password Policy**

Maintaining a strong password policy is essential for all organizations. A typical policy should mandate a minimum length of eight (better 12) characters, combining letters, numbers, and special symbols. Regularly updating passwords is also a widely accepted practice.

However, experience has shown us that guideline compliance is only one part of the equation. At Sigma Software Group, we emphasize the importance of thoughtful password creation, encouraging our team to steer clear of easily guessable patterns, like "Spring2024!" or "Summer2024!" This proactive mindset helps foster a culture of security awareness, which is crucial for preventing password breaches — an alarming trend that affects individuals and organizations alike.

The damage: A striking example of this vulnerability occurred in 2020 when Dutch ethical hacker Victor Gevers guessed then-candidate Donald Trump's Twitter password on his fifth attempt. The password, "maga2020!" — a nod to Trump's campaign slogan "Make America Great Again" — highlighted a significant security gap. Gevers clarified that his intention wasn't to steal sensitive information but to raise awareness about online security risks. He advocates for stronger online security measures, including complex password protocols, two-factor authentication, and effective password management.

The lesson: By adopting a comprehensive approach to password protection, organizations can significantly mitigate risks and bolster their overall cybersecurity posture.

**2\. Multifactor Authentication Hits Its Limits**

Multifactor authentication (MFA) was once hailed as a major leap forward in security. By requiring additional layers of verification — such as passwords, hardware tokens, or biometric scans — MFA significantly raises the barrier for unauthorized access. However, while MFA adds protection, it is far from infallible.

Consider a scenario where a user loses their phone and laptop simultaneously. Regaining access to critical accounts often involves contacting IT support to verify their identity — an approach that seems secure but has its flaws, as the gaming giant EA Games found out the hard way.

The damage: In July 2021, EA Games suffered a significant breach due to a clever MFA bypass. Hackers used stolen cookies containing an employee's login credentials to infiltrate the company's Slack channel. Impersonating the employee, they contacted IT support, claiming they had lost their phone at a party and needed a new multifactor authentication token. This social engineering tactic worked, granting them access to EA's corporate network.

The outcome was disastrous. The hackers stole 780GB of sensitive data, including the source code for FIFA 21, the Frostbite engine, and various internal development tools. This data has since been sold on underground forums.

The lesson: While EA confirmed that no player data was compromised, the incident exposed the vulnerabilities in its security protocols. EA has since acknowledged the gravity of the breach and has been bolstering its defenses to prevent future occurrences.

**3\. Humans Are Only Human**

Even the most advanced security systems are not immune to vulnerabilities. A seemingly minor mistake can introduce significant risks, regardless of the sophistication of tools or protocols in place.

The damage: A pertinent example comes from Estonia, where engineers implemented best practices while developing national digital identity cards. Unfortunately, errors during this process resulted in critical security flaws affecting over 750,000 cardholders.

These issues primarily stemmed from the card manufacturer, Gemalto. Between 2014 and 2017, Estonian authorities uncovered a major vulnerability in the cryptographic library responsible for private key generation. This flaw created a potential pathway for identity theft, yet Gemalto failed to promptly inform the government. Consequently, Estonian officials had to take emergency measures, suspending the use of digital certificates on the affected cards. This situation led to litigation, resulting in a settlement where Gemalto agreed to pay €2.2 million in compensation.

Additional vulnerabilities arose from ID card management practices. Gemalto generated private keys outside the secure chip and reused the same key across multiple cardholders. This oversight allowed for potential impersonation — although, fortunately, no actual identity misuse was reported. Estonian experts quickly identified and rectified the issue, ensuring that the threat to digital identities remained theoretical.

The lesson: A robust security framework is insufficient on its own; the human element must also be addressed. To mitigate the potential risks associated with human error, organizations should implement strategies that enhance oversight and resilience. This includes providing comprehensive staff training to elevate security awareness, conducting regular security audits of both internal systems and third-party providers, and establishing clear security protocols that empower employees to recognize and address potential security issues.

**In a Nutshell**

A recurring theme in these case studies is the impact of human error. As cybersecurity becomes more complex, shortcuts — such as using simple passwords or bypassing MFA — often create vulnerabilities that attackers exploit.

The primary and biggest challenge in cybersecurity lies in striking a balance between implementing robust security controls and maintaining user convenience.

Cybersecurity is an ongoing process, not a one-time fix. No single tool can offer complete protection, so a multilayered defense approach, where measures complement each other, is the most effective strategy to mitigate risks and stay ahead of evolving threats.

**About the Author**

CISO, Sigma Software Group

Dmytro Tereshchenko is the Chief Information Security Officer at Sigma Software Group, a global tech company and a member of the trade association techUK. He also teaches at Sigma Software University and SET University.

With over 21 years of comprehensive IT experience, including a decade specializing in cybersecurity, Dmytro brings extensive expertise in risk and incident management, secure SDLC, and regulatory compliance. Leveraging his profound software development background and cybersecurity expertise, Dmytro is a crucial member of Sigma Software Group's application security consulting service. In this role, Dmytro and his team help companies assess, develop, and implement tailored application security management systems to maintain and improve the security level of their online services portfolio.

Cybersecurity Lessons From 3 Public Breaches

Hackers are constantly evolving, and so too should our security protocols.

Source: Brain light via Alamy Stock Photo

COMMENTARY

We witnessed some of the largest data breaches in recent history in 2024, with victims including industry titans like AT&T, Snowflake (and, therefore, Ticketmaster), and more. For US businesses, data breaches cost more than $9 million on average, and they cause lasting damage to customer and partner trust. 

Still, a resounding 98% of companies work with vendors that have had a breach. While business leaders have become more cautious in identifying vendors, they're integral to the growth of a business — providing critical goods, services, and technology to support ever-evolving business models and complex supply chains. 

These vendors may never be able to fully guarantee security and peace of mind, so security teams must regularly conduct due diligence measures to make more informed decisions and mitigate risks as much as possible. As businesses plan for the coming year, here are tips for ensuring your data, privacy, and information assets are secured and protected in 2025. 

**Proactive Security Reviews**

Vendors are essential, but relying on them without verifying their security practices is like playing with fire. Conducting regular security reviews will help your team mitigate potential risks before they turn into costly incidents. A security review is a comprehensive analysis of a vendor's ability to protect sensitive data, comply with industry regulations, and respond to potential breaches. Conducting a security review involves evaluating several key areas, such as data encryption, compliance with standards like the European Union's General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA), and incident response protocols.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Ongoing audits and real-time monitoring track a vendor's changing security posture and detect emerging vulnerabilities. Continuous monitoring ensures compliance and proactive threat detection, preventing gaps in security oversight.

The SolarWinds breach, for example, could have been mitigated with better continuous monitoring, which would have detected the malicious software update earlier.

A practical approach is to implement quarterly security assessments for vendors that handle critical infrastructure. These assessments can identify evolving risks, ensuring that a one-time review doesn't leave blind spots in long-term vendor security. 

To streamline assessments, leverage automation tools, vulnerability scanners, and compliance platforms to hand off repetitive tasks, improve accuracy, and save time, ensuring comprehensive reviews without manual bottlenecks. Using AI-driven security tools reduces detection times for vulnerabilities, helping companies address issues faster.

Related:Chinese Cops Caught Using Android Spyware to Track Mobile Devices

Security reviews aren't a complete fail-safe, but they do equip businesses to choose vendors that align with their security postures. With consistent, proactive security reviews, businesses can reduce their risk of cyberattacks, breaches, and regulatory fines.

**Updates to Legacy Systems**

Legacy systems are inherently risky, as outdated software and hardware are not receiving regular security updates. Assess your legacy systems for vulnerabilities, and plan to invest in upgrades or replacements. If an immediate replacement isn't possible, isolate legacy systems from your shared networks and utilize segmentation to contain threats. 

**Advanced Security Measures **

Once you have a process for regular security reviews and risk assessments in place, and your tech stack is protected from vulnerabilities, implement advanced security measures like encryption and access controls to protect your data and your team's data. 

**Encryption Protocols**

Encryption is a fundamental security measure that protects data at rest and in transit. For data at rest, ensure you are encrypting sensitive information stored on servers, databases, and other storage devices using robust encryption algorithms such as AES-256. For data in transit, encrypting information transmitted over networks using protocols like Transport Layer Security (TLS) is crucial to prevent interception and eavesdropping.

Related:Europol Cracks Down on Holiday DDoS Attacks

**Access Control Systems**

Stringent access controls help to ensure that only authorized personnel can access sensitive information. Multifactor authentication (MFA) is required to access critical systems and data, adding an extra layer of security beyond just passwords.

Role-based access control (RBAC) assigns permissions based on roles within an organization, so that employees have access only to the information necessary for their job functions. Regularly review and update these permissions to reflect changes in roles and responsibilities.

Identifying and mitigating IT infrastructure vulnerabilities, conducting thorough risk assessments, and implementing advanced security measures are critical steps in preventing data breaches. Organizations can significantly enhance their security posture, protect sensitive information, and ensure compliance with regulatory requirements by focusing on these areas. As we look ahead to 2025, remember to remain vigilant and agile: Hackers are constantly evolving, and so too should our security protocols. 

**About the Author**

Founder & CEO, SecurityPal

Pukar C. Hamal is founder and CEO of SecurityPal, an San Francisco-based startup delivering customer assurance — a holistic security framework designed to accelerate enterprise transactions and innovation. Born in a rural village in Nepal and proficient in eight languages, Pukar understands that innovation and economic potential aren't limited to Western "tech hubs," which is why SecurityPal has offices worldwide, including in Kathmandu, Nepal. Pukar’s vision with SecurityPal is to accelerate business growth and innovation by simplifying and securing the customer journey. Trusted by the world's most innovative companies, including OpenAI, MongoDB, Airtable, and Figma, SecurityPal has helped organizations answer nearly 2 million security questions.

Tips for Preventing Breaches in 2025

Infiltrating other nations' telecom networks is a cornerstone of China's geopolitical strategy, and it's having the unintended consequence of driving the uptake of encrypted communications.

Source: Ar\_TH via Shutterstock

While the US government and at least eight telecommunications firms struggle to defend their networks against the China-sponsored Salt Typhoon group, other nations' telecommunications firms have often been primary targets for advanced persistent threats (APTs) as well.

In 2023, China-linked group Earth Estries — which may overlap with Salt Typhoon — compromised telecommunications firms in the Asia-Pacific (APAC) and the Middle East and North Africa (MENA) regions, as well as the US. In 2022, a Chinese APT group alternatively known as Daggerfly and Evasive Panda infected systems at a telecommunications organization in Africa, installing a backdoor tool known as MgBot. And earlier this year, Chinese APT group Volt Typhoon targeted Singapore's largest telco, Singtel, with attacks, although the company denies any of the probes were successful.

China has made infiltrating other nations' networks a foundation of its geopolitical strategy, and other countries — and their citizens — should consider their networks no longer private, says David Wiseman, vice president of secure communications for cybersecurity firm BlackBerry.

"All countries need to assume they are affected," he says. "The impact \[of these attacks are\] operational in that the government can no longer be confident using traditional phone calls and SMS. This is accelerating the usage of 'over the top' encrypted communications applications for official government communications."

Over-the-top (OTT) applications and services are those that are delivered over the Internet, not through traditional telecommunications systems.

US telecommunications firms — including Verizon, AT&T, and T-Mobile — are struggling to clean their networks and prevent two Chinese groups, Salt Typhoon and Volt Typhoon, from persisting in their systems. Earlier this year, Salt Typhoon gained access to some of the telecom systems used to satisfy wiretap requests, while Volt Typhoon has compromised telecommunications and other critical infrastructure to pre-position ahead of possible region conflict.

Telecommunications infrastructure is one of the most attractive targets for nation-state actors, because they affect all facets of a country's economy and provide in-depth data on its citizens, says Chris Henderson, senior director of threat operations at Huntress, a threat-intelligence firm.

"As telecommunication companies have grown from managing landline infrastructure to being one of the most data-rich organizations, their attractiveness to both for-profit groups and state-sponsored espionage has also grown," he says, adding that they "know more about you than arguably any other organization — they understand where you have been physically located, who you are speaking with, and for how long."

**From Singapore to India and Beyond**

China has long focused on the telecommunication firms of its regional rivals. In 2014, for example, the government of India accused Chinese equipment maker Huawei of hacking the state-owned Bharat Sanchar Nigam Limited (BSNL), after that firm used another Chinese service provider, ZTE, to provision its lines.

In 2023, an investigation by cybersecurity firm Trend Micro found that China-linked Earth Estries targeted at least 20 telecommunications and other infrastructure providers across Southeast and South Asia, South Africa, and Brazil, using a cross-platform backdoor.

Every country should act to defend their telecommunications infrastructure, says BlackBerry's Wiseman. While the success of attacks on Singapore, India, and the US are among the few that have become public, other companies are likely breached and still not aware, he says.

Organizations and citizens should no longer assume that their communications are safe, Wiseman says.

"General harvesting of communication records to build out a continual understanding of changes in command-and-control networks is a key thing that can be done," he says. "More concerning is that since the voice calls of specific people can be listened to along with reading of the SMS messages, there is the potential for more advanced communications manipulation."

**A Boost for Encryption**

The Salt Typhoon attacks may push citizens — and possibly their governments — toward greater use of encryption. While the trend has been for authoritarian governments and security agencies — such as law enforcement and internal security groups — to argue for less encryption, or at least backdoors into encrypted systems, the global attacks on telecommunications technology demonstrate that even nations with well-considered, strict privacy laws are not safe havens, says Gregory Nojeim, senior counsel and director of the security and surveillance project at the Center for Democracy and Technology, a digital-rights group.

"Greater geopolitical tension breeds greater geopolitical incentive to gain access to other countries' communications and that will also incentivize the adoption and use of encryption," Nojeim says. "Hopefully, it will also incentivize the protection of encryption against proposals that would weaken it."

In the US, government agencies such as the FBI have argued for law-enforcement backdoors into telecommunications networks and are calling for workers and citizens to use stronger encryption.

Meanwhile, telecommunications providers — whether private or state-owned — should focus more heavily on security, and their citizens should also adopt encrypted services, BlackBerry's Wiseman says. "Many countries realized this earlier than the US \[and\] started widespread adoption of end-to-end app-based encrypted communications sooner," he says. "The earliest movers were countries that did not have the same level of controls over their telecom network supply chains as the more developed countries."

Most countries in the Global South score lower on rankings of Internet privacy than their peers in North America, Europe, and East Asia. However, lower privacy rights can mean citizens are more likely to use encrypted services, says CDT's Nojeim.

"One lesson of Salt Typhoon is that people who live in democracies can't comfort themselves that their own government won't listen in absent a good reason," he says. "Now they have to be concerned about foreign governments listening in, and the way to prevent that, again, is to use an encrypted service."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Governments, Telcos Ward Off China's Hacking Typhoons

As part of the commitment to CISA's Secure by Design pledge, Snowflake will begin blocking sign-ins using single-factor authentication next year.

NEWS BRIEF

Snowflake has announced a new authentication policy that will require all customers to enable multifactor authentication (MFA) on their accounts by November 2025 or risk having their access blocked.

The three-phase policy change comes after Snowflake's recent decision to enable MFA by default on all new accounts.

"MFA will be enforced by default for all human users in any Snowflake account created as of October 2024," Snowflake's Anoosh Saboori and Brad Jones wrote back in September.

In the first phase, planned for April, human users on accounts without a customized authentication policy will be required to enroll in MFA the next time they sign into Snowflake.

The second phase, in August, will require MFA for all password-based sign-ins for human users. This requirement will apply regardless of any custom authentication policy in place on the account.

In the final phase, Snowflake will block all password-based sign-in attempts using single-factor authentication. While the previous two phases focused on human users, this phase will also apply to service accounts using programmatic access.

Snowflake customers must make the necessary changes before November. Snowflake has created guides to help organizations with the migration. There is also a Threat Intelligence scanner package available on Snowflake's Trust Center that can scan accounts to identify users who do not have MFA enabled and are at risk of losing access.

The spree of attacks targeting Snowflake customers earlier this year was a result of poor hygiene and the lack of MFA. More than 165 organizations were impacted, such as Neiman Marcus, Ticketmaster, and AT&T. A significant volume of customer data has been stolen, and several victims were hit with subsequent extortion attempts.

**About the Author**

Snowflake Rolls Out Mandatory MFA Plan

FCC Chairwoman Jessica Rosenworcel recommended "urgent action" to safeguard the nation's communications systems from real and present cybersecurity threats.

Source: Asharkyu via Shutterstock

NEWS BRIEF

In the wake of recent cyberattacks against US communications companies by foreign actors, the Federal Communications Commission (FCC) has proposed new cybersecurity rules on how telecommunication companies should secure their networks. 

"The cybersecurity of our nation's communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said FCC Chairwoman Jessica Rosenworcel in a statement last week. "As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses." 

Under the proposed requirements, which has been shared as a Declaratory Ruling with the other members of the commission, telecommunications carriers would need to secure their networks from unlawful access or interception of communications and to submit annual certifications to FCC confirming that they have created, updated, and implemented a cybersecurity risk management plan to fortify their defenses against future attacks. The proposal focuses on a "modern framework to help companies secure their networks," Rosenworcel said.

"The FCC is creating a forcing function to prioritize risk management and cybersecurity, which will also drive modernization in a lot of useful ways," said Trey Ford, chief information security officer at Bugcrowd, in an emailed statement. "The FCC will appreciate the challenges that Corporate Directors and the SEC have been wrestling with - how inventory, score, and treat cyber risks - and the challenges in communicating what needs done, when, and how."

The Chinese-state sponsored hacker group Salt Typhoon hit several Internet service provider networks in the US earlier this year, compromising targets at organizations including Verizon, AT&T, and Lumen. The carriers have not yet successfully evicted the attackers from their networks, and the intelligence community is still trying to determine the scope and impact of the attacks.

In what is considered one of the largest, most egregious cyberattacks, a large number of call records, including phone numbers, call types and duration, have been compromised. Salt Typhoon also intercepted the calls and messages of government officials and politicians. 

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance with the National Security Agency and the FBI to the telecom industry on how to handle the threat. The new guidance includes best practices and recommendations on quickly detecting threat activity, improving visibility, reducing existing vulnerabilities, and limiting the attack surface. It also highlighted ways to harden Cisco network gear. 

After a classified briefing in the Senate, Sen. Ron Wyden introduced legislation this week to require the FCC, along with CISA and the Director of National Intelligence, to create specific digital security standards designed to prevent unauthorized interceptions. The proposed bill would require telecoms to conduct annual tests of the safety measures, work to patch any uncovered vulnerabilities, and tap an outside auditor to carry out yearly assessments of compliance with the cybersecurity rules. With Congress poised for recess soon, it is unclear whether there will be any immediate action on this legislation.

If the FCC proposal is adopted, the Declaratory Ruling would take effect immediately. The draft Notice of Proposed Rulemaking would seek comment on cybersecurity risk management requirements and on additional ways to strengthen the cybersecurity posture of communications systems and services.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

FCC Proposes New Cybersecurity Rules for Telecoms

The zero-day (CVE-2024-49138), plus a worryingly critical unauthenticated RCE security vulnerability (CVE-2024-49112), are unwanted gifts for security admins this season.

Source: Zoonar GmbH via Alamy Stock Photo

A Windows zero-day security vulnerability under active exploit leads Microsoft's December 2024 Patch Tuesday security update, which hardly constitutes a sleigh of festive tidings for security admins: A stocking stuffed with 71 patches.

The tech giant unwrapped CVEs in Windows and Windows Components, Office and Office Components, SharePoint Server, Hyper-V, Defender for Endpoint, and System Center Operations Manager.

This year's holiday-season entry brings the total number of patches for the year to 1,020, Redmond's second-most voluminous year for fixes after 2020's 1,250. Out of this month's CVEs, 16 are rated as critical.

**Windows CLFS Zero-Day Allows Privilege Escalation**

The actively exploited bug is tracked as CVE-2024-49138 (CVSS 7.8), a moderate-severity flaw in the Windows Common Log File System (CLFS) Driver.

“CLFS is a logging service that supports user and kernel-mode operations,” explained Henry Smith, senior security engineer at Automox, in an emailed analysis. "While the details are still limited, the root cause likely ties back to improper data validation. … Early indicators suggest that attackers might exploit this bug by using Windows APIs to manipulate log files or corrupt log data, triggering the vulnerability."

The potential impact is substantial, he added, given that an exploit leads to SYSTEM-level privileges on Windows Server. When paired with a remote code execution (RCE) bug, it's a perfect recipe for completely taking over a PC.

Related:Microsoft NTLM Zero-Day to Remain Unpatched Until April

Satnam Narang, senior staff research engineer at Tenable, noted via email that ransomware operators in particular have "developed a penchant for exploiting CLFS elevation-of-privilege flaws over the last few years."

He noted, "unlike advanced persistent threat (APT) groups that typically focus on precision and patience, ransomware operators and affiliates are focused on the smash-and-grab tactics by any means necessary. By using elevation-of-privilege flaws like this one in CLFS, ransomware affiliates can move through a given network in order to steal and encrypt data and begin extorting their victims."

**Critical Remote-Code Execution Vulnerabilities in LDAP, Hyper-V, RDP**

The critical-severity CVE-2024-49112 (CVSS 9.8) is perhaps the most concerning CVE in this month's stocking of misery. It's an unauthenticated RCE issue in the Windows Lightweight Directory Access Protocol (LDAP).

According to Dustin Childs at the Zero Day Initiative (ZDI), cyberattackers can exploit the bug to compromise Domain Controllers by sending a specially crafted set of LDAP calls.

Related:Microsoft Expands Access to Windows Recall AI Feature

"Code execution occurs at the level of the LDAP service, which is elevated, but not SYSTEM," Childs wrote in a blog post on Dec. 10. "Microsoft provides some … interesting mitigation advice. They recommend disconnecting Domain Controllers from the Internet. While that would stop this attack, I'm not sure how practical that would be for most enterprises. I recommend testing and deploying the patch quickly."

Another critical RCE vulnerability to address quickly is CVE-2024-49117 (CVSS 8.8) in Windows Hyper-V. An exploit would allow someone on a guest virtual machine (VM) to execute code on the underlying host OS, or perform a cross-VM attack.

"The good news here is that the attacker does need to be authenticated," Childs noted. "The bad news is that the attacker only requires basic authentication — nothing elevated. If you are running Hyper-V or have hosts on a Hyper-V server, you'll definitely want to get this patched quickly."

A total of nine critical bugs affect Windows Remote Desktop Services, with one (CVE-2024-49132, CVSS 8.1) allowing RCE by exploiting a use-after-free memory condition.

"The exploit requires precise timing, making it an advanced attack," Ryan Braunstein, security manager at Automox, said via email. "Specifically, if a user connects through the Remote Desktop Gateway role, an attacker could intentionally trigger the use-after-free scenario. Successfully exploited, this vulnerability can allow attackers to execute their code remotely, gaining control of the system."

Related:Open Source Security Priorities Get a Reshuffle

That means exploitation is on the difficult side, but Braunstein cautioned that "over time, it's likely that cyberattackers develop tools that simplify the attack process. Until then, there are no effective workarounds, making immediate patching your best chance to mitigate this risk."

There are also eight other critical vulnerabilities that rate 8.1 on the CVSS scale in Remote Desktop Services, including five other UAF bugs (CVE-2024-49115, CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, and CVE-2024-49128); CVE-2024-49123, which involves sensitive data storage in improperly locked memory; CVE-2024-49120, an insecure default variable initialization flaw; and CVE-2024-49119, arising from improper resource handling during RDP sessions.

"These vulnerabilities underscore persistent issues in RDP components, including memory management, timing, and operational handling," said Mike Walters, president and co-founder of Action1, via email. “\[With\] varied root causes, \[it shows that\] attackers can exploit different facets of RDP services. Organizations should avoid exposing RDP services to the global Internet and implement robust security controls to mitigate risks. These flaws further prove the dangers of leaving RDP open and unprotected."

**Other December 2024 Security Vulnerabilities to Patch Now**

Security experts also flagged two other bugs for security admins to add to their holiday checklists, including an EoP vulnerability in the Windows Resilient File System (ReFS).

Resilient File System (ReFS) is a file system designed for enhanced scalability and fault tolerance for virtualization environments, databases, and backups. It offers data resilience, storage efficiency, and improved performance.

"CVE-2024-49093 (CVSS 8.8) revolves around a scope change that allows an attacker to elevate privileges from a low-privilege app container environment," explained Seth Hoyt, senior security engineer at Automox, via email. "Normally, app containers are designed to limit a process's ability to access files, memory, and other resources. Exploiting this vulnerability enables attackers to escape those confines, gaining broader system-level access. This means they can interact with files, processes, and memory previously out of reach."

From there, cyberattackers could move laterally across the environment, he added.

The final lump of coal called out by researchers this month is an RCE vulnerability in Musik (CVE-2024-49063), a research project on AI-created music.

“We've been wondering what bugs in AI would look like, and so far, they look like deserialization vulnerabilities," ZDI's Childs said. "That's what we have here. An attacker could gain code execution by crafting a payload that executes upon deserialization. Neat."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Actively Exploited Zero-Day, Critical RCEs Lead Microsoft Patch Tuesday

The threat actor group recently took credit for a similar attack on Blue Yonder that affected multiple organizations, including Starbucks.

Source: znakki via Shutteratock

Ransomware group "Termite" — which recently claimed supply chain vendor Blue Yonder as a victim — may be behind widespread exploit activity targeting a previously fixed vulnerability in Cleo's LexiCom, VLTransfer, and Harmony file transfer software.

Cleo is currently developing a new patch for the flaw but nothing is currently available for the issue, which means the vulnerability is a zero-day under active attack.

**Widespread Attacks**

The attacks appear to have begun on Dec. 3 and have claimed at least 10 victims across multiple sectors, including consumer products, trucking and shipping, and the food industry, according to researchers at Huntress Labs who are tracking the activity. A search for vulnerable, Internet-exposed Cleo systems suggests that the actual number of victims may be higher, the security vendor said.

Rapid7 also said it had received reports of compromise and post-exploit activity involving the Cleo vulnerability from multiple customers. "File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular," Rapid7 wrote in a blog post on Dec. 10. The company recommended affected organizations take "emergency action" to mitigate risk related to the threat.

More than 4,200 customers from multiple industries such as logistics and transportation, manufacturing, and wholesale distribution use Cleo software for a variety of use cases. Some recognizable names include Brother, New Balance, Duraflame, TaylorMade, Barilla America, and Mohawk Global.

Huntress identified the vulnerability that Termite is targeting as CVE-2024-50623, an unauthenticated remote code execution (RCE) flaw in versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.21. Cleo disclosed the vulnerability in October and urged customers to immediately upgrade affected products to the fixed version 5.8.0.21.

However, the patch appears to have been insufficient, because all previously affected versions of Cleo software, including the patched 5.8.0.21, remain vulnerable to the same CVE, Huntress said. "This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable," Huntress researcher John Hammond wrote. "We strongly recommend you move any Internet-exposed Cleo systems behind a firewall until a new patch is released."

**Working on a Patch**

Cleo has acknowledged the issue and said it plans to issue a new CVE, or identifier, for the bug. In an emailed statement, a company spokesperson described the flaw as a critical issue. The statement noted that Cleo has notified customers about the threat and advised them on how to mitigate exposure till its patch becomes available. "Our investigation is ongoing," the statement said. "Customers are encouraged to check Cleo's security bulletin webpage regularly for updates."

Hammond said Huntress's analysis of the threat actor's post-exploit activity showed the attacker deploying Web shell-like functionality for establishing persistence on compromised endpoints. Huntress also observed the threat actor enumerating potential Active Directory assets with nltest.exe and other domain reconnaissance tools.

In comments to Dark Reading, Huntress director of adversary tactics Jamie Levy says that available evidence points to Termite as the likely perpetrator. Like the victims of the ongoing attacks, Blue Yonder had an instance of Cleo's software open to the Internet, she says. Termite claimed Blue Yonder as one of its victims and appeared to confirm it by publicly listing files belonging to the company, Levy notes.

**The New Cl0p?**

"There have been some rumblings that Termite might be the new Cl0p," Levy says, and data has emerged that appears to substantiate those claims. Also, Cl0p's activities have waned while Termite's activities have increased. Both are operating in similar fashions. "We're not really in the attribution game, but it wouldn't be surprising at all if we are seeing a shift in these ransomware gangs at the moment," Levy says.

Max Rogers, senior director of security operations at Huntress, described the new Cleo zero-day as something that enables easy access to Cleo systems for attackers with the exploit code. "The most effective immediate action is to ensure that affected systems are not accessible from the Internet, which significantly reduces the risk of exploitation."

Rogers additionally recommends that organizations disable the autorun feature in Cleo software to limit the attack surface while waiting for an updated patch. "However, at this time," he says, "the only guaranteed way to protect systems is to make them inaccessible over the Internet until a new patch is out."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading