High-profile security incidents provide examples of how common vulnerabilities can be exploited. If you pay attention, you can learn from others' mistakes.

Source: Alfonso Fabio Iozzino via Alamy Stock Photo

COMMENTARY

The statistics paint a clear picture — over 9,000 cyber incidents were reported in just the first half of 2024, translating to nearly one new attack every single hour.

This escalating risk has pushed cybersecurity to the forefront of business strategy. According to a study by Accenture, 96% of CEOs identified security as essential to their company's growth, prompting continuous investment. Yet, despite these efforts, 74% of them expressed concern about their ability to effectively mitigate or withstand cyberattacks due to the increasing complexity of threats. High-profile security incidents provide examples of common vulnerabilities and highlight strategies for businesses to avoid sophisticated attacks.

**1\. The Importance of Password Policy**

Maintaining a strong password policy is essential for all organizations. A typical policy should mandate a minimum length of eight (better 12) characters, combining letters, numbers, and special symbols. Regularly updating passwords is also a widely accepted practice.

However, experience has shown us that guideline compliance is only one part of the equation. At Sigma Software Group, we emphasize the importance of thoughtful password creation, encouraging our team to steer clear of easily guessable patterns, like "Spring2024!" or "Summer2024!" This proactive mindset helps foster a culture of security awareness, which is crucial for preventing password breaches — an alarming trend that affects individuals and organizations alike.

The damage: A striking example of this vulnerability occurred in 2020 when Dutch ethical hacker Victor Gevers guessed then-candidate Donald Trump's Twitter password on his fifth attempt. The password, "maga2020!" — a nod to Trump's campaign slogan "Make America Great Again" — highlighted a significant security gap. Gevers clarified that his intention wasn't to steal sensitive information but to raise awareness about online security risks. He advocates for stronger online security measures, including complex password protocols, two-factor authentication, and effective password management.

The lesson: By adopting a comprehensive approach to password protection, organizations can significantly mitigate risks and bolster their overall cybersecurity posture.

**2\. Multifactor Authentication Hits Its Limits**

Multifactor authentication (MFA) was once hailed as a major leap forward in security. By requiring additional layers of verification — such as passwords, hardware tokens, or biometric scans — MFA significantly raises the barrier for unauthorized access. However, while MFA adds protection, it is far from infallible.

Consider a scenario where a user loses their phone and laptop simultaneously. Regaining access to critical accounts often involves contacting IT support to verify their identity — an approach that seems secure but has its flaws, as the gaming giant EA Games found out the hard way.

The damage: In July 2021, EA Games suffered a significant breach due to a clever MFA bypass. Hackers used stolen cookies containing an employee's login credentials to infiltrate the company's Slack channel. Impersonating the employee, they contacted IT support, claiming they had lost their phone at a party and needed a new multifactor authentication token. This social engineering tactic worked, granting them access to EA's corporate network.

The outcome was disastrous. The hackers stole 780GB of sensitive data, including the source code for FIFA 21, the Frostbite engine, and various internal development tools. This data has since been sold on underground forums.

The lesson: While EA confirmed that no player data was compromised, the incident exposed the vulnerabilities in its security protocols. EA has since acknowledged the gravity of the breach and has been bolstering its defenses to prevent future occurrences.

**3\. Humans Are Only Human**

Even the most advanced security systems are not immune to vulnerabilities. A seemingly minor mistake can introduce significant risks, regardless of the sophistication of tools or protocols in place.

The damage: A pertinent example comes from Estonia, where engineers implemented best practices while developing national digital identity cards. Unfortunately, errors during this process resulted in critical security flaws affecting over 750,000 cardholders.

These issues primarily stemmed from the card manufacturer, Gemalto. Between 2014 and 2017, Estonian authorities uncovered a major vulnerability in the cryptographic library responsible for private key generation. This flaw created a potential pathway for identity theft, yet Gemalto failed to promptly inform the government. Consequently, Estonian officials had to take emergency measures, suspending the use of digital certificates on the affected cards. This situation led to litigation, resulting in a settlement where Gemalto agreed to pay €2.2 million in compensation.

Additional vulnerabilities arose from ID card management practices. Gemalto generated private keys outside the secure chip and reused the same key across multiple cardholders. This oversight allowed for potential impersonation — although, fortunately, no actual identity misuse was reported. Estonian experts quickly identified and rectified the issue, ensuring that the threat to digital identities remained theoretical.

The lesson: A robust security framework is insufficient on its own; the human element must also be addressed. To mitigate the potential risks associated with human error, organizations should implement strategies that enhance oversight and resilience. This includes providing comprehensive staff training to elevate security awareness, conducting regular security audits of both internal systems and third-party providers, and establishing clear security protocols that empower employees to recognize and address potential security issues.

**In a Nutshell**

A recurring theme in these case studies is the impact of human error. As cybersecurity becomes more complex, shortcuts — such as using simple passwords or bypassing MFA — often create vulnerabilities that attackers exploit.

The primary and biggest challenge in cybersecurity lies in striking a balance between implementing robust security controls and maintaining user convenience.

Cybersecurity is an ongoing process, not a one-time fix. No single tool can offer complete protection, so a multilayered defense approach, where measures complement each other, is the most effective strategy to mitigate risks and stay ahead of evolving threats.

**About the Author**

CISO, Sigma Software Group

Dmytro Tereshchenko is the Chief Information Security Officer at Sigma Software Group, a global tech company and a member of the trade association techUK. He also teaches at Sigma Software University and SET University.

With over 21 years of comprehensive IT experience, including a decade specializing in cybersecurity, Dmytro brings extensive expertise in risk and incident management, secure SDLC, and regulatory compliance. Leveraging his profound software development background and cybersecurity expertise, Dmytro is a crucial member of Sigma Software Group's application security consulting service. In this role, Dmytro and his team help companies assess, develop, and implement tailored application security management systems to maintain and improve the security level of their online services portfolio.

Cybersecurity Lessons From 3 Public Breaches

Hackers are constantly evolving, and so too should our security protocols.

Source: Brain light via Alamy Stock Photo

COMMENTARY

We witnessed some of the largest data breaches in recent history in 2024, with victims including industry titans like AT&T, Snowflake (and, therefore, Ticketmaster), and more. For US businesses, data breaches cost more than $9 million on average, and they cause lasting damage to customer and partner trust. 

Still, a resounding 98% of companies work with vendors that have had a breach. While business leaders have become more cautious in identifying vendors, they're integral to the growth of a business — providing critical goods, services, and technology to support ever-evolving business models and complex supply chains. 

These vendors may never be able to fully guarantee security and peace of mind, so security teams must regularly conduct due diligence measures to make more informed decisions and mitigate risks as much as possible. As businesses plan for the coming year, here are tips for ensuring your data, privacy, and information assets are secured and protected in 2025. 

**Proactive Security Reviews**

Vendors are essential, but relying on them without verifying their security practices is like playing with fire. Conducting regular security reviews will help your team mitigate potential risks before they turn into costly incidents. A security review is a comprehensive analysis of a vendor's ability to protect sensitive data, comply with industry regulations, and respond to potential breaches. Conducting a security review involves evaluating several key areas, such as data encryption, compliance with standards like the European Union's General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA), and incident response protocols.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Ongoing audits and real-time monitoring track a vendor's changing security posture and detect emerging vulnerabilities. Continuous monitoring ensures compliance and proactive threat detection, preventing gaps in security oversight.

The SolarWinds breach, for example, could have been mitigated with better continuous monitoring, which would have detected the malicious software update earlier.

A practical approach is to implement quarterly security assessments for vendors that handle critical infrastructure. These assessments can identify evolving risks, ensuring that a one-time review doesn't leave blind spots in long-term vendor security. 

To streamline assessments, leverage automation tools, vulnerability scanners, and compliance platforms to hand off repetitive tasks, improve accuracy, and save time, ensuring comprehensive reviews without manual bottlenecks. Using AI-driven security tools reduces detection times for vulnerabilities, helping companies address issues faster.

Related:Chinese Cops Caught Using Android Spyware to Track Mobile Devices

Security reviews aren't a complete fail-safe, but they do equip businesses to choose vendors that align with their security postures. With consistent, proactive security reviews, businesses can reduce their risk of cyberattacks, breaches, and regulatory fines.

**Updates to Legacy Systems**

Legacy systems are inherently risky, as outdated software and hardware are not receiving regular security updates. Assess your legacy systems for vulnerabilities, and plan to invest in upgrades or replacements. If an immediate replacement isn't possible, isolate legacy systems from your shared networks and utilize segmentation to contain threats. 

**Advanced Security Measures **

Once you have a process for regular security reviews and risk assessments in place, and your tech stack is protected from vulnerabilities, implement advanced security measures like encryption and access controls to protect your data and your team's data. 

**Encryption Protocols**

Encryption is a fundamental security measure that protects data at rest and in transit. For data at rest, ensure you are encrypting sensitive information stored on servers, databases, and other storage devices using robust encryption algorithms such as AES-256. For data in transit, encrypting information transmitted over networks using protocols like Transport Layer Security (TLS) is crucial to prevent interception and eavesdropping.

Related:Europol Cracks Down on Holiday DDoS Attacks

**Access Control Systems**

Stringent access controls help to ensure that only authorized personnel can access sensitive information. Multifactor authentication (MFA) is required to access critical systems and data, adding an extra layer of security beyond just passwords.

Role-based access control (RBAC) assigns permissions based on roles within an organization, so that employees have access only to the information necessary for their job functions. Regularly review and update these permissions to reflect changes in roles and responsibilities.

Identifying and mitigating IT infrastructure vulnerabilities, conducting thorough risk assessments, and implementing advanced security measures are critical steps in preventing data breaches. Organizations can significantly enhance their security posture, protect sensitive information, and ensure compliance with regulatory requirements by focusing on these areas. As we look ahead to 2025, remember to remain vigilant and agile: Hackers are constantly evolving, and so too should our security protocols. 

**About the Author**

Founder & CEO, SecurityPal

Pukar C. Hamal is founder and CEO of SecurityPal, an San Francisco-based startup delivering customer assurance — a holistic security framework designed to accelerate enterprise transactions and innovation. Born in a rural village in Nepal and proficient in eight languages, Pukar understands that innovation and economic potential aren't limited to Western "tech hubs," which is why SecurityPal has offices worldwide, including in Kathmandu, Nepal. Pukar’s vision with SecurityPal is to accelerate business growth and innovation by simplifying and securing the customer journey. Trusted by the world's most innovative companies, including OpenAI, MongoDB, Airtable, and Figma, SecurityPal has helped organizations answer nearly 2 million security questions.

Tips for Preventing Breaches in 2025

Infiltrating other nations' telecom networks is a cornerstone of China's geopolitical strategy, and it's having the unintended consequence of driving the uptake of encrypted communications.

Source: Ar\_TH via Shutterstock

While the US government and at least eight telecommunications firms struggle to defend their networks against the China-sponsored Salt Typhoon group, other nations' telecommunications firms have often been primary targets for advanced persistent threats (APTs) as well.

In 2023, China-linked group Earth Estries — which may overlap with Salt Typhoon — compromised telecommunications firms in the Asia-Pacific (APAC) and the Middle East and North Africa (MENA) regions, as well as the US. In 2022, a Chinese APT group alternatively known as Daggerfly and Evasive Panda infected systems at a telecommunications organization in Africa, installing a backdoor tool known as MgBot. And earlier this year, Chinese APT group Volt Typhoon targeted Singapore's largest telco, Singtel, with attacks, although the company denies any of the probes were successful.

China has made infiltrating other nations' networks a foundation of its geopolitical strategy, and other countries — and their citizens — should consider their networks no longer private, says David Wiseman, vice president of secure communications for cybersecurity firm BlackBerry.

"All countries need to assume they are affected," he says. "The impact \[of these attacks are\] operational in that the government can no longer be confident using traditional phone calls and SMS. This is accelerating the usage of 'over the top' encrypted communications applications for official government communications."

Over-the-top (OTT) applications and services are those that are delivered over the Internet, not through traditional telecommunications systems.

US telecommunications firms — including Verizon, AT&T, and T-Mobile — are struggling to clean their networks and prevent two Chinese groups, Salt Typhoon and Volt Typhoon, from persisting in their systems. Earlier this year, Salt Typhoon gained access to some of the telecom systems used to satisfy wiretap requests, while Volt Typhoon has compromised telecommunications and other critical infrastructure to pre-position ahead of possible region conflict.

Telecommunications infrastructure is one of the most attractive targets for nation-state actors, because they affect all facets of a country's economy and provide in-depth data on its citizens, says Chris Henderson, senior director of threat operations at Huntress, a threat-intelligence firm.

"As telecommunication companies have grown from managing landline infrastructure to being one of the most data-rich organizations, their attractiveness to both for-profit groups and state-sponsored espionage has also grown," he says, adding that they "know more about you than arguably any other organization — they understand where you have been physically located, who you are speaking with, and for how long."

**From Singapore to India and Beyond**

China has long focused on the telecommunication firms of its regional rivals. In 2014, for example, the government of India accused Chinese equipment maker Huawei of hacking the state-owned Bharat Sanchar Nigam Limited (BSNL), after that firm used another Chinese service provider, ZTE, to provision its lines.

In 2023, an investigation by cybersecurity firm Trend Micro found that China-linked Earth Estries targeted at least 20 telecommunications and other infrastructure providers across Southeast and South Asia, South Africa, and Brazil, using a cross-platform backdoor.

Every country should act to defend their telecommunications infrastructure, says BlackBerry's Wiseman. While the success of attacks on Singapore, India, and the US are among the few that have become public, other companies are likely breached and still not aware, he says.

Organizations and citizens should no longer assume that their communications are safe, Wiseman says.

"General harvesting of communication records to build out a continual understanding of changes in command-and-control networks is a key thing that can be done," he says. "More concerning is that since the voice calls of specific people can be listened to along with reading of the SMS messages, there is the potential for more advanced communications manipulation."

**A Boost for Encryption**

The Salt Typhoon attacks may push citizens — and possibly their governments — toward greater use of encryption. While the trend has been for authoritarian governments and security agencies — such as law enforcement and internal security groups — to argue for less encryption, or at least backdoors into encrypted systems, the global attacks on telecommunications technology demonstrate that even nations with well-considered, strict privacy laws are not safe havens, says Gregory Nojeim, senior counsel and director of the security and surveillance project at the Center for Democracy and Technology, a digital-rights group.

"Greater geopolitical tension breeds greater geopolitical incentive to gain access to other countries' communications and that will also incentivize the adoption and use of encryption," Nojeim says. "Hopefully, it will also incentivize the protection of encryption against proposals that would weaken it."

In the US, government agencies such as the FBI have argued for law-enforcement backdoors into telecommunications networks and are calling for workers and citizens to use stronger encryption.

Meanwhile, telecommunications providers — whether private or state-owned — should focus more heavily on security, and their citizens should also adopt encrypted services, BlackBerry's Wiseman says. "Many countries realized this earlier than the US \[and\] started widespread adoption of end-to-end app-based encrypted communications sooner," he says. "The earliest movers were countries that did not have the same level of controls over their telecom network supply chains as the more developed countries."

Most countries in the Global South score lower on rankings of Internet privacy than their peers in North America, Europe, and East Asia. However, lower privacy rights can mean citizens are more likely to use encrypted services, says CDT's Nojeim.

"One lesson of Salt Typhoon is that people who live in democracies can't comfort themselves that their own government won't listen in absent a good reason," he says. "Now they have to be concerned about foreign governments listening in, and the way to prevent that, again, is to use an encrypted service."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Governments, Telcos Ward Off China's Hacking Typhoons

As part of the commitment to CISA's Secure by Design pledge, Snowflake will begin blocking sign-ins using single-factor authentication next year.

NEWS BRIEF

Snowflake has announced a new authentication policy that will require all customers to enable multifactor authentication (MFA) on their accounts by November 2025 or risk having their access blocked.

The three-phase policy change comes after Snowflake's recent decision to enable MFA by default on all new accounts.

"MFA will be enforced by default for all human users in any Snowflake account created as of October 2024," Snowflake's Anoosh Saboori and Brad Jones wrote back in September.

In the first phase, planned for April, human users on accounts without a customized authentication policy will be required to enroll in MFA the next time they sign into Snowflake.

The second phase, in August, will require MFA for all password-based sign-ins for human users. This requirement will apply regardless of any custom authentication policy in place on the account.

In the final phase, Snowflake will block all password-based sign-in attempts using single-factor authentication. While the previous two phases focused on human users, this phase will also apply to service accounts using programmatic access.

Snowflake customers must make the necessary changes before November. Snowflake has created guides to help organizations with the migration. There is also a Threat Intelligence scanner package available on Snowflake's Trust Center that can scan accounts to identify users who do not have MFA enabled and are at risk of losing access.

The spree of attacks targeting Snowflake customers earlier this year was a result of poor hygiene and the lack of MFA. More than 165 organizations were impacted, such as Neiman Marcus, Ticketmaster, and AT&T. A significant volume of customer data has been stolen, and several victims were hit with subsequent extortion attempts.

**About the Author**

Snowflake Rolls Out Mandatory MFA Plan

FCC Chairwoman Jessica Rosenworcel recommended "urgent action" to safeguard the nation's communications systems from real and present cybersecurity threats.

Source: Asharkyu via Shutterstock

NEWS BRIEF

In the wake of recent cyberattacks against US communications companies by foreign actors, the Federal Communications Commission (FCC) has proposed new cybersecurity rules on how telecommunication companies should secure their networks. 

"The cybersecurity of our nation's communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said FCC Chairwoman Jessica Rosenworcel in a statement last week. "As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses." 

Under the proposed requirements, which has been shared as a Declaratory Ruling with the other members of the commission, telecommunications carriers would need to secure their networks from unlawful access or interception of communications and to submit annual certifications to FCC confirming that they have created, updated, and implemented a cybersecurity risk management plan to fortify their defenses against future attacks. The proposal focuses on a "modern framework to help companies secure their networks," Rosenworcel said.

"The FCC is creating a forcing function to prioritize risk management and cybersecurity, which will also drive modernization in a lot of useful ways," said Trey Ford, chief information security officer at Bugcrowd, in an emailed statement. "The FCC will appreciate the challenges that Corporate Directors and the SEC have been wrestling with - how inventory, score, and treat cyber risks - and the challenges in communicating what needs done, when, and how."

The Chinese-state sponsored hacker group Salt Typhoon hit several Internet service provider networks in the US earlier this year, compromising targets at organizations including Verizon, AT&T, and Lumen. The carriers have not yet successfully evicted the attackers from their networks, and the intelligence community is still trying to determine the scope and impact of the attacks.

In what is considered one of the largest, most egregious cyberattacks, a large number of call records, including phone numbers, call types and duration, have been compromised. Salt Typhoon also intercepted the calls and messages of government officials and politicians. 

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance with the National Security Agency and the FBI to the telecom industry on how to handle the threat. The new guidance includes best practices and recommendations on quickly detecting threat activity, improving visibility, reducing existing vulnerabilities, and limiting the attack surface. It also highlighted ways to harden Cisco network gear. 

After a classified briefing in the Senate, Sen. Ron Wyden introduced legislation this week to require the FCC, along with CISA and the Director of National Intelligence, to create specific digital security standards designed to prevent unauthorized interceptions. The proposed bill would require telecoms to conduct annual tests of the safety measures, work to patch any uncovered vulnerabilities, and tap an outside auditor to carry out yearly assessments of compliance with the cybersecurity rules. With Congress poised for recess soon, it is unclear whether there will be any immediate action on this legislation.

If the FCC proposal is adopted, the Declaratory Ruling would take effect immediately. The draft Notice of Proposed Rulemaking would seek comment on cybersecurity risk management requirements and on additional ways to strengthen the cybersecurity posture of communications systems and services.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

FCC Proposes New Cybersecurity Rules for Telecoms

The zero-day (CVE-2024-49138), plus a worryingly critical unauthenticated RCE security vulnerability (CVE-2024-49112), are unwanted gifts for security admins this season.

Source: Zoonar GmbH via Alamy Stock Photo

A Windows zero-day security vulnerability under active exploit leads Microsoft's December 2024 Patch Tuesday security update, which hardly constitutes a sleigh of festive tidings for security admins: A stocking stuffed with 71 patches.

The tech giant unwrapped CVEs in Windows and Windows Components, Office and Office Components, SharePoint Server, Hyper-V, Defender for Endpoint, and System Center Operations Manager.

This year's holiday-season entry brings the total number of patches for the year to 1,020, Redmond's second-most voluminous year for fixes after 2020's 1,250. Out of this month's CVEs, 16 are rated as critical.

**Windows CLFS Zero-Day Allows Privilege Escalation**

The actively exploited bug is tracked as CVE-2024-49138 (CVSS 7.8), a moderate-severity flaw in the Windows Common Log File System (CLFS) Driver.

“CLFS is a logging service that supports user and kernel-mode operations,” explained Henry Smith, senior security engineer at Automox, in an emailed analysis. "While the details are still limited, the root cause likely ties back to improper data validation. … Early indicators suggest that attackers might exploit this bug by using Windows APIs to manipulate log files or corrupt log data, triggering the vulnerability."

The potential impact is substantial, he added, given that an exploit leads to SYSTEM-level privileges on Windows Server. When paired with a remote code execution (RCE) bug, it's a perfect recipe for completely taking over a PC.

Related:Microsoft NTLM Zero-Day to Remain Unpatched Until April

Satnam Narang, senior staff research engineer at Tenable, noted via email that ransomware operators in particular have "developed a penchant for exploiting CLFS elevation-of-privilege flaws over the last few years."

He noted, "unlike advanced persistent threat (APT) groups that typically focus on precision and patience, ransomware operators and affiliates are focused on the smash-and-grab tactics by any means necessary. By using elevation-of-privilege flaws like this one in CLFS, ransomware affiliates can move through a given network in order to steal and encrypt data and begin extorting their victims."

**Critical Remote-Code Execution Vulnerabilities in LDAP, Hyper-V, RDP**

The critical-severity CVE-2024-49112 (CVSS 9.8) is perhaps the most concerning CVE in this month's stocking of misery. It's an unauthenticated RCE issue in the Windows Lightweight Directory Access Protocol (LDAP).

According to Dustin Childs at the Zero Day Initiative (ZDI), cyberattackers can exploit the bug to compromise Domain Controllers by sending a specially crafted set of LDAP calls.

Related:Microsoft Expands Access to Windows Recall AI Feature

"Code execution occurs at the level of the LDAP service, which is elevated, but not SYSTEM," Childs wrote in a blog post on Dec. 10. "Microsoft provides some … interesting mitigation advice. They recommend disconnecting Domain Controllers from the Internet. While that would stop this attack, I'm not sure how practical that would be for most enterprises. I recommend testing and deploying the patch quickly."

Another critical RCE vulnerability to address quickly is CVE-2024-49117 (CVSS 8.8) in Windows Hyper-V. An exploit would allow someone on a guest virtual machine (VM) to execute code on the underlying host OS, or perform a cross-VM attack.

"The good news here is that the attacker does need to be authenticated," Childs noted. "The bad news is that the attacker only requires basic authentication — nothing elevated. If you are running Hyper-V or have hosts on a Hyper-V server, you'll definitely want to get this patched quickly."

A total of nine critical bugs affect Windows Remote Desktop Services, with one (CVE-2024-49132, CVSS 8.1) allowing RCE by exploiting a use-after-free memory condition.

"The exploit requires precise timing, making it an advanced attack," Ryan Braunstein, security manager at Automox, said via email. "Specifically, if a user connects through the Remote Desktop Gateway role, an attacker could intentionally trigger the use-after-free scenario. Successfully exploited, this vulnerability can allow attackers to execute their code remotely, gaining control of the system."

Related:Open Source Security Priorities Get a Reshuffle

That means exploitation is on the difficult side, but Braunstein cautioned that "over time, it's likely that cyberattackers develop tools that simplify the attack process. Until then, there are no effective workarounds, making immediate patching your best chance to mitigate this risk."

There are also eight other critical vulnerabilities that rate 8.1 on the CVSS scale in Remote Desktop Services, including five other UAF bugs (CVE-2024-49115, CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, and CVE-2024-49128); CVE-2024-49123, which involves sensitive data storage in improperly locked memory; CVE-2024-49120, an insecure default variable initialization flaw; and CVE-2024-49119, arising from improper resource handling during RDP sessions.

"These vulnerabilities underscore persistent issues in RDP components, including memory management, timing, and operational handling," said Mike Walters, president and co-founder of Action1, via email. “\[With\] varied root causes, \[it shows that\] attackers can exploit different facets of RDP services. Organizations should avoid exposing RDP services to the global Internet and implement robust security controls to mitigate risks. These flaws further prove the dangers of leaving RDP open and unprotected."

**Other December 2024 Security Vulnerabilities to Patch Now**

Security experts also flagged two other bugs for security admins to add to their holiday checklists, including an EoP vulnerability in the Windows Resilient File System (ReFS).

Resilient File System (ReFS) is a file system designed for enhanced scalability and fault tolerance for virtualization environments, databases, and backups. It offers data resilience, storage efficiency, and improved performance.

"CVE-2024-49093 (CVSS 8.8) revolves around a scope change that allows an attacker to elevate privileges from a low-privilege app container environment," explained Seth Hoyt, senior security engineer at Automox, via email. "Normally, app containers are designed to limit a process's ability to access files, memory, and other resources. Exploiting this vulnerability enables attackers to escape those confines, gaining broader system-level access. This means they can interact with files, processes, and memory previously out of reach."

From there, cyberattackers could move laterally across the environment, he added.

The final lump of coal called out by researchers this month is an RCE vulnerability in Musik (CVE-2024-49063), a research project on AI-created music.

“We've been wondering what bugs in AI would look like, and so far, they look like deserialization vulnerabilities," ZDI's Childs said. "That's what we have here. An attacker could gain code execution by crafting a payload that executes upon deserialization. Neat."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Actively Exploited Zero-Day, Critical RCEs Lead Microsoft Patch Tuesday

The threat actor group recently took credit for a similar attack on Blue Yonder that affected multiple organizations, including Starbucks.

Source: znakki via Shutteratock

Ransomware group "Termite" — which recently claimed supply chain vendor Blue Yonder as a victim — may be behind widespread exploit activity targeting a previously fixed vulnerability in Cleo's LexiCom, VLTransfer, and Harmony file transfer software.

Cleo is currently developing a new patch for the flaw but nothing is currently available for the issue, which means the vulnerability is a zero-day under active attack.

**Widespread Attacks**

The attacks appear to have begun on Dec. 3 and have claimed at least 10 victims across multiple sectors, including consumer products, trucking and shipping, and the food industry, according to researchers at Huntress Labs who are tracking the activity. A search for vulnerable, Internet-exposed Cleo systems suggests that the actual number of victims may be higher, the security vendor said.

Rapid7 also said it had received reports of compromise and post-exploit activity involving the Cleo vulnerability from multiple customers. "File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular," Rapid7 wrote in a blog post on Dec. 10. The company recommended affected organizations take "emergency action" to mitigate risk related to the threat.

More than 4,200 customers from multiple industries such as logistics and transportation, manufacturing, and wholesale distribution use Cleo software for a variety of use cases. Some recognizable names include Brother, New Balance, Duraflame, TaylorMade, Barilla America, and Mohawk Global.

Huntress identified the vulnerability that Termite is targeting as CVE-2024-50623, an unauthenticated remote code execution (RCE) flaw in versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.21. Cleo disclosed the vulnerability in October and urged customers to immediately upgrade affected products to the fixed version 5.8.0.21.

However, the patch appears to have been insufficient, because all previously affected versions of Cleo software, including the patched 5.8.0.21, remain vulnerable to the same CVE, Huntress said. "This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable," Huntress researcher John Hammond wrote. "We strongly recommend you move any Internet-exposed Cleo systems behind a firewall until a new patch is released."

**Working on a Patch**

Cleo has acknowledged the issue and said it plans to issue a new CVE, or identifier, for the bug. In an emailed statement, a company spokesperson described the flaw as a critical issue. The statement noted that Cleo has notified customers about the threat and advised them on how to mitigate exposure till its patch becomes available. "Our investigation is ongoing," the statement said. "Customers are encouraged to check Cleo's security bulletin webpage regularly for updates."

Hammond said Huntress's analysis of the threat actor's post-exploit activity showed the attacker deploying Web shell-like functionality for establishing persistence on compromised endpoints. Huntress also observed the threat actor enumerating potential Active Directory assets with nltest.exe and other domain reconnaissance tools.

In comments to Dark Reading, Huntress director of adversary tactics Jamie Levy says that available evidence points to Termite as the likely perpetrator. Like the victims of the ongoing attacks, Blue Yonder had an instance of Cleo's software open to the Internet, she says. Termite claimed Blue Yonder as one of its victims and appeared to confirm it by publicly listing files belonging to the company, Levy notes.

**The New Cl0p?**

"There have been some rumblings that Termite might be the new Cl0p," Levy says, and data has emerged that appears to substantiate those claims. Also, Cl0p's activities have waned while Termite's activities have increased. Both are operating in similar fashions. "We're not really in the attribution game, but it wouldn't be surprising at all if we are seeing a shift in these ransomware gangs at the moment," Levy says.

Max Rogers, senior director of security operations at Huntress, described the new Cleo zero-day as something that enables easy access to Cleo systems for attackers with the exploit code. "The most effective immediate action is to ensure that affected systems are not accessible from the Internet, which significantly reduces the risk of exploitation."

Rogers additionally recommends that organizations disable the autorun feature in Cleo software to limit the attack surface while waiting for an updated patch. "However, at this time," he says, "the only guaranteed way to protect systems is to make them inaccessible over the Internet until a new patch is out."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Termite' Ransomware Likely Behind Cleo Zero-Day Attacks

Because the streaming service website offers no content restrictions, attackers are able to hijack and manipulate live streams.

Source: Norman Pogson via Alamy Stock Photo

NEWS BRIEF

Deepfakes are becoming a threat to recordings and live video streams of Scottish Parliamentary proceedings.

Scottish Parliament TV is a website providing livestreaming services and archived recordings from the Debating Chamber and committee rooms to the public masses. The website contains no content restrictions, allowing users to download streaming video clips in real time. The licensing to reuse the material is also relatively broad.

The Scottish Parliament was one of the first legislatures to allow this kind of public access to its proceedings, but with the transparency comes major cybersecurity risks according to Ben Collier of the Scottish Centre for Crime and Justice Research (SCCJR) and the University of Edinburgh, adding they "could threaten public trust in democracy."

Researchers at the University of Edinburgh and SCCJR have identified three key threats that the Scottish Parliament faces when it comes to deepfakes: attackers hijacking a live stream by breaking into the network and chain of video and intercepting the data, showing viewers a manipulated video on the live stream rather than the true version; threat actors creating deepfake videos of Parliament and distributing them via social media channels for wider dissemination; and, lastly, using the parliamentary video archive provide training resources to AI for creating malicious materials to target members of the Scottish Parliament.

There are currently no processes put in place by the Scottish Parliament to prevent such attacks, but the researchers laid out several solutions to help mitigate these threats, such as developing an intervention and reporting plan, implementing more authentication checks, and creating a communications team with the broadcasting unit to support any Parliament members that are targeted.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Scottish Parliament TV at Risk From Deepfakes

The Nemesis and ShinyHunters attackers scanned millions of IP addresses to find exploitable cloud-based flaws, though their operation ironically was discovered due to a cloud misconfiguration of their own doing.

Source: GK Images via Alamy Stock Photo

Cybercriminal gangs have exploited vulnerabilities in public websites to steal Amazon Web Services (AWS) cloud credentials and other data from thousands of organizations, in a mass cyber operation that involved scanning millions of sites for vulnerable endpoints.

Independent cybersecurity researchers Noam Rotem and Ran Locar of the loosely organized research group CyberCyber Labs uncovered the operation in August, and reported it to vpnMentor, which published a blog post on Dec. 9 about their findings. Attackers appear to be connected to known threat groups Nemesis and ShinyHunters, the latter of which is probably best known for a cloud breach earlier this year that stole data from half a million Ticketmaster customers.

“Both of these 'gangs' represent a technically sophisticated cybercriminal syndicate that operates at scale for profit and uses their technical skills to identify weaknesses in controls from enterprises migrating to cloud computing without fully understanding the complexity of services nor the controls offered in cloud computing," notes Jim Routh, chief trust officer at Saviynt, a cloud identity and security management firm.

Ironically, however, the researchers discovered the operation when the French-speaking attackers committed a cloud-based faux pas of their own — they stored some of the data harvested from the victims in an AWS Simple Storage Service (S3) bucket that contained 2TB of data and was left open due to a misconfiguration by its owner, according to the post.

Related:Attackers Can Use QR Codes to Bypass Browser Isolation

"The S3 bucket was being used as a 'shared drive' between the attack group members, based on the source code of the tools used by them," the vpnMentor research team wrote in the post.

Among the data stolen in the operation included infrastructure credentials, proprietary source code, application databases, and even credentials to additional external services. The bucket also included the code and software tools used to run the operation, as well thousands of keys and secrets lifted from victim networks, the researchers said.

**Two-Part Attack Sequence**

The researchers ultimately reconstructed a two-step attack sequence of discovery and exploitation. Attackers began with a series of scripts to scan vast ranges of IPs belonging to AWS, looking for "known application vulnerabilities as well as blatant mistakes," according to the vpnMentor team.

Attackers employed the IT search engine Shodan to perform a reverse lookup on the IP addresses, using a utility in their arsenal to get the domain names associated with each IP address that exists within the AWS ranges to expand their attack surface. In an effort to further extend the domains list, they also analyzed the SSL certificate served by each IP to extract the domain names associated with it.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

After determining the targets, they began a scanning process, first to find exposed generic endpoints and then to categorize the system, such as Laravel, WordPress, etc. Once this was done, they would perform further tests, attempting to extract database access information, AWS customer keys and secrets, passwords, database credentials, Google and Facebook account credentials, crypto public and private keys (for CoinPayment, Binance, and BitcoinD), and more from product-specific endpoints.

"Each set of credentials was tested and verified in order to determine if it was active or not," according to the post. "They were also written to output files to be exploited at a later stage of the operation."

When exposed AWS customer credentials were found and verified, the attackers also tried to check for privileges on key AWS services, including: identity and access management (IAM), Simple Email Service (SES), Simple Notification Service (SNS), and S3.

**Cyberattacker Attribution & AWS Response**

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The researchers tracked the perpetrators via tools used in the operation, which "appear to be the same" as those used by ShinyHunters. The tools are documented in French and signed by "Sezyo Kaizen," an alias associated with Sebastien Raoult, a ShinyHunters member who was arrested and pleaded guilty to criminal charges earlier this year.

The researchers also recovered a signature used by the operator of a Dark Web market called "Nemesis Blackmarket," which focuses on selling stolen access credentials and accounts used for spam.

The researchers, who work out of Israel, reported their findings to the Israeli Cyber Directorate in early September, and then notified AWS Security in a report sent on Sept. 26. The company immediately took steps to mitigate the impact and alert affected customers of the risk, according to vpnMentor.

Ultimately, the AWS team found that the operation targeted flaws present on the customer application side of the shared responsibility cloud model and did not reflect any fault of AWS, which the researchers said they "fully agree with." The AWS security team confirmed they completed their investigation and mitigation on Nov. 9 and gave the researchers the green light to disclose the incident.

**How to Secure the Cloud IT Footprint**

Some steps organizations can take to avoid a similar attack against their respective cloud environments include making sure hardcoded credentials are never present in their code or even in their filesystem, where they might be accessed by unauthorized parties.

Organizations also should conduct simple Web scans using open source tools like "dirsearch" or  "nikto," which are often used by lazy attackers to identify common vulnerabilities. This will allow them to find holes in their environment before a malicious actor does, the researchers noted.

A Web application firewall (WAF) also is a relatively low-cost solution to block malicious activity, and it's also worthwhile to "roll" keys, passwords, and other secrets periodically, they said. Organizations also can create CanaryTokens in their code in secret places, the researchers noted, which act as tripwires to alert administrators that an attacker may be poking around where they shouldn't be.

Routh says the incident also provides a learning opportunity for organizations which, when presented with new technology options, should adjust and design cyber controls to achieve resilience rather than go with conventional control methods.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cybercrime Gangs Abscond With Thousands of AWS Credentials

The software supply chain is a growing target, and organizations need to take special care to safeguard it.

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY

In 2011, Marc Andreessen coined a phrase we're now all familiar with: "Software is eating the world." More than 13 years later, the expression still rings true. The world runs on software, and each day it continues to transform industries and fuel the global economy. Companies are generating more software — faster than ever before — in order to keep up in today's dynamic and ultracompetitive business landscape.

Innovation is a beautiful thing, but the increased volume and velocity with which software is being built and delivered creates more opportunities for something to go wrong in the software supply chain. Over the past decade, we've seen this happen time and time again.

Around this time last year, Okta disclosed that it had experienced a significant security breach, where bad actors gained access to private customer data through its support management system, highlighting the dangers of third-party risk. In 2020, the SolarWinds platform update mechanism was compromised and used to send malicious software that impacted more than 18,000 of its customers. And back in 2017, Equifax suffered a massive breach due to a failure to patch a known security flaw in its software.

This is just a small sampling of the types of software supply chain attacks that have plagued organizations over the past decade. Unfortunately, these attacks show no signs of slowing down — quite the opposite, actually.

Research indicates software supply chain attacks are occurring at a rate of one successful attack every two days, and Gartner predicts that by 2025, 45% of organizations will have experienced a software supply chain attack. Alarmingly, one report found that there has been a staggering 742% increase in these attacks over the past three years.

The uptick in software supply chain attacks can be attributed to a combination of several factors. Often, organizations simply don't realize the breadth of their exposure. As software shops move toward more sophisticated software delivery and consumption models (e.g., continuous integration/continuous delivery \[CI/CD\] and cloud), their supply chains become more vulnerable. Additionally, typical attack vectors have become increasingly difficult to exploit (thanks to vendors incorporating more sophisticated security measures into platforms and software), which has forced bad actors to uncover new vulnerabilities and become more creative in their attacks. More recently, the spike in adoption of generative AI (GenAI) tools like coding assistants has created new and difficult-to-monitor security gaps. At the same time, attackers are leveraging GenAI themselves to carry out more sophisticated attacks at a higher volume.

Enterprises must urgently find a balance between creating and releasing high-quality software quickly, while upholding a high level of security at each link in the software supply chain.

Here's how they can maintain security without impeding innovation:

**Thoroughly Vet Vendors on an Ongoing Basis (and Treat GenAI Tools With the Same Level of Scrutiny)**

If anything can be learned from Okta's breach, it's that third-party vendors must be carefully vetted if they're to be trusted with private customer data and other sensitive information. Too often, development shops assume that the third-party code they consume is a black box.

Organizations need to look at each vendor's software bill of materials (SBOMs) so they're aware of any open source or third-party components of their code and can therefore identify possible vulnerabilities. They should also assess the vendor's track record for security and review its policies, procedures, and certifications.

Vetting vendors shouldn't be a box the organization checks at the beginning of their engagement and then forgets about. The vetting process must be ongoing: Organizations should continually be asking questions and keeping a pulse on the vendor's new offerings, policies, compliance certifications, and more.

Of note, GenAI tools should be subjected to the same level of scrutiny as third-party vendors. Organizations need visibility into how the large language model (LLM) works, what data it was trained on, whether the model is open or closed, and how user inputs and generated content are collected and used. They'll also need to assess the accuracy and quality of the code the LLM generates, as well as have a plan in place to mitigate any inaccurate or buggy code it produces.

**Consume Open Source Projects Carefully**

Open source projects are critical for rapid development and innovation, but organizations need to be very careful about how they consume open source code. Last year alone, researchers found 245,032 malicious packages in open source projects available for public download. Open source repositories are a prime target for bad actors, who can wreak havoc by attacking a single package that, in turn, impacts an entire ecosystem of companies and their customers.

Organizations should use code only from open source projects that adhere to strict compliance frameworks, such as the OpenSSF Scorecard, System Package Data Exchange (SPDX), and OpenVEX. This ensures they have visibility into the security hygiene of the project before they borrow its code. Additionally, organizations should adopt a software composition analysis (SCA) solution and have a plan in place to address any open source vulnerabilities, should they emerge.

**Evaluate the Security of Your Entire Software Delivery Process**

There's no silver bullet for securing the software supply chain. Organizations must diligently evaluate the security of each step of the software delivery process — including design, development, testing, deployment, maintenance, and beyond.

By infusing security measures throughout the CI/CD pipeline, companies can identify and remediate vulnerabilities early in the development process so they don't lead to a full-blown breach down the line. They can accomplish this through automated security solutions that flag potential issues and source composition analysis (SCA) tools that scan code for known vulnerabilities, and by implementing source code access controls to prevent unauthorized access.

The security cat-and-mouse game is never over. As the industry works diligently to expand its knowledge and strengthen security, attackers are just as hard at work planning and carrying out nefarious activities. The software supply chain is a growing target, and organizations need to take special care to safeguard it. By carefully vetting vendors, mindfully consuming open source, and securing the entire software delivery process, organizations can strike a balance between driving innovation and maintaining software supply chain security.

**About the Author**

Chief Architect Officer, Apiiro

Eldan Ben-Haim has a proven track record in technology leadership, with 25 years of experience in software development, many of them in cybersecurity. Currently CAO atApiiro, he previously served as CTO at Transmit Security and prior to that held the position of vice president of R&D at Trusteer, a cybersecurity company acquired by IBM.

Source

DARKReading