December Cybersecurity News Roundup: Key Highlights and Updates

WordPress Breach

  • Malicious GitHub Repository: A now-removed repository pretending to offer a WordPress tool facilitated the theft of over 390,000 credentials.
    • Attack Tactics: The threat actor, identified as MUT-1244, used phishing campaigns and trojanized repositories with fake proof-of-concept code.
    • Stolen Data: Sensitive credentials such as SSH private keys and AWS access keys were exfiltrated, posing serious risks to affected users.
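
Since the stolen material in this campaign was SSH private keys and AWS access keys, the practical follow-up is a quick sweep of any checkout (or your home directory) for exactly those artifacts before or after running code from an untrusted repository. The scanner below is an added example written for this roundup, not code from the MUT-1244 reports or from any tool named on this page; the directory layout, file names and credential strings built in demo() are constructed for illustration, and the AWS values use the documented placeholder format rather than live keys.

```python
import os
import re
import tempfile
from pathlib import Path

# Credential types the page says were exfiltrated.
# AWS access key IDs: fixed 4-letter prefix (AKIA long-term, ASIA temporary/STS)
# followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# AWS secret keys are 40 base64-ish characters; only trusted when they sit next to
# an aws_secret_access_key assignment, otherwise the pattern is far too noisy.
AWS_SECRET = re.compile(
    r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})", re.I
)
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA |)PRIVATE KEY-----")

SKIP_DIRS = {".git", "node_modules", "vendor"}


def scan_text(text):
    """Return a list of (kind, value) findings for one file's contents."""
    findings = []
    for m in AWS_KEY_ID.finditer(text):
        findings.append(("aws_access_key_id", m.group(0)))
    for m in AWS_SECRET.finditer(text):
        # Report a fingerprint, never the full secret, so output is safe to share.
        findings.append(("aws_secret_access_key", m.group(1)[:4] + "..."))
    for m in PRIVATE_KEY.finditer(text):
        findings.append(("private_key", m.group(0)))
    return findings


def scan_tree(root):
    """Walk a directory tree; return {relative_path: findings} for files with hits."""
    root = Path(root)
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable or special file; skip rather than abort the sweep
            hits = scan_text(text)
            if hits:
                results[str(path.relative_to(root))] = hits
    return results


def demo():
    """Build a constructed sample tree (placeholder credentials, not real ones) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".aws").mkdir()
        (root / ".aws" / "credentials").write_text(
            "[default]\n"
            "aws_access_key_id = AKIAEXAMPLEEXAMPLE01\n"
            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        )
        (root / ".ssh").mkdir()
        (root / ".ssh" / "id_ed25519").write_text(
            "-----BEGIN OPENSSH PRIVATE KEY-----\n"
            "b3BlbnNzaC1rZXktdjEAAAAABG5vbmU=\n"
            "-----END OPENSSH PRIVATE KEY-----\n"
        )
        (root / "README.md").write_text("Nothing sensitive here.\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

scan_tree(Path.home()) sweeps a whole home directory; secrets are emitted as fingerprints so the report can be attached to a ticket without re-leaking them. AKIA/ASIA prefix matches are high-confidence on their own, which is why they are reported in full, while the 40-character secret pattern is only accepted beside an aws_secret_access_key assignment.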

Microsoft Vulnerabilities

  • Office and Excel Flaws:
    • CVE-2024-49059: A privilege escalation vulnerability in Microsoft Office (CVSS 7.0). Exploited through a race condition, it allows attackers to gain SYSTEM-level access under complex conditions.
    • CVE-2024-49069: A remote code execution (RCE) flaw in Microsoft Excel (CVSS 7.8), stemming from a Use After Free issue. Attackers could execute arbitrary code.
    • Microsoft Advisory: Users are urged to install December’s updates to mitigate risks.

Google Updates

  1. Chrome Browser Patches:
    • High-Severity Vulnerabilities: Two memory safety flaws in the V8 JavaScript engine were patched. One researcher was awarded $55,000 for their finding.
  2. Android Security Update:
    • Patches: Addressed 14 vulnerabilities, including an RCE flaw in the System component (CVE-2024-43767). Google emphasized the importance of upgrading to newer Android versions for enhanced security.
  3. Vanir Tool:
    • Purpose: Open-sourced to help Android developers detect and fix missing security patches efficiently.
    • Impact: Aimed at scaling patch management for diverse Android devices with complex update requirements.

Apple Patches

  • Updates: iOS 18.2 and macOS Sequoia 15.2 addressed critical issues across various components, such as Kernel and WebKit.
    • Notable Fix: CVE-2024-45490 in libexpat, which could let a remote attacker crash an app or execute arbitrary code. Apple encouraged users to update their devices promptly.

WordPress Plugin Exploits

  • Vulnerabilities:
    • Hunk Companion (CVE-2024-9707): Allowed unauthenticated attackers to install and activate arbitrary plugins; in observed attacks it was chained with a vulnerable plugin to reach RCE.
    • WP Query Console (CVE-2024-50498): A critical code injection flaw affecting all versions, and the plugin attackers installed through the Hunk Companion bug. The plugin has since been removed from the repository.
  • Recommendations: Administrators should update plugins and review the installed plugin list for anything they did not install themselves.

Ivanti, Atlassian, and Splunk Patches

  • Ivanti:
    • Critical Bugs: A CVSS 10.0 authentication bypass in Cloud Services Application (CSA), plus command injection flaws in CSA and Connect Secure, were fixed.
    • Urgent Updates: Ivanti credited CrowdStrike with reporting the issues and urged customers to apply patches immediately.
  • Atlassian:
    • Fixed high-severity vulnerabilities in Bamboo Data Center, Bitbucket, and Confluence, mostly related to third-party dependencies.
  • Splunk:
    • Resolved multiple vulnerabilities, including a deserialization flaw (CVSS 8.8) in the Secure Gateway app.

Healthcare and Corporate Breaches

  1. Major Incidents:
    • Byte Federal: A GitLab flaw led to the exposure of data from 58,000 individuals.
    • Atrium Health: A breach linked to online tracking affected 585,000 individuals.
    • Chemonics International: A year-old breach exposed data of 260,000 people.
  2. Employee Data Leak:
    • A hacker released over 760,000 employee records from major organizations, including Bank of America and Nokia.

Germany Neutralizes BADBOX Malware

  • Action Taken:
    • The German BSI disrupted the BADBOX operation by sinkholing malicious domains, severing communication with infected devices.
    • Over 30,000 internet-connected devices, preloaded with the malware, were affected.
  • Broader Implications:
    • The malware operation highlighted significant supply chain vulnerabilities and risks posed by compromised devices.

AWS Launches Security Incident Response

  • Features:
    • Automates incident triaging, prioritization, and alert delivery to security teams.
    • Includes a dashboard with metrics like mean time to resolution (MTTR).
    • Integrates with AWS Organizations for centralized event management.

Halcyon Secures $100M Funding

  • Mission: The company aims to combat ransomware with advanced tools and strategies.
  • Valuation: Halcyon is now valued at $1 billion after its Series C funding round, led by Evolution Equity Partners.

Adobe Patches for High-Risk ColdFusion Vulnerability

  • Summary:
    Adobe released updates for a path traversal vulnerability in ColdFusion that lets attackers read arbitrary files on affected systems.
  • Details:
    • Vulnerability: CVE-2024-53961, CVSS 7.4
    • Impact: Arbitrary file read on the server; exposed configuration and credential material can enable further compromise.
    • Affected Versions: ColdFusion 2023 (update 11 and earlier) and ColdFusion 2021 (update 17 and earlier).
    • Mitigation: Update to ColdFusion 2023 update 12 and ColdFusion 2021 update 18.
    • Additional Context: This is similar to a previously patched ColdFusion vulnerability (CVE-2023-26360) that allowed code execution and was exploited against federal systems.

Cisco’s ASA Vulnerability

  • Summary:
    A cross-site scripting (XSS) vulnerability in Cisco Adaptive Security Appliance (ASA) products continues to be exploited.
  • Details:
    • Vulnerability: CVE-2014-2120 (medium severity).
    • Impact: Insufficient input validation on the WebVPN login page lets an attacker who lures a user to a crafted link run script in that user's browser, stealing credentials or delivering malicious content.
    • Exploitation Attempts: Cisco updated its advisory in 2024 after observing further exploitation attempts; the Androxgh0st botnet has been reported targeting the flaw.
    • Mitigation: Cisco urges customers to upgrade to fixed software versions.

Fortinet Patches Severe FortiWLM Flaw

  • Summary:
    Fortinet addressed a critical path traversal flaw in its Wireless Manager (FortiWLM) product.
  • Details:
    • Vulnerability: CVE-2023-34990, CVSS 9.6
    • Impact: Unauthenticated remote attackers could read sensitive files from the appliance.
    • Exploitation: FortiWLM log files record session IDs, so the file read can be used to recover an administrator's session token, hijack the session, and from there execute code.
    • Mitigation: Update to FortiWLM versions 8.6.6 and 8.5.5.

Chrome 131 Memory Bugs Fixed

  • Summary:
    Google released a Chrome 131 update to address several high-severity vulnerabilities, including memory safety issues.
  • Details:
    • Key Vulnerabilities:
      • CVE-2024-12692: Type confusion in V8 JavaScript engine ($55,000 bounty).
      • CVE-2024-12693: Out-of-bounds memory access in V8 ($20,000 bounty).
      • CVE-2024-12694: Use-after-free vulnerability in Compositing.
      • CVE-2024-12695: Out-of-bounds write in V8.
    • Mitigation: Users should update to versions 131.0.6778.204/.205 for Windows/macOS and 131.0.6778.204 for Linux.

Palo Alto Networks Firewall Vulnerability

  • Summary:
    A high-severity vulnerability in PAN-OS software powering Palo Alto firewalls could trigger a denial-of-service (DoS) condition.
  • Details:
    • Vulnerability: CVE-2024-3393
    • Impact: Crafted DNS packets cause firewalls with DNS Security logging enabled to reboot; repeated attacks push the device into maintenance mode.
    • Affected Versions:
      • PAN-OS 11.2 (below 11.2.3), 11.1 (below 11.1.5), 10.2 (below 10.2.8), and 10.1 (below 10.1.14).
    • Mitigation: Update to patched versions immediately.
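
The affected-version list above is easy to misread against a real inventory that contains hotfix builds such as 10.2.7-h3, so here is a small version check that applies the page's thresholds. It is an added example for this roundup, not code from Palo Alto Networks; it assumes PAN-OS versions are written as major.minor.patch with an optional -hN hotfix suffix. It is version-only: it does not know whether DNS Security logging is enabled on a given firewall, and the vendor advisory also lists hotfix-level fixes for some maintenance releases that this check would still flag, so treat a "vulnerable" result as a conservative first pass.

```python
import re

# Fixed releases per PAN-OS train as listed on this page for CVE-2024-3393.
FIXED = {
    "11.2": (11, 2, 3),
    "11.1": (11, 1, 5),
    "10.2": (10, 2, 8),
    "10.1": (10, 1, 14),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version):
    """Parse 'major.minor.patch[-hN]' into (major, minor, patch, hotfix)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_vulnerable(version):
    """True if the version sits on an affected train below its fixed release.
    Returns None for trains the summary above does not cover (e.g. 9.1), so the
    caller can route those to a manual check instead of silently passing them."""
    major, minor, patch, _hotfix = parse_panos(version)
    train = f"{major}.{minor}"
    if train not in FIXED:
        return None
    # A hotfix on a release below the fix line (10.2.7-h3) is still below the fix line;
    # a hotfix on the fixed release itself (11.2.3-h1) is not.
    return (major, minor, patch) < FIXED[train]


def triage(inventory):
    """inventory: {hostname: version}. Returns the sorted hosts that need an upgrade."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {"fw-edge-1": "10.2.7-h3", "fw-edge-2": "11.2.4", "fw-dc-1": "11.1.4"}
    print(triage(sample))
```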

Sophos Patches Critical Firewall Vulnerabilities

  • Summary:
    Sophos released patches for vulnerabilities in Sophos Firewall, including a pre-authentication SQL injection that could lead to remote code execution (RCE).
  • Details:
    • Vulnerability: CVE-2024-12727 (CVSS 9.8)
    • Impact: Exploitation could allow attackers to access the reporting database and execute code. The flaw is reachable when a specific Secure PDF eXchange (SPX) configuration is enabled and the firewall runs in High Availability (HA) mode.
    • Mitigation Steps (the SSH and HA items address a separate weak-credential issue in HA clusters fixed in the same release):
      • Restrict SSH access to the dedicated HA link or disable it.
      • Reconfigure HA with a strong, unique passphrase.
      • Apply the latest patches.

Hackers Exploit Fortinet EMS Vulnerability

  • Summary:
    Threat actors exploited a critical SQL injection flaw in FortiClient EMS to deploy remote access tools.
  • Details:
    • Vulnerability: CVE-2023-48788, CVSS 9.3
    • Impact: Attackers deployed tools like AnyDesk and ScreenConnect.
    • Mitigation: Ensure FortiClient EMS is on a fixed release (7.2.3 or later, or 7.0.11 or later).

Apache Tomcat Servers at Risk

  • Summary:
    A critical vulnerability in Apache Tomcat could lead to remote code execution under specific conditions.
  • Details:
    • Vulnerability: CVE-2024-56337, CVSS 9.8, which completes the incomplete fix for CVE-2024-50379.
    • Impact: A time-of-check/time-of-use (TOCTOU) race in the default servlet on case-insensitive file systems: when writes are enabled (readonly=false), a file uploaded concurrently with a request for it can be treated as a JSP and executed.
    • Mitigation: Update to 11.0.2, 10.1.34, or 9.0.98 or later. On Java 8 or 11 the system property sun.io.useCanonCaches must also be set explicitly to false (its default is true); on Java 17 it must not be set to true; Java 21 and later removed the option.
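
Because the Tomcat issue only bites when the default servlet is writable and, on older JVMs, canonical-path caching is on, the two things to audit are conf/web.xml and the JVM flags. The audit below is an added example for this roundup, not Tomcat project code. The two web.xml fragments are constructed, and canon_caches_ok() encodes the Java 8/11, 17 and 21+ rule on sun.io.useCanonCaches given above.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so Tomcat 9 (javaee) and 10/11 (jakartaee) files both match."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return the effective 'readonly' setting of the DefaultServlet in a web.xml.
    Tomcat's built-in default is true; an explicit readonly=false is the
    precondition for CVE-2024-56337 / CVE-2024-50379."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, params = None, {}
        for child in servlet:
            kind = _local(child.tag)
            if kind == "servlet-name":
                name = (child.text or "").strip()
            elif kind == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pvalue = (p.text or "").strip()
                if pname:
                    params[pname] = pvalue
        if name == "default":
            return (params.get("readonly") or "true").lower() != "false"
    return True  # no override of the default servlet: Tomcat's read-only default applies


def canon_caches_ok(java_major, use_canon_caches=None):
    """Check the sun.io.useCanonCaches requirement from the Tomcat advisory.
    use_canon_caches is the explicitly configured value (True/False) or None if unset."""
    if java_major >= 21:
        return True  # option removed in Java 21+; nothing to configure
    if java_major >= 17:
        return use_canon_caches is not True  # default is false; must not be forced on
    return use_canon_caches is False  # Java 8/11 default to true; must set it to false


# Constructed conf/web.xml fragments (not from a real deployment).
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# Same file with the single risky setting corrected.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>"
)


def audit(web_xml_text, java_major, use_canon_caches=None):
    """Return a list of findings; an empty list means neither precondition is met."""
    findings = []
    if not default_servlet_readonly(web_xml_text):
        findings.append(
            "default servlet has readonly=false: PUT can write files that may be executed as JSPs"
        )
    if not canon_caches_ok(java_major, use_canon_caches):
        findings.append(f"Java {java_major}: sun.io.useCanonCaches must be false")
    return findings


if __name__ == "__main__":
    print(audit(WEAK_WEB_XML, 11))
    print(audit(HARDENED_WEB_XML, 11, use_canon_caches=False))
```

Run audit() against the server's real conf/web.xml and the Java major version from java -version; the property value comes from the JVM options (catalina.sh CATALINA_OPTS or setenv.sh), where -Dsun.io.useCanonCaches=false is what the Java 8/11 branch expects to see.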

CISA Releases Mobile Security Guidance

  • Summary:
    CISA issued best practices to protect mobile communications in response to cyberattacks targeting telecom infrastructure.
  • Recommendations:
    • Use end-to-end encrypted messaging apps (e.g., Signal).
    • Enable Lockdown Mode on iPhones.
    • Use secure DNS services and restrict app permissions.

Apache Traffic Control SQL Injection Vulnerability

  • Summary:
    A SQL injection vulnerability in the Traffic Ops component of Apache Traffic Control lets a user holding one of several privileged roles execute arbitrary SQL against the database via a crafted request.
  • Details:
    • Impact: Unauthorized access to or modification of the database, and potential further compromise of the system.
    • Affected Versions: 8.0.0 through 8.0.1.
    • Mitigation: Update to version 8.0.2 or later.

Cyber Attack Disrupts Japan Airlines’ Flight Operations

  • Summary:
    A DDoS attack disrupted Japan Airlines (JAL) systems, causing delays and ticket sales suspension.
  • Details:
    • Impact: 20+ flight delays and temporary suspension of ticket sales.
    • Resolution: Systems restored, and operations resumed within hours.

Cyberhaven Chrome Extension Compromised

  • Summary:
    Attackers used a compromised administrator account, obtained through phishing, to publish a malicious update to Cyberhaven's Chrome extension.
  • Details:
    • Impact: The malicious version exfiltrated session cookies and authenticated session data from affected browsers.
    • Mitigation: Users should update to version 24.10.5 or newer.

KnowBe4 Hires North Korean Imposter

  • Summary:
    A North Korean operative posed as a software engineer and attempted to deploy malware within minutes of starting at KnowBe4.
  • Details:
    • Detection: Security systems flagged suspicious activity immediately.
    • Response: The compromised workstation was isolated, preventing further breaches.
