November Cybersecurity News Roundup: Key Highlights and Updates

Two-Step Phishing Attack Exploits Microsoft Visio Files and SharePoint

A new advanced phishing technique employs Microsoft Visio files and SharePoint in a two-step attack, representing a sophisticated shift in phishing strategies. Security researchers have observed a surge in these two-step attacks, utilizing Visio files to deceive users, highlighting a significant evolution in phishing tactics. The method exploits users’ confidence in well-known Microsoft tools to circumvent security systems and steal credentials.

How the Attack Works

Researchers from Perception Point provided the following breakdown of the attack flow:

  • Compromised Accounts: Attackers take over email accounts and send phishing messages from legitimate, trusted accounts, making them more likely to pass authentication checks.
  • Email Content: The emails often include attachments like .vsdx files or .eml files (Outlook email messages), disguised as legitimate documents such as proposals or purchase orders.
  • Visio File Delivery: Clicking the link in the email redirects users to a Microsoft SharePoint page hosting the Visio file, which might feature branding from the compromised organization, making it appear credible.
  • Embedded Link in Visio: Within the Visio file, attackers include a link, often presented as a “View Document” button. Users are instructed to press the Ctrl key and click, which helps bypass automated security tools.
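As a defender-side illustration of the flow above, the following Python triage script is an added example (not code from the article or from Perception Point). It checks a message for the indicators listed: .vsdx or .eml attachments, SharePoint-hosted links in the body or in an attached message, and, inside a Visio file, shape hyperlinks and "Ctrl + click" wording. The sample lure, the .vsdx it builds and every domain in it are constructed placeholders.

```python
# Added example (not from the article or Perception Point): flag the indicators
# the article lists in a message, including hyperlinks inside a .vsdx attachment.
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from xml.etree import ElementTree as ET

SHAREPOINT_RE = re.compile(r"https?://[\w.-]*sharepoint\.com/\S+", re.I)
VISIO_NS = "{http://schemas.microsoft.com/office/visio/2012/main}"  # .vsdx page parts


def parse_vsdx(vsdx_bytes):
    """Return shape hyperlinks and shape text from a .vsdx (an OOXML zip).

    Pages live in visio/pages/pageN.xml; a shape's hyperlinks are stored in
    <Section N="Hyperlink"> rows whose Address cell holds the target URL.
    """
    links, texts = [], []
    with zipfile.ZipFile(io.BytesIO(vsdx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("visio/pages/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for text in root.iter(VISIO_NS + "Text"):
                texts.append("".join(text.itertext()).strip())
            for section in root.iter(VISIO_NS + "Section"):
                if section.get("N") != "Hyperlink":
                    continue
                for cell in section.iter(VISIO_NS + "Cell"):
                    if cell.get("N") == "Address" and cell.get("V"):
                        links.append(cell.get("V"))
    return {"links": links, "texts": texts}


def triage_message(raw_eml):
    """Return the indicators found in a raw RFC 822 message, in discovery order."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and SHAREPOINT_RE.search(body.get_content()):
        findings.append("sharepoint_link_in_body")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        is_rfc822 = part.get_content_type() == "message/rfc822"
        # An attached message is parsed, not decoded; serialise it back to bytes.
        payload = (part.get_payload(0).as_bytes() if is_rfc822
                   else part.get_payload(decode=True) or b"")
        if is_rfc822 or fname.endswith(".eml"):
            findings.append("eml_attachment")
            if SHAREPOINT_RE.search(payload.decode("utf-8", "replace")):
                findings.append("sharepoint_link_in_attached_eml")
        elif fname.endswith(".vsdx"):
            findings.append("vsdx_attachment")
            info = parse_vsdx(payload)
            findings.extend("visio_hyperlink:" + url for url in info["links"])
            if any(re.search(r"\bctrl\b.*\bclick", t, re.I) for t in info["texts"]):
                findings.append("visio_ctrl_click_instruction")
    return findings


def build_sample_vsdx(target_url, button_text="View Document (Ctrl + click)"):
    """Constructed minimal .vsdx with one hyperlinked shape (real files carry
    more parts, e.g. [Content_Types].xml, which the parser ignores)."""
    page_xml = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<PageContents xmlns="http://schemas.microsoft.com/office/visio/2012/main">'
        '<Shapes><Shape ID="1" Type="Shape"><Text>%s</Text>'
        '<Section N="Hyperlink"><Row N="Row_1"><Cell N="Address" V="%s"/></Row>'
        '</Section></Shape></Shapes></PageContents>'
    ) % (button_text, target_url)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("visio/pages/page1.xml", page_xml)
    return buf.getvalue()


def build_sample_message():
    """Constructed lure following the described flow; all domains are placeholders."""
    msg = EmailMessage()
    msg["From"] = "ap@compromised-partner.example"  # taken-over account, so it likely passes auth checks
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "Proposal / purchase order"
    msg.set_content("Review the proposal here:\n"
                    "https://contoso-my.sharepoint.com/personal/ap/proposal.vsdx\n")
    msg.add_attachment(build_sample_vsdx("https://portal.example.invalid/auth"),
                       maintype="application", subtype="vnd.ms-visio.drawing",
                       filename="proposal.vsdx")
    return msg.as_bytes()


if __name__ == "__main__":
    print("\n".join(triage_message(build_sample_message())))
```

Feed `triage_message` a raw .eml from quarantine; any `visio_hyperlink:` finding shows where the embedded button actually points, which is the detail the Ctrl+click step hides from automated link scanners.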

Security Vulnerabilities Addressed by New Patches from Microsoft and Google

Microsoft and Google released critical security updates to address vulnerabilities in their respective products.

Microsoft Exchange Server Updates

Microsoft issued Security Updates (SUs) for Exchange Server 2019 and 2016, specifically targeting versions Exchange Server 2019 CU13 and CU14, as well as Exchange Server 2016 CU23. These updates address several vulnerabilities, including a spoofing vulnerability identified as CVE-2024-49040, which could allow attackers to forge legitimate senders on incoming emails, making malicious messages more effective.

Google Chrome 131 Release

Google released Chrome 131 to the stable channel for Windows, Mac, and Linux, addressing 12 security vulnerabilities. Among these, a high-severity flaw (CVE-2024-11110) related to an inappropriate implementation in Blink, Chrome’s rendering engine, was identified. This vulnerability could potentially allow attackers to execute arbitrary code on a user’s system.

Veeam Issues Patch for High-Severity Vulnerability Amid Expanding Exploits

Veeam has recently addressed a high-severity vulnerability in its Backup Enterprise Manager, identified as CVE-2024-40715. This flaw allows remote attackers to bypass authentication through man-in-the-middle (MITM) attacks. To mitigate this risk, Veeam has released a hotfix for Backup Enterprise Manager version 12.2.0.334, which is available directly via their knowledge base article KB4682.

In addition, threat actors have been exploiting a critical vulnerability in Veeam Backup & Replication software, tracked as CVE-2024-40711, to deploy a new ransomware strain known as “Frag.” This vulnerability, with a CVSS score of 9.8, was patched in early September 2024. However, approximately a month later, it began to be exploited in ransomware attacks involving the Fog and Akira strains.

Attackers have been leveraging compromised VPN appliances to gain initial access to networks. Subsequently, they exploit the Veeam vulnerability to create unauthorized administrator accounts, facilitating further malicious activities.

To protect against these threats, it is crucial for organizations to apply the latest security patches provided by Veeam and ensure that their VPN appliances are secure. Regularly updating software and monitoring for unusual activities can help mitigate the risks associated with these vulnerabilities.

Remote Code Execution Vulnerability in Palo Alto Networks and Citrix Virtual Apps

Palo Alto Networks has issued an advisory urging customers to act swiftly in response to reports of a potential remote code execution (RCE) vulnerability affecting PAN-OS.

In the meantime, the network security vendor advises users to properly configure the management interface according to best practices, ensuring that access is restricted to trusted internal IP addresses to minimize the attack surface.

Cybersecurity researchers have uncovered new vulnerabilities in Citrix Virtual Apps and Desktops that could be exploited for unauthenticated remote code execution (RCE). According to watchTowr, a new zero-day flaw in Citrix’s Session Recording Manager could allow attackers to achieve unauthenticated RCE against Citrix Virtual Apps and Desktops.

CISA Alerts on Exploited Vulnerabilities in Palo Alto Networks and Android

The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent warnings about two critical vulnerabilities currently being exploited in the wild, affecting Palo Alto Networks’ Expedition tool and Google’s Android operating system.

Palo Alto Networks’ Expedition Vulnerability (CVE-2024-5910)

CISA has identified a critical missing authentication vulnerability in Palo Alto Networks’ Expedition, a tool designed to assist in migrating firewall configurations from various vendors to PAN-OS. This flaw allows attackers with network access to take over an Expedition admin account, potentially exposing sensitive configuration secrets, credentials, and other critical data. Consequently, CISA has added CVE-2024-5910 to its Known Exploited Vulnerabilities Catalog, mandating that U.S. federal agencies secure vulnerable servers by November 28.

Google’s Android Vulnerability (CVE-2024-43093)

Simultaneously, Google has disclosed an actively exploited vulnerability in the Android operating system, tracked as CVE-2024-43093. This elevation of privilege flaw resides in the Android Framework component and could result in unauthorized access to sensitive directories, such as “Android/data,” “Android/obb,” and “Android/sandbox.” Google has released patches as part of the November 2024 security update to address this issue.

SAP Releases Patch for High-Severity Vulnerabilities

SAP issued eight new security advisories as part of the November 2024 patch release, including one for a high-severity vulnerability in Web Dispatcher. According to the enterprise security firm Onapsis, this flaw can be exploited by unauthenticated attackers to create a malicious page that executes content in a victim’s browser. The vulnerability can enable both cross-site scripting (XSS) and server-side request forgery (SSRF) attacks, potentially leading to remote code execution on the server.

SAP customers are strongly encouraged to apply the relevant security note to address this issue. Alternatively, they can reduce the risk by disabling the Admin UI—either by deleting specific files or changing profile parameters—or by removing the administrative role entirely from all users.

Additionally, SAP has updated a high-priority advisory initially released during the July 2024 patch update. This advisory addresses a missing authorization check in Product Design Cost Estimating (PDCE), tracked as CVE-2024-39592.

The remaining security notes from the November patch resolve medium-severity issues affecting Host Agent, NetWeaver, Cash Management (Cash Operations), and Bank Account Management.

GoIssue: New Phishing Tool Targets GitHub Developers in Bulk Email Campaigns

Cybersecurity experts are highlighting a new sophisticated tool called GoIssue, designed for large-scale phishing attacks targeting GitHub users. This tool enables cybercriminals to scrape email addresses from GitHub profiles and execute mass phishing campaigns, thereby increasing the risk of source code theft and network breaches.

Originally promoted by a threat actor known as “cyberdluffy” (also referred to as Cyber D’ Luffy) on the Runion forum this past August, GoIssue is marketed as a tool for extracting email addresses from public GitHub profiles and sending bulk phishing emails directly to user inboxes.

The phishing links are embedded in email messages automatically triggered by GitHub after developer accounts are tagged in spam comments on random issues or pull requests, using accounts that have already been compromised. These fraudulent emails direct users to log in to their GitHub accounts and authorize a new OAuth application, under the guise of applying for job opportunities.

Clicking on the URL within the email or in the attached .eml file leads victims to a Microsoft SharePoint page hosting a Visio (.vsdx) file. The SharePoint account used to upload and host these Visio files is typically compromised as well.

Roblox Developers Targeted by Weaponized npm Packages

Researchers have uncovered five malicious npm packages specifically targeting Roblox developers, aiming to spread malware to steal credentials and personal information. These harmful packages include “autoadv,” “ro.dll,” “node-dlls,” and two versions of “rolimons-api,” all crafted to resemble legitimate modules frequently used within the Roblox developer community.

One package, named “node-dlls,” was created to impersonate the legitimate “node-dll” package, which has seen over 35,800 downloads. This tactic, known as typosquatting, tricks users into downloading harmful versions instead of the genuine package. Similarly, the two “rolimons-api” package versions were developed to imitate Rolimon’s API Module, a tool Roblox developers often use to integrate Rolimon’s data into their projects.

While unofficial wrappers like the Rolimons Lua module on GitHub and the Rolimons Python package—downloaded over 17,000 times—are available, the malicious “rolimons-api” versions took advantage of the developers’ familiarity and trust in well-known tools.

The threat actor effectively established a backdoor on the victims’ PCs by running the malware downloaded through these fake packages. This allowed for the deployment of the Skuld infostealer and Blank Grabber malware, initiating the theft of sensitive data such as banking information, credentials, and personal files.

Zero-Day Vulnerability in Windows Theme and Task Scheduler Flaw Discovered

Microsoft released security updates addressing 91 vulnerabilities across the Windows ecosystem, including four zero-day flaws, two of which are actively exploited.

Zero-Day Vulnerabilities

Among the zero-day vulnerabilities, two are actively exploited:

  • CVE-2024-49040: A spoofing vulnerability in Microsoft Exchange Server 2016 and 2019 that could allow attackers to forge legitimate senders on incoming emails, making malicious messages more effective.
  • CVE-2024-49019: An elevation of privilege flaw in Active Directory that could enable attackers to gain domain administrator privileges.

Windows Themes Zero-Day Vulnerability

Additionally, a new zero-day vulnerability related to Windows Themes has been identified, allowing attackers to steal NTLM credentials from compromised systems. This issue is similar to the previously addressed CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability.

Elevation of Privilege Flaw in Microsoft Active Directory Certificate Services

Microsoft’s November 2024 Patch Tuesday updates have addressed a significant security vulnerability, CVE-2024-49019, affecting Active Directory Certificate Services (AD CS). This elevation of privilege (EoP) issue arises from weak authentication mechanisms, allowing attackers to gain unauthorized access to sensitive resources. The vulnerability is classified under CWE-1390, which pertains to weak authentication.

Enterprises utilizing AD CS for digital certificate management are advised to apply the provided security updates promptly to mitigate potential risks associated with this vulnerability. Implementing robust authentication practices is also recommended to enhance security.

Google Patches Two Exploited Android Vulnerabilities in Latest Update

Google has issued a warning about the active exploitation of two vulnerabilities, CVE-2024-43047 and CVE-2024-43093, which have been addressed in the latest Android security update.

CVE-2024-43047

This high-severity vulnerability is a use-after-free issue in closed-source Qualcomm components within the Android kernel, leading to privilege escalation. It was disclosed in early October 2024 after evidence of in-the-wild exploitation was found by Amnesty International and Google’s Threat Analysis Group (TAG).

CVE-2024-43093

Also rated as high-severity, this elevation of privilege flaw affects Android’s Framework component and the Documents UI component of Project Mainline, which is updated through Google Play. The vulnerability allows unauthorized access to sensitive directories and has been actively exploited.

Security Update Details

The November 5, 2024, security patch level includes fixes for 23 vulnerabilities, including CVE-2024-43093, and updates to kernel versions. Google advises users to apply these updates promptly to protect their devices from potential exploitation.

Ransomware Attacks Halliburton, Newpark, Georgia Hospital, City of Columbus & Microchip Technology

Recent ransomware attacks have significantly impacted various organizations across multiple sectors, underscoring the severe financial and operational consequences of such cyber threats.

Halliburton

In August 2024, energy services giant Halliburton experienced a ransomware breach that resulted in a $35 million loss. This incident highlights the substantial financial risks associated with cyberattacks in the energy sector.

Newpark Resources

Newpark Resources, a Texas-based oilfield supplier, announced disruptions to its information systems and business applications following a ransomware attack. The company reported that while manufacturing and field operations continued using established downtime procedures, critical systems and corporate functions were affected.

Memorial Hospital and Manor

Memorial Hospital and Manor in Bainbridge, Georgia, fell victim to a ransomware attack that rendered its Electronic Health Record (EHR) system inaccessible. This disruption poses significant challenges to patient care and hospital operations.

City of Columbus, Ohio

The City of Columbus reported that personal information of 500,000 individuals was stolen during a ransomware attack in July 2024. The breach has raised concerns about data security and the protection of citizens’ personal information.

Microchip Technology

Microchip Technology disclosed in its latest financial report that expenses related to a recent cybersecurity incident amounted to $21.4 million. The company is implementing measures to enhance its cybersecurity posture and prevent future breaches.

Data Breaches Amazon Employee, Debt Relief Firm, Law Firm & Saint Xavier University

Recent data breaches have compromised sensitive information across various organizations:

Amazon Employee Data Breach

Amazon has confirmed that some employee data was compromised due to the MOVEit hacking campaign. The breach exposed work contact information, including email addresses, phone numbers, and building locations. Amazon stated that its systems remain secure and that no sensitive employee data, such as Social Security numbers or financial information, was compromised.

Forth Data Breach

Debt relief solutions provider Forth (Set Forth) is notifying 1.5 million individuals that their personal information was compromised in a May 2024 data breach. The compromised data includes names, addresses, dates of birth, and Social Security numbers.

Presbyterian Healthcare Services Data Breach

The information of over 300,000 Presbyterian Healthcare Services patients was compromised due to a data breach at law firm Thompson Coburn. The breach exposed patient names, addresses, dates of birth, Social Security numbers, and health insurance information.

Bugcrowd Secures $50 Million in Growth Capital for Expansion

Bugcrowd, a leader in crowdsourced cybersecurity, has recently secured a $50 million growth capital facility from Silicon Valley Bank.

This funding aims to support the company’s expansion and innovation efforts. Earlier in February 2024, Bugcrowd raised $102 million in strategic growth funding, bringing its total funding to over $180 million.

Bugcrowd’s platform enables organizations to run bug bounty programs, facilitating the identification of vulnerabilities in their products and systems. The company serves more than 1,200 customers, including prominent entities such as Google, T-Mobile, OpenAI, and the Pentagon’s Chief Digital and Artificial Intelligence Office.

Microsoft Disrupts ONNX Phishing Service and Identifies Operator

Microsoft has taken down 240 phishing websites and disrupted the ONNX service, which it claims is operated by an Egyptian individual. Since 2017, Microsoft has been monitoring cybercrime activities linked to Nady, who has been involved in creating and selling various phishing services, including ONNX, Caffeine, and the more recent FUHRER.

These phishing kits, offered as part of a phishing-as-a-service (PhaaS) model, are available for as low as $150 per month. They allow users to easily launch large-scale phishing campaigns to collect victims’ credentials. The ONNX operation also facilitated adversary-in-the-middle (AitM) attacks, enabling criminals to intercept and manipulate authentication between users and legitimate services, thereby bypassing security measures like multi-factor authentication.

Microsoft’s decisive actions send a clear message to those who misuse similar services to cause harm online: the company is committed to protecting its services and customers. It continues to enhance both technical and legal measures to improve its impact against cyber threats.

Microsoft Patches Exploited Vulnerability in Partner Network Website

Microsoft has addressed a critical elevation of privilege vulnerability, identified as CVE-2024-49035, in its Partner Network website (partner.microsoft.com). This flaw, which was actively exploited, allowed unauthenticated attackers to gain elevated privileges over a network.

In addition to CVE-2024-49035, Microsoft patched other significant vulnerabilities:

  • Copilot Studio: A cross-site scripting (XSS) vulnerability (CVE-2024-49038) that could enable unauthorized attackers to escalate privileges over a network.
  • Azure PolicyWatch: A missing authentication for a critical function flaw (CVE-2024-49052) allowing unauthorized attackers to escalate privileges over a network.
  • Dynamics 365 Sales: A spoofing vulnerability (CVE-2024-49053) that could trick authenticated users into clicking specially crafted URLs, potentially redirecting them to malicious sites.

Microsoft has implemented mitigations for these vulnerabilities, with most requiring no user action. However, to address CVE-2024-49053, users should update Dynamics 365 Sales apps for Android and iOS to version 3.24104.15 or later.

These proactive measures underscore Microsoft’s commitment to safeguarding its platforms and users from emerging cyber threats.

New VPN Attack Targets Palo Alto Networks and SonicWall Products

Vulnerabilities have been identified in Palo Alto Networks and SonicWall VPNs, potentially allowing remote code execution and privilege escalation. The attack, which can impact both Windows and macOS, exploits the trust relationship between the VPN client and server. A tool called NachoVPN has been developed to simulate a rogue VPN server that can take advantage of these vulnerabilities.

To carry out the attack, a malicious actor must trick the user into connecting to their rogue VPN server—something that AmberWolf suggests can be done through social engineering tactics.

Palo Alto Networks Vulnerability (CVE-2024-5921)

Palo Alto Networks has classified the issue (CVE-2024-5921) as a medium-severity flaw involving insufficient certificate validation in the GlobalProtect app for Windows, macOS, and Linux. To exploit this vulnerability, the attacker would need either local non-admin access to the operating system or a position on the same subnet as the victim. The vulnerability has been addressed with the release of GlobalProtect version 6.2.6 for Windows, and other mitigations are available. Although Palo Alto Networks is not aware of any active malicious exploitation, a proof-of-concept (PoC) using the NachoVPN tool has been made publicly available.

SonicWall Vulnerability (CVE-2024-29014)

SonicWall is tracking a high-severity vulnerability identified as CVE-2024-29014. The company released patches in mid-July, confirming that firewalls running SonicOS and the NetExtender Linux client are not affected. According to AmberWolf, this vulnerability allows remote code execution with system-level privileges. Exploitation only requires the user to visit a malicious website and accept a browser prompt.

IBM Patches RCE Vulnerabilities in Data Virtualization Manager, Security SOAR

IBM has released patches for two high-severity remote code execution (RCE) vulnerabilities affecting Data Virtualization Manager and Security SOAR.

Data Virtualization Manager Vulnerability (CVE-2024-52899)

The flaw, tracked as CVE-2024-52899 with a CVSS score of 8.5, affects Data Virtualization Manager for z/OS. It could allow a remote, authenticated attacker to inject malicious JDBC URL parameters, potentially leading to arbitrary code execution on the server. IBM has provided fix packs for versions 1.1 and 1.2 of Data Virtualization Manager for z/OS to address this issue.

Security SOAR Vulnerability (CVE-2024-45801)

A second RCE vulnerability, tracked as CVE-2024-45801 with a CVSS score of 7.3, is described as a prototype pollution flaw in the depth check of the DOMPurify component used in the user interface. This could be exploited to execute arbitrary code. IBM has released a patch to mitigate this risk.

Additional Vulnerabilities

IBM has also issued patches for:

  • CVE-2024-49353: A high-severity flaw in Watson Speech Services Cartridge for Cloud Pak for Data that could lead to a crash.
  • CVE-2024-6119: A denial-of-service (DoS) vulnerability in OpenSSL.

In addition to these high-severity flaws, IBM addressed three medium- and low-severity issues in Engineering Lifecycle Management. These vulnerabilities could be exploited in cross-site scripting (XSS) attacks, allow a user to modify any accessible dashboard, or enable the recovery of plaintext administrative credentials through network sniffing.

Source Code Leak Shuts Down $3,000-a-Month ‘Banshee Stealer’ macOS Malware

The Banshee Stealer macOS malware operation, which emerged earlier this year, has reportedly ceased following the unauthorized disclosure of its source code. The identity and motives of the individual responsible for the leak remain unknown. Vx-Underground, a threat intelligence and research project, has archived the leaked source code and made it accessible on their GitHub account.

Initially advertised in August 2024 on cybercrime forums for a monthly subscription fee of $3,000, Banshee Stealer was believed to be developed by Russian threat actors. The malware targeted macOS systems, aiming to collect extensive data from infected devices, including:

  • System Information: Comprehensive details about the hardware and installed software.
  • User’s OS Password: Capturing the operating system’s password.
  • Keychain Data: Extracting passwords and other sensitive information stored in the macOS Keychain.
  • Web Browser Data: Stealing cookies, login credentials, browsing history, and data from approximately 100 browser plugins across browsers such as Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari.
  • Cryptocurrency Wallets: Targeting wallets like Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.

145,000 ICS Systems Exposed Online, Targeting Industrial Firms

Censys and Kaspersky have released new reports analyzing the exposure and cyberattacks faced by industrial organizations worldwide.

Censys Report Highlights

The latest “State of the Internet” report by Censys reveals that exposed ICS (Industrial Control System) devices are distributed across 175 countries, with 38% located in North America, 35% in Europe, and 22% in Asia. In the United States alone, there are 48,000 exposed ICS systems—a rise from the 40,000 previously reported by Censys.

Censys noted that these exposed ICS devices are accessible through common protocols such as Modbus, Fox, BACnet, WDBRPC (Wind River), EIP, S7 (Siemens), and IEC 60870-5-104. The report also observed regional differences: North America tends to use Fox, BACnet, ATG, and C-More (AutomationDirect), whereas Modbus, S7, and IEC 60870-5-104 are more prevalent in Europe.

Kaspersky Report Insights

In a separate report published on Thursday, Kaspersky highlighted that nearly 90% of industrial companies in the UK have experienced cyberattacks, based on a survey of over 400 individuals conducted in August. Almost half of these incidents resulted in major disruptions.

Additionally, 72% of respondents indicated that they consider their connected and automated supply chains vulnerable to cyberattacks.

Microsoft Unveils ‘Quick Machine Recovery’ Post CrowdStrike Outage

Microsoft has introduced the Quick Machine Recovery tool, enabling IT administrators to remotely apply fixes to unbootable machines without requiring physical access. This initiative is a direct response to the July 2024 incident where a faulty CrowdStrike Falcon sensor update caused widespread system crashes, leaving millions of Windows devices inoperable and necessitating manual repairs.

The Quick Machine Recovery feature allows administrators to deploy targeted fixes via Windows Update, even when systems cannot boot properly. This capability significantly reduces downtime and accelerates recovery processes during critical system failures.

In tandem with this tool, Microsoft has enhanced security features in new Windows 11 PCs, including Copilot+ PCs. These enhancements, now enabled by default, aim to minimize attack vectors and bolster system integrity. Key security features include:

  • Credential Guard: Protects against credential theft by isolating secrets.
  • Vulnerable Driver Block List: Prevents the loading of drivers known to have security vulnerabilities.
  • Local Security Authority (LSA) Protection: Enabled by default on new consumer devices to safeguard against unauthorized access.
  • BitLocker: Provides full disk encryption, now activated by default on most modern systems.

VMware Patches Critical Vulnerabilities in Aria Operations

VMware has issued a high-severity security bulletin, VMSA-2024-0022, addressing five vulnerabilities in its Aria Operations product, a cloud IT operations platform. The company warns that these vulnerabilities could allow attackers to elevate privileges or carry out cross-site scripting (XSS) attacks.

Details of the Vulnerabilities:

  • CVE-2024-38830 (CVSS 7.8): A local privilege escalation vulnerability that allows attackers with local administrative access to gain root privileges on the appliance.
  • CVE-2024-38831 (CVSS 7.8): Another local privilege escalation issue that lets attackers execute malicious commands through properties file modifications, leading to root access.
  • CVE-2024-38832 (CVSS 7.1): A stored XSS vulnerability that allows script injection by users with access to edit views.
  • CVE-2024-38833 (CVSS 6.8): A stored XSS flaw enabling malicious script injection through email templates.
  • CVE-2024-38834 (CVSS 6.5): A stored XSS vulnerability targeting the cloud provider editing functionality, allowing attackers to inject scripts.

Threat Actor Compromises 20,000+ IoT Devices for Proxy Botnet

A threat actor known as Water Barghest has compromised over 20,000 Internet of Things (IoT) devices, monetizing them as residential proxies. Active for at least five years, Water Barghest has remained under the radar by extensively relying on automation, erasing log files to cover its tracks, and only accepting cryptocurrency payments.

The group employs a highly automated process to identify and exploit vulnerabilities in IoT devices. They utilize public internet-scanning databases like Shodan to locate susceptible devices and deploy proprietary malware, such as Ngioweb, to register these devices as proxies.

Water Barghest’s botnet includes devices from various manufacturers, including Cisco, DrayTek, Fritz!Box, Linksys, Netgear, Synology, Tenda, Western Digital, and Zyxel. The compromised devices are rented out to other threat actors seeking to anonymize their activities, facilitating malicious operations such as credential-stuffing attacks and cyber espionage.

The group’s meticulous operational security measures, such as log file deletion and the exclusive use of cryptocurrency for transactions, have enabled it to evade detection and maintain its botnet over an extended period. The demand for such proxy botnets is expected to rise, as both state-sponsored and financially motivated groups continue to use them for anonymization and espionage purposes.

Remote Hacking Risk: Vulnerabilities Found in mySCADA myPRO Systems

mySCADA has patched critical vulnerabilities in its myPRO HMI/SCADA product that could allow remote, unauthenticated system takeover. Cybersecurity researcher Michael Heinzl discovered flaws in the Manager and Runtime components, including OS command injection, missing authentication, and path traversal.

CISA coordinated the disclosure, and mySCADA released patches in myPRO Manager 1.3 and myPRO Runtime 9.2.1. Four of the five vulnerabilities are rated as ‘critical,’ with one classified as ‘high severity.’ Users are urged to update immediately to mitigate risks.

Man Who Stole $1B in Bitcoin Sentenced to 5 Years in Prison

Bitfinex hacker Ilya Lichtenstein, responsible for stealing bitcoin now worth billions, has been sentenced to five years in prison. In August 2016, Lichtenstein breached the Hong Kong-based virtual currency exchange Bitfinex, stealing approximately 120,000 bitcoin. Valued at roughly $71 million at the time, the stolen bitcoin is now worth over $7.6 billion, according to prosecutors.

Lichtenstein pleaded guilty to one count of money laundering conspiracy in August 2023, and prosecutors recommended a five-year prison sentence. His accomplice, Morgan, also pleaded guilty to the same charge and was recommended for an 18-month prison term.

Prosecutors emphasized that the crime was premeditated, noting that Lichtenstein spent months infiltrating Bitfinex’s infrastructure to obtain the access needed for the hack. Despite the theft, over 96% of the stolen funds have been recovered, largely with Lichtenstein’s cooperation. Defense attorney Samson Enzer noted that most of the stolen funds were never spent.

Zyxel Firewall Flaw Exploited in Ransomware Attacks

A ransomware group has been observed exploiting a recently patched command injection vulnerability in Zyxel firewalls, identified as CVE-2024-42057, for initial access. This flaw allows unauthenticated remote attackers to execute operating system commands on affected devices. Zyxel addressed the issue in firmware version 5.39, released on September 3, 2024.

Users are strongly advised to update to the latest firmware or disable remote access to unpatched firewalls to mitigate potential risks.

Blue Yonder Ransomware Attack Disrupts Starbucks and Grocery Stores

Supply chain management software provider Blue Yonder has been targeted by a ransomware attack, causing significant disruptions for several of its customers. The company quickly launched an investigation and began efforts to restore affected services. As of November 24, Blue Yonder has reported steady progress in recovery but has not provided a timeline for full restoration.

Blue Yonder, which offers an end-to-end supply chain platform, serves over 3,000 customers across 76 countries, including major retailers, manufacturers, and logistics providers. Some high-profile clients have confirmed being impacted by the disruptions:

  • Morrisons: The UK supermarket, which uses Blue Yonder’s solutions for warehouse management, has had to revert to a manual backup system, affecting deliveries and the availability of some products.
  • Sainsbury’s: Also affected, though the company noted that it has procedures in place to mitigate the impact.
  • Starbucks: Confirmed to be among the impacted customers.

Cybersecurity Funding Surge: Halcyon Raises $100M, Trustero Secures $10M, Cyera Gains $300M

  • Halcyon: The anti-ransomware company raised $100 million in a Series C funding round, elevating its valuation to $1 billion.
  • Trustero: Specializing in AI-driven security and compliance solutions, Trustero closed a $10.35 million Series A funding round to enhance its governance, risk, and compliance platform.
  • Cyera: The data security firm secured $300 million in Series D funding, bringing its valuation to $3 billion.

Data Breaches Impact 1.7M OPPC, 120,000 Geico and Travelers, and 44,000 Ford Customers

  • OnePoint Patient Care Data Breach Impact Doubles: The recent data breach at OnePoint Patient Care has affected twice as many individuals as initially reported.
  • New York Fines Geico and Travelers $11 Million Over Data Breaches: The State of New York has imposed an $11 million fine on auto insurance companies Geico and Travelers following data breaches that compromised the personal information of more than 120,000 individuals.
  • Ford Blames Third-Party Supplier for Data Breach Claims: Ford has completed its investigation into claims of a recent data breach, concluding that no customer data was compromised within its systems. The investigation followed a post by hackers named IntelBroker and EnergyWeaponUser on the BreachForums cybercrime forum on November 17, claiming to have obtained 44,000 Ford customer records, including names, addresses, and acquisition details.