THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 11 – Nov 17)

Nov 18, 2024 | Ravie Lakshmanan | Cybersecurity / Infosec

What do hijacked websites, fake job offers, and sneaky ransomware have in common? They're proof that cybercriminals are finding smarter, sneakier ways to exploit both systems and people.

This week makes one thing clear: no system, no person, no organization is truly off-limits. Attackers are getting smarter, faster, and more creative, using everything from human trust to hidden flaws in technology. The real question is: are you ready?

💪 Every attack holds a lesson, and every lesson is an opportunity to strengthen your defenses. This isn't just news; it's your guide to staying safe in a world where cyber threats are everywhere. Let's dive in.

⚡ Threat of the Week

Palo Alto Networks Warns of Zero-Day: A remote code execution flaw in the Palo Alto Networks PAN-OS firewall management interface is the latest zero-day to be actively exploited in the wild. The company began warning about potential exploitation concerns on November 8, 2024. It has since been confirmed that the flaw has been weaponized in limited attacks to deploy a web shell. The critical vulnerability has no patches as yet, which makes it all the more important that organizations restrict management interface access to trusted IP addresses. The development comes as three different critical flaws in Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465) have also seen active exploitation attempts. Details are sparse on who is exploiting them and the scale of the attacks.


🔔 Top News

  • BrazenBamboo Exploits Unpatched Fortinet Flaw: A threat actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet's FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA. Volexity described BrazenBamboo as the developer of three distinct malware families, DEEPDATA, DEEPPOST, and LightSpy, and not necessarily one of the operators using them. BlackBerry, which also detailed DEEPDATA, said it has been put to use by the China-linked APT41 actor.
  • About 70,000 Domains Hijacked by Sitting Ducks Attack: Multiple threat actors have been found taking advantage of an attack technique called Sitting Ducks to hijack legitimate domains and use them in phishing attacks and investment fraud schemes for years. Sitting Ducks exploits misconfigurations in a web domain's domain name system (DNS) settings to take control of it. Of the nearly 800,000 vulnerable registered domains seen over the past three months, approximately 9% (70,000) have since been hijacked.
  • Got a Dream Job Offer on LinkedIn? It Could Be Iranian Hackers: The Iranian threat actor known as TA455 is targeting LinkedIn users with enticing job offers intended to trick them into running a Windows-based malware named SnailResin. The attacks have been observed targeting the aerospace, aviation, and defense industries since at least September 2023. Interestingly, the tactics overlap with those of the infamous North Korea-based Lazarus Group.
  • WIRTE Targets Israel With SameCoin Wiper: WIRTE, a Middle Eastern threat actor affiliated with Hamas, has orchestrated cyber espionage operations against the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, and has also carried out disruptive attacks that solely target Israeli entities using the SameCoin wiper. The destructive operations were first flagged at the start of the year.
  • ShrinkLocker Decryptor Released: Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted by the ShrinkLocker ransomware. First identified earlier this year, ShrinkLocker is notable for its abuse of Microsoft's BitLocker utility to encrypt files as part of extortion attacks targeting entities in Mexico, Indonesia, and Jordan.

🔥 Trending CVEs

Recent cybersecurity developments have highlighted several critical vulnerabilities, including: CVE-2024-10924, CVE-2024-10470, CVE-2024-10979, CVE-2024-9463, CVE-2024-9465, CVE-2024-43451, CVE-2024-49039, CVE-2024-8068, CVE-2024-8069, CVE-2023-28649, CVE-2023-31241, CVE-2023-28386, CVE-2024-50381, CVE-2024-7340, and CVE-2024-47574. These security flaws are serious and could put both companies and ordinary users at risk. To stay safe, everyone needs to keep their software updated, upgrade their systems, and constantly watch out for threats.

📰 Around the Cyber World

  • The Top Routinely Exploited Vulnerabilities of 2023 Revealed: Cybersecurity agencies from the Five Eyes nations, Australia, Canada, New Zealand, the U.K., and the U.S., have released the list of the top 15 vulnerabilities threat actors were observed routinely exploiting in 2023. This includes security flaws in Citrix NetScaler (CVE-2023-3519, CVE-2023-4966), Cisco (CVE-2023-20198, CVE-2023-20273), Fortinet (CVE-2023-27997), Progress MOVEit Transfer (CVE-2023-34362), Atlassian (CVE-2023-22515), Apache Log4j (CVE-2021-44228), Barracuda Networks ESG (CVE-2023-2868), Zoho ManageEngine (CVE-2022-47966), PaperCut MF/NG (CVE-2023-27350), Microsoft Netlogon (CVE-2020-1472), JetBrains TeamCity (CVE-2023-42793), Microsoft Outlook (CVE-2023-23397), and ownCloud (CVE-2023-49103). "More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks," the U.K. NCSC said. The disclosure coincided with Google's announcement that it will begin issuing "CVEs for critical Google Cloud vulnerabilities, even when we do not require customer action or patching" to boost vulnerability transparency. It also came as the CVE Program recently turned 25, with over 400 CVE Numbering Authorities (CNAs) and more than 240,000 CVE identifiers assigned as of October 2024. The U.S. National Institute of Standards and Technology (NIST), for its part, said it now has a "full team of analysts on board, and we are addressing all incoming CVEs as they are uploaded into our system" to address the backlog of CVEs that built up earlier this calendar year.
  • GeoVision Zero-Day Under Attack: A new zero-day flaw in end-of-life GeoVision devices (CVE-2024-11120, CVSS score: 9.8), a pre-auth command injection vulnerability, is being exploited to compromise the devices and enlist them into a Mirai botnet, likely for DDoS or cryptomining attacks. "We observed a 0day exploit in the wild used by a botnet targeting GeoVision EOL devices," the Shadowserver Foundation said. Users of GV-VS12, GV-VS11, GV-DSP_LPR_V3, GVLX 4 V2, and GVLX 4 V3 are advised to replace them.
  • New Banking Trojan Silver Shifting Yak Targets Latin America: A new Windows-based banking trojan named Silver Shifting Yak has been observed targeting Latin American users with the aim of stealing information from financial institutions such as Banco Itaú, Banco do Brasil, Banco Bradesco, Foxbit, and Mercado Pago Brasil, among others, as well as credentials used to access Microsoft portals such as Outlook, Azure, and Xbox. The initial attack stages of the malware are believed to begin with phishing emails that lead the victims to malicious .ZIP archives hosted on fake websites. The development comes as the threat actor known as Hive0147 has begun to use a new malicious downloader called Picanha to deploy the Mekotio banking trojan. "Hive0147 also distributes other banking trojans, such as Banker.FN also known as Coyote, and is likely affiliated with several other Latin American cyber crime groups operating different downloaders and banking trojans to enable banking fraud," IBM X-Force said.
  • Tor Network Faces IP Spoofing Attack: The Tor Project said the Tor anonymity network was the target of a "coordinated IP spoofing attack" starting October 20, 2024. The attacker "spoofed non-exit relays and other Tor-related IPs to trigger abuse reports aimed at disrupting the Tor Project and the Tor network," the project said. "The origin of these spoofed packets was identified and shut down on November 7, 2024." The Tor Project said the incident had no impact on its users, but noted that it did take a few relays offline temporarily. It is unclear who is behind the attack.
  • FBI Warns About Criminals Sending Fraudulent Police Data Requests: The FBI is warning that hackers are obtaining private user information from U.S.-based tech companies by compromising U.S. and foreign government/police email addresses to submit "emergency" data requests. The abuse of emergency data requests by malicious actors such as LAPSUS$ has been reported in the past, but this is the first time the FBI has formally acknowledged that the legal process is being exploited for criminal purposes. "Cybercriminals understand the need for exigency, and use it to their advantage to shortcut the necessary analysis of the emergency data request," the agency said.
  • New Trends in Ransomware: A financially motivated threat actor known as Lunar Spider has been linked to a malvertising campaign targeting financial services that employs SEO poisoning to deliver the Latrodectus malware, which, in turn, is used to deploy the Brute Ratel C4 (BRc4) post-exploitation framework. In this campaign, detected in October 2024, users searching for tax-related content on Bing are lured into downloading an obfuscated JavaScript file. Upon execution, this script retrieves a Windows Installer (MSI) from a remote server, which installs Brute Ratel. The toolkit then connects to command-and-control (C2) servers for further instructions, allowing the attacker to control the infected system. The end goal of the attacks is believed to be the deployment of ransomware on compromised hosts. Lunar Spider is also the developer behind IcedID, suggesting that the threat actor is continuing to evolve its malware deployment approach to counter law enforcement efforts. It is not just Lunar Spider. Another notorious cybercrime gang called Scattered Spider has been acting as an initial access broker for the RansomHub ransomware operation, using advanced social engineering tactics to obtain privileged access and deploy the encryptor to impact a critical ESXi environment in just six hours. The disclosure comes as ransomware attacks, including those aimed at cloud services, continue to be a persistent threat, even as the volume of incidents is beginning to drop and there is a steady decline in ransom payment rates. The appearance of new ransomware families like Frag, Interlock, and Ymir notwithstanding, one of the noteworthy trends of 2024 has been the rise of unaffiliated ransomware actors, the so-called "lone wolves" who operate independently.

🔥 Resources, Guides & Insights

🎥 Expert Webinar

  • How to Be Ready for Rapid Certificate Replacement — Is certificate revocation a nightmare for your business? Join our free webinar and learn how to replace certificates with lightning speed. We'll share secrets to minimize downtime, automate replacements, master crypto agility, and implement best practices for ultimate resilience.
  • Building Tomorrow, Securely—AI Security in App Development — AI is revolutionizing the world, but are you prepared for the risks? Learn how to build secure AI applications from the ground up, protect against data breaches and operational nightmares, and integrate robust security into your development process. Reserve your spot now and discover the essential tools to safeguard your AI initiatives.

🔧 Cybersecurity Tools

  • Grafana — Grafana is an open-source monitoring and observability platform that enables cybersecurity teams to query, visualize, and alert on security metrics from any data source. It offers customizable dashboards with flexible visualizations and template variables, allowing for real-time threat monitoring, intrusion detection, and incident response. Features such as ad-hoc queries and dynamic drill-downs facilitate the exploration of metrics related to network traffic, user behavior, and system logs. Seamless log exploration with preserved filters supports forensic investigations, while visual alert definitions ensure timely notifications to security operations centers through integrations with tools like Slack and PagerDuty. Additionally, Grafana's ability to integrate different data sources, including custom ones, provides comprehensive security monitoring across diverse environments, enhancing the organization's ability to maintain a robust cybersecurity posture.
  • URLCrazy — URLCrazy is an OSINT tool designed for cybersecurity professionals to generate and test domain typos and variations, helping to detect and prevent typosquatting, URL hijacking, phishing, and corporate espionage. By creating 15 types of domain variants and leveraging over 8,000 common misspellings across more than 1,500 top-level domains, URLCrazy helps organizations protect their brand by registering popular typos, identifying domains diverting traffic intended for their legitimate sites, and conducting phishing simulations during penetration tests.
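To show the brand-protection check URLCrazy automates, here is an added example (not URLCrazy's own code) that generates four of the variant classes the tool enumerates, omission, adjacent transposition, character repetition and vowel swap, and matches them against a constructed list of observed registrations; the domain and the registration list are made up for illustration.

```python
# Added example: a small typo-variant generator plus a lookalike check over a
# constructed list of observed registrations. It covers four of the variant
# classes a tool like URLCrazy enumerates, not all 15; the domain and the
# OBSERVED list below are constructed for illustration.

VOWELS = "aeiou"


def split_domain(domain):
    """Split 'example.com' into ('example', 'com'); only the label is mutated."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def typo_variants(domain):
    """Return the set of lookalike domains for one registrable label."""
    label, tld = split_domain(domain)
    out = set()
    for i in range(len(label)):
        # omission: one character dropped (examle.com)
        out.add(label[:i] + label[i + 1:])
        # repetition: one character doubled (exammple.com)
        out.add(label[:i] + label[i] + label[i:])
        # vowel swap: one vowel replaced by another (exemple.com)
        if label[i] in VOWELS:
            for v in VOWELS:
                if v != label[i]:
                    out.add(label[:i] + v + label[i + 1:])
        # transposition: two adjacent characters swapped (exmaple.com)
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)  # the legitimate label itself is never a lookalike
    return {f"{v}.{tld}" for v in out if v}


def find_lookalikes(domain, observed):
    """Return the observed registrations that match a generated variant."""
    variants = typo_variants(domain)
    return sorted(d for d in observed if d.lower() in variants)


# Constructed registrations to check against the brand domain.
OBSERVED = ["exmaple.com", "example.com", "exammple.com",
            "examplle.com", "unrelated.org"]

if __name__ == "__main__":
    for hit in find_lookalikes("example.com", OBSERVED):
        print(f"lookalike registration: {hit}")
```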

🔒 Tip of the Week

Use Canary Tokens to Detect Intrusions — Hackers rely on staying hidden, but canary tokens help you catch them early. These are fake files, links, or credentials, like "Confidential_Report_2024.xlsx" or a fake AWS key, placed in spots hackers like to snoop: shared drives, admin folders, or cloud storage. If someone tries to access them, you get an instant alert with details like their IP address and time of access.

They're easy to set up using free tools like Canarytokens.org and don't need any advanced skills. Just keep them realistic, put them in key places, and check for alerts. Make sure you test your tokens after setup to confirm they work, and avoid overusing them to prevent unnecessary noise. Place them strategically in high-value areas, and monitor alerts closely so you can act quickly if one is triggered. It's a smart, low-effort way to spot hackers before they can do damage.
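The alerting side of a fake-AWS-key canary, as an added example rather than Canarytokens.org's own code: the decoy key IDs, the places they were planted and the CloudTrail-style log records are all constructed, and the example assumes the decoy keys carry no permissions, so any use of one is an alert.

```python
import json

# Constructed registry of planted decoy key IDs (placeholders, not real keys),
# mapped to where each was planted so the alert says which decoy was touched.
# Assumption: the decoys have no permissions, so every use is suspicious.
CANARY_KEYS = {
    "AKIACANARY0000000001": "shared-drive:/finance/aws_backup_credentials.txt",
    "AKIACANARY0000000002": "admin-folder:/ops/.env.old",
}


def parse_event(line):
    """Parse one CloudTrail-style JSON record; None for malformed or keyless lines."""
    try:
        evt = json.loads(line)
    except json.JSONDecodeError:
        return None
    key_id = evt.get("userIdentity", {}).get("accessKeyId")
    if not key_id:
        return None
    return {
        "key_id": key_id,
        "ip": evt.get("sourceIPAddress", "unknown"),
        "time": evt.get("eventTime"),
        "action": evt.get("eventName", "unknown"),
    }


def find_canary_hits(lines):
    """Return one alert per event that used a planted decoy key."""
    alerts = []
    for line in lines:
        evt = parse_event(line)
        if evt and evt["key_id"] in CANARY_KEYS:
            alerts.append({
                "key_id": evt["key_id"],
                "planted_at": CANARY_KEYS[evt["key_id"]],
                "source_ip": evt["ip"],
                "event_time": evt["time"],
                "action": evt["action"],
            })
    return alerts


# Constructed log: one decoy use, one legitimate key use, one malformed line.
SAMPLE_LOG = [
    json.dumps({"eventTime": "2024-11-14T02:13:55Z", "eventName": "GetCallerIdentity",
                "sourceIPAddress": "198.51.100.23",
                "userIdentity": {"accessKeyId": "AKIACANARY0000000001"}}),
    json.dumps({"eventTime": "2024-11-14T09:00:01Z", "eventName": "ListBuckets",
                "sourceIPAddress": "10.0.4.8",
                "userIdentity": {"accessKeyId": "AKIAREALSERVICEKEY01"}}),
    "not json at all",
]

if __name__ == "__main__":
    for a in find_canary_hits(SAMPLE_LOG):
        print(f"ALERT: decoy {a['key_id']} ({a['planted_at']}) used from "
              f"{a['source_ip']} at {a['event_time']} ({a['action']})")
```

Failed calls with a permissionless key still appear in the log, which is what makes a decoy key useful: the alert is raised on the attempt, not on success.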

Conclusion

That's it for this week's cybersecurity updates. The threats may seem complicated, but protecting yourself doesn't have to be. Start simple: keep your systems updated, train your team to spot risks, and always double-check anything that seems off.

Cybersecurity isn't just something you do; it's how you think. Stay curious, stay cautious, and stay safe. We'll be back next week with more tips and updates to keep you ahead of the threats.
