December 16, 2024

News roundup December 16, 2024

SAN MATEO, CA, December 16, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.

Critical flaw in WordPress Hunk Companion plugin

Threat actors have been discovered exploiting a critical flaw within the WordPress Hunk Companion plugin to install even more vulnerable plugins to pave the way for “Remote Code Execution (RCE), SQL Injection, Cross‑Site Scripting (XSS), or even the creation of administrative backdoors” according to a report from WPScan. The flaw, CVE-2024-11972, affects all versions of Hunk Companion before 1.9.0. If exploited, the flaw could also allow attackers to “leverage outdated or abandoned plugins to circumvent security measures, tamper with database records, execute malicious scripts, and seize control of the sites.” WPScan’s Daniel Rodriguez goes on to say that “the chain of exploitation underscores the importance of securing every component of a WordPress site, especially third‑party themes and plugins, which can become critical points of entry for attackers.” Read more.

$5M reward for info on North Korean IT worker farms

Illegal remote work has generated more than $88 million for the North Korean government over the last six years. The U.S. State Department is getting serious about identifying the front companies responsible by offering $5 million for information that could help disrupt them. Two of these companies, Chinese-based Yanbian Silverstar and Volasys Silverstar from Russia, facilitated hiring North Korean IT workers worldwide. “Yanbian Silverstar and Volasys Silverstar together employ more than 130 DPRK IT workers, who refer to themselves as ‘IT warriors,’” the State Department said. “These IT workers use the fraudulently acquired identities of hundreds of U.S. persons to gain remote employment and generate tens of millions of dollars which are laundered and sent back to the North Korean regime.” The DOJ has also indicted 14 North Korean “IT warriors” linked to Yanbian Silverstar and Volasys Silverstar for their involvement in violating U.S. sanctions as well as identity theft, wire fraud, and money laundering. When uncovered and fired, some workers weaponize their insider knowledge to extort the companies that hired them. Read more.

Snowflake to require MFA by late 2025

In response to an avalanche of cyberattacks against more than 100 Snowflake customer environments that were not protected with multi-factor authentication (MFA), the company has changed its policy and will block all single-factor-authentication access to customer accounts by November 2025. The policy, presented as a way to comply with the company’s commitment to CISA’s secure by design pledge, will roll out in phases. Phase one will require users without MFA to set it up the next time they sign into their accounts. Phase two will make MFA a requirement for all password-based sign-ins by human users. Phase three will block all login attempts that use single-factor authentication. “Our goal is to help drive the improvement of our customers’ security posture by providing strong authentication options and ultimately sunsetting the legacy authentication methods — raising the bar for the industry,” Snowflake CISO Brad Jones said Monday via email. Read more.

New zero-day bug in Windows allows system takeover

A zero-day bug within Windows that can allow a full system takeover is under active attack, according to Microsoft and CISA. Little is publicly known about how CVE-2024-49138 is being exploited or by whom. However, known details indicate that “it’s a heap-based buffer overflow vulnerability, a memory security issue, in the Microsoft Windows Common Log File System driver. We also know that it is a very widespread vulnerability impacting millions of Windows users.” Chris Goettl, vice president of security product management at Ivanti, said that the issue “affects all Windows OS editions back to Server 2008.” Windows Common Log File System exploits are favored among ransomware attackers, and Adam Barnett, lead software engineer at Rapid7, said to “expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws.” Read more.

New bill to bolster telecom cybersecurity

A new bill proposed by U.S. Senator Ron Wyden of Oregon suggests significant changes for how telecoms handle cybersecurity following Salt Typhoon’s massive espionage campaign. The bill, called the Secure American Communications Act, “will order the Federal Communications Commission (FCC) to issue binding cybersecurity rules and implement the security requirements demanded since 1994 by legislation that instructs telecom providers to secure their phone and wireless networks from breaches.” The bill would require telecoms to test their systems for security issues annually and document their results for yearly audits with the FCC. “It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules,” said Wyden. “Congress needs to step up and pass mandatory security rules to finally secure our telecom system against an infestation of hackers and spies.” Read more.

Chinese hacker charged with 2020 Sophos firewall hacks

A Chinese national has been charged with hacking into thousands of Sophos firewall devices in 2020. The unsealed charges reveal that the individual, Guan Tianfeng, is accused of conspiracy to commit computer fraud and conspiracy to commit wire fraud, as well as developing and testing vulnerabilities to use against the firewalls he targeted. According to the FBI, Tianfeng’s exploit was “used to infiltrate approximately 81,000 firewalls.” The U.S. Department of Justice goes on to say that “Guan and his co-conspirators registered and used domains designed to look like they were controlled by Sophos, such as sophosfirewallupdate[.]com” to hide their hacking activity. Sichuan Silence Information Technology Company, Limited, the company that Tianfeng worked for, has also been sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control because many affected by the activity were companies in charge of critical infrastructure. Read more.

Heart surgery device maker hit with ransomware attack

Artivion, a major heart surgery medical device manufacturer, had its systems disrupted due to a November 21 ransomware attack. “Artivion’s response measures included taking certain systems offline, initiating an investigation, and engaging external advisors, including legal, cybersecurity, and forensics professionals, to assess, contain, and remediate the incident,” the company revealed in a Monday 8-K filing with the U.S. Securities and Exchange Commission (SEC). The company said that the threat actors encrypted some of its systems and made off with data but that disruptions to its operations and shipping have been remedied. No ransomware group has taken credit for the attack at this time. Read more.

U.S. law for TikTok ban upheld by federal appeals court

The TikTok ban in its current form marches closer to reality as a federal appeals court has upheld the law that threatens to block the app’s usage in the U.S. unless parent company ByteDance divests ownership. According to the court’s ruling, the law signed by President Biden does not violate the U.S. Constitution’s free speech protections. ByteDance has until January 19th to divest the app or face removal from app stores. TikTok plans to challenge the ruling in the Supreme Court. President-elect Donald Trump, previously a vocal supporter of the app’s ban, has reversed his opinion, making it difficult to predict how the political environment may affect TikTok’s future in the U.S. Read more.

Fake AI video conferencing apps used to steal data

Researchers at Cado Security have identified a new scam campaign that delivers an info-stealing malware called Realst via fake video conferencing apps. Dubbed “Meeten” by the company, the activity targets users working in Web3 through Telegram under the guise of investment opportunities. Victims are urged to join a video call to discuss the details, and those who click a provided link are prompted to download an OS-specific version of the malicious app. Once downloaded, victims are prompted to update their system password to allow the app to operate. The criminals carrying out these scams are using AI to create fake companies to “increase legitimacy,” said Cado Security researcher Tara Gould. “Threat actors are increasingly using AI to generate content for their campaigns. Using AI enables threat actors to quickly create realistic website content that adds legitimacy to their scams and makes it more difficult to detect suspicious websites.” Read more.

FCC may expand cybersecurity rules for telecoms

Following the Salt Typhoon cyberattack on America’s telecoms, the FCC has proposed more stringent security requirements to mitigate those risks. If adopted, communication firms could be “subject to an annual certification requirement to create, update, and implement cybersecurity risk management plans.” Also, “a Declaratory Ruling that would clarify that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) creates a legal obligation for telecommunications carriers to secure their networks against unlawful access and interception” has been proposed by FCC Chairwoman Jessica Rosenworcel. The FCC has invited the public to comment on the expansion of the rules and to suggest further security measures. If they are accepted, the rules are set to take effect immediately. Read more.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.