This Month in Cybersecurity - December Edition

SonicWall SSL-VPN Firewalls Exposed to Critical Flaws

Over 25,000 SonicWall SSLVPN devices are vulnerable to serious security flaws, according to a recent analysis by cybersecurity firm Bishop Fox. These devices, used to provide secure remote access for businesses, are exposed to the internet and are targeted by attackers, including ransomware groups. Many of the vulnerable devices are running outdated or unsupported firmware, with around 20,000 using software versions that the company no longer supports.

Bishop Fox used internet scanning tools to identify over 430,000 SonicWall devices exposed online, meaning attackers can easily reach them and probe for weaknesses. Some of the devices are running older Series 4 and 5 firmware, which has reached end of life and no longer receives security updates. Many other devices are using unsupported versions of Series 6 firmware, leaving them open to known exploits.

While improvements have been made since earlier in the year, with fewer vulnerable devices, over 119,000 devices are still at risk. The majority of these are running Series 7 firmware but have not been updated to fix critical security flaws. The findings show that many organizations are slow to patch their devices, leaving them exposed to potential attacks.


CISA Updates KEV with Microsoft and Adobe Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. One is in the Microsoft Windows Kernel-Mode Driver (CVE-2024-35250), which can allow attackers to gain high-level system privileges with low effort, making it a serious risk for Windows users. The second is in Adobe ColdFusion (CVE-2024-20767), where an attacker can gain unauthorized access to files, particularly if the admin panel is exposed. Both vulnerabilities have high severity ratings, with scores of 7.8 and 7.4, respectively.

CISA has ordered federal agencies to address these vulnerabilities by early 2025 to prevent potential exploitation. While there have been no reports of active ransomware attacks using these specific flaws, CISA’s guidance is also directed at private organizations, urging them to review and fix any vulnerabilities listed in the catalog. This ongoing effort is part of a broader initiative to strengthen cybersecurity across U.S. infrastructure.


Okta Support Warns of Increased Phishing Attacks

Okta, a major provider of identity and authentication solutions, has warned organizations about a rise in phishing attacks impersonating its support team. These attacks aim to steal Okta credentials, which can allow cybercriminals to access sensitive systems. Okta's own security team, as well as its customers, are frequently targeted by bad actors due to the widespread use of Okta across many large enterprises.

The company has advised users to be vigilant for support-related phishing emails or calls, stressing that legitimate Okta support staff will never ask for passwords or multi-factor authentication (MFA) tokens. Okta has provided customers with a list of legitimate contact details and tips for spotting suspicious messages, such as unusual email addresses, urgent language, and misspelled content. The evolving tactics of these phishing attacks, enhanced by AI tools like ChatGPT, have made it harder to detect traditional phishing signs.

This warning comes after Okta faced a major data breach last year, which compromised information about its customer support system users, underscoring the importance of vigilance against such social engineering attacks.


Defensible Strategies

Learn from those who have been attacked

Large Data Breach Impacts Texas Tech University

Texas Tech University has announced that a ransomware attack on its Health Sciences Center and Health Sciences Center El Paso compromised the personal information of over 1.4 million individuals. The cyberattack, which occurred between September 17 and September 29, 2024, resulted in the theft of sensitive data, including names, addresses, Social Security numbers, health insurance details, medical diagnoses, and financial account information. The attack was discovered when the university experienced disruptions to its systems and applications.

While the university has not explicitly confirmed the use of ransomware, the Interlock ransomware group has claimed responsibility, stating they stole around 2.5 terabytes of data, including patient records and medical research. Interlock is known for targeting organizations in healthcare and other sectors using double-extortion tactics, where they encrypt data and demand ransom while also threatening to release it. The university is offering free credit monitoring to affected individuals and has reported the breach to the U.S. Department of Health and Human Services.

This breach is not the only cyberattack targeting Texas Tech University. Earlier in July, another ransomware group, Meow, claimed to have stolen sensitive data from the university, including emails and passwords, and was attempting to sell this information. Despite these ongoing attacks, Texas Tech University is working to secure its systems and assist those affected by the breaches.


Google Calendar Invites Used in Phishing Campaign

A new phishing campaign has been spreading rapidly, using Google Calendar invites to trick users into revealing sensitive information. Attackers spoof Google Calendar notifications, making them appear as legitimate invites from trusted sources. Initially, the phishing attempts included malicious .ics files, but to avoid detection by email security systems, the attackers have now embedded links to Google Drawings and Google Forms. The aim of the attack is to steal user credentials and defraud victims through financial scams, such as credit card fraud or unauthorized transactions.

The campaign targets a massive user base, as Google Calendar is used by over 500 million people worldwide. Researchers have observed over 4,000 phishing emails over a four-week period, with fake invites referencing about 300 well-known brands to make them seem more authentic. Once users click on a disguised link, they are directed to a fraudulent page that mimics a cryptocurrency or bitcoin support site, where they are prompted to enter personal and payment details.

To protect against these types of attacks, experts recommend enabling Google's "known senders" setting in Google Calendar, which alerts users when they receive invites from unfamiliar sources. Additionally, businesses should use advanced email security tools, such as attachment scanning and URL checks, and encourage employees to use multifactor authentication (MFA) and be aware of sophisticated phishing tactics. These steps can help reduce the risk of falling victim to these types of financial scams.

As always, if you have any questions or would like to take a look at phishing training, please reach out to us!

This Month in Cybersecurity - November Edition

Progress Kemp LoadMaster and VMware Under Exploitation

Two major security vulnerabilities, now patched, are being actively exploited by cybercriminals. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical flaw (CVE-2024-1212) in the Progress Kemp LoadMaster, a device used for load balancing. This vulnerability allows attackers to remotely execute commands on the system through its management interface, potentially giving them full access. Although it was patched in February 2024, CISA has now added it to its list of actively exploited vulnerabilities, urging quick remediation, especially by government agencies.

In addition, security issues have been identified in VMware's vCenter Server. Two flaws (CVE-2024-38812 and CVE-2024-38813) were revealed, one allowing remote code execution and the other enabling attackers to gain higher privileges on the system. These vulnerabilities were initially fixed in September 2024, but VMware had to release additional patches after realizing the first ones didn't fully resolve the problems. Both issues are now being targeted in real-world attacks, with cybercriminals exploiting them for malicious purposes.


Security Updates Coming to Microsoft Windows in 2025

Last summer, a flaw in a CrowdStrike security update caused major disruptions, damaging millions of PCs and servers worldwide. The incident exposed serious weaknesses in Windows' architecture, as fixing the problem required manual intervention on every affected device. In response, Microsoft announced new security measures designed to prevent similar issues in the future. These include new Safe Deployment Practices that ensure security updates are tested and deployed gradually, rather than all at once, allowing vendors to detect and fix problems before they cause widespread damage.

Microsoft is also introducing a feature called Quick Machine Recovery, which will help IT teams fix machines stuck in reboot loops due to faulty updates or drivers, without needing physical access to the devices. This feature, available for testing in early 2025, will allow remote fixes through Windows Update. Additionally, Microsoft is making a major change to allow security products to operate in user mode instead of kernel mode, improving security at a foundational level, though this change won’t be widely available until 2025 or later.

For Windows 11, Microsoft is rolling out new features to enhance security, such as preventing malware by limiting which apps can run. The new Smart App Control feature will block unknown and potentially harmful apps from running on personal PCs and will also stop scripts, including PowerShell, used by malware. This feature will be on by default for consumers and can be managed by IT teams in business environments. These updates aim to address key security vulnerabilities and make it harder for malware to exploit administrative privileges on user systems.


Malicious QR Codes Delivered by Mail

Cybercriminals have come up with a new way to spread malware by sending physical letters with malicious QR codes. In Switzerland, letters disguised as coming from the Swiss Federal Office of Meteorology encourage recipients to scan a QR code, claiming it will install a weather app on their Android smartphones. However, the QR code actually links to a malicious app called Coper, which can steal sensitive information from over 380 apps, including banking apps, and give hackers remote access to the device to spy on users.

This kind of attack is unusual because it uses the postal system, which is more costly compared to digital methods, but it can be effective since people are less suspicious of physical mail. Many people are also used to scanning QR codes in everyday situations without double-checking if the link is safe. The Swiss National Cyber Security Centre (NCSC) is warning recipients not to scan the QR code and to report any suspicious letters. Those who have already downloaded the malicious app are advised to reset their phones and change any compromised login details.


Defensible Strategies

Learn from those who have been attacked

Ford Launches Investigation into Potential Breach

Ford is investigating a claim by hackers who allege they stole customer information from the company. The hackers, known as IntelBroker and EnergyWeaponUser, posted on a cybercrime forum on November 17, claiming to have stolen 44,000 records, which include names, addresses, and details about product purchases. However, a sample of the stolen data released by the hackers shows mostly public information, such as car dealership addresses from around the world, rather than sensitive customer details. It’s unclear if the hackers have access to more sensitive data.

Ford confirmed that it is investigating the breach but has not yet confirmed the specifics of the stolen data. While IntelBroker is known for leaking data from high-profile companies, some of their previous claims have been exaggerated, and many victims have downplayed the extent of the breaches. Ford has not indicated whether any personal customer data has been compromised in this case.


Spotify Playlists Being Used as a Tool by Malicious Actors

Cybercriminals are abusing Spotify playlists and podcasts to promote pirated software, game cheat codes, and spam links, taking advantage of the platform's visibility on search engines like Google. By embedding targeted keywords such as "crack" or "warez" in playlist names and podcast descriptions, they boost the search engine rankings of their shady websites, making them more likely to appear in search results when people look for free software downloads. This tactic allows them to drive traffic to websites that often contain malware, scams, or unwanted programs hidden in "cracked" software.

One example of this scam involved a playlist titled "Sony Vegas Pro 13 Crack," which linked to dubious sites offering "free" software. While users might download the software they expect, they are often unknowingly putting their devices at risk, as these pirated versions can contain viruses or lead to scam websites. The real danger comes from the malware and deceptive ads often bundled with such pirated downloads. Spotify has removed the specific playlist and podcast after it was reported, but this type of abuse highlights the growing issue of spam and scam tactics on popular platforms like Spotify.

This Month in Cybersecurity - October Edition

Jetpack Plugin Patches Flaw Affecting 27 Million Sites

The Jetpack WordPress plugin, used on millions of sites, has released a critical security update to fix a vulnerability that allowed logged-in users to view others' submitted forms. This issue was discovered during an internal audit and has existed since 2016. Jetpack, part of Automattic, collaborated with the WordPress.org Security Team to ensure that users receive the update automatically, addressing the flaw in numerous versions of the plugin.

In related news, a dispute has emerged between WordPress founder Matt Mullenweg and WP Engine regarding the security of the Advanced Custom Fields (ACF) plugin. WordPress has taken control of ACF to create a fork called Secure Custom Fields, which has been updated to fix a security issue. While WP Engine disputes the manner of this takeover, WordPress emphasizes its responsibility to ensure the safety of its plugins and users.


CISA Adds New Vulnerabilities to the KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Notably, a severe flaw (CVE-2024-23113) in Fortinet’s products allows attackers to execute unauthorized commands through specially crafted packets, with a high severity score of 9.8. Additionally, Ivanti's Cloud Service Appliance has been flagged for two vulnerabilities (CVE-2024-9379 and CVE-2024-9380) that enable SQL injection and command injection attacks, scoring 6.5 and 7.2, respectively.

Ivanti recently reported that these vulnerabilities, particularly when combined with a previously addressed zero-day vulnerability (CVE-2024-8963), are being actively exploited in real-world attacks. The company confirmed that some customers using outdated versions of its software have already been targeted by these exploits. They emphasized that no other Ivanti products are affected by these vulnerabilities.

CISA has mandated that federal agencies must address these vulnerabilities by October 30, 2024, to secure their networks against potential attacks. Experts also advise private organizations to review the KEV catalog and take necessary actions to protect their systems from these identified vulnerabilities.


The Internet Archive Experiences DDoS Attack

The Internet Archive has partially restored its services after facing a DDoS attack on October 9, followed by a data breach that exposed users' information. For several days, the site struggled to load properly, showing a basic page instead of its usual content. As of October 14, the Archive's digital librarian, Brewster Kahle, announced that the Wayback Machine service, which preserves web pages, was functioning again, although other features were still being gradually restored.

Experts from Netscout analyzed the DDoS attack, which lasted about three hours and directed significant traffic toward the Archive's servers. They noted that the attack likely originated from a modern variant of Mirai malware, which turns devices into a botnet, with most of the traffic coming from devices in Korea, China, and Brazil. While the Archive has been busy getting back online, many users whose data was compromised are eagerly awaiting more information about the incident and how the organization plans to enhance security in the future.


Defensible Strategies

Learn from those who have been attacked

Cisco Investigates Breach After Stolen Data Surfaces

Cisco is currently investigating claims of a data breach after a hacker known as "IntelBroker" announced on a hacking forum that he, along with two associates, accessed and stole a significant amount of developer data from the company. Cisco has confirmed awareness of these allegations and is actively assessing the situation. The stolen data reportedly includes sensitive materials such as source code, project files, customer documents, and various credentials.

The hacker claims to have stolen this information on October 6, 2024, and has shared samples of the alleged data, including databases and customer management screenshots. While the full extent of the breach is still under investigation, it's noteworthy that IntelBroker has previously leaked data from other major companies, raising concerns about the security of third-party vendors connected to these firms. Cisco has not yet confirmed if this incident is related to earlier breaches involving other companies.


Gryphon Healthcare Discloses Breach that Exposed 400,000 Individuals

Gryphon Healthcare, a Houston-based company that provides services to healthcare organizations, has reported a significant data breach that may have exposed the personal information of up to 400,000 individuals. The compromised data could include sensitive details such as patients' names, Social Security numbers, and medical information, like treatment histories and insurance details. Gryphon stated that they take the security of this information very seriously and have begun offering affected individuals credit monitoring and identity protection services.

The breach was detected on August 13, with Gryphon finishing its review of the affected data by September 3, while unauthorized access reportedly began on July 6. The company has implemented measures to improve security following the incident but has not disclosed specific details about how the breach occurred. Legal action is already in motion, as a law firm is seeking to represent victims of the breach in a proposed class-action lawsuit.

Data breaches in the healthcare sector often lead to legal repercussions, as seen in previous cases where companies faced numerous lawsuits after their data was compromised. For example, Med-Data settled a similar case for $7 million earlier this year, while another company faced a $65 million settlement following a significant breach. The healthcare industry remains vulnerable to such incidents, emphasizing the importance of protecting patient information.

This Month in Cybersecurity - September Edition

Windows Vulnerability Exploited as Zero-Day

Microsoft has recently highlighted a significant security vulnerability in Windows, known as CVE-2024-43461, which affects the retired Internet Explorer browser. Although Internet Explorer is no longer actively used, the underlying platform it utilized remains part of Windows and can still pose risks. This vulnerability allows attackers to run malicious code if a user inadvertently visits a harmful webpage or opens a tainted file. The flaw, which can mislead users about the true nature of a downloaded file, was exploited in the wild prior to its patching in September 2024.

The issue was reported by Trend Micro’s Zero Day Initiative, which explained that the vulnerability tricks users by concealing the actual file extension, making a harmful file seem harmless. Microsoft has linked this flaw to a previous vulnerability, CVE-2024-38112, which was exploited in attacks by a sophisticated group known as Void Banshee.

To safeguard against these threats, Microsoft advises users to ensure they have installed both the July and September 2024 security updates, as these patches address the vulnerabilities and help protect against potential exploits.


WhatsApp View Once Fix Fails in One Week

Meta's attempt to secure WhatsApp's "View Once" feature, which allows users to send photos, videos, and voice recordings that disappear after being viewed, has been quickly undermined by white-hat hackers. Originally introduced in August 2021 as a privacy measure, the feature was intended to prevent recipients from saving or sharing content. However, hackers from the crypto wallet startup Zengo discovered a way to recover these supposedly self-destructing messages, leading to a public disclosure of the flaw after Meta failed to respond to their earlier reports through its bug bounty program.

In response to the security breach, WhatsApp modified its code to make it harder to exploit the vulnerability, initially appearing successful as some users reported their content-saving extensions no longer worked. However, Zengo's co-founder noted that the core issue remains unresolved: the View Once messages are still being sent to servers that can access them, which allows the exploits to continue.

Although Meta has indicated that a more comprehensive solution is in progress, the vulnerability persists, raising concerns about the effectiveness of the current measures and the company's communication with those who reported the issue.


Spyware Case Dropped Against NSO by Apple

Apple has decided to voluntarily dismiss its lawsuit against NSO Group, a company that creates commercial spyware, due to concerns about exposing sensitive security information. Originally filed in November 2021, the lawsuit aimed to hold NSO accountable for using its Pegasus tool to target users illegally.

Apple noted that while its efforts and those of others have weakened NSO, the emergence of new malicious actors in the spyware industry poses additional risks. The company believes that continuing the lawsuit could jeopardize vital intelligence that helps protect users from such threats.

The decision to withdraw the lawsuit reflects broader changes in the spyware landscape, with various new companies emerging and existing ones adapting to avoid detection. For example, NSO Group has faced challenges from both Apple and other organizations, yet the spyware market continues to evolve, complicating efforts to combat it.

Apple remains committed to fighting against spyware, but it recognizes the potential risks involved in the legal process, which could inadvertently reveal valuable information to malicious actors.


Defensible Strategies

Learn from those who have been attacked

Access Sports Data Breach Impacts 88,000

Access Sports Medicine & Orthopaedics is notifying over 88,000 individuals that their personal and health information has been compromised following a cyberattack. The New Hampshire-based organization detected suspicious activity on its network on May 10, 2024, leading to an investigation that revealed unauthorized access to files containing sensitive data. The attack was attributed to a ransomware group known as Inc Ransom, which has targeted various sectors, including healthcare, and is known for encrypting data and stealing valuable information to extort ransom payments.

The breach has exposed a range of personal information, including names, Social Security numbers, dates of birth, financial details, and medical records. Although Access Sports has stated that there is currently no evidence of misuse of this information, they are offering fraud protection services to those affected. The situation is concerning, as Inc Ransom has claimed responsibility for the attack and has leaked significant amounts of data, including contracts and confidential documents, further complicating the issue for the affected individuals.


Class-Action Breach Suit Settled by 23andMe

Genetic testing company 23andMe has agreed to pay $30 million to settle a class action lawsuit related to a significant data breach that occurred in 2023. The breach affected about 6.4 million customers in the U.S., with hackers stealing sensitive data that was later found for sale on the dark web.

As part of the settlement, 23andMe will provide three years of privacy and medical monitoring services to those impacted. The breach specifically targeted Ashkenazi Jewish and Chinese customers, with the attacker gaining access to the company's systems for five months before the issue was discovered.

The settlement reflects 23andMe's challenging financial situation, exacerbated by the breach and ongoing litigation. The company has seen its stock value plummet and reported substantial losses, including a 34% drop in revenue year-over-year and a $69 million loss in a recent quarter. Despite these financial strains, 23andMe expects that around $25 million of the settlement will be covered by insurance, helping to mitigate the impact on its reserves.