This Month in Cybersecurity - November Edition
Progress Kemp Loadmaster and VMWare Under Exploitation
Two major security vulnerabilities, now patched, are being actively exploited by cybercriminals. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical flaw (CVE-2024-1212) in the Progress Kemp LoadMaster, a device used for load balancing. This vulnerability allows attackers to remotely execute commands on the system through its management interface, potentially giving them full access. Although it was patched in February 2024, CISA has now added it to its list of actively exploited vulnerabilities, urging quick remediation, especially by government agencies.
In addition, security issues have been identified in VMware's vCenter Server. Two flaws (CVE-2024-38812 and CVE-2024-38813) were revealed, one allowing remote code execution and the other enabling attackers to gain higher privileges on the system. These vulnerabilities were initially fixed in September 2024, but VMware had to release additional patches after realizing the first ones didn't fully resolve the problems. Both issues are now being targeted in real-world attacks, with cybercriminals exploiting them for malicious purposes.
Updates to Security Coming to Microsoft in 2025
Last summer, a flaw in a CrowdStrike security update caused major disruptions, damaging millions of PCs and servers worldwide. The incident exposed serious weaknesses in Windows' architecture, as fixing the problem required manual intervention on every affected device. In response, Microsoft announced new security measures designed to prevent similar issues in the future. These include new Safe Deployment Practices that ensure security updates are tested and deployed gradually, rather than all at once, allowing vendors to detect and fix problems before they cause widespread damage.
Microsoft is also introducing a feature called Quick Machine Recovery, which will help IT teams fix machines stuck in reboot loops due to faulty updates or drivers, without needing physical access to the devices. This feature, available for testing in early 2025, will allow remote fixes through Windows Update. Additionally, Microsoft is making a major change to allow security products to operate in user mode instead of kernel mode, improving security at a foundational level, though this change won’t be widely available until 2025 or later.
For Windows 11, Microsoft is rolling out new features to enhance security, such as preventing malware by limiting which apps can run. The new Smart App Control feature will block unknown and potentially harmful apps from running on personal PCs and will also stop scripts, including PowerShell, used by malware. This feature will be on by default for consumers and can be managed by IT teams in business environments. These updates aim to address key security vulnerabilities and make it harder for malware to exploit administrative privileges on user systems.
Malicious QR Codes Delivered by Mail
Cybercriminals have come up with a new way to spread malware by sending physical letters with malicious QR codes. In Switzerland, letters disguised as coming from the Swiss Federal Office of Meteorology encourage recipients to scan a QR code, claiming it will install a weather app on their Android smartphones. However, the QR code actually links to a malicious app called Coper, which can steal sensitive information from over 380 apps, including banking apps, and give hackers remote access to the device to spy on users.
This kind of attack is unusual because it uses the postal system, which is more costly compared to digital methods, but it can be effective since people are less suspicious of physical mail. Many people are also used to scanning QR codes in everyday situations without double-checking if the link is safe. The Swiss National Cyber Security Centre (NCSC) is warning recipients not to scan the QR code and to report any suspicious letters. Those who have already downloaded the malicious app are advised to reset their phones and change any compromised login details.
Defensible Strategies
Learn from those who have been attacked
Ford Launches Investigation of Potential Breach
Ford is investigating a claim by hackers who allege they stole customer information from the company. The hackers, known as IntelBroker and EnergyWeaponUser, posted on a cybercrime forum on November 17, claiming to have stolen 44,000 records, which include names, addresses, and details about product purchases. However, a sample of the stolen data released by the hackers shows mostly public information, such as car dealership addresses from around the world, rather than sensitive customer details. It’s unclear if the hackers have access to more sensitive data.
Ford confirmed that it is investigating the breach but has not yet confirmed the specifics of the stolen data. While IntelBroker is known for leaking data from high-profile companies, some of their previous claims have been exaggerated, and many victims have downplayed the extent of the breaches. Ford has not indicated whether any personal customer data has been compromised in this case.
Spotify Playlists Being Used as a Tool for Malicious Agents
Cybercriminals are abusing Spotify playlists and podcasts to promote pirated software, game cheat codes, and spam links, taking advantage of the platform's visibility on search engines like Google. By embedding targeted keywords such as "crack" or "warez" in playlist names and podcast descriptions, they boost the search engine rankings of their shady websites, making them more likely to appear in search results when people look for free software downloads. This tactic allows them to drive traffic to websites that often contain malware, scams, or unwanted programs hidden in "cracked" software.
One example of this scam involved a playlist titled "Sony Vegas Pro 13 Crack," which linked to dubious sites offering "free" software. While users might download the software they expect, they are often unknowingly putting their devices at risk, as these pirated versions can contain viruses or lead to scam websites. The real danger comes from the malware and deceptive ads often bundled with such pirated downloads. Spotify has removed the specific playlist and podcast after it was reported, but this type of abuse highlights the growing issue of spam and scam tactics on popular platforms like Spotify.