CybersecurityHQ News Roundup - November 19, 2024

News By Daniel Michan Published on November 19


Apple Confirms Zero-Day Attacks Hitting macOS Systems

Apple has issued urgent macOS and iOS updates to patch two zero-day vulnerabilities that are being actively exploited. The flaws were reported by Google's Threat Analysis Group (TAG). Apple says the exploitation it is aware of targeted Intel-based Mac systems, but the underlying bugs live in the WebKit browser engine and are fixed on every affected platform, so the updates apply to all users and not only to Intel Macs.

The vulnerabilities are:

  • CVE-2024-44308: A flaw in JavaScriptCore that allows arbitrary code execution when the browser processes maliciously crafted web content.
  • CVE-2024-44309: A cookie management issue in WebKit that can lead to a cross-site scripting (XSS) attack when processing maliciously crafted web content.

Apple released the fixes in iOS 18.1.1 and 17.7.2, macOS Sequoia 15.1.1, and Safari 18.1.1 for macOS Ventura and Sonoma, and encouraged all users to apply them promptly. In line with its usual practice, Apple disclosed no details of the exploits and published no indicators of compromise (IOCs), so for now defenders can do little beyond confirming that devices are on the patched versions.

Vulnerable Jupyter Servers Targeted for Sports Piracy

Threat actors are exploiting misconfigured JupyterLab and Jupyter Notebook servers for sports piracy, according to research from Aqua Security. These data science environments, often left unprotected, have become a target for cybercriminals seeking to hijack server resources for illegal activities.

Researchers found attackers logging into unauthenticated Jupyter servers, downloading and running FFmpeg to capture live sports broadcasts, and re-streaming them to servers under the attackers' control. The pirated streams earn advertising revenue while causing financial losses to legitimate broadcasters.

Approximately 15,000 Jupyter servers are exposed to the internet, and roughly 1% of them allow unauthenticated remote code execution. That is inherent in the product: a notebook server exists to run arbitrary code on its host, so a server reachable without a token or password is a remote shell for anyone who finds it. Aqua Security’s Assaf Morag highlighted that while the immediate impact (stolen bandwidth and CPU) might seem minor, the broader risks include data theft, denial of service, and corruption of AI/ML pipelines that run on the same hosts. Organizations using Jupyter environments are advised to review their configurations and secure their systems to prevent exploitation.
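The 1% figure is the one that matters, because the only thing separating a Jupyter server from a public remote-code-execution service is its authentication settings. The following added example (not Aqua Security's or the Jupyter project's code) audits a jupyter_server_config.py for the combination of settings that produces exactly the exposure described above: a server bound to all interfaces with token authentication disabled and no password hash configured. The two configs are constructed for the example, the placeholder password hash is not a real one, and a text-only check like this will not see settings passed through environment variables or command-line flags.

```python
"""Audit a jupyter_server_config.py for the settings that turn a notebook
server into an unauthenticated remote shell.

Added example, not Aqua Security's or the Jupyter project's code. The two
configs below are constructed; the option names are real Jupyter Server
traitlets (ServerApp.*, IdentityProvider.token,
PasswordIdentityProvider.hashed_password), but a deployment may also set
them via environment variables or CLI flags, which this check will not see."""
import re

# Each pattern flags one weak setting in a config file.
WEAK_PATTERNS = {
    # Listening on all interfaces instead of localhost ('' and '*' also bind everything).
    "ip_all_interfaces": re.compile(
        r"^\s*c\.ServerApp\.ip\s*=\s*['\"](?:0\.0\.0\.0|::|\*)?['\"]", re.M),
    # Token authentication explicitly switched off (old and new option names).
    "token_disabled": re.compile(
        r"^\s*c\.(?:ServerApp|IdentityProvider)\.token\s*=\s*(?:''|\"\")", re.M),
    # Kernels run as root: any code execution on the server is immediately root.
    "allow_root": re.compile(r"^\s*c\.ServerApp\.allow_root\s*=\s*True", re.M),
    # CORS wide open: any website the user visits can drive the server API.
    "allow_origin_any": re.compile(
        r"^\s*c\.ServerApp\.allow_origin\s*=\s*['\"]\*['\"]", re.M),
}

# A non-empty password hash means password authentication is configured.
PASSWORD_SET = re.compile(
    r"^\s*c\.(?:ServerApp\.password|PasswordIdentityProvider\.hashed_password)"
    r"\s*=\s*['\"][^'\"]+['\"]", re.M)


def audit_jupyter_config(config_text: str) -> dict:
    """Return each weak setting found plus an overall exposure verdict."""
    findings = {name: bool(p.search(config_text)) for name, p in WEAK_PATTERNS.items()}
    findings["password_set"] = bool(PASSWORD_SET.search(config_text))
    # Jupyter generates a random token when neither token nor password is
    # configured, so "no auth" means the token was explicitly emptied AND no
    # password hash exists. Combined with an all-interfaces bind, anyone who
    # can reach the port gets a kernel: unauthenticated code execution.
    findings["unauthenticated_exposure"] = (
        findings["ip_all_interfaces"]
        and findings["token_disabled"]
        and not findings["password_set"]
    )
    return findings


# Constructed: the kind of config that ends up in the exposed 1%.
WEAK_CONFIG = """
c = get_config()
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_root = True
c.ServerApp.allow_origin = '*'
"""

# Constructed: the same server, hardened. Remote users reach it through an
# SSH tunnel or a reverse proxy that terminates TLS, not directly.
HARDENED_CONFIG = """
c = get_config()
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.allow_remote_access = False
# Placeholder value: generate the real hash with `jupyter server password`.
c.PasswordIdentityProvider.hashed_password = 'argon2:PLACEHOLDER_HASH'
c.ServerApp.allow_root = False
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_jupyter_config(cfg))
```

Run it against every jupyter_server_config.py (and the older jupyter_notebook_config.py, whose NotebookApp.* options map one-to-one) found on build hosts and data-science VMs; any result with unauthenticated_exposure set is a server that the Aqua findings say will be found and used within days.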

Employee Data Compromised in Hacker Attack on Maxar

Maxar Space Systems disclosed a data breach that compromised employees' personal information. Discovered on October 11, the breach allowed hackers to access Maxar’s network for a week. Affected data includes names, addresses, Social Security numbers, and employment details, though bank account information and birthdates were not included.

The attack was linked to a hacker using a Hong Kong-based IP address, but Maxar has not disclosed the number of affected individuals. Impacted employees are being offered free identity protection services, though former employees only receive one year of coverage. Maxar assured stakeholders that vulnerabilities enabling the breach have been resolved. However, the incident underscores the risks organizations face in securing sensitive employee data.

CISA Director Jen Easterly to Step Down

Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency (CISA), will step down on January 20, alongside deputy director Nitin Natarajan, as part of a transition tied to the new presidential administration.

Easterly has led CISA since 2021, advancing initiatives like Secure by Design principles, the Known Exploited Vulnerabilities (KEV) catalog, and the Shields Up campaign. Her tenure has positioned CISA as a key player in federal incident response and cybersecurity strategy, despite criticism over the agency's multi-billion-dollar budget.

Easterly’s departure comes at a critical juncture as CISA addresses significant threats, including a Chinese cyber-espionage campaign targeting U.S. telecommunications companies. A recent joint statement from CISA and the FBI confirmed ongoing investigations into compromises by Chinese government-backed hackers, known as Salt Typhoon. This campaign involves theft of customer call data and private communications from individuals involved in government or political activities.

As CISA transitions leadership, maintaining its momentum and focus on defending critical infrastructure against nation-state threats remains imperative.

Russian Phobos Ransomware Operator Extradited to the US

A major breakthrough in the fight against ransomware occurred when Evgenii Ptitsyn, a 42-year-old Russian national, was extradited from South Korea to the United States. Ptitsyn, allegedly a key figure in the development and operations of the Phobos ransomware, faces multiple charges, including wire fraud and computer hacking.

The Allegations Against Ptitsyn

According to an indictment unsealed by the US Department of Justice (DoJ), Ptitsyn was instrumental in the creation and distribution of Phobos ransomware as part of a Ransomware-as-a-Service (RaaS) model. This model allowed affiliates to use the ransomware to encrypt victims’ data and extort payments, targeting over 1,000 organizations worldwide and collecting more than $16 million in ransom payments.

The indictment alleges Ptitsyn oversaw a Tor-based platform used to sell and distribute the ransomware. Affiliates would infiltrate victim networks, often through stolen credentials, exfiltrate sensitive data, and then encrypt systems with Phobos. Victims faced dual extortion: pay for decryption keys or risk public exposure of stolen data.

Charges and Potential Sentencing

Ptitsyn faces serious penalties, including:

  • Wire fraud: up to 20 years per count
  • Computer hacking (intentional damage to protected computers): up to 10 years per count
  • Extortion: up to 5 years per count

This case underscores the US government’s commitment to prosecuting cybercriminals globally, leveraging international cooperation to bring perpetrators to justice.

Learn more about the DoJ's indictment here.

Phobos: A Persistent Threat

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and MS-ISAC, issued a joint #StopRansomware advisory (AA24-060A) in February 2024 highlighting the ongoing threat Phobos poses to critical infrastructure sectors, including healthcare and education. The operation continues to adapt: the advisory describes affiliates gaining initial access through phishing and exposed, brute-forced RDP services, then using stolen credentials and unpatched systems to move through victim networks.

For organizations seeking guidance on mitigating ransomware risks, CISA offers comprehensive resources.

The Urgent Need to Prioritize Mobile Security

As enterprises embrace mobile-first strategies, the need to secure mobile ecosystems has become critical. Trends like Bring Your Own Device (BYOD) and hybrid work environments are reshaping corporate security landscapes, exposing organizations to evolving mobile threats.

Mobile Security by the Numbers

  • 55% of organizations report increased mobile device users in the past year.
  • 70% of employees use smartphones for work-related tasks.
  • 144 interactions per day: The average smartphone user’s engagement with apps.

While these trends improve productivity, they introduce a range of cybersecurity risks.

Top 5 Mobile Threats

1. Mobile Phishing ("Mishing")

Phishing campaigns are increasingly targeting mobile users via SMS (smishing), voice (vishing), QR codes (quishing), and social media platforms. A staggering 82% of phishing websites are mobile-optimized, making detection more challenging on small screens.

2. Mobile Malware

Malicious apps, often downloaded from unofficial sources, infect devices with spyware, ransomware, and banking trojans. Researchers identified 200 malicious apps on Google Play, collectively downloaded over 8 million times.

3. Side-loaded Apps

An estimated 18% of users sideload apps from unofficial sources, dramatically increasing the risk of malware infections. With regulations like the Digital Markets Act promoting sideloading, vigilance is paramount.

4. Platform Vulnerabilities

Many users fail to update their devices, leaving them exposed. Forbes reports 500 million outdated Android devices are vulnerable to exploitation, while 40% of users run devices with known weaknesses.

5. Poor Application Vetting

Third-party and in-house applications often lack robust security measures, posing risks like insecure data storage and susceptibility to reverse engineering.

Explore Zimperium’s mobile threat research (PDF).

Why Mobile Risks Persist

Unlike desktops, mobile devices blur personal and professional boundaries, complicating IT oversight. Users often resist security measures like antivirus software or OS updates, leaving devices exposed. Additionally, the vast diversity in hardware and operating systems challenges standardized security protocols.

Mitigating Mobile Security Risks

Organizations can adopt best practices, including:

  • User Education: Train employees to recognize phishing attempts and secure their devices.
  • Cybersecurity Tools: Deploy mobile threat defense (MTD) systems for real-time threat detection.
  • Network Access Control: Restrict outdated or unpatched devices from accessing corporate networks.
  • Strong Authentication: Use phishing-resistant multi-factor authentication (MFA).
  • Application Vetting: Evaluate app permissions and developer reputations before approval.

For actionable insights, visit Verizon’s Mobile Threat Intelligence page.

Threat Actor Exploits IoT Devices as Residential Proxies

The adversary Water Barghest has compromised over 20,000 Internet-of-Things (IoT) devices, turning them into residential proxies for cybercriminals. The threat actor monetizes these devices by listing them on specialized proxy marketplaces within minutes of exploitation, reports Trend Micro.

How Water Barghest Operates

Water Barghest leverages:

  • IoT Vulnerabilities: Exploiting both known and zero-day vulnerabilities in devices from major brands like Cisco, Netgear, and Zyxel.
  • Automation: Using virtual private servers (VPS) to continuously scan for weaknesses and deploy malware.
  • Anonymity: Accepting cryptocurrency payments to evade detection.

Trend Micro observed that newly compromised devices are listed as proxies on marketplaces in as little as 10 minutes.

The Role of Ngioweb Malware

The Ngioweb malware, initially written for Windows, now targets Linux and IoT devices. Water Barghest uses it to infect routers, NAS devices, and other IoT systems, turning each into a proxy node that is sold on the marketplace. Trend Micro notes that the buyers include both financially motivated criminals and espionage groups, all of whom want their traffic to originate from ordinary residential IP addresses rather than from hosting providers that defenders can block.

Read Trend Micro’s detailed report.

Why IoT Botnets Persist

The longevity of IoT botnets like Water Barghest’s stems from:

  • Automation: Streamlining exploitation and deployment processes.
  • Refinement: Regular updates to evade detection.
  • Demand: Growing use by Advanced Persistent Threats (APTs) and financially motivated groups for espionage and anonymization.

Addressing IoT Risks

As IoT adoption surges, securing these devices is imperative. Best practices include:

  • Patch Management: Regularly updating firmware to close known vulnerabilities.
  • Network Segmentation: Isolating IoT devices from sensitive systems.
  • Monitoring: Deploying intrusion detection systems (IDS) to flag suspicious activities.

For organizations looking to bolster IoT security, CISA offers comprehensive guidance.

Hackers Redirect $250,000 Payment in iLearningEngines Cyberattack

iLearningEngines, an AI-powered learning automation firm, disclosed on Monday a cybersecurity breach that resulted in the theft of $250,000.

The company informed the SEC that a threat actor accessed its systems, deleted some emails, and redirected a wire payment intended for another recipient. The stolen funds remain unrecovered. iLearningEngines, based in Maryland, specializes in leveraging AI to provide personalized learning and workflow automation solutions for enterprises.

“The Company has incurred, and may continue to incur, certain expenses related to its response to this incident,” iLearningEngines stated in its SEC filing. Despite this, it anticipates the incident will not significantly impact its full-year 2024 financial results, although the quarterly performance ending December 31, 2024, might see a material effect.

The details of the attack, an intruder deleting emails and redirecting a wire transfer, fit the pattern of business email compromise (BEC), in which attackers hijack or impersonate a mailbox to divert legitimate payments. According to the FBI, BEC attacks resulted in losses of $2.9 billion in 2023 alone, making it one of the costliest cybercrime tactics.

No ransomware group has claimed responsibility for the attack, which is consistent with a BEC fraud rather than an extortion operation. For more about BEC schemes and their impact, visit the FBI Internet Crime Report.

Akira Ransomware Drops 30 Victims on Leak Site in One Day

The Akira ransomware group, active since March 2023, leaked data from 32 victims in a single day, according to a report from cyber risk firm Cyberint. This marks a record spike in Akira’s criminal activities, with over 350 organizations impacted globally.

In April 2024, U.S. government estimates suggested Akira had compromised 250 victims, including critical infrastructure entities in North America, Europe, and Australia, amassing approximately $42 million in ransoms. Akira employs a ransomware-as-a-service (RaaS) model, allowing affiliates to use its tools in exchange for a cut of the proceeds.

Cyberint revealed that on November 13 and 14, Akira added 32 victims to its Tor-based leak site. The leaks included businesses from the U.S., Canada, and several European countries, primarily targeting the business services sector but extending to construction, manufacturing, and retail industries.

“These findings align with trends observed over the past two years, where the United States remains Akira’s primary target, and business services continue to lead as the most targeted sector globally,” Cyberint noted.

The scale of these leaks may reflect escalating operations akin to those of other ransomware groups, such as LockBit, which leaked data from 60 victims over two days in May 2024. For detailed insights on ransomware trends, read more at Cyberint.

Ford Investigating Potential Breach After Hackers Claim Data Theft

Ford Motor Company is investigating claims of a data breach after hackers alleged they had stolen customer information. The claims surfaced on BreachForums on November 17, with hackers IntelBroker and EnergyWeaponUser asserting they obtained 44,000 customer records, including names, addresses, and purchase details.

The hackers also shared a sample dataset showing addresses of car dealerships, suggesting the stolen data might pertain to dealerships rather than individual customers. While the leaked data seems to be from an internal database, it does not appear sensitive, as dealership addresses are generally public information.

“Ford is aware and is actively investigating the allegations that there has been a breach of Ford data. Our investigation is active and ongoing,” the company told SecurityWeek.

IntelBroker, a notorious hacker, has previously targeted high-profile companies, often exaggerating claims. This incident highlights the ongoing risks businesses face from both data breaches and the public disclosure of alleged breaches. Learn more about cybercrime forums and their impact at SecurityWeek.

Palo Alto Patches Firewall Zero-Day Exploited in Operation Lunar Peek

Palo Alto Networks has released critical patches for two firewall zero-day vulnerabilities exploited in an operation dubbed Operation Lunar Peek. The company first became aware of the zero-days in early November and confirmed active exploitation on November 15.

The critical vulnerability, CVE-2024-0012, is an authentication bypass that lets an unauthenticated attacker with network access to the PAN-OS management web interface gain administrator privileges. From there the attacker can perform administrative actions, tamper with the configuration, or chain a second flaw, CVE-2024-9474, a privilege escalation that turns administrative access into root on the firewall itself.

Both vulnerabilities have been addressed with updates across the PAN-OS 11.2, 11.1, 11.0, 10.2, and 10.1 maintenance trains. Because exploitation requires reaching the management interface, Palo Alto has advised customers to restrict management access to trusted internal IP addresses. A firewall whose management interface is reachable only from a dedicated management network is far less exposed, but it still needs the patch.
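Deciding whether a fleet is actually patched is harder than it sounds because PAN-OS hotfix versions (for example 10.2.12-h2) do not sort correctly as plain strings. The added example below (not Palo Alto Networks' code) parses PAN-OS version strings, compares each firewall against the minimum fixed release for its maintenance train, and ranks unpatched devices whose management interface is internet-reachable first, since that is the exploitable combination. The fixed releases in the table are the ones listed in the vendor advisory for these CVEs; confirm them against the current advisory before relying on the output. The inventory is constructed.

```python
"""Rank PAN-OS firewalls by exposure to CVE-2024-0012 / CVE-2024-9474.

Added example, not Palo Alto Networks' code. FIXED_RELEASES holds the minimum
fixed release per maintenance train as published in the vendor advisory;
verify it against the current advisory. INVENTORY is constructed sample data."""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed release per train. Anything at or above it contains the fix,
# including later maintenance releases without a hotfix suffix (e.g. 10.2.13).
FIXED_RELEASES: Dict[str, str] = {
    "11.2": "11.2.4-h1",
    "11.1": "11.1.5-h1",
    "11.0": "11.0.6-h1",
    "10.2": "10.2.12-h2",
    "10.1": "10.1.14-h6",
}

# PAN-OS versions look like major.minor.maint or major.minor.maint-hN.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.12-h2' into (10, 2, 12, 2) so tuples compare correctly.
    A release without a hotfix suffix gets hotfix 0, which is what makes
    10.2.12 sort below 10.2.12-h2 while 10.2.13 sorts above it."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above its train's fixed release, False if
    below, None if the train is not in the table (manual review, e.g. an
    end-of-life train that will never receive the fix)."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None
    return parsed >= parse_version(fixed)


def triage(inventory: List[dict]) -> List[Tuple[str, str]]:
    """Unpatched devices with an internet-reachable management interface are
    the exploitable combination, so they sort to the top."""
    severity = {"CRITICAL": 0, "HIGH": 1, "REVIEW": 2, "OK": 3}
    results = []
    for fw in inventory:
        patched = is_patched(fw["version"])
        if patched is False and fw["mgmt_internet_exposed"]:
            level, why = "CRITICAL", "unpatched and management interface exposed"
        elif patched is False:
            level, why = "HIGH", "unpatched; access restriction is the only mitigation"
        elif patched is None:
            level, why = "REVIEW", "version train not in fixed-release table"
        else:
            level, why = "OK", "patched"
        results.append((fw["name"], f"{level}: {why}"))
    # sorted() is stable, so devices at the same level keep inventory order.
    return sorted(results, key=lambda r: severity[r[1].split(":")[0]])


# Constructed inventory for the example.
INVENTORY = [
    {"name": "fw-dc-edge", "version": "10.2.12-h1", "mgmt_internet_exposed": True},
    {"name": "fw-branch-1", "version": "10.2.12-h2", "mgmt_internet_exposed": False},
    {"name": "fw-lab", "version": "11.1.6", "mgmt_internet_exposed": True},
    {"name": "fw-legacy", "version": "9.1.17", "mgmt_internet_exposed": False},
    {"name": "fw-dmz", "version": "11.2.4", "mgmt_internet_exposed": False},
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY):
        print(f"{name:12} {status}")
```

The mgmt_internet_exposed field is the part worth automating: populate it from your own external scan of the management interface rather than from the firewall's configuration, because the Shadowserver numbers below show how often the two disagree.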

The Shadowserver Foundation reported a drop in internet-exposed PAN-OS interfaces from 11,000 to 6,600 IPs within a week of the vulnerabilities' discovery, signaling heightened awareness and mitigation efforts.

The Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog and urged federal organizations to patch by December 9. For detailed technical insights, visit CISA's KEV Catalog.

Palo Alto is tracking the threat actor behind these attacks but has not disclosed their identity. Indicators of compromise (IoCs), including IP addresses and hashes, have been shared with customers to assist in threat detection and prevention.

For more about the importance of patching and securing firewalls, check out Palo Alto Networks’ advisory.

New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems

The cybersecurity community is closely monitoring a new development: the emergence of a Linux variant of the Helldown ransomware strain. This marks a significant shift in tactics by the threat actors behind Helldown, as they broaden their attack scope to include virtualized infrastructures and Linux environments.

According to a report by Sekoia, Helldown's Windows ransomware shares code with the infamous LockBit 3.0. The group's recent activity suggests a strategic evolution to target VMware environments, exploiting the widespread adoption of virtualized infrastructure in critical industries such as IT services, healthcare, telecommunications, and manufacturing.

Background of Helldown

First documented by Halcyon in August 2024, Helldown quickly earned a reputation as an aggressive ransomware group. It employs double extortion tactics, threatening victims with the publication of stolen data to pressure them into paying ransoms. Within just three months, Helldown is estimated to have attacked at least 31 companies.

Exploitation Tactics

Helldown's attack chains often begin with exploiting vulnerabilities in Zyxel firewalls. Once inside a network, the attackers engage in credential harvesting, lateral movement, and defense evasion before deploying the ransomware payload. The Windows variant deletes system shadow copies, terminates critical processes, and leaves a ransom note before shutting down the compromised machine.

The Linux variant is simpler. Before encrypting, it enumerates and kills running virtual machines; on ESXi a powered-on VM holds locks on its disk image files, so terminating the VMs is what makes the VMDK and other image files writable for the encryptor. Sekoia's analysis found no network communication and no key-exchange mechanism in the sample, which suggests the variant is still under development.
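Both payloads leave a loud trace before they encrypt anything: the Windows variant removes shadow copies and the Linux variant terminates virtual machines, and neither action is common in normal administration. The added example below (not Sekoia's code, and not commands attributed to Helldown by the report) runs detection logic over constructed process-creation and ESXi shell log lines, matching the generic command lines that many ransomware families use for these two steps and alerting on any host where more than one such command appears in the scanned window. The log line format (timestamp, host, source, command) is a stand-in for whatever your SIEM emits.

```python
"""Detect pre-encryption ransomware steps in process-creation and ESXi shell
logs: shadow copy removal on Windows, VM termination on ESXi.

Added example, not Sekoia's code. The command patterns are generic ones used
by many ransomware families, not commands attributed to Helldown by the
report. SAMPLE_LOGS is constructed; the line format (timestamp host source
command) is a stand-in for a real SIEM export."""
import re
from collections import Counter
from typing import Dict, List

# Windows: command lines that destroy recovery points before encryption.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(?:\.exe)?.*recoveryenabled\s+no\b", re.I),
]

# ESXi: enumerating, then powering off or killing VMs so their disk files are
# no longer locked by a running VM.
VM_TERMINATION_PATTERNS = [
    re.compile(r"vim-cmd\s+vmsvc/getallvms", re.I),
    re.compile(r"vim-cmd\s+vmsvc/power\.off\s+\d+", re.I),
    re.compile(r"esxcli\s+vm\s+process\s+kill\b", re.I),
]

TECHNIQUES = [
    ("shadow_copy_deletion", SHADOW_COPY_PATTERNS),
    ("vm_termination", VM_TERMINATION_PATTERNS),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<source>\S+)\s+(?P<cmd>.+)$")


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose command matches a technique."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for technique, patterns in TECHNIQUES:
            if any(p.search(m["cmd"]) for p in patterns):
                hits.append({"ts": m["ts"], "host": m["host"],
                             "technique": technique, "cmd": m["cmd"]})
                break
    return hits


def hosts_to_alert(hits: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """One matching command can be an administrator; two or more on the same
    host in the scanned window is the ransomware pattern, so alert on those."""
    counts = Counter(h["host"] for h in hits)
    return sorted(host for host, n in counts.items() if n >= threshold)


# Constructed sample: a Windows file server and an ESXi host, with benign
# noise mixed in.
SAMPLE_LOGS = [
    "2024-11-15T02:13:07Z WIN-FS01 4688 C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2024-11-15T02:13:09Z WIN-FS01 4688 bcdedit.exe /set {default} recoveryenabled No",
    "2024-11-15T02:13:10Z WIN-FS01 4688 notepad.exe C:\\Users\\alice\\notes.txt",
    "2024-11-15T02:20:41Z esxi-01 shell vim-cmd vmsvc/getallvms",
    "2024-11-15T02:20:44Z esxi-01 shell vim-cmd vmsvc/power.off 12",
    "2024-11-15T02:20:45Z esxi-01 shell esxcli vm process kill --type=force --world-id=2101",
    "2024-11-15T02:21:02Z esxi-01 shell ls /vmfs/volumes/datastore1",
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(h["ts"], h["host"], h["technique"], h["cmd"])
    print("alert:", hosts_to_alert(found))
```

Feed it Sysmon Event ID 1 or Windows 4688 command lines and the ESXi shell log (/var/log/shell.log); the threshold keeps a single legitimate vssadmin run from paging anyone, while the getallvms-then-power.off sequence on one host almost never happens outside a maintenance window.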

Possible Connections to Other Groups

The Helldown ransomware strain shares significant similarities with DarkRace, a ransomware group that later rebranded as DoNex. Both strains derive their code from the leaked LockBit 3.0 builder. Although Helldown's exact relationship with these groups remains speculative, the overlaps in behavior raise the question of whether Helldown is another rebranding of the same operation.

Emerging Threats in the Ecosystem

The rise of Helldown coincides with other new ransomware entrants:

  • Interlock: Targeting U.S. healthcare, technology, and government sectors, Interlock leverages fake Google Chrome updates to distribute ransomware. The group also claims its actions are motivated by holding companies accountable for poor cybersecurity practices.
  • SafePay: This group has targeted 22 companies so far, using LockBit 3.0 as its base. SafePay attackers exploit VPN gateways with stolen credentials to gain initial access.

These developments highlight how the LockBit 3.0 code leak has fueled the proliferation of ransomware variants.

Dell Unveils AI and Cybersecurity Solutions at Microsoft Ignite 2024

At the Microsoft Ignite 2024 conference, Dell introduced several innovations aimed at simplifying AI adoption and enhancing cybersecurity resilience. These announcements underscore Dell's commitment to integrating advanced technologies into Microsoft ecosystems.

Dell APEX File Storage for Azure

Dell's APEX File Storage for Azure has been available as a customer-managed service. Starting in 2025, customers will have the option for Dell to fully manage this service. This integration will simplify the deployment and management of file storage within Azure environments, making it easier for enterprises to scale their storage needs.

Additionally, Dell will offer APEX Protection Services as an add-on for Azure. This solution incorporates Zero Trust principles, machine learning, and forensic tools to safeguard critical data against ransomware.

AI Solutions: Copilot and Azure AI Studios

Dell has expanded its offerings to support Microsoft's Copilot AI assistant. Key highlights include:

  • Dell Services for Microsoft Copilot Studio: Designed for low-code AI development, this service helps customers identify use cases and deploy bespoke AI solutions.
  • Dell Accelerator Services for Copilot+ PCs: Provides optimized usage recommendations and insights into how neural processing units (NPUs) impact workloads.

These services aim to simplify AI adoption and maximize the potential of Microsoft's AI PCs.

Enhanced Security Offerings

Dell unveiled new cybersecurity services integrated with its APEX and Managed Detection and Response (MDR) offerings:

  • Dell APEX Protection Services for Microsoft Azure: Offers encryption, MFA, AI analytics for threat detection, and a secure digital vault.
  • Integration with Microsoft Defender XDR: Dell's MDR services now support Microsoft Defender, providing comprehensive breach detection and response capabilities.

Support for CMMC Certification

Dell has also introduced services to help U.S. federal contractors align with the Cybersecurity Maturity Model Certification (CMMC) standards. With CMMC 2.0 set to roll out in 2025, these services will assist contractors in meeting the Department of Defense's stringent cybersecurity requirements.

Takeaways

Dell's announcements at Microsoft Ignite highlight its strategic focus on AI and cybersecurity. By integrating seamlessly with Microsoft ecosystems, Dell is positioning itself as a key partner for enterprises navigating the challenges of modern IT infrastructure and security.

For more insights on Dell’s new offerings, visit the official blog.

Semperis HIP Conference Tackles Healthcare Cybersecurity Challenges

Identity Complexities in Healthcare

The Semperis Hybrid Identity Protection (HIP) conference in New Orleans addressed key cybersecurity challenges, with healthcare identity protection taking center stage. Henrique Teixeira, SVP of strategy at Saviynt, described healthcare as an "identity nightmare," citing complexities like doctors working across multiple entities. For instance, patients at New York-Presbyterian Hospital receive separate bills from the hospital and Weill Cornell Medicine, underscoring identity fragmentation.

James Bowie, CISO at Tampa General Hospital, shared how his team manages visiting physicians: “They get Active Directory accounts, but they must be vetted and follow the same rules.” This results in user bases doubling employee counts, adding layers of complexity.

Simulating Hospital Ransomware Attacks

A tabletop exercise highlighted vulnerabilities in hospital networks. Attackers bypassed EDR protections by targeting legacy imaging systems and exploited MFA by social-engineering the help desk. They even disabled TLS/SSL certificates, causing chaos. Despite the blue team’s efforts, the hospital network had to be shut down to stop the attack, showing the devastating potential of such breaches.

Securing Password Resets

To prevent social engineering, Tampa General Hospital’s help desk no longer resets passwords directly. Instead, requests are escalated through a ticketing system, ensuring cybersecurity teams verify requests and mitigate risks.

Protecting Medical Records

Electronic medical records remain a prime target due to their rich personal information. Bowie emphasized robust data cataloging and identity security: “It all comes down to the user and identity.”

Future Solutions: Passwordless Authentication

Panelists from CDW proposed passwordless authentication as a game-changer for healthcare, promising faster workflows and enhanced security. However, challenges like tech debt and incompatible systems remain. Innovations like facial recognition for masked users and potential wristband-based authentication may bridge the gap.

Building Cyber Resilience

Heather Costa from Mayo Clinic defined cyber resilience as minimizing disruptions during incidents. The ultimate goal? Seamless business continuity where patients remain unaffected.

For more, visit Semperis HIP Conference.

Hackers Are Using Snail Mail to Deliver Cyber Attacks—Here’s What You Need to Know

Cybercriminals are turning to old-school methods to launch new-age cyber attacks. According to the Swiss National Cyber Security Centre (NCSC), hackers have started using snail mail to distribute malware. This method exploits unsuspecting recipients through printed QR codes masquerading as legitimate sources. Here’s a detailed look at this novel approach and its implications.

QR Codes Delivered by Mail: The New Attack Vector

The Swiss NCSC issued a warning about letters delivered through the postal service that appear to come from MeteoSwiss, Switzerland’s meteorology office. These fraudulent letters contain QR codes directing recipients to download a fake severe weather warning app. Instead of delivering helpful updates, the app installs malware known as Coper (or Octo2), which aims to steal sensitive data from the victim's smartphone.

The fake app mimics the legitimate Alertswiss app, tricking users into believing it's from the Swiss Federal Office for Civil Protection. Scanning the QR code leads to the installation of the malware, which targets personal data, including banking credentials.

Learn more about the Swiss National Cyber Security Centre's warning here.

Why Snail Mail Works in Phishing Attacks

Mike Britton, Chief Information Security Officer at Abnormal Security, highlights that these physical letters bypass email phishing filters entirely and capitalize on the trust people place in official-looking mail. Unlike web-based phishing, this approach depends entirely on the individual recipient's vigilance.

"By pretending to be a trusted source, threat actors are banking on the lack of caution that recipients may have," Britton explained.

This tactic echoes other recent phishing campaigns, like the Winter fuel payment scams in the UK. Both rely on imitating trusted entities to exploit victims during critical moments.

Targeting Android Users in Switzerland

Currently, these snail mail attacks are limited to Switzerland and target only Android users. Swiss iPhone users appear safe for now, as the malware is not designed for iOS. For victims who have already installed the malicious app, the Swiss NCSC advises resetting their devices to factory settings.

Could This Attack Method Spread Internationally?

Given its success in Switzerland, similar methods might emerge elsewhere. The universal advice remains clear: only download apps from official app stores and remain cautious of unsolicited mail, even if it looks legitimate.

For more tips on avoiding phishing attacks, visit Google’s phishing protection guide.

Thames Water: A Case Study in Cyber Vulnerability

While snail mail phishing attacks represent a new frontier, traditional infrastructure is also at risk. Thames Water, the UK’s largest water provider, faces mounting cybersecurity threats due to outdated IT systems. Reports suggest the company relies on decades-old technology, leaving critical systems exposed.

Aging IT Infrastructure Under Threat

Thames Water’s infrastructure includes systems running on Lotus Notes software from the 1980s and hardware that predates many employees. Sources within the company reveal that attempts to modernize have been minimal, making these systems prime targets for cybercriminals.

One insider stated:

“We’re keeping machines running by cannibalizing parts from other old systems. If we turn them off, there’s a risk we won’t be able to turn them back on.”

This underinvestment in IT has led to vulnerabilities that sophisticated hackers—often state-aligned actors—can exploit. Learn more about the risks of outdated IT systems from the Guardian's report on Thames Water here.

Cyber Attacks on National Infrastructure

Thames Water has reportedly been targeted by groups linked to Russia, China, and North Korea, highlighting the vulnerability of critical infrastructure. Although the company claims there have been no breaches, insiders report otherwise. These attacks have occasionally disrupted operations, underscoring the urgent need for modernization.

The UK’s National Cyber Security Centre (NCSC) has warned about increasing threats to water utilities, particularly in light of geopolitical tensions. Their advice to utility providers is clear: update legacy systems to ensure cybersecurity and operational resilience.

For NCSC recommendations on securing critical infrastructure, visit their site.

Regulatory Oversight and Accountability

While Thames Water has made requests for billions in investment to modernize its systems, the Office of Water Services (Ofwat) and other regulators continue to push for accountability. These vulnerabilities not only risk service disruption but also compromise customer safety.

A spokesperson for Ofwat stated:

“We’ve been pushing Thames Water to improve operational performance and financial resilience. Essential services must be secure and reliable.”

Explore Ofwat's role in water company oversight here.

Fortinet Lays Out Medium-Term Financial Targets, Expects Firewall Rebound

Fortinet (FTNT) outlined its financial ambitions for the next three to five years during an investor day on Monday. The company highlighted its optimistic outlook for firewall sales, Secure Access Service Edge (SASE), and billings growth, despite uncertainty about 2025 projections. Following the announcement, multiple Wall Street analysts raised their price targets on the cybersecurity giant, even as Fortinet's stock dipped slightly amidst a broader Nasdaq retreat.

Fortinet Eyes Firewall Sales Recovery in 2026

As the leading vendor in global firewall shipments, Fortinet expects a significant rebound in its firewall appliance sales by 2026. This growth will stem from customers upgrading to new software versions, addressing the 25% of Fortigate devices expected to reach end-of-service by then. UBS analyst Roger Boyd estimated that this refresh cycle could contribute $400 million to $450 million in additional revenue.

TD Cowen analyst Shaul Eyal noted, "Fortinet’s new medium-term targets slightly exceed Wall Street expectations and solidify its position as a market leader poised to gain market share from legacy firewall providers."

Fortinet competes directly with major players like Palo Alto Networks (PANW) and Check Point Software Technologies (CHKP) in the network security market, particularly in the critical firewall segment.

Billings Growth Exceeds Market Projections

Fortinet also highlighted its projected 12% compound annual growth rate (CAGR) for billings and revenue over the next three to five years, surpassing the cybersecurity market's average growth rate. Analysts have responded positively to this forecast.

Susquehanna analyst Shyam Patil commented, "Fortinet’s revenue growth is expected to outpace the market, though the company anticipates a slight contraction in gross margins from 81% year-to-date to a range of 79% to 80%, primarily due to increased product sales related to firewall refreshes."

Fortinet's recent stock performance reflects a 54% gain in 2024. However, the stock has retreated slightly from its peak of $100.59, recorded on November 13. Despite the lack of guidance for 2025, Bank of America analyst Tal Liani emphasized the strength of Fortinet’s medium-term targets, stating, "We see potential upside compared to Street estimates."

Secure Access Service Edge (SASE): A Growth Driver

Fortinet is also betting on Secure Access Service Edge (SASE), a rapidly expanding cybersecurity market segment. SASE solutions enable enterprises to secure branch offices and remote workers cost-effectively. With the increasing adoption of hybrid work environments, Fortinet’s investment in SASE could fuel sustained growth.


Sitting Duck Cyber Attacks Put 1 Million Websites at Risk

A cybersecurity threat known as "sitting duck exploits" has left over a million websites vulnerable to malicious attacks. Infoblox security researchers revealed that hackers are actively exploiting Domain Name System (DNS) misconfigurations to hijack internet domains. Despite its prevalence, this attack methodology remains underreported and largely unaddressed by major vulnerability tracking systems.

Understanding Sitting Duck Attacks

Sitting duck cyberattacks exploit incorrect DNS configurations in which a domain's name server (NS) records point to servers that are not actually authoritative for the domain. This condition, formally termed "lame delegation," can enable attackers to assume full control over the domain. The compromised domain can then be weaponized for phishing, malware distribution, or other malicious purposes.

Infoblox researchers described these attacks as “easy to execute for attackers but difficult to detect for security teams.” This lack of visibility has allowed hackers to exploit the vulnerability on a massive scale, often flying under the radar.

For a deeper dive into the mechanics of these attacks, visit Infoblox’s threat intelligence blog.

Mitigation Strategies

Fortunately, sitting duck cyberattacks can be mitigated through proper DNS and domain registrar configurations. Infoblox recommends domain owners:

  • Regularly audit and correct DNS settings.
  • Use registrars and DNS providers with advanced security features.
  • Avoid saving sensitive information directly on vulnerable websites.

By implementing these measures, organizations can prevent hijacks and reduce their attack surface.
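A lame-delegation audit of the kind the first recommendation calls for, written as an added example for this roundup (not Infoblox's tooling): every name server delegated at the parent is asked for the domain's SOA record, and any server that refuses, fails, or answers without the authoritative (AA) flag is flagged. The lookup function is injected so the check runs offline here against constructed responses; the server and domain names are made up, and in production the caller supplies a function that sends real queries.

```python
"""Flag 'lame' name servers in a domain's delegation (added example)."""
from typing import Callable, Dict, List, Tuple

# A query function takes (server, qname, qtype) and returns (rcode, aa_flag, answers).
QueryFn = Callable[[str, str, str], Tuple[str, bool, List[str]]]


def audit_delegation(domain: str, parent_ns: str, query: QueryFn) -> Dict[str, str]:
    """Return {name_server: verdict} for every NS record the parent hands out.

    Simplification: the parent zone's server is passed in directly; a real
    audit would walk from the root to the TLD servers to find it.
    """
    rcode, _aa, delegated = query(parent_ns, domain, "NS")
    if rcode != "NOERROR" or not delegated:
        raise ValueError(f"parent {parent_ns} returned no delegation for {domain}")
    verdicts: Dict[str, str] = {}
    for ns in delegated:
        rcode, aa, answers = query(ns, domain, "SOA")
        if rcode in ("REFUSED", "SERVFAIL", "NXDOMAIN"):
            verdicts[ns] = f"lame ({rcode})"          # server does not host the zone
        elif not aa:
            verdicts[ns] = "lame (non-authoritative answer)"  # forwarded, not hosted
        elif not answers:
            verdicts[ns] = "lame (empty SOA)"
        else:
            verdicts[ns] = "ok"
    return verdicts


def lame_servers(domain: str, parent_ns: str, query: QueryFn) -> List[str]:
    """Sorted list of delegated servers that should be removed or re-provisioned."""
    return sorted(ns for ns, v in audit_delegation(domain, parent_ns, query).items() if v != "ok")


# Constructed responses, not real servers: one NS hosts the zone, one belongs to a
# provider where the zone no longer exists, one does not answer at all.
FAKE_NET = {
    ("a.tld-servers.example", "corp.example", "NS"):
        ("NOERROR", True, ["ns1.hosting.example", "ns2.orphaned-provider.example", "ns3.dead.example"]),
    ("ns1.hosting.example", "corp.example", "SOA"):
        ("NOERROR", True, ["ns1.hosting.example hostmaster.corp.example 2024111901 7200 900 1209600 300"]),
    ("ns2.orphaned-provider.example", "corp.example", "SOA"):
        ("REFUSED", False, []),
}


def fake_query(server: str, qname: str, qtype: str) -> Tuple[str, bool, List[str]]:
    return FAKE_NET.get((server, qname, qtype), ("SERVFAIL", False, []))


if __name__ == "__main__":
    for ns, verdict in audit_delegation("corp.example", "a.tld-servers.example", fake_query).items():
        print(f"{ns:32s} {verdict}")
```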

Hannaford Network Outage Raises Data Security Concerns

Hannaford Supermarkets recently resolved a 12-day network outage that disrupted its website, online ordering system, and pharmacy services. While Hannaford confirmed a cybersecurity issue as the root cause, details about the incident remain sparse, leaving customers concerned about potential data breaches.

The Incident and Customer Impact

The outage began on November 7, affecting pharmacies first. Customers were unable to fill prescriptions, while Hannaford To Go services remained offline for over a week. Although the company resumed normal operations by November 18, it did not confirm whether customer data, including credit card information, had been compromised.

Dr. Lori Sussman, a cybersecurity expert, warned, "Even small amounts of personal information, such as a name or phone number, can be leveraged for identity theft."

Steps to Protect Personal Information

In light of the incident, experts advise Hannaford customers to take proactive steps to safeguard their data:

  1. Remove saved payment details from the Hannaford app.
  2. Replace credit or debit cards used with the platform.
  3. Use a password manager for secure transactions instead of saving data on websites.


Ongoing Investigation

Hannaford’s parent company, Ahold Delhaize, confirmed that investigations into the cybersecurity issue are still underway. A spokesperson assured customers, “We deeply value our customer relationships and appreciate their patience as we resolve this matter.” However, questions linger, particularly as the holiday season heightens cybersecurity risks.

For updates on Hannaford’s cybersecurity investigation, visit NEWS CENTER Maine.

Zero Networks Partners with Alchemise to Advance Zero Trust Adoption

Simplifying Zero Trust for Businesses of All Sizes

Zero Networks, a leader in zero trust security, has teamed up with Alchemise, a UK-based cybersecurity services provider, to simplify and scale zero trust implementations for businesses. This partnership aims to address the challenges of securing hybrid cloud environments, where traditional network defenses fall short.

The collaboration integrates Zero Networks' zero trust network access (ZTNA) technology with Alchemise's end-to-end cybersecurity offerings. This enables organizations to strengthen access controls, reduce attack surfaces, and improve protection against unauthorized intrusions.

Revolutionizing Network Security with Adaptive Technology

Zero Networks’ platform features adaptive microsegmentation and autonomous policy enforcement. These tools create and enforce identity-based access controls, adjusting policies in real-time based on user behavior. This automation replaces traditional manual segmentation, making zero trust more practical for businesses of all sizes.

Adam Hofeler, VP of Channel at Zero Networks, stated, “Our partnership with Alchemise establishes a new standard for intelligent security. By combining adaptive technology with Alchemise’s extensive expertise, we’re enabling scalable zero trust security for industries like financial services and legal sectors across the UK, Ireland, and Africa.”

Key Benefits of the Partnership

Through this collaboration, Alchemise customers gain access to:

  • Automated Zero Trust Access Control: Reducing manual adjustments and simplifying network security.
  • Robust Endpoint Protection: Enhanced access management and real-time threat response.
  • Scalable Security Solutions: Meeting evolving security demands while supporting business operations.

Ben Gandy, UK Sales Director at Alchemise, highlighted, “Zero Networks’ automation and adaptability align perfectly with our mission to deliver innovative cybersecurity solutions. This partnership comes at a critical time, as businesses increasingly adopt hybrid work models.”

Recognition and Industry Impact

In 2024, Zero Networks earned a 5-star rating in the CRN Partner Program Guide and was featured on the Fortune Cyber 60 list of fastest-growing cybersecurity startups.

EPA Highlights Cybersecurity Risks in US Water Systems

Vulnerabilities Found in Over 300 Water Systems

A report by the Environmental Protection Agency (EPA) revealed critical vulnerabilities in 97 U.S. drinking water systems, affecting over 26 million people. Medium- to low-risk issues were found in another 211 systems serving 83 million individuals. These include exposed portals and poor cybersecurity practices, leaving systems susceptible to disruptions or attacks.

Growing Cyber Threats in the Water Sector

The report underscores rising threats to water utilities, with attacks from ransomware groups and state-linked adversaries. Recent incidents, like the intrusion targeting American Water Works, highlight the urgency of improving water infrastructure security.

Sean O’Donnell, EPA Inspector General, stated, “The EPA must prioritize water system resilience and address the vulnerabilities outlined in this report.”

Key Findings and Recommendations

  • Lack of Incident Reporting Systems: The EPA currently relies on the Cybersecurity and Infrastructure Security Agency (CISA) for reporting.
  • Cyber Hygiene Gaps: Issues like default passwords and lack of multifactor authentication increase risks.
  • Passive Scanning Limitations: The study covered only 1,062 systems out of tens of thousands nationwide.

CISA and the EPA are collaborating to provide technical assistance, training, and funding to water utilities. Learn more about these efforts on the EPA’s website.

Lamar University Secures $1.4M Grant for Industrial Cybersecurity

New Course Combines Cybersecurity with Industry Operations

Lamar University has been awarded $1.4 million by the Department of Energy to develop a course merging cybersecurity with industrial operations. The course will train students to tackle emerging threats in the power and chemical sectors.

Bridging Engineering and Cybersecurity

The program aims to prepare students for real-world challenges, including protecting critical infrastructure from hackers. Dr. Helen Lou, Director of Lamar’s Center for Data Analytics and Cybersecurity, emphasized the importance of integrating cybersecurity into industrial systems.

“By addressing software security and control systems together, we’re equipping students with skills to protect vital infrastructure,” Dr. Lou explained.

Key Highlights

  • Focus on AI and Cybersecurity: Students will explore how AI enhances plant security while addressing new cyber threats.
  • Industry Collaboration: The grant supports a cybersecurity hub for critical manufacturing.
  • Future-Proof Skills: Graduates will receive an enterprise cybersecurity certificate, preparing them for careers in industrial cybersecurity.

This initiative follows the 2021 Colonial Pipeline ransomware attack, which underscored the vulnerabilities in energy infrastructure. The new course is set to launch in January 2025.