CybersecurityHQ News Roundup - November 26, 2024

News | By Daniel Michan | Published on November 26


Interpol Clamps Down on Cybercrime with Over 1,000 Arrests in Africa

In a sweeping two-month operation, Interpol has arrested 1,006 suspects across 19 African nations, targeting cybercrime networks responsible for ransomware, business email compromise, digital extortion, and online scams. Dubbed Operation Serengeti, the initiative ran from September 2 to October 31 in collaboration with Afripol, the African Union's police agency. Authorities identified over 35,000 victims and linked the cases to nearly $193 million in financial losses worldwide.

Key arrests include:

  • Kenya: Nearly two dozen arrested for online credit card fraud causing $8.6 million in damages.
  • Senegal: Eight individuals detained for running a $6 million online Ponzi scheme.
  • Cameroon: A group dismantled for human trafficking through a multi-level marketing scam.

Afripol’s Executive Director, Jalel Chelba, emphasized a focus on emerging threats such as AI-driven malware and advanced cyberattacks. The operation reflects a significant increase in arrests compared to the mere 25 made across Africa in previous years.

More details about Interpol's fight against cybercrime can be found on their official site.

VMware Patches High-Severity Vulnerabilities in Aria Operations

VMware has issued critical security updates for Aria Operations, addressing five vulnerabilities that could lead to privilege escalation and cross-site scripting (XSS) attacks. Affected products include VMware Aria Operations 8.x and VMware Cloud Foundation 4.x and 5.x.

Notable CVEs:

  • CVE-2024-38830 and CVE-2024-38831: Local privilege escalation flaws (CVSS 7.8) enabling root access.
  • CVE-2024-38832, CVE-2024-38833, and CVE-2024-38834: Stored XSS vulnerabilities allowing malicious script injection.

These vulnerabilities, detailed in VMware's security advisory, underline the urgency of applying the patches, as VMware products remain a frequent target for cyberattacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) already lists several VMware flaws in its Known Exploited Vulnerabilities (KEV) catalog.

IBM Fixes RCE Vulnerabilities in Key Cybersecurity Products

IBM has patched multiple vulnerabilities across its product suite, including two high-severity remote code execution (RCE) issues:

  1. CVE-2024-52899 (CVSS 8.5): Impacts Data Virtualization Manager for z/OS, allowing RCE via malicious JDBC URL parameters.
  2. CVE-2024-45801 (CVSS 7.3): Found in Security SOAR, involving prototype pollution in the DOMPurify component.

Additional fixes address flaws in Watson Speech Services, Engineering Lifecycle Management, and Db2 Big SQL. No active exploitation of these vulnerabilities has been reported, but users are urged to update immediately. Find IBM’s advisories on their security bulletins page.

Chinese Hackers Exploiting Critical Array Networks Gateway Vulnerability

CISA has warned about active exploitation of CVE-2023-28461, a critical RCE vulnerability in Array Networks AG and vxAG secure access gateways. The flaw, with a CVSS score of 9.8, allows attackers to execute remote code on vulnerable systems.

Threat Actor Activity:

  • The vulnerability has been exploited by Earth Kasha, a threat group associated with China-linked APT10 (a.k.a. Cicada or Stone Panda). Attacks have targeted organizations in Japan, Taiwan, and India, using this vulnerability alongside others in Fortinet and Proself products.

Array Networks issued a patch in March 2023. However, CISA has included the flaw in its KEV catalog and mandates remediation for federal agencies by December 16.

Learn more about Earth Kasha's campaign in Trend Micro’s report here.

Critical Vulnerabilities Found in Anti-Spam Plugin Used by 200,000 WordPress Sites

Two severe vulnerabilities in the popular anti-spam plugin CleanTalk for WordPress are putting over 200,000 websites at risk of remote code execution (RCE) attacks. Security firm Defiant disclosed that the flaws, tracked as CVE-2024-10542 and CVE-2024-10781, both score a critical 9.8 on the CVSS scale.

The flaws allow remote attackers to bypass authorization checks, install arbitrary plugins, and activate vulnerable extensions, leading to potential site takeovers. These vulnerabilities were first identified in late October 2024. The initial patch, released on November 1, failed to address all issues, prompting a secondary patch on November 14.

Despite the release of version 6.45, WordPress data shows roughly half of the active installations remain unpatched, exposing these websites to potential exploitation. Website owners are strongly advised to update to the latest version immediately.

➡️ Read more on the importance of patching vulnerabilities in plugins on Wordfence.

Starbucks, Grocery Stores Hit by Blue Yonder Ransomware Attack

Blue Yonder, a major provider of supply chain management software, suffered a ransomware attack that disrupted operations for key clients, including Starbucks and UK supermarket chains Morrisons and Sainsbury’s.

The attack targeted Blue Yonder’s managed services hosted environment, halting operations across its network. The company is working with a cybersecurity firm to investigate the breach and restore systems but has not disclosed when full functionality will return.

Impacted businesses are feeling the ripple effects. Starbucks reported challenges with employee scheduling and payroll systems. Morrisons switched to manual processes for warehouse management, affecting product deliveries. Sainsbury’s assured customers that backup procedures are mitigating further disruptions.

Blue Yonder’s extensive client base, including Albertsons, Kroger, and Ford, raises concerns about the broader implications of this attack. The incident highlights vulnerabilities in critical supply chain software amid rising ransomware threats.

➡️ Learn more about ransomware impacts on global supply chains from CNN.

RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks

The Russia-linked threat actor RomCom exploited two zero-day vulnerabilities—one in Mozilla Firefox and another in Microsoft Windows—to deliver their eponymous backdoor malware. These flaws allowed attackers to achieve remote code execution with no user interaction.

The vulnerabilities include:

  • CVE-2024-9680: A use-after-free flaw in Firefox’s animation component (CVSS 9.8).
  • CVE-2024-49039: A privilege escalation issue in Windows Task Scheduler (CVSS 8.8).

RomCom used a fake website to redirect users to malicious payloads, chaining both flaws to escape browser sandboxing and execute the backdoor malware, RomCom RAT. Most victims were located in Europe and North America, with telemetry suggesting targeted espionage efforts.

This marks RomCom’s second known use of zero-day exploits in a year, showcasing its growing sophistication. The group’s capability to chain multiple vulnerabilities highlights the importance of patching software immediately after updates are available.

➡️ Get deeper insights into RomCom’s operations on The Hacker News.

Chinese Hackers Use GHOSTSPIDER Malware to Hack Telecoms Across 12+ Countries

China-linked threat actor Earth Estries has been observed deploying a newly discovered backdoor called GHOSTSPIDER in a series of cyberattacks targeting telecommunications companies in Southeast Asia. Trend Micro, which labeled the group as an advanced persistent threat (APT), noted that the campaign also involves a cross-platform backdoor known as MASOL RAT (aka Backdr-NQ) on Linux systems tied to government networks.

The attacks have compromised over 20 entities spanning the telecommunications, technology, consulting, chemical, and transportation industries, as well as government agencies and NGOs. Victims have been identified across 12+ countries, including Afghanistan, India, Indonesia, the U.S., and Taiwan.

Earth Estries has been linked to other clusters tracked as FamousSparrow and Salt Typhoon and has been operational since at least 2020. The group exploits vulnerabilities in widely-used platforms like Ivanti Connect Secure and Microsoft Exchange (ProxyLogon).

GHOSTSPIDER, a sophisticated backdoor, communicates with attacker-controlled infrastructure via a custom TLS-protected protocol, enabling long-term espionage. This campaign underscores the evolving complexity of Chinese cyber operations targeting critical infrastructure worldwide. Read more at Trend Micro.

CISA Urges Agencies to Patch Critical “Array Networks” Flaw Amid Active Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Array Networks AG and vxAG secure access gateways (CVE-2023-28461) to its Known Exploited Vulnerabilities (KEV) catalog. Rated with a CVSS score of 9.8, the flaw allows remote attackers to execute arbitrary code due to missing authentication mechanisms.

This comes after reports of active exploitation by China-linked group Earth Kasha (aka MirrorFace), which has also been targeting vulnerabilities in products like Fortinet FortiProxy and Proself. Earth Kasha has focused its campaigns on Japanese entities, with recent activity extending to Taiwan and Europe.

CISA has directed federal agencies to patch this vulnerability by December 16, 2024, to mitigate potential threats. According to VulnCheck, over 440,000 internet-facing hosts remain vulnerable, amplifying the need for urgent action. Learn more at CISA.

Will 2025 Be the Turning Point for Cybersecurity in Finance?

With cyber threats becoming increasingly sophisticated, 2025 may mark a transformative year for the financial services industry. Emerging technologies like AI and quantum computing are reshaping cybersecurity, forcing financial institutions to rethink traditional approaches.

Global Cybercrime Costs to Reach $10.5 Trillion by 2025

According to Cybersecurity Ventures, global cybercrime costs are projected to grow 15% annually, reaching $10.5 trillion by 2025. This surge necessitates a fundamental shift in strategies, including the adoption of Zero Trust Architecture (ZTA) and quantum-resistant cryptography.

AI and the Escalating Threat Landscape

Cybercriminals are leveraging AI to bypass traditional defenses, while financial institutions use it for advanced threat detection. As AI-driven attacks increase, proactive defense mechanisms will become critical. Explore AI's role in cybersecurity at Checkpoint Research.

Regulatory Changes: DORA and Beyond

The Digital Operational Resilience Act (DORA), coming into effect in January 2025, aims to bolster risk mitigation across the financial sector. Gartner estimates cybersecurity spending in financial services will rise to $212 billion by 2025 in response to such regulations.

Quantum Computing’s Impact on Encryption

Quantum computing poses a significant threat to current encryption standards, with experts predicting quantum attacks by the late 2020s. The industry must accelerate the adoption of quantum-resistant cryptography to secure sensitive data. Learn more about quantum computing risks at Deloitte.

Financial institutions must act decisively, integrating robust cybersecurity measures to navigate this rapidly evolving threat landscape. Discover McKinsey’s insights.

CrowdStrike Raises Annual Forecast on Steady Cybersecurity Demand

Cybersecurity powerhouse CrowdStrike has raised its annual revenue and profit forecasts, underscoring steady demand for its robust cybersecurity services amidst an ever-growing online threat landscape (Reuters). This announcement follows a strong third-quarter performance where the company reported revenue growth of 29%, reaching $1.01 billion and surpassing analyst expectations of $982.4 million.

However, shares dipped by 2% in after-hours trading as CrowdStrike's fourth-quarter forecast fell slightly short of investor expectations.

CrowdStrike CFO Burt Podbere noted, "Despite expected headwinds from the July 19th incident, we saw incredible success with our customer commitment packages as customers chose to deepen their relationship with CrowdStrike."

The company revised its annual revenue expectations to $3.92 billion–$3.93 billion, up from $3.89 billion–$3.90 billion previously. Similarly, its annual adjusted profit per share outlook increased to $3.74–$3.76.

This news comes as rival Palo Alto Networks also exceeded earnings expectations, highlighting robust cybersecurity spending trends across the industry.

Reboot Your iPhone or Android Weekly to Mitigate Attacks—NSA Advises

The National Security Agency (NSA) has reiterated its advice for smartphone users to reboot their devices weekly as a security measure. Originally issued in 2020, this recommendation aims to combat threats like malware and zero-click exploits (Forbes).

While some experts question its relevance in 2024, the advice still serves as a basic layer of protection. Security evangelist Jake Moore from ESET commented, "Regular reboots won’t harm, but updating devices and maintaining physical security is far more critical."

The NSA’s guidance includes other mobile best practices such as avoiding suspicious email attachments, using strong PINs, and keeping software up to date. While not a "magic bullet" for cybersecurity, a weekly reboot remains a simple precaution.

NachoVPN Attack Exploits Rogue VPN Servers to Install Malicious Updates

A newly disclosed set of vulnerabilities, dubbed NachoVPN, has brought to light the risks posed by unpatched VPN clients connecting to rogue servers. The flaws, identified in Palo Alto Networks GlobalProtect and SonicWall NetExtender VPN clients, allow attackers to install malicious updates, steal credentials, and execute privileged code (AmberWolf GitHub).

Cybersecurity researchers at AmberWolf highlighted the potential for attackers to use phishing techniques to lure users into connecting to these rogue VPN servers. Both SonicWall and Palo Alto have released patches to address the vulnerabilities, but delayed response times have drawn criticism.

AmberWolf also unveiled an open-source tool, NachoVPN, designed to simulate rogue VPN attacks and test system vulnerabilities. The tool supports various popular VPN clients, encouraging community contributions to strengthen defenses.

For organizations using affected VPN clients, AmberWolf recommends immediate updates to patched versions or enabling additional security measures, such as FIPS-CC mode for Palo Alto GlobalProtect.

Additional Reading:

U.S. Strengthens Cybersecurity Partnership with Paraguay

In a significant step towards bolstering regional cybersecurity, the U.S. Southern Command (SOUTHCOM) collaborated with Paraguay for a joint cybersecurity review. This effort uncovered infiltrations by Flax Typhoon, a China-based cyber-espionage actor, into Paraguayan government systems.

This initiative underscores the growing need for international cooperation in securing critical infrastructure, particularly in light of increasing cyber threats to telecommunications and governmental networks. Both nations plan to enhance their cybersecurity capabilities through ongoing collaborations.

For a deeper dive into these efforts, visit the U.S. Department of Defense’s website.

SBU Researchers Uncover Blockchain Cyber Risks, Win eCrime Medal

Researchers at Stony Brook University (SBU) have exposed vulnerabilities in blockchain naming systems that could lead to substantial cryptocurrency losses. The team, led by Professor Nick Nikiforakis, earned a bronze medal at the eCrime 2024 conference for their groundbreaking paper on “Typosquatting 3.0.”

This study revealed how cybercriminals exploit human errors, like typos, to redirect users to malicious blockchain addresses. PhD student Muhammad Muzammil, the study’s lead author, warned these attacks could compromise digital assets worth thousands of dollars.

Learn more about their findings here.

Is Your Router in the Matrix? 35 Million Devices Under Blue Pill Attack

Aqua Security researchers have sounded the alarm on a large-scale cyberattack involving over 35 million routers worldwide. Dubbed the "Matrix" campaign, this distributed denial-of-service (DDoS) operation targets vulnerabilities in IoT and enterprise systems.

Threat actor Matrix leverages weak credentials, public scripts, and brute-force attacks to create a massive botnet. The campaign illustrates how even low-skilled attackers, known as script kiddies, can execute large-scale operations using open-source tools.

Protect your devices by updating firmware and securing router credentials. Read Aqua Security’s full report here.

Harnessing Gen AI: Navigating the New Cybersecurity Landscape

The Capgemini Research Institute has released a report, New Defenses, New Threats: What AI and Gen AI Bring to Cybersecurity, highlighting how AI is transforming the threat landscape.

Key findings include:

  • 40% of organizations reported financial losses due to AI-driven attacks, such as deepfakes.
  • 97% have faced security incidents facilitated by AI.
  • 60% believe Gen AI will enhance threat detection.

Recommendations include integrating AI into SOC operations, maintaining robust incident response plans, and investing in AI-driven tools for autonomous threat detection.

Explore the full report on Capgemini’s website.

83% of Organizations Report Insider Attacks in 2024

A startling 83% of organizations faced insider attacks in 2024, as revealed by the 2024 Insider Threat Report by Cybersecurity Insiders. This figure marks a significant rise in such incidents: the share of companies reporting 11 to 20 attacks grew fivefold, from 4% in 2023 to 21% in 2024.

As insider threats grow more sophisticated, businesses must implement effective strategies to combat this evolving menace.

The Rising Concern of Insider Attacks

The shift to hybrid work models and cloud adoption has complicated insider threat management. Cybersecurity Insiders surveyed 413 IT and cybersecurity professionals to understand the dynamics of insider risks. Alarmingly, 48% of respondents said insider threats had grown substantially in the past year.

Key factors driving this increase include:

  • Complex IT environments: Hybrid work and widespread cloud adoption create harder-to-manage ecosystems.
  • Outdated security measures: Companies lag in adopting modern security protocols.
  • Insufficient employee training: Many insider threats result from unintentional mistakes due to inadequate awareness.
  • Weak enforcement policies: While 93% emphasized the need for strict visibility and control, only 36% had unified solutions in place.

Breaking Down the Financial Impact of Insider Threats

The financial consequences of insider attacks are sobering:

  • 32% of organizations reported recovery costs ranging from $100,000 to $499,000.
  • 21% faced costs between $1 million and $2 million.

Beyond monetary losses, companies suffer reputational damage and erosion of customer trust.

Best Practices for Insider Threat Management

To minimize insider threats, businesses should adopt these strategies:

  1. Advanced Monitoring Solutions: Tools like User and Entity Behavior Analytics (UEBA) employ machine learning to detect anomalies and flag suspicious activities.
  2. Leverage Non-IT Data Sources: Integrating HR records, legal data, and public sources like social media can help identify potential risks early.
  3. Automated Threat Detection and Response: Automated solutions streamline data analysis, expedite responses, and enhance threat detection efficiency.
  4. Zero Trust Frameworks: Implement Zero Trust to enforce strict access controls, assuming every user or device is a potential threat.
  5. Employee Training and Awareness: Regular training helps staff recognize and report suspicious activities. Alarmingly, 32% of companies admitted lack of training contributed to attacks.
  6. Routine Security Audits: Regular evaluations of security policies, access controls, and response plans ensure defenses stay effective.
  7. Incident Response Planning: A clear response plan is critical to minimize downtime and recovery costs during an attack.

For more actionable insights, explore cybersecurity best practices.

HIPAA Audits Failing to Improve Cybersecurity: OIG Report

The HIPAA audit program run by the U.S. Office for Civil Rights (OCR), designed to enforce privacy and security rules, is falling short, according to a report by the Office of Inspector General (OIG).

Limited Scope and Effectiveness

The OIG found that the audits assessed only 8 out of 180 HIPAA requirements, focusing narrowly on administrative safeguards. Critical areas, such as physical and technical defenses against cyber threats, were overlooked.

The report also noted:

  • Audits failed to require corrective actions for identified issues.
  • OCR lacked proper metrics to evaluate audit effectiveness.
  • Limited resources constrained OCR’s ability to conduct audits more frequently or extensively.

Regulatory and Resource Constraints

OCR’s stagnant budget of $38 million from 2018 to 2020, coupled with a 30% drop in investigative staff since 2010, hampers its capacity to enforce HIPAA effectively. OCR Director Melanie Fontes Rainer highlighted the need for additional funding to expand auditing activities and enhance enforcement.

Despite agreeing with most recommendations, OCR resisted suggestions to enforce corrective measures due to its resource constraints and its mandate to provide technical assistance rather than punitive corrections.

For more on HIPAA and its enforcement challenges, visit the HHS Office for Civil Rights.

The Way Forward for Insider Threats and Healthcare Cybersecurity

Both insider threats and healthcare data security require proactive measures:

  • Businesses must implement robust frameworks to curb insider risks.
  • Policymakers should address resource gaps in agencies like OCR to ensure compliance audits effectively bolster cybersecurity.

CISA’s Future Uncertain Amid Disinformation Efforts

President-elect Donald Trump faces a complex cybersecurity landscape, forcing his administration to balance national security with a push for deregulation. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), pivotal in the Biden administration's efforts, is at the center of debates about its future role, especially as election disinformation prevention becomes a polarizing issue.

Michael Daniel, president of the Cyber Threat Alliance, highlighted the potential "tensions" in the administration's approach to cybersecurity. Some Republican-led proposals suggest moving CISA under the Department of Transportation, raising concerns about its authority.

Learn more about CISA’s responsibilities.

CISA’s Cyber Incident Reporting Act (CIRCIA)

CISA is yet to finalize rules under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which mandates reporting of cyber incidents. Industry players and lawmakers have pushed back, citing concerns over regulatory overreach. The Trump administration may approach oversight differently, according to experts at Paul Hastings.

Jen Easterly, CISA’s director, announced her resignation effective Inauguration Day, leaving uncertainty about Trump’s pick for her successor. Critics argue cutting back CISA’s initiatives could hinder critical infrastructure protection.

Industry-Specific Cyber Regulations Under Scrutiny

The Biden administration’s focus on cybersecurity regulations for critical sectors—water, aviation, and transportation—is likely to face resistance. For example:

  • The Transportation Security Administration proposed cyber risk rules for surface service operators, sparking industry criticism.
  • The Federal Aviation Administration drafted guidelines to address cybersecurity threats to airplanes and engines.
  • The Environmental Protection Agency withdrew its water system cybersecurity mandates following a court challenge.

A reduction in regulatory oversight could ease administrative burdens but risks weakening systemic protections.

Global Cyber Trends: Nigeria’s Alarming Cyber Threat Statistics

Nigeria reports over 18,872 cyberattacks monthly, according to Check Point Software Technologies' African Perspectives on Cyber Security Report 2024. Key findings include:

  • Financial institutions are the primary targets, with fraud losses surpassing ₦59.33 billion from 2019 to 2023.
  • Nigeria ranks 19th globally in cyberattacks, with banking trojans recently compromising 100,000 accounts.

Other African nations, such as South Africa and Kenya, face increasing attacks on government and financial sectors. Experts stress the need for AI-driven threat detection and global standards alignment.

Read Check Point’s full report.

Australia’s Digital ID Initiative: Strengthening Cybersecurity

Australia is preparing to launch its national Digital ID system to enhance security across sectors like financial services, healthcare, and telecommunications. However, critics warn of new vulnerabilities. Key impacts include:

  • Enhanced identity verification in banking and healthcare systems.
  • Reduced fraud through multi-factor authentication (MFA).
  • Stricter controls on access to critical infrastructure data.

Advanced encryption and stringent privacy regulations are central to the initiative, aiming to build trust in digital interactions while fostering a secure online environment.

Learn about Australia’s Digital ID efforts.

US Senators Introduce Bipartisan Bill to Strengthen Healthcare Cybersecurity

A coalition of U.S. senators unveiled The Health Care Cybersecurity and Resiliency Act of 2024, a bipartisan initiative aimed at bolstering cybersecurity across the healthcare sector to protect Americans' sensitive health data. Spearheaded by Senators Bill Cassidy (R-LA), Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH), the legislation seeks to address escalating cyber threats that jeopardize healthcare operations and patient safety. Learn more about the bill here.

The proposed act mandates collaboration between the Secretary of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to enhance the sector’s resilience. Key provisions include:

  • Grants for Cybersecurity Readiness: Healthcare entities will receive funding to prevent and respond to cyberattacks.
  • Training on Best Practices: Focused support for rural clinics and smaller providers to improve breach prevention and recovery strategies.
  • Incident Response Plan: Within a year of enactment, HHS must implement a comprehensive cybersecurity response plan.
  • Updated Regulations: HIPAA-covered entities will be required to adopt advanced cybersecurity practices like multi-factor authentication, encryption, and regular audits.

Rising Healthcare Cyber Threats

The urgency of the legislation stems from alarming statistics. In 2023, over 89 million Americans had their health data breached—more than double the 2022 figure, according to HHS reports. These breaches cost healthcare providers an average of $10 million per incident, disrupting operations and delaying critical care.

In Louisiana alone, nearly 270,000 personal records, including medical information, were compromised last year, underscoring the widespread vulnerability of the sector.

Senators Speak Out

“Cyberattacks on our healthcare systems not only threaten sensitive data but can also delay life-saving care,” said Senator Cassidy. Senator Warner echoed the sentiment, emphasizing the life-and-death stakes of even brief service interruptions. Senator Hassan highlighted the unique challenges faced by under-resourced rural providers.

Addressing Federal Coordination Gaps

A recent GAO report criticized HHS’s cybersecurity leadership, identifying operational challenges and calling for stronger coordination. The new legislation answers this need by requiring closer collaboration between HHS, CISA, and private sector partners.

With cyber threats to critical infrastructure on the rise, the Health Care Cybersecurity and Resiliency Act could set a precedent for safeguarding other sectors. For healthcare providers and patients alike, the stakes couldn’t be higher.

Stay updated on this and other cybersecurity developments at CybersecurityHQ.