January 11, 2025

Hello all,

It has been a busy news week with quite a few critical items, some of which are already being exploited. One item that jumped out at me was a report from Guru Baran, the co-founder of Cyber Security News. His article’s headline reads, 40,000+ CVEs Published In 2024, Marking A 38% Increase From 2023. Let those numbers sink in for a moment. Did your budget or staff scale up proportionally? Baran reported that 108 new vulnerabilities showed up daily on average, with May 3rd seeing 824 of them. Additionally, 231 of the 2024 defects received a perfect 10.0 Common Vulnerability Scoring System (CVSS) score. All I can say is bring on the AI; there’s no way that we humans can keep up with this onslaught. There’s a lot more that happened in the last week, so onward.

As usual, my commentary is followed by a plethora of links to other items that are worth skimming to see if they interest you or pertain to your particular environment or of those you support.

Headline NEWS:

  • Google Chrome and Mozilla Firefox both received updates this past week. For Chrome’s part, it would appear that yet another cylinder of the V8 JavaScript Engine was misfiring and needed repair. Both vendors fixed several flaws, so update them if you’ve got them.
  • GFI KerioControl Firewall has an unpatched vulnerability with a publicly available Proof of Concept (PoC) exploit. This defect exists in versions 9.2.5 through 9.4.5. So far there has been no response from GFI.
  • Ivanti has yet another zero-day under active exploitation, and as a result their Ivanti Connect Secure appliances are rather insecure right now, with threat actors installing malware called ‘Dryhook’ and ‘Phasejam’ on them. Google’s Mandiant believes that the exploitation began in mid-December and is the work of China-based attackers. Ivanti urges that you run their Integrity Checker Tool, perform a factory reset, and then upgrade to the latest versions. Several of their other products, apparently sharing a codebase, have a similar defect and require updating. If you use this, you may already be compromised. Quickly take the appropriate measures.
  • License Plate Readers from Motorola are leaking data and video in real time. Motorola responded that the issue is due to misconfigurations, that it will be fixed quickly, and that upcoming firmware will include additional security hardening. It is bad enough that the government is tracking my every move, and I’ve pretty much resigned myself to that reality, but for any script-kiddie out there to have the same ability is a bit much.
  • SonicWALL revealed a new critical vulnerability in their SSL-VPN this past week. They urge immediate updates to the latest SonicOS firmware versions. The new firmware also addresses several other less critical defects.
  • Robot Vacuums Hacked to Spy on Their Owners. I have to say it, this sucks. Not only is my vehicle travel being spied on, now my vacuum cleaner is a double-agent? Dirtbags have taken control of formerly well-behaved cleaners and reprogrammed them to chase pets and spew racial slurs from their speakers. Couple this with the newest dirt-suckers that were just revealed at the Las Vegas Consumer Electronics Show (CES), which have robotic arms attached so they can move objects out of their way, and you have the makings of a Hollywood horror movie.

In Ransomware, Malware, and Vulnerabilities News:

  • PowerSchool is a hosted platform for K-12 schools that offers tools spanning the full range of classroom learning and education management. Sadly, they experienced a breach in their PowerSchool Student Information System (SIS) platform that resulted in the exfiltration of a massive amount of data. They have over 18,000 customers in more than 90 countries, serving 60 million students. For their part, PowerSchool says that they’ve paid the ransom demand and that the enterprising criminals behind this massive attack cooperated and the “data has been deleted without any further replication or dissemination.” Uh huh. Nice political statement, but what part of “criminal” did they miss? I have no doubt that their purloined data will be sold and disseminated – a lot.

In Other News Events of Note and Interest:

  • New HIPAA rules coming this year. Recognizing that many of the voluntary portions of the Health Insurance Portability and Accountability Act of 1996 and the 2003 HIPAA Security Rule protections set forth around Electronic Protected Health Information (ePHI) are not being implemented, or are ineffective, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has proposed modifications to HIPAA protections, which are now under a 60-day public comment period at regulations.gov. If enacted, this will bring sweeping changes and significant hardening: mandatory encryption, enhanced controls, regulatory oversight, and massive updates to what has been shown to be a toothless law – up to now. The new rule will require that HIPAA-regulated entities such as healthcare providers, health plans, clearinghouses, business associates, and vendors comply with all security standards, with very limited exceptions. Once enacted, HIPAA entities will be given 180 days to become compliant. Let the mad scramble begin.

Musings:

The Los Angeles fires are truly tragic in their scope; seeing the devastation is heartbreaking. In security there is a holy triad of Confidentiality, Integrity, and Availability. I can’t help but wonder how many of the businesses that have been scrubbed from the face of the earth by the massive conflagration had an Incident Response Plan that foresaw this eventuality, a Disaster Recovery Plan that tells them what to do in this scenario, and a Business Continuity Plan that will enable them to survive and somehow remain available to employees and customers. Don’t wait until you smell smoke.

Visc. Jan Broucinek

Keep the shields up!

Viscount Jan Broucinek
Red Dot Security News
