
Hello all,
This past week has some nice wins for the cyber-defenders: 41 arrests of evil people, with more coming; over 22,000 malicious servers taken offline; the person responsible for the Snowflake breach behind bars; and scores of Nigerian scammers extradited and now serving lengthy prison sentences. Unfortunately, cyber criminals are like the mythical hydra: you cut off one head and two more grow from the stump. As long as the lure of easy money exists, so will they. And the number of vulnerabilities, defects, and holes continues to grow as new AI-enhanced tools help both defenders and threat actors in their search for avenues of exploitation. That is why it is vital to stay aware of the threat landscape, so that you’re able to make informed decisions and respond appropriately. So, onward to the news.
As usual, my commentary is followed by a plethora of links to other items that are worth skimming to see if they interest you or pertain to your particular environment or of those you support.
Headline NEWS:
- Cisco has a critical defect in their Ultra-Reliable Wireless Backhaul (UWRB) access point system. It scored a perfect 10 out of 10 on the CVSS. If you use any of the following, patch immediately; stop reading and go patch! Catalyst IW9165D Heavy Duty Access Points, Catalyst IW9165E Rugged Access Points and Wireless Clients, and Catalyst IW9167E Heavy Duty Access Points. Seriously, stop and go patch!
- HPE, not wanting to let Cisco take all of the wireless news, announced their own critical defects in their Aruba Networking Access Points. They advise updating as soon as possible. There is no current evidence of exploitation, but it is only a matter of time. Some of the affected products are EOL and will not get updates. If you have those, follow HPE’s mitigation recommendations and then quickly replace them with supported hardware.
- Microsoft released Windows Server 2025 last Saturday. Apparently, they are so proud of it that they decided to upgrade Windows Server 2022 to the new version without warning. Well, not exactly. From what we can gather, a data-entry problem with a different Microsoft KB incorrectly triggered the upgrade to run on servers that were managed by some third-party patch management systems. Admins are now scrambling to either restore back to Windows Server 2022 or obtain licenses for the newly installed operating system. In this author’s opinion, since this was Microsoft’s error, they should give the affected organizations free upgrade licenses.
- NVIDIA released driver updates last week for their GeForce GPUs. Eight high-risk defects are being addressed. The video card maker is pleading with users to update; I suggest you take these vulnerabilities seriously and update as soon as possible.
- Opera Browser has received an update for a zero-day vulnerability dubbed “CrossBarking” that is tied to malicious extensions. If you use Opera, update now.
- Palo Alto Networks has a potential Remote Code Execution (RCE) vulnerability in PAN-OS that is under investigation. Palo Alto warns “customers to block access from the Internet to their firewalls’ PAN-OS management interface and only allow connections from trusted internal IP addresses.” That particular advice should be the standard for any firewall: allow management access only from trusted addresses inside the network, or from specific trusted public IP addresses, never from the whole internet.
In Ransomware, Malware, and Vulnerabilities News:
- D-Link Network Attached Storage (NAS) devices have a critical defect that lets a threat actor remotely inject commands, and a public exploit is available. This is on top of another similar vulnerability revealed in April of this year. For its part, D-Link has said that they no longer make NAS devices and that these models will not receive any updates. If you have one of the 60,000+ publicly exposed D-Link NAS devices, take it off the network immediately and buy yourself a new NAS.
- Germany is finally decriminalizing researchers who expose defects, flaws, and vulnerabilities, provided that they do it within the confines of the new law. It looks like Germany’s ethical hackers (Ethische Hacker) can come out of hiding soon. The new law will also modernize the penalties and definitions for illegal activity.
In Other News Events of Note and Interest:
- Microsoft is running a contest where they are giving away $1 million to help promote their search engine – Bing. With their Copilot advances making inroads into Bing, maybe this time they’ll succeed.
In Cyber Insurance News:
- Cyber Insurance Demand Surges as Ransomware Targets Businesses of all Sizes is worth reading, if only to understand that threat actors rarely care who they attack, as long as there is money to be made. It is a crime of opportunity, generally not targeted.
Musings:
While the incessant assault of politically themed spam and worse is temporarily behind us, we cannot let our guard down. Threat actors are now gearing up for their favorite time of the year, the traditional Winter Holiday Season in most of the Western world. Expect unbelievable deals, amazing products, and missed package delivery notifications galore. ’Tis the season!

Keep the shields up!
Viscount Jan Broucinek
Red Dot Security News
For the full listing of links in this week’s edition, visit https://reddotsecurity.news. You’ll also find past issues there.
Headline NEWS
- Cisco bug lets hackers run commands as root on UWRB access points
- Cisco scores a perfect CVSS 10 with critical flaw in its wireless system
- HPE warns of critical RCE flaws in Aruba Networking access points
- Multiple Vulnerabilities in HPE Aruba Access Points Let Attackers Execute Remote Code
- Microsoft blamed for Windows 11 KB5044284 automatically upgrading Server 2022 to 2025
- NVIDIA GeForce Users Must Update Their GPU Drivers As 8 High Risk Vulnerabilities Discovered
- Opera Browser 0-Day Flaw Allows Malicious Extensions
- Palo Alto Networks warns of potential PAN-OS RCE vulnerability
Ransomware, Malware, and Vulnerabilities News
- Canadian authorities arrest suspect linked to Snowflake data breach and cybercrime ring
- Man Arrested for Snowflake Hacking Spree Faces US Extradition
- Canada orders TikTok to shut down its business operations in the country due to ‘national security risks’
- INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime
- Five-country attack on cybercrooks welcomed by security expert
- US Prison Sentences for Nigerian Cybercriminals Surge in Recent Months
- ESET Advanced Persistent Threat (APT) Activity Report Q2 2024–Q3 2024
- New MacOS Malware Linked to North Korean Hackers
- D-Link won’t fix critical flaw affecting 60,000 older NAS devices
- CISA warns of critical Palo Alto Networks bug exploited in attacks
- CISA Warns of PTZOptics Cameras Vulnerability Exploited to Escalate Privileges
- Dangerous new phishing campaign infects Windows devices with malicious Linux VM
- Google’s Big Sleep AI Tool Finds Zero-Day Vulnerability
- Germany drafts law to protect researchers who find security flaws
- FBI finds $8.3 million embezzled by ‘pure evil’ Kansas banker
- Researcher Discloses 36 Vulnerabilities Found in IBM Security Verify Access
- Unpatched Mazda Connect bugs let hackers install persistent malware
- Delaying Your Windows Updates? You Probably Shouldn’t
- Malicious PyPI package with 37,000 downloads steals AWS keys
- Cisco confirms cyber attack but says systems not breached
- Cisco notifies ‘limited set’ of customers after hacker accessed non-public files
- Nokia confirms data breach leaked third-party code, but its data is safe
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices
- Android Zero-Day Vulnerabilities Actively Exploited In Attacks, Patch Now!
- Okta: Vulnerability in Verify gives attackers access to passwords
- PfSense Stored XSS Vulnerability Leads To RCE Attacks, PoC Published
- Hundreds of code libraries posted to NPM try to install malware on dev machines
- LameDuck’s Skynet Botnet Launched 35,000+ DDoS Attacks
- Don’t open that ‘copyright infringement’ email attachment – it’s an infostealer
- Hackers Using AV/EDR Tool “EDRSandBlast” To Bypass Endpoints
- SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins
- Businesses Worldwide Targeted in Large-Scale ChatGPT Phishing Campaign
- This new phishing strategy utilizes GitHub comments to distribute malware
- DocuSign’s Envelopes API abused to send realistic fake invoices
- Kaspersky Uncovers Major Malicious Campaign via Telegram
- Custom “Pygmy Goat” malware used in Sophos Firewall hack on govt network
- New SteelFox malware hijacks Windows PCs using vulnerable driver
- Chinese Group Accused of Hacking Singtel in Telecom Attacks
- FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions
- Chinese hacking effort is far more pervasive than previously reported, sources say
- North Korean Hackers Abuse Cloud-Based Services to Deploy Malware
- South Korea Fines Meta $15.67M for Illegally Sharing Sensitive User Data with Advertisers
- Schneider Electric confirms dev platform breach after hacker steals data
- Schneider Electric reports cyberattack, its third incident in 18 months
- Industrial companies in Europe targeted with GuLoader
- Supply Chain SMBs Urged to Address Vulnerabilities as Ransomware Attacks Soar
- Report Shows Ransomware is Still the Leading Cyber Threat, Despite Shakeups
- Scattered Spider, BlackCat claw their way back from criminal underground
- Microchip Technology Reports $21.4 Million Cost From Ransomware Attack
- Major Oilfield Supplier Hit by Ransomware Attack
- Suspected cyberattack outage continues at Port of Seattle, Washington courts
- Washington courts’ systems offline following weekend cyberattack
- Cyberattack disclosed by LA housing authority after Cactus ransomware claims
- Half a million Ohio citizens have personal data stolen following ransomware attack
Other News Events of Note and Interest
- Cool Tool: PowerToys 0.86 is out with module grouping, new features for Advanced Paste, and more
- Cool Tool: Pale Moon Browser 33.4.1
- Cool Tool: GIMP 3.0 Finally Has A Release Candidate
- Google Cloud to make multi-factor authentication mandatory in 2025
- NSA Releases Trusted Platform Module Usage Guidance
- Mozilla Foundation crumbles as third of staff cast off
- Russia’s internet watchdog blocks thousands of websites that use Cloudflare’s privacy service
- Hotel Cyber Attack Prevention: Keeping Your Network & Guests Safe
- The FTC orders Sitejabber to stop faking product reviews
- Unofficial PowerShell script bypasses Windows 11 system requirements, Microsoft Account
- Microsoft Teams Adds Automatic Loop Workspace Creation for Recurring Meetings
- Microsoft OneDrive: The most common issues and fixes
- Microsoft: Windows 11 Mail & Calendar stops working after December 31, 2024
- Microsoft just learned its lesson about overcharging for AI features
- Microsoft Authenticator passkey support to be native in January
- Classic Outlook explodes when opening more than 60 emails
- Microsoft Updates Windows Hello with Modernized Design and Expanded Passkey Options
- Microsoft has reached $1M giveaway levels of desperation to attract users to Bing
- Microsoft confirms Azure Virtual Desktop black screen and Office app issues in Windows 10
- Microsoft added many new Intel CPUs to Windows 10 LTSC which is supported until 2027
- Microsoft quietly admits Windows 11 24H2 printer issues on Arm, no word on AMD or Intel
- Microsoft Windows 11 24H2 bug list grows again: 10 reasons to avoid this update for now
- Microsoft confirms Windows Server 2025 blue screen, install issues
- Microsoft confirms issues in Windows 11 23H2 KB5044285, KB5044380
- Microsoft Windows Server 2022 sometimes upgrades to 2025 without notice
- Microsoft still not said anything about unexpected Windows Server 2025 installs
- Microsoft releases free Windows Server 2025 security advice book for download
Cyber Insurance News
- Cyber insurance demand surges as ransomware targets businesses of all sizes
- Lloyd’s and ABI look to help in defining major cyber event
- Why backups are key to driving down cyber insurance premiums