Cyberespionage campaigns, next-gen phishing attacks, and maximum-severity vulnerabilities dominated the digital landscape in November 2024. Exploits of critical flaws in VMware and Kemp LoadMaster highlighted the increasing severity of attacks. Meanwhile, cyberespionage campaigns targeting critical infrastructure and government agencies reached alarming levels. In this newsletter, you'll find a comprehensive roundup of the incidents shaping this volatile cybersecurity landscape.
Volt Typhoon, the Chinese state-sponsored hacking group, has been observed rebuilding its "KV-Botnet". This persistent threat targets critical infrastructure, including energy, transportation, and government sectors.
Volt Typhoon compromised 30% of Cisco legacy routers on a SOHO botnet
Volt Typhoon primarily targets network devices such as routers and firewalls, including Cisco RV320 routers, Netgear ProSAFE firewalls, and other small office/home office (SOHO) equipment. By compromising these devices, the group can establish covert backdoors that give it persistent access to targeted networks. The botnet's command servers are registered with Digital Ocean, Quadranet, and Vultr to make the network more diverse and resilient. The compromised devices serve as proxies that route traffic between Asia-Pacific and America, making the attacks difficult to trace.
Despite the FBI's efforts to disrupt the botnet in January 2024, Volt Typhoon has demonstrated its resilience. The group continues to refine its techniques and expand its operations.
To mitigate the risk of a Volt Typhoon attack, organizations should:
☑️ Keep all devices, especially routers and firewalls, updated with the latest security patches.
☑️ Use strong passwords and enable multi-factor authentication.
☑️ Isolate critical systems and limit network access to authorized users.
☑️ Use network monitoring tools to detect unusual activity and potential threats.
☑️ Conduct regular security audits to identify and address vulnerabilities. Leverage the Cytex Risk Assessment to uncover blind spots, get real-time remediation steps, and strengthen your security posture. Perform a 15-minute interactive risk assessment now: Cytex Risk Assessment
Maximum-Severity CVSS 10 Alert
Critical VMware & Kemp LoadMaster Vulnerabilities Exploited
🚨 CVE-2024-1212 (10.0) Progress Kemp LoadMaster OS Command Injection Vulnerability
🚨 CVE-2024-38812 (9.8) VMware vCenter Server heap-overflow vulnerability
The high-severity flaws allow attackers to gain unauthorized access to systems and execute malicious code. Progress Kemp LoadMaster has an OS command injection vulnerability enabling unauthenticated, remote attackers to execute arbitrary commands through the management interface.
This Kemp flaw coincides with a critical RCE bug in VMware vCenter Server, which is currently being exploited. VMware by Broadcom has confirmed that these vulnerabilities are actively exploited.
Successful exploitation of these vulnerabilities could lead to:
🔴 System compromise, where attackers gain control over vulnerable systems.
🔴 Theft or exfiltration of sensitive data.
🔴 Disruption of critical services.
To mitigate these risks, it is imperative to:
☑️ Apply the latest security patches for VMware vCenter Server and Progress Kemp LoadMaster, as there is no workaround.
☑️ Isolate vulnerable systems from the broader network.
☑️ Conduct regular security assessments to identify and address vulnerabilities.
☑️ Use network monitoring tools to detect and respond to suspicious activity.
CVSS 9.9 Alert - Two critical vulnerabilities were actively exploited in Palo Alto Networks Expedition.
🚨 CVE-2024-9463 (9.9) - OS command injection vulnerability
🚨 CVE-2024-9465 (9.2) - SQL injection vulnerability
These flaws could allow attackers to gain unauthorized access to sensitive information and execute arbitrary commands on affected systems. Successful exploitation of these vulnerabilities could have severe consequences, including:
🔴 Data exposure of sensitive information such as passwords, API keys, and device configurations.
🔴 Attackers could gain unauthorized access to systems and execute malicious code.
🔴 Critical network services could be disrupted or compromised.
CISA has issued a directive for federal agencies (FCEB) to patch affected systems by December 5th. Organizations using Palo Alto Networks Expedition should prioritize updating their software to the latest version.
Mitigation Strategies:
☑️ Limit access to Expedition servers to authorized users and systems.
☑️ Change all passwords and API keys associated with Expedition.
☑️ Continuously monitor networks for signs of suspicious activity.
☑️ Apply the latest security patches to address the vulnerabilities.
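The two bug classes named above, OS command injection (Kemp LoadMaster, Expedition CVE-2024-9463) and SQL injection (Expedition CVE-2024-9465), come down to the same mistake: user-supplied text is spliced into something that is later parsed, a shell command or an SQL statement. The following is an added illustration, not the vendors' code or the actual flaws; the management-interface handlers, table and key values are hypothetical and constructed here. Each vulnerable pattern sits beside its hardened form: an allow-list plus an argv list instead of a shell string, and a bound parameter instead of string formatting.

```python
import re
import sqlite3

# Added illustration, not the vendors' code: a hypothetical management-interface
# handler showing the two bug classes named in the advisories above, OS command
# injection and SQL injection, each beside its hardened form.

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_diag_command_unsafe(host: str) -> str:
    """Vulnerable pattern: user input spliced into a shell command string.

    If this string were handed to subprocess.run(..., shell=True), any ';',
    '|', '&&' or '$(...)' inside `host` would be interpreted by /bin/sh.
    """
    return f"ping -c 1 {host}"


def build_diag_command_safe(host: str) -> list[str]:
    """Hardened form: allow-list the value, then build an argv list.

    Pass the returned list to subprocess.run(argv) without shell=True; each
    element is one argument, so shell metacharacters are never interpreted.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def make_demo_db() -> sqlite3.Connection:
    """In-memory table standing in for a device-credential store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (owner TEXT, api_key TEXT)")
    conn.execute("INSERT INTO api_keys VALUES ('admin', 'EXAMPLE-KEY-0001')")
    conn.commit()
    return conn


def lookup_key_unsafe(conn: sqlite3.Connection, owner: str) -> list[tuple]:
    """Vulnerable pattern: the owner value is formatted into the SQL text."""
    query = f"SELECT owner, api_key FROM api_keys WHERE owner = '{owner}'"
    return conn.execute(query).fetchall()


def lookup_key_safe(conn: sqlite3.Connection, owner: str) -> list[tuple]:
    """Hardened form: a bound parameter is data to the driver, never SQL."""
    query = "SELECT owner, api_key FROM api_keys WHERE owner = ?"
    return conn.execute(query, (owner,)).fetchall()


if __name__ == "__main__":
    conn = make_demo_db()
    probe = "nobody' OR '1'='1"          # classic tautology probe
    print("unsafe lookup:", lookup_key_unsafe(conn, probe))   # leaks every row
    print("safe lookup:  ", lookup_key_safe(conn, probe))     # []
    print("safe argv:    ", build_diag_command_safe("lb01.example.net"))
    try:
        build_diag_command_safe("lb01.example.net; id")
    except ValueError as exc:
        print("blocked:      ", exc)
```

The allow-list is deliberately strict (letters, digits, dots and hyphens only) because rejecting unexpected input is cheaper than enumerating every shell metacharacter; the same principle applies to any value that ends up in a query, a path or a command on an appliance's management interface.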
Cybercriminals are increasingly leveraging Scalable Vector Graphics (SVG) files to bypass security measures and deliver malicious payloads. These seemingly harmless image files can contain embedded JavaScript code, allowing attackers to execute malicious scripts and steal sensitive information.
SVG and concatenated ZIP files deliver malware
SVG files can be used to create interactive elements, such as buttons and forms. But in this case, SVG files are used to display HTML code, using the <foreignObject> element, and execute JavaScript when the graphic is loaded. By exploiting this capability, attackers can craft phishing emails that appear legitimate but, when opened, redirect victims to malicious websites or download malware.
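Because an SVG is XML, the constructs the text describes can be spotted statically before the file is ever rendered. The scanner below is an added example, not code from the newsletter or any vendor; it parses the document with Python's standard XML library and reports `<foreignObject>`, embedded `<script>`, `on*` event-handler attributes and `javascript:` links. The two sample documents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the newsletter or any vendor: a static triage
# check for SVG attachments. It flags the constructs the text describes
# (<foreignObject>, embedded script, event handlers, javascript: links)
# without rendering the file or running anything it contains.

ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return findings for one SVG document; an empty list means nothing active."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Renderers are far more forgiving than an XML parser, so malformed
        # input is not automatically safe; surface it for manual review.
        return [f"unparseable XML ({exc}); review manually"]

    findings = []
    for elem in root.iter():
        tag = local_name(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name.lower().startswith("on"):          # onload=, onclick=, ...
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(ACTIVE_SCHEMES):
                scheme = value.strip().split(":", 1)[0].lower()
                findings.append(f"{scheme}: link on <{tag}>")
    return findings


# Constructed samples: a plain icon and a lure built the way the text describes.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <rect width="16" height="16" fill="steelblue"/>
</svg>"""

LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">
  <foreignObject width="300" height="120">
    <div xmlns="http://www.w3.org/1999/xhtml">Your document is ready.</div>
  </foreignObject>
  <script>function go() {}</script>
  <a xlink:href="javascript:void(0)"><text y="20">Open</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, scan_svg(doc) or "clean")
```

In a mail gateway the practical policy is simpler than scoring: an SVG attachment that needs any of these constructs has no business arriving by e-mail, so a non-empty finding list is enough to quarantine it.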
79% of cyber-espionage incidents are enabled by phishing - CISA
In another next-gen phishing attack, hackers used a concatenated ZIP file to distribute a Trojan disguised as a legitimate shipping document. This method allows the malware to bypass traditional security measures, making it more difficult to detect and prevent.
Trojan malware in ZIP bombs targets Windows users
The attackers create multiple ZIP archives, one containing the malicious payload and the others with harmless content. These archives are then concatenated into a single file, often disguised as a RAR file. By leveraging the behavior of different ZIP readers, the attackers can ensure that the malicious payload is executed.
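The trick works because a ZIP file's index (the central directory) sits at the end, and readers differ in whether they trust that index or simply walk the file from the start. A detector can exploit the same disagreement: parse the blob both ways and flag it when the two views differ or when more than one end-of-central-directory record is present. The code below is an added example, not code from the newsletter or any vendor; the decoy and lure archives are constructed in memory and the "executable" is a placeholder byte string, not a binary.

```python
import io
import struct
import zipfile

# Added example, not code from the newsletter or any vendor: detect a ZIP blob
# that is really several archives glued together, by comparing what a
# start-of-file reader sees with what an end-of-file reader sees.

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
LFH_SIG = b"PK\x03\x04"    # local file header


def find_eocd_offsets(data: bytes) -> list[int]:
    """Offsets of every EOCD signature in the blob (a clean archive has one).

    A naive byte search can also hit the signature inside compressed data or
    an archive comment, so this count is corroborating evidence, not proof.
    """
    offsets, pos = [], 0
    while (pos := data.find(EOCD_SIG, pos)) != -1:
        offsets.append(pos)
        pos += len(EOCD_SIG)
    return offsets


def first_archive_names(data: bytes) -> list[str]:
    """Entry names seen by a reader that walks local file headers from offset 0."""
    names, pos = [], 0
    while len(data) - pos >= 30 and data[pos:pos + 4] == LFH_SIG:
        # sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
        # compressed size(4) uncompressed size(4) name len(2) extra len(2)
        fields = struct.unpack_from("<4sHHHHHIIIHH", data, pos)
        flags, csize, nlen, xlen = fields[2], fields[7], fields[9], fields[10]
        names.append(data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
        if flags & 0x08:  # data descriptor in use: size unknown here, stop walking
            break
        pos = pos + 30 + nlen + xlen + csize
    return names


def last_archive_names(data: bytes) -> list[str]:
    """Entry names seen by a reader that trusts the final EOCD (Python's zipfile)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def analyze_zip(data: bytes) -> dict:
    """Flag the blob when the two views disagree or several EOCD records exist."""
    head, tail = first_archive_names(data), last_archive_names(data)
    eocds = find_eocd_offsets(data)
    return {
        "eocd_count": len(eocds),
        "head_names": head,
        "tail_names": tail,
        "concatenated": len(eocds) > 1 or head != tail,
    }


def build_zip(files: dict[str, bytes]) -> bytes:
    """Build a small stored ZIP in memory (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a harmless decoy archive, a second archive whose entry
# name mimics the lure in the text (content is a placeholder, not a binary),
# and the two glued together the way the campaign described above does.
DECOY = build_zip({"invoice.pdf": b"%PDF-1.4 constructed decoy"})
LURE = build_zip({"shipping_document.exe": b"constructed placeholder"})
CONCATENATED = DECOY + LURE

if __name__ == "__main__":
    for label, blob in (("decoy only", DECOY), ("concatenated", CONCATENATED)):
        print(label, analyze_zip(blob))
```

Note that Python's own `zipfile` quietly lists only the trailing archive, which is exactly the behaviour the attackers rely on: a gateway that inspects attachments with one library and an endpoint that extracts them with another can look at two different sets of files. Scanning both views, and rejecting any blob where they disagree, closes that gap without having to know which extractor the recipient uses.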
To protect yourself from phishing attacks, follow these tips:
☑️ Be wary of unsolicited emails containing SVG or ZIP attachments, especially those that seem unexpected or suspicious.
☑️ Refrain from clicking on links within SVG attachments, even if they appear legitimate.
☑️ Ensure that your antivirus and security software is up-to-date to detect and block malicious content.
☑️ Regularly train employees to recognize phishing attempts and avoid clicking on suspicious links or downloading attachments. Cytex offers FREE Gamified Phishing & Security Training to make your employees a cyber-security asset, not a liability. Transform your first line of defense into a resilient Human Firewall and reduce your risk of falling victim to these sophisticated attacks.
No hidden terms—get started for FREE today: Cytex Gamified Phishing and Security Training
Bojangles, the beloved chicken chain, has found itself in a sticky situation. A recent data breach has exposed sensitive information of over 33,000 individuals including SSN and medical info. Ransomware gang Hunters International claimed responsibility for the breach, saying it stole 295 GB of data.
In 2024, over 21 food and beverage companies have fallen victim to ransomware attacks, with average ransom demands exceeding $2.5 million.
Ransomware attacks on food and beverage companies can encrypt computer systems until a ransom is paid, disrupting operations and stalling supply chains, which leads to product loss, delays, and missed deliveries.
Bojangles' network was breached, but it's unclear if a ransom was paid, the amount demanded, or how the breach occurred. Bojangles is providing affected individuals with 12 to 24 months of free credit monitoring and identity restoration services.
Organizations in the food and beverage industry must prioritize cybersecurity by implementing phishing and security training, updating software regularly, and investing in strong cybersecurity solutions to prevent attacks.
Claim Free Access to MIT-Endorsed Security Tools from Cytex
🛡️ Cyber Risk Assessment
Take the first step to secure your organization through the Cytex Cyber Risk Assessment. Uncover cybersecurity blind spots and enhance security with data-driven decisions using the 15-minute Cytex Risk Assessment for FREE. Get real-time remediation steps tailored to your environment to reduce risk and save time. Perform an interactive risk assessment now: Cytex Risk Assessment
🛡️ Gamified Phishing Simulator and Security Training
At Cytex, we believe that strong cyber-defense is not only an enterprise necessity but also a societal responsibility. By providing our Gamified Phishing Simulation & Security Training modules for FREE, we aim to help state and local governments, organizations, and vendors enhance cybersecurity and resilience.
With Cytex, you can transform your first line of defense into a powerful Human Firewall. No hidden terms—secure your access now: Cytex Gamified Phishing and Security Training
Cytex provides AI-powered cybersecurity, risk management, and compliance operations in a unified resilience platform.
Interested? Find out more at → https://cytex.io