Welcome to the Cyber Watch series for today, February 9, 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.
Fortinet Discloses Critical Flaw in FortiOS SSL VPN Amidst Active Exploitation
Fortinet has revealed a critical security vulnerability, CVE-2024-21762, in its FortiOS SSL VPN, warning of potential exploitation in the wild. The flaw, with a CVSS score of 9.6, allows remote unauthenticated attackers to execute arbitrary code or commands via specially crafted HTTP requests.
Acknowledging the active exploitation, Fortinet issued recommendations for affected versions, urging users to upgrade to patched releases. This disclosure follows Fortinet’s recent patching of CVE-2024-23108 and CVE-2024-23109 in FortiSIEM supervisor, addressing unauthorized command execution risks.
The Dutch government recently reported a cyber intrusion by Chinese state-sponsored actors targeting its armed forces’ computer network, exploiting known Fortinet FortiGate flaws to deliver a backdoor named COATHANGER. Fortinet’s report indicated ongoing exploitation of N-day vulnerabilities by various threat clusters, underscoring how important it is to patch these vulnerabilities promptly.
CISA, NSA, FBI Warn of China’s Cyber Pre-positioning on Critical Infrastructure for Potential Attacks During Crises
In a joint advisory, U.S. agencies, including CISA, NSA, and FBI, have issued a stark warning about China’s state-sponsored cyber group, Volt Typhoon, actively positioning itself on U.S. critical infrastructure networks. The assessment indicates a concerning strategy, with China preparing for disruptive or destructive cyberattacks in the event of a major crisis or conflict involving the United States. The collaborative effort involves international partners, recognizing the global implications of the threat.
Volt Typhoon, known for its sophisticated “living off the land” techniques and prolonged persistence, has targeted key sectors such as Communications, Energy, Transportation Systems, and Water and Wastewater Systems. The advisory provides detailed mitigations for IT and OT administrators in critical infrastructure organizations to disrupt Volt Typhoon’s access and minimize potential risks.
CISA Launches Election Security Adviser Program to Safeguard Voting Systems Amid Growing Threats
In response to escalating threats and challenges faced by state and local election officials, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced an Election Security Adviser Program. Unveiled at the National Association of State Election Directors and the National Association of Secretaries of State meetings, the initiative aims to fortify election security ahead of the upcoming presidential elections.
With a focus on addressing potential cyberattacks by foreign entities, criminal ransomware gangs, and persistent misinformation campaigns, CISA’s program features ten seasoned advisers strategically positioned nationwide. These experts, including former state election directors and cybersecurity professionals, will collaborate with local election offices to conduct comprehensive cyber and physical security reviews.
The move comes as recent incidents, such as AI-generated robocalls and cyberattacks on local governments, underscore the evolving threats faced by election systems. The new program emphasizes the complexity of each state’s election landscape, tailoring support to meet specific security needs. State election officials have welcomed the collaboration, recognizing the importance of a united front in safeguarding the integrity of the U.S. election process.
Ransomware Payments Soar to Record $1.1 Billion in 2023, Surpassing 2022
In a disheartening turn of events, 2023 has proven to be the worst year for ransomware attacks, with payments surpassing a staggering $1.1 billion, as revealed by cryptocurrency-tracing firm Chainalysis.
Despite a brief dip in payments in 2022, the ransomware landscape experienced a resurgence, marked by a record-breaking number of attacks, totaling 4,399 incidents. Notably, the increase in ransom amounts and a strategic focus on “big game hunting” contributed to this alarming trend.
Chainalysis attributes the relative decline in payments in 2022 to geopolitical factors such as the war in Ukraine, international sanctions, and law enforcement actions. However, 2023 saw the rise of new threats, exemplified by groups like Cl0p exploiting vulnerabilities to amass over $100 million through mass exploitation.
US State Department Offers $15M Bounty to Dismantle Hive Ransomware Gang
The US State Department has announced a $15 million reward for information leading to the identification, location, arrest, and/or conviction of key members within the notorious Hive ransomware gang. The Hive group has wreaked havoc globally, targeting over 1,500 victims in more than 80 countries, causing disruptions across critical sectors, including healthcare and infrastructure.
This reward follows a previous $10 million bounty issued in February, which resulted in the FBI’s successful seizure of Hive servers and their dark web platform. The Hive gang’s ransomware attacks have forced hospitals to resort to analog methods, impacting patient care during the COVID-19 pandemic.
Funded by the US Department of State’s Transnational Organized Crime Rewards Program, the recent reward reflects the government’s commitment to dismantling cybercriminal networks and ensuring accountability for their actions.
ResumeLooters Launch Large-Scale Cyber Attack Targeting APAC Job Seekers, Exploiting SQL Injection and XSS Vulnerabilities
The hacking group ResumeLooters has orchestrated a major cyber attack with a focus on the Asia-Pacific (APAC) region, specifically targeting job seekers. Cybersecurity firm Group-IB uncovered the campaign, revealing that ResumeLooters compromised 65 websites during November and December 2023.
Employing SQL injection and Cross-Site Scripting (XSS) as their primary attack vectors, the hackers aimed to pilfer user databases containing sensitive information such as names, phone numbers, emails, and employment details. The majority of victims, over 70%, are situated in APAC countries, including India, Taiwan, Thailand, and Vietnam.
ResumeLooters’ modus operandi involved injecting malicious scripts using various penetration testing tools, posing a significant threat to data confidentiality. The group’s attempt to load phishing forms on legitimate resources highlights the sophistication of their tactics.
OT and IoT Environments Face Escalating Sophisticated Attacks, Warns Nozomi Networks
Operational technology (OT) and Internet of Things (IoT) environments are becoming prime targets for increasingly sophisticated cyber attacks, according to Nozomi Networks’ latest report. Covering the second half of 2023, the report reveals a staggering 230% rise in ICS-CERT vulnerabilities affecting 74 vendors, with the “critical manufacturing” sector being the hardest hit.
“Network anomalies and attacks” constituted the largest share of threats, emphasizing the urgency for enhanced security measures. Authentication and password issues were the second-highest threat category, indicating persistent challenges in identity and access management.
Nozomi Networks reported an average of 712 unique attacks daily on its IoT honeypots. The findings come amid global concerns, with the US and its allies warning of Chinese state actors covertly positioning themselves in critical infrastructure sectors for potential destructive attacks during military conflicts.
Deepfake Attacks Surged by 704% in 2023
Deepfake attacks utilizing “face swap” technology witnessed a staggering 704% surge in 2023, as revealed by identity verification company iProov. The proliferation of free and easily accessible face swap tools, virtual cameras, and mobile emulators has empowered threat actors to create highly convincing deepfakes, posing a substantial risk to remote identity verification systems.
Face swap apps like SwapFace, DeepFaceLive, and Swapstream emerged as common tools leveraged in attacks against these systems. The report highlights a 255% increase in injection attacks targeting mobile identity verification platforms and a 353% rise in emulator use during the second half of 2023.
Additionally, the number of threat groups sharing information about attacks on biometric and video identification systems nearly doubled during this period. Notably, deepfake attackers exhibit a preference for targeting manual or hybrid identity verification systems, exploiting the perceived vulnerability of human decision-makers compared to computerized facial recognition systems.
Blocked IP Addresses Increased by 116.42%, Report Finds
A recent report by Qrator Labs reveals a significant escalation in cyber threats, with a surge in blocked IP addresses linked to malicious activities. The United States features prominently in this landscape, contributing over 5.6 million blacklisted IP addresses to the global total.
Other notable contributors include China, Germany, Indonesia, and Singapore, while countries like Israel, Poland, and Bangladesh make their debut on the list. The report also highlights a trend observed since Q2: attackers are increasingly using localized traffic sources to evade geo-blocking measures.
Furthermore, the study examines where major botnets are hosted, with India leading at 10,671 devices, closely followed by Indonesia, Russia, and the United States.
Verizon Data Breach Exposes Personal Info of 63,000 Employees
Telecom giant Verizon Communications has disclosed a data breach affecting over 63,000 employees after discovering that an employee gained unauthorized access to sensitive personal information. The breach, detected on December 12, 2023, traces back to an incident around September 21, 2023, in which a Verizon staff member inappropriately handled a file containing employee data, in violation of company policies. The compromised information includes names, addresses, dates of birth, Social Security numbers, and compensation details.
Verizon is responding by reinforcing technical controls to prevent future breaches, and regulators are being informed. While the company asserts no evidence of external sharing or malicious intent, affected employees are offered identity protection and credit monitoring services.
That’s all for today. Stay tuned for our next episode. See you next week!