Cyber Briefing: 2024.11.26
👉 What’s the latest in the cyber world today?
RomCom, Firefox, Windows, Zero-Day, SpyLoan Apps, Social Engineering, Data Theft, WordPress, Anti-Spam, Plugin, Remote Hacking, CISA, Array Networks, Critical Flaw, QNAP, Remote Code Execution, Blue Yonder, Ransomware, Starbucks, HDFC Life Insurance, Breach, Sensitive Information, Arrowe Park Hospital, Cyberattack, Disruption, IT Systems, Australia, ATF Services, INC Ransomware, Data Leak, JR West Hotel, Hack, Phishing Attacks, Intel, CHIPS Act, US, Domestic, Chip Manufacturing, UK, Businesses, £44B, Australian Banks, Lag, Email Scam Protection, New York, Geico, Travelers, Driver’s Licenses, Former Employee, Verizon, Chinese Government, Espionage
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. RomCom Exploits Zero-Day Flaws in Firefox
A Russia-aligned threat actor known as RomCom has exploited two zero-day vulnerabilities, one in Mozilla Firefox and the other in Microsoft Windows, to launch sophisticated cyberattacks aimed at delivering its backdoor malware. The attack, which does not require user interaction, targets a use-after-free vulnerability in Firefox’s Animation component (CVE-2024-9680) and a privilege escalation flaw in the Windows Task Scheduler (CVE-2024-49039). The exploit, triggered when a victim visits a malicious website, allows RomCom to bypass browser security, escalate privileges, and deploy the RomCom RAT.
2. SpyLoan Apps Exploit Users to Steal Data
SpyLoan apps, a rapidly growing threat, exploit social engineering techniques to deceive users into granting excessive permissions, allowing attackers to steal sensitive data. These apps, often promoted through fake ads on social media, primarily target users in South America, Southern Asia, and Africa. Once installed, SpyLoan apps request access to contacts, SMS messages, device storage, and other personal information, which is then transmitted to attacker-controlled servers via encrypted HTTP requests.
3. WordPress Plugin Flaw Exposes 200,000 Sites
A critical vulnerability in the Anti-Spam by CleanTalk WordPress plugin, affecting over 200,000 active installations, was discovered on October 30, 2024. Tracked as CVE-2024-10542 and CVE-2024-10781, these flaws allow unauthenticated attackers to install and activate arbitrary plugins, potentially leading to remote code execution. The first vulnerability, an authorization bypass via reverse DNS spoofing, allows attackers to exploit IP address resolution mechanisms, while the second flaw, caused by missing checks on empty API key values, enables unauthorized access.
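The two weaknesses described above, trusting a reverse-DNS name on its own and accepting an empty API key, are illustrated here in hardened form. This is an added, hypothetical example in Python and is not the plugin's own code; the DNS tables and key values are constructed.

```python
import hmac

# Constructed DNS data: one legitimate host whose PTR and A records agree,
# and one attacker-controlled IP whose PTR claims a trusted name (the owner of
# an IP range controls its own reverse zone) but whose forward record does not
# point back to that IP.
PTR_RECORDS = {
    "203.0.113.10": "api.trusted.example",
    "198.51.100.7": "api.trusted.example",   # spoofed PTR entry
}
A_RECORDS = {
    "api.trusted.example": {"203.0.113.10"},
}
TRUSTED_DOMAIN = "trusted.example"


def _name_is_trusted(host):
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def naive_rdns_trusted(ip, ptr=PTR_RECORDS):
    """Weak check: believes whatever the PTR record says."""
    return _name_is_trusted(ptr.get(ip, ""))


def fcrdns_trusted(ip, ptr=PTR_RECORDS, fwd=A_RECORDS):
    """Forward-confirmed rDNS: the PTR name must resolve back to the same IP,
    which an attacker cannot arrange for a domain they do not control."""
    host = ptr.get(ip, "")
    if not _name_is_trusted(host):
        return False
    return ip in fwd.get(host, set())


def api_key_valid(presented, configured):
    """Reject a missing or empty key on either side before comparing, so an
    unset key can never match an empty request value; compare in constant time."""
    if not configured or not presented:
        return False
    return hmac.compare_digest(presented.encode(), configured.encode())
```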
4. CISA Urges Patching Array Networks Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to federal agencies to patch a critical vulnerability in Array Networks AG and vxAG secure access gateways, citing active exploitation. Tracked as CVE-2023-28461 with a CVSS score of 9.8, the flaw allows remote code execution via unauthenticated access, exploiting a vulnerable URL. Array Networks released fixes in March 2023 with version 9.4.0.484, but the flaw remains a significant risk as it is being actively targeted by the China-linked Earth Kasha group, also known as MirrorFace.
5. Critical QNAP Vulnerability Allows RCE
A critical vulnerability has been discovered in QNAP’s QuRouter, affecting version 2.4.x, that allows remote attackers to execute arbitrary commands through command injection. Tracked as CVE-2024-48860 and CVE-2024-48861, these flaws have been classified with an “Important” severity rating, posing significant security risks. If exploited, the vulnerabilities could enable attackers to gain unauthorized access, potentially leading to data breaches and system compromises.
💥 Cyber Incidents
6. Blue Yonder Hit by Ransomware Attack
Starbucks was impacted by a ransomware attack on its third-party software supplier, Blue Yonder, on November 21, 2024. The breach forced the company to revert to manual processes for employee scheduling and payroll management, though customer service and store operations remained unaffected. The attack also caused disruptions for major UK retailers, including Morrisons and Sainsbury’s, impacting their warehouse management systems. Blue Yonder has engaged external cybersecurity firms to assist with recovery, but there is no timeline yet for full restoration.
7. HDFC Life Insurance Suffers Data Breach
HDFC Life Insurance has confirmed a data breach after receiving a communication from an unknown source that shared customer data with malicious intent. In response, the insurer has launched an information security assessment and data log analysis to identify the root cause of the breach. The company assured its customers that their interests remain a top priority and that necessary actions will be taken to safeguard their data and prevent future incidents.
8. Arrowe Park Hospital Faces Major Cyberattack
Arrowe Park Hospital, part of the Wirral University Teaching Hospital Trust (WUTH) in England, has declared a “major incident” following a suspected cyber attack that began on November 25, 2024. The hospital’s emergency department has been impacted, with longer wait times expected as the Trust works to manage the disruption. Patients are advised to attend the emergency department only for genuine emergencies, and non-urgent cases are encouraged to seek care through other channels such as walk-in centers, GPs, or pharmacies.
9. Australian ATF Services Hit by Ransomware
ATF Services, an Australian fencing and site security firm, has confirmed a cyber attack after the INC Ransom ransomware gang claimed to have stolen one terabyte of data from the company. The gang, which first announced the breach on November 23, 2024, posted proof-of-hack documents, including internal contact lists, customer data, and financial records. While ATF Services acknowledged the breach and engaged cybersecurity experts to investigate, the company reported that only a limited set of corporate information was affected.
10. Japan’s JR West Hotel Hit With Data Breach
On November 25, 2024, the Via Inn Prime Nihonbashi Ningyocho, operated by JR West Group, fell victim to a cyberattack that compromised its Booking.com reservation management system. The breach resulted from a phishing email that targeted the hotel’s staff, enabling attackers to steal login credentials and access the system. As a result, phishing messages were sent to some customers through the system’s chat feature, directing them to malicious websites. Additionally, customer data, including names, addresses, and phone numbers for reservations made between November 26, 2023, and September 30, 2025, may have been exposed. JR West has confirmed the incident and is working on enhancing its security measures to prevent future breaches.
📢 Cyber News
11. Intel Secures $7B for US Chip Manufacturing
Intel has been awarded $7.865 billion in funding by the U.S. Department of Commerce as part of the CHIPS and Science Act, aimed at boosting domestic semiconductor manufacturing. The funding will support projects related to chip manufacturing and advanced packaging at Intel’s facilities across Arizona, New Mexico, Ohio, and Oregon. This investment is part of Intel’s transition to a foundry model, where it will manufacture chips for other organizations. The award underscores the U.S. government’s commitment to reducing its reliance on foreign chip production, fostering economic growth, and strengthening national security.
12. UK Businesses Lose £44B Due to Cyberattacks
New research from Howden reveals that UK businesses have suffered a staggering £44 billion in revenue losses over the past five years due to cyberattacks. A survey of 905 senior IT decision-makers found that 52% of companies experienced at least one cyber incident during this period, with larger businesses particularly affected. Common threats included email compromises and data theft, which cost companies an average of £2 million each. Despite the financial impact, many businesses still lack basic cybersecurity measures such as antivirus software and network firewalls.
13. Australian Banks Lagging in Scam Protection
A recent analysis by cybersecurity firm Proofpoint reveals that Australian banks are lagging behind their U.S. counterparts in email-based fraud protections. The research highlights that 66% of Australian banks have not implemented the highest level of Domain-based Message Authentication, Reporting and Conformance (DMARC) protection, which is crucial in preventing phishing attacks. This is in stark contrast to the U.S., where only 58% of banks have failed to adopt this level of protection. While 75% of Australian banks have some form of DMARC protection, one-quarter still lack any implementation at all.
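The "levels" of DMARC protection referred to above come from the policy tag in a domain's DMARC TXT record: no record, p=none (monitoring only), p=quarantine, and p=reject (the highest). The classifier below is an added example, not Proofpoint's methodology; the domains and records are constructed, and a pct below 100 is reported separately because the policy is then only applied to a sample of failing mail.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_level(txt):
    """Classify a record as 'none' (no usable record), 'monitor' (p=none),
    'partial' (enforcing policy but pct<100), 'quarantine' or 'reject'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "none"
    policy = tags.get("p", "none").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none"   # an invalid p tag makes the record unusable to receivers
    if policy == "none":
        return "monitor"
    if int(tags.get("pct", "100")) < 100:
        return "partial"
    return policy


# Constructed sample domains; these are not real bank records.
SAMPLE = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=quarantine; pct=50",
    "bank-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-c.example",
    "bank-d.example": None,                     # no DMARC record published
}


def summarize(records):
    """Return per-domain levels, the share with any DMARC record, and the
    share that has not reached p=reject (the figure the survey reports)."""
    levels = {dom: dmarc_level(rec) for dom, rec in records.items()}
    total = len(levels)
    any_dmarc = sum(lvl != "none" for lvl in levels.values()) / total
    not_reject = sum(lvl != "reject" for lvl in levels.values()) / total
    return levels, any_dmarc, not_reject
```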
14. New York Fines Geico and Travelers Over Breaches
New York state has imposed significant fines on two major insurers, Geico and Travelers, totaling $11.3 million for failing to protect customers’ driver’s license numbers during cyberattacks in 2021. Geico was fined $9.75 million, while Travelers faced a $1.55 million penalty. The breaches occurred when hackers exploited vulnerabilities in the companies’ systems, accessing unencrypted personal data, including driver’s license numbers. The stolen data was then used to file fraudulent unemployment claims amid the COVID-19 pandemic.
15. Ex-Verizon Employee Sentenced for Espionage
Ping Li, a former Verizon employee, was sentenced to four years in prison for conspiring to act as an agent of the Chinese government’s Ministry of State Security (MSS). Li, a U.S. citizen, shared sensitive cybersecurity information, including data about hacking events and the SolarWinds cyberattack, with the MSS over the course of his two-decade career in the tech industry. He provided information about Chinese dissidents, pro-democracy advocates, and members of the Falun Gong religious movement while working for Verizon and Infosys. Li also sent personal and biographical data of individuals living in the U.S. to MSS officers.
Copyright © 2024 CyberMaterial. All Rights Reserved.