Cyber Briefing: 2024.12.23
👉 What’s happening in cybersecurity today?
FlowerStorm, Rockstar2FA, NodeStealer Malware, Facebook, Craft, Content Management System, Remote Code Execution, WPA3, Network Security, Man In The Middle, Hail Cock, Botnet, DigiEver, IoT Devices, Mirai, Malware Variant, Duke Energy, Breach, Illinois, Department of Human Services, Customer Data, Rapido, Data Leak, Douglas County, Health Department, Leak, Christopher Newport University, Cyberattack, NSO Group, WhatsApp, Pegasus Spyware, Italy, OpenAI, ChatGPT, GDPR Violations, Ascension Health Systems, Ransomware Attack, US, Federal Trade Commission, Marriott, Strengthen, Data Security, LockBit, Rostislav Panev, Charged, Ransomware Attacks
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
🚨 Cyber Alerts
1. FlowerStorm Rises After Rockstar2FA Collapse
The phishing-as-a-service platform Rockstar2FA experienced a technical failure on November 11, 2024, disrupting its operations and leaving a void in the cybercriminal ecosystem. This has led to a surge in activity from FlowerStorm, a similar service that has been active since mid-2024. Both platforms share similarities in phishing methods, suggesting possible links, but no definitive connection has been established.
2. Python NodeStealer Targets Facebook Business
NodeStealer, a sophisticated malware that began as a JavaScript-based threat, has evolved into a Python-based tool targeting Facebook Ads Manager accounts to steal sensitive data. Delivered through spear-phishing emails disguised as copyright infringement notices, the malware uses DLL sideloading and encoded PowerShell scripts for stealth. Upon infection, it exfiltrates login credentials, financial information, and browser data to Telegram channels via a bot API.
3. Craft CMS Vulnerability Enables RCE
A critical vulnerability in the popular PHP-based Craft CMS, identified as CVE-2024-56145, allows unauthenticated attackers to execute remote code on affected systems. The flaw, stemming from PHP’s register_argc_argv configuration, enables attackers to manipulate query string parameters and exploit Craft CMS’s template rendering process. Researchers demonstrated how malicious actors could force the CMS to load template files from an attacker-controlled FTP server, bypassing security measures and enabling full system compromise.
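As an added defensive illustration (not code from the newsletter, Craft CMS or the researchers), the check below scans web access logs for query strings that look like argv-style options pointing at a remote URL, the shape the register_argc_argv issue above relies on. It assumes PHP's behaviour of splitting the query string on "+" into argv entries when that setting is on; the option name and log lines are constructed placeholders.

```python
"""Flag requests whose query string resembles PHP argv options with remote URL values."""
import re
from urllib.parse import unquote

# Schemes that would let a PHP application fetch templates from a remote host.
REMOTE_SCHEME = re.compile(r"^(ftp|ftps|http|https|smb)://", re.IGNORECASE)
# Common-log-format request field: "METHOD /path?query HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def argv_tokens(query: str) -> list[str]:
    """Approximate how PHP builds $_SERVER['argv'] from a query string when
    register_argc_argv is on: split on '+' (and '&', so key=value pairs show
    up too), then percent-decode each token."""
    return [unquote(t) for t in re.split(r"[+&]", query) if t]


def suspicious_options(query: str) -> list[str]:
    """Return argv-style tokens ('--name=value') whose value is a remote URL."""
    hits = []
    for tok in argv_tokens(query):
        if not tok.startswith("--"):
            continue
        _, _, value = tok.partition("=")
        if REMOTE_SCHEME.match(value.strip()):
            hits.append(tok)
    return hits


def scan_access_log(lines):
    """Yield (request path, flagged tokens) for each log line that trips the check."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        query = path.partition("?")[2]
        hits = suspicious_options(query)
        if hits:
            yield path, hits


# Constructed sample log lines; the option name '--somePath' is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Dec/2024:10:01:02 +0000] "GET /index.php?p=about HTTP/1.1" 200 512',
    '198.51.100.9 - - [23/Dec/2024:10:01:05 +0000] "GET /index.php?--somePath=ftp%3A%2F%2F198.51.100.9%2Ftpl HTTP/1.1" 500 0',
    '198.51.100.9 - - [23/Dec/2024:10:01:06 +0000] "GET /index.php?q=search+--verbose HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for path, hits in scan_access_log(SAMPLE_LOG):
        print("ALERT", path, hits)
```

The durable fix is still register_argc_argv = Off in php.ini for web SAPIs; this check only surfaces attempts in existing logs.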
4. WPA3 Password Bypassed via MITM Attack
Researchers from the University of the West Indies have demonstrated a method for bypassing WPA3 security, exposing vulnerabilities in its transition mode, which allows compatibility with WPA2 devices. The attack leverages a downgrade approach to capture part of the WPA3 handshake, then uses social engineering to recover the network password. The researchers created a rogue access point with a captive portal, tricking users into entering their Wi-Fi credentials, which were verified against the captured handshake.
5. Hail Cock Botnet Exploits DigiEver Devices
A new Mirai-based botnet, known as the “Hail Cock Botnet,” has been exploiting vulnerabilities in IoT devices, particularly DigiEver DVRs and TP-Link routers, to deliver malware. The botnet, which has been active since September 2024, targets devices with known flaws, including the CVE-2023-1389 vulnerability, and uses sophisticated multi-layer encryption techniques to avoid detection. Researchers discovered that the botnet leverages command injection vulnerabilities in devices like the DigiEver DS-2105 Pro DVR and TP-Link routers to execute arbitrary code, enabling remote control and potential data theft.
💥 Cyber Incidents
6. Duke Energy Suffers Customer Data Breach
Duke Energy has announced a potential data breach that may have impacted customer personal information in May 2024. The breach occurred when a third party accessed certain customer data from the company’s public website. While there is no indication that passwords, financial information, or access to online accounts were compromised, Duke Energy has assured customers that immediate actions have been taken to secure accounts.
7. Illinois Department of Human Services Hacked
The Illinois Department of Human Services (IDHS) recently revealed a significant privacy breach that occurred on April 25, 2024, impacting over 1.1 million customers. The breach, caused by a phishing attack, exposed the Social Security numbers (SSNs) of 4,701 individuals, including three employees. Additionally, public assistance account details — such as names, dates of birth, and contact information — were accessed for 1,118,993 customers, though SSNs were not included in this data.
8. Rapido Suffers Leak Exposing User Data
Rapido, a popular ride-hailing platform in India, recently addressed a security vulnerability that exposed personal information of users and drivers through a website feedback form. The issue, discovered by security researcher Renganathan P, involved an API linked to the feedback form, which unintentionally made sensitive data, such as full names, phone numbers, and email addresses, accessible. The exposed data included over 1,800 feedback responses, with many phone numbers belonging to drivers.
9. Douglas County Department of Health Breached
Douglas County Health and Human Services in Wisconsin recently notified patients of a privacy breach involving the unauthorized access of their personal health information (PHI) by a former employee. The breach, which was discovered in May 2024, involved the employee accessing PHI without legitimate authorization, though there is no indication that the information was disseminated beyond the employee. An investigation was conducted by the Superior Police Department in Wisconsin, confirming that the breach did not extend beyond the individual employee.
10. Christopher Newport University Hit by Breach
Christopher Newport University (CNU) in Newport News, Virginia, recently fell victim to a sophisticated cyberattack targeting its authentication systems. The breach exposed sensitive personal data, including names, ID numbers, email addresses, job titles, and contact information of staff members. The attack also compromised multifactor authentication methods used by the university. In response, CNU has mandated a password reset for all users, with those failing to do so by the deadline losing access to their accounts.
📢 Cyber News
11. US Rules Against NSO Group in WhatsApp Case
A U.S. federal judge has ruled in favor of WhatsApp in its legal battle against Israeli spyware vendor NSO Group. The case, which centers on the use of the Pegasus spyware, alleges that NSO exploited a vulnerability in WhatsApp’s system to deliver the malware to 1,400 devices in May 2019. Judge Phyllis J. Hamilton condemned NSO Group for failing to comply with court orders, including the non-production of the Pegasus source code, and ruled the company in breach of contract for using WhatsApp for malicious purposes.
12. Italy Fines OpenAI €15M for GDPR Violations
Italy’s data protection authority has fined OpenAI €15 million for violating the General Data Protection Regulation (GDPR) with its ChatGPT service. The fine stems from OpenAI’s failure to notify authorities about a security breach in March 2023, processing personal data without adequate legal basis, and not implementing age verification mechanisms to protect children under 13. Additionally, the company has been ordered to run a six-month public awareness campaign to inform users about data collection practices, rights to object, and how ChatGPT operates.
13. 6M People Affected by Ascension Attack
A ransomware attack on Ascension Health in May 2024 has impacted nearly 6 million people, compromising sensitive data including medical records, insurance details, government identification, and payment information. The breach forced the nonprofit healthcare organization, which operates 140 hospitals across 19 states, to switch to manual operations for weeks, severely disrupting services. Victims of the attack are being offered two years of free identity protection services and access to a $1 million fraud insurance policy.
14. FTC Orders Marriott to Boost Data Security
The Federal Trade Commission (FTC) has finalized an order requiring Marriott International and its subsidiary, Starwood Hotels & Resorts, to implement a comprehensive information security program to settle charges related to security failures. These failures resulted in three major data breaches, exposing the personal information of over 344 million customers globally. The FTC charged the companies with misleading consumers about the adequacy of their data protection measures.
15. LockBit Developer Charged for Ransomware
Rostislav Panev, a dual Russian and Israeli national, has been charged in the United States for his role as the developer of the infamous LockBit ransomware-as-a-service (RaaS) operation. Arrested in Israel in August 2024, Panev is accused of orchestrating cyberattacks that caused billions in damages globally. Between June 2022 and February 2024, he allegedly earned approximately $230,000 from the ransomware operation. LockBit, notorious for targeting over 2,500 entities worldwide, including multinational corporations, government agencies, and critical infrastructure, is believed to have netted over $500 million in illicit profits.
Copyright © 2024 CyberMaterial. All Rights Reserved.