Cyber Threat Intelligence 08 January 2025
Healthcare Sector
- FDA Warns Of Cyber Risks In Guidance For AI-Enabled Devices
"Manufacturers are eager to incorporate artificial intelligence and machine learning technologies into a wide range of medical devices, from cardiac monitors that can spot developing heart problems to medical imaging systems that can find malignancies a radiologist might miss. The Food and Drug Administration (FDA) has approved more than 1,000 devices that incorporate AI and ML - most within the past five years – and in new draft guidance released Tuesday, the agency emphasized the need to address cybersecurity issues in both pre-market submissions to the agency and in the lifecycle management of AI-enabled medical products."
https://www.bankinfosecurity.com/fda-warns-cyber-risks-in-guidance-for-ai-enabled-devices-a-27236
https://www.fda.gov/media/184856/download
Industrial Sector
- ABB ASPECT-Enterprise, NEXUS, And MATRIX Series Products
"Multiple vulnerabilities in ABB ASPECT-Enterprise, NEXUS, and MATRIX series products have been reported, which could enable an attacker to disrupt operations or execute remote code."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-01
- Nedap Librix Ecoreader
"Successful exploitation of this vulnerability could result in remote code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-02
- The Overlooked Risks Of Open-Source Software In Industrial Security
"Open-source software (OSS) has become an indispensable component in many industrial environments. Just last year, 95% of companies said they increased or maintained their use of OSS. According to the Linux Foundation, 70-80% of all code in any modern solution has been directly plucked from OSS solutions. Cost-efficiency, flexibility, and expansive development community make OSS an attractive option for many organizations looking to innovate while managing budgets. It's also a boon for anyone looking for transparency over pure performance. However, these apparent strengths can mask significant risks, particularly when OSS is used in critical infrastructure without sufficient oversight."
https://www.tripwire.com/state-of-security/overlooked-risks-open-source-software-industrial-security
- MyCERT Advisory Recommends Cybersecurity Practices For Water Systems
"The water sector is experiencing a rise in cyber threats, with critical infrastructure, including both IT and operational technology (OT) systems, becoming primary targets for malicious actors. These attacks, which exploit vulnerabilities in internet-facing OT systems and industrial control systems (ICS), pose cybersecurity risks to public health, business continuity, and national security. MyCERT, the Malaysian Computer Emergency Response Team, has issued MA-1228.012025, an advisory aimed at raising awareness of cybersecurity risks in the water sector and providing recommendations for mitigation strategies. While there have been no cyber incidents reported in Malaysia’s water systems, the MyCERT advisory stresses the importance of vigilance and proactive defense strategies."
https://cyble.com/blog/mycert-advisory-shares-cybersecurity-facts-for-water-systems/
https://www.mycert.org.my/portal/advisory?id=MA-1228.012025
New Tooling
- Cyberbro: Open-Source Tool Extracts IoCs And Checks Their Reputation
"Cyberbro is an open-source application that extracts IoCs from garbage input and checks their reputation using multiple services."
https://www.helpnetsecurity.com/2025/01/07/cyberbro-open-source-extract-iocs-check-reputation/
https://github.com/stanfrbd/cyberbro
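What an extractor of this kind has to get right is easiest to see in a small worked version. The following is an added Python example, not Cyberbro's own code and without its reputation lookups: it refangs the common defanging styles, classifies indicators by type, dedupes them, and drops loopback and RFC 1918 addresses that never deserve a lookup. The sample paste and every indicator in it are constructed for this illustration (documentation IP ranges, example.com/.net/.org names, the SHA-256 and MD5 of empty input).

```python
"""Added example (not Cyberbro's own code): extract IoCs from pasted text.

Refangs common defanging styles (hxxp, [.], [@]), classifies indicators
by type, dedupes them, and drops addresses that are never worth a lookup.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a "garbage" paste of the kind an analyst drops into a tool.
SAMPLE_TEXT = """
Observed C2 at hxxps://evil-cdn[.]example[.]com/gate.php and 203[.]0[.]113[.]45.
Dropper SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
also seen as MD5 d41d8cd98f00b204e9800998ecf8427e. Loopback 127.0.0.1 is noise,
as is the jump host 10.0.0.5. Staging: files.example[.]net
Contact: analyst[@]example.org. Mirror: http://198.51.100.7:8080/x
"""

_REFANG = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I), "."),
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[@\]|\(at\)", re.I), "@"),
]

_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(text: str) -> str:
    """Undo defanging so indicators appear in their real-world form."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def _is_noise_ip(ip: ipaddress.IPv4Address) -> bool:
    """Loopback, link-local, multicast and RFC 1918 space never get a reputation lookup."""
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or any(ip in net for net in _RFC1918))


def extract_iocs(text: str) -> dict:
    """Return {type: [unique values in order of appearance]} for the refanged text."""
    text = refang(text)
    found = defaultdict(list)
    claimed = []  # spans already reported as a URL or e-mail; their pieces are not re-reported as domains

    def add(kind: str, value: str) -> None:
        if value not in found[kind]:
            found[kind].append(value)

    for m in _PATTERNS["url"].finditer(text):
        url = m.group().rstrip(".,;)")
        claimed.append((m.start(), m.start() + len(url)))
        add("url", url)
        host = urlsplit(url).hostname
        if host and not _PATTERNS["ipv4"].fullmatch(host):
            add("domain", host.lower())
    for m in _PATTERNS["email"].finditer(text):
        claimed.append(m.span())
        add("email", m.group().lower())
    for m in _PATTERNS["ipv4"].finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group())
        except ValueError:
            continue  # regex shape matched but not an address (e.g. 999.1.1.1)
        if not _is_noise_ip(ip):
            add("ipv4", str(ip))
    for m in _PATTERNS["sha256"].finditer(text):
        add("sha256", m.group().lower())
    for m in _PATTERNS["md5"].finditer(text):
        add("md5", m.group().lower())
    for m in _PATTERNS["domain"].finditer(text):
        if not any(s <= m.start() and m.end() <= e for s, e in claimed):
            add("domain", m.group().lower())
    return dict(found)


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        print(f"{kind}: {values}")
```

The reputation check is the step this leaves out: each value in the returned dict would be handed to one or more lookup services, which is where a tool like Cyberbro earns its keep. The TEST-NET ranges (203.0.113.0/24, 198.51.100.0/24) are deliberately not filtered here so that constructed samples pass through; a production filter would drop them as well.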
Vulnerabilities
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-41713 Mitel MiCollab Path Traversal Vulnerability
CVE-2024-55550 Mitel MiCollab Path Traversal Vulnerability
CVE-2020-2883 Oracle WebLogic Server Unspecified Vulnerability"
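KEV additions are most useful when they are matched automatically against what a vulnerability scanner has already found. Below is an added Python example, not CISA tooling, that indexes a catalog excerpt written in the field names of the KEV JSON feed and joins it to constructed scanner findings, ranking internet-facing hits first and flagging overdue remediation dates. The three CVE IDs, vendors and products are those in the alert above; the dueDate values, hostnames and the non-KEV finding (CVE-2024-20154, from the MediaTek item further down this page) are constructed for the illustration.

```python
"""Added example (not CISA tooling): join scanner findings to the KEV catalog.

The catalog snippet uses the field names of CISA's KEV JSON feed, but its
dueDate values and the scanner findings are constructed for this illustration.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.01.07",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2024-41713", "vendorProject": "Mitel", "product": "MiCollab",
         "vulnerabilityName": "Mitel MiCollab Path Traversal Vulnerability",
         "dateAdded": "2025-01-07", "dueDate": "2025-01-28",   # dueDate constructed
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-55550", "vendorProject": "Mitel", "product": "MiCollab",
         "vulnerabilityName": "Mitel MiCollab Path Traversal Vulnerability",
         "dateAdded": "2025-01-07", "dueDate": "2025-01-28",   # dueDate constructed
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-2883", "vendorProject": "Oracle", "product": "WebLogic Server",
         "vulnerabilityName": "Oracle WebLogic Server Unspecified Vulnerability",
         "dateAdded": "2025-01-07", "dueDate": "2025-01-28",   # dueDate constructed
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: host, CVE, and whether the service is reachable from the internet.
SCANNER_FINDINGS = [
    {"host": "collab-01", "cve": "CVE-2024-41713", "internet_facing": True},
    {"host": "collab-01", "cve": "CVE-2024-55550", "internet_facing": True},
    {"host": "erp-app-07", "cve": "CVE-2020-2883", "internet_facing": False},
    {"host": "lab-phone-03", "cve": "CVE-2024-20154", "internet_facing": False},  # not in the KEV excerpt
]


def load_kev(raw_json: str) -> dict:
    """Index the catalog by CVE ID, converting the ISO date strings to date objects."""
    index = {}
    for v in json.loads(raw_json)["vulnerabilities"]:
        entry = dict(v)
        entry["dateAdded"] = date.fromisoformat(v["dateAdded"])
        entry["dueDate"] = date.fromisoformat(v["dueDate"])
        index[v["cveID"]] = entry
    return index


def triage(findings: list, kev: dict, today: str) -> dict:
    """Split findings into KEV hits (most urgent first) and everything else.

    `today` is an ISO date string (YYYY-MM-DD) so the function is easy to call
    from scripts and tests.
    """
    today_d = date.fromisoformat(today)
    hits, others = [], []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            others.append(f)
            continue
        hits.append({
            **f,
            "vendor": entry["vendorProject"],
            "product": entry["product"],
            "due": entry["dueDate"].isoformat(),
            "days_left": (entry["dueDate"] - today_d).days,
            "overdue": today_d > entry["dueDate"],
            "ransomware_use": entry["knownRansomwareCampaignUse"],
        })
    # Internet-facing first, then earliest due date, then host name for a stable report
    hits.sort(key=lambda h: (not h["internet_facing"], h["due"], h["host"]))
    return {"kev_hits": hits, "not_in_kev": others}


if __name__ == "__main__":
    result = triage(SCANNER_FINDINGS, load_kev(KEV_SAMPLE), date.today().isoformat())
    for hit in result["kev_hits"]:
        print(f'{hit["host"]:12} {hit["cve"]:16} due {hit["due"]} overdue={hit["overdue"]}')
    print("not in KEV:", [f["cve"] for f in result["not_in_kev"]])
```

In practice the catalog comes from the live feed rather than an embedded string, and the scanner export carries version data the KEV entry does not; the join on CVE ID is the part that stays the same. Findings that are not in KEV are not safe, only not yet known to be exploited, so they keep their normal CVSS-driven priority.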
https://www.cisa.gov/news-events/alerts/2025/01/07/cisa-adds-three-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-oracle-mitel-flaws-exploited-in-attacks/
- Android Patches Several Vulnerabilities In First Security Update Of 2025
"Android has released its first security update of the year, disclosing several critical and high-severity vulnerabilities that affect a wide range of Android devices. The bulletin identifies five critical remote code execution (RCE) vulnerabilities affecting what Android categorizes as the “system,” which encompasses Android’s core components and underlying architecture. These vulnerabilities could allow attackers to execute code without needing additional privileges. Devices receiving a security patch level dated January 5, 2025, or later are protected from these vulnerabilities."
https://cyberscoop.com/android-security-update-january-2025/
- New Research Highlights Vulnerabilities In MLOps Platforms
"Security researchers have identified multiple attack scenarios targeting MLOps platforms like Azure Machine Learning (Azure ML), BigML and Google Cloud Vertex AI, among others. According to a new research article by Security Intelligence, Azure ML can be compromised through device code phishing, where attackers steal access tokens and exfiltrate models stored in the platform. This attack vector exploits weaknesses in identity management, allowing unauthorized access to machine learning (ML) assets."
https://www.infosecurity-magazine.com/news/vulnerabilities-mlops-platforms/
- Dell, HPE, MediaTek Patch Vulnerabilities In Their Products
"Hardware makers MediaTek, HPE and Dell on Monday released advisories to inform customers about potentially serious vulnerabilities found and patched in their products. Taiwanese semiconductor company MediaTek announced patches for a dozen vulnerabilities, including a critical-severity flaw in the modem component of tens of chipsets that could lead to remote code execution (RCE). Tracked as CVE-2024-20154, the issue is described as an out-of-bounds write that could be exploited when a device is connected to a rogue base station controlled by the attacker, without user interaction."
https://www.securityweek.com/dell-hpe-mediatek-patch-vulnerabilities-in-their-products/
Malware
- New Mirai Botnet Targets Industrial Routers With Zero-Day Exploits
"A relatively new Mirai-based botnet has been growing in sophistication and is now leveraging zero-day exploits for security flaws in industrial routers and smart home devices. Exploitation of previously unknown vulnerabilities started in November 2024, according to Chainxin X Lab researchers who monitored the botnet's development and attacks. One of the security issues is CVE-2024-12856, a vulnerability in Four-Faith industrial routers that VulnCheck discovered in late December but noticed efforts to exploit it around December 20."
https://www.bleepingcomputer.com/news/security/new-mirai-botnet-targets-industrial-routers-with-zero-day-exploits/
- Genetic Engineering Meets Reverse Engineering: DNA Sequencer's Vulnerable BIOS
"Eclypsium’s research team has identified BIOS/UEFI vulnerabilities in a popular DNA gene sequencer made by Illumina, a leading genomics and healthcare technology vendor. More specifically, we found that the Illumina iSeq 100 used a very outdated implementation of BIOS firmware using CSM mode and without Secure Boot or standard firmware write protections. This would allow an attacker on the system to overwrite the system firmware to either “brick” the device or install a firmware implant for ongoing attacker persistence."
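The two conditions Eclypsium names, CSM/legacy boot and Secure Boot off, are both visible from a running Linux host, and checking them is a cheap first step on any appliance you can log in to. The following is an added Python example, not Eclypsium's tooling: it reads the SecureBoot and SetupMode EFI variables through efivarfs (the 4-byte attribute header and the EFI global variable GUID are the standard layout) and classifies the host. The decision logic is kept separate from the file reads so it can be exercised with constructed variable contents.

```python
"""Added example (not Eclypsium's tooling): classify a Linux host's boot mode
and Secure Boot state from what the firmware exposes through efivarfs.

A host booted through CSM/legacy BIOS has no /sys/firmware/efi at all.  A UEFI
host exposes SecureBoot and SetupMode as variables under the EFI global
variable GUID; efivarfs prepends a 4-byte little-endian attribute word to
each variable's data.
"""
import struct
from pathlib import Path
from typing import Optional

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> tuple:
    """Split an efivarfs record into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than its attribute header")
    (attributes,) = struct.unpack("<I", raw[:4])
    return attributes, raw[4:]


def _flag(raw: Optional[bytes]) -> Optional[bool]:
    """Decode a one-byte boolean EFI variable; None if the variable is absent."""
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    return bool(data) and data[0] == 1


def boot_security_state(secureboot: Optional[bytes], setupmode: Optional[bytes],
                        efi_present: bool) -> dict:
    """Classify from raw variable contents (None = variable not present)."""
    if not efi_present:
        return {"mode": "legacy/CSM", "secure_boot": False,
                "finding": "booted via CSM/legacy BIOS: UEFI Secure Boot cannot be in effect"}
    enabled = _flag(secureboot)
    setup = _flag(setupmode)
    if enabled is None:
        return {"mode": "UEFI", "secure_boot": False,
                "finding": "SecureBoot variable absent: firmware does not implement Secure Boot"}
    if setup:
        # Setup Mode means no Platform Key is enrolled, so nothing is enforced
        # regardless of what the SecureBoot byte says.
        return {"mode": "UEFI", "secure_boot": False,
                "finding": "platform in Setup Mode (no Platform Key): signatures not enforced"}
    if not enabled:
        return {"mode": "UEFI", "secure_boot": False, "finding": "Secure Boot disabled"}
    return {"mode": "UEFI", "secure_boot": True, "finding": "Secure Boot enabled (User Mode)"}


def read_efivar(name: str) -> Optional[bytes]:
    """Read a global-GUID variable from efivarfs; None if absent or unreadable."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
    try:
        return path.read_bytes()
    except OSError:
        return None


def check_local_host() -> dict:
    return boot_security_state(read_efivar("SecureBoot"), read_efivar("SetupMode"),
                               efi_present=EFIVARS.is_dir())


if __name__ == "__main__":
    print(check_local_host())
```

Firmware write protection (the BIOSWE/BLE/SMM_BWP bits on Intel platforms) is not visible through efivars; CHIPSEC's common.bios_wp module is the usual check for that. Treat Setup Mode with no Platform Key as equivalent to Secure Boot disabled, since no signature is enforced in that state.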
https://eclypsium.com/blog/genetic-engineering-meets-reverse-engineering-dna-sequencers-vulnerable-bios/
https://www.bleepingcomputer.com/news/security/bios-flaws-expose-iseq-dna-sequencers-to-bootkit-attacks/
https://thehackernews.com/2025/01/researchers-uncover-major-security-flaw.html
https://therecord.media/dna-sequencer-vulnerabilities-iseq100-eclypsium
https://www.bankinfosecurity.com/report-flaws-in-illumina-dna-sequencer-devices-allows-hacks-a-27228
- Brand Impersonation Scam Hijacks Travel Agency Accounts
"Recently, within the span of a week, a new and extensive phishing campaign compromised more than 7,300 businesses and 40,000 individuals around the world. The most heavily impacted regions are the United States (75%) and the European Union (10%). The hackers are impersonating brands and presenting fake email-based offers. Hackers’ objectives center around driving malicious downloads and collecting harvested credentials that they can exploit for their own financial gain."
https://blog.checkpoint.com/security/brand-impersonation-scam-hijacks-travel-agency-accounts/
- AI-Supported Spear Phishing Fools More Than 50% Of Targets
"One of the first things everyone predicted when artificial intelligence (AI) became more commonplace was that it would assist cybercriminals in making their phishing campaigns more effective. Now, researchers have conducted a scientific study into the effectiveness of AI supported spear phishing, and the results line up with everyone’s expectations: AI is making it easier to do crimes. The study, titled Evaluating Large Language Models’ Capability to Launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects, evaluates the capability of large language models (LLMs) to conduct personalized phishing attacks and compares their performance with human experts and AI models from last year."
https://www.malwarebytes.com/blog/news/2025/01/ai-supported-spear-phishing-fools-more-than-50-of-targets
Breaches/Hacks/Leaks
- Casio Says Data Of 8,500 People Exposed In October Ransomware Attack
"Japanese electronics manufacturer Casio says that the October 2024 ransomware incident exposed the personal data of approximately 8,500 people. The affected individuals are primarily Casio employees and business partners, but there was a small set of customer personal information in the exposed data."
https://www.bleepingcomputer.com/news/security/casio-says-data-of-8-500-people-exposed-in-october-ransomware-attack/
- UN Aviation Agency Investigating 'potential' Security Breach
"On Monday, the United Nations' International Civil Aviation Organization (ICAO) announced it was investigating what it described as a "reported security incident." Established in 1944 as an intergovernmental organization, this United Nations agency works with 193 countries to support the development of mutually recognized technical standards. "ICAO is actively investigating reports of a potential information security incident allegedly linked to a threat actor known for targeting international organizations," ICAO said in a statement."
https://www.bleepingcomputer.com/news/security/un-aviation-agency-investigating-potential-security-breach/
https://therecord.media/united-nations-icao-investigating-data-breach
https://www.helpnetsecurity.com/2025/01/07/icao-un-aviation-agency-data-breach-security-incident/
https://www.theregister.com/2025/01/07/icao_data_theft_investigation/
- Green Bay Packers' Online Store Hacked To Steal Credit Cards
"The Green Bay Packers American football team is notifying fans that a threat actor hacked its official online retail store in October and injected a card skimmer script to steal customers' personal and payment information. The National Football League team says it immediately disabled all checkout and payment capabilities after discovering on October 23 that the packersproshop.com website was breached."
https://www.bleepingcomputer.com/news/security/green-bay-packers-online-store-hacked-to-steal-credit-cards/
- Two Ransomware Groups Claimed They Attacked Rutherford County Schools. One Leaked Sensitive Records.
"On October 19, the Black Suit ransomware group announced that they had attacked Rutherford County Schools in Tennessee. Their listing, posted on their dark web site, included what appears to be an indication of what data and how much data they were able to exfiltrate. It did not indicate whether they encrypted the district’s files, or what any ransom demand amount was."
https://databreaches.net/2025/01/07/two-ransomware-groups-claimed-they-attacked-rutherford-county-schools-one-leaked-sensitive-records/
- Hackers Claim Massive Breach Of Location Data Giant, Threaten To Leak Data
"Hackers claim to have compromised Gravy Analytics, the parent company of Venntel which has sold masses of smartphone location data to the U.S. government. The hackers said they have stolen a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show peoples’ precise movements, and they are threatening to publish the data publicly."
https://www.404media.co/hackers-claim-massive-breach-of-location-data-giant-threaten-to-leak-data/
General News
- Statistical Report On Malware Targeting Linux SSH Servers In Q4 2024
"AhnLab SEcurity intelligence Center (ASEC) uses a honeypot to respond to and classify brute-force attacks and pre-attacks targeting Linux SSH servers that are being inappropriately managed. This article covers the status of the attack sources identified in the logs from the fourth quarter of 2024 and provides statistics on the attacks launched from these sources. Additionally, it classifies the malware used in each attack and compiles detailed statistics for each attack."
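The detection side of this report can be reproduced on any sshd log. Below is an added Python example, not ASEC's honeypot tooling, that parses the syslog lines sshd writes, flags sources that reach a failure threshold inside a sliding time window, and separates a guessing burst that ended in an accepted login, which is an incident rather than a scan, from plain brute-force noise. The log lines, host names and addresses are constructed; syslog stamps carry no year, so one is assumed.

```python
"""Added example (not ASEC's honeypot tooling): flag SSH password-guessing
sources in sshd logs and spot a guess burst that ended in a successful login.

The sample log lines are constructed, in the syslog format sshd writes on
most distributions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2025  # syslog timestamps carry no year; assumed for the constructed sample

SAMPLE_LOG = """\
Jan  8 03:14:07 honeypot sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Jan  8 03:14:09 honeypot sshd[1202]: Failed password for invalid user oracle from 203.0.113.9 port 51236 ssh2
Jan  8 03:14:11 honeypot sshd[1203]: Failed password for root from 203.0.113.9 port 51240 ssh2
Jan  8 03:14:12 honeypot sshd[1204]: Failed password for root from 203.0.113.9 port 51241 ssh2
Jan  8 03:14:14 honeypot sshd[1205]: Failed password for root from 203.0.113.9 port 51242 ssh2
Jan  8 03:14:20 honeypot sshd[1206]: Accepted password for root from 203.0.113.9 port 51250 ssh2
Jan  8 03:30:01 honeypot sshd[1300]: Failed password for root from 198.51.100.4 port 40000 ssh2
Jan  8 04:45:10 honeypot sshd[1301]: Failed password for root from 198.51.100.4 port 40001 ssh2
Jan  8 05:02:33 honeypot sshd[1400]: Accepted publickey for deploy from 192.0.2.10 port 22222 ssh2
Jan  8 05:02:34 honeypot sshd[1400]: pam_unix(sshd:session): session opened for user deploy
"""

_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
_FAILED = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
_ACCEPTED = re.compile(_PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def _parse_ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def analyze(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """One finding per source IP that produced `threshold` failures inside `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)   # ip -> [(time, user)]
    accepted = defaultdict(list)   # ip -> [(time, user)]
    for line in lines:
        m = _FAILED.match(line)
        if m:
            failures[m["ip"]].append((_parse_ts(m["ts"]), m["user"]))
            continue
        m = _ACCEPTED.match(line)
        if m:
            accepted[m["ip"]].append((_parse_ts(m["ts"]), m["user"]))

    findings = []
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        burst_end = None
        start = 0
        for end in range(len(times)):          # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                break
        if burst_end is None:
            continue
        logins_after = sorted({u for t, u in accepted.get(ip, []) if t >= burst_end})
        findings.append({
            "ip": ip,
            "failures": len(events),
            "users_tried": sorted({u for _, u in events}),
            "burst_ended": burst_end.isoformat(),
            "logins_after_burst": logins_after,  # non-empty: treat as compromise, not just a scan
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

The threshold and window are the knobs to tune against your own baseline: on an internet-exposed honeypot the sample's 5-in-60-seconds rule fires constantly, while on a managed server it should almost never fire, which is what makes it a useful alert there. The same regexes work on journald output once it is rendered in short syslog form.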
https://asec.ahnlab.com/en/85547/
- Statistical Report On Malware Targeting MS-SQL Servers In Q4 2024
"The AhnLab SEcurity intelligence Center (ASEC) analysis team responds to and classifies attacks targeting vulnerable MS-SQL servers by utilizing the AhnLab Smart Defense (ASD) infrastructure. This document covers the damage status of MS-SQL servers that have become attack targets and statistics on attacks that have occurred on these servers, based on the logs identified in the fourth quarter of 2024. It also classifies the malware used in each attack and compiles detailed statistics. The malware is classified by type, such as CoinMiner, Backdoor, Trojan, Ransomware, and HackTool, and for each type, detailed statistics are provided for the known malware."
https://asec.ahnlab.com/en/85556/
- Statistical Report On Malware Targeting Windows Web Servers In Q4 2024
"AhnLab SEcurity intelligence Center (ASEC) responds to and classifies attacks that target inappropriately managed Windows web servers by utilizing the AhnLab Smart Defense (ASD) infrastructure. This post covers the damage status of Windows web servers that have been targeted in attacks and provides statistics on the attacks based on the logs identified in the fourth quarter of 2024. Additionally, it classifies the malware used in each attack and compiles detailed statistics."
https://asec.ahnlab.com/en/85524/
- Making The Most Of Cryptography, Now And In The Future
"Enterprise cryptography faces risks beyond just the advent of quantum computers. For starters, there is no guarantee that the traditional algorithms have not been broken. Though we believe that it is “unlikely” they can be, the reality is that in a conventional computing world, compute power advances and older cryptographic techniques have been revealed to be insecure."
https://www.helpnetsecurity.com/2025/01/07/cryptography-risks/
- eBay CISO On Managing Long-Term Cybersecurity Planning And ROI
"In this Help Net Security interview, Sean Embry, CISO at eBay, discusses key aspects of cybersecurity leadership. He shares insights on balancing long-term strategic planning with immediate threat response, evaluating the ROI of new technologies, and addressing employee cybersecurity fatigue."
https://www.helpnetsecurity.com/2025/01/07/sean-embry-ebay-enterprise-cybersecurity-planning/
- US Govt Launches Cybersecurity Safety Label For Smart Devices
"Today, the White House announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for internet-connected consumer devices. The Cyber Trust Mark label, which will appear on smart products sold in the United States later this year, will help American consumers determine whether the devices they want to buy are safe to install in their homes. It's designed for consumer smart devices, such as home security cameras, TVs, internet-connected appliances, fitness trackers, climate control systems, and baby monitors, and it signals that the internet-connected device comes with a set of security features approved by NIST."
https://www.bleepingcomputer.com/news/security/us-govt-launches-cybersecurity-safety-label-for-smart-devices/
https://therecord.media/consumer-products-cyber-trust-white
https://cyberscoop.com/us-cyber-trust-mark-launches-white-house-nist/
- Malicious Browser Extensions Are The Next Frontier For Identity Attacks
"The recent attack campaign targeting browser extensions shows that malicious browser extensions are the next frontier for identity attacks. More than 2.6 million users across thousands of organizations worldwide learned this the hard way, just before the New Year, when they found out that their cookies and identity data were exposed as part of an attack campaign exploiting browser extensions. The attack initially came to light when data security company Cyberhaven disclosed that an attacker had compromised its browser extension and injected it with malicious code to steal users’ Facebook cookies and authentication tokens."
https://www.bleepingcomputer.com/news/security/malicious-browser-extensions-are-the-next-frontier-for-identity-attacks/
https://go.layerxsecurity.com/the-complete-guide-to-protecting-against-malicious-browser-extensions/
- Cybercriminals Don't Care About National Cyber Policy
"In 1998, President Bill Clinton published the first White House national cyber policy. Since then, cyberattacks have evolved alongside the explosive growth of the digital world, as have laws, policies, and regulations. Although there's been continuous federal activity around cyber since the early days of the Internet, the level of seriousness and attitudes toward how much control government should exercise over technology and cybersecurity fluctuates, with debates continuing to rage over how free or controlled the tech markets should be."
https://www.darkreading.com/vulnerabilities-threats/cybercriminals-dont-care-national-cyber-policy
- Getting The Board On Board With Cybersecurity
"As threat actors advance their tactics, the ramifications of falling victim to a breach are growing more severe. According to the Fortinet 2024 Cybersecurity Skills Gap Report, nearly 90% of enterprises experienced a cyber incident last year, with 63% saying it took longer than a month to recover from an attack. Leaders within organizations are increasingly being held accountable when a breach does occur, with 51% of respondents indicating that their directors or executives have faced fines, jail time, loss of position, or loss of employment following a cyberattack."
https://www.fortinet.com/blog/industry-trends/getting-the-board-on-board-with-cybersecurity
- Phishing Click Rates Triple In 2024
"The rate at which enterprise users clicked on phishing lures nearly trebled in 2024, according to new research by Netskope. More than eight out of every 1000 users clicked on a phishing link each month in 2024, up by 190% compared to 2023. The researchers said that this rise has been caused by a combination of cognitive fatigue, with users being bombarded with increased phishing attempts, and attackers becoming more creative in delivering harder-to-detect phishing lures."
https://www.infosecurity-magazine.com/news/phishing-click-rates-triple/
- Critical Infrastructure Ransomware Attack Tracker Reaches 2,000 Incidents
"Roughly 2,000 ransomware attacks were launched over the past decade against critical infrastructure organizations in the United States and other countries, according to data collected as part of a project maintained at Temple University in Philadelphia. SecurityWeek first wrote about the project in 2020, when it covered more than 680 ransomware attacks targeting critical infrastructure. By February 2022, the number of entries exceeded 1,100, and it has now reached just over 2,000. The project is maintained by Aunshul Rege, professor in the Department of Criminal Justice at Temple University, and Rachel Bleiman, PhD candidate and graduate research assistant."
https://www.securityweek.com/universitys-critical-infrastructure-ransomware-attack-tracker-reaches-2000-incidents/
- China Protests US Sanctions For Its Alleged Role In Hacking, Complains Of Foreign Hacker Attacks
"China has slammed a decision by the U.S. Treasury to sanction a Beijing-based cybersecurity company for its alleged role in multiple hacking incidents targeting critical U.S. infrastructure, while the Chinese cyber security agency complained Monday of attacks on Chinese networks. Asked about the sanctions against Beijing-based Integrity Technology Group, Chinese Foreign Ministry spokesperson Guo Jiakun said the country has cracked down on cyber attacks and that Washington was using the issue to “defame and smear China.”"
https://www.securityweek.com/china-protests-us-sanctions-for-its-alleged-role-in-hacking-complains-of-foreign-hacker-attacks/
Reference
Electronic Transactions Development Agency (ETDA)