Nov 18, 2024Ravie LakshmananCybersecurity / Infosec

What do hijacked websites, fake job offers, and sneaky ransomware have in common? They’re proof that cybercriminals are finding smarter, sneakier ways to exploit both systems and people.

This week makes one thing clear: no system, no person, no organization is truly off-limits. Attackers are getting smarter, faster, and more creative—using everything from human trust to hidden flaws in technology. The real question is: are you ready?

💪 Every attack holds a lesson, and every lesson is an opportunity to strengthen your defenses. This isn’t just news—it’s your guide to staying safe in a world where cyber threats are everywhere. Let’s dive in.

⚡ Threat of the Week

Palo Alto Networks Warns of Zero-Day: A remote code execution flaw in the Palo Alto Networks PAN-OS firewall management interface is the newest zero-day to be actively exploited in the wild. The company began warning about potential exploitation concerns on November 8, 2024. It has since been confirmed that it has been weaponized in limited attacks to deploy a web shell. The critical vulnerability has no patches as yet, which makes it all the more crucial that organizations limit management interface access to trusted IP addresses. The development comes as three different critical flaws in Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465) have also seen active exploitation attempts. Details are sparse on who is exploiting them and the scale of the attacks.

8 Benefits of a Backup Service for Microsoft 365

Modernize your data protection solutions with an as-a-service solution. Read this e‑book, “8 Benefits of a Backup Service for Microsoft 365”, to understand what makes cloud‑based backup services so appealing for companies using Microsoft 365 — and why it may be just the thing to keep your business running.

Download NOW

🔔 Top News

• BrazenBamboo Exploits Unpatched Fortinet Flaw: A threat-actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet’s FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA. Volexity described BrazenBamboo as the developer of three distinct malware families DEEPDATA, DEEPPOST, and LightSpy, and not necessarily one of the operators using them. BlackBerry, which also detailed DEEPDATA, said it has been put to use by the China-linked APT41 actor.
• About 70,000 Domains Hijacked by Sitting Ducks Attack: Multiple threat actors have been found taking advantage of an attack technique called Sitting Ducks to hijack legitimate domains for using them in phishing attacks and investment fraud schemes for years. Sitting Ducks exploits misconfigurations in a web domain’s domain name system (DNS) settings to take control of it. Of the nearly 800,000 vulnerable registered domains over the past three months, approximately 9% (70,000) have been subsequently hijacked.
• Got a Dream Job Offer on LinkedIn? It May Be Iranian Hackers: The Iranian threat actor known as TA455 is targeting LinkedIn users with enticing job offers intended to trick them into running a Windows-based malware named SnailResin. The attacks have been observed targeting the aerospace, aviation, and defense industries since at least September 2023. Interestingly, the tactics overlap with that of the notorious North Korea-based Lazarus Group.
• WIRTE Targets Israel With SameCoin Wiper: WIRTE, a Middle Eastern threat actor affiliated with Hamas, has orchestrated cyber espionage operations against the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, as well as carried out disruptive attacks that exclusively target Israeli entities using SameCoin wiper. The destructive operations were first flagged at the start of the year.
• ShrinkLocker Decryptor Released: Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware. First identified earlier this year, ShrinkLocker is notable for its abuse of Microsoft’s BitLocker utility for encrypting files as part of extortion attacks targeting entities in Mexico, Indonesia, and Jordan.

🔥 Trending CVEs

Recent cybersecurity developments have highlighted several critical vulnerabilities, including: CVE-2024-10924, CVE-2024-10470, CVE-2024-10979, CVE-2024-9463, CVE-2024-9465, CVE-2024-43451, CVE-2024-49039, CVE-2024-8068, CVE-2024-8069, CVE-2023-28649, CVE-2023-31241, CVE-2023-28386, CVE-2024-50381, CVE-2024-7340, and CVE-2024-47574. These security flaws are serious and could put both companies and regular people at risk. To stay safe, everyone needs to keep their software updated, upgrade their systems, and constantly watch out for threats.

📰 Around the Cyber World

• The Top Routinely Exploited Vulnerabilities of 2023 Revealed: Cybersecurity agencies from the Five Eyes nations, Australia, Canada, New Zealand, the U.K., and the U.S., have released the list of top 15 vulnerabilities threat actors have been observed routinely exploiting in 2023. This includes security flaws from Citrix NetScaler (CVE-2023-3519, CVE-2023-4966), Cisco (CVE-2023-20198, CVE-2023-20273), Fortinet (CVE-2023-27997), Progress MOVEit Transfer (CVE-2023-34362), Atlassian (CVE-2023-22515), Apache Log4j (CVE-2021-44228), Barracuda Networks ESG (CVE-2023-2868), Zoho ManageEngine (CVE-2022-47966), PaperCut MF/NG (CVE-2023-27350), Microsoft Netlogon (CVE-2020-1472), JetBrains TeamCity (CVE-2023-42793), Microsoft Outlook (CVE-2023-23397), and ownCloud (CVE-2023-49103). “More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks,” the U.K. NCSC said. The disclosure coincided with Google’s announcement that it will begin issuing “CVEs for critical Google Cloud vulnerabilities, even when we do not require customer action or patching” to boost vulnerability transparency. It also came as the CVE Program recently turned 25, with over 400 CVE Numbering Authorities (CNAs) and more than 240,000 CVE identifiers assigned as of October 2024. The U.S. National Institute of Standards and Technology (NIST), for its part, said it now has a “full team of analysts on board, and we are addressing all incoming CVEs as they are uploaded into our system” to address the backlog of CVEs that built up earlier this calendar year.
• GeoVision Zero-Day Under Attack: A new zero-day flaw in end-of-life GeoVision devices (CVE-2024-11120, CVSS score: 9.8), a pre-auth command injection vulnerability, is being exploited to compromise and enlist them into a Mirai botnet for likely DDoS or cryptomining attacks. “We observed a 0day exploit in the wild used by a botnet targeting GeoVision EOL devices,” the Shadowserver Foundation said. Users of GV-VS12, GV-VS11, GV-DSP_LPR_V3, GVLX 4 V2, and GVLX 4 V3 are recommended to replace them.
• New Banking Trojan Silver Shifting Yak Targets Latin America: A new Windows-based banking trojan named Silver Shifting Yak has been observed targeting Latin American users with the goal of stealing information from financial institutions such as Banco Itaú, Banco do Brasil, Banco Bandresco, Foxbit, and Mercado Pago Brasil, among others, as well as credentials used to access Microsoft portals such as Outlook, Azure, and Xbox. The initial attack stages of the malware are believed to be initiated by phishing emails that lead the victims to malicious .ZIP archives hosted on fake websites. The development comes as the threat actor known as Hive0147 has begun to use a new malicious downloader called Picanha to deploy the Mekotio banking trojan. “Hive0147 also distributes other banking trojans, such as Banker.FN also known as Coyote, and is likely affiliated with several other Latin American cyber crime groups operating different downloaders and banking trojans to enable banking fraud,” IBM X-Force said.
• Tor Network Faces IP Spoofing Attack: The Tor Project said the Tor anonymity network was the target of a “coordinated IP spoofing attack” starting October 20, 2024. The attacker “spoofed non-exit relays and other Tor-related IPs to trigger abuse reports aimed at disrupting the Tor Project and the Tor network,” the project said. “The origin of these spoofed packets was identified and shut down on November 7, 2024.” The Tor Project said the incident had no impact on its users, but said it did take a few relays offline temporarily. It’s unclear who is behind the attack.
• FBI Warns About Criminals Sending Fraudulent Police Data Requests: The FBI is warning that hackers are obtaining private user information from U.S.-based tech companies by compromising U.S. and foreign government/police email addresses to submit “emergency” data requests. The abuse of emergency data requests by malicious actors such as LAPSUS$ has been reported in the past, but this is the first time the FBI has formally admitted that the legal process is being exploited for criminal purposes. “Cybercriminals understand the need for exigency, and use it to their advantage to shortcut the necessary analysis of the emergency data request,” the agency said.
• New Trends in Ransomware: A financially-motivated threat actor known as Lunar Spider has been linked to a malvertising campaign targeting financial services that employs SEO poisoning to deliver the Latrodectus malware, which, in turn, is used to deploy the Brute Ratel C4 (BRc4) post-exploitation framework. In this campaign detected in October 2024, users searching for tax-related content on Bing are lured into downloading an obfuscated JavaScript. Upon execution, this script retrieves a Windows Installer (MSI) from a remote server, which installs Brute Ratel. The toolkit then connects to command-and-control (C2) servers for further instructions, allowing the attacker to control the infected system. It’s believed that the end goal of the attacks is to deploy ransomware on compromised hosts. Lunar Spider is also the developer behind IcedID, suggesting that the threat actor is continuing to evolve their malware deployment approach to counter law enforcement efforts. It’s not just Lunar Spider. Another infamous cybercrime gang called Scattered Spider has been acting as an initial access broker for the RansomHub ransomware operation, employing advanced social engineering tactics to obtain privileged access and deploy the encryptor to impact a critical ESXi environment in just six hours.” The disclosure comes as ransomware attacks, including those aimed at cloud services, continue to be a persistent threat, even as the volume of the incidents is beginning to witness a drop and there is a steady decline in the ransom payment rates. The appearance of new ransomware families like Frag, Interlock, and Ymir notwithstanding, one of the noteworthy trends in 2024 has been the rise of unaffiliated ransomware actors, the so-called “lone wolves” who operate independently.

🔥 Resources, Guides & Insights

🎥 Expert Webinar

• How to be Ready for Rapid Certificate Replacement — Is certificate revocation a nightmare for your business? Join our free webinar and learn how to replace certificates with lightning speed. We’ll share secrets to minimize downtime, automate replacements, master crypto agility, and implement best practices for ultimate resilience.
• Building Tomorrow, Securely—AI Security in App Development — AI is revolutionizing the world, but are you prepared for the risks? Learn how to build secure AI applications from the ground up, protect against data breaches and operational nightmares, and integrate robust security into your development process. Reserve your spot now and discover the essential tools to safeguard your AI initiatives.

🔧 Cybersecurity Tools

• Grafana — Grafana is an open-source monitoring and observability platform that enables cybersecurity teams to query, visualize, and alert on security metrics from any data source. It offers customizable dashboards with flexible visualizations and template variables, allowing for real-time threat monitoring, intrusion detection, and incident response. Features such as ad-hoc queries and dynamic drill-downs facilitate the exploration of metrics related to network traffic, user behavior, and system logs. Seamless log exploration with preserved filters supports forensic investigations, while visual alert definitions ensure timely notifications to security operations centers through integrations with tools like Slack and PagerDuty. Additionally, Grafana’s ability to mix different data sources—including custom ones—provides comprehensive security monitoring across diverse environments, enhancing the organization’s ability to maintain a robust cybersecurity posture.
• URLCrazy is an OSINT tool designed for cybersecurity professionals to generate and test domain typos or variations, effectively detecting and preventing typo squatting, URL hijacking, phishing, and corporate espionage. By creating 15 types of domain variants and leveraging over 8,000 common misspellings across more than 1,500 top-level domains, URLCrazy helps organizations protect their brand by registering popular typos, identifying domains diverting traffic intended for their legitimate sites, and conducting phishing simulations during penetration tests.

🔒 Tip of the Week

Use Canary Tokens to Detect Intrusions — Hackers rely on staying hidden, but canary tokens help you catch them early. These are fake files, links, or credentials, like “Confidential_Report_2024.xlsx” or a fake AWS key, placed in spots hackers love to snoop—shared drives, admin folders, or cloud storage. If someone tries to access them, you get an instant alert with details like their IP address and time of access.

They’re easy to set up using free tools like Canarytokens.org and don’t need any advanced skills. Just keep them realistic, put them in key places, and check for alerts. Make sure you test your tokens after setup to ensure they work and avoid overusing them to prevent unnecessary noise. Place them strategically in high-value areas, and monitor alerts closely to act quickly if triggered. It’s a smart, low-effort way to spot hackers before they can do damage.

Conclusion

That’s it for this week’s cybersecurity updates. The threats might seem complicated, but protecting yourself doesn’t have to be. Start simple: keep your systems updated, train your team to spot risks, and always double-check anything that seems off.

Cybersecurity isn’t just something you do—it’s how you think. Stay curious, stay cautious, and stay protected. We’ll be back next week with more tips and updates to keep you ahead of the threats.