2024.12.31.News You Should Know

December 31, 2024 - 13 mins read

One Offs

Microsoft flags Windows 11 24H2 install media issue • The Register - If you used a USB stick with October or November’s updates installed, your system won’t accept any additional updates. Make sure to re-write your USB stick using December 24’s

Critical Apache Struts bug under active exploit • The Register - Guess who’s back, back again. Apache Struts, in-famous for being the source of the Equifax breach in 2017, is back with CVE-2024-53677 a rehash of a vulnerability discovered in Dec 2023. Struts File Upload component features the 9.5 out of 10 CVSS CVE

Interpol: Stop calling it ‘pig butchering’ • The Register - “Interpol argues that the term ‘pig butchering’ dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities.”

Google Calendar invites spoofed in phishing campaign • The Register - Malicious ICS files or calendar file links may come with Google Forms or Google Drawing links leading to financial scams. Users can protect themselves with the “Known Senders” feature in Google Calendar: The “known senders” feature in Google Calendar prevents spam events from appearing in your calendar by only automatically adding invites from known sources: People in your contacts list, People you’ve interacted with before, People in your company domain, and Anyone you’ve interacted with through Workspace

Microsoft won’t let customers opt out of passkey push • The Register - Microsoft has adopted the Apple mantra and will be forcing users into passkeys, one way or another. Users have seen high adoption with Windows Hello biometrics and pin sign-ins, but Passkeys are less understood, less manageable and less utilized…for now.

US mulls TP-Link routers ban on national security concerns • The Register - TP-Link may be banned over concerns of Chinese based routers. This would be a huge hit to the consumer and small business market as as TP-Link holds around 65% market share and coordinates with over 300 ISPs to provide routers for SOHO installations.

ICO puts foot down on Google’s planned fingerprinting change • The Register - If you care about online privacy, you may be familiar with ‘Browser Fingerprinting’. What was once an unfortunate side-effect of Java-script in browsers now may become a feature for Google’s advertising customers. UK’s Information Commissioners Office is fighting back.

One third of adults can’t delete device data • The Register - UK ICO has also provided a survey showing around 30% of adults don’t know how to actually delete device data and the Kids are Not Alright. One in five said they didn’t bother or see a need in wiping data on old devices.

Volkswagen leak exposed precise location data on thousands of vehicles across Europe for months | TechCrunch - US concerns over vehicle data safety may have been realized this week after researchers spoke at the Chaos Computer Club in Germany. Over 800k vehicles were trackable online with 500k trackable within a centimeter of their location. (That’s about a quarter of a banana for American readers)

Feds

CISA orders federal agencies to secure Microsoft 365 tenants - Federal agencies have 6 months to run SCUBA (the CISA produced baseline assessment tool) and to complete the effective mitigations: BOD 25-01: Implementing Secure Practices for Cloud Services Required Configurations | CISA

U.S. Judge Rules Against NSO Group in WhatsApp Pegasus Spyware Case - NSO loses over failures to participate in discovery, and because WhatsApp could prove NSO used WA as a distribution platform for the malware. Case now moves to trial. NSO claims it only provides the software to gov/LEO to tackle crimes like terrorism, CSAM, money laundering, etc… But a trail of dead activist, politicians, and journalists says otherwise.

New U.S. DoJ Rule Halts Bulk Data Transfers to Adversarial Nations to Protect Privacy - Citizens personal data can’t go to China, HK, Macau, Cuba, Iran, N.Korea, Russia or Venezuela under new rules. Its likely impossible to stuff this genie back in the bottle however.

FTC orders Marriott and Starwood to implement strict data security - FTC gives Marriott 6 months to meet specific guidelines that will stay in place for 20 years. Including specific security controls, logging and monitoring controls, and practice comprehensive data deletion. Its likely that if Marriott doesn’t fight the orders, this will set a precedent for how other breached companies may be treated in the future. Its the hope of this author that Mark Meador, incoming FTC chair will continue Lina Khan’s fairly popular campaign of using the full powers of the FTC to enforce secure computing and data privacy protections.

Healthcare

Ascension: Health data of 5.6 million stolen in ransomware attack - May of 2024 saw Ascension health lose access to a number of systems, and saw the loss of 5.6m users personal data. Users MyChart data was stolen, likely by BlackBasta ransomware group. Ascension manages 140 hospitals and 40 senior care facilities in the US. It’s unknown to the author how a company hacked in May could wait til December to disclose.

How the ransomware attack at Change Healthcare went down: A timeline | TechCrunch - No MFA, No network segmentation. Change Healthcare is the classis story of too much growth, too fast, with no concern for security. State of Nebraska has filed suit against the company.

Massive healthcare breaches prompt US cybersecurity rules overhaul - HHS has proposed updates to HIPAA (Health Insurance Portability and Accountability Act of ‘96) that would among other things, enforce Technology asset inventories, risk assessments, patching policies, multi-factor, data encryption, etc… 2024-30983.pdf

Crypto in the Hermit Kingdom

North Korea-linked hackers accounted for 61% of all crypto stolen in 2024 | TechCrunch - the UN Security Council estimates N. Korean hackers stole $3bn in crypto between 2017 and 2023 (roughly $5m a year). However, in 47 cases in 2024, N.K. managed to swipe $1.34bn. A 200% increase, and around $28m per case.

North Korean Hackers Pull Off $308M Bitcoin Heist from Crypto Firm DMM Bitcoin - Attack likely caused by DreamJob-like lures, in which N.Korea targeted developers at DeFi companies, solicited them for interviews where they were to download a malicious Python script, and upon execution, allowed the threat actors access into the network. Details of the attack chain are included in this Bleeping Computer article

China

Privileged Access

CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities List - BeyondTrust, offers a remote access service and remote support service that currently hold a 9.8 CVSS score. These are being used by threat actors in the wild and have been added to CISA’s Known Exploited Vulnerabilities (KEV) list.

BeyondTrust says hackers breached Remote Support SaaS instances - BeyondTrust says that the SaaS offering of their remote support service has been breached, with customer systems being effected. This software is used by government agencies, healthcare orgs, utility services, etc… The SaaS offering has been patched but On-prem or self-hosted versions are still up for grabs.

US Treasury Department breached through remote support platform - BeyondTrust breaches saw some clarity this morning as US Treasury Department disclosed access by Chinese state-sponsored threat actors. Tech crunch says the threat actors have been removed from Treasury systems and only gained access to unclassified documents and communications.