Cyber Security Headlines Week in Review: Microsoft deactivation flaw, BeyondTrust on KEV, LLM generated malware

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Steve Zalewski, CISO in Residence

Missed the live show? Check it out on YouTube

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Microsoft 365 users hit by random product deactivation errors

Microsoft is looking into an issue in which customers using Microsoft 365 Office apps are encountering “Product Deactivated” errors. Specifically, these occur when “moving users between licensing groups (including Azure Active Directory groups or synced on-premises security groups) or switching user subscriptions, such as changing from an Office 365 E3 license to a Microsoft 365 E3 license.” Affected users should be able to click the “Reactivate” button on the error banner and sign in when prompted. Alternatively, they can sign out of all Microsoft 365 apps, close them, and restart them before signing back in.

(BleepingComputer)

CISA adds BeyondTrust flaw to its Known Exploited Vulnerabilities catalog

Following up on a story we covered last week and discussed on last Friday’s episode of Cyber Security Headlines Week In Review, the vulnerability affecting security company BeyondTrust has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. According to BeyondTrust’s advisory, “a critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.” This vulnerability carries a CVSS score of 9.8, and federal agencies must now fix it by December 27.

(Security Affairs)

Using LLMs to generate malware variants

An analysis by Palo Alto Networks’ Unit 42 looked at the ability of threat actors to use LLMs to rewrite existing malware. The researchers used models to rewrite known malware samples iteratively, using techniques like variable renaming, string splitting, junk code insertion, removal of unnecessary whitespace, and complete reimplementation of the code. The idea is that these small changes could degrade the overall effectiveness of malware classification systems while also making the code look more “naturally” written when reviewed by a human. To counter this, Palo Alto generated tens of thousands of variants to better train its own detection algorithms, reporting a 10% improvement in detection rate.

(The Hacker News)

Huge thanks to our sponsor, ThreatLocker

Do zero-day exploits and supply chain attacks keep you up at night? Worry no more; you can harden your security with ThreatLocker.
ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.
To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit ThreatLocker.com.

TechCrunch lists the most badly handled data breaches of 2024

TechCrunch is out with its annual summary of breaches whose handling or response can at least serve as a learning opportunity for others. This year’s list includes 23andMe, which blamed its customers for not sufficiently securing their accounts, and Change Healthcare, which “took months to confirm hackers stole most of America’s health data” after a breach of a basic user account that lacked multi-factor authentication. Also on the list are Snowflake, whose breach was a result of a lack of mandated multi-factor security, and the City of Columbus, Ohio, which sued a security researcher for truthfully reporting on a ransomware attack. Details on these stories and four more (one of which is, of course, Salt Typhoon) are available through the link in the show notes to this episode.

(TechCrunch)

General Dynamics says employees targeted in phishing attack

The aerospace and defense company says threat actors “compromised dozens of employee benefits accounts after a successful phishing campaign targeting its personnel.” The activity was discovered on October 10, and took the form of a fraudulent advertising campaign that directed General Dynamics employees to a phishing site where they were deceived into entering their usernames and passwords. A total of 37 people were affected, and in addition to accessing PII and government ID numbers, in some cases the attackers changed bank account information.

(Security Week)

Japan Airlines systems are back to normal after cyberattack

The airline announced yesterday, Thursday, that its systems have returned to normal following a cyberattack that delayed some international and domestic flights. The attack occurred at 7:24 a.m. local time and shut down a router that was causing malfunctions, which suspended ticket sales for flights departing on Thursday. Representatives said no customer data was leaked, and no damage was registered. This event follows on the heels of a brief outage that affected flights for American Airlines on Tuesday evening, Christmas Eve. That outage was “issued at the airline’s request after it experienced trouble with its flight operating system, or FOS. The airline blamed technology from one of its vendors.”

(Reuters and AP News)

Ruijie Networks’ cloud platform flaws could expose devices to remote attacks

Researchers at Claroty discovered the flaws, which they say affect both the Ruijie cloud platform and Reyee OS network devices. If exploited, they could “allow a malicious attacker to execute code on any cloud-enabled device, giving them the ability to control tens of thousands of devices.” Of the 10 vulnerabilities discovered by Claroty, three are rated critical in severity, with CVSS scores of 9.4, 9.8 and 9.8. Their research also found that MQTT authentication could easily be broken by knowing a device’s serial number, which could then be used to gain access to Ruijie’s MQTT broker and retrieve a full list of all cloud-connected devices’ serial numbers.

(The Hacker News)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.