Weekly Cybersecurity Roundup: Dec 30, 2024 — Jan 5, 2025
As the new year unfolds, the cybersecurity domain continues to see significant developments. Here’s a detailed roundup of key events from this week:
Critical Nuclei Vulnerability Allows Malicious Template Bypass
A recently disclosed vulnerability in Nuclei, ProjectDiscovery's open-source vulnerability scanner, could allow attackers to bypass template signature verification and execute attacker-supplied code on the host running the scan. Tracked as CVE-2024-43405, the flaw arises from a discrepancy between how the signature verification logic and the YAML parser handle newline characters, combined with the way multiple signature lines are processed. An attacker can append content that the verifier ignores but the parser acts on, so the template keeps a valid signature for its benign part while carrying a malicious addition.
The flaw was responsibly disclosed to ProjectDiscovery on August 14, 2024, and fixed in Nuclei v3.3.2 on September 4. Users are strongly advised to update to the latest version. Those unable to upgrade immediately should refrain from running custom templates and ensure that only trusted, verified templates are executed.
Sources: The Hacker News, Bleeping Computer, NVD
FireScam Android Malware Poses as Telegram Premium App to Steal Data
A new Android malware, dubbed ‘FireScam,’ is posing as a premium version of the Telegram app to steal sensitive user data. Distributed through phishing websites that mimic Russia’s RuStore app market, FireScam is designed to exfiltrate information such as notifications, messages, and other app data to a Firebase Realtime Database.
Key Features of FireScam:
- Deceptive Distribution: The malware is distributed via phishing sites that impersonate RuStore, Russia’s alternative to Google Play and Apple’s App Store.
- Data Exfiltration: FireScam monitors device activities, including screen state changes, e-commerce transactions, clipboard activity, and user engagement, to gather valuable information covertly.
- Persistence Mechanism: The malware designates itself as the primary app updater, preventing other installers from modifying it, ensuring a persistent presence on the device.
Sources: Bleeping Computer, Security Affairs
Tenable Plugin Issues Cause Worldwide Nessus Agent Outages
A recent issue with Tenable’s Nessus vulnerability scanner has caused widespread disruptions, taking Nessus agents offline globally. The problem stemmed from faulty plugin updates in versions 10.8.0 and 10.8.1, leading to agent outages across the Americas, Europe, and Asia.
- Affected Versions: Nessus Agent versions 10.8.0 and 10.8.1.
- Impact: Agents went offline during plugin updates, affecting users worldwide.
- Resolution: Tenable has released version 10.8.2 to address the issue.
Recommended Actions for Affected Users:
- Upgrade or Downgrade: Manually update to Nessus Agent version 10.8.2 or downgrade to version 10.7.3.
- Plugin Reset: If using agent profiles, perform a plugin reset to restore offline agents.
- Use Provided Tools: Utilize the nessuscli reset command or the script provided in the release notes for assistance.
Sources: Bleeping Computer
U.S. Sanctions Chinese Firm Linked to Flax Typhoon Hackers
The U.S. Treasury Department has sanctioned Beijing-based cybersecurity firm Integrity Technology Group for its alleged involvement in cyberattacks attributed to the Chinese state-sponsored group known as Flax Typhoon. These attacks have targeted critical U.S. infrastructure sectors since at least 2021.
- Sanctioned Entity: Integrity Technology Group, Incorporated, a Beijing-based cybersecurity company.
- Alleged Activities: Providing infrastructure support to Flax Typhoon, facilitating cyber intrusions against U.S. entities.
- Scope of Attacks: Flax Typhoon has compromised computer networks across North America, Europe, Africa, and Asia, with a particular focus on Taiwan.
- U.S. Response: The sanctions block Integrity Tech’s access to U.S. property and finances, prohibiting business transactions with American entities.
This action underscores the U.S. government’s commitment to countering cyber threats and holding accountable those who facilitate malicious cyber activities.
Sources: Bleeping Computer, The Hacker News, Security Affairs
Malicious npm Packages Steal Ethereum Developers’ Private Keys
A recent cybersecurity threat has emerged targeting Ethereum developers through malicious npm packages. These packages impersonate legitimate Hardhat plugins to steal private keys and other sensitive data. Hardhat, developed by the Nomic Foundation, is a widely used Ethereum development environment for building, testing, and deploying smart contracts and decentralized applications (dApps).
- Malicious Packages: Twenty malicious npm packages, downloaded more than 1,000 times in total, were identified. They rely on typosquatting, using names one or two characters away from legitimate Hardhat plugins, to get installed by mistake.
- Data Exfiltration: Upon installation, these packages collect sensitive information, including private keys, mnemonics, and configuration files, encrypt them with a hardcoded AES key, and exfiltrate them to attacker-controlled endpoints.
Sources: Bleeping Computer, The Hacker News, Security Affairs
Apple to Pay $95 Million for Siri Privacy Violation Settlement
Apple has agreed to a $95 million settlement to resolve a class-action lawsuit alleging that its Siri voice assistant recorded private conversations without user consent and shared these recordings with third parties, including advertisers. The lawsuit claimed that Siri was unintentionally activated and overheard confidential discussions. Apple denies any wrongdoing but agreed to settle the case. Tens of millions of class members may receive up to $20 per Siri-enabled device. The proposed settlement awaits judicial approval, with a hearing scheduled for February 14 in Oakland.
Sources: Bleeping Computer, The Hacker News, Security Affairs
New DoubleClickjacking Attack Hijacks Accounts via Double-Click Exploit
A new UI-redressing technique, termed “DoubleClickjacking,” abuses the timing of a double-click to hijack user accounts. Because the target site is opened as a top-level window rather than embedded in an iframe, the traditional clickjacking defenses, the X-Frame-Options header (and CSP frame-ancestors) and SameSite cookies, never come into play.
How DoubleClickjacking Works:
- Malicious Overlay: The attacker hosts a page with an enticing button, such as “Click here for your reward.”
- User Interaction: Clicking the button opens a new window on top of the attacker’s page that asks the user to double-click, for example to solve a CAPTCHA.
- Background Manipulation: While the user’s attention is on that window, the page beneath it navigates to the legitimate target (an OAuth authorization page, for instance) so that its sensitive button sits directly under the cursor.
- Exploit Activation: The first click of the double-click closes the top window; the second click lands on the now-exposed target page and authorizes the transaction or grants the permission.
Implications:
- Bypassing Protections: Frame-busting headers such as X-Frame-Options and SameSite cookie restrictions do not help, because the target page is never framed: it is loaded top-level in the attacker-controlled window, with the victim’s own session cookies.
- Potential for Account Takeover: By exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones, leading to unauthorized actions.
Recommendations:
- User Vigilance: Be cautious when interacting with unfamiliar web pages, especially those prompting multiple clicks or unexpected overlays.
- Website Security Measures: Implement client-side protections that disable critical buttons by default until explicit user gestures, such as mouse movements, are detected.
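The guard below is an added example, not code from the DoubleClickjacking write-up or from any vendor: it implements the client-side mitigation just described. Sensitive controls start disabled and are enabled only after a deliberate gesture on the page; any focus change on the window, which is exactly what happens when the attacker's popup closes between the two clicks, puts them back into the disabled state. The `settleMs` value and the `now` hook are assumptions made for the example so the timing can be tested outside a browser.

```javascript
// win: the browser window in production (a stub with the same addEventListener
// interface in tests). controls: elements with a writable `disabled` property.
function protectSensitiveControls(win, controls, options = {}) {
  // Gestures arriving within settleMs of a focus change are ignored; 500 ms is
  // an assumed value for the example, tune it against real user behaviour.
  const settleMs = options.settleMs ?? 500;
  const now = options.now ?? (() => Date.now());
  let focusedAt = now();
  let armed = false;

  const setDisabled = (value) => {
    for (const control of controls) control.disabled = value;
  };

  // A focus transition means the page was not continuously in front of the
  // user: drop back to the disabled state and restart the settle timer.
  const disarm = () => {
    armed = false;
    focusedAt = now();
    setDisabled(true);
  };

  // A mouse move, key press or touch is trusted only once the page has held
  // focus for settleMs; the attack delivers its second click almost at once.
  const arm = () => {
    if (armed || now() - focusedAt < settleMs) return;
    armed = true;
    setDisabled(false);
  };

  setDisabled(true);
  for (const type of ["mousemove", "keydown", "touchstart"]) win.addEventListener(type, arm);
  for (const type of ["focus", "blur"]) win.addEventListener(type, disarm);

  return { isArmed: () => armed };
}

// Browser usage, wiring every control marked data-sensitive:
//   protectSensitiveControls(window, document.querySelectorAll("button[data-sensitive]"));
```

Apply this only to the handful of controls whose single click has account-level consequences (OAuth consent, payment confirmation, key rotation); disabling everything on every page would be both annoying and unnecessary. The guard is a mitigation, not a fix: it raises the cost of the attack but does not replace server-side confirmation steps for irreversible actions.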
Sources: Bleeping Computer, The Hacker News, Security Affairs
New HIPAA Cybersecurity Rules Mandate Swift Action for Healthcare Data Security
The U.S. Department of Health and Human Services (HHS) has proposed new regulations to enhance cybersecurity protections under the Health Insurance Portability and Accountability Act (HIPAA). These proposed changes aim to bolster the security of electronic protected health information (ePHI) and address the increasing threat of cyberattacks targeting the healthcare sector.
Key Provisions of the Proposed HIPAA Security Rule Update:
- Mandatory Data Restoration: Healthcare organizations would be required to restore data from backups within 72 hours following a cyber incident, ensuring minimal disruption to patient care and operations.
- Annual Compliance Audits: The proposal mandates that covered entities and their business associates conduct annual audits to assess compliance with HIPAA Security Rule requirements, promoting continuous adherence to security standards.
- Enhanced Cybersecurity Measures: The proposed rule would require multifactor authentication, network segmentation, and encryption of ePHI so that the data remains unreadable even if it is stolen.
Sources: Bleeping Computer, The Hacker News, Security Affairs, Dark Reading
Microsoft Issues Urgent Warning: .NET Installer Link Must Be Updated
Microsoft has issued an urgent advisory for .NET developers to update their applications and development pipelines to avoid using ‘azureedge.net’ domains for installing .NET components. This change is due to the impending shutdown of CDN provider Edgio, which will render the ‘azureedge.net’ domains unavailable.
- Immediate Action Required: Developers must promptly modify their applications and build processes to source .NET components from alternative domains to ensure uninterrupted functionality.
- Impact of Edgio Shutdown: The discontinuation of Edgio’s services will affect the availability of ‘azureedge.net’ domains, necessitating the transition to other distribution channels for .NET components.
- Official Guidance: Microsoft recommends updating to the latest .NET versions and utilizing the official download links provided on the .NET website to maintain compatibility and security.
Developers are advised to review their deployment configurations and make the necessary adjustments to prevent disruptions in their applications.
Sources: The Hacker News, Bleeping Computer
AT&T and Verizon Confirm Network Security After Salt Typhoon Hack
AT&T and Verizon have reassured their customers that their networks remain secure following a breach linked to the Chinese cyber espionage group Salt Typhoon. The campaign targeted U.S. telecommunications infrastructure; both companies say the activity in their networks has been contained.
- Salt Typhoon Group: A Chinese state-sponsored hacker group known for its focus on espionage targeting critical infrastructure, including telecommunications and defense sectors.
- Investigation Results: Both companies say they have contained the activity and currently detect no nation-state actors in their networks. AT&T added that the intrusion targeted a small number of individuals of foreign intelligence interest and that only a few cases of compromised customer information were identified; Verizon likewise described a small number of high-profile customers in government and politics as the targets.
- Ongoing Monitoring: The companies say they have strengthened their security measures and continue to monitor their networks closely to prevent any future incidents.
- Reassurance to Customers: Both providers have assured customers that their communications and data are safe.
Sources: Bleeping Computer
LDAPNightmare Exploit Targets Critical Windows LDAP Vulnerability
A proof-of-concept (PoC) exploit, dubbed “LDAPNightmare,” has been released for a critical vulnerability in Windows Lightweight Directory Access Protocol (LDAP), tracked as CVE-2024-49113. The vulnerability can crash and reboot Windows servers, posing a significant risk to network availability.
- Vulnerability Overview: CVE-2024-49113 is a denial-of-service (DoS) flaw in Windows LDAP that leads to system crashes and reboots. It was reported by security researcher Yuki Chen and patched by Microsoft in the December 2024 Patch Tuesday updates.
- PoC Exploit (LDAPNightmare): SafeBreach Labs released a PoC that chains the flaw end to end. It sends a DCE/RPC request to the victim server, which prompts the victim to issue a DNS SRV query and then a Connectionless LDAP (CLDAP) request to an attacker-controlled host; the attacker answers with a specially crafted CLDAP referral response that crashes the Local Security Authority Subsystem Service (LSASS) and forces a reboot. The victim’s DNS server must be able to resolve the attacker’s domain, so a server without outbound DNS resolution is not reachable this way.
- Impact: Any unpatched Windows Server, not just domain controllers, is affected. Organizations should apply Microsoft’s December 2024 updates; where patching is delayed, the SafeBreach write-up suggests monitoring for anomalous CLDAP referral responses, suspicious DsrGetDcNameEx2 RPC calls, and unusual DNS SRV queries.
Sources: SafeBreach, Security Affairs, Trend Micro