EXPLOITATION OF VULNERABILITIES ALMOST TRIPLED AS A SOURCE OF DATA BREACHES LAST YEAR BY TIM STARKS
Last year saw a 180% surge in attacks exploiting vulnerabilities, largely due to the MOVEit hack, according to Verizon's annual data breach report. The MOVEit breach, with a total of 1,567 identified notifications, was one of the most significant ransomware attacks of the past year, in contrast with the surprisingly underwhelming impact of the Log4j vulnerability. MOVEit disproportionately affected the education sector, highlighting that sector's exposure as one of the least equipped to fend off attacks. The report also analyzed over 10,000 breaches and 30,000 incidents, revealing minimal impact from artificial intelligence-driven attacks. Existing methods remain effective, suggesting sophistication isn't always necessary for success.
CRITICAL INFRASTRUCTURE BLUEPRINT GETS LONG-AWAITED UPDATE BUT MAINTAINS STATUS QUO ON KEY SECTORS BY DAVID DIMOLFETTA
The White House has updated Presidential Policy Directive 21 (PPD-21), reaffirming 16 critical infrastructure sectors without adding new ones, despite previous recommendations. The update designates the Cybersecurity and Infrastructure Security Agency (CISA) as the national coordinator, requires the Office of the Director of National Intelligence to provide the White House with a critical infrastructure intelligence assessment within six months of the signing, and makes the Homeland Security Secretary responsible for sending a report to the president every other year that summarizes U.S. efforts to mitigate cyber risks to the sectors. Moreover, intelligence agencies will share information with infrastructure operators, who are often hackers' first targets. The rewrite aims to address evolving cyber threats, moving from counterterrorism to strategic competition and nation-state hacking.
ACCOUNT COMPROMISE OF “UNPRECEDENTED SCALE” USES EVERYDAY HOME DEVICES BY DAN GOODIN
Okta has issued a warning about a large-scale attack campaign that uses the mobile devices and browsers of unsuspecting users to reroute fraudulent login attempts, with the attackers employing various methods -- including proxy services and Tor networks -- to disguise the origins of their actions. Attackers are then using the affected devices for credential-stuffing attacks, which involve using stolen login credentials to gain unauthorized access to online accounts. Okta's advisory follows a report from Cisco's Talos security team that identified comparable attacks. Okta's advisory advises users to be cautious of apps and services that may use their devices for malicious purposes, and network administrators are encouraged to implement strong password policies and multifactor authentication.
US GOVT WARNS OF PRO-RUSSIAN HACKTIVISTS TARGETING WATER FACILITIES BY LAWRENCE ABRAMS
The US government, along with several agencies and international partners, has issued a warning about pro-Russian hacktivists targeting unsecured operational technology (OT) systems, which control physical processes in various industries, such as water treatment plants. The hacktivists aim to disrupt operations or create disturbances using unsophisticated techniques, but they are also capable of more serious threats. Recent attacks in 2024 targeted water treatment facilities in Texas and Indiana, as well as infrastructure in Poland and France. The advisory outlines mitigation steps, including securing remote access, enabling multifactor authentication, and updating security measures to protect against these threats.
NEW CUTTLEFISH MALWARE INFECTS ROUTERS TO MONITOR TRAFFIC FOR CREDENTIALS BY BILL TOULAS
A new malware dubbed 'Cuttlefish' targets enterprise-grade and SOHO routers, enabling data monitoring and theft. It creates proxy or VPN tunnels to bypass security measures and performs DNS and HTTP hijacking, potentially introducing more payloads. Infections likely occur through vulnerabilities or credential brute-forcing, and although it shares code with HiatusRat, attribution is challenging. Cuttlefish deploys a bash script to collect data and execute its payload, after which it monitors network traffic for credential data, logging and exfiltrating it to the attacker's server. Prevention measures include strong credentials, firmware updates, and monitoring for unusual logins.