Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
Article Link: https://thehackernews.com/2024/11/microsoft-fixes-90-new-vulnerabilities.html
- Microsoft’s November 2024 Patch Tuesday includes fixes for 90 vulnerabilities, notably two critical zero-day flaws in Windows NT LAN Manager (NTLM) and Task Scheduler.
- The NTLM vulnerability (CVE-2024-43451) allows attackers to disclose NTLMv2 hashes, facilitating unauthorized authentication, while the Task Scheduler flaw (CVE-2024-49039) enables privilege escalation through specially crafted applications.
- Businesses can mitigate risks from the latest vulnerabilities by immediately applying Microsoft’s patches, disabling NTLM where possible, monitoring logs for unusual activity, enforcing least-privilege access, and using tools like Microsoft Defender and Sysinternals Suite for detection and remediation.
FBI Issues Warning as Crooks Ramp Up Emergency Data Request Scams
Article Link: https://www.theregister.com/2024/11/11/fraudulent_edr_emails/
- The FBI issued a warning that cybercrooks are exploiting compromised government email accounts to send fraudulent Emergency Data Requests (EDRs) to U.S. businesses, aiming to illicitly obtain sensitive personal information. This surge in fraudulent EDRs has been observed throughout 2023 and 2024, with incidents reported across the U.S.
- By leveraging genuine government email addresses, attackers craft convincing EDRs that bypass standard verification processes, acquiring personal data for purposes such as extortion, social engineering, or resale to other criminals.
- Companies can combat fraudulent EDRs by verifying requests directly with agencies, using secure communication, and training employees to identify scams. Enhanced information security tools and collaboration with law enforcement further strengthen defenses.
Windows Machines Are Being Targeted with ZIP File Workaround
Article Link: https://www.techradar.com/pro/security/windows-machines-are-being-targeted-with-zip-file-workaround
- In recent global phishing campaigns, cybercriminals are exploiting a ZIP file concatenation technique to bypass security measures and deliver malware to Windows machines.
- Attackers merge multiple ZIP archives, one benign and one malicious, into a single file. Depending on the archiving software used, the malicious content may go undetected, allowing malware to infiltrate the system.
- This tactic exploits inconsistencies in how different archiving tools handle ZIP files (some read the first archive, others the last), potentially leading to undetected malware infections and compromised systems.
- Businesses can quickly counter ZIP concatenation malware by using free security tools for detection, enforcing email filtering and file handling policies, isolating affected systems, running malware scans, and providing employee phishing awareness training, all at minimal cost.
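The parser disagreement the item above relies on can be checked directly: a ZIP archive ends with an End of Central Directory (EOCD) record, and a concatenated file carries one EOCD per appended archive, so a parser that stops at the first EOCD and one that starts from the last (as Python's zipfile does) list different members. The following detection helper is an added example, not code from the article or any vendor; the two in-memory archives it builds are constructed sample data.

```python
from __future__ import annotations
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
EOCD_LEN = 22              # fixed part of the EOCD record (comment follows)

def first_archive_end(data: bytes) -> int:
    """Offset just past the first complete ZIP archive in data, i.e. where
    a first-EOCD parser stops. Returns len(data) if only one archive exists."""
    pos = 0
    while (idx := data.find(EOCD_SIG, pos)) != -1:
        if idx + EOCD_LEN <= len(data):
            cd_size, cd_offset, comment_len = struct.unpack(
                "<IIH", data[idx + 12:idx + 22])
            # A genuine EOCD of an archive starting at offset 0 has its
            # central directory ending exactly where the record begins;
            # this rejects signature bytes that merely occur inside data.
            if cd_offset + cd_size == idx:
                return idx + EOCD_LEN + comment_len
        pos = idx + 4
    return len(data)

def hidden_members(data: bytes) -> list[str]:
    """Member names visible only to a last-EOCD parser (e.g. zipfile) and
    invisible to a first-EOCD parser: the payload a scanner may miss."""
    split = first_archive_end(data)
    if split >= len(data):
        return []                       # single archive, nothing hidden
    with zipfile.ZipFile(io.BytesIO(data[:split])) as head:
        first_names = set(head.namelist())
    with zipfile.ZipFile(io.BytesIO(data)) as full:   # zipfile honours the last EOCD
        last_names = set(full.namelist())
    return sorted(last_names - first_names)

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory, uncompressed ZIP for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a benign archive followed by a second, appended archive
BENIGN = make_zip({"invoice.txt": b"constructed benign sample"})
SECOND = make_zip({"update.js": b"constructed sample member"})
CONCATENATED = BENIGN + SECOND

if __name__ == "__main__":
    print("trailing archive present:", first_archive_end(CONCATENATED) < len(CONCATENATED))
    print("members only a last-EOCD parser sees:", hidden_members(CONCATENATED))
```

A mail gateway or file-handling policy can treat any attachment where `first_archive_end()` is shorter than the file as suspect, regardless of which member names the preferred archiver shows.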
Social Engineering Scams Sweep Through Financial Institutions
Article Link: https://www.helpnetsecurity.com/2024/11/13/financial-institutions-scams/
- North American financial institutions have faced a tenfold increase in social engineering scams throughout 2024, with this alarming trend affecting a wide range of financial entities across the region.
- The advanced tactics, techniques, and procedures (TTPs) include the use of generative AI and deepfakes to structure sophisticated scams that deceive both customers and financial institutions, leading to substantial financial losses.
- The escalation of these scams underscores the urgent need for businesses to implement countermeasures such as AI-driven detection, multi-factor authentication (MFA), employee training, and behavioral intelligence to preserve customer trust and prevent financial losses.
- Link to BioCatch’s Report: https://www.biocatch.com/resources/white-paper/digital-banking-fraud-trends-nam-2024
Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware
Article Link: https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html
- A campaign discovered earlier this month identified cybercriminals targeting users via a known Microsoft Office vulnerability (CVE-2017-0199) to deploy a stealthy, fileless variant of the Remcos (Remote Control and Surveillance) remote access trojan (RAT).
- The attack begins with malicious Excel attachments that download an HTML Application (HTA) file, which runs obfuscated PowerShell commands directly in the computer’s memory. The PowerShell payload launches the fileless RAT, which steals data and enables remote surveillance while evading detection.
- Victims face significant risks, including stolen system data, unauthorized remote access, and potential audio/video recordings. The fileless approach makes detection and removal challenging, requiring a combination of proactive monitoring, updated security tools, and careful manual inspection.
- Utilize updated antivirus or EDR tools to detect unusual system behavior or malicious activity (e.g., PowerShell misuse), terminate suspicious processes, scan and remove malware, and reformat the system (if necessary), while preventing future infections through software updates, phishing awareness, and restricted PowerShell access.
Microsoft Visio Files Used in Sophisticated Phishing Attacks
Article Link: https://www.infosecurity-magazine.com/news/microsoft-visio-files-phishing/
- These sophisticated phishing attacks are conducted by embedding malicious URLs within Microsoft Visio (.vsdx) files, exploiting users’ trust in familiar business tools.
- Identified in November 2024, these attacks have been observed across different organizations, particularly targeting environments where Visio is commonly used for business diagrams.
- Attackers use compromised email accounts to send authentic-looking messages containing Visio attachments. When recipients open these files and click the embedded links, they are redirected to spoofed Microsoft login pages that harvest their credentials.
- This attack can be detected and blocked by using updated security tools to scan for malicious Visio files, monitoring for unusual login attempts, and quarantining affected systems. These threats can be eradicated by scanning for and purging all malicious files, enforcing password resets, and layering defenses with multi-factor authentication, employee training, and regular security updates.
Maximizing Cybersecurity ROI: Best Practices for CISOs Today
Article Link: https://www.techradar.com/pro/maximizing-cybersecurity-roi-best-practices-for-cisos-today
- Chief Information Security Officers (CISOs) are striving to increase the return on investment (ROI) from their information security expenditures by adopting integrated security frameworks and automation tools.
- Organizations worldwide are recognizing and applying these strategies to optimize their information security budgets and posture.
- By consolidating multiple security tools into unified platforms and leveraging automation for continuous monitoring and real-time threat detection, CISOs aim to reduce complexity, enhance operational efficiency, and effectively mitigate risks.
- Businesses can strengthen their defenses at little or no extra cost by using free security tools, focusing on high-risk areas, automating processes, consolidating resources, and training employees without greatly impacting the budget.
Cybercriminals Hijack DNS to Build Stealth Attack Networks
Article Link: https://www.helpnetsecurity.com/2024/11/15/sitting-ducks-attack/
- “Sitting Ducks” attacks exploit DNS hijacking to compromise over 70,000 domains, including those of governments, nonprofits, and major brands, with over 1 million domains at risk daily, according to researchers at Infoblox.
- Hijacked domains are used by threat actors like Vacant Viper to distribute malware, including DarkGate and AsyncRAT, while groups like Horrid Hawk focus on phishing, fraud, and spoofing global brands.
- Attackers leverage hijacked domain reputations to bypass security filters and evade detection using advanced antibot tools that filter bots based on IPs and user profiles.
- Infoblox recommends proactive DNS security measures, including DNSSEC, regular audits, trusted providers, multi-factor authentication (MFA), and staff training to counter these growing but under-recognized threats.
Alleged Snowflake Attacker Gets Busted by Canadians – Politely, We Assume
Article Link: https://www.theregister.com/2024/11/11/infosec_in_brief/
- In November 2024, Canadian authorities arrested Alexander “Connor” Moucka, the alleged Snowflake hacker who breached 165 accounts, including AT&T and Ticketmaster, in what could be called unsolicited penetration testing.
- Operating as “Judishe” and “Waifu,” Moucka exploited the lack of two-factor authentication, proving that a single password is like locking your front door but leaving the key under the mat.
- The breach exposed sensitive data, reminding organizations that their greatest vulnerability is hoping attackers won’t notice their weak spots—spoiler: they always do. As for Moucka, his aliases might have been anonymous, but his mistakes screamed “traceable.”
- To avoid being the next cautionary tale and stay out of the headlines, organizations need to implement multi-factor authentication (MFA), audit systems like they’re hunting Easter eggs, and train employees to treat suspicious emails with caution and report them.
