Daily Brief

Total articles found: 12827

2024-12-24 09:30:40 | thehackernews | NATION STATE ACTIVITY | CISA Flags Acclaim USAHERDS Flaw Due to APT41 Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw in Acclaim Systems USAHERDS to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2021-44207, with a high severity score of 8.1, involved hard-coded, static credentials allowing potential remote code execution. This flaw was actively exploited by China-linked APT41 in 2021 targeting U.S. state government networks. Though patched, the static ValidationKey and DecryptionKey in affected versions can be exploited to execute arbitrary code on servers. No new exploitation cases have been reported recently, but the flaw remains a concern for national cybersecurity. Federal agencies are urged to apply mitigation measures by January 2025 to protect against similar threats. Concurrently, Adobe has patched a critical flaw in ColdFusion, urging users to update promptly to safeguard against exploit risks.
2024-12-24 06:13:30 | thehackernews | MALWARE | Apache Tomcat Vulnerability Allows Remote Code Execution Risks
The Apache Software Foundation (ASF) has issued updates to address a significant remote code execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2024-56337. This vulnerability is an incomplete fix of a previous critical flaw, CVE-2024-50379, which also allowed RCE attacks, both having a high CVSS score of 9.8. CVE-2024-56337 enables RCE through a TOCTOU (Time-of-check Time-of-use) race condition vulnerability, particularly affecting systems with case-insensitive file systems and writable default servlets. Both vulnerabilities are exploitable under specific conditions, such as concurrent file read and upload operations, which can bypass security checks treating certain files as executable. Apache Tomcat versions impacted by CVE-2024-56337 were not specified, but users are advised to apply configuration adjustments depending on the Java version used. Security researchers Nacl, WHOAMI, Yemoli, and Ruozhi, along with the KnownSec 404 Team, were credited with discovering and reporting these vulnerabilities. In related news, Zero Day Initiative disclosed a critical vulnerability (CVE-2024-12828) in Webmin that permits authenticated remote attackers to execute arbitrary code due to improper validation in CGI request handling.
2024-12-23 21:33:35 | theregister | NATION STATE ACTIVITY | Examining Firmware Vulnerabilities: Possible State-Sponsored Risks
U.S. authorities are contemplating a ban on TP-Link products due to the prevalence of security vulnerabilities in their firmware. Although TP-Link's routers function well for everyday use, their firmware has been noted for significant vulnerabilities such as buffer overflows. There are suspicions that TP-Link may be engaging in market dumping by selling products below cost to dominate market share. Chinese law mandates that all nationals cooperate secretly with state security, fueling concerns about intentionally placed vulnerabilities for espionage. A comparative statistical analysis of TP-Link's products against competitors could validate or refute claims of distinctive susceptibility. On a larger scale, firmware vulnerabilities are pervasive, as seen in recent malicious attacks on U.S. and Israeli infrastructure by Iranian-linked agents. Companies find it challenging to identify covertly embedded security flaws, often discovering them only after significant breaches occur. The article stresses the urgency for the tech industry to address and scrutinize these covert risks, which pose substantial national and consumer security threats.
2024-12-23 20:02:24 | bleepingcomputer | MALWARE | Adobe Issues Urgent Fix for Critical ColdFusion Vulnerability
Adobe released emergency patches for a critical vulnerability in ColdFusion versions 2021 and 2023, identified as CVE-2024-53961. The vulnerability is a path traversal flaw that could allow attackers to read arbitrary files on affected servers. Adobe noted that proof-of-concept (PoC) exploit code exists and assigned the vulnerability a "Priority 1" severity rating. The company urges administrators to apply the security updates within 72 hours and to adjust settings according to the ColdFusion lockdown guides. Although there are no reports of active exploitation, Adobe advises reviewing protections against insecure WDDX deserialization attacks. CISA has previously emphasized the risks of path traversal bugs and urged improvements in software security practices. This alert follows a series of ColdFusion vulnerabilities, some exploited as zero-days, underscoring ongoing security challenges with Adobe products.
2024-12-23 18:46:25 | bleepingcomputer | DATA BREACH | FTC Mandates Marriott to Enhance Security After Multiple Breaches
The FTC has ordered Marriott International and Starwood Hotels to establish a comprehensive data security program following significant data breaches. The breaches affected 344 million customers worldwide and were attributed to inadequate security measures after Marriott acquired Starwood in 2016. The new security program must be implemented by June 17, 2025, and will remain under FTC oversight for 20 years, with the possibility of extension. Past breaches at Starwood and Marriott exposed sensitive customer information, including unencrypted passport numbers. The 2018 breach and a further breach disclosed in 2020, which exposed data of 5.2 million guests, highlighted prolonged exposure due to delayed detection and disclosure. In October 2024, Marriott agreed to a $52 million settlement with the FTC to resolve claims from these breaches affecting customers across 49 states.
2024-12-23 17:00:08 | bleepingcomputer | CYBERCRIME | Critical Security Flaws Found in Popular WordPress LMS Plugins
Critical vulnerabilities were discovered in the WordPress WPLMS theme and its plugins, which have over 28,000 sales. The vulnerabilities allow unauthorized file uploads, code execution, privilege escalation, and SQL injection. WPLMS is widely used by educational institutions, training corporations, and e-learning providers. Patchstack researchers identified 18 security issues across the WPLMS and VibeBP plugins. Users are urged to update to the secure versions: WPLMS 1.9.9.5.3 and VibeBP 1.9.9.7.7. Patchstack emphasizes the importance of secure file uploads, SQL sanitization, and role-based access controls. Vibe Themes worked with Patchstack to test patches from April to November to resolve the identified vulnerabilities.
2024-12-23 16:39:35 | bleepingcomputer | NATION STATE ACTIVITY | US Court Rules Against NSO for Illegal WhatsApp Hacks
A U.S. federal judge found Israeli company NSO Group guilty of violating U.S. hacking laws through deploying Pegasus spyware via WhatsApp. WhatsApp, owned by Meta, initiated the lawsuit, which concluded after five years, citing violations of both federal and state hacking laws. NSO's Pegasus spyware was used to infiltrate at least 1,400 devices using zero-day exploits, enabling unauthorized data access and surveillance. Despite NSO's claims that they do not control client actions or access data collected by Pegasus, the court ruled in favor of WhatsApp. Meta CEO Mark Zuckerberg emphasized the company's commitment to privacy and encryption following the court's favorable decision. The court's decision marks a significant win for privacy rights, holding spyware companies like NSO accountable for their products. Final determination of damages owed by NSO to WhatsApp is slated for early next year. NSO continues to face global criticism and legal challenges, including a separate lawsuit by Apple and sanctions by the U.S. Commerce Department.
2024-12-23 13:52:39 | thehackernews | MALWARE | AI-Driven Techniques Generate Malware Variants, Eroding Detection Systems
Large language models (LLMs) are now being used to generate thousands of new JavaScript malware variants that evade modern detection methods. Researchers from Palo Alto Networks' Unit 42 found that LLMs can significantly alter malware without changing its functionality, deceiving machine learning (ML) based security systems. The generated JavaScript variants show a substantial reduction in detected malicious intent, fooling models such as Innocent Until Proven Guilty (IUPG) and PhishingJS up to 88% of the time. The technique employs multiple obfuscation strategies, including variable renaming, junk insertion, and whole-code reimplementation. Code rewritten by LLMs appears more natural and is harder to detect than code altered by traditional obfuscators such as obfuscator.io. Adversaries are leveraging LLMs not only for JavaScript rewriting but also for crafting sophisticated phishing emails and potentially more advanced cyber threats. Amid rising AI misuse, LLM providers such as OpenAI have begun implementing safeguards against unauthorized manipulation of their technologies. The effectiveness of AI-driven obfuscation highlights the need for equally advanced detection capabilities and for applying similar AI techniques to defensive mechanisms.
2024-12-23 13:37:08 | theregister | CYBERCRIME | Arrest and Extradition of Alleged LockBit Ransomware Developer
Rostislav Panev, a dual Russian-Israeli national, has been arrested in Israel at the request of the U.S. and faces extradition on 41 criminal counts, including extortion and intentional computer damage. Panev is linked to LockBit, a ransomware group responsible for infecting over 2,500 targets globally and causing financial losses estimated in the billions, with $500 million in ransoms. Since its inception around 2019, LockBit has become notorious, with activity peaking until a major law enforcement disruption in 2024. At the time of his arrest, authorities found that Panev's computer held crucial LockBit operational tools and data, including source code for various ransomware builds and a custom data exfiltration tool. Panev allegedly admitted to writing malicious code for LockBit, initially claiming he was unaware of its unlawful nature but later continuing for financial gain. His role involved developing techniques to disable security measures on victim networks and managing ransomware deployment and operations.
2024-12-23 12:36:06 | bleepingcomputer | MALWARE | Apache Issues Update for Critical Tomcat Web Server Vulnerability
Apache has released a security update for a critical vulnerability in the Tomcat web server, identified as CVE-2024-56337. The vulnerability stems from an incomplete mitigation of a previous issue, CVE-2024-50379, and allows potential remote code execution. Apache Tomcat is used extensively by enterprises, SaaS providers, and cloud services to host Java-based web applications. The affected versions are Apache Tomcat 9.0.0.M1 to 9.0.97, 10.1.0-M1 to 10.1.33, and 11.0.0-M1 to 11.0.1. Immediate upgrades are recommended to versions 11.0.2, 10.1.34, and 9.0.98, which include the fixes and additional security enhancements. After upgrading, users must also set configuration parameters correctly according to the Java version in use to fully secure the web server. Apache plans further changes in upcoming versions to improve security defaults and reduce exposure.
2024-12-23 12:15:34 | thehackernews | CYBERCRIME | LockBit Ransomware Developer Charged; Series of Security Flaws Exposed
Rostislav Panev, associated with the LockBit ransomware-as-a-service group, was charged in the U.S. and is awaiting extradition from Israel. LockBit, despite disruptions, plans to launch a new version, LockBit 4.0, in February 2025. A series of critical vulnerabilities in popular software were highlighted, including issues in Sophos Firewall, Fortinet products, and BeyondTrust solutions among others. Users are advised to update their software immediately to counteract these vulnerabilities. The article emphasized the adaptability and persistent threat posed by cybercriminals using sophisticated techniques. Best practices for cloud security were outlined, including auditing settings, controlling access effectively, and encrypting data to prevent unauthorized access. The upcoming holiday season was noted as a peak period for increased cyber activity, urging heightened security measures and awareness.
2024-12-23 11:24:42 | thehackernews | CYBERCRIME | Rise in FlowerStorm PhaaS Activity Following Rockstar2FA Disruption
The Rockstar2FA PhaaS toolkit collapsed, becoming inaccessible due to unidentified technical issues. A subsequent increase in phishing attacks linked to a new service named FlowerStorm was observed. Rockstar2FA and FlowerStorm share similar phishing portal designs and backend server connections for credential theft, suggesting a possible common origin. The disruption on November 11, 2024, may signify a strategic shift, a personnel change, or an operational split between the two phishing services. The countries most targeted by FlowerStorm include the USA, Canada, the UK, Australia, and several European and Asian countries. The primary sector affected is services, including engineering, construction, real estate, legal services, and consulting. FlowerStorm and similar services illustrate the trend of cybercriminals using ready-made tools to conduct widespread attacks with minimal technical skill.
2024-12-23 09:38:26 | thehackernews | MISCELLANEOUS | Emerging Cybersecurity Challenges and Predictions for 2025
The cybersecurity landscape in 2025 is defined by complex, AI-driven threats, tighter regulations, and evolving technology. AI exploitation by cybercriminals is increasingly sophisticated, enabling them to evade detection and execute personalized attacks like advanced phishing and deepfake impersonation. The threat from zero-day vulnerabilities persists, necessitating improved detection systems and industry-wide threat intelligence sharing. Modern cybersecurity heavily relies on AI for threat detection and incident response, becoming essential for all cybersecurity aspects. Ongoing challenges in adhering to strict data privacy guidelines, like GDPR and potential new regulations, are pushing businesses towards decentralized and zero-trust security models. Supply chain vulnerabilities remain a significant risk, as showcased by incidents such as the attack on Ford, highlighting the need for rigorous third-party security assessments and AI-driven monitoring solutions. Balancing stringent security measures with user-friendly experiences remains crucial, with adaptive context-aware access management systems emerging as a solution. Insider threats are intensifying with the shift towards remote work and the advanced capabilities of AI, stressing the need for comprehensive cybersecurity strategies including regular staff training and strict AI usage regulations.
2024-12-23 09:33:03 | theregister | MISCELLANEOUS | Google Plans User Fingerprinting, UK ICO Expresses Concern
Google has announced plans to allow user "fingerprinting" across its business services, enabling better-targeted advertising by building profiles from hardware and software information. The UK Information Commissioner's Office (ICO) criticized the move, stating that the lack of transparency and choice in fingerprinting violates UK privacy regulations. Stephen Almond of the ICO signaled continued oversight and potential action against misuse of fingerprinting technologies. Google previously pledged to end third-party cookie support in Chrome, a promise it has since reneged on, raising concerns about its commitment to user privacy. The article also covers other security news: vulnerabilities in BeyondTrust products, the emergence of LockBit 4.0 ransomware, and a significant data breach affecting 5.6 million Ascension Healthcare patients. Lazarus Group has expanded its campaigns targeting professionals with deceptive job offers, using newly developed malware named CookiePlus. Patching is urged for actively exploited vulnerabilities, particularly ahead of the holiday break, highlighting ongoing security management challenges.
2024-12-23 09:22:39 | thehackernews | NATION STATE ACTIVITY | WhatsApp Wins Legal Battle Against NSO Group Over Spyware Misuse
A U.S. District Judge in California ruled that NSO Group exploited WhatsApp to deliver Pegasus spyware. The court highlighted NSO Group's repeated failure to comply with discovery orders and its refusal to provide the Pegasus source code. The ruling found NSO Group liable for violating WhatsApp's terms of service by using the platform for malicious activity. WhatsApp's lawsuit began in 2019 after Pegasus was used to infiltrate 1,400 devices via a zero-day vulnerability. The case will now proceed to trial on the issue of damages, focusing on the extent of the intrusion and potential reparations. NSO Group maintains that its spyware tools are intended for lawful government use, although misuse has been documented globally. The ruling bolsters privacy advocacy and sets a precedent for accountability in commercial spyware operations.