‘Bitcoin Jesus’ and Sheboygan face problems.
Federal agencies and Five Eyes partners list the past year’s most exploited vulnerabilities. U.S. authorities hand down indictments in the Snowflake customer breach. Patch Tuesday updates. Zoom discloses multiple vulnerabilities. A China-linked hacker group has compromised Tibetan media and university websites. A cyberattack on a Dutch company affects over 2,000 U.S. grocery stores. Sheboygan suffers a ransomware attack. The White House plans to support a controversial UN cybercrime treaty. On today’s CertByte segment, N2K’s Chris Hare is joined by Dan Neville to break down a question from the CompTIA® Security+ certification Practice Test. Bitcoin Jesus faces $48 million in tax fraud charges.
Today is November 13th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Federal agencies and Five Eyes partners list the past year’s most exploited vulnerabilities.
CISA, the FBI, NSA, and Five Eyes intelligence agencies have identified the top 15 most exploited security vulnerabilities from last year, urging organizations to patch these flaws immediately. In a joint advisory, they emphasized the critical need for effective patch management to reduce network exposure.
The report highlights an increase in zero-day exploits in 2023 compared to 2022, noting that the majority of frequently targeted vulnerabilities were zero-days, which allowed attackers to infiltrate high-value targets more effectively. Twelve of the top 15 vulnerabilities had patches released last year, underscoring the importance of swift patch deployment as cybercriminals continue targeting unpatched flaws.
Leading the list is CVE-2023-3519, a code injection vulnerability in NetScaler ADC/Gateway. This vulnerability, exploited by state actors, enabled remote code execution on unpatched servers, compromising U.S. critical infrastructure. By mid-August, hackers had used this flaw to backdoor over 2,000 Citrix servers worldwide.
The advisory also mentions 32 additional vulnerabilities frequently exploited in 2023, offering guidance on minimizing risk. Meanwhile, MITRE recently updated its list of dangerous software weaknesses, underscoring ongoing challenges. Jeffrey Dickerson, NSA’s cybersecurity director, warned that exploitation of known vulnerabilities will persist, urging network defenders to remain vigilant and proactive through 2024 and beyond.
U.S. authorities hand down indictments in the Snowflake customer breach.
U.S. authorities have indicted Connor Moucka and John Binns, suspected cybercriminals accused of hacking into the cloud platforms of major firms, including AT&T, in the Snowflake customer breach, a scheme targeting over 10 organizations. Moucka and Binns allegedly stole sensitive data and demanded ransoms totaling $2.5 million in digital currency.
Moucka, a Canadian, was arrested by Canadian authorities on October 30, while Binns, also charged in a 2021 T-Mobile breach, was detained by Turkish authorities. Though the indictment doesn’t name specific victims, it aligns with earlier reports of breaches involving Snowflake clients like Ticketmaster and Santander.
Researchers suggest Moucka and Binns are linked to “The Com,” a group tied to various criminal activities, including cyber extortion and violent crimes.
Patch Tuesday updates.
Microsoft has released patches for 89 vulnerabilities in Windows and other software, addressing two critical zero-day threats actively exploited by attackers. The first, CVE-2024-49039, impacts Windows Task Scheduler, allowing attackers to elevate privileges; Google’s Threat Analysis Group identified it. The second, CVE-2024-43451, enables attackers to spoof and expose NTLMv2 hashes, used for authentication, raising the risk of “pass-the-hash” attacks, which let attackers act as legitimate users without needing passwords.
Additional updates include CVE-2024-49019, a privilege escalation flaw in Active Directory, and CVE-2024-49040, a spoofing vulnerability in Exchange Server. A notable threat, CVE-2024-43602, affects the Kerberos protocol in Windows domains, potentially allowing attackers to gain domain controller access. Microsoft also patched CVE-2024-43498, a critical flaw in .NET and Visual Studio, and 29 memory-related issues in SQL server.
Siemens, Schneider Electric, CISA, and Rockwell Automation have issued November 2024 Patch Tuesday advisories, addressing multiple critical vulnerabilities in industrial systems. Siemens released fixes for numerous products, notably a deserialization flaw in TeleControl Server Basic allowing unauthenticated code execution. Sinec INS received updates for roughly 60 vulnerabilities, many involving third-party components, while Sinec NMS and Scalance M-800 addressed over a dozen issues each. High-severity patches target code execution risks in Engineering Platforms and stored XSS in OZW Web Servers, among others.
Schneider Electric issued four advisories, including a critical EcoStruxure IT Gateway flaw enabling system control and sensitive data access. PowerLogic PM5300 and Modicon controllers were also patched for DoS and code execution risks.
CISA’s advisories include critical flaws in Subnet PowerSystem Center and Hitachi TRO600 radios, plus a Rockwell FactoryTalk View ME remote code execution vulnerability. Rockwell additionally addressed severe issues in FactoryTalk Updater, including authentication bypass and privilege escalation.
Zoom discloses multiple vulnerabilities.
Zoom disclosed multiple vulnerabilities in its applications, including a critical buffer overflow flaw (CVE-2024-45421) with a CVSS score of 8.5, allowing authenticated users to execute remote code. Another significant issue (CVE-2024-45419) involves improper input validation, which could lead to unauthorized information disclosure. Affected products include the Workplace App, Rooms Client, Video SDK, and Meeting SDK across Windows, macOS, iOS, Android, and Linux.
Users are advised to update to the latest versions (6.2.0 or later) to mitigate risks.
A China-linked hacker group has compromised Tibetan media and university websites.
A China-linked hacker group, TAG-112, has compromised Tibetan media and university websites in an espionage campaign to gather intelligence for Beijing. TAG-112 targeted the Tibet Post and Gyudmed Tantric University sites, exploiting vulnerabilities in the Joomla CMS to deploy Cobalt Strike, a cybersecurity tool repurposed for hacking. Researchers suggest TAG-112 may be a subgroup of the Chinese state-sponsored group Evasive Panda, which also targets the Tibetan community. Both groups use hacked websites to prompt downloads of malicious files disguised as security certificates, aiming to monitor Tibetan and other ethnic minority groups that China deems subversive.
A cyberattack on a Dutch company affects over 2,000 U.S. grocery stores.
A cyberattack on Ahold Delhaize, the Dutch parent of U.S. grocery chains like Stop & Shop, Hannaford, and Food Lion, has disrupted online services, affecting over 2,000 stores. Customers faced issues with online orders, and some websites and pharmacy operations went offline. While in-store credit card transactions still work, delivery orders were canceled. The company is investigating with law enforcement and cybersecurity experts, taking some systems offline as a precaution. No hacking group has claimed responsibility, but similar incidents often involve ransomware targeting retail operations for quick payouts.
Sheboygan suffers a ransomware attack.
The Wisconsin city of Sheboygan reported a ransomware attack that disrupted its computer network. Officials discovered the issue in late October and began working with cybersecurity experts to secure the network. An external party gained unauthorized access and issued a ransom demand, which the city reported to law enforcement. Officials do not believe sensitive personal data was compromised but will notify affected individuals if necessary. City phone lines remain operational, and the investigation is ongoing. Sheboygan thanked residents for their patience and emphasized its commitment to security.
The White House plans to support a controversial UN cybercrime treaty.
The Biden administration plans to support a UN cybercrime treaty aimed at establishing global cooperation on cybercrime, despite concerns it could empower authoritarian regimes to surveil dissidents. While it would be the UN’s first binding agreement on cybersecurity, critics worry it could be misused to target political opponents or censor internet users. U.S. officials argue the treaty would help criminalize child exploitation and expand access to electronic evidence, facilitating extradition of cybercriminals. Advocacy groups and six Democratic senators warn the treaty risks legitimizing censorship and human rights abuses. To address these concerns, U.S. officials assure that human rights safeguards will be enforced, and the Department of Justice will scrutinize assistance requests. Although the treaty is likely to pass the UN vote, it may face ratification challenges in the U.S. unless human rights protections are enhanced.
We’ve got our CertByte segment up next. N2K’s Chris Hare is joined by Dan Neville to break down a question from the CompTIA® Security+ certification Practice Test. We’ll be right back.
Be sure to visit our show notes for links to the practice test and other helpful resources that Chris and Dan talked about.
Bitcoin Jesus faces $48 million in tax fraud charges.
And finally, Roger Ver, a.k.a. “Bitcoin Jesus,” is facing U.S. tax fraud charges over $240 million in token sales, with accusations of evading over $48 million in taxes. Known for his crypto evangelism, Ver claims he’s being targeted for his political views and insists he followed professional advice amid IRS crypto tax ambiguity. Arrested in Spain, Ver spent a stint in jail and now awaits a ruling on possible extradition to the U.S.
The indictment alleges he hid substantial Bitcoin holdings when renouncing U.S. citizenship in 2014, underreporting assets and crypto sales. While Ver continues living in Mallorca, practicing jiujitsu, and hosting friends, his supporters are rallying behind him, decrying what they call “unjust prosecution.” If extradited, Ver’s case could set a precedent as the first crypto-only tax case to go to trial.
Bitcoin Jesus might not be walking on water, but he’s definitely skating on thin ice with the IRS.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.