November 24, 2024 at 08:37PM
Volexity reported a “nearest neighbor attack” by Kremlin-backed hackers APT28, compromising networks via neighboring organizations’ Wi-Fi without MFA. Cisco warns of an expiring internal certificate risking device management. Microsoft seized 240 phishing sites linked to a suspect. Helldown ransomware targets Linux, and Jupyter Notebooks are hijacked for illegal sports streaming.
### Meeting Takeaways
1. **APT28 "Nearest Neighbor Attack"**:
   - APT28, a Kremlin-backed threat actor, used a new attack vector that Volexity has termed the "nearest neighbor attack."
   - The attack began with password spraying against the victim's web portals; the attackers then connected to the victim's Wi-Fi, which lacked multifactor authentication (MFA), by pivoting through compromised neighboring organizations' Wi-Fi networks.
   - Recommendation: implement MFA on all Wi-Fi networks and isolate network segments to prevent lateral movement.
2. **Cisco Firepower Management Center Vulnerability**:
   - Cisco reported a critical issue in versions 6 and 7 of its Firepower Management Center software caused by an expiring internal self-signed root certificate.
   - Administrators should inspect their systems and apply the hotfixes immediately to avoid losing the ability to manage devices.
3. **Critical Exploit Reported (CVE-2024-1212)**:
   - Progress Software's LoadMaster has a critical vulnerability (CVSS 10.0) that allows unauthenticated access via the management interface, enabling arbitrary command execution.
4. **Phishing Operation Bust**:
   - Microsoft seized 240 fraudulent websites associated with a phishing operation led by Abanoub Nady, also known as "MRxC0DER."
   - The operation sold phishing kits and posed a risk to online users; legal actions by Microsoft and the Linux Foundation are ongoing.
5. **DoD CCI Handling Report**:
   - The Department of Defense's inspector general released a report finding no compliance issues in the handling of controlled cryptographic items; full details remain confidential under controlled unclassified information guidelines.
6. **Helldown Ransomware Expansion**:
   - The Helldown ransomware, which initially targeted Windows, has begun attacking Linux and VMware systems.
   - It employs double-extortion tactics and relies on undocumented vulnerabilities for access, which implies a relatively low level of sophistication.
7. **Jupyter Notebooks Exploitation**:
   - Threat actors are hijacking misconfigured Jupyter Notebooks to illegally stream UEFA matches using tools such as ffmpeg.
   - Vulnerabilities and weak passwords are the main infiltration points; organizations should secure their Jupyter environments to prevent unauthorized access.
### Action Items
- Enhance network security measures, including MFA on all access points.
- Ensure timely updates and patching for Cisco Firepower Management Center and other critical software.
- Monitor for indicators of compromise related to the Helldown ransomware and Jupyter exploitation.
- Stay informed about ongoing legal actions related to phishing operations to understand emerging threats.