Teixeira Sentenced to Fifteen Years for Damaging National Security Leak
Five Eyes release top 15 exploited vulnerabilities, Microsoft issued 89 Patch Tuesday fixes, Volt Typhoon returns, Lazarus Group embeds malware in macOS apps, Chinese state hackers launch new Tibet spy campaign, Trump taps Musk for DOGE, Trump to halt TikTok ban, much more
Sponsor Message
In today's digital landscape, protecting your software supply chain from rising threats is essential. This free whitepaper offers five key strategies for enhancing container security, one of the main attack surfaces in dynamic software development practices. Learn about using SBOMs for transparency, shifting vulnerability detection left, and automating policy enforcement, all for a superior developer experience and securing third-party code.
Interested in reaching the elite audience of cybersecurity decision-makers, public policy professionals, and journalists who read Metacurity? Send an email to info [at] Metacurity.com with the subject line "Sponsorship."
Jack Teixeira, the Massachusetts Air National Guardsman who pleaded guilty to sharing classified government records online, was sentenced to fifteen years in prison for one of the most damaging national security leaks in US history.
“You are young and you have a future ahead of you, but it is such a serious crime,” the judge, Indira Talwani of Federal District Court in Massachusetts, told Airman Teixeira, who is 22.
Airman Teixeira, an information technology specialist at an air base on Cape Cod, shared classified material he had obtained through his work on Discord, a social media platform popular among gamers. At one point, he acknowledged he had disclosed material that “I’m not supposed to.”
Airman Teixeira’s disclosures included details about supplying equipment to Ukraine, including how it would be transported and used. He posted a report on Russian and Ukrainian troop movements that American officials said might have compromised how the United States gathers intelligence.
According to court documents, shortly before his arrest, a friend told him that some of the disclosures were being shared on a pro-Russian Telegram channel. Airman Teixeira then asked his contact to delete his messages.
An assistant US attorney, Jared Dolan, who argued that the airman should face a term of just under 17 years, pointed to the fallout of the leak. “The damage he caused is historic,” he said, later adding, “His conduct and his offenses are unparalleled in breadth, in depth and in quality of the information.”
The airman apologized for the wide-ranging leak. “I’m sorry for all the harm that I’ve wrought and that I’ve caused,” he said. “I understand all the responsibility and consequences falls on my shoulders alone. And I accept whatever that may bring.” (Maya Shwayder and Eileen Sullivan / New York Times)
Related: NBC News, US Department of Justice, Washington Post, The Register, Wall Street Journal, Engadget, New York Post, Al Jazeera, ABC News, Cybernews, Air & Space Forces Magazine, The Indian Express, Reuters, UPI, USA Today, Forbes, Associated Press, The Sun, The Verge, Washington Examiner, The Guardian
The FBI, the NSA, and cybersecurity authorities of the Five Eyes intelligence alliance have released a list of the top 15 routinely exploited vulnerabilities throughout last year, calling for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.
The agencies warned, "In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets."
"In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day."
The agencies also noted that 12 of the top 15 vulnerabilities routinely abused in the wild were first disclosed and patched in 2023, consistent with their warning that threat actors concentrated on zero-days (flaws exploited before the vendor has released a fix).
The advisory also highlights 32 other vulnerabilities exploited last year to compromise organizations and provides information on how defenders can decrease their exposure to attacks that abuse them in the wild. (Sergiu Gatlan / Bleeping Computer)
Related: NSA, CISA, The Cyber Express, The Record, Cybernews, Digit, Australian Cybersecurity Magazine
Complete list of last year's most exploited vulnerabilities, as published by the NSA and reproduced in Bleeping Computer (each entry has a corresponding National Vulnerability Database record):
| CVE | Vendor | Product | Type |
| --- | --- | --- | --- |
| CVE-2023-3519 | Citrix | NetScaler ADC/Gateway | Code Injection |
| CVE-2023-4966 | Citrix | NetScaler ADC/Gateway | Buffer Overflow |
| CVE-2023-20198 | Cisco | IOS XE Web UI | Privilege Escalation |
| CVE-2023-20273 | Cisco | IOS XE | Web UI Command Injection |
| CVE-2023-27997 | Fortinet | FortiOS/FortiProxy SSL-VPN | Heap-Based Buffer Overflow |
| CVE-2023-34362 | Progress | MOVEit Transfer | SQL Injection |
| CVE-2023-22515 | Atlassian | Confluence Data Center/Server | Broken Access Control |
| CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | Remote Code Execution |
| CVE-2023-2868 | Barracuda Networks | ESG Appliance | Improper Input Validation |
| CVE-2022-47966 | Zoho | ManageEngine Multiple Products | Remote Code Execution |
| CVE-2023-27350 | PaperCut | MF/NG | Improper Access Control |
| CVE-2020-1472 | Microsoft | Netlogon | Privilege Escalation |
| CVE-2023-42793 | JetBrains | TeamCity | Authentication Bypass |
| CVE-2023-23397 | Microsoft | Office Outlook | Privilege Escalation |
| CVE-2023-49103 | ownCloud | graphapi | Information Disclosure |
In its November Patch Tuesday update, Microsoft issued fixes to plug at least 89 security holes in its Windows operating systems and other software, including fixes for two zero-day vulnerabilities that attackers are already exploiting and two other flaws that were previously publicly disclosed.
The zero-day flaw tracked as CVE-2024-49039 is a bug in the Windows Task Scheduler that allows an attacker to increase their privileges on a Windows machine—Microsoft credits Google’s Threat Analysis Group with reporting the flaw.
The second bug fixed this month that is already being exploited in the wild is CVE-2024-43451, a spoofing flaw that could reveal Net-NTLMv2 hashes used for authentication in Windows environments.
Microsoft patched two other publicly disclosed weaknesses this month: CVE-2024-49019, an elevation of privilege flaw in Active Directory Certificate Services (AD CS), and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server.
Finally, at least 29 of this month's updates address memory-safety bugs in SQL Server components, each carrying a CVSS score of 8.8. If an authenticated user connects to a malicious or compromised SQL database server, any one of these bugs could be used to run code on the connecting machine and install malware. (Brian Krebs / Krebs on Security)
Related: Bleeping Computer, Zero Day Initiative, SANS Internet Storm Center, Dark Reading, HackRead, Infosecurity Magazine, Cyber Daily, The Stack, Crowdstrike, AskWoody, Tenable, Help Net Security, Cyber Kendra, The Register, Security Week
Researchers at Security Scorecard report that Volt Typhoon, the notorious China-linked hackers known for burrowing deep into US infrastructure, are back.
The researchers observed Volt Typhoon moving traffic through a set of compromised routers in New Caledonia, a French territory in the South Pacific, as recently as September.
Global law enforcement disrupted a significant portion of Volt Typhoon's botnet in January, but the group quickly set up new servers. However, actual movement across these servers didn't occur until September.
Routing through New Caledonia gives the hackers a "silent bridge" to hide traffic between Asia-Pacific and the Americas.
Separately, investigators are still probing the extent of the Salt Typhoon group's latest hacks into U.S. politicians' phones, including those belonging to President-elect Donald Trump and VP-elect JD Vance. (Sam Sabin / Axios)
Related: Security Scorecard, The Register, Bleeping Computer, CSO Online, Cyber Daily, Security Week, Tech Radar
According to researchers at mobile device management company Jamf, hackers associated with North Korea's Lazarus Group were discovered embedding malware inside macOS applications built with an open-source software development kit.
The malware was discovered on VirusTotal, a popular online file analysis tool, in late October. Although the code was malicious, the scanning platform gave the samples a clean bill of health. Jamf found three variants. Two were written in Go and Python.
The third was built with Flutter, Google's open-source cross-platform framework for building applications for iOS, Android, Linux, macOS, Windows, and the web. Flutter compiles an app's Dart code into a native library whose layout is difficult to reverse engineer, so it conceals malicious logic without any deliberate obfuscation step.
“There is nothing inherently malicious about this app architecture; it just so happens to provide a good avenue of obfuscation by design,” the report notes.
Researchers said the techniques and domains associated with the malware “align closely” with known North Korean tradecraft. North Korea's cyber operations are typically financially motivated.
The samples were aimed at cryptocurrency-related targets and shared infrastructure with campaigns attributed to North Korea’s Lazarus Group. (Christian Vasquez / Cyberscoop)
Related: Jamf, Infosecurity Magazine, Bleeping Computer, Apple Insider, Neowin, r/cybersecurity, PC Mag
Researchers at Recorded Future’s Insikt Group report that the China-linked state-sponsored group TAG-112 has compromised Tibetan media and university websites in a new espionage campaign, part of a series of attacks targeting the Tibetan community to collect intelligence for Beijing.
The websites of the digital news outlet Tibet Post and Gyudmed Tantric University were hacked in late May and remain compromised.
TAG-112 has several overlaps with another Chinese state-sponsored group, Evasive Panda, which has been described as “highly skilled and aggressive.”
Evasive Panda is also interested in targeting the Tibetan community and previously compromised the Tibet Post. Both threat actors have also manipulated hacked websites to prompt visitors to download a malicious file disguised as a “security certificate.”
Despite these similarities, Insikt Group analysts believe TAG-112 is a separate hacker group, as it lacks Evasive Panda’s sophistication and hasn’t deployed custom malware. Instead, the group used Cobalt Strike, a legitimate cybersecurity tool designed to help security professionals simulate cyberattacks. Hackers have widely adopted the Cobalt Strike Beacon payload for real attacks.
The researchers said TAG-112 is likely a subgroup of Evasive Panda, working toward the same or similar intelligence requirements. (Daryna Antoniuk / The Record)
Related: Recorded Future, The Independent, Associated Press
Tens of thousands of exposed D-Link routers that have reached their end-of-life are vulnerable to a critical security issue that allows an unauthenticated remote attacker to change any user's password and take complete control of the device.
Security researcher Chaio-Lin Yu (Steven Meow) discovered the vulnerability in the D-Link DSL6740C modem and reported it to Taiwan’s Computer Emergency Response Team/Coordination Center (TWCERT/CC).
The device was not available in the US and reached the end-of-service (EoS) phase at the beginning of the year.
D-Link announced that it won't fix the issue and recommends "retiring and replacing D-Link devices that have reached EOL/EOS." (Bill Toulas / Bleeping Computer)
Web3 bug bounty platform Immunefi issued a 90-day suspension on white hat security firm Trust Security after Trust Security accused Immunefi of unjust denial of bug bounty payment for discovering a critical bug that could potentially lead to the theft of funds.
On Nov. 12, Trust Security revealed on X that its bounty team identified a critical theft-of-funds vulnerability on a forked mainnet of an unidentified project.
The proof-of-concept of the vulnerability was shared with Immunefi, which acts as a mediator between the white hats and projects to ensure bounty payments are made on credible bug identifications.
However, the project claimed that Trust Security detected an out-of-scope bug, which would effectively disqualify the white hats from earning bounty rewards.
According to Trust, Immunefi wrongly sided with the project’s “nonsense argument” and offered a “tiny goodwill bounty” instead of the full reward for identifying critical bugs.
Immunefi rebutted Trust’s claims of unjust payout and issued a 90-day suspension for “mischaracterizing the issues at hand.” The bug bounty platform also threatened to ban Trust permanently if it repeated the infraction. (Arijit Sarkar / Cointelegraph)
Related: Cryptonews
Researchers at ClearSky Cyber Security have observed a complex phishing campaign attributed to the Iranian-linked threat actor TA455 that uses sophisticated techniques to impersonate job recruiters on LinkedIn and other platforms.
The campaign, active since at least September 2023, begins with a spear phishing approach in which TA455 lures individuals with fake job offers. Using LinkedIn to gain trust, the attackers prompt victims to download a ZIP file titled “SignedConnection.zip,” which was flagged as malicious by five antivirus engines.
This ZIP file contains an EXE file designed to load malware into the victim’s system through DLL side-loading, where a malicious DLL file called “secur32[.]dll” is loaded instead of a legitimate one, allowing the attacker to run undetected code within a trusted process.
To increase the likelihood of infection, the attackers also include a detailed PDF guide within the phishing materials. This guide instructs the victim on how to “safely” download and open the ZIP file and warns against actions that might prevent the attack from succeeding.
Once the ZIP file is accessed and the highlighted EXE file inside is executed, the malware initiates an infection chain. This process leads to deploying SnailResin malware, activating a secondary backdoor called SlugResin. ClearSky attributes SnailResin and SlugResin to a subgroup of Charming Kitten, another Iranian threat actor. (Alessandro Mascellino / Infosecurity Magazine)
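A check a defender can run against an unpacked archive like the one described above, written here as an added example for this writeup rather than ClearSky's own tooling: it walks a directory tree and reports any DLL that carries the name of a Windows system library but sits next to an executable, because Windows resolves a DLL from the application's own directory before System32, which is exactly what side-loading relies on. secur32.dll comes from the report; the other DLL names, the System32 path list, the optional known-good hash comparison and the sample files in the test are assumptions for illustration.

```python
"""Hunt for DLL side-loading candidates in an extracted archive or app folder."""
from __future__ import annotations

import hashlib
import os
import sys
from dataclasses import dataclass
from pathlib import Path

# System DLLs that are commonly targeted for side-loading. secur32.dll is the
# one named in the TA455 report; the others are assumed additions.
WATCHED_DLLS = {"secur32.dll", "version.dll", "cryptbase.dll", "dbghelp.dll", "userenv.dll"}

# Directories where these DLLs legitimately live (assumed, compared lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass(frozen=True)
class Finding:
    dll: str           # full path of the suspicious DLL
    neighbor_exe: str  # executable in the same directory that would load it first
    sha256: str        # hash of the DLL, for pivoting to VirusTotal or a known-good list


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(root, known_good: dict[str, str] | None = None) -> list[Finding]:
    """Report every watched DLL that sits beside an .exe outside the system directories.

    known_good optionally maps a DLL name to the SHA-256 of the genuine copy
    (e.g. taken from a clean System32); copies matching that hash are skipped so
    only tampered or unknown files are reported.
    """
    known_good = {k.lower(): v.lower() for k, v in (known_good or {}).items()}
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        if str(dirpath).lower().startswith(SYSTEM_DIRS):
            continue
        by_lower = {f.lower(): f for f in files}
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # a DLL with no loader next to it cannot be side-loaded from here
        for name in sorted(WATCHED_DLLS & set(by_lower)):
            dll_path = Path(dirpath) / by_lower[name]
            digest = sha256_of(dll_path)
            if known_good.get(name) == digest:
                continue  # genuine copy, not a planted one
            for exe in exes:
                findings.append(Finding(str(dll_path), str(Path(dirpath) / exe), digest))
    return findings


if __name__ == "__main__":
    # Usage: python sideload_hunt.py <directory>  (defaults to the current directory)
    for hit in find_sideload_candidates(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit.neighbor_exe} would load {hit.dll} (sha256 {hit.sha256[:16]}...)")
```

The hash allow-list matters in practice: some installers legitimately ship a copy of a redistributable DLL, so compare against the hash of the system's own copy before raising an alert, and submit the hash of anything unexplained to your sandbox or VirusTotal.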
Related: ClearSky Cyber Security, Help Net Security
Researchers at SlashNext uncovered a tool called GoIssue aimed at targeting GitHub users, distributed on a cybercrime forum offering bulk developer credential theft and the ability to conduct further malicious activities, including supply chain attacks.
Potentially linked to a previous GitHub repository extortion campaign called Gitloker, GoIssue allows potential attackers to extract email addresses from GitHub profiles and to send bulk emails directly to user inboxes.
GoIssue is marketed to potential attackers at $700 for a custom build or $3,000 for full source code access. The tool combines bulk email capabilities with sophisticated data collection features and protects the operator's identity through proxy networks. (Elizabeth Montalbano / Dark Reading)
Related: SlashNext, Security Week, HackRead, Silicon Angle, Security Magazine, Techopedia
Sources say Donald Trump is expected to try to halt a potential US ban on TikTok next year after he promised to save the popular social media app.
Under a law passed in April with bipartisan support, the video-sharing app faces a January deadline to find a new owner not based in China or lose access to US users.
The deadline in the law for TikTok’s China-based owner ByteDance to divest is Jan. 19, the day before Trump’s inauguration. However, the firm has challenged the ban as unconstitutional, and even if TikTok doesn’t win, the litigation could push the question into Trump’s second term, giving him more latitude. (Jeff Stein, Drew Harwell, and Jacob Bogage / Washington Post)
Related: New York Times, New York Magazine, Music Business Worldwide, Axios, Platformer, Default, Gizmodo, Cryptopolitan, New York Post, Bloomberg, Associated Press
Donald Trump announced that Elon Musk and Vivek Ramaswamy, the former Republican presidential candidate, will lead the newly created Department of Government Efficiency.
Trump announced that the department will not be a government agency. In a statement, Trump said Musk and Ramaswamy will work from outside the government to offer the White House “advice and guidance” and will partner with the Office of Management and Budget to “drive large-scale structural reform and create an entrepreneurial approach to government never seen before.”
He added that the move would shock government systems. Posting on X, the social media platform he owns, Musk pledged to document all actions of the department online for “maximum transparency." (Daniel Trotta and Eric Beech / Reuters and Philip Wen and agencies / The Guardian)
Related: Wired, Donald J. Trump on Truth Social, Associated Press, CNN, Metro.co.uk, crypto.news, CCN.com, Business Today, Fox News, Washington Post, HuffPost, Crypto Briefing, Deadline, The Verge, The Block, The Indian Express, The Hill, Wall Street Journal, Benzinga, Axios, Tech Policy Press, Variety, NPR, TechCrunch, Watcher Guru, The Information, Mediaite, Cryptonews, Electrek, Space, Financial Times
Set Forth, Inc., a company that provides online account administration services to consumers enrolled in debt relief programs, disclosed a significant data incident affecting 1.5 million people.
Names, Social Security Numbers, addresses, and dates of birth may have been affected after the breach at Set Forth, Inc. (formerly DebtPayPro and Debt Pay Gateway), a financial services company founded in 2009 and dedicated to helping consumers exit debt.
The incident was identified on May 21st, 2024. Set Forth claims it immediately implemented incident response protocols and engaged independent computer forensic specialists.
On November 8th, the firm disclosed to the Maine Attorney General’s office that 1.5 million people, including 3,285 Maine residents, are affected. Unauthorized attackers gained access to the documents stored on the company’s systems. (Ernestas Naprys / Cybernews)
Related: Maine Attorney General, Tom's Guide, Cyber Daily, SC Media
Microsoft disclosed a high-severity Exchange Server vulnerability that allows attackers to forge legitimate senders on incoming emails and make malicious messages much more effective.
The security flaw (CVE-2024-49040) impacts Exchange Server 2016 and 2019. Solidlab security researcher Vsevolod Kokorin discovered it and reported it to Microsoft earlier this year.
"The problem is that SMTP servers parse the recipient address differently, which leads to email spoofing," Kokorin said in a May report.
Microsoft also warned that the flaw could be used in spoofing attacks targeting Exchange servers and released updates during this month's Patch Tuesday that add exploitation detection and warning banners. (Sergiu Gatlan / Bleeping Computer)
Related: Microsoft
Embargo, a relative newcomer group to the ransomware scene, threatened to begin publishing 1.15 terabytes of data belonging to Memorial Hospital and Manor, a small rural Georgia hospital and nursing home attacked last week, unless a ransom was paid yesterday.
The cybercrime group on its dark web site ticked off a countdown in hours and minutes for leaking the trove of data allegedly stolen from Memorial Hospital and Manor, which is owned and operated by the Hospital Authority of the City of Bainbridge and Decatur County.
Besides Memorial Hospital and Manor, Embargo's blog site lists at least eight other alleged victims, including one other healthcare sector organization, Weiser Memorial Hospital in Idaho, claiming it has 200 gigabytes of the community medical center and family medical practice's data "available" for purchase. (Marianne Kolbasuk McGee / Bank Info Security)
Related: HealthExec, Becker's Health IT
Managed services provider Trustwave and cybersecurity software company Cybereason announced a merger with the hopes of expanding market share and using each company’s product portfolio to boost the other’s offerings.
Terms of the deal were not disclosed. The transaction is supposed to close in early 2025, pending customary closing conditions and regulatory approvals. (Greg Otto / Cyberscoop)
Related: Cybereason, Trustwave, Data Breach Today, MSSP Alert, CRN, IT Wire, The Insurer
Cybersecurity giant Snyk purchased Probely, a Portuguese dynamic application security testing company led by a longtime Portugal Telecom security manager, to address the rising demand for API security.
Snyk said the acquisition targets the growth of API-driven applications, which it attributes to the increased use of large language models in generative AI.
The deal will combine Probely's low false-positive rates and usability with Snyk's current application security offerings to provide more comprehensive security coverage across the software development lifecycle. (Michael Novinson / Data Breach Today)
Related: The Stack, FinTech Global, FinSMEs
Best Thing of the Day: Publicly Available Data Is Valuable
Examining a breach of data aggregator DemandScience, which combines publicly available identity data from multiple locations, HaveIBeenPwned's Troy Hunt explains why, despite the publicly available nature of the data, you should care about these kinds of leaks.
Worst Thing of the Day: All Your Apps Data Belong to Us
According to hundreds of pages of internal Secret Service emails, some officials at the agency believe that citizens have agreed to be tracked with data harvested from smartphone apps because they accepted those apps' terms of service, even though those terms often do not say the data may end up with the authorities.