Russia's Daisy-Chained Network Attack Demonstrates Necessity of Wi-Fi Security; Deny Outdated Antivirus Drivers to Prevent Kernel-Level Exploit

Researchers from Volexity found that a Russian APT gained access to a targeted network by finding nearby vulnerable networks and “daisy-chaining” access to breach the targeted organization’s Wi-Fi network. The attackers used credential stuffing attacks to find passwords to the targeted organization's web service platform accounts, but MFA prevented them from accessing those accounts. Once they gained access through the nearby organizations’ Wi-Fi however, the attackers found that the purloined credentials worked on the neighboring Wi-Fi network because it had no MFA. Beyond monitoring and detection tools, mitigation suggestions from Volexity include “creat[ing] separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources [and] … hardening access requirements for Wi-Fi networks, such as applying MFA requirements for authentication or certificate-based solutions.” Volexity’s Steven Adair presented the company’s findings at the Cyberwarcon security conference last week.

In a November 20 blog post, researchers at Trellix describe a malware campaign that abuses an outdated but authentic trusted Avast anti-rootkit driver and "manipulates it to terminate security processes, disable protective software, and seize control of an infected system." The driver in question is a kernel-mode driver, which interacts directly with the core of an operating system. The attack leverages the kernel-level position "to terminate security processes [and] disable protective software"; a list of 142 process names from major software vendors is hardcoded into the malware. Preventing a Bring Your Own Vulnerable Driver (BYOVD) attack like this involves implementing rules to "identify and block specific vulnerable drivers based on their unique signatures or hashes," according to Trellix.

In a November 20 press release, The University of Chicago Harris School of Public Policy's Cyber Policy Initiative (CPI) announced its collaborative effort with the National Rural Water Association (NRWA) and volunteers from the DEF CON Franklin Project to pair experts with vulnerable US water utilities in the wake of rising cybersecurity attacks in the water sector. The Franklin project states two key tasks: the first is collecting information on "pressing cyber policy gaps" from participating DEF CON villages, synthesizing it into informed recommendations and a "Hackers' Almanack" resource; the second is connecting volunteers from the DEF CON community to sectors and organizations in need of cybersecurity expertise. Already six water utilities in Indiana, Oregon, Utah, and Vermont have been identified to pair with volunteers. CPI's press release highlights the overwhelming majority of US water systems that serve small communities, but lack the resources and staff to secure their systems, whom the Franklin project aims to serve by "deploying volunteers as a free, scalable solution to help secure water systems nationwide."

While British critical national infrastructure suffered an unprecedented number of "cyber incidents" in 2024 -- possibly as much as a 50% increase from 2023, -- under UK law providers must report any significant incidents to the government but are not required to disclose them publicly. Recorded Future News discovered through a UK Freedom of Information (FOI) Act request that drinking water systems experienced at least six significant cyber incidents this year that “directly impact[ed] on the production and delivery of wholesome water, irrespective of whether or not customers are directly affected,” rising from a previous yearly record of two. The information request was initially denied, but successfully appealed when the Department for Environment, Food, & Rural Affairs "could not demonstrate how [disclosing] statistical data might make services more vulnerable." The Cyber Security and Resilience bill, to be introduced in Parliament in 2025, aims to redefine thresholds and requirements for reporting, and to establish a balance between secrecy and transparency, prioritizing citizens' informed confidence in infrastructure alongside the security of critical details.

On November 22, 2024, the Supreme Court of the United States (SCOTUS) issued a per curiam decision in the case of Facebook, Inc. v. Amalgamated Bank, dismissing Meta's petition for writ of certiorari as "improvidently granted." Granting the writ would have brought the case to SCOTUS for review; this dismissal leaves the case under a District Court's appellate ruling, "allow[ing] a securities fraud class action against Meta to go forward." The "multibillion-dollar" suit stems from investors' complaints that when the Cambridge Analytica scandal came to light, stock prices plunged because Meta had "improperly downplayed the risks of a data breach." In 2019 the Federal Trade Commission fined Meta an unprecedented $5 billion over the company's culpability in misleading customers while their personal information was collected, purchased, and used by Cambridge Analytica in 2016 US political campaigns. A separate class-action suit over the same breach settled in 2022 for $725 million.

The US Federal Communications Commission (FCC) has proposed a fine of nearly $735,000 against Hong Kong-based smart device manufacturer Eken. Specifically, the FCC alleges that Eken has violated an FCC requirement that foreign companies designate an agent within the US. Additionally, the FCC’s enforcement bureau is investigating allegations of security issues with Eken video doorbells. A Consumer Reports investigation found “serious security and privacy vulnerabilities with these devices” that could have been exploited to gain control of affected doorbells and to view images from the doorbell’s camera. The devices also leaked WiFi network names and home IP addresses. Eken released fixes for the vulnerabilities after meeting with Consumer Reports engineers.

Roughly 2,000 Palo Alto Networks devices have been compromised via a pair of recently-disclosed vulnerabilities, according to data gathered by The Shadowserver Foundation. The flaws, an authentication bypass vulnerability (CVE-2024-0012) and a command injection vulnerability (CVE-2024-9474), affect Palo Alto Networks PAN-OS Management Interface. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaws to their Known Exploited Vulnerabilities catalog on November 18; Federal Civilian Executive Branch agencies have until December 9 to address the issues.

QNAP has pulled a firmware update, QTS 5.2.2.2950, build 20241114, that was reportedly breaking some network attached storage (NAS) features and capabilities, and in some cases preventing users from logging into their devices. In a community announcement, QNAP wrote that “the issue caused by this update only affected limited models of TS-x53D series and TS-x51 series: HS-453DX, TBS-453DX, TS-251D, TS-253D, TS-653D, TS-453D, TS-453Dmini, TS-451D, TS-451D2." QNAP provides instructions for downgrading the update.

"We're having issues, but we're working on it," reads the service status page for Microsoft's software products, as Microsoft 365 (Consumer) "continu[es] to incrementally recover" from an outage starting in the morning on Monday, November 25. Throughout the day, customers reported problems or complete outages in Exchange Online, Microsoft Teams, SharePoint Online, OneDrive, Purview, Copilot, Microsoft Fabric, Microsoft Bookings, Microsoft Defender for Office365, and Outlook Web and Desktop. At 6:25pm EST, Microsoft updated the status of the outage, adding an explanation: "We identified a change that caused an influx of retry requests routed through servers, impacting service availability. To address this, we implemented optimizations to enhance the infrastructure's processing capabilities. These changes have provided incremental relief, and we are closely monitoring the service to ensure stability. Our team is actively performing follow-up actions and will initiate additional workstreams as needed to fully resolve the issue."