SEC Breach Reports Could Be More Useful; Class Action Over Photobucket Images in AI Training; Microsoft Addresses MFA Bypass Issue; and Lots of Security Updates

According to a report from BreachRX, the US Securities and Exchange Commission's (SECÕs) breach reporting rules are not doing much to improve incident transparency. The rules, which took effect late last year, require public companies to disclose 'material' cyber incidents within four days of detection, and to include information about their cybersecurity strategies in their annual reports. BreachRX examined 71 8-K filings and 400 10-K filings; they 'found confusion and caution on whether and when to file and a general failure to provide enough information that could effectively protect companies from future SEC enforcement actions.'

Photobucket is facing a class-action lawsuit that seeks to prevent the company from selling users' photographs to AI companies without first obtaining written consent. The complaint states 'The photos at issue, amounting to over 13 billion images, were entrusted to Photobucket over the course of almost two decades beginning in the early aughts - years before technologies like generative AI and biometrics existed outside of science fiction.' The litigation seeks to protect both people who uploaded photos to Photobucket as well as people in those photographs. The lawsuit seeks damages not only from Photobucket, but also from the unknown AI companies that purchased the data.

Researchers at Oasis Security developed a way to bypass Microsoft multi-factor authentication (MFA) that could have been exploited to 'gain unauthorized access to the user's account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.' Oasis reported the issue to Microsoft in late June, and a temporary fix was released in early July. Microsoft released a permanent fix in early October.

On Tuesday, December 10, Microsoft released updates to address more than 70 vulnerabilities, 16 of which are considered critical. One of the vulnerabilities, a high-severity elevation of privilege issue in Windows Common Log File System Driver, was previously disclosed and is being actively exploited. Also on Tuesday, December 10, Adobe released updates to address more than 160 vulnerabilities across their product lines, including Adobe Experience Manager, Connect, Adobe Animate, and Acrobat and Reader.

A zero-day flaw in secure file transfer products managed by B2B software provider Cleo was observed under exploit in the wild by researchers since early December, and received a patch on December 11. Cleo serves "more than 4,200 customers from multiple industries such as logistics and transportation, manufacturing, and wholesale distribution ... Some recognizable names include Brother, New Balance, Duraflame, TaylorMade, Barilla America, and Mohawk Global." This new vulnerability, which "allows unrestricted file upload and downloads [and] leads to remote code execution," has a CVE designation pending, and its exploitation constitutes a bypass of Cleo's October patch for CVE-2024-50623, "an unauthenticated remote code execution (RCE) flaw in versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.21." Researchers at Huntress observed over 1,700 affected servers, but estimate the actual number is likely much higher, affecting at least ten of Cleo's customers in the US and North America. The flaw and malware payloads involved are currently being analyzed by researchers. Cleo urges customers to upgrade to the patched release: Harmony, VLTrader, and LexiCom version 5.8.0.24, and "advises those who cannot immediately upgrade to disable the Autorun feature by going into the System Options and clearing out the Autorun directory (this will not block incoming attacks but will reduce the attack surface)."

In Ivanti's December Security Update on Tuesday, December 10, the company disclosed vulnerabilities affecting a handful of their products including three notably high and critical-severity flaws in the Cloud Service Application (CSA) in versions older than 5.0.3. CVE-2024-11639 is rated CVSS 10.0, and is "an authentication bypass in the admin web console ... allow[ing] a remote unauthenticated attacker to gain administrative access." CVE-2024-11772 is rated CVSS 9.1, and involves "command injection in the admin web console ... allow[ing] a remote authenticated attacker with admin privileges to achieve remote code execution." CVE-2024-11773 is also rated CVSS 9.1, and employs "SQL injection in the admin web console ... allow[ing] a remote authenticated attacker with admin privileges to run arbitrary SQL statements." These flaws are fixed in CSA 5.0.3. Ivanti has not observed any of the newly disclosed vulnerabilities being exploited. The update mentions that the company is ramping up "internal scanning, manual exploitation and testing capabilities," predicting "a natural and intended increase in disclosure."

Apple has released updates to address at least 46 vulnerabilities in iOS and iPadOS, macOS, watchOS, tvOS, visionOS, and Safari. Users are urged to update to iOS iPadOS 18.2; iPadOS 17.7.3; macOS Sequoia 15.2; macOS Sonoma 14.7.2; macOS Ventura 13.7.2; watchOS 11.2; tvOS 18.2; and visionOS 2.2.

Cyber attackers are exploiting a critical flaw in the Hunk Companion plugin for WordPress to install other plugins with known vulnerabilities. The issue, which 'allows unauthenticated POST requests to install and activate plugins directly from the WordPress.org repository' was detected by WPScan, who reported their findings to Hunk Companion developers in late November. A fix was released on December 10. The flaw affects the Hunk Companion plugin prior to version 1.9.0.

In a move Ars Technica characterizes as "more symbolic than practical," Mozilla has announced that in Firefox version 135, set to release February 4, 2025, the browser's feature for sending websites a "Do Not Track" request will be removed. "Do Not Track" is not a direct block, but a standard developed in 2011 by the World Wide Web Consortium by which users may register their preference not to be tracked. After more than a decade of opposition from advertisers, lack of policy or enforcement, and unrelenting evolution of tracking technology, Mozilla's support page notes that "many sites do not respect this indication of a person's privacy preferences, and, in some cases, it can reduce privacy." Another checkbox will remain, labeled, "Tell websites not to sell or share my data." This option invokes 2020's Global Privacy Control (GPC), a similar mechanism that aligns with privacy laws in the EU and California, and with certain provisions in other US states. Neither Google Chrome nor Chromium support GPC communication without extensions.

A cyberattack disclosed by Romanian power supplier Electrica on December 9 has now been acknowledged as the work of LYNX ransomware. The Romanian National Directorate of Cybersecurity (DNSC) published an IoC advisory on December 11 confirming the statement from Electrica's CEO that critical systems remain unaffected and functional, also providing guidance for any energy sector systems affected by ransomware attacks. The text of the advisory includes a YARA script that the DNSC suggests energy providers use to scan for malware. Guidance includes a strong recommendation to never pay ransoms, as well as a list of mitigation measures: identify and isolate affected systems; keep on file any messages from attackers and any logs for analysis and examination; communicate promptly with employees, customers, and business partners; investigate decryption tools; sanitize and restore systems from a backup if possible; and ensure systems and applications are up to date.

Krispy Kreme has been suffering an ongoing cyberattack discovered on November 29. The company's 8-K filing with the Securities and Exchange Commission (SEC) states that "unauthorized activity" and subsequent operational disruptions to online ordering are "reasonably likely to have a material impact on the Company's business operations." Stores remain open, and retail and restaurant deliveries are not affected. Krispy Kreme holds cybersecurity insurance, but only "a portion of the costs" may be covered during ongoing remediation, mitigation, and investigation by cybersecurity experts.