Daily Brief
Articles are listed below; see 'DETAILS' for the generated summaries
Total articles found: 12818
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-10-31 18:24:15 | bleepingcomputer | CYBERCRIME | Exploitation of Zero-Day Flaws in PTZ Cameras Risks Security | Hackers are targeting PTZOptics cameras by exploiting two zero-day vulnerabilities, CVE-2024-8956 and CVE-2024-8957.
CVE-2024-8956 involves weak authentication allowing unauthorized CGI API access, exposing sensitive data.
CVE-2024-8957 allows command injection through insufficient input sanitization in the 'ntp.addr' field.
Exploits could lead to complete camera control, bot infection, network pivoting, or video feed disruption.
GreyNoise detected the vulnerabilities using AI-powered detection on honeypots, followed by a failed silent attack.
PTZOptics has issued updates, but some older and newer models remain unpatched and vulnerable.
GreyNoise and VulnCheck coordinated to notify PTZOptics for a responsible disclosure and to ascertain broader device impact.
Users are urged to verify with vendors whether existing patches cover their camera models to mitigate risks. | Details |
| 2024-10-31 18:08:30 | bleepingcomputer | MISCELLANEOUS | Microsoft Offers $30 Delay Option for Windows 11 Upgrade | Microsoft has introduced a $30 Extended Security Updates (ESU) option for Windows 10 home users to delay upgrading to Windows 11 for an additional year.
This paid option lets users keep receiving critical security patches after general support ends on October 14, 2025.
Specialized versions such as Windows 10 IoT Enterprise LTSC and 2016 LTSB will continue receiving updates beyond the 2025 deadline, with support extending as far as January 2032.
Microsoft plans to make the ESU program available to consumers closer to the 2025 end support date and will start offering Enterprise ESUs from November 2025.
The company advises users whose systems meet upgrade requirements to transition to Windows 11 before support ends to ensure device security.
Statcounter Global Stats data indicates that a significant majority (over 62%) of users still operate on Windows 10, compared to 33% on Windows 11.
Microsoft emphasizes the importance of updating to Windows 11, promising to support users through the transition process. | Details |
| 2024-10-31 16:21:17 | bleepingcomputer | MALWARE | Critical Flaw in LiteSpeed Cache Plugin Threatens WordPress Sites | A severe security vulnerability, CVE-2024-50550, was discovered in the LiteSpeed Cache WordPress plugin, affecting over six million sites.
The flaw enables unauthenticated visitors to elevate privileges and gain admin rights through a weak hash check in the plugin's role simulation feature.
Attackers could exploit the security gap to install arbitrary plugins or malware, access databases, and modify web pages.
Security researcher Rafie Muhammad showed that the weak hash values could be brute-forced from a space of only one million possibilities.
The vulnerability was identified by a Taiwanese researcher and reported to security firm Patchstack, who then informed LiteSpeed Technologies.
LiteSpeed responded with an update (version 6.5.2) on October 17, which enhances hash randomness to prevent similar attacks.
Despite the patch, approximately 4 million sites remain unpatched and at risk, as only two million websites have implemented the update to date.
LiteSpeed Cache had multiple security issues this year, including previous vulnerabilities that attackers exploited to compromise WordPress sites. | Details |
| 2024-10-31 15:14:42 | bleepingcomputer | MALWARE | qBittorrent Fixes Long-Standing Remote Code Execution Vulnerability | qBittorrent, a popular open-source BitTorrent client, has patched a remote code execution vulnerability present for over 14 years.
The flaw stemmed from DownloadManager's failure to properly validate SSL/TLS certificates, risking man-in-the-middle (MitM) attacks.
Introduced in a commit from April 2010, the vulnerability was only rectified in the recent release of version 5.0.1 on October 28, 2024.
The security lapse allowed any forged or illegitimate certificate to be accepted, enabling attackers to potentially intercept or alter user data.
The issue was highlighted by Sharp Security in a blog post, noting that the qBittorrent team did not assign a CVE number or adequately inform users about the fix.
Sharp Security outlined multiple risks from this flaw, emphasizing its impact particularly in areas subject to heavy surveillance.
Users are urged to update to the latest version, 5.0.1, to mitigate these risks and ensure secure file sharing and downloading through the application. | Details |
| 2024-10-31 15:04:15 | thehackernews | MALWARE | Enhanced LightSpy Spyware Targets iOS with New Capabilities | Cybersecurity experts identified an updated version of LightSpy spyware affecting iOS devices.
The new version includes extended surveillance features and the ability to render devices inoperable.
LightSpy exploits WebKit vulnerabilities on iOS, utilizing a .PNG file that is actually a Mach-O binary to deploy its payload.
The spyware's capabilities have expanded from 12 to 28 plugins, enabling extensive data harvesting including photos, browser history, and sensitive app data.
Destructive new features allow the spyware to delete user data and even prevent devices from rebooting.
The spyware checks internet connectivity and fetches command-and-control directions using a coordinate system unique to China, implying potential Chinese origin.
Security experts highlight the necessity of regular system updates to protect against such threats and adapt to newly revealed vulnerabilities. | Details |
| 2024-10-31 14:17:55 | thehackernews | CYBERCRIME | LottieFiles Warns of Compromise in "lottie-player" npm Package | LottieFiles discovered that its "lottie-player" npm package was compromised through a supply chain attack.
Malicious versions of the package (2.0.5, 2.0.6, 2.0.7) included code to connect to users' cryptocurrency wallets, potentially draining funds.
Affected users were those using the library via third-party CDNs without a pinned version, automatically receiving the latest, compromised release.
Compromised versions were published on npmjs.com using a stolen developer access token.
LottieFiles has released an updated version, 2.0.8, and has removed the malicious versions from the npm repository.
The company has activated its incident response plan and is working with an external team to investigate the breach. | Details |
| 2024-10-31 14:12:32 | bleepingcomputer | CYBERCRIME | Supply Chain Attack on LottieFiles Leads to Crypto Theft | LottieFiles' Lottie-Player project was compromised in a supply chain attack, injecting a crypto drainer into websites.
An estimated $723,000 in Bitcoin was stolen from at least one victim due to the compromised library.
Affected versions of the Lottie Web Player include 2.0.5, 2.0.6, and 2.0.7, with malicious code that drains cryptocurrency wallets.
LottieFiles responded by releasing a clean version 2.0.8 and advised users to update or remain on the safe version 2.0.4.
Users of the library through third-party CDNs received the compromised version as the latest release until the fix was published.
The attack involved stolen developer authentication tokens used to upload the malicious versions.
LottieFiles is investigating the breach with external experts and stated that other libraries and repositories were not affected.
Crypto drainers pose a widespread problem in the cryptocurrency community, with increasing incidents and losses. | Details |
| 2024-10-31 13:00:59 | bleepingcomputer | CYBERCRIME | Over 1000 Shops Hacked in Ongoing 'Phish n' Ships' Scam | A phishing campaign named 'Phish n' Ships' has targeted over a thousand online stores since 2019, creating fake product listings.
Unsuspecting consumers are redirected to fraudulent stores that steal personal data and payments, never delivering the promised products.
The Satori Threat Intelligence team discovered the campaign, estimating it affected hundreds of thousands of victims and caused losses into the tens of millions.
The attackers used SEO techniques on fake listings to attract traffic via Google search, enhancing the reach of their scam.
Compromised sites, connected through fourteen identified IP addresses, engage victims in phony transactions to capture credit card details.
Despite recent efforts to curb the scam by removing malicious listings and shutting down compromised payment accounts, the threat actors continue adapting.
HUMAN and partners have actively worked to disrupt the scam by contacting affected organizations and cleaning up search results.
Consumers are advised to remain vigilant about unusual redirects on e-commerce sites, verify URLs before purchases, and report any suspicious activities to their banks. | Details |
| 2024-10-31 11:59:27 | theregister | CYBERCRIME | LottieFiles Developer Account Hack Drains User Crypto Wallets | LottieFiles suffered a security breach when a highly privileged developer account was compromised via a stolen session token.
Attackers injected malicious code into LottiePlayer, a popular website animation plugin, which prompted users to connect their crypto wallets to an external infrastructure.
In a short span, three corrupted updates of LottiePlayer were pushed to the npmjs package manager, affecting websites that automatically load the latest version.
Users reported unexpected popups while visiting websites employing LottiePlayer, asking them to connect their wallets to the attackers' setup.
The malicious activity was identified and addressed on October 30th, with the release of a safe version (2.0.8) following an immediate incident response.
External security experts helped in mitigating the attack, ensuring that other LottieFiles services and repositories remained unaffected.
Although the exact number of victims is undisclosed, the popularity of LottiePlayer (94,000 weekly downloads) suggests a potentially wide impact.
A related transaction spotted by Web3 security platform Scam Sniffer indicated a significant loss, with one user reportedly losing 10 Bitcoin due to the attack. | Details |
| 2024-10-31 11:03:08 | bleepingcomputer | MISCELLANEOUS | Cynet's Security Platform Achieves 426% ROI, Study Reveals | The Forrester Total Economic Impact™ Study, commissioned by Cynet, calculated a 426% return on investment for Cynet’s All-in-One Cybersecurity Platform, with total savings of $2.73 million.
Cynet's cybersecurity solution replaced multiple standalone tools, saving users $280,000 by consolidating licensing and maintenance costs over three years.
The integrated platform prevented data breaches, saving customers $933,000 by avoiding related losses through effective detection and response capabilities.
The study highlighted a reduction in effort for investigation and incident reporting by 88%, translating into $349,000 in savings.
Cynet’s seamless orchestration of cybersecurity components led to an additional $1.8 million in savings, eliminating the need for separate SOAR solutions.
Beyond quantifiable savings, the platform provided intangible benefits such as improved work-life balance for IT staff, faster onboarding, and simplified training processes.
The platform’s effectiveness was underscored by achieving 100% detection and analytic coverage in the latest MITRE ATT&CK Evaluations, a first for any vendor.
The report encourages SMEs and managed service providers to consider Cynet for comprehensive, cost-effective cybersecurity solutions. | Details |
| 2024-10-31 10:32:20 | thehackernews | DATA BREACH | Corporate Identity Risks Highlighted in 2024 Threat Report | The "Enterprise Identity Threat Report 2024" indicates significant vulnerabilities in corporate identity management, based on unique data from the LayerX Browser Security platform.
A key finding is that 2% of users cause the majority of identity-related security risks by using compromised credentials and appearing frequently in public data breaches.
The report uncovers that 67.5% of corporate logins bypass Single Sign-On (SSO) protections, and 42.5% of SaaS application logins occur through personal accounts.
It reveals a concerning statistic that 54% of corporate passwords are weak, potentially crackable in under 30 minutes with current tools.
A staggering 66.6% of browser extensions are found to have high or critical risk permissions, posing a considerable threat to user data and corporate credentials.
Traditional security tools, including Secure Web Gateways (SWGs), are becoming less effective against sophisticated techniques used by attackers to exploit browser vulnerabilities.
The findings emphasize the urgent need for businesses to revise their approach to identity security, particularly in environments heavily reliant on browser-based and remote access. | Details |
| 2024-10-31 10:26:58 | thehackernews | MALWARE | Critical Vulnerability Found in LiteSpeed Cache Plugin for WordPress | A critical security flaw, designated as CVE-2024-50550, was identified in the LiteSpeed Cache plugin for WordPress, affecting over six million sites globally.
The vulnerability allows unauthenticated users to escalate privileges, potentially gaining administrator access and enabling malicious activities such as uploading harmful plugins.
The flaw is related to earlier issues: weak security hash checks that could be brute-forced, enabling unauthorized simulation of a logged-in administrator.
LiteSpeed has issued a fix in version 6.5.2 of the plugin, addressing the flaw by removing the role simulation process and enhancing the hash generation mechanism.
The issue underscores the crucial need for strengthening security measures in plugins, specifically around the unpredictability and strength of hash values.
CVE-2024-50550 marks the third disclosed vulnerability in LiteSpeed's plugin within a two-month span, following two other significant security flaws.
Ongoing legal issues between WordPress's parent company Automattic and WP Engine are causing concern over plugin management and updates, with a risk of plugins being abandoned or not updated.
Patchstack emphasizes the importance for users to stay informed via reliable channels to ensure they download essential updates, particularly when plugins are removed from the WordPress.org repository. | Details |
| 2024-10-31 09:04:50 | bleepingcomputer | CYBERCRIME | LottieFiles Compromised to Steal Cryptocurrency via Malicious npm Packages | LottieFiles identified malicious code in their npm package versions 2.0.5, 2.0.6, and 2.0.7, which were published recently.
The compromised versions of the Lottie Web Player were prompting users to link their cryptocurrency wallets, facilitating unauthorized asset transfers.
LottieFiles released a clean update (version 2.0.8) soon after discovery and advised users to install it immediately to avoid theft.
Users of unpinned versions via third-party CDNs were exposed to the risk automatically but received the updated safe version once it was published.
The developer account responsible for uploading the compromised versions has been blocked, and all associated tokens have been revoked.
LottieFiles confirmed that their SaaS services, other open source libraries, code repositories, and GitHub were not affected by this incident.
The company continues to investigate the compromise with external experts, and further details are expected to be released. | Details |
| 2024-10-31 08:27:22 | theregister | MISCELLANEOUS | Australian Police Arrest Man Smuggling Meth in PC Cases | Australian Federal Police (AFP) and Australian Border Force (ABF) apprehended a Malaysian national in Sydney for importing PC tower cases filled with methamphetamine.
The shipment arrived in Sydney by air on October 16; the ABF flagged it for irregularities, and it tested positive for drugs.
Approximately 100 kilograms of methamphetamine, equivalent to one million street deals, were concealed in the modified PC cases.
Despite the drugs' detection, authorities allowed the shipment to be delivered as planned to facilitate the suspect's arrest upon collection.
The man has been charged with attempting to possess a commercial quantity of border-controlled drugs.
Acting AFP superintendent Stuart Millen emphasized that criminals often use innovative methods to hide illegal substances, though in this case, the choice of a PC case was not deemed particularly creative.
The incident underscores continuing challenges in intercepting drug smuggling, even with seemingly obvious concealment methods. | Details |
| 2024-10-31 05:38:31 | theregister | NATION STATE ACTIVITY | Chinese Cyber-Operations Penetrate Canadian Government Networks | Chinese state-backed cyber actors accessed Canadian government networks over five years, collecting valuable information aimed at high-level political and commercial objectives.
The biennial National Cyber Threat Assessment by Canada's Communications Security Establishment labels China’s cyber activities as "second to none," focusing on espionage, intellectual property theft, and transnational repression.
At least 20 Canadian government networks were compromised; all known breaches have reportedly been resolved, but the campaign shows the significant resources dedicated to these intrusions.
Tensions between Canada and the People's Republic of China have intensified cyber operations, with China seeking intelligence on Canada’s diplomatic and strategic responses.
Canada's private sector has also been targeted, with sensitive commercial data being stolen, likely to support China’s economic and military advancements.
The report also reveals the emergence of India as a significant cyber threat, likely driven by recent diplomatic strains between Canada and India, including accusations against the Indian government by Canadian Prime Minister Justin Trudeau.
Russian and Iranian cyber threats continue, while motivated hacktivism from various sources adds complexity and potential disruption to Canada's critical infrastructure. | Details |