Apple’s urgent patch: Are you safe?

CybersecurityHQ News

Welcome reader to your CybersecurityHQ report

Brought to you by:

Cypago enables strategic decision making through a full Cyber GRC product suite that helps you avoid reputational damage and financial or client-trust losses.


Pentagon, Microsoft Probe Major Cloud Breach

The US Defense Department and Microsoft are investigating a major security lapse that exposed at least a terabyte of sensitive military emails stored on Microsoft’s Azure cloud service. The data, which included personal information, conversations between Pentagon officials, and completed SF-86 security clearance forms, was accessible without a password due to a configuration error. The source of the error remains unclear, with blame potentially lying with either Microsoft or a Pentagon employee.

The Pentagon’s Cyber Command is leading the investigation alongside Microsoft, but there is no evidence yet that the data was accessed maliciously. The incident has raised concerns about the security of the Pentagon’s ongoing transition to commercial cloud-computing systems. A recent report from the Pentagon Inspector General warned of vulnerabilities associated with cloud storage.

This breach could impact Microsoft’s standing in future government contracts, including a $9 billion cloud-computing deal it is currently vying for against Alphabet, Oracle, and Amazon. Microsoft’s reputation has taken several recent hits—including Congress’s recent rejection of a $400 million Army contract for combat goggles due to performance issues.

Critical Cyber Risks in Water

More than 300 drinking water systems in the US are affected by cyber vulnerabilities, according to an Environmental Protection Agency (EPA) report (PDF). The assessment looked at 1,062 drinking water systems, which serve a combined 193 million people. It found that nearly a third were exposed to denial-of-service attacks, loss of functionality, and data breaches.

The report looked at five different security categories: IT hygiene, vulnerabilities, adversarial threats, email, and malicious activity.

Of the systems surveyed, 97 (serving 27 million people) were found to have critical and high-severity issues, while 211 more (serving 83 million) had issues of lower severity.

Making matters more precarious, while the EPA oversees the safety of water systems, it does not have a cybersecurity incident reporting system in place for water and wastewater systems. Instead, the EPA relies on the Cybersecurity and Infrastructure Security Agency to collect these reports, but there isn't even a documented set of policies and procedures to coordinate between the two agencies.

Critical Infrastructure Faces Cyber Crisis

In other infrastructure news, the Australian Signals Directorate (ASD) released a report on Wednesday stating that over 11% of cybersecurity incidents in the country last year targeted critical infrastructure. That includes electricity, gas, water, education, and transportation services.

The ASD also included a few other staggering stats. The number of security hotline calls has jumped 12% since 2022-23, and the average cost of a cybersecurity incident has risen 8% for small businesses and 17% for individuals.

This is the landscape in which the Australian government is investing AUD 20 billion over the coming decade as part of the 2024 Defence Integrated Investment Program.

Minister for Defence Richard Marles referred to the report, saying, “[It] comes amid a continued deterioration in Australia’s strategic environment. In this context, ASD plays a key role in countering threats in the cyber domain. The continued cooperation of Australian businesses and individuals is also crucial to defending our country from cyber threats.”

Chinese Hacks Threaten U.S. Telecoms

The story of Chinese hacking of American telecoms continues. The US Senate Judiciary Subcommittee on Technology, chaired by Senator Richard Blumenthal, will hold a hearing addressing the growing threat of Chinese hacking, particularly the recent breaches of telecommunications companies. The hearing will examine the impact on national security, democracy, and the economy, with expert testimony from cybersecurity leaders including Adam Meyers of CrowdStrike and David Stehlin of the Telecommunications Industry Association.

The session also raises concerns about Elon Musk's potential conflicts of interest with China, given his business ties and increasing involvement in government affairs. Musk’s ventures, including Tesla and SpaceX, have drawn scrutiny over his activities in China, including proposals to deploy Tesla’s driver-assistance technology in the country.

The hearing follows revelations of China-linked hackers infiltrating U.S. telecom networks, intercepting sensitive surveillance data, and targeting call records of individuals involved in government and political activity. These breaches include alleged attempts to monitor political figures like Donald Trump and JD Vance. The FBI and CISA confirmed the incidents, warning of vulnerabilities in U.S. telecom infrastructure.

Beijing denies the allegations, but bipartisan lawmakers have demanded accountability from major US telecom providers, including AT&T, Verizon, and Lumen Technologies, as concerns mount over cybersecurity risks tied to foreign adversaries.

Leadership Shift Ahead for CISA

New leadership is coming to CISA in the US. Its current director, Jen Easterly, is leaving after a three-year tenure. Her departure, along with that of deputy director Nitin Natarajan, will take effect on January 20, with the beginning of the new Trump administration.

Easterly is only the second person to hold the office. She was brought in by the Biden Administration in 2021, after then-President Trump fired its first holder, Chris Krebs, for debunking claims about the 2020 election. The seat was left open for eight months.

That’s made Easterly an important early leader in CISA’s short history (the agency was only established in 2018). She launched initiatives like the Joint Cyber Defense Collaborative (JCDC) to foster public-private partnerships for collective defense. And her Secure by Design Initiative promoted security-first development in technology in the private sector.

She helped promulgate the Cross-Sector Cybersecurity Performance Goals (CPGs) to reduce risks across critical infrastructure and established the Known Exploited Vulnerabilities (KEV) catalog to track active threats. In 2024, Easterly launched the Vulnrichment program, enhancing vulnerability management with contextual data.

Finastra Data Breach Exposes 400GB

Finastra, a leading financial software provider serving major global banks, is investigating a data breach involving its internal Secure File Transfer Platform (SFTP). Detected on November 7, the breach reportedly led to the exfiltration of 400GB of data, including client files and internal documents, as claimed by a hacker on a cybercrime forum. Finastra confirmed the breach to customers on November 8 but has not disclosed how many clients or what data types were affected.

The stolen data is alleged to have originated from IBM Aspera, a file-transfer product. Finastra suspects the breach was enabled by compromised credentials, though it is unclear whether multi-factor authentication was in place. The company is working to identify impacted customers and products while continuing its investigation into the breach's root cause. A managed file-transfer platform exists to move client files in and out, so a single set of valid credentials hands an attacker a ready-made exfiltration channel; that is why MFA on such systems and alerting on unusual transfer volumes deserve the same priority as patching.

Apple Urgently Patches Exploited Vulnerabilities

Apple’s latest security updates are urgently “recommended for all users.” The update fixes two major vulnerabilities that “may have been actively exploited on Intel-based Mac systems.”

The updates cover Macs, iPhones, and iPads, including devices still on iOS 17. They fix flaws in WebKit and JavaScriptCore, the rendering and JavaScript engines behind Apple's Safari browser. On iPhones and iPads, third-party browsers and in-app web views are also built on WebKit, so the exposure is not limited to people who use Safari.

There are no details yet about who has been affected or whether any systems were compromised. We only know that the flaws were discovered by Google's Threat Analysis Group. Because that team typically focuses on government-backed threat actors, some analysts assume that a state-sponsored hacking group was behind the zero-day exploitation.

Zero-Day Fixes: Urgent Action Needed

Apple isn’t the only company working hard to fix zero-day vulnerabilities that are being exploited in the wild. The other major names dropping fixes this week are Oracle, Palo Alto Networks, and Fortinet.

Oracle recently patched a high-severity zero-day vulnerability (CVE-2024-21287) in its Agile Product Lifecycle Management (PLM) software, which lets unauthenticated attackers with network access read critical data. The flaw has been exploited in the wild, so customers should apply the security update immediately. Agile PLM, whose support is scheduled to end in 2027, remains an attractive target.

Palo Alto Networks, tracking the activity as "Operation Lunar Peek," addressed two zero-days in its PAN-OS firewalls: a critical authentication bypass (CVE-2024-0012) and a privilege escalation flaw (CVE-2024-9474). Chained together, they let attackers tamper with configurations and gain root access, primarily on firewalls whose management interfaces were exposed. Organizations are advised to restrict management-interface access to trusted internal IP addresses, keep it off the internet entirely, and apply the updates promptly.

Fortinet faces exploitation of an unpatched zero-day in its Windows VPN client by the China-linked APT group "BrazenBamboo," using the DeepData malware framework. DeepData uses the flaw to lift VPN credentials left in the client's process memory and steals other sensitive data as well. With no fix available at the time of writing, defenders should treat VPN credentials on any endpoint running that client as exposed once the endpoint is compromised, and rotate them. BrazenBamboo's broader toolkit includes the LightSpy malware, which targets multiple operating systems, reflecting the group's extensive resources and operational expertise.


Interesting Read

[Source: Bill Napier]

Bill Napier’s latest piece on Medium looks at Zero Trust and Attribute-Based Encryption (ABE). Included with the article is a podcast episode where he sits down to speak with the co-inventor of ABE.

The post explains how Zero Trust principles and ABE can work together to enhance security, and it does so by first explaining exactly how ABE works. In ABE, an access policy over user attributes is bound into the ciphertext (or into the key), and decryption succeeds only when the user's attribute set satisfies that policy, so the access decision is enforced by the cryptography itself rather than by a server that has to be trusted.

Napier explains how these strategies can be applied together to secure environments like cloud systems and hybrid workplaces. 
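To make the mechanism concrete, here is an added Python sketch of the access-structure half of ciphertext-policy ABE. It is not code from Napier's article or from any ABE library: a secret is split over a policy tree with Shamir sharing, one share per attribute leaf, and the data key is recovered exactly when a user's attributes satisfy the policy. Real CP-ABE blinds each share with a per-user random value via bilinear pairings, which is what stops users pooling their keys; this stdlib-only toy omits that step, has no collusion resistance, uses a SHA-256 XOR stream as a stand-in for a real AEAD, and is not usable cryptography. The field prime, the policy, and the attribute names are constructed for the demonstration.

```python
import hashlib
import secrets
from dataclasses import dataclass

P = 2**127 - 1  # prime field for Shamir sharing (assumed; any large prime works)


@dataclass(frozen=True)
class Gate:  # policy-tree node: a leaf attribute, or a k-of-n threshold gate
    attr: str = ""
    k: int = 0
    children: tuple = ()


def leaf(name):       return Gate(attr=name)
def AND(*c):          return Gate(k=len(c), children=tuple(c))
def OR(*c):           return Gate(k=1, children=tuple(c))
def threshold(k, *c): return Gate(k=k, children=tuple(c))


def _poly(coeffs, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P


def share_secret(gate, secret, shares=None, path="root"):
    """Each k-of-n gate picks a random degree-(k-1) polynomial q with
    q(0)=secret and hands child i the share q(i); leaves keep one share."""
    if shares is None:
        shares = {}
    if gate.attr:
        shares[path] = (gate.attr, secret)
        return shares
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(gate.k - 1)]
    for i, child in enumerate(gate.children, start=1):
        share_secret(child, _poly(coeffs, i), shares, f"{path}/{i}")
    return shares


def _interpolate_at_zero(points):
    """Lagrange interpolation of q(0) over GF(P)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover(gate, usable, path="root"):
    """Rebuild the gate's secret from the shares this user may use, or return
    None when the user's attributes do not satisfy the subtree."""
    if gate.attr:
        return usable.get(path)
    points = []
    for i, child in enumerate(gate.children, start=1):
        v = recover(child, usable, f"{path}/{i}")
        if v is not None:
            points.append((i, v))
            if len(points) == gate.k:
                return _interpolate_at_zero(points)
    return None


def _xor_stream(key, data):
    """Placeholder for a real AEAD: SHA-256 counter keystream XORed over data."""
    ks = b"".join(hashlib.sha256(key + n.to_bytes(4, "big")).digest()
                  for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


@dataclass(frozen=True)
class Ciphertext:
    policy: Gate
    shares: dict   # path -> (attribute, share); public, as in CP-ABE
    body: bytes


def encrypt(policy, plaintext):
    s = secrets.randbelow(P)
    key = hashlib.sha256(s.to_bytes(16, "big")).digest()
    return Ciphertext(policy, share_secret(policy, s), _xor_stream(key, plaintext))


def decrypt(ct, user_attrs):
    # Real CP-ABE makes a share usable only via a pairing with the user's issued
    # key; the toy just filters by attribute name, so only the policy logic is shown.
    usable = {p: v for p, (a, v) in ct.shares.items() if a in user_attrs}
    s = recover(ct.policy, usable)
    if s is None:
        raise PermissionError("attributes do not satisfy the ciphertext policy")
    return _xor_stream(hashlib.sha256(s.to_bytes(16, "big")).digest(), ct.body)


# Constructed policy and users for the demo (hypothetical attribute names).
POLICY = OR(
    AND(leaf("role:clinician"), leaf("dept:cardiology")),
    threshold(2, leaf("role:auditor"), leaf("clearance:secret"), leaf("site:hq")),
)
USERS = {
    "cardiologist": {"role:clinician", "dept:cardiology"},
    "oncologist":   {"role:clinician", "dept:oncology"},
    "hq auditor":   {"role:auditor", "site:hq"},
    "lone auditor": {"role:auditor"},
}


def demo(plaintext=b"patient 4711: ECG flagged for review"):
    """Return {user: recovered plaintext, or None when the policy rejects them}."""
    ct = encrypt(POLICY, plaintext)
    out = {}
    for who, attrs in USERS.items():
        try:
            out[who] = decrypt(ct, attrs)
        except PermissionError:
            out[who] = None
    return out
```

Running `demo()` shows the cardiologist and the HQ auditor recovering the plaintext while the oncologist and the lone auditor get nothing, because neither holds a set of shares that lets any gate on the path to the root interpolate. The XOR keystream and the name-based share filtering are the two places a real deployment relies on actual cryptography (an AEAD and the pairing-based key, respectively); the tree-walking and Lagrange reconstruction are the part that carries over unchanged.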


Stay Safe, Stay Secure.

The CybersecurityHQ Team
