👉 What’s going on in the cyber world today?
🚨 Cyber Alerts
A threat group tracked as EC2 Grouper has been abusing legitimate AWS tooling and compromised credentials to target cloud environments. Observed by Fortinet researchers, the group uses PowerShell scripts, unique user agent strings, and a distinctive naming convention for the security groups it creates, such as “ec2group” and its variants. Its activity relies on AWS APIs such as DescribeInstanceTypes and DescribeRegions for reconnaissance before provisioning resources, while skipping the calls that would normally configure inbound access to those resources (authorizing security group ingress). That omission is itself a hunting signal: security groups that are created but never receive an inbound rule are unusual for legitimate administrators.
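As an added illustration (this is not Fortinet's detection logic and not code from the original brief), the following JavaScript hunts CloudTrail records for the pattern described above: security groups named like “ec2group”, DescribeRegions and DescribeInstanceTypes reconnaissance, instance launches, and the absence of AuthorizeSecurityGroupIngress. The regular expression for name variants, the scoring rule and the sample records are constructed assumptions, not real telemetry.

```javascript
// Added example: a CloudTrail hunt for the EC2 Grouper pattern described above.
// This is not Fortinet's detection logic; it encodes only the indicators the write-up
// gives (security groups named like "ec2group", DescribeRegions/DescribeInstanceTypes
// reconnaissance, instance provisioning, no inbound-rule calls). The regex for name
// variants and the sample records below are constructed assumptions, not real telemetry.

const SG_NAME_PATTERN = /^ec2group\d*$/i;                 // "ec2group", "ec2group1", ... (assumed shape)
const RECON_CALLS = new Set(['DescribeRegions', 'DescribeInstanceTypes']);
const INBOUND_RULE_CALLS = new Set(['AuthorizeSecurityGroupIngress']);

/** Group CloudTrail records by the access key that issued them and score each key. */
function huntEc2Grouper(records) {
  const byKey = new Map();
  for (const r of records) {
    const key = r.userIdentity?.accessKeyId ?? r.userIdentity?.arn ?? 'unknown';
    if (!byKey.has(key)) {
      byKey.set(key, { accessKeyId: key, regions: new Set(), recon: new Set(),
                       sgNames: [], ranInstances: false, inboundRules: 0 });
    }
    const s = byKey.get(key);
    s.regions.add(r.awsRegion);
    if (RECON_CALLS.has(r.eventName)) s.recon.add(r.eventName);
    if (r.eventName === 'CreateSecurityGroup') {
      const name = r.requestParameters?.groupName ?? '';
      if (SG_NAME_PATTERN.test(name)) s.sgNames.push(name);
    }
    if (r.eventName === 'RunInstances') s.ranInstances = true;
    if (INBOUND_RULE_CALLS.has(r.eventName)) s.inboundRules += 1;
  }

  const findings = [];
  for (const s of byKey.values()) {
    const reasons = [];
    if (s.sgNames.length > 0) reasons.push(`security group(s) named like ec2group: ${s.sgNames.join(', ')}`);
    if (s.recon.size === RECON_CALLS.size) reasons.push('DescribeRegions and DescribeInstanceTypes reconnaissance');
    if (s.ranInstances && s.inboundRules === 0) reasons.push('RunInstances with no AuthorizeSecurityGroupIngress');
    // The naming convention alone is weak; require at least one behavioural indicator as well.
    if (s.sgNames.length > 0 && reasons.length >= 2) {
      findings.push({ accessKeyId: s.accessKeyId, regions: [...s.regions].sort(), reasons });
    }
  }
  return findings;
}

// Constructed sample records in CloudTrail's field layout (eventName, awsRegion,
// userIdentity, requestParameters). The access key IDs are placeholders.
const record = (accessKeyId, eventName, extra = {}) => ({
  eventSource: 'ec2.amazonaws.com',
  eventName,
  awsRegion: 'us-east-1',
  userIdentity: { type: 'IAMUser', accessKeyId },
  requestParameters: {},
  ...extra,
});

const SAMPLE_RECORDS = [
  record('AKIASTOLENKEY00EXAMPLE', 'DescribeRegions'),
  record('AKIASTOLENKEY00EXAMPLE', 'DescribeInstanceTypes', { awsRegion: 'eu-west-1' }),
  record('AKIASTOLENKEY00EXAMPLE', 'CreateSecurityGroup',
         { awsRegion: 'eu-west-1', requestParameters: { groupName: 'ec2group' } }),
  record('AKIASTOLENKEY00EXAMPLE', 'CreateSecurityGroup',
         { awsRegion: 'eu-west-1', requestParameters: { groupName: 'ec2group1' } }),
  record('AKIASTOLENKEY00EXAMPLE', 'RunInstances', { awsRegion: 'eu-west-1' }),
  // A legitimate administrator: a normally named group that gets an inbound rule.
  record('AKIAADMINKEY000EXAMPLE', 'CreateSecurityGroup', { requestParameters: { groupName: 'web-frontend-sg' } }),
  record('AKIAADMINKEY000EXAMPLE', 'AuthorizeSecurityGroupIngress'),
  record('AKIAADMINKEY000EXAMPLE', 'RunInstances'),
];

console.log(JSON.stringify(huntEc2Grouper(SAMPLE_RECORDS), null, 2));
```

Run against an Athena or CloudTrail Lake export of ec2.amazonaws.com events over a day or two; the stolen key above is flagged on all three indicators, the administrator is not. Tune SG_NAME_PATTERN to the variants you actually observe, since the brief only names the “ec2group” base form.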
Nitrogen ransomware has been gaining momentum since its emergence, hitting sectors including construction, financial services, manufacturing, and technology. It primarily spreads through malicious search-engine ads that redirect users to fake software download sites. Once the downloaded installer is run, the malware establishes persistence and stages further activity inside the network before encrypting files, appending the .NBA extension and dropping a ransom note that warns of data theft and threatens to publish the stolen data if the ransom is not paid.
A newly disclosed technique, DoubleClickjacking, uses a timing-based sequence to bypass clickjacking protections on major websites, allowing attackers to trigger account takeovers with minimal user interaction. Coined by researcher Paulos Yibelo, it exploits the gap between the first and second clicks of a double-click: the first click is captured on an attacker-controlled window, and the UI is swapped underneath the pointer so that the second click lands on a sensitive control of the real, top-level target page. Because the victim’s click is delivered to the genuine site rather than to a framed copy of it, frame-based defences such as X-Frame-Options and SameSite cookie restrictions do not help.
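Because frame-based headers do not stop this, the defence has to live in the page itself. The JavaScript below is an added example (not code from the original brief or from Paulos Yibelo’s write-up): a “gesture-armed” guard that only lets a sensitive button accept a click once the user has moved the pointer or pressed a key on this page, and never within a short dwell time of the window gaining focus. The decision logic is kept as a plain object so it can be exercised outside a browser; the DOM wiring at the bottom runs only when a document exists. The 500 ms threshold and the timings in the simulated sequences are assumptions.

```javascript
// Added example, not code from the original article or from Paulos Yibelo's write-up.
// A "gesture-armed" guard for sensitive buttons: a click is accepted only after the user
// has moved the pointer or pressed a key on *this* page, and never within a short dwell
// time of the window gaining focus. The threshold is an assumption.

function createDoubleClickGuard({ minDwellMs = 500 } = {}) {
  let armed = false;      // true once a deliberate gesture was seen on this page
  let focusedAt = null;   // timestamp of the last load/focus of this window

  return {
    onFocus(now) { focusedAt = now; armed = false; },  // new page or refocus: must re-arm
    onMove() { armed = true; },
    onKey() { armed = true; },
    shouldAccept(now) {
      if (!armed) return false;                                        // no gesture yet
      if (focusedAt !== null && now - focusedAt < minDwellMs) return false; // too soon after focus
      return true;
    },
  };
}

// Replay of the sequence the technique relies on (assumed timings): the victim's first
// click happens on the attacker's window, the target page then becomes the top window,
// and the second half of the double-click arrives about 100 ms later with no pointer
// movement on the target page in between.
function simulateAttack(guard) {
  guard.onFocus(50);               // target page (e.g. a consent screen) gains focus
  return guard.shouldAccept(150);  // second click lands on its sensitive button
}

// A real user: the page loads, the pointer travels to the button, then the click.
function simulateLegitimateUser(guard) {
  guard.onFocus(0);
  guard.onMove();
  return guard.shouldAccept(800);
}

// Browser wiring; skipped when there is no DOM (e.g. when run under Node).
if (typeof document !== 'undefined') {
  const guard = createDoubleClickGuard();
  guard.onFocus(performance.now());
  window.addEventListener('focus', () => guard.onFocus(performance.now()));
  document.addEventListener('mousemove', () => guard.onMove());
  document.addEventListener('keydown', () => guard.onKey());
  // Capture phase so the guard runs before the button's own handlers.
  document.querySelectorAll('form button, form input[type="submit"]').forEach((btn) => {
    btn.addEventListener('click', (ev) => {
      if (!guard.shouldAccept(performance.now())) {
        ev.preventDefault();
        ev.stopImmediatePropagation();
      }
    }, true);
  });
}
```

The trade-off is that the very first click after a window gains focus is dropped if it lands straight on a submit button without any pointer movement; the user simply clicks again. Keyboard users are unaffected because any keydown arms the guard.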
A critical Windows LDAP vulnerability (CVE-2024-49112), disclosed and patched in Microsoft’s December 2024 security update, is a remote code execution (RCE) flaw affecting Windows Server, including Domain Controllers (DCs). Caused by an integer overflow in LDAP-related code, it allows an unauthenticated attacker to send crafted RPC calls that make the server issue LDAP queries whose responses the attacker controls, leading to a server crash or arbitrary code execution. A proof-of-concept exploit dubbed “LDAPNightmare” demonstrated the attack, underlining that a single unpatched DC reachable over RPC puts the entire domain at risk.
A critical command injection vulnerability has been discovered in DrayTek devices, specifically the Vigor2960 and Vigor300B models. The flaw, which affects more than 66,000 internet-exposed devices, resides in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint of the Web Management Interface. By placing shell metacharacters in the session parameter of a crafted HTTP request, an attacker can inject arbitrary commands that the device executes, potentially leading to remote code execution, unauthorized access, and compromise of the network behind it. Management interfaces on these devices should not be reachable from the internet at all.
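For defenders who cannot patch immediately, the request shape is specific enough to hunt for in web or reverse-proxy logs. The JavaScript below is an added example (not DrayTek code and not the researchers’ proof of concept): it parses combined-format access log lines, picks out requests to the apmcfgupload endpoint, and flags a session parameter containing shell metacharacters. The log lines, client addresses and payload strings are constructed for the example.

```javascript
// Added example: a log-side check for the DrayTek apmcfgupload command-injection
// pattern. This is not DrayTek's code or the researchers' PoC; it only inspects HTTP
// requests for the endpoint named in the alert and flags shell metacharacters in the
// "session" parameter. The sample log lines below are constructed.

const TARGET_PATH = '/cgi-bin/mainfunction.cgi/apmcfgupload';
// Characters that let a value break out of a shell command string.
const SHELL_META = /[;&|`\n\r]|\$\(|\$\{/;

// Combined/common log format: client ident user [time] "METHOD target HTTP/x" status size ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseAccessLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

/** Inspect one request target; null if it is not the vulnerable endpoint. */
function inspectRequest(target) {
  let url;
  try {
    url = new URL(target, 'http://placeholder.invalid'); // base only so relative targets parse
  } catch {
    return null;
  }
  if (url.pathname !== TARGET_PATH) return null;
  const session = url.searchParams.get('session');      // percent-decoded by URLSearchParams
  return { endpointHit: true, session, suspicious: session !== null && SHELL_META.test(session) };
}

/** Return the suspicious requests found in a batch of access-log lines. */
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseAccessLine(line);
    if (!req) continue;
    const verdict = inspectRequest(req.target);
    if (verdict && verdict.suspicious) {
      hits.push({ client: req.client, time: req.time, method: req.method,
                  status: req.status, session: verdict.session });
    }
  }
  return hits;
}

// Constructed sample: two injection attempts from one client, one benign use of the
// endpoint, and one unrelated request. Addresses are documentation ranges.
const SAMPLE_LINES = [
  '203.0.113.7 - - [02/Jan/2025:08:14:03 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=abc123%3Bid HTTP/1.1" 200 512 "-" "curl/8.4.0"',
  '192.0.2.15 - - [02/Jan/2025:08:15:41 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=4f2a9c1e HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '192.0.2.15 - - [02/Jan/2025:08:16:00 +0000] "GET /cgi-bin/mainfunction.cgi/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [02/Jan/2025:08:17:22 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=x%60id%60 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
];

for (const hit of scanAccessLog(SAMPLE_LINES)) {
  console.log(`${hit.time} ${hit.client} ${hit.method} status=${hit.status} session=${JSON.stringify(hit.session)}`);
}
```

Two caveats: a session value sent in a POST body will not appear in an access log, so a proxy or IDS that sees request bodies is needed for full coverage, and a 500 status on the endpoint (as in the last sample line) is itself worth investigating even when the decoded parameter looks clean.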
💥 Cyber Incidents
NTT Docomo has been grappling with significant disruptions caused by a Distributed Denial of Service (DDoS) attack that began on January 2, 2025. The cyberattack has heavily impacted several of the company’s services, including its search site, smartphone payment service, and web mail service. Users have reported severe network congestion, making it difficult to access these platforms. While efforts are underway to mitigate the damage, no clear timeline has been provided for full recovery.
Thomas Cook India recently suffered a cyberattack that disrupted its operations, leading the company to shut down the affected IT systems as a precaution. It has opened an investigation and is working with external cybersecurity experts to assess the extent of the damage. The nature of the attack has not been disclosed; the company says it has taken immediate steps to secure its systems and reduce further risk.
Sri Lankan government institutions have recently fallen victim to multiple cyberattacks, resulting in disruptions to official websites and services. The Sri Lanka Police Department’s official YouTube channel was compromised, and the official website of the Sri Lanka Department of Government Printing was hacked, with its data being altered. Authorities, including the Sri Lanka Computer Emergency Readiness Team (SLCERT) and the police, have launched investigations into the incidents.
Mizuho Bank and Resona Bank in Japan experienced disruptions due to suspected Distributed Denial of Service (DDoS) attacks. Mizuho reported difficulties with its online banking systems on Tuesday morning, which were resolved by mid-morning. Resona Bank faced similar issues starting Saturday night, affecting its retail banking services. Both banks worked to restore operations, with Resona investigating the cause. No customer data breaches have been confirmed at either bank.
Pro-Russian hackers from the NoName collective launched coordinated DDoS attacks against the websites of several French local authorities on December 31, 2024, including the cities of Marseille and Tarbes and the Haute-Garonne department. The group framed the attacks as retaliation for France’s support of Ukraine and sought to disrupt digital services and create a sense of insecurity. Although some sites were temporarily unreachable, cybersecurity experts assessed the intent as propaganda rather than data theft.
📢 Cyber News
A federal judge recently allowed California’s SB 976, a law designed to protect minors from addictive online content, to take effect. Starting January 3, 2025, companies will be prohibited from serving “addictive feeds” to users they know to be minors unless explicit parental consent is obtained. These addictive feeds are defined as algorithms that recommend content based on users’ behavior rather than their explicit preferences. The law aims to reduce the risk of addiction and harmful content consumption among young users.
New York has introduced six new laws aimed at enhancing consumer protections, with a focus on personal data privacy, cybersecurity, and transparency. Signed by Governor Kathy Hochul in December, these laws require social media companies to post terms of service, expand the definition of identity theft to include medical and health insurance information, and ensure quicker data breach notifications. The new legislation also mandates state agencies to follow cybersecurity standards to prevent cyberattacks and bans debt collectors from using social media to collect debts.
The Union Home Ministry’s Annual Report for 2023-24 highlights a concerning rise in the misuse of social media platforms for cyber scams, with WhatsApp emerging as the most exploited platform. The report details a staggering 43,797 complaints of cyber fraud recorded on WhatsApp in just the first three months of 2024, followed by 22,680 complaints on Telegram and 19,800 on Instagram. A prevalent scam, the “Pig Butchering Scam,” targets vulnerable individuals, luring them into fraudulent investment schemes.
Myanmar’s newly enacted cybersecurity law, effective January 1, 2025, introduces stringent regulations aimed at curbing cybercrime and protecting digital infrastructure. The law addresses a range of offenses, including the unauthorized establishment of VPN services, online gambling systems, and the misuse of cyber resources. Those found guilty of violating these provisions could face hefty fines and imprisonment, with penalties varying based on the severity of the offense.
In December 2024, crypto losses fell to their lowest monthly total of the year, at about $29 million, according to blockchain security firms CertiK and PeckShield. CertiK documented $28.6 million in losses, mostly from exploits, including a $2.1 million exploit of the decentralized finance platform GemPad and a $1 million attack on the FEG token bridge. PeckShield recorded a similar decline at $24.7 million for the month, a figure that includes roughly $12.3 million drained from wallets believed to belong to victims of the 2022 LastPass breach.
Copyright © 2024 CyberMaterial. All Rights Reserved.