Contents

01. News Bites
  • Microsoft fixed over 70 CVEs in its final Patch Tuesday update of the year
  • Malichus malware exploits Cleo Zero-Day to steal sensitive data
  • Lynx ransomware targets Electrica Group in major attack
  • Krispy Kreme cyberattack disrupts online orders, investigation underway
  • Operation PowerOFF disrupts DDoS-for-hire platforms, arrests made
  • Termite ransomware group targets Blue Yonder, claims data theft


02. Conclusion

Quick News Bites

Microsoft fixed over 70 CVEs in its final Patch Tuesday update of the year

Microsoft’s December 2024 Patch Tuesday delivers 71 security fixes, including a Windows zero-day vulnerability (CVE-2024-49138) actively exploited for privilege escalation. This brings Microsoft’s yearly patch count to 1,020, its second highest after 2020.

The critical CVE-2024-49112 in Windows LDAP, rated CVSS 9.8, allows unauthenticated remote code execution, risking domain controller compromise. Microsoft suggests disconnecting domain controllers from the Internet, though experts recommend swift patching instead.

Another urgent issue, CVE-2024-49117 in Hyper-V, permits attacks across virtual machines by an attacker with only basic authentication. Nine critical bugs affect Remote Desktop Services, including a use-after-free flaw (CVE-2024-49132) enabling remote code execution.

Additional risks include privilege escalation in the Windows Resilient File System (CVE-2024-49093) and an RCE vulnerability (CVE-2024-49063) in Muzic, an AI project.

We urge organisations to patch immediately, especially for vulnerabilities affecting remote services, to avoid exploitation and ensure robust system security.

Malichus malware exploits Cleo Zero-Day to steal sensitive data

Cyber security researchers have identified a critical zero-day vulnerability in Cleo's file transfer software, actively exploited by the Malichus malware to facilitate data theft. The flaw allows attackers to execute arbitrary code remotely, compromising sensitive information. Malichus, a sophisticated malware strain, leverages this vulnerability to infiltrate systems, exfiltrate data, and establish persistent access.

Cleo has released patches to address the issue, and users are strongly advised to update their systems immediately to mitigate potential risks. This incident underscores the importance of timely software updates and robust security measures to protect against emerging threats.

Lynx ransomware targets Electrica Group in major attack

Romania's National Cybersecurity Directorate (DNSC) has confirmed that the Lynx ransomware gang breached Electrica Group, a leading electricity supplier serving over 3.8 million users across Muntenia and Transylvania. Electrica, listed on the London and Bucharest stock exchanges, reported the ongoing attack, assuring investors that critical systems, including SCADA, were unaffected.

Lynx ransomware has been active since mid-2024, targeting over 78 victims, including U.S. energy and industrial sectors. Using an encryptor tied to INC Ransom malware, Lynx leverages ransomware-as-a-service tactics to breach entities globally.

DNSC, collaborating with Electrica, provided a YARA rule to help organisations detect traces of the malware and urged all entities, especially those in the energy sector, to scan their systems. The agency warned against paying ransoms and stressed vigilance amid rising cyber threats.

This attack follows a series of high-profile incidents in Romania, including a Backmydata ransomware assault on hospitals and cyberattacks targeting election infrastructure.

Krispy Kreme cyberattack disrupts online orders, investigation underway

Krispy Kreme has revealed a cyberattack on 29 November that significantly disrupted its online ordering system in parts of the United States, though physical stores and daily deliveries remain unaffected. Online sales accounted for 15.5% of the company’s Q3 2024 revenue, amplifying the impact.

The breach, disclosed via an 8-K SEC filing, prompted Krispy Kreme to engage cyber security experts and notify federal law enforcement. The company continues to assess the scope and impact, anticipating material losses from halted digital sales and cyber security expenses, partially offset by insurance.

Experts say the attack highlights how a disruption in one interconnected system can quickly spread to others.

Krispy Kreme reassured stakeholders that long-term impacts on its financial condition remain unlikely as recovery efforts progress.

Operation PowerOFF disrupts DDoS-for-hire platforms, arrests made

Law enforcement agencies from 15 countries have dismantled 27 DDoS-for-hire platforms, arrested three administrators, and identified 300 customers as part of Operation PowerOFF, an international crackdown on distributed denial-of-service (DDoS) cybercrime.

These platforms, also known as "booters" or "stressers," enable paying customers to launch attacks using botnets to disrupt online services. Such attacks, particularly during the holiday season, can lead to significant service outages and business losses.

Europol coordinated the operation, providing analytical and forensic support. Among the seized sites are zdstresser.net and orbitalstress.net, now displaying law enforcement notices. The Dutch police arrested four suspects responsible for thousands of attacks and identified 200 platform users, issuing warnings or initiating prosecutions.

Authorities continue to investigate, aiming to curtail these services and hold users accountable.

Termite ransomware group targets Blue Yonder, claims data theft

The Termite ransomware group has claimed responsibility for a cyberattack on U.S.-based supply chain technology provider Blue Yonder, stealing 680 GB of data. The Scottsdale, Arizona-based subsidiary of Panasonic serves over 3,000 clients, including Morrisons, Sainsbury’s, Tesco, and Starbucks.

Blue Yonder confirmed the attack disrupted its “managed services hosted environment” on November 21. External cyber security experts assisted in the investigation, revealing that threat actors infiltrated the network, injected malicious code, and encrypted critical systems.

The incident caused operational disruptions, with Starbucks reportedly managing pay manually. Termite claims to possess databases, email lists, documents, and insurance records. Blue Yonder stated it is working with cyber security firms to address the breach, strengthen defences, and support impacted customers.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.