General Dynamics phished, Japan Airlines attack, Addiction Centers breach - Cybersecurity Headlines

Summary6 min read

Cyber Security Headlines – December 27, 2024

Hosted by CISO Series

The latest episode of Cyber Security Headlines by CISO Series, hosted by Steve Prentiss, delves into significant cybersecurity incidents that have unfolded over the past few weeks. This detailed summary captures all key discussions, insights, and conclusions presented in the episode, providing a comprehensive overview for those who haven't listened.

1. General Dynamics Phishing Attack

At the outset of the episode, Steve Prentiss introduces a critical incident involving General Dynamics, a prominent aerospace and defense company.

Incident Overview:
- Date Discovered: October 10, 2024
- Method: A sophisticated phishing campaign disguised as a fraudulent advertising campaign.
- Impact: Dozens of employee accounts were compromised, specifically targeting employee benefits.
Details:
- The phishing site tricked employees into entering their usernames and passwords, resulting in unauthorized access.
- A total of 37 employees were affected, with attackers gaining access to Personally Identifiable Information (PII) and, in some cases, government ID numbers.
- Security Week reported that attackers went a step further by altering bank account information, escalating the severity of the breach.
Official Statement:
- Steve Prentiss notes, "General Dynamics told the impacted individuals that the threat actors accessed their Fidelity Net Benefits accounts via the Employee Self Service portal using compromised credentials obtained through the phishing website" (00:59).
Response:
- A copy of the breach notification was submitted to the Main Attorney General's office, ensuring regulatory compliance and transparency.

2. Japan Airlines Cyber Attack

The episode transitions to an incident affecting Japan Airlines, highlighting vulnerabilities in the aviation sector.

Incident Overview:
- Date of Attack: Thursday, December 26, 2024, at 7:24 am local time.
- Impact: The attack led to the shutdown of a critical router, causing system malfunctions and suspending both international and domestic ticket sales for flights departing on that day.
Recovery:
- By the following day, Steve Prentiss reports, "Japan Airlines systems are back to normal" (01:19), restoring regular operations without any leakage of customer data or registered damage.
Context:
- This attack follows a similar outage experienced by American Airlines on Christmas Eve, where technological issues with the flight operating system (FOS)—attributed to a vendor's technology—caused disruptions. Steve Prentiss emphasizes the recurring challenges in maintaining robust cybersecurity measures within major airlines (01:47).

3. American Addiction Centers Data Breach

A significant data breach at American Addiction Centers is discussed, shedding light on vulnerabilities within healthcare networks.

Incident Overview:
- Breach Date: September 2024
- Impacted Individuals: Over 400,000 people across multiple states including California, Florida, Texas, Nevada, Massachusetts, Mississippi, New Jersey, and Rhode Island.
- Stolen Data: Included Social Security numbers and health insurance information.
Perpetrators:
- The breach is attributed to the Raisida Ransomware Gang, known for targeting various healthcare networks in the U.S.
- Steve Prentiss mentions, "Raisida Ransomware Gang made a claim on November 16th regarding this attack" (02:45).
Organization's Response:
- American Addiction Centers began mailing breach notifications just before the Christmas break, aiming to inform and protect the affected individuals promptly.
- Representatives declined to confirm the involvement of ransomware, indicating a cautious approach in public communications.

4. Windows 11 Security Update Issue

The episode highlights a significant security update problem affecting Windows 11 installations.

Issue Details:
- Affected Versions: Windows 11 versions 24H2, particularly those with security updates released between October 8 and November 12, 2024.
- Problem: Copies of these versions may prevent the operating system from accepting any further security updates, posing a critical vulnerability.
Microsoft's Response:
- Steve Prentiss reports that Microsoft is "working on a fix" but recommends that users performing Windows 11 24H2 installations utilize the December 2024 security update released on December 10 to mitigate the issue (04:04).

5. Surge in Infostealer Malware

A notable increase in infostealer malware activity is examined, with a focus on Luma Infostealer.

Key Insights:
- According to ESET's H2 2024 threat report, Luma Infostealer has surged by nearly 400%, becoming the top threat.
- Detects a 369% increase in telemetry data in the second half of 2024, targeting two-factor authentication, browser extensions, user credentials, and cryptocurrency wallets.
Industry Impact:
- Steve Prentiss emphasizes, "Luma Infostealer is increasingly being sought after by cybercriminals" (04:16).
- The report also highlights Xloader (Formbook), a constantly evolving Malware-as-a-Service (MaaS) platform in high demand.
- The demise of Redline Stealer, taken down by international authorities in October, is unlikely to halt similar threats but will instead lead to the rise of alternative infostealers (05:06).
Resource Availability:
- A link to the ESET report is provided in the show notes for listeners seeking detailed information (05:10).

6. Adobe Cold Fusion Vulnerability

A critical vulnerability in Adobe Cold Fusion is addressed, highlighting the importance of timely security updates.

Vulnerability Details:
- CVE Number: Assigned to the flaw caused by a path traversal weakness, impacting Adobe Cold Fusion versions 2023 and 2021.
- Risk: Allows attackers to read arbitrary files on vulnerable servers, elevating it to a priority one severity rating due to the high risk of exploitation.
Exploitation:
- Proof of Concept (PoC) exploit code has already been reported, increasing the urgency for remediation.
Adobe's Response:
- Adobe issued out-of-band security updates on December 23, 2024, urging administrators to install the emergency patches immediately to safeguard against potential exploits (05:22).

7. TechCrunch on Poorly Handled Data Breaches

The episode reviews insights from TechCrunch on the most poorly handled data breaches of 2024, offering lessons for the cybersecurity community.

Highlighted Breaches:
- 23andMe: Criticized for attributing the breach to customers' insufficient account security.
- Change Healthcare: Faced backlash for delaying confirmation of a breach impacting most of America's health data due to a compromised basic user account lacking multi-factor authentication (MFA).
- Snowflake: Experienced a breach exacerbated by the absence of mandatory MFA, leading to significant data exposure.
- City of Columbus, Ohio: Notably sued a security researcher for responsibly reporting a ransomware attack, raising concerns about ethical disclosures.
Additional Cases:
- Steve Prentiss mentions that these stories, along with others like the Salt Typhoon attack, are detailed in the episode's show notes (06:11).

Upcoming Events and Additional Resources

The episode concludes with announcements for upcoming events and resources:

Week in Review Show:
- Scheduled for later the same day at 3:30 pm Eastern.
- Guest: Adam Glick, CISO at PSG Equity, will provide expert commentary on the week's cybersecurity news.
- Participation: Listeners are encouraged to join and engage via the YouTube live channel by registering through the events page at cisoseries.com (07:04).
Access to Full Stories:
- Listeners can visit cisoseries.com for comprehensive coverage and in-depth analysis behind each headline.

Notable Quotes:

"General Dynamics told the impacted individuals that the threat actors accessed their Fidelity Net Benefits accounts via the Employee Self Service portal using compromised credentials obtained through the phishing website." — Steve Prentiss [00:59]
"Japan Airlines systems are back to normal following a cyber attack that delayed some international and domestic flights." — Steve Prentiss [01:19]
"Raisida Ransomware Gang made a claim on November 16th regarding this attack." — Steve Prentiss [02:45]
"Luma Infostealer is increasingly being sought after by cybercriminals." — Steve Prentiss [04:36]
"Microsoft is working on a fix, but recommends that people performing Windows 11 24H2 installations use the December 2024 security update to avoid such problems." — Steve Prentiss [04:02]

For more detailed information and access to all stories discussed, visit cisoseries.com.

Loading summary

Transcript58 lines

[00:00]
CISO Series Host
From the CISO series, it's Cybersecurity Headlines.
[00:07]
Steve Prentiss
These are the cybersecurity headlines for Friday, December 27, 2024. I'm Steve Prentiss.
[00:17]
Cybersecurity Reporter
General Dynamics says employees Targeted in phishing Attack the aerospace and defence company says threat actors compromised dozens of employee benefits.
[00:27]
Steve Prentiss
Accounts after a successful phishing campaign targeting its personnel.
[00:32]
Cybersecurity Reporter
The activity was discovered on October 10 and took the form of a fraudulent advertising campaign that directed General Dynamics employees to a phishing site where they were.
[00:42]
Steve Prentiss
Deceived into entering their usernames and passwords.
[00:46]
Cybersecurity Reporter
A total of 37 people were affected and in addition to accessing PII and government ID numbers in some cases the.
[00:53]
Steve Prentiss
Attackers changed bank account information as quoted in Security Week in their notification letter.
[01:00]
Cybersecurity Reporter
A copy of which was submitted to the main Attorney General's General Dynamics told the impacted individuals that the threat actors accessed their Fidelity Net Benefits accounts via the Employee Self Service portal using compromised credentials obtained through the phishing website. Japan Airlines Systems are back to normal.
[01:20]
Steve Prentiss
After cyber Attack the airline announced yesterday.
[01:24]
Cybersecurity Reporter
Thursday that its systems have returned to.
[01:26]
Steve Prentiss
Normal following a cyber attack that delayed some international and domestic flights.
[01:31]
Cybersecurity Reporter
The attack occurred at 7:24am Thursday local time and shut down a router that caused malfunctions and which suspended ticket sales.
[01:40]
Steve Prentiss
For flights departing on Thursday.
[01:42]
Cybersecurity Reporter
Representatives said that no customer data was.
[01:45]
Steve Prentiss
Leaked and no damage was registered, and.
[01:48]
Cybersecurity Reporter
This event follows on the heels of a brief outage that affected flights for American Airlines on Tuesday evening, Christmas Eve. This particular outage was issued at the airline's request after it experienced trouble with its flight operating system fos. In this case, the airline blamed technology from one of its vendors.
[02:05]
Steve Prentiss
End Quote American Addiction Centers suffers Data.
[02:10]
Cybersecurity Reporter
Breach the organization, which runs a network of addiction rehab facilities across California, Florida, Texas, Nevada, Massachusetts, Mississippi, New Jersey and Rhode island, suffered the attack in September and started mailing breach notifications to more than 400,000 people just prior to the Christmas break. The stolen data includes Social Security numbers and health insurance information. Representatives from the organization declined to say whether ransomware was involved, but the Raisida Ransomware Gang, which is known for attacking numerous healthcare Networks in the US made.
[02:45]
Steve Prentiss
A claim on November 16th regarding this attack.
[02:51]
Cybersecurity Reporter
Thanks to today's episode's sponsor, ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night?
[02:59]
Steve Prentiss
Well, worry no more. You can harden your security with ThreatLocker.
[03:03]
Cybersecurity Reporter
ThreatLocker helps you take a proactive, default deny approach to cybersecurity and provides a full audit of every action allowed or.
[03:11]
Steve Prentiss
Blocked for risk management and compliance.
[03:14]
Cybersecurity Reporter
Onboarding and operation are fully supported by.
[03:17]
Steve Prentiss
Their US based support team.
[03:19]
Cybersecurity Reporter
To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com that is.
[03:28]
Steve Prentiss
T H R E A T L O c k e r.com Windows 11.
[03:35]
Cybersecurity Reporter
Installation media bug causes security update failures A warning from Microsoft yesterday regarding a problem that might occur when using physical.
[03:44]
Steve Prentiss
Media such as CDs or USB flash.
[03:47]
Cybersecurity Reporter
Drives to install Windows 11 version 24H2. Copies of this version of Windows 11 that include security updates released between October 8 and November 12 might cause the operating system to not accept any further security updates.
[04:02]
Steve Prentiss
Microsoft is working on a fix, but.
[04:04]
Cybersecurity Reporter
Recommends that people performing Windows 1124 H2 installations use the December 2024 security update.
[04:11]
Steve Prentiss
Which was released on December 10, to avoid such problems.
[04:16]
Cybersecurity Reporter
Luma Infosteeler takes the year's top spot with a near 400% surge, according to cybersecurity firm ESET in its H2 2024 threat report. The Lumasteeler Infosteeler is the one increasingly being sought after by Cybercriminals, with a 369% surge in detections in its telemetry.
[04:37]
Steve Prentiss
In the second half of 2024.
[04:40]
Cybersecurity Reporter
Lumasteelr is known for targeting two factor authentication, browser extensions, user credentials, and cryptocurrency wallets. ESET's report also highlights Xloader, which is also known as Formbook, a malware as a service in constant demand because it is under constant development. ESET also adds that the infostealer as a service redline stealer, having been taken down by international authorities in October, is unlikely to be resurrected, but will simply.
[05:07]
Steve Prentiss
Lead to the expansion of other similar threats.
[05:10]
Cybersecurity Reporter
A link to the ESET report is.
[05:12]
Steve Prentiss
Available in the show Notes to this episode.
[05:16]
Cybersecurity Reporter
Adobe warns of critical Cold Fusion bug.
[05:19]
Steve Prentiss
With proof of Concept exploit code as.
[05:23]
Cybersecurity Reporter
Reported in Bleeping Computer, Adobe has released out of band security updates to address a critical Cold Fusion vulnerability with proof of concept exploit code. An advisory was released on Monday which stated that the flaw, which has a CVE number, is caused by a path traversal weakness that impacts Adobe Cold Fusion versions 2023 and 2021 and can enable attack read arbitrary files on vulnerable servers. The company has assigned a priority one severity rating to the flaw because it has a higher risk of being targeted.
[05:58]
Steve Prentiss
By exploits in the wild.
[06:00]
Cybersecurity Reporter
The company also urges administrators to install emergency security patches that were released the.
[06:06]
Steve Prentiss
Same day, December 23rd.
[06:08]
Cybersecurity Reporter
TechCrunch lists the most badly handled data.
[06:12]
Steve Prentiss
Breaches of 2024 tech crunches out with.
[06:16]
Cybersecurity Reporter
Its annual summary of breaches whose behavior or response could at least be seen as a learning opportunity for others. This year's list includes 23andMe who blamed their customers for not sufficiently securing their accounts. Change Healthcare, who took months to confirm hackers stole most of America's health data by breaching a basic user account with.
[06:37]
Steve Prentiss
A lack of multi factor authentication.
[06:39]
Cybersecurity Reporter
Also on the list this year is Snowflake, whose breach was a result of a lack of mandated use of Multi.
[06:45]
Steve Prentiss
Factor Security, as well as the city.
[06:47]
Cybersecurity Reporter
Of Columbus, Ohio, which sued a security researcher for truthfully reporting on the ransomware attack. Details on these stories and four more, one of which is, of course Salt.
[06:58]
Steve Prentiss
Typhoon, are available through the link in the show notes to this episode.
[07:04]
Cybersecurity Reporter
Make sure to join us later today at 3:30pm Eastern for our Week in Review show. Adam Glick, CISO at PSG Equity, will be our guest providing his expert commentary on the news of the week and we encourage participation and comments through our YouTube live channel. Just go to the events page@cisoseries.com to.
[07:23]
Steve Prentiss
Register and we will see you there. I'm Steve Prentiss reporting for the CISO series.
[07:33]
CISO Series Host
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories. Behind the headlines.
[07:45]
CISO Series Outro
It.