NoFluffSec Weekly

Issue #3

Welcome to another edition of NoFluffSecurity, the newsletter that cuts straight to the point—no hype, no fluff, just the cybersecurity insights you need. Whether you're a seasoned pro or new to the game, we’re here to help you stay ahead of threats and keep your clients, products, and services secure.

We don’t just serve up the facts; we dish out our unfiltered take on what’s happening in the industry. No sugar-coating, no scare tactics—just actionable advice that actually matters. What you do with it? That’s on you. But if you're here, you already know the stakes.

If you enjoyed this week’s dose of clarity, and don’t want to miss the next one, please make sure to click that subscribe button!

This Week’s Stories

Microsoft Windows Update Zero-Day Exploitation

Microsoft has warned of CVE-2024-43491, a critical (CVSS 9.8) flaw in the Windows servicing stack that it lists as exploited. On Windows 10 version 1507 (the 2015 LTSB and IoT Enterprise LTSB editions), security updates released from March 2024 onward rolled back fixes for a number of optional components, so vulnerabilities that had already been patched became exploitable again. The fix has two parts that must be installed in order: the September 2024 Servicing Stack Update first, then the September 2024 security update. It is one of four zero-days Microsoft reported as under active exploitation in this month's release.

NoFluff's Take: Fixing Patching with More Patches

The irony is palpable: to secure a broken patching system, Microsoft issues yet another patch. This cycle epitomizes the fundamental issue with current patch management practices. When the mechanism meant to provide security can be subverted and needs its own patches to function correctly, it underscores a deeper flaw in the system. It's a never-ending loop where the solution to a problem becomes another layer of the problem itself, making us question the reliability of the patching ecosystem as a whole.

CISO Takeaways

  • Beyond Patching: CISOs should emphasize a multi-layered defense approach. Patch management is crucial, but it should be complemented with continuous monitoring and advanced threat detection.

  • Proactive Measures: Implement anomaly detection systems that can identify unexpected changes, such as the rollback of patches, to catch such exploits early.

Security Engineer Thoughts

  • Immediate Action: On Windows 10 version 1507 hosts, install the September 2024 Servicing Stack Update first and the September 2024 security update second; Microsoft's guidance makes the order mandatory, so verify it in whatever deployment tooling you use rather than assuming the normal update flow will sequence it.

  • Vulnerability Management: Regularly review your organization's vulnerability management process to include checks for potential downgrades and rollback attacks.

  • Indicator Monitoring: Microsoft has not published IOCs for this issue, so watch for servicing anomalies instead: component or build versions that go backwards between inventory runs, and repeated or failed installs of the September updates on 1507 hosts.
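
The "versions that go backwards" check above is easy to automate once you already collect build inventory. The script below is an added example (not from the newsletter or from any Microsoft tool): it flags hosts still on Windows 10 version 1507, which reports OS build 10240, and any host whose (build, UBR) pair decreased between two inventory runs. The hostnames, dates and UBR values are constructed sample data; in production they would be read from the CurrentVersion registry key (CurrentBuild and UBR). Note that the rollback in CVE-2024-43491 affected optional-component versions and will not necessarily move the UBR, so treat a UBR regression as one generic signal, not as a detector for this specific bug.

```python
"""Patch-rollback indicators over Windows build inventory snapshots.

Added example: flags (a) hosts still on Windows 10 version 1507 (OS build
10240) and (b) any host whose (build, UBR) pair went backwards between two
inventory runs. All snapshot data below is constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    host: str
    taken: date
    build: int  # CurrentBuild; 10240 is Windows 10 version 1507
    ubr: int    # Update Build Revision; rises with each cumulative update


AFFECTED_BUILD = 10240  # Windows 10 version 1507 (2015 LTSB / IoT LTSB)


def _by_host(snapshots):
    """Group snapshots per host, oldest first."""
    grouped = {}
    for s in snapshots:
        grouped.setdefault(s.host, []).append(s)
    for items in grouped.values():
        items.sort(key=lambda s: s.taken)
    return grouped


def in_scope(snapshots):
    """Hosts whose most recent snapshot is on the affected build."""
    return sorted(host for host, items in _by_host(snapshots).items()
                  if items[-1].build == AFFECTED_BUILD)


def rollbacks(snapshots):
    """(host, earlier (build, ubr), later (build, ubr)) for every consecutive
    pair of snapshots where the servicing level went down."""
    findings = []
    for host, items in _by_host(snapshots).items():
        for prev, cur in zip(items, items[1:]):
            if (cur.build, cur.ubr) < (prev.build, prev.ubr):
                findings.append((host, (prev.build, prev.ubr), (cur.build, cur.ubr)))
    return findings


# Constructed sample inventory: two 1507 kiosks and one 22H2 workstation.
SAMPLE = [
    Snapshot("lts-kiosk-01", date(2024, 8, 20), 10240, 20655),
    Snapshot("lts-kiosk-01", date(2024, 9, 12), 10240, 20345),  # UBR went down
    Snapshot("lts-kiosk-02", date(2024, 8, 20), 10240, 20655),
    Snapshot("lts-kiosk-02", date(2024, 9, 12), 10240, 20710),
    Snapshot("ws-0412", date(2024, 8, 20), 19045, 4780),
    Snapshot("ws-0412", date(2024, 9, 12), 19045, 4894),
]

if __name__ == "__main__":
    print("1507 hosts needing SSU then September LCU:", in_scope(SAMPLE))
    for host, before, after in rollbacks(SAMPLE):
        print(f"ROLLBACK {host}: {before} -> {after}")
```

Feed it the same inventory export your vulnerability scanner already produces and run it after every patch cycle; a host that shows up in `rollbacks()` deserves a look at its component versions, not just a re-run of Windows Update.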

#WindowsUpdate #ZeroDay #PatchManagement #CVE-2024-43491

Void Captures Over a Million Android TV Boxes

A new backdoor malware named Android.Vo1d has infected nearly 1.3 million Android TV boxes across 197 countries. The malware disguises itself as system programs and embeds into critical system files, enabling remote downloading and installation of third-party software. It targets devices running outdated Android versions, exploiting known vulnerabilities or unofficial firmware with root access. The infection's source remains unknown, but the malware is capable of persistent auto-launch through multiple anchoring methods.

NoFluff's Take: IoT Devices, the Silent Threat

This incident highlights a pervasive issue with IoT devices: they're often overlooked in security practices. TV boxes, frequently running outdated software, represent a larger trend where manufacturers prioritize low cost over security. Users and organizations need to treat these devices as potential entry points for attacks, not just innocuous consumer electronics. The convenience of smart devices often comes at the expense of security, leading to a growing attack surface that is difficult to manage.

CISO Takeaways

  • Asset Management: Implement an asset management strategy that includes IoT devices such as Android TV boxes and smart TVs, ensuring they are tracked and monitored for potential vulnerabilities.

  • Supply Chain Security: Require vendors to provide up-to-date firmware and security patches for IoT devices, making this a criterion for procurement.

Security Engineer Thoughts

  • Network Segmentation: Isolate IoT devices on separate network segments to limit the potential impact of a compromise.

  • Firmware Validation: Apply vendor firmware updates to IoT devices promptly, and treat devices running unofficial or rooted firmware builds, which this malware rides on, as untrusted until they are reflashed with the vendor's image. An update alone does not prove a device is clean.

#IoTSecurity #AndroidMalware #FirmwareVulnerabilities #BackdoorThreat

Fortinet Admits Customer Data Breach in the Cloud

Fortinet confirmed that unauthorized access was gained to a limited number of customer files stored on a third-party cloud-based shared file drive. The company says fewer than 0.3% of its customers were affected and that no malicious activity against customers has been detected; meanwhile a dark web user claims to possess 440GB of stolen Fortinet customer data, which they offered for download from an Amazon S3 bucket. Fortinet has terminated the unauthorized access, involved law enforcement, and stated the incident did not affect its core operations.

NoFluff's Take: The Cloud Conundrum

This breach raises questions about cloud data security, especially when managed by companies that specialize in cybersecurity. Fortinet's reliance on third-party cloud storage highlights the ongoing challenges even top-tier security companies face in securing cloud environments. It’s a reminder that outsourcing data storage doesn't absolve a company of the responsibility to ensure robust security measures and consistent monitoring.

CISO Takeaways

  • Third-Party Risk Management: Reevaluate and strengthen risk management practices around third-party cloud storage providers. Ensure they have rigorous security protocols and regular audits.

  • Incident Response Preparedness: Have a clear incident response plan specifically tailored for cloud breaches, including communication strategies for customers and stakeholders.

Security Engineer Thoughts

  • Cloud Security Practices: Enforce least-privilege access on cloud file shares (named principals only, no anonymous or link-based access) and encrypt sensitive customer files with keys the sharing platform does not hold, so that a compromise of the platform alone does not yield plaintext.

  • Monitoring and Alerting: Enhance monitoring capabilities for cloud environments to detect unusual access patterns or unauthorized data movements promptly.
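
"Strict access controls" on object storage usually comes down to what the bucket policy says about anonymous principals. The checker below is an added example, not Fortinet's configuration and not AWS tooling: both policies are constructed, the bucket name and account ID are placeholders, and the rule implemented is the simple one AWS documents for "public", an Allow statement whose Principal is anonymous (`"*"` or `{"AWS": "*"}`). The hardened policy keeps a single named role as principal and adds a Deny for any request not made over TLS.

```python
"""Spot public-grant statements in an S3 bucket policy.

Added example with constructed policies. Account ID, role and bucket names
are placeholders.
"""
import json

WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",  # anyone on the internet
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-shared-drive",
                     "arn:aws:s3:::example-shared-drive/*"],
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SupportRoleRead",
            "Effect": "Allow",
            # placeholder account ID and role name
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/support-file-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-shared-drive/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-shared-drive",
                         "arn:aws:s3:::example-shared-drive/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _is_anonymous(principal):
    """True for the principal forms that mean 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return (Sid, has_condition) for every Allow statement with an anonymous
    principal. A conditioned statement may still be acceptable (for example
    restricted to a VPC), so it is reported for review rather than passed."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement is allowed unwrapped
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        findings.append((st.get("Sid", f"statement[{i}]"), "Condition" in st))
    return findings


if __name__ == "__main__":
    print("weak:    ", public_statements(WEAK_POLICY))
    print("hardened:", public_statements(HARDENED_POLICY))
```

A Deny with `Principal: "*"` is not flagged because it removes access rather than granting it. In practice, also turn on S3 Block Public Access at the account level so a statement like `PublicRead` cannot take effect even if someone writes it; the checker is for reviewing policies that already exist.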

#DataBreach #CloudSecurity #ThirdPartyRisk #Fortinet

ID Scans Sold on Telegram

Scanned ID documents are being sold on Telegram for as little as $8, often obtained from platforms that require user verification. This exposes a dual problem: services demanding sensitive documents without offering better alternatives, and users' careless attitude toward securing their data. This environment has created a marketplace for identity theft, with sensitive personal information becoming a cheap commodity.

NoFluff's Take: A Two-Way Street of Risk and Responsibility

This situation reveals a systemic issue where both service providers and users contribute to the risk. Services requiring ID scans often lack secure handling and storage practices, pushing users into sharing sensitive documents without better options. On the other hand, users frequently overlook the risks, not realizing that uploading ID scans creates an attack surface ripe for exploitation. It's a wake-up call for stronger identity verification methods and user education on data protection.

CISO Takeaways

  • Data Minimization: Reevaluate whether a copy of an ID document needs to be retained at all. Prefer verify-then-delete flows, and where an alternative such as biometric verification is considered, remember that biometric data is itself sensitive and needs the same protection.

  • Vendor Security Assessment: Ensure third-party services handling user ID scans adhere to strict security standards for data protection and storage.

Security Engineer Thoughts

  • Data Handling Protocols: Implement secure data handling protocols for sensitive documents, ensuring encryption and limiting access to authorized personnel.

  • User Education: Provide guidance on how users should secure and share sensitive documents safely, including using secure communication channels for such submissions.

#IdentityTheft #DataProtection #UserAwareness #SecureVerification

How $20 and a Lapsed Domain Undermined Internet Integrity

Security researchers at watchTowr Labs showed how little it takes to subvert WHOIS. The domain that once hosted the .mobi TLD's WHOIS server (dotmobiregistry.net) had lapsed, and they bought it for about $20. Their replacement server immediately began receiving WHOIS queries from more than 135,000 unique systems, including security firms, governments, mail servers and certificate authorities. Because some CAs use the contact email returned by WHOIS to verify domain ownership, whoever controls that server can answer with an address they own and obtain certificates for .mobi domains. The research underlines the risk of treating core infrastructure as disposable.

NoFluff's Take: Trust Issues in Internet Infrastructure

This incident exposes a fundamental weakness in internet infrastructure management—critical systems relying on outdated or forgotten resources. The fact that so many systems still queried an expired domain points to a broader issue of trust and reliance on obsolete infrastructure. It raises questions about the diligence of organizations in maintaining their security posture and the internet's resilience to such trivial yet potentially devastating oversights.

CISO Takeaways

  • Infrastructure Review: Regularly audit and review dependencies on third-party infrastructure, ensuring that critical systems are not relying on outdated or abandoned services.

  • Domain Management: Implement strict domain management practices, including monitoring and renewing domains that are essential to your organization's operations.

Security Engineer Thoughts

  • Monitoring Tools: Inventory the WHOIS servers your tooling and vendors query, and monitor the registration status and expiry of the domains behind them; a server whose domain is unregistered, expiring, or suddenly under a different registrant is a hijack signal.

  • Legacy System Awareness: Maintain awareness of legacy systems that might depend on outdated infrastructure, ensuring they are either updated or decommissioned.
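
The audit suggested above can be a small script once you have a list of the WHOIS hosts your tooling uses. The following is an added example, not watchTowr's tooling: it extracts the registrable domain behind each WHOIS hostname and classifies it as OK, EXPIRING, UNREGISTERED or UNKNOWN from the registry's response. The lookup function is injected so the code runs offline against constructed responses; in production it would send the domain to the relevant registry's WHOIS service on TCP/43 (for example with the `whois` PyPI package). The TLDs, hostnames, responses and dates are all constructed, and the two-label rule for registrable domains is an assumption that a public-suffix-list library would replace in real use.

```python
"""Registration-status audit for the domains behind hard-coded WHOIS servers.

Added example; lookup is injected so it runs offline. All data below is
constructed.
"""
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 9, 13, tzinfo=timezone.utc)  # constructed reference date

# Constructed: TLD -> WHOIS host that some tool has hard-coded.
WHOIS_SERVERS = {
    "example-a": "whois.nic.example-a",
    "example-b": "whois.registry-example-b.net",
    "example-c": "whois.legacy-example-c.org",
}

# Constructed registry responses, keyed by registrable domain.
CONSTRUCTED_RESPONSES = {
    "nic.example-a": "Domain Name: nic.example-a\nRegistry Expiry Date: 2030-01-01T00:00:00Z\n",
    "registry-example-b.net": "Domain Name: registry-example-b.net\nRegistry Expiry Date: 2024-10-01T00:00:00Z\n",
    "legacy-example-c.org": 'No match for "LEGACY-EXAMPLE-C.ORG".\n',
}

# Heuristics: registries word "unregistered" differently; extend as needed.
UNREGISTERED_RE = re.compile(r"no match|not found|is available", re.I)
EXPIRY_RE = re.compile(r"^\s*(?:Registry )?Expir(?:y|ation) Date:\s*(\S+)", re.I | re.M)


def registrable_domain(host):
    """Last two labels of the host. Assumption: no public-suffix handling,
    so multi-label suffixes such as co.uk need a PSL library instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def offline_lookup(domain):
    """Stand-in for a port-43 query; returns the constructed response."""
    return CONSTRUCTED_RESPONSES.get(domain, "No match")


def audit(servers, lookup, now=NOW, warn_days=60):
    """Return {tld: (status, registrable_domain)}."""
    findings = {}
    for tld, host in servers.items():
        dom = registrable_domain(host)
        text = lookup(dom)
        if UNREGISTERED_RE.search(text):
            findings[tld] = ("UNREGISTERED", dom)  # anyone can buy it, as with .mobi
            continue
        m = EXPIRY_RE.search(text)
        if not m:
            findings[tld] = ("UNKNOWN", dom)  # needs a human look
            continue
        expires = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        status = "EXPIRING" if expires - now < timedelta(days=warn_days) else "OK"
        findings[tld] = (status, dom)
    return findings


if __name__ == "__main__":
    for tld, (status, dom) in audit(WHOIS_SERVERS, offline_lookup).items():
        print(f"{tld:10} {dom:28} {status}")
```

An UNREGISTERED result for a server you still query is exactly the .mobi situation: the next person to register that domain answers your WHOIS lookups. Run the audit on a schedule, and treat UNKNOWN as a finding too, since a response with no parseable expiry is usually a format the script has not seen rather than a healthy domain.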

#InternetIntegrity #WHOIS #DomainSecurity #InfrastructureRisk

If you’re not already one of our regulars then that Subscribe button below has your name on it ;) See you next week!

All views and opinions expressed therein are solely the authors’ own and do not reflect those of any employers past or present.
NoFluffSec is a Bitsavant LLC publication