- nofluffsec
- Posts
- NoFluffSec Weekly
NoFluffSec Weekly
Issue #3
Welcome to another edition of NoFluffSecurity, the newsletter that cuts straight to the point—no hype, no fluff, just the cybersecurity insights you need. Whether you're a seasoned pro or new to the game, we’re here to help you stay ahead of threats and keep your clients, products, and services secure.
We don’t just serve up the facts; we dish out our unfiltered take on what’s happening in the industry. No sugar-coating, no scare tactics—just actionable advice that actually matters. What you do with it? That’s on you. But if you're here, you already know the stakes.
If you enjoyed this week’s dose of clarity, and don’t want to miss the next one, please make sure to click that subscribe button!
This Week’s Stories
Microsoft Windows Update Zero-Day Exploitation
Microsoft recently alerted users to an actively exploited critical flaw in Windows Update, CVE-2024-43491, which has a CVSS score of 9.8. This flaw allows attackers to rollback security fixes on Windows 10 version 1507 systems, rendering previously mitigated vulnerabilities exploitable again. Microsoft has provided a fix that requires installing the latest Servicing Stack Update and the September 2024 security update in a specific order. This is one of four zero-days actively being exploited this month.
NoFluff's Take: Fixing Patching with More Patches
The irony is palpable: to secure a broken patching system, Microsoft issues yet another patch. This cycle epitomizes the fundamental issue with current patch management practices. When the mechanism meant to provide security can be subverted and needs its own patches to function correctly, it underscores a deeper flaw in the system. It's a never-ending loop where the solution to a problem becomes another layer of the problem itself, making us question the reliability of the patching ecosystem as a whole.
CISO Takeaways
Beyond Patching: CISOs should emphasize a multi-layered defense approach. Patch management is crucial, but it should be complemented with continuous monitoring and advanced threat detection.
Proactive Measures: Implement anomaly detection systems that can identify unexpected changes, such as the rollback of patches, to catch such exploits early.
Security Engineer Thoughts
Immediate Action: Ensure that affected systems receive the latest Servicing Stack Update and the September 2024 Windows security update in the correct order.
Vulnerability Management: Regularly review your organization's vulnerability management process to include checks for potential downgrades and rollback attacks.
Indicator Monitoring: Although Microsoft hasn't provided specific IOCs, engineers should monitor for unusual activity that could indicate exploitation attempts.
#WindowsUpdate #ZeroDay #PatchManagement #CVE-2024-43491
References
Void Captures Over a Million Android TV Boxes
A new backdoor malware named Android.Vo1d has infected nearly 1.3 million Android TV boxes across 197 countries. The malware disguises itself as system programs and embeds into critical system files, enabling remote downloading and installation of third-party software. It targets devices running outdated Android versions, exploiting known vulnerabilities or unofficial firmware with root access. The infection's source remains unknown, but the malware is capable of persistent auto-launch through multiple anchoring methods.
NoFluff's Take: IoT Devices, the Silent Threat
This incident highlights a pervasive issue with IoT devices: they're often overlooked in security practices. TV boxes, frequently running outdated software, represent a larger trend where manufacturers prioritize low cost over security. Users and organizations need to treat these devices as potential entry points for attacks, not just innocuous consumer electronics. The convenience of smart devices often comes at the expense of security, leading to a growing attack surface that is difficult to manage.
CISO Takeaways
Asset Management: Implement an asset management strategy that includes IoT devices like smart TVs, ensuring they are tracked and monitored for potential vulnerabilities.
Supply Chain Security: Require vendors to provide up-to-date firmware and security patches for IoT devices, making this a criterion for procurement.
Security Engineer Thoughts
Network Segmentation: Isolate IoT devices on separate network segments to limit the potential impact of a compromise.
Firmware Validation: Regularly check for and apply firmware updates to IoT devices, ensuring they are free from known vulnerabilities and malware.
#IoTSecurity #AndroidMalware #FirmwareVulnerabilities #BackdoorThreat
References
Doctor Web: Void captures over a million Android TV boxes
Fortinet Admits Customer Data Breach in the Cloud
Fortinet confirmed that unauthorized access was gained to a limited number of customer files stored on a third-party cloud-based shared file drive. While the company claims less than 0.3% of its customers were affected and no malicious activity has been detected, a dark web user claims to possess 440GB of stolen Fortinet customer data from an open Amazon S3 bucket. Fortinet has terminated access, involved law enforcement, and stated the incident did not impact its core operations.
NoFluff's Take: The Cloud Conundrum
This breach raises questions about cloud data security, especially when managed by companies that specialize in cybersecurity. Fortinet's reliance on third-party cloud storage highlights the ongoing challenges even top-tier security companies face in securing cloud environments. It’s a reminder that outsourcing data storage doesn't absolve a company of the responsibility to ensure robust security measures and consistent monitoring.
CISO Takeaways
Third-Party Risk Management: Reevaluate and strengthen risk management practices around third-party cloud storage providers. Ensure they have rigorous security protocols and regular audits.
Incident Response Preparedness: Have a clear incident response plan specifically tailored for cloud breaches, including communication strategies for customers and stakeholders.
Security Engineer Thoughts
Cloud Security Practices: Implement strict access controls and encryption for cloud-stored data, ensuring that even if unauthorized access occurs, data remains protected.
Monitoring and Alerting: Enhance monitoring capabilities for cloud environments to detect unusual access patterns or unauthorized data movements promptly.
#DataBreach #CloudSecurity #ThirdPartyRisk #Fortinet
References
The Register: Some Fortinet customer data stolen from cloud storage
ID Scans Sold on Telegram
Scanned ID documents are being sold on Telegram for as little as $8, often obtained from platforms that require user verification. This exposes a dual problem: services demanding sensitive documents without offering better alternatives, and users' careless attitude toward securing their data. This environment has created a marketplace for identity theft, with sensitive personal information becoming a cheap commodity.
NoFluff's Take: A Two-Way Street of Risk and Responsibility
This situation reveals a systemic issue where both service providers and users contribute to the risk. Services requiring ID scans often lack secure handling and storage practices, pushing users into sharing sensitive documents without better options. On the other hand, users frequently overlook the risks, not realizing that uploading ID scans creates an attack surface ripe for exploitation. It's a wake-up call for stronger identity verification methods and user education on data protection.
CISO Takeaways
Data Minimization: Reevaluate the necessity of collecting sensitive documents, implementing alternatives such as biometric verification to reduce risk.
Vendor Security Assessment: Ensure third-party services handling user ID scans adhere to strict security standards for data protection and storage.
Security Engineer Thoughts
Data Handling Protocols: Implement secure data handling protocols for sensitive documents, ensuring encryption and limiting access to authorized personnel.
User Education: Provide guidance on how users should secure and share sensitive documents safely, including using secure communication channels for such submissions.
#IdentityTheft #DataProtection #UserAwareness #SecureVerification
References
How $20 and a Lapsed Domain Undermined Internet Integrity
Security researchers at watchTowr Labs discovered a critical flaw in the WHOIS protocol by purchasing a lapsed domain for $20. The expired domain, originally used for the .mobi TLD's WHOIS server, was still being queried by millions of systems, including cybersecurity firms, governments, and certificate authorities. This lapse could allow attackers to impersonate legitimate domains, compromising internet integrity and potentially issuing fraudulent certificates. The research emphasizes the risks of treating critical infrastructure as disposable.
NoFluff's Take: Trust Issues in Internet Infrastructure
This incident exposes a fundamental weakness in internet infrastructure management—critical systems relying on outdated or forgotten resources. The fact that so many systems still queried an expired domain points to a broader issue of trust and reliance on obsolete infrastructure. It raises questions about the diligence of organizations in maintaining their security posture and the internet's resilience to such trivial yet potentially devastating oversights.
CISO Takeaways
Infrastructure Review: Regularly audit and review dependencies on third-party infrastructure, ensuring that critical systems are not relying on outdated or abandoned services.
Domain Management: Implement strict domain management practices, including monitoring and renewing domains that are essential to your organization's operations.
Security Engineer Thoughts
Monitoring Tools: Deploy tools to monitor and alert on unusual WHOIS queries or changes in domain-related infrastructure to detect potential hijacking attempts.
Legacy System Awareness: Maintain awareness of legacy systems that might depend on outdated infrastructure, ensuring they are either updated or decommissioned.
#InternetIntegrity #WHOIS #DomainSecurity #InfrastructureRisk
References
If you’re not already one of our regulars then that Subscribe button below has your name on it ;) See you next week!