THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 18 - Nov 24)

We hear terms like "state-sponsored attacks" and "critical vulnerabilities" all the time, but what's really going on behind those words? This week's cybersecurity news isn't just about hackers and headlines—it's about how digital risks shape our lives in ways we might not even realize.

For instance, telecom networks being breached isn't just about stolen data—it's about power. Hackers are positioning themselves to control the networks we rely on for everything, from making calls to running businesses. And those techy-sounding CVEs? They're not just random numbers; they're like ticking time bombs in the software you use every day, from your phone to your work tools.

These stories aren't just for the experts—they're for all of us. They show how easily the digital world we trust can be turned against us. But they also show us the power of staying informed and prepared. Dive into this week's recap, and let's uncover the risks, the solutions, and the small steps we can all take to stay ahead in a world that's moving faster than ever. You don't need to be a cybersecurity pro to care—just someone who wants to understand the bigger picture. Let's explore it together!

⚡ Threat of the Week

New Liminal Panda Group Goes After the Telecom Sector: A previously undocumented China-nexus cyber espionage group, Liminal Panda, has orchestrated a series of targeted cyber attacks on telecom entities in South Asia and Africa since 2020. Using sophisticated tools like SIGTRANslator and CordScan, the group exploits weak passwords and telecom protocols to harvest mobile subscriber data, call metadata, and SMS messages. This development coincides with U.S. telecom providers, including AT&T, Verizon, T-Mobile, and Lumen Technologies, becoming targets of another China-linked hacking group, Salt Typhoon. The U.S. Cyber Command has stated that these efforts aim to establish footholds in critical U.S. infrastructure IT networks, potentially preparing for a major clash with the U.S.

🔔 Top News

• Palo Alto Networks Flaws Exploited to Compromise About 2,000 Devices: The newly disclosed security flaws impacting Palo Alto Networks firewalls – CVE-2024-0012 (CVSS score: 9.3) and CVE-2024-9474 (CVSS score: 6.9) – have been exploited to breach roughly 2,000 devices across the world. These vulnerabilities could allow an attacker to bypass authentication and escalate their privileges to perform various malicious actions, including executing arbitrary code. The network security vendor told The Hacker News that the number "represents less than half of one percent of all Palo Alto Networks firewalls deployed globally that remain potentially unpatched." The company also said it had been proactively sharing information since November 8, 2024, urging customers to secure their device management interfaces and mitigate potential threats. The guidance, it added, has been effective in mitigating threat activity to a great extent.
• 5 Alleged Scattered Spider Members Charged: The U.S. unsealed charges against five members of the infamous Scattered Spider cybercrime crew, including a U.K. national, for their role in orchestrating social engineering attacks between September 2021 to April 2023 to steal credentials and siphon funds from cryptocurrency wallets. If convicted, each of the U.S.-based defendants face up to 27 years in prison for all the charges.
• Ngioweb Botnet Malware Fuels NSOCKS Proxy Service: The malware known as Ngioweb has been used to fuel a notorious residential proxy service called NSOCKS, as well as other services such as VN5Socks and Shopsocks5. The attacks primarily target vulnerable IoT devices from various vendors like NETGEAR, Uniview, Reolink, Zyxel, Comtrend, SmartRG, Linear Emerge, Hikvision, and NUUO, using automated scripts in order to deploy the Ngioweb malware.
• Russian Threat Actors Unleash Attacks Against Central Asia: A Russian threat activity cluster dubbed TAG-110 has primarily targeted entities in Central Asia, and to a lesser extent East Asia and Europe, as part of a broad campaign that deploys malware known as HATVIBE and CHERRYSPY for information gathering and exfiltration purposes. TAG-110 is assessed to be affiliated with a Russian state-sponsored hacking group called APT28.
• North Korea's IT Worker Scheme's Chinese Links Uncovered: A new analysis has revealed that the fake IT consulting firms set up North Korean threat actors to secure jobs at companies in the U.S. and abroad are part of a broader, active network of front companies originating from China. In these schemes, the IT workers who land employment under forged identities have been observed funneling their income back to North Korea through the use of online payment services and Chinese bank accounts.
• Cybercriminals Use Ghost Tap Method for Cash-Out: A legitimate near-field communication (NFC) research tool called NFCGate is being abused by cybercriminals to cash out funds from victim's bank accounts via point-of-sale (PoS) terminals. One crucial caveat here is that the attack hinges on the threat actors previously compromising a device and installing some sort of a banking malware that can capture credentials and two-factor authentication (2FA) codes.

‎️‍🔥 Trending CVEs

Recent cybersecurity developments have highlighted several critical vulnerabilities, including: CVE-2024-44308, CVE-2024-44309 (Apple), CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-11003, CVE-2024-10224 (needrestart), CVE-2024-51092 (LibreNMS), CVE-2024-10217, CVE-2024-10218 (TIBCO), CVE-2024-50306 (Apache Traffic Server), CVE-2024-10524 (wget), CVE-2024-34719 (Android), CVE-2024-9942 (WPGYM), CVE-2024-52034 (mySCADA myPRO), and CVE-2024-0138 (NVIDIA). These security flaws are serious and could put both companies and regular people at risk.

📰 Around the Cyber World

• A New Way to outsmart Fortinet's Logging Mechanism: Thanks to a quirk in Fortinet VPN server's logging mechanism, which only captures failed login events during authentication attempts against the server, a malicious attacker could conceal the successful verification of credentials during a brute-force attack without tipping off incident response (IR) teams of compromised logins. While a log entry for the successful login is created during the authorization phase, the attacker could devise a method that stops at the authentication step, and confirm if the credentials are legitimate. "This discovery was surprising, as it indicated that IR teams monitoring Fortinet VPN usage, cannot differentiate between a failed and a successful brute-force attempt," Pentera said. "This means that if an attacker were to use the technique we discovered, the successful login could go undetected, potentially leaving their network compromised."
• Cross-Site Scripting (XSS) Flaw Uncovered in Bing: A newly disclosed XSS flaw in Microsoft Bing could have been abused to execute arbitrary code in the context of the website by taking advantage of an API endpoint in Bing Maps Dev Center Portal. This could allow an attacker to render a specially-crafted map within the www.bing[.]com context and trigger code execution by bypassing a Keyhole Markup Language (KML) HTML/XSS blocklist. Following responsible disclosure on August 26, 2024, the issue was addressed by Microsoft as of September 30.
• CWE Top 25 Most Dangerous Software Weaknesses for 2024 Released: Speaking of XSS flaws, the vulnerability class has topped the list of top 25 Dangerous Software Weaknesses compiled by MITRE based on an analysis of 31,770 Common Vulnerabilities and Exposures (CVE) records from the 2024 dataset. Out-of-bounds writes, SQL injections, Cross-Site Request Forgery (CSRF) flaws, and path traversal bugs round up the remaining four spots. "Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place — benefiting both industry and government stakeholders," MITRE said.
• Millions of Data Records Exposed Due to Power Pages Misconfigurations: Missing or misconfigured access controls in websites built with Microsoft Power Pages are exposing private organizations and government entities' sensitive data to outside parties, including full names, email addresses, phone numbers, and home addresses, leading to potential breaches. "These data exposures are occurring due to a misunderstanding of access controls within Power Pages, and insecure custom code implementations," AppOmni said. "By granting unauthenticated users excessive permissions, anyone may have the ability to extract records from the database using readily-available Power Page APIs." What's more, some sites have been found to grant even anonymous users "global access" to read data from database tables and fail to implement masking for sensitive data.
• Meta Fined $25.4 million in India Over 2021 WhatsApp Privacy Policy: India's competition watchdog, the Competition Commission of India (CCI), slapped Meta with a five-year ban on sharing information collected from WhatsApp with sister platforms Facebook and Instagram for advertising purposes. It also levied a fine of ₹213.14 crore (about $25.3 million) for antitrust violations stemming from the controversial 2021 privacy policy update, stating the updated privacy policy is an abuse of dominant position by the social media giant. The policy update, as revealed by The Hacker News in early January 2021, sought users' agreement to broader data collection and sharing with no option to refuse the changes. "The policy update, which compelled users to accept expanded data collection and sharing within the Meta group on a 'take-it-or-leave-it' basis, violated user autonomy by offering no opt-out option," the Internet Freedom Foundation (IFF) said. "The ruling reinforces the need for greater accountability from tech giants, ensuring that users' rights are protected, and the principles of fair competition are upheld in digital markets." Meta said it disagrees with the ruling, and that it intends to challenge CCI's decision.
• Alleged Russian Phobos ransomware administrator extradited to U.S.: A 42-year-old Russian national, Evgenii Ptitsyn (aka derxan and zimmermanx), has been extradited from South Korea to the U.S. to face charges related to the sale, distribution, and operation of Phobos ransomware since at least November 2020. Ptitsyn, who is alleged to be an administrator, has been charged in a 13-count indictment with wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud and abuse, four counts of causing intentional damage to protected computers, and four counts of extortion in relation to hacking. More than 1,000 public and private entities in the U.S. and around the world are estimated to have been victimized by the ransomware group, earning them more than $16 million dollars in extorted ransom payments. Ptitsyn and his co-conspirators have been accused of advertising the Phobos ransomware for free through posts on cybercrime forums, and charging their affiliates around $300 to receive the decryption key to access the data. Describing it as a "lower-profile but highly impactful threat," Trellix said, "Phobos' approach focused on volume rather than high-profile targets, allowing it to maintain a steady stream of victims while remaining relatively under the radar." It also helped that the ransomware operation lacked a dedicated data leak site, enabling it to avoid drawing the attention of law enforcement and cybersecurity researchers.
• Jailbreaking LLM-Controlled Robots: New research from a group of academics from the University of Pennsylvania has found that it's possible to jailbreak large language models (LLMs) used in robotics, causing them to ignore their safeguards and elicit harmful physical damage in the real world. The attacks, dubbed RoboPAIR, have been successfully demonstrated against "a self-driving LLM, a wheeled academic robot, and, most concerningly, the Unitree Go2 robot dog, which is actively deployed in war zones and by law enforcement," security researcher Alex Robey said. "Although defenses have shown promise against attacks on chatbots, these algorithms may not generalize to robotic settings, in which tasks are context-dependent and failure constitutes physical harm."

🎥 Expert Webinar

• 🤖 Building Secure AI Apps—No More Guesswork — AI is taking the world by storm, but are your apps ready for the risks? Whether it's guarding against data leaks or preventing costly operational chaos, we've got you covered. In this webinar, we'll show you how to bake security right into your AI apps, protect your data, and dodge common pitfalls. You'll walk away with practical tips and tools to keep your AI projects safe and sound. Ready to future-proof your development game? Save your spot today!
• 🔑 Protect What Matters Most: Master Privileged Access Security — Privileged accounts are prime targets for cyberattacks, and traditional PAM solutions often leave critical gaps. Join our webinar to uncover blind spots, gain full visibility, enforce least privilege and Just-in-Time policies, and secure your organization against evolving threats. Strengthen your defenses—register now!
• 🚀 Master Certificate Replacement Without the Headache — Is replacing revoked certificates a total nightmare for your team? It doesn't have to be! Join our free webinar and learn how to swap out certificates like a pro—fast, efficient, and stress-free. We'll reveal how to cut downtime to almost zero, automate the entire process, stay ahead with crypto agility, and lock in best practices that'll keep your systems rock-solid. Don't let certificates slow you down—get the know-how to speed things up!

🔧 Cybersecurity Tools

• Halberd: Multi-Cloud Security Testing Tool — Halberd is an open-source tool for easy, proactive cloud security testing across Entra ID, M365, Azure, and AWS. With a sleek web interface, it lets you simulate real-world attacks, validate defenses, and generate actionable insights—all at lightning speed. From attack playbooks to detailed reports and smart dashboards, Halberd makes tackling cloud misconfigurations a breeze.
• BlindBrute: Your Go-To Tool for Blind SQL Injection — BlindBrute is a powerful and flexible Python tool designed to simplify blind SQL injection attacks. It detects vulnerabilities using status codes, content length, keywords, or time-based methods and adapts to various scenarios with customizable payloads. With features like database and column detection, data length discovery, and multiple extraction methods (character-by-character, binary search, or dictionary attack), BlindBrute ensures efficient data retrieval. Plus, it supports multithreading, customizable HTTP requests, and all major HTTP methods, making it a versatile solution for tackling complex SQL injection tasks with ease.

🔒 Tip of the Week

Neutralize Threats with DNS Sinkholing — Ever wish you could cut off malware and phishing attacks before they even reach your systems? That's exactly what DNS sinkholing does—and it's simpler than you think. By redirecting traffic headed to known malicious domains (used by botnets, phishing, or malware) to a "sinkhole" IP, this technique blocks threats right at the source. All you need is a DNS server, a feed of real-time threat data from sources like Spamhaus or OpenPhish, and a controlled sinkhole server to stop bad actors in their tracks.

But here's the kicker: DNS sinkholing doesn't just block threats—it's a detective, too. When infected devices try to reach sinkholed domains, their activity gets logged, giving you a clear view of which endpoints are compromised. This means you can pinpoint the issue, isolate the infected devices, and fix the problem before it spirals out of control. Want to take it a step further? You can even set it up to alert users when threats are blocked, raising awareness and curbing risky behavior.

The best part? Pair DNS sinkholing with automated tools like SIEM systems, and you'll get instant alerts, detailed threat reports, and a real-time look at your network security. It's low-cost, high-impact, and incredibly effective—a modern, proactive way to turn your DNS into your first line of defense. Ready to level up your threat management game? DNS sinkholing is the tool you didn't know you needed.

Conclusion

This week's news shows us one thing loud and clear: the digital world is a battleground, and everything we use—our phones, apps, and networks—is in the crossfire. But don't worry, you don't need to be a cybersecurity expert to make a difference.

Staying sharp about threats, questioning how secure your tools really are, and doing simple things like keeping software updated and using strong passwords can go a long way.