Increase in Zero-Day Exploits Targeting Edge Devices


Baltimore Public Schools Data Breach; Disney Menu Hacker Sentenced

Breach Roundup: Surge in Edge Device Zero-Day Exploits

Each week, Information Security Media Group compiles reports on cybersecurity incidents across the globe. This week’s highlights include a notable increase in zero-day exploits, a data breach impacting Baltimore public schools, recent vulnerabilities in software from Broadcom Brocade and Commvault, a malicious patch targeting WooCommerce, an attack on Hitachi Vantara, and the sentencing of an ex-Disney employee for hacking.

Rise in Zero-Day Exploits Targeting Enterprise Solutions

According to Google, 75 zero-day vulnerabilities were exploited in 2024, and 44% of them targeted enterprise technologies, up from 37% the previous year. This shift means a broader range of vendors must strengthen their security practices. Most of the exploited zero-days were in security and networking products, including Ivanti Cloud Services Appliance, Palo Alto Networks PAN-OS, and Cisco Adaptive Security Appliance.

Edge devices have emerged as lucrative points of entry, drawing attention from state-sponsored entities, including Chinese cyber espionage groups. While cyber espionage activities accounted for over half of the tracked exploits, more than half of the zero-day vulnerabilities were attributed to commercial spyware vendors rather than state-sponsored actors. North Korean hacking groups also matched their Chinese counterparts in the number of exploits.

The year-to-year count of exploited zero-days fluctuates, falling from 98 in 2023 to 75 in 2024, but the longer-term trend still points to gradually rising exploitation. Even with the decrease in browser and mobile device exploitation, attacks on mobile users remain widespread, with Microsoft and Google products the primary targets, followed by Ivanti.

Arrest of Alleged Nefilim Ransomware Hacker

On Wednesday, Spanish authorities extradited Artem Stryzhak to the U.S. to face ransomware charges linked to the Nefilim ransomware-as-a-service operation. Stryzhak, 35, is a Ukrainian national apprehended in June 2024. Prosecutors allege that Stryzhak targeted major companies in the U.S., Canada, and Australia, exploiting vulnerabilities in Citrix systems and utilizing tactics including remote desktop protocol access.

The indictment details his involvement dating back to June 2021, when he agreed to direct attacks at companies with revenues exceeding $200 million. Prosecutors are seeking to detain him without bail, and if convicted, he faces a maximum five-year prison sentence.

Baltimore City Public Schools Data Breach Attributed to Cloak Ransomware

Baltimore City Public Schools has informed thousands of employees and students about a recent data breach stemming from a cyberattack in February. The incident resulted in the exposure of sensitive personal information, including Social Security numbers and student records, affecting around 31,000 individuals. Although the school district did not explicitly identify the perpetrating group, reports indicate that the Cloak ransomware group, responsible for over 130 similar attacks since late 2022, was involved.

CISA Identifies Critical Vulnerabilities in Broadcom and Commvault

The U.S. Cybersecurity and Infrastructure Security Agency has added two critical vulnerabilities to its Known Exploited Vulnerabilities catalog. One flaw, in Broadcom’s Fabric OS, allows local admin users to execute arbitrary code; the other, in Commvault’s Web Server, lets authenticated attackers create web shells. CISA has directed federal agencies to apply the necessary patches by the specified deadlines.

Fake WooCommerce Patch Delivers Dangerous Backdoor

A large-scale phishing campaign targeting WooCommerce users has been uncovered, wherein attackers distribute fake security alerts urging victims to download a malicious patch. This bogus alert installs a backdoor, allowing remote access and administrative manipulation of affected systems. The malicious plugin’s payload can enable a range of malicious activities, including spam injection and DDoS attacks.

Hitachi Vantara Suffers Akira Ransomware Attack

Recently, Hitachi Vantara fell victim to a ransomware attack that prompted the company to take its servers offline. The Akira ransomware gang claimed responsibility, allegedly breaching sensitive data, including information related to government projects. Hitachi is currently collaborating with cybersecurity experts on an investigation into the breach.

Ex-Disney Employee Sentenced for Server Hacking

Michael Scheuer, a former manager at Disney, was sentenced to three years in prison for illegally accessing the company’s servers to alter restaurant menus, including falsifying allergen information. After being terminated in June 2023, Scheuer repeatedly breached Disney’s secure systems, resulting in significant operational disruptions and reputational damage.

Darcula Phishing Kit Integrates GenAI for Scams

The Darcula phishing platform has introduced generative AI features, allowing cybercriminals to craft tailored phishing pages effortlessly. This service targets users globally, often masquerading as legitimate organizations. The integration of AI into phishing kits signifies a troubling escalatory trend in cybercrime, enhancing the potential for successful attacks.

FBI Reveals 42,000 Phishing Domains from LabHost

The FBI released details of 42,000 domains associated with the now-defunct phishing-as-a-service provider LabHost. Following a significant international law enforcement operation that arrested numerous individuals, the domains were disclosed to assist organizations in mitigating risks related to historical phishing attempts.

This report is based on the latest findings from Information Security Media Group.