Windows Kernel Vulnerability, Massive Data Breach, Facebook Malvertising Malware – Cybersecurity News [October 28, 2024]
This week's roundup, curated from primary sources, covers a downgrade attack that defeats Windows kernel protections, the largest healthcare data breach in US history, a malvertising campaign that hijacks Facebook accounts to spread malware, a critical Opera browser flaw that has now been patched, and the first international strategic plan released by CISA. Let's delve in.
Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel
Researchers have demonstrated an attack that bypasses Microsoft's Driver Signature Enforcement (DSE) on fully patched Windows systems. With DSE defeated, an attacker who already holds administrative rights can load unsigned kernel drivers and deploy custom rootkits that neutralize security controls, hide processes and network activity, and persist undetected. The same line of research earlier uncovered two privilege-escalation flaws in the Windows Update process (CVE-2024-21302 and CVE-2024-38202, since addressed by Microsoft) that could be weaponized to roll up-to-date Windows software back to older, vulnerable versions.
The technique is implemented in a tool dubbed Windows Downdate, which hijacks the Windows Update process to craft downgrades of critical OS components that are persistent, hard to reverse, and invisible to the update mechanism, which continues to report the system as fully patched. This gives attackers an alternative to Bring Your Own Vulnerable Driver (BYOVD) attacks: instead of loading a third-party vulnerable driver, they downgrade first-party modules, including the OS kernel itself, to versions with known flaws, and then exploit those.
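Because a downgraded component still passes the update mechanism's own checks, the cheapest defensive control is an out-of-band version baseline. The following PowerShell script is an added example written for this article; it is not part of the Windows Downdate research or of any Microsoft tooling. It records the file versions of the kernel, the code-integrity module that enforces DSE, and the secure kernel and hypervisor binaries, then on later runs flags any component whose version has gone backwards, and reports whether virtualization-based security (VBS) and HVCI are actually running. The baseline path is an assumption; pick one an attacker with local admin cannot rewrite (ideally off-host).

```powershell
# Added example, not from the article or from the Windows Downdate research.
# Usage:  .\Test-KernelDowngrade.ps1 -Record          # on a known-good, fully patched host
#         .\Test-KernelDowngrade.ps1                  # later, to detect silent rollbacks
param(
    [string]$BaselinePath = "$env:ProgramData\kernel-component-baseline.json",  # assumed location
    [switch]$Record
)

# Components that a Windows Downdate-style attack rolls back: the kernel, the
# code-integrity module (ci.dll enforces DSE), the secure kernel and the hypervisor.
$components = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\ci.dll",
    "$env:SystemRoot\System32\securekernel.exe",
    "$env:SystemRoot\System32\hvix64.exe",
    "$env:SystemRoot\System32\hvax64.exe"
)

function Get-ComponentVersions {
    $result = @{}
    foreach ($path in $components) {
        if (Test-Path $path) {
            # FileVersionRaw is the [version] that cumulative updates bump (major.minor.build.revision)
            $result[$path] = (Get-Item $path).VersionInfo.FileVersionRaw
        }
    }
    return $result
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning contains 2 = HVCI
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

$current = Get-ComponentVersions

if ($Record) {
    $snapshot = @{}
    foreach ($k in $current.Keys) { $snapshot[$k] = $current[$k].ToString() }
    $snapshot | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$findings = foreach ($path in $current.Keys) {
    $expected = $baseline.$path
    if (-not $expected) { continue }   # component not present when the baseline was taken
    $status = if ($current[$path] -lt [version]$expected) { 'DOWNGRADED' }
              elseif ($current[$path] -gt [version]$expected) { 'newer (refresh baseline after patching)' }
              else { 'ok' }
    [pscustomobject]@{ Component = $path; Baseline = $expected; Current = $current[$path].ToString(); Status = $status }
}

$findings | Format-Table -AutoSize
Get-VbsState | Format-List

if ($findings | Where-Object Status -eq 'DOWNGRADED') {
    Write-Warning "One or more kernel-mode components are older than the recorded baseline; investigate before trusting Windows Update's patch status."
}
```

Run the check from a scheduled task or your EDR's script-execution feature rather than interactively, and refresh the baseline after each Patch Tuesday so that legitimate upgrades do not mask a later rollback. A reported version that is newer than the baseline is expected after patching; a version that is lower is never expected on a managed host.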
100 Million Records Reportedly Compromised in Significant Data Breach
On October 24, the data breach portal of the Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services (HHS), updated the number of people affected by the UnitedHealth breach (which originated at its Change Healthcare subsidiary) to 100 million, making it the largest healthcare data exposure in US history. The ALPHV/BlackCat ransomware group has been identified as responsible for the incident.
UnitedHealth CEO Andrew Witty had already told Congress in May that the health information of potentially a third of Americans was exposed. The stolen records affected people both directly and indirectly, since they included information about patients' family members and other sensitive personal data. After the attack, UnitedHealth negotiated with the group, which promised to decrypt the affected systems and withhold the stolen data once a ransom was paid.
UnitedHealth paid a $22 million ransom to prevent further leaks, but the attackers took the payment without honoring the agreement. The breach underscores why healthcare data protection warrants serious investment: medical records are among the most sensitive personal information there is, and a ransom payment buys no guarantee that stolen data stays private.
Malvertising Campaign Hijacks Facebook Accounts to Spread SYS01stealer Malware
Cybersecurity researchers have identified ongoing malvertising campaigns that abuse Meta's advertising platform and hijacked Facebook accounts to distribute an information stealer dubbed SYS01stealer. The operators impersonate trusted brands in their ads to extend their reach among unsuspecting users.
The campaign leverages nearly a hundred malicious domains to host and distribute the malware and to run live command-and-control (C2) operations, letting the operators manage the attack in real time. The lures are chosen deliberately: ads promoting business tools, games, and other enticing content are shown to the target, who is then tricked into interacting with them.
The deployment of the malware follows this procedure:
- After the victim clicks the ad, they are redirected to a deceptive site, typically impersonating a legitimate brand.
- The site delivers a download containing a legitimate-looking executable, which the victim runs.
- That executable sideloads a malicious DLL from its own directory; the DLL is the stealer proper, harvesting browser data such as browsing history, saved login credentials, and Facebook session cookies. Hijacked Facebook business accounts are then reused to push further malicious ads, which keeps the campaign self-sustaining.
The campaign shows how operators keep updating their delivery techniques to evade detection while exploiting users who trust the ad platform.
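The sideloading step above is the part of this chain that leaves a durable artifact on disk: a host executable sitting next to a DLL it was never shipped with. The following PowerShell hunt is an added example written for this article, not code from the SYS01stealer research. It walks user-writable directories for recently written executables and lists DLLs beside them that are unsigned or signed by a different publisher than the executable, flagging those whose name shadows a DLL that normally lives in System32 (the classic sideload pattern, since the loader searches the application directory first). The search roots and the 14-day window are assumptions; adjust them to your environment.

```powershell
# Added example, not from the article or from the SYS01stealer research.
# Hunts for DLL-sideloading candidates in user-writable locations.
param(
    [string[]]$SearchRoots = @("$env:LOCALAPPDATA", "$env:APPDATA", "$env:TEMP", "$env:USERPROFILE\Downloads"),  # assumed roots
    [int]$NewerThanDays = 14                                                                                        # assumed window
)

$since = (Get-Date).AddDays(-$NewerThanDays)

# Names of DLLs that ship in System32. A same-named DLL dropped next to an EXE
# elsewhere is the sideload pattern: the EXE imports it by name and the loader
# resolves it from the application directory before the system directory.
$systemDlls = @{}
Get-ChildItem "$env:SystemRoot\System32" -Filter *.dll -File | ForEach-Object { $systemDlls[$_.Name.ToLower()] = $true }

function Get-SideloadCandidates {
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since } |
            ForEach-Object {
                $exe    = $_
                $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
                $exeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { $null }

                Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
                    $dllSig    = Get-AuthenticodeSignature -FilePath $_.FullName
                    $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { $null }

                    # Interesting when the DLL is unsigned, or signed by someone other than the EXE's publisher.
                    if ($dllSig.Status -ne 'Valid' -or $dllSigner -ne $exeSigner) {
                        [pscustomobject]@{
                            Exe              = $exe.FullName
                            ExeSigned        = ($exeSig.Status -eq 'Valid')
                            Dll              = $_.FullName
                            DllSigned        = ($dllSig.Status -eq 'Valid')
                            ShadowsSystemDll = $systemDlls.ContainsKey($_.Name.ToLower())
                            DllWritten       = $_.LastWriteTime
                        }
                    }
                }
            }
    }
}

# Highest-value hits first: a signed EXE beside an unsigned DLL that shadows a system DLL name.
Get-SideloadCandidates |
    Sort-Object -Property @{Expression='ShadowsSystemDll'; Descending=$true}, @{Expression='ExeSigned'; Descending=$true}, DllSigned |
    Format-Table -AutoSize
```

Treat the output as a hunt list, not an alert: plenty of legitimate software ships unsigned helper DLLs beside its executable, so the rows to prioritize are a validly signed executable paired with an unsigned DLL whose name matches a system library, especially in Downloads or Temp. Confirm a hit by checking the DLL's imports and the executable's import table (for example with a PE tool) before responding.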
Opera Browser Fixes Big Security Hole That Could Have Exposed Your Information
There is positive news as well. A critical vulnerability in the Opera web browser has been patched. The flaw, codenamed CrossBarking, could have allowed a malicious browser extension to gain unauthorized access to Opera's private APIs and perform actions such as capturing screenshots, modifying browser settings, and hijacking accounts. Opera fixed the issue on September 24 this year, following responsible disclosure by the researchers who found it, adding one more browser-related incident to this year's list.
The issue stemmed from an access-control misconfiguration: several Opera-owned subdomains were granted privileged access to the browser's private APIs. An extension that could inject JavaScript into one of those subdomains inherited that privileged access, which is enough to hijack user accounts and mount adversary-in-the-middle (AitM) attacks against the victim's traffic. The practical lesson for readers is to install browser extensions only from trusted publishers via official stores, and to review the permissions an extension requests, since the ability to inject scripts into web pages was all this attack needed.
CISA Releases Its First-Ever International Strategic Plan
CISA has released its 2025-2026 International Strategic Plan, the agency's first comprehensive strategy for its work outside US borders. CISA Director Jen Easterly stated that mitigating the risks facing shared global infrastructure requires sustained collaboration between public and private entities across countries. The plan's main goals are:
- Bolster the security and resilience of foreign infrastructure on which the United States depends
- Strengthen integrated cyber defense with international partners
- Unify the agency's coordination of its international activities so that they operate as one program
With this plan, CISA formalizes its commitment to improving cybersecurity posture on a global scale. The agency acknowledges that threats continue to grow in volume and sophistication, and that defending against them is a continuous effort rather than a finished task.