BankInfoSecurity.com

Proof-of-Concept Exploit 'LDAP Nightmare' Crashes 'Any Unpatched Windows Server'
Security experts are urging all organizations that use Microsoft Windows to ensure they install patches, released last month, to fix Lightweight Directory Access Protocol denial-of-service and remote code execution flaws. Researchers have released a proof-of-concept exploit for the latter flaw.

Reportedly Hacked: Charter Communications, Consolidated Communications, Windstream
The nine known victims of a "broad and significant cyberespionage campaign" the White House has tied to China reportedly include Charter Communications, Consolidated Communications and Windstream, as officials said the hackers' earliest known telecom network penetration began in mid-2023.

Flaw Enabled Signature Bypassing on Nuclei ProjectDiscovery
Open-source vulnerability scanner Nuclei patched a critical flaw in its open-source vulnerability management tool ProjectDiscovery. Security firm Wiz uncovered the flaw, a signature verification system flaw that could allow attackers to execute malicious code using custom code templates.

Yoran's Passing Comes 10 Months After Cancer Diagnosis, 1 Month After Taking Leave
Amit Yoran - a West Point graduate who founded NetWitness, sold the company to RSA and took Tenable public - died Friday. He was 54. Yoran was diagnosed in March 2024 with a treatable form of cancer, and in December temporarily stepped away from his role as Tenable's CEO to get additional treatment.

Plaintiffs Sued After Report that Apple Eavesdropped on Intimate Moments
Apple agreed to pay $95 million to settle a lawsuit accusing the smart device giant of illegally recording audio through its Siri virtual assistant and sharing extracts with human reviewers. Class members who purchased Siri-enabled devices could receive $20 per device.

Indiana Attorney General Fines Westend Dental $350K in 2020 Ransomware Hack
An Indiana dental practice agreed to pay the state $350,000 and implement a long list of data security improvements following an alleged 2020 ransomware breach "cover up" that came to light when state regulators investigated a patient complaint about unfulfilled requests for dental X-rays.

Access Management Leaders Remain Unchanged as Customer Identity Cases Proliferate
Advances in customer identity around better user experience, strong authentication, and centralized identity processes have driven rapid growth in the access management market. The space by grew 17.6% to $5.85 billion in 2023 as organizations increasing look to replace homegrown CIAM solutions.

Cyber Defense Agency Aims to Bolster Protections Against Chinese Intrusion
The Cybersecurity and Infrastructure Security Agency is issuing final rules to safeguard U.S. sensitive data from potential Chinese intrusions, requiring Americans involved in restricted transactions with Chinese entities to adopt stringent cybersecurity measures.

DDoS Attacks Primarily Target Logistics, Government and Financial Entities
A spate of distributed denial-of-service attacks during the end-of-year holiday season disrupted operations at multiple Japanese organizations, including the country's largest airline, wireless carrier and prominent banks. The effect of the attacks has been temporary.

Ken Palla on Lessons From U.K and Australia to Reduce Fraud and Scams
The U.S. Consumer Financial Protection Bureau's decision to file a lawsuit against Zelle is too late and too narrow to reduce scams, said Ken Palla, retired director with MUFG Bank. CFPB last month sued the operator of Zelle, as well as three banks for failing to protect consumers from fraud.

Developers Listed as Public Contact Points Targeted in Phishing Campaign
A supply chain attack that subverted legitimate Google Chrome browser extensions to inject data-stealing malware is more widespread than security researchers first suspected. So far researchers have identified 36 subverted extensions collectively used by 2.6 million people.

Integrity Technology Group Built Botnet for Chinese Hackers, US Treasury Says
The Department of Treasury blacklisted Integrity Technology Group, declaring transactions with the company to be off-limits for U.S. financial institutions and persons. The effect will likely have more symbolic than actual disruptive effect.

Data Protection, Firewall Stocks Surge as Vulnerability Management Stocks Struggle
Fortunes diverged for publicly-traded cybersecurity companies in 2024, as the technology category they played in and market share they held largely determined their fate. Investors last year looked favorably upon companies in the data protection space, with Commvault and Rubrik recording big gains.

Experts: New Mandates Could Be Difficult, Costly for Many Entities
The U.S. Department of Health and Human Services' proposed overhaul of the 20-plus-year-old HIPAA Security Rule aims to drastically improve the state of healthcare sector cybersecurity, but the potential new requirements could mean difficult and expensive heavy lifting for many regulated entities.

Hackers Reportedly Target Treasury Department Offices Overseeing Economic Sanctions
A Chinese hack of the U.S. Department of Treasury targeted offices tasked with overseeing economic sanctions and financial investigations, as experts warn Beijing is increasingly escalating attacks on American critical infrastructure while preparing for potential future conflict.

Flaw Bypasses Clickjacking Defenses, Enables Account Takeovers
Hackers are exploiting the split-second delay between two mouse clicks to carry out sophisticated clickjacking attacks, tricking victims into authorizing transactions or granting access they never intended. "DoubleClickjacking" manipulates users into granting OAuth and API permissions

Do Hyeong Kwon Extradited to US for Allegedly Defrauding Investors Out of Billions
Do Hyeong Kwon, former CEO of Terraform Labs, appeared in a Manhattan federal courtroom Thursday after facing extradition from Montenegro over allegations he defrauded investors out of billions of dollars while misrepresenting his company's cryptocurrency and other products.

The first 100 days of the next Trump administration and new Congress will be critical in showing signs of what's potentially in store for the healthcare sector cybersecurity, privacy and related regulatory and legislative issues in the new year, said Chelsea Arnone and Cassie Ballard of CHIME.