Weekly News Digest 23-31 December
Merry Christmas and Happy New Year!
Dear reader,
As 2024 came to a close, we want to take a moment to express our heartfelt gratitude to you, our valued readers. Your support, engagement, and curiosity drive our passion for sharing insights into the ever-evolving world of cybersecurity.
This holiday season, may your days be filled with joy, peace, and security—both online and offline. Here’s to a prosperous, safe, and innovative 2025 ahead!
Stay vigilant, stay informed, and as always, stay secure.
China CERT accuses U.S. of cyberattacks
China’s National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT) has published a short notice on its website that describes two cybersecurity incidents that it says are the work of the “US intelligence agency.”
The incidents, one of which occurred in August 2024, targeted an organization involved in advanced material design and research. The attackers are said to have exploited a vulnerability to gain access to a server used to deliver software updates. This resulted in over 270 infected computers within the organization, which were then used to steal information.
Another incident that began in May 2023 targeted a large company in the smart energy sector using unspecified Microsoft Exchange vulnerabilities to gain access to the company’s mail server where the attackers established persistent access and used it to pivot to other computers in the network. This attack resulted in the theft of large amounts of data and emails from the targeted company.
These counter-accusations come amid a torrent of accusations by U.S. authorities against China-linked threat actors hacking wholesale into U.S. organizations and infrastructure. Recent egregious incidents include the work of the Salt Typhoon actor who hacked into numerous telcos in the U.S. and eavesdropped on key U.S. officials in the run-up to the 2024 presidential election.
New Sophisticated Attack Weaponizes Windows Defender to Bypass EDR
Researchers have described a sophisticated attack technique that weaponizes Windows Defender Application Control (WDAC) to disable Endpoint Detection and Response (EDR) sensors on Windows machines.
WDAC, a technology introduced with Windows 10 and Windows Server 2016, was designed to give organizations fine-grained control over executable code on their Windows devices.
However, security experts have discovered that malicious actors can exploit this feature to their advantage, potentially leaving entire networks vulnerable to attack.
The technique, which falls under the MITRE ATT&CK framework’s “Impair Defenses” category (T1562), allows attackers with administrative privileges to craft and deploy specially designed WDAC policies.
These policies can effectively block EDR sensors from loading during system boot, rendering them inoperative and allowing adversaries to operate without the constraints of these critical security solutions.
The attack can be executed in various ways, from targeting individual machines to compromising entire domains. In the most severe scenarios, an attacker with domain admin privileges could distribute malicious WDAC policies throughout an organization, systematically disabling EDR sensors on all endpoints.
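As an added illustration (not code from the article or from the research it summarises), the Python below flags two signals a defender can watch for in the Microsoft-Windows-CodeIntegrity/Operational log: activation of a WDAC policy that is not in the organisation's known set, and a Code Integrity block of an EDR component. The event IDs 3099 (policy activated) and 3077 (file blocked under enforcement) are the real Windows IDs; the record layout, the policy and sensor names, and the sample events are constructed placeholders.

```python
"""Detect WDAC policy abuse aimed at EDR sensors from Code Integrity events.
Added example; event records and names below are constructed, event IDs are real."""
from dataclasses import dataclass

# Policies the organisation actually deployed (placeholder names).
EXPECTED_POLICIES = {"Corp-Baseline-Allow", "Corp-Driver-Allowlist"}
# Kernel driver / service binaries of the deployed EDR sensor (placeholder names).
EDR_BINARIES = {"edrsensor.sys", "edrsvc.exe"}


@dataclass
class CiEvent:
    event_id: int
    host: str
    policy_name: str = ""   # populated on 3099 (policy refreshed/activated)
    file_path: str = ""     # populated on 3077 (file blocked by enforced policy)
    process: str = ""       # process that attempted the load (3077)


def find_suspicious(events):
    """Return (host, message) pairs for events worth an analyst's attention."""
    findings = []
    for ev in events:
        if ev.event_id == 3099 and ev.policy_name not in EXPECTED_POLICIES:
            findings.append((ev.host, f"unexpected WDAC policy activated: {ev.policy_name}"))
        elif ev.event_id == 3077:
            # Compare only the file name so drive letter or path casing do not matter.
            name = ev.file_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in EDR_BINARIES:
                findings.append((ev.host, f"EDR component blocked by Code Integrity: {ev.file_path}"))
    return findings


# Constructed sample log: one normal refresh, one rogue policy, one EDR block, one benign block.
SAMPLE = [
    CiEvent(3099, "ws01", policy_name="Corp-Baseline-Allow"),
    CiEvent(3099, "ws07", policy_name="Policy-Rogue"),
    CiEvent(3077, "ws07", file_path=r"C:\Windows\System32\drivers\edrsensor.sys", process="System"),
    CiEvent(3077, "ws02", file_path=r"C:\Users\bob\Downloads\tool.exe", process="explorer.exe"),
]

if __name__ == "__main__":
    for host, msg in find_suspicious(SAMPLE):
        print(f"[{host}] {msg}")
```

A policy that blocks the sensor at boot also silences the sensor's own telemetry, so forward the Code Integrity log over a channel that does not depend on the EDR agent, and restrict policy deployment rights since the technique requires administrative privileges.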
Hackers Hijacked 16 Chrome Extensions to Inject Malicious Code
In a sophisticated cyberattack campaign that began in mid-December, hackers have compromised at least 16 Chrome browser extensions, exposing over 600,000 users to potential data theft.
The breach, which came to light through a series of reports and statements from affected companies, has raised significant concerns about the security of browser extensions.
Cyberhaven, a California-based data protection company, was among the first to confirm the breach. The company disclosed that on Christmas Eve, a phishing attack compromised an employee’s credentials, allowing hackers to publish a malicious version of their Chrome extension (version 24.10.4).
7-Zip Zero-Day Exploit Allegedly Leaked Online
A critical 7-Zip zero-day exploit has allegedly been leaked on X by an individual operating under the alias “NSA_Employee39”; it reportedly allows attackers to execute arbitrary code on a victim’s machine when a malicious archive is opened or extracted with the latest version of 7-Zip.
This disclosure poses significant cybersecurity risks, particularly in the context of Infostealer malware proliferation and potential supply chain attack vectors.
Cyber Security News recently reported CVE-2024-11477, a severe vulnerability discovered in 7-Zip, the popular file compression utility, that allows remote attackers to execute malicious code through specially crafted archives.
Cisco Data Breach – Authenticity of 4.45GB Data Leak Confirmed
Cisco has confirmed the authenticity of a 4.45GB data leak posted online by the hacker known as IntelBroker.
The leaked files, released on December 25, 2024, via BreachForums, are part of a larger dataset that IntelBroker claims to have exfiltrated from Cisco’s publicly accessible DevHub platform in October 2024.
Despite the leak, Cisco has reiterated that its internal systems and enterprise environments remain uncompromised.
The data leak follows an earlier release by IntelBroker in mid-December, which included 2.9GB of files. The latest release contains additional sensitive materials such as Java binaries, source code, cloud server disk images, cryptographic signatures, and internal project archives.
These files were reportedly obtained due to a misconfiguration in the DevHub platform that inadvertently made certain files publicly accessible.
Cisco has since corrected the configuration error and restored access to DevHub after temporarily disabling it for investigation purposes.
Sources:
- https://cyberscoop.com/chinese-cyber-center-us-alleged-cyberattacks-trade-secrets/
- https://cybersecuritynews.com/attack-weaponizes-windows-defender/
- https://cybersecuritynews.com/hackers-hijacked-16-chrome-extensions/
- https://cybersecuritynews.com/7-zip-zero-day-exploit/
- https://cybersecuritynews.com/cisco-data-authenticity/