Cyber Daily 12/12: Water Treatment Facilities at Risk, Windows 0Day Attack, China Denies Telco Attacks, WordPress Plugin Flaw, Microsoft's Patch Tuesday
Welcome to the ONSEC Cyber Daily for December 12th. Today, we're diving into a chilling tale of cyberattacks on water treatment facilities, revealing how a cyberattacker tried to poison a Florida city's water supply by remotely accessing internal systems. We're also discussing the new Windows 0Day attack confirmed by Homeland Security and the urgent need for users to update their systems. In other news, the FBI has issued a warning to iPhone and Android users to change their WhatsApp, Facebook Messenger, and Signal Apps due to ongoing cyberattacks. We'll also be looking at the exploitation of the Hunk Companion vulnerability in WordPress sites and the urgent need to patch this flaw. In the world of tech giants, Microsoft and Apple have released critical patches to address various vulnerabilities, with Microsoft warning millions to update now due to a new 0Day attack. Meanwhile, Google has paid $55,000 for a high-severity Chrome browser bug. Finally, we're excited to share some new cybersecurity podcasts that have launched recently, including "Code and Country" by Plurilock and the EU-Startups Podcast. Stay tuned for these stories and more in today's issue of ONSEC Cyber Daily. Stay safe and stay updated!
Exploits Alert
- Drowning in Danger: The Vulnerability of Water Treatment Facilities: In 2021, a cyberattacker attempted to poison a Florida city's water supply by remotely accessing and manipulating the system's lye levels. This incident underscores the critical vulnerability of water treatment facilities to cyber threats. Source: Manufacturing.net.
- New Windows 0Day Attack Confirmed—Homeland Security Says Update Now: A new zero-day attack on Windows has been confirmed by the U.S. Cybersecurity and Vulnerability Catalog. The agency has warned that this exploit poses significant risks and urges users to update their systems immediately. Source: Forbes.
- FBI Warns iPhone, Android Users—Change WhatsApp, Facebook Messenger, Signal Apps: The FBI has issued a warning to iPhone and Android users to change their messaging apps, including WhatsApp, Facebook Messenger, and Signal, due to ongoing cyberattacks on U.S. telco networks. China, accused of involvement, has denied these allegations. Source: Forbes.
Vulnerabilities & Patches
- WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins: Attackers are exploiting the Hunk Companion vulnerability (CVE-2024-11972) to install flawed plugins, enabling RCE attacks on over 10,000 WordPress sites. A patch has been released to address this issue. Source: The Hacker News.
- New Windows 0Day Attack Strikes—Microsoft Warns Millions To Update Now: The CVE-2024-49138 threat to Windows users has been addressed in the December round of Patch Tuesday vulnerability fixes released by Microsoft. Users are urged to update their systems immediately. Source: Forbes.
- Malichus Malware Exploiting Cleo 0-Day Vulnerability In Wild: The Cleo 0-Day vulnerability is being exploited by Malichus malware. Cleo released a patch in October and expects to release a new patch mid-week. Source: Cyber Security News.
- Galaxy S24 users need to install the December security update ASAP: Galaxy S24 users are urged to patch CVE-2024-49415 as soon as possible. If the vulnerability is exploited, it could allow an attacker to execute malicious code. Source: Phone Arena.
- Apple Just Patched These 20 Security Vulnerabilities With iOS 18.2: Apple has addressed 20 security vulnerabilities, including one in libexpat (CVE-2024-45490), with improved memory handling in its iOS 18.2 update. Source: Lifehacker.
Podcasts
- "Code and Country" by Plurilock: Plurilock has launched a new cybersecurity podcast named "Code and Country". The first episode is available now, with future episodes planned to explore international cybersecurity policy and democratic institution protection. Source: Stock Titan, Newsfile Corp.
- EU-Startups Podcast Episode 99: The latest episode of the EU-Startups Podcast features Jan Lozek, founder and managing partner of Future Energy Ventures. The episode is sponsored by Vanta and discusses ETHIACK's AI-driven cybersecurity solutions. Source: EU-Startups.
- The Daily Scoop Podcast: The Daily Scoop Podcast's latest episode features Sonny Wescott, CISA ISD Chief Meteorologist at the U.S. Department of Homeland Security, providing insights on extreme weather, AI, and infrastructure resilience. Source: FedScoop.
- CyberWire Daily Podcast: The CyberWire Daily Podcast's latest episode discusses the race against time when exploits go wild and patches are urgently needed. Source: CyberWire.
- AI Talk With Juliana Neelbauer: The second episode of AI Talk With Juliana Neelbauer discusses cybersecurity insurance as the new frontier of risk management. Source: JD Supra.
Final Words
As we wrap up today's edition of ONSEC Cyber Daily, we can't help but reflect on the importance of staying vigilant in our digital world. From the vulnerability of water treatment facilities to the relentless cyberattacks on our devices and systems, the need for robust cybersecurity measures has never been more apparent. Remember, the cyber world is a shared space, and we all have a role to play in keeping it safe. So, let's not keep this information to ourselves. Share this newsletter with your friends and colleagues, and let's spread the word about the importance of cybersecurity. In the meantime, keep your systems updated, stay informed, and most importantly, stay safe out there. Until tomorrow, this is your ONSEC Cyber Daily, signing off.