This Week in Cyber 15th November 2024

Analyst Insight

This week in cyber, a popular U.S. fashion retailer called "Hot Topic" suffered a data breach affecting 57 million people, adding them to the HaveIBeenPwned list of compromised websites. Meanwhile, a 45-year-old man in Idaho was sentenced to 10 years in prison for multiple hacking charges. The FBI and CISA also disclosed that telecom providers are being targeted by nation-state threat actors seeking to intercept private communications. On the patching front, Microsoft released their monthly Patch Tuesday, fixing 89 security flaws including 4 zero-days and 2 that were actively exploited, while Fortinet released a patch for a high-severity FortiClient vulnerability.

Hackers Compromise Telecoms Providers Targeting Government Officials

A joint statement from the FBI and CISA addresses a nation state threat actor targeting telecommunications infrastructure with the objective of intercepting private communications of government officials. Threat actors “compromised networks at multiple telecommunications companies to enable the theft of customer call records data” which affected a small number of individuals who are involved primarily in government or political activities. They also stole “certain information that was subject to U.S. law enforcement requests pursuant to court orders.”

57 Million People Affected by Hot Topic Data Breach

HaveIBeenPwned (HIBP) added the retailer “Hot Topic” to their list of affected websites. Discovered in October 2024, the breach contains 56,904,909 compromised accounts with Dates of birth, Email addresses, Genders, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases, Salutations.

The threat actor boasted on BreachForums that the data breach included 350 million customers information from Hot Topic, Torrid and Box Lunch and was attempting to sell the data for $20,000 as reported on BleepingComputer. But this proved to be an inflated number.

Idaho Hacker Sentenced to 10 Years for Extorting U.S. Healthcare Providers

Robert Purbeck, a 45-year-old from Idaho, was sentenced to ten years in prison for hacking 19 U.S. organisations and stealing personal data of over 132,000 people. Known online as "Lifelock" and "Studmaster," Purbeck bought access to servers on the darknet, stealing data from a medical clinic and a police department in Georgia. He extorted a Florida orthodontist in 2018, threatening to sell patient data. The FBI found data of over 132,000 people during a 2019 raid. Purbeck pleaded guilty to unauthorised computer access and will also serve three years of supervised release and pay over $1 million in restitution.

Microsoft November 2024 Patch Tuesday Addresses 89 Security Flaws

Microsoft has rolled out its monthly Patch Tuesday addressing 89 security flaws, including four zero-day vulnerabilities. Actively exploited vulnerabilities include a Windows Task Scheduler flaw (CVE-2024-49039) and an NTLM hash disclosure issue (CVE-2024-43451). Two zero-days were disclosed but not actively exploited in attacks including Microsoft Exchange Server Spoofing Vulnerability (CVE-2024-49040) and an Active Directory Certificate Services Elevation of Privilege Vulnerability (CVE-2024-49019).

Fortinet Patch Vulnerability CVE-2024-47574

Shortly after critical vulnerability CVE-2024-47574 was discovered, FortiNet deployed patches to address it. The vulnerability has a high severity rating with a CVSSv3 score of 7.4, allowing potential remote code execution without authentication. This critical flaw has been actively exploited, so security teams should deploy the patches as soon as possible. In fact, CISA has required all federal agencies to install the patches by November 13th.