Termite Exploits Cleo Zero-Day in Widespread Attacks

Introduction

Cleo’s popular file transfer software has fallen victim to a critical zero-day vulnerability, and the Termite ransomware group is wasting no time exploiting it. This flaw impacts Cleo’s Harmony, VLTrader, and LexiCom products—tools trusted by over 4,200 organizations in industries like logistics, manufacturing, and transportation.

Despite an earlier patch in October, the flaw (CVE-2024-50623) remains a serious threat, leaving businesses scrambling to protect their data and operations.

Cleo Zero Day Vulnerability
Credit: Huntress

What’s Happening with the Cleo Zero-Day?

The vulnerability allows attackers to upload malicious files, execute commands remotely, and potentially steal sensitive data. First detected on December 3, the attacks have escalated rapidly, targeting industries like consumer goods and trucking.

The Technical Lowdown:

  • Affected Products: Harmony, VLTrader, and LexiCom (versions before 5.8.0.21).
  • What’s the Risk?: Attackers can run unauthorized commands, leading to data breaches and operational disruptions.
  • The Culprit: Termite ransomware, which has already hit major organizations like Blue Yonder and Starbucks, is suspected.

How to Stay Safe: Immediate Steps to Take

While Cleo develops a new patch, here’s how you can mitigate the risk:

  1. Unplug from the Internet: Temporarily disconnect Cleo systems from public access.
  2. Turn Off Autorun:
    • Open Cleo’s settings.
    • Go to Configure > Options > Other Pane and disable the autorun directory.
    • Save the changes.
  3. Check for Signs of Trouble:
    • Look for suspicious files like healthchecktemplate.txt or .jar files in Cleo directories.
    • Use Cleo-provided scripts to scan for malicious activity.
  4. Stay Updated: Monitor Cleo’s security bulletins for patch updates.

Who’s Behind This?

All signs point to Termite, a growing ransomware group that mirrors the infamous Clop gang in its operations. Termite has gained a reputation for targeting file transfer software vulnerabilities, and some experts speculate they could be filling the gap left by Clop’s declining activity.

Their tactics include deploying malicious web shells to maintain access, running reconnaissance tools to identify assets, and using stolen data as leverage in ransom demands.

Conclusion

The Cleo zero-day vulnerability serves as another reminder of how quickly ransomware groups exploit weaknesses in trusted software. Organizations relying on Cleo products need to act now to protect their systems and data.

Third-Party Breaches: A Growing Concern

The ripple effects of a breach like this extend far beyond the immediate victims. High-profile organizations like Target, Walmart, Lowes, CVS, The Home Depot, FedEx, Kroger, Wayfair, Dollar General, Victrola, and Duraflame, which rely on Cleo software, now face the risk of third-party breaches. Attackers targeting Cleo’s vulnerabilities could exploit access to these businesses’ supply chains, putting customer data and operations at risk.

Third-party breaches are a significant pain point for businesses today, exposing them to reputational damage, financial loss, and regulatory scrutiny. Companies must assess their supply chain security and demand transparency and accountability from vendors like Cleo.

Zello Faces Another Potential Data Breach, Urges Precautionary Measures

Introduction

Zello, the widely-used push-to-talk app, is once again under scrutiny for its handling of user security. Recently, the company required users to reset their passwords, citing concerns that point to either a credential-stuffing attack or a potential data breach. With 175 million users spanning sectors like emergency response and hospitality, this incident has raised significant questions about the platform’s security measures.

What Happened?

On November 15, 2024, Zello warned users whose account creation date was before November 2nd to change their password. While the exact incident is not known, evidence suggests that:

  • Possible Breach: Customer credentials may have been accessed by unauthorized users.
  • Credential-Stuffing Attack: Threat actors might be using passwords compromised earlier to gain access.

This measure aims to mitigate risks to affected accounts.

Zello Potential Data Theft
Credit: CyberIL

Breaches History at Zello

In 2020, Zello faced a similar challenge:

Data Breach in 2020:

  • Unauthorized activity on a server led to the exposure of email addresses and hashed passwords.
  • Zello required password resets and asked users not to reuse passwords across platforms.

While the company achieved ISO 27001 certification in September 2024—a certification enforcing strict information security procedures—the recurrence of such incidents questions the strength of Zello’s defenses.

The Implications

If confirmed, such a breach or an attack might empower cybercriminals to:

  • Steal Credentials: Access account data for unauthorized use.
  • Expand Attacks: Use cracked passwords for credential-stuffing attacks on other platforms.
  • Expose Sensitive Operations: With Zello used by first responders and other critical sectors, data misuse could disrupt essential services.

What Users Should Do

Zello users should take the following steps to safeguard their accounts immediately:

  • Reset Passwords: Change passwords immediately for accounts created before November 2, 2024.
  • Use Unique Passwords: Avoid reusing passwords across different services.
  • Enable Security Tools: Consider using password managers to generate strong, unique passwords.

With passwordless solutions like PureAuth, organizations can eliminate vulnerabilities altogether, ensuring security by design and default.

Conclusion

The latest security incident at Zello serves as a grim reminder of the changing cyber threats that organizations face. Though breaches may not always be avoidable, proactive measures like enforcing password resets and adopting robust access management solutions can go a long way in mitigating risks.

By going passwordless, facilitated by solutions like PureAuth, businesses can ensure user credentials and data are secure by default and design, protecting against future incidents.

Read Also

Your 1st Step to #GoPasswordless

Making World Password Free

3 ways passwords are Failing the Enterprises

RockYou2024: Nearly 10 Billion Passwords Leaked Online

Introduction

On July 4, 2024, the cybersecurity community was rocked by the discovery of RockYou2024, the largest password compilation leak in history. This staggering breach, revealed by a Cybernews research team, includes nearly 10 billion unique plaintext passwords. The massive dataset, posted on a popular hacking forum, presents severe security risks, especially for users prone to reusing passwords.

The RockYou2024 Password Leak

The RockYou2024 password leak, tracked as the largest of its kind, was unveiled by Cybernews researchers. The file, named rockyou2024.txt, contains an astounding 9,948,575,739 unique plaintext passwords. The dataset was posted by a user named “ObamaCare,” who has a history of leaking sensitive information. This compilation is believed to be a mix of old and new data breaches, significantly increasing the risk of credential stuffing attacks.

Credit: Cybernews

A Brief History of RockYou

The RockYou series of password leaks dates back to 2009, when the original RockYou breach exposed over 32 million user account details. In 2021, the RockYou2021 compilation, containing 8.4 billion passwords, set a new record at the time. RockYou2024 expands on this legacy, adding another 1.5 billion new passwords, making it the largest password dump to date.

Impact and Exploitation Risks

The RockYou2024 leak poses significant dangers due to the vast number of real-world passwords it contains. Cyber-criminals can leverage this data to execute brute-force attacks, attempting to gain unauthorised access to various online accounts. Combined with other leaked databases containing usernames and email addresses, RockYou2024 could lead to widespread data breaches, financial fraud, and identity theft.

How to Protect Against RockYou2024

Reset Compromised Passwords

Immediately reset passwords for any accounts associated with the leaked data. Ensure new passwords are strong, unique, and not reused across multiple platforms.

Enable Multi-Factor Authentication (MFA)

Enable MFA wherever possible. This adds an extra layer of security by requiring additional verification beyond just a password.

Implement Passwordless Solutions

Adopting passwordless solutions can further enhance security. SAML-based passwordless solutions, such as Single Sign-On (SSO) systems, eliminate the need for passwords by using secure tokens for authentication. These solutions reduce the risk of password-related attacks and improve user convenience.

Monitor Accounts and Stay Informed

Regularly monitor accounts for suspicious activity and stay informed about the latest cybersecurity threats and best practices.

Conclusion

This recent breach highlights how fragile and unsafe passwords are, underscoring the need for more secure authentication methods. The RockYou2024 leak demonstrates that even with strong, unique passwords, the risks remain significant. Multi-factor authentication (MFA), while an added layer of security, is not foolproof. For example, MFA breaches such as the 2022 Uber hack and the attack on Microsoft’s Office 365 users in 2021 show its vulnerabilities.

Additionally, password managers are not entirely reliable. The Okta breach in 2022 and the OneLogin breach in 2017 exposed millions of user accounts, demonstrating that even these tools can be compromised.

In light of these risks, passwordless systems are emerging as the next hot trend in cybersecurity. SAML-based passwordless solutions, like PureAuth, provide enhanced security by eliminating the need for passwords and reducing the attack surface for cybercriminals.

Embracing passwordless systems, combined with continuous monitoring and updated security practices, is essential for protecting against the evolving threat landscape. Stay ahead of cyber threats by adopting innovative authentication methods and ensuring your digital assets are well-protected.

Google 2FA Breach: Rethink Authentication Security

In today’s digital landscape, safeguarding our online presence is paramount. Two-factor authentication (2FA) has emerged as a crucial tool in this endeavour. Platforms like Google and Facebook offer 2FA to bolster account security. However, there have been multiple incidents revealing vulnerabilities in this system, prompting concerns among users.

The Case of the Bypassed 2FA

Recent reports unveiled breaches in Gmail and YouTube accounts despite 2FA activation. This revelation underscores a fundamental truth: security with passwords, along with 2FA or MFA is fallible. Hackers continuously adapt their tactics, exploiting weaknesses even in trusted systems like 2FA.

Credit : Forbes

Understanding the Bypass

While the exact method remains undisclosed, hackers may employ various strategies to circumvent 2FA. According to Forbes, It’s probable that these users fell prey to what’s known as a session cookie hijack attack. Typically initiated through a phishing email, hackers direct victims to a counterfeit login page. Upon entering their credentials, users are prompted to complete a simulated 2FA challenge, which they unwittingly comply with.

The Role of Vigilance

Despite these challenges, I would personally suggest moving away from systems that solely rely on 2FA for authentication. But in the extreme case where abandoning 2FA is not the solution, users must adopt additional measures to enhance their security posture.

Secure Alternative to 2FA/MFA

As we have seen numerous instance of 2FA & MFA getting by passed, enterprises need better methods to secure access to their resources. PureAUTH Secure IAM platform provides Zero Trust -Passwordless access and protects enterprises from following type of attacks

  1. Password Spraying & brute forcing attacks
  2. Credential Phishing, Push fatigue and Adversary in the middle attacks
  3. Public Key replacement attacks targeted at solutions using Public Key based authentication like FIDO keys
  4. Social Engineering attacks to reset user credentials and reset or disable MFA/2FA
  5. Abuse of shared credentials or leaked credentials and in general credential stuffing attacks

Elevating Security: Going Beyond 2FA

Security is an ongoing journey, requiring a multifaceted approach. While the challenges of bypassing 2FA are evident, there’s a growing trend towards passwordless authentication methods. Embracing secure identity and access management technologies, adopting a zero-trust architecture are some promising alternatives. By adapting these alternatives and staying vigilant, users can reinforce their online security against the ever-evolving tactics of cyber criminals.

PureID offers solutions that curate a robust defence against unauthorised access, heralding a more secure digital future for organizations. Embrace the resilience of passwordless authentication, reinforce your security posture with PureID, and navigate the cybersecurity landscape with renewed strength. The journey continues—Passwordless Authentication awaits.

Read Also

Breach Chronicles: MongoDB’s Unsettling Security Saga Unfolds

GitHub: Millions of Secrets Exposed

Introduction

In 2023, developers inadvertently leaked a staggering 12.8 million secrets on public GitHub repositories, marking a concerning 28% increase from the previous year. This revelation underscores the security challenge faced by GitHub, as highlighted in a recent report by GitGuardian, a leading security vendor in the software development realm.

Persistent Security Gap

Despite the alarming number of leaked secrets, GitGuardian found that a staggering 90% of these exposed secrets remained active even five days after the initial leakage. Shockingly, only a mere 2.6% were revoked within one hour of receiving notification via email.

The Threat of Malicious Repository Forks

The report adds to the ongoing security challenges faced by GitHub. Since mid-2023, attackers have exploited GitHub’s ecosystem, employing sophisticated tactics to infiltrate legitimate repositories and spread malware. These incidents serve as a reminder of the ongoing challenges in securing the software supply chain.

Commonly Leaked Secrets

The most commonly leaked secrets included Google API keys, MongoDB credentials, OpenWeatherMap tokens, Telegram Bot tokens, Google Cloud keys, and AWS IAM. These leaked credentials could potentially grant unauthorised access to sensitive enterprise resources, posing a significant threat to organisational security.

Growing Popularity of AI Services

GitGuardian’s report also shed light on the growing popularity of AI services, with a notable increase in leaks of OpenAI API keys and HuggingFace user access tokens. These findings underscore the need for heightened security measures in the rapidly evolving landscape of artificial intelligence.

Sectoral Impact

The IT sector emerged as the worst offender, accounting for 65.9% of the total leaked secrets, followed by education, science & technology, retail, manufacturing, and finance and insurance.


It’s concerning to see India leading the charge in secret leaks, underscoring the necessity of bolstering security practices in CI/CD pipelines. This serves as a reminder of the critical need for enhanced vigilance in safeguarding sensitive data.

Call to Action

GitGuardian urged organisations to not only detect but also remediate these leaks effectively. While detection is crucial, remediation efforts are equally essential in mitigating the risks associated with leaked secrets. Additionally, organisations can enhance their security posture by leveraging advanced authentication frameworks such as PureAUTH’s CASPR module.

This module ensures codebase integrity with cryptographic verification. By implementing robust security measures and utilising advanced authentication solutions, organisations can better safeguard their data.

Conclusion

In conclusion, the findings from GitGuardian’s report underscore the pressing need for organisations to prioritise security measures to safeguard sensitive data and prevent unauthorised access to critical resources. The threat posed by millions of malicious repository forks since mid-2023 further highlights the importance of bolstering GitHub’s security infrastructure. By adopting advanced authentication frameworks such as CASPR, organisations can bolster their defences against security threats and ensure the integrity of their codebase.

PureID helps enter prises to remove secrets like passwords, static keys, access tokens with its passwordless technology. By adopting it’s other  advanced authentication frameworks such as ZITA – Just-In-Time-Access & CASPR code-commit protection, organisations can bolster their defences against security threats and ensure the integrity of their codebase.

American Express Warns Customers of Third-Party Data Breach

Introduction

American Express (Amex) has disclosed a potential data breach, affecting some of its credit card holders. The breach, originating from a third-party service provider, has raised concerns about the security of cardholder information.

Timeline

  • March 4, 2024: Breach Notification:
    • American Express files a breach notification letter with the Massachusetts State Attorney General’s Office as a precautionary measure.
    • The breach is attributed to a point-of-sale attack at a merchant processor, not directly involving American Express or its service providers.
  • March 5, 2024: Public Disclosure:
    • Details of the breach are publicly disclosed by American Express, acknowledging the potential compromise of cardholder names, account numbers, and expiration dates.
    • American Express reassures card members and emphasises its robust monitoring systems.
Screenshot of American Express Breach Notice

Details of the Breach

Incident Overview:

  • The breach occurred due to a point-of-sale attack at a merchant processor, not directly involving American Express or its service providers.

Affected Information:

  • Account information potentially compromised includes cardholder names, American Express card account numbers, and expiration dates.
  • Both active and previously issued credit card account numbers may have been impacted.

Customer Perspective

Customer Liability:

  • American Express assures its card members that they won’t be liable for fraudulent charges on their accounts.
  • The company emphasises its sophisticated monitoring systems to detect and address any suspicious activity promptly.

Recommendations for Customers:

  • Customers should regularly review and monitor their account activity.
  • American Express recommends Free fraud and account activity alerts via email, SMS text messaging, and app notifications for added protection.

Industry Perspective

Accountability of Third-Party Service Providers:

  • Cyber security experts such as Liat Hayun, CEO and co-founder of Eureka Security, stress the importance of holding third-party service providers accountable for data security.
  • Recent incidents, like the Bank of America breach with Infosys McCamish Systems, highlight the persistent challenge of third-party vulnerabilities.
  • With breaches attributed to groups like LockBit ransomware, there’s a pressing need to fortify security measures.
  • Previous breaches, such as Bank of America’s exposure via Ernst & Young, emphasise the necessity of securing access points to sensitive data.

Conclusion

The American Express data breach serves as a reminder of the ongoing cybersecurity challenges faced by financial institutions and the imperative need for proactive security measures. Using and Managing passwords also costs a lot. The easiest solution of this unavoidable situation is adopting passwordless solutions for Identity and Access Management (IAM). Password-based authentication methods are increasingly vulnerable to cyber threats.  Embracing advanced authentication mechanisms can mitigate unauthorised access risks and safeguard sensitive information.

Securing Cloud Environments: Lessons from the Microsoft Azure Breach

Introduction

In the wake of the recent Microsoft Azure breach, it has become increasingly evident that organizations must prioritise enhancing their security posture to mitigate the risk of similar incidents in the future. This breach, attributed to compromised passwords & MFA manipulation, underscores the critical importance of implementing passwordless authentication solutions to strengthen overall security.

The Breach

The breach unfolded through a series of sophisticated maneuvers executed by cyber criminals to exploit weaknesses in Azure’s security framework. Initially, phishing emails targeted mid and senior-level executives, enticing them into disclosing their login credentials unwittingly. 

Armed with these credentials, attackers gained unauthorised access to Azure accounts, despite the presence of multi-factor authentication (MFA). By circumventing MFA and substituting victims’ MFA settings with their own, attackers maintained undetected access to Azure resources. 

They further obscured their identities using proxies, evading detection while seizing control of sensitive data and cloud resources.

This helps attackers bypass any poorly designed adaptive authentication solution relying on IP based access restriction or re-authentication.

How Microsoft Azure was Breached

The Lessons

  1. Phishing: Implement Phishing-Resistant Authentication Methods
    • Organisations must adopt phishing-resistant authentication methods to combat prevalent phishing attacks. Staff training alone may not suffice, necessitating solutions that minimise the risk of credential theft.
  2. Credential Theft: Go Passwordless
    • Enhanced credential security with multi-factor authentication is insufficient. Robust password management practices and adaptive MFA solutions have been and will continue to be breached unless you eliminate credentials altogether. Passwordless solutions are the optimal choice for enterprises, as they have been for quiet some time now. Both enterprises and individuals must recognise and adopt it as a standard practice.
  3. MFA Replacement: Implement Continuous Monitoring and Anomaly Detection
    • When you’re using credentials, it’s crucial to keep an eye on them. Continuous monitoring and anomaly detection play a vital role here. They help spot any unauthorised changes in MFA settings promptly, preventing any further access.
  4. Masking Location Using Proxies: Strengthen Adaptive Authentication Checks
    • Strengthening adaptive authentication checks is vital to detect suspicious activities like masked locations. Geo-location based authentication or behavioural biometrics can enhance authentication accuracy.
  5. Cloud Account Takeover: Implement Zero Trust Security Architecture
    • Implementing a Zero-trust security model is crucial to verify every access request, regardless of source or location. Granular access controls and continuous monitoring can mitigate the impact of cloud account takeovers.

Moving Forward

In the aftermath of this breach, organizations must prioritise fortifying their security posture to prevent similar incidents. While passwordless authentication solutions offer promising alternatives, organizations should also concentrate on strengthening existing security protocols, conducting regular security audits, and enhancing employee awareness to mitigate future threats effectively.

Conclusion

The breach of Microsoft Azure serves as a stark reminder of the imperative for proactive cybersecurity measures in safeguarding sensitive data and mitigating the risk of unauthorised access. 

By embracing passwordless authentication solutions and implementing a holistic security strategy, organizations can enhance their resilience against evolving cyber threats and safeguard their invaluable assets effectively.

Mother of all breaches: Which you could have avoided !!

Introduction

Don’t use passwords they said. It can be breached they said. Well, surprise, surprise, we didn’t pay much attention. Now, here we are, nervously checking our email IDs against the colossal 26 billion-record breach – the mother of all breaches!

Breach Unveiled: A Symphony of Chaos

So, there’s this massive breach, Mother of All Breaches (MOAB), a digital pandemonium that has exposed a whopping 26 billion records. It’s like a digital opera – records from MySpace to Adobe, starring Tencent, Weibo, Twitter, and LinkedIn. Your data just had its grand debut!

The Dramatic Unfolding

Picture this: MOAB is a blockbuster compilation of data breaches, meticulously curated. It’s like a Hollywood blockbuster, but your credentials are the star, and not in a good way. Your once-secure passwords are now part of a hacker’s treasure trove. Slow clap for the password drama.

Passwords – The Ultimate Blunder

If  Ellen DeGeneres hosted this show, she’d say, “You had one job – say no to passwords!” See the aftermath? Identity theft, phishing attacks, and a surge in password-stuffing shenanigans. All thanks to those outdated, reused, and easy-to-crack passwords.

Passwordless Paradise: Where Dreams Come True

Now, imagine an alternate universe where you actually listened – where passwordless authentication is the superhero. No MOAB nightmares, just smooth, secure logins without the hassle of juggling countless passwords. A utopia, right?

Mitigation Party: Reclaim Your Digital Kingdom

Inspect Your Vulnerability: Employ tools such as “Have I Been Pwned” and data leak checker. data leak checker. Use “Privacy Hawk” to trace your data’s path and request removal from unwanted websites. Move swiftly: Purge your digital footprint by eliminating your data from irrelevant websites.

Conclusion: Lessons Learned (Hopefully)

In an ideal world, you’d have embraced passwordless authentication, and we’d all be sipping digital margaritas by now. But, alas, here we are – dealing with the aftermath. Take this as a digital wake-up call: passwords belong to the past, let’s march into a passwordless future.

A Final Plea: Break Free from Passwords

Passwords are so yesterday!! The revolution is calling – will you answer? Join the passwordless parade; your digital sanity will thank you later. Use PureId, Stay Safe.

Microsoft Reveals Russian Hack: Executives’ Emails Compromised

Introduction

In a recent disclosure, Microsoft unveils the details of a sophisticated cyber breach by Russian state-sponsored hackers. The breach, detected on January 12, sheds light on the tactics of the notorious hacking group, Midnight Blizzard, also known as APT29 or Cozy Bear.

Breach Overview: Understanding the Intrusion

In November 2023, Midnight Blizzard initiated a password spray attack. They compromised a legacy non-production test tenant account, gaining access to limited Microsoft email accounts.

Compromised Accounts: Impact on Corporate Email Security

The aftermath reveals that a select group fell victim, including members of Microsoft’s senior leadership team and employees in crucial functions such as cybersecurity and legal. The attackers exfiltrated emails and attached documents, putting sensitive information at risk.

Attribution and Interest: Identifying the Culprits

Microsoft’s threat research team attributed the breach to APT29, emphasising the group’s specific interest in Microsoft’s knowledge of their operations. This marks Midnight Blizzard’s return after their infamous 2020 cyberattack on SolarWinds.


Highlighting the Key Issue: Addressing Problems with Passwords

The breach underscores the vulnerability posed by traditional password systems. The password spray attack exploited weak passwords, showcasing the critical need for organizations to evolve towards passwordless solutions to enforce security.

Risk Mitigation: Addressing Future Threats

Microsoft, quick to respond, is now advocating for the adoption of passwordless solutions as a preventive measure against such breaches. The urgency to reassess and enhance cybersecurity measures has never been more evident.

Immediate Response: Microsoft’s Swift Action

In response to the breach, Microsoft has promptly applied enhanced security standards to its legacy systems and internal business processes. This immediate action aims to sabotage potential follow-up attacks and protect against further unauthorised access.

Ongoing Investigation: Collaborating with Authorities

The investigation is ongoing, with Microsoft actively collaborating with law enforcement and regulators to comprehensively assess the full impact of the breach. This collaboration is crucial for determining additional preventive measures and addressing the evolving landscape of cyber threats.

Conclusion: Looking Ahead

As companies face ever-changing online risks, the Microsoft hack is a clear signal that using weak passwords can be a big problem. Implementing passwordless solutions stands out as a critical step towards a more secure digital future.