2025-01-06

Every tap, click, and swipe we make online shapes our digital lives, but it also opens doors—some we never meant to unlock. Extensions we trust, assistants we rely on, and even the codes we scan are turning into tools for attackers. The line between convenience and vulnerability has never been thinner.

This week, we dive into the hidden risks, surprising loopholes, and the clever tricks cybercriminals are using to outsmart the systems we depend on.

Stay with us as we unpack what's happening behind the screen and how you can stay one step ahead.

⚡ Threat of the Week

Dozens of Google Chrome Extensions Caught Stealing Sensitive Data — The challenges of securing the software supply chain reared their head once again after about three dozen extensions were found surreptitiously siphoning sensitive data from roughly 2.6 million devices for several months as part of two related campaigns. The compromises came to light after data loss prevention service Cyberhaven revealed that its browser extension had been updated to include malicious code that stole Facebook and OpenAI ChatGPT credentials along with other data. The attack was made possible through a spear-phishing email sent to one of the company's employees, urging them to take immediate action for failing to comply with Google Chrome Web Store policies. A link in the email led to a Google consent screen requesting access permission for an OAuth application named Privacy Policy Extension. Once granted access, the rogue application gave the attacker the ability to push a malicious version of Cyberhaven's Chrome extension to the Chrome Web Store. Since then, it has emerged that several other extensions have been targeted in a similar manner. One of these extensions, named Reader Mode, is also said to have been targeted along with a few others as part of a related data-gathering activity that started no later than April 2023. The malicious code, which appears to be part of a monetization library, is designed to log every website visited in the browser. The development is another sign that browser add-ons are a weak link in the security chain.
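The Cyberhaven case above is a trusted extension being silently replaced by a malicious version that asks for broader access. One defensive check an endpoint team can run is to inventory the extensions in a Chrome profile directory and diff them against a known-good baseline, flagging new versions and especially versions that gained wide-reaching permissions. The following is an added example written for this recap, not code from Cyberhaven or any project named here; the extension ids, versions and manifests are constructed in a temporary directory, and the `RISKY` set is this example's own choice of permissions worth a second look.

```python
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read or alter traffic on every site. An update
# that newly adds one of these to a previously narrow extension deserves review.
RISKY = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies", "scripting"}

def inventory(ext_root):
    """Map extension id -> {version: permission set} from a Chrome profile's
    Extensions directory (layout: <id>/<version>/manifest.json)."""
    inv = {}
    for ext_dir in Path(ext_root).iterdir():
        if not ext_dir.is_dir():
            continue
        for mf in ext_dir.glob("*/manifest.json"):
            m = json.loads(mf.read_text())
            perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
            inv.setdefault(ext_dir.name, {})[m.get("version", mf.parent.name)] = perms
    return inv

def diff_baseline(baseline, current):
    """Flag extensions absent from the baseline and versions the baseline never saw,
    escalating when the new version gained a RISKY permission."""
    findings = []
    for ext, versions in current.items():
        if ext not in baseline:
            findings.append((ext, "new-extension", sorted(versions)))
            continue
        seen = set().union(*baseline[ext].values())
        for ver, perms in versions.items():
            if ver in baseline[ext]:
                continue
            added = sorted(perms - seen)
            kind = "risky-permission-added" if set(added) & RISKY else "new-version"
            findings.append((ext, kind, added))
    return findings

def _write(root, ext_id, version, perms, hosts):
    d = Path(root) / ext_id / version
    d.mkdir(parents=True)
    (d / "manifest.json").write_text(json.dumps(
        {"manifest_version": 3, "version": version, "permissions": perms, "host_permissions": hosts}))

def demo():
    """Constructed scenario: a baseline taken yesterday, and today's profile where a
    trusted extension silently updated and now wants cookies on every site."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as now:
        _write(base, "aaaa", "1.0.0", ["storage"], [])                        # trusted extension
        _write(now, "aaaa", "1.0.0", ["storage"], [])
        _write(now, "aaaa", "1.0.1", ["storage", "cookies"], ["<all_urls>"])  # the pushed update
        _write(now, "bbbb", "2.3.0", ["tabs"], [])                            # not in baseline
        return diff_baseline(inventory(base), inventory(now))
```

On a real endpoint, point `inventory()` at the profile's Extensions folder and store its output as the baseline after each deliberate review.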

🔔 Top News

Apple Settles Siri Privacy Lawsuit — Apple has agreed to pay $95 million to settle a long-running class action lawsuit in the U.S. over claims that its voice assistant Siri routinely recorded private conversations. A payment of up to $20 per Siri-enabled device is expected for those submitting valid claims, with each affected U.S.-based customer limited to a maximum of five devices. The proposed settlement, currently pending approval by a federal judge, involved cases where Siri would be inadvertently activated and capture sensitive data without the users' knowledge. The lawsuit was filed in August 2019 following a report from The Guardian that the recordings were apparently prompted without users ever saying the wake words, "Hey, Siri." The report also alleged third-party contractors "regularly hear confidential medical information, drug deals, and recordings of couples having sex" while working on Siri quality control. It's currently unknown how many customers were affected. Apple isn't acknowledging any wrongdoing in the settlement.

— A proof-of-concept (PoC) exploit has been released for a now-patched security flaw impacting Windows Lightweight Directory Access Protocol (LDAP) that could trigger a denial-of-service (DoS) condition. The vulnerability, tracked as CVE-2024-49113 (CVSS score: 7.5), was patched by Microsoft last month, along with CVE-2024-49112 (CVSS score: 9.8), a remote code execution flaw in the same component. Organizations are recommended to apply the patches as soon as possible to avoid potential exploitation risks.

U.S. Treasury Sanctions Beijing Cybersecurity Firm — The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned a Beijing-based cybersecurity company known as Integrity Technology Group, Incorporated for orchestrating several cyber attacks against U.S. victims. The attacks have been publicly attributed to a Chinese state-sponsored threat actor tracked as Flax Typhoon (aka Ethereal Panda or RedJuliett), which has controlled an Internet of Things (IoT) botnet called Raptor Train. A government contractor with ties to China's Ministry of State Security, Integrity Group has been accused of providing infrastructure support to Flax Typhoon cyber campaigns between mid-2022 and late 2023.

🔥 Trending CVEs

Your favorite software might be hiding serious security cracks—don't wait for trouble to find you. Update now and stay one step ahead of the threats!

This week's list includes — CVE-2024-43405 (ProjectDiscovery Nuclei), CVE-2024-54152 (Angular Expressions), CVE-2024-12912, CVE-2024-13062 (ASUS router AiCloud), CVE-2024-12828 (Webmin CGI), CVE-2024-56040, CVE-2024-56041 (VibeThemes VibeBP), CVE-2024-56042, CVE-2024-56043, CVE-2024-56044, CVE-2024-56045, CVE-2024-56046 (VibeThemes WPLMS), CVE-2024-56249 (Webdeclic WPMasterToolKit), CVE-2024-56198 (path-sanitizer npm package), CVE-2024-55078 (WukongCRM), and CVE-2024-12583 (Dynamics 365 Integration plugin).

📰 Around the Cyber World

Two Indian Nationals Charged in the U.S. — The U.S. Department of Justice has announced charges against two Indian nationals, Ahmed Maqbul Syed, 57, and Rupesh Chandra Chintakindi, 27, for orchestrating a tech support fraud scheme targeting elderly victims in the U.S. Both have been charged with conspiracy to commit money laundering. Syed has also been charged with conspiracy to commit wire fraud. Each of these charges carries a maximum penalty of 20 years in prison and a $250,000 fine. In the operation, victims were lured through bogus pop-up notifications on their computers, warning that their machines had been hacked and instructing them to contact tech support or government representatives to resolve the problem. The defendants then asked the victims to withdraw funds from their accounts, or purchase gold under the pretext of securing their assets. They also urged them to purchase gift cards from various private businesses and transfer the gift card numbers to people who they said would help them. In at least one case, a victim was asked to make cash deposits into a Bitcoin ATM.

🎥 Expert Webinar

🔧 Cybersecurity Tools

Adalanche is a powerful open-source tool designed to simplify Active Directory security. It provides instant visual insights into permissions, helping you uncover who can access or control accounts, machines, or even the entire domain. With its all-in-one binary, Adalanche collects and analyzes data effortlessly, highlighting vulnerabilities and misconfigurations.

Hawk-eye helps you find hidden secrets and sensitive data (PII) across your entire system in no time. From cloud storage to databases and files, it scans everything with precision, using smart tools to keep your data safe. Quick to set up and easy to use, Hawk-eye makes protecting your digital world simple and effective.

🔒 Tip of the Week

Upgrade Your Network Security — Take your network security to the next level with powerful, free tools designed to keep threats at bay. Use pfSense for enterprise-grade firewall protection and pair it with Suricata or Snort for real-time threat detection. Detect rogue devices with WiFiGuard and suspicious Wi-Fi activity with Kismet. Secure your communication with ZeroTier for private networking and encrypt DNS queries using DNSCrypt-Proxy or NextDNS to block malicious domains.

Plant decoys using Canarytokens to catch intruders, monitor activity with Wireshark, and safeguard SSH with Fail2Ban against brute-force attacks. Strengthen Wi-Fi with WPA3 and 802.11w Management Frame Protection, and track your network's health in real-time using Netdata. These free tools give you enterprise-level defense at no cost—your network's secret weapon.

Conclusion

That's a wrap for this week! If there's one thing we've learned, it's that staying safe online isn't just about tech—it's about the choices we make every day. Whether it's ignoring a shady email, keeping your apps updated, or thinking twice before clicking "yes," small steps can make a big difference.

The digital world moves fast, but with a little care and attention, we can stay ahead. Keep asking questions, stay alert, and remember—we're all in this together. See you next week with more updates to keep you informed and ready.