Upfort CEO Featured on the Insurtech Leadership Podcast
Upfort CEO Xing Xin was a guest on The Insurtech Leadership podcast, taped at ITC 2024
Welcome to the final 2024 edition of Upfort’s Threat Matrix! This month we cover several actively exploited vulnerabilities affecting businesses of all sizes, AI-generated malvertising decoy pages built to slip past ad review, and a major cyberattack on Krispy Kreme (oh, the humanity!)
Want to help keep your company safe? It takes only two minutes to complete our interactive cybersecurity checklist and see how prepared you are. Or take a free cybersecurity risk assessment, which uses Upfort’s AI to surface exploitable weaknesses in your network.
The Federal Trade Commission (FTC) has ordered Marriott International and its subsidiary Starwood Hotels to overhaul their data security practices after three breaches between 2014 and 2020 exposed sensitive information on hundreds of millions of guests, including unencrypted passport numbers. The FTC’s order requires a comprehensive security program with encryption of sensitive data, multi-factor authentication, real-time monitoring for anomalous activity, limits on how long data is retained, and a mechanism for customers to request deletion of their personal data. Marriott must also obtain regular independent security assessments for the next 20 years.
How to protect your business: Small hospitality businesses can enhance cybersecurity by encrypting customer data, enforcing multi-factor authentication for staff, and regularly auditing systems for vulnerabilities. Limit the collection and retention of sensitive information to what is absolutely necessary.
A critical vulnerability in the Apache Struts 2 framework, CVE-2024-53677 (CVSS 9.5), is under active exploitation, and it is a particular problem for organizations running legacy Java applications. Like last year’s CVE-2023-50164, the flaw sits in the File Upload Interceptor: by manipulating the file-upload parameters, an attacker can traverse out of the intended upload directory, write a file such as a JSP web shell to a location of their choosing, and then request it to achieve remote code execution (RCE). Upgrading to Struts 6.4.0 or later (6.7.0 is the current release) is necessary but not sufficient: the fix deprecates the old interceptor, so applications must migrate to the new Action File Upload Interceptor and rewrite their upload-handling code, which complicates remediation for older systems.
How to protect your business: Legacy frameworks like Struts 2 have to be managed proactively. Start by finding every application that ships Struts (a dependency inventory or software bill of materials makes this much faster), then prioritize migrating off end-of-life versions, review any code that handles file uploads, and keep patch management disciplined. Modern CI/CD pipelines shorten the gap between a fix being available and being deployed.
Krispy Kreme revealed it has been dealing with a cyberattack that disrupted its online ordering systems across parts of the United States. The company detected unauthorized activity in its technology late last month, resulting in operational disruptions that are expected to affect its revenue. While in-person orders and deliveries to grocery stores and McDonald’s locations remain unaffected, restoring the systems and bringing in outside cybersecurity experts have added significant costs.
Federal law enforcement is investigating the breach, but the full scope and impact of the attack remain unclear.
How to protect your business: Small businesses can reduce the impact of an attack by maintaining and rehearsing an incident response plan, regularly testing systems for vulnerabilities, and deploying endpoint protection. Build redundancy into critical operations, such as a manual fallback for taking orders, so that the compromise of one system does not halt the business.
Threat actors are using generative AI to build cloaked landing pages, dubbed “white pages,” that pass Google’s ad review: the ad’s destination serves a harmless, plausible-looking site to reviewers and automated scanners, while real visitors are redirected to phishing sites or malware-laden landing pages. Both consumers and corporate users are being targeted. Recent examples include a Star Wars-themed decoy site and a spoofed page for the Securitas OneID mobile app, complete with AI-generated images.
The growth in malvertising follows Microsoft’s 2022 decision to block macros by default in Office files downloaded from the internet, which pushed attackers toward other initial-access routes such as ad-based phishing. Brands and popular tools such as Amazon, Rufus, and TradingView remain frequent impersonation targets.
How to protect your business: Use threat detection tools that inspect web and ad traffic, block known malicious domains at the DNS level, and train employees to recognize and report phishing. An ad blocker on corporate browsers removes most of this attack surface; otherwise, check the displayed URL before clicking a sponsored result, and prefer typed or bookmarked URLs for software downloads and logins.
The Consumer Financial Protection Bureau (CFPB) has filed a lawsuit against Early Warning Services, the bank-owned operator of Zelle, and three of its largest backers (Bank of America, JPMorgan Chase, and Wells Fargo), alleging they failed to implement adequate safeguards to protect users from fraud. According to the CFPB, Zelle’s design flaws, including limited identity verification, have let scammers exploit the platform, resulting in more than $870 million in consumer losses since its 2017 launch.
Zelle’s streamlined registration process, which uses a simple one-time passcode for account verification, has made it easier for criminals to impersonate financial institutions or federal agencies to trick users into transferring money. The lawsuit also alleges that the banks did not effectively share fraud data or act on thousands of consumer complaints, further exacerbating the problem.
How to protect your business: Small businesses using payment platforms should ensure robust verification measures are in place and educate employees about common scams. Regularly monitor account activity for suspicious transactions and establish secure payment practices to mitigate fraud risks.
Two premium plugins bundled with the WPLMS WordPress theme, WPLMS and VibeBP, were found to contain seven critical vulnerabilities, including arbitrary file upload (which on its own can hand an attacker a web shell), SQL injection, and privilege escalation. The theme is widely used for learning management systems by educational institutions and businesses, and it was patched following coordinated efforts between security researchers and the developers. Users must update to WPLMS version 1.9.9.5.3 and VibeBP version 1.9.9.7.7 or later to protect against exploitation.
How to protect your business: Small businesses should promptly update all WordPress plugins and themes, lock down file uploads (restrict allowed file types and disable PHP execution in the uploads directory), and keep user roles to the minimum needed. Regularly scan your website for security flaws and apply updates as soon as they are available.
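Both the Struts flaw above and the WPLMS arbitrary file upload come down to the same mistake: the server writes an upload to a path derived from an attacker-controlled name. The following is an added example in Python (not Struts, WPLMS or any vendor’s code) contrasting the vulnerable pattern with a hardened destination check; the upload directory, the file names and the extension allowlist are constructed for illustration.

```python
"""Hardening an upload destination against path traversal (added example)."""
import os
from pathlib import Path

# Constructed allowlist; a real application lists only the types it must accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf"}


def vulnerable_destination(upload_dir: str, client_name: str) -> str:
    """The pre-fix pattern: the client-controlled name is joined to the
    upload directory as-is, so '../' segments walk out of it."""
    return os.path.normpath(os.path.join(upload_dir, client_name))


def is_tampered_name(client_name: str) -> bool:
    """Browsers send a bare file name. Separators, '..' or a NUL byte mean
    the parameter was manipulated, as in the Struts exploit."""
    return (
        not client_name
        or "/" in client_name
        or "\\" in client_name
        or "\x00" in client_name
        or client_name in {".", ".."}
    )


def safe_destination(upload_dir: str, client_name: str) -> str:
    """Hardened version: refuse tampered names, allowlist the extension, and
    prove the fully resolved path still sits directly under upload_dir."""
    base = Path(upload_dir).resolve()
    if is_tampered_name(client_name):
        raise ValueError(f"rejected file name: {client_name!r}")
    if Path(client_name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {client_name!r}")
    dest = (base / client_name).resolve()
    # Defense in depth: even if the checks above are loosened later, a file
    # that resolves outside the upload directory is never written.
    if dest.parent != base:
        raise ValueError("resolved path escapes the upload directory")
    return str(dest)


def rejects(upload_dir: str, client_name: str) -> bool:
    """True when the hardened check refuses the name."""
    try:
        safe_destination(upload_dir, client_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed names: one legitimate, the rest shaped like traversal payloads.
    for name in ["photo.png", "../../var/www/shell.jsp", "..\\..\\x.png", "shell.jsp"]:
        print(f"{name!r:32} vulnerable -> {vulnerable_destination('/srv/uploads', name)}"
              f" | hardened rejects: {rejects('/srv/uploads', name)}")
```

Note that the hardened check rejects a traversal name outright rather than silently trimming it to its last component: a tampered name is evidence of an attack and should be logged, not quietly corrected.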
North Korean state-sponsored hackers have stolen $1.3 billion in cryptocurrency across 47 cyberattacks in 2024, representing 61% of the year’s global crypto theft. These attacks targeted cryptocurrency holders, platforms, and investors, with private key compromises accounting for 44% of losses. The stolen funds are believed to fund North Korea’s weapons programs, and incidents like the $305 million DMM Bitcoin hack highlight the severe vulnerabilities in the crypto ecosystem.
How to protect your business: Businesses handling cryptocurrency should treat private keys as their most sensitive asset: keep long-term holdings in cold storage or hardware wallets, require multi-signature approval for large transfers, protect exchange and custody accounts with multi-factor authentication, and audit key handling routinely. Limit exposure by using DeFi platforms with a strong security track record.
Rhode Island’s RIBridges system, used for applying to state benefit programs like Medicaid and SNAP, was taken offline following a cyberattack that potentially exposed the personal information of hundreds of thousands of residents. Data such as names, addresses, and Social Security numbers of individuals using the system since 2019 may have been compromised.
State officials confirmed the attack was not ransomware but an extortion attempt by a cybercriminal group. The breach also impacted HealthSource RI, the state’s healthcare marketplace, complicating operations during the critical open enrollment period. The state is providing paper applications for benefits and plans to offer free credit monitoring for affected individuals.
How to protect your business: Government agencies and businesses handling sensitive data must strengthen defenses against extortion-based cyberattacks. Use encryption, implement robust data access controls, and maintain comprehensive backup systems to ensure continuity during breaches.
A new phishing-as-a-service (PhaaS) platform named FlowerStorm has emerged, quickly filling the gap left by the shutdown of Rockstar2FA, a similar service targeting Microsoft 365 credentials. FlowerStorm enables adversary-in-the-middle (AiTM) phishing attacks, mimicking Microsoft login pages to steal credentials and multi-factor authentication tokens. With a robust backend and advanced evasion mechanisms, FlowerStorm is rapidly gaining popularity, particularly among cybercriminals targeting U.S.-based organizations in sectors like services, manufacturing, and retail.
How to protect your business: Implement phishing-resistant multi-factor authentication (e.g., FIDO2 security keys or passkeys), since an AiTM proxy relays one-time codes and push approvals just as easily as passwords; deploy email and DNS filtering to block suspicious domains; and train employees to recognize and report phishing attempts. Because these kits capture the session cookie after MFA completes, also use conditional access policies that tie sessions to managed devices or expected locations where your identity provider supports them.
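Why does a FIDO2 credential survive the proxy when an OTP does not? The browser, not the page, fixes the relying-party ID and the origin that go into the signed assertion, so a victim on a lookalike domain cannot produce anything the real site will accept. The following is an added example in Python (not code from Sophos, Microsoft or any FIDO2 library) that models that exchange; the domain names are hypothetical, and the signature is a keyed hash standing in for the real asymmetric signature of a security key.

```python
"""Why an AiTM proxy can relay an OTP but not a FIDO2 assertion (added example)."""
import hashlib
import hmac
import json
import secrets

# Hypothetical relying party and the lookalike domain a phishing kit proxies through.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil.test"


class Authenticator:
    """A security key. Credentials are scoped to an RP ID. The HMAC below is a
    simplification standing in for the real ECDSA signature (same idea: only
    the holder of the credential secret can produce it)."""

    def __init__(self):
        self._creds = {}  # rp_id -> credential secret

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._creds[rp_id] = key
        return key  # the RP stores this for verification (in reality: the public key)

    def get_assertion(self, rp_id: str, client_data: bytes):
        key = self._creds.get(rp_id)
        if key is None:
            # The browser asked for a credential scoped to the phishing host: none exists.
            raise LookupError(f"no credential for rp_id {rp_id!r}")
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        auth_data = rp_id_hash + b"\x01" + (1).to_bytes(4, "big")  # flags (UP) + counter
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def browser_get(authn: Authenticator, page_origin: str, challenge: str):
    """The browser derives rp_id and origin from the URL it is actually on; the
    page cannot ask for an rp_id that is not a suffix of its own host."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    auth_data, sig = authn.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(key: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """The relying party's checks: type, fresh challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # origin binding: a phished assertion fails here
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legitimate_login() -> bool:
    authn = Authenticator()
    key = authn.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    return rp_verify(key, challenge, *browser_get(authn, RP_ORIGIN, challenge))


def aitm_login_fido2() -> str:
    """The proxy fetches the RP's real challenge and feeds it to a victim on PHISH_ORIGIN."""
    authn = Authenticator()
    authn.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    try:
        browser_get(authn, PHISH_ORIGIN, challenge)
    except LookupError:
        return "no assertion: credential is scoped to RP_ID, not the phishing host"
    return "assertion produced (should not happen)"


def replayed_assertion() -> bool:
    """An assertion captured earlier is bound to its challenge; replaying it fails."""
    authn = Authenticator()
    key = authn.register(RP_ID)
    captured = browser_get(authn, RP_ORIGIN, "challenge-A")
    return rp_verify(key, "challenge-B", *captured)


def aitm_login_otp(code_typed_on_phishing_page: str = "492017") -> bool:
    """Same proxy, but the second factor is a 6-digit code: it carries no notion
    of origin, so forwarding it to the real RP simply works. Constructed value."""
    expected_code = "492017"
    forwarded_by_proxy = code_typed_on_phishing_page
    return hmac.compare_digest(forwarded_by_proxy, expected_code)


if __name__ == "__main__":
    print("legitimate FIDO2 login:", legitimate_login())
    print("FIDO2 through AiTM proxy:", aitm_login_fido2())
    print("replayed FIDO2 assertion:", replayed_assertion())
    print("OTP through AiTM proxy:", aitm_login_otp())
```

The two checks that matter are in rp_verify: the origin in clientData must be the real site, and the challenge must be the one the RP just issued. Neither can be satisfied by a proxy sitting between the victim and the RP, which is what "phishing-resistant" means in practice.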