This Week’s Top 5 Cybersecurity News Stories November 2024 | 01

Cybersecurity threats are evolving constantly as threat actors look to gain access to your data and money. To help you stay secure, we have searched the internet for the top five cybersecurity news stories of the week that we think you should be aware of. No story is too big or small, as we look at threats from espionage to security flaws in everyday devices:

 

1. New Phishing Kit Xiū gǒu Targets Users Across Five Countries With 2,000 Fake Sites

A sophisticated phishing kit, Xiū gǒu, has emerged, targeting users in Australia, Japan, Spain, the U.K., and the U.S. Developed by a Chinese-speaking threat actor, it uses Cloudflare and Telegram for concealment and credential theft.

Leveraging Rich Communication Services (RCS) messages, attackers lure victims with urgent notifications, while Google pilots new protections to curb phishing.

More details: The Hacker News.

 

2. LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites

A severe vulnerability (CVE-2024-50550) in the LiteSpeed Cache plugin for WordPress enables attackers to elevate privileges, risking admin access for over six million sites.

Exploiting weak security hash checks, attackers can bypass settings to simulate admin roles. Addressed in version 6.5.2, this flaw highlights the need for stronger security practices, as similar vulnerabilities continue to surface across WordPress plugins.

More details: The Hacker News.

 

3. New Windows Theme Zero-Day Vulnerability Lets Attackers Steal Credentials

A new Windows theme vulnerability allows attackers to steal NTLM credentials by exploiting network requests embedded in theme files. Microsoft’s patch for CVE-2024-21320 addressed similar risks, but bypasses remain due to legacy methods.

Security firms, including 0patch, offer micropatches to protect all current and legacy Windows versions, including Windows 11. Microsoft has yet to release an official fix for this vulnerability.

More details: Cyber Security News.

 

4. Critical Chrome Security Update: Patch for Out-of-Bounds & WebRTC Vulnerability

Google’s latest Chrome update addresses two serious vulnerabilities: an “out-of-bounds write” in Dawn (CVE-2024-10487) and a “use after free” in WebRTC (CVE-2024-10488), which could lead to remote code execution and memory exploitation.

Users should update Chrome immediately via the “About Google Chrome” section to protect against these threats. The fixes underscore the importance of timely software updates in cybersecurity.

More details: The Hacker News.

 

5. UK finance firms told to beef up buffers against CrowdStrike-like events

The Financial Conduct Authority (FCA) has urged UK financial firms to strengthen their resilience against severe disruptions, like a global tech outage, by March 2025. Following CrowdStrike’s July outage, which caused global business disruptions, the FCA recommends firms enhance testing, third-party risk controls, and clear contract terms for incident management. This proactive approach aims to reduce potential consumer impact in future crises.

More details: Reuters.

At DIESEC, our experts are ready to assist with all your cybersecurity needs. We ensure your system is safe and secure and provide training for your employees to avoid falling victim to social engineering tactics.
