Breach Roundup: Cyberattack Disrupts Japan Airlines


Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, cyberattack disrupts Japan Airlines, U.S. court rules NSO Group violated hacking laws, the European Space Agency’s web store hacked, FTC orders Marriott to overhaul data security, Sophos patches critical firewall flaws and Apache fixes critical SQL injection in Traffic Control.


Cyberattack Disrupts Japan Airlines, Delays Domestic Flights

Japan Airlines experienced a cyberattack on Thursday, delaying 24 domestic flights by over 30 minutes. The attack – a possible distributed denial of service incident – began in the morning and overwhelmed the airline’s network, temporarily disrupting ticket sales and internal systems. JAL said that flight safety was not compromised and that no customer data was leaked. Systems were restored within hours, and normal operations resumed.

Chief Cabinet Secretary Yoshimasa Hayashi said the transport ministry urged JAL to expedite system recovery and assist affected passengers. The attack coincided with Japan’s year-end holiday travel season, leaving many travelers stranded at Tokyo’s Haneda Airport.

U.S. Court Rules NSO Group Violated Hacking Laws with Pegasus Spyware

A U.S. federal judge ruled that Israeli spyware maker NSO Group violated American hacking laws by exploiting WhatsApp zero-day vulnerabilities to deploy Pegasus spyware on over 1,400 devices. The court found NSO breached the Computer Fraud and Abuse Act and California’s Computer Data Access and Fraud Act.

WhatsApp, owned by Meta, sued the commercial spyware company in 2019, alleging NSO reverse-engineered its code to deliver spyware through zero-click attacks, including a previously unknown exploit called “Erised.” NSO continued deploying Pegasus until Meta patched the flaw in May 2020.

“This ruling is a major win for privacy,” said WhatsApp’s Will Cathcart.

European Space Agency Web Store Hacked

Hackers penetrated the European Space Agency’s merchandise web store, compromising customer payment data. The attack involved malicious JavaScript that generated a fake Stripe payment page during checkout. The counterfeit page was highly convincing as it appeared to be served from the ESA store itself.

E-commerce security firm Sansec detected the breach and flagged the malicious script, warning of potential risks to ESA employees due to the store’s integration with ESA systems. The exfiltration domain mimicked the legitimate store’s name esaspaceshop but used the .pics top-level domain instead of .com.

Source Defense Research confirmed Sansec’s findings and captured evidence of the fake Stripe page in action. Although the fake payment page has since been removed, the malicious script remains visible in the site’s source code.

The ESA store is currently offline, displaying a message that it is “temporarily out of orbit.”
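
The lookalike exfiltration domain described above suggests a simple check for store operators. The following is an added example, not code from Sansec, ESA or the original article: it scans page markup for external resources whose host reuses the store's name under a different top-level domain. The allowlist, the sample markup and its URL paths are constructed assumptions.

```javascript
// Added example: flag external resources whose host imitates the store's own name.
// Assumption: registrable domains are "label.tld" (no public-suffix handling).
const STORE_HOST = "www.esaspaceshop.com";
const ALLOWED = new Set(["esaspaceshop.com", "stripe.com"]); // assumed allowlist

// Last two labels of a hostname, e.g. "js.stripe.com" -> "stripe.com".
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Collect absolute URLs from src/href/action attributes in the markup.
function externalUrls(html) {
  const re = /\b(?:src|href|action)\s*=\s*["'](https?:\/\/[^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Return one finding per URL whose base domain is not on the allowlist.
// "lookalike" = same name as the store under another TLD; "unlisted" = anything else.
function auditPage(html, storeHost = STORE_HOST, allowed = ALLOWED) {
  const storeLabel = baseDomain(storeHost).split(".")[0];
  const findings = [];
  for (const url of externalUrls(html)) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // skip malformed URLs
    const base = baseDomain(host);
    if (allowed.has(base)) continue;
    const verdict = base.split(".")[0] === storeLabel ? "lookalike" : "unlisted";
    findings.push({ url, base, verdict });
  }
  return findings;
}

// Constructed sample markup (paths are invented for illustration).
const SAMPLE_HTML = `
<script src="https://www.esaspaceshop.com/assets/app.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://esaspaceshop.pics/assets/checkout.js"></script>
<img src="https://cdn.example.net/logo.png">
`;

console.log(auditPage(SAMPLE_HTML));
```

A check like this only sees resources referenced in static markup; scripts injected at runtime need a Content Security Policy or browser-side monitoring to catch.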

FTC Orders Marriott to Overhaul Data Security

The Federal Trade Commission finalized a consent order requiring Marriott International and its subsidiary, Starwood Hotels, to implement improved data security measures after repeated breaches exposed sensitive information of 344 million customers (see: Marriott Pays $52M to Settle US States’ Breach Litigation).

The directive follows Marriott’s acquisition of Starwood in 2016 and a series of security failures, including a breach of 339 million guest records from Starwood’s compromised database, including 5.2 million unencrypted passport numbers.

Under the FTC order, Marriott must establish a comprehensive security program with encryption, limit retention of personal data and offer U.S. consumers a way to request data deletion. The order also directs the implementation of 24-hour monitoring of IT assets for anomalies and conducting independent security audits every two years for 20 years.

This comes after Marriott settled with 50 U.S. attorneys general – 49 states plus the District of Columbia – in an October payout totaling $52 million.

Apache Fixes Critical SQL Injection in Traffic Control

The Apache Software Foundation released an update to address a critical SQL injection vulnerability, CVE-2024-45387, in Traffic Control versions 8.0.0 to 8.0.1. The flaw has a CVSS score of nine. Traffic Control enables the creation of scalable content delivery networks.

The flaw allows privileged users with roles such as “admin,” “federation,” or “steering” to execute arbitrary SQL commands through crafted PUT requests in Traffic Ops. ASF urges users to upgrade to Traffic Control 8.0.2 to mitigate the issue. Versions prior to 8.0.0 are unaffected.

This follows an earlier patch by ASF for CVE-2020-17530, a remote code execution flaw in Struts 2 caused by forced OGNL evaluation on raw user input.

Sophos Patches Critical Firewall Flaws Enabling RCE and Unauthorized Access

Sophos addressed three critical vulnerabilities in its firewall that could allow attackers to execute arbitrary code, perform SQL injection and gain unauthorized SSH access. These flaws affect versions up to 21.0 GA, with fixes provided through automatic hotfixes and firmware updates.

The vulnerabilities include an SQL injection flaw tied to specific configurations of email protection with High Availability mode, a predictable SSH passphrase remaining active after HA initialization, and a code injection issue in the User Portal that could escalate privileges. While Sophos estimates a small percentage of devices are affected, these flaws pose significant risks if left unpatched.

Sophos has been releasing hotfixes since late November, automatically applying them to affected devices. Permanent fixes are available in version 21 MR1 and later. The company recommends mitigating risks by limiting SSH access to a dedicated HA link, disabling SSH over WAN and restricting access to the User Portal and Webadmin interfaces.

Admins can verify updates and apply hotfixes manually if necessary, following guidance in Sophos’ knowledge base. These updates aim to safeguard users from potential exploits, ensuring critical infrastructure remains secure against escalating cyberthreats.

Other Stories From Last Week

  • Shadow AI and Deepfake Attacks to Dominate in 2025
  • Online Extortion Gang Clop Threatens Cleo Hacking Victims
  • North Korean Hackers Tied to $1.3B in Stolen Crypto in 2024
  • Unpacking OpenAI’s Latest Approach to Make AI Safer
  • US Considers TP-Link Ban After Volt Typhoon Hacking Campaign
