Cybersecurity News Review - Week 48
I had to cut a lot from this week’s packed list of cybersecurity developments, but this newsletter will hopefully help you efficiently digest all the key updates.
Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network
Russian APT group Fancy Bear executed a sophisticated "Nearest Neighbor" cyber-espionage attack, compromising Wi-Fi networks near a target US organization to gain remote access. This novel method involved daisy-chaining breaches of multiple nearby organizations to ultimately infiltrate the intended target. The attack, discovered by Volexity just before Russia's invasion of Ukraine, used credential stuffing and exploited Wi-Fi networks lacking multi-factor authentication. Fancy Bear employed a living-off-the-land approach, utilizing standard Microsoft protocols and tools like Cipher.exe. This incident highlights new risks associated with Wi-Fi networks and emphasizes the need for enhanced security measures, including separate networking environments and stronger authentication requirements for Wi-Fi access.
Found in the wild: The world’s first unkillable UEFI bootkit for Linux
A new Linux bootkit called Bootkitty has been discovered, marking the first time this type of chip-dwelling malware has been found targeting Linux systems. While still rudimentary and likely a proof-of-concept, Bootkitty demonstrates that threat actors may be developing Linux versions of the unkillable bootkits previously only seen on Windows. These bootkits infect firmware that runs before the operating system, allowing them to persist even if the hard drive is replaced. Although no infections have been detected in the wild yet, researchers warn this development highlights the need to prepare for potential future Linux bootkit threats.
New VPN Attack Demonstrated Against Palo Alto Networks, SonicWall Products
Researchers at AmberWolf have revealed a new attack method targeting corporate VPN clients, demonstrating vulnerabilities in popular products from Palo Alto Networks, SonicWall, Cisco, and Ivanti. They released an open-source tool called NachoVPN to simulate a rogue VPN server that exploits these vulnerabilities. The attack leverages the trust between VPN clients and servers, potentially allowing attackers to install malicious certificates, execute remote code, and escalate privileges. Palo Alto Networks and SonicWall have addressed the vulnerabilities in their respective products, CVE-2024-5921 and CVE-2024-29014, by releasing patches and advisories. While exploitation requires user interaction or specific network conditions, the public availability of the NachoVPN tool raises concerns about potential malicious use.
npm Package Lottie-Player Compromised in Supply Chain Attack
The widely used npm package @lottiefiles/lottie-player was targeted in a supply chain attack, with malicious versions 2.0.5, 2.0.6, and 2.0.7 released through an unauthorized access token. These versions introduced pop-ups prompting users to connect web3 wallets, allowing attackers to drain crypto assets. LottieFiles quickly responded by removing the malicious versions and publishing a clean version. ReversingLabs' analysis revealed significant changes in the malicious versions, including increased file size and introduction of Bitcoin exchange URLs. The incident highlights the importance of pinning dependencies to specific versions and conducting regular security assessments of dependencies and build pipelines to mitigate risks in software supply chains.
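The story's closing advice, pinning dependencies and auditing the build pipeline, is easy to turn into a routine check. The following script is an added example (not from the original article and not LottieFiles' or ReversingLabs' code): it reads a package.json and a package-lock.json, flags any locked copy of @lottiefiles/lottie-player at the versions the story names as malicious, and lists manifest entries that use floating ranges instead of exact pins. The manifest and lockfile contents below are constructed for the demonstration.

```python
import json
import re

# Versions the story names as malicious; the dict shape lets you add other advisories later.
KNOWN_BAD = {"@lottiefiles/lottie-player": {"2.0.5", "2.0.6", "2.0.7"}}


def iter_lock_packages(lock):
    """Yield (name, version) for every resolved package in a package-lock.json.

    lockfileVersion 2 and 3 list packages under "packages", keyed by their
    node_modules path; lockfileVersion 1 nests them under "dependencies".
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # nested installs look like node_modules/a/node_modules/@scope/b
            name = path.split("node_modules/")[-1]
            if "version" in meta:
                yield name, meta["version"]
        return

    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_known_bad(lock):
    """Return sorted (name, version) pairs that match a known-malicious release."""
    return sorted({(n, v) for n, v in iter_lock_packages(lock) if v in KNOWN_BAD.get(n, ())})


def is_exact_version(spec):
    """True for an exact pin such as 2.0.4 or 2.0.4-beta.1; ranges and dist-tags float."""
    return re.fullmatch(r"\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?", spec) is not None


def unpinned_dependencies(manifest):
    """Return (name, spec) for manifest entries that are not pinned to an exact version."""
    out = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not is_exact_version(spec):
                out.append((name, spec))
    return sorted(out)


def scan_files(manifest_path, lock_path):
    """Run both checks against real files on disk."""
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    with open(lock_path, encoding="utf-8") as f:
        lock = json.load(f)
    return {"known_bad": find_known_bad(lock), "unpinned": unpinned_dependencies(manifest)}


# Constructed sample data: a manifest with a caret range that let npm resolve to 2.0.7.
SAMPLE_MANIFEST = {
    "dependencies": {"@lottiefiles/lottie-player": "^2.0.4", "left-pad": "1.3.0"}
}
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-app", "version": "0.1.0"},
        "node_modules/@lottiefiles/lottie-player": {"version": "2.0.7"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-widget": {
            "version": "1.0.0",
            "dependencies": {"@lottiefiles/lottie-player": {"version": "2.0.6"}},
        }
    },
}

if __name__ == "__main__":
    print("known bad:", find_known_bad(SAMPLE_LOCK_V3))
    print("unpinned :", unpinned_dependencies(SAMPLE_MANIFEST))
```

The lockfile check catches a bad release that has already been resolved, whereas the manifest check catches the condition that allowed it: a `^` range lets `npm install` on a fresh machine pick up whatever the newest matching version is, which is exactly how a poisoned patch release reaches builds that nobody changed.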
Starbucks, UK grocers impacted by ransomware attack on Blue Yonder
A ransomware attack on Blue Yonder, a supply chain management software provider, has disrupted operations for numerous companies in the US and UK, including Starbucks and major UK supermarket chains. Starbucks reported issues with payroll processing and employee scheduling, while UK retailers experienced disruptions in warehouse management systems. Blue Yonder, a division of Panasonic, is working with cybersecurity experts to address the breach but has not provided a timeline for service restoration. The attack highlights the growing risks posed by cybercriminals targeting important supply chain infrastructure.
T-Mobile Shares More Information on China-Linked Cyberattack
T-Mobile has provided additional information about a recent cyberattack attributed to the Chinese threat group Salt Typhoon. The company maintains that the attack was successfully blocked and no sensitive customer data was accessed. T-Mobile detected infiltration attempts in recent weeks but claims its defenses protected customer information and prevented service disruptions. The attack originated from a connected wireline provider's network, which T-Mobile promptly disconnected. While T-Mobile's Chief Security Officer, Jeff Simon, stated they cannot definitively identify the attacker, he acknowledged similarities to Salt Typhoon's methods. This incident is part of a broader Chinese espionage campaign targeting US telecom infrastructure, which has affected several major providers and is being investigated by CISA and the FBI.
Salt Typhoon hackers backdoor telcos with new GhostSpider malware
The Chinese state-sponsored hacking group Salt Typhoon has been using a new "GhostSpider" backdoor to attack telecommunication service providers and other critical infrastructure worldwide. Trend Micro discovered this backdoor along with other tools used by the group, including 'Masol RAT,' 'Demodex,' and 'SnappyBee.' Salt Typhoon has successfully breached several US telecom companies and accessed private communications of government officials. The group targets various sectors across multiple regions, using exploits for known vulnerabilities to gain initial access. GhostSpider is a sophisticated, modular backdoor designed for stealthy, long-term espionage operations. Trend Micro warns that Salt Typhoon is one of the most aggressive Chinese APT groups and urges organizations to implement strong cybersecurity measures.
Matrix Botnet Exploits IoT Devices in Widespread DDoS Botnet Campaign
A threat actor called Matrix is conducting a widespread DDoS campaign by exploiting vulnerabilities in IoT devices to create a botnet. The operation, believed to be the work of a Russian script kiddie, targets various countries and uses publicly available tools to compromise devices and servers. The attacker leverages weak credentials, misconfigured services, and known security flaws to gain access to a range of internet-connected devices and cloud services. The campaign deploys malware like Mirai and other DDoS tools, and is likely offered as a DDoS-for-hire service through a Telegram bot. While not highly sophisticated, this operation highlights the importance of basic security practices in protecting against opportunistic attacks on networked devices.
CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks
CyberVolk, a pro-Russia hacktivist collective originating in India, emerged in June 2024 as a significant cybercrime actor specializing in ransomware and DDoS attacks. The group, previously known as GLORIAMIST, has leveraged various ransomware families including their own CyberVolk-branded ransomware (based on AzzaSec's code), Doubleface, HexaLocker, and Parano. They primarily target entities opposing Russian interests, with recent campaigns focusing on Japanese institutions. The group's operations demonstrate the dynamic nature of modern hacktivist collectives, characterized by rapid tool adaptation, complex affiliations, and frequent internal conflicts. Following a mass Telegram ban in November 2024, CyberVolk moved their operations to Twitter/X.
Skimmer Malware Targets Magento Sites Ahead of Black Friday
A new card-skimming malware targeting Magento e-commerce websites has been discovered by Sucuri researchers. The malware uses a malicious JavaScript injection to steal payment details from checkout pages, either by creating fake credit card forms or extracting data directly from payment fields. It employs sophisticated obfuscation and encryption techniques to avoid detection, activating only on specific checkout pages and collecting additional user data through Magento's APIs. The stolen information is then encrypted and sent to a remote server using a beaconing technique. To protect against such attacks, especially during busy shopping periods like Black Friday, experts recommend regular security audits, monitoring for unusual activity, deploying web application firewalls, keeping software updated, using strong passwords, and implementing file integrity monitoring.
RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks
RomCom, a Russia-aligned threat actor, has been exploiting two zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows to deliver its backdoor malware. The attack chain involves a fake website that redirects victims to a server hosting malicious payloads, which exploit these vulnerabilities to achieve code execution and install RomCom RAT without user interaction. The Firefox vulnerability (CVE-2024-9680) allows for arbitrary code execution, while the Windows Task Scheduler flaw (CVE-2024-49039) enables privilege escalation. ESET discovered this sophisticated attack, which primarily targets victims in Europe and North America. This incident marks the second time RomCom has exploited a zero-day vulnerability, demonstrating the group's increasing capabilities and commitment to developing stealthy attack methods.
Salt Typhoon Builds Out Malware Arsenal With GhostSpider
Salt Typhoon, a Chinese advanced persistent threat (APT) group, has been conducting long-term espionage campaigns against high-value government and telecommunications organizations globally. The group, known for its sophisticated tactics and diverse malware arsenal, has recently introduced a new backdoor called GhostSpider. Salt Typhoon's operations have evolved from phishing attacks to exploiting vulnerabilities in internet-facing devices, targeting organizations across multiple sectors and continents. The group's structure consists of specialized teams focusing on different geographic regions and industries, making it challenging to detect and attribute their activities. Their approach often involves compromising intermediary targets to gain access to more significant organizations, particularly those associated with government and military entities.
99% of UAE’s .ae Domains Exposed to Phishing and Spoofing
A study by EasyDMARC revealed that only 1.11% of UAE's 37,926 .ae domains have implemented DMARC, an email authentication standard crucial for protecting against phishing and spoofing attacks. Of those using DMARC, only 30.48% enforce a strict "reject" policy. The UAE's adoption rate lags behind other countries like India (46%) and Germany (4.55%), leaving most UAE businesses vulnerable to cyber threats. With ransomware attacks costing the UAE an estimated $1 billion last year, experts stress the urgent need for widespread DMARC adoption with strict policies to improve email security, especially as AI-driven phishing attacks become more sophisticated.
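The study's two numbers (domains with any DMARC record, and the subset enforcing "reject") come from classifying the TXT record published at `_dmarc.<domain>`. The following is an added example, not EasyDMARC's tooling: it parses DMARC records and sorts each domain into missing, invalid, monitor-only (`p=none`), partially enforced (`pct` below 100) or enforced (`p=quarantine` or `p=reject` on all mail). The domain names and records are constructed; a live survey would fetch each record with a DNS TXT query for `_dmarc.<domain>` and feed it to the same functions.

```python
DMARC_POLICIES = ("none", "quarantine", "reject")
CATEGORIES = ("missing", "invalid", "monitor", "partial", "enforced")


def parse_dmarc(record):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict.

    Returns None when the text is not a DMARC record (wrong version tag or
    a malformed tag=value pair), which a survey should count as 'invalid'.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify_policy(record):
    """Return one of CATEGORIES for a domain's _dmarc TXT record (None = no record)."""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    # p= is mandatory; a record without a recognised policy protects nothing
    if tags is None or tags.get("p", "").lower() not in DMARC_POLICIES:
        return "invalid"
    if tags["p"].lower() == "none":
        return "monitor"  # reports only; spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if pct < 100:
        return "partial"  # receivers apply the policy to only pct% of failing mail
    return "enforced"


def summarize(records):
    """Count domains per category; records maps domain -> TXT record or None."""
    counts = {c: 0 for c in CATEGORIES}
    for rec in records.values():
        counts[classify_policy(rec)] += 1
    return counts


def enforcement_rate(records):
    """Share of domains with a valid DMARC record whose policy is fully enforced."""
    counts = summarize(records)
    with_dmarc = counts["monitor"] + counts["partial"] + counts["enforced"]
    return counts["enforced"] / with_dmarc if with_dmarc else 0.0


# Constructed sample survey; none of these domains or records are real.
SAMPLE_RECORDS = {
    "example-bank.ae": "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.ae",
    "example-shop.ae": "v=DMARC1; p=quarantine; pct=25",
    "example-news.ae": "v=DMARC1; p=none; rua=mailto:reports@example-news.ae",
    "example-club.ae": "v=spf1 include:_spf.example.net -all",  # SPF text published at _dmarc by mistake
    "example-blog.ae": None,  # no _dmarc TXT record at all
}

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    print(f"enforced among DMARC users: {enforcement_rate(SAMPLE_RECORDS):.1%}")
```

Two details matter for anyone reproducing a survey like this: a record that exists but carries `p=none` gives the sender visibility and the receiver no instruction to block, and `pct` silently scales an otherwise strict policy down, so "has DMARC" and "is protected by DMARC" are different populations.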
UK seeks collaboration for security research lab to counter Russia and 'new AI arms race'
The UK government is launching a new AI security research lab called LASR with an initial funding of £8.22 million to counter cyber threats from hostile states, particularly Russia. The lab aims to collaborate with various government departments, academic institutions, and international partners, including Five Eyes countries and NATO members. It will focus on using AI to defend against advanced cyber attacks while acknowledging that AI can also amplify existing threats. This initiative comes in response to the increasing number of AI-fueled nation-state attacks and is part of the UK's broader efforts to enhance cybersecurity, including the recent introduction of the Cyber Security and Resilience Bill to protect public services.
New EU Commission to Unveil Healthcare Cybersecurity Plan in First 100
The newly elected European Commission plans to prioritize cybersecurity in the healthcare sector during its first 100 days in office. Christiane Kirketerp de Viron from the EU Commission's DG Connect highlighted the need to focus on implementing existing cyber regulations, particularly for hospitals and healthcare providers, many of which have never conducted security risk assessments. A new action plan for healthcare cybersecurity will be presented, addressing the sector's vulnerability to data breaches, which cost an average of €8.4m per incident. While specific details are not yet available, experts suggest the plan will likely focus on best practices and guidelines rather than new regulations, given the diverse nature of healthcare systems across Europe and the EU's limited jurisdiction in this area.
Senators Propose Bipartisan Health Care Cybersecurity & Resiliency Act
The bipartisan Healthcare Cybersecurity Act, introduced by four senators, aims to enhance cybersecurity in the healthcare sector and protect Americans' health data. The bill proposes grants for health organizations to improve cyberattack prevention and response, provides cybersecurity training, and requires HHS to implement an incident response plan. It offers best practices for rural health clinics and other providers, and seeks to improve coordination between HHS and CISA for responding to cyberattacks. The legislation addresses the growing concern of cyber threats in healthcare, which can compromise sensitive patient data and disrupt critical medical services.
Over 1,000 arrested in massive ‘Serengeti’ anti-cybercrime operation
Operation Serengeti, coordinated by Interpol and Afripol, resulted in the arrest of 1,006 suspects across 19 African countries for cybercriminal activities causing nearly $193 million in global financial losses. The two-month operation targeted ransomware, business email compromise, digital extortion, and online scams, leading to the takedown of over 134,000 malicious infrastructures and networks. Authorities recovered approximately $44 million and identified more than 35,000 victims. Notable cases included an $8.6 million credit card fraud in Kenya, a $6 million Ponzi scheme in Senegal, and various scams in Nigeria, Cameroon, and Angola. The operation involved collaboration with multiple cybersecurity partners and demonstrated significant success in combating cybercrime across the African continent.
Subscribe and come back next week to get another quick overview of recent industry events.