CyberSecurity Newsletter 11th November 2024
In this week's news: Hackers Target Texas Oilfield Supplier in Ransomware Attack, China-Backed MirrorFace Trains Sights on EU Diplomatic Corps, Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware, Palo Alto Advises Securing PAN-OS Interface Amid Potential RCE Threat Concerns, CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus, Cisco scores a perfect CVSS 10 with critical flaw in its wireless system and Suspect arrested in Snowflake data-theft attacks.
The Department of Defense has awarded its first generative AI defense contract to Jericho Security, marking a strategic shift in military cybersecurity. The $1.8 million Small Business Technology Transfer (STTR) Phase II contract, announced through AFWERX, tasks the New York-based startup with developing advanced cybersecurity solutions for the Department of the Air Force:
https://venturebeat.com/ai/meet-the-startup-that-just-won-the-pentagons-first-ai-defense-contract/
Cisco is warning of a critical security vulnerability found in its Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) access points that could allow an unauthenticated remote attacker to launch command-injection attacks. An attacker could exploit the vulnerability (CVE-2024-20418, CVSS 10) by sending HTTP requests to the web-based management interface of an affected system. If successful, the attacker could execute arbitrary commands with root privileges on the affected device's underlying operating system:
https://www.darkreading.com/vulnerabilities-threats/cisco-bug-command-injection-attacks
Hackers are targeting Windows machines using the ZIP file concatenation technique to deliver malicious payloads in compressed archives without security solutions detecting them. The technique exploits the different ways ZIP parsers and archive managers handle concatenated ZIP files:
https://www.bleepingcomputer.com/news/security/hackers-now-use-zip-file-concatenation-to-evade-detection/
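The detection angle here is that a ZIP file is read from its End Of Central Directory (EOCD) record, and a blob made by gluing two archives together carries two of them; one parser will trust the first, another the last, so the two disagree about which files "the archive" contains. The following is an added example (not code from the BleepingComputer article or from any vendor) that scans a blob for every EOCD record, validates each candidate by checking that its central-directory offset really points at a central-directory header, splits the blob into its component archives and compares their member lists with what Python's own zipfile module reports. The two-archive sample is constructed inline; the function and field names are the example's own.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End Of Central Directory record signature
CDH_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_FIXED_LEN = 22       # EOCD is 22 bytes plus an optional trailing comment


def find_eocd_offsets(data: bytes) -> list[int]:
    """Return the offset of every validated EOCD record in the blob.

    A candidate is accepted only if the central-directory offset it carries
    (relative to the start of the archive it terminates) lands on a CDH
    signature; this weeds out stray 'PK\\x05\\x06' bytes inside file data.
    """
    offsets = []
    segment_start = 0
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED_LEN <= len(data):
            cd_offset = struct.unpack_from("<I", data, pos + 16)[0]
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            cd_abs = segment_start + cd_offset
            if data[cd_abs:cd_abs + 4] == CDH_SIG:
                offsets.append(pos)
                # the next archive, if any, begins right after this EOCD
                segment_start = pos + EOCD_FIXED_LEN + comment_len
        pos = data.find(EOCD_SIG, pos + 1)
    return offsets


def split_concatenated_zip(data: bytes) -> list[bytes]:
    """Cut the blob into one byte string per embedded archive."""
    parts = []
    start = 0
    for off in find_eocd_offsets(data):
        comment_len = struct.unpack_from("<H", data, off + 20)[0]
        end = off + EOCD_FIXED_LEN + comment_len
        parts.append(data[start:end])
        start = end
    return parts


def list_members(blob: bytes) -> list[str]:
    """Member names as Python's zipfile parser reports them for this blob."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def analyze(data: bytes) -> dict:
    """Summarise how many archives are glued together and what each holds.

    'python_zipfile_sees' is what a last-EOCD parser (zipfile) reports for the
    whole blob; a first-EOCD parser would report members_per_archive[0] only.
    """
    parts = split_concatenated_zip(data)
    return {
        "archive_count": len(parts),
        "members_per_archive": [list_members(p) for p in parts],
        "python_zipfile_sees": list_members(data),
        "suspicious": len(parts) > 1,
    }


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a small archive in memory (stored, uncompressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed sample: a benign-looking archive with a second one appended."""
    first = make_zip({"invoice.txt": b"Thanks for your order.\n"})
    second = make_zip({"second-archive.txt": b"constructed sample content\n"})
    return first + second


if __name__ == "__main__":
    report = analyze(build_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real download, the interesting signal is simply `archive_count > 1`: a legitimately produced ZIP has exactly one EOCD, so a second validated record is worth flagging regardless of what either half contains. Note that self-extracting and some installer-style archives legitimately prepend a stub before the archive; that stub has no EOCD of its own, so it does not trip this check.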
The US government's Consumer Financial Protection Bureau (CFPB) advises employees to avoid using cellphones for work after China-linked APT group Salt Typhoon hackers breached major telecom providers. The agency has issued a directive to employees to reduce the use of their phones and invites them to use Microsoft Teams and Cisco WebEx for meetings and conversations that involve nonpublic data:
https://securityaffairs.com/170737/hacking/u-s-agency-limit-phone-use-due-to-salt-typhoon-hack.html
Palo Alto Networks issued an informational advisory urging customers to ensure that access to the PAN-OS management interface is secured because of a potential remote code execution vulnerability. "Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface," the company said. "At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation.":
https://thehackernews.com/2024/11/palo-alto-advises-securing-pan-os.html
Canadian authorities have arrested a man on suspicion he breached hundreds of accounts belonging to users of cloud-storage provider Snowflake and used that access to steal personal data belonging to millions of people, authorities said Tuesday. “Following a request by the United States, Alexander Moucka (aka Connor Moucka) was arrested on a provisional arrest warrant on Wednesday, October 30, 2024,” an official with the Canada Department of Justice wrote in an email Tuesday. “He appeared in court later that afternoon, and his case was adjourned to Tuesday, November 5, 2024. As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case.”:
https://arstechnica.com/security/2024/11/suspect-arrested-in-snowflake-data-theft-attacks-affecting-millions/
POC - CVE-2024-10914 - Command Injection Vulnerability in name parameter for D-Link NAS:
https://github.com/verylazytech/CVE-2024-10914
Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT. Remcos RAT "provides purchasers with a wide range of advanced features to remotely control computers belonging to the buyer," Fortinet FortiGuard Labs researcher Xiaopeng Zhang said in an analysis published last week:
https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html
After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware. Code White security researcher Florian Hauser found that the vulnerability (tracked as CVE-2024-40711) is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE) on Veeam VBR servers:
https://www.bleepingcomputer.com/news/security/critical-veeam-rce-bug-now-used-in-frag-ransomware-attacks/
Reid Hoffman, the LinkedIn co-founder and prominent tech investor, offered an optimistic vision for artificial intelligence on Tuesday, introducing his "super agency" concept that frames AI as a tool for human empowerment rather than replacement:
https://venturebeat.com/ai/linkedin-founder-reid-hoffman-unveils-super-agency-vision-at-ted-ai-conference-takes-subtle-shot-at-elon-musk/
Telematics tech biz Microlise says an attack that hit its network likely did not expose customer data, although staff aren't so lucky. "Some limited employee data" was compromised in the incident, Microlise told the London Stock Exchange today, without going into any great detail about the nature of the data or how many staff members were affected. Microlise initially disclosed the break-in on October 31, after which time the AIM-listed company's share price dropped 16 percent and has still not fully recovered:
https://www.theregister.com/2024/11/06/microlise_cyberattack/
Microsoft has confirmed that last month's Windows security updates are breaking SSH connections on some Windows 11 22H2 and 23H2 systems. This newly acknowledged issue affects enterprise, IoT, and education customers, but the company says that only a "limited number" of devices are impacted. Microsoft is also investigating whether consumer customers using Windows 11 Home or Pro editions are affected:
https://www.bleepingcomputer.com/news/microsoft/microsoft-says-recent-windows-11-updates-break-ssh-connections/
More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit. The flaw, tracked as CVE-2024-10914, has a critical 9.2 severity score and is present in the ‘cgi_user_add’ command where the name parameter is insufficiently sanitized. An unauthenticated attacker could exploit it to inject arbitrary shell commands by sending specially crafted HTTP GET requests to the devices:
https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-flaw-affecting-60-000-older-nas-devices/
Two high-profile criminal gangs, Scattered Spider and BlackCat/ALPHV, seemed to disappear into the darkness like their namesakes following a series of splashy digital heists last year, after which there were arrests and website seizures. Over the last couple months, however, both have reemerged – with new reported intrusions and a possible rebrand. In October, security firm ReliaQuest responded to a digital break-in at a manufacturing firm that it attributed with "high confidence" to Scattered Spider:
https://www.theregister.com/2024/11/08/scattered_spider_blackcat_return/
Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts. The "intriguing" campaign, codenamed CRON#TRAP, starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email:
https://thehackernews.com/2024/11/new-crontrap-malware-infects-windows-by.html
Interpol is reporting a big win after a massive combined operation against online criminals made 41 arrests and seized hardware thought to be used for nefarious purposes. Operation Synergia II, the follow-up to the first Synergia raids announced in February, saw police in 95 countries crack down on phishers, ransomware extortionists, and information thieves around the world. The operation was carried out in conjunction with the corporate world, specifically Group-IB, Trend Micro, Kaspersky and Team Cymru:
https://www.theregister.com/2024/11/06/operation_synergia_ii_interpol/
Attackers could exploit several vulnerabilities in the Mazda Connect infotainment unit, present in multiple car models including Mazda 3 (2014-2021), to execute arbitrary code with root permission. The security issues remain unpatched and some of them are command injection flaws that could be leveraged to obtain unrestricted access to vehicle networks, potentially impacting the car's operation and safety:
https://www.bleepingcomputer.com/news/security/unpatched-mazda-connect-bugs-let-hackers-install-persistent-malware/
A new campaign has targeted the npm package repository with malicious JavaScript libraries that are designed to infect Roblox users with open-source stealer malware such as Skuld and Blank-Grabber. "This incident highlights the alarming ease with which threat actors can launch supply chain attacks by exploiting trust and human error within the open source ecosystem, and using readily available commodity malware, public platforms like GitHub for hosting malicious executables, and communication channels like Discord and Telegram for C2 operations to bypass traditional security measures":
https://thehackernews.com/2024/11/malicious-npm-packages-target-roblox.html
Chinese government cyberspies Volt Typhoon reportedly breached Singapore Telecommunications over the summer as part of their ongoing attacks against critical infrastructure operators. The digital break-in was discovered in June, according to Bloomberg, citing "two people familiar with the matter" who told the news outlet that the Singtel breach was "a test run by China for further hacks against US telecommunications companies.":
https://www.theregister.com/2024/11/06/chinas_volt_typhoon_breached_singtel/
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a new report:
https://thehackernews.com/2024/11/androxgh0st-malware-integrates-mozi.html
Newpark Resources, a Texas-based provider of oil drilling fluids systems and composite matting systems, announced in a filing with the Securities and Exchange Commission (SEC) that it is dealing with the fallout of a ransomware attack it faced earlier this week. The company has not shared details as to how the attackers gained access to its network, nor who the threat actors are or why they may have targeted Newpark. But after the breach was discovered, Newpark engaged its security response plan as expected and limited access to certain parts of its systems:
https://www.darkreading.com/cyberattacks-data-breaches/mystery-hackers-texas-oilfield-supplier-ransomware-attack
IntelBroker, a notorious peddler of stolen data, claims to have pilfered source code, private keys, and other sensitive materials belonging to Nokia. In a post on cyber crime message board Breachforums this week, IntelBroker put up for sale what's claimed to be the Finnish network equipment maker's source code, SSH keys, RSA keys, Bitbucket logins, details or contents of SMTP accounts, and credentials, among other things:
https://www.theregister.com/2024/11/06/nokia_data_theft/
A threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices. Cybersecurity company SentinelOne, which dubbed the campaign Hidden Risk, attributed it with high confidence to BlueNoroff, which has been previously linked to malware families such as RustBucket, KANDYKORN, ObjCShellz, RustDoor (aka Thiefbucket), and TodoSwift:
https://thehackernews.com/2024/11/north-korean-hackers-target-crypto.html
Infamous Chinese advanced persistent threat (APT) group "MirrorFace" has made notable moves into diplomatic espionage in the European Union using SoftEther VPN, the emerging tool of choice among these threat groups:
https://www.darkreading.com/cyberattacks-data-breaches/china-backed-mirrorface-trains-sights-on-eu-diplomatic-corps
In 2024, Canadian banks have seen just 34% of the reported fraud cases they experienced a year ago. And yet, Canadian retail banking customers appear on pace to lose as much as or more than the $569 million they lost to fraud in 2023:
https://www.darkreading.com/cyber-risk/canadians-expected-to-lose-more-than-569m-to-scams-in-2024
A malicious Python package named 'fabrice' has been present in the Python Package Index (PyPI) since 2021, stealing Amazon Web Services credentials from unsuspecting developers. According to application security company Socket, the package has been downloaded more than 37,000 times and executes platform-specific scripts for Windows and Linux:
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-with-37-000-downloads-steals-aws-keys/
ByteDance is being exiled from Canada, though the TikTok app is not. Following the US's example, Canada has spent recent years rubbing up against the world's most popular Chinese app. In February 2023, TikTok was banned from all government devices, citing security concerns. Later that year, the government called for a broader national security review under the 1985 Investment Canada Act, which empowers the government to scrutinize foreign investments:
https://www.darkreading.com/cyber-risk/canada-closes-tiktok-offices-national-security