CyberSecurity Newsletter August 19th 2024
In this week’s news: Ransomware disables EDR, AnyDesk users targeted with a fake update screen, a critical vulnerability in GitHub Actions, tech support scammers impersonate Google, US Presidential campaigns targeted by APT42, a critical SolarWinds RCE vulnerability and background check service National Public Data confirms a data breach.
RansomHub ransomware operators are now deploying new malware to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks. Named EDRKillShifter by Sophos security researchers who discovered it during a May 2024 ransomware investigation, the malware deploys a legitimate, vulnerable driver on targeted devices to escalate privileges, disable security solutions, and take control of the system:
https://www.bleepingcomputer.com/news/security/ransomware-gang-deploys-new-malware-to-kill-security-software/
A new data extortion group tracked as Mad Liberator is targeting AnyDesk users and runs a fake Microsoft Windows update screen to distract the victim while exfiltrating data from the target device. The operation emerged in July and although researchers observing the activity did not see any incidents involving data encryption, the gang notes on its data leak site that it uses AES/RSA algorithms to lock files:
https://www.bleepingcomputer.com/news/security/new-mad-liberator-gang-uses-fake-windows-update-screen-to-hide-data-theft/
Palo Alto Networks’ Unit 42 has discovered a critical security vulnerability within GitHub Actions. This vulnerability, dubbed “ArtiPACKED,” potentially allows attackers to steal sensitive information, including GitHub authentication tokens, from popular open-source projects:
https://hackread.com/artipacked-flaw-exposed-github-actions-to-token-leaks/
Tech support scammers impersonate Google via malicious search ads:
https://www.helpnetsecurity.com/2024/08/16/google-ads-support-scams/
A large percentage of Google's own Pixel devices shipped globally since September 2017 included dormant software that could be used to stage nefarious attacks and deliver various kinds of malware. The issue manifests in the form of a pre-installed Android app called "Showcase.apk" that comes with excessive system privileges, including the ability to remotely execute code and install arbitrary packages on the device, according to mobile security firm iVerify:
https://thehackernews.com/2024/08/google-pixel-devices-shipped-with.html
An Iranian state-backed threat actor is targeting individuals associated with the Harris and Trump Presidential campaigns, according to Google’s Threat Analysis Group (TAG). The group, APT42, has been observed attempting to compromise the email accounts of individuals associated with the respective US Presidential campaigns via spearphishing attacks:
https://www.infosecurity-magazine.com/news/google-iranian-attacks/
A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the networking.k8s.io or extensions API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster:
https://github.com/kubernetes/kubernetes/issues/126744
The Central Bank of Iran (CBI) was reportedly hit with a cyberattack alongside several other banks on Wednesday, causing disarray within Iran's financial system. According to a report by Iran International, the scale and impact of the attack indicate that it may be one of the largest cyberattacks Iran's state infrastructure has ever faced. Hackers also reportedly stole information belonging to account holders:
https://www.darkreading.com/cyberattacks-data-breaches/iran-reportedly-grapples-with-major-cyberattack-on-banking-systems
SolarWinds patches critical RCE vulnerabilities in its Web Help Desk. Labelled CVE-2024-28986, the flaw is down to a Java deserialisation vulnerability. An attacker with access to the WHD application can send malicious commands to the target system and achieve code execution:
https://www.scmagazine.com/news/solarwinds-patches-critical-rce-vulnerability-in-its-web-help-desk
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the SolarWinds Web Help Desk deserialisation of untrusted data vulnerability, tracked as CVE-2024-28986 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalogue:
https://securityaffairs.com/167157/security/cisa-adds-solarwinds-web-help-desk-bug-to-its-known-exploited-vulnerabilities-catalog.html
Microsoft warned Entra global admins on Thursday to enable multi-factor authentication (MFA) for their tenants by October 15 to ensure users don't lose access to admin portals:
https://www.bleepingcomputer.com/news/microsoft/microsoft-enable-mfa-or-lose-access-to-admin-portals-in-october/
A Russian national was sentenced to over three years in prison for selling stolen information and credentials on a dark web marketplace. The 27-year-old Russian national Georgy Kavzharadze (also known as “George,” “TeRorPP,” “Torqovec,” and “PlutuSS”) has been sentenced to over three years in prison for selling financial information, login credentials, and other personal data on the dark web marketplace, Slilpp:
https://securityaffairs.com/167146/deep-web/russian-national-sentenced-40-months.html
A large-scale extortion campaign has compromised various organizations by taking advantage of publicly accessible environment variable files (.env) that contain credentials associated with cloud and social media applications. "Multiple security missteps were present in the course of this campaign, including the following: Exposing environment variables, using long-lived credentials, and absence of least privilege architecture," Palo Alto Networks Unit 42 said in a Thursday report:
https://thehackernews.com/2024/08/attackers-exploit-public-env-files-to.html
A sophisticated ValleyRAT campaign is targeting Chinese Windows users. The article covers the malware’s multi-stage attack, its ability to evade detection, the potential impact on compromised systems, the threat actor’s tactics and the risks posed to individuals and organizations:
https://hackread.com/valleyrat-malware-chinese-windows-users/
Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC. The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the malware using bogus sites and social media accounts:
https://thehackernews.com/2024/08/russian-hackers-using-fake-brand-sites.html
Threat actors amassed more ransomware payments and cryptocurrency heist proceeds during the first six months of 2024 than in the same period last year, reports The Record, a news site by cybersecurity firm Recorded Future:
https://www.scmagazine.com/brief/ransomware-attack-proceeds-crypto-theft-rise-in-first-half
Machines with weak SSH passwords have been brute-forced by a novel variant of the Gafgyt botnet, also known as Torlus, BASHLITE, and Lizkebab, to facilitate cryptomining with the XMRig malware using the impacted devices' GPU computational capabilities, according to The Hacker News:
https://thehackernews.com/2024/08/new-gafgyt-botnet-variant-targets-weak.html
Reuters reports that the U.S. Commerce Department has been urged by House Select Committee on China Heads John Moolenaar, R-Mich., and Raja Krishnamoorthi, D-Ill., to investigate major Chinese network equipment manufacturer TP-Link — which the IDC noted to be the world's leading WiFi router seller — for possible national security risks stemming from potential cyberattack usage:
https://www.reuters.com/world/us/us-lawmakers-urge-probe-wifi-router-maker-tp-link-over-fears-chinese-cyber-2024-08-15/
Background check service National Public Data confirms a data breach that exposed millions of social security numbers and other sensitive information:
https://securityaffairs.com/167171/data-breach/national-public-data-confirms-data-breach.html
A clever disinformation campaign engages several Microsoft Azure and OVH cloud subdomains and Google searches to promote malware and spam sites. Android users receive "new info related to..." Google search notifications about a subject they have previously searched about, but are then presented with misleading search results, driving traffic to scam websites disguised as infotainment articles:
https://www.bleepingcomputer.com/news/security/azure-domains-and-google-abused-to-spread-disinformation-and-malware/
A critical 7-year-old security flaw in a pre-installed app on millions of Google Pixel devices has been exposed. The vulnerability allows for potential remote code execution and data breaches. While Google has acknowledged the issue, the delay in addressing this serious threat has raised concerns about user safety:
https://hackread.com/7-year-old-pre-installed-google-pixel-app-flaw-risk/
On Friday, OpenAI said it banned a set of accounts linked to what it said was an Iranian covert influence operation that leveraged ChatGPT to generate content that, among other things, focused on the upcoming U.S. presidential election. "This week, we identified and took down a cluster of ChatGPT accounts that were generating content for a covert Iranian influence operation identified as Storm-2035," OpenAI said:
https://thehackernews.com/2024/08/openai-blocks-iranian-influence.html
Microsoft has shared a workaround for a known issue affecting Microsoft 365 customers and causing classic Outlook to crash after opening or when starting up in Safe mode. Impacted users can confirm if they're affected by this specific issue by looking for Event 1000 or Event 1001 crashes in the Windows Event Viewer Application Log with 0xc0000005 exception codes linked to the faulting module ucrtbase.dll:
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-workaround-for-outlook-crashing-after-opening/
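One way to run the check described above on an affected machine, as an added PowerShell example that is not from the article or from Microsoft; the seven-day look-back window is an assumption:

```powershell
# Added example: list classic Outlook crash events in the Application log that match
# the signature in the article (Event 1000/1001, exception code 0xc0000005,
# faulting module ucrtbase.dll). Event 1000 (Application Error) spells the fields out;
# Event 1001 (Windows Error Reporting) carries them as P-values, where the exception
# code appears as "c0000005" without the 0x prefix, so the regex accepts both forms.
function Get-OutlookUcrtbaseCrash {
    [CmdletBinding()]
    param(
        # Assumption: the last 7 days is a reasonable window for the known issue.
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Application'
        Id        = 1000, 1001
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no hits".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'OUTLOOK\.EXE' -and
            $_.Message -match '(0x)?c0000005' -and
            $_.Message -match 'ucrtbase\.dll'
        } |
        ForEach-Object {
            # Extract the named fields from an Event 1000 message where present.
            $m = $_.Message
            $code = if ($m -match 'Exception code:\s*(0x[0-9a-fA-F]+)') { $Matches[1] } else { 'c0000005' }
            $mod  = if ($m -match 'Faulting module name:\s*([^,\s]+)') { $Matches[1] } else { 'ucrtbase.dll' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Exception = $code
                Module    = $mod
            }
        }
}

$hits = @(Get-OutlookUcrtbaseCrash)
if ($hits.Count -gt 0) {
    "Outlook crashes matching the ucrtbase.dll signature of the known issue:"
    $hits | Format-Table -AutoSize
} else {
    "No matching Outlook/ucrtbase.dll crash events in the Application log."
}
```

Run it in an elevated PowerShell session on the affected workstation; a non-empty table indicates the machine is hitting this specific known issue rather than an unrelated Outlook crash.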
A highly controversial California AI safety bill passed in the state’s Appropriations Committee Thursday, but despite several amendments designed to appease concerned voices in the tech industry, some critics said the changes don’t go far enough to prevent the bill from stifling AI innovation, startups and open-source projects. California Senate Bill 1047 (SB 1047) would put the onus on AI developers to prevent AI systems from causing mass casualties — for example, through the AI-driven development of biological or nuclear weapons — or major cybersecurity events costing more than $500 million in damage:
https://www.scmagazine.com/news/changes-to-controversial-california-ai-safety-bill-fail-to-satisfy-critics