CyberSecurity Newsletter July 28th 2023
In this week’s news: a stalkerware company is breached, an infostealer spread in the wake of the CrowdStrike outage, the FBI introduces CAT, Google exposed thousands of accounts, ServiceNow vulnerabilities, Ukraine shut down Russian ATM services, and threat actors take advantage of the CrowdStrike outage.
Spytech Software, a Minnesota-based company that produces SpyAgent and similar programs, has been breached. TechCrunch was able to access a cache of files taken from Spytech's servers by unknown hackers and has exposed the company's activities and the devices targeted by its stalkerware products:
https://www.techspot.com/news/103972-stalkerware-company-spytech-compromised-data-reveals-thousands-remotely.html
Daolpu Infostealer: Full analysis of the latest malware exploited post CrowdStrike outage:
https://www.infostealers.com/article/daolpu-infostealer-full-analysis-of-the-latest-malware-exploited-post-crowdstrike-outage/
Microsoft has released a custom WinPE recovery tool to find and remove the faulty CrowdStrike update that crashed an estimated 8.5 million Windows devices on Friday. The defective update pushed out by CrowdStrike caused millions of Windows devices worldwide to suddenly crash with a Blue Screen of Death (BSOD) and enter reboot loops:
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-repair-tool-to-remove-crowdstrike-driver/
A recent posting to the official FBI website introduced the world to the Cyber Action Team. Described as a rapid-response fly team consisting of 65 core members, CAT can deploy almost anywhere across the globe within hours:
https://www.forbes.com/sites/daveywinder/2024/07/28/fbi-flies-65-strong-cyber-action-team-across-globe-to-fight-hackers/
A case study into how the newly-formed Linux CNA (CVE Numbering Authority) has affected Linux kernel vulnerability management through the mishandling of a vulnerability we reported a little over a month ago in the upstream 5.10 LTS kernel:
https://grsecurity.net/cve-2021-4440_linux_cna_case_study
Google Workspace's security flaw exposed thousands of accounts to hackers. Google recently found that hackers were able to bypass the email verification system, which is needed to create a Google Workspace account:
https://www.neowin.net/news/google-workspace-security-flaw-exposed-thousands-of-accounts-to-hackers/
Security firm experiencing nightmare after learning remote employee is North Korean hacker:
https://www.foxbusiness.com/technology/security-firm-nightmare-after-learning-remote-employee-north-korea-hacker
Threat actors have been observed exploiting two critical severity vulnerabilities in the ServiceNow platform less than two weeks after they were publicly disclosed, according to Resecurity reports. ServiceNow announced patches for the security defects, tracked as CVE-2024-4879 (CVSS score of 9.3) and CVE-2024-5217 (CVSS score of 9.2), on July 10:
https://www.securityweek.com/threat-actors-exploit-fresh-servicenow-vulnerabilities-in-attacks/
Five ways threat actors are taking advantage of the CrowdStrike outage:
https://www.scmagazine.com/news/5-ways-threat-actors-are-taking-advantage-of-the-crowdstrike-outage
Microsoft said 8.5 million Windows hosts were affected by the Friday outage caused by a faulty CrowdStrike software content update:
https://www.govinfosecurity.com/microsoft-sees-85m-systems-hit-by-faulty-crowdstrike-update-a-25819
Google addressed a Chrome Password Manager bug that caused user credentials to disappear temporarily for more than 18 hours:
https://securityaffairs.com/166200/security/chrome-password-manager-bug.html
China-Backed Phishing Attack Targets India Postal System Users. A large text-message phishing attack campaign attributed to the China-based Smishing Triad employs malicious iMessages:
https://www.darkreading.com/endpoint-security/china-backed-smishing-campaign-targets-india-post-users
Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems to steal users' Google Cloud credentials from a narrow pool of victims:
https://thehackernews.com/2024/07/malicious-pypi-package-targets-macos-to.html
3,000 Fake GitHub Accounts Used to Spread Malware in Stargazers Ghost Scheme. Cybercriminals are using GitHub to distribute malware through fake accounts. Learn how the “Stargazers Ghost” network operates and how to protect yourself from falling victim to this malicious scheme. Discover tips to identify suspicious repositories and stay safe online:
https://hackread.com/fake-github-accounts-spread-malware-stargazers-ghost/
Ukraine launched a massive cyber operation that shut down the ATM services of the biggest Russian banks on July 27, reported the Kyiv Post:
https://securityaffairs.com/166214/cyber-warfare-2/atm-services-russian-banks-hacked.html
Play ransomware is the latest gang to deploy a dedicated Linux locker for encrypting VMware ESXi virtual machines. Cybersecurity company Trend Micro, whose analysts spotted the new ransomware variant, says the locker is designed first to check whether it's running in an ESXi environment before executing and that it can evade detection on Linux systems:
https://www.bleepingcomputer.com/news/security/new-play-ransomware-linux-version-targets-vmware-esxi-vms/
Cisco recently disclosed that its RV340 and RV345 Dual WAN Gigabit VPN Routers have a significant flaw in the upload module. This flaw could allow a remote, authenticated attacker to run arbitrary code on an impacted device:
https://cybersecuritynews.com/cisco-vpn-routers-flaw/
Critical Splunk Vulnerability Exploited Using Crafted GET Requests. Tracked as CVE-2024-36991, the vulnerability is a path traversal on the “/modules/messaging/” endpoint in Splunk Enterprise on Windows. It was rated 7.5 (High) and affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10:
https://cybersecuritynews.com/critical-splunk-vulnerability-cve-2024-36991-exploit/
POC for CVE-2024-36991: This exploit will attempt to read the Splunk /etc/passwd file:
https://github.com/bigb0x/CVE-2024-36991
GitHub - Mr-xn/CVE-2024-36991: Path Traversal On The "/Modules/Messaging/" Endpoint In Splunk Enterprise On Windows
Indian cryptocurrency exchange WazirX announced on Saturday a controversial plan to “socialise” the $230 million loss from its recent security breach among all its customers, a move that has sent shockwaves through the local crypto community. The Mumbai-based firm, which suspended all trading activities on its platform last week following the cyber attack that compromised nearly half of its reserves in India’s largest crypto heist, has outlined a strategy to resume operations within a week or so while implementing a “fair and transparent socialised loss strategy” to distribute the impact “equitably” among its user base:
https://techcrunch.com/2024/07/27/wazirx-to-socialize-230-million-security-breach-loss-among-customers/
A hacktivist entity known as USDoD has claimed to have leaked CrowdStrike’s “entire threat actor list” and alleged possession of the company’s “entire IOC [indicators of compromise] list”, which contains over 250 million data points:
https://cybersecuritynews.com/crowdstrike-threat-actor-database/
Daikin, the world’s largest air conditioner manufacturer, has become the latest target of the notorious Meow hacking group. The USA branch of Daikin has been listed as a victim, with hackers demanding a ransom of $40,000. The incident has raised significant concerns about cybersecurity vulnerabilities in major corporations:
https://gbhackers.com/hackers-claim-breach-of-daikin/
A new vulnerability dubbed "PKfail" has opened Secure Boot on hundreds of PCs and devices across several major tech brands. Researchers at cybersecurity firm Binarly just dropped a bombshell report showing how a leaked cryptographic key has essentially nuked the security guarantees of Secure Boot for over 200 product models:
https://www.techspot.com/news/103999-secure-boot-rendered-useless-over-200-pc-models.html
Reverse Engineering TicketMaster's Rotating Barcodes:
https://conduition.io/coding/ticketmaster/