CyberSecurity Newsletter November 3rd, 2024
In this week’s news: LastPass warns of fake support centers trying to steal customer data, Microsoft SharePoint RCE bug exploited to breach corporate network, ex-Disney employee has been arrested and charged with hacking his former employer's systems, 6 IT contractors arrested for defrauding Uncle Sam out of millions, new FakeCall malware variant hijacks Android devices for fraudulent banking calls, and misconfigured Git configurations targeted in the Emeraldwhale attack.
LastPass is warning about an ongoing campaign where scammers are writing reviews for its Chrome extension to promote a fake customer support phone number. However, this phone number is part of a much larger campaign to trick callers into giving scammers remote access to their computers, as discovered by BleepingComputer. LastPass is a popular password manager that utilizes a LastPass Chrome extension to generate, save, manage, and autofill website passwords. Threat actors are attempting to target a large swath of the company's user base by leaving 5-star reviews with a fake LastPass customer support number:
https://www.bleepingcomputer.com/news/security/lastpass-warns-of-fake-support-centers-trying-to-steal-customer-data/
A recently disclosed Microsoft SharePoint remote code execution (RCE) vulnerability tracked as CVE-2024-38094 is being exploited to gain initial access to corporate networks. CVE-2024-38094 is a high-severity (CVSS v3.1 score: 7.2) RCE flaw impacting Microsoft SharePoint, a widely used web-based platform functioning as an intranet, document management, and collaboration tool that can seamlessly integrate with Microsoft 365 apps.
Microsoft fixed the vulnerability on July 9, 2024, as part of the July Patch Tuesday package, marking the issue as "important":
https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-rce-bug-exploited-to-breach-corporate-network/
A disgruntled ex-Disney employee has been arrested and charged with hacking his former employer's systems to alter restaurant menus with potentially deadly consequences. Michael Scheuer was charged and arrested last week for allegedly violating the Computer Fraud and Abuse Act on three occasions by breaking into a former employer's systems. Disney is not named in the complaint, but The Register has been told they are the company in question, and Scheuer's former employer:
https://www.theregister.com/2024/10/30/fired_disney_employee_hacks_menu/
The US Department of Justice has charged six people with two separate schemes to defraud Uncle Sam out of millions of dollars connected to IT product and services contracts. The two cases, involving three individuals each, were the first time the DoJ issued charges connected to an ongoing investigation involving IT manufacturers, distributors and resellers and their deals with the federal government:
https://www.theregister.com/2024/11/03/6_it_contractors_arrested_for/
Cybersecurity researchers have discovered a new version of a well-known Android malware family dubbed FakeCall that employs voice phishing (aka vishing) techniques to trick users into parting with their personal information. "FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming and outgoing calls":
https://thehackernews.com/2024/11/new-fakecall-malware-variant-hijacks.html
Hackers working on behalf of the Chinese government are using a botnet of thousands of routers, cameras, and other Internet-connected devices to perform highly evasive password spray attacks against users of Microsoft’s Azure cloud service, the company warned Thursday. The malicious network, made up almost entirely of TP-Link routers, was first documented in October 2023 by a researcher who named it Botnet-7777. The geographically dispersed collection of more than 16,000 compromised devices at its peak got its name because it exposes its malware on port 7777:
https://arstechnica.com/information-technology/2024/11/microsoft-warns-of-8000-strong-botnet-used-in-password-spraying-attacks
Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week's Pwn2Own hacking competition within days. Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as CVE-2024-10443 and dubbed RISK:STATION) in the company's Synology Photos and BeePhotos for BeeStation software:
https://www.bleepingcomputer.com/news/security/synology-fixed-two-critical-zero-days-exploited-at-pwn2own-within-days/
A criminal operation dubbed Emeraldwhale has been discovered after it dumped more than 15,000 credentials belonging to cloud service and email providers in an open AWS S3 bucket, according to security researchers. The unknown data thieves embarked on a "massive scanning campaign" between August and September, looking for servers with exposed Git configuration and Laravel environment files, we're told:
https://www.theregister.com/2024/10/31/emeraldwhale_credential_theft/
Microsoft warned customers they might experience up to 30 minutes of black screens when logging into Azure Virtual Desktop (AVD) after installing the KB5040525 Windows 10 July 2024 preview update. Additional symptoms include single sign-on (SSO) failures (on Office applications such as Outlook and Teams) blocking connections to backend services or preventing data syncs and Office apps losing network connectivity while other apps like Edge retain access to the Internet and the local network:
https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-azure-virtual-desktop-users-of-black-screen-issues/
A report by Canada's Communications Security Establishment (CSE) revealed that state-backed actors have collected valuable information from government networks for five years. The biennial National Cyber Threat Assessment described the People's Republic of China's (PRC) cyber operations against Canada as "second to none." Their purpose is to "serve high-level political and commercial objectives, including espionage, intellectual property (IP) theft, malign influence, and transnational repression":
https://www.theregister.com/2024/10/31/canada_cybersec_threats/
Microsoft has revealed that a Chinese threat actor it tracks as Storm-0940 is leveraging a botnet called Quad7 to orchestrate highly evasive password spray attacks. The tech giant has given the botnet the name CovertNetwork-1658, stating the password spray operations are used to steal credentials from multiple Microsoft customers:
https://thehackernews.com/2024/11/microsoft-warns-of-chinese-botnet.html
Earlier this week, researchers uncovered a major cybercriminal operation, dubbed EmeraldWhale, after the attackers dumped more than 15,000 credentials into a stolen, open AWS S3 bucket in a massive Git repository theft campaign:
https://www.darkreading.com/cloud-security/emeraldwhale-massive-git-breach-config-gaps
Microsoft has once again delayed the release of its new artificial intelligence tool, Recall, while the company works on making sure the data it collects can't be abused by adversaries:
https://www.darkreading.com/application-security/privacy-anxiety-pushes-microsoft-recall-release-again
Critical security vulnerabilities affecting factory automation software from Mitsubishi Electric and Rockwell Automation could variously allow remote code execution (RCE), authentication bypass, product tampering, or denial-of-service (DoS):
https://www.darkreading.com/vulnerabilities-threats/critical-auth-bugs-smart-factory-cyberattack
An unknown threat actor is targeting Facebook businesses and advertising account users in Taiwan through a phishing campaign, using decoy emails and fake PDF filenames. These dupes are designed to impersonate a company's legal team and lure the victim in with its falsified details, convincing them to download and execute malware:
https://www.darkreading.com/cyberattacks-data-breaches/facebook-businesses-targeted-infostealer-phishing-campaign
Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up. LightSpy, first documented in 2020 as targeting users in Hong Kong, is a modular implant that employs a plugin-based architecture to augment its capabilities and allow it to capture a wide range of sensitive information from an infected device:
https://thehackernews.com/2024/10/new-lightspy-spyware-version-targets.html
Multiple UK councils had their websites either knocked offline or were inaccessible to residents this week after pro-Russia cyber nuisances added them to a daily target list. The targeting began on Tuesday and among the many authorities on the list, the websites of Bradford, Eastleigh, Keighley, Salford, Tameside, and Trafford were rendered inaccessible. Eastleigh and Trafford's sites remained down on Wednesday, as did Salford's until the afternoon, when it returned with warnings of lingering technical difficulties:
https://www.theregister.com/2024/11/01/uk_councils_russia_ddos/
A hacker who uses the handle GaryOderNichts has found a way to break into Nintendo's recently launched Alarmo clock, and run code on the device. Nintendo bills Alarmo as a way to "make waking up fun" – a tall order. The clock looks like a cartoony take on a vintage, red round alarm clock, but with an interactive screen:
https://www.theregister.com/2024/11/01/hack_nintendos_alarmo/