September 23, 2024

News roundup September 23, 2024

SAN MATEO, CA, September 23, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.

Phishing campaign shut down by Europol

A phishing-as-a-service (PhaaS) platform called iServer has been taken down by Europol after affecting more than 483,000 victims around the world, “mainly Spanish-speaking nationals from European, North American, and South American countries.” The takedown operation, called Operation Kaerb, was a collaboration between law enforcement and judicial agencies from Spain, Argentina, Chile, Colombia, Ecuador, and Peru and has led to “17 arrests, 28 searches, and the seizure of 921 items, including mobile phones, electronic devices, vehicles, and weapons.” iServer “offered a web interface that enabled low-skilled criminals, known as ‘unlockers,’ to siphon device passwords, user credentials from cloud-based mobile platforms, essentially permitting them to bypass Lost Mode and unlock the devices.” It is believed the scheme successfully unlocked as many as 1.2 million phones. Read more.

Mysterious “Noise Storms” flooding the internet

Internet intelligence company GreyNoise has been tracking online “Noise Storms” full of spoofed internet traffic since the start of 2020, but their origin and purpose remain a mystery. They are suspected of being “covert communications, DDoS attack coordination signals, clandestine command and control (C2) channels of malware operations, or the result of a misconfiguration.” A “LOVE” ASCII string in the generated ICMP packets adds to the mystery as researchers attempt to get to the bottom of the phenomenon. The phony traffic the storms generate is directed to specific internet service providers such as “Cogent, Lumen, and Hurricane Electric, but avoid others, most notably Amazon Web Services (AWS).” The traffic has also been observed changing window sizes and other parameters to spoof various operating systems and remain elusive. GreyNoise has invited other researchers to help them solve the puzzle. Read more.

MacOS Sequoia breaks cybersecurity tools

Mac users may want to hold off on updating to Apple’s latest operating system, as macOS Sequoia appears to be breaking the functionality of cybersecurity tools from CrowdStrike, SentinelOne, Microsoft, and more. Frustrating those who depend on Mac-focused security, the instances of incompatibility are being shared on social media and across Apple message boards. CrowdStrike has had to delay support for the new OS, essentially blaming Apple for the issues and saying that CrowdStrike will have to fix their code in the absence of a patch from Apple. SentinelOne has also issued a statement urging users not to update their endpoints to Sequoia until they have a “supported SentinelOne Agent.” It is not unusual for early adopters of new Apple operating systems to experience growing pains in the first months after an update, but this particular version seems to have security implications that previous systems have not. Read more.

Ivanti Cloud Appliance vulnerability

A critical vulnerability (CVE-2024-8963) has been discovered in Ivanti’s Cloud Services Appliance (CSA) that is being actively exploited in cyberattacks. With a CVSS score of 9.4, the flaw allows “an attacker to bypass admin authentication and execute arbitrary commands on the appliance” when combined with another vulnerability (CVE-2024-8190). Instances of these flaws being chained indicate that the threat actors leveraging them can “achieve code execution on susceptible devices.” Ivanti recommends users upgrade to CSA version 5.0, as version 4.6 is at the end of its life and is no longer supported. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply urgent fixes by October 10, 2024. Read more.

Chinese engineer charged for cyber espionage campaign

39-year-old Chinese national Song Wu has been charged with 14 counts of wire fraud and 14 counts of aggravated identity theft for carrying out a spear-phishing campaign targeting data from NASA, research universities, and private organizations from January 2017 through December 2021. The charges carry a maximum sentence of 20 years per wire fraud count and a two-year consecutive sentence for aggravated identity theft. Song was employed at Beijing-based Aviation Corporation of China (AVIC), a state-owned aerospace and defense conglomerate sanctioned by the US. Song allegedly created accounts designed to mimic US-based researchers and used them to spear-phish others in the industry and obtain proprietary data. “Once again, the FBI and our partners have demonstrated that cybercriminals worldwide seeking to steal our companies’ most sensitive and valuable information can and will be exposed and held accountable,” said Keri Farley, Special Agent in Charge of FBI Atlanta. Read more.

Temu denies breach after 87 million data records posted

A threat actor on BreachForums claims to have 87 million customer records from Temu up for sale and is providing a sample of said data to prove its validity. The data is said to include usernames, IDs, IP addresses, full names, birth dates, gender, addresses, and hashed passwords. Temu denies the breach, saying they “conducted a comprehensive investigation into the alleged data breach and can confirm that the claims are categorically false… Not a single line of data matches our transaction records.” The company also threatens legal action against “those responsible for spreading false information and attempting to profit from such malicious activities.” BleepingComputer, having been in touch with the threat actor, reports that the individual insists the stolen data is legitimate. Read more.

US sanctions Predator spyware developer Intellexa

In the US government’s continued effort to pressure the commercial spyware industry, new financial sanctions have been imposed against five individuals and a corporate entity associated with Intellexa, the developer of Predator spyware. Predator allows the deployer full access to a victim’s compromised phone, including data regarding their real-time location and private messages. Nearly invisible when installed, Predator is alleged to have been sold to authoritarian governments to spy on citizens, dissidents, journalists, opposing politicians, and US government officials. To an extent, the pressure seems to be working. According to TechCrunch, several people within the spyware industry have become concerned about repercussions they may face as this crackdown continues. Read more.

Windows flaw allows info stealer malware attacks

US federal agencies have been issued an order from CISA to update their systems against a Windows MSHTML spoofing zero-day bug (CVE-2024-43461) that was recently patched. Exploited by the Void Banshee APT hacker group, chaining CVE-2024-43461 and CVE-2024-38112 “enables remote attackers to execute arbitrary code on unpatched Windows systems by tricking the targets into visiting a maliciously crafted webpage or opening a malicious file.” Observed attacks saw hackers using CVE-2024-43461 exploits to “deliver malicious HTA files camouflaged as PDF documents. To hide the .hta extension, they used 26 encoded braille whitespace characters (%E2%A0%80).” Read more.
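The extension-hiding trick quoted above (a .pdf label, a run of Braille Pattern Blank characters, then the real .hta suffix) is easy to check for on the defensive side. The following is an added example, not code from the article or from any vendor mentioned in it: it percent-decodes a filename, counts invisible padding, recovers both the extension a user would see and the extension Windows actually uses, and flags the mismatch. U+2800 is the code point the article names; the other blank code points and the executable-extension list are assumptions added for breadth.

```python
import re
from urllib.parse import unquote

# Code points that render as blank but are not ASCII spaces. U+2800 (Braille
# Pattern Blank, "%E2%A0%80") is the one from the Void Banshee reports; the rest
# are assumptions added so the check covers similar padding.
INVISIBLE = {"\u2800", "\u00a0", "\u2007", "\u202f", "\u3000", "\u200b"}
PAD_RUN = "[" + "".join(sorted(INVISIBLE)) + "]+"

# Extensions Windows hands to an interpreter on double-click (assumed list).
EXECUTABLE_EXTS = {".hta", ".js", ".jse", ".vbs", ".wsf", ".exe", ".scr", ".lnk"}

# Constructed sample in the shape the article describes: PDF label, 26 encoded
# braille blanks, then the real HTA extension.
SAMPLE_HTA = "Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta"


def inspect_filename(raw: str) -> dict:
    """Return what a user sees vs. what the OS will execute for one filename."""
    name = unquote(raw)                      # names often arrive percent-encoded
    padding = sum(1 for ch in name if ch in INVISIBLE)

    # Real extension: the last dot-suffix once invisible padding is removed.
    clean = "".join(ch for ch in name if ch not in INVISIBLE)
    real_ext = clean[clean.rfind("."):].lower() if "." in clean else ""

    # Shown extension: the dot-suffix that sits right before a padding run,
    # i.e. the part a truncating file dialog or mail client displays.
    m = re.search(r"(\.[A-Za-z0-9]{1,5})" + PAD_RUN, name)
    shown_ext = m.group(1).lower() if m else real_ext

    suspicious = padding > 0 and real_ext in EXECUTABLE_EXTS and shown_ext != real_ext
    return {"name": clean, "padding": padding, "shown_ext": shown_ext,
            "real_ext": real_ext, "suspicious": suspicious}


if __name__ == "__main__":
    for candidate in (SAMPLE_HTA, "quarterly_report.pdf"):
        print(inspect_filename(candidate))
```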

Apple drops case against NSO Group

Apple has voluntarily moved to dismiss its case against Israel-based spyware maker NSO Group. It gives two reasons: pressure from international governments and the industry on spyware vendors has “substantially weakened” the defendant, and the company is concerned that information revealed about its security features during the case would be used against it. Citing the volatile and dynamic nature of the spyware industry, with companies operating under different names to avoid regulations and continue to spread and upgrade their products, Apple worries that the information presented in court will find its way to other vendors and be used to enhance their software. Predator spyware, for example, has resurfaced with more evasion features and better infrastructure despite the company behind it being sanctioned. Read more.

X account security cannot prevent takeover

Researchers at eSentire’s Threat Research Unit (TRU) have discovered that threat actors can hack X accounts even if those accounts have two-factor authentication set up. They are warning that X’s security features, which allow users to use SMS codes or an authenticator app to get into their accounts, can be bypassed by hackers “either through an adversary-in-the-middle (AiTM) attack, intercepting or tricking users into revealing their authentication codes or through SIM swapping. This redirects the authentication code to the attacker’s phone.” Threat actors on X are taking over high-profile accounts and using them to promote crypto scams or phishing links to their thousands of followers on the platform. According to TRU researcher Spence Hutchinson, how X lets people use SMS codes or authenticator apps undermines the use of security keys and passkeys. Read more.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
