
Cybersecurity news weekly roundup July 1, 2024

SAN MATEO, CA, July 1, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Apple AirPod eavesdropping exploit patched

Apple has patched a troubling authentication issue affecting AirPods and Beats earbuds. CVE-2024-27867 is a bug that could allow a threat actor to eavesdrop on victims through their earbuds. “When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones,” said Apple. This means that someone with malicious intent close to a victim could listen in on their private conversations. Users of Apple’s headphones are urged to update their devices to the newly released firmware to prevent the possibility of the exploit being used against them.

Russian national charged by US for Ukraine hack

Amin Timovich Stigal, a 22-year-old Russian national, has been charged by the US Department of Justice for “hacking into and destroying the Ukrainian government’s computer systems and data ahead of the Russian invasion in February 2022.” Stigal’s targets include the Ukrainian government’s IT systems and networks in countries that support Ukraine, including the US. FBI Deputy Director Paul Abbate said Stigal “attempted to leverage malware to aid the Russian military in the invasion of Ukraine. Today’s indictment demonstrates the FBI’s unwavering commitment to combat malicious cyber activities by our adversaries.” Stigal could be sentenced to five years in prison if convicted. His whereabouts are unknown, but a $10 million reward from the US State Department for information leading to his location or activity seems likely to result in him being found.

LockBit lies about stolen data

LockBit, under pressure to regain its standing in the hacking community, has claimed to have stolen 33 terabytes of data from the US Federal Reserve. However, when the group began posting the data online, cyber sleuths determined that it had lied about the data’s origin: the data is associated with Evolve Bank & Trust, an individual bank that the Federal Reserve had penalized in the past for deficiencies in how it complied with anti-money-laundering regulations. LockBit’s false claim has been described as “a desperate bid for relevance” as the outfit continues to fall from grace after succumbing to a takedown by international authorities and the alleged outing of its lead administrator. Unfortunately, some media outlets reported that the Fed had been hacked before confirming with the institution whether or not the group’s statements were true.

Chinese and North Korean spies destroying evidence

A number of ransomware attacks carried out against government and critical infrastructure sectors around the globe from 2021 to 2023 have been attributed to threat actors believed to be sponsored by the Chinese and North Korean governments. According to a joint report from SentinelOne and Recorded Future, the activity originates from a group called ChamelGang and another cluster whose actions overlap with attacks already attributed to state-sponsored groups. “Threat actors in the cyber espionage ecosystem are engaging in an increasingly disturbing trend of using ransomware as a final stage in their operations for financial gain, disruption, distraction, misattribution, or removal of evidence,” the report says, indicating that threat actors are using ransomware attacks to cover their tracks after spying.

MOVEit Transfer under active exploitation again

It’s been a rough year for Progress Software MOVEit Transfer, as another recently disclosed vulnerability is under active attack. According to the company, CVE-2024-5806 is an “improper authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.” Researchers at Rapid7 say there are three prerequisites for hackers to exploit the bug: “Attackers need to have knowledge of an existing username, the target account can authenticate remotely, and the SFTP service is publicly accessible over the internet.” WatchTowr Labs has described the flaw as “comprising two separate vulnerabilities, one in Progress MOVEit and the other in the IPWorks SSH library.” Users are urged to update their instances immediately to prevent intrusion.

FBI warns crypto victims of phony law firm scams

Cryptocurrency theft victims are being hit with a double whammy from scammers posing as lawyers able to help them recover their funds. Claiming to have heard of the victim’s case from the FBI or another government agency, the scammers offer their services and say they have the authorization to assist. Once they trick a target into believing them, they’ll ask for personal data needed to “help them recover funds,” request that they pay upfront legal fees, or request that they pay back taxes. The FBI has issued a public service announcement regarding this tactic, reporting that crypto victims have lost almost $10 million over the last year to fraudsters.

Julian Assange heads to Australia after release

Julian Assange, the founder of WikiLeaks, has been released from a maximum security UK prison after serving over five years for his role in what the US government describes as one of the “largest compromises of classified information” known. Assange pleaded guilty to one count of conspiring to obtain and disclose classified US national defense documents and is “due to be sentenced to 62 months of time already served in the Pacific island of Saipan later this week.” Assange has reached a plea deal with the US Department of Justice, thanks to a “global campaign that spanned grass-roots organizers, press freedom campaigners, legislators and leaders from across the political spectrum, all the way to the United Nations.” The Department of Justice is believed to have accepted negotiations because Assange had already served more prison time than others charged with the same type of offense.

Hackers create rogue WordPress admin accounts

Several WordPress plugins have been compromised, allowing a threat actor to create admin accounts that can then be used to perform arbitrary actions. According to Wordfence, “the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server… In addition, the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website.” The source of the campaign remains unknown, as does how the attackers were able to backdoor the plugins. Affected plugins include Social Warfare, Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks.

CISA warns chemical facilities of breach

CISA has reported that its Chemical Security Assessment Tool (CSAT) was compromised, warning chemical facilities that they may have had sensitive information stolen. A zero-day exploit within an Ivanti Connect Secure device was leveraged to gain access to CSAT in late January 2024. An investigation into the incident by CISA “revealed that a malicious actor installed an advanced webshell on the Ivanti device. This webshell was capable of executing malicious commands or writing files to the underlying system.” There is no evidence to suggest data was exfiltrated, but individuals who had their personally identifiable information within the system could have had their data accessed. CISA has recommended that anyone with a CSAT account change their password.

12 Kaspersky Lab execs sanctioned by US

The US Treasury Department’s Office of Foreign Assets Control (OFAC) has singled out 12 Kaspersky Labs executives for their involvement in the tech sector of the “Russian Federation economy” and sanctioned them. This follows the announcement of a ban on the sale of Kaspersky’s antivirus software in the US. As per Executive Order 14024, “to operate or have operated in the technology sector or the defense and related materiel sector of the Russian Federation economy, or any other sector of the Russian Federation economy as may be determined by the Secretary of the Treasury” can result in sanctions. The individuals sanctioned have had their US assets frozen until the sanctions are lifted.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.