
Cybersecurity news weekly roundup July 29, 2024

SAN MATEO, CA, July 29, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.

Spytech “stalkerware” developer breached

Spytech, a Minnesota-based developer of spyware including RealtimeSpy and SpyAgent, has been breached, revealing that more than 10,000 devices around the globe are surveilled remotely. The breached data contains “detailed device activity logs from the phones, tablets, and computers Spytech monitors, with some of the files dated as recently as early June.” Spytech’s products, often called “stalkerware,” are generally marketed towards parents wanting to supervise their children. However, this kind of software may also be used illegally to keep tabs on domestic partners, opening up the possibility of abuse. Spytech has not commented on whether or not it will notify users, the owners of monitored devices, or state authorities of the breach. Read more.

Cybersecurity firm tricked into hiring fake IT worker

Cybersecurity awareness training company KnowBe4 reported it was tricked into hiring an IT worker who was a cover for North Korean hackers. The fraud involved using an AI-enhanced stock photo and a stolen US-based identity, which passed background checks and video interviews during the hiring process. The newly employed remote worker immediately got to work using a KnowBe4-provided Mac workstation to “manipulate session history files, transfer potentially harmful files, and execute unauthorized software.” KnowBe4’s security team detected the activity quickly, and when contacted, the remote worker initially said he may have triggered a warning while attempting to troubleshoot his router, then stopped responding. “The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs,” said KnowBe4’s president. Read more.

CrowdStrike crash due to “buggy security content update”

A preliminary Post Incident Review (PIR) from CrowdStrike indicates that a “defect in a Rapid Response Content configuration update” was the cause of a worldwide outage that resulted in the disruption of airports, hospitals, and other organizations. These updates are part of CrowdStrike’s methodology to deliver new content to its software and “respond to the changing threat landscape at operational speed.” The report states that the update contained “problematic content” that “when received by the sensor and loaded into the Content Interpreter” resulted in a Windows operating system crash. The company has also turned to social media to explain how the outage happened and apologize to customers still reeling from the fallout. Read more.

Malware distributor using 3,000+ GitHub accounts

A group known as Stargazer Goblin has used over 3,000 fake GitHub accounts to distribute information-stealing malware through a service called Stargazers Ghost Network. This operation uses GitHub repositories and compromised WordPress sites to distribute password-protected malware archives, often including infostealers like RedLine and Lumma Stealer. These fake accounts enhance legitimacy by starring, forking, and subscribing to malicious repositories. GitHub has removed over 1,500 malicious repositories since May 2024, but the operation continues distributing malware via over 200 existing fake accounts. Users are advised to be cautious with links that lead directly to GitHub repositories. Read more.

Ukraine heating shutdown caused by cyberattack

In January 2024, a cyberattack using a new malware dubbed FrostyGoop disrupted heating for over 600 apartment buildings in Lviv, Ukraine, for nearly 48 hours. Security researchers from Dragos identified the malware, which targets industrial control systems via the Modbus protocol, a protocol that has been widely used in industrial environments for decades. Dragos reported that hackers exploited a vulnerability in a Mikrotik router to infiltrate the municipal energy company’s network. Once inside, they manipulated the controllers, causing them to report inaccurate data and shut down the heating systems for two days. During this period, affected residents had to endure sub-zero temperatures. The attackers maintained access to the network for nearly a year before executing the attack, which Dragos believes was conducted from Moscow-based IP addresses. Read more.

Teenager arrested following cyberattack on MGM Resorts

UK police arrested a 17-year-old youth from Walsall in connection with last year’s ransomware attack on MGM Resorts. The unnamed teenager is suspected of being involved with a global hacking community responsible for multiple ransomware attacks, including the one that crippled MGM’s operations in September 2023. The attack significantly disrupted MGM’s services, affecting its computer systems, ATMs, slot machines, and other amenities for over nine days. The teen’s arrest is part of a larger campaign targeting a loosely organized cybercrime ecosystem known as “Scattered Spider.” Authorities confiscated several digital devices from the suspect’s home, which are now undergoing forensic examination. The teenager was released on bail while investigations continue. Read more.

Play ransomware now targets VMware ESXi environments

The Play ransomware group has developed a new Linux variant targeting VMware ESXi virtual machines (VMs). Trend Micro discovered this variant, which was designed to check if it operates within an ESXi environment via ESXi-related commands before executing its malicious activities. If it determines that it is not in the proper environment, it self-terminates. If the environment is suitable, it powers off all VMs, encrypts VM files, and appends the “.PLAY” extension to them. Lastly, a ransom note is displayed in the ESXi client login portal and the root directory. This expansion of Play’s capabilities reflects a growing trend among ransomware groups focusing on ESXi VMs due to their critical role in enterprise data storage and application hosting. Read more.

Russian hacktivists sanctioned after US water breach

The US Treasury has sanctioned two Russian cybercriminals, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, for targeting critical infrastructure. Both are members of the hacktivist group Cyber Army of Russia Reborn (CARR), which has conducted cyberattacks since 2022. Pankratova is the group’s alleged leader, taking charge of their operations and acting as their official spokesperson, while Degtyarenko is believed to be CARR’s primary hacker. CARR has escalated its Ukraine-focused DDoS attacks to target industrial systems, including manipulating a water treatment facility in Texas. Despite not causing major damage, the group poses significant risks. The sanctions block US-based assets and prohibit transactions with the individuals, aiming to disrupt their activities and deter others. Read more.

Phony CrowdStrike fixes infect companies with malware

In the fallout and desperation following the CrowdStrike update glitch, threat actors are swooping in to trick businesses into downloading fake fixes that instead infect their systems with malware, remote access tools, and data wipers. CrowdStrike advises customers to verify that they only communicate with official CrowdStrike representatives. The UK National Cyber Security Centre warned users that an increase in phishing scams impersonating the company is already being observed. One such campaign has sent messages instructing victims to approve a “mandatory download” required to “avoid connection and synchronization errors to the company’s internal network.” The download, however, contains the Remcos RAT. Read more.

Massive Chinese organized crime network uncovered

According to The Hacker News, a Chinese organized crime syndicate has used an “advanced technology suite” to run its entire cybercrime operation. The maintainer of the suite, “Vigorish Viper,” has a history of involvement in pig butchering and illegal gambling. Over the last two years it has changed its name and been absorbed into another entity called “Ponymuah.” The enterprise uses front companies to secure sponsorship deals with European football clubs and Indian cricket and kabaddi teams, then uses the funds to advertise illegal gambling sites on websites associated with the phony brands. According to Infoblox, the organization that uncovered Vigorish Viper’s operation, it is “a vast network of over 170,000 active domain names, evading detection, and law enforcement through its sophisticated use of DNS CNAME traffic distribution systems.” Despite providing criminal infrastructure used for everything from human trafficking to illegal streaming, Vigorish Viper appears to be operating in China “without meaningful consequences.” Read more.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.