March 25, 2024

Cybersecurity news weekly roundup March 25, 2024

SAN MATEO, CA, March 25, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

  1. Hotel doors can be unlocked using Unsaflok flaw
  2. More than 39K WordPress sites infected with scam redirects
  3. Russian nationals sanctioned by U.S.
  4. GitHub debuts A.I. tool to assist devs in fixing security bugs
  5. JetBrains TeamCity flaw results in cyberattack surge
  6. U.S. water systems must improve cybersecurity
  7. FCC adopts new label for secure IoT devices
  8. Earth Krahang APT breaches 70 organizations in 23 countries
  9. WordPress urges users to uninstall miniOrange
  10. Acoustic attack listens to keystrokes
  11. More cybersecurity news

Hotel doors can be unlocked using Unsaflok flaw

Millions of RFID locks installed in hotels and homes worldwide are vulnerable to a flaw that allows doors to be unlocked by forging a pair of keycards. Unsaflok is actually a series of vulnerabilities that can be chained together. By reverse engineering Dormakaba’s front desk software and lock programming device, hackers can create working master keys for a few hundred dollars or less. Two keys are required: one to rewrite the lock’s data and a second to unlock it. Dormakaba has been at work remedying this flaw, but replacing and upgrading all current locks is a challenging and complicated process. As a result, 64% of all locks remain vulnerable to this exploit. Read more.

More than 39K WordPress sites infected with scam redirects

Research from Sucuri has revealed a massive malware campaign that has compromised more than 39,000 WordPress sites, redirecting visitors to scam websites using malicious JavaScript injections. The campaign, called Sign1, employs attacks that “allow for arbitrary JavaScript and other code to be inserted, providing attackers with an opportunity to add their malicious code.” The malware “uses time-based randomization to fetch dynamic URLs that change every 10 minutes to get around blocklists.” It will not execute if a visitor has come from a major website such as Google, Yahoo, Facebook, etc., and can remain hidden for long periods by compromising legitimate plugins that do not require placing malicious code on any server files. Read more.

Russian nationals sanctioned by U.S.

Two Russian nationals, Ilya Andreevich Gambashidze and Nikolai Aleksandrovich Tupikin, and the companies they own have been sanctioned by the U.S. for engaging in cyber influence operations via Doppelganger, described by Meta as the “largest and the most aggressively-persistent Russian-origin operation.” Doppelganger manages a network of more than 60 websites posing as legitimate news sources in tandem with fake social media sites spreading misinformation through phony articles, some of which were to be generated by A.I. The fake sites mimic the look of the outlets they spoof, including links to legitimate ones and impersonated cookie consent pages. The two companies owned by Gambashidze and Tupikin are “responsible for providing [the Government of the Russian Federation] with a variety of services, including the creation of websites designed to impersonate government organizations and legitimate media outlets in Europe,” according to the U.S. Treasury. Read more.

GitHub debuts A.I. tool to assist devs in fixing security bugs

“Code scanning autofix” is the name of a new GitHub feature designed to help developers using Advanced Security avoid and patch flaws in their coding. “Powered by GitHub Copilot and CodeQL, code scanning autofix covers more than 90% of alert types in JavaScript, Typescript, Java, and Python, and delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing,” reports GitHub. However, the feature is imperfect, and any suggestions it makes should be carefully reviewed before being applied. “The system has incomplete knowledge of the dependencies published in the wider ecosystem,” the company noted. “This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name.” Read more.

JetBrains TeamCity flaw results in cyberattack surge

Flaws in JetBrains TeamCity software are under active exploitation, with criminals taking advantage of the bugs to “deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a Golang-based remote access trojan called Spark RAT.” The bug under attack, CVE-2024-27198, allows attackers to bypass authentication protocols to “gain administrative control over affected servers.” The recent disclosure of the flaw has resulted in an uptick in attacks against unpatched systems by threat actors connected to the BianLian and Jasmin ransomware families. TeamCity users are strongly encouraged to update their systems immediately to avoid compromise. Despite recent law enforcement pressure, ransomware attacks continue to be popular, lucrative, and extremely damaging to victimized organizations. Read more.

U.S. water systems must improve cybersecurity

The White House and the EPA are warning state governors across the U.S. that water and wastewater systems are being hit with cyberattacks, necessitating the bolstering of cybersecurity protocols. A letter to the nation’s governors states that, in many cases, “even basic cybersecurity precautions” are not in place at water facilities. The EPA is also setting up a task force to “identify the most significant vulnerabilities of water systems to cyberattacks.” U.S. public water systems have historically found it challenging to secure the finances and staff necessary for adequate cybersecurity. While recent attacks blamed on Iran and China have not had any effect on the safety or availability of drinking water, they highlight a critical vulnerability that has been difficult to address due to budgetary reasons and the blocking of EPA regulations through legal challenges. Read more.

FCC adopts new label for secure IoT devices

The U.S. Federal Communications Commission (FCC) has adopted a program that will allow “qualifying consumer smart device manufacturers to demonstrate that their product has met the FCC’s robust cybersecurity standards” by displaying a new “U.S. Cyber Trust” mark logo. Part of the Biden-Harris administration’s prioritization of cybersecurity, the program is designed to help consumers make safer purchases and incentivize manufacturers to build better security into their products. The FCC is set to oversee the program while “approved third-party label administrators managing activities such as evaluating production applications, authorizing use of the label and consumer education.” The program is voluntary, meaning it will largely be left to the manufacturers to determine if the market values cybersecurity in their products. Read more.

Earth Krahang APT breaches 70 organizations in 23 countries

Trend Micro researchers report that the Chinese threat group Earth Krahang has breached 70 organizations out of the 116 it targeted across 45 countries. The campaign has been in development since 2022, with most targets being government agencies. To hack victims, the group employs open-source tools to find vulnerabilities within public-facing servers and deploys spear-phishing emails to targeted victims to create backdoors used for espionage. Earth Krahang also “builds VPN servers on compromised public-facing servers using SoftEtherVPN to establish access to the private networks of their victims and further their ability to move laterally within those networks.” The threat group is believed to be working under Chinese company I-Soon as a cyber espionage task force. Read more.

WordPress urges users to uninstall miniOrange

WordPress administrators who use miniOrange’s Malware Scanner and Web Application Firewall plugins are being instructed to remove them from their sites due to the discovery of a major security bug. CVE-2024-2172 impacts the Malware Scanner and Web Application Firewall and “makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password.” The attacker can then perform whatever administrative tasks they need to “upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.” The developer closed both affected plugins on March 7, meaning users must find replacement options as they are no longer maintained. Read more.

Acoustic attack listens to keystrokes

A new acoustic side-channel attack can “deduce user input based on their typing patterns, even in poor conditions, such as environments with noise,” according to the Augusta University researchers who demonstrated it. By listening to the “distinctive sound emissions of different keystrokes and the typing pattern of users,” specialized software can gather a dataset from which to piece together what a specific person is writing from only the sound of them using a keyboard. The attack relies on a few factors that limit its effectiveness, such as requiring a sample of the target’s typing to build its dataset. While this unique type of attack is not yet ready for prime time, it illustrates a new vulnerability that may be used in tandem with malware for cyber espionage in the near future. Read more.

More cybersecurity news

Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
