May 13, 2024

Cybersecurity news weekly roundup May 13, 2024

SAN MATEO, CA, May 13, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

US government calls on Microsoft president to testify

Significant security shortcomings at Microsoft have prompted the leaders of the House Homeland Security Committee to request that Microsoft’s President Brad Smith testify before their panel on May 22. The panel is responding to the company’s inability to provide adequate protections within the cloud platforms and software used by US government agencies, described as a “cascade of failures” by a recent Cyber Safety Review Board (CSRB) report. “While Microsoft’s cooperation with the CSRB’s investigation was encouraging, the numerous failures revealed in the report led to serious threats to our homeland and must be fully examined by this Committee,” said Chairman Mark Green. “We believe recent events have undermined that trust and must be fully examined by this Committee,” he continued. “We look forward to the company’s cooperation as we work to increase the security and the resilience of our federal networks.” Microsoft has yet to commit to the hearing date. Read more.

Zero-day flaw in Chrome under active exploitation

A security update for Google Chrome addresses a zero-day flaw under active exploitation by threat actors in the wild. The high-severity bug, tracked as CVE-2024-4671, is a “case of use-after-free in the Visuals component.” Use-after-free bugs occur when a program “references a memory location after it has been deallocated” and can lead to a wide range of issues, including crashes and arbitrary code execution. Google has not provided details on how the bug is abused, simply stating that “Google is aware that an exploit for CVE-2024-4671 exists in the wild.” This flaw is the second zero-day bug within Chrome that Google has addressed thus far in 2024. Read more.

City of Wichita ransomware attack claimed by LockBit

Wichita, Kansas, has been reeling due to the disruption caused by a May 5 ransomware attack that shut down the city’s IT systems. The LockBit ransomware gang, itself reeling from a highly disruptive law enforcement campaign that saw authorities take over much of its infrastructure and sanction the group’s leader, has added Wichita to their extortion portal with a deadline of May 15th. If the gang’s demands are not met by that date, they threaten to publish all files stolen in the attack. The speed at which the group took credit for the attack is unusual, since ransomware attackers typically seek to negotiate first. This leads experts to suspect that LockBit may have expedited this victim as revenge in light of recent law enforcement disruptions that have tarnished its reputation. Many public services in Wichita remain unavailable. Read more.

Tech companies pledge to prioritize cybersecurity

CISA’s campaign to urge tech companies to build safer, more secure devices and products seems to have made some ground, as over 60 private-sector businesses, including Google, Microsoft, and Amazon, have pledged to prioritize cybersecurity. In addition to the big players in tech, dozens of software and hardware developers have also signed on to the commitment at an event hosted by CISA. While the pledge is entirely voluntary, CISA officials claim to be committed to checking in on the progress made by signees over the next year. “There is a real urgency that everybody in this room not only feels but is highly aware of, and it is all about developing new and retrofitting older technologies and software with security as a core consideration,” CISA Director Jen Easterly said. Read more.

LockBit ransomware administrator identified and sanctioned

“LockBitSupp,” the notorious operator of the LockBit ransomware operation, has been identified and heavily sanctioned by the FBI, the UK National Crime Agency, and Europol. Confirmed to be Russian national Dmitry Yuryevich Khoroshev, the 31-year-old developer has reportedly raked in $100 million through the gang’s activities and resides in Voronezh, Russia. The US is offering a $10 million reward for information leading to Khoroshev’s arrest. Ironically, this is the exact amount that Khoroshev offered to anyone who could prove they could identify him. The sanctions placed on him will significantly disrupt LockBit’s functionality, as any organization paying a ransom could now face government fines for defying them. Read more.

LiteSpeed Cache plugin bug puts WordPress sites at risk

LiteSpeed Cache, a WordPress plugin with more than 5 million active installations, has a high-severity flaw that threat actors are actively exploiting to create rogue admin accounts. The flaw was addressed in an October 2023 update, but unpatched and vulnerable versions of LiteSpeed Cache are present on 16.8% of all websites. The bug was not officially disclosed until February 2024. Creating bogus admin accounts on a WordPress site allows an individual to gain complete control over the website. They can then lock out legitimate users, use the site to host malware, or perform harmful actions. LiteSpeed Cache users are urged to update to the latest version immediately. Read more.

GitLab security flaw allows account takeover

CISA warns of a severe flaw within GitLab that can allow threat actors to send password reset emails to an address of their choice, thereby gaining administrative privileges and locking out the legitimate owner if they so choose. The flaw, CVE-2023-7028, has been added to CISA’s Known Vulnerability Catalog as a “GitLab Community and Enterprise Editions Improper Access Control Vulnerability.” The flaw has received the agency’s top CVSS vulnerability severity score of 10 out of 10. Researchers caution that an exploit for the bug is available publicly and that the “bar of entry for the exploit is low, implying less skilled hackers can exploit this issue.” Experts say that one of the best ways to defend against this type of attack is to have multi-factor authentication. Read more.

North Korean hackers pose as journalists

The FBI, the US Department of State, and the National Security Agency have reported that a North Korean hacker group called Kimsuky is “exploiting poorly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) protocols to pose as legitimate journalists, academics or other experts in East Asian affairs with credible links to North Korean policy circles.” The threat actors intend to access the documents, research, and communications of policy analysts and experts to allow Pyongyang insight into the intelligence of countries deemed adversarial. Efforts are highly targeted, with Kimsuky threat actors using fake usernames and actual domains to impersonate trusted individuals associated with organizations such as think tanks and universities. Read more.

LockBit’s seized site used for press releases

The website international law enforcement agencies seized from LockBit has been converted into a bulletin board for news related to the ongoing investigation into the group. One headline, “Who is LockBitSupp?” implied that further information about who was behind LockBit would be forthcoming. However, in a matter of days, the post changed to “We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with Law Enforcement.” Oddly, the site was shut down again, only to be revived without further details regarding LockBitSupp. The events leave experts speculating whether the posts were meant to pressure LockBit threat actors, were factual, or a combination of both. LockBit has struggled to regain its standing after being disrupted by law enforcement but continues to operate. Read more.

Apple Mac systems targeted by new Cuckoo spyware

Researchers have discovered a new information-stealing spyware infecting Intel and Arm-based Mac computers. Called “Cuckoo,” the malware’s means of distribution are not yet clear. However, “there are indications that the binary is hosted on sites like dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com that claim to offer free and paid versions of applications dedicated to ripping music from streaming services.” Cuckoo establishes persistence through a LaunchAgent and uses osascript to show victims a fake password prompt that allows threat actors to harvest credentials and gain administrative privileges. Cuckoo can capture “currently running processes, query for installed apps, take screenshots, and harvest data from iCloud Keychain, Apple Notes, web browsers, crypto wallets, and apps like Discord, FileZilla, Steam, and Telegram.” Read more.
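The two behaviours named above, a LaunchAgent for persistence and an osascript password dialog, both leave a footprint in the agent’s property list, which makes them easy to triage across a fleet. The script below is an added example for defenders and is not code from the roundup or from the researchers who analysed Cuckoo; it knows nothing about Cuckoo’s actual file names or labels, and both plists are constructed to show the benign and the suspect shape.

```python
"""Triage macOS LaunchAgent plists for the persistence pattern described
above: an agent that runs at login and calls osascript to pop a
credential prompt. Added example; both plists below are constructed."""
import glob
import os
import plistlib

# Constructed: a vendor-style updater that should score zero
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/Applications/Example.app/Contents/MacOS/updater</string>
</array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

# Constructed: runs at every login and drives osascript with a hidden-answer
# dialog, the generic shape of a fake password prompt
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.unknown.helper</string>
<key>ProgramArguments</key><array>
<string>/usr/bin/osascript</string>
<string>-e</string>
<string>display dialog "Enter your password" default answer "" with hidden answer</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Locations a signed vendor agent has no reason to launch from
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/",
                          "/Users/Shared/", "/private/var/folders/")
# Interpreters that, as the agent's first argument, deserve a look
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "perl", "curl"}


def triage_launch_agent(plist_bytes):
    """Return (score, findings) for one LaunchAgent plist; score is the
    number of suspicious traits, so 0 means nothing stood out."""
    d = plistlib.loads(plist_bytes)
    args = list(d.get("ProgramArguments") or [])
    if not args and "Program" in d:
        args = [d["Program"]]
    if not args:
        return 0, ["no Program/ProgramArguments: agent launches nothing"]
    findings = []
    exe = args[0]
    name = exe.rsplit("/", 1)[-1]
    if name in INTERPRETERS:
        findings.append(f"launches interpreter {name!r} directly")
    if exe.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"executable lives in user-writable path {exe}")
    joined = " ".join(str(a) for a in args).lower()
    if "display dialog" in joined and "hidden answer" in joined:
        findings.append("osascript password-style dialog in arguments")
    if d.get("RunAtLoad"):
        findings.append("RunAtLoad=true: runs at every login")
    if d.get("KeepAlive"):
        findings.append("KeepAlive set: relaunched if terminated")
    return len(findings), findings


def scan_launch_agents(directories=None):
    """Triage every plist under the usual per-user and system agent
    directories (or the directories given) and return {path: (score, findings)}."""
    if directories is None:
        directories = [os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchAgents"]
    results = {}
    for directory in directories:
        for path in glob.glob(os.path.join(directory, "*.plist")):
            with open(path, "rb") as fh:
                results[path] = triage_launch_agent(fh.read())
    return results


if __name__ == "__main__":
    for label, data in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        score, findings = triage_launch_agent(data)
        print(f"{label}: score {score}")
        for finding in findings:
            print(f"  - {finding}")
```

A score is only a prompt for a human look: plenty of legitimate agents set `RunAtLoad`, so the combination of traits (interpreter plus hidden-answer dialog plus login persistence) is what should raise the alert, not any single one. The `osascript`-driven prompt is worth checking on any Mac where a user reports an unexpected password dialog.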


Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
