November 11, 2024

News roundup November 11, 2024

SAN MATEO, CA, November 11, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.

Hackers send fraudulent data requests to tech companies

A public notice from the FBI warns that threat actors are obtaining private user information from U.S.-based tech companies by sending legitimate-looking but fraudulent emergency data requests from compromised government and police email addresses. “In some cases, the requests cited false threats, like claims of human trafficking and, in one case, that an individual would ‘suffer greatly or die’ unless the company in question returns the requested information.” The FBI’s notification details specific instances in which these requests were made and provides a timeline of the events. It also includes mitigation recommendations, such as practicing good password hygiene, having recovery plans in place in the event of a disruption, and applying “critical thinking” to any law enforcement request received, since a message arriving from a real government domain is no longer proof that the request is genuine. Read more.

Bugs in Mazda Connect allow hackers to install malware

Mazda car models fitted with the Mazda Connect infotainment unit are affected by six vulnerabilities, according to a report from Trend Micro. Among them are command injection flaws that could let a threat actor “obtain unrestricted access to vehicle networks, potentially impacting the car’s operation and safety.” The vulnerabilities are currently unpatched. Exploitation requires physical access to the vehicle, but all an attacker needs is to plug a USB device into the unit, which takes only moments while the car is at a workshop or dealership or is being parked by a valet. By exploiting one particular vulnerability, “a threat actor could install a malicious firmware version and gain direct access to the connected controller area networks (CAN buses) and reach the vehicle’s electronic control units (ECUs) for the engine, brakes, transmission, or powertrain.” Read more.

Personal data of 500,000 Ohio residents stolen

In a filing with Maine’s attorney general, the City of Columbus has stated that a “foreign cyber threat actor” stole the data of 500,000 Ohio residents in a July ransomware attack. The stolen information included names, birth dates, addresses, identification documents, Social Security numbers, and bank account details. The Rhysida ransomware gang has taken credit for the attack, claiming in August that it took 6.5 terabytes of data from the city, including “databases, internal logins and passwords of employees, a full dump of servers with emergency services applications of the city and … access from city video cameras.” The group demanded $1.9 million in Bitcoin as a ransom. While Columbus mayor Andrew Ginther said that the stolen data was likely “corrupted” and “unusable,” the personal data of hundreds of thousands of Columbus residents has since been listed on the dark web. Read more.

SteelFox malware hijacks Windows PCs

SteelFox is a new malware bundle that mines cryptocurrency, steals credit card data, and elevates its privileges using the “bring your own vulnerable driver” (BYOVD) technique, in which a legitimately signed but exploitable driver is loaded so that the malware can act with kernel-level access. Distributed through forums and torrent trackers, SteelFox masquerades as a crack tool that activates legitimate software for free. The crack does what it advertises, but the dropper that carries it also installs SteelFox on the victim’s system. Kaspersky discovered SteelFox in August, but the malware has been circulating since February 2023. “SteelFox attacks do not have specific targets but appear to focus on users of AutoCAD, JetBrains, and Foxit PDF Editor. Based on Kaspersky’s visibility, the malware compromises systems in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka.” Read more.
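The BYOVD step is what makes SteelFox worth a second look from the detection side: the driver it loads is validly signed, so a signature check alone will never flag it, and the useful signals are the driver's hash and where it was loaded from. The Python below is an added example, not Kaspersky's code or anything from the original article. It triages constructed Sysmon-style DriverLoad (Event ID 6) events; the JSON field names, the placeholder hash list and the user-writable-path heuristic are assumptions made for the example.

```python
"""Triage Sysmon-style DriverLoad events for BYOVD indicators.

Added example, not code from Kaspersky or the original article. Events are a
constructed, simplified JSON rendering of Sysmon Event ID 6 (DriverLoad);
KNOWN_VULNERABLE_SHA256 holds placeholder digests, not real driver hashes.
"""
from __future__ import annotations

import json
import re

# Placeholder for a curated list of signed-but-exploitable drivers (for real
# use, feed it the hashes from a maintained source such as loldrivers.io).
KNOWN_VULNERABLE_SHA256 = {
    "a" * 64,  # constructed placeholder digest
}

# Kernel drivers are normally installed under %SystemRoot%; a load from a
# user-writable location is a strong hint that a user-mode dropper wrote it.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(?:Users|Windows\\Temp|ProgramData)\\", re.IGNORECASE
)


def parse_hashes(field: str) -> dict[str, str]:
    """Turn Sysmon's 'SHA256=...,MD5=...' field into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def triage_driver_load(event: dict) -> list[str]:
    """Return the reasons a DriverLoad event looks like BYOVD (empty if none).

    A BYOVD driver is typically *validly* signed, which is exactly why it
    loads; a good signature therefore never clears an event here, it only
    fails to add a reason.
    """
    reasons = []
    digest = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if digest in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches known-vulnerable driver list")
    if USER_WRITABLE.match(event.get("ImageLoaded", "")):
        reasons.append("driver loaded from user-writable path")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("driver is unsigned")
    elif event.get("SignatureStatus") != "Valid":
        reasons.append("driver signature is not valid")
    return reasons


def triage_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run the triage over newline-delimited JSON, skipping non-driver events."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("EventID") != 6:
            continue
        reasons = triage_driver_load(event)
        if reasons:
            findings.append((event.get("ImageLoaded", "?"), reasons))
    return findings


# Constructed sample events: a normal driver, a signed driver dropped to %TEMP%
# whose hash is on the list, an unrelated process event, and an unsigned driver.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\hwmon.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\activator.exe",
     "CommandLine": "activator.exe --patch"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\custom.sys",
     "Hashes": "SHA256=" + "c" * 64, "Signed": "false", "SignatureStatus": "Unavailable"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for image, reasons in triage_log(SAMPLE_LOG):
        print(image, "->", "; ".join(reasons))
```

The second sample event is the SteelFox-shaped case: everything about the driver's signature is in order, and it is only the hash match and the load from a user profile directory that surface it. In production the same logic belongs in a SIEM rule keyed on Sysmon Event ID 6, with the hash list refreshed from a maintained source rather than hard-coded.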

Hacker linked to Snowflake data breaches arrested in Canada

Ian McLeod, a spokesperson for the Canadian Department of Justice, told TechCrunch in an email that “following a request by the United States, Alexander Moucka (a.k.a. Connor Moucka) was arrested on a provisional arrest warrant on Wednesday, October 30, 2024″ for his involvement in a series of Snowflake-related hacks. Dozens of companies that use Snowflake have had data stolen in a campaign that relied on passwords harvested from employee computers. Snowflake did not require MFA, so a stolen password alone was enough for the threat actors to log in to customer accounts and take vast amounts of data. Moucka’s alleged co-conspirator, John Binns, was arrested in Turkey earlier this year. The two are believed to be responsible for the campaign. Read more.

Winos4.0 malware targets Windows users via game apps

Winos4.0 is a new malicious software framework found embedded in game-related apps. Targeting Windows users, “this malware framework is a sophisticated variant derived from Gh0strat” that can “execute multiple actions remotely and provides attackers with extensive control over affected systems.” The malware gains initial access through game-related applications, installation tools, and performance boosters, and then “downloads a seemingly benign BMP file from a remote server, which extracts and activates the Winos4.0 DLL file. The malware’s first stage creates an environment to deploy additional modules. It establishes persistence on the infected machine by creating registry keys or scheduled tasks.” Winos4.0 functions much like a post-exploitation framework such as Cobalt Strike and can “receive commands and download modules to perform actions such as document management, screen capture, and environment monitoring, among other surveillance functions.” Read more.
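The loader stage described above turns on a file that passes as an image but actually carries the DLL. The roundup does not say how Winos4.0 packs the payload into the BMP, so the Python below is a generic check rather than a parser for that sample, and it is an added example, not Fortinet's code or anything from the original article. It builds three constructed bitmaps and looks for the usual carrier tricks: data appended after the pixel area, a header size that disagrees with the file, PE strings anywhere in the file, and pixel data with the byte distribution of ciphertext. The entropy threshold and the sample files are assumptions made for the example.

```python
"""Check whether a BMP is a payload carrier rather than just an image.

Added example, not code from Fortinet or the original article. The roundup
does not describe how Winos4.0 packs its DLL into the BMP, so this is a
generic check for common carrier tricks rather than a parser for that sample.
All sample files are constructed in code below.
"""
from __future__ import annotations

import math
import struct
from collections import Counter

# Assumption: ordinary bitmaps sit well below this; ciphertext and compressed
# data approach 8 bits/byte.
ENTROPY_THRESHOLD = 7.2
DOS_STUB = b"This program cannot be run in DOS mode"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_bmp(data: bytes) -> list[str]:
    """Return finding tags for a BMP buffer; an empty list means nothing suspicious."""
    findings = []
    if len(data) < 54 or data[:2] != b"BM":
        return ["not_bmp"]
    # BITMAPFILEHEADER: 'BM', bfSize, 4 reserved bytes, bfOffBits
    bf_size, bf_off_bits = struct.unpack_from("<I4xI", data, 2)
    # First 24 bytes of BITMAPINFOHEADER: biSize, width, height, planes, bpp,
    # compression, biSizeImage
    _, width, height, _, bpp, compression, _ = struct.unpack_from("<IiiHHII", data, 14)
    if bf_size != len(data):
        findings.append("size_mismatch")
    if compression != 0:
        # RLE/bitfield images have no fixed pixel size; only the header check applies.
        return findings
    stride = ((abs(width) * bpp + 31) // 32) * 4  # rows are padded to 4 bytes
    pixel_end = bf_off_bits + stride * abs(height)
    pixels = data[bf_off_bits:pixel_end]
    overlay = data[pixel_end:]
    if overlay:
        findings.append("overlay")
        if overlay[:2] == b"MZ":
            findings.append("pe_in_overlay")
    if DOS_STUB in data:
        findings.append("pe_strings")
    if shannon_entropy(pixels) > ENTROPY_THRESHOLD:
        findings.append("high_entropy_pixels")
    return findings


def build_bmp(width: int, height: int, pixels: bytes, overlay: bytes = b"",
              honest_size: bool = True) -> bytes:
    """Assemble a minimal 24-bit BI_RGB BMP (constructed test data).

    honest_size=False leaves bfSize claiming only the image, the way a lazy
    appender would; True updates it to cover the overlay as well.
    """
    stride = ((width * 24 + 31) // 32) * 4
    if len(pixels) != stride * height:
        raise ValueError("pixel buffer does not match width/height")
    offset = 14 + 40
    declared = offset + len(pixels) + (len(overlay) if honest_size else 0)
    file_header = b"BM" + struct.pack("<I4xI", declared, offset)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels + overlay


# Constructed samples: 64x64 24-bit images, 12288 pixel bytes each.
BENIGN = build_bmp(64, 64, bytes(12288))
# A DLL-shaped blob appended after the image; header still claims the old size.
APPENDED = build_bmp(64, 64, bytes(12288),
                     overlay=b"MZ" + b"\x90" * 100 + DOS_STUB, honest_size=False)
# Ciphertext written into the pixel area itself (uniform byte distribution).
ENCRYPTED = build_bmp(64, 64, bytes(range(256)) * 48)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("appended", APPENDED), ("encrypted", ENCRYPTED)):
        print(f"{name}: {inspect_bmp(blob) or 'clean'}")
```

A carrier that fixes up bfSize and stores an encrypted payload in the pixel area defeats the first three checks and is caught only by the entropy test, which is why that check is kept even though it is the noisiest; on real images, tune the threshold against a corpus of legitimate bitmaps before alerting on it.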

Schneider Electric reports third cyberattack in under two years

Multinational energy management company Schneider Electric has reported that it was the victim of an attack by a new ransomware group calling itself Hellcat. The attackers claim to hold over 40 GB of data from the company’s JIRA platform, “including projects, issues, and plugins, along with over 400,000 rows of user data,” but did not elaborate further on what they stole. This is the third time a ransomware group has hit the company in the last 18 months. The attackers’ ransom demand reads: “To secure the deletion of this data and prevent its public release, we require a payment of USD$125,000 in Baguettes. Failure to meet this demand will result in the dissemination of the compromised information.” The note adds that publicly “stating the breach” will halve the demand, and it calls out the company’s CEO by name. Read more.

MFA mandatory on Google Cloud by the end of 2025

To enhance security, Google has announced that multi-factor authentication will become mandatory on all Google Cloud admin and user accounts. According to the company’s statement, the new requirement will roll out to all users worldwide. “To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments.” The rollout will consist of three phases: messaging that encourages users to enable MFA, a requirement for accounts that sign in with a password, and finally a mandate covering all users, including those signing in through a federated identity provider, by the end of 2025. “The tech giant cites research from CISA showing that MFA makes users 99% less likely to get hacked and notes that its own data corroborates the U.S. government agency’s findings.” Read more.

ToxicPanda malware targets users with fake money transfers

ToxicPanda is a new Android malware strain that lets threat actors initiate fraudulent banking transactions from the victim’s own device. It has already infected over 1,500 devices. “ToxicPanda’s main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud (ODF),” Cleafy researchers Michele Roviello, Alessandro Strino, and Federico Valentini said in a Monday analysis. “It aims to bypass bank countermeasures used to enforce users’ identity verification and authentication, combined with behavioral detection techniques applied by banks to identify suspicious money transfers.” Because the transfer originates from the customer’s real phone, device fingerprinting and location-based fraud checks see nothing unusual. The malware is distributed through counterfeit pages that mimic app store listings and masquerades as popular apps such as Google Chrome, Visa, and 99 Speedmart. Read more.

Fake invoices sent with DocuSign’s Envelopes API

Threat actors are sending fake invoices that impersonate reputable companies such as Norton and PayPal. Because the documents are created and delivered through DocuSign’s Envelopes API, they arrive from DocuSign’s own infrastructure and pass the usual sender checks, which makes them appear legitimate. The scam aims to have victims e-sign the documents, which the attackers can then use to “authorize payments independently from the company’s billing departments.” Wallarm security researchers warn that the payment amounts in the invoices are kept realistic so as not to raise any red flags. The attacks appear to be automated at large scale, and those on the receiving end are frustrated that no remedy is available to them beyond blocking the domain. Read more.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
