SAN MATEO, CA, November 18, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.
U.S. government officials exposed to espionage
The FBI and CISA have released a joint advisory update on “a broad and significant cyber espionage campaign” affecting “multiple telecommunications companies” that has compromised customers’ data and private communications, including U.S. government officials. The hack was first discovered in October, with both Donald Trump and Kamala Harris’ presidential campaigns warned that their phones may have been hacked in the attack. The advisory did not call out who may be responsible for the campaign, but several media outlets named Salt Typhoon as the perpetrator and also listed Verizon, AT&T, and Lumen Technologies as targeted companies. Salt Typhoon, linked to China’s Ministry of State Security (MSS), is known for digging into telecom companies, government agencies, and critical infrastructure providers in North America and Southeast Asia. Organizations that believe they have been targeted are told to contact their local FBI Field Office or CISA. Read more.
Millions of private records leaked by Microsoft Power Pages
Microsoft Power Pages, the company’s low-code website-building platform, is one of many drag-and-drop site creators and has “served more than 100 million monthly active website users.” Power Pages supports role-based access controls that restrict which users can view data, but research at AppOmni has revealed that many sites using the platform aren’t implementing these security controls correctly, or at all. The result is that “vast swaths of sensitive information, from sites around the Web, are available right now to anyone who cares to look for it.” Power Pages displays warning banners to alert site owners to misconfigured security rules, but researchers have determined that users are simply ignoring them, likely because low-code platforms generally appeal to users with less technical expertise or cybersecurity awareness. Read more.
Decryptor released for victims of ransomware
The Romanian cybersecurity company Bitdefender developed and released a free decryptor designed for victims of ShrinkLocker ransomware. “The decryptor is the result of a comprehensive analysis of ShrinkLocker’s inner workings, allowing the researchers to discover a ‘specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks.’” ShrinkLocker has been primarily used to attack and extort victims in Mexico, Indonesia, and Jordan. Bitdefender began studying the ransomware after it was used against a healthcare company in the Middle East. ShrinkLocker is noteworthy because it is a simple ransomware variant written in VBScript, a language that Microsoft said is being deprecated, and because it exploits BitLocker to achieve encryption instead of using its own algorithm. Read more.
macOS users targeted by new RustyAttr trojan
Researchers at cybersecurity company Group-IB have identified a hacking technique that sees threat actors abusing “extended attributes for macOS files to deliver a new trojan that researchers call RustyAttr.” The malware was discovered in samples in the wild and studied by researchers who believe it is the work of the North Korean threat group Lazarus. No victims have been found yet, which the researchers believe indicates that Lazarus may be experimenting with RustyAttr to develop a new malware delivery tactic. To help evade detection, the malicious code is hidden in custom file metadata and PDF documents. The discovery is one of a handful of new malware strains and techniques that North Korean hacker gangs are weaponizing against macOS users. Read more.
Hot Topic data breach exposes nearly 57 million accounts
Have I Been Pwned (HIBP) is warning that a data breach affected Hot Topic, Box Lunch, and Torrid retailers and has exposed the personal information of 56,904,909 customer accounts. “According to HIBP, the exposed details include full names, email addresses, dates of birth, phone numbers, physical addresses, purchase history, and partial credit card data.” Claimed on BreachForums by a user named “Satanic,” the data has been posted for sale for $20,000. Hot Topic received an additional demand for $100,000 to take the listing down. According to Atlas Privacy, “the dataset contains 25 million credit card numbers encrypted with a weak cipher that’s easy to break using modern computers.” Hot Topic has yet to make any statement regarding the breach. Read more.
iOS 18.1 security feature auto-restarts and re-encrypts data
An unannounced feature in iOS 18.1 causes iPhones to restart after long idle periods to re-encrypt data and make it more difficult to access. The feature was discovered by law enforcement officers who saw suspects’ iPhones rebooting while in custody. The restart moves the device from the After First Unlock (AFU) state to the Before First Unlock (BFU) state, which makes the phone far more resistant to forensic phone unlocking tools. When an iPhone is unlocked using biometric data or a PIN, iOS loads the encryption keys into memory, allowing files to be automatically decrypted when accessed. A reboot, however, puts the phone in a state where the encryption keys are no longer held in memory, which prevents criminals or law enforcement from using exploits to bypass the Lock Screen. Read more.
Zero-day Citrix bug allows for remote code execution
Citrix’s Session Recording Manager has been found to have a zero-day vulnerability that could allow a threat actor to engage in unauthenticated remote code execution, resulting in data theft, desktop takeover, and lateral movement. The bug does not currently have a CVE or CVSS score and “resides in Citrix’s Session Recording Manager, which, as its name implies, records user activity, including keyboard and mouse inputs, websites visited, video streams of desktop activity, and more.” The feature uses BinaryFormatter, which is known to be insecure. Microsoft, the developer of BinaryFormatter, has stated that applications should stop using it as it is impossible to secure. There is currently no evidence that this Citrix vulnerability has been exploited in the wild. Read more.
North Korean hackers target macOS users
For the first time, state-affiliated North Korean threat actors are embedding malware within Flutter applications to infect macOS devices. Flutter is a cross-platform development framework. The discovery comes from Jamf Threat Labs, which says that the Flutter-built applications are just one component of a campaign that also includes malware coded in Golang and Python. “We suspect these specific examples are testing,” Jaron Bradley, director at Jamf Threat Labs, told The Hacker News. “It’s possible they haven’t been distributed yet. It’s hard to tell … The attacker’s social engineering techniques have worked very well in the past and we suspect they’d continue using these techniques.” The activity has not yet been attributed to a specific threat group. Read more.
Campaign targets Australian cat lovers
Australians looking into the legality of owning a Bengal cat are being targeted by an oddly specific campaign that infects them with the GootLoader malware. “In this case, we found the GootLoader actors using search results for information about a particular cat and a particular geography being used to deliver the payload: ‘Are Bengal Cats legal in Australia?’” Sophos researchers Trang Tang, Hikaru Koike, Asha Castle, and Sean Gallagher said in their report. Once installed, GootLoader paves the way for additional malware such as Cobalt Strike, IcedID, Kronos, REvil, and SystemBC. The bizarre campaign highlights that even benign web browsing can be weaponized by threat actors in unlikely ways. Read more.
New North Korean malware deployed against crypto firms
According to research from SentinelLabs, a campaign called Hidden Risk is currently being deployed by the North Korean threat group BlueNoroff. Targeting macOS devices, “the campaign starts with a phishing email, with two types of malware dropped following initial infection. The researchers highlighted a novel persistence mechanism in a backdoor that abuses the Zshenv configuration file.” The campaign also sees the actors hijacking valid Apple “identified developer” accounts to bypass built-in Apple security features. The campaign is financially motivated, targeting crypto firms, and is believed to have begun in July of 2024. Read more.