SAN MATEO, CA, October 21, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.
North Korean IT workers demand ransom payments
North Korean nationals hired by Western companies under fake identities are adding extortion to the scheme, demanding ransom payments in exchange for not leaking sensitive or proprietary data they have stolen. “In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes,” Secureworks Counter Threat Unit (CTU) said in its report. “In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024.” North Korea runs these employment scams routinely to generate revenue for the regime, having its IT workers pose as freelance contractors and apply for remote positions at companies in Western countries. “This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers,” Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, said in a statement. “No longer are they just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defenses.” Read more.
Microsoft warns of macOS vulnerability
Microsoft reported a macOS flaw, dubbed HM Surf, which “allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology to access sensitive user data, including browsed pages and the device’s camera, microphone and location.” Microsoft said it detected possible exploitation activity associated with Adload, a family of malware that targets macOS. “TCC bypass can be achieved by leveraging the com.apple.private.tcc.allow TCC entitlement in Safari, which is the default browser for macOS. This allows the app to completely bypass TCC checks for services that are mentioned under the entitlement.” Third-party browsers do not carry that entitlement, so they cannot be used to exploit this vulnerability. Apple patched the flaw in the September 16 macOS Sequoia update and is encouraging all users to keep their systems up to date to prevent exploitation. Read more.
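The quoted Microsoft finding hinges on which apps hold the private com.apple.private.tcc.allow entitlement, because every TCC service listed under it is exempt from consent prompts. The following is an added example, not code from Microsoft, Apple, or the original article: a small audit that parses the XML entitlements plist for an app bundle and reports the TCC services it may access without a prompt. It assumes the plist comes from the codesign CLI (either `codesign -d --entitlements :- <app>` on older releases or `codesign -d --entitlements - --xml <app>` on newer ones); the bundle paths and plists below are constructed for the example, and the service identifiers shown are illustrative rather than a claim about any specific app's entitlements.

```python
"""Audit macOS app bundles for the private TCC-bypass entitlement.

Added example, not Microsoft's, Apple's, or the article's code. It parses the
XML entitlements plist that `codesign -d --entitlements :- <app>` (older
codesign) or `codesign -d --entitlements - --xml <app>` (newer codesign)
prints, and reports which TCC services an app may use with no consent prompt.
The sample plists and bundle paths below are constructed for the example.
"""
import plistlib
import subprocess

PRIVATE_TCC_KEY = "com.apple.private.tcc.allow"

# Constructed sample: a browser-like bundle carrying the private entitlement.
# The service names are TCC service identifiers used for illustration only.
SAMPLE_ENTITLEMENTS_WITH_TCC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.private.tcc.allow</key>
    <array>
        <string>kTCCServiceCamera</string>
        <string>kTCCServiceMicrophone</string>
    </array>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary third-party app with no private TCC grant.
SAMPLE_ENTITLEMENTS_PLAIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""


def strip_blob_header(data: bytes) -> bytes:
    """Some codesign invocations prefix the plist with a binary blob header.
    Drop everything before the first '<?xml' so plistlib can parse the rest."""
    idx = data.find(b"<?xml")
    return data[idx:] if idx >= 0 else data


def tcc_allow_services(entitlements_xml: bytes) -> list[str]:
    """Return the TCC services granted by com.apple.private.tcc.allow, or []."""
    ents = plistlib.loads(strip_blob_header(entitlements_xml))
    services = ents.get(PRIVATE_TCC_KEY, [])
    if isinstance(services, str):  # tolerate a single-string value
        services = [services]
    return sorted(str(s) for s in services)


def audit(bundles: dict[str, bytes]) -> dict[str, list[str]]:
    """Map bundle path -> prompt-free TCC services, for bundles that have any."""
    findings: dict[str, list[str]] = {}
    for path, xml in bundles.items():
        services = tcc_allow_services(xml)
        if services:
            findings[path] = services
    return findings


def read_entitlements(app_path: str) -> bytes:
    """Live read on a Mac (assumes the codesign CLI; not exercised offline)."""
    for args in (["codesign", "-d", "--entitlements", ":-", app_path],
                 ["codesign", "-d", "--entitlements", "-", "--xml", app_path]):
        proc = subprocess.run(args, capture_output=True)
        if proc.returncode == 0 and b"<plist" in proc.stdout:
            return proc.stdout
    raise RuntimeError(f"could not read entitlements for {app_path}")


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in read_entitlements()
    # output for real bundles under /Applications on a Mac.
    sample = {
        "/Applications/ConstructedBrowser.app": SAMPLE_ENTITLEMENTS_WITH_TCC,
        "/Applications/ConstructedTool.app": SAMPLE_ENTITLEMENTS_PLAIN,
    }
    for path, services in audit(sample).items():
        print(f"{path}: bypasses TCC prompts for {', '.join(services)}")
```

Only the constructed browser-like bundle is reported, which mirrors the point in the article: an app holding this entitlement is exactly the kind of target whose configuration is worth protecting, while apps without it, such as third-party browsers, cannot be used the same way.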
Sipulitie dark web drug marketplace seized
The servers of the Sipulitie dark web marketplace, known for trading in illegal drugs and narcotics, have been seized by Finnish authorities in a joint effort between Finnish Customs, Europol, the Swedish police, Polish law enforcement, and researchers at the cybersecurity company Bitdefender. Visitors to the market are now greeted with a banner announcing the takedown, and Finnish Customs has released a statement saying that “during the investigation, the identities of the administrators of Sipulitie, Sipulimarket, and Tsätti have been discovered. The identities of moderators and customer service agents supporting the administration have also been uncovered. Using the seized material, drug sellers and buyers operating on Sipulitie have also been identified.” Arrests of the site’s administrators are expected to be announced soon. Sipulitie’s predecessor, Sipulimarket, was taken down in 2020 but was quickly replaced by the market now in the hands of Finnish law enforcement. Read more.
Starbucks Coffee Lovers Box phishing scam
The UK’s national fraud and cybercrime reporting centre, Action Fraud, has issued a warning about a phishing scam promising victims a free Starbucks Coffee Lovers Box. The agency reportedly received over 900 reports of the scam in the last two weeks. The emails, which are being sent in high volume, contain malicious links “designed to steal personal and financial information or download malware onto personal devices.” According to David Spencer, Director of Technical Product Management at Immersive Labs, “The aim is maximum profit, so it’s a numbers game. The more targets cybercriminals reach, the more clicks they’ll get.” Spencer adds that, to get people to click the embedded links, the threat actors send the emails at times of day when recipients are likely to be less alert and, perhaps, craving coffee. Read more.
SolarWinds Web Help Desk under active exploitation
CISA has added CVE-2024-28987 to its Known Exploited Vulnerabilities Catalog after the critical flaw in SolarWinds Web Help Desk was confirmed to be exploited in the wild. CISA says, “SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data.” The flaw “allows unauthenticated attackers to remotely read and modify all help desk ticket details – often containing sensitive information like passwords from reset requests and shared service account credentials,” security researcher Zach Hanley said. The vulnerability carries a CVSS score of 9.1, and SolarWinds initially disclosed it in August 2024. Details about the nature of the exploitation or who is behind it have not been revealed; organizations running Web Help Desk should apply the vendor fix and treat any credentials that passed through tickets as potentially exposed. Read more.
8 million downloads of Google Play malicious apps
Researchers at Zscaler report that more than 200 malicious apps available on the Google Play store were downloaded nearly 8 million times between June 2023 and April 2024. The most common threats found were Joker, an “info-stealer and SMS message grabber that subscribes victims to premium services”; adware apps that “consume internet bandwidth and battery to load either intrusive foreground ads or invisible ads in the background, generating fraudulent ad impressions”; Facestealer, “Facebook account credential stealers that overlay phishing forms on top of legitimate social media applications”; Coper, an “info-stealer and SMS message interceptor that can also perform keylogging and overlay phishing pages”; Loanly Installer and Harly, two families that subscribe victims to premium services; and Anatsa, “a banking trojan that targets over 650 applications of banks worldwide.” Read more.
Cybersecurity skills shortage ranks second only to zero-day threats
Security vendor Sophos warns that “a shortage of cybersecurity expertise and capacity in global SMBs is fueling talent burnout and creating new opportunities for threat actors.” A report from the company finds that the shortage “is now ranked by SMBs as their second top cyber challenge after zero-day threats,” leaving teams and admins to learn on the job while trying to keep pace with developments in the threat landscape. The report also states that for a third of the time, SMBs have “no one actively monitoring, investigating or responding to alerts.” Overstretched teams also suffer burnout, leaving fewer people on guard and producing poorer outcomes even when a threat is identified. “A shortage of in-house cybersecurity skills is one of the biggest cyber risks for businesses today. When you couple this mounting skills gap with a major burnout crisis among cybersecurity professionals, small businesses are more vulnerable to attacks,” said Sophos field CTO Aaron Bugal. Read more.
Hacked data broker National Public Data files for bankruptcy
Florida-based data broker National Public Data is crumbling under the weight of litigation following a data breach that affected more than 300 million people, making it one of the largest of the year. National Public Data’s parent company, Jericho Pictures, told a Florida court that it would likely be unable to repay its creditors, address the class action lawsuits filed against it, or pay for credit monitoring for the people affected by the breach. Researchers estimate that the stolen database contains around 270 million Social Security numbers. Affected individuals hoping for compensation or relief from the fallout of such sensitive data falling into criminal hands appear to be out of luck, as the company’s insurance provider refused to cover the incident. The bankruptcy filing revealed that the company reported net profits of $475,426 in 2022 and $865,149 in 2023. Read more.
10 million conversations exposed in AI call center cyberattack
An AI-powered call center in the Middle East has suffered a breach exposing more than 10 million conversations. Cybersecurity firm Resecurity broke the news, with its report revealing that “the breach involved unauthorized access to the platform’s management dashboard, allowing attackers to collect over 10.2 million interactions between consumers, operators and AI agents.” With that level of access, attackers could exfiltrate the stored conversations, hijack live calls to persuade callers to hand over sensitive personal or payment details, or intercept AI-assisted conversations. “Conversational AI platforms have become a critical element of the modern IT supply chain for major enterprises and government agencies,” Resecurity said. These platforms are spreading across industries and pose a significant risk to user privacy if compromised. Read more.
Threat actors use ChatGPT to create malware
A report from OpenAI reveals that the company has “disrupted over 20 malicious cyber operations abusing its AI-powered chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and conducting spear-phishing attacks.” This is the first official report to confirm what other research firms had suspected: that threat actors use AI tools, particularly ChatGPT, to build their tooling. OpenAI calls out a Chinese threat actor, SweetSpecter, which was “using a cluster of ChatGPT accounts that performed scripting and vulnerability analysis research with the help of the LLM tool” to support spear-phishing emails for cyber espionage. The report also details efforts by Iranian threat actors to develop custom scripts and malware. Read more.