SAN MATEO, CA, October 7, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.
CISA warns that Ivanti is under attack once again
CISA has warned that Ivanti Endpoint Management (EPM), “a tool that helps organizations manage and secure their fleets of employee devices,” is again under active attack despite being fixed in May 2024. Hackers exploit unpatched systems to run malicious code on vulnerable Ivanti customer servers. Ivanti is widely used, with over 40,000 corporate customers, including many Fortune 100 companies. Ivanti has been hit repeatedly by threat actors over the last year, with hackers exploiting bugs in Connect Secure. Many of these attacks have been linked to China-backed hackers searching for information to steal. CISA requires all federal civilian agencies to update vulnerable instances by October 23. “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the agency said.
Malicious job applications targeting HR professionals
Trend Micro has observed a spear-phishing campaign that targets HR professionals and job recruiters with a “JavaScript backdoor called More_eggs, indicating persistent efforts to single out the sector under the guise of fake job applications.” More_eggs is a “malicious software that can siphon credentials, including those related to online bank accounts, email accounts, and IT administrator accounts.” It is offered as malware-as-a-service and has been used by several criminal groups, but it is attributed to a threat actor group called the Golden Chickens. Similar attacks have been spotted over the last year. Many use LinkedIn as a vector for distributing fake resumes hosted on a site controlled by the threat actors; the supposed resumes are actually “Windows shortcut (LNK) files that, upon opening, trigger the infection sequence.”
96 arrested in Russian money laundering raid
The Main Investigative Department of the Investigative Committee of Russia has released information about the arrest of 96 people allegedly involved in money laundering schemes in the UAPS payment system and Cryptex cryptocurrency exchange. The operation follows the US government’s announcement of sanctions against individuals connected to UAPS and the Secret Service’s announcement that it had seized Cryptex’s domains. A one-minute video has been released to YouTube that shows Russian authorities breaking down doors, apprehending individuals, and counting cash. The video’s description says those arrested “carried out illegal activities in the exchange of currencies, cryptocurrencies, delivery and acceptance of cash, sale of bank cards and personal accounts.” Russia has not disclosed whether or not recent actions by the US government played any role in the raids.
Crypto scammers use debate buzz to push fake investments
Netcraft security researchers are warning that a surge in crypto investment scams attempting to “cash in on public awareness of the presidential debate” has followed last month’s event. Netcraft says it discovered 24 malicious domains, including 14 phishing sites, that use the word “debate” in their domain. “All the examples exploit the image of Republican presidential nominee Donald Trump, tech entrepreneur and billionaire Elon Musk, or a blend of both,” they said. The scammers push crypto-doubling schemes, often propped up with fake celebrity endorsements, that promise to double victims’ investments quickly. Many examples found by Netcraft used official Trump campaign logos, graphs, and diagrams to appear legitimate. The campaigns spread via hijacked or otherwise malicious YouTube channels.
Kaspersky defends software forced-replacement
Kaspersky’s forced replacement of its antivirus software with UltraAV was met with alarm and shock by many users, as the company did not explicitly ask for user permission to do so. At a technical level, this means that “Kaspersky uninstalled itself from customers’ machines, and UltraAV installed itself, without any user interaction.” Kaspersky’s spokesperson, Francesco Tius, told TechCrunch that “the migration process started at the beginning of September, of which all Kaspersky customers in the US eligible for the transition were informed in an email communication.” The switch was done, according to Tius, to protect Windows users from experiencing “a gap in protection upon Kaspersky’s exit from the market.” However, Mac, Android, and iOS devices required users to install and activate UltraAV services manually. In-app messages and documentation on UltraAV’s website neglected to mention that Windows users would experience an automatic changeover. Tius said that some users not having an email registered with Kaspersky was the cause of the confusion. Kaspersky has come under fire for the switch, both because of a lapse in communication and because UltraAV is a new product with no track record or published security audit.
T-Mobile $15.75 million settlement for data breaches
T-Mobile and the US Federal Communications Commission (FCC) have reached a settlement in which the telecom is to pay a $15.75 million penalty for several cybersecurity incidents in 2021, 2022, and 2023 that exposed millions of customers’ personal data. FCC Chairwoman Jessica Rosenworcel said, “consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems, or there will be consequences.” T-Mobile has also agreed to invest another $15.75 million into its cybersecurity systems to “address foundational security vulnerabilities, work to improve cyber hygiene, and adopt robust modern architectures, like zero trust and phishing-resistant multi-factor authentication (MFA)” and to provide regular updates on its security posture.
700,000 DrayTek routers at risk of being hacked
Forescout Vedere Labs has reported on 14 flaws that are present in residential and enterprise routers made by DrayTek. “These vulnerabilities could enable attackers to take control of a router by injecting malicious code, allowing them to persist on the device and use it as a gateway into enterprise networks,” Forescout Vedere Labs said in a technical report shared with The Hacker News. Two vulnerabilities are rated critical, nine are rated high, and the remaining three have received medium severity ratings. Forescout reports that more than 704,000 DrayTek routers are susceptible to attack from cybercriminals, with the majority of exposed instances being in the US, Vietnam, the Netherlands, Taiwan, and Australia. DrayTek has released patches for all of the flaws in question. “Complete protection against the new vulnerabilities requires patching devices running the affected software,” Forescout said. “If remote access is enabled on your router, disable it if not needed. Use an access control list (ACL) and two-factor authentication (2FA) if possible.”
Crypto exchange sanctioned by the US
The US Office of Foreign Assets Control (OFAC) has placed sanctions on Cryptex for “processing hundreds of millions of dollars of funds derived from cybercriminal activities, according to the US government.” Cryptex has received more than $51.2 million in funds derived from ransomware attacks and is also “associated with over $720m in transactions to services frequently used by Russia-based ransomware actors and cybercriminals, including fraud shops, mixing services, exchanges lacking KYC programs, and OFAC-designated virtual currency exchange Garantex.” A Russian citizen, Sergey Sergeevich Ivanov, has also been sanctioned for serving as the “payment processor for various fraud shops using various payment processing services.” In this role, he has allegedly “laundered hundreds of millions of dollars’ worth of virtual currency for ransomware actors, initial access brokers, darknet marketplace vendors, and other criminal actors for approximately the last 20 years.”
Three Iranian nationals charged for Trump campaign hack
The Department of Justice has revealed that it has charged three Iranian nationals for their involvement in a hacking operation carried out against Donald Trump’s 2024 presidential campaign. “Masoud Jalili, Seyyed Ali Aghamiri and Yaser Balaghi are charged with conspiracy to obtain information from a protected computer, fraud, aggravated identity theft, wire fraud, providing material support to a terrorist organization, and aiding and abetting in an offense against the United States.” The three individuals were reportedly responsible for carrying out a “wide-ranging hacking campaign” that homed in on the online accounts of both current and former government officials, campaign staffers, press, and nongovernmental organizations. The operation, as per the indictment, was spearheaded by Iran’s Revolutionary Guard Corps with an intent to “sow discord and undermine our democracy,” according to FBI Director Christopher Wray. The State Department is offering a reward of up to $10 million for information about the people involved in the scheme.
Four arrested for alleged links with LockBit
Four suspects have been arrested for their alleged links to the LockBit ransomware gang. In a collaborative effort between law enforcement authorities from 12 countries, a developer, a bulletproof hosting service administrator, and two people connected to LockBit activity have been detained. The operation saw authorities seize LockBit infrastructure servers, and it has been revealed that Australia, the US, and the UK have placed sanctions on a person whom the UK NCA believes to be involved with Evil Corp, a notorious affiliate of LockBit. Additionally, the UK sanctioned 15 Russian nationals connected to Evil Corp. “These actions follow the massive disruption of LockBit infrastructure in February 2024, as well as the large series of sanctions and operational actions that took place against LockBit administrators in May and subsequent months,” said Europol.