September 2, 2024

News roundup September 2, 2024

SAN MATEO, CA, September 2, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.

Telegram CEO arrested for facilitating criminal activity

Telegram CEO Pavel Durov was arrested by French authorities, who charged him with facilitating criminal activities and placed him under formal investigation. He is accused of “being complicit in the spread of child sexual abuse material (CSAM) as well as enabling organized crime, illicit transactions, drug trafficking, and fraud.” He is also charged with “refusal to communicate, at the request of competent authorities, information or documents necessary for carrying out and operating interceptions allowed by law.” Telegram’s lax moderation and privacy features make the platform a double-edged sword. While used by oppressed citizens under authoritarian regimes to communicate freely, it has also become a hotbed for criminal transactions and extremist communications among members of ISIS and other terrorist organizations. A Telegram statement says, “It is absurd to claim that a platform or its owner are responsible for abuse of that platform.”

Russian state hackers used spyware exploits for data theft

Google has reported evidence that Russian state hackers are taking advantage of exploits “identical or strikingly similar” to those designed by spyware developers Intellexa and NSO Group. The company said that it does not know how the Russian government obtained the exploits but cites its findings as an example of how the exploits of spyware manufacturers, already controversial, to say the least, can be acquired by threat actors for nefarious purposes. The threat group associated with this case is APT29. Believed to be associated with Russia’s Foreign Intelligence Service, APT29 typically engages in cyber espionage and data theft campaigns against other government agencies and tech companies. Google said that the exploit code was found on Mongolian government websites in a “watering hole” attack that would have stolen the personal data and passwords of anyone who visited the websites on an iPhone or Android device.

IT worker arrested for extortion plot against employer

57-year-old Daniel Rhyne, a former core infrastructure engineer at an industrial company in New Jersey, has been arrested for attempting to extort his employer by locking Windows admins out of 254 servers. Employees received a ransom email with the subject line “Your Network Has Been Penetrated” on November 25, claiming that all IT admins were locked out of their accounts and that server backups had been deleted. Rhyne also threatened to “shut down 40 random servers on the company’s network daily over the next ten days” unless a ransom of 20 Bitcoin ($750,000) was paid. Rhyne was caught because he “allegedly used a hidden virtual machine he accessed using his account and laptop to search the web on November 22 for information on how to delete domain accounts, clear Windows logs, and change domain user passwords using the command line.” Rhyne could face a $750,000 fine and 35 years in prison if convicted.

Iranian APT helping ransomware gangs attack US since 2017

A joint advisory from the FBI, CISA, and the US Department of Defense Cyber Crime Center (DC3) warns that an Iranian threat actor group, Fox Kitten, has “conducted a high volume of intrusion attempts against US organizations between 2017 and August 2024.” According to the warning, many of these operations were carried out to allow other groups to attack the organizations targeted. The advisory says that Fox Kitten intended to monetize their unlawful access by offering “full domain control privileges, as well as domain admin credentials, to numerous networks worldwide.” The FBI has recently learned of Fox Kitten’s collaborative efforts with notorious ransomware gangs such as ALPHV, RansomHouse, and NoEscape. The FBI believes that Fox Kitten actors keep their identity and location a secret from the ransomware gangs they work with.

Microsoft Sway exploited in new QR code phishing effort

Researchers at Netskope Threat Labs have observed a new QR phishing campaign that “leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes.” Thus far, the attacks have centered on users in Asia and North America in the technology, manufacturing, and finance sectors. Netskope says it saw a 2,000-fold increase in “traffic to unique Microsoft Sway phishing pages starting July 2024 with the ultimate goal of stealing users’ Microsoft 365 credentials” by sending weaponized QR codes hosted on Sway that direct victims to malicious websites. The tactics allow the activity to fly under the radar, as many email security features cannot scan URLs embedded within images. The fact that Sway pages are opened via Microsoft 365 also lends credibility to the scam. A QR code may also be opened on a mobile phone, where security features may not be as strict, making them an attractive lure for criminals.

Flaw in Microsoft Copilot creates user data risk

Johann Rehberger, a security researcher, has disclosed a flaw within Microsoft 365 Copilot that lets threat actors steal sensitive user information. The attack is initiated via a malicious email or shared document that can make Microsoft Copilot “search for additional emails and documents without user consent.” After that, the attacker can “leverage ASCII smuggling, which uses invisible Unicode characters to embed sensitive information within seemingly benign hyperlinks.” If a victim clicks a link, any embedded data is sent to a server under the attacker’s control. Microsoft patched the flaw in a July 2024 update. Still, Rehberger feels that its existence sheds light on the dangers of AI tools such as Copilot and their vulnerability to prompt injections that can cause large language models to behave outside their intended functionality or beyond security measures.
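The “invisible Unicode characters” in that story are Unicode tag characters (U+E0000 to U+E007F), whose printable range mirrors ASCII one-to-one and renders as nothing in most user interfaces. The following is an added defender-side example, not code from the report or from Microsoft: it scans Markdown-style links for tag and zero-width characters, recovers the smuggled ASCII so an analyst can see what would have been exfiltrated, and produces a sanitized copy of the link. The sample link, the `example.invalid` host, and the hidden string are constructed for the demonstration.

```python
import re

# Unicode "tag" characters (U+E0000..U+E007F) are invisible in most renderers.
# U+E0020..U+E007E map one-to-one onto printable ASCII 0x20..0x7E, which is what
# makes them usable for smuggling readable text inside an innocuous-looking link.
TAG_START, TAG_END = 0xE0000, 0xE007F
TAG_PRINTABLE_START, TAG_PRINTABLE_END = 0xE0020, 0xE007E

# Other zero-width / format code points often used to hide content in text.
OTHER_INVISIBLES = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}

# Markdown link: [visible text](url)
MARKDOWN_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")


def is_invisible(ch):
    """True for tag characters and the common zero-width code points above."""
    cp = ord(ch)
    return TAG_START <= cp <= TAG_END or cp in OTHER_INVISIBLES


def recover_hidden_text(s):
    """Map printable-range tag characters back to ASCII so an analyst can read
    what was smuggled. Returns '' when the string carries no such characters."""
    return "".join(
        chr(ord(c) - TAG_START) for c in s
        if TAG_PRINTABLE_START <= ord(c) <= TAG_PRINTABLE_END
    )


def strip_invisible(s):
    """Sanitized copy of s with every invisible code point removed."""
    return "".join(c for c in s if not is_invisible(c))


def scan_markdown_links(markdown):
    """Inspect every [text](url) link. Returns one finding per link part that
    carries invisible characters: which part, how many such characters, the
    recovered ASCII payload, and a sanitized version of that part."""
    findings = []
    for m in MARKDOWN_LINK.finditer(markdown):
        for part_name, part in (("text", m.group(1)), ("url", m.group(2))):
            n_invisible = sum(1 for c in part if is_invisible(c))
            if n_invisible:
                findings.append({
                    "part": part_name,
                    "invisible_chars": n_invisible,
                    "hidden_text": recover_hidden_text(part),
                    "sanitized": strip_invisible(part),
                })
    return findings


# Constructed sample (hypothetical, not from the original report): a link whose
# visible text reads "Quarterly report" but whose URL carries a tag-encoded
# string after the query parameter, invisible to the person clicking it.
_SMUGGLED = "".join(chr(TAG_START + ord(c)) for c in "sample-secret")
SAMPLE_MARKDOWN = (
    "Please see the [Quarterly report](https://example.invalid/view?ref="
    + _SMUGGLED + ") before Friday."
)

if __name__ == "__main__":
    for finding in scan_markdown_links(SAMPLE_MARKDOWN):
        print(finding)
```

Running the block prints one finding for the `url` part of the sample link, reporting 13 invisible characters and the recovered string `sample-secret`. The same check can be run over an LLM assistant’s rendered output before it reaches the user, or over outbound link text in a mail gateway; a link whose sanitized form differs from its raw form is worth blocking or flagging.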

Seattle-Tacoma International Airport and Port of Seattle hit with “possible cyberattack”

The Seattle-Tacoma International Airport has endured ongoing IT system outages, disruptions to reservation check-in systems, and flight delays due to a cyberattack. SEA-TAC is the busiest airport in the Pacific Northwest, serving almost 51 million passengers in 2023. The attack has also affected the Port of Seattle, which is experiencing “system outages.” Because the airport’s website is down, its official X account has been used to warn passengers of interrupted services such as nonfunctional baggage sorting systems and offline flight screens. An FBI spokesperson said that the agency is “aware of the incident and working with partners to determine what happened,” without disclosing any additional information regarding the nature of the incident. No ransomware operator or threat actor has claimed to have attacked the airport.

Android NGate malware steals contactless payment methods

A new Android malware called NGate has been discovered by researchers that “can relay victims’ contactless payment data from physical credit and debit cards to an attacker-controlled device to conduct fraudulent operations.” According to observations, the NGate campaign’s main objective “is to clone near-field communication (NFC) data from victims’ physical payment cards using NGate and transmit the information to an attacker device that then emulates the original card to withdraw money from an ATM.” The attack is believed to involve social engineering and SMS phishing scams that direct victims to “short-lived domains impersonating legitimate banking websites or official mobile banking apps available on the Google Play store.” The malware then instructs users to turn on the NFC feature of their phone and place their payment card on the back of their device so the malware can recognize and capture it.

Hacking group provides CAPTCHA-solving services

Arkose Cyber Threat Intelligence Research (ACTIR) has identified a company called Greasy Opal that sells controversial tools such as SEO-boosting software, CAPTCHA-solving services, browser automation services, and social media automation services. Greasy Opal, based in the Czech Republic, has a yearly revenue of $1.7 million, and its tools have been observed being used to attack Arkose customers. ACTIR researchers say Greasy Opal “operates in a gray zone, while its products and services have been used for illegal activities downstream.” The group doesn’t seem concerned about the consequences of doing so, offering an “attacker’s toolkit” for $70 plus a $10 monthly fee. The group uses machine learning models and other technology to provide effective hacking tools and regularly updates its portfolio.

SonicWall’s SonicOS has critical access control flaw

SonicWall is warning users that its SonicOS is vulnerable to a critical access control flaw that attackers can exploit to gain unauthorized access to resources or crash the firewall. The flaw, CVE-2024-40766, has a severity score of 9.3 due to “its network-based attack vector, low complexity, no authentication, and no user interaction requirements.” The issue affects “SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.” The models affected by this flaw are: Gen 5, SOHO devices running version 5.9.2.14-12o and older; Gen 6, various TZ, NSA, and SM models running version 6.5.4.14-109n and older; and Gen 7, TZ and NSA models running SonicOS build version 7.0.1-5035 and older. The security updates needed to fix the vulnerability are available for download from SonicWall.
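Because the affected ranges are expressed as “this build and older” per generation, the practical question for an administrator is whether each firewall in inventory falls at or below the quoted build. The following is an added example, not SonicWall’s own tooling: it parses SonicOS version strings of the form shown in the advisory (dotted release, dash, build number, optional trailing letter), encodes only the three thresholds quoted above, and triages a constructed inventory. The hostnames and the inventory versions are hypothetical; the fixed builds are not given on this page, so the check reports only “at or below the affected build”, “above it”, or “major version not covered by this advisory text”.

```python
import re

# Version thresholds quoted in the advisory text: each generation is affected
# on the listed build "and older". Keyed by major version, which is how the
# page distinguishes Gen 5 (5.x), Gen 6 (6.x) and Gen 7 (7.x).
AFFECTED_UP_TO = {
    5: "5.9.2.14-12o",
    6: "6.5.4.14-109n",
    7: "7.0.1-5035",
}

# SonicOS builds look like "7.0.1-5035" or "6.5.4.14-109n": a dotted numeric
# release, a dash, a numeric build number and an optional trailing letter.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")


def parse_version(s):
    """Turn a SonicOS version string into a tuple that sorts in release order.
    Raises ValueError on anything that does not match the expected shape, so a
    typo in an inventory file fails loudly instead of being silently 'safe'."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {s!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    build = int(m.group(2))
    suffix = m.group(3)  # '' sorts before any letter, so 109 < 109n < 110
    return release, build, suffix


def is_affected(version):
    """True when the build is at or below the advisory threshold for its
    generation, False when it is newer, None when the major version is not in
    the table (the advisory text on this page says nothing about it)."""
    parsed = parse_version(version)
    major = parsed[0][0]
    if major not in AFFECTED_UP_TO:
        return None
    return parsed <= parse_version(AFFECTED_UP_TO[major])


def triage(inventory):
    """Map each (hostname, version) pair in an inventory to a verdict."""
    return {host: is_affected(ver) for host, ver in inventory}


# Constructed inventory (hypothetical hosts and versions, not from the page).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "7.0.1-5035"),
    ("fw-branch-02", "7.0.1-5036"),
    ("fw-legacy-01", "6.5.4.14-109n"),
    ("fw-legacy-02", "5.9.2.13-12o"),
]

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "above affected build", None: "not covered"}
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {labels[verdict]}")
```

The comparison works because Python orders the `(release, build, suffix)` tuples position by position, so `5.9.2.13-12o` sorts below `5.9.2.14-12o` on the release component alone, while `6.5.4.14-109m` sorts below `6.5.4.14-109n` on the suffix. Treat a `None` verdict as “check the vendor advisory”, not as “safe”.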


Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
