SAN MATEO, CA, November 6, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Modified WhatsApp versions found to be hiding CanesSpy spyware
- Atlassian reports data-wiping bug in Confluence
- Biden administration creates US AI Safety Institute
- 34 Windows drivers found to be vulnerable to full device takeover
- 40 countries vow to no longer give in to ransomware demands
- North Korean crypto thieves set sights on macOS-using blockchain engineers
- Crypto theft linked to 2022’s breach of LastPass
- Russian hackers breached 632,000 DOJ and Pentagon email addresses
- Security flaws discovered in NGINX Ingress controller for Kubernetes
- LockBit ransomware gang claims to have breached Boeing
Modified WhatsApp versions found to be hiding CanesSpy spyware
Kaspersky researchers have discovered several modified versions of WhatsApp for Android that come with CanesSpy spyware packed in. “The trojanized client manifest contains suspicious components (a service and a broadcast receiver) that cannot be found in the original WhatsApp client,” according to the security firm. CanesSpy establishes “contact with a command-and-control (C2) server, followed by sending information about the compromised device, such as the IMEI, phone number, mobile country code, and mobile network code.” It also sends details about the victim’s contacts and accounts every five minutes while it awaits further instructions that may include “sending files from external storage (e.g., removable SD card), contacts, recording sound from the microphone, sending data about the implant configuration, and altering the C2 servers.” Users are urged to avoid any apps made available from third-party marketplaces.
Atlassian reports data-wiping bug in Confluence
Atlassian warns that a critical Confluence security flaw can be leveraged via a public exploit, allowing threat actors to carry out “data destruction attacks targeting Internet-exposed and unpatched instances.” With a 9.1/10 severity rating, CVE-2023-22518 is an improper authorization vulnerability that affects all versions of Confluence Data Center and Confluence Server software. Atlassian says there are “no reports of an active exploit, though customers must take immediate action to protect their instances” by patching their systems as soon as possible.
Biden administration creates US AI Safety Institute
The Biden administration, which has pursued cybersecurity initiatives since the President took office, has created a new government body to support efforts on AI safety called the US Artificial Intelligence Safety Institute (USAISI). USAISI will be a component of the US National Institute of Innovation and Technology (NIST) and has been launched to “facilitate the development of standards for the safety, security, and testing of AI models, develop standards for authenticating AI-generated content, and provide testing environments for researchers to evaluate emerging AI risks and address known impacts.” According to NIST director Laurie E. Locascio, “USAISI will bring industry, civil society and government agencies together to work on managing the risks of AI systems and to build guidelines, tools, and test environments for AI safety and trust.”
34 Windows drivers found to be vulnerable to full device takeover
Threat researchers at VMware Carbon Black have reportedly found as many as 34 drivers built on the Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) that could be exploited by threat actors to “erase/alter firmware, and/or elevate privileges.” Six of the drivers allow kernel memory access and another 12 could be leveraged to “subvert security mechanisms like kernel address space layout randomization.” Some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).
40 countries vow to no longer give in to ransomware demands
As a result of the growing damage done to national and economic security by ransomware thieves, 40 countries have signed an agreement never to give in and pay cybercriminals. While it is unclear how this pledge will be implemented, as many private organizations don’t have the backups necessary to get back on track without paying a ransom, new regulations will likely inspire them to do so. The White House has not clarified the US’ stance on this matter. Ransomware is reportedly having its biggest year yet, with threat actors having made off with around $450 million from January to June 2023.
North Korean crypto thieves set sights on macOS-using blockchain engineers
North Korean hackers in Lazarus Group are targeting blockchain engineers with a new macOS malware called KANDYKORN. Using a public Discord server, the threat actors impersonate other blockchain engineers and trick victims into downloading and executing a ZIP file containing the malicious software. Researchers at Elastic Security Labs describe KANDYKORN as “an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection” that “utilizes reflective loading, a direct-memory form of execution that may bypass detections.” Lazarus Group has a history of crypto theft, stealing the currency to help fund North Korea’s government.
Crypto theft linked to 2022’s breach of LastPass
Proving that old hacks can yield damage years into the future, reporting from ZachXBT and MetaMask developer Taylor Monahan reveals that hackers stole $4.4 million in cryptocurrency on October 25 using “private keys and passphrases stored in stolen LastPass databases” taken in the 2022 breach. Over 25 victims were affected, and the theft is said to have succeeded because weak master passwords protected the affected vaults. It is evident that whoever holds the stolen LastPass content has been steadily working to peel back its layers and break into potentially lucrative accounts.
Russian hackers breached 632,000 DOJ and Pentagon email addresses
Cl0p’s hack of MOVEit continues to plague the private and public sectors, as a report has revealed that 632,000 email addresses belonging to government employees were breached. “Impacted employees at the Defense Department reportedly included officials from the Air Force, the Army, the Army Corps of Engineers, the Office of the Secretary of Defense and the Joint Staff.” The hack is said to have taken place on May 28 and May 29 and has been described by the Office of Personnel Management as a “major incident.” Despite this classification, the OPM maintains that the data contained within the hacked accounts is of “low sensitivity” and does not pose a major risk to national security.
Security flaws discovered in NGINX Ingress controller for Kubernetes
A trio of high-severity security flaws have been reported in the NGINX Ingress controller for Kubernetes. If exploited, the flaws could allow a threat actor to “inject arbitrary code into the ingress controller process and gain unauthorized access to sensitive data” after stealing credentials. CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044 do not currently have patches available to fix them, so the developers of the software have disclosed mitigation procedures that “involve enabling the ‘strict-validate-path-type’ option and setting the --enable-annotation-validation flag to prevent the creation of Ingress objects with invalid characters and enforce additional restrictions.”
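What those two mitigations look like when applied to a stock ingress-nginx install, as an added example that is not part of the roundup or of the ingress-nginx project's own manifests; the namespace `ingress-nginx` and the ConfigMap/Deployment name `ingress-nginx-controller` are the upstream defaults and are assumed here, and the Deployment is shown only down to the fields that change.

```yaml
# Added example (not from the original page). Assumes the default upstream
# object names; adjust namespace and names to match your install.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller   # assumed default name
  namespace: ingress-nginx         # assumed default namespace
data:
  # Weak (default) setting is "false": path values are accepted with only
  # minimal checking. "true" rejects Ingress paths containing characters
  # outside the allowed set for Prefix/Exact path types.
  strict-validate-path-type: "true"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller   # assumed default name
  namespace: ingress-nginx
spec:
  template:
    spec:
      containers:
        - name: controller
          # Keep the args already present in your Deployment; only the last
          # one is new. It makes the controller validate annotation values
          # and refuse Ingress objects whose annotations carry characters it
          # would otherwise copy into the generated nginx configuration.
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --ingress-class=nginx
            - --enable-annotation-validation
```

After rollout, confirm both settings took effect with `kubectl -n ingress-nginx get cm ingress-nginx-controller -o jsonpath='{.data.strict-validate-path-type}'` (expect `true`) and `kubectl -n ingress-nginx get deploy ingress-nginx-controller -o jsonpath='{.spec.template.spec.containers[0].args}'` (expect the flag in the list).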
LockBit ransomware gang claims to have breached Boeing
LockBit has claimed to have stolen a trove of sensitive information from Boeing, according to a statement from the ransomware group. The group is threatening to expose the exfiltrated data if the aerospace organization does not engage in negotiations by November 2. Boeing does extensive work with military clients, and a leak of data related to their projects, plans, and contracts could yield disastrous results. Boeing has said that they are “assessing” LockBit’s claims.