InfoSec MASHUP - Week 21/2024
Microsoft "Recall" feature and privacy concerns; US courtrooms backdoored; Google Patches Fourth Chrome Zero-Day in Two Weeks; Zoom Adding Post-Quantum E2E Encryption; Breach at Cencora;
Partners and Affiliates
🔐 NordVPN’s Spring Sale Campaign (May 2 - Jun 12)
Special offer update:
🇺🇸 USA & 🇸🇪 Sweden: up to 74% off + 3 months extra
🇬🇧 UK, 🇩🇪 Germany, 🇳🇱 Netherlands, 🇮🇹 Italy, 🇫🇷 France: up to 73% off + 3 months extra
🌍 Rest: up to 75% off + 3 months extra
Breaches & Security Incidents
🔓 🇺🇸 U.S. pharmaceutical giant Cencora has experienced a data breach, resulting in the theft of Americans' personal and highly sensitive medical information. The breach, which occurred earlier this year, includes patient names, addresses, dates of birth, health diagnoses, and medication information. Cencora has notified affected individuals, but the exact number of affected individuals is unknown. This incident is the latest in a series of cyberattacks targeting the U.S. healthcare sector.
🔓 🇦🇺 Western Sydney University (WSU) experienced a data breach affecting around 7,500 students and staff. Hackers accessed the university's Microsoft 365 environment, including email and SharePoint, starting in May 2023, though the breach was only discovered in January 2024. Exposed data varies by individual, but no ransomware or extortion demands have been made. WSU has taken steps to secure its systems and prevent future incidents, and impacted individuals are being notified.
🇨🇦 The LockBit ransomware gang claimed responsibility for an April cyberattack on Canadian pharmacy chain London Drugs. They assert they stole data and are threatening to publish it after failed ransom negotiations. London Drugs initially found no evidence of data compromise but has since acknowledged potential employee information exposure. They have proactively notified employees and offered credit monitoring and identity theft protection. LockBit has a history of high-profile attacks and continues to be active despite previous law enforcement takedowns.
More breaches:
MediSecure Data Breach Impacts Patient and Healthcare Provider Information
55,000 Impacted by Cyberattack on California School Association
Almost all citizens of city of Eindhoven have their personal data exposed
Cybercrime, Cyber Espionage, APTs
🇲🇦 🎁 A Moroccan cybercrime group has been impersonating nonprofit organizations to gain access to cloud accounts and carry out gift card theft scams targeting top U.S. retailers. The group, known as Storm-0539 or Atlas Lion, has seen a 30% increase in activity since March 2024. They target key employees within companies to gain access to cloud environments and exploit company procedures to maximize stolen funds. The group is based in Morocco and does not rely on malware, instead using legitimate domains and cloud services. Companies can defend against these attacks by implementing multi-factor authentication and limiting employee access to necessary functions.
👀 🏨 Wyndham Hotels: A recent investigation uncovered spyware on hotel check-in computers, potentially compromising guest information. This malicious software was designed to steal personal data, including names, addresses, and payment details, posing significant privacy risks. The spyware was found on computers in several hotels, indicating a widespread issue. Hotel guests are advised to monitor their financial accounts for suspicious activity and consider using alternative check-in methods to protect their information.
🇨🇳 A threat actor known as "Unfading Sea Haze" has infiltrated military and government networks in the South China Sea region for six years, aligning with Chinese geopolitical interests. Using sophisticated techniques like fileless malware through MSBuild and custom tools, the group maintained persistence and stealth. They employed spear-phishing, exploited local admin accounts, and used various malware variants for espionage. To counter these attacks, organizations are advised to implement robust security measures, including patch management, multi-factor authentication, and advanced detection systems.
🇺🇸 ⚖️ Rui-Siang Lin, the alleged owner of the Incognito dark web drug market, was arrested in New York. Incognito Market facilitated over $100 million in illegal drug sales, including large quantities of methamphetamines, cocaine, and ecstasy. Lin, also known as Pharoah, managed all operations, including vendors and transactions processed via cryptocurrency. Law enforcement accessed servers hosting the market's data, revealing extensive illicit activities. Lin faces severe charges, including life imprisonment for his involvement in a continuing criminal enterprise.
🇨🇳 ⚖️ Two Chinese nationals, Daren Li and Yicheng Zhang, were arrested for laundering $73 million through a cryptocurrency scam known as "pig butchering." This scheme involves building trust with victims via social media or dating apps and then convincing them to invest in fake crypto investments, siphoning the funds instead. Li was arrested in Atlanta, and Zhang in Los Angeles. They face multiple charges, each with a potential 20-year prison sentence if convicted. The operation used numerous shell companies to transfer the funds internationally and convert them into cryptocurrency.
Government, Politics, and Privacy
🇺🇸 ⚖️ New Hampshire authorities have charged Democratic operative Steve Kramer for creating and distributing an AI-generated robocall that impersonated President Joe Biden and urged voters not to cast their ballots. Kramer was indicted on felony voter suppression and misdemeanor impersonation charges. The Federal Communications Commission has also proposed fines for Kramer and the telecommunications carrier involved in the scheme. Kramer is cooperating with authorities and is also facing a lawsuit from the League of Women Voters and New Hampshire residents.
🇺🇸 🫱🏻🫲🏼 During the RSA Conference, current and former U.S. government cyber officials emphasized the importance of public-private partnerships in cybersecurity. They highlighted successful collaborations between agencies like CISA and private companies, which have been crucial in addressing cyber threats. These partnerships enable real-time information sharing and coordinated responses to incidents, enhancing national cybersecurity defenses. Officials advocated for continuing and expanding these collaborations to tackle evolving cyber challenges effectively.
🇮🇷 🇦🇱 Iranian hackers linked to the Ministry of Intelligence and Security (MOIS) have been involved in destructive cyberattacks against Albania and Israel. In Albania, the attacks in 2022 targeted government infrastructure, deploying ransomware and wiper malware, which shared similarities with tools used in other Iranian state-sponsored attacks. Concurrently, during the Israel-Hamas conflict, multiple Iranian groups, including IRGC-affiliated Cotton Sandstorm and MOIS-linked Pink Sandstorm, executed cyber-enabled influence operations and direct cyberattacks, such as defacing websites and disrupting security systems, to amplify their geopolitical impact.
Malware & Threats
🦠 🥸 Threat actors are using fake websites posing as legitimate antivirus solutions to spread malware on Android and Windows devices. The websites mentioned in the article are avast-securedownload[.]com, bitdefender-app[.]com, and malwarebytes[.]pro, which deliver various information stealer malware. Stealer malware has become increasingly common, with cybercriminals offering custom variants. Researchers have also discovered a new Android banking trojan called Antidot that disguises itself as a Google Play update. It is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, and more.
🦠 🌀 The SolarMarker malware, also known as Deimos, Jupyter Infostealer, Polazert, and Yellow Cockatoo, has evolved with a multi-tiered infrastructure to resist takedown efforts. The malware targets various sectors, including education, government, healthcare, hospitality, and small to medium-sized enterprises. SolarMarker has undergone continuous development to enhance its stealthiness and data theft capabilities. The malware is typically distributed through bogus downloader sites, malicious emails, or counterfeit installers. Recorded Future's investigation reveals a layered infrastructure with multiple command-and-control servers, making it difficult to eradicate.
🦠 💸 Researchers have discovered a cryptojacking attack that disables antivirus protections and infects machines with cryptocurrency-mining software. The malware, named GhostEngine, disables endpoint security solutions and hides evidence of compromise. It scans for endpoint protection software and uses vulnerable drivers to gain access to the kernel, terminating the security agent and deleting its binary. The malware then downloads and installs XMRig, a legitimate application for mining the Monero cryptocurrency. The campaign also includes persistence mechanisms and a backdoor component. Administrators can use YARA rules provided by the researchers to detect infections.
🇺🇸 ⚖️ The Justice AV Solutions (JAVS) courtroom video recording software has been backdoored in a supply chain attack, allowing attackers to take control of compromised systems. JAVS has removed the compromised version and conducted a full audit of all systems. Cybersecurity company Rapid7 discovered the trojanized installer and linked it to the Rustdoor/GateDoor malware. Potentially compromised JAVS endpoints should be reimaged, credentials reset, and the JAVS Viewer software upgraded to the latest safe version. This incident highlights the importance of supply chain security.
🦠 📄 Hackers are exploiting a flaw in Foxit PDF Reader to deliver various malware, including Agent Tesla and AsyncRAT. The flaw involves deceptive pop-up warnings that trick users into executing malicious commands. These attacks utilize legitimate platforms like Discord, GitLab, and Trello to host and distribute malware, evading detection. The malware can steal credentials and cookies and deploy cryptocurrency miners. Foxit is expected to release a fix in its upcoming version. This exploitation has been linked to espionage activities by groups such as DoNot Team.
🦠 ☁️ Cybercriminals are exploiting GitHub and FileZilla to deliver a variety of malware, including Atomic, Vidar, Lumma, and Octo. They use fake profiles and repositories on GitHub to host counterfeit versions of popular software, distributing these via malvertising and SEO poisoning. The campaign, traced back to Russian-speaking actors, involves sophisticated infrastructure and targets multiple platforms—Android, macOS, and Windows. This operation has been linked to delivering malware like RedLine, Raccoon, and DarkComet since August 2023.
🦠 🏦 Banking malware Grandoreiro has resurfaced after a temporary disruption by law enforcement. Despite efforts to dismantle its operations, the malware is again targeting banking customers, primarily in Latin America but also expanding to other regions. Grandoreiro is known for its sophisticated methods, including using fake pop-up windows and keylogging, to steal banking credentials and personal information. This resurgence underscores the persistent threat posed by cybercriminals and the need for continuous vigilance and enhanced cybersecurity measures.
AI, Tech & Tools
💻 📸 Microsoft's new "Recall" feature on Copilot Plus PCs continuously takes screenshots of user activity to aid in content search, sparking privacy and security concerns. Critics worry it could capture sensitive information like passwords and private emails, making it a target for misuse by abusers or hackers. Although the screenshots are stored locally and encrypted, the feature lacks content moderation, increasing the risk of sensitive data exposure. The Information Commissioner’s Office (ICO) is in discussions with Microsoft about privacy safeguards.
💻 🔐 Zoom Adding Post-Quantum End-to-End Encryption to Products: “With the launch of post-quantum E2EE, we are doubling down on security and providing leading-edge features for users to help protect their data. At Zoom, we continuously adapt as the security threat landscape evolves, with the goal of keeping our users protected.”
Vulnerabilities, Research, and Threat Intelligence
Google rolls out Chrome fix for empty pages when switching tabs
Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager
🐛 ⬇️ Veeam has released an update to address critical vulnerabilities, including an authentication bypass bug in Backup Enterprise Manager. The flaw allows an unauthenticated attacker to log in as any user. Other resolved vulnerabilities enabled NTLM relay attacks, theft of NTLM hashes, and reading of backup session logs. Users are advised to update their installations to the latest versions to mitigate these risks.
🐛 🔓 A zero-day vulnerability in QNAP QTS, the operating system for QNAP NAS devices, has been publicly disclosed. The flaw (CVE-2024-27130) in the share feature's share.cgi script allows remote code execution (RCE) by exploiting a buffer overflow via the strcpy function. Attackers need a valid share link SSID parameter, which can be obtained through social engineering. Despite 15 identified vulnerabilities, QNAP has only fixed four, leaving many unaddressed. A proof of concept (PoC) for this exploit has been released.
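The bug class behind this item, shown as an added example that is not QNAP's share.cgi code: an unbounded strcpy() of a request parameter into a fixed stack buffer, beside a bounded copy that validates the parameter first. The SSID_MAX size, the handler names and the alphanumeric token format are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class named in the QNAP item: a CGI
 * handler copying a request parameter into a fixed-size stack buffer.
 * The buffer size and handler names are assumptions, not QNAP's code. */
#define SSID_MAX 32

/* Vulnerable pattern: strcpy() copies until the NUL byte regardless of the
 * destination size, so an SSID of SSID_MAX bytes or more overflows buf. */
int handle_ssid_unbounded(const char *ssid)
{
    char buf[SSID_MAX];
    strcpy(buf, ssid);                    /* no length check: overflow */
    return (int)strlen(buf);
}

/* Hardened pattern: validate before copying. Reject anything that would not
 * fit, and anything outside the characters a share token should contain. */
int ssid_is_valid(const char *ssid)
{
    size_t len = strlen(ssid);
    if (len == 0 || len >= SSID_MAX)      /* empty, or too long for buf */
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)ssid[i]))
            return 0;
    return 1;
}

int handle_ssid_bounded(const char *ssid)
{
    char buf[SSID_MAX];
    if (!ssid_is_valid(ssid))
        return -1;                        /* reject instead of overflowing */
    memcpy(buf, ssid, strlen(ssid) + 1);  /* fits: length validated above */
    return (int)strlen(buf);
}

int main(void)
{
    const char *ok = "abc123DEF456";      /* constructed sample token */
    char oversized[SSID_MAX * 2];         /* constructed over-long token */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("valid token: %d\n", handle_ssid_bounded(ok));
    printf("oversized token: %d\n", handle_ssid_bounded(oversized));
    /* handle_ssid_unbounded(oversized) would corrupt the stack; not called. */
    return 0;
}
```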
ICS & OT
🧐 Team82 has researched Honeywell ControlEdge Virtual Unit Operations Center (UOC) and found multiple vulnerabilities in the EpicMo protocol implementation within ControlEdge Virtual UOC instances. These vulnerabilities are exploitable and can lead to unauthenticated remote code execution.
🔌 ❌ Rockwell Automation has urged administrators to disconnect industrial control systems (ICS) from the internet to mitigate the risk of cyberattacks. The warning comes amid heightened global cyber threats and aims to prevent unauthorized access to vulnerable devices. Rockwell highlights several security vulnerabilities (CVE-2021-22681, CVE-2022-1159, CVE-2023-3595, and more) affecting their ICS devices, urging immediate action to secure them. Disconnecting these systems reduces the attack surface and protects against potential exploits.