What’s happening in cybersecurity today?
MacOS, ActiveMQ, Godzilla Web Shell, TA866, Phishing Campaign, VMware Flaw, AI Bounty Hunters, ML Vulnerabilities, Microsoft Execs’ Emails, Russia-Linked APT, LockBit Ransomware, Subway, Argentinian Payoneer, 2FA-Protected Account, Tietoevry Ransomware, Swedish Data Center, Outages, D.C.’s GALA Hispanic Theater, EPIC, FTC, Google, Brave Browser, ‘Strict’ Fingerprinting Protection, Yahoo, Cookie Consent Violations, 3AM Ransomware, Conti and Royal Groups, German Court.
Cyber Alerts
A Chinese hacking group, UNC3886, has been actively exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since late 2021, according to security firm Mandiant. While the flaw was patched in October, Mandiant revealed that UNC3886 utilized it in a cyber espionage campaign exposed in June 2023. The hackers breached targets’ vCenter servers, deployed backdoors, and exploited another VMware flaw (CVE-2023-20867) to escalate privileges and exfiltrate files from guest VMs.
Cybersecurity researchers are sounding alarms over a significant surge in threat actor activity exploiting a recently patched flaw in Apache ActiveMQ. Trustwave warns of concealed web shells in an unknown binary format, evading traditional security scanners. The Godzilla web shell, deployed through CVE-2023-46604, enables remote code execution, leading to active exploitation for deploying ransomware, rootkits, cryptocurrency miners, and DDoS botnets.
Pirated applications discovered on Chinese websites pose a significant threat to Apple macOS users. Jamf Threat Labs researchers, Ferdous Saljooki and Jaron Bradley, reveal that these apps harbor a backdoor enabling remote control over infected machines. The malware, hosted on macyy[.]cn, deploys a sophisticated technique, using legitimate software like Navicat Premium and Microsoft Remote Desktop, to compromise victims’ machines secretly.
Threat actor TA866, returning after a nine-month hiatus, launches a massive phishing campaign delivering well-known malware like WasabiSeed and Screenshotter. In a recent attack blocked by Proofpoint on January 11, 2024, thousands of invoice-themed emails, featuring rogue OneDrive URLs in decoy PDFs, were sent to North America. The sophisticated infection chain ultimately deploys a variant of the WasabiSeed and Screenshotter custom toolset, indicating TA866’s persistence and adaptability.
Members of the Huntr bug bounty platform for AI and ML have discovered critical vulnerabilities in MLflow, ClearML, and Hugging Face over the past month. MLflow faced four severe issues, including a path traversal bug (CVE-2023-6831) enabling file deletion, a crafted datasets flaw (CVE-2024-0520) allowing potential RCE, a path validation bypass (CVE-2023-6977) for reading sensitive files, and a recipe configuration bug (CVE-2023-6709) leading to RCE. Hugging Face Transformers had a critical vulnerability (CVE-2023-7018) allowing RCE, and ClearML faced a high-severity stored XSS flaw (CVE-2023-6778) in the Markdown editor, potentially compromising user accounts.
Cyber Incidents
Microsoft disclosed a sophisticated nation-state attack on its corporate systems, resulting in the theft of emails and attachments from senior executives. Attributed to the Russian APT group Midnight Blizzard (formerly Nobelium), the attack involved a password spray technique compromising a test tenant account. Microsoft swiftly responded to investigate and mitigate the incident, emphasizing that no security vulnerabilities in its products were exploited, and customer environments, production systems, or source code were unaffected.
The LockBit ransomware gang announced a successful hack of Subway, the prominent American fast-food restaurant franchise. Subway IP LLC, specializing in submarine sandwiches, wraps, salads, and drinks, found itself added to LockBit’s list of victims. The ransomware group threatened to leak hundreds of gigabytes of sensitive data, including employee salaries, franchise payments, and financial aspects, unless Subway takes action to protect the compromised data.
Payoneer users in Argentina woke up to 2FA-protected accounts hacked, losing funds after receiving SMS OTP codes. The financial services platform, popular for online money transfer, is facing a wave of account breaches, with users reporting unauthorized access and emptied wallets. While suspicions point to a possible Movistar data leak or an SMS provider breach, Payoneer attributes the incident to phishing, blaming users for clicking on URLs in SMS texts.
Finnish IT services provider Tietoevry faces a ransomware attack affecting one of its data centers in Sweden, attributed to the Akira ransomware gang. The incident has impacted services for various customers, including Sweden’s largest cinema chain, Filmstaden, and other companies like Rusta and Moelven. Tietoevry is working to restore infrastructure and services, following a well-tested methodology, but the outage has caused disruptions to online services, including movie ticket purchases and managed Payroll and HR systems for government, universities, and colleges in Sweden.
D.C.’s GALA Hispanic Theatre faced a cyber attack during a wire transfer, causing a loss of over $250,000. Despite the setback, the theater remains determined to continue its productions, with ongoing fundraising efforts to recover from the financial hit. The incident highlights the vulnerability of cultural institutions to cybercrime and the need for enhanced security measures in the digital age.
Cyber News
Advocacy groups EPIC and Accountable Tech filed a complaint urging the FTC to investigate Google for allegedly violating its pledge to promptly delete users’ location data related to sensitive places. The groups claim Google failed to honor its 2022 and 2023 promises and violated an FTC consent order from 2011. The complaint seeks civil penalties, data deletion, and a halt to Google’s “unlawful” data practices. Google disputes the allegations, asserting its commitment to deleting such data and calling the report inaccurate.
Brave Software plans to deprecate the ‘Strict’ fingerprinting protection mode in its privacy-focused browser due to functionality issues on many sites. Fingerprinting protection aims to enhance user privacy by preventing websites from tracking users via browser fingerprinting. The aggressive blocking in ‘Strict’ mode often results in degraded website functionality, and with only 0.5% of users utilizing it, the Brave team believes focusing on ‘Standard’ protection, already extensive and strong, is a more efficient use of resources, offering both privacy and compatibility.
France’s data protection watchdog fined Yahoo 10 million euros for disregarding users’ rejection of internet-tracking cookies and implying potential loss of access to email accounts. The penalty, imposed in December, followed complaints and investigations by the CNIL authority in October 2020 and June 2021. Yahoo.com visitors rejecting cookies were found with around 20 digital trackers, and Yahoo Mail users, attempting to withdraw cookie consent, were warned of potential service access loss, leading to the fine and emphasizing GDPR’s impact on obtaining user consent.
Security researchers have identified close ties between the recently surfaced 3AM ransomware operation and notorious groups such as the Conti syndicate and the Royal ransomware gang. 3AM, also known as ThreeAM, has adopted a new extortion tactic involving sharing news of a data leak with victims’ social media followers and using bots to reply to high-ranking accounts on X, redirecting them to data leaks. The researchers suggest that 3AM is connected to the Royal ransomware group, which is comprised of former members of Team 2 within the Conti syndicate, and there is a significant overlap in communication channels and tactics between the groups.
A German court has charged a programmer investigating an IT problem with hacking and fined them €3,000 ($3,265) for what it deemed was unauthorized access to external computer systems and spying on data. The programmer, operating as a freelance IT service provider, discovered a significant data privacy issue when resolving log generation problems for a client using merchandise management software. Despite the programmer’s efforts to inform the software vendor and act in the public interest, the court applied the Hacker Paragraph, emphasizing the need for robust protection, and imposed a fine, sparking concerns about legal precedent.