What’s going on in the cyber world today?
CISA, iOS Vulnerability, runC, Leaky Vessels, Container Security, Italian Threat Actor UNC4990, USBs, Ivanti, Zero-Day, Gateways, SOHO Router Security, Volt Typhoon Attacks, Ripple Co-founder, Canadian Global Affairs Department, Compromised VPN, Romanian Chamber of Deputies, Exactech, IntelBroker, Mobile Banking App, Egyptian IT Experts, ISIS Cyber Operations, EU, Cybersecurity Certification Scheme, Proofpoint, Layoffs, German Police, Movie2k.to, Telegram, Low-Cost Hub, Phishing Operations.
Cyber Alerts
1. CISA Alerts on iOS Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2022-48618, a flaw affecting Apple’s iOS, iPadOS, macOS, tvOS, and watchOS, to its Known Exploited Vulnerabilities catalog. The high-severity bug lets an attacker who already has arbitrary kernel read and write capability bypass Pointer Authentication, and Apple reports that it may have been exploited in the wild. Apple shipped the fix in December 2022 but only documented the CVE publicly on January 9, 2024; CISA has directed federal agencies to apply the updates by February 21, 2024.
2. Leaky Vessels Threaten Security
Four vulnerabilities disclosed together under the name Leaky Vessels let an attacker escape container isolation and stage follow-on attacks against the host. CVE-2024-21626 affects the runC container runtime; CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653 affect BuildKit, the image build back end used by Docker. Successful exploitation can yield access to the underlying host OS and to sensitive data stored on it. runC 1.1.12 fixes the runC flaw and BuildKit 0.12.5 fixes the three BuildKit flaws; Docker, AWS, and Google Cloud have published alerts urging users to update their container runtimes and build tooling promptly.
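As an added practitioner check (not code from the page, from Snyk, or from the runc or BuildKit projects): the script below parses the version banners printed by `runc --version` and `buildctl --version` and compares them with the first fixed releases named above. The sample banners embedded in it are constructed, and the BuildKit fix version (0.12.5) is taken from the upstream advisory rather than from this page.

```python
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# First fixed release per component. runc 1.1.12 is the version cited in the
# alert above; BuildKit v0.12.5 is the upstream fix for the three BuildKit CVEs.
FIXED_VERSIONS: Dict[str, Tuple[str, List[str]]] = {
    "runc": ("1.1.12", ["CVE-2024-21626"]),
    "buildkit": ("0.12.5", ["CVE-2024-23651", "CVE-2024-23652", "CVE-2024-23653"]),
}

# Matches x.y.z with an optional runc-style "-rc.N" / "-rcN" pre-release suffix.
# The leading \b keeps digits inside commit hashes (e.g. "g4bccb38") from matching.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")

Version = Tuple[int, int, int, int, int]


def parse_version(banner: str) -> Optional[Version]:
    """Return the first version token in a tool banner as a sortable tuple.

    The fourth field is 1 for a final release and 0 for a release candidate, so
    1.1.12-rc.1 sorts below 1.1.12 but above 1.1.11.
    """
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, patch, rc = match.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def is_vulnerable(component: str, banner: str) -> Optional[bool]:
    """True if the banner's version predates the fix, False if not, None if unparseable."""
    fixed_str, _ = FIXED_VERSIONS[component]
    installed = parse_version(banner)
    if installed is None:
        return None
    fixed = parse_version(fixed_str)
    assert fixed is not None  # FIXED_VERSIONS entries are well-formed by construction
    return installed < fixed


def check_installed(component: str, argv: List[str]) -> str:
    """Run the real binary if it is on PATH and report a verdict; never raises if it is missing."""
    if shutil.which(argv[0]) is None:
        return f"{component}: {argv[0]} not found on PATH"
    banner = subprocess.run(argv, capture_output=True, text=True, check=False).stdout
    verdict = is_vulnerable(component, banner)
    fixed_str, cves = FIXED_VERSIONS[component]
    if verdict is None:
        return f"{component}: could not parse a version from {banner!r}"
    if verdict:
        return f"{component}: VULNERABLE to {', '.join(cves)} (fixed in {fixed_str})"
    return f"{component}: patched ({fixed_str} or later)"


# Constructed sample banners in the layout the two tools print (hashes elided).
SAMPLE_RUNC_OLD = "runc version 1.1.11\ncommit: v1.1.11-0-g...\nspec: 1.0.2-dev\n"
SAMPLE_RUNC_FIXED = "runc version 1.1.12\ncommit: v1.1.12-0-g...\nspec: 1.0.2-dev\n"
SAMPLE_BUILDKIT_OLD = "buildctl github.com/moby/buildkit v0.12.4 ...\n"

if __name__ == "__main__":
    for comp, argv in (("runc", ["runc", "--version"]), ("buildkit", ["buildctl", "--version"])):
        print(check_installed(comp, argv))
```

Caveat: distribution packages (Debian, Ubuntu, RHEL) routinely backport fixes into older-numbered builds, so a "vulnerable" verdict from a version string alone should be confirmed against the distro changelog before filing a ticket. Docker Desktop and containerd ship their own runc, so check the runtime those products actually invoke rather than only the one on your PATH.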
3. Italian Threat Actor UNC4990 Targets USBs
The financially motivated threat actor UNC4990 is using weaponized USB devices as its initial infection vector against organizations in Italy spanning health, transportation, construction, and logistics, according to a report published Tuesday by Google-owned Mandiant. Active since late 2020, the group seeds USB infections broadly and then deploys the EMPTYSPACE downloader. It hosts encoded follow-on stages on legitimate third-party sites such as GitHub and Vimeo, and Mandiant describes its toolset as modular and frequently revised.
4. Ivanti Warns of Active Zero-Days
Ivanti has disclosed two new vulnerabilities in its Connect Secure, Policy Secure, and ZTA gateways, one of which (CVE-2024-21893) is already being exploited as a zero-day. CVE-2024-21893 is a server-side request forgery flaw that lets an attacker bypass authentication and reach restricted resources. The second flaw (CVE-2024-21888), in the gateways’ web component, allows a user to escalate privileges to administrator. Ivanti has released patches for some affected versions along with mitigations for the rest and urges customers to apply them immediately.
5. CISA Releases Eight ICS Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) has released eight advisories covering vulnerabilities in Industrial Control Systems (ICS) products from vendors including Emerson, Mitsubishi Electric, Hitron Systems, and Rockwell Automation. CISA urges users and administrators to review each advisory for technical details and recommended mitigations, and to keep current on security issues affecting their ICS environments.
Cyber Incidents
Approximately $112 million worth of XRP was stolen from personal accounts belonging to Ripple co-founder and executive chairman Chris Larsen. Larsen said he detected and reported the unauthorized access quickly, and exchanges froze the addresses involved. The stolen funds were reportedly laundered through several exchanges, including Binance and Kraken. Ownership of the drained wallet was initially unclear, with conflicting reports about whether it belonged to Ripple itself or to Larsen personally.
Canada’s Global Affairs department is dealing with a data breach that originated in a compromised Virtual Private Network (VPN) used for remote access. The intrusion exposed personal information of users, including employees, and gave the attackers access to internal drives, emails, calendars, and contacts of staff members. The affected VPN is managed by Shared Services Canada; the government has opened an investigation, applied mitigations, and is working with its IT partners to restore full remote connectivity.
Hackers have targeted Romania’s Chamber of Deputies, compromising sensitive data including identity documents and medical records. A post on a hacking forum claimed responsibility and threatened to publish deputies’ personal information unless a ransom of 0.8 bitcoin (about 30,000 euros) was paid. Chamber representatives deny making any payment, and the matter is being treated as a criminal act. Romania’s Minister of Research, Innovation, and Digitalization, Bogdan Gruia-Ivan, confirmed the incident and said a forthcoming technical report from the ongoing investigation will guide action against the perpetrators.
Global medical device maker Exactech has disclosed a data breach exposing personal information including names, Social Security numbers, financial details, and medical records. The company detected unusual network activity in April 2023 and determined that certain files were downloaded without authorization between April 4 and April 20. Exactech’s notice does not give a total victim count, but its filing with the Office of the Maine Attorney General lists 4,230 affected individuals. The company says it is cooperating with law enforcement and regulators and has found no evidence that the data has been misused beyond the unauthorized download itself.
The hacker known as IntelBroker claims responsibility for a cyberattack on an unnamed popular mobile banking app said to serve more than 10 million users. In a hacker forum post, IntelBroker advertised the exploit as capable of scraping and leaking users’ full names, countries, and payment methods, demanded payment exclusively in Monero (XMR), and attached screenshots to back up the claim. The target is not explicitly named, but speculation points towards Nu Bank as a potential victim; the claims remain unverified.
Cyber News
The US government has sanctioned two Egyptian IT specialists, Mu’min Al-Mawji and Sarah Jamal, for providing cybersecurity assistance and training to the terrorist organization ISIS. According to the Treasury Department, the pair helped ISIS use cryptocurrency and supported its online recruitment and propaganda efforts. The designations continue a growing trend of applying economic measures to individuals engaged in malicious cyber activity in support of terrorism.
The European Union has adopted its first cybersecurity certification scheme. Developed by the European Union Agency for Cybersecurity (ENISA) together with member states, the European Cybersecurity Scheme on Common Criteria (EUCC) is a voluntary scheme under the EU cybersecurity certification framework that will replace the existing national Common Criteria certification schemes with a single, standardized approach. It gives ICT suppliers one assessment process, recognized across the EU, for certifying the assurance level of their products, and is intended both to raise the security bar and to make European ICT providers more competitive in national, EU, and global markets.
Email security vendor Proofpoint is cutting 280 positions, about 6% of its workforce, as part of a restructuring aimed at a leaner organization with fewer management layers. The move follows the company’s 2021 acquisition by Thoma Bravo and a series of leadership changes and acquisitions; Proofpoint says it expects to offset the cuts through overseas expansion and new hiring by the end of 2024.
Police in Saxony, Germany, have seized 50,000 Bitcoin, worth over $2.1 billion, from a former operator of the pirate streaming site movie2k.to. The platform ran from 2008 until it was shut down in 2013 amid legal action. The seizure, the largest in Germany to date, followed a voluntary transfer of the coins by one of the identified operators.
Telegram has become a central hub for cybercrime, and Guardio Labs researchers report that it has lowered the barrier to phishing so far that a complete mass campaign can be assembled for about $230. The messaging app now functions as a marketplace for illicit tools, tutorials, and hackers-for-hire, forming an organized supply chain for cybercriminals. With cheap phishing kits on offer, newcomers can stand up scam pages quickly, hosting them on compromised websites and delivering them through backdoored mailers and professionally designed email templates.