What’s going on in the cyber world today?
APT29, PyRDP, RDP Servers, Espionage, HubPhish, HubSpot, Free Forms, Phishing, UAC-0125, Cloudflare Workers, Malware, Army+, Ukraine, Remote Code Execution, Fortinet, Apache, Struts, Critical Vulnerability, Crimson Wine Group, Breach, Personal Information, Hapn, GPS Data, Leak, Pirelli, Positive Behavior Supports Corporation, Breach, Bank Rakyat Indonesia, Ransomware Attack, TP-Link, Routers, Ban, US, Cybersecurity Concerns, UK, White Hat Legal Shield, Raccoon Infostealer, Sentenced, US, Department of Justice, Dutch Data Protection Authority, Netflix, GDPR Violations, BlueQubit, Quantum Software Solutions, Real-World Apps
Cyber Alerts
Russia-linked APT29, also known as Earth Koshchei, has launched a sophisticated cyber-espionage campaign targeting governments, military organizations, think tanks, academic researchers, and Ukrainian entities. Using rogue Remote Desktop Protocol (RDP) servers and the open-source tool PyRDP, the group intercepts and manipulates RDP connections. Spear-phishing emails deliver malicious RDP configuration files, codenamed HUSTLECON, which redirect victims to attacker-controlled servers.
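As an added defensive illustration (not code from the item above), the following checker parses an .rdp attachment of the kind described, using the format's key:type:value lines, and flags files that point at a host outside an allowlisted domain while enabling settings that expose local resources to the remote server. The sample files, the trusted-domain suffix and the choice of which settings count as risky are this example's assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a malicious-looking .rdp file; the host is a
# placeholder, not an indicator from the report.
SUSPICIOUS_RDP = """\
full address:s:rdp.example-attacker.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
remoteapplicationmode:i:1
prompt for credentials:i:0
"""

# Constructed sample of a benign internal connection file.
BENIGN_RDP = """\
full address:s:ts01.corp.example.internal
redirectclipboard:i:0
drivestoredirect:s:
"""

# Settings that hand the remote side access to local resources. Treating
# these as risky is this example's assumption, not a list from the report.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",
    "redirectclipboard": lambda v: v.strip() == "1",
    "redirectprinters": lambda v: v.strip() == "1",
    "redirectsmartcards": lambda v: v.strip() == "1",
    "remoteapplicationmode": lambda v: v.strip() == "1",
}

@dataclass
class RdpFinding:
    host: str
    external: bool
    risky: list = field(default_factory=list)

def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines of an .rdp file into {key: value}."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([si]):(.*)$", line.strip())
        if m:
            settings[m.group(1).lower()] = m.group(3)
    return settings

def analyse_rdp(text: str, trusted_suffixes: tuple) -> RdpFinding:
    """Report the target host, whether it is outside the allowlist, and risky settings."""
    s = parse_rdp(text)
    host = s.get("full address", "").split(":")[0].lower()
    external = not host.endswith(trusted_suffixes)
    risky = [k for k, bad in RISKY_SETTINGS.items() if k in s and bad(s[k])]
    return RdpFinding(host, external, risky)

def is_suspicious(text: str, trusted_suffixes: tuple) -> bool:
    """Flag files that target an external host and expose local resources."""
    f = analyse_rdp(text, trusted_suffixes)
    return f.external and bool(f.risky)
```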
The phishing campaign known as “HubPhish,” revealed by Palo Alto Networks Unit 42, targeted over 20,000 users in Europe’s automotive, chemical, and industrial sectors, aiming to steal credentials and infiltrate Microsoft Azure cloud environments. Exploiting HubSpot’s Free Form Builder service, attackers sent Docusign-themed phishing emails that redirected recipients to fake Office 365 login pages via malicious forms hosted on the “.buzz” top-level domain. Although HubSpot’s infrastructure was not compromised, the attackers used Bulletproof VPS hosting to operate their phishing sites.
UAC-0125, a threat actor associated with the Russian GRU, is exploiting Cloudflare Workers to distribute malware disguised as the legitimate Army+ app, developed by Ukraine’s Ministry of Defence. The malware, which targets military personnel, is delivered through fake websites prompting users to download a Windows executable. The binary, created using Nullsoft Scriptable Install System (NSIS), runs a PowerShell script to install OpenSSH, generate RSA keys, and exfiltrate the private key to an attacker-controlled server via the TOR network.
Fortinet has issued critical security advisories for two vulnerabilities affecting its FortiWLM and FortiManager products, both of which could allow attackers to execute arbitrary code remotely. The first vulnerability, CVE-2023-34990, in FortiWLM, is a path traversal flaw that enables unauthenticated attackers to access sensitive files, impacting versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4. Affected users are urged to update to FortiWLM 8.6.6 or higher. The second flaw, CVE-2024-48889, found in FortiManager, could allow authenticated attackers to execute arbitrary commands remotely, affecting multiple versions across FortiManager and FortiAnalyzer.
A critical security vulnerability, tracked as CVE-2024-53677, has been discovered in Apache Struts, a widely used framework for developing web applications. With a CVSS score of 9.5, the flaw allows attackers to exploit file upload parameters and perform path traversal, potentially enabling remote code execution. This vulnerability is similar to another issue addressed in December 2023, CVE-2023-50164, which led to active exploitation shortly after its disclosure.
Cyber Incidents
Crimson Wine Group, a premium wine company based in Napa, California, recently filed a notice of a data breach affecting approximately 26,000 individuals. The breach, which was discovered on June 30, 2024, exposed sensitive consumer data, including names, Social Security numbers, driver’s license numbers, financial details, and medical information. Unauthorized access to the company’s computer systems occurred between June 26 and June 30, 2024, and Crimson Wine Group completed its investigation by December 9, 2024.
GPS tracking company Hapn, formerly known as Spytec, has exposed sensitive customer data due to a website vulnerability. The flaw, discovered by a security researcher in late November 2024, allows anyone with a Hapn account to access a database revealing personal information, including the names and workplace affiliations of over 8,600 GPS tracker owners. The data does not contain location information but includes unique IMEI numbers for the devices. Despite multiple attempts to contact Hapn, the company has not responded, and the exposed data remains accessible.
Pirelli Tire LLC, a major player in the tire industry, recently reported a data security breach involving unauthorized access to sensitive customer information. The breach, which occurred between September 18 and September 19, 2024, involved personal data such as names and Social Security numbers being accessed without permission. Pirelli promptly took action to secure its systems, including updating passwords and engaging cybersecurity experts.
On December 17, 2024, Positive Behavior Supports Corporation (PBS) notified the Texas Attorney General about a data breach that exposed sensitive client information. The breach occurred after an unauthorized party accessed PBS’s IT network between August 13 and November 27, 2024. The compromised data includes personal details such as names, addresses, phone numbers, Social Security numbers, health insurance information, and diagnostic codes.
Bank Rakyat Indonesia (BRI) has responded to claims of a ransomware attack, assuring its customers that both their data and funds remain secure. The speculation arose following a report from Falcon Feeds.io, which claimed the bank had been targeted by Bashe Ransomware. In a statement released on December 18, 2024, Arga M. Nugraha, BRI’s Director of Digital and IT, confirmed that the bank’s operations had not been disrupted.
Cyber News
The U.S. government is considering a ban on TP-Link routers due to cybersecurity concerns, as investigations reveal that these devices may pose a national security risk. TP-Link, a leading manufacturer of routers for home and small office use, holds a 65% share of the U.S. market, and its devices are commonly distributed by over 300 internet service providers. The investigation follows a report from Microsoft, which uncovered a botnet of hacked TP-Link routers used in cyberattacks linked to Chinese threat actors.
A proposed amendment to the UK’s Computer Misuse Act (CMA), aimed at providing a legal shield for white hat hackers, was rejected in the House of Lords on December 18, 2024. The amendment, put forward by Conservative life peer Chris Holmes, sought to create new defenses for security researchers against unauthorized access charges, provided their actions were necessary for crime prevention or deemed in the public interest. However, during a bloc vote on the Data Use and Access Bill, the proposal failed to gain support.
Mark Sokolovsky, a 28-year-old Ukrainian national, has been sentenced to 60 months in federal prison for his involvement in operating the Raccoon Infostealer malware as part of a global cybercrime scheme. The malware-as-a-service (MaaS) allowed criminals to steal personal data, including login credentials and financial information, from victims’ computers through phishing attacks. Sokolovsky, who was arrested in 2022, faced charges related to fraud, money laundering, and identity theft.
The Dutch Data Protection Authority (DPA) has imposed a €4.75 million ($4.93 million) fine on Netflix for violating the General Data Protection Regulation (GDPR) between 2018 and 2020. The investigation, which began in 2019, revealed that Netflix failed to provide adequate transparency about how it used customer data, including email addresses, payment details, and viewing habits. The company also did not sufficiently inform customers when they requested details about the data Netflix collected from them.
BlueQubit, a San Francisco-based quantum software startup founded by Stanford alumni, has raised $10 million in a Seed funding round led by Nyca Partners. The company’s Quantum Software as a Service (QSaaS) platform aims to bridge the gap between classical computing and quantum technology, providing enterprise access to Quantum Processing Units (QPUs) and quantum computing emulators.
Copyright © 2024 CyberMaterial. All Rights Reserved.