What's the latest in the cyber world today?
Cyber Alerts
A critical flaw in WhatsApp's "View Once" feature, which allows users to send disappearing photos and videos, has been exploited by attackers to save and distribute media without the sender's consent. Researchers from Zengo X discovered that the vulnerability lies in WhatsApp's implementation, where the media is treated like regular messages but with a "View Once" flag. Attackers can modify this flag to prevent the media from disappearing, making it downloadable and shareable.
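As an added illustration (not code from Zengo X or WhatsApp, and a constructed toy rather than WhatsApp's real protocol), the model below contrasts a message store that trusts the recipient's client to honour a view-once flag with one that revokes the media server-side on first release; the class names, the `honor_flag` parameter and the sample bytes are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets

@dataclass
class ClientFlagStore:
    """Flawed design (constructed toy, not WhatsApp's real protocol): media is
    stored like any other message with a view_once flag, and the recipient's
    client is trusted to discard it. The server itself never revokes access."""
    media: Dict[str, dict] = field(default_factory=dict)

    def send(self, blob: bytes, view_once: bool) -> str:
        mid = secrets.token_hex(4)
        self.media[mid] = {"blob": blob, "view_once": view_once}
        return mid

    def fetch(self, mid: str, honor_flag: bool = True) -> Optional[bytes]:
        msg = self.media.get(mid)
        if msg is None:
            return None
        # Only a well-behaved client deletes; a modified client that ignores
        # or rewrites the flag can keep re-fetching the same bytes.
        if msg["view_once"] and honor_flag:
            del self.media[mid]
        return msg["blob"]

class ServerEnforcedStore(ClientFlagStore):
    """Hardened design: the server releases a view-once blob exactly once and
    revokes it on that first fetch, so client behaviour cannot bring it back."""

    def fetch(self, mid: str, honor_flag: bool = True) -> Optional[bytes]:
        msg = self.media.get(mid)
        if msg is None:
            return None
        if msg["view_once"]:
            del self.media[mid]  # revoked server-side, whatever the client does
        return msg["blob"]

def second_fetch_leaks() -> Dict[str, bool]:
    """True where a tampered client can fetch the view-once media a second time."""
    photo = b"constructed-jpeg-bytes"
    results = {}
    for name, store in (("client_flag", ClientFlagStore()),
                        ("server_enforced", ServerEnforcedStore())):
        mid = store.send(photo, view_once=True)
        store.fetch(mid, honor_flag=False)  # first view by a tampered client
        results[name] = store.fetch(mid, honor_flag=False) == photo
    return results
```

Server-side revocation closes the re-download path that a rewritten flag opens; it does not stop a recipient from capturing the screen, so disappearing media remains a courtesy rather than a confidentiality control.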
The Earth Preta threat group has recently enhanced its attack strategy by distributing malware through removable drives, utilizing a variant of the HIUPAN worm. This upgraded method allows Earth Preta to bypass traditional security measures and target a broader range of victims in the Asia-Pacific (APAC) region. By leveraging removable drives, Earth Preta can propagate its malware more rapidly and stealthily, posing a significant threat to government and foreign affairs sectors across countries like Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan.
Konni, a threat actor associated with the North Korean state-sponsored group Kimsuky, has recently intensified its cyber espionage efforts targeting both South Korea and Russia. According to researchers at the South Korean cybersecurity firm Genians, Konni employs similar tactics across both regions, including phishing emails with lures related to taxes, scholarships, and finance. These emails deploy a custom remote access trojan, allowing attackers to gain full control over compromised systems.
The Quad7 botnet is significantly expanding the range of devices it targets, adding Zyxel VPN appliances, Ruckus wireless routers, and Axentra media servers to the previously reported TP-Link routers. The botnet has introduced custom malware for these new targets and is moving away from traditional SOCKS proxies to more sophisticated evasion techniques. Recent findings from Sekoia reveal that Quad7 is now utilizing new staging servers, botnet clusters, backdoors, and reverse shells, while employing the KCP communication protocol and tools like 'FsyNet' for stealthier operations.
Zyxel has released urgent hotfixes for a critical command injection vulnerability (CVE-2024-6342) affecting its end-of-life NAS326 and NAS542 network-attached storage devices. Discovered by researchers Nanyu Zhong and Jinwei Dong from VARAS@IIE, the flaw allows unauthenticated attackers to execute operating system commands through a specially crafted HTTP POST request to the export-cgi program. Despite these devices being past their end-of-vulnerability-support phase, Zyxel has made patches available to mitigate potential risks.
Cyber Incidents
Payment gateway provider Slim CD has disclosed a significant data breach impacting approximately 1.7 million individuals. The breach, which began on August 17, 2023, and was discovered on June 15, 2024, involved unauthorized access to personal and credit card information. The compromised data includes names, addresses, credit card numbers, and expiration dates. While Slim CD has informed affected individuals and notified law enforcement and regulatory authorities, the company is not offering identity theft protection.
Charles Darwin School in south London has been forced to close temporarily following a severe ransomware attack that has disrupted its IT systems and left around 1,300 students without access to educational facilities. The attack, a cyber extortion attempt, rendered essential systems such as email and internet services unusable. The school’s headteacher, Aston Smith, has informed parents about the situation, detailing the removal of staff devices and the disabling of student accounts to prevent further breaches.
French electronics retailer Boulanger has reported a significant data breach affecting approximately 100,000 customers. The cyberattack, which occurred between September 6 and 7, 2024, compromised personal delivery addresses, and in some cases, telephone numbers and email addresses. Boulanger has assured customers that no banking information was exposed, as payment processing is handled by third-party services. The company has notified all affected individuals in compliance with GDPR regulations and warns of potential phishing attempts by fraudsters posing as Boulanger to exploit the leaked data.
The Centers for Medicare & Medicaid Services (CMS) has alerted over 946,000 Medicare beneficiaries about a significant data breach potentially affecting their personal information. This breach stems from a vulnerability in MOVEit software, used by CMS contractor Wisconsin Physicians Service Insurance Corporation (WPS) for handling Medicare claims and related services. The exposed data may include protected health information and personally identifiable information of Medicare beneficiaries, as well as individuals who received care from providers audited by CMS.
HPM Insurance, based in Amherst, New Hampshire, has reported a cybersecurity incident affecting three Maine residents. Discovered on October 27, 2023, the breach involved unauthorized access to sensitive data, including personal identification information, medical details, and financial data. HPM swiftly engaged a cybersecurity firm to investigate and secured its systems. While no misuse of the compromised information has been reported, affected individuals have been notified and offered complimentary credit monitoring services.
Cyber News
Russia's communications watchdog, Roskomnadzor, is set to invest 59 billion rubles ($644 million) over the next five years to upgrade its internet traffic-filtering infrastructure, according to Forbes. This significant expenditure will be used to enhance hardware designed to block or slow down access to specific online resources, particularly targeting virtual private networks (VPNs). The initiative is part of Russia's broader effort to tighten its digital sovereignty and control over internet access, following the 2019 law aimed at isolating the country from global internet services.
As the 2024 U.S. presidential election approaches, the Cybersecurity and Infrastructure Security Agency (CISA) has released crucial security guidelines to bolster election integrity. With the election set for November 5, CISA's new checklists focus on both cyber and physical security, aiming to address vulnerabilities such as phishing, DDoS attacks, and ransomware. The checklists, designed to help election officials review and enhance their security measures, offer actionable steps to prevent and respond to potential threats.
The Information Commissioner's Office (ICO) and the National Crime Agency (NCA) have signed a significant Memorandum of Understanding (MoU) to enhance the UK's cyber resilience. This agreement outlines a framework for both organizations to collaborate more effectively on cybersecurity issues, focusing on protecting entities from data theft and ransomware attacks. Under this MoU, the ICO and NCA will work together to provide organizations with timely information and guidance on cybersecurity, ensuring they are directed to appropriate resources like the National Cyber Security Centre (NCSC) and are able to report cyber crimes promptly.
The FBI's Cryptocurrency Fraud Report for 2023 reveals a significant surge in crypto-related financial crimes, with losses exceeding $5.6 billion. The report highlights over 69,000 complaints received by the FBI's Internet Crime Complaint Center (IC3), with cryptocurrency fraud making up nearly half of the total financial losses. Investment fraud has emerged as the most damaging scheme, accounting for over $3.9 billion in losses. FBI Director Christopher Wray emphasized the importance of public reporting, urging victims to report scams to IC3 even if they did not suffer financial loss.
Kenya is calling on East African governments to significantly boost investments in cybersecurity to protect Savings and Credit Cooperatives (SACCOs) from escalating cyber threats. During a recent forum in Nairobi, Cabinet Secretary Wycliffe Oparanya, represented by Principal Secretary Susan Mang'eli, emphasized the urgent need for robust national cybersecurity frameworks and collaboration with both local and international stakeholders. SACCOs, which are crucial to financial inclusion and economic stability in the region, face increasing vulnerabilities due to their reliance on digital platforms.
Copyright © 2024 CyberMaterial. All Rights Reserved.