Cyber News Roundup for July 22, 2024

Welcome to this week’s cybersecurity roundup. Key developments include Microsoft’s confirmation of a faulty CrowdStrike update impacting cloud PCs, CISA’s addition of major vulnerabilities to its KEV catalog, and the arrest of a teenage hacker linked to the MGM ransomware attack. Rite Aid disclosed a ransomware incident, and Alphabet is in talks to acquire Wiz for $23 billion. Additionally, Kaspersky is shutting down US operations, and a critical GeoServer flaw is under attack. Ransomware costs for critical infrastructure are spiking, North Korean malware targets Macs, and the GhostEmperor threat group resurfaces.

Start your week in the know!


Microsoft confirms CrowdStrike update also hit cloud Windows PCs

The faulty CrowdStrike update that continues to reverberate around the world also left a number of Windows 365 Cloud PCs stuck in reboot loops, rendering them unusable. The standard fix Microsoft suggests for physical Windows devices, rebooting into Safe Mode or the Recovery Environment and manually removing the problematic kernel driver, does not apply to Windows 365 Cloud PCs, which are virtual machines running in the cloud. Instead, Microsoft recommends restarting the affected VMs as many as 15 times via the Azure Portal, restoring from an Azure Backup taken before the outage (at the risk of losing data created after the backup), or using the Azure CLI or Azure Shell to repair the OS disks offline. It also suggests reaching out to CrowdStrike itself. (BleepingComputer)


CISA adds some big names to its KEV catalog

The vulnerabilities in question are Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability, the SolarWinds Serv-U Path Traversal Vulnerability, and the VMware vCenter Server Incorrect Default File Permissions Vulnerability. CISA has ordered all Federal agencies to fix these vulnerabilities by August 7, and experts recommend that private organizations review the catalog as well. A link to a summary of the vulnerabilities is available in the show notes. (Security Affairs and CISA KEV catalog)


Teenage MGM hacker arrested in England

Police in the UK apprehended the 17-year-old, who has not been named, for his “alleged role in the cybercriminal group that brought MGM Resorts casinos to a standstill last year in a ransomware attack.” The arrest was made as part of an ongoing FBI investigation into the incident, which occurred last September and has been attributed to the Scattered Spider gang, also known as Octo Tempest and 0ktapus. It should be noted that in reviewing this hack, “MGM Resorts praised its own response to the incident, saying that its refusal to pay a ransom and decision to shut down all of its systems, as well as its coordination with law enforcement — had sent the message to criminals that ‘it’s not worth it.’” (The Record)


Rite Aid discloses ransomware attack

US pharmacy giant Rite Aid sustained a ransomware attack last month that led to a breach of some customer data, BleepingComputer reports. The company said in a statement, “Rite Aid experienced a limited cybersecurity incident in June, and we are finalizing our investigation. We take our obligation to safeguard personal information very seriously, and this incident has been a top priority. Together with our third-party cybersecurity partner experts, we have restored our systems and are fully operational. We are sending notices to impacted consumers.” Rite Aid didn’t disclose what type of customer data was affected, but said it didn’t involve health or financial information. BleepingComputer notes that the RansomHub gang claimed responsibility for the attack and stole 10 GB of customer information, including “name, address, dl_id number, dob, [and] riteaid rewards number.” (Bleepingcomputer)


Alphabet in talks to acquire Wiz

The Wall Street Journal’s sources say Alphabet remains in advanced talks on the deal, reportedly valued at about $23 billion. If it goes through, it would become Alphabet’s biggest acquisition and dwarf its 2022 acquisition of Mandiant for $5.4 billion. The Wiz acquisition would significantly build out Alphabet’s cloud security offerings. It’s unclear what kind of regulatory hurdles the deal will face; in recent years big tech deals have seen unprecedented levels of antitrust scrutiny, but Google Cloud’s market share remains behind Amazon and Microsoft. Keep in mind that these are just talks, so it’s not a done deal yet. (WSJ)


AT&T allegedly paid hacker to delete data

We may be getting some more details behind the recent AT&T data breach, which saw call records on millions of customers stolen through Snowflake cloud storage. A threat actor in the ShinyHunters hacking group told WIRED that AT&T paid a 5.7 bitcoin ransom, worth over $300,000, related to the attack back in May, in exchange for deleting the data. The transactions were confirmed by the crypto-tracing firm TRM Labs and by the security researcher Reddington, who acted as a go-between in the deal. Reddington said an American hacker living in Turkey contacted him about the stolen data in mid-April 2024. 404 Media previously identified this individual as John Binns, who is not the same threat actor that received payment from AT&T. Reddington notified Mandiant about the breach, which in turn told AT&T. This timeline lines up with AT&T’s SEC filings. Binns was indicted back in May on 12 counts related to a 2021 hack of T-Mobile, and was allegedly arrested in Turkey. (Wired, 404 Media)


PoC turnaround time getting shorter

Cloudflare’s Application Security report documented how quickly threat actors can weaponize a proof-of-concept exploit. It observed one instance where an attacker deployed a PoC-based exploit for an authentication bypass flaw in JetBrains TeamCity just 22 minutes after Rapid7 released it. That came less than six hours after JetBrains released an update to resolve the flaw and 5 hours after the CVE was publicly disclosed. Cloudflare said this increased time pressure “led us to combine the human written signatures with an ML-based approach to achieve the best balance between low false positives and speed of response.” (Bleeping Computer)


Kaspersky Lab is shutting down US operations

Kaspersky Lab, a Russian cybersecurity firm, is shutting down its U.S. operations and laying off employees after the U.S. Commerce Department banned the sale of Kaspersky software starting July 20. The ban follows national security concerns that Kaspersky or the Russian government could exploit the software to spy on American customers. Kaspersky confirmed the shutdown, citing the ban’s impact on its U.S. business viability. The closure affects fewer than 50 U.S. employees, who will receive severance packages. The U.S. had previously banned Kaspersky software from federal and military systems due to security concerns. Despite denying any misuse of its software, Kaspersky faced allegations of extracting NSA hacking tools from an employee’s computer. U.S. officials stress the ban protects Americans from potential exploitation by foreign adversaries. (Zero Day)


CISA warns critical GeoServer flaw is under attack

CISA said a CVSS 9.8 remote code execution flaw in GeoServer’s GeoTools plugin (CVE-2024-36401) is being actively exploited in the wild. GeoServer is an open-source server that allows users to share, process, and modify geospatial data. GeoServer disclosed the vulnerability on June 30th and said the flaw is caused by the GeoTools plugin unsafely evaluating property names. The project maintainers patched the flaw (in GeoServer versions 2.23.6, 2.24.4, and 2.25.2) and also offered workarounds, but warned that the workarounds may break some GeoServer functionality. CISA now requires federal agencies to patch servers by August 5, 2024. (Bleeping Computer and SecurityWeek)
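As an added example (not code from the article or the GeoServer project), a small triage helper that classifies an inventory of reported GeoServer version strings against the fixed releases the item lists. It assumes, since the page does not say, that branches older than 2.23 received no fix and that branches newer than 2.25 were released after it; host names and versions are constructed.

```python
"""Triage helper: is a GeoServer version patched for CVE-2024-36401?
Added example, not the article's or the GeoServer project's code. Only the
fixed releases the item lists (2.23.6, 2.24.4, 2.25.2) are encoded.
Assumed (not on the page): branches older than 2.23 received no fix and are
vulnerable; branches newer than 2.25 were released after the fix.
"""
from typing import Dict, Optional, Tuple

# (major, minor) branch -> first patch level carrying the fix.
FIXED_BY_BRANCH = {(2, 23): 6, (2, 24): 4, (2, 25): 2}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch'; a suffix such as '-SNAPSHOT' is ignored."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(text: str) -> Optional[bool]:
    """True if the version carries the fix, False if not, None if unparsable."""
    version = parse_version(text)
    if version is None:
        return None
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return patch >= FIXED_BY_BRANCH[branch]
    if branch < min(FIXED_BY_BRANCH):
        return False  # assumption: no backport to branches older than 2.23
    return True  # assumption: branches newer than 2.25 were cut after the fix


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host 'patched', 'vulnerable' or 'unknown' from its version."""
    labels = {True: "patched", False: "vulnerable", None: "unknown"}
    return {host: labels[is_patched(v)] for host, v in inventory.items()}


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "gis-prod-01": "2.25.2",
    "gis-prod-02": "2.24.3",
    "gis-legacy": "2.22.5",
    "gis-dev": "2.26.0-SNAPSHOT",
    "gis-unknown": "latest",
}
```

Calling `triage(SAMPLE_INVENTORY)` flags the two unpatched hosts and the one whose version string cannot be parsed, which is the list a SOC would chase before the August 5 deadline.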


Cloud security and PowerShell expertise emerge as key SOC analyst skills

According to a survey conducted by the SANS Institute, a set of hard skills has emerged as key to the success of analysts working in enterprise security operations centers (SOCs). These include knowledge of cloud security issues, PowerShell expertise, and the ability to automate repetitive tasks and systems management functions. The SANS survey polled 400 respondents from small, medium, and large companies globally. The responses showed that many SOCs continue to struggle with a lack of automation and orchestration of key functions, high staffing requirements, a shortage of skilled staff, and a lack of visibility. They also reported a pervasive silo mentality among security, incident response, and operations teams. On the positive side, SOC analyst retention improved, with 30% of respondents indicating the average tenure is between three and five years, compared to the one-to-three-year tenures reported in previous SANS surveys. (Dark Reading)


Critical infrastructure ransomware costs spike

A new report from Sophos found that the median ransom payment for attacks on critical national infrastructure organizations shot up from $62,500 in 2023 to over $2.5 million in 2024, while the average payment increased 6 times on the year to $3.225 million. Since this data only comes from victims willing to disclose payment details, it doesn’t give a comprehensive picture. Interestingly, average payments by IT and telecom victims were much lower, at $330,000, than those by lower education and government organizations, which paid an average of $6.6 million. Attacks also showed more signs of sophistication: the share of organizations able to recover within a week fell from 50% to 41% in 2024, while the share taking over a month rose from 36% in 2023 to 55%. (The Register)


North Korean malware comes to Macs

Security researcher Patrick Wardle found an updated variant of the North Korea-linked infostealer BeaverTail that runs on macOS. It came disguised as a DMG file for the legitimate Miro Talk video calling service. Palo Alto researchers originally found the Windows version of BeaverTail last November, used as part of a campaign targeting software developers with fake job interview requests. BeaverTail collects browser and crypto wallet data and can install a Python backdoor to gain persistence. Wardle said that while these attacks are not very technically sophisticated, the operators often see success with social media lures. (The Hacker News)


The GhostEmperor’s new groove

Kaspersky Lab first published details about the Chinese-linked threat group GhostEmperor in 2021. Since then, the group has been quiet. That changed with a new report from Sygnia, which found GhostEmperor attacking one of its clients in late 2023. Sygnia’s director of incident response research, Amir Sadon, said it went public with details to try to find out whether the group’s dark period was simply due to inactivity or to a lack of visibility. GhostEmperor uses a sophisticated kernel-level rootkit, a potential sign of state-sponsored activity. In 2021 it conducted supply-chain attacks against organizations in Southeast Asia. (The Record)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.