Cyber News Roundup for July 29, 2024
In this week’s cybersecurity news, the U.S. government is probing CrowdStrike following a massive outage that disrupted critical services and led to thousands of Delta Air Lines flight cancellations. In Ukraine, Russian-linked malware caused a heating outage in Lviv. Security awareness training firm KnowBe4 discovered a North Korean operative posing as an IT worker, while Check Point identified a network of fake accounts spreading malware on GitHub. Meta cracked down on Nigerian scammers targeting U.S. victims. U.S. intelligence agencies warned of foreign investment risks, and Israel intervened in a lawsuit to protect state secrets involving NSO Group.
U.S. government looking for answers amidst CrowdStrike aftermath
In the wake of the defective CrowdStrike update that disrupted airlines, banks, hospitals and other critical services last Friday, U.S. House leaders are calling on CrowdStrike CEO George Kurtz to testify to Congress about the company’s role in the widespread outage. Republicans who lead the House Homeland Security committee said Monday, “While we appreciate CrowdStrike’s response and coordination with stakeholders, we cannot ignore the magnitude of this incident, which some have claimed is the largest IT outage in history.”
Meanwhile, on Tuesday the U.S. Transportation Department said it was opening an investigation into Delta Air Lines after the carrier canceled more than 5,000 flights since Friday due to the CrowdStrike incident. While other carriers have been able to resume normal operations, Delta canceled 30% or more of its flights daily through Monday and axed or delayed over 1,000 more flights as of mid-day on Tuesday. Transportation Secretary Pete Buttigieg said the department “will leverage the full extent” of its investigative and enforcement power “to ensure the rights of Delta’s passengers are upheld.” (SecurityWeek and The Guardian)
Hackers shut down heat in Ukrainian city
Ukraine’s Cyber Security Situation Center (CSSC) announced that Windows-based malware, dubbed FrostyGoop, has been linked to a heating outage in Lviv, Ukraine, back in January. The Russian-linked malware was used to attack a municipal district energy company and cut off heat to over 600 apartment buildings for two days during sub-zero temperatures. FrostyGoop is designed to interact with Modbus TCP communications, a standard industrial control systems (ICS) protocol that carries no authentication of its own, so any host that can reach a controller on the Modbus port can read and write its registers. An investigation showed that attackers likely gained access to the network nine months earlier by exploiting a vulnerability in an Internet-exposed Mikrotik router. From there, attackers were able to reach four management servers and the district’s heating system controllers, which were not properly segmented from the rest of the network. (Bleeping Computer and TechCrunch)
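The story turns on two facts: Modbus TCP will accept a write from any host that can reach the controller, and the controllers were reachable from the compromised management network. The following is an added example, not code from the original article nor from any published FrostyGoop analysis. It parses raw Modbus/TCP frames (the 7-byte MBAP header plus the PDU) from constructed captures and raises an alert whenever a state-changing function code arrives from a host outside an engineering-workstation allow-list. The IP addresses, the allow-list and the sample frames are all assumptions made up for the example; the function-code table lists the standard public write codes and makes no claim about which codes FrostyGoop itself issued.

```python
import struct
from dataclasses import dataclass
from typing import Iterable

# Standard public Modbus function codes that alter controller state. This is
# the set an analyst would watch on a district-heating network; it is not a
# claim about which codes FrostyGoop itself issued.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}

# Hosts permitted to write to controllers (constructed for the example).
ALLOWED_WRITERS = {"10.20.0.5"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The MBAP length field counts the unit id plus the whole PDU.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match {len(payload) - 6} bytes")
    return ModbusFrame(transaction_id, unit_id, payload[7], payload[8:])


def build_modbus_tcp(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP ADU; used here only to construct sample traffic."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def flag_unauthorized_writes(events: Iterable[tuple[str, bytes]], allowed_writers: set[str]) -> list[dict]:
    """Return one alert per write request from a host outside allowed_writers,
    plus one alert per frame that does not parse as Modbus/TCP."""
    alerts = []
    for src_ip, payload in events:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append({"src": src_ip, "reason": f"malformed frame: {exc}"})
            continue
        name = WRITE_FUNCTION_CODES.get(frame.function_code)
        if name and src_ip not in allowed_writers:
            alerts.append({
                "src": src_ip,
                "unit_id": frame.unit_id,
                "function_code": frame.function_code,
                "reason": f"{name} (0x{frame.function_code:02X}) from host not on the writer allow-list",
            })
    return alerts


# Constructed sample traffic: (source IP, raw TCP payload sent to port 502).
SAMPLE_EVENTS = [
    # Engineering workstation reading 10 holding registers: normal.
    ("10.20.0.5", build_modbus_tcp(1, 1, 0x03, struct.pack(">HH", 0x0000, 10))),
    # Engineering workstation writing a setpoint: allowed.
    ("10.20.0.5", build_modbus_tcp(2, 1, 0x06, struct.pack(">HH", 0x0010, 55))),
    # Host on the office segment reading registers: not a write, no alert here.
    ("192.0.2.44", build_modbus_tcp(3, 1, 0x03, struct.pack(">HH", 0x0000, 4))),
    # Same host writing a setpoint: exactly what segmentation should have blocked.
    ("192.0.2.44", build_modbus_tcp(4, 1, 0x06, struct.pack(">HH", 0x0010, 0))),
    # Truncated frame from the same host: header only, no function code.
    ("192.0.2.44", b"\x00\x05\x00\x00\x00\x06\x01"),
]

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_EVENTS, ALLOWED_WRITERS):
        print(alert)
```

Run against real traffic, the same logic would sit on a network tap in front of the controllers, with the allow-list populated from the asset inventory. Alerting on reads as well is noisy but worth considering on a segment where only the engineering workstation should be talking Modbus at all; the point of the example is that the protocol itself gives you nothing to check, so the source address and the network boundary are the only controls.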
KnowBe4 hires fake North Korean IT worker
On Tuesday, security awareness training firm KnowBe4 said a North Korean operative posing as a software engineer slipped past its hiring background checks. Within the first 25 minutes on the job, the new hire used the company-issued Mac to download malware, manipulate session history files, and execute unauthorized software on company systems. KnowBe4 said its security team quickly detected the suspicious activity and contained the infected workstation. The hire’s identity turned out to be fabricated, built around an AI-altered stock photo, and the case is one of hundreds in which North Korean nation-state operatives have posed as IT workers to infiltrate U.S. companies. (SecurityWeek)
Stargazer Goblin hosts malicious code repositories on GitHub
A secret network of around 3,000 “ghost” accounts on GitHub has been manipulating the platform to promote malware and phishing links, as revealed by research from cybersecurity firm Check Point. Operating since at least June last year, a cybercriminal group, dubbed “Stargazer Goblin” by Check Point, has been hosting malicious code repositories on GitHub, the world’s largest open-source code site. Antonis Terefos, a malware reverse engineer at Check Point, discovered that these fake accounts “star,” “fork,” and “watch” malicious repositories to make them appear popular and legitimate. This tactic leverages GitHub’s community tools to boost the visibility and credibility of harmful pages. The network’s activities are coordinated through a cybercrime-linked Telegram channel and criminal marketplaces.
The “Stargazers Ghost Network” spreads malicious repositories offering fake downloads for social media, gaming, and cryptocurrency tools, targeting Windows users. They claim to provide tools like VPNs or licensed software but instead deliver malware. The operator behind this network charges other hackers to distribute their malicious content, a service Check Point terms “distribution as a service.” GitHub has responded by disabling user accounts violating its policies against supporting unlawful activities. With over 100 million users and 420 million repositories, GitHub continues to face challenges from cybercriminals exploiting its platform for malicious purposes. (Wired)
Meta cracks down on the Nigerian Yahoo Boys
Meta has banned 63,000 accounts linked to Nigerian cybercriminals known as the Yahoo Boys, who were targeting users in the U.S. with sextortion scams. These scammers, primarily targeting adult men, coerced victims into sharing explicit images, then threatened to release them unless paid in gift cards, mobile payments, wire transfers, or cryptocurrency. Some attempts targeted minors, which Meta reported to the National Center for Missing & Exploited Children (NCMEC). Meta’s crackdown follows FBI warnings about the growing threat of financial extortion targeting children. A smaller network of 2,500 accounts, linked to 20 individuals in Nigeria, was also uncovered. These scammers used fake accounts and shared resources for scamming, including scripts and guides. Meta designated the Yahoo Boys as a banned entity under its strict Dangerous Organizations and Individuals policy. The company is improving detection tactics and sharing information with other tech companies through the Tech Coalition’s Lantern program. (The Record)
US warns venture firms about foreign investments
The US National Counterintelligence and Security Center (NCSC) issued a joint bulletin with several other US intelligence agencies, warning tech startups and venture firms about foreign investment fronts. These investors use early-stage investments as a way to gather data and technology to eventually undermine US businesses. The bulletin warned firms to be on the lookout for funding from investors with complex ownership structures “incorporated in offshore locations lacking transparency.” The NCSC also warned that taking on such investors could jeopardize a startup’s eligibility for government contracts down the road. (Bloomberg)
Israel’s secret shield in spyware saga
Israel has intervened in the ongoing lawsuit between WhatsApp and NSO Group to prevent the disclosure of state secrets. WhatsApp alleges that NSO Group’s Pegasus spyware targeted 1,400 users, including activists and journalists. NSO claims it acted on behalf of foreign governments, seeking immunity, but this defense has been rejected by U.S. courts. The U.S. Supreme Court recently allowed WhatsApp’s lawsuit to proceed, marking a significant step towards accountability. Despite this, Israel’s involvement aims to protect sensitive national security information from being exposed during the legal proceedings. (Forbidden Stories)
Columbus, Ohio suffers cyber incident
The city of Columbus, Ohio, is working to restore its systems following a cyberattack that forced it to sever its connection to the internet. Officials stated that while its 911 and employee payroll systems remain operational, several resident-facing IT services are dealing with outages that may take time to restore. City employees were unable to send or receive emails, and the 911 service, although operational, had its staff working with pen and paper. Officials have not said whether a ransom demand is involved. (The Record)
Ukraine launches cyberattack on Russian ATMs
Updating a story we covered on Thursday: the attack, which started on July 23 and has been described as unprecedented in its scope, affected debit and credit cards of at least 10 major Russian banking organizations, freezing customer cards, bank payment systems and mobile applications, causing outages in online personal accounts, and preventing payments for services like public transport. The attack also disrupted Russian mobile and internet providers, popular online messengers and major Russian social networks. The Kyiv Post also states that nation-state hackers gained access to the databases of major banks. (Security Affairs)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.