Cyber News Roundup for November 8, 2024
In this week’s cybersecurity roundup, we delve into the latest threats and vulnerabilities impacting organizations worldwide. From North Korean hacking campaigns targeting remote workers with fake job offers to alarming ransomware attacks on the healthcare sector, the landscape of cyber threats continues to evolve. We also highlight critical vulnerabilities in major software platforms, phishing schemes exploiting copyright claims, and the potential misuse of AI in uncovering security flaws. Stay informed as we explore these developments and their implications for your organization’s security posture.
North Korean campaigns pursue fake jobs and remote workers
Hackers are increasingly exploiting vulnerabilities among remote workers, often using tactics like “vishing” to impersonate IT staff and steal sensitive information. Recently, Zscaler uncovered two North Korean campaigns, “Contagious Interview” and “WageMole,” aimed at bypassing financial sanctions by securing remote jobs under false identities. The Contagious Interview campaign lures developers with fake job postings, infecting them with JavaScript-based malware BeaverTail and Python-based InvisibleFerret, which exfiltrates data via encrypted HTTP protocols. This malware targets developers on Windows, Linux, and macOS, affecting victims primarily in India, Pakistan, Kenya, and Nigeria.
Stolen identities from these attacks fuel the WageMole campaign, allowing operatives to land remote jobs in Western firms. These operatives use AI-generated documents, portfolios, and even voice-over tools to pass interviews, impersonating experienced developers. Zscaler advises companies to verify employment history, use virtual environments for suspicious files, and authenticate applicant identities to combat these tactics. (Cyber Security News)
Interlock ransomware gang aims at U.S. healthcare, IT and government
Interlock is apparently a new ransomware group that has been observed conducting targeted attacks across numerous sectors, including healthcare, IT, and government in the U.S. and manufacturing in Europe. Researchers at Cisco Talos state, in a report published yesterday, that Interlock employs both “big-game hunting” and double extortion tactics. The group operates a leak site called Worldwide Secrets Blog to publish stolen data. Initial access currently comes through a fake Google Chrome browser updater that installs a remote access tool disguised as a legitimate update. This RAT establishes a secure C2 connection and also “installs a credential-stealing component, allowing Interlock to capture login details for online accounts. Interlock’s arsenal extends beyond simple data collection. The group effectively evades detection by disabling Endpoint Detection and Response and clearing event logs.” Cisco Talos has also noted a potential connection between Interlock and the Rhysida ransomware group, citing overlapping attack techniques, tools and code. (InfoSecurity Magazine)
Hewlett Packard warns of critical RCE flaws in Aruba Networking software
The company has released updates for Instant AOS-8 and AOS-10 software “to address two critical vulnerabilities in Aruba Networking Access Points, which could allow a remote attacker to perform unauthenticated command injection by sending specially crafted packets to Aruba’s Access Point management protocol (PAPI) over UDP port 8211.” The flaws, which carry severity scores of 9.8 and 9.0, exist in the command line interface service, which is accessed via the PAPI protocol. (BleepingComputer)
Malware delivered in copyright violation notifications
Researchers at cybersecurity firm Check Point are warning of a large-scale campaign targeting entertainment, media and technology companies in the United States, Europe, East Asia, and South America, in which spear-phishing emails claim copyright violations. The emails are sent from Gmail accounts and appear to come from the legal representatives of well-known companies. The messages accuse recipients of misusing the company’s brand on social media platforms and request that the content be removed. The removal instructions are in a password-protected file which, of course, deploys the malware, in this instance version 0.7 of the Rhadamanthys stealer, which, as Recorded Future’s Insikt Group notes, incorporates artificial intelligence (AI) for optical character recognition (OCR). (The Hacker News)
CISA observed no significant malicious activity impacting election
US Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly said yesterday that the agency has “seen no evidence of malicious activity impacting the security or integrity of election infrastructure,” the Record reports. Easterly stated in a press call, “While at the national level we saw some minor disruptive activity throughout the day, that activity was largely expected and planned for.” The FBI issued a statement on a series of bomb threat hoaxes against polling centers, noting that many of the threats were sent from Russian email addresses. Easterly pointed out that this doesn’t necessarily mean the threats originated from Russia, and the federal government hasn’t made any official attributions. Easterly added that Americans should be prepared “for continued attempts by our foreign adversaries to use false narratives and disinformation to undermine American confidence and the legitimacy of election.” (The Record)
Nokia says it has no evidence that hackers breached company data
On Tuesday, the known Serbian threat actor IntelBroker claimed to have swiped Nokia’s internal data, including SSH keys, source code, and internal credentials, and to intend to sell it on BreachForums for $20,000. IntelBroker claims they breached a third-party contractor that develops some of Nokia’s internal tools. Nokia confirmed they are investigating the report, and said they have “found no evidence” of their systems or data being impacted. Given that IntelBroker has carried out a number of high-profile data thefts from entities including Apple, the US House of Representatives, Europol, and GE, odds are good that the threat actor’s claims are legitimate. (Dark Reading)
Cisco bug lets hackers run commands as root on access points
Cisco has fixed a maximum severity vulnerability (CVE-2024-20418) in Unified Industrial Wireless Software’s (URWB) interfaces used to provide connectivity for industrial wireless automation. The issue allows an unauthenticated threat actor to run low-complexity command injection attacks with root privileges on vulnerable access points, without requiring any user interaction. Cisco’s advisory says affected Catalyst access points and clients would need to have the URWB operating mode enabled to be vulnerable. Cisco’s Product Security team (PSIRT) has yet to discover evidence of publicly available exploit code or attacks in the wild. (Bleeping Computer)
Hackers increase use of Winos4.0 in attacks
On Wednesday, Fortinet reported that hackers are targeting Chinese-speaking Windows users with the malicious Winos4.0 framework through seemingly benign gaming apps. The attacks leverage Search Engine Optimization (SEO) tactics, social media, and messaging platforms like Telegram to distribute the malware. When victims execute the installers, they initiate a multi-step infection process. Ultimately, Winos4.0 collects system and environment information (e.g., IP address, OS details, CPU), checks the host for anti-virus and monitoring software, gathers crypto wallet extensions, maintains a backdoor connection to the C2 server, and exfiltrates user data files. (Bleeping Computer and The Hacker News)
Volt Typhoon breached Singtel as ‘test-run’ for U.S. telecom attacks
Over the summer, the Chinese threat actor Volt Typhoon reportedly breached the Singaporean telecom company Singtel. According to Bloomberg, “two people familiar with the matter” told the news outlet that the Singtel breach was “a test run by China for further hacks against US telecommunications companies.” Bloomberg said its sources confirmed that Volt Typhoon used a web shell in the Singtel breach. This aligns with an August report from Lumen Technologies, which warned that Volt Typhoon had abused a Versa SD-WAN vulnerability (CVE-2024-39717) to plant credential-harvesting web shells on customers’ networks. More recently, another Chinese-government-backed group, Salt Typhoon, was accused of breaching the infrastructure of Verizon, AT&T, and Lumen Technologies, although all three companies have declined to comment on those incidents. China has repeatedly denied these accusations. (The Register)
Okta vulnerability affects accounts with long usernames
Okta has disclosed an authentication bypass vulnerability affecting accounts with usernames that are 52 characters or longer, the Register reports. When certain conditions were met, an attacker could log into one of these accounts without a password. The company issued a patch for the flaw on October 30th.
The vulnerability could be exploited if the following conditions were met:
- “Okta AD/LDAP delegated authentication is used
- “MFA is not applied
- “The username is 52 characters or longer
- “The user previously authenticated creating a cache of the authentication
- “The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic
- “The authentication occurred between July 23rd, 2024 and October 30th, 2024”
(Okta, The Register)
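As an added defender-side example, not from Okta or the original post: a Python audit that applies the conditions listed above to a constructed user export (the field names are hypothetical, not an Okta API shape) and returns the accounts that warrant a System Log review. The “cache was used first” condition is only visible in authentication logs, so the audit assumes it could have occurred and errs on the side of flagging.

```python
from datetime import date

# Conditions as summarised from Okta's disclosure in the roundup above.
MIN_USERNAME_LENGTH = 52
WINDOW_START = date(2024, 7, 23)   # cache behaviour introduced
WINDOW_END = date(2024, 10, 30)    # patch issued

# Constructed sample export with hypothetical field names.
SAMPLE_USERS = [
    {"username": "a" * 40 + "@example.com", "auth": "ad_ldap_delegated",
     "mfa": False, "last_cached_auth": date(2024, 9, 12)},   # 52 chars: exposed
    {"username": "short.user@example.com", "auth": "ad_ldap_delegated",
     "mfa": False, "last_cached_auth": date(2024, 9, 12)},   # too short
    {"username": "b" * 50 + "@example.com", "auth": "ad_ldap_delegated",
     "mfa": True, "last_cached_auth": date(2024, 8, 1)},     # MFA applied
    {"username": "c" * 50 + "@example.com", "auth": "okta_password",
     "mfa": False, "last_cached_auth": date(2024, 8, 1)},    # not delegated
    {"username": "d" * 50 + "@example.com", "auth": "ad_ldap_delegated",
     "mfa": False, "last_cached_auth": date(2024, 11, 2)},   # after the patch
]

# Each condition is a label plus a predicate; all must hold for exposure.
CONDITIONS = [
    ("AD/LDAP delegated authentication",
     lambda u: u["auth"] == "ad_ldap_delegated"),
    ("MFA not applied",
     lambda u: not u["mfa"]),
    (f"username >= {MIN_USERNAME_LENGTH} characters",
     lambda u: len(u["username"]) >= MIN_USERNAME_LENGTH),
    ("cached authentication in affected window",
     lambda u: WINDOW_START <= u["last_cached_auth"] <= WINDOW_END),
]

def unmet_conditions(user):
    """Labels of the conditions this account does NOT meet (empty = exposed)."""
    return [label for label, pred in CONDITIONS if not pred(user)]

def audit(users):
    """Usernames meeting every condition; review their System Log entries
    for the window and enforce MFA regardless of outcome."""
    return [u["username"] for u in users if not unmet_conditions(u)]

if __name__ == "__main__":
    for name in audit(SAMPLE_USERS):
        print(f"review: {name} ({len(name)} chars)")
```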
Schneider Electric breached for second time this year
Schneider Electric confirmed a breach on its developer platform after a threat actor named “Grep” claimed to have stolen 40GB of data from the company’s JIRA server. The intruder reportedly used exposed credentials and a MiniOrange REST API to scrape 400,000 rows of user data, including 75,000 unique email addresses and full names of Schneider Electric employees and customers, though the company emphasized its products and services remain unaffected. Grep, who is part of a newly formed hacking group called International Contract Agency (ICA), had threatened to leak the data if the company did not acknowledge the breach, so we’ll have to wait and see what the threat actor does next. This is not the first time Schneider Electric has been breached this year: in January the company’s sustainability division was ransomed and terabytes of data were allegedly stolen. (Bleeping Computer)
Google claims first vulnerability found using AI
Google’s Big Sleep project, a collaboration between Project Zero and DeepMind, recently uncovered its first real-world vulnerability: a stack buffer underflow in SQLite. Found with the help of an AI model in October, this flaw went undetected by traditional fuzzing, sparking interest in AI as a supplementary tool for vulnerability research. Though an argument could be made as to whether this was actually the first time a large language model (LLM) was used to discover a vulnerability: a security researcher with Neuroengine said he discovered a zero-day using an LLM in April, publishing his results in June, but tells InfoSecurity Magazine he believes Google’s announcement was an “honest mistake.” (InfoSecurity Magazine, Security Week)
New phishing attack infects Windows with Linux VMs
A phishing campaign named CRON#TRAP is deploying Linux virtual machines via phishing emails to infiltrate Windows systems with minimal detection. This attack, identified by Securonix, uses a fake “OneAmerica survey” email that installs a 285MB ZIP file containing a QEMU VM preloaded with a backdoor. Using the tool Chisel for tunneling, attackers can communicate covertly with the VM, bypassing traditional security due to QEMU’s legitimate status. (Bleeping Computer)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.