Cyber News Roundup for November 26, 2024
As you gather around the Thanksgiving table later this week, the last thing you want is to be the one out of the loop on the latest cybersecurity headlines. Trust us, your friends and family will never let you live it down! From new attack techniques to massive outages and government recommendations on password legacies, we’ve rounded up the must-know news so you can stay informed and keep the dinner table chatter on point. Read on to get the full scoop—because you don’t want to be left in the digital dust this holiday season!
APT28 uses novel technique to breach organizations via nearby WiFi networks
Volexity has published a report on a novel attack vector used by the Russian threat actor GruesomeLarch (commonly known as “APT28” or “Fancy Bear”) to breach enterprise Wi-Fi networks. The threat actor first compromised vulnerable organizations in close proximity to the targeted entity until they found a system that had both wired and wireless network connections. They would then use this system’s Wi-Fi adapter to connect to the SSID of the targeted organization’s Wi-Fi and authenticate to it, granting them access to the target’s network.
The researchers note, “Volexity believes this represents a new class of attack that has not previously been described, in which a threat actor compromises one organization and performs credential-stuffing attacks in order to compromise other organizations in close physical proximity via their Wi-Fi networks. To reiterate, the compromise of these credentials alone did not yield access to the customer’s environment, as all Internet-facing resources required use of multi-factor authentication (MFA). However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect.” Volexity adds, “The Nearest Neighbor Attack effectively amounts to a close access operation, but the risk of being physically identified or detained has been removed. This attack has all the benefits of being in close physical proximity to the target, while allowing the operator to be thousands of miles away.” Volexity says the threat actor used this technique to steal information on Ukrainian matters just before Russia’s invasion of Ukraine in February 2022. (Volexity)
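The write-up above turns on two observable events: valid credentials arriving over Wi-Fi from a device the organization does not manage, and one device failing against many usernames (the credential-stuffing step). The following detection sketch is an added example, not code from Volexity's report; the RADIUS-style log format, field names, MAC addresses and asset inventory are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample 802.1X/RADIUS authentication events (not real logs); the
# field names and MAC values are assumptions chosen for this example.
SAMPLE_LOGS = """\
2022-02-01T09:12:03Z auth-ok user=alice nas=ap-3f calling-station-id=AA:BB:CC:00:00:01
2022-02-01T09:12:10Z auth-ok user=bob nas=ap-3f calling-station-id=AA:BB:CC:00:00:02
2022-02-01T22:41:07Z auth-fail user=alice nas=ap-3f calling-station-id=DE:AD:BE:EF:00:10
2022-02-01T22:41:09Z auth-fail user=bob nas=ap-3f calling-station-id=DE:AD:BE:EF:00:10
2022-02-01T22:41:12Z auth-fail user=carol nas=ap-3f calling-station-id=DE:AD:BE:EF:00:10
2022-02-01T22:41:20Z auth-ok user=dave nas=ap-3f calling-station-id=DE:AD:BE:EF:00:10
"""

# Constructed asset inventory: MACs of corporate-managed wireless adapters.
KNOWN_DEVICES = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>auth-ok|auth-fail) user=(?P<user>\S+) "
    r"nas=(?P<nas>\S+) calling-station-id=(?P<mac>\S+)$"
)


def parse_events(lines):
    """Yield one dict per well-formed event; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_suspicious(lines, known_macs, stuffing_threshold=3):
    """Flag (1) a successful logon from a MAC not in the asset inventory, i.e.
    valid credentials presented by an unmanaged device, and (2) one MAC failing
    against several distinct usernames, the credential-stuffing pattern."""
    unknown_device_success = []
    failed_users_by_mac = defaultdict(set)
    for ev in parse_events(lines):
        if ev["result"] == "auth-ok" and ev["mac"].upper() not in known_macs:
            unknown_device_success.append((ev["ts"], ev["user"], ev["mac"]))
        elif ev["result"] == "auth-fail":
            failed_users_by_mac[ev["mac"].upper()].add(ev["user"])
    stuffing_sources = {mac: len(users) for mac, users in failed_users_by_mac.items()
                        if len(users) >= stuffing_threshold}
    return {"unknown_device_success": unknown_device_success,
            "stuffing_sources": stuffing_sources}
```

Either hit on a real network is a prompt to check whether the device is a known asset and, more fundamentally, whether the Wi-Fi still accepts a password alone where every Internet-facing service already demands MFA.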
Microsoft 365 outage update
If you were wondering whether Microsoft’s outages on Monday should have been your cue to start your Thanksgiving vacation early, you weren’t alone. Microsoft addressed widespread Microsoft 365 outages affecting services like Exchange Online, Microsoft Teams, SharePoint Online, and Outlook. The issue, caused by a “recent change,” has led to difficulties accessing these platforms and performing certain actions within Microsoft Fabric and Defender for Office 365. Microsoft deployed a fix to the affected environments, initiated manual restarts on impacted systems, and, as of this recording, is monitoring progress. While this follows a major outage in July caused by a DDoS attack, Microsoft has not attributed the current incident to any malicious activity. (Bleeping Computer)
“Hair on Fire” over China’s cyber campaign
The Biden administration met with telecom executives to discuss the impact of China’s cyber espionage campaign targeting U.S. telecommunications networks, which may require a large-scale rebuild of infrastructure. Senator Mark Warner, chair of the Senate Intelligence Committee, has raised alarms over China’s persistent cyberattacks on U.S. telecommunications networks, describing their severity as far exceeding previous incidents. He said China’s actions make Russia-linked incidents like the SolarWinds hack and Colonial Pipeline attack look like “child’s play.” Warner highlighted that attackers exploited wiretapping capabilities and stole extensive data from U.S. networks, while the administration’s meeting emphasized sharing intelligence on the ongoing threat. China denies these claims, but U.S. officials have described the activity as significant and unresolved. (The Register)
Meta takes down millions of accounts linked to pig-butchering scams
Facebook’s parent company Meta has taken down over two million accounts this year tied to pig-butchering scams, CyberScoop reports. Pig butchering is a form of investment scam that involves forming a long-term, trusted relationship with the victim and tricking them into pouring a great deal of money into a phony investment scheme, usually involving cryptocurrency. The scams often begin on dating apps or social media sites.
Many of these scams are run out of criminal forced-labor operations in Myanmar, Laos, Cambodia, the United Arab Emirates, and the Philippines. Meta states, “During the COVID-19 pandemic, scam compounds run by organized crime emerged in the Asia Pacific region as one of the major sources of ‘pig butchering’ and other scam activity. And while they are mostly based in Asia, scam centers target people across the globe. These criminal scam hubs lure often unsuspecting job seekers with too-good-to-be-true job postings on local job boards, forums, and recruitment platforms to then force them to work as online scammers, often under the threat of physical abuse.” (Cyberscoop, Meta)
DoJ seizes credit card marketplace PopeyeTools
The dark web marketplace PopeyeTools, which specialized in selling stolen credit cards along with cybercrime tools and had been in business since 2016, was taken down by agents of the Department of Justice last week; three of its key operators now face fraud-related charges, and its websites and hosting services have been seized. According to court documents, the PopeyeTools marketplace offered services such as “unauthorized payment card data and PII for cards that were marketed as ‘live’ as well as logs of stolen bank account information, email spam lists, scam pages, and guides and tutorials.” (Department of Justice announcement)
North Korean front companies impersonate U.S. IT firms for military funding
According to researchers at SentinelOne, as well as a report from Palo Alto Networks, threat actors connected to North Korea continue to impersonate U.S.-based software and technology consulting businesses. In a global campaign, which Palo Alto Networks Unit 42 is tracking as Wagemole, the actors use forged identities to obtain employment at companies in the U.S. and elsewhere, sending most of their salary back to their home country. This most recent chapter in the ongoing story identifies by name some front companies, analyzed by SentinelOne, which were “all registered through NameCheap and claimed to be development outsourcing, consulting, and software businesses, while copying their content from legitimate companies.” The list is available in the show notes to this episode. (The Hacker News)
Volunteer DEFCON hackers take on U.S. water infrastructure concerns
The Franklin project, launched at this year’s DEFCON, is intended to employ the skills of top hackers to “not only … strengthen U.S. resilience to online attacks, but also to chronicle what is being done in a yearly Hacker’s Almanack so that others can learn essential skills.” The program is partnered with the Harris School of Public Policy’s Cyber Policy Initiative at the University of Chicago, as well as the National Rural Water Association (NRWA). Together they are using the coders’ talents to investigate water companies in Utah, Vermont, Indiana, and Oregon, to fix any issues they find, and then pass the knowledge on. (The Register)
VMware vCenter Server flaws are being actively exploited
The US Cybersecurity and Infrastructure Security Agency (CISA) warns that two vulnerabilities affecting VMware vCenter Server are being actively exploited. One of the flaws (CVE-2024-38812) has been assigned a CVSS score of 9.8 and can allow an attacker to achieve remote code execution. Broadcom issued updated patches in October after determining that its September patches didn’t fully address the vulnerability. The company strongly encourages customers to ensure they’ve applied the new patches. The vulnerabilities affect “VMware vCenter and any products that contain vCenter, including VMware vSphere and VMware Cloud Foundation.” (CISA, vmware)
MITRE offers updated list of most dangerous software vulnerabilities
MITRE, the not-for-profit organization that oversees federally funded R&D centers with an eye to cybersecurity, has updated its “Common Weakness Enumeration Top 25 Most Dangerous Software Weaknesses” list, reflecting the newest developments in the cyber threat landscape. Cross-site scripting takes the top spot, followed by out-of-bounds write flaws and SQL injection bugs. Missing authorization comes in at number 10. CISA, which worked with a branch of MITRE in putting together the report, is now urging organizations to “review the list and prioritize these weaknesses in development and procurement processes.” (Security Week and MITRE)
Easily exploitable bugs found in Ubuntu Server utility after 10 years
Researchers at Qualys’ Threat Research Unit say they refuse to release exploit code for five bugs in Ubuntu Server’s needrestart utility. They state they were “able to develop a working exploit but wouldn’t release it, describing the findings as alarming.” The five vulnerabilities were actually introduced in April 2014. They reside in the needrestart utility of Ubuntu Server, which is designed to determine whether a restart is needed after, for example, a critical library update or an upgrade. All five vulnerabilities have CVE numbers, and four of them have a CVSS score of 7.8. (The Register)
Japan’s government suggests putting your usernames and passwords in your will
Described as “digital end of life planning,” Japan’s National Consumer Affairs Center on Wednesday released a collection of suggestions to help avoid the complications and costs associated with passing to the great beyond with passwords still hidden. Helping loved ones deal with a digital legacy can include: ensuring family members can unlock your smartphone or computer; maintaining a list of subscriptions with user IDs and passwords; adding these details to a document intended for the person or persons responsible for managing such affairs; and designating a person to have access to the smartphone and other accounts. (The Register)
Oracle patches zero-day flaw
Oracle has issued a patch for an actively exploited vulnerability (CVE-2024-21287) affecting its Agile Product Lifecycle Management software, BleepingComputer reports. Oracle stated, “This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure.” The flaw was assigned a CVSS score of 7.5. (Bleepingcomputer, Oracle)
Chinese threat actors infiltrate more telcos
CrowdStrike has published a report on LIMINAL PANDA, a Chinese threat actor targeting telecommunications companies in countries associated with China’s Belt and Road Initiative. The researchers note, “The adversary targets these organizations to directly collect network telemetry and subscriber information or to breach other telecommunications entities by exploiting the industry’s interoperational connection requirements.” The goal of the operation is likely cyberespionage. CrowdStrike explains, “LIMINAL PANDA has previously focused on telecommunications providers in southern Asia and Africa, suggesting that their final targets likely reside in these regions; however, individuals roaming in these areas may also be targeted depending on the compromised network’s configuration and LIMINAL PANDA’s current access. Equally, depending on their current collection requirements, the adversary could employ similar TTPs to target telecoms in other regions.” (Axios, CrowdStrike)
Apple issues emergency security update
The company issued a patch for two vulnerabilities impacting most of Apple’s portfolio, including iOS, iPadOS, macOS Sequoia, Safari, and visionOS. Researchers at Google’s Threat Analysis Group initially disclosed the issues to Apple. One flaw impacts JavaScriptCore; the other is a “cookie management issue” in WebKit. The company said it found signs of active exploitation on Intel-based Mac systems, although no details on any threat actors targeting the vulnerabilities were released. These mark the sixth zero-day vulnerabilities disclosed by Apple this year. (Infosecurity Magazine)
Have questions? Reach out to RedSeal to chat with one of our cybersecurity experts or schedule a demo today.