Cyber News Roundup for July 15, 2024
Welcome to this week’s cybersecurity roundup, focusing on key developments in digital security. Start your week with the latest headlines from around the globe to keep you informed and ready to defend against evolving cyber threats.
We begin with a follow-up to last week’s blog on AT&T’s breach, which exposed metadata that cybercriminals could use for impersonation. NATO has announced a new cyber defense center in Belgium to combat state-sponsored threats. Microsoft is phasing out Android use for employees in China due to security concerns, and CISA has added a Cisco command injection vulnerability to its Known Exploited Vulnerabilities catalog, highlighting ongoing zero-day risks. Additionally, the U.S. Senate is introducing legislation to streamline cybersecurity regulations.
1. The personal security implications of the AT&T breach
The phone carrier’s data breach, announced on Friday, contained records of the phone numbers customers called or texted between May 1, 2022 and October 31, 2022. The stolen data does not include the content of calls or texts, nor their time or date. In some instances cell site information was also stolen, which might help threat actors triangulate customers’ locations, while the phone numbers themselves reveal the people those customers interacted with. According to Rachel Tobac, a social engineering expert and founder of cybersecurity firm SocialProof Security, quoted in TechCrunch, this type of data, referred to as metadata, “makes it easier for cybercriminals to impersonate people you trust, making it easier for them to craft more believable social engineering or phishing attacks against AT&T customers.” She continues, “the attackers know exactly who you’re likely to pick up a call from, who you’re likely to text back, how long you communicate with that person, and even potentially where you were located during that conversation due to the metadata that was stolen.” (TechCrunch)
Read our latest blog on network modeling to discover what RedSeal can do to bolster your cybersecurity efforts.
2. NATO will build a cyber defense center in Belgium
NATO members have agreed to establish the NATO Integrated Cyber Defence Centre (NICC) at the Supreme Headquarters Allied Powers Europe (SHAPE) in Belgium. Announced during NATO’s 75th-anniversary summit in Washington DC, the NICC aims to enhance resilience and respond to digital threats. The center will house civilian and military experts from member states and utilize advanced technology to improve situational awareness and collective cyber defense. Its primary role is to inform military commanders about offensive cyber threats and vulnerabilities, including those affecting civilian critical infrastructure. NATO has been bolstering its cyber capabilities, conducting defense exercises and developing rapid response strategies. The NICC and similar initiatives respond to rising threats from countries like Russia and China, emphasizing the alliance’s commitment to cybersecurity. (Infosecurity Magazine)
3. Microsoft is phasing out Android use for employees in China
Starting in September, Microsoft employees in China will be required to use iPhones for work, cutting off Android devices. An internal memo revealed that this move is part of Microsoft’s Secure Future Initiative, aiming to ensure all staff use Microsoft Authenticator and Identity Pass apps. The decision stems from the fragmented Android app market in China, where Google Play is unavailable, and local platforms by Huawei and Xiaomi prevail. Consequently, Microsoft has decided to block these devices from accessing its corporate resources. Affected employees will receive an iPhone 15 as a one-time replacement. The change is driven by security concerns, following multiple state-sponsored cyberattacks, including a significant breach linked to Russia earlier this year. Microsoft’s Executive Vice President, Charlie Bell, emphasized the company’s commitment to prioritizing security, pledging a major overhaul to address cloud vulnerabilities and enhance credential protection. (Bloomberg)
4. CISA adds a Cisco command injection vulnerability to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco NX-OS Command Injection Vulnerability, CVE-2024-20399, to its Known Exploited Vulnerabilities catalog. This zero-day vulnerability, exploited by the China-linked group Velvet Ant, allows authenticated, local attackers with administrator credentials to execute arbitrary commands as root on affected devices. Cisco addressed the flaw, which affects several Nexus series switches, and recommended using the Cisco Software Checker to identify vulnerable devices. Federal agencies must fix this vulnerability by July 23, 2024. (Securityaffairs)
5. Top threats facing NATO ahead of major milestone
Ahead of NATO’s 75th anniversary, analysts at Mandiant have outlined the greatest threats facing the organization and its allied countries. According to Mandiant Intelligence chief analyst John Hultquist, the primary adversaries remain Russia and China. The main threat actors identified include Russia’s APT29, COLDRIVER, and APT44, focusing on espionage, disinformation, and disruptive cyberattacks. China’s espionage efforts have become more stealthy, targeting government, military, and economic entities within NATO using sophisticated techniques like zero-day exploits and operational relay box (ORB) networks. Disinformation and hacktivism are increasing, with groups exploiting geopolitical tensions to undermine NATO’s stability and security. (Security Week)
6. Senate takes aim at ‘overly burdensome’ cybersecurity regs
The Senate has introduced new bipartisan legislation called the “Streamlining Federal Cybersecurity Regulations Act.” The bill would create a committee tasked with harmonizing the “overly burdensome, inconsistent, or contradictory” cybersecurity requirements currently imposed on companies by federal regulatory agencies. The committee would include the national cyber director, the heads of each federal regulatory agency and other government leaders. The new bill comes a month after the assistant national cyber director for cyber policy and programs, Nicholas Leiserson, warned lawmakers of increasing “fragmentation” of cybersecurity regulations. (CyberScoop)
7. Chinese threat actors exploit N-day vulns in mere hours
U.S. agencies including CISA, the FBI and the NSA, together with international law enforcement partners, have issued a joint advisory warning that the Chinese state-sponsored actor APT40 is targeting newly discovered software vulnerabilities within hours. Rather than relying on techniques that require user interaction, the group exploits vulnerable, public-facing infrastructure to obtain valid credentials. The speed at which APT40 operates creates a “patching race” condition for organizations. This highlights the need for security teams to promptly patch internet-facing vulnerabilities and to monitor advisories from trusted sources. (Dark Reading)
8. Microsoft patches two zero-days
Microsoft yesterday issued patches for 142 vulnerabilities, including two actively exploited zero-days, Help Net Security reports. One of the zero-days (CVE-2024-38112) is a spoofing vulnerability in the Windows MSHTML Platform that can be triggered with a malicious HTML file. Researchers at Check Point found that threat actors have been exploiting the flaw since at least January 2023. Check Point explains, “Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL. An additional trick on IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.” (Help Net Security)
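The Check Point description above turns on a file type many defenders never inspect: Windows Internet Shortcut (.url) files, which are small INI-style text files whose [InternetShortcut] section carries a URL= target. The following is an added example, not code from the original article or from Check Point or Microsoft: it parses .url files and flags the two indicators the quoted text mentions, a remote web target and a reference to an .hta file in that target. The sample file bodies are constructed, and the heuristics (treating any .hta reference as high-signal and a bare IP host as worth a look) are this example's assumptions, not part of the reported campaign.

```python
import configparser
import ipaddress
from urllib.parse import urlparse

# Constructed sample .url file bodies (not real indicators). Windows writes these as
# INI text with an [InternetShortcut] section and a URL= key.
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://intranet.example.test/policies\n",
    "suspect.url": "[InternetShortcut]\nURL=http://203.0.113.10/docs/report.pdf.hta\nIconIndex=0\n",
    "broken.url": "not an ini file\n",
}


def parse_url_shortcut(text):
    """Return the URL= target of an Internet Shortcut, or None if the body is not one.

    configparser lower-cases option names, so 'URL' is read back as 'url'.
    """
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # no section header, duplicate keys, etc.
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "url", fallback=None)


def _is_bare_ip(host):
    """True if the host component is a literal IPv4/IPv6 address."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_shortcut(text):
    """Assess one .url body and return its target, findings and an alert verdict.

    Findings (assumptions of this example, not a vendor taxonomy):
      hta-reference  - the remote target's path or query names a .hta (HTML Application)
      bare-ip-host   - the target host is a literal IP address rather than a name
    """
    target = parse_url_shortcut(text)
    if target is None:
        return {"target": None, "findings": ["unparseable"], "alert": False}
    parsed = urlparse(target.strip())
    findings = []
    # Lower-case the whole path+query so a .hta hidden deeper in the string is still caught.
    if ".hta" in (parsed.path + "?" + parsed.query).lower():
        findings.append("hta-reference")
    if parsed.scheme.lower() in ("http", "https") and _is_bare_ip(parsed.hostname):
        findings.append("bare-ip-host")
    return {"target": target, "findings": findings, "alert": "hta-reference" in findings}


def scan_files(files):
    """Run assess_shortcut over a {name: body} mapping and return {name: result}."""
    return {name: assess_shortcut(body) for name, body in files.items()}


if __name__ == "__main__":
    for name, result in scan_files(SAMPLES).items():
        print(f"{name}: alert={result['alert']} findings={result['findings']} target={result['target']}")
```

In a mail-gateway or EDR pipeline the same function would be fed the bytes of any .url attachment; only the hta-reference finding raises an alert here, while a bare IP host is recorded for an analyst to review.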
9. Australia targets government tech under foreign control
Australia’s Department of Home Affairs issued new instructions to all government agencies, ordering them to review their tech stacks for Foreign Ownership, Control or Influence risks. The agencies have until June 2025 to report these risks. A separate order requires developing a security risk management plan for any internet-facing services or systems that can be “directly accessed by untrusted or unknown entities.” A third order mandates government agencies using threat intelligence platforms to connect to a centralized sharing platform run by the Australian Signals Directorate. (The Record)
10. New group targets Veeam vulnerability
Researchers at Group-IB discovered that a ransomware group known as EstateRansomware began exploiting a known flaw in Veeam Backup & Replication in early April 2024; Veeam had patched the flaw in March 2023. The group gained initial access through Fortinet VPN appliances using dormant accounts, and from there the attackers accessed a failover server. Once in, EstateRansomware created a rogue user account and established a command shell. Before dropping its ransomware payload, the group disabled Windows Defender. The Russian FIN7 cybercrime group exploited the same flaw last year. (The Hacker News)
11. Google expands security services
It’s always a good idea to keep abreast of changes to Google security services. Google introduced its Advanced Protection Program back in 2017, designed to provide extra security for targeted users like journalists and politicians. Since launch, this required two physical security keys to set up, with users having to provide a password and one of those keys to log in. Now Google allows setting up the service with a single passkey using phone-based biometrics. The company also announced it will make its “Dark Web reports” available to all Google accounts later this month. Google previously limited these reports to Google One subscribers. As such, the reports will no longer show up in the Google One app, moving instead to general account settings. (The Verge, 9to5Google)
12. A massive phishing campaign is exploiting Microsoft SharePoint servers
A massive phishing campaign is exploiting Microsoft SharePoint servers to host malicious PDFs with phishing links. The attack, observed by malware hunting service ANY.RUN, has surged, with over 500 detections in the last 24 hours. This campaign uses trusted SharePoint services, making it hard to detect malicious intent. The phishing flow involves an email link directing to a SharePoint PDF, a CAPTCHA prompt, and a fake Microsoft login page. Users should verify email sources, check URLs, and enable multi-factor authentication. Indicators of phishing include unexpected SharePoint notifications, mismatched file types, urgent requests, and suspicious login pages. (Cyber Security News)
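The indicators listed above are easy to state and easy to forget at triage time, so here is an added example (not code from the original article or from ANY.RUN) that encodes them as checks over an email record plus the redirect chain a sandbox recorded when the link was followed. It assumes a short allowlist of genuine Microsoft sign-in hosts, a keyword test for urgency and for CAPTCHA hops, and a rule that a link advertised as a document must not end on a credential prompt; all of those are this example's assumptions, and both sample emails are constructed.

```python
from urllib.parse import urlparse

# Hosts where a genuine Microsoft sign-in page lives (short illustrative allowlist; an
# assumption of this example, extend it for your tenant).
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
URGENCY_WORDS = ("urgent", "immediately", "action required", "expires")
DOCUMENT_EXTS = (".pdf", ".docx", ".xlsx")

# Constructed sample emails (not real indicators): subject, the visible link text, and the
# chain of URLs visited when the link was followed in a sandbox.
PHISH_EMAIL = {
    "subject": "ACTION REQUIRED: shared document expires today",
    "link_text": "Q2_Invoice.pdf",
    "chain": [
        "https://tenant-my.sharepoint.com/personal/user_example_com/_layouts/15/guestaccess.aspx?share=ABC",
        "https://docs-verify.example/captcha",
        "https://docs-verify.example/office365/login.php",
    ],
}
BENIGN_EMAIL = {
    "subject": "Meeting notes shared with you",
    "link_text": "notes.docx",
    "chain": [
        "https://tenant-my.sharepoint.com/personal/user_example_com/_layouts/15/guestaccess.aspx?share=XYZ",
        "https://login.microsoftonline.com/common/oauth2/authorize?client_id=placeholder",
    ],
}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_login_page(url):
    """Heuristic: the path or query mentions login/signin (assumption of this example)."""
    p = urlparse(url)
    probe = (p.path + "?" + p.query).lower()
    return any(k in probe for k in ("login", "signin", "sign-in"))


def triage_email(email):
    """Return the phishing indicators found and whether they warrant an alert.

    Findings:
      urgency-language              - subject uses pressure wording
      trusted-host-origin           - first hop is on sharepoint.com; recorded so trust in the
                                      host is visible to the analyst rather than ending analysis
      captcha-gate                  - a hop is a CAPTCHA page, which blocks automated scanners
      login-page-off-microsoft      - the chain ends on a sign-in page outside MS_LOGIN_HOSTS
      document-to-credential-prompt - the link promised a document but ended on that sign-in page
    """
    findings = []
    if any(w in email["subject"].lower() for w in URGENCY_WORDS):
        findings.append("urgency-language")
    chain = email["chain"]
    if not chain:
        return {"findings": findings, "alert": False}
    if host_of(chain[0]).endswith(".sharepoint.com"):
        findings.append("trusted-host-origin")
    if any("captcha" in urlparse(u).path.lower() for u in chain):
        findings.append("captcha-gate")
    final = chain[-1]
    if is_login_page(final) and host_of(final) not in MS_LOGIN_HOSTS:
        findings.append("login-page-off-microsoft")
        if email["link_text"].lower().endswith(DOCUMENT_EXTS):
            findings.append("document-to-credential-prompt")
    return {"findings": findings, "alert": "login-page-off-microsoft" in findings}


if __name__ == "__main__":
    for label, email in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage_email(email))
```

The benign sample shows why the SharePoint origin is recorded rather than scored: a genuine share link also starts on sharepoint.com and may redirect to a real Microsoft sign-in, and it is the off-Microsoft login page at the end of the chain, not the trusted first hop, that separates the two.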
13. Germany strips Huawei and ZTE from 5G infrastructure
The German government has agreed with major telecom companies to phase out critical Huawei and ZTE components from their 5G infrastructure over the next five years. Interior Minister Nancy Faeser announced that Deutsche Telekom, Vodafone, and Telefonica would discontinue using Chinese-made components in core 5G network parts by the end of 2026 and from antennas, transmission lines, and towers by the end of 2029. This decision aims to protect Germany’s economy and communication systems from potential cybersecurity risks. Despite no specific evidence against Huawei, the move aligns Germany with other European countries and the US, which have already restricted Huawei and ZTE equipment. (NYT)
14. CDK Global reportedly pays $25M ransom following cyberattack
Following up on the story regarding CDK Global, the maker of specialized software for car dealerships, The Register reports that the company paid the $25 million ransom in bitcoin to the group that runs BlackSuit ransomware. The consulting firm Anderson Economic Group suggests that the total financial damage to dealers in the first two weeks of the shutdown is just over $600 million, or 24 times the ransom. The problems for CDK and its customers are not yet over, with certain parts of the network still offline as restoration and rebuilding continue. (The Register and Anderson Economic Group)
15. CISA breaks into a U.S. federal agency, goes unnoticed for five months
As part of a red teaming exercise, which CISA calls a SILENTSHIELD assessment, specialists exploited an unpatched vulnerability in the Oracle Solaris enclave of an unnamed federal civilian executive branch agency, leading to what CISA said was a full compromise. The intrusion was made in January 2023, and for the following five months of the assessment the target organization “failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity.” As reported in The Register, “After gaining access to the Solaris enclave, the red team discovered they couldn’t pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases. Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful.” (The Register)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.