Cyber News Roundup for August 26, 2024

Start this week in the know on the latest in cyber news. We’ve got headlines from around the globe to keep you informed, from the Justice Department taking the Georgia Institute of Technology to court over cybersecurity breaches related to Pentagon contracts, amateur radio enthusiasts reeling from a million-dollar ransomware attack, and Chinese hackers exploiting a zero-day flaw in Cisco appliances. Additionally, Halliburton faces operational disruptions following a cyberattack, and the Kremlin deals with a contentious DDoS incident affecting multiple digital platforms.

Discover more about these incidents and other pressing cybersecurity challenges in today’s update.

 

The Justice Department is suing the Georgia Institute of Technology and an affiliated company for allegedly failing to meet required cybersecurity standards for Pentagon contracts

The Justice Department is suing the Georgia Institute of Technology and an affiliated company for allegedly failing to meet required cybersecurity standards for Pentagon contracts. The lawsuit, brought under the False Claims Act, alleges that Georgia Tech’s Astrolavos Lab did not develop a proper system security plan as mandated by the Department of Defense and falsely reported its cybersecurity assessment to the Pentagon. Although the lab implemented a plan in February 2020, it reportedly failed to cover all necessary devices. The whistleblower lawsuit, filed by two former members of Georgia Tech’s cybersecurity team, alleges a lack of enforcement of cybersecurity regulations at the university. Georgia Tech disputes the claims, stating that the lawsuit misrepresents its commitment to innovation and integrity, and insists there was no breach or data leak involved. (Cyberscoop)

 

Ham radio enthusiasts pay a million-dollar ransom

The ARRL (American Radio Relay League) is a national association for amateur radio enthusiasts in the United States. A letter to their members says that in early May 2024, ARRL’s network was compromised by threat actors (TAs) using dark web-purchased information. The attackers infiltrated both on-site and cloud-based systems, deploying ransomware across various devices, from desktops to servers. The highly coordinated attack took place on May 15, leading to significant disruption. Despite ARRL being a small non-profit, the attackers demanded a multi-million-dollar ransom. After tense negotiations, ARRL paid a $1 million ransom, largely covered by insurance. The organization quickly formed a crisis management team and involved the FBI, who categorized the attack as uniquely sophisticated. Most systems have been restored, with Logbook of The World (LoTW) back online within four days. ARRL is now simplifying its infrastructure and establishing an Information Technology Advisory Committee to guide future IT decisions. (ARRL)

 

Chinese threat actor exploited Cisco zero-day

Researchers at Sygnia warn that the China-aligned threat actor Velvet Ant exploited a zero-day vulnerability (CVE-2024-20399) affecting on-premises Cisco Switch appliances. The flaw, which was patched last month, “allows an attacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the Linux underlying operating system.” Velvet Ant exploited the vulnerability to “deploy tailored malware, which runs on the underlying OS and is invisible to common security tools.” (Cisco)

 

Halliburton takes systems offline following cyberattack

The oil field services company informed regulators and the media on Friday about a recent cyberattack that “necessitated the shut-down of certain systems.” The attack happened on Wednesday and affected operations at its headquarters in Houston. According to the 8-K report submitted on Thursday to the SEC, the company said hackers “gained access to certain of its systems.” (The Record)

 

Kremlin complains of DDoS attack, digital experts not so sure

Disruptions that occurred on Wednesday for some Russian users of WhatsApp, Telegram, Skype, Discord, Twitch, Wikipedia, Steam and even PornHub, are being blamed by the Russian internet regulator Roskomnadzor on a DDoS incident targeting Russian telecom operators. Local digital experts disagree with this statement, arguing that it is impossible to organize a DDoS attack on all 2,000 Russian telecom operators simultaneously. Stanislav Shakirov, co-founder and technical director of the Russian digital rights organization Roskomsvoboda, suggested that the regulator “likely tried to block Telegram, which inadvertently impacted other services.” (The Record)

 

Windows Recall to reappear

Microsoft is deploying an updated version of its Recall feature, which was initially announced this spring and immediately derided by industry analysts as a keylogger or spyware. The idea behind Recall was to take snapshots of a user’s desktop every few seconds as a tool for keeping track of things. It was pulled from the widespread Copilot+ PC release on June 13, but will be deployed to testers in the coming weeks. Microsoft has not fully clarified how the new version will differ, but has said it will include “just in time” decryption and that Windows Insiders will need a Copilot+ PC. (The Register)

 

Two years later, Log4Shell still being exploited

This is according to researchers at Datadog Security Labs. “Cybercriminals are still finding targets for Log4Shell exploits that evade detection and plant malware scripts on unpatched corporate systems.” The cause is systems that remain unpatched even though fixes have long been available. “Security experts have warned that eradicating the problem will be a long, laborious process because of software dependencies and so-called ‘transitive dependencies’ that make patching very difficult.” Datadog, for example, has observed nation-state APT actors linked to China, Iran, North Korea and Turkey using obfuscated LDAP requests (LDAP is the directory protocol that Active Directory is built on) to evade detection, leading to the execution of malicious scripts on compromised systems. (Security Week)

 

Mandiant uncovers a privilege escalation vulnerability in Microsoft Azure Kubernetes Services

A privilege escalation vulnerability in Microsoft Azure Kubernetes Services (AKS) could have allowed attackers to access sensitive information, such as service credentials used by the cluster, Mandiant reports. The issue affected AKS clusters using Azure CNI for network configuration and Azure for network policy. Attackers with command execution in a pod within the cluster could exploit this vulnerability to download cluster node configurations, extract TLS bootstrap tokens, and access all secrets in the cluster. The flaw could be exploited even without root privileges or hostNetwork enabled. Microsoft resolved the issue after being notified. Mandiant highlights the risk of Kubernetes clusters lacking proper configurations, as attackers could use this vulnerability to compromise the cluster, access resources, and even expose internal cloud services. The flaw also allowed attackers to use the TLS bootstrap token to gain broader access to cluster secrets. (SecurityWeek)

 

Configuration flaw may affect thousands of apps using AWS ALB

Miggo Research has discovered a critical configuration flaw potentially affecting up to 15,000 applications that use AWS Application Load Balancer (ALB) for authentication. The researchers explain, “First, the attacker creates their own ALB instance with authentication configured in their account. The attacker then uses this ALB to sign a token they fully control. Next, the attacker alters the ALB configuration and sets the issuer field to the victim’s expected issuer. AWS subsequently signs the attacker’s forged token with the victim’s issuer. Finally, the attacker uses this minted token against the victim’s application, bypassing both authentication and authorization.”

To mitigate this risk, Miggo says AWS customers should:

  1. “Verify that every application using the ALB authentication feature checks the token signer.
  2. “Restrict your targets to accept traffic only from your Application Load Balancer.”

AWS has updated its documentation to include this guidance, but it’s up to customers to make the recommended changes. (Miggo)
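The first recommendation is the one an application can enforce in code. The following added example (not from Miggo or AWS) parses the `x-amzn-oidc-data` header that the ALB forwards, and rejects the token unless its `signer` field is the ARN of our own load balancer and its `iss` field is the configured issuer, before any identity claims are trusted; the ARN, issuer and key id are hypothetical values and the sample token is constructed for the test. The ES256 signature still has to be verified with the key fetched from the documented public-key endpoint.

```python
import base64
import json
import time
from typing import Optional

# Hypothetical values for this example: the ARN of the ALB we own and the OIDC
# issuer configured on it. In a real deployment both come from configuration.
EXPECTED_SIGNER = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                   "loadbalancer/app/my-alb/50dc6c495c0c9188")
EXPECTED_ISSUER = "https://idp.example.com"

def _b64url_decode(segment: str) -> bytes:
    # ALB tokens are base64url; tolerate missing '=' padding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_alb_token(oidc_data: str, now: Optional[float] = None) -> str:
    """Provenance checks on an x-amzn-oidc-data JWT: "ok" or a rejection reason.
    The ES256 signature must still be verified with the key fetched from
    public_key_url(); these checks decide whose key may count at all."""
    now = time.time() if now is None else now
    parts = oidc_data.split(".")
    if len(parts) != 3:
        return "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # binascii.Error and JSONDecodeError are subclasses
        header = None
    if not isinstance(header, dict):
        return "undecodable header"
    # The advisory's mitigation: a token minted by another account's ALB carries
    # that ALB's ARN in 'signer', whatever issuer string its owner configured.
    if header.get("signer") != EXPECTED_SIGNER:
        return "signer is not our load balancer"
    if header.get("iss") != EXPECTED_ISSUER:
        return "unexpected issuer"
    if header.get("alg") != "ES256":
        return "unexpected algorithm"
    if float(header.get("exp", 0)) <= now:
        return "token expired"
    return "ok"

def public_key_url(region: str, kid: str) -> str:
    """AWS-documented endpoint serving the ALB public key identified by 'kid'."""
    return f"https://public-keys.auth.elb.{region}.amazonaws.com/{kid}"

def constructed_token(header: dict) -> str:
    """Constructed sample token with dummy payload/signature, for exercising the checks."""
    def enc(b: bytes) -> str:
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join(enc(s) for s in (json.dumps(header).encode(), b'{"sub":"u"}', b"sig"))
```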

 

Feds tapping into encrypted messaging haul

According to a review of court records by 404 Media, US law enforcement agencies have increasingly used encrypted chat messages drawn from a trove that European agencies obtained from the phone company Sky back in 2021. Records show no indication that US agencies have bulk access to this data; rather, they received messages from European partners for particular people under investigation. It’s unclear how authorities obtained the trove, but Sky itself claimed that someone created a fake version of its app and sold phones loaded with it through “unauthorized channels.” The cases profiled by 404 Media all involved prosecutions for narcotics smuggling and distribution. (404 Media)

 

Microchip Technology hit by cyberattack

The US chipmaker reported to the Securities and Exchange Commission that “potentially suspicious activity” over the weekend inhibited the use of “certain servers and some business operations.” As of this recording, it says it’s still operating “at less than normal levels,” with order volume impacted. Its response to the incident sounds bog-standard: isolating impacted systems, shutting down services, and calling in third-party experts to help investigate. No other specifics on who orchestrated the attack, but we’ll follow up as more details come to light. (The Record)

 

Poisoning LLMs to create insecure code

At the USENIX Security Symposium, a team of academic researchers presented details of CodeBreaker, a set of techniques for poisoning large language model training sets to make the models more likely to suggest vulnerable code. The researchers systematically crafted code samples that don’t register as malicious with static analysis tools. This builds on previous research that used malicious code in comments and split payloads to introduce vulnerabilities into the training set. Of course, this kind of poisoning isn’t new: research has previously found malicious code popping up in StackOverflow tutorials. And given the lack of quality control when ingesting code scraped from the internet, vulnerable code suggestions are already a reality in these training sets. (Dark Reading)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.