Tag Archive for: network exposure analytics

Cyber News Roundup for May 9, 2024

Cuckoo malware, a paralyzed city of Wichita, and early cybersecurity preparations for the upcoming Olympics made headlines this week. RedSeal is here to keep you informed and equipped to fortify your cyber defenses in an ever-evolving digital landscape.

 

1. Cuckoo malware targets macOS systems

Cybersecurity researchers at Kandji have identified a new malware called Cuckoo targeting Apple macOS systems. It’s designed as a universal Mach-O binary, compatible with both Intel and ARM-based Macs, and found on websites offering music ripping and MP3 conversion tools. Cuckoo establishes persistence via a LaunchAgent and employs a locale check to avoid execution in Russia or Ukraine. It tricks users into providing system passwords through fake password prompts for escalated privileges and performs extensive data harvesting. This includes capturing hardware information, running processes, installed apps, screenshots, and sensitive data from iCloud Keychain, Apple Notes, web browsers, crypto wallets, and various applications like Discord and Steam. The associated malicious application bundles are signed with a valid developer ID. (Kandji)

 

2. Secretary of State Blinken is set to unveil a new international cybersecurity strategy at the RSA Conference in San Francisco

The Biden administration is set to introduce a new international cybersecurity strategy, marking the first U.S. global cyber strategy in over a decade, aimed at bolstering global cooperation against cyber threats. Secretary of State Antony Blinken will unveil the strategy at the RSA Conference in San Francisco. This strategic plan targets enhancing cybersecurity through four main pillars: establishing a secure digital ecosystem, promoting rights-respecting digital technology with allies, forming coalitions against cyberattacks, and boosting cybersecurity resilience among partner nations. A key element of this strategy is the allocation of $50 million to the newly formed Cyberspace and Digital Connectivity fund, aimed at supporting cybersecurity improvements in allied countries.

Additionally, the strategy emphasizes a proactive role in cyber diplomacy at the United Nations and seeks to develop global norms for emerging technologies like artificial intelligence (AI). The U.S. aims to foster international consensus on AI usage and cyber conduct. The strategy’s implementation is considered urgent, with efforts intensifying in the months leading up to the November presidential election, reflecting the need for consistent U.S. leadership in global cybersecurity irrespective of potential administration changes. (Politico)

 

3. Chinese-linked ArcaneDoor targets global network infrastructure

A cyber espionage campaign named ArcaneDoor, potentially linked to Chinese actors, has targeted network devices from vendors including Cisco. According to Censys, the actor's infrastructure was being stood up as early as July 2023, while the first intrusion was detected in January 2024. The attacks deployed two custom implants, Line Runner and Line Dancer, by exploiting vulnerabilities in Cisco Adaptive Security Appliances (CVE-2024-20353 and CVE-2024-20359) that Cisco has since patched. Censys' findings point to a China-based threat actor: key infrastructure used SSL certificates tied to Chinese networks and hosted services related to anti-censorship tools. (The Hacker News)

 

4. Largest city in Kansas paralyzed by ransomware attack

Another city government faces the implications of a ransomware attack. The city of Wichita, Kansas was forced to shut down portions of its network over the weekend after its IT systems were encrypted with ransomware. Bleeping Computer reports: payment systems for city water, court citations, and tickets are down. There is no additional information regarding whether any information was compromised or which ransomware group has claimed responsibility for the attack. (Bleeping Computer)

 

5. Microsoft warns Android developers to steer clear of the Dirty Stream

Microsoft has warned Android users and developers about an attack pattern it calls Dirty Stream, a path traversal flaw in how apps consume files shared through Android's content provider mechanism (including files exposed via Android's own FileProvider class). A receiving app that trusts the filename a remote provider returns, and writes the incoming stream to that name inside its own private data directory, can be made to overwrite its own files. Notably affected were popular apps such as Xiaomi File Manager and WPS Office, which together have over 1.5 billion installs; Microsoft found the pattern in apps totalling four billion installations and expects it to be present in others. Because the overwritten file can be a native library, a configuration file or stored credentials, Dirty Stream can lead to arbitrary code execution in the context of the target app and theft of its authentication tokens, giving an attacker control of the app and access to the user's accounts. Microsoft has informed affected developers, who have patched their apps, and urges all developers to review theirs; Google has also published guidance on the issue. (Security Week)
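The core of Dirty Stream is a file-sink that trusts a name it did not choose. The block below is an added example (RedSeal's page carries no code, and this is not Microsoft's or Google's published sample); it models the Android data directory with a temp dir so it runs anywhere, and contrasts the vulnerable write with a hardened helper. The function names, the `shared_prefs/auth.xml` target and the hostile display name are all constructed for the demonstration.

```python
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a provider-supplied display name would escape the files directory."""


def make_app_dir() -> Path:
    """Constructed stand-in for an Android app's private data directory.

    The real layout is /data/data/<package>/{files,shared_prefs,...}; a temp
    dir is used here so the example runs on any machine.
    """
    root = Path(tempfile.mkdtemp(prefix="dirtystream_"))
    (root / "files").mkdir()
    (root / "shared_prefs").mkdir()
    (root / "shared_prefs" / "auth.xml").write_text("<token>original</token>")
    return root


def save_shared_file_vulnerable(files_dir: Path, display_name: str, data: bytes) -> Path:
    """The Dirty Stream anti-pattern: the receiving app joins the display name
    returned by the remote content provider onto its own files directory and
    writes the stream there without checking where the path actually lands."""
    target = files_dir / display_name
    target.write_bytes(data)
    return target


def safe_target(files_dir: Path, display_name: str) -> Path:
    """Hypothetical hardened helper (this example's own, not vendor guidance
    verbatim): reject separators, dot entries and NULs, then canonicalise and
    require that the result is a direct child of files_dir."""
    if not display_name or display_name in (".", ".."):
        raise UnsafeFilename(f"empty or dot name: {display_name!r}")
    if any(ch in display_name for ch in ("/", "\\", "\x00")):
        raise UnsafeFilename(f"separator or NUL in name: {display_name!r}")
    base = files_dir.resolve()
    target = (base / display_name).resolve()  # resolve() also follows symlinks
    if target.parent != base:
        raise UnsafeFilename(f"{display_name!r} escapes {base}")
    return target


def save_shared_file_hardened(files_dir: Path, display_name: str, data: bytes) -> Path:
    target = safe_target(files_dir, display_name)
    target.write_bytes(data)
    return target


def demo() -> dict:
    root = make_app_dir()
    files_dir = root / "files"
    # A hostile provider answers the DISPLAY_NAME query with a traversal string.
    hostile_name = "../shared_prefs/auth.xml"
    save_shared_file_vulnerable(files_dir, hostile_name, b"<token>attacker</token>")
    overwritten = (root / "shared_prefs" / "auth.xml").read_text()
    try:
        save_shared_file_hardened(files_dir, hostile_name, b"x")
        blocked = False
    except UnsafeFilename:
        blocked = True
    benign = save_shared_file_hardened(files_dir, "report.pdf", b"%PDF-1.4")
    return {"overwritten": overwritten, "blocked": blocked, "benign": benign.name}


if __name__ == "__main__":
    print(demo())
```

On Android the equivalent check is `File.getCanonicalPath()` on the joined path compared against the canonical path of `getFilesDir()` plus a separator; rejecting separators up front is cheap, and the canonical-parent check is the defence that survives tricks the character filter does not anticipate.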

 

6. French cybersecurity teams prepare for “unprecedented” Olympic threat

Jérémy Couture, who is in charge of the cybersecurity hub for the event being held in Paris in July, says his goal is to have his team’s activities perceived as a “non-event” by successfully fending off attacks from nation state actors, hacktivists, thrill seekers, and everyone else. He adds that it’s not just the games themselves that need protecting, but also the infrastructure that supports them, such as transport networks and supply chains. Russia, which is banned from these games, is of particular focus, but, officials state, they are looking at everything. (Security Week)

 

7. Ascension health system disrupted by cyberattack

US health system Ascension has sustained a cyberattack that disrupted some of its systems, the Record reports. The organization, which runs 140 hospitals across the country, stated, “Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible. There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption.” The nonprofit is working with Mandiant to respond to the incident. (The Record)

 

8. Mobile medical provider DocGo discloses data breach

Mobile health service provider DocGo has disclosed a cyberattack that led to the theft of patient health information, BleepingComputer reports. The company stated in an SEC filing, “Promptly after detecting unauthorized activity, the Company took steps to contain and respond to the incident, including launching an investigation, with assistance from leading third-party cybersecurity experts, and notifying relevant law enforcement. As part of its investigation, the Company has determined that the threat actor accessed and acquired data, including certain protected health information, from a limited number of healthcare records within the Company’s U.S.-based ambulance transportation business, and that no other business lines have been involved.” (BleepingComputer)

 

9. MedStar Health sustains breach

Maryland-based healthcare organization MedStar Health sustained a data breach affecting more than 183,000 patients, the Record reports. A hacker gained access to the data through email accounts belonging to three MedStar employees. The threat actor was able to access “patients’ names, mailing addresses, dates of birth, date(s) of service, provider name(s), and/or health insurance information.” The company said in a breach notification, “Patients whose information may have been involved are encouraged to review statements they receive related to their healthcare. If they identify anything unusual related to the healthcare services or the charges for services, they should contact the healthcare entity or health insurer immediately.” (The Record, MedStar Health)

 

10. US indicts LockBit ransomware ringleader

On Tuesday, the U.S. Department of Justice (DoJ) charged the alleged mastermind behind the notorious LockBit ransomware-as-a-service (RaaS) operation. The DoJ unmasked 31-year-old Russian national Dmitry Yuryevich Khoroshev (also known as LockBitSupp, LockBit, and putinkrab) in a 26-count indictment that includes charges of fraud, extortion, and damaging protected computers. The charges carry a combined maximum penalty of 185 years in prison. Khoroshev is accused of designing LockBit, recruiting affiliates, and maintaining LockBit’s infrastructure and leak site, and allegedly received over $100 million in proceeds from ransom payments. The US is offering a reward of up to $10 million for information leading to his arrest. Sanctions were also announced on Tuesday by the United Kingdom and Australia. (SecurityWeek)

 

11. CISA is moving the needle on vulnerability remediation

CISA launched its Ransomware Vulnerability Warning Pilot in January 2023 and issued 1,754 warning notices to entities with vulnerable internet-accessible devices in its first year. The agency said that nearly half (852) of these notifications resulted in organizations patching, briefly taking systems offline to fix the issue, or otherwise mitigating the exploitable flaws. CISA intends to turn the pilot into a fully automated warning system by the end of next year.

Another CISA-led initiative, the Known Exploited Vulnerabilities (KEV) catalog introduced in 2021, is also speeding up remediation. The KEV lists vulnerabilities confirmed to be exploited in the wild and, for federal agencies, sets a due date for fixing each one; enterprises use it as a prioritization signal. Bitsight reported that critical-severity KEVs are remediated 2.6 times faster than critical vulnerabilities not in the catalog, while high-severity KEVs are fixed 1.8 times faster. Non-profits and NGOs are the slowest to remediate, while tech companies and insurance and financial firms are the fastest. (The Register and Dark Reading)
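What makes the catalog actionable is that it is a machine-readable feed with a due date and a ransomware flag per CVE, which lets a scan backlog be re-ordered by evidence of exploitation rather than by CVSS alone. The block below is an added example, not CISA's, Bitsight's or RedSeal's code: it embeds a constructed catalog in the shape of the real KEV JSON (field names match the feed; the CVE IDs are two named in this roundup, CVE-2022-38028 and CVE-2017-8570, but the dates and ransomware values are illustrative, not copied from the catalog), merges it with a constructed scan result, and returns the findings in remediation order. `CVE-0000-0000` is a placeholder for a finding that is not in the catalog.

```python
from __future__ import annotations

import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed
# (known_exploited_vulnerabilities.json). Dates and ransomware flags are
# illustrative values for the example, not the catalog's real entries.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-38028", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Windows Print Spooler Privilege Escalation",
         "dateAdded": "2024-04-23", "dueDate": "2024-05-14",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2017-8570", "vendorProject": "Microsoft", "product": "Office",
         "vulnerabilityName": "Microsoft Office Remote Code Execution",
         "dateAdded": "2024-04-30", "dueDate": "2024-05-21",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scan output: one finding per host/CVE pair with a CVSS score.
FINDINGS = [
    {"host": "web-02", "cve": "CVE-0000-0000", "cvss": 9.8},      # placeholder, not in KEV
    {"host": "print-01", "cve": "CVE-2022-38028", "cvss": 7.8},
    {"host": "fileserver-01", "cve": "CVE-2017-8570", "cvss": 7.8},
]


def load_kev(text: str) -> dict[str, dict]:
    """Index the catalog by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritize(findings: list[dict], kev: dict[str, dict], today: date) -> list[dict]:
    """Order findings: KEV entries with known ransomware use first, then other
    KEV entries by due date, then everything else by CVSS descending."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            tier = 0 if ransomware else 1
            days_left = (due - today).days
        else:
            due, ransomware, tier, days_left = None, False, 2, None
        rows.append({**f, "in_kev": entry is not None, "ransomware": ransomware,
                     "tier": tier, "due": due, "days_left": days_left})
    rows.sort(key=lambda r: (r["tier"], r["due"] or date.max, -r["cvss"]))
    return rows


def overdue(rows: list[dict]) -> list[dict]:
    """KEV findings whose due date has already passed."""
    return [r for r in rows if r["days_left"] is not None and r["days_left"] < 0]


if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev(KEV_SAMPLE), date(2024, 5, 9)):
        print(f'{r["tier"]} {r["cve"]:15} {r["host"]:15} cvss={r["cvss"]} due={r["due"]} days_left={r["days_left"]}')
```

Note that the CVSS 9.8 placeholder sinks to the bottom: the point of the KEV signal is precisely that a 7.8 with confirmed exploitation outranks a 9.8 with none. Swap `KEV_SAMPLE` for the downloaded feed and `FINDINGS` for a scanner export and the ordering logic is unchanged.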

 

12. Lockbit takes credit for Wichita attack

The ransomware group has added the city of Wichita to its leak site, giving officials until May 15th to pay an unspecified ransom. We previously covered the city’s announcement of the attack over the weekend. In the wake of the attack, the city says it can accept only cash or checks for city services, and it will not shut off water service for non-payment until regular payment methods are restored. The claim comes on the heels of US law enforcement publicly naming the suspected leader of LockBit, Dmitry Khoroshev. (The Record)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Cyber News Roundup for May 2, 2024

From sophisticated cyberattacks crippling essential infrastructure to stealthy botnet discoveries and revelations about data breaches, this week’s roundup has something for all. Join us as we delve into the latest stories surrounding cyber warfare, emerging threats, and innovative defense strategies.

RedSeal is here to keep you informed and equipped to fortify your cyber defenses in an ever-evolving digital landscape.

 

1.  A crucial Kansas City weather and traffic system is disabled by a cyberattack

Last week, the Kansas City Scout System, a crucial bi-state traffic and weather management tool operated by the Departments of Transportation in Missouri and Kansas, was disabled by a cyberattack. This outage occurred during a weekend of severe storms, posing significant risks as the system displays real-time weather and traffic updates on highway signs and through its app and website. Following the attack, all systems, including traffic cameras and message boards, were shut down as a protective measure by the IT team. Restoration efforts are underway, but there is no specified timeline for when services will resume. The disruption has raised concerns about the inability to communicate urgent weather warnings to drivers, complicating safety measures during a critical time. (The Record)

 

2. Muddling Meerkat uses China’s Great Firewall to manipulate DNS queries

Infoblox has published a report on “Muddling Meerkat,” a suspected Chinese government threat actor that uses China’s Great Firewall (GFW) to generate fake DNS Mail Exchange (MX) records. The group’s motivations are unclear. Infoblox explains, “The most remarkable feature of Muddling Meerkat is the presence of false MX record responses from Chinese IP addresses. This behavior, never published before, differs from the standard behavior of the GFW. These resolutions are sourced from Chinese IP addresses that do not host DNS services and contain false answers, consistent with the GFW. However, unlike the known behavior of the GFW, Muddling Meerkat MX responses include not IPv4 addresses but properly formatted MX resource records instead. This feature is truly remarkable and largely inexplicable.”

The researchers speculate that Muddling Meerkat may be pre-positioning for future DDoS attacks, creating DNS noise to cover up malicious activity, or simply conducting internet mapping and research. Renée Burton, Vice President of Threat Intelligence at Infoblox, concludes in a blog post, “In my professional experience, I have found Chinese threat actors to be extremely adept at managing, understanding, and leveraging the DNS for many purposes—whether that be censorship, cybercrime, or DDoS attacks. They also have some of the finest researchers in the field. Whatever the real goal of Muddling Meerkat is, we should not underestimate the talent and patience required to achieve it.” (Infoblox)

 

3. Marriott backtracks claims of encryption protection

Marriott is trying to sweep some new revelations about its 2018 breach under the rug. According to CSO Online, the hotel conglomerate had defended itself in litigation over the breach by arguing that its encryption (AES-128) was so strong that the case against it should be dismissed. It turns out, however, that the company had not encrypted the data at all but had instead applied a hashing mechanism to it. A hash is not a confidentiality control for a low-entropy field like a passport number: anyone holding the hashes can recover the originals by enumerating the possible inputs, whereas recovering AES-encrypted data requires the key. As for wanting to sweep this ‘miscommunication’ under the rug, Marriott has not released any update about the misrepresentation; instead, it added a couple of sentences to an article that is more than five years old. Its 2018 impact statement says Marriott believes the information of approximately 500 million guests was affected. (CSO, Marriott statement, 2018)
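The practical difference between "hashed" and "encrypted" for a passport-number column is worth seeing in code. The block below is an added example, not Marriott's or CSO's: it assumes an unkeyed, unsalted SHA-1 of the identifier (the hash the breach reporting describes; the specific algorithm is an assumption here), shows that the stolen hash is recovered by enumerating a constructed identifier space, and contrasts it with a keyed HMAC that the same enumeration cannot reverse without the key. The passport-style number and the 100,000-candidate space are constructed; the timing extrapolation is from the rate observed on the machine running it.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Iterable, Optional


def sha1_hex(value: str) -> str:
    """Unkeyed, unsalted SHA-1: the assumed 'protection' on the stored column."""
    return hashlib.sha1(value.encode()).hexdigest()


def hmac_sha256_hex(key: bytes, value: str) -> str:
    """Keyed pseudonymisation: same input space, but useless without the key."""
    return hmac.new(key, value.encode(), "sha256").hexdigest()


def candidates(prefix: str, digits: int) -> Iterable[str]:
    """Constructed identifier space: a fixed prefix followed by every
    zero-padded number of the given width, i.e. 10**digits candidates."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"


def recover(digest_hex: str, space: Iterable[str], hashfn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: hash every candidate and compare to the stolen digest."""
    for cand in space:
        if hmac.compare_digest(hashfn(cand), digest_hex):
            return cand
    return None


def demo() -> dict:
    secret_id = "C03417561"  # constructed passport-style number, not a real document
    space_size = 10 ** 5

    # What the attacker stole: the unkeyed hash.
    stored_hash = sha1_hex(secret_id)
    t0 = time.perf_counter()
    recovered = recover(stored_hash, candidates("C034", 5), sha1_hex)
    elapsed = time.perf_counter() - t0
    # Extrapolate the observed rate to a full 9-digit space (10**9 candidates).
    est_hours_full_space = elapsed / space_size * 10 ** 9 / 3600

    # The same column protected with a keyed function; the key never leaves the
    # server, so the attacker can only guess it.
    key = secrets.token_bytes(32)
    stored_tag = hmac_sha256_hex(key, secret_id)
    guessed_key = b"attacker-guess"
    recovered_keyed = recover(stored_tag, candidates("C034", 5),
                              lambda v: hmac_sha256_hex(guessed_key, v))

    return {"recovered": recovered, "recovered_keyed": recovered_keyed,
            "seconds_for_1e5": elapsed, "est_hours_for_1e9": est_hours_full_space}


if __name__ == "__main__":
    print(demo())
```

Even single-threaded CPython gets through the 9-digit space in hours; a GPU cracker does it in seconds. A keyed HMAC stops the offline attack but, like any hash, cannot give the value back to the legitimate application; where the business needs to read the passport number again, the correct control is authenticated encryption under a managed key, which is what Marriott claimed to have.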

 

4. Massive malware campaigns infect Docker Hub

Researchers at JFrog have identified that around 20% of the 15 million Docker Hub repositories hosted malicious content, including malware and phishing sites. They discovered nearly 4.6 million repositories lacking actual Docker images, with 2.81 million linked to three major malicious campaigns initiated since early 2021. These campaigns employed various strategies, such as batch creation of fake repositories and SEO manipulation, to distribute harmful software. One prominent campaign, active in 2021 and 2023, utilized a generic Trojan to push malware through fake installation dialogs, potentially as part of a larger adware or monetization operation targeting compromised systems. (Bleeping Computer)

 

5. New vulnerabilities are found in Intel processors

Researchers from multiple universities, including UC San Diego and Purdue, along with industry partners such as Google, have discovered two new types of cyberattacks targeting the conditional branch predictor in Intel processors. These attacks, detailed in their upcoming presentation at the 2024 ACM ASPLOS Conference, exploit the Path History Register—a feature that tracks the order and addresses of branches, revealing more precise information than previous methods. The attacks allow for an unprecedented level of control and data extraction from affected processors, posing potential risks to billions of devices. These findings have prompted Intel and AMD to issue security advisories. The research showcases the ability to manipulate processor behaviors, potentially exposing confidential data through sophisticated techniques that outpace existing security measures. (Helpnet Security)

 

6. Researchers discover a stealthy botnet-as-a-service coming from China

Researchers at EPCyber have identified an extensive botnet-as-a-service network originating from China. It features multiple domains, over 20 active Telegram groups, and the use of domestic communication channels. The infrastructure supports a botnet capable of launching coordinated attacks, including distributed denial-of-service (DDoS) strikes that can take down systems despite protections from services such as Cloudflare. Its ability to bypass current defenses poses a significant threat. European companies are particularly at risk, as attackers target their domain names and can redirect users to harmful sites. The campaign highlights weaknesses in the Domain Name System (DNS) and underscores the need for robust DNS security to protect online operations and maintain customer trust. (GBHackers)

 

7. US Department of Defense launches CORA program

Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) on March 1st launched its Cyber Operational Readiness Assessment (CORA) program following a successful nine-month pilot phase. Air Force Lieutenant General Robert Skinner, commander of JFHQ-DODIN, stated, “CORA is a vital aspect of continually understanding our cyber readiness through fusing many risk factors including access control, detecting anomalies, adjusting to adversary threat information and executing cyber orders. Ultimately, the assessment provides commanders and directors a more precise understanding of their high-priority cyber terrain and their overall cyber security and defensive posture enabling greater command and control and enhancing decision making.” (US DOD)

 

8. Anti Ukraine hack exploits seven-year-old Microsoft Office vulnerability

According to Deep Instinct Threat Lab, a recent campaign targeting Ukraine used a seven-year-old Microsoft Office vulnerability (CVE-2017-8570) to deploy Cobalt Strike. The lure was a malicious PowerPoint Slideshow (PPSX) file whose filename included the word "signal", making it look as though it had been shared through the Signal messaging app; its content was based on an outdated U.S. Army manual for tank mine clearing blades. The payload included a DLL that injects the Cobalt Strike Beacon post-exploitation tool into memory and awaits commands from the C2 server. The threat actors used a cracked copy of Cobalt Strike. The researchers could not attribute the attacks to a known threat actor. (Security Affairs)

 

9. Russia-linked APT group uses GooseEgg to exploit Windows Print Spooler flaw

According to Microsoft, APT28 (also tracked as Fancy Bear and Forest Blizzard, formerly Strontium) has been exploiting a Windows Print Spooler privilege escalation flaw, CVE-2022-38028, using a previously unknown tool called GooseEgg, possibly since as early as June 2020. GooseEgg modifies a JavaScript constraints file and executes it with SYSTEM-level permissions, giving the actor an elevated foothold for follow-on activity. APT28 has used GooseEgg against government, education, and transportation sector organizations in Ukraine, Western Europe, and North America. (Security Affairs)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.