A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition’s top stories -
↘️ Researchers have found that a China-nexus advanced persistent threat (APT) group dubbed Evasive Panda (aka Bronze Highland, Daggerfly, and StormBamboo) compromised an unnamed Internet service provider (ISP) to exploit its update mechanisms using DNS poisoning and deliver malware targeting Windows and macOS systems such as MgBot and MACMA. DNS poisoning is a type of DNS abuse in which an attacker poisons DNS records to reroute network communications to an attacker-controlled server in order to steal and manipulate information transmitted to users. [The Hacker News / Dark Reading / Ars Technica]
↘️ Major gaps in Microsoft’s Windows Update architecture could be exploited by malicious actors to launch software downgrade attacks (aka version-rollback attacks) that can “unpatch” fully patched Windows systems and reintroduce old vulnerabilities. In other words, the update mechanism can be used as a trojan horse to revert an immune, fully up-to-date software back to an older version with known, exploitable vulnerabilities. Microsoft said it’s working on a patch for these issues. [WIRED / The Hacker News]

↘️ Researchers have identified a new attack called Bucket Monopoly impacting AWS that leverages an attack vector called Shadow Resource, which involves bad actors creating S3 buckets in advance in other AWS regions and then waiting for the targeted users to enable vulnerable services in those regions, causing sensitive files and configurations to be stored in the attacker-controlled buckets. This could then be used to gain administrative control over the account. The attacks take advantage of the fact that S3 bucket names are unique across the entire AWS infrastructure, thus opening the door to a scenario where an attacker can register the bucket name in advance and wait for the victim organisation to set up a service at a later time in a different region. [The Hacker News]
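The defensive counterpart to the Shadow Resource pattern is to enumerate the predictable bucket names an account will eventually need in every region it might enable a service in, and to find out which of them already exist under someone else's control. The following is an added example, not code from the research or from AWS; the name template, the region list and the `fake_head_bucket` stand-in are constructed so it runs offline (with boto3, `head_bucket` returns 200 for a reachable bucket and raises a `ClientError` carrying 403 or 404 otherwise, and the adapter is a few lines).

```python
"""Classify predictable S3 bucket names as owned / foreign / free (added example).

Assumes the account derives bucket names from a template such as
"<service>-<account-id>-<region>"; the template and the fake lookup below
are constructed for illustration and are not the names of any real service.
"""

# Regions this account might enable a service in later (constructed subset).
CANDIDATE_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"]


def candidate_bucket_names(template, account_id, regions=CANDIDATE_REGIONS):
    """Expand a predictable name template for every region the account may use."""
    return [template.format(account_id=account_id, region=r) for r in regions]


def classify_buckets(names, head_bucket):
    """Classify each name using head_bucket(name) -> HTTP status code.

    200: exists and this account can access it (expected: ours).
    403: exists but belongs to another account -> a shadow resource is in place.
    404: not yet registered -> claim it now so nobody else can.
    """
    result = {"owned": [], "foreign": [], "free": []}
    for name in names:
        status = head_bucket(name)
        if status == 200:
            result["owned"].append(name)
        elif status == 403:
            result["foreign"].append(name)
        elif status == 404:
            result["free"].append(name)
        else:
            raise RuntimeError(f"unexpected status {status} for {name}")
    return result


# --- constructed stand-in for a HeadBucket call (no network, no boto3) ---
FAKE_WORLD = {
    "example-service-assets-123456789012-us-east-1": 200,  # our own bucket
    "example-service-assets-123456789012-eu-west-1": 403,  # registered by someone else
}


def fake_head_bucket(name):
    """Hypothetical lookup: every name not in FAKE_WORLD is still free."""
    return FAKE_WORLD.get(name, 404)


if __name__ == "__main__":
    names = candidate_bucket_names("example-service-assets-{account_id}-{region}",
                                   "123456789012")
    for kind, found in classify_buckets(names, fake_head_bucket).items():
        print(kind, found)
```

Any name reported as `foreign` deserves an incident ticket before the corresponding service is enabled in that region, and names reported as `free` should be created by the account itself. Independently of this check, S3 requests that carry the `ExpectedBucketOwner` parameter (a real parameter on most S3 API operations) fail when the bucket is owned by a different account, which stops writes into a shadow bucket even if the name was never audited.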
↘️ The Secure Boot process on millions of Intel and ARM microprocessor-based computing systems from multiple vendors can be bypassed owing to the fact that they all share a test cryptographic key from American Megatrends International (AMI) that was accidentally leaked in 2022 via a GitHub repository. Secure Boot is a critical feature of the Unified Extensible Firmware Interface (UEFI) specification that performs cryptographic signature verification for all the components loaded during the boot process to ensure its integrity and that the boot mechanism has not been tampered with. The public exposure of the platform key means it could be exploited by a malicious actor to load arbitrary modules in the EFI partition on disk, which will get executed during startup, giving control to them. [Ars Technica / CSO Online / Dark Reading / The Hacker News]
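A defender's first question after this disclosure is whether a given machine's Platform Key is the leaked test certificate. The following is an added example, not code from the researchers or from AMI: it parses the EFI_SIGNATURE_LIST structure in which UEFI stores the PK variable (on Linux, exposed under `/sys/firmware/efi/efivars/` with a 4-byte attribute prefix) and searches each X.509 entry for the "DO NOT TRUST" marker that the AMI test certificate's subject carries. The marker string and the path are assumptions from public descriptions of the leaked key, and the sample blobs are constructed.

```python
"""Check whether a UEFI PK variable contains the AMI test certificate (added example).

The EFI_SIGNATURE_LIST layout below follows the UEFI specification:
  SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) |
  SignatureSize (4) | header[SignatureHeaderSize] | entries of SignatureSize bytes,
  each entry = SignatureOwner GUID (16) + SignatureData.
"""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TEST_KEY_MARKER = b"DO NOT TRUST"   # assumption: subject text of the test certificate
PK_EFIVAR_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
LIST_HEADER_LEN = 28


def parse_signature_lists(data):
    """Yield (signature_type, [signature_data, ...]) for each EFI_SIGNATURE_LIST."""
    off = 0
    while off + LIST_HEADER_LEN <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < LIST_HEADER_LEN or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        entries = []
        pos = off + LIST_HEADER_LEN + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            entries.append(data[pos + 16:pos + sig_size])   # skip SignatureOwner
            pos += sig_size
        yield sig_type, entries
        off += list_size


def pk_uses_test_key(var_bytes):
    """True if any X.509 certificate in the PK variable contains the marker.

    DER encodes subject names as ASCII/UTF-8 strings, so a byte search finds
    the text without a full certificate parser.
    """
    for sig_type, certs in parse_signature_lists(var_bytes):
        if sig_type == EFI_CERT_X509_GUID and any(TEST_KEY_MARKER in c for c in certs):
            return True
    return False


def check_running_system(path=PK_EFIVAR_PATH):
    """Read the live PK variable; efivarfs prepends 4 bytes of variable attributes."""
    with open(path, "rb") as f:
        raw = f.read()
    return pk_uses_test_key(raw[4:])


def build_pk_blob(cert_bytes):
    """Constructed helper: wrap fake certificate bytes in a one-entry signature list."""
    owner = uuid.UUID(int=0).bytes_le
    sig_size = 16 + len(cert_bytes)
    list_size = LIST_HEADER_LEN + sig_size
    return (EFI_CERT_X509_GUID.bytes_le
            + struct.pack("<III", list_size, 0, sig_size)
            + owner + cert_bytes)


if __name__ == "__main__":
    sample = build_pk_blob(b"\x30\x82CN=DO NOT TRUST - AMI Test PK")  # constructed
    print("test key present:", pk_uses_test_key(sample))
```

A positive result means the firmware's root of trust is a key whose private half is public, so the check belongs in fleet inventory tooling alongside firmware version data; the remedy is a vendor firmware update that installs a production PK, not a change to the operating system.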
↘️ Apple has introduced a new open-source package for its programming language Swift, called swift-homomorphic-encryption, which allows computations on encrypted data without decryption, safeguarding user information. The feature, per Apple, is already being used to power the new Live Caller ID Lookup feature in iOS 18. “Live Caller ID Lookup uses homomorphic encryption to send an encrypted query to a server that can provide information about a phone number without the server knowing the specific phone number in the request,” the iPhone maker said. [Apple]
↘️ As many as six vulnerabilities in ATM-maker Diebold Nixdorf’s widely deployed security solution, known as Vynamic Security Suite (VSS), could be exploited by attackers to bypass an unpatched ATM’s hard drive encryption and take full control of the machine. The issues have since been patched as of 2022 and 2023. [WIRED]
↘️ Security flaws discovered in Ecovacs vacuum and lawn mower robots could be exploited by an attacker in physical proximity to spy on their owners using the devices’ cameras and microphones. Ecovacs said it does not plan to address the vulnerabilities. [TechCrunch]
↘️ A number of security vulnerabilities have been disclosed in the Apache HTTP Server (httpd) — Filename confusion, DocumentRoot confusion, and handler confusion — which could be exploited to achieve remote code execution (RCE) or gain access to any file on the compromised server. The issues have been resolved in versions 2.4.59 and 2.4.60. [DEVCORE / Akamai]
↘️ A now-patched security vulnerability in the V8 JavaScript engine present in Chrome (CVE-2024-5830) could allow RCE in the renderer sandbox of the browser through a single visit to a malicious site. It was fixed in June 2024 with version 126.0.6478.54. [GitHub]
↘️ A massive data extortion campaign that compromises AWS resources through credentials collected from environment (.env) files stored insecurely on web servers has been uncovered in the wild. Examples of the leaked credentials included 1,185 unique AWS access keys, 333 PayPal OAuth tokens, 235 GitHub tokens, 111 HubSpot API keys, 39 Slack webhooks, and 27 DigitalOcean tokens. The accidental exposure of such files is a known issue that other researchers have warned about in the past, so it's not unusual for attackers to run attack tools that scan for their presence. But the scale of the attacks suggests that the misconfigurations are more widespread. In the hands of knowledgeable hackers, leaked secrets can be very powerful and dangerous, as they could be weaponized to breach cloud environments. [The Hacker News]
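Since the campaign depends on `.env` files sitting inside document roots, the cheapest defensive control is to audit one's own web roots for them before an attacker's scanner does. The following is an added example, not code from the researchers: it walks a directory tree for `.env`-style files and reports which of the credential types named above each file contains, without ever returning the secret values themselves. The regular expressions cover the public formats of AWS access key IDs, GitHub tokens and Slack incoming-webhook URLs; the web-root layout and file contents are constructed (the AWS key ID is the placeholder Amazon uses in its own documentation).

```python
"""Audit a web root for exposed .env files and the secret types they hold (added example)."""
import os
import re
import tempfile

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
}


def find_env_files(root):
    """Yield every .env or .env.<suffix> file below root (e.g. .env.production)."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn == ".env" or fn.startswith(".env."):
                yield os.path.join(dirpath, fn)


def scan_env_file(path):
    """Return {secret_type: count} for one file; secret values are never returned."""
    hits = {}
    with open(path, "r", errors="replace") as f:
        for line in f:
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    hits[name] = hits.get(name, 0) + 1
    return hits


def audit_webroot(root):
    """Map each .env file under the web root to the secret types it contains."""
    return {path: scan_env_file(path) for path in find_env_files(root)}


def make_sample_webroot():
    """Constructed fixture: a web root with one leaked .env holding fake values."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app")
    os.makedirs(app)
    with open(os.path.join(app, ".env"), "w") as f:
        f.write("APP_ENV=production\n")
        f.write("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")  # documentation placeholder
        f.write("SLACK_WEBHOOK=https://hooks.slack.com/services/"
                "T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\n")  # constructed
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html></html>\n")
    return root


if __name__ == "__main__":
    for path, hits in audit_webroot(make_sample_webroot()).items():
        print(path, hits)
```

A file that turns up in this report should be moved outside the document root and every credential in it rotated, since the scanners described above may already have fetched it. The web server should additionally refuse to serve dotfiles at all; in nginx a `location ~ /\. { deny all; }` block does this, and the same effect is available in Apache httpd with a `<FilesMatch "^\.">` block that denies access.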
↘️ Scammers are using Telegram bots to impersonate digital wallet brands, promoting fake referral reward schemes targeting Indonesian users. These scams are designed to deceive users into sharing their account details, leading to significant financial losses. “In exchange for referring the wallet to individuals as part of the referral process, the bot would claim to be depositing an amount upwards of 100,000 to the wallet, upon exchanging Account Number associated with Digital Wallet,” researchers said. “Upon further investigation, it was found that the bots were being operated by scammers to propagate and increase downloads / traffic for games and phishing domains cycling pig butchering scams.” [CloudSEK]
↘️ An Iranian nation-state actor known as TA453 (aka APT42 or Charming Kitten) targeted a prominent Jewish figure starting in late July 2024 as part of a spear-phishing campaign designed to deliver a new trojan malware called AnvilEcho. APT42 uses sophisticated spear-phishing techniques that involve impersonating multiple organizations and individuals that are known or of interest to their victims. Instead of delivering a malicious payload right away, the attackers engage in longer conversations with their targets to gain their trust. Sometimes this also involves impersonating more than one person — a technique called multi-persona impersonation — as part of a single email thread to build legitimacy. [The Hacker News]
↘️ Threat actors are now making use of progressive web applications (PWAs) to impersonate banking apps and steal credentials from Android and iOS users. Doing so offers a lot of advantages over native malicious apps in that they can trivially evade security protections or app installation restrictions. They are also cross-platform, allowing the adversaries to reach a broader audience through a single campaign. The novel attacks rely on a broad range of methods to reach their target audience, including automated calls, SMS phishing, and malvertising on Facebook and Instagram, to trick users into adding a PWA app to their Home Screen under the guise of a critical security update. [The Hacker News]
↘️ New research has discovered how cross-site scripting (XSS) vulnerabilities could be combined with the OAuth authentication standard to facilitate cookie theft and ultimately seize control of online accounts on susceptible websites. Separately, researchers are also warning about the increasing prevalence of Server-Side Template Injection (SSTI) vulnerabilities that could allow attackers to execute arbitrary commands on the server, potentially leading to unauthorized data access, server compromise, or exploitation of additional vulnerabilities. [Salt Security / Dark Reading / Check Point]
↘️ Threat actors partaking in the ransomware landscape are increasingly staying away from established ransomware-as-a-service (RaaS) platforms following a spate of law enforcement disruption operations and exit scams. [The Record / The Register / The Hacker News]
↘️ The China-linked threat actor known as Volt Typhoon used a previously unknown vulnerability, known as a zero-day flaw, in a program made by Versa Networks for managing wide-area networks to breach a handful of victims in the U.S. The activity is not surprising and fits with their established modus operandi of targeting edge infrastructure to then move inbound for living-off-the-land. [The Hacker News / The Washington Post]
↘️ Authorities from the Argentine Federal Police (PFA) arrested a Russian national for money laundering and seized millions of dollars in assets from his Argentina-based operation. The 29-year-old suspect, known only as V.B., is alleged to have accepted illicit cryptocurrency proceeds from North Korea's Lazarus Group, child sexual abuse vendors, and terrorist financiers, and subsequently converted them into clean fiat currency, TRM Labs said. According to local media outlet La Nacion, authorities seized over $121,000 worth of cryptocurrency and an additional $15 million from other properties he controlled. The location of V.B. was traced using information shared by Binance. [TRM Labs]
↘️ An ongoing cyber attack campaign is leveraging two little-known techniques called GrimResource and AppDomainManager Injection to breach organizations in Southeast Asia. The intrusions leverage ZIP archives containing specially crafted management saved console (MSC) files to execute code without user interaction and deliver Cobalt Strike. AppDomainManager Injection makes use of .NET Framework's AppDomainManager class to inject and run malicious files, achieving the same effect as DLL side-loading but in a more stealthy manner. The campaign is believed to be the work of a China-linked group tracked as APT41, due to the tactics used and the targeting of government agencies in Taiwan, the military in the Philippines, and energy organizations in Vietnam. [NTT Security Holdings]
↘️ Blockchain security firm CertiK was criticized for the manner in which it disclosed and exploited a critical security flaw impacting the Kraken cryptocurrency exchange to siphon $3 million in cryptocurrency, before returning the funds. More than two months later, it has now said that it “regret[s] that this incident occurred” and that it “made errors in judgment and poorly communicated with Kraken, resulting in a public dispute that raised significant concerns within the community.” The company also said it has “taken necessary steps to minimize the risk of similar misunderstandings occurring again.” [CertiK]
↘️ Salesforce-owned Slack has patched a security vulnerability that, if successfully exploited, could allow an attacker with access to the messaging platform to exfiltrate data present in private channels they are not a part of. The method takes advantage of a prompt injection flaw that allows a threat actor to provide malicious instructions in a public channel under their control. Thus, users who end up querying for information through Slack AI are served results that render the rogue instruction at the top. In a theoretical attack, this technique could be used to extract sensitive API keys shared in private channels. Alternatively, the mechanism could be used to render phishing links to victims. Slack has deployed a patch to remediate the problem. [PromptArmor]
↘️ The U.S. Department of Justice (DoJ) Office of the Inspector General (OIG) said the Federal Bureau of Investigation fails to properly label, store, and secure decommissioned electronic storage media. “We found the FBI does not always account for its loose electronic storage media, including hard drives that were extracted from computers and servers, thumb drives, and floppy disks,” the OIG said. “However, extracted internal hard drives are not tracked, and the FBI does not have the ability to confirm that these hard drives that contained SBU and/or NSI information were properly destroyed. The lack of accountability of these media increases the risk of loss or theft without possibility of detection.” [OIG]
↘️ The U.S. National Institute of Standards and Technology (NIST) has published the final version of the three new encryption algorithms — FIPS 203 (aka CRYSTALS-Kyber or ML-KEM), FIPS 204 (aka CRYSTALS-Dilithium or ML-DSA), and FIPS 205 (aka Sphincs+ or SLH-DSA) for general encryption and for protecting digital signatures — to secure current systems against future attacks using quantum technologies, marking the culmination of an eight-year effort from the agency. A fourth algorithm, FN-DSA (originally called FALCON), is slated for finalization later this year and is also designed for digital signatures. They were first announced in July 2022. One of the biggest looming threats to many forms of encryption is quantum computing, where companies are bracing for a potential future breakthrough in quantum computing that could make current methods of protecting users’ communications obsolete. [NIST / Dark Reading / The Record / SecurityWeek]
↘️ Threat actors are known to trick developers into accidentally installing malicious packages from open-source repositories by exploiting common typing errors or using slight variations in the name of a legitimate package, a technique called typosquatting. Other common tactics have included cloning and infecting popular repositories and poisoning artifacts by making use of compromised credentials. But a new attack technique called Revival Hijack opens the door to a more seamless form of supply chain attack. All it involves is re-registering a malicious package on PyPI using the same name as any legitimate, previously registered but now removed package from the repository and then waiting for organizations to download it. A staggering 120,000 removed packages could be exploited by attackers to sneak malware onto PyPI, although that number drops to 22,000 when factoring in those that had been active for at least months or that users had previously downloaded more than 100,000 times. [The Hacker News]
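A revived package keeps the original name but necessarily ships a different archive, so hash pinning (pip's `--require-hashes` mode, in which every requirement carries `--hash=sha256:...` options) is the control that catches it: the re-registered release fails verification even though name and version look identical. The following is an added example, not code from pip or from the researchers; it parses a hash-pinned requirements file, including pip's backslash line continuations, and verifies a downloaded archive against it. The package name, requirements text and archive bytes are constructed.

```python
"""Verify downloaded distributions against hashes pinned in requirements.txt (added example)."""
import hashlib
import re

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==([^\s\\]+)")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_pinned_requirements(text):
    """Return {name: (version, {sha256, ...})}, joining backslash-continued lines."""
    pinned = {}
    pending = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = " ".join(pending)
        pending = []
        m = REQ_LINE.match(logical)
        if not m:
            continue  # comments, blank lines, options
        name, version = m.group(1).lower(), m.group(2)
        pinned[name] = (version, set(HASH_OPT.findall(logical)))
    return pinned


def verify_artifact(name, version, content, pinned):
    """Return (ok, reason) for an archive about to be installed.

    A package re-registered under a removed name cannot reproduce the original
    archive bytes, so its digest never matches a hash recorded from the genuine
    release. A requirement pinned without any hash gives no such protection.
    """
    key = name.lower()
    if key not in pinned:
        return False, "package not pinned"
    want_version, hashes = pinned[key]
    if version != want_version:
        return False, f"version {version} != pinned {want_version}"
    if not hashes:
        return False, "no hash pinned; cannot distinguish a re-registered package"
    digest = hashlib.sha256(content).hexdigest()
    if digest not in hashes:
        return False, "sha256 mismatch: archive differs from the pinned release"
    return True, "ok"


# --- constructed data: one hash-pinned requirement, one pinned by version only ---
ORIGINAL_ARCHIVE = b"original sdist bytes of examplepkg 1.0.0"  # constructed
REQUIREMENTS = (
    "# constructed requirements file\n"
    "examplepkg==1.0.0 \\\n"
    "    --hash=sha256:" + hashlib.sha256(ORIGINAL_ARCHIVE).hexdigest() + "\n"
    "otherpkg==2.3.1\n"
)


if __name__ == "__main__":
    pinned = parse_pinned_requirements(REQUIREMENTS)
    print(verify_artifact("examplepkg", "1.0.0", ORIGINAL_ARCHIVE, pinned))
    print(verify_artifact("examplepkg", "1.0.0", b"revived archive", pinned))
    print(verify_artifact("otherpkg", "2.3.1", b"anything", pinned))
```

The `otherpkg` case is the one to watch for in real projects: a version pin alone is satisfied by a revived release that reuses the old version number, so the check reports it as unprotected rather than as verified.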
↘️ The U.S. Department of Justice accused five members of Russia’s military intelligence agency of hacking several Ukrainian government agencies, an unnamed U.S. government agency in Maryland and computers belonging to 26 NATO countries. The attacks have been attributed to a covert Russian military intelligence unit known as the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155). [WIRED / The Hacker News]
↘️ Cryptocurrency-related losses totalled more than $5.6 billion in 2023 with over 69,000 crypto-related complaints received by the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3). Overall losses in scams relating to cryptocurrency increased 45% since 2022. Losses from cryptocurrency-related investment fraud schemes reported to the IC3 rose from $2.57 billion in 2022 to $3.96 billion in 2023, an increase of 53%. Overall, losses to investment scams rose from $3.31 billion in 2022 to $4.57 billion in 2023. [IC3]
↘️ North Korean attackers are posing as recruiters for financial firms to lure developers into executing trojanized Python projects on their machines as part of fake job interviews. [The Hacker News]
↘️ A joint law enforcement operation has taken down a massive Chinese state-sponsored botnet dubbed Raptor Train that the attackers used to compromise hundreds of thousands of devices globally. The group behind the botnet, Flax Typhoon, hijacked routers and Internet of Things devices like cameras, video recorders and storage devices. The threat actor has been attributed to a Beijing-based company named Integrity Technology Group. [The Hacker News / CyberScoop]
↘️ Apple has filed a motion to dismiss its years-long legal effort against Pegasus spyware developer NSO Group, stating it could be forced to hand over sensitive threat intelligence that it said could be used by adversaries against its own security defenses. It also cited changes in the risk landscape, including the decentralization of spyware vendors and increased efforts on part of international governments to tackle the threat. Despite sanctions, commercial spyware continues to be a threat, in part driven by a purposefully nebulous ecosystem comprising a complex network of interrelated entities based in various locations and dependent on different jurisdictions. The government clampdown has also led espionage retailers to improve their ability to evade detection and do business in the shadows, often by renaming and shifting their identities in an effort to get around sanctions. [The Hacker News]
↘️ The Czech Republic has become the target of a new phishing campaign that leverages NATO-themed decoys to deliver a Rust-based loader dubbed Freeze, which is used to launch the Havoc command-and-control (C2) framework. The attack has been attributed with medium confidence to a Russian origin threat actor. [Seqrite Labs]
↘️ Swedish authorities have named proxies affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), a group calling itself Anzu Team, for penetrating an unnamed Swedish company in July 2023, taking over its SMS service, and sending over 15,000 messages calling for revenge against Quran burners on August 1, 2023. It’s currently not clear how the breach took place, although indications are that the purpose of the breach was an influence operation to impact public opinion and paint an image of Sweden as an Islamophobic country. [Säkerhetspolisen / Associated Press]
↘️ A now-patched security flaw in a web portal operated by carmaker Kia could have been exploited to reassign control of the internet-connected features of most modern Kia vehicles, dozens of models representing millions of cars, from the smartphone of a car's owner to the attacker's own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, the research found that it was possible to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will. [WIRED / The Hacker News]
↘️ New research has uncovered a privacy flaw in WhatsApp that’s being exploited by attackers to bypass the app’s “View once” feature and view messages again. Specifically, it was found that the feature can be trivially bypassed via malicious browser extensions that slightly modify the WhatsApp web app. This, in turn, is achieved by setting the View Once field to false in the database, making the official WhatsApp web app show the messages. While WhatsApp appears to be taking steps to remediate the problem, it has been found that the core issue remains unsolved to date. [Zengo]
↘️ Distributed denial-of-service (DDoS) attacks involving a new Mirai variant called GorillaBot surged sharply last month, launching 300,000 attacks across over 100 countries. The botnet has been found to leverage five built-in command-and-control servers (C2s) to issue a steady cadence of attack commands throughout each day. At its peak, the attack commands hit 20,000 in a single day. [The Hacker News]
↘️ Amazon Web Services (AWS) says it’s using a massive neural network graph model named Mithra with 3.5 billion nodes and 48 billion edges to speed up the detection of malicious domains in its cloud infrastructure. “Mithra’s reputation scoring system is tailored to identify malicious domains that customers come in contact with, so the domains can be ranked accordingly,” Amazon said. “Mithra is not only able to detect malicious domains with remarkable accuracy and fewer false positives, but this super graph is also capable of predicting malicious domains days, weeks, and sometimes even months before they show up on threat intel feeds from third parties.” Mithra also works alongside a threat intel honeypot sensor system called MadPot, which has been used to detect distributed denial-of-service (DDoS) botnets and malicious payloads linked to state-sponsored APTs like Volt Typhoon and Sandworm. [AWS]