FCC Chairwoman Jessica Rosenworcel recommended "urgent action" to safeguard the nation's communications systems from real and present cybersecurity threats.

Source: Asharkyu via Shutterstock

NEWS BRIEF

In the wake of recent cyberattacks against US communications companies by foreign actors, the Federal Communications Commission (FCC) has proposed new cybersecurity rules on how telecommunication companies should secure their networks. 

"The cybersecurity of our nation's communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said FCC Chairwoman Jessica Rosenworcel in a statement last week. "As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses." 

Under the proposed requirements, which has been shared as a Declaratory Ruling with the other members of the commission, telecommunications carriers would need to secure their networks from unlawful access or interception of communications and to submit annual certifications to FCC confirming that they have created, updated, and implemented a cybersecurity risk management plan to fortify their defenses against future attacks. The proposal focuses on a "modern framework to help companies secure their networks," Rosenworcel said.

"The FCC is creating a forcing function to prioritize risk management and cybersecurity, which will also drive modernization in a lot of useful ways," said Trey Ford, chief information security officer at Bugcrowd, in an emailed statement. "The FCC will appreciate the challenges that Corporate Directors and the SEC have been wrestling with - how inventory, score, and treat cyber risks - and the challenges in communicating what needs done, when, and how."

The Chinese-state sponsored hacker group Salt Typhoon hit several Internet service provider networks in the US earlier this year, compromising targets at organizations including Verizon, AT&T, and Lumen. The carriers have not yet successfully evicted the attackers from their networks, and the intelligence community is still trying to determine the scope and impact of the attacks.

In what is considered one of the largest, most egregious cyberattacks, a large number of call records, including phone numbers, call types and duration, have been compromised. Salt Typhoon also intercepted the calls and messages of government officials and politicians. 

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance with the National Security Agency and the FBI to the telecom industry on how to handle the threat. The new guidance includes best practices and recommendations on quickly detecting threat activity, improving visibility, reducing existing vulnerabilities, and limiting the attack surface. It also highlighted ways to harden Cisco network gear. 

After a classified briefing in the Senate, Sen. Ron Wyden introduced legislation this week to require the FCC, along with CISA and the Director of National Intelligence, to create specific digital security standards designed to prevent unauthorized interceptions. The proposed bill would require telecoms to conduct annual tests of the safety measures, work to patch any uncovered vulnerabilities, and tap an outside auditor to carry out yearly assessments of compliance with the cybersecurity rules. With Congress poised for recess soon, it is unclear whether there will be any immediate action on this legislation.

If the FCC proposal is adopted, the Declaratory Ruling would take effect immediately. The draft Notice of Proposed Rulemaking would seek comment on cybersecurity risk management requirements and on additional ways to strengthen the cybersecurity posture of communications systems and services.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

FCC Proposes New Cybersecurity Rules for Telecoms

The Patch Tuesday for December of 2024 includes 72 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

Tuesday, December 10, 2024 15:52

The Patch Tuesday for December of 2024 includes 72 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.” 

Microsoft assessed that exploitation of the four “critical” vulnerabilities is “less likely.” 

CVE-2024-49112 is the most serious of this bunch, with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability in Windows Lightweight Directory Access Protocol (LDAP) calls to execute arbitrary code within the context of the LDAP service. Additionally, CVE-2024-49124 and CVE-2024-49127 permit an unauthenticated attacker to send a specially crafted request to a vulnerable LDAP server, potentially executing the attacker's code if they succeed in a "race condition." Although the above vulnerabilities are marked as "critical" and with high CVSS, Microsoft has determined that exploitation is "less likely." 

CVE-2024-49126 - Windows Local Security Authority Subsystem Service (LSASS) remote code execution vulnerability. An attacker with no privileges could target the server accounts and execute malicious code on the server's account through a network call. Despite being considered “critical”, the successful exploitation of this vulnerability requires an attacker to win a “race condition” which complexity is high, Microsoft has determined that exploitation is "less likely." 

CVE-2024-49105 is a "critical" remote code execution vulnerability in a remote desktop client. Microsoft has assessed exploitation of this vulnerability as "less likely". An authenticated attacker could exploit by triggering remote code execution on the server via a remote desktop connection using Microsoft Management Console (MMC). It has not been detected in the wild. 

CVE-2024-49117 is a remote code execution vulnerability in Windows Hyper-V. Although marked as "critical," Microsoft has determined that exploitation is "less likely." The exploit needs an authenticated attacker and locally on a guest VM to send specially crafted file operation requests on the VM to hardware resources on the VM and trigger remote code execution on the host server. Microsoft has not detected active exploitation of this vulnerability in the wild. 

CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49119 and CVE-2024-49120, CVE-2024-49123, CVE-2024-49132, CVE-2024-49116, CVE-2024-49128 are remote code execution vulnerabilities in Windows Remote Desktop Gateway (RD Gateway) Service. An attacker could exploit this by connecting to a system with the Remote Desktop Gateway role, triggering the “race condition” to create a “use-after-free” scenario, and then leveraging the execute arbitrary code. Although marked as "critical," Microsoft has determined that exploitations are "less likely" and the attack complexity considered “high.” Microsoft has not detected active exploitation of these vulnerabilities in the wild. 

CVE-2024-49122 and CVE-2024-49118 are remote code execution vulnerabilities in Microsoft Message Queuing (MSMQ) which is a queue manager in Microsoft Windows system. An attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server and win the “race condition” that is able to exploit on the server side which also means the attack complexity is “high”. While considered “critical” those were determined that exploitation is “less likely” and not been detected in the wild. 

CVE-2024-49138 is an elevation of privilege vulnerability in Windows Common Log File System Driver, and while it only has a 7.8 out of 10 CVSS score, it has been actively exploited in the wild. 

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited:  

*   CVE-2024-49070 - Microsoft SharePoint Remote Code Execution Vulnerability 
*   CVE-2024-49093 - Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability 
*   CVE-2024-49088 and CVE-2024-49090 - Windows Common Log File System Driver Elevation of Privilege Vulnerability 
*   CVE-2024-49114 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64308, 64309, 64310, 64311, 64313, 64314, 63874, 63875, 64312, 64306, 64307. There are also these Snort 3 rules 301085, 301086, 301087, 300987, 64312, 301084

Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities

The Nemesis and ShinyHunters attackers scanned millions of IP addresses to find exploitable cloud-based flaws, though their operation ironically was discovered due to a cloud misconfiguration of their own doing.

Source: GK Images via Alamy Stock Photo

Cybercriminal gangs have exploited vulnerabilities in public websites to steal Amazon Web Services (AWS) cloud credentials and other data from thousands of organizations, in a mass cyber operation that involved scanning millions of sites for vulnerable endpoints.

Independent cybersecurity researchers Noam Rotem and Ran Locar of the loosely organized research group CyberCyber Labs uncovered the operation in August, and reported it to vpnMentor, which published a blog post on Dec. 9 about their findings. Attackers appear to be connected to known threat groups Nemesis and ShinyHunters, the latter of which is probably best known for a cloud breach earlier this year that stole data from half a million Ticketmaster customers.

“Both of these 'gangs' represent a technically sophisticated cybercriminal syndicate that operates at scale for profit and uses their technical skills to identify weaknesses in controls from enterprises migrating to cloud computing without fully understanding the complexity of services nor the controls offered in cloud computing," notes Jim Routh, chief trust officer at Saviynt, a cloud identity and security management firm.

Ironically, however, the researchers discovered the operation when the French-speaking attackers committed a cloud-based faux pas of their own — they stored some of the data harvested from the victims in an AWS Simple Storage Service (S3) bucket that contained 2TB of data and was left open due to a misconfiguration by its owner, according to the post.

Related:Attackers Can Use QR Codes to Bypass Browser Isolation

"The S3 bucket was being used as a 'shared drive' between the attack group members, based on the source code of the tools used by them," the vpnMentor research team wrote in the post.

Among the data stolen in the operation included infrastructure credentials, proprietary source code, application databases, and even credentials to additional external services. The bucket also included the code and software tools used to run the operation, as well thousands of keys and secrets lifted from victim networks, the researchers said.

**Two-Part Attack Sequence**

The researchers ultimately reconstructed a two-step attack sequence of discovery and exploitation. Attackers began with a series of scripts to scan vast ranges of IPs belonging to AWS, looking for "known application vulnerabilities as well as blatant mistakes," according to the vpnMentor team.

Attackers employed the IT search engine Shodan to perform a reverse lookup on the IP addresses, using a utility in their arsenal to get the domain names associated with each IP address that exists within the AWS ranges to expand their attack surface. In an effort to further extend the domains list, they also analyzed the SSL certificate served by each IP to extract the domain names associated with it.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

After determining the targets, they began a scanning process, first to find exposed generic endpoints and then to categorize the system, such as Laravel, WordPress, etc. Once this was done, they would perform further tests, attempting to extract database access information, AWS customer keys and secrets, passwords, database credentials, Google and Facebook account credentials, crypto public and private keys (for CoinPayment, Binance, and BitcoinD), and more from product-specific endpoints.

"Each set of credentials was tested and verified in order to determine if it was active or not," according to the post. "They were also written to output files to be exploited at a later stage of the operation."

When exposed AWS customer credentials were found and verified, the attackers also tried to check for privileges on key AWS services, including: identity and access management (IAM), Simple Email Service (SES), Simple Notification Service (SNS), and S3.

**Cyberattacker Attribution & AWS Response**

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The researchers tracked the perpetrators via tools used in the operation, which "appear to be the same" as those used by ShinyHunters. The tools are documented in French and signed by "Sezyo Kaizen," an alias associated with Sebastien Raoult, a ShinyHunters member who was arrested and pleaded guilty to criminal charges earlier this year.

The researchers also recovered a signature used by the operator of a Dark Web market called "Nemesis Blackmarket," which focuses on selling stolen access credentials and accounts used for spam.

The researchers, who work out of Israel, reported their findings to the Israeli Cyber Directorate in early September, and then notified AWS Security in a report sent on Sept. 26. The company immediately took steps to mitigate the impact and alert affected customers of the risk, according to vpnMentor.

Ultimately, the AWS team found that the operation targeted flaws present on the customer application side of the shared responsibility cloud model and did not reflect any fault of AWS, which the researchers said they "fully agree with." The AWS security team confirmed they completed their investigation and mitigation on Nov. 9 and gave the researchers the green light to disclose the incident.

**How to Secure the Cloud IT Footprint**

Some steps organizations can take to avoid a similar attack against their respective cloud environments include making sure hardcoded credentials are never present in their code or even in their filesystem, where they might be accessed by unauthorized parties.

Organizations also should conduct simple Web scans using open source tools like "dirsearch" or  "nikto," which are often used by lazy attackers to identify common vulnerabilities. This will allow them to find holes in their environment before a malicious actor does, the researchers noted.

A Web application firewall (WAF) also is a relatively low-cost solution to block malicious activity, and it's also worthwhile to "roll" keys, passwords, and other secrets periodically, they said. Organizations also can create CanaryTokens in their code in secret places, the researchers noted, which act as tripwires to alert administrators that an attacker may be poking around where they shouldn't be.

Routh says the incident also provides a learning opportunity for organizations which, when presented with new technology options, should adjust and design cyber controls to achieve resilience rather than go with conventional control methods.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cybercrime Gangs Abscond With Thousands of AWS Credentials

Researchers demonstrate a proof-of-concept cyberattack vector that gets around remote, on-premises, and local versions of browser isolation security technology to send malicious communications from an attacker-controlled server.

Source: Sasin Paraska via Shutterstock

Security researchers have found a way to bypass three types of browser isolation, which would allow a cyberattacker to send malicious data to a remote device by using QR codes.

Researchers from Mandiant demonstrated a proof-of-concept (PoC) that gets around remote, on-premises, and local browser isolation by overriding HTTP request-based communication with machine-readable QR codes. In this way, the technique allows attackers to send commands from a command-and-control (C2) server to a victim's device.

Browser isolation is often used by organizations to fight phishing threats, protect a device from browser-delivered attacks, and deter typical C2 tactics used by attackers. The technique runs a browser in a secure environment — such as a cloud server or virtual machine — and then streams the visual content to the user's device.

When browser isolation is being used, the remote browser handles everything from page rendering to executing JavaScript, with only the visual appearance of the webpage sent back to the user's local browser.

As attackers generally send commands to and from a victim's device through HTTP requests, browser isolation makes it challenging for attackers to remotely control a device in the typical way. That's because the HTTP response returned to the local browser contains only the streaming engine to render the remote browser's visual page contents, "and only a stream of pixels is sent to the local browser to visually render the webpage," Mandiant principal security consultant Thibault Van Geluwe de Berlaere wrote in the post. "This prevents typical HTTP-based C2 because the local device cannot decode the HTTP response."

Related:Cybercrime Gangs Abscond With Thousands of AWS Credentials

**Bypassing Browser Isolation With QR Codes**

Mandiant researchers developed a PoC that demonstrates how to get around browser isolation using the Puppeteer JavaScript library and the Google Chrome browser in headless mode. However, any modern browser can be used to achieve the PoC, Van Geluwe de Berlaere noted.

Instead of returning the C2 data in the HTTP request headers or body, as a typical attacker-controlled attempt to send commands to a device might, the C2 server returns a valid webpage that visually shows a QR code. "The implant then uses a local headless browser … to render the page, grabs a screenshot, and reads the QR code to retrieve the embedded data," Van Geluwe de Berlaere wrote.

"By taking advantage of machine-readable QR codes, an attacker can send data from the attacker-controlled server to a malicious implant even when the webpage is rendered in a remote browser."

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

In the attack sequence, the malicious implant visually renders the webpage from the browser isolation's pixel streaming engine and decodes the command from the QR code displayed on the page. It then retrieves a valid HTML webpage from the C2 server with the command data encoded in a QR code visually shown on the page.

The remote browser then returns the pixel-streaming engine back to the local browser, starting a visual stream that shows the rendered page obtained from the C2 server. The implant waits for the page to fully render, then grabs a screenshot of the local browser that contains the QR code, which the malicious implant reads to execute the C2 command on the compromised device.

The implant then goes through the local browser again to navigate to a new URL that includes the command output encoded in a URL parameter. This parameter is passed through to the remote browser and ultimately to the C2 server, which decodes the command output as in traditional HTTP-based C2.

**Challenges to Implementing the Bypass**

Though the PoC demonstrates how attackers can get around browser isolation, there are some limitations and challenges to consider when using it, the researchers noted.

One is that it's not feasible to use the PoC with QR codes that have the maximum data size — i.e., 2,953 bytes, 177x177 grid, Error Correction Level "L" — as "the visual stream of the webpage rendered in the local browser was of insufficient quality to reliably read the QR code contents," Van Geluwe de Berlaere explained. Instead, the researchers used QR codes containing a maximum of 2,189 bytes of content.

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

Moreover, the requests take at least five seconds to reliably show and scan the QR code due to the processing involved when using Chrome in headless mode, as well as the time it takes for the remote browser to start up, page-rendering requirements, and the stream of visual content from the remote browser back to the local browser. "This introduces significant latency in the C2 channel," he wrote.

Finally, the PoC does not consider other security features of browser isolation, such as domain reputation, URL scanning, data-loss prevention, and request heuristics, which may need to be overcome if they are present in the browser-isolation environment on which it is being used.

Despite the success of the bypass, Mandiant still recommends browser isolation as a strong protection measure against client-side browser exploitation and phishing attacks. However, Van Geluwe de Berlaere wrote, it should be used as one part of "a well-rounded cyber defense posture" that also includes monitoring for anomalous network traffic and browser in automation mode to defend against Web-based attacks.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Can Use QR Codes to Bypass Browser Isolation

Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. 
These vulnerabilities have not been patched at time of this posting. 
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule

Monday, December 9, 2024 14:30

Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. 

These vulnerabilities have not been patched at time of this posting. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

****MC Technologies OS command injection vulnerabilities** **

_Discovered by Matt Wiseman of Cisco Talos._ 

The MC-LR Router from MC Technologies supports IPsec and OpenVPN implementations, firewall capabilities, remote management via HTTP and SNMP, and configurable alerting via SMS and email, with two-port and four-port variants, includes models that support transparent serial-to-TCP translations and 1-in/1-out digital I/O. 

Talos recently published two advisories detailing OS command injection vulnerabilities discovered in the MC-LR Router from MC Technologies. TALOS-2024-1953 covers three vulnerabilities (CVE-2024-28025 through CVE-2024-28027), which are reachable through the I/O configuration functionality of the web interface. TALOS-2024-1954 covers one vulnerability (CVE-2024-21786) in the importation of uploaded configuration files. All vulnerabilities may be triggered with an authenticated HTTP request. 

****GoCast authentication and OS command injection vulnerabilities** **

_Discovered by Edwin Molenaar and Matt Street of Cisco Meraki._ 

The GoCast tool provides BGP routing for advertisements from a host; it is commonly used for anycast-based load balancing for infrastructure service instances available in geographically diverse regions.  

The GoCast HTTP API allows the registration and deregistration of apps without requiring authentication, shown in TALOS-2024-1962 (CVE-2024-21855). The lack of authentication can be used to exploit TALOS-2024-1960 (CVE-2024-28892) and TALOS-2024-1961 (CVE-2024-29224), leading to OS command injection and arbitrary command execution.

MC LR Router and GoCast unpatched vulnerabilities

Plus: Russian spies keep hijacking other hackers’ infrastructure, Hydra dark web market admin gets life sentence in Russia, and more of the week’s top security news.

A consortium of global law enforcement agencies led by Britain’s National Crime Agency announced a takedown operation this week against two major Russian money-laundering networks that process billions of dollars each year in more than 30 locations around the world. WIRED had exclusive access to the investigation, which uncovered new and troubling laundering techniques, particularly schemes to directly change cryptocurrency for cash. As the United States government scrambles to address China’s “Salt Typhoon” digital espionage campaign into US telecoms, two senators demanded this week that the Department of Defense investigate its failure to secure its own communications and address known vulnerabilities in US telecom infrastructure. Meanwhile, Signal Foundation president Meredith Whittaker spoke at WIRED’s The Big Interview event in San Francisco this week about Signal’s enduring commitment to bring private, end-to-end encrypted communication services to people all over the world regardless of geopolitical climate.

A new smartphone scanner from the mobile device security firm iVerify can quickly and easily detect spyware and has already flagged seven devices infected with the invasive Pegasus surveillance tool. Programmer Micah Lee built a tool to help you save and delete your X posts after he offended Elon Musk and was banned from the platform. And privacy advocate Nighat Dad is fighting to protect women from digital harassment in Pakistan after escaping from an abusive marriage.

The US Federal Trade Commission is targeting data brokers who it says unlawfully tracked protesters and US military personnel, but the enforcement efforts seem likely to trail off under the Trump administration. Similarly, the US Consumer Financial Protection Bureau has devised a strategy to impose new oversight on predatory data brokers, but the new administration may not continue the initiative. Some new laws are finally coming around the world in 2025 that will attempt to regulate the dysfunction of the digital advertising industry, but malicious advertising is still booming around the world and continues to play a big role in global scamming.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Officials Urge Americans to Encrypt Calls and Texts After Chinese Telecom Hacking**

Remember how the US federal government spent much of the last three decades periodically decrying the dangers of strong, freely available encryption tools, arguing that because they enable criminals and terrorists, they should be outlawed or required to implement government-approved backdoors? As of this week, the government will never again be able to make that argument without privacy advocates pointing to a particular phone call where two officials recommended Americans use exactly those encryption tools to protect themselves amidst an ongoing massive breach of US telecoms by Chinese hackers.

In a briefing with reporters about the breach of no fewer than eight phone companies by the Chinese state-sponsored espionage hackers known as Salt Typhoon, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both said that amid the still-uncontrolled infiltration of US telecoms that have exposed calls and texts, Americans should use encryption apps to safeguard their privacy. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. (Signal and WhatsApp, for instance, end-to-end encrypt calls and texts, though the officials didn’t name any particular apps.)

The recommendation amid what one senator has called “the worst telecom hack in our nation’s history” represents a stunning reversal from previous US officials’ rhetoric on encryption, and in particular the FBI’s repeated calls for access to backdoors in encryption. In fact, it was exactly this sort of government-approved wiretap capability requirement for US telecoms that the Salt Typhoon hackers in some cases exploited to access Americans communications.

**Russia’s FSB Hackers Keep Hijacking Other Hackers’ Infrastructure for Spying**

The hacker group known as Secret Blizzard, Snake, or Turla, widely believed to work for Russia’s FSB intelligence agency, is known for using some of the most ingenious hacking techniques ever seen to spy on its victims. One of the tricks that’s now become its signature move: hacking the infrastructure of other hackers to stealthily piggyback on their access. This week Microsoft’s threat intelligence researchers and security firm Lumen Technologies revealed that Turla gained access to the servers of a Pakistan-based hacker group and used its visibility into victim networks to spy on government, military and intelligence targets in India and Afghanistan of interest to the Kremlin. In some cases, Turla hijacked the Pakistani hackers’ access to install their own malware, while in other instances they appear to have used the other group’s tools for even greater stealth and deniability. The incident marks the fourth known time since 2017, when it penetrated an Iranian hacker group’s command-and-control servers, that Turla has freeloaded on another hacker group’s infrastructure and tooling, according to Lumen.

**Admin of Russian Dark Web Market Hydra Sentenced to Life in Prison**

The Russian government is known for turning a blind eye to cybercrime—until it doesn’t. This week 15 convicted members of the notorious dark web market Hydra learned the limits of that forbearance when they reportedly received prison sentences ranging from 8 years to 23 years, as well an unprecedented life sentence for the site’s creator Stanislav Moiseyev. Before it was taken down two years ago in a law enforcement operation led by IRS criminal investigators in the US and Germany’s BKA police agency, Hydra was a uniquely sprawling dark web marketplace, one that not only served as the post-Soviet world’s biggest online bazaar for narcotics but also a vast money laundering machine for crimes including ransomware, scams, and sanctions evasion. In total, Hydra enabled more than $5 billion dollars in dirty cryptocurrency transactions since 2015, according to crypto tracing firm Elliptic.

**Suspected Ransomware Actor “Wazawaka” Reportedly Charged and Apprehended by Russia**

Russian law enforcement charged and arrested a software developer last week who is suspected of prolific contributions to multiple ransomware groups, including building malware to extort money from businesses and other targets. The suspect is reportedly Mikhail Matveev, or “Wazawaka,” who has worked as an affiliate with ransomware gangs like Conti, LockBit, Babuk, DarkSide, and Hive. Social media reports indicate that Matveev confirmed his indictment and said that he has been released from law enforcement custody on bail.

Russia’s prosecutor general did not name Matveev, but described charges last week against a 32-year-old hacker under Article 273 of Russia’s Criminal Code, which bans the creation or use of malware. The move came as Russia seemed to be sending some sort of message about its tolerance for cybercrime with the sentencing of the dark web marketplace Hydra’s staff, including a life sentence for its administrator. In 2023, the US government indicted and sanctioned Matveev.

**FBI Is Investigating Exxon Lobbyist Firm Over Hack-and-Leak Operation Targeting Activists**

In a disturbing scoop (one we didn’t cover last week due to the Thanksgiving holiday), Reuters reporters have revealed that the FBI is now investigating a lobbying consultancy hired by Exxon over the firm’s role in a hack-and-leak operation that targeted climate change activists. DCI Group, a lobbying firm hired at the time by Exxon, allegedly gave a list of target activists to a private investigator who then outsourced a hacking operation against those targets to mercenary hackers. After the private investigator—an Israeli man named Amit Forlit, who was later arrested in London and faces US hacking charges—allegedly gave the hacked material to DCI, it leaked the activists’ internal communications about climate change litigation against Exxon to the media, Reuters discovered. The FBI, according to Reuters, has determined that DCI also first previewed that material to Exxon before leaking it. “Those documents were directly employed by Exxon to come after me with all guns blazing,” one attorney working with the activist group, the Center for Climate Integrity, told Reuters. “It turned my life upside down.”

Exxon has denied knowing about any hacking activities and DCI told Reuters in a statement that “we direct all our employees and consultants to comply with the law.”

US Officials Recommend Encryption Apps Amid Chinese Telecom Hacking

Ever wonder what an extroverted strategy security nerd does? Wonder no longer! This week, Joe pontificates on his journey at Talos, and then is inspired by the people he gets to meet and help.

Thursday, December 5, 2024 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

I am unbelievably lucky to do the work that I do. My title is technically ‘Senior Security Strategist’. It’s a very fancy title, but basically: I get to research threats with my colleagues and friends to keep people safe here at Talos. I also get to travel and talk to our customers and communities about that work and how we fight that good fight. This has taken me to some interesting places - from Ukraine to California and lots of places in between. Not bad for a guy from a small town in Alabama.  

This gig isn’t for everyone. You must have some extroverted tendencies, and as the youth would say, some ‘rizz’. It’s not enough to talk about something like, say, ransomware. You need to be able to explain it in high technical detail if needed and then explain it to a board of C-levels and speak the language of business they understand. And you need to do it in an engaging way to keep your audiences bought in. It’s a unique blend of security practitioner expertise and the ability to communicate that to audiences, some technical, some not.  

If you’re thinking this also requires some kind of social media influencer level of Hemsworth caliber good looks and hyper charisma, have no fear. I’m about as much a security influencer as Chris Farley was a Beverly Hills ninja. I am just a security nerd who likes to talk. Like I said - I'm very lucky.  

Sometimes this gig takes you to very unexpected places. A couple of weeks ago I found myself at the Ford Foundation Center for Social Justice. I was there to attend and support the NGO-ISAC annual summit. The NGO-ISAC ‘is a non-profit organization improving the cybersecurity of US-based nonprofits.’ They do amazing work supporting cyber security for non-governmental organizations that help protect and promote civil society. We’re also fortunate at Talos to be a partner with them and donate time and resources to support their mission of helping the helpers.  

We are proud to be partners and volunteer our time with NGO-ISAC and it’s members. If you ever want to be truly humbled, spend time with an NGO and learn about what they do. The energy and heart those people have is incredible and will inspire you. They help feed the hungry, cloth the homeless, protect refugees, promote democracies, and generally help take care of some of the most vulnerable people and institutions our society relies upon. They also traditionally struggle with cybersecurity - security investments and practitioner expertise can be difficult to obtain when your budgets are built upon donations to support your mission. They are the embodiment of fighting the good fight, and we at Talos will always have the time to help them help others.  

While I was there, we debuted a custom NGO version of Backdoors & Breaches I helped co-develop with the NGO-ISAC. It was a real hit, and we ran demo games that resonated very well with the audiences. Helping teach cybersecurity to NGOs is fantastic. If we can help them stay secure, there’s so many others who will be helped by it. Also, keep your eyes peeled for a blog post in January about how we designed and created a custom expansion for Backdoors & Breaches.  

Also, the Ford Foundation? Amazing building. It’s in the heart of NYC and is an island of pure serenity. They have an indoor atrium/park that is next level. They pipe in some absolute jazz bangers throughout the entire building that, mixed with the decor, exudes a class I've rarely encountered in my travels. If I could make a blanket out of that entire vibe and wrap myself up in it, I'd do it.  

**The one big thing **

QR Codes, am I right? Sometimes you can scan one with your phone and maybe win a free cheeseburger, sometimes it can take you to a fake O365 phishing site. The tricky bit with QR codes in e-mails is how easily they can avoid spam filters. My man Jaeson Schultz did some great research on attacks, prevalence, and detection of QR codes in e-mail messages. The parts on AI-generated QR imagery are fantastic – be careful what you scan! 

**Why do I care? **

E-mail phishing and evading defenses are a tried and tested tactic with attackers. QR codes are another method of attack, and because they can be difficult to defang/detect, defenders have to work extra hard to understand those threats and stop them.  

**So now what? **

Exercise serious caution when scanning a QR code. If possible, detonate those suspicious QR code e-mails in a sandbox, like Threat Grid. 

**Top security headlines of the week **

At least 97 major water systems in the US have serious cybersecurity vulnerabilities and compliance issues, raising concerns that cyberattacks could disrupt businesses, industry, and the lives of millions of citizens. (Dark Reading) 

The NSA updated its mobile devices security best practices report. Reboot those phones at least once a week friends.  (ZDNet) 

The United States and other Western nations released guidance Tuesday designed to evict the China-linked group in the wake of the high-profile hack. (CyberScoop) 

**Can’t get enough Talos? **

*   New PXA Stealer targets government and education sectors for sensitive information 
*   The TTP Episode 7: Explore this year's Macro-ATT&CK findings  
*   Beers with Talos is back (kind of) with a special “B Team” episode: Misadventures, Rabbit Holes, and Turkey Lurkey Goes to the Movies 

**Upcoming events where you can find Talos ****AVAR (Dec. 4-6)   **

_Chennai, India_    

Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.   

**Most prevalent malware files from Talos telemetry over the past week  ****SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 **

MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790 

VirusTotal: https://www.virustotal.com/gui/file/0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647/details 

Typical Filename: cwjhtmbwgyomzrhbo.exe 

Claimed Product: n/a 

Detection Name: Win.Dropper.Scar::1201  

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca **

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/detection 

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   **

MD5: 200206279107f4a2bb1832e3fcd7d64c  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details%C2%A0 

Typical Filename: lsgkozfm.bat  

Claimed Product: N/A  

Detection Name: Win.Dropper.Scar::tpd    

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   **

MD5: 71fea034b422e4a17ebb06022532fdde   

VirusTotal: https://www.virustotal.com/gui/file/bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a/details 

Typical Filename: VID001.exe   

Claimed Product: N/A   

Detection Name: RF.Talos.80   

**SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   **

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/details%C2%A0 

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG

The adventures of an extroverted cyber nerd and the people Talos helps to fight the good fight

The emerging threat actor, potentially a Chinese state-sponsored APT, is using the known exploit kit Moonshine in cross-platform attacks that deliver a previously undisclosed backdoor called "DarkNimbus" to ethnic minorities, including Tibetans.

Source: BeeBright via Shutterstock

A newly identified cyber-threat operation is using a known exploit kit to target security vulnerabilities in the popular WeChat app, to deliver previously unreported spyware to both Android and Windows devices belonging to the Tibetan and Uyghur ethnic-minority communities in China.

A group that researchers at Trend Micro are tracking as Earth Minotaur is wielding the Moonshine exploit kit, which first surfaced in 2019, to deliver a backdoor called DarkNimbus. The malware can steal data and monitor device activity, they revealed in a blog post published today, while Moonshine typically targets vulnerabilities in instant messaging apps on Android devices to deliver the malware. It also exploits multiple known vulnerabilities in Chromium-based browsers. The latest version of the kit discovered by Trend Micro has been upgraded with "newer vulnerabilities and more protections to deter analysis of security researchers," the researchers wrote.

The attacks begin as carefully crafted messages aiming to lure victims into clicking on an embedded malicious link, which typically claims to be related to government announcements; relevant Chinese news topics, such as COVID-19, religion, or stories about Tibetans or Uyghurs; or Chinese travel information. Attackers "disguise themselves as different characters on chats to increase the success of their social engineering attacks," the researchers wrote.

Related:African Law Enforcement Nabs 1,000+ Cybercrime Suspects

The ultimate payload, DarkNimbus, is "a comprehensive Android surveillance tool" that starts by collecting basic information from the infected device, installed apps, and geolocation systems. It goes on to steal personal information, including contact lists, phone call records, SMS, clipboard content, browser bookmarks, and conversations from multiple messaging apps. DarkNimbus also can record calls, take photos and screenshots, file operations, and execute commands, the researchers added.

**Novel Cyberattack Actor, Familiar Tools & Targets**

The researchers believe Earth Minotaur is a new threat actor, though the group isn't the first to use the Moonshine toolkit, they wrote.

"In the first report of Moonshine exploit kit in 2019, the threat actor using the toolkit was named Poison Carp," according to the post. However, the researchers did not find connections between Earth Minotaur and that group, they said.

"The backdoor DarkNimbus had been developed in 2018 but was not found in any of Poison Carp's previous activity," the researchers wrote. "Therefore, we categorize them as two different intrusion sets." At this time, there are at least 55 Moonshine exploit kits being actively used by threat actors in the wild, they said.

Related:CISA Issues Guidance to Telecom Sector on Salt Typhoon Threat

Moonshine was first discovered as part of a malicious campaign against the Tibetan community, and it's also associated with previous malicious activity against Uyghurs. Both groups are ethic minorities in China that face discrimination and surveillance by the Chinese government, and both are the key targets of Earth Minotaur, the researchers said. While it's likely the group is an advanced persistent threat (APT) backed by China, the researchers did not have enough evidence to make a definitive connection, they said.

**Defending Against Persistent Threats**

Earth Minotaur's activities and use of Moonshine share similarities with two previously identified threat campaigns. One, identified in 2002, spread an Android malware called BadBazaar along with Moonshine via Uyghur-language sites and social media.

BadBazaar then resurfaced later in broader attacks against users in several countries that delivered the malware via Trojanized versions of the Signal and Telegram messaging apps, in an attack vector similar to the one Earth Minotaur was seen employing.

To prevent similar attacks, Trend Micro suggested some basics. One, that people exercise caution when clicking on links embedded on suspicious messages, "as these may lead to malicious servers like those of Moonshine compromising their devices," the researchers wrote.

Related:Venom Spider Spins Web of New Malware for MaaS Platform

They also recommended regularly updating applications to the latest versions, as Moonshine takes advantage of flaws to conduct its malicious activities.

"These updates offer essential security improvements to protect against known vulnerabilities," the researchers wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Earth Minotaur' Exploits WeChat Bugs, Sends Spyware to Uyghurs

Individuals concerned about the privacy of their communications should consider using encrypted messaging apps and encrypted voice communications, CISA and FBI officials say.

Source: Weitwinkel via Shtterstock

Concerns over the extent of China-backed Salt Typhoon's intrusions into US telecom networks have prompted the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI to issue guidance to the sector on addressing the threat.

The detailed recommendations come as officials from the authoring agencies this week described victims of the attack — which include Verizon, AT&T, and Lumen — as still working to eradicate the threat actor from their networks.

**Still Working to Evict**

"We cannot say with certainty that the adversary has been evicted, because we still don't know the scope of what they're doing," Jeff Greene, executive assistant director for cybersecurity at CISA, said in a media call this week.

"I have confidence that we are on top of it in terms of tracking them down and seeing what's going on, but we cannot, with confidence, say that we know everything," Greene said, according to a transcript of the media call that CISA made available to Dark Reading. Given where most victims are in their investigations, it is "impossible" to predict a timeframe for when they will complete fully evicting the threat actor, he said.

Several security experts consider Salt Typhoon's attacks on US telecom infrastructure as one of the most egregious cyber espionage campaigns ever in size and scope. It's unknown how many companies the threat actor has compromised as part of the campaign so far, but known victims include some of the biggest telecom providers in the country, including AT&T and Verizon.

The attacks enabled multiple activities, including theft of a large number of call detail records — such as a caller's and receiver's phone numbers, call duration, call type, and cell tower location — of telecom customers. In a smaller number of instances, Salt Typhoon used its presence on telecom provider networks to intercept calls and messages of targeted individuals, which include government officials and politicians. Separately, the threat actor also collected information on an unknown number of individuals who were the subjects of legal national security and law enforcement intercepts.

"The continued investigation into the PRC targeting commercial telecom infrastructure has revealed a broad and significant cyber-espionage campaign," an FBI official said on background during this week's media call. "We have identified that PRC-affiliated cyber actors have compromised networks of multiple telecom companies to enable multiple activities.

**Detailed Recommendations**

The new guidance for addressing the threat includes recommendations for quickly detecting Salt Typhoon activity, improving visibility, reducing existing vulnerabilities, eliminating common misconfigurations, and limiting the attack surface. The guidelines include a section devoted to hardening Cisco network gear, which the authoring agencies described as a popular target for the attacker in the ongoing campaign.

"Right now, the hardening guidance that we put out specifically would make the activities that we've seen across the victims much harder to continue," Greene said. "In some cases, it might result in limiting their access." He described Salt Typhoon actors as employing a variety of tactics to breach victim networks, so response and mitigation approaches will differ on a case by case basis. "These are not cookie-cutter compromises in terms of how deeply compromised a victim might be, or what the actor has been able to do."

**Use Encrypted Messaging Apps and Services**

Green and the FBI official on the media call recommended that individuals concerned about the privacy of their mobile device communications should consider using encrypted messaging apps — examples of which would include WhatsApp and Signal — and encrypted voice communications. "People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption, and phishing resistant MFA for email, social media, and collaboration tools," the FBI official said.

Trey Ford, chief information security officer (CISO) at Bugcrowd pointed to phishing-resistant multifactor authentication in the new guidance as something that organizations should consider prioritizing. "Everything we can do to raise the cost and work factor for malicious actors and nation state communities helps," he notes. He also recommends that organizations add encryption to all traffic crossing third-party communications infrastructure and leverage apps like WhatsApp and Signal where it makes sense. "Also, I would recommend adding a second factor of authentication, something stronger than SMS, such as Yubikeys, Apple's Secure Element, or pseudo-random code generators like Google Authenticator, Authy, \[and\] Duo, to all of your online accounts."

Chris Pierson, CEO and founder of Blackcloak, perceives the new hardening advice as useful in helping companies in the telecom sector prioritize their controls, remediation, and ongoing assessment activity. The advice to individual consumers and business executives to protect against Salt Typhoon is useful as well, he notes: "From tips on using security messaging as opposed to text/SMS, reducing the likelihood of SIM swapping by using a SIM PIN, and implementing dual factor authentication on key accounts, the guidance makes it easier for key executives and highly targeted persons to protect themselves."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA Issues Guidance to Telecom Sector on Salt Typhoon Threat

The notorious spyware from Israel's NSO Group has been found targeting journalists, government officials, and corporate executives in multiple variants discovered in a threat scan of 3,500 mobile phones.

Source: Coredesign via Shutterstock

Researchers have discovered seven new Pegasus spyware infections targeting journalists, government officials, and corporate executives that started several years ago and span both iPhone and Android devices, demonstrating that the range of the notorious spyware may be even greater than once thought.

Researchers from iVerify discovered multiple devices compromised by Israeli company NSO Group's spyware via attacks initiated between 2021 and 2023 that affect Apple iPhone iOS versions 14, 15, and 16.6, as well as Android, they revealed in a blog post published on Dec. 4. The infections were discovered in May during a threat-hunting scan of 3,500 devices from iVerify users who opted in to the checks.

Specifically, the investigation uncovered multiple Pegasus variants in five unique malware types across iOS and Android. The researchers detected forensic artifacts in diagnostic data, shutdown logs, and crash logs found on the devices.

"Our investigation detected 2.5 infected devices per 1,000 scans — a rate significantly higher than any previously published reports," Matthias Frielingsdorf, Verify co-founder and iOS security researcher, wrote in the post. Each of the infections "represented a device that could have been silently monitored, its data compromised without the owner's knowledge," he wrote.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

"The discovery supported our thesis about the prevalence of spyware on mobile devices — it was hiding in plain sight, undetected by traditional endpoint security measures."

**Pegasus Spyware Reach Underestimated?**

The findings also demonstrate that security researchers, in general, may have underestimated the reach of mobile spyware, particularly Pegasus, Rocky Cole, co-founder and COO of iVerify, tells Dark Reading.

Pegasus, developed by NSO Group — an adversary that iVerify tracks as "Rainbow Ronin" — is a particularly nasty piece of spyware that allows the controller to exploit OS vulnerabilities and leverage zero-click attacks to access and extract whatever they want from an exploited mobile device. Attackers can intercept and transmit messages, emails, media files, passwords, and detailed location information without a user's knowledge or interaction.

Pegasus gained initial notoriety in 2021 when security researchers found that it was being used by state-sponsored actors in illegal surveillance against journalists, politicians, human rights advocates, and other persons of interest to government intelligence agencies. Since then, numerous other infections have surfaced that show how governments have wielded the spyware, with journalists in particular in the crosshairs.

Related:Name That Edge Toon: Shackled!

Now iVerify's discovery suggests that state-sponsored actors not only are using mobile spyware in a narrow way to surveil the most high-profile of targets, but also could be spying on people within typically targeted populations who wouldn’t seem likely to be on their radar, Cole says.

"Previously considered a rare and highly targeted threat, Pegasus was found to be more prevalent and capable of infecting a wider range of devices, not just those belonging to high-risk users," he says.

Moreover, as iVerify’s investigation uncovered multiple Pegasus infections across several iOS versions, some dating back years, it's clear that traditional security measures often fail to detect such threats. This suggests that mobile device users themselves must be included in the detection of malware so they have "the power to understand and defend against threats that were previously invisible," Frielingsdorf wrote.

**Hunt Your Own Device Threats**

Cole says that best practices for preventing spyware infections before they occur include regularly updating devices to the latest OS as soon as possible, as spyware often exploits unpatched vulnerabilities. And though EDR may not pick up every infection, it can be a useful tool for organizations to use alongside more proactive device-specific threat-hunting to "help detect and respond to threats in real time," he says.

Related:Microsoft Boosts Device Security With Windows Resiliency Initiative

Organizations also should educate employees, Cole adds, especially those in high-risk roles, about the risks and best practices for mobile security as an essential protection against spyware infections.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco