CyberWire Daily - Zero-day exploited in the wild.
Episode Date: October 22, 2024

A zero-day affects Samsung mobile processors. A critical vulnerability is discovered in the OneDev DevOps platform. German authorities warn against vulnerable industrial routers. The Bumblebee loader ...buzzes around corporate networks. Ghostpulse hides payloads in PNG files. A Michigan chain of dental centers agrees to a multimillion dollar data breach settlement. A White House proposal tamps down international data sharing. Fortinet is reportedly patching an as-yet undisclosed severe vulnerability. In our Threat Vector segment, host David Moulton speaks with Nathaniel Quist about cloud extortion operations, the rise of ransomware attacks, and the challenges businesses face in securing public cloud environments. Russian deepfakes spread election misinformation.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment
In this segment of the Threat Vector podcast, host David Moulton, Director of Thought Leadership at Palo Alto Networks, speaks with Nathaniel Quist, Manager of Cloud Threat Intelligence at Cortex & Unit 42. David and Nathaniel discuss recent cloud extortion operations, the rise of ransomware attacks, and the challenges businesses face in securing public cloud environments. You can hear the full discussion here and catch new episodes of Threat Vector every Thursday on your favorite podcast app.
Selected Reading
Google Warns of Samsung Zero-Day Exploited in the Wild (SecurityWeek)
Critical OneDev DevOps Platform Vulnerability Let Attacker Read Sensitive Data (Cyber Security News)
Critical Vulnerabilities Expose mbNET.mini, Helmholz Industrial Routers to Attacks (SecurityWeek)
Hackers Use Bumblebee Malware to Gain Access to Corporate Networks (GB Hackers)
CISA Adds Sciencelogic SL1 Unspecified Vulnerability to KEV Catalog (Cyber Security News)
Pixel perfect Ghostpulse malware loader hides inside PNG image files (The Register)
Dental Center Chain Settles Data Breach Lawsuit for $2.7M (BankInfo Security)
Biden administration proposes new rules governing data transfers to adversarial nations (The Record)
Fortinet issues private notifications to FortiManager customers to patch an undisclosed flaw (Beyond Machines)
Russian Propaganda Unit Appears to Be Behind Spread of False Tim Walz Sexual Abuse Claims (WIRED)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A zero-day affects Samsung mobile processors.
A critical vulnerability is discovered in the OneDev DevOps platform.
German authorities warn against vulnerable industrial routers.
The Bumblebee loader buzzes around corporate networks.
Ghostpulse hides payloads in PNG files.
A Michigan chain of dental centers agrees to a multi-million dollar data breach settlement.
A White House proposal tamps down international data sharing.
Fortinet is reportedly patching an as-yet undisclosed severe vulnerability.
In our Threat Vector segment, host David Moulton speaks with Nathaniel Quist about cloud extortion operations,
the rise of ransomware attacks, and the challenges businesses face in securing public cloud environments.
And Russian deepfakes spread election misinformation.
It's Tuesday, October 22nd, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It is great, as always, to have you with us.
Google's Threat Analysis Group has warned of a zero-day vulnerability
in Samsung's mobile processors that has been actively exploited.
The flaw carries a CVSS score of 8.1.
This use-after-free bug can be abused to escalate privileges on vulnerable Android devices,
specifically impacting Samsung's Exynos processors. The flaw resides in the m2m
scaler driver, which handles media hardware acceleration. Attackers can exploit the bug
by manipulating I/O virtual memory mapping, leading to arbitrary code execution
within the privileged camera server process. This allows them to bypass Android's kernel
isolation protections. Google researchers have noted that this exploit chain likely targets
Samsung devices and could be linked to spyware vendors, though specific details about attacks have not been provided.
The vulnerability was patched by Samsung in their October 2024 security update.
However, its active exploitation highlights the ongoing risks from zero-day threats.
A critical vulnerability has been discovered in the OneDev DevOps platform, affecting versions prior to 11.0.9.
This flaw allows unauthenticated users to read arbitrary files on the OneDev server, posing a serious risk to organizations using the platform for software development and deployment.
The vulnerability could expose sensitive information, such as configuration files and source code, which attackers could exploit for further attacks or espionage.
Because no credentials are required to exploit the flaw, it significantly heightens the risk of unauthorized access and potential breaches.
OneDev has released an update to address this issue, and users are strongly urged to update immediately.
Germany's CERT@VDE has warned organizations about critical vulnerabilities in industrial routers,
including the mbNET.mini router from MB connect line used for VPN access to industrial environments. Discovered by Moritz Abrell of SySS,
two critical vulnerabilities allow unauthenticated remote attackers to execute OS commands
and take control of devices using hard-coded credentials. Three other high-severity flaws
enable privilege escalation and information disclosure, with some requiring local access.
These vulnerabilities also affect Helmholz's REX 100 industrial router, likely due to shared
hardware and software between the two devices. If exposed to the internet, attackers could
potentially compromise industrial control systems by exploiting these flaws. Both MB connect line
and Helmholz have released patches, though SySS has not verified their effectiveness.
The advanced malware loader Bumblebee has resurfaced, potentially posing a major threat
to corporate networks. Netskope Threat Labs recently identified a new infection chain linked to
Bumblebee, marking its return after a four-month absence following Europol's Operation Endgame
crackdown on botnets in May of this year. First discovered by Google in 2022, Bumblebee is used
by cybercriminals to infiltrate networks, deploying dangerous payloads like Cobalt Strike
beacons and ransomware. The latest campaign targets U.S. organizations via phishing emails
containing LNK files that trigger the malware's download. Unlike past attacks, this version uses
MSI files disguised as legitimate software installers, running entirely in memory to evade detection.
Linked to high-profile ransomware groups like Quantum and Conti, Bumblebee's sophisticated
stealth techniques and ties to ransomware operations make it a severe threat to corporate
cybersecurity. Experts warn that organizations should not underestimate its potential damage.
CISA has added a critical vulnerability in ScienceLogic SL1 to its known exploited vulnerabilities catalog due to active exploitation.
This vulnerability, with a CVSS score of 9.3,
involves a third-party component and could lead to remote code execution.
ScienceLogic has issued patches.
Rackspace experienced unauthorized access to internal servers due to this flaw.
CISA urges immediate action with a deadline for federal agencies set for November 11th.
The Ghostpulse malware strain has evolved to retrieve its payload by embedding malicious data within PNG image pixels,
marking a significant change since its 2023 launch.
Security experts, including Salim Bitam of Elastic Security Labs,
note that Ghostpulse is often used as a loader for more dangerous malware like Lumma.
This new technique makes detection even more challenging,
as the malware uses Windows APIs to extract pixel data and uncover the encrypted configuration.
Ghostpulse's evasion tactics, combined with social engineering techniques
like tricking victims into running PowerShell scripts,
highlight the increasing sophistication of this malware.
Great Expressions Dental Centers, a Michigan-based practice with 250 locations across nine states,
has agreed to a $2.7 million settlement after a 2023 data breach affected over 1.9 million patients and employees.
The breach exposed sensitive information, including social security numbers,
medical records, and financial details.
Under the settlement, affected individuals will receive compensation
based on the severity of their data exposure,
with those whose social security numbers were compromised
eligible for up to $5,000 in
reimbursements. Great Expressions will also implement improved data security measures,
including multi-factor authentication and enhanced encryption. The breach, occurring between February
17th and 22nd of 2023, compromised unencrypted data. Attorneys are set to receive $900,000 in fees.
Despite agreeing to the settlement, Great Expressions denies any wrongdoing.
The Biden administration is cracking down on data transfers to countries like China and Russia
with a new set of proposed rules. These are all about keeping
sensitive personal and federal data out of the hands of foreign adversaries. Under the plan,
U.S. companies would be blocked from sending specific types of data, like genomic, biometric,
and geolocation info, when certain limits are hit.
For example, no more than 100 Americans' genomic data or 1,000 people's biometric data can be shared with companies in those nations.
The rules also aim to stop data brokers from selling this information to foreign governments,
which could use it for cyberattacks or surveillance.
Businesses will have to comply with new standards from CISA,
and violations could mean serious penalties. There are a few exceptions, like personal communications and clinical trial data,
but overall, this is about tightening security and keeping American data safe.
Fortinet has released critical security updates for FortiManager to address a severe vulnerability reportedly being exploited by Chinese threat actors.
The company privately notified select customers and recommended mitigations, including restricting device registrations to known serial numbers and isolating access to trusted networks.
While specific details about the vulnerability haven't been disclosed, the issue seems related to FortiGate to FortiManager communication.
If you're a user of the affected products, this may be a good opportunity to reach out
to your contacts at Fortinet to check in on the latest.
Coming up after the break, in our Threat Vector segment, David Moulton speaks with Nathaniel Quist about recent cloud extortion operations.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on
point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have
continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
On today's segment from the Threat Vector podcast,
host David Moulton speaks with Nathaniel Quist,
manager of cloud threat intelligence at Cortex and Unit 42.
They discuss recent cloud extortion operations,
the rise of ransomware attacks,
and the challenges businesses face in securing public cloud environments.
And is honeyified an official term?
It should be, right?
Right? Like, you got me laughing here.
I'd muted the mic, but I've never heard honeyified.
I like that.
I feel like that's something that we should have in more of our headlines,
things that have been honeyified.
I think more things, you know, honeyified, it's like a tasty treat. You just want to grab it.
Yeah, sounds like breakfast.
Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends.
I'm your host, David Moulton, Director of Thought Leadership.
Today I'm speaking with Nathaniel Quist, Q to those who know him. He's a manager of Cloud Threat Intelligence at Palo Alto Networks and Cortex and Unit 42. Q leads the team focused on uncovering and analyzing threats
targeting cloud infrastructures, including AWS, GCP, and Azure. With his expertise in public
cloud security, threat intelligence, and malware analysis, he has been at the forefront of
understanding the growing and evolving cloud threat landscape. Q, welcome to ThreatVector.
I'm really excited to have you here. Awesome. Thank you, David. Appreciate being here.
Today, we're going to get in and talk about the cloud threat landscape and some of your
thoughts on the latest developments, including cloud extortion operations, cloud native threats,
and how businesses can strengthen their defenses. We've got a lot to talk about.
So Q, let's look at that research that you've recently published on Unit 42.
It was highlighting some of the large-scale cloud extortion operations.
And we'll have a link to this article in the show notes.
But could you walk us through some of the key findings and how those attackers were exploiting cloud environments?
Yeah, most certainly.
So, it started out with exposed credentials.
And these exposed credentials were actually environment variables. Just a quick idea, a quick synopsis of what an
environment variable file is. Let's say you have a web front-end system, and you want to be able
to connect to a database in the back-end, and you need to have authentication to make that happen.
You don't want to have to manually do it because it's automated. So you have something called an environment variable.
And that will have your username,
it'll have passwords, perhaps session tokens,
things of that nature.
And due to the sensitive nature of these,
you obviously don't want those to be exposed publicly.
However, these were.
And so the threat actor found
that there were a number of environment variables
that were exposed.
They were specifically looking for something called Mailgun, which is an email service.
Email services within the cloud are a very common target for threat actors,
because they want to send phishing emails.
That's really important.
So they were looking for Mailgun.
As they were looking through Mailgun, they started collecting a lot of credentials. They targeted about 110,000 different domains and IP addresses looking for environment variables.
They were able to collect 90,000 plus environment variable files.
And inside of those environment variable files, they found roughly 1,200 AWS access keys and IDs that they were able to get into the cloud systems from there.
So it was kind of worm-like in some aspects
when they were able to find one environment variable,
they were able to get into that S3 bucket behind it.
And then that RDS system,
they pulled down and deleted
all of those particular files from S3 and
RDS, left a little ransom note
and said,
we have your systems for ransom, please
pay this amount
and you can have your data back.
So that's kind of where it started.
It was a real attack that we went
through. We were working with
the incident response team for Unit 42
and they pulled us in for Threat Intel enrichment to see where they're coming from, how that worked.
So how does an attack like this evolve over time? And are there specific patterns that you're starting to notice?
Well, what we're finding with Threat actors, specifically looking at cloud, they're really starting with that low-hanging fruit.
A couple of years back, it was all cryptojacking and crypto mining operations.
We're starting to see an evolution into ransomware because a lot of the just-exposed systems are not really there anymore to make cryptojacking super lucrative. So they're looking for exposed identity access management credentials, those keys and IDs,
session tokens, so they can get into those cloud environments.
Once you're inside of that cloud environment, we're starting to see more evolution in lateral
movement.
We're starting to see more privilege escalation happen in those environments.
And then that makes ransomware attacks, theft of intellectual property,
a little bit more common.
So the evolution is really, as we as threat researchers and intelligence analysts, we're seeing that these types of attacks are occurring.
We create blocks and mitigations for them.
Threat actors will have to raise their game so they can get over some of those protections to find more credentials or more ways to laterally move or increase their permissions inside of that cloud environment.
And then, you know, we defend against that and they go over that, so we're getting into that cat and mouse game.
So really what we're seeing the last few years is very exposed endpoints.
A lot of exposed Docker containers, a lot of exposed Kubernetes containers, a lot of exposed virtual machines and cloud environments that they would just take advantage of for cryptojacking purposes.
Now we're starting to see they're starting to leave the endpoints,
go into the cloud system and start their own endpoints
to do their operations.
So looking ahead, do you see the cloud threat landscape evolving over the next few years?
And what should businesses prioritize to future-proof their cloud security strategies?
Yeah, I mean, it's a big question.
My opinion is that we should focus more time on automation, and we should really focus that time on automation
in the ability to create known state of cloud systems.
So what are the applications and services that we're using,
and are they created effectively to begin with?
So starting with infrastructure as code templates,
making sure that everything is started from a very base, secure state.
From an identity and access management policy, really get organizations to understand that we need to use roles as opposed to individual IDs or individual users in cloud environments.
That will make user management a whole lot easier to maintain and to operationalize.
And then also for security teams to know what happened, when and where.
So making sure that you're doubling down on automation,
simplifying the process of preserving data
as it's happening,
and then make sure that you have
some sort of CNAPP operation,
some sort of runtime operation
to look at your critical assets
to ensure that you're seeing everything that they're using.
Thanks for listening to this segment
of the Threat Vector podcast.
If you want to hear the whole conversation,
you can find the show in your podcast player.
Just search for Threat Vector by Palo Alto Networks.
Each week, I interview leaders from across our industry
and from Palo Alto Networks
to get their insights on cybersecurity,
the threat landscape,
and the constant changes we face.
See you there.
Be sure to check out the entire Threat Vector podcast wherever you get your favorite podcasts.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And finally, in the run-up to the 2024 U.S. presidential election,
combating misinformation remains a significant challenge, as seen in the latest case involving false claims about Minnesota Governor Tim Walz.
A Russian-aligned network, Storm-1516,
is believed to be behind the spread of these fabricated sexual abuse allegations.
The campaign gained traction after the release of a deepfake video, a tactic common in Russian disinformation efforts.
Darren Linvill of Clemson University's Media Forensics Hub points out that
Storm-1516 typically plants fake stories and AI-altered videos, which are then amplified by
other online networks. Once viral, these false claims are shared by unsuspecting users, sometimes
even picked up by mainstream outlets. This strategy aims to manipulate public
perception and undermine political figures like Walz. Experts warn that this disinformation
campaign, linked to pro-Kremlin and QAnon influencers, is part of a broader effort to
sway opinions ahead of the November election. For further insights into disinformation and misinformation in the U.S. election,
be sure to check out our three-part miniseries, Dismiss.
Rick Howard sits down with election experts
to navigate the 2024 presidential elections
information storm,
offering a toolkit to help you distinguish
between deceptive narratives and legitimate content
in today's rapidly shifting election
security landscape. It's worth your time. Check it out.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. We'd love to know what you
think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity. If you like our show, please share a rating and
review in your favorite podcast app. Please also fill out the survey in the show notes or send an
email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire
is part of the daily routine of the most influential leaders and operators in the public
and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law
enforcement agencies. N2K makes it easy for companies to optimize your biggest investment,
your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced
by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone
Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.