By the CyberWire staff
At a glance.
- Malicious backdoor infiltrates widespread Linux package.
- At least five suspected Chinese threat actors exploited Ivanti flaws.
- Jackson County, Missouri, discloses ransomware attack.
- Earth Freybug deploys new malware.
- Initial access brokers distribute new malware downloader.
- US State Department investigates alleged contractor breach.
- US DHS concludes investigation into Microsoft Exchange hack.
- Vultur RAT impersonates McAfee Security app.
- Omni Hotels confirms cyberattack.
- Cancer treatment center discloses breach.
- AT&T confirms data breach affecting 73 million accounts.
- Yacht company MarineMax discloses breach.
Malicious backdoor infiltrates widespread Linux package.
Red Hat last week issued an urgent security alert warning that someone recently inserted malicious code into the data compression library "xz," which is used in nearly every Linux distribution. According to Red Hat, "The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely."
The brunt of the attack appears to have been averted due to its early discovery, but the malicious packages were deployed to Fedora 40 and Fedora Rawhide. Red Hat urges users of these versions to stop usage immediately until the code can be reverted. The US Cybersecurity and Infrastructure Security Agency (CISA) said in an alert, "CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA."
The malicious code was added by someone with the username "JiaT75," who apparently began infiltrating the xz project and building trust in 2021. The code was discovered by a Microsoft developer, Andres Freund, who noticed that SSH logins were using up an abnormal amount of CPU cycles.
Ars Technica quotes software engineer Filippo Valsorda as saying, "This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library."
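A defender-side check for the CISA guidance above, added here as an example and not code from the article, Red Hat or CISA: it compares the installed XZ Utils version against the 5.4.6 baseline named in the CISA quote and reports whether the local sshd loads liblzma at all (the liblzma-linkage test is an assumption about how to confirm exposure on a given host; it works in plain POSIX sh).

```shell
#!/bin/sh
# Added example (not from the CyberWire article, Red Hat or CISA): flag an XZ
# Utils install newer than the 5.4.6 baseline CISA named, and show whether sshd loads liblzma.
SAFE_BASELINE="5.4.6"   # from the CISA quote in the article
# Keep only the leading dotted digits: "5.4.6-r1" -> "5.4.6".
normalize_version() {
  printf '%s' "$1" | sed 's/[^0-9.].*//'
}
# Return 0 if dotted version $1 <= $2, 1 otherwise (no dependence on GNU sort -V).
version_le() {
  a=$(normalize_version "$1"); b=$(normalize_version "$2")
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
  done
  return 0
}
# Return 0 when the version is newer than the baseline (review and downgrade per
# CISA), 1 when it is at or below the baseline.
xz_needs_review() { ! version_le "$1" "$SAFE_BASELINE"; }
# First line of `xz --version` looks like "xz (XZ Utils) 5.4.6".
xz_installed_version() {
  command -v xz >/dev/null 2>&1 || return 1
  xz --version 2>/dev/null | head -n 1 | awk '{print $NF}'
}
report() {
  v=$(xz_installed_version) || { echo "xz not installed"; return 0; }
  if xz_needs_review "$v"; then
    echo "xz $v is newer than $SAFE_BASELINE: review per CISA guidance"
  else
    echo "xz $v is at or below the $SAFE_BASELINE baseline"
  fi
  # Assumption: sshd is exposed only if liblzma is mapped into it (directly or
  # via libsystemd); an sshd that does not link liblzma is out of scope here.
  sshd=$(command -v sshd 2>/dev/null) || return 0
  if ldd "$sshd" 2>/dev/null | grep -q liblzma; then
    echo "sshd links liblzma: exposed if xz is compromised"
  else
    echo "sshd does not link liblzma"
  fi
}
report
```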
At least five suspected Chinese threat actors exploited Ivanti flaws.
Mandiant has published a report on zero-day exploitation of several now-patched Ivanti vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893). Mandiant observed exploitation by five suspected China-linked threat actors (including Volt Typhoon), as well as three financially motivated groups. The researchers note, "Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families. In addition, we've seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives."
Jackson County, Missouri, discloses ransomware attack.
Missouri's Jackson County (home to Kansas City) has disclosed a ransomware attack that caused "significant disruptions" to its IT systems, the Record reports. The attack occurred on Tuesday morning. The county stated, "Early indications suggest operational inconsistencies across its digital infrastructure and certain systems have been rendered inoperative while others continue to function as normal. Systems impacted so far include tax payments and online property, marriage license, and inmate searches. As a result, the Assessment, Collection, and Recorder of Deeds offices at all County locations will be closed until further notice. It’s important to note that the Kansas City Board of Elections and Jackson County Board of Elections are not impacted by the system outage."
Earth Freybug deploys new malware.
Trend Micro has published a report on "Earth Freybug," a subset of the China-linked threat actor APT41. The threat actor is using a strain of DLL malware dubbed "UNAPIMON," which "employs defense evasion techniques to prevent child processes from being monitored." The researchers note, "A unique and notable feature of this malware is its simplicity and originality. Its use of existing technologies, such as Microsoft Detours, shows that any simple and off-the-shelf library can be used maliciously if used creatively. This also displayed the coding prowess and creativity of the malware writer. In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case."
Initial access brokers distribute new malware downloader.
Researchers at Proofpoint and Team Cymru describe a malware downloader called "Latrodectus" that surfaced in November 2023. The malware is similar to IcedID, and was likely made by the same developers. Latrodectus is being used by initial access brokers (IABs) and is distributed via phishing campaigns. The researchers note, "While use of Latrodectus decreased in December 2023 through January 2024, Latrodectus use increased in campaigns throughout February and March 2024. It was first observed in Proofpoint data being distributed by threat actor TA577 but has been used by at least one other threat actor, TA578."
US State Department investigates alleged contractor breach.
The US State Department is investigating an alleged theft of classified information from Virginia-based government contractor Acuity, BleepingComputer reports. A threat actor known as "IntelBroker" posted on BreachForums on Tuesday claiming to have stolen "classified information and communications between the Five Eyes, 14 Eyes, and US allies." The threat actor also claims to have "full names, emails, office numbers, and personal cell numbers of government, military, and Pentagon employees, as well as their email addresses."
Acuity has confirmed that hackers stole some of its data, but the company maintains that the information is old and non-sensitive, SecurityWeek reports. Acuity CEO Rui Garcia told SecurityWeek, "Acuity recently identified a cybersecurity incident related to GitHub repositories that housed dated and non-sensitive information. Immediately upon becoming aware of this zero-day vulnerability, Acuity applied the vendor’s security updates and performed mitigating actions in accordance with the vendor’s guidance. After conducting our own analysis and following a third-party cybersecurity expert investigation, Acuity has seen no evidence of impact on any of our clients’ sensitive data. In addition to cooperating with law enforcement, Acuity takes the security of its customers’ data seriously and is implementing appropriate measures to secure its operations further."
US DHS concludes investigation into Microsoft Exchange hack.
The US Department of Homeland Security has released the results of its Cyber Safety Review Board’s (CSRB) investigation into the Microsoft Exchange Online intrusion that occurred in summer 2023, the AP reports. The report states, "The CSRB’s review found that the intrusion by Storm-0558, a hacking group assessed to be affiliated with the People’s Republic of China, was preventable. It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. The Board recommends that Microsoft develop and publicly share a plan with specific timelines to make fundamental, security-focused reforms across the company and its suite of products. Microsoft fully cooperated with the Board’s review."
Vultur RAT impersonates McAfee Security app.
Researchers at Fox-IT are tracking a new variant of the Vultur Android banking Trojan that's spreading via a malicious version of the McAfee Security app, BleepingComputer reports. Fox-IT notes, "The most intriguing addition is the malware’s ability to remotely interact with the infected device through the use of Android’s Accessibility Services. The malware operator can now send commands in order to perform clicks, scrolls, swipe gestures, and more. Firebase Cloud Messaging (FCM), a messaging service provided by Google, is used for sending messages from the C2 server to the infected device. The message sent by the malware operator through FCM can contain a command, which, upon receipt, triggers the execution of corresponding functionality within the malware. This eliminates the need for an ongoing connection with the device."
Omni Hotels confirms cyberattack.
Omni Hotels & Resorts has confirmed that a cyberattack was responsible for widespread IT outages that began on Friday, March 29th, the Register reports. The company said in a statement, "Upon learning of this issue, Omni immediately took steps to shut down its systems to protect and contain its data. As a result, certain systems were brought offline, most of which have been restored. As our team works diligently to restore the remainder of the systems to full functionality, we continue to welcome our guests and accept new reservations. We apologize for the disruption and inconvenience this cyberattack is causing."
Omni hasn't disclosed the nature of the incident, but BleepingComputer cites sources as saying the company is in the process of restoring from backups following a ransomware attack.
Cancer treatment center discloses breach.
US cancer treatment and research center City of Hope has disclosed a data breach affecting the personal, financial, and medical information of 800,000 individuals, SecurityWeek reports. The stolen data include "name, contact information (e.g., email address, phone number), date of birth, social security number, driver’s license or other government identification, financial details (e.g., bank account number and/or credit card details), health insurance information, medical records, and information about medical history and/or associated conditions."
AT&T confirms data breach affecting 73 million accounts.
AT&T has confirmed that information belonging to 73 million customer accounts has been leaked on the dark web. According to the Record, the data includes Social Security numbers, names, email addresses, mailing addresses, phone numbers, dates of birth, AT&T account numbers, and passcodes. The company stated, "While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors. With respect to the balance of the data set, which includes personal information such as social security numbers, the source of the data is still being assessed.... Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set."
Yacht company MarineMax discloses breach.
Florida-based yacht retailer MarineMax has disclosed that personal data was stolen during a cyberattack the company sustained last month, BleepingComputer reports. The company stated, "[O]ur ongoing investigation has identified that this organization exfiltrated limited data from this environment that includes some customer and employee information, including personally identifiable information." BleepingComputer notes that the Rhysida ransomware gang has claimed responsibility for the attack and is selling the allegedly stolen data for just over $1 million.
Crime and punishment.
The Indian government says it's rescued 250 Indian citizens who were forced into cyber slavery in Cambodia, the Record reports. The Record cites the United Nations as saying at least 100,000 people in Cambodia and 120,000 in Myanmar are being forced by criminal gangs to participate in online scams. Many of these individuals were lured from other countries with phony job offers.
Courts and torts.
Google has agreed to delete billions of browsing activity records collected from users who were in Incognito Mode, Mashable reports. A class-action lawsuit filed in 2020 alleged that Google failed to properly disclose the extent of data collected on users in Incognito Mode. As part of the settlement, the company has also added updated information to Chrome's Incognito home page, outlining the types of data it collects.
A Google spokesperson told CNN, "We are pleased to settle this lawsuit, which we always believed was meritless. We never associate data with users when they use incognito mode. We are happy to delete old technical data that was never associated with an individual and was never used for any form of personalization."