By the CyberWire staff
At a glance.
- Iran-linked hackers target US presidential campaigns.
- Microsoft's Patch Tuesday fixes six actively exploited zero-days.
- Hackers leak nearly 2.7 billion records with personal information.
- CISA warns of actively exploited SolarWinds flaw.
- Google will remove high-privileged Android app from Pixel phones.
- FBI disrupts Radar/Dispossessor ransomware operation.
- New macOS malware surfaces.
- Australian gold mining company sustains ransomware attack.
Iran-linked hackers target US presidential campaigns.
The Trump campaign disclosed last Saturday that some of its internal communications had been hacked by "foreign sources hostile to the United States," citing a report from Microsoft on Iranian election interference, the BBC reports. Microsoft's Threat Analysis Center (MTAC) said in the report last week that it had observed a threat actor attributed to Iran's Islamic Revolutionary Guard Corps (IRGC) send "a spear-phishing email to a high-ranking official of a presidential campaign from a compromised email account of a former senior advisor." Microsoft didn't name the campaign that was targeted, but the Washington Post cites sources as saying it was Trump's. A Trump campaign spokesperson said in a statement that this hack "coincides with the close timing of President Trump’s selection of a vice presidential nominee."
POLITICO says it received the hacked information from an anonymous AOL email address in late July. The data included "internal communications from a senior Trump campaign official" and a 271-page vetting document on Trump's VP pick, Ohio Senator JD Vance.
Google’s Threat Analysis Group (TAG) published a report on Wednesday outlining the Iran-aligned threat actor APT42's targeting of US presidential campaigns. Google confirms that APT42, which is attributed to the IRGC, has targeted both the Trump and Biden-Harris campaigns with spearphishing attacks: "In May and June, APT42 targets included the personal email accounts of roughly a dozen individuals affiliated with President Biden and with former President Trump, including current and former officials in the U.S. government and individuals associated with the respective campaigns. We blocked numerous APT42 attempts to log in to the personal email accounts of targeted individuals." TAG adds that the group "successfully gained access to the personal Gmail account of a high-profile political consultant."
If you're on the front line, we've got your back.
Mark your calendar for mWISE™, the unique cybersecurity conference from Mandiant, now part of Google Cloud. Built by practitioners for practitioners, it runs from September 18–19, 2024 in Denver, Colorado.
What makes mWISE different from other cybersecurity conferences? It’s a targeted event with hands-on learning for frontline practitioners. The intimate setting allows you to make one-on-one connections with leaders in the field. And best of all, it’s focused on learning without the sales pitches.
Microsoft's Patch Tuesday fixes six actively exploited zero-days.
Microsoft on Tuesday issued patches for 89 flaws, nine of which were known zero-days, KrebsOnSecurity reports. Six of the zero-days were being actively exploited and three were publicly disclosed. The company is still working on a fix for an additional publicly disclosed zero-day (CVE-2024-38202). Three of the zero-days (CVE-2024-38106, CVE-2024-38107, and CVE-2024-38193) allow an attacker to gain SYSTEM-level privileges on a machine. One of the actively exploited vulnerabilities (CVE-2024-38213) allows malware to bypass Windows' Mark of the Web security feature, though it requires user interaction to succeed.
Microsoft also patched a critical zero-click remote code execution vulnerability (CVE-2024-38063) that affects all Windows machines using IPv6, which is enabled by default, BleepingComputer reports. There's no evidence of exploitation so far, but Microsoft has given the flaw its "Exploitation more likely" label. The company says "[a]n unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution." The vulnerability was discovered by a researcher at Kunlun Lab, who noted that the bug is triggered before the packet reaches the Windows firewall. Users are urged to update Windows as soon as possible or disable IPv6 until patches can be applied.
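The article's interim advice for CVE-2024-38063 is to patch or, until the patch is applied, disable IPv6; because the bug fires before the packet reaches the Windows firewall, host firewall rules alone are not a mitigation. The PowerShell below is an added example written for this summary, not Microsoft's or the article's own script: it inventories which adapters still have IPv6 (the ms_tcpip6 binding) enabled, lists recently installed updates so an administrator can confirm the August 2024 cumulative update is present, and optionally unbinds IPv6 as a reversible stopgap. The `-Apply` switch and the messages are this script's own conventions; run it from an elevated session.

```powershell
# Added example (not from the CyberWire article): audit and, if requested,
# temporarily unbind IPv6 on a Windows host pending the CVE-2024-38063 fix.
# The -Apply switch is this script's own; without it the script only reports.
param([switch]$Apply)

# 1. Adapters that still have the IPv6 stack (ms_tcpip6) bound.
$bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
if ($bound) {
    Write-Host "Adapters with IPv6 bound:"
    $bound | Format-Table Name, ComponentID, Enabled -AutoSize
} else {
    Write-Host "IPv6 is not bound on any adapter."
}

# 2. Configured IPv6 addresses, so reachability over v6 is visible at a glance.
Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin |
    Format-Table -AutoSize

# 3. Most recent installed updates; check here that the August 2024
#    cumulative update for this Windows build is present before re-enabling IPv6.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 4. Optional stopgap: unbind IPv6 from every adapter that still has it.
#    This is reversible and does not depend on firewall rules, which the
#    article notes the bug bypasses because it triggers before filtering.
if ($Apply -and $bound) {
    $bound | ForEach-Object {
        Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 -Confirm:$false
    }
    Write-Host "IPv6 binding disabled. After patching, restore it with:"
    Write-Host "  Enable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
}
```

Unbinding IPv6 affects anything on the host that depends on it (some Microsoft services and DirectAccess-style tunnels assume IPv6 is present), so treat the `-Apply` path as a short-lived measure and re-enable the binding once the update is confirmed installed.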
Hackers leak nearly 2.7 billion records with personal information.
A threat actor has leaked nearly 2.7 billion records with personal information belonging to people in the US, the UK, and Canada, BleepingComputer reports. The leak contains names, Social Security numbers, all known physical addresses, and possible aliases. The data was allegedly stolen from National Public Data, a background check company that scrapes this information from public sources. BleepingComputer says the data appears to be legitimate, though some of it may be inaccurate or outdated.
National Public Data confirmed the breach on Tuesday, stating that "[t]he incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024."
Fight Cloud Threats Faster with the Power of AI
Cloud attacks happen fast, making it difficult for security teams to keep up and perform thorough investigations. Sysdig Sage™ is the first AI cloud security analyst capable of multistep reasoning, and is designed to address the inherent complexity of securing cloud infrastructures. Read the blog to learn how security teams, through simple AI conversation, can quickly analyze cloud threats and get contextual guidance on how to respond.
CISA warns of actively exploited SolarWinds flaw.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical-severity vulnerability in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities catalog. The issue is a "deserialization of untrusted data vulnerability that could allow for remote code execution."
SolarWinds has issued a hotfix for the flaw, noting, "While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available."
Google will remove high-privileged Android app from Pixel phones.
Researchers at iVerify discovered an Android package called "Showcase.apk" with excessive privileges installed on "a very large percentage of Pixel devices shipped worldwide since September 2017." The package was likely designed for in-store demos at Verizon stores. The researchers state, "The application package is designed to retrieve a configuration file over unsecured HTTP. It allows the app to execute system commands or modules that could open a backdoor, making it easy for cybercriminals to compromise the device." They add that the package "makes the operating system accessible to hackers and ripe for man-in-the-middle attacks, code injection, and spyware."
Google has disputed the severity of iVerify's findings, stating that "[e]xploitation of this app on a user phone requires both physical access to the device and the user's password." However, the company says it will remove the app from supported in-market Pixel devices in an upcoming update. Rocky Cole, co-founder of iVerify, told the Record that Google's assertion that exploitation requires physical access "is merely an assumption."
iVerify discovered the package while performing an investigation for data analytics giant Palantir. A Palantir spokesperson said the company will be "completely phasing out Android devices over the next few years, owing not just to this vulnerability, but past detections, as well."
D.C.’s Premier Gathering of Cybersecurity Visionary Leaders
N2K CyberWire is proud to partner with DMV Rising 2024 to celebrate the remarkable accomplishments of the DMV's cybersecurity community, and provide a unique opportunity to foster new connections and innovative ideas. Join us on September 12, 2024 to experience firsthand why the DMV region is the beating heart of cyber innovation. Register now to secure your spot.
FBI disrupts Radar/Dispossessor ransomware operation.
The US Federal Bureau of Investigation has disrupted the Radar/Dispossessor ransomware operation, working with law enforcement in the UK and Germany to dismantle "three U.S. servers, three United Kingdom servers, 18 German servers, eight U.S.-based criminal domains, and one German-based criminal domain." The group has been active since August 2023, hitting at least 43 victims around the world.
The Bureau stated, "Since its inception in August 2023, Radar/Dispossessor has quickly developed into an internationally impactful ransomware group, targeting and attacking small-to-mid-sized businesses and organizations from the production, development, education, healthcare, financial services, and transportation sectors. Originally focused on entities in the United States, the investigation discovered 43 companies as victims of the attacks, from countries including Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany."
New macOS malware surfaces.
Elastic Security is tracking a new macOS malware dubbed "BANSHEE Stealer" that surfaced this month. The malware is being offered on cybercriminal forums for a monthly subscription fee of $3,000. BANSHEE targets "vital system information, browser data, and cryptocurrency wallets," and can function across both macOS x86_64 and ARM64 architectures. The malware also targets around 100 browser extensions. The researchers note that "[d]espite its potentially dangerous capabilities, the malware's lack of sophisticated obfuscation and the presence of debug information make it easier for analysts to dissect and understand."
Upcoming webinar: Unpacking the 2024 Ransomware Landscape
Join David Bittner and Deepen Desai, Chief Security Officer at Zscaler, on August 22nd for an exclusive deep dive into the latest findings from the Zscaler ThreatLabz 2024 Ransomware Report. In this discussion, we will highlight critical insights into the most targeted industries and regions, uncover the dynamics behind a record ransom payout, discuss emerging ransomware families to watch, and share predictions for the upcoming year. Register now to secure your spot.
Australian gold mining company sustains ransomware attack.
Australian gold mining company Evolution Mining sustained a ransomware attack on August 8th that disrupted its IT systems, the Record reports. Evolution said in a filing with the Australian Stock Exchange, "The Company has been working with its external cyber forensic experts to investigate the incident. Based on work to date, the Company believes the incident is now contained. The incident has been proactively managed with a focus on protecting the health, safety and privacy of people, together with the Company’s systems and data. The Company does not anticipate any material impact on operations."
Courts and torts.
Texas Attorney General Ken Paxton has filed a lawsuit against General Motors, claiming the company violated the privacy rights of millions of Texans by selling their vehicle location data to data brokers, POLITICO reports. The lawsuit states, "General Motors deceptively collected scores of data points from consumers about their driving habits, monetized that data by selling it to other commercial actors, and permitted those actors to use the ill-gotten data to make adverse decisions when dealing with those same consumers."
POLITICO notes that this is the first state-level enforcement against an automaker for data sales.