By the CyberWire staff
At a glance.
- Hackers target recently disclosed LiteSpeed Cache vulnerability.
- US intelligence community warns of Iranian election interference.
- OpenAI disrupts Iranian influence campaign.
- Lazarus Group exploited Windows zero-day.
- Microchip Technology sustains disruptive cyberattack.
- Iranian spearphishing campaign targets religious figure with phony podcast invitation.
- Phishing campaign impersonates banks in Central Europe.
- Chinese threat actor exploited Cisco zero-day.
- Halliburton sustains cyberattack.
- Configuration flaw may affect thousands of apps using AWS ALB.
Hackers target recently disclosed LiteSpeed Cache vulnerability.
Hackers have begun exploiting a critical privilege-escalation vulnerability (CVE-2024-28000) in the LiteSpeed Cache plugin for WordPress, BleepingComputer reports. Technical details for the flaw were disclosed on Wednesday, and a patch has been issued. LiteSpeed Cache has more than 5 million installations, and BleepingComputer notes that as of yesterday only about 30% were running a patched version.
WordPress security company Wordfence has blocked thousands of attacks targeting the flaw over the past two days. Patchstack published a report on the vulnerability, stating, "The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and installed. The vulnerability exploits a user simulation feature in the plugin which is protected by a weak security hash that uses known values."
Security researcher John Blackbourn discovered the flaw and was awarded $14,400 through the Patchstack Zero Day bug bounty program, which Patchstack notes is "the highest bounty in the history of WordPress bug bounty hunting."
US intelligence community warns of Iranian election interference.
The US Office of the Director of National Intelligence (ODNI), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint statement confirming that Iranian state-sponsored threat actors are conducting influence operations focused on the US presidential elections. The advisory states, "We have observed increasingly aggressive Iranian activity during this election cycle, specifically involving influence operations targeting the American public and cyber operations targeting Presidential campaigns. This includes the recently reported activities to compromise former President Trump’s campaign, which the IC attributes to Iran. The IC is confident that the Iranians have through social engineering and other efforts sought access to individuals with direct access to the Presidential campaigns of both political parties. Such activity, including thefts and disclosures, are intended to influence the U.S. election process."
The advisory concludes, "Using strong passwords and only official email accounts for official business, updating software, avoiding clicking on links or opening attachments from suspicious emails before confirming their authenticity with the sender, and turning on multi-factor authentication will drastically improve online security and safety."
OpenAI disrupts Iranian influence campaign.
OpenAI has shut down a cluster of ChatGPT accounts that were generating content for use in an Iranian influence campaign directed at users in the United States. Microsoft described the influence campaign earlier this month, tracking it as "Storm-2035." The campaign mainly posts content related to "the conflict in Gaza, Israel’s presence at the Olympic Games, and the U.S. presidential election." The operation hasn't gained much traction, receiving very little engagement on social media.
OpenAI states, "Our investigation revealed that this operation used ChatGPT for two purposes: generating long-form articles and shorter social media comments. The first workstream produced articles on U.S. politics and global events, published on five websites that posed as both progressive and conservative news outlets. The second workstream created short comments in English and Spanish, which were posted on social media. We identified a dozen accounts on X and one on Instagram involved in this operation. Some of the X accounts posed as progressives, and others as conservatives. They generated some of these comments by asking our models to rewrite comments posted by other social media users."
Lazarus Group exploited Windows zero-day.
North Korea's Lazarus Group exploited a privilege-escalation zero-day (CVE-2024-38193) affecting a Windows driver in order to install a rootkit, BleepingComputer reports. Microsoft patched the vulnerability last week. The flaw was discovered by researchers at Gen Digital, who stated in their report, "In early June, Luigino Camastra and Milanek discovered that the Lazarus group was exploiting a hidden security flaw in a crucial part of Windows called the AFD.sys driver. This flaw allowed them to gain unauthorized access to sensitive system areas. We also discovered that they used a special type of malware called Fudmodule to hide their activities from security software."
Microchip Technology sustains disruptive cyberattack.
Arizona-based semiconductor manufacturer Microchip Technology disclosed yesterday that it sustained a cyberattack that disrupted operations. The company stated, "As a result of the incident, certain of the Company’s manufacturing facilities are operating at less than normal levels, and the Company’s ability to fulfill orders is currently impacted. The Company is working diligently to bring the affected portions of its IT systems back online, restore normal business operations, and mitigate the impact of the incident."
The company didn't share specifics about the incident, but BleepingComputer notes that the description suggests ransomware was involved.
Iranian spearphishing campaign targets religious figure with phony podcast invitation.
Proofpoint has published a report on an Iranian phishing campaign that targeted a prominent Jewish religious figure with a phony invitation for a podcast interview. The threat actor, tracked as "TA453," impersonated the Research Director at the Institute for the Study of War. Proofpoint states, "TA453 initially sent the fake podcast invitation to the religious figure at multiple email accounts, specifically both the target’s organizational email address along with their personal email address. Phishing multiple email addresses associated with a target has been observed by a number of state aligned threats, including TA427. TA453 continued to establish their legitimacy by sending emails from understandingthewar[.]org and including a TA453-controlled Hotmail account in the email signature. After another reply from the target, TA453 replied with a GoogleDrive URL leading to a ZIP archive named 'Podcast Plan-2024.zip.' The ZIP contained an LNK titled “Podcast Plan 2024.lnk”. The LNK delivered the BlackSmith toolset which eventually loaded TA453’s AnvilEcho Powershell Trojan."
Phishing campaign impersonates banks in Central Europe.
ESET describes a phishing campaign that's targeting customers of banks in Czechia, Georgia, and Hungary. Notably, the phishing sites instruct the victim to add a Progressive Web Application (PWA) that impersonates a banking app to their phone's home screen. The researchers state, "This technique is noteworthy because it installs a phishing application from a third-party website without the user having to allow third-party app installation. For iOS users, such an action might break any 'walled garden' assumptions about security. On Android, this could result in the silent installation of a special kind of APK, which on further inspection even appears to be installed from the Google Play store."
Chinese threat actor exploited Cisco zero-day.
Researchers at Sygnia warn that the China-aligned threat actor Velvet Ant exploited a zero-day vulnerability (CVE-2024-20399) affecting on-premises Cisco Switch appliances. The flaw, which was patched last month, "allows an attacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the Linux underlying operating system." Velvet Ant exploited the vulnerability to "deploy tailored malware, which runs on the underlying OS and is invisible to common security tools."
Halliburton sustains cyberattack.
Reuters reports that Halliburton, the world's second largest oil company, sustained a cyberattack on Wednesday that disrupted systems at its Texas headquarters. A company spokesperson told the Record, "We are aware of an issue affecting certain company systems and are working diligently to assess the cause and potential impact. We have activated our preplanned response plan and are working internally, and with leading external experts, to remediate the issue."
Reuters notes that the US Department of Energy said on Thursday that the incident hasn't impacted any energy services.
Cisco Talos discovers potential vulnerabilities in Microsoft apps for macOS.
Cisco Talos discovered eight vulnerabilities affecting Microsoft applications for macOS that could allow an attacker to "bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification." The flaws are related to Microsoft's use of entitlements that disable some of macOS's protections against loading unsigned libraries. Talos says an "adversary could gain any privileges already granted to the affected Microsoft applications. For example, the attacker could send emails from the user account without the user noticing, record audio clips, take pictures or record videos without any user interaction."
Microsoft considers the issues to be low-risk and in some cases necessary for the proper functioning of the apps. However, the company has updated its Teams and OneNote apps to remove the entitlement. Excel, Outlook, PowerPoint, and Word remain vulnerable.
Configuration flaw may affect thousands of apps using AWS ALB.
Miggo Research has discovered a critical configuration flaw potentially affecting up to 15,000 applications that use AWS Application Load Balancer (ALB) for authentication. The researchers explain, "First, the attacker creates their own ALB instance with authentication configured in their account. The attacker then uses this ALB to sign a token they fully control. Next, the attacker alters the ALB configuration and sets the issuer field to the victim's expected issuer. AWS subsequently signs the attacker's forged token with the victim's issuer. Finally, the attacker uses this minted token against the victim's application, bypassing both authentication and authorization."
To mitigate this risk, Miggo says AWS customers should:
- "Verify that every application using the ALB authentication feature checks the token signer."
- "Restrict your targets to accept traffic only from your Application Load Balancer."
AWS has updated its documentation to include this guidance, but it's up to the customers to make the recommended changes.
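The first of Miggo's two recommendations, the signer check, as an added example (not code from Miggo, AWS, or the original article). It inspects the JWT that ALB places in the x-amzn-oidc-data header and rejects any token whose signer is not the application's own load balancer; the ALB ARN and issuer URL are constructed placeholder values, and the sample tokens carry a constructed, non-cryptographic signature so the check can run offline.

```python
import base64
import json

# Constructed placeholders (hypothetical account, region and issuer; not from the page).
EXPECTED_SIGNER = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                   "loadbalancer/app/my-app-alb/0123456789abcdef")
EXPECTED_ISSUER = "https://idp.example.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url whether or not the segment carries '=' padding."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_alb_token_signer(oidc_data: str) -> dict:
    """Parse the x-amzn-oidc-data JWT header and refuse it unless the `signer`
    field is our own ALB ARN. This must run before (not instead of) signature
    verification: a token minted by an attacker-owned ALB still has a kid that
    resolves to a valid AWS public key, so a good signature alone does not
    prove the token came from a load balancer we control."""
    parts = oidc_data.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "ES256":
        raise ValueError("unexpected alg")
    if header.get("signer") != EXPECTED_SIGNER:
        raise ValueError("token signed by a load balancer we do not own")
    if header.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    # Next step in a real deployment: fetch the ES256 public key for header["kid"]
    # from https://public-keys.auth.elb.<region>.amazonaws.com/<kid> and verify
    # the signature over parts[0] + "." + parts[1] before trusting the payload.
    return header


def is_trusted_alb_token(oidc_data: str) -> bool:
    try:
        check_alb_token_signer(oidc_data)
        return True
    except ValueError:
        return False


def _make_token(header: dict, payload: dict) -> str:
    """Build a sample token with a constructed, non-cryptographic signature part."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()
    return ".".join([enc(header), enc(payload), enc({"sig": "constructed"})])


# Constructed samples: one from our ALB, one whose issuer matches but whose
# signer is a different (attacker-created) load balancer in another account.
GOOD_TOKEN = _make_token({"alg": "ES256", "kid": "k1", "signer": EXPECTED_SIGNER,
                          "iss": EXPECTED_ISSUER}, {"sub": "alice"})
FORGED_TOKEN = _make_token({"alg": "ES256", "kid": "k2", "iss": EXPECTED_ISSUER,
                            "signer": EXPECTED_SIGNER.replace("111122223333", "999999999999")},
                           {"sub": "admin"})
```

The second recommendation (security-group rules so targets accept traffic only from the ALB) closes the other path an attacker would otherwise use: sending a token straight to the target while bypassing the load balancer entirely.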
Patch news.
Google on Wednesday issued an emergency security patch for an actively exploited zero-day flaw affecting Chrome, BleepingComputer reports. The vulnerability (CVE-2024-7971) is a "[t]ype confusion in V8 in Google Chrome prior to 128.0.6613.84 [that] allowed a remote attacker to exploit heap corruption via a crafted HTML page." Google has declined to share details on the flaw until more users have had a chance to apply the fix. Chrome will automatically install the patch when users relaunch their browsers.
Crime and punishment.
The US Justice Department has charged a Latvian man who lived in Russia for his alleged participation in the Karakurt ransomware group. The defendant, 33-year-old Deniss Zolotarjovs, was arrested in Georgia last year and extradited to the US this month. The Justice Department stated, "According to court documents, Zolotarjovs is a member of a known cybercriminal organization that attacks computer systems of victims around the world. Among other things, the Russian cybercrime group steals victim data and threatens to release it unless the victim pays ransom in cryptocurrency. The group maintains a leaks and auction website that lists victim companies and offers stolen data for download. It is alleged that Zolotarjovs was an active member of the Russian cybercrime group, communicating with other members, laundering cryptocurrency received from victims, and extorting victims."