At a glance.
- Volt Typhoon exploits Versa zero-day to target ISPs in the United States.
- Telegram CEO Pavel Durov charged in France.
- APT29 deploys exploits apparently made by spyware vendors.
- Iranian cyberespionage actor conducts ransomware attacks on the side.
- RansomHub affiliates have hit over 200 victims since February 2024.
- Malicious Pidgin plugin delivers malware.
- Linux malware exploits udev rules to evade detection.
- Greasy Opal's tools facilitate cyberattacks.
- California advances legislation to regulate AI models.
Volt Typhoon exploits Versa zero-day to target ISPs in the United States.
Researchers at Lumen Technologies' Black Lotus Labs discovered an actively exploited zero-day flaw (CVE-2024-39717) affecting the SD-WAN management platform Versa Director. Versa has issued a patch for the vulnerability, and users are urged to upgrade to version 22.1.4 or later. The flaw allows threat actors to execute code by uploading Java files disguised as PNG images.
The researchers found a custom-made web shell designed to exploit the vulnerability, which they attribute to the Chinese threat actor Volt Typhoon. Lumen states, "Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024. The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell."
The US government has accused Volt Typhoon of conducting battlespace preparation within US critical infrastructure, pre-positioning themselves to launch disruptive or destructive cyberattacks. KrebsOnSecurity notes that targeting ISPs could lay "the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China."
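The flaw summarised above turned on Java content being accepted under a PNG name, so a defender wants the file's leading bytes, not its extension, to decide what it is. The following is an added example (not Versa's code or Black Lotus Labs' analysis) of that check; the magic numbers are the published PNG, Java class and ZIP signatures, and the sample files are constructed:

```python
"""Decide what an uploaded "image" really is from its bytes, not its filename.

Added example, not Versa's code or Black Lotus Labs' analysis. Signatures are the
published ones for PNG, Java class files and ZIP (JAR/WAR) archives; samples are constructed.
"""

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"        # 8-byte PNG signature
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java .class file starts with CAFEBABE
ZIP_LOCAL_HEADER = b"PK\x03\x04"        # first local file header of a ZIP/JAR
ZIP_EOCD = b"PK\x05\x06"                # end-of-central-directory record, near the end
EOCD_SEARCH_WINDOW = 22 + 65535         # EOCD is 22 bytes plus an optional comment

def sniff(data):
    """Classify content by leading bytes; a PNG carrying a trailing ZIP is a polyglot."""
    if data.startswith(PNG_MAGIC):
        # ZIP readers locate the archive from the end of the file, so a valid PNG
        # with a JAR appended opens in both an image viewer and a Java runtime.
        if ZIP_EOCD in data[-EOCD_SEARCH_WINDOW:]:
            return "png-zip-polyglot"
        if len(data) >= 16 and data[12:16] == b"IHDR":   # first chunk must be IHDR
            return "png"
        return "malformed-png"
    if data.startswith(JAVA_CLASS_MAGIC):
        return "java-class"
    if data.startswith(ZIP_LOCAL_HEADER):
        return "zip-or-jar"
    return "unknown"

def png_upload_ok(filename, data):
    """Accept a .png upload only when its bytes are a plain PNG (no polyglot, no class)."""
    if not filename.lower().endswith(".png"):
        return False
    return sniff(data) == "png"

# Constructed samples (the IHDR CRC is not computed; sniff() does not check CRCs).
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\x0d" + b"IHDR" + bytes(13) + bytes(4)
SAMPLE_CLASS = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + bytes(16)
SAMPLE_POLYGLOT = SAMPLE_PNG + ZIP_LOCAL_HEADER + bytes(26) + ZIP_EOCD + bytes(18)

if __name__ == "__main__":
    for name, blob in (("logo.png", SAMPLE_PNG), ("logo.png", SAMPLE_CLASS),
                       ("logo.png", SAMPLE_POLYGLOT)):
        print(name, sniff(blob), "accepted" if png_upload_ok(name, blob) else "rejected")
```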
Telegram CEO Pavel Durov charged in France.
Telegram CEO Pavel Durov has been charged in France with several counts related to criminal activity on Telegram and the company's alleged unwillingness to cooperate with law enforcement, the Associated Press reports. According to the BBC, the charges include "complicity in the administration of an online platform to enable illicit transactions by an organized gang" and "complicity in organised criminal distribution of sexual images of children." Durov has been released on a €5 million bail but is barred from leaving France.
Slate notes that Durov's arrest has been criticized by free-speech and privacy advocates, particularly concerning the two counts related to "cryptology services" which could "imply that France sees the use of internationally based, unregulated 'encryption' services as a crime all its own."
APT29 deploys exploits apparently made by spyware vendors.
Google's Threat Analysis Group (TAG) says the Russian state-sponsored threat actor APT29 (also known as "Cozy Bear") has been using exploits that are "identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group." The exploits were found embedded in Mongolian government websites for use in watering-hole attacks. The campaign delivered "an iOS WebKit exploit affecting iOS versions older than 16.6.1 and then later, a Chrome exploit chain against Android users running versions from m121 to m123."
TAG concludes, "We do not know how the attackers acquired these exploits. What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs. It should be noted that outside of common exploit usage, the recent watering hole campaigns otherwise differed in their approaches to delivery and second-stage objectives."
Iranian cyberespionage actor conducts ransomware attacks on the side.
An Iranian state-sponsored threat actor tracked as "Pioneer Kitten" is collaborating with criminal ransomware groups for financial gain, according to a joint advisory issued by the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3). The threat actor operates under the cover of an IT company called "Danesh Novin Sahand." The FBI says "a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware." The threat actor has worked closely with the NoEscape, Ransomhouse, and ALPHV/BlackCat ransomware gangs.
The group also appears to be working as a contractor for the Iranian government, conducting cyberespionage operations "towards countries and organizations consistent with Iranian state interests, and typically not of interest to the group’s ransomware affiliate contacts, such as U.S. defense sector networks, and those in Israel, Azerbaijan, and the United Arab Emirates." The FBI notes that "the group’s ransomware activities are likely not sanctioned by the [Government of Iran], as the actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious activity."
RansomHub affiliates have hit over 200 victims since February 2024.
The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, MS-ISAC, and the Department of Health and Human Services have issued a joint advisory on the RansomHub ransomware-as-a-service operation. RansomHub affiliates have hit at least 210 victims since the operation surfaced in February 2024, targeting entities in "the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors." RansomHub has attracted affiliates from other high-profile ransomware variants, including LockBit and ALPHV.
BleepingComputer reports that RansomHub was responsible for the recent attack against US-based oil giant Halliburton.
Malicious Pidgin plugin delivers malware.
Threat actors used a malicious plugin for the Pidgin messaging app to deliver malware, SecurityWeek reports. The malware was added to Pidgin's list of third-party plugins on July 6th, and contained keylogging and screenshotting capabilities. Pidgin stated, "It went unnoticed at the time that the plugin was not providing any source code and was only providing binaries for download. Going forward, we will be requiring that all plugins that we link to have an OSI Approved Open Source License and that some level of due diligence has been done to verify that the plugin is safe for users."
Researchers at ESET discovered the same backdoor in Cradle, an unofficial fork of the Signal messaging app. The malicious Cradle app is designed to install the DarkGate malware.
Linux malware exploits udev rules to evade detection.
Researchers at Stroz Friedberg, a risk management firm owned by Aon Insurance, discovered a stealthy strain of Linux malware dubbed "sedexp" that uses udev rules to maintain persistence. Udev is a device manager for the Linux kernel that handles device nodes in the /dev directory. The sedexp malware exploits udev rules "to execute every time a specific device event occurs, making it stealthy and difficult to detect." The researchers note that this persistence technique is uncommon, and add, "The malware modifies memory to hide any file containing the string 'sedexp' from commands like ls or find. In Stroz Friedberg’s investigation, this capability was used to conceal webshells, modified Apache configuration files, and the udev rule itself."
The sedexp malware has been active since at least 2022 but has gone largely unnoticed. It was deployed by a financially motivated threat actor to scrape credit card information.
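A defender's triage helper for the udev persistence technique described above, added here as an example (not code from Stroz Friedberg or the sedexp analysis): it parses the udev keys that execute programs and flags any absolute path outside the directories where packaged udev helpers live. The TRUSTED_DIRS list and the sample rules are constructed assumptions.

```python
"""Triage udev rules for program executions that do not belong to the distribution.

Added example; not code from Stroz Friedberg. TRUSTED_DIRS and SAMPLE_RULES are constructed.
"""
import re

TRUSTED_DIRS = ("/lib/udev", "/usr/lib/udev", "/bin", "/sbin", "/usr/bin", "/usr/sbin")

# udev keys that run a program (RUN, PROGRAM, IMPORT{program}) and the operators they take.
EXEC_KEY_RE = re.compile(
    r'\b(RUN(?:\{[^}]*\})?|PROGRAM|IMPORT\{program\})\s*(?:\+=|:=|==|=)\s*"([^"]*)"')

def program_of(value):
    """First token of the quoted value is the program; the rest are its arguments."""
    parts = value.split()
    return parts[0] if parts else ""

def is_trusted(program):
    """Relative names resolve under /lib/udev; absolute paths must sit in TRUSTED_DIRS."""
    if not program.startswith("/"):
        return True
    return any(program == d or program.startswith(d + "/") for d in TRUSTED_DIRS)

def suspicious_exec_entries(rules_text):
    """Return (line_no, key, program) for every exec key pointing outside TRUSTED_DIRS."""
    findings = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for key, value in EXEC_KEY_RE.findall(stripped):
            program = program_of(value)
            if program and not is_trusted(program):
                findings.append((no, key, program))
    return findings

# Constructed sample: two distribution-style rules, then one in the persistence pattern
# (fires on a common device event and runs a binary hidden in a temp directory).
SAMPLE_RULES = """\
ACTION=="add", SUBSYSTEM=="block", IMPORT{program}="/lib/udev/ata_id --export $devnode"
ACTION=="add", SUBSYSTEM=="net", RUN+="net-helper $env{INTERFACE}"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="3", RUN+="/var/tmp/.cache/updater -q"
"""

if __name__ == "__main__":
    for no, key, program in suspicious_exec_entries(SAMPLE_RULES):
        print(f"line {no}: {key} runs {program} (outside trusted udev directories)")
```

Because the report says the malware hides files containing its name from ls and find on the live host, run this over rule files collected from a mounted image rather than trusting a directory listing taken on the suspect system.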
Greasy Opal's tools facilitate cyberattacks.
Arkose Labs describes a cyberattack enablement business dubbed "Greasy Opal" that's been operating out of the Czech Republic since 2009. Greasy Opal provides "a low-cost, highly efficient solution for bad actors who seek to bypass enterprises’ and government agencies’ account security measures through bot-led CAPTCHA solving at scale." The researchers add, "Greasy Opal has built a thriving conglomerate of multi-faceted businesses, offering not only CAPTCHA-solving services but also SEO-boosting software and social media automation services that are often used for spam, which could be a precursor for malware delivery. This threat actor group reflects a growing trend of businesses operating in a gray zone, while its products and services have been used for illegal activities downstream."
Arkose Labs notes that the Vietnam-based threat actor Storm-1152 used Greasy Opal's tools to create 750 million fake Microsoft accounts.
Patch news.
Censys has published an advisory on a remote code execution vulnerability affecting Progress Software's WhatsUp Gold network monitoring and management solution, SecurityWeek reports. The researchers explain, "The vulnerability exists in the GetFileWithoutZip functionality of WhatsUp Gold. An attacker can send a crafted request with directory traversal payloads to upload files to arbitrary locations on the server. By uploading malicious files, the attacker can achieve remote code execution." Several proof-of-concept exploits have been published on GitHub, and users are urged to update to version 2023.1.3 as soon as possible.
Crime and punishment.
The US State Department is offering a $2.5 million reward for information leading to the arrest of Volodymyr Kadariya, a Belarusian and Ukrainian national accused of distributing the Angler Exploit Kit and other strains of malware via malvertising campaigns.
The US Secret Service stated, "Kadariya and his associates used multiple strategies to profit from their widespread hacking and wire fraud scheme, including by using accounts on predominantly Russian cybercrime forums to sell to cybercriminals access to the compromised devices of victim Internet users (so-called 'loads' or 'bots'), as well as information stolen from victims and recorded in 'logs,' such as banking information and login credentials, to enable further efforts to defraud the victim Internet users or deliver additional malware to their devices."
Policies, procurements, and agency equities.
The California State Legislature has passed SB 1047, a bill that would impose safety requirements on developers of large-scale AI models, The Verge reports. The bill now goes to Governor Gavin Newsom, who can sign it, veto it, or allow it to become law without his signature. California State Senator Scott Wiener, the bill's main author, says the legislation "enacts common sense, first-in-the-nation safeguards to protect society from AI being used to conduct cyberattacks on critical infrastructure; develop chemical, nuclear or biological weapons; or unleash automated crime."
Critics of the bill include OpenAI, Google, and Meta, as well as prominent Silicon Valley-area Democrat politicians, who argue that the regulation will stifle innovation and place a heavy burden on smaller startups, POLITICO reports.