By the CyberWire staff
At a glance.
- Israeli operation causes Hezbollah communication devices to explode.
- US government disrupts China's Raptor Train botnet.
- Threat actor claims to have stolen seven terabytes of data from India's largest health insurer.
- Ukraine bans Telegram use for government and military personnel.
- Port of Seattle refuses to pay ransom to Rhysida gang.
- FTC issues report on online surveillance and privacy concerns.
- Snowflake will enforce MFA by default.
- Vanilla Tempest deploys INC ransomware against the healthcare sector.
Israeli operation causes Hezbollah communication devices to explode.
A coordinated attack on Tuesday caused pagers used by members of Hezbollah to explode, killing at least 12 people and injuring more than 2,700. A second wave of attacks occurred on Wednesday, blowing up thousands of Hezbollah walkie-talkies and killing at least 20 more people. There was some initial speculation that malware had been used to trigger the explosions, but the New York Times reports that Israeli operatives planted explosives and detonation switches inside the devices before they were delivered to Lebanon.
Hezbollah had ordered the pagers from Gold Apollo, a Taiwanese company, though Gold Apollo says the devices were made by a Hungarian manufacturer as part of a licensing deal. The New York Times cites defense and intelligence officials as saying this Hungarian company was an Israeli front, and Israeli intelligence was behind the entire operation from manufacturing to delivery. It's unclear where the booby-trapped walkie-talkies came from; the Japanese company whose brand was on the handheld radios told the BBC that it ceased production on those models in 2014.
US government disrupts China's Raptor Train botnet.
The US Justice Department has announced a court-authorized law enforcement operation that disrupted a botnet consisting of more than 200,000 consumer devices, including routers, IP cameras, DVRs, and network-attached storage devices. The Justice Department says "the botnet devices were infected by People’s Republic of China (PRC) state-sponsored hackers working for Integrity Technology Group, a company based in Beijing, and known to the private sector as 'Flax Typhoon.'" SecurityWeek notes that the botnet, dubbed "Raptor Train," has been used to target critical sectors in the US and Taiwan.
The Justice Department stated, "The court-authorized operation took control of the hackers’ computer infrastructure and, among other steps, sent disabling commands through that infrastructure to the malware on the infected devices. During the course of the operation, there was an attempt to interfere with the FBI’s remediation efforts through a distributed denial-of-service (DDoS) attack targeting the operational infrastructure that the FBI was utilizing to effectuate the court’s orders. That attack was ultimately unsuccessful in preventing the FBI’s disruption of the botnet."
Threat actor claims to have stolen seven terabytes of data from India's largest health insurer.
A threat actor is selling more than seven terabytes of data allegedly stolen from Star Health and Allied Insurance, India’s largest health insurer, Reuters reports. Samples of the data are publicly accessible via Telegram chatbots. Reuters was able to use the chatbots to download "policy and claims documents featuring names, phone numbers, addresses, tax details, copies of ID cards, test results and medical diagnoses."
The threat actor claims to have obtained 7.24 terabytes of data belonging to over 31 million Star Health customers. Star Health told Reuters it had reported unauthorized access to the authorities, but that its initial assessment detected "no widespread compromise" and that "sensitive customer data remains secure."
Ukraine bans Telegram use for government and military personnel.
Ukraine’s National Security and Defense Council (NSDC) has banned the use of the Telegram app on official devices used by Ukrainian government officials, military personnel, and employees working at critical infrastructure facilities, the Record reports. The NSDC cited national security concerns, saying it has "grounded information" that Russian intelligence can use the app to spread malware and gather information to assist with missile strikes, Radio Free Europe/Radio Liberty reports.
The Record notes that Telegram is the primary means of sharing news for most Ukrainians. The ban doesn't affect personal devices or people who use the app in their official duties.
Port of Seattle refuses to pay ransom to Rhysida gang.
The Port of Seattle, which also oversees Seattle's airport, has refused to pay a $6 million ransom demanded by the Rhysida ransomware gang to prevent the release of stolen data, the Register reports. The group claimed to have stolen more than three terabytes of data, including "full names, social security numbers, dates of birth, home addresses, phone numbers, heights and weights, hair and eye colors, signatures, and passport scans," as well as login credentials from the port's employees. Rhysida has since offered the data for sale for 100 Bitcoin (approximately $6 million).
The Port is still working to recover some systems following the attack, which occurred on August 24th.
FTC issues report on online surveillance and privacy concerns.
The US Federal Trade Commission (FTC) has published a staff report alleging that major social media platforms and streaming services have "engaged in vast surveillance of consumers in order to monetize their personal information while failing to adequately protect users online, especially children and teens." The report cites Amazon (owner of Twitch), Facebook (now Meta), YouTube, Twitter (now X), Snap, ByteDance (owner of TikTok), Discord, Reddit, and WhatsApp.
The FTC states, "The report found that the companies collected and could indefinitely retain troves of data, including information from data brokers, and about both users and non-users of their platforms. The staff report further highlights that many companies engaged in broad data sharing that raises serious concerns regarding the adequacy of the companies’ data handling controls and oversight. In particular, the staff report noted that the companies’ data collection, minimization, and retention practices were 'woefully inadequate.' In addition, the staff report found that some companies did not delete all user data in response to user deletion requests."
The report concludes with recommendations for policymakers and companies, calling for "federal privacy legislation to fill the gap in privacy protections provided by COPPA for teens over the age of 13."
Snowflake will enforce MFA by default.
Cloud data storage provider Snowflake has announced new security measures following a string of high-profile breaches affecting the company's customers, GovInfoSecurity reports. Beginning in October, Snowflake will enforce multifactor authentication by default and require passwords with a minimum of 14 characters.
Dozens of Snowflake customers, including Ticketmaster and Santander Bank, were breached by criminal threat actors earlier this year via credential-stuffing attacks. Mandiant, which investigated the campaign, found that none of the breached accounts had multifactor authentication enabled.
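The campaign pattern described above (credential stuffing against accounts without MFA) is the kind of thing an auth-log review can surface. The following is an added example, not code from Snowflake, Mandiant, or the article; it assumes a constructed audit-log format of `<timestamp> <src_ip> <username> <SUCCESS|FAILURE> mfa=<yes|no>` and flags source addresses that try many distinct accounts in a short window, then lists any of their successes that landed on accounts with no MFA.

```python
"""Credential-stuffing triage over login audit lines (added example).

The log format and the sample lines below are constructed for this example;
they are not any vendor's real format or data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one address sprays five accounts and lands on one
# without MFA; a second address is a normal user with MFA.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 203.0.113.7 alice FAILURE mfa=no
2024-06-01T10:00:03Z 203.0.113.7 bob FAILURE mfa=no
2024-06-01T10:00:05Z 203.0.113.7 carol FAILURE mfa=no
2024-06-01T10:00:07Z 203.0.113.7 dave FAILURE mfa=no
2024-06-01T10:00:09Z 203.0.113.7 erin SUCCESS mfa=no
2024-06-01T10:02:00Z 198.51.100.9 frank FAILURE mfa=yes
2024-06-01T10:02:20Z 198.51.100.9 frank SUCCESS mfa=yes
"""


def parse_line(line):
    """Parse one constructed audit line into a dict with a datetime timestamp."""
    ts, ip, user, result, mfa = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "user": user,
        "ok": result == "SUCCESS",
        "mfa": mfa == "mfa=yes",
    }


def parse_log(text):
    """Parse all non-empty lines, sorted by time."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(text, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {src_ip: set(usernames)} for addresses that attempted at least
    min_distinct_users different accounts inside any window-sized span.
    Thresholds are assumptions for the example; tune them to your baseline."""
    by_ip = defaultdict(list)
    for e in parse_log(text):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = users
                break
    return flagged


def successes_without_mfa(text, flagged):
    """Successful logins from flagged addresses onto accounts with no MFA:
    the combination that made the breaches described above possible."""
    return [
        (e["ip"], e["user"])
        for e in parse_log(text)
        if e["ok"] and not e["mfa"] and e["ip"] in flagged
    ]


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOG)
    print("stuffing sources:", hits)
    print("no-MFA successes:", successes_without_mfa(SAMPLE_LOG, hits))
```

The second function is the one worth acting on: a spraying address that never succeeds is noise to block, while a success on an account without MFA is an incident. Accounts in that list are the ones to force an MFA enrollment and password reset on first.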
Vanilla Tempest deploys INC ransomware against the healthcare sector.
Microsoft warns that the financially motivated threat actor "Vanilla Tempest" has deployed the INC ransomware for the first time, hitting an organization in the US healthcare sector, BleepingComputer reports. The company said in a series of X posts, "Vanilla Tempest receives hand-offs from Gootloader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool. The threat actor then performs lateral movement through Remote Desktop Protocol (RDP) and uses the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload."
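Microsoft's description gives a defender several observable stages on the endpoint: an RMM tool appearing, a cloud sync client appearing, and the WMI Provider Host launching a payload. The following is an added example, not Microsoft's or BleepingComputer's code, that correlates constructed process-creation events per host and flags hosts where more than one stage is seen. The event field names, the executable names used as indicators, and the "outside C:\Windows\" heuristic for WmiPrvSE children are assumptions for the example.

```python
"""Correlate process-creation events against the Vanilla Tempest stages
described in the text (added example; field names and samples are constructed).
"""
from collections import defaultdict

# Executable names used as indicators for two of the stages (assumed names).
RMM_TOOLS = {"anydesk.exe"}
SYNC_TOOLS = {"megasync.exe", "megacmd.exe"}
WMI_HOST = "wmiprvse.exe"


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Map one process-creation event to a stage name, or None."""
    image = _basename(ev["image"])
    parent = _basename(ev["parent_image"])
    if image in RMM_TOOLS:
        return "rmm_tool"
    if image in SYNC_TOOLS:
        return "sync_tool"
    # Heuristic: the WMI Provider Host launching something outside the
    # Windows directory is unusual and matches the payload-deployment step.
    if parent == WMI_HOST and not ev["image"].lower().startswith("c:\\windows\\"):
        return "wmi_spawned_payload"
    return None


def stages_by_host(events):
    """Return {host: set(stage_names)} for every host with at least one hit."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify_event(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return dict(seen)


def flag_hosts(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the chain.
    A single RMM install is common in many environments; two stages
    together are a much stronger signal."""
    return {h: s for h, s in stages_by_host(events).items() if len(s) >= min_stages}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\u\Downloads\AnyDesk.exe"},
    {"host": "WS01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\u\AppData\Local\MEGAsync\MEGAsync.exe"},
    {"host": "WS01", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\ProgramData\update.exe"},
    # Benign: WMI host spawning a Windows binary, and a lone RMM install.
    {"host": "WS02", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\wbem\WMIADAP.exe"},
    {"host": "WS03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
]

if __name__ == "__main__":
    for host, stages in flag_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
```

The RDP lateral-movement step is deliberately left out: it is better detected from logon events (network-level RDP logons) than from process creation, so it belongs in a separate rule rather than this one.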
Patch news.
D-Link has fixed several critical vulnerabilities affecting three of its wireless router models, BleepingComputer reports. Three of the flaws (CVE-2024-45694, CVE-2024-45695, and CVE-2024-45697) were assigned CVSS scores of 9.8. CVE-2024-45694 and CVE-2024-45695 are both stack-based buffer overflow vulnerabilities that can allow unauthenticated attackers to achieve remote code execution. CVE-2024-45696 and CVE-2024-45697 can allow an attacker to enable telnet and log in using hardcoded credentials.
Crime and punishment.
A Europol operation involving law enforcement agencies from nine countries has dismantled the encrypted messaging app Ghost, which has been widely used by cybercriminals, SecurityWeek reports. Australian police arrested the app’s alleged administrator, Jay Je Yoon Jung, at his parents' home in Sydney. Thirty-eight other suspects were arrested in Australia, with additional arrests made in Canada, Sweden, Ireland, and Italy. Australian Federal Police Deputy Commissioner Ian McCartney stated, "We allege hundreds of criminals including Italian organized crime, motorcycle gang members, Middle Eastern organized crime and Korean organized crime have used Ghost in Australia and overseas to import illicit drugs and order killings."
The US Justice Department has charged a Chinese national, Song Wu, for allegedly sending spearphishing emails to employees at the US Air Force, Navy, Army, NASA, and the Federal Aviation Administration, as well as major research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio. The Justice Department says Song was an employee of the Aviation Industry Corporation of China (AVIC), a Beijing-headquartered aerospace and defense conglomerate owned by the Chinese government.
Courts and torts.
Apple has filed a motion to dismiss its lawsuit against spyware vendor NSO Group, stating that "proceeding further with this case has the potential to put vital security information at risk," the Record reports. Apple says the landscape of the spyware market has changed since it filed the lawsuit three years ago, with new spyware firms springing up to rival NSO. The company believes the information that would be revealed during the case could be exploited by these other spyware vendors to target Apple products.
Genetic testing company 23andMe will pay $30 million to settle a class-action lawsuit related to a 2023 breach of customer data, the Register reports. The company said in a court filing that "[c]ontinuing this Litigation would be extremely expensive, complex, uncertain, and lengthy," and that it finds the terms of the settlement to be "fair, reasonable, and adequate." The company told Reuters that around $25 million of the settlement costs will be covered by insurance.
Policies, procurements, and agency equities.
California Governor Gavin Newsom on Tuesday signed a bill making it illegal to create and publish election-related deepfakes 120 days before Election Day and 60 days after, the Associated Press reports.