By the CyberWire staff
At a glance.
- US charges Iranian operatives for allegedly hacking the Trump campaign.
- Telegram will share more data with law enforcement.
- Newly disclosed Linux RCE flaws are serious, but overhyped.
- US to propose ban on smart car tech from China and Russia.
- CrowdStrike VP testifies before Congress.
- SloppyLemming conducts cyberespionage in Pakistan.
- Marko Polo scammers target cryptocurrency influencers and gaming personalities.
- Web vulnerability exposed Kia vehicles to hacks.
- UNC1860 serves as an initial access provider for Iranian threat actors.
- Russia's Gamaredon remains highly active against Ukraine.
- MoneyGram disrupted by cybersecurity incident.
- Water facility in Kansas hit by cyberattack.
US charges Iranian operatives for allegedly hacking the Trump campaign.
The US Justice Department yesterday indicted three employees of Iran's Islamic Revolutionary Guard Corps (IRGC) for allegedly conducting hack-and-leak operations against Donald Trump's presidential campaign. The Justice Department stated, "The activity was part of Iran’s continuing efforts to stoke discord, erode confidence in the U.S. electoral process, and unlawfully acquire information relating to current and former U.S. officials that could be used to advance the malign activities of the IRGC, including ongoing efforts to avenge the death of Qasem Soleimani, the former commander of the IRGC – Qods Force."
CyberScoop reports that the Iranian hacking group appears to have continued access to the Trump campaign. Last week the threat actor shared apparently stolen materials with journalists, including a letter dated September 15th. The threat actor had previously stolen a vetting report on vice presidential nominee JD Vance and shared it with US news outlets. The major media outlets, including Politico, the New York Times, and the Washington Post, declined to publish the hacked material. The threat actor also attempted to share the material with the Biden-Harris campaign, which condemned the outreach as "unwelcome and unacceptable malicious activity," the AP reports.
Tehran has denied the allegations of its involvement.
Telegram will share more data with law enforcement.
Telegram will now share users' phone numbers and IP addresses with law enforcement in response to search warrants or other valid legal requests, BleepingComputer reports. Telegram said in its updated privacy policy, "If Telegram receives a valid order from the relevant judicial authorities that confirms you're a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities. If any data is shared, we will include such occurrences in a quarterly transparency report published at: https://t.me/transparency."
The announcement follows the arrest of Telegram CEO Pavel Durov by French authorities last month. He was released on bail after being charged with failing to cooperate with law enforcement in criminal investigations. Durov said in a Telegram post today, "While 99.999% of Telegram users have nothing to do with crime, the 0.001% involved in illicit activities create a bad image for the entire platform, putting the interests of our almost billion users at risk."
Newly disclosed Linux RCE flaws are serious, but overhyped.
A security researcher has disclosed a set of vulnerabilities affecting Linux systems that could lead to remote code execution. SecurityWeek notes that the flaws are less impactful than many people in the cybersecurity industry had anticipated. The flaws affect the Unix printing system CUPS and require user interaction during a print job for exploitation. Users who employ Unix-based systems for printing should apply mitigations until patches are available.
The group of vulnerabilities was originally assigned a critical CVSS score of 9.9, but has since been revised to a "high" severity rating. The researcher who discovered the flaws stated, "I think that the initial 9.9 was mostly due to the fact that the RCE is trivial to exploit and the package presence so widespread. Impact wise I wouldn’t classify it as a 9.9."
US to propose ban on smart car tech from China and Russia.
The US Commerce Department will propose a ban on some Chinese- and Russian-made software and hardware for connected vehicles, NPR reports. Commerce Secretary Gina Raimondo told reporters, "In extreme situations, a foreign adversary could shut down or take control of all their vehicles operating in the United States, all at the same time, causing crashes (or) blocking roads." Raimondo also noted that China or Russia could use backdoored software to collect detailed location data on Americans.
CNN says the ban would not affect cars that have already been manufactured. The software ban would take effect for vehicles with the model year 2027 and the hardware ban for model year 2030.
CrowdStrike VP testifies before Congress.
Adam Meyers, vice president for counter-adversary operations at CrowdStrike, appeared before a US congressional committee this week to address questions about the global outage caused by a faulty CrowdStrike update in July, Infosecurity Magazine reports. The outage was due to a mismatch between input parameters and the rules engine in CrowdStrike's Falcon sensors, triggering "blue screen of death" errors on all Windows machines that installed the update.
Meyers stated, "On July 19, 2024, new threat detection configurations were validated through regular validation procedures and sent to sensors running on Microsoft Windows devices. However, the configurations were not understood by the Falcon sensor’s rules engine, leading affected sensors to malfunction until the problematic configurations were replaced."
Meyers apologized for the disruption and outlined measures taken to prevent future incidents, including enhanced validation and testing processes, phased rollouts of updates, and added runtime safeguards.
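As an added illustration (not CrowdStrike's code; every name and number here is hypothetical), a toy rules engine that refuses a configuration whose parameter count it was not built to interpret, combined with a ring-by-ring rollout that halts at the first rejection, the two safeguards the testimony describes:

```python
# Added example, not CrowdStrike code: a sensor-side rules engine that validates
# an incoming detection configuration against the parameter count it can
# interpret, skips a bad rule instead of crashing, and a phased rollout that
# pushes the update ring by ring and stops at the first sensor that rejects it.
from dataclasses import dataclass, field


@dataclass
class RulesEngine:
    """Interprets detection rules that must carry exactly `expected_params` fields."""
    expected_params: int
    loaded: list = field(default_factory=list)

    def validate(self, config: dict) -> tuple[bool, str]:
        """Reject a rule whose parameter list the engine was not compiled to read."""
        params = config.get("params")
        if not isinstance(params, list):
            return False, f"{config.get('id')}: params missing or not a list"
        if len(params) != self.expected_params:
            return False, (f"{config.get('id')}: {len(params)} params, "
                           f"engine expects {self.expected_params}")
        return True, "ok"

    def load(self, config: dict) -> bool:
        """Runtime safeguard: a rejected rule is skipped, never interpreted."""
        ok, _ = self.validate(config)
        if ok:
            self.loaded.append(config["id"])
        return ok


def phased_rollout(config: dict, rings: list[list[RulesEngine]]) -> dict:
    """Deploy `config` one ring at a time; halt before the next ring on any rejection."""
    result = {"deployed_to": 0, "halted_at_ring": None, "reason": None}
    for i, ring in enumerate(rings):
        for sensor in ring:
            ok, reason = sensor.validate(config)
            if not ok:
                result.update(halted_at_ring=i, reason=reason)
                return result
            sensor.load(config)
            result["deployed_to"] += 1
    return result


# Constructed sample (numbers are made up): engines expect 20 inputs, bad update ships 21.
GOOD_RULE = {"id": "rule-A", "params": [f"p{i}" for i in range(20)]}
BAD_RULE = {"id": "rule-B", "params": [f"p{i}" for i in range(21)]}


def build_rings() -> list[list[RulesEngine]]:
    """Canary ring of 1, then 3, then 10 sensors; all built for 20 parameters."""
    return [[RulesEngine(20)], [RulesEngine(20) for _ in range(3)],
            [RulesEngine(20) for _ in range(10)]]


if __name__ == "__main__":
    print(phased_rollout(GOOD_RULE, build_rings()))
    print(phased_rollout(BAD_RULE, build_rings()))
```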
SloppyLemming conducts cyberespionage in Pakistan.
Cloudflare has published a report on "SloppyLemming," a cyberespionage actor that "primarily targets Pakistani government, defense, telecommunications, technology, and energy sector organizations." The threat actor has also hit organizations in Bangladesh, Sri Lanka, Nepal, and China. CrowdStrike tracks the same group as "OUTRIDER TIGER," and has tied the threat actor to India.
The researchers note, "Of particular interest, Cloudforce One has observed concerted efforts by SloppyLemming to target Pakistani police departments and other law enforcement organizations. Separately, there are indications that the actor has targeted entities involved in the operation and maintenance of Pakistan’s sole nuclear power facility. Outside of Pakistan, SloppyLemming’s credential harvesting has focused primarily on Sri Lankan and Bangladeshi government and military organizations, and to a lesser extent, Chinese energy and academic sector entities."
Marko Polo scammers target cryptocurrency influencers and gaming personalities.
Recorded Future's Insikt Group is tracking a cybercriminal group dubbed "Marko Polo" that "operates a vast network of scams, targeting individuals and businesses worldwide with sophisticated infostealer malware." The group distributes at least fifty malware strains via more than thirty types of social media scams, primarily targeting cryptocurrency influencers and online gaming personalities. Insikt Group says the threat actor has infected tens of thousands of devices around the world.
The researchers note, "Insikt Group identified a series of posts on dark web and special-access sources suggesting that Marko Polo is a financially motivated “traffer team”. Traffer teams are groups of organized individuals who redirect victims' traffic to malicious content operated by other threat actors. Marko Polo is only one active traffer team among dozens in the cybercriminal underground, demonstrating the scale of this ecosystem."
Web vulnerability exposed Kia vehicles to hacks.
A group of researchers today disclosed a vulnerability in a Kia web portal that could give an attacker remote control over vehicle functions using only a license plate number, WIRED reports. The attacker could exploit the flaw to reassign themselves as an owner of a vehicle, allowing them to unlock the car, start its ignition, or passively track its location. The researchers note, "These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription."
WIRED says Kia appears to have patched the flaw.
UNC1860 serves as an initial access provider for Iranian threat actors.
Mandiant has published a report on an Iranian state-sponsored threat actor tracked as "UNC1860" that's targeting the government and telecommunications sectors in the Middle East. The group is tied to Iran’s Ministry of Intelligence and Security (MOIS), and likely serves as an initial access provider for other Iranian threat actors. The researchers write, "Mandiant responded to several engagements in 2019 and 2020 in which organizations compromised by suspected APT34 actors were previously compromised by UNC1860. Similarly, organizations previously compromised by suspected APT34 actors were later compromised by UNC1860, suggesting the group may play a role in assisting with lateral movement. Mandiant additionally identified recent indications of operational pivoting to Iraq-based targets by both APT34-related clusters and UNC1860."
Russia's Gamaredon remains highly active against Ukraine.
ESET has published a report on the toolset used by the Russian threat actor Gamaredon to target Ukraine over the past two years. The researchers note that Gamaredon "is currently the most engaged APT group in Ukraine," primarily conducting cyberespionage against Ukrainian government entities. The Security Service of Ukraine has attributed the threat actor to the FSB's 18th Center of Information Security, based in Crimea.
ESET states, "In general, we can categorize Gamaredon’s toolset into downloaders, droppers, weaponizers, stealers, backdoors, and ad hoc tools. The group uses a combination of general-purpose and dedicated downloaders to deliver payloads. Droppers are used to deliver various VBScript payloads; weaponizers alter properties of existing files or create new files on connected USB drives, and stealers exfiltrate specific files from the file system. Additionally, backdoors serve as remote shells, and ad hoc tools perform specific functions, like a reverse SOCKS proxy or payload delivery using the legitimate command line program rclone."
MoneyGram disrupted by cybersecurity incident.
Digital payment service MoneyGram says a "cybersecurity issue" has forced it to take some systems offline, causing network outages and disruptions for customers, the Record reports. The company stated, "Upon detection, we immediately launched an investigation and took protective steps to address it, including proactively taking systems offline which impacted network connectivity. We are working with leading external cybersecurity experts and coordinating with law enforcement."
The Register says the incident has disrupted in-person payments and online transactions.
Water facility in Kansas hit by cyberattack.
A water treatment facility in Arkansas City, a small city in southern Kansas, has switched to manual operations after sustaining a cyberattack, SecurityWeek reports. City Manager Randy Frazer stated, "Despite the incident, the water supply remains completely safe, and there has been no disruption to service. Out of caution, the Water Treatment Facility has switched to manual operations while the situation is being resolved. Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period."
The city hasn't disclosed the nature of the attack, but SecurityWeek notes that the response suggests ransomware may have been involved.
Patch news.
HPE Aruba Networking has patched three critical flaws (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) affecting the Command Line Interface (CLI) service of its Aruba Access Points, BleepingComputer reports. The flaws affect Aruba Access Points running Instant AOS-8 and AOS-10. BleepingComputer explains that the vulnerabilities "can be exploited by sending specially crafted packets to the PAPI (Aruba’s Access Point management protocol) UDP port (8211) to get privileged access to execute arbitrary code on vulnerable devices."
Crime and punishment.
The US Justice Department, assisted by police in the Netherlands, Latvia, Germany, and the UK, seized three web domains associated with cryptocurrency exchanges allegedly used by Russian cybercriminals for money laundering, the Record reports. The US Treasury Department has sanctioned the cryptocurrency exchange Cryptex and Russian national Sergey Sergeevich Ivanov, who is allegedly involved with the virtual currency exchange PM2BTC and the payment processor UAPS. Law enforcement seized websites and infrastructure used by PM2BTC, UAPS, and Cryptex, and the US State Department is offering up to $10 million for information leading to Ivanov's arrest.
Courts and torts.
The Irish Data Protection Commission (DPC) has fined Meta €91 million ($102 million) under GDPR for storing hundreds of millions of Facebook passwords in plaintext, TechCrunch reports. DPC deputy commissioner Graham Doyle said in a statement, "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts."
A Meta spokesperson told TechCrunch, "As part of a security review in 2019, we found that a subset of FB users’ passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly. We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry."