The CyberWire Daily Podcast 3.22.24
Ep 2030 | 3.22.24

When it rains, it pours.

Transcript

Advanced wiper malware hits Ukraine. Nemesis gets dismantled. Apple deals with an unpatchable vulnerability. FortiGuard rises to the rescue. CISA and FBI join forces against DDoS attacks. US airlines' data security and privacy policies are under review. Hackers hit thousands in Jacksonville Beach. Geoffrey Mattson, CEO of Xage Security, sits down to discuss CISA's 2024 JCDC priorities. And hotel keycard locks can’t be that hard to crack.

Today is March 22nd, 2024. I’m Maria Varmazis, host of N2K’s T-Minus Space Daily, sitting in for Dave Bittner today. And this is your CyberWire Intel Briefing.

Advanced wiper malware hits Ukraine.

Researchers at SentinelOne have discovered a new version of AcidRain, a wiper malware that was used against modems across Ukraine at the beginning of the Russian invasion in February 2022. The researchers have dubbed the new variant "AcidPour," noting that it "expands upon AcidRain’s capabilities and destructive potential to now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID arrays and large storage devices."

SentinelOne adds that the discovery of AcidPour coincides with the disruptions of four Ukrainian internet providers that began on March 13th. SentinelOne commented that they cannot confirm AcidPour was used to disrupt the Ukrainian ISPs. They added, “The longevity of the disruption suggests a more complex attack than a simple DDoS or nuisance disruption. AcidPour, uploaded 3 days after this disruption started, would fit the bill for the requisite toolkit. If that’s the case, it could serve as another link between this hacktivist persona and specific GRU operations.”

F5 flaws exploited.

Following up our reporting on China from yesterday, “Exploiting vulnerabilities in F5 ScreenConnect,” Chinese cyber attackers have launched global campaigns. Mandiant published a report on UNC5174, a suspected Chinese threat actor that appears to work as an initial access broker for China's Ministry of State Security (MSS). Back in October 2023, the threat actor exploited a remote command execution vulnerability (CVE-2023-46747) affecting F5 BIG-IP Traffic Management User Interface.

Mandiant notes, "China-nexus actors continue to conduct vulnerability research on widely deployed edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale. These operations often include rapid exploitation of recently disclosed vulnerabilities using custom or publicly available proof-of-concept exploits. UNC5174 and UNC302 operate within this model, and their operations provide insight into the initial access broker ecosystem leveraged by the MSS to target strategically interesting global organizations. Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom."

Nemesis gets dismantled.

In a significant win against cybercrime, German authorities dismantled the Nemesis marketplace, a hub for illegal activities like selling stolen data and malware. German police seized the server infrastructure along with €94,000 worth of cryptocurrency, according to The Record. The Bundeskriminalamt (BKA) said in a press release, "The measures carried out in a concerted action on March 20, 2024 were preceded by extensive investigations that have been conducted by the BKA, the ZIT as well as the FBI, DEA (Drug Enforcement Administration) and IRS-CI (Internal Revenue Service Criminal Investigation) since October 2022."

Apple deals with an unpatchable vulnerability.

Hackers have discovered a vulnerability in Apple's Mac chips, enabling them to extract secret encryption keys. The flaw can’t be patched directly because it stems from the design of the silicon itself. It can only be mitigated by building defenses into third-party cryptographic software, but that could degrade M-series performance. Researchers have named the attack GoFetch. It uses an application that doesn’t require root access, only the same user privileges needed by most third-party applications installed on macOS. Mitigating the effects of the vulnerability falls on the people developing code for Apple hardware. Apple failed to comment on the GoFetch research. Concerned users should check for GoFetch mitigation updates that become available for macOS software.

FortiGuard rises to the rescue.

A critical Remote Code Execution (RCE) flaw in Fortinet VPN appliances has been identified, posing a severe risk to organizations. Attackers can exploit this vulnerability to compromise network security. This vulnerability was found to be exploited by threat actors in the wild. However, FortiGuard has acted swiftly upon this vulnerability and has released patches to fix it.

CISA and FBI join forces against DDoS attacks.

The CISA and FBI have released a comprehensive guide to combat Distributed Denial of Service (DDoS) attacks. While they have been around for what seems like forever, DDoS attacks are still common tactics used by cybercriminals to disrupt services. The guide provides invaluable insights and strategies to defend against DDoS attacks, emphasizing proactive mitigation measures. Bottom line: educate your teams, implement robust DDoS protection solutions, and collaborate with law enforcement to strengthen cyber resilience.

US airlines' data security and privacy policies under review.

The US Department of Transportation intends to review data security and privacy policies of US airlines, reflecting growing concerns about privacy and data monetization in the aviation sector. This move underscores the need for stringent cybersecurity measures to protect passenger information and ensure air travel safety. Sen. Ron Wyden, D-Ore., who previously warned about the threat posed by data brokers, will work in concert with the department to carry out the investigation. Stay tuned.

Hackers hit thousands in Jacksonville Beach.

Jacksonville Beach is one of the latest US municipalities to have fallen victim to a cyberattack. It underscores a national issue: these attacks on local governments disrupt services, compromise sensitive data, and highlight the need for improved cybersecurity measures at all levels of government.

Coming up next, we are talking with Xage Security’s CEO Geoffrey Mattson. In a crossover from our T-Minus Space Daily (which I host), we spoke with Geoff about CISA's 2024 JCDC priorities. Shameless plug: You can find a link for T-Minus in today’s show notes.

Hotel keycard locks can’t be that hard to crack.

Friend of the show, WIRED reporter Andy Greenberg, shared the disturbing story of how hackers discovered a way to open hotel rooms equipped with keycards (you know, pretty much all of them these days) in just seconds. The Saflok hotel lock, utilized in thousands of hotels worldwide, faces a serious security flaw discovered when hackers were invited to hack a Vegas hotel room at hacker summer camp in 2022. The vulnerability, known as Unsaflok, enables unauthorized access to hotel rooms, underscoring the importance of robust cybersecurity in the hospitality industry to protect guest safety and privacy. The company behind the Saflok-brand door locks is offering a fix, but it may take months or years to reach some hotels. Feel free to add your personal anecdotes.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Be sure to check out our newest episode of Research Saturday tomorrow. Dave Bittner sits down with Liviu Arsene from CrowdStrike, and they discuss research titled "HijackLoader Expands Techniques to Improve Defense Evasion." Check it out!

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Maria Varmazis. Thanks for listening.