Google strikes back.

Google patches another Chrome zero-day. UK insurance agencies and the NCSC team up to reduce ransom payments. The FCC designates a robocall scam group. Vermont passes strong data privacy laws. A malicious Python package targets macOS users. ESET unpacks Ebury malware. Don’t answer Jenny’s email. Guest is author Barbara McQuade discussing her book "Attack from Within: How Disinformation is Sabotaging America.” The White House says, “Keep your crypto mining away from our missile silos!” 

Today is Tuesday, May 14th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Google patches another Chrome zero-day. 

Google has released patches for a new Chrome vulnerability, a high-severity out-of-bounds write issue in the V8 JavaScript and WebAssembly engine. This zero-day flaw, reported by an anonymous researcher on May 9, is the second such vulnerability patched by Google within a week and the third in 2024. While there is a known exploit in the wild, details about the attacks remain undisclosed. Additionally, a proof-of-concept exploit has been claimed, though its effectiveness is uncertain. 

UK insurance agencies and the NCSC team up to reduce ransom payments. 

Three major UK insurance associations have collaborated with the National Cybersecurity Centre (NCSC) to issue new guidance aimed at reducing ransom payments following ransomware attacks. This initiative, based on a 2023 NCSC-sponsored research by the Royal United Services Institute, encourages organizations to thoroughly assess the impact of ransomware incidents and consider alternatives before paying ransoms. The guidance, while non-mandatory, seeks to deter the impulse to pay ransoms, which the NCSC's CEO, Felicity Oswald, argues only fuels further criminal activity. Oswald emphasized the ineffectiveness of ransom payments in eliminating future risks and noted that organizations with a Cyber Essentials certificate are significantly less likely to file insurance claims related to cyber incidents. Despite this, the decision to pay a ransom ultimately remains with the victim organization.

The FCC designates a robocall scam group. 

The FCC has issued an alert about a robocall scam group named Royal Tiger, marking it as the first Consumer Communications Information Services Threat (C-CIST). This designation aims to enhance awareness among law enforcement and industry stakeholders to combat scams. Royal Tiger, led by Prince Jashvantlal Anand (aka Frank Murphy) and Kaushal Bhavsar, operates from multiple countries and has been involved in illegal robocall operations impersonating banks, government bodies, and utilities. The group's entities, including several VoIP companies in the U.S. and abroad, have been linked to substantial consumer fraud and financial losses. The FCC, along with the FTC, has taken actions including cease-and-desist orders to halt their illicit activities and protect consumer trust in communication services.

Vermont passes strong data privacy laws. 

Vermont’s legislature has passed one of the strongest comprehensive data privacy laws in the U.S., featuring a unique provision that allows individuals to sue companies directly for privacy violations. This private right of action is limited to large data brokers, and will needs reauthorization after two years. The law includes stringent requirements on data minimization and bans the sale of sensitive consumer data. This move aligns with recent efforts in other states, like Maryland, and ongoing attempts to create a federal privacy law. Vermont's law also addresses the use of geolocation data and establishes robust civil rights protections to prevent discrimination. This legislation is seen as a significant step in empowering consumers against data abuses by large tech companies.

A malicious Python package targets macOS users. 

A malicious Python package named 'requests-darwin-lite' on PyPI, mimicking the popular 'requests' library, targeted macOS devices using the Sliver C2 framework, a tool for gaining access to corporate networks. Discovered by Phylum, the attack included multiple obfuscation steps such as steganography within a PNG image to covertly install Sliver. The package has since been removed from PyPI following Phylum's report. Sliver is known for its post-exploitation capabilities and has become a preferred tool for cybercriminals due to its effectiveness in simulating adversary actions and evading detection compared to other frameworks like Cobalt Strike. This recent incident underscores the ongoing rise in cybercriminal adoption of Sliver for targeting various platforms, including macOS.

Meanwhile, Apple has extended security updates to older iPhones and iPads, addressing a zero-day vulnerability initially patched in March for newer devices. This vulnerability, found in the iOS Kernel's RTKit, could allow attackers to bypass kernel memory protections. Although the exploiters of this flaw and the specific nature of the attacks remain undisclosed, such iOS zero-days are often used in targeted state-sponsored spyware attacks. Devices including the iPhone 8, iPhone X, and various iPad models have received the patches. Users of these devices are strongly encouraged to update immediately to safeguard against potential exploits.

ESET unpacks Ebury malware. 

Research from ESET reveals that Ebury malware, initially exposed a decade ago, continues to be a significant threat, now compromising around 400,000 servers globally. This malware primarily targets Linux systems and has been utilized by cybercriminals for financial gain, including credit card and cryptocurrency theft. Despite the arrest of one perpetrator, Ebury has evolved with new propagation methods and obfuscation techniques, making it harder to detect. It leverages compromised servers within data centers to intercept and steal credentials, particularly targeting Bitcoin and Ethereum nodes. The recent developments in Ebury’s capabilities suggest an increasing sophistication in cyberattacks, underscoring the need for continued vigilance and advanced security measures.

Don’t answer Jenny’s email! 

Security experts from Proofpoint have observed a large-scale email campaign distributing the LockBit 3.0 (also known as LockBit Black) ransomware directly via emails purportedly from "Jenny Green." Facilitated by the Phorpiex botnet, the campaign sends out millions of emails daily with a subject line 'Your Document'. Each email contains a Zip file that, when executed, downloads and activates the ransomware on the user's system. This kind of ransomware distribution via email at such a volume is unusual and has not been observed since before 2020. The Phorpiex botnet, known for delivering malware in high-volume email campaigns, has been active despite law enforcement efforts. Users are advised to be cautious of emails from Jenny Green and to avoid opening unexpected attachments.

Up next, my Caveat co host, Ben Yelin, talks with guest Barbara McQuade joins us to discuss her book "Attack from Within: How Disinformation is Sabotaging America" with Caveat co host Ben Yelin. 

We’ll be right back

Welcome back. You can find the link to Barbara’s full discussion with Ben in our show notes and check out Caveat every Thursday on your favorite podcast app. 

The White House says, “Keep your crypto mining away from our missile silos!” 

And finally, President Joe Biden has officially called "game over" for a Chinese-owned cryptomining data center in Cheyenne, Wyoming, located suspiciously close to a nuclear missile base. Via executive order, Biden told MineOne, the operators of the data center, to pack up their crypto gear and put the facility on the market within 120 days. Just a stone's throw from Francis E. Warren Air Force Base, home to America's Minuteman III nuclear missiles, the center's location raised more than a few eyebrows and national security concerns. Apparently, running a cryptomining operation near high-stakes military hardware is a big no-no. Microsoft, playing the neighborhood watch, flagged the operation to the government, leading to a CFIUS investigation and the eventual shutdown order. MineOne hasn't chimed in yet, but the message from the White House is clear: close shop and move your digital digging elsewhere.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.