The CyberWire Daily Podcast 7.16.24
Ep 2108 | 7.16.24

Squarespace's square off with hijacked domains.

Transcript

Some Squarespace users see their domains hijacked. Kaspersky Lab is shutting down US operations. BadPack APKs break malware analysis tools. Hackers use 7zip files to deliver Poco RAT malware. CISA’s red-teaming reveals security failings at an unnamed federal agency. Microsoft fixes an Outlook bug triggering false security alerts. Switzerland mandates open source software in the public sector. On our Industry Voices segment, N2K’s Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 Cloud Security Benchmark. Bellingcat sleuths pinpoint an alleged cartel member.

Today is Tuesday July 16th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Some Squarespace users see their domains hijacked. 

Last week, over a dozen organizations using Squarespace had their domains hijacked. Squarespace, which acquired Google Domains a year ago, is migrating those domains. Many customers haven't set up new accounts yet, allowing hackers to exploit this by registering migrated domains using existing email addresses. The hijacks, occurring between July 9 and July 12, targeted mainly cryptocurrency businesses. Attackers redirected domains to phishing sites to steal cryptocurrency.

Security experts from Metamask and Paradigm explain that Squarespace assumed users would log in via social options like Google or Apple, not via email. Hackers could thus create accounts with unregistered emails, gaining domain access. Squarespace didn't require email verification, compounding the issue. This has left domain owners with reduced security and control compared to Google. A comprehensive guide advises enabling multi-factor authentication, identifying accessible emails, and securing Google Workspace accounts. Squarespace has not commented on the incident.

Kaspersky Lab is shutting down US operations. 

Kaspersky Lab, a Russian cybersecurity firm, is shutting down its U.S. operations and laying off employees after the U.S. Commerce Department banned the sale of Kaspersky software starting July 20. The ban follows national security concerns that Kaspersky or the Russian government could exploit the software to spy on American customers. Kaspersky confirmed the shutdown, citing the ban's impact on its U.S. business viability. The closure affects fewer than 50 U.S. employees, who will receive severance packages.

The U.S. had previously banned Kaspersky software from federal and military systems due to security concerns. Despite denying any misuse of its software, Kaspersky faced allegations of extracting NSA hacking tools from an employee's computer. U.S. officials stress the ban protects Americans from potential exploitation by foreign adversaries.

BadPack APKs break malware analysis tools.

New research from Palo Alto Networks Unit 42 looks at APK files, the package format used by the Android OS. These are packaged as ZIP archives containing a critical file named AndroidManifest.xml, which holds essential application data. In some cases attackers tamper with the ZIP headers to prevent analysis, resulting in what are known as BadPack APKs.

Tools like Apktool and Jadx often fail to extract content from these tampered files. Palo Alto Networks' analysis of their Advanced WildFire telemetry from June 2023 to June 2024 identified nearly 9,200 BadPack samples. These files pose a significant threat by preventing normal extraction techniques and hindering security analysis.

BadPack APKs alter ZIP header values, leading to discrepancies that break analysis tools but not Android runtime. Researchers suggest reversing these changes for successful analysis. Tools like apkInspector can handle such tampered files. Enhanced detection and protection measures, including multi-factor authentication and monitoring, are crucial to countering this threat.
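As an added illustration that is not part of the podcast or of Unit 42's tooling: a small Python checker that compares each ZIP entry's local file header with the central directory (assumed here to be the structure Android's runtime trusts), flags the kind of discrepancy a BadPack-style edit introduces, and reverses it by rewriting the local header from the central directory. The sample APK-like archive, the tampered fields (compression method and sizes) and all function names are constructed for this example.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"
# Local file header: sig, version, flags, method, time, date, crc, csize, usize, name len, extra len
LFH_FMT = "<4sHHHHHIIIHH"

def build_sample_apk(tamper: bool) -> bytes:
    """Constructed sample APK-like ZIP (not a real malware sample); optionally BadPack-style tampered."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>" * 4)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    data = bytearray(buf.getvalue())
    if tamper:
        # The manifest's local header sits 30 bytes before its name (no extra field was written).
        off = data.find(b"AndroidManifest.xml") - 30
        struct.pack_into("<H", data, off + 8, 0x0063)    # bogus compression method
        struct.pack_into("<II", data, off + 18, 0, 0)    # zeroed compressed/uncompressed sizes
    return bytes(data)

def find_header_mismatches(apk: bytes) -> list:
    """Flag entries whose local header disagrees with the central directory."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:   # only the central directory is parsed here
        for info in zf.infolist():
            fields = struct.unpack_from(LFH_FMT, apk, info.header_offset)
            if fields[0] != LFH_SIG:
                found.append({"name": info.filename, "field": "signature"})
                continue
            for field, local, central in (("method", fields[3], info.compress_type),
                                          ("compress_size", fields[7], info.compress_size),
                                          ("file_size", fields[8], info.file_size)):
                if local != central:
                    found.append({"name": info.filename, "field": field,
                                  "local": local, "central": central})
    return found

def repair_local_headers(apk: bytes) -> bytes:
    """Reverse the tampering: rewrite each local header's method, CRC and sizes from the central directory."""
    data = bytearray(apk)
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            struct.pack_into("<H", data, off + 8, info.compress_type)
            struct.pack_into("<III", data, off + 14, info.CRC, info.compress_size, info.file_size)
    return bytes(data)
```

Running `find_header_mismatches` over a suspect APK before handing it to Apktool or Jadx turns a silent extraction failure into a concrete list of tampered fields, and `repair_local_headers` produces an archive those tools can open.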

Hackers use 7zip files to deliver Poco RAT malware. 

Hackers are using 7zip files to bypass security measures and deliver Poco RAT malware effectively. Discovered by Cofense in early 2024, Poco RAT targets Spanish-speaking individuals in the mining industry, initially through Google Drive-hosted 7zip archives. By Q2 2024, it reached four sectors, with mining still being the main target (67% of campaigns). The malware, focused on basic RAT functionality, uses consistent TTPs and exploits legitimate file hosting services to bypass Secure Email Gateways.

Poco RAT is distributed via direct Google Drive URLs in emails, links in HTML files, and links within attached PDFs.

Poco RAT employs POCO C++ libraries, arrives as an executable, and establishes persistence via registry keys. Despite attempts to evade detection, it faces average detection rates of 38% for executables and 29% for archives.

CISA’s red-teaming reveals security failings at an unnamed federal agency. 

In 2023, a CISA red team exercise exposed significant security failings at an unnamed federal agency. These SILENTSHIELD assessments, which simulate long-term nation-state threats without prior notice, revealed vulnerabilities in the agency's Oracle Solaris enclave due to an unpatched CVE-2022-21587, leading to a full compromise. Despite prompt notification, the agency delayed patching the vulnerability, and public exploit code emerged, further jeopardizing security.

The red team accessed the Windows network via phishing and identified weak passwords. They found unsecured admin credentials and gained access to highly privileged systems, termed a "full domain compromise." The exercise highlighted the agency's inadequate logging and over-reliance on known indicators of compromise (IoCs).

CISA emphasized defense-in-depth principles, recommending network segmentation and stressing the need to move beyond reliance on IoCs. It also called for improved software security, logging, and cooperation with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers.

In unrelated CISA news, the agency urges federal organizations to patch a critical GeoServer vulnerability, due to active exploitation evidence. This flaw allows unauthenticated remote code execution via unsafe evaluation of XPath expressions. GeoServer, an open-source server for geospatial data, improperly applies XPath evaluation to all feature types. Federal agencies must identify and patch vulnerable instances by August 5. 

Microsoft fixes an Outlook bug triggering false security alerts. 

Microsoft has resolved an Outlook bug causing incorrect security alerts, identified in February after the December updates. Users reported warnings like "This location may be unsafe" when opening ICS calendar files. These false alerts stemmed from security updates that prevented NTLM hash theft via crafted files. Initially fixed in April, the update was rolled back due to issues found in testing. The bug was finally fixed in the July 9th update. Users who applied a registry workaround should reverse it before installing the update.

Switzerland mandates open source software in the public sector. 

Switzerland has enacted the "Federal Law on the Use of Electronic Means for the Fulfilment of Governmental Tasks" (EMBAG), mandating open source software (OSS) for public sector bodies. Championed by Professor Dr. Matthias Stürmer, the law aims to reduce vendor lock-in, enhance digital transparency, and cut IT costs. Public bodies must disclose the source code of government-developed software, ensuring transparency and public contribution unless precluded by third-party rights or security concerns. Article 9 of EMBAG also allows public bodies to offer related services at cost-covering remuneration to maintain competitive balance. Despite initial resistance, persistent lobbying led to the law's adoption, which advocates say promotes digital sovereignty, innovation, and collaboration within the public sector. This legislative milestone may serve as a model for other countries, highlighting OSS benefits like security, cost efficiency, and increased public trust.

Coming up on our Industry Voices segment, N2K’s Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 Cloud Security Benchmark. 

Thanks, Rick, Alex and Matt. You can learn more about the 555 benchmark with the link in our show notes.

Bellingcat sleuths pinpoint an alleged cartel member. 

And finally, our luxury high rise desk pointed us to research from Netherlands-based investigative journalism group Bellingcat, which revealed how they pinpointed the luxury Dubai residence of alleged cartel member Dženis Kadrić in 2023. Bellingcat’s sleuths determined Kadrić was renting an apartment owned by Candido Nsue Okomo, the brother-in-law of Equatorial Guinea’s President.

Kadrić’s arrest in Bosnia for alleged organized crime left him under house arrest, but his wife’s Instagram posts flaunted her designer outfits against the Dubai skyline. These posts, showcasing the distinctive pools and landmarks of Burj Khalifa, the world’s largest skyscraper, gave them a vital clue.

Bellingcat's team started their investigation by identifying the unique pools and surrounding skyscrapers seen in her photos, confirming the location as the Burj Khalifa. Next, they analyzed perspective angles from the photos to narrow down the floor level, using visible landmarks as reference points.

Creating a 3D model of the famous skyscraper using Blender, an open-source software, allowed Bellingcat to match the exact views from the Instagram posts. By tracing perspective lines and finding the eye level, they pinpointed the floor level with remarkable accuracy.

Their investigation established Kadrić as a renter in the Burj Khalifa, thus exposing a connection to the investigation into dirty money in Dubai real estate. This geolocation work was a crucial piece of the puzzle in uncovering financial misdeeds.

So next time you’re on a digital detective mission, remember: Instagram, perspective angles, and a 3D model can lead you to the truth! And if you’re up to no good, you may want to remind your loved ones to cut back on posting pics to social media. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.