The CyberWire Daily Podcast 8.7.24
Ep 2124 | 8.7.24

When updates attack.

Transcript

CrowdStrike releases a postmortem. LoanDepot puts a multimillion-dollar price tag on their ransomware incident. RHADAMANTHYS info stealer targets Israelis. Zola ransomware is an advanced evolution of the Proton family. Firefox fixes several high-severity vulnerabilities. Researchers at Certitude uncover a vulnerability in Microsoft 365’s anti-phishing measures. Threat actors exploit legitimate anti-virus software for malicious purposes. Samsung’s new bug bounty program offers rewards up to a million dollars. Guest Adam Marré, CISO at Arctic Wolf, joins us to share his observations on the ground at Black Hat USA 2024. Ransomware gangs turn the screws and keep up with the times. 

Today is Wednesday, August 7th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CrowdStrike releases a postmortem.  

CrowdStrike has released a detailed analysis of the Falcon sensor update issue that occurred on July 19, 2024, causing system crashes for millions of Windows users. The problem stemmed from a mismatch between the expected input fields for the sensor’s Content Interpreter and those provided by a new Template Type introduced in February 2024. Specifically, the IPC Template Type required 21 input fields, but the sensor only supplied 20, a discrepancy missed during development due to the use of wildcard matching criteria. The issue was triggered when a non-wildcard criterion was deployed, causing an out-of-bounds memory read and resulting in crashes. CrowdStrike’s report outlines several mitigations, including implementing compile-time validation, adding runtime checks, expanding testing, correcting logic errors, and introducing staged deployments. They also provide customers with control over updates. As of July 29, 99% of affected Windows systems were back online, with a hotfix expected by August 9. Two independent reviews of the Falcon sensor code have been commissioned by CrowdStrike.
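The field-count mismatch described above, as an added Python illustration that is not part of the episode and is not CrowdStrike’s code: a template declares 21 fields while the sensor supplies 20, a rule that wildcards the 21st field never indexes it and so passes every test, and the first rule with a concrete value for that field reads past the end (an IndexError here standing in for the native out-of-bounds read). A validation step run before any matching, in the spirit of the runtime checks the postmortem describes, turns that into a loud, recoverable error. All names, the template layout and the sample rules are assumptions constructed for this illustration.

```python
"""
Added illustration, not CrowdStrike code: a template that declares one more
input field than the sensor supplies stays silent while every rule wildcards
that field, and fails the moment a rule matches on it. Names, the 20/21
layout and the rules are assumptions modelled on the postmortem's description.
"""
from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class TemplateType:
    name: str
    field_count: int          # fields the template declares its rules may use


@dataclass(frozen=True)
class Criterion:
    values: tuple             # one expected value (or WILDCARD) per field


class InputMismatch(Exception):
    """Raised when the declared field layout disagrees with the sensor's input."""


def sensor_input(n_fields):
    """Constructed stand-in for the fields the sensor actually passes in."""
    return [f"f{i}" for i in range(n_fields)]


def match_unchecked(fields, criterion):
    """Original-style matching: index the input for every non-wildcard value.
    A wildcard never touches fields[i], so a too-short input is harmless until
    a concrete value for the missing field is deployed. In Python that shows
    up as IndexError; in native code it is an out-of-bounds read."""
    for i, want in enumerate(criterion.values):
        if want == WILDCARD:
            continue
        if fields[i] != want:
            return False
    return True


def validate(template, fields, criterion):
    """Runtime check run before any matching: the layout must agree on both sides."""
    if len(fields) != template.field_count:
        raise InputMismatch(f"{template.name}: declares {template.field_count} "
                            f"fields, sensor supplied {len(fields)}")
    if len(criterion.values) != template.field_count:
        raise InputMismatch(f"{template.name}: criterion has "
                            f"{len(criterion.values)} values")


def match_checked(template, fields, criterion):
    validate(template, fields, criterion)
    return match_unchecked(fields, criterion)


def run_scenario():
    """Replay the three states: wildcard rule, concrete rule, concrete rule with check."""
    ipc = TemplateType("IPC", field_count=21)                    # declares 21
    fields = sensor_input(20)                                    # sensor supplies 20
    wildcard_rule = Criterion(("f0",) + (WILDCARD,) * 20)        # field 21 wildcarded
    concrete_rule = Criterion(tuple(f"f{i}" for i in range(21)))  # matches on field 21
    out = {"wildcard_rule": match_unchecked(fields, wildcard_rule)}
    try:
        match_unchecked(fields, concrete_rule)
        out["concrete_rule_unchecked"] = "matched"
    except IndexError:
        out["concrete_rule_unchecked"] = "IndexError"
    try:
        match_checked(ipc, fields, concrete_rule)
        out["concrete_rule_checked"] = "matched"
    except InputMismatch as e:
        out["concrete_rule_checked"] = f"InputMismatch: {e}"
    # once the sensor really supplies 21 fields the same rule passes the check
    out["fixed_sensor"] = match_checked(ipc, sensor_input(21), concrete_rule)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point of the replay is the first result: the wildcard rule matches cleanly against the short input, which is exactly why test content built only from wildcards could not surface the bug; the check in validate() rejects the layout regardless of what any rule contains.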

LoanDepot puts a multimillion-dollar price tag on their ransomware incident. 

LoanDepot reported nearly $27 million in costs from a ransomware attack disclosed in January 2024. The breach potentially compromised personal details of over 16 million individuals, including Social Security and financial account numbers. Expenses include investigation, remediation, customer notifications, identity protection, legal fees, and litigation settlements. A $25 million accrual was recorded for class action litigation related to the incident. The Alphv/BlackCat ransomware group claimed responsibility. 

RHADAMANTHYS info stealer targets Israelis. 

A new cyber campaign has emerged targeting Israeli users, showcasing the RHADAMANTHYS information stealer, a sophisticated malware developed by Russian-speaking cybercriminals. Offered as Malware-as-a-Service, RHADAMANTHYS is adept at data exfiltration, employing an intricate infection chain. The attack uses social engineering tactics, sending Hebrew phishing emails impersonating notifications from Calcalist and Mako. These emails exploit urgency and fear by falsely alleging copyright infringement, prompting users to act quickly. The emails include a locked RAR archive containing a suspicious executable named, in Hebrew, “Copyright infringing images.exe.” Once executed, RHADAMANTHYS employs anti-analysis tactics to avoid detection and injects code into legitimate Windows processes, persisting through registry modifications. It steals credentials, browsing history, cryptocurrency info, and system details, communicating with its C2 server over HTTPS. The malware also acts as a downloader for additional payloads. 

Zola ransomware is an advanced evolution of the Proton family. 

Zola ransomware is the latest evolution of the Proton family, which first appeared in March 2023. Discovered by Acronis researchers, Zola uses advanced techniques to disable Windows Defender and employs various hacking tools for privilege escalation, network reconnaissance, and credential theft. It distinguishes itself with features like a single mutex to prevent simultaneous execution, administrative rights verification, and a Persian-language kill switch. Zola’s preparation includes generating victim IDs, modifying registry values, disabling recovery options, and killing 137 processes and 79 services to remove security measures. The ransomware employs the ChaCha20 algorithm for encryption and uses Crypto++ for cryptographic functions, while falsely claiming AES and ECC encryption in ransom notes. An anti-forensics measure fills the disk with uninitialized data to hinder recovery and forensic analysis. Zola is available in x86 and x64 versions, targeting a wide range of systems and retaining much of Proton’s core functionality. Future variants are expected to continue this pattern of rebranding.

Firefox fixes several high-severity vulnerabilities. 

Mozilla has released Firefox 129, addressing several high-severity vulnerabilities to enhance browser security. The update fixes critical issues like out-of-bounds memory access in graphics handling (CVE-2024-7518 and CVE-2024-7519), which could lead to memory corruption and sandbox escapes. Other vulnerabilities include obscuring fullscreen notification dialogs, incomplete WebAssembly exception handling, and use-after-free in JavaScript and IndexedDB. These flaws pose risks of spoofing, unauthorized data access, and memory corruption. Mozilla advises users to update Firefox immediately to ensure a safer browsing experience. 

Researchers at Certitude uncover a vulnerability in Microsoft 365’s anti-phishing measures. 

Researchers at Certitude recently uncovered a vulnerability in Microsoft 365’s anti-phishing measures. They discovered a way to bypass the First Contact Safety Tip, a feature that alerts Outlook users when they receive an email from an unfamiliar sender. This alert is inserted into the email’s HTML body, but attackers can manipulate its appearance using CSS. By changing the background and font colors to white, the warning becomes invisible to the user.

The team at Certitude demonstrated how attackers could further exploit this vulnerability by spoofing the icons that indicate encrypted and signed emails. By altering the HTML code and using Unicode characters to prevent Outlook from recognizing email addresses, they made phishing attempts appear legitimate.

Despite Certitude’s proof of concept and advisory submitted through the Microsoft Researcher Portal, Microsoft chose not to address the issue. 
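The hidden-warning technique just described, as an added Python illustration that is not part of the episode and is not Certitude’s proof of concept: it resolves the effective text and background colour of the element carrying a First Contact Safety Tip, honouring simple tag, .class and #id rules from <style> blocks, inline style attributes and !important, and flags the message when the two colours coincide. The tip wording, the simplified cascade (no descendant or attribute selectors) and both sample messages are assumptions constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Assumed wording of the tip; the real string is not on the page.
TIP_PHRASE = "you don't often get email from"
VOID = {"br", "img", "hr", "meta", "link", "input", "col", "wbr"}


def norm_color(value):
    """white / #fff / #ffffff / rgb(255,255,255) -> 'ffffff'; None if unknown."""
    if value is None:
        return None
    v = value.replace("!important", "").strip().lower()
    if v == "white":
        return "ffffff"
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", v)
    if m:
        h = m.group(1)
        return h if len(h) == 6 else "".join(c * 2 for c in h)
    m = re.fullmatch(r"rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", v)
    return "".join(f"{min(int(x), 255):02x}" for x in m.groups()) if m else None


def parse_decls(text):
    """'color:#fff; background:white' -> {'color': '#fff', 'background': 'white'}"""
    out = {}
    for decl in text.split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            out[k.strip().lower()] = v.strip()
    return out


def merge(base, new):
    """Cascade step: a later declaration wins unless the earlier one is !important."""
    for k, v in new.items():
        if "!important" not in base.get(k, "") or "!important" in v:
            base[k] = v
    return base


class TipAudit(HTMLParser):
    """Resolves effective color/background per element from simple tag, .class
    and #id rules in <style> blocks plus inline style attributes."""

    def __init__(self):
        super().__init__()
        self.rules, self.stack, self.in_style, self.findings = {}, [], False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = self.in_style or tag == "style"
        if tag in VOID:
            return
        parent = self.stack[-1] if self.stack else {}
        # inherited values lose their importance
        eff = {k: v.replace("!important", "").strip() for k, v in parent.items()}
        merge(eff, self.rules.get(tag, {}))
        for cls in (a.get("class") or "").split():
            merge(eff, self.rules.get("." + cls, {}))
        if a.get("id"):
            merge(eff, self.rules.get("#" + a["id"], {}))
        merge(eff, parse_decls(a.get("style") or ""))   # inline, unless outranked
        self.stack.append(eff)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.in_style:
            for sel, body in re.findall(r"([^{}]+)\{([^}]*)\}", data):
                for s in sel.split(","):
                    merge(self.rules.setdefault(s.strip().lower(), {}), parse_decls(body))
        elif TIP_PHRASE in data.lower() and self.stack:
            eff = self.stack[-1]
            fg = norm_color(eff.get("color"))
            bg = norm_color(eff.get("background-color") or eff.get("background"))
            self.findings.append({"color": fg, "background": bg,
                                  "hidden": fg is not None and fg == bg})


def audit(html):
    """Is a safety tip present, and does its effective styling make it invisible?"""
    p = TipAudit()
    p.feed(html)
    p.close()
    return {"tip_present": bool(p.findings),
            "tip_hidden": any(f["hidden"] for f in p.findings)}


# Constructed samples: a tip with Outlook-style inline colours, and the same
# message carrying an attacker <style> block that overrides them.
BENIGN_EMAIL = """<html><body><table><tr><td style="background-color:#a6a6a6;color:#000">
You don't often get email from alice@example.com. <a href="#">Learn why this is important</a>
</td></tr></table><p>Hi, the invoice is attached.</p></body></html>"""

HIDDEN_TIP_EMAIL = """<html><head><style>
td { color: #fff !important; background-color: white !important; }
</style></head><body><table><tr><td style="background-color:#a6a6a6;color:#000">
You don't often get email from billing@example.net. <a href="#">Learn why this is important</a>
</td></tr></table><p>Your account is locked. Sign in to restore access.</p></body></html>"""
```

Running audit(BENIGN_EMAIL) and audit(HIDDEN_TIP_EMAIL) shows the difference a mail gateway could act on: both messages carry the tip, but only the second resolves it to white on white. A check like this belongs on the receiving side, since the tip is injected into HTML the sender controls and, as the segment notes, Microsoft declined to change that.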

Threat actors exploit legitimate anti-virus software for malicious purposes. 

Researchers at LevelBlue Labs have identified a new tactic used by threat actors to exploit legitimate anti-virus software for malicious purposes. The attack uses a tool called SbaProxy, which disguises itself as a legitimate anti-virus component to establish proxy connections via a command and control (C&C) server. SbaProxy is distributed in various formats, such as DLLs, EXEs, and PowerShell scripts, and can easily evade detection due to its legitimate appearance and valid certificates. The attackers modify anti-virus binaries, like those from Malwarebytes and BitDefender, maintaining their benign appearance. Malicious binaries signed with valid certificates bypass security checks, making detection challenging. LevelBlue Labs discovered that these binaries execute XOR-encrypted shellcode and establish C&C communication by hijacking anti-virus functions. The lab developed detection methods, including Suricata IDS signatures, to identify this threat, with indicators of compromise available.

Samsung’s new bug bounty program offers rewards up to a million dollars. 

Samsung has launched the Important Scenario Vulnerability Program (ISVP), a new bug bounty initiative for its mobile devices, offering rewards of up to $1,000,000 for critical vulnerabilities. The program focuses on issues like arbitrary code execution, device unlocking, data extraction, and bypassing protections. Device unlocks with full data extraction can earn $400,000. The program aims to improve security by incentivizing reports of significant vulnerabilities. Samsung paid over $827,925 in 2023 and aims to surpass previous records with ISVP. Since 2017, Samsung has awarded over $4.9 million in bug bounties.


Coming up, Arctic Wolf’s CISO Adam Marré checks in to share his observations as our man on the street from Black Hat USA 2024.

We’ll be right back

Welcome back

Ransomware gangs turn the screws and keep up with the times. 

And finally, updated research from Sophos shows that ransomware gangs are increasingly sophisticated in their tactics, adapting over time to exert more pressure on their victims. Initially, in 2021, tactics included threats to publish stolen data, contacting employees, and alerting media outlets. These methods are still in use, but recent developments show that threat actors have become more creative and aggressive. They now exploit legitimate entities such as the media, legislation, and law enforcement to apply pressure on victims. This includes encouraging affected customers and employees to sue the victim organizations, and using stolen data to highlight potential legal or regulatory violations.

Ransomware groups, such as ALPHV/BlackCat, have even filed official complaints with regulatory bodies like the SEC, accusing victims of non-compliance. Other groups assess stolen data for evidence of wrongdoing to use as leverage. In some cases, ransomware operators publicly shame their victims, portraying themselves as vigilantes, while targeting individuals with reputational damage by revealing personal or embarrassing information. Tactics also include leaking highly sensitive data, such as medical records and private images, to further intimidate victims.

The evolution of these tactics reflects a broader willingness to exploit any means available to coerce payment and damage reputations. As ransomware groups grow more audacious, the threat landscape becomes more perilous, necessitating heightened vigilance and robust defenses from potential targets.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.