The CyberWire Daily Podcast 8.23.24
Ep 2136 | 8.23.24

Hackers strike LiteSpeed cache again.

Transcript

The exploitation of the LiteSpeed Cache Wordpress plugin has begun. Halliburton confirms a cyberattack. Velvet Ant targets Cisco Switch appliances. The Qilin ransomware group harvests credentials stored in Google Chrome. Ham radio enthusiasts pay a million dollar ransom. SolarWinds releases a hotfix to fix a hotfix. A telecom company will pay a million dollar fine over President Biden deepfakes. The Justice Department is suing the Georgia Institute of Technology and an affiliated company for allegedly failing to meet required cybersecurity standards for Pentagon contracts. Today’s guest is Dustin Moody, mathematician at NIST, speaking with N2K's Brandon Karpf about post-quantum encryption standards. When it comes to phishing simulations, sometimes the cure is scarier than the disease.

Today is Friday, August 23rd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The exploitation of the LiteSpeed Cache Wordpress plugin has begun. 

Hackers have begun exploiting a severe vulnerability in the LiteSpeed Cache WordPress plugin, just a day after its technical details were disclosed. This vulnerability, tracked as CVE-2024-28000, affects all versions up to 6.3.0.1 and allows attackers to escalate privileges without authentication. The flaw originates from a weak hash check in the plugin’s user simulation feature, enabling attackers to brute-force the hash value and create rogue admin accounts, leading to complete site takeovers. Over 5 million sites use LiteSpeed Cache, but only 30% have updated to a safe version, leaving millions vulnerable. Wordfence has detected over 48,500 attacks exploiting this flaw in just 24 hours. Users are urged to upgrade to version 6.4.1 or uninstall the plugin to protect their websites. This is the second major security issue with LiteSpeed Cache this year.
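The story above turns on a security check whose secret was small enough to guess. The following Python is an added illustration, not code from the LiteSpeed Cache plugin or from Wordfence: it contrasts the search space of a short, low-entropy hash (a constructed 6-character, letters-and-digits example; the plugin's actual format is not described here) with a token drawn from the OS CSPRNG, and shows the hardened server-side check a practitioner would want, namely a high-entropy token, a constant-time comparison, and a failure counter so repeated wrong guesses are refused. `TokenStore` and its method names are hypothetical.

```python
"""Weak vs. hardened check for a 'simulate this user' token.

Added example: not LiteSpeed Cache's code. Alphabet and length of the
weak scheme are constructed for illustration only.
"""
import hmac
import secrets
import string

# Constructed weak scheme: 6 characters from lowercase letters and digits.
# 36 ** 6 is about 2.2 billion possibilities, which is within reach of an
# automated guesser that is never throttled.
WEAK_ALPHABET = string.ascii_lowercase + string.digits
WEAK_LENGTH = 6


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct values a fixed-length token can take."""
    return alphabet_size ** length


def issue_strong_token() -> str:
    """32 bytes from the OS CSPRNG, rendered as 64 hex characters (256 bits)."""
    return secrets.token_hex(32)


class TokenStore:
    """Hypothetical server-side store of per-user simulation tokens.

    The check is constant-time (hmac.compare_digest) and a user whose token
    has been guessed wrongly max_failures times in a row is refused until a
    new token is issued, so brute force cannot run unchecked.
    """

    def __init__(self, max_failures: int = 5) -> None:
        self._tokens: dict[str, str] = {}
        self._failures: dict[str, int] = {}
        self.max_failures = max_failures

    def issue(self, user_id: str) -> str:
        token = issue_strong_token()
        self._tokens[user_id] = token
        self._failures[user_id] = 0
        return token

    def check(self, user_id: str, presented: str) -> bool:
        expected = self._tokens.get(user_id)
        if expected is None:
            return False
        if self._failures.get(user_id, 0) >= self.max_failures:
            return False  # locked after too many consecutive failures
        # Compare encoded bytes so arbitrary input cannot raise TypeError.
        ok = hmac.compare_digest(expected.encode(), presented.encode())
        self._failures[user_id] = 0 if ok else self._failures[user_id] + 1
        return ok


if __name__ == "__main__":
    print("weak keyspace  :", keyspace(len(WEAK_ALPHABET), WEAK_LENGTH))
    print("strong keyspace:", keyspace(16, 64))  # == 2 ** 256
    store = TokenStore()
    tok = store.issue("site-admin")
    print("correct token accepted:", store.check("site-admin", tok))
    print("wrong token accepted  :", store.check("site-admin", "abc123"))
```

The keyspace numbers are the point: a guesser has a realistic chance against 36**6 values and none against 2**256, and the lockout means even a weak token would not stay guessable for long.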

Halliburton confirms a cyberattack. 

Halliburton, one of the largest oilfield service companies, confirmed that its networks were impacted by a cyberattack, as first reported by Reuters. The incident, which occurred on Wednesday, appears to have affected operations at the company’s Houston headquarters, though it’s unclear if other locations were impacted. Halliburton employs nearly 48,000 people globally and generated over $23 billion in revenue last year. The nature of the cyberattack remains unspecified, but some staff were reportedly told not to connect to internal networks. Halliburton is working with external experts to address the issue and has activated its response plan. Despite the attack, the company’s stock remained stable. The incident highlights ongoing cyber threats to the petroleum sector, though experts say disruptions to Halliburton’s operations are unlikely to affect gas supplies.

Velvet Ant targets Cisco Switch appliances. 

Research from Sygnia documents the threat group ‘Velvet Ant’, who earlier this year exploited a zero-day vulnerability (CVE-2024-20399) in Cisco Switch appliances, enabling them to evade detection and maintain long-term access within networks. This vulnerability allowed attackers with admin credentials to bypass the NX-OS command line interface and execute arbitrary commands on the underlying Linux OS, leading to the deployment of custom malware named ‘VELVETSHELL.’ The malware operates invisibly, making detection by common security tools difficult. Velvet Ant’s shift to targeting network devices like Cisco switches demonstrates their evolving tactics in a multi-year espionage campaign. This highlights significant security risks associated with third-party appliances, emphasizing the need for enhanced logging, continuous monitoring, and threat hunting to detect such advanced persistent threats.

The Qilin ransomware group harvests credentials stored in Google Chrome. 

The Qilin ransomware group has adopted a new tactic, deploying a custom stealer to harvest credentials stored in Google Chrome. This method, observed by Sophos X-Ops during incident response, marks a concerning development in ransomware strategies. The attack began with Qilin accessing a network via compromised VPN credentials, followed by an 18-day dormancy, likely used for reconnaissance. The attackers then moved laterally to a domain controller, modifying Group Policy Objects (GPOs) to execute a PowerShell script that collected Chrome-stored credentials across all logged-in machines. These stolen credentials were exfiltrated, and traces were erased before deploying the ransomware payload. This approach complicates defense, as widespread credential theft can facilitate further attacks and make response efforts more challenging. To mitigate risks, organizations should enforce strict policies against storing credentials in browsers, implement multi-factor authentication, and apply least privilege principles.
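The chain described above leaves two observable traces: a Group Policy object changing on a domain controller, and a PowerShell script on workstations reading Chrome's stored credential file. The Python below is an added detection sketch, not code from Sophos X-Ops or from any product: it parses a simplified, constructed `timestamp|host|event_id|message` log format (not a real vendor export), flags Windows Security Event ID 5136 entries that touch a `groupPolicyContainer` object and PowerShell script-block (Event ID 4104) entries that reference Chrome's `Login Data` store, and then correlates the two so that credential access following a GPO change stands out. The sample log lines, the host names and the GUID placeholder are constructed.

```python
"""Flag GPO modifications and PowerShell script blocks touching Chrome's
credential store, then correlate the two.

Added example; log format and sample lines are constructed, not a real export.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    ts: str        # ISO-8601 UTC, so string comparison orders correctly
    host: str
    event_id: int
    message: str


def parse_line(line: str):
    """Parse 'ts|host|event_id|message'; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, eid, msg = parts
    try:
        return Event(ts, host, int(eid), msg)
    except ValueError:
        return None


# 5136: a directory service object was modified; objectClass
# groupPolicyContainer narrows that to Group Policy changes.
# 4104: PowerShell script block logging (requires it to be enabled).
GPO_MODIFY_RE = re.compile(r"groupPolicyContainer", re.I)
CHROME_CRED_RE = re.compile(r"Login Data|Chrome\\User Data", re.I)


def evaluate(event: Event) -> list[str]:
    findings = []
    if event.event_id == 5136 and GPO_MODIFY_RE.search(event.message):
        findings.append("gpo_modified")
    if event.event_id == 4104 and CHROME_CRED_RE.search(event.message):
        findings.append("chrome_credential_access")
    return findings


def scan(lines) -> list[tuple[str, str, str]]:
    """Return (timestamp, host, finding) for every matching event."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for finding in evaluate(ev):
            alerts.append((ev.ts, ev.host, finding))
    return alerts


def correlate(alerts) -> list[str]:
    """Hosts where Chrome credential access was logged after any GPO change."""
    gpo_times = [ts for ts, _, f in alerts if f == "gpo_modified"]
    if not gpo_times:
        return []
    first_gpo = min(gpo_times)
    hosts: list[str] = []
    for ts, host, f in alerts:
        if f == "chrome_credential_access" and ts > first_gpo and host not in hosts:
            hosts.append(host)
    return hosts


# Constructed sample log: one GPO change on a DC, a benign logon, a script
# block reading Chrome's Login Data on a workstation, a benign script block,
# and a malformed line that the parser must skip.
SAMPLE_LOG = [
    r"2024-05-01T02:14:09Z|DC01|5136|Object modified: CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=corp,DC=example objectClass=groupPolicyContainer attribute=gPCFileSysPath",
    r"2024-05-01T02:14:10Z|DC01|4624|An account was successfully logged on",
    r'2024-05-01T02:31:45Z|WS-017|4104|Creating Scriptblock text: ... "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" ...',
    r"2024-05-01T02:31:50Z|WS-017|4104|Creating Scriptblock text: Get-Date",
    "malformed line",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("hosts with credential access after a GPO change:", correlate(found))
```

Either finding alone is noisy (admins change GPOs, and scripts legitimately touch user profiles); the correlation is what turns two routine-looking events into the pattern this story describes.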

Ham radio enthusiasts pay a million dollar ransom. 

The ARRL (American Radio Relay League) is a national association for amateur radio enthusiasts in the United States. A letter to their members says that in early May 2024, ARRL’s network was compromised by threat actors (TAs) using dark web-purchased information. The attackers infiltrated both on-site and cloud-based systems, deploying ransomware across various devices, from desktops to servers. The highly coordinated attack took place on May 15, leading to significant disruption. Despite ARRL being a small non-profit, the attackers demanded a multi-million-dollar ransom. After tense negotiations, ARRL paid a $1 million ransom, largely covered by insurance. The organization quickly formed a crisis management team and involved the FBI, who categorized the attack as uniquely sophisticated. Most systems have been restored, with Logbook of The World (LoTW) back online within four days. ARRL is now simplifying its infrastructure and establishing an Information Technology Advisory Committee to guide future IT decisions. 

SolarWinds releases a hotfix to fix a hotfix. 

SolarWinds has released a second hotfix for its Web Help Desk software to address critical vulnerabilities, including resolving hardcoded credentials that were responsibly disclosed during the deployment of the first hotfix and subsequently remediated in the second hotfix. This flaw, tracked as CVE-2024-28987 with a CVSS score of 9.1, could allow remote, unauthenticated users to access and modify internal data. The new hotfix removes the hardcoded credentials, fixes an SSO issue, and resolves the critical remote code execution (RCE) vulnerability (CVE-2024-28986) that the initial hotfix aimed to address. The U.S. cybersecurity agency CISA quickly added the RCE bug to its Known Exploited Vulnerabilities catalog, indicating it may have been exploited in the wild. Organizations are urged to apply the latest hotfix immediately to secure their systems.

A telecom company will pay a million dollar fine over President Biden deepfakes. 

Lingo Telecom will pay a $1 million fine for transmitting deceptive robocalls in New Hampshire that used AI to spoof President Biden’s voice, violating federal caller ID rules, the FCC announced. The robocalls, sent before the New Hampshire primary, were arranged by political consultant Steve Kramer, who is also facing a $6 million fine and criminal indictment. The FCC emphasized the need for transparency in AI usage in communications. Lingo Telecom also agreed to a compliance plan to prevent future violations.

The Justice Department is suing the Georgia Institute of Technology and an affiliated company for allegedly failing to meet required cybersecurity standards for Pentagon contracts.

The Justice Department is suing the Georgia Institute of Technology and an affiliated company for allegedly failing to meet required cybersecurity standards for Pentagon contracts. The lawsuit, backed by the False Claims Act, purports that Georgia Tech’s Astrolavos Lab did not develop a proper system security plan as mandated by the Department of Defense, and falsely reported their cybersecurity assessment to the Pentagon. Despite implementing a plan in February 2020, the lab reportedly failed to cover all necessary devices. The whistleblower lawsuit, filed by two former Georgia Tech cybersecurity team members, alleges a lack of enforcement of cybersecurity regulations at the university. Georgia Tech disputes the claims, stating that the lawsuit misrepresents their commitment to innovation and integrity, and insists there was no breach or data leak involved.


Coming up, N2K's Brandon Karpf speaks with NIST mathematician Dustin Moody about their first 3 finalized post-quantum encryption standards. 

Welcome back. You can hear more of Brandon and Dustin’s conversation as they go into more detail on the individual standards on Sunday in our Special Edition podcast. Stay tuned. There are also some links in the show notes to the standards and some resources to learn about post-quantum cryptography. 

When it comes to phishing simulations, sometimes the cure is scarier than the disease. 

And finally, in the world of phishing simulations, there’s a fine line between effective training and causing unnecessary panic—just ask the folks at UC Santa Cruz. On August 18, UCSC sent out an email with the alarming subject line, “Emergency Notification: Ebola Virus Case on Campus.” Students and staff were understandably rattled, only to later discover it was all part of a phishing awareness exercise. The email, mimicking a real phishing scam, urged recipients to log in for more details—classic phishing bait.

While the goal was to teach the community to spot phishing attempts, the choice of topic—an Ebola outbreak—backfired spectacularly. The simulated email triggered widespread concern, prompting the Student Health Center to issue a clarification. UCSC’s Chief Information Security Officer quickly apologized, admitting the simulation crossed a line and caused undue stress.

Lesson learned: phishing simulations should teach caution, not create chaos. In the future, UCSC aims to avoid such alarming scenarios, focusing instead on less panic-inducing content.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.