Cyber revolt or just digital ruckus?
Hacktivists respond to the arrest of Telegram’s CEO in France. Stealthy Linux malware stayed undetected for two years. Versa Networks patches a zero-day vulnerability. Google has patched its tenth zero-day vulnerability of 2024. Researchers at Arkose labs document Greasy Opal. A flaw in Microsoft 365 Copilot allowed attackers to exfiltrate sensitive user data. Gafgyt targets crypto mining in cloud native environments. Microsoft investigates an Exchange Online message quarantine issue. Our guest is Bar Kaduri, research team leader at Orca Security talking about AI Goat, the first open source AI security learning environment based on the OWASP top 10 ML risks. Kentucky Prisoners Trick Tablets to Generate Fake Money.
Today is Tuesday August 27th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Hacktivists respond to the arrest of Telegram’s CEO in France.
The arrest of Telegram CEO Pavel Durov in France sparked a wave of cyberattacks by hacktivists protesting his detention. French authorities detained Durov over Telegram’s lack of moderation, which they claimed facilitated criminal activities. This move triggered backlash, with many viewing it as an attack on internet privacy and free speech. In response, hacktivist groups launched cyberattacks on French websites under the campaign “opDurov.”
Key targets included government sites, media outlets, and health agencies, primarily through distributed-denial-of-service (DDoS) attacks. Prominent groups involved include the Russian Cyber Army Team, linked to Russia-backed APT44, and UserSec, both known for pro-Russian cyber activities. The Malaysian group RipperSec also participated. Despite these disruptions, many affected websites were back online by Monday afternoon, though some remained inaccessible. The attacks highlighted ongoing tensions over digital privacy and the geopolitical dimensions of cyber warfare.
And a quick program note - We have a detailed discussion on the arrest of Pavel Durov on this week’s Caveat podcast. That episode drops this coming Thursday.
Stealthy Linux malware stayed undetected for two years.
Risk management firm Stroz Friedberg uncovered a malware named “sedexp” that has been actively used since at least 2022, yet has remained undetected in online sandboxes. This malware employs an unusual persistence technique using udev rules, a device management system in Linux, to execute malicious code every time a specific device event occurs, ensuring it runs on every reboot. The technique used is not documented by MITRE ATT&CK, making it particularly stealthy. Sedexp includes features like a reverse shell for remote control and memory manipulation to conceal its presence. This malware has been linked to a financially motivated threat actor, who used it for activities like credit card scraping on compromised web servers.
Google has patched its tenth zero-day vulnerability of 2024.
Google has patched its tenth zero-day vulnerability of 2024, tracked as CVE-2024-7965. Reported by a researcher known as TheDog, the high-severity flaw was caused by a bug in the compiler backend during just-in-time (JIT) compilation in Chrome’s V8 JavaScript engine. This vulnerability allowed remote attackers to exploit heap corruption via a crafted HTML page.
Versa Networks patches a zero-day vulnerability.
Versa Networks has patched a zero-day vulnerability, CVE-2024-39717, in its Versa Director GUI, which allowed attackers to upload malicious files via an unrestricted file upload flaw. This high-severity vulnerability, found in the “Change Favicon” feature, could be exploited by users with admin privileges to disguise malicious files as PNG images. The flaw affected customers who failed to implement recommended system hardening and firewall guidelines. The vulnerability, exploited by an Advanced Persistent Threat (APT) actor in at least one attack, has prompted Versa to urge customers to upgrade their systems and apply hardening measures. The Cybersecurity and Infrastructure Security Agency (CISA) has added this zero-day to its Known Exploited Vulnerabilities catalog, requiring federal agencies to secure vulnerable instances by September 13.
Researchers at Arkose labs document Greasy Opal.
Researchers at Arkose labs have documented Greasy Opal, an online business providing tools that enable cyberattacks, particularly through sophisticated CAPTCHA-solving software. Operating since 2009 from the Czech Republic, it offers solutions to a wide range of customers, including malicious actors. Its advanced machine-learning models allow for rapid adaptation to new CAPTCHA challenges, making it a significant threat in cybersecurity. Greasy Opal’s tools are used in large-scale bot attacks, such as credential stuffing and fake account creation. Despite being highly efficient, the tools are limited by their CPU-based architecture, which affects scalability. Sold at low prices, these tools are easily accessible, contributing to the rise of cybercrime. Companies targeted by Greasy Opal should ensure robust bot management and modern CAPTCHA solutions to mitigate these threats.
A flaw in Microsoft 365 Copilot allowed attackers to exfiltrate sensitive user data.
Researchers uncovered a critical security flaw in Microsoft 365 Copilot that allowed attackers to exfiltrate sensitive user data through a sophisticated exploit chain. Discovered by security researcher Johann Rehberger, the vulnerability combined several techniques, including prompt injection, automatic tool invocation, and ASCII smuggling. The attack began with a malicious email or document containing a prompt injection payload, instructing Copilot to retrieve additional emails and documents without user interaction. The most innovative aspect was ASCII smuggling, which used invisible Unicode characters to hide exfiltrated data within clickable hyperlinks. When a user clicked the link, sensitive information, such as MFA codes or sales figures, would be sent to an attacker-controlled server. Microsoft patched the vulnerability in January 2024, although specific details of the fix remain unclear. The original proof-of-concept exploits no longer work.
Gafgyt targets crypto mining in cloud native environments.
A new variant of the Gafgyt botnet, also known as BASHLITE, has been discovered, now targeting machines with weak SSH passwords for crypto mining in cloud-native environments. Historically, Gafgyt exploits weak or default credentials to control devices like routers and cameras. The latest variant uses brute-force attacks on SSH servers to deploy XMRig, a Monero cryptocurrency miner, leveraging GPU power for mining. Additionally, it includes a worming module to scan and propagate the malware across vulnerable servers. This evolution reflects Gafgyt’s shift from distributed denial-of-service (DDoS) attacks to crypto mining, particularly targeting environments with strong CPU and GPU capabilities.
Microsoft investigates an Exchange Online message quarantine issue.
Microsoft is investigating an issue with Exchange Online that incorrectly flagged emails containing images as malicious, leading to their quarantine. The problem, tracked as EX873252, has affected both outbound and internal emails, including replies and forwards of previously external messages. System administrators reported that the issue also impacted messages with image signatures. Microsoft is reviewing service telemetry to identify the root cause and develop a fix. The company has already implemented a mitigation strategy, successfully unblocking and replaying over 99% of affected emails. This follows a similar incident in October 2023, where a faulty anti-spam rule caused outbound emails to be wrongly flagged as spam.
Our guest Bar Kaduri joins us from Orca Security to talk about AI Goat, the first open source AI security learning environment based on the OWASP top 10 ML risks. We’ll be right back.
Welcome back. You can find out more about AI Goat in our show notes.
Kentucky Prisoners Trick Tablets to Generate Fake Money.
And finally, our law and order desk tells us the tale of the clever inmates of the Kentucky Department of Corrections.
Inmates are routinely charged for services like email, video visits, games, music, and other digital media through their commissary accounts, which are funded by money deposited by their loved ones. These accounts allow inmates to purchase tangible items from prison canteens as well as digital products offered by companies like Securus Technologies, which provides the tablets and digital services in many prisons.
Email and video visits, which are relatively low-cost services in the outside world, are sold at marked-up rates to inmates. This practice has been criticized as exploitative, especially given the limited financial resources of many prisoners and their families. The money collected from these transactions typically results in profits for both the service providers and the prison system, as contracts often include revenue-sharing agreements.
In this case, hundreds of inmates hacked their state-issued tablets, creating over $1 million in fake money. Using a simple trick—placing a minus sign before a dollar amount—they magically added funds to their commissary and digital accounts, allowing them to splurge on email stamps, video visits, games, and music. The scheme went unnoticed until an anonymous tip came in, by which time nearly $88,000 had been spent. The inmates’ digital shopping spree was so successful that officials struggled for months to recover the losses, with some prisoners even walking out of jail with cash in their pockets. The fiasco has raised eyebrows and questions about who the real crooks are—those behind bars or the companies profiting off them. As one critic put it, “At some point, you have to ask yourself, who’s really committed the crime here?”
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.