The CyberWire Daily Podcast 8.28.24
Ep 2139 | 8.28.24

From screen share to spyware.

Transcript

Threat actors use a malicious Pidgin plugin to deliver malware. The BlackByte ransomware group is exploiting a recently patched VMware ESXi vulnerability. The State Department offers a $2.5 million reward for a major malware distributor. A Swiss industrial manufacturer suffers a cyberattack. The U.S. Marshals Service (USMS) responds to claims of data theft by the Hunters International ransomware gang. Park’N Fly reports a data breach affecting 1 million customers. Black Lotus Labs documents the active exploitation of a zero-day vulnerability in Versa Director servers. Federal law enforcement agencies warn that Iran-based cyber actors continue to exploit U.S. and foreign organizations. We kick off our new educational CertByte segment with hosts Chris Hare and George Monsalvatge. Precrime detectives root out election related misinformation before it happens.

Today is Wednesday, August 28th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Threat actors use a malicious Pidgin plugin to deliver malware. 

Threat actors have been delivering malware to instant messaging users via a malicious Pidgin plugin and an unofficial fork of the Signal app. The Pidgin messaging app developers discovered that a plugin named ScreenShare-OTR had made it onto their official third-party plugins list. The plugin, which claimed to offer screen sharing over the OTR protocol, actually contained keylogging code and shared screenshots with its operators. ESET’s analysis revealed that the plugin could download and execute malicious scripts, including the DarkGate malware, which steals credentials and logs keystrokes. A similar backdoor was found in Cradle, an unofficial Signal fork, which also included malicious code and used the same certificate as the Pidgin plugin. Both the Pidgin plugin and the Cradle app had Linux versions with similar capabilities. ESET has provided indicators of compromise (IoCs) to help detect these threats.

The BlackByte ransomware group is exploiting a recently patched VMware ESXi vulnerability.

Security researchers at Cisco Talos have identified that the BlackByte ransomware group is exploiting a recently patched vulnerability, CVE-2024-37085, in VMware ESXi hypervisors to deploy ransomware and gain full administrative access to victim networks. This vulnerability allows attackers to bypass authentication on ESXi systems joined to an Active Directory domain. By exploiting this flaw, BlackByte can create a malicious “ESX Admins” group, granting themselves administrative privileges. Cisco Talos researchers observed the group using this vulnerability to deploy ransomware, which spreads across networks using stolen credentials and vulnerable drivers. Microsoft has also noted similar exploits by other ransomware groups. Organizations are urged to patch their VMware ESXi systems promptly and implement strong access controls and monitoring to mitigate the impact of these attacks.
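As an added example for this segment, not part of the podcast and not code from Cisco Talos, Microsoft or VMware, the Python below sketches the detection a defender would want for the technique just described: watch domain-controller Security audit events for a group being created or renamed to “ESX Admins” and for members being added to it shortly afterwards. The event records are constructed for illustration, and the field names (EventID, Time, Subject, Group, Member) are a simplified stand-in for the XML fields of a real 47xx event; in practice you would feed it parsed events from your SIEM.

```python
"""Hunt Windows Security audit events for the CVE-2024-37085 "ESX Admins" group pattern.

Added example. The event records below are constructed, not taken from a real domain
controller, and the field names (EventID, Time, Subject, Group, Member) are a simplified
stand-in for the XML fields of a real 47xx event.
"""
import re
from datetime import datetime, timedelta

# Windows Security event IDs for AD group lifecycle, by group scope
# (global, domain-local, universal).
GROUP_CREATED = {4727, 4731, 4754}
GROUP_CHANGED = {4737, 4735, 4755}  # "group was changed": covers renaming a group
MEMBER_ADDED = {4728, 4732, 4756}

TARGET_GROUP = "esx admins"


def normalize(name: str) -> str:
    """Lower-case and collapse whitespace so variants such as 'ESX  Admins' still match.
    ESXi looks the group up by name, so attackers have little room to vary it."""
    return re.sub(r"\s+", " ", name.strip()).lower()


def find_esx_admins_abuse(events, window=timedelta(minutes=30)):
    """Flag creation of, rename to, or member additions to a group named 'ESX Admins'.

    A member add that follows a creation/rename within `window` is rated high:
    that is the sequence an attacker runs to mint an ESXi administrator."""
    alerts = []
    last_creation = None  # time the target group was most recently created or renamed
    for ev in sorted(events, key=lambda e: e["Time"]):
        if normalize(ev.get("Group", "")) != TARGET_GROUP:
            continue
        eid = ev["EventID"]
        when = datetime.fromisoformat(ev["Time"])
        if eid in GROUP_CREATED or eid in GROUP_CHANGED:
            last_creation = when
            reason = "group created" if eid in GROUP_CREATED else "group renamed/changed"
            severity = "medium"
        elif eid in MEMBER_ADDED:
            recent = last_creation is not None and when - last_creation <= window
            reason = "member added" + (" shortly after creation" if recent else "")
            severity = "high" if recent else "medium"
        else:
            continue
        alerts.append({
            "time": ev["Time"],
            "event_id": eid,
            "subject": ev["Subject"],
            "group": ev["Group"],
            "member": ev.get("Member"),
            "severity": severity,
            "reason": reason,
        })
    return alerts


# Constructed sample: one benign group creation, then the attack pattern twice
# (create-then-add by one account, rename-then-add much later by another).
SAMPLE_EVENTS = [
    {"EventID": 4727, "Time": "2024-08-20T09:00:00", "Subject": "CORP\\admin1", "Group": "HR Staff"},
    {"EventID": 4727, "Time": "2024-08-20T10:00:00", "Subject": "CORP\\svc_backup", "Group": "ESX Admins"},
    {"EventID": 4728, "Time": "2024-08-20T10:02:00", "Subject": "CORP\\svc_backup", "Group": "ESX Admins", "Member": "CORP\\jdoe"},
    {"EventID": 4737, "Time": "2024-08-20T11:30:00", "Subject": "CORP\\admin2", "Group": "esx  admins"},
    {"EventID": 4728, "Time": "2024-08-20T15:00:00", "Subject": "CORP\\admin2", "Group": "ESX Admins", "Member": "CORP\\contractor"},
]

if __name__ == "__main__":
    for a in find_esx_admins_abuse(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["severity"]:6} {a["event_id"]} {a["subject"]} {a["group"]!r} {a["reason"]}')
```

The rename branch matters because an attacker who cannot create groups may still be able to rename one they already control; the whitespace-tolerant match is a deliberately conservative heuristic, so treat medium alerts as review items and high ones as probable hands-on-keyboard activity.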

The State Department offers a $2.5 million reward for a major malware distributor. 

The U.S. Department of State announced a $2.5 million reward for information leading to the arrest of Volodymyr Kadariya, a Belarusian and Ukrainian national, involved in mass malware distribution. Kadariya, also known by several aliases, was indicted in June 2023 alongside Maksim Silnikau and Andrei Tarasov for wire fraud and computer fraud conspiracy. Kadariya allegedly participated in distributing the Angler Exploit Kit from 2013 to 2022, using malvertising and scareware ads to spread malware, including ransomware. Victims were deceived into downloading malicious software or providing personal information, which was then sold on Russian cybercrime forums. The scheme also involved selling access to compromised devices. Silnikau was recently extradited to the U.S. to face related charges.

A Swiss industrial manufacturer suffers a cyberattack. 

Schlatter Industries AG, a Swiss industrial manufacturer, experienced a significant disruption in its IT services due to a cyberattack involving malware on Friday. The company, a global leader in welding and weaving machines, reported that the attackers are attempting to blackmail them, likely demanding a ransom in exchange for encryption keys or to prevent the release of stolen data. While the specific malware wasn’t disclosed, the nature of the attack suggests it could be ransomware. Schlatter has involved internal specialists, external experts, and authorities to mitigate the damage and investigate the potential theft of data. 

The U.S. Marshals Service (USMS) responds to claims of data theft by the Hunters International ransomware gang. 

The U.S. Marshals Service (USMS) has investigated claims by the Hunters International ransomware gang, which recently posted 386 GB of sensitive data online, including files on gangs, FBI documents, and case information. USMS spokesperson Brady McCarron stated that the data does not stem from a new breach but is identical to information stolen during a ransomware attack on the agency in 2022. The Marshals Service confirmed that the 2022 incident was significant, though the group behind it was never identified. Hunters International, known for high-profile attacks, is now soliciting monetary offers for the stolen data until August 30. The USMS did not comment on whether they had received any ransom demands, and the investigation into last year’s hack remains ongoing. The gang’s recent actions have raised alarms due to their history of threatening victims to extort money.

Park’N Fly reports a data breach affecting 1 million customers. 

Park’N Fly, a major off-airport parking service provider in Canada, has reported a data breach affecting 1 million customers after hackers accessed its network using stolen VPN credentials in mid-July. The breach, which occurred between July 11 and July 13, 2024, exposed personal information such as full names, email addresses, physical addresses, Aeroplan numbers, and CAA numbers. However, no financial or payment card information was compromised. The company discovered the breach on August 1 and has since restored impacted systems while implementing additional security measures. Park’N Fly’s CEO, Carlo Marrello, expressed regret over the incident and emphasized their commitment to safeguarding customer data. Customers have been advised to watch for phishing attempts and consider resetting passwords, especially those linked to Air Canada’s frequent-flyer program. 

Black Lotus Labs documents the active exploitation of a zero-day vulnerability in Versa Director servers. 

Black Lotus Labs at Lumen Technologies discovered the active exploitation of a zero-day vulnerability (CVE-2024-39717) in Versa Director servers, used by internet and managed service providers to manage SD-WAN configurations. This vulnerability, affecting all Versa Director versions before 22.1.4, allows attackers to deploy a custom web shell named “VersaMem,” which intercepts credentials and runs additional Java code in-memory. The exploitation, linked to Chinese state-sponsored groups Volt Typhoon and Bronze Silhouette, began as early as June 2024 and targeted several U.S. and non-U.S. entities. Black Lotus Labs advises all Versa Director users to upgrade to version 22.1.4 or later and follow Versa Networks’ security advisories. Due to the severity and potential impact on strategic assets, Lumen Technologies has shared this intelligence with U.S. Government agencies.

Federal law enforcement agencies warn that Iran-based cyber actors continue to exploit U.S. and foreign organizations. 

The FBI, CISA, and the Department of Defense Cyber Crime Center have issued a joint Cybersecurity Advisory warning that Iran-based cyber actors continue to exploit U.S. and foreign organizations as of August 2024. These targets include sectors such as education, finance, healthcare, defense, and local governments in the U.S., as well as entities in Israel, Azerbaijan, and the UAE. The FBI assesses that these actors aim to gain network access and collaborate with ransomware affiliates to deploy ransomware, while also conducting cyber espionage for the Iranian government. The advisory provides detailed tactics, techniques, procedures, and indicators of compromise, urging organizations to implement recommended mitigations to defend against these ongoing threats. The guidance is based on FBI investigations and technical analysis of these malicious activities.

On today’s show, our guests are N2K's Chris Hare and George Monsalvatge introducing our new bi-weekly CertByte segments that kick off today on the CyberWire Daily podcast. Following the interview, enjoy the first installment of CertByte where Chris and George share a practice question and study tip about the PMP exam. 

We’ll be right back

Welcome back. You can hear new segments of CertByte every other week here on the CyberWire Daily. Our show notes have more details about the content Chris and George talked about. 

Precrime detectives root out election related misinformation before it happens. 

And finally, in a twist straight out of “Minority Report,” the cybersecurity firm BforeAI is playing the role of “precrime” detectives, just like the “precogs” from the movie, but with a digital twist. They’re not predicting murders, but they are spotting cybercrimes before they happen—specifically, election-related scams and misinformation campaigns. These cybercriminals are registering domains with candidate names like “Trump,” “Biden,” “Harris,” and “Kamala” to create believable phishing sites aimed at stealing personal and financial information or spreading propaganda. Some sites are laughably amateurish, while others are sophisticated enough to fool unsuspecting voters. BforeAI has even found some precrime sites linked to shady cryptocurrency schemes and others spreading spyware. While these bad actors seem more interested in making a quick buck than swinging an election, their tactics are a reminder that the digital Wild West is alive and well as we head toward the polls.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment on Jason and Brian’s show, every week. You can find “Grumpy Old Geeks” where all the fine podcasts are.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.