The CyberWire Daily Podcast 9.6.24
Ep 2145 | 9.6.24

Blizzard warning: Russia’s GRU unleashes new cyber saboteurs.

Transcript

Cadet Blizzard is part of Russia’s elite GRU Unit. Apache releases a security update for its open-source ERP system. SonicWall has issued an urgent advisory for a critical vulnerability. Researchers uncover a novel technique exploiting Linux’s Pluggable Authentication Modules. Google’s kCTF team has disclosed a critical security vulnerability affecting the Linux kernel’s netfilter component. Predator spyware has resurfaced. US health care firm Confidant Health exposes 5.3 terabytes of sensitive health information. Dealing with the National Public Data breach. On our Solution Spotlight: Mary Haigh [HAYG], Global CISO of BAE Systems, speaks with N2K's Simone Petrella about moving beyond the technical to build an effective cybersecurity team. An AI music streaming scheme strikes a sour note.

Today is Friday September 6th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Cadet Blizzard is part of Russia’s elite GRU Unit. 

A group of Western government agencies, including the US, UK, Ukraine, and others, revealed that a hacker group known as Cadet Blizzard is part of Russia’s GRU Unit 29155. This unit is infamous for acts of sabotage and assassination, including the attempted poisoning of Sergei Skripal and a failed coup in Montenegro. Recently, it seems to have developed its own cyber warfare team, separate from other GRU units like Fancy Bear and Sandworm. Since 2022, this new team has led cyber operations, including the Whispergate malware attack on Ukraine ahead of Russia’s invasion. The US Cybersecurity and Infrastructure Security Agency also issued a detailed advisory on Cadet Blizzard’s hacking methods. The US Department of Justice indicted five members, and the State Department offered a $10 million reward for information on the group. This underscores the increasing overlap between physical sabotage and cyber warfare in Russia’s tactics.

Apache releases a security update for its open-source ERP system. 

Apache released a security update for its open-source ERP system, OFBiz, addressing two critical vulnerabilities, including a patch bypass for previously exploited flaws. The bypass, CVE-2024-45195, allows unauthenticated attackers to execute code on affected Linux and Windows systems. This vulnerability is linked to three recently patched remote code execution (RCE) flaws (CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856), which share the same root cause—controller-view map state fragmentation. Rapid7 reported the patch bypass, warning that the underlying issue persists despite earlier fixes. The update, OFBiz version 18.12.16, implements additional authorization checks to prevent exploitation and also resolves CVE-2024-45507, a server-side request forgery (SSRF) flaw. Users are urged to update to the latest version, as attackers are actively targeting vulnerable systems.

SonicWall has issued an urgent advisory for a critical vulnerability. 

SonicWall has issued an urgent advisory for a critical vulnerability, CVE-2024-40766, affecting SonicOS management access and SSLVPN. This flaw, actively exploited in the wild, could allow unauthorized access or cause firewall crashes. It impacts Gen 5, Gen 6, and Gen 7 SonicWall devices running older SonicOS versions. Users are urged to apply the latest patches immediately. For those unable to patch, SonicWall recommends restricting firewall management and disabling SSLVPN access from the internet. The vulnerability has a high CVSS score of 9.3.

Researchers uncover a novel technique exploiting Linux’s Pluggable Authentication Modules. 

Group-IB’s DFIR team uncovered a novel technique exploiting Linux’s Pluggable Authentication Modules (PAM) to create persistent backdoors on compromised systems. This method, not yet in the MITRE ATT&CK framework, involves abusing the pam_exec module to execute malicious scripts during SSH authentication. By modifying PAM configurations, attackers can exfiltrate sensitive data, like usernames and authentication details, without leaving traces in system logs, making detection challenging. This technique allows unauthorized access and persistent control over affected systems. To defend against this threat, organizations should implement proactive measures like Privilege Management for Unix & Linux (PMUL) and file integrity monitoring (FIM) to detect suspicious changes. The discovery highlights the risks of PAM’s flexibility and modularity.
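The file integrity monitoring the segment recommends can be narrowed to the specific artefact this technique leaves behind: a pam_exec.so line in a PAM stack that points at an unexpected script. The following is an added example, not code from Group-IB or the show; the sshd PAM excerpt is constructed, and the EXPECTED_SCRIPT_DIRS allowlist is a hypothetical per-host setting.

```python
"""Flag pam_exec.so entries in PAM configuration text (added detection example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical allowlist: directories where this host legitimately keeps pam_exec scripts.
EXPECTED_SCRIPT_DIRS = ("/usr/lib/pam_exec/", "/usr/local/sbin/")

# facility  control  module  [args...]   (control may be a bracketed expression)
PAM_LINE = re.compile(r"^\s*(auth|account|password|session)\s+(\[[^\]]+\]|\S+)\s+(\S+)(.*)$")

@dataclass
class PamExecEntry:
    line_no: int
    facility: str
    control: str
    script: Optional[str]   # first absolute path after the module name
    options: tuple          # module options such as quiet, seteuid, expose_authtok
    suspicious: bool

def find_pam_exec(config_text: str) -> list:
    """Return every pam_exec.so entry, marking those a reviewer should inspect."""
    entries = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop comments before matching
        m = PAM_LINE.match(line)
        if not m or not m.group(3).endswith("pam_exec.so"):
            continue
        facility, control, _module, rest = m.groups()
        args = rest.split()
        script = next((a for a in args if a.startswith("/")), None)
        opts = tuple(a for a in args if not a.startswith("/"))
        # expose_authtok hands the typed credential to the script on stdin,
        # so it is treated as high-risk regardless of where the script lives.
        suspicious = (script is None
                      or not script.startswith(EXPECTED_SCRIPT_DIRS)
                      or "expose_authtok" in opts)
        entries.append(PamExecEntry(no, facility, control, script, opts, suspicious))
    return entries

# Constructed /etc/pam.d/sshd excerpt: one benign MOTD hook, one entry worth a look.
SAMPLE_SSHD_PAM = """\
auth       required     pam_env.so
auth       optional     pam_exec.so expose_authtok quiet /tmp/.cache/update.sh
account    required     pam_nologin.so
session    optional     pam_exec.so seteuid /usr/lib/pam_exec/motd.sh
"""

if __name__ == "__main__":
    for e in find_pam_exec(SAMPLE_SSHD_PAM):
        print(f"line {e.line_no}: {e.facility} {e.script} {'SUSPICIOUS' if e.suspicious else 'ok'}")
```

Run it against the real /etc/pam.d/* files (and /etc/pam.conf) from a baseline snapshot and from the live host; any new or changed entry is the signal the FIM is meant to surface.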

Google’s kCTF team has disclosed a critical security vulnerability affecting the Linux kernel’s netfilter component.

Google’s kCTF team has disclosed a critical security vulnerability, CVE-2024-26581, affecting the Linux kernel’s netfilter component, specifically the nft_set_rbtree module. Rated with a CVSS 3.1 score of 7.8, this high-severity flaw arises from improper handling of end interval elements during garbage collection in the rbtree data structure. This issue can lead to unauthorized access or execution of malicious code. The vulnerability impacts multiple Linux kernel versions, but patches have been released for distributions like Ubuntu and Debian. Google has also released a proof-of-concept (PoC) on GitHub to raise awareness and aid security professionals in mitigating the risk. System administrators are urged to apply the latest patches to protect against potential exploitation. This discovery highlights the need for proactive security measures and timely updates to maintain the integrity of Linux systems globally.

Predator spyware has resurfaced. 

After a period of low visibility, the Predator spyware has resurfaced, according to research from Recorded Future’s Insikt Group. The spyware, developed by Intellexa, has previously targeted high-profile individuals such as U.S. Congress members and United Nations officials. New infrastructure linked to Predator was discovered, with likely customers in Angola, Saudi Arabia, and the Democratic Republic of the Congo (DRC). Intellexa’s operations were affected by U.S. sanctions and public exposure, forcing them to adapt their tactics, but they continue with minimal changes. Recorded Future identified Predator activity in the DRC, possibly linked to government use, particularly in conflict-affected regions like the eastern provinces. 

US health care firm Confidant Health exposes 5.3 terabytes of sensitive health information.

Security researcher Jeremiah Fowler uncovered a major data breach involving the US health care firm Confidant Health, exposing 5.3 terabytes of sensitive health information. The unprotected database contained over 120,000 files and 1.7 million activity logs, including audio and video of therapy sessions, psychiatric reports, and personal medical histories. Patients’ deeply private details, such as addiction struggles and family traumas, were accessible, along with administrative records like ID and insurance cards. Confidant Health, operating in states like Connecticut, Florida, and Texas, offers addiction recovery and mental health services. Fowler alerted the company, which secured the database within an hour. However, some files had password protection, while others did not. Confidant Health’s cofounder emphasized the company’s commitment to security and expressed concern over the “sensational” portrayal of the breach.

Dealing with the National Public Data breach. 

Author Matthew Rosenquist penned a piece for Security Boulevard describing his significant challenges in dealing with the National Public Data breach, which exposed sensitive personal information, including his own. As a California resident, he has the legal right to demand data deletion, but his experience with their opt-out process has been frustrating. After confirming his data was compromised, Rosenquist followed instructions to opt out, only to encounter an unresponsive automated system and vague reassurances through voicemail. Adding to his frustration, privacy requests are directed to a sales email, raising doubts about whether his request will be properly handled. Rosenquist suspects the complex, unhelpful process may be a deliberate attempt to discourage data deletion requests, which could pose a legal liability for the company. He expresses concern about privacy rights and wonders if others have had success navigating the process or if a class-action lawsuit might be underway.


Next, on our Solution Spotlight segment, Mary Haigh, Global CISO of BAE Systems, speaks with N2K President Simone Petrella about moving beyond the technical to build a cybersecurity team.

We’ll be right back

Welcome back

An AI music streaming scheme strikes a sour note. 

And finally, our streaming media desk tells us of the story of Michael Smith, a North Carolina musician, who hit the jackpot—but not in the way you’d expect. Between 2017 and 2024, Smith allegedly raked in over $10 million in royalties from Spotify, Apple Music, Amazon Music, and YouTube by streaming AI-generated songs with the help of thousands of bots. That’s right—he created a digital orchestra of automated listeners.

With the assistance of an AI music company CEO and a music promoter, Smith uploaded hundreds of thousands of AI-created tracks to these platforms. Using virtual private networks (VPNs) to avoid detection, his bots streamed the songs billions of times. He even emailed his team about needing “a TON of songs” to outsmart anti-fraud policies.

Smith’s clever math saw him earning over $3,000 a day in royalties, totaling $12 million from 4 billion fake streams. Now, though, the melody has soured—he faces charges of wire fraud and money laundering, with up to 20 years in prison awaiting him.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.