
Operation Magnus strikes back.
Operation Magnus disrupts notorious infostealers. Pennsylvania officials debunk election disinformation attributed to Russia. TeamTNT targets Docker daemons. Delta sues CrowdStrike. NVIDIA released a critical GPU Display Driver update. Fog and Akira ransomware exploit SonicWall VPNs. A researcher demonstrates Downgrade attacks against Windows systems. Qilin ransomware grows more evasive and disruptive. Pwn2Own Ireland awards over $1 million for more than 70 zero-day vulnerabilities. Our guest is Grant Geyer, Chief Strategy Officer at Claroty, talking about safeguarding our nation's critical food infrastructure. At long last, it’s legal to fix your McFlurry.
Today is Monday, October 28th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Operation Magnus disrupts notorious infostealers.
In a landmark operation, the Dutch National Police, the FBI, and international partners dismantled the infrastructure behind the Redline and Meta infostealer malware. This campaign, called Operation Magnus, targeted two notorious malware strains that had been stealing sensitive data like passwords and credit card information worldwide. Redline, an affordable malware tool, has been extensively used to steal data like passwords, cryptocurrency wallets, and authentication cookies, while Meta, an upgraded version launched in 2022, was designed to expand upon Redline’s capabilities.
Through this seizure, law enforcement now holds vast amounts of data tied to the malware’s users, including account credentials, IP addresses, and activity timestamps, making future arrests and prosecutions likely. Authorities also gained access to crucial backend systems, such as source code, license servers, and Telegram bots, suggesting a unified infrastructure between Redline and Meta. Speculation has arisen that both malware strains could share the same creators, with further information expected to be disclosed on the Operation Magnus website.
The operation, verified by Europol and the UK’s NCA, disrupts the activities of those behind these tools and sends a warning to cybercriminals: their identities and actions are no longer hidden. With support from agencies like the NCIS, DOJ, and law enforcement in Portugal and Belgium, Operation Magnus exemplifies the strength of international cooperation in fighting cybercrime, underscoring the law enforcement community’s commitment to countering threats from information-stealing malware.
Pennsylvania officials debunk election disinformation attributed to Russia.
In Pennsylvania, a video falsely depicting ballot destruction circulated on social media, leading officials to warn it was a disinformation effort attributed to Russian actors. The video, posted on X and other platforms, showed an individual allegedly destroying ballots for Donald Trump while preserving those for Kamala Harris, but the Bucks County Board of Elections quickly dismissed it as fake, pointing out inconsistencies in the materials shown. Federal agencies, including the FBI, identified the video as part of Moscow’s attempts to question U.S. election integrity and stir division.
Disinformation researcher Darren Linvill linked the video to Storm-1516, a Russian group known for similar tactics. This network aims to influence American political discourse through staged videos and misinformation campaigns. Additionally, domestic disinformation surfaced as Pennsylvania officials debunked unfounded claims of voter fraud involving nuns. As Pennsylvania remains a crucial swing state, it is expected to be a major target for foreign and domestic influence campaigns leading up to the election.
For further insights into Disinformation and Misinformation in the U.S. election, check out our 3-part mini-series, DisMis. Rick Howard sits down with election experts to navigate the 2024 Presidential election's information storm, offering a toolkit to help you distinguish between deceptive narratives and legitimate content in today’s rapidly shifting election security landscape. It is worth your time.
Today, we’ve got Infinidat’s Eric Herzog on our Industry Voices segment. Eric and I discussed merging cybersecurity and cyber storage resilience.
TeamTNT targets Docker daemons.
Cybersecurity researchers at Aqua Nautilus have identified a new hacking campaign by the notorious group Adept Libra, also known as TeamTNT, which exploits exposed Docker daemons to deploy Sliver malware, cryptominers, and other malicious tools. TeamTNT hijacks resources for cryptocurrency mining by compromising Docker Hub accounts.
Using a tool dubbed “Docker Gatling Gun,” TeamTNT scans millions of IPs for Docker daemon vulnerabilities on specific ports. Once accessed, they execute a malicious script that sets up further attacks, often searching for credentials and scanning networks. To evade detection, they disguise processes under familiar names and rely on Sliver malware for stealth.
This attack underscores TeamTNT’s evolving tactics and the importance of robust cybersecurity, especially for organizations using Docker or cloud-native environments.
Delta sues CrowdStrike.
Delta Air Lines has filed a lawsuit against cybersecurity firm CrowdStrike, blaming its software for the July outage that led to 7,000 flight cancellations and $380 million in losses. Delta alleges that a faulty CrowdStrike update bypassed its disabled auto-update feature, affecting its systems and triggering widespread disruptions. Despite CrowdStrike CEO George Kurtz’s apology, Delta accuses the company of neglecting proper testing, claiming it prioritized profits over reliability.
CrowdStrike disputes Delta’s claims, labeling them as “misinformation” and arguing that the airline’s outdated IT infrastructure slowed its recovery compared to other airlines affected by the outage. CrowdStrike maintains that its liability should be capped at $10 million and accuses Delta of misrepresenting the incident to deflect from its own IT shortcomings.
NVIDIA released a critical GPU Display Driver update.
NVIDIA released a critical security update last week for its GPU Display Driver to address vulnerabilities allowing remote code execution, privilege escalation, and other risks on Windows and Linux. Users should update immediately to mitigate these high-severity vulnerabilities, which could lead to data tampering, denial of service, and information disclosure. Key vulnerabilities, such as CVE-2024-0126, pose significant security risks and affect both OS platforms.
Fog and Akira ransomware exploit SonicWall VPNs.
Fog and Akira ransomware groups are increasingly breaching corporate networks through unpatched SonicWall VPN vulnerabilities, specifically exploiting a critical flaw in SonicOS. Despite a patch issued in August 2024, attacks continue as many endpoints remain unpatched. Arctic Wolf reports that Akira and Fog have conducted at least 30 intrusions using SonicWall VPNs, with Akira responsible for 75% of cases. The two groups appear to share infrastructure, indicating an ongoing, unofficial collaboration.
Attacks rapidly escalate from intrusion to encryption, sometimes within two hours, often bypassing security by using VPN or VPS services to hide their IP addresses. Most targeted organizations lacked multi-factor authentication and ran the vulnerable VPN on default ports. The ransomware groups primarily encrypted virtual machines and recent data, leaving older files untouched. Approximately 168,000 SonicWall endpoints remain exposed, and Black Basta may also be exploiting the same flaw in recent attacks.
A researcher demonstrates Downgrade attacks against Windows systems.
A vulnerability in Windows allows attackers to downgrade security-critical components, bypassing protections like Driver Signature Enforcement (DSE) to install rootkits on fully patched systems. SafeBreach researcher Alon Leviev demonstrated how attackers with admin access could exploit the Windows Update process to reintroduce outdated, vulnerable software. This approach, termed “ItsNotASecurityBoundary”, bypasses kernel security enhancements, allowing for rollback attacks that compromise even the latest Windows 11 versions.
Using Leviev’s tool Windows Downdate, attackers can re-enable vulnerabilities in components like ‘ci.dll’, critical for enforcing DSE, thereby facilitating rootkit deployment and disabling security checks. Additionally, attackers can disable Virtualization-Based Security (VBS) protections by modifying registry keys, exposing secure kernel elements to attack.
Microsoft acknowledged the risk and plans mitigations but views admin access as outside traditional security boundaries. Until a fix is ready, Leviev urges security teams to monitor for downgrade attacks, which remain a significant threat.
Qilin ransomware grows more evasive and disruptive.
The Qilin ransomware group, also known as Agenda, has released a new variant, Qilin.B, enhancing its capabilities to evade detection and disrupt defenses. The ransomware, deployed in high-profile attacks like the July incident against the U.K.’s NHS provider Synnovis, uses advanced encryption methods (AES-256-CTR and ChaCha20) tailored for different system architectures, making decryption virtually impossible without the private keys. Written in Rust, the ransomware’s structure resists reverse engineering, making it hard to analyze.
Qilin.B aggressively disrupts backup systems, especially targeting Windows Volume Shadow Copy, while disabling security and virtualization tools from vendors like Sophos, Acronis, and Veeam. It begins by gaining administrative privileges, clearing event logs, and deleting itself to minimize forensic traces. Encrypted files are marked with a unique extension linked to a “company_id,” with ransom instructions provided in a Tor-accessible note, making recovery without insider knowledge unfeasible.
Pwn2Own Ireland awards over $1 million for more than 70 zero-day vulnerabilities.
At the inaugural Pwn2Own Ireland event, a Vietnamese team from Viettel Cyber Security claimed the top prize, winning $205,000 for discovering exploits in multiple products, including TrueNAS storage, Lorex cameras, QNAP routers, and HP and Lexmark printers. The event, hosted by Trend Micro’s Zero Day Initiative (ZDI) in Cork, awarded over $1 million for more than 70 zero-day vulnerabilities, with findings set to be disclosed to vendors for patching.
End users will benefit from the competition’s outcomes, as identified vulnerabilities lead to security enhancements in affected devices. The competition saw growing manufacturer participation, aiming to safeguard their products against future cyber threats. Meta joined as a sponsor, though no workable exploits were found for WhatsApp in the new Messenger App category. The next Pwn2Own will take place in Tokyo in January 2025, focusing on vulnerabilities in automotive systems, including Tesla and electric vehicle chargers.
Our guest is Claroty’s Chief Strategy Officer Grant Geyer talking with me about safeguarding our nation's critical food infrastructure. We’ll be right back.
Welcome back. You can find a link to some background information on issues affecting the security of the nation's critical food infrastructure in our show notes.
At last, it’s legal to fix your McFlurry.
And finally, good news for ice cream lovers and DIY repair fans: it’s now legal to hack McFlurry machines and certain other restaurant equipment, thanks to a new federal rule. Frustrated with Taylor ice cream machines constantly breaking down? Now, McDonald’s franchises can legally bypass software locks to fix them without waiting for authorized repair professionals. The same goes for other commercial kitchen devices that might be racking up downtime due to pesky “technical protection measures” (TPMs).
This exemption, part of an updated Section 1201 of the DMCA, also extends to medical devices, preventing manufacturers from monopolizing repair services. The Copyright Office was inspired by years of McFlurry malfunctions and persistent franchise workarounds.
But there’s a catch: while bypassing locks is now legal, selling or sharing the necessary tools isn’t, meaning most franchise owners won’t find it easy to repair machines independently. iFixit CEO Kyle Wiens calls it a “mixed bag,” emphasizing the need for Congress to fully legalize repair. While the door is technically open, many small businesses may still find it hard to step through without those specialized tools.
Now if we can just find a way to convince McDonald’s to offer the McRib year round. And the Shamrock Shake. And that Rick and Morty Szechuan sauce.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.