The CyberWire Daily Podcast 11.15.24
Ep 2191 | 11.15.24

One tap, total access: Pegasus exploits unveiled.

Transcript

Unredacted court filings from WhatsApp’s 2019 lawsuit against NSO Group reveal the scope of spyware infections. Glove Stealer can bypass App-Bound Encryption in Chromium-based browsers. Researchers uncover a new zero-day vulnerability in Fortinet’s FortiManager. Rapid7 detects an updated version of LodaRAT. CISA warns of active exploitation of Palo Alto Networks’ Expedition tool. Misconfigured Microsoft Power Pages accounts expose sensitive data. Iranian state hackers mimic North Koreans in fake job scams. Australia warns its critical infrastructure providers about state sponsored embedded malware. An especially cruel cybercriminal gets ten years in the slammer. Guest Ambuj Kumar, Co-founder and CEO of Simbian, joins us to discuss how AI Agents may change the cyber landscape. We’re countin’ down the top ten least secure passwords.

Today is Friday, November 15th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Unredacted court filings from WhatsApp’s 2019 lawsuit against NSO Group reveal the scope of spyware infections. 

Unredacted court filings from WhatsApp’s 2019 lawsuit against NSO Group reveal that the Israeli spyware firm used its Pegasus tool to infect 1,400 devices, targeting journalists, human rights activists, and political dissidents. Pegasus, a zero-click spyware, exploited WhatsApp vulnerabilities to gain full access to targeted phones. NSO developed methods, including the “Eden” and “Heaven” exploits, by reverse-engineering WhatsApp’s code and creating a fake client to bypass security measures.

NSO admitted to creating a WhatsApp Installation Server (WIS) to impersonate the app and deploy spyware. Despite WhatsApp’s updates thwarting these exploits, NSO adapted, allowing its government clients to easily target devices by entering phone numbers. Pegasus provided turnkey access, retrieving data with no technical input from users, according to depositions.

Notably, Pegasus was allegedly used against Dubai’s Princess Haya amid human rights violations by Sheikh Mohammed bin Rashid Al Maktoum. WhatsApp vows to hold NSO accountable for violating U.S. laws and user privacy.

Glove Stealer can bypass App-Bound Encryption in Chromium-based browsers. 

A new malware, Glove Stealer, can bypass App-Bound Encryption in Chromium-based browsers, a security mechanism introduced in Chrome 127 to protect cookies. Written in .NET, the malware exfiltrates sensitive data like credentials, cookies, and information from cryptocurrency wallets, password managers, email clients, and over 80 local applications. It also targets data in 280 browser extensions.

Glove Stealer exploits the IElevator service, unique to each browser, to harvest and decrypt encryption keys. While primarily affecting Chromium browsers like Chrome, Edge, and Brave, it also targets Opera, Yandex, and CryptoTab.

Delivered via phishing emails with malicious HTML attachments, the malware tricks victims into running scripts that execute the infostealer. It then gains administrative privileges, downloads additional modules, and exfiltrates protected data through a command-and-control server.

Researchers uncover a new zero-day vulnerability in Fortinet’s FortiManager. 

Security firm watchTowr has uncovered a new zero-day vulnerability in Fortinet’s FortiManager, dubbed FortiJump Higher. This flaw enables privilege escalation from a managed FortiGate device to control the central FortiManager instance, potentially compromising entire Fortinet-managed fleets.

FortiJump Higher resembles an earlier vulnerability, FortiJump (CVE-2024-47575), which allowed remote code execution on FortiManager via unauthenticated crafted requests. FortiJump carries a CVSS score of 9.8 and has been actively exploited, often alongside CVE-2024-23113.

watchTowr claims Fortinet’s patch for FortiJump missed key exploit methods, leaving systems vulnerable. Attackers could exploit these flaws to escalate privileges and compromise entire networks.

Rapid7 detects an updated version of LodaRAT. 

Rapid7 has detected a malware campaign featuring an updated version of LodaRAT, a remote access tool first observed in 2016. This new version can steal cookies and credentials from Microsoft Edge and Brave browsers. Written in AutoIt, LodaRAT retains its core functions, such as screen capturing, webcam control, data exfiltration, and delivering additional payloads, but it hasn’t seen major updates since 2021.

The malware is now distributed via DonutLoader and Cobalt Strike and often masquerades as legitimate software like Discord or Skype. Rapid7 also found LodaRAT on systems infected with other malware families, though its distribution method remains uncertain. Unlike earlier targeted campaigns, this version has global reach.

By tweaking older code, attackers demonstrate that even legacy malware can remain effective, emphasizing the need for vigilance and timely patching.

CISA warns of active exploitation of Palo Alto Networks’ Expedition tool. 

CISA has issued an alert about new vulnerabilities in Palo Alto Networks’ Expedition tool being exploited in the wild. Initially, the agency warned of a critical flaw that allowed attackers to take over administrator accounts and access sensitive credentials. Now, two additional vulnerabilities have come to light.

The first newly exploited flaw allows attackers to run operating system commands as root, exposing cleartext credentials, device configurations, and API keys. The second lets attackers manipulate the database to extract sensitive information and create or read files on the system—all without authentication.

These issues come alongside news of an unrelated zero-day remote code execution vulnerability affecting Palo Alto firewalls. The attacks don’t appear connected.

Misconfigured Microsoft Power Pages accounts expose sensitive data. 

Organizations are unintentionally exposing sensitive data online due to misconfigured access controls in Microsoft Power Pages, a popular low-code website creation tool. Aaron Costello of AppOmni discovered these issues, revealing leaks of personal and organizational data caused by excessive permissions granted to “authenticated users,” often treated as internal despite public registration options.

One notable case involved a UK National Health Service provider inadvertently exposing data for over 1.1 million employees, including email addresses and home addresses. While this issue was fixed, other organizations globally—spanning health, finance, and tech sectors—are also affected.

Costello attributed most leaks to overly permissive database settings, such as global access or unprotected columns. Despite Microsoft warnings about risky configurations, complex access controls and column security setups are often ignored, leaving sensitive information vulnerable to exploitation.

Iranian state hackers mimic North Koreans in fake job scams. 

Iranian state hackers, tracked as TA455 or APT35, are mimicking North Korean tactics to target the aerospace industry with fake job offers. Using platforms like LinkedIn and malicious domains such as careers2find.com, these hackers create convincing recruiter profiles to lure victims into downloading malware called SnailResin.

This campaign mirrors North Korea’s “Operation Dream Job,” employing DLL side-loading techniques and malicious ZIP files disguised as job-related documents. These files have low antivirus detection rates, increasing their effectiveness.

Hackers encode command-and-control data on GitHub and leverage Cloudflare to mask their infrastructure, making tracking difficult. ClearSky researchers suggest Pyongyang may have shared tools or methods with Tehran, given the overlap in techniques. By exploiting trust-based platforms, TA455 circumvents traditional security measures and infiltrates networks under the guise of legitimate activity.

Australia warns its critical infrastructure providers about state sponsored embedded malware. 

The Australian government is warning critical infrastructure providers about state-sponsored cyber actors embedding malware in networks to disrupt national security during crises or military conflicts. The Cyber and Infrastructure Security Centre (CISC) highlighted threats posed by foreign actors compromising systems without immediate espionage value to enable strategic disruption.

The Five Eyes alliance previously warned about China-sponsored Volt Typhoon, which infiltrated U.S. critical infrastructure sectors like energy, water, and telecoms to prepare for potential attacks. These actors employ stealthy “living off the land” techniques, using built-in tools to evade detection and blend into normal network activity.

In response, Australia expanded its critical infrastructure protections, requiring designated operators to enhance incident response, fix vulnerabilities, and share system data. Legislative updates also empower regulators to enforce risk management and support cybersecurity resilience across interconnected systems.

An especially cruel cybercriminal gets ten years in the slammer. 

Robert Purbeck, a 45-year-old from Idaho, has been sentenced to 10 years in prison for a series of cybercrimes targeting medical facilities and other organizations. Over seven years, Purbeck hacked systems, stole sensitive personal data, and extorted victims, causing devastating financial and emotional harm. His crimes impacted at least 19 victims, including medical practices, a safe house for domestic violence survivors, and public institutions.

Using aliases like “LifeLock” and “Studmaster,” Purbeck sent threatening emails to extort payments, often targeting individuals’ families. In one case, he harassed a dentist, threatening to expose patients’ data and even referenced the dentist’s child to intimidate compliance. Another victim, an orthodontist, suffered significant losses and had to sell their practice due to Purbeck’s relentless harassment.

The FBI seized Purbeck’s devices in 2019, revealing data from 132,000 people.

Targeting a safe house for women and children fleeing domestic violence is particularly vile, turning a refuge into a potential danger zone. 


Our guest today is Co-Founder and CEO of Simbian, Ambuj Kumar, talking about how AI Agents are going to change the cyber landscape. We’ll be right back.

Welcome back.

We’re countin’ down the top ten least secure passwords. 

And finally, the folks at NordPass have released their annual list of the 200 most common passwords. So sit down, tune in your favorite FM radio, and let’s review the list…

“Welcome back to our Countdown… if you’re just joining us, we’re not talking about the latest pop hits. Nope, we’re diving into the top ten passwords people are using in the U.S.! That’s right, folks, these are the biggest security slip-ups on repeat, year after year. So, grab a seat, secure your logins, and let’s count down from number 10 to number 1!”

“Starting off our list at Number 10, it’s a classic combo that just won’t quit: abc123! With over 44,000 people using it, this one’s cracked faster than you can say, ‘weak password.’”

“Coming in at Number 9, it’s… 12345! Now, I don’t know what’s shorter, this password or the time it takes to crack it — less than a second! With nearly 50,000 users, this one’s practically an invitation.”

“Sliding into the Number 8 spot is another familiar sequence — 12345678. Over 52,000 people use this one, and hackers can break through it before you can even blink.”

“Lucky Number 7? It’s password1! Clever, right? Or not so much. With around 55,000 users, it’s one of the easiest passwords for hackers to guess, clocking in at under a second to crack.”

“At Number 6, we’ve got the classic 123456789. Almost 90,000 people keep going up in numbers, thinking it’ll somehow protect them more… Spoiler alert: it doesn’t!”

“Moving into the Top 5 now, things are getting real predictable! Number 5 is qwerty1! That’s right, it’s what’s right there on your keyboard, just waiting to be hacked. Over 200,000 people are using it!”

“At Number 4, say hello to qwerty123! A crowd favorite with over 209,000 users, and yes, it’s still cracked in less than a second. They should really call this the ‘gateway password.’”

“Now, folks, the Top 3! Taking the third spot is simply… password. Yep, you heard that right! It’s got 227,000 users thinking they’re safe. But with a crack time under one second, it’s more like an open door.”

“Number 2 might sound familiar — 123456! Over a quarter million people are relying on this one. I guess they like to keep things simple… but so do hackers.”

“And finally, America, the Number 1 most-used password — drumroll, please! 🥁 It’s secret! Yes, the least secret ‘secret’ ever. Over 328,000 people use it, but it’s cracked in less than a second! If you’re using it, it’s time to change that ‘secret’ into something actually secure.”

“So, there you have it, folks — America’s Top 10 Passwords! If any of these sound familiar, it might be time for an upgrade. Remember, a strong password is your first line of defense. So here’s a reminder to keep your feet on the ground and your passwords long and random.”

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


HH Technical.ly Award voting plea:

Shameless plug time!! On behalf of myself and my amazing Hacking Humans co-hosts, Maria Varmazis and Joe Carrigan, we are hoping to earn your vote. I know you all thought the election was over, and it is, but our hosting team was nominated in the Creator of the Year category in the 2024 Technical.ly Awards for the Baltimore region. We'd love your support! There's a link in our show notes to cast your vote. Make sure you choose the "Baltimore" region on your ballot (that is where our nomination is). And, do be quick about it, voting ends on Monday, November 18th!


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.