Novel attacks and creative phishing angles.
APT28 uses a novel technique to breach organizations via nearby WiFi networks. Your Apple ID is (not) suspended. UK highlighting Russian threats at NATO Cyber Defence Conference. US senators request an audit of TSA's facial recognition technology. Supply chain software company sustains ransomware attack. Critical QNAP vulnerability could allow remote code execution. Outdated Avast Anti-Rootkit driver exploited. No more internet rabbit holes for China. Guest Lesley Carhart from Dragos on "The Shifting Landscape of OT Incident Response." Stop & Shop turns cyber oops into coffee and cookies.
Today is November 25th, 2024. I’m Maria Varmazis, host of the T-Minus Space Daily podcast, in for Dave Bittner. And this is your CyberWire Intel Briefing.
APT28 uses novel technique to breach organizations via nearby WiFi networks.
In early 2022, cybersecurity firm Volexity uncovered a sophisticated cyber-espionage operation by the Russian group APT28, also known as Fancy Bear. This operation, termed the "Nearest Neighbor Attack," involved the group compromising multiple organizations in close proximity to their primary target, referred to as Organization A. After obtaining valid credentials through password-spraying attacks, the attackers faced multi-factor authentication barriers on Organization A's public-facing services. To circumvent this, they infiltrated a neighboring entity, Organization B, and exploited a dual-homed system connected via Ethernet and Wi-Fi. By leveraging this system's Wi-Fi adapter, they accessed Organization A's enterprise Wi-Fi network, effectively bridging the gap without physical presence. Further investigation revealed that the attackers had also compromised a third nearby organization, Organization C, using similar tactics. This method allowed APT28 to infiltrate their target's network remotely, highlighting the need for robust Wi-Fi security measures and vigilance against such innovative attack vectors.
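The first stage described above, password spraying against a public-facing service, leaves a recognisable pattern in authentication logs: one source, many distinct accounts, one or two attempts each. The detector below is an added example, not code from the briefing or from Volexity; the log line format, the sample lines, the source addresses and the thresholds are all constructed assumptions. It reports sources that match the spray pattern within a time window, and then lists accounts that later authenticated successfully from such a source, which are the ones for which a guessed password worked and MFA became the remaining barrier.

```python
"""Password-spray detection over constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source IP> <username> <result>".
# 203.0.113.7 tries seven accounts once each; 198.51.100.4 is one user
# mistyping their own password (not a spray).
SAMPLE_LOG = """\
2024-11-25T08:00:01 203.0.113.7 alice FAIL
2024-11-25T08:00:03 203.0.113.7 bob FAIL
2024-11-25T08:00:05 203.0.113.7 carol FAIL
2024-11-25T08:00:07 203.0.113.7 dave FAIL
2024-11-25T08:00:09 203.0.113.7 erin FAIL
2024-11-25T08:00:11 203.0.113.7 frank FAIL
2024-11-25T08:00:13 203.0.113.7 grace SUCCESS
2024-11-25T08:01:00 198.51.100.4 alice FAIL
2024-11-25T08:01:05 198.51.100.4 alice FAIL
2024-11-25T08:01:10 198.51.100.4 alice SUCCESS
"""


def parse_log(text):
    """Parse the assumed four-field format into (timestamp, ip, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted usernames} for sources whose failures, within
    any `window`, hit at least `min_users` distinct accounts with no more than
    `max_per_user` attempts against any one of them (the spray signature)."""
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))

    hits = defaultdict(set)
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                hits[ip].update(counts)
    return {ip: sorted(users) for ip, users in hits.items()}


def successes_from_spray_sources(events, hits):
    """Accounts that authenticated successfully from a spraying source: these
    are the credentials to reset and the logons to review first."""
    return sorted({user for _, ip, user, result in events
                   if ip in hits and result == "SUCCESS"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = detect_spray(evts)
    print("spray sources:", found)
    print("successful logons from those sources:",
          successes_from_spray_sources(evts, found))
```

The thresholds deliberately ignore the classic brute-force shape (many attempts on one account), which the second source shows; lockout policies catch that case, whereas a spray stays under per-account lockout thresholds by design.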
Your Apple ID is (not) suspended.
As Black Friday approaches, scammers are out there looking for every angle to get into your wallet. A recent phishing scam is targeting Apple users with emails falsely claiming that their Apple ID has been suspended. This attack is highly believable, and at a time when consumers feel pressed for time to lock in their best deal, they may be tricked into action. These deceptive messages aim to trick recipients into providing personal information or clicking malicious links. Apple warns users to protect themselves and be cautious of unsolicited emails, especially those requesting sensitive data or urging immediate action. Always verify the authenticity of such communications by contacting Apple directly through official channels.
UK highlighting Russian threats at NATO Cyber Defence Conference.
On November 25, 2024, UK Cabinet Office Minister Pat McFadden addressed the NATO Cyber Defence Conference in London, highlighting the escalating cyber threats posed by Russia. He emphasized that Russian cybercriminals are increasingly targeting nations supporting Ukraine, utilizing advanced technologies like artificial intelligence (AI) to enhance their attacks. To counter these threats, McFadden announced the establishment of the Laboratory for AI Security Research, backed by an initial £8.22 million investment. This initiative aims to develop sophisticated cyber defense tools and promote intelligence sharing among NATO allies. McFadden underscored the necessity for NATO and its members to remain vigilant and proactive in the evolving "AI arms race," ensuring robust defenses against potential cyberattacks on critical infrastructure.
US senators request audit of TSA's facial recognition technology.
A bipartisan group of US senators last week sent a letter to the Department of Homeland Security's inspector general requesting an audit of the Transportation Security Administration's (TSA's) use of facial recognition technology, according to The Record. The letter stated, "This technology will soon be in use at hundreds of major and mid-size airports without an independent evaluation of the technology’s precision or an audit of whether there are sufficient safeguards in place to protect passenger privacy. TSA has not provided Congress with evidence that facial recognition technology is necessary to catch fraudulent documents, decrease wait times at security checkpoints, or stop terrorists from boarding airplanes." The senators added that "this program could become one of the largest federal surveillance databases overnight without authorization from Congress."
The letter asks DHS Inspector General Joseph Cuffari "to thoroughly evaluate TSA's facial recognition program and report your findings to Congress before it becomes the default form of passenger verification at security checkpoints."
Supply chain software company sustains ransomware attack.
US-based supply chain management software company Blue Yonder sustained a ransomware attack last week, disrupting its services to several grocery store chains in the US and UK. Morrisons and Sainsbury's supermarkets in the UK have both confirmed outages related to the incident. The incident led to challenges in the flow of goods to stores. Blue Yonder's Azure public cloud services remained unaffected. The company is collaborating with external cybersecurity experts to investigate and recover from the attack, implementing defensive and forensic protocols to safeguard its systems. As of November 24, Blue Yonder reported continued progress in restoration efforts but has not provided a definitive timeline for full recovery.
Critical QNAP vulnerability could allow remote code execution.
A critical vulnerability has been identified in QNAP's Network Attached Storage (NAS) devices, potentially allowing attackers to execute remote code. This flaw, designated as CVE-2024-27130, stems from a stack buffer overflow in the 'No_Support_ACL' function within the 'share.cgi' script. Exploitation requires the attacker to obtain a valid 'ssid' parameter, typically generated when a NAS user shares a file. QNAP has addressed this issue in QTS 5.1.7.2770 build 20240520 and later, and QuTS hero h5.1.7.2770 build 20240520 and later. Users are strongly advised to update their systems promptly to mitigate potential risks.
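For anyone checking a fleet of QNAP devices against the fixed versions named above, the snippet below is an added example (not QNAP's tooling and not from the briefing). It parses firmware labels of the form "QTS 5.1.7.2770 build 20240520" and "QuTS hero h5.1.7.2770 build 20240520", compares them with the fixed version and build date, and lists the hosts still exposed. The label format, the inventory and the hostnames are constructed assumptions; the fixed versions are the ones stated in the story.

```python
"""Flag QNAP NAS units whose firmware predates the fix for CVE-2024-27130."""
import re

# Fixed versions as stated in the briefing: (version tuple, build date).
FIXED_IN = {
    "QTS": ((5, 1, 7, 2770), 20240520),
    "QuTS hero": ((5, 1, 7, 2770), 20240520),
}

# Assumed label format; QuTS hero versions carry a leading "h".
_FW_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero)\s+h?(?P<ver>\d+(?:\.\d+){3})\s+build\s+(?P<build>\d{8})$"
)


def parse_firmware(label):
    """Return (product, version tuple, build date int) or raise ValueError."""
    m = _FW_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised firmware label: {label!r}")
    version = tuple(int(part) for part in m.group("ver").split("."))
    return m.group("product"), version, int(m.group("build"))


def is_patched(label):
    """True when the firmware is at or beyond the fixed version and build."""
    product, version, build = parse_firmware(label)
    fixed_version, fixed_build = FIXED_IN[product]
    # Tuple comparison orders by version first, then by build date.
    return (version, build) >= (fixed_version, fixed_build)


def unpatched_hosts(inventory):
    """inventory: {hostname: firmware label}; returns hostnames still exposed."""
    return sorted(host for host, fw in inventory.items() if not is_patched(fw))


# Constructed inventory (hostnames and the non-fixed versions are made up).
SAMPLE_INVENTORY = {
    "nas-fin-01": "QTS 5.1.6.2722 build 20240402",
    "nas-eng-02": "QuTS hero h5.1.7.2770 build 20240520",
    "nas-lab-03": "QTS 5.2.0.2782 build 20240601",
}

if __name__ == "__main__":
    print("still exposed:", unpatched_hosts(SAMPLE_INVENTORY))
```

Because exploitation needs a valid "ssid" value that is produced when a user shares a file, units that expose share links to the internet should be first in the patch queue.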
Outdated Avast Anti-Rootkit driver exploited.
Recent cybersecurity investigations have uncovered a malicious campaign exploiting a legitimate but outdated Avast Anti-Rootkit driver to disable security defenses on targeted systems. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), involves attackers deploying the legitimate 'aswArPot.sys' driver, which contains known vulnerabilities, to gain kernel-level access. Once installed, the driver allows the malware to terminate processes and disable security products, effectively evading detection. This method has been observed in various malware campaigns, including those involving the AvosLocker ransomware, highlighting the persistent threat posed by the exploitation of vulnerable drivers.
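A defender's first question for a BYOVD campaign is where and when the named driver loaded. The script below is an added example, not code from the briefing or from any vendor: it scans constructed Sysmon-style driver-load records for known-vulnerable driver names and rates each hit by whether the file sat in a normal driver location. Only the driver name aswArPot.sys comes from the story; the record layout, the hostnames, the file paths and the "expected directory" list are assumptions to adapt to your own environment.

```python
"""Rate driver-load events for BYOVD indicators (constructed records)."""
import ntpath

# Lower-case basenames of drivers known to be abused; aswArPot.sys is from
# the briefing, extend from the vendor advisories you track.
KNOWN_VULNERABLE_DRIVERS = {"aswarpot.sys"}

# Assumed directories where legitimately installed drivers are expected.
EXPECTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\program files")

# Constructed events, modelled loosely on Sysmon driver-load records.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\Avast Software\Avast\aswArPot.sys"},
    {"host": "ws02", "image": r"C:\Users\Public\aswArPot.sys"},
    {"host": "ws03", "image": r"C:\Windows\System32\drivers\disk.sys"},
    {"host": "ws04", "image": r"C:\Temp\helper.sys"},
]


def classify(event):
    """Return a severity string, or None when the load looks ordinary.

    high   - known-vulnerable driver loaded from an unexpected directory,
             the shape a dropped BYOVD payload takes
    medium - known-vulnerable driver in its usual place; verify the installed
             version is not the outdated one
    low    - any driver loaded from outside the expected directories
    """
    path = event["image"]
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    in_expected = directory.startswith(EXPECTED_DRIVER_DIRS)
    if name in KNOWN_VULNERABLE_DRIVERS:
        return "medium" if in_expected else "high"
    if not in_expected:
        return "low"
    return None


def scan(events):
    """List (host, image, severity) for every event that earns a rating."""
    findings = []
    for event in events:
        severity = classify(event)
        if severity:
            findings.append((event["host"], event["image"], severity))
    return findings


if __name__ == "__main__":
    for host, image, severity in scan(SAMPLE_EVENTS):
        print(f"{severity:6} {host} {image}")
```

Name matching is a starting point, not a complete control: the driver is legitimately signed, so signature checks alone will not catch it, and a renamed copy would pass a name filter but not a hash or version check against the vendor's file.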
No more internet rabbit holes for China.
China's Cyberspace Administration (CAC) has initiated a campaign to regulate internet algorithms, aiming to curb practices that create "information cocoons"—echo chambers that limit diverse content exposure. The CAC mandates that tech companies prevent the dissemination of homogeneous content and enhance transparency in content ranking algorithms. Additionally, the use of algorithms for discriminatory pricing in e-commerce is prohibited, requiring platforms to avoid price differentiation based on user demographics. Companies have until the end of the year to comply, with assessments beginning in January.
Coming up next on the guest segment, Dragos’ Technical Director Lesley Carhart spoke with Dave Bittner about "The Shifting Landscape of OT Incident Response." We’ll be right back.
Welcome back. You can find a link to the blog Lesley discussed in our show notes.
Stop & Shop Turns Cyber Oops Into Coffee and Cookies – Hackers Can’t Keep These Snacks Down!
After a recent cybersecurity hiccup left Stop & Shop's shelves emptier than a diet soda can, the grocery chain has bounced back and offered free coffee and sweet treats to customers in Connecticut, Massachusetts, and Rhode Island. This gesture was their way of saying, "Thanks for sticking with us through the tech turbulence." So, if you were in the area over the weekend and happened to swing by between 10 a.m. and 3 p.m., I hope you got a chance to grab a complimentary pick-me-up.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.