The CyberWire Daily Podcast 12.4.24
Ep 2202 | 12.4.24

The end of MATRIX.

Transcript

International law enforcement takes down the MATRIX messaging platform. SailPoint discloses a critical vulnerability in its IdentityIQ platform. A Solana library has been backdoored. SolarWinds discloses a critical vulnerability in its Platform product. Researchers identify 16 zero-day vulnerabilities in Fuji Electric’s remote monitoring software. Cisco urges users to patch a decade-old vulnerability. CISA warns of active exploitation of Zyxel firewall devices. A critical XSS vulnerability has been identified in MobSF. Google’s December 2024 Android security update addresses 14 high-severity vulnerabilities. The Federal Trade Commission settles with data brokers over alleged consent violations. On today’s CertByte segment, Chris Hare and Dan Neville break down a question targeting the A+ Core (220-1101) Exam 1 certification. A vodka company gets iced by ransomware.

Today is Wednesday December 4th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

International law enforcement takes down the MATRIX messaging platform. 

International collaboration struck a blow against cybercrime on December 3, 2024, with the dismantling of MATRIX, a sophisticated encrypted messaging platform favored by organized crime. Led by Dutch and French authorities with support from Europol, Eurojust, and other nations, the operation targeted MATRIX’s decentralized infrastructure, which spanned over 40 servers, including key ones in France and Germany.

Initially uncovered on a device linked to the 2021 murder of a Dutch journalist, MATRIX was found to be a hub for illegal activities like drug trafficking, money laundering, and arms smuggling. Offering invitation-only access, end-to-end encryption, and multi-server hosting, MATRIX became a secure tool for criminals seeking anonymity. However, authorities intercepted and deciphered 2.3 million messages over three months, unraveling its web of illegal operations.

As criminals shift to other platforms like Signal, Discord, and Session, law enforcement faces a growing challenge in tracking fragmented communication methods. 

Meanwhile, German police have dismantled Crimenetwork, the country’s largest illegal dark web marketplace, and arrested a 29-year-old suspected administrator. The platform, operational since 2012, facilitated the trade of stolen data, drugs, forged documents, and other illegal goods, with over 100,000 users and 100 sellers, primarily from German-speaking countries.

Authorities seized servers, luxury vehicles, evidence, and €1m ($1.1m) in cryptocurrency assets. Crimenetwork reportedly enabled transactions worth nearly a hundred million dollars between 2018 and 2024, earning operators commissions of 1-5% and seller fees. Buyers typically paid in cryptocurrency.

The operation, coordinated by the Frankfurt Public Prosecutor’s Office, the Federal Criminal Police Office (BKA), and Dutch authorities, includes ongoing investigations into user and transaction data. The arrested individual faces charges of managing a criminal platform and drug trafficking.

SailPoint discloses a critical vulnerability in its IdentityIQ platform.

SailPoint has disclosed a critical 10/10 severity vulnerability (CVE-2024-10905) in its IdentityIQ identity and access management platform. The flaw, a directory traversal vulnerability (CWE-66), allows attackers to access unauthorized directories, potentially exposing sensitive data and compromising systems. Such bugs, described by some as “embarrassingly easy to exploit,” stem from improper sanitization of user input—a basic security failure highlighted by the US Cybersecurity and Infrastructure Security Agency (CISA). Affected customers are urged to upgrade to patched versions immediately.

A Solana library has been backdoored. 

Developers of decentralized applications (dapps) on Solana unknowingly downloaded backdoored versions of the Solana Web3.js library after a GitHub account was compromised. The malicious versions, 1.95.6 and 1.95.7, were available for five hours on December 2, 2024, and included code enabling attackers to steal private keys and drain funds.

While non-custodial wallets remain unaffected, projects handling private keys directly are at risk. Developers should immediately upgrade to the clean 1.95.8 version and rotate any compromised keys. GitHub warns systems using the backdoored versions may be fully compromised, necessitating a complete reset of credentials from a different machine. Binance reported no major cryptocurrency wallets were hacked, though third-party tools linked to private keys might have been affected.
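An added check, not from the episode or from Solana Labs, that scans a parsed npm package-lock.json for the two backdoored releases named above; it assumes the npm package name @solana/web3.js, and the sample lockfile and the package "some-wallet-sdk" are constructed:

```javascript
// Added example: find installs of @solana/web3.js pinned to a backdoored
// version anywhere in a dependency tree, including nested copies that
// "npm ls" at the top level can hide.

// Versions the episode identifies as backdoored; 1.95.8 is the clean release.
const BACKDOORED = new Set(["1.95.6", "1.95.7"]);
const PKG = "@solana/web3.js";

// Returns [{ path, version }] for every backdoored install.
// Handles lockfileVersion 2/3 ("packages" map keyed by install path) and
// lockfileVersion 1 ("dependencies" tree nested per package).
function findBackdooredWeb3(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith("node_modules/" + PKG) && BACKDOORED.has(meta.version)) {
        hits.push({ path: p, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = prefix + "node_modules/" + name;
      if (name === PKG && BACKDOORED.has(meta.version)) {
        hits.push({ path: p, version: meta.version });
      }
      walk(meta.dependencies, p + "/"); // nested node_modules (v1 layout)
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3): the top-level copy is
// clean, but a hypothetical "some-wallet-sdk" carries a nested 1.95.7.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-dapp" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-wallet-sdk": { version: "0.1.0" },
    "node_modules/some-wallet-sdk/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

for (const h of findBackdooredWeb3(SAMPLE_LOCK)) {
  console.log(`BACKDOORED ${PKG}@${h.version} at ${h.path}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to findBackdooredWeb3; any hit means the keys that host handled should be rotated as the advisory says.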

SolarWinds discloses a critical vulnerability in its Platform product. 

SolarWinds has disclosed a critical vulnerability (CVE-2024-45717) in its Platform product, affecting the search and node information sections of its user interface. The cross-site scripting (XSS) flaw allows authenticated attackers to inject malicious code, potentially compromising system integrity and confidentiality. While the exploit requires user interaction and authentication, the flaw’s severity is rated 7.0 on the CVSS scale. SolarWinds urges users to apply necessary updates to mitigate this high-risk security issue.

Researchers identify 16 zero-day vulnerabilities in Fuji Electric’s remote monitoring software. 

Security researchers have identified 16 zero-day vulnerabilities in Fuji Electric’s remote monitoring software, affecting critical infrastructure providers. These flaws impact Tellus, Tellus Lite, V-Server, and V-SFT modules, enabling attackers to execute arbitrary code through user interaction, such as visiting malicious pages or opening files. The Zero Day Initiative attributes the vulnerabilities to improper validation of user-supplied data, leading to out-of-bounds write issues. Previously, Fuji Electric patched similar vulnerabilities in 2021, addressing risks like denial-of-service attacks and sensitive data exposure.

Cisco urges users to patch a decade-old vulnerability. 

Cisco is urging users of its Adaptive Security Appliance (ASA) to patch a decade-old vulnerability (CVE-2014-2120) in its WebVPN login page, which is being actively exploited. The flaw, caused by insufficient input validation, allows attackers to execute cross-site scripting (XSS) attacks by luring victims to malicious links, potentially compromising sensitive information or injecting malware.

Initially flagged in 2014, the vulnerability resurfaced in 2024, with malware like AndroxGh0st leveraging it for attacks. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2014-2120 to its Known Exploited Vulnerabilities catalog, requiring government agencies to address it by December 3, 2024.

With no workarounds available, Cisco strongly advises updating ASA software to the latest patched version to safeguard networks against emerging threats. 

CISA warns of active exploitation of Zyxel firewall devices. 

CISA has warned of active exploitation of a path traversal vulnerability (CVE-2024-11667) in Zyxel firewall devices. The flaw allows attackers to download or upload files via crafted URLs, potentially leading to unauthorized access, credential theft, and backdoor VPN creation.

Zyxel addressed this issue in a firmware update released September 3, alongside fixes for other vulnerabilities. Users are urged to update their firmware, change admin passwords, and check for rogue accounts. CERT Germany emphasized that patching alone is insufficient without these additional steps. CISA has added CVE-2024-11667 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch affected devices by December 24.

Additionally, CISA has added two other vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

1. CVE-2023-45727 (Proself): An XML External Entity (XXE) flaw in Proself versions before Ver5.62, Ver1.65, and Ver1.08 allows unauthenticated attackers to read server files, exposing sensitive data.

2. CVE-2024-11680 (ProjectSend): An improper authentication vulnerability in ProjectSend versions before r1720 enables attackers to exploit HTTP requests to modify configurations, create accounts, and upload webshells. 

A critical XSS vulnerability has been identified in MobSF. 

A critical vulnerability, CVE-2024-53999, has been identified in Mobile Security Framework (MobSF) version 4.2.8, allowing attackers to inject malicious scripts via stored cross-site scripting (XSS). The flaw resides in the “Diff or Compare” functionality, which improperly handles file uploads containing script-laden filenames with special characters.

Attackers can exploit this oversight to upload a malicious file, embedding scripts in its name. When the file is accessed, the script executes, compromising data confidentiality and posing a persistent threat.

Mitigation requires stricter filename validation and restricting uploads to whitelisted characters. MobSF developers are urged to address this issue immediately.
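The two defenses that mitigation describes, as an added example that is not MobSF's own code: a filename whitelist enforced when a file is uploaded, and HTML escaping when the name is rendered in a page such as a compare view. The allowed extension set and the sample names are assumptions.

```javascript
// Added example: whitelist at the upload boundary, escape at the HTML sink.

// Whitelist: ASCII letters, digits, dot, underscore, hyphen; no leading dot,
// no path separators, bounded length. Extension set is an assumption.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;
const ALLOWED_EXT = new Set(["apk", "ipa", "zip"]);

function isSafeFilename(name) {
  if (typeof name !== "string" || !SAFE_NAME.test(name)) return false;
  const dot = name.lastIndexOf(".");
  if (dot < 0) return false;
  return ALLOWED_EXT.has(name.slice(dot + 1).toLowerCase());
}

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored filename is interpolated straight into markup,
// so any tag characters in it become part of the page.
function renderCompareRowUnsafe(name) {
  return `<td>${name}</td>`;
}

// Hardened: reject at the boundary, and still escape at the sink so a name
// stored before the whitelist existed cannot run as script.
function renderCompareRow(name) {
  if (!isSafeFilename(name)) throw new Error("rejected filename");
  return `<td>${escapeHtml(name)}</td>`;
}

// Constructed sample names (no payload, just tag characters).
console.log(isSafeFilename("app-v1.2.apk"));          // true
console.log(isSafeFilename("report<b>bold</b>.apk")); // false
console.log(escapeHtml("report<b>bold</b>.apk"));     // tags neutralised
```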

Google’s December 2024 Android security update addresses 14 high-severity vulnerabilities. 

Google’s December 2024 Android security update addresses 14 high-severity vulnerabilities, including a critical remote code execution flaw (CVE-2024-43767) in the System component. This flaw allows attackers to execute code without additional privileges.

The update, split into two patch levels (2024-12-01 and 2024-12-05), fixes six Framework/System bugs and eight vulnerabilities in components from Imagination Technologies, MediaTek, and Qualcomm. Updated Android versions (12–15) include these patches, now available in the Android Open Source Project repository.

Google urges users to update promptly, emphasizing the improved security of newer Android versions. No active exploitation of these flaws has been reported, and updates for Android Automotive OS and Wear OS are also included. Pixel device-specific updates are expected soon.

The Federal Trade Commission settles with data brokers over alleged consent violations. 

The Federal Trade Commission has settled with data brokers Gravy Analytics and Mobilewalla over allegations they sold sensitive location data without consent. The data, collected from apps and tracking SDKs, revealed visits to hospitals, places of worship, protests, and even specific rooms in buildings. Gravy boasted of collecting billions of daily location signals, while Mobilewalla retained data on hundreds of millions of devices.

The FTC claimed the brokers failed to verify user consent or knowingly ignored its absence. Both companies have agreed to delete improperly collected data, implement consent safeguards, and restrict the sale of information tied to sensitive locations like medical facilities and schools. The bipartisan ruling, passed unanimously, reflects growing scrutiny of data brokers.


We’ve got our CertByte segment up next. N2K’s Chris Hare is joined by Dan Neville to break down a question from the CompTIA® A+ Core Exam 1 Practice Test. We’ll be right back.

Welcome back. Be sure to visit our show notes for links to the practice test and other helpful resources that Chris and Dan talked about. 

A vodka company gets iced by ransomware. 

And finally, our wine and spirits desk reminds us that even vodka isn’t immune to the double whammy of ransomware and geopolitical drama. Stoli Group USA, famed for its Stolichnaya vodka, has filed for bankruptcy in the US, drowning in $78 million of debt. Among the culprits? A severe ransomware attack in August 2024 that crippled its IT systems, forcing manual operations and delaying financial reports until 2025. Talk about a hangover.

Adding insult to injury, Stoli faced retaliation from Russia for its pro-Ukraine stance. Founder Yuri Shefler was labeled an “extremist,” two distilleries worth $100 million were confiscated, and the group burned through millions in a decades-long trademark battle with Russian authorities.

This vodka tale serves as a sobering reminder of ransomware’s potential to shake businesses to their core – even as it remains unclear if Moscow had a hand in this particular digital assault. Still, in the battle of ransomware vs. vodka, it seems ransomware took the top shelf.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.