APT31 targets families, UK newspaper attacked, Apple MFA bombing
APT31 uses family members to surveil targets
On Monday, U.S. prosecutors unsealed an indictment against seven individuals alleged to be members of the Chinese state-backed hacking group APT31. The group used the unusual tactic of sending malicious emails to family members of its actual targets, typically high-ranking U.S. government officials, politicians and campaign staff. Recipients who clicked the embedded tracking links revealed device and network information that the hackers then used to target networks belonging to the intended victims. The State Department is offering rewards of up to $10 million for information that helps locate or apprehend any of the seven named APT31 members.
The news of the indictment comes as Finnish police confirmed on Tuesday that APT31 was behind the breach of the country's parliament disclosed in March 2021. Similarly, as we reported yesterday on Cyber Security Headlines, the UK sanctioned APT31 for breaching its intelligence agency and hacking into the country's Electoral Commission systems.
(CyberScoop and Bleeping Computer)
Ransomware gang attacks UK newspaper supporting the homeless
The Big Issue, a UK street newspaper that gives homeless people an income from distributing the magazine, has confirmed it was impacted by a cyber incident. The confirmation follows the company being listed on the Qilin ransomware gang's darknet extortion site on Sunday. Qilin claims to have stolen 550 gigabytes of confidential data, including files related to commercial and personnel operations. The newspaper is working with external cyber experts to investigate the incident and restore systems, and said its publication and distribution operations were not affected.
MFA bombing attacks target Apple users
Apple customers are reporting being targeted in phishing attacks that abuse an apparent rate-limiting bug in Apple's password reset feature. The phishers use "push bombing" attacks to inundate victim devices with multi-factor authentication (MFA) alerts, hoping the victim will approve a password change or login. If the MFA bombing fails, scammers call their targets claiming to be from Apple support, with the caller ID spoofed to show Apple's real support number, saying the user's account is under attack and asking them to "verify" a one-time code. Once the phishers obtain the one-time code, they can reset the account password and lock the user out. Users have tried unsuccessfully to stop the harassing notifications and calls by enabling recovery keys, changing their Apple IDs, and even purchasing new devices. Apple has yet to comment on the apparent bug.
Hackers exploit Ray framework flaw to breach servers
A new hacking campaign dubbed "ShadowRay" targets an unpatched vulnerability in the popular Ray open-source AI framework. The campaign, which started in September 2023, has hijacked computing power and leaked sensitive data from thousands of victims in education, cryptocurrency, biopharma, and other sectors. ShadowRay takes advantage of a critical remote code execution flaw (tracked as CVE-2023-48022) stemming from the platform's lack of authentication on its Jobs API. Anyscale, which maintains Ray, says it opted not to add authentication as a design choice, and that the flaw is only exploitable in deployments that ignore its recommendation to run Ray inside a strictly controlled network environment. Administrators should secure Ray deployments by enforcing firewall rules, putting authorization in front of the Ray Dashboard port, and continuously monitoring for anomalies.
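The firewall and exposure-check advice above is easier to act on with something concrete. The following Python audit script is an added example, not code from the page, from Anyscale or from the Ray project: it parses `ss -ltn` output from a head node, flags Ray's default ports (8265 dashboard/Jobs API, 6379 GCS, 10001 Ray Client) that are bound to a wildcard address, and emits nftables rules restricting those ports to a management subnet. The port numbers, the sample socket listing and the 10.0.0.0/24 management network are assumptions for the example; an `inet filter` table with an `input` chain is assumed to already exist.

```python
"""
Audit a Ray head node for network exposure of its control ports.

Added example (not from the page or the Ray project). Assumptions:
- Ray's default ports are in use (dashboard 8265, GCS 6379, client 10001).
- The trusted management network is 10.0.0.0/24.
- An nftables table `inet filter` with chain `input` already exists.
"""
import ipaddress
import re

# Ray default ports and why each matters (assumption: defaults unchanged).
RAY_PORTS = {
    8265: "dashboard / Jobs API (unauthenticated job submission surface)",
    6379: "GCS server",
    10001: "Ray Client server",
}

# Addresses that mean "listen on every interface".
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed `ss -ltn` output for a head node started with
# `ray start --head --dashboard-host 0.0.0.0` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:8265         0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     *:10001              *:*
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*
"""

# Matches "LISTEN <recv-q> <send-q> <addr>:<port>"; the greedy address
# group backtracks to the last ':' so IPv6 forms like [::]:8265 also parse.
_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return (bind_address, port) tuples for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def exposed_ray_ports(ss_output):
    """Ray ports bound to a wildcard address, i.e. reachable from any interface."""
    return sorted(
        port
        for addr, port in parse_listeners(ss_output)
        if port in RAY_PORTS and addr in WILDCARDS
    )


def nft_rules(mgmt_cidr, ports=None):
    """nftables rules: allow the Ray ports from mgmt_cidr, drop them otherwise.

    Rule order matters: the accept for the management subnet must precede
    the unconditional drop for the same port set.
    """
    net = ipaddress.ip_network(mgmt_cidr)  # raises ValueError on a bad CIDR
    port_set = ", ".join(str(p) for p in sorted(ports or RAY_PORTS))
    return [
        f"add rule inet filter input ip saddr {net} tcp dport {{ {port_set} }} accept",
        f"add rule inet filter input tcp dport {{ {port_set} }} drop",
    ]


def report(ss_output, mgmt_cidr):
    """Human-readable findings plus the remediation rules."""
    lines = []
    for port in exposed_ray_ports(ss_output):
        lines.append(f"EXPOSED: tcp/{port} bound to all interfaces: {RAY_PORTS[port]}")
    if not lines:
        lines.append("OK: no Ray control port is bound to a wildcard address")
    lines.append("Suggested nftables rules (management subnet only):")
    lines.extend("  " + r for r in nft_rules(mgmt_cidr))
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real host replace SAMPLE_SS_OUTPUT with the output of `ss -ltn`.
    print(report(SAMPLE_SS_OUTPUT, "10.0.0.0/24"))
```

Even with the dashboard bound to localhost, remember that the Jobs API hosted on 8265 is the job-submission path, so anything that forwards that port (a reverse proxy, a Kubernetes Service, an SSH tunnel left open) reintroduces the exposure unless it adds its own authentication.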
Huge thanks to our sponsor, Varonis
Apple security bug exposes iPhones and iPads to RCE
Apple has released more details on the updates it quietly pushed last week as iOS and iPadOS 17.4.1. The updates address a vulnerability (CVE-2024-1580) that allows a remote attacker to execute arbitrary code on affected devices. Google's Project Zero bug-hunting team found the issue, and Google assigned it a medium severity rating, noting that an attacker would need access to the local network or physical proximity to a vulnerable system to succeed. Researchers say Apple's silence last week was likely intended to allow time for patches to be developed for other platforms, notably macOS.
Agenda ransomware targets VMware servers
A new Rust-based ransomware variant from the Agenda group (aka the Qilin gang we heard about earlier in this report) is targeting VMware vCenter and ESXi servers. The ransomware binary is delivered via either Cobalt Strike or a remote monitoring and management (RMM) tool. A PowerShell script handles propagation, after which the ransomware changes the root password on all hosts and uploads the malicious payload. The latest Agenda variant can escalate privileges, impersonate tokens, and disable virtual machine clusters. Researchers say Linux and VMware are increasingly being targeted because they typically run critical applications.
Researchers discover 40,000 End of Life device botnet
On Tuesday, researchers warned of a botnet packed with over 40,000 end-of-life routers and IoT devices. The majority of the devices are infected with a cybercriminal-focused proxy service known as Faceless. The router botnet was first spotted ten years ago and, as of February 2024, operates in 88 countries. The botnet appears to be picking up steam, enrolling nearly 7,000 new Faceless users per week. Admins should replace end-of-life devices with supported ones, monitor for suspicious login attempts, and use web application firewalls to block known indicators of compromise (IoCs).
Free VPN apps on Google Play turned phones into proxies
Researchers identified 28 VPN apps on Google Play that turned Android devices into unwitting residential proxies; 15 of the apps were offered free of charge. These proxies route other people's internet traffic through user devices, making that traffic appear legitimate and less likely to be blocked. Victims have their internet bandwidth hijacked and risk legal trouble by appearing to be the source of malicious activity. All of the offending apps used a software development kit (SDK) from LumiApps containing a Golang library called "Proxylib." In February, Google removed all apps using the SDK from the Play Store and updated Google Play Protect to detect the library in the future.