Monday 18th November 2024

Good morning and thank you for joining me for this edition of Cyber Daily. In today’s installment, we’re untangling a web of threats targeting everything from AI enthusiasts to government telecoms. First up, a botnet is exploiting old security cameras for cryptomining schemes—time to retire that outdated tech. Next, fake AI apps are making headlines (and stealing wallets) as Lumma Stealer and AMOS malware hit unsuspecting users. Finally, T-Mobile narrowly dodges major fallout from a wave of telecom hacks linked to Chinese cyber spies.

Enjoy!

A botnet’s new toy: GeoVision zero-day

A botnet exploiting a zero-day vulnerability (CVE-2024-11120) in GeoVision’s end-of-life (EOL) devices is on the rise, according to cybersecurity researchers at the Shadowserver Foundation. This pre-auth command injection flaw (scored 9.8/10 in severity) allows attackers to execute arbitrary commands remotely. The flaw impacts several EOL products, including the GV-VS12 and GV-VS11 models.

The botnet uses compromised devices to execute DDoS attacks and cryptomining operations, with approximately 17,000 Internet-facing GeoVision devices still vulnerable. Most affected devices are in the US (9,179), followed by Germany, Taiwan, and Canada.

  • The vulnerability, verified by Taiwan’s CERT, has already been exploited in active attacks.
  • Researchers urge users to decommission or secure vulnerable devices, as GeoVision no longer supports them.

With old hardware proving to be easy pickings for attackers, this incident highlights the dangers of ignoring end-of-life warnings.
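To make the "pre-auth command injection" point concrete, here is an added example (not GeoVision's code and not from the original post) in Python. It models a hypothetical camera diagnostic page that pings a host named in the request: the unsafe builder concatenates the parameter into a shell string, the hardened version validates against an allow-list and hands the shell no string at all, and a small scanner flags shell metacharacters in request parameters of constructed access-log lines, which is the kind of compensating detection you need when a device is EOL and will never be patched. The hostname regex, the log format and the sample lines are all assumptions for the illustration.

```python
import re
import subprocess
from urllib.parse import urlsplit, unquote

# Allow-list for the 'host' parameter (assumption: hostnames/IPv4 only).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
# Characters that let an attacker end one shell command and start another.
SHELL_META = set(";|&`$(){}<>\n\r")
# Request part of a combined-format access log line (assumed log format).
LOG_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def build_ping_unsafe(target: str) -> str:
    """Vulnerable pattern: the request parameter is pasted into one shell
    string. Anything after a metacharacter in `target` becomes a second
    command when this string is passed to os.system()/shell=True."""
    return f"ping -c 1 {target}"


def is_valid_target(target: str) -> bool:
    """Strict allow-list check, applied before any OS interaction."""
    return HOSTNAME_RE.fullmatch(target) is not None


def build_ping_safe(target: str) -> list[str]:
    """Hardened pattern: reject anything outside the allow-list, then build an
    argv list so no shell ever parses the value."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def run_ping_safe(target: str) -> subprocess.CompletedProcess:
    """Runs the hardened command with shell=False (the default for a list)."""
    return subprocess.run(build_ping_safe(target), capture_output=True,
                          text=True, timeout=10)


def suspicious_params(path: str) -> list[str]:
    """Return 'key=value' pairs from the URL query whose decoded value contains
    a shell metacharacter. Decodes twice to catch double URL-encoding."""
    hits = []
    for pair in urlsplit(path).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        decoded = unquote(unquote(value))
        if SHELL_META & set(decoded):
            hits.append(f"{key}={decoded}")
    return hits


def scan_access_log(lines) -> list[tuple[str, str, list[str]]]:
    """Yield (client_ip, request_path, suspicious_params) for each log line
    whose query parameters look like a shell-injection attempt."""
    findings = []
    for line in lines:
        m = LOG_REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("path"))
        if hits:
            findings.append((line.split(" ", 1)[0], m.group("path"), hits))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Nov/2024:08:15:02 +0000] '
    '"GET /cgi-bin/ping.cgi?host=192.0.2.10 HTTP/1.1" 200 512',
    '198.51.100.23 - - [18/Nov/2024:08:15:09 +0000] '
    '"GET /cgi-bin/ping.cgi?host=192.0.2.10%3Bid HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    print("unsafe string:", build_ping_unsafe("192.0.2.10;id"))
    print("safe argv:    ", build_ping_safe("192.0.2.10"))
    for ip, path, hits in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {ip} {path} -> {hits}")
```

The scanner is deliberately simple: on an unpatched, Internet-facing device the realistic options are to take it offline or put it behind a filtering proxy, and in either case a metacharacter check on request parameters is a cheap first alert to feed into whatever log pipeline sits in front of the camera.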

Fake AI apps steal your creds—and your crypto

Malware disguised as AI image and video editing software is targeting Windows and macOS users, spreading Lumma Stealer and AMOS malware to pilfer credentials, browsing data, and cryptocurrency wallets. The scam uses professional-looking fake websites promoting the bogus app, “EditProAI.”

Cybercriminals lure victims via search ads and viral political deepfake videos (like Biden and Trump sharing ice cream). Clicking on the app download links installs malware that extracts sensitive data from Chrome, Edge, and Firefox browsers.

  • Windows users get Lumma Stealer, delivered through an executable signed with a stolen certificate.
  • macOS users encounter AMOS malware via a malicious .dmg file.

The damage: The stolen information—including passwords, cookies, credit cards, and crypto wallets—is sent to the attackers, who can resell it or use it for further exploits.

If you’ve downloaded this fake app, change all your passwords immediately, enable multi-factor authentication, and monitor financial accounts for suspicious activity.

T-Mobile dodges major fallout in telecom hack wave

T-Mobile has confirmed it was targeted in a wave of telecom breaches attributed to Chinese state-sponsored hackers, but says its systems remain largely unscathed. The campaign, linked to the Salt Typhoon hacking group, exploited vulnerabilities in U.S. telecom networks to access call logs, private communications, and law enforcement data requests.

The company asserts there’s no evidence of customer data being accessed or exfiltrated, crediting its security controls and network monitoring.

Salt Typhoon targeted multiple telecom giants, including AT&T and Verizon, reportedly focusing on high-profile U.S. government officials to steal sensitive communications and data.

This marks the ninth T-Mobile breach since 2019, with previous incidents exposing customer information, employee data, and proprietary systems.

The FBI and CISA are investigating the larger breach campaign. Though T-Mobile appears to have dodged this bullet, the incident highlights the ongoing vulnerabilities in the telecom industry.

Marcel Velica

Senior Security Program Manager | Leading Cybersecurity Initiatives | Driving Strategic Security Solutions | Cybersecurity Excellence | Cloud Security

5 days ago

Thanks for sharing the latest updates! Aidan Dickenson

Reply
Hakim Uddin Mahudi

Friendly CEO | Sales Consultant | Softwares | Building Customer Centric Solutions | ERP

5 days ago

Crazy how these threats are everywhere, from old cameras to fake AI apps. Just shows how important it is to stay updated and secure.

Elma ?avali?

Agile Coach at Evolve IT | Innovation Culture for Business Growth | Digital Transformation | Agile, High-Performing, and Autonomous Teams

5 days ago

Keep informing! Aidan Dickenson

Jitendra Sheth Founder, Cosmos Revisits

Empowering Small Businesses to Surge Ahead of Competition. 9X LinkedIn Top Voice: Brand Development | Creative Strategy | Content Marketing | Digital Marketing | Performance Marketing | SEO | SMM | Web Development

5 days ago

Aidan Dickenson Keeping up with cyber threats is no longer optional—it’s survival! Thanks for keeping us in the loop!
