UnitedHealth responsibility, Europol dropper takedown, malware bricks routers
Senator calls for UnitedHealth leadership to be held responsible
In recent years, we’ve seen increasing legal responsibility thrust onto CISOs. From the SolarWinds Orion supply chain attack to the guilty verdict of former Uber CISO Joe Sullivan, we’ve seen criticism of why the buck stops with the CISO. That might be changing, as US Senator Ron Wyden sent a letter to the FTC and SEC, calling on senior executives and directors from UnitedHealth Group to be held responsible for reckless decisions leading up to its high-profile ransomware attack back in February. Wyden specifically called out the hiring of CISO Steven Martin as negligent, saying he had never previously worked full-time in a cybersecurity role. The letter said “It would be unfair to scapegoat Mr. Martin,” with the responsibility falling on the leadership that appointed him.
(The Record )
Europol seizes 2,000 domains in dropper takedown
The law enforcement agency announced it carried out “Operation Endgame,” which targeted malware droppers used to initially get malware loaded onto systems. The operation saw the seizure of over 2,000 domains, four arrests across Armenia and Ukraine, and the release of over 13.5 million unique passwords to Have I Been Pwned. Authorities previously tied the dropper sites to use with IcedID, SmokeLoader, and Trickbot. German authorities also added eight other suspects related to this takedown to the EU’s Most Wanted list.
(CyberScoop )
Malware bricked over 600,000 routers
Researchers from Lumen Technologies’ Black Lotus Labs reported new details about an incident that occurred last October, where hundreds of thousands of customers from a single ISP reported bricked SOHO routers. The report didn’t name the ISP, but the timeline matches a large-scale outage at Windstream. On October 25th, 2023, an unknown threat actor deployed the commodity Chalubo malware on over 600,000 routers connected to a single autonomous system number, using custom scripts to overwrite the router firmware. Notably, the attack targeted the ASN, not a particular router model, with routers from two different manufacturers impacted. The researchers don’t know the exact attack chain or whether a nation-state actor perpetrated the attack.
(Ars Technica )
NIST getting outside help with NVD
NIST announced it awarded a contract for additional processing support for the National Vulnerability Database. This comes after NIST announced expected delays in CVE analysis in NVD back in February, and its disclosure of a growing vulnerability backlog back in April. The new contract is not a long-term solution, but NIST says it is confident the support will allow it to return to pre-February 2024 processing rates “within the next few months” and clear its backlog by the end of September. The agency still plans to use an industry consortium to improve the program as part of a wider reform of NVD.
Thanks to today’s episode sponsor, Vanta
Meta and OpenAI disrupt influence operations
In its quarterly threat report, Meta announced it removed accounts tied to six distinct political influence campaigns originating across Bangladesh, China, and Croatia, as well as the Israeli political campaign firm Stoic. The largest of these used over 500 accounts across Instagram and Facebook. Meta says two of the campaigns likely used content created with gen AI tools, but that these tools were not yet sophisticated enough to avoid its detection methods.
Stoic also saw disruption by OpenAI, which announced it discovered similar campaigns operating from Russia and China. The campaigns used OpenAI tools to do things like write posts, translate content, and build social media automation software. The company noted that in many cases, these campaigns don’t show signs of becoming more effective, but can operate at a greater scale.
Google confirms Search leak
Earlier this week, SEO expert Rand Fishkin published 2,500 pages of leaked documents from an anonymous source related to how Google Search works. This doesn’t get into what specific data and signals impact search rankings directly, but does give details on its search API, what it collects from sites and users, as well as what data it makes available to employees. Google subsequently confirmed the leaked data as legitimate, but cautioned against drawing conclusions from “out-of-context, outdated, or incomplete information.” No word on how this data on Google’s secretive search practices got out.
(The Verge )
RedTail malware hits Palo Alto firewalls
Security researchers at Akamai discovered the operators of this crypto-mining malware began exploiting a recently discovered flaw in Palo Alto Networks firewalls. The flaw in PAN-OS allows an unauthenticated attacker to execute code with root access on a firewall. Palo Alto released a patch last month. RedTail previously attacked network equipment from TP-Link, Barracuda Networks, Ivanti, and VMware. The Palo Alto attacks show evolving sophistication by the group, which now uses encrypted mining configurations, a switch to private mining pools rather than a hard-coded wallet, and advanced evasion techniques.
LightSpy makes its way to macOS
LightSpy serves as a modular surveillance framework targeting iOS and Android devices. However, a report from ThreatFabric discovered a variant targeting macOS. ThreatFabric found it through a misconfigured interface, which revealed that LightSpy can exploit a series of WebKit flaws to execute within Safari. The interface also showed references to Windows, Linux, and routers, but did not include any technical documentation of how its attack chain works. It’s not clear how wide a reach the spyware will have: it only works on macOS 10.13.3 or earlier. Apple cut off support for macOS 10 almost four years ago, so such systems are probably vulnerable to a lot of other nasty stuff too.