Teen serial swatter-for-hire busted, pleads guilty, could face 20 years
PLUS: Cost of Halliburton hack disclosed; Time to dump old D-Link NAS; More UN cybercrime convention concerns; and more
Infosec in brief A teenager has pleaded guilty to calling in more than 375 fake threats to law enforcement, and now faces years in prison.
Alan Filion, now 18, last week pleaded guilty to four counts of making interstate threats to injure another person. Each count could see Filion spend five years in prison. He will learn his fate when sentenced in February.
According to the US Department of Justice, Filion targeted religious and educational institutions, government officials, and numerous individuals across the United States. He placed most of the calls between 2022 and 2024, making many when aged just 16.
Filion’s actions are commonly known as “swatting” - a term that refers to calling emergency services to report a fake emergency of sufficient seriousness that it has the potential to result in the deployment of Special Weapons and Tactics (SWAT) teams.
On one occasion, Filion claimed that his calls "usually get the cops to drag the victim and their families out of the house, cuff them and search the house for dead bodies," according to the DoJ.
Court documents indicate that Filion also conducted swatting calls as a service, and used social media to advertise his prices for making the scam calls.
Swatting has increasingly become a tactic used by cybercriminals to extort additional ransoms from their targets - in at least one case last year, the ransomware attackers who compromised a cancer center threatened to swat the hospital if the facility didn't pay.
Critical vulnerabilities of the week: Metabase vuln resurrected
Open source data analytics program Metabase was found vulnerable in 2021 to a flaw tracked as CVE-2021-41277. Depending on who you ask, the flaw is either a CVSS 7.5 or 10.0. Either way, it's under active exploitation as of last week.
Metabase, prior to versions 0.40.5 and 1.40.5, is apparently not bothering to validate URLs before loading them. A fix is available that you should have installed back in 2021.
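The class of check the fix boils down to, as an added illustration that is not Metabase's own code: before a feature fetches a user-supplied URL, reject anything that isn't plain http(s) and anything that points at the host itself or its internal network. The function name and the "map source" framing are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical validator for a "load this URL" feature (for instance a user-supplied
# map/GeoJSON source). Illustrative only, not the project's actual patch.
ALLOWED_SCHEMES = {"http", "https"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def _is_internal_host(host: str) -> bool:
    """True for literal IPs that are loopback, private, link-local, multicast,
    reserved or unspecified. Hostnames are not resolved here, so the fetch layer
    must resolve and re-run this check on the final address as well."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host.lower() in LOCAL_NAMES
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason). Only http/https to an external host passes;
    file://, bare paths, embedded credentials and internal addresses are refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if _is_internal_host(parts.hostname):
        return False, f"internal address refused: {parts.hostname}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs covering the main refusal cases.
    for u in ("file:///etc/passwd", "http://127.0.0.1:3000/api",
              "http://[::1]/", "http://169.254.169.254/latest/meta-data/",
              "https://example.com/regions.geojson"):
        print(u, "->", validate_fetch_url(u))
```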
Also under active exploitation:
- CVSS 9.9 - CVE-2024-9463: Palo Alto Networks Expedition migration tool allows unauthenticated users to run arbitrary OS commands as root - fun!
- CVSS 9.2 - CVE-2024-9465: Expedition again - this time there's an SQL injection vuln that allows an unauthenticated attacker to reveal database contents, including password hashes, usernames, device configurations, and device API keys. Double fun!
UN cybercrime treaty still needs work, say security researchers
Bug bounty outlet HackerOne has sent a letter to the US government urging it to push for the adoption of cybersecurity researcher protections in the UN Convention Against Cybercrime, which it said are all but nonexistent.
"The treaty encourages signatories to recognize the contributions of legitimate security researchers," said HackerOne chief legal officer Ilona Cohen. However, she opined the agreement "… falls far short of encouraging signatories to establish legal protections for legitimate security research."
HackerOne is hardly the first to complain about the language of the Convention, with everyone from the Electronic Frontier Foundation to Cisco suggesting it's too flawed to be adopted without modifications.
Like other concerned parties, HackerOne is worried that countries that don't have their own protections for researchers could end up passing laws based on the UN Convention, leaving researchers unprotected and open to prosecution.
And we all know what happens when the good guys can't get a crack at stuff: The bad guys end up getting there first.
Halliburton incident costs $35M
An August cyberattack that saw an unknown third party break into systems at oil equipment manufacturer Halliburton cost the company $35 million, the company admitted in its third-quarter earnings report.
Little mention was made of the incident in Halliburton's earnings statement - only a single line on page 13 mentioned a "cybersecurity incident" and its impact on unaudited earnings information.
The oil giant has been tight-lipped about the incident, only spilling the news formally in an SEC filing the day after it came to light. In September, it emerged that the incident led to data theft, but Halliburton said it didn't believe there would be any material impact on its business from the matter.
That is, aside from the $35 million spent dealing with the fallout. The company’s net income for the quarter was $571 million.
D-Link NAS devices won’t be patched to protect against flaw under active exploitation
It's been a little over a week since D-Link announced that several of its end-of-life network attached storage (NAS) devices included a rather serious command injection vulnerability that the company had no intention of fixing.
Now that vulnerability is under active exploitation.
Per the Shadowserver Foundation, attackers are targeting CVE-2024-10914, rated 9.2 on the CVSS scale. Shadowserver said it's spotted around 1,100 affected devices connected to the internet and open to exploitation, but there may be thousands more devices not directly accessible from the internet that could still be hit by an attacker who manages to breach a network perimeter.
D-Link said affected models include the DNS-320, DNS-325 and DNS-340L devices – and suggested all should be retired immediately. The vulnerability was discovered by NetSecFish, the same person who found another nasty bug in D-Link NAS devices back in April.
Google names top five online scams
Google trust and safety VP Laurie Richardson warned in a blog post last week that online scams are becoming more prevalent, and more complex.
The top five scams the Chocolate Factory tracks won't come as a surprise to anyone with an interest in infosec.
According to Google, "realistic public figure impersonation campaigns" involving the use of deepfakes are trending, as are crypto investment schemes.
App and landing page cloning is also a popular scam, as is landing page cloaking, which involves showing Google's crawlers content that differs from what visitors actually see, so that malicious pages stay hidden from auditors. Cloaked pages are often reproductions of well-known sites used to trick users into buying counterfeit or "unrealistic" products.
Lastly, Google said cybercriminals continue to prey on current events to launch scam campaigns, with sporting events, elections, popular television shows, and natural disasters all attracting con artists.
You've been warned, now go warn your users. ®