Russian spies may have moved in next door to target your network
Plus: Microsoft seizes phishing domains; Helldown finds new targets; Illegal streaming with Jupyter, and more
Infosec in brief Not to make you paranoid, but that business across the street could, under certain conditions, serve as a launching point for Russian cyber spies to compromise your network.
Using what it described as "a novel attack vector … not previously encountered," threat intel and memory forensics firm Volexity reported it's spotted what it believes to be the APT28 Kremlin-backed threat actor targeting one of its clients by first compromising multiple organizations whose offices are in close physical proximity to the target.
Dubbed the "nearest neighbor attack" for lack of "any terminology describing this style of attack," Volexity explained the multi-step attack began with password-spraying the victim's web portals to get valid credentials.
Those credentials were unusable on the org's services because it had implemented multifactor authentication – except on its Wi-Fi network.
To get around the fact that it was targeting a Wi-Fi network thousands of miles away, APT28 breached the target's neighboring organizations, identified devices with both wired and wireless network adapters, and used them to connect to the target's Wi-Fi network with the stolen credentials. Once connected, the attackers moved laterally within the network and routed exfiltrated data through compromised machines on neighboring networks.
"Volexity's investigation reveals the lengths a creative, resourceful, and motivated threat actor is willing to go to in order to achieve their cyber espionage objectives," the security shop observed. "To reiterate, the compromise of these credentials alone did not yield access to the customer's environment. However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect."
In other words, now you have yet another system to secure with some form of multifactor authentication. Volexity noted that the guest Wi-Fi network was also compromised, and that a single system with access to both the guest and the more sensitive network was used to pivot into the latter – so be sure you isolate everything, too.
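The first two stages Volexity describes – a spray against a web portal that yields a valid credential, then that credential turning up on a Wi-Fi network without MFA – are both visible in authentication logs if someone correlates them. The script below is an added illustration, not Volexity's code or data: the log format and the sample lines are constructed for this example, and the thresholds (five distinct accounts from one source within ten minutes) are an assumption you would tune to your own portal.

```python
"""Spot password spraying against a web portal and flag later Wi-Fi logins by
the sprayed accounts. Added example; the log format below is constructed for
this illustration and is not Volexity's data or any vendor's real format:

    <ISO-8601 UTC> <service> auth-fail|auth-ok user=<name> src=<ip>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<event>auth-(?:fail|ok)) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.7 tries one password against six accounts in
# 15 seconds and lands "dana"; grace mistypes her own password twice; later
# "dana" authenticates to the Wi-Fi from a host on a neighbouring LAN.
SAMPLE_LOG = """\
2024-11-20T03:00:01Z portal auth-fail user=alice src=203.0.113.7
2024-11-20T03:00:04Z portal auth-fail user=bob src=203.0.113.7
2024-11-20T03:00:07Z portal auth-fail user=carol src=203.0.113.7
2024-11-20T03:00:10Z portal auth-ok user=dana src=203.0.113.7
2024-11-20T03:00:13Z portal auth-fail user=erin src=203.0.113.7
2024-11-20T03:00:16Z portal auth-fail user=frank src=203.0.113.7
2024-11-20T03:05:00Z portal auth-fail user=grace src=198.51.100.4
2024-11-20T03:05:20Z portal auth-fail user=grace src=198.51.100.4
2024-11-20T03:05:40Z portal auth-ok user=grace src=198.51.100.4
2024-11-20T09:12:00Z wifi auth-ok user=dana src=10.20.30.40
2024-11-20T09:15:00Z wifi auth-ok user=grace src=10.20.30.41
"""


def parse_events(lines):
    """Turn raw lines into dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, service="portal"):
    """Return {src_ip: sorted usernames} for sources that touched at least
    `min_users` distinct accounts inside any `window`. Successes count too:
    a spray that lands one valid credential is exactly the case that matters."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["service"] == service:
            by_src[ev["src"]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                hits.setdefault(src, set()).update(users)
    return {src: sorted(users) for src, users in hits.items()}


def sprayed_accounts_on_wifi(events, spray_hits, service="wifi"):
    """Successful Wi-Fi authentications by any account seen in a spray: the
    signal that a sprayed credential is being used where MFA is missing."""
    sprayed = {u for users in spray_hits.values() for u in users}
    return [
        (e["ts"].isoformat(), e["user"], e["src"])
        for e in events
        if e["service"] == service and e["event"] == "auth-ok" and e["user"] in sprayed
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    hits = detect_spray(evs)
    print("spray sources:", hits)
    print("sprayed accounts on Wi-Fi:", sprayed_accounts_on_wifi(evs, hits))
```

The second function is the one that matters for this attack: a spray alert on its own is routine noise for most portals, but a sprayed account then authenticating to a network that has no second factor is the moment to pull the session and reset the credential.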
Critical vulnerabilities of the week: Cisco cert lapse warning
Cisco reported a critical issue in its Firepower Management Center software this week, affecting versions 6 and 7, that can lead to a loss of management capabilities.
According to the report, an internal self-signed root certificate authority valid for ten years might be expiring soon, leaving administrators without the ability to manage connected devices. If it does lapse, "a more complex renewal process" will be necessary – so inspect yours and install necessary hotfixes ASAP.
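A ten-year internal CA is exactly the kind of certificate nobody has looked at since it was minted. As an added example (not Cisco's advisory or tooling), the script below triages a certificate inventory from the `notAfter=` lines that `openssl x509 -in cert.pem -noout -enddate` prints; the inventory entries and the device names are constructed, and the 90-day warning threshold is an assumption.

```python
"""Triage certificate expiry from `openssl x509 -noout -enddate` output.
Added example; the inventory below is constructed and the names are
placeholders, not Cisco product paths."""
import re
from datetime import datetime, timezone

ENDDATE_RE = re.compile(r"^notAfter=(?P<date>.+)$")

# Constructed inventory: device name -> the enddate line openssl printed for its cert.
# openssl pads single-digit days with a space ("Mar  3"), which the parser must tolerate.
SAMPLE_INVENTORY = {
    "fmc-internal-ca": "notAfter=Dec 15 00:00:00 2024 GMT",
    "web-portal": "notAfter=Mar  3 08:30:00 2027 GMT",
    "vpn-gateway": "notAfter=Oct 1 00:00:00 2024 GMT",
}

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 11, 25, tzinfo=timezone.utc)


def parse_enddate(line):
    """Parse one openssl enddate line into an aware UTC datetime."""
    m = ENDDATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an openssl enddate line: {line!r}")
    parts = m.group("date").split()  # collapses openssl's day padding
    if len(parts) != 5 or parts[4] != "GMT":
        raise ValueError(f"unexpected date layout: {line!r}")
    naive = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days until expiry; negative once the certificate has lapsed."""
    return (not_after - now).days


def triage(inventory, now, warn_days=90):
    """Return [(name, days_left, status)] soonest first, where status is
    'expired', 'expiring' (within warn_days) or 'ok'."""
    rows = []
    for name, line in inventory.items():
        left = days_remaining(parse_enddate(line), now)
        status = "expired" if left < 0 else "expiring" if left <= warn_days else "ok"
        rows.append((name, left, status))
    rows.sort(key=lambda r: r[1])
    return rows


if __name__ == "__main__":
    for name, left, status in triage(SAMPLE_INVENTORY, NOW):
        print(f"{status:9} {left:5d} days  {name}")
```

Run it over the output of a loop that extracts each certificate your management plane presents or trusts; a CA that is about to expire is still reported as `expiring`, which is when the normal renewal path is still open rather than the "more complex" one.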
Just one active, critical exploit to mention this week that we haven't already covered:
- CVSS 10.0 – CVE-2024-1212: Progress Software's LoadMaster load balancing software allows unauthenticated users to access it through the management interface, allowing for arbitrary system command execution.
There's one less phisher in the sea
Microsoft last week reported that it seized 240 fraudulent websites linked to a Phishing-as-a-Service operation based in Egypt that used the Linux Foundation's Open Neural Network Exchange (ONNX) to brand its malware.
"Abanoub Nady (known online as 'MRxC0DER') developed and sold 'do it yourself' phish kits and fraudulently used the brand name 'ONNX,'" Microsoft claimed. Along with the ONNX brand, Nady allegedly marketed his phishing kits under the names Caffeine and FUHRER, Microsoft's Digital Crimes Unit added.
Microsoft wrote that Nady's outfit operated since 2017 and offered ready-to-phish software with multiple subscription tiers – including an "Enterprise" edition that cost $550 for six months of "unlimited VIP support."
Microsoft and the Linux Foundation, which the Windows giant helps bankroll, have sued Nady, and a court document [PDF] unsealed last week indicates all the seized domains are now under Microsoft's control.
"We are taking affirmative action to protect online users globally rather than standing idly by while malicious actors illegally use our names and logos to enhance the perceived legitimacy of their attacks," Microsoft said.
DoD says its handling of controlled cryptographic devices is ▇▇▇▇
The US Department of Defense's inspector general last week released a report on the military's handling of controlled cryptographic items (CCI) used for secure communications – but you'll have to take the IG's word that everything is in good order, because it's not releasing any details.
In a barebones summary [PDF] of the audit, the IG said its review of seven CCI Central Offices of Record (COR) in the DoD did not yield any recommendations.
For those who don't read many US federal government IG reports, a recommendation is made whenever inspectors find noncompliance with some element of government policy – in this case the "handling, controlling, and accounting for CCI."
Zero recommendations means zero problems, we assume, but there's no way to be sure.
"This original evaluation contains a substantial amount of what was determined by the CORs to be controlled unclassified information," the summary read, "and, therefore, we are unable to release the full report or a redacted version."
If you want to learn more, you'll have to file a Freedom of Information Request and hope it succeeds.
Helldown ransomware begins targeting Linux, VMware ESX
The threat actor behind the Helldown ransomware that appeared in August targeting Windows systems has expanded to begin attacking Linux and VMware systems, Sekoia threat researchers have reported.
Racking up 31 known victims within three months, Helldown first made its mark by compromising the European subsidiary of telecom equipment vendor Zyxel. Most victims were located in the US.
As of late October, Sekoia believes there's now a Linux variant of the malware, which has been used to conduct double extortion – exfiltrating data before encrypting files.
Along with its Linux variant, "it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware," Sekoia noted.
Luckily for potential victims, this isn't a very sophisticated attack.
"Analysis suggests the ransomware they deploy is relatively basic," Sekoia explained. "The group's success appears to rely more on its access to undocumented vulnerability code and its effective use of it, making it easier to gain access for its attacks."
Jupyter Notebooks hijacked to stream football
Popular data science tools Jupyter Notebooks and JupyterLab are being hijacked by miscreants to stream UEFA matches illegally, cloud native infosec tools vendor Aqua Security has discovered.
As part of a honeypot operation to catch threat actors, Aqua said it spotted attackers targeting misconfigured Jupyter environments to drop live-stream capture tools to duplicate live sports broadcasts and "stream rip" them to their own illegal streaming servers.
The ingress route appears to rely on both vulnerabilities and weak passwords, Aqua revealed, with threat actors exploiting unauthenticated access to Jupyter Notebooks and Lab environments to establish access and achieve remote code execution.
Once in, the attackers dropped ffmpeg – an otherwise legitimate streaming tool – and misused it to stream broadcasts illegally.
"While the immediate impact on organizations might appear minimal … it's crucial to remember that the attackers gained access to a server intended for data analysis, which could have serious consequences for any organization's operations," Aqua wrote.
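The exposure Aqua describes comes down to a few server settings: no token or password, a bind address that listens on every interface, and often a kernel running as root. The block below is an added example, not Aqua's tooling: it audits a settings dictionary for those conditions and renders a hardened `jupyter_server_config.py`. The option names are jupyter_server's `ServerApp` traitlets (newer releases also accept the auth settings under `IdentityProvider`); the finding codes and the two sample settings dicts are constructed here.

```python
"""Audit Jupyter Server settings for unauthenticated, network-reachable
servers and render a hardened config. Added example; option names are
jupyter_server's ServerApp traitlets, the finding codes and the sample
settings are constructed for this illustration."""
import secrets

# Weak settings of the kind an exposed notebook server ships with.
WEAK = {
    "ServerApp.ip": "0.0.0.0",         # reachable from any network
    "ServerApp.token": "",             # empty token disables token auth
    "ServerApp.password": "",          # and no password hash either
    "ServerApp.allow_root": True,      # kernels run as root
    "ServerApp.allow_origin": "*",     # any web origin may drive the API
}

# The corrected counterpart.
HARDENED = {
    "ServerApp.ip": "127.0.0.1",       # local only; front it with a proxy or an SSH tunnel
    "ServerApp.token": secrets.token_hex(32),  # long random token, generated at config time
    "ServerApp.password": "",          # or instead the hash produced by `jupyter server password`
    "ServerApp.allow_root": False,
    "ServerApp.allow_origin": "",      # same-origin only (jupyter_server's default)
}

ANY_INTERFACE = {"", "*", "0.0.0.0", "::"}


def audit_jupyter_settings(settings):
    """Return finding codes, worst first. Keys absent from `settings` are
    treated as jupyter_server's defaults (random token, localhost, no root,
    same-origin), which is what an unedited install gets."""
    token = settings.get("ServerApp.token", "<default-random>")
    password = settings.get("ServerApp.password", "")
    ip = settings.get("ServerApp.ip", "localhost")
    findings = []
    if token == "" and password == "":
        findings.append("NO_AUTH")        # anyone who can reach the port gets a kernel
    if ip in ANY_INTERFACE:
        findings.append("ALL_INTERFACES")  # far worse when combined with NO_AUTH
    if settings.get("ServerApp.allow_root", False):
        findings.append("ROOT")
    if settings.get("ServerApp.allow_origin", "") == "*":
        findings.append("CORS_ANY")
    return findings


def render_config(settings):
    """Emit the settings as the body of a jupyter_server_config.py file."""
    lines = ["c = get_config()  # noqa: F821 (provided by Jupyter at load time)"]
    for key, value in settings.items():
        lines.append(f"c.{key} = {value!r}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("weak:    ", audit_jupyter_settings(WEAK))
    print("hardened:", audit_jupyter_settings(HARDENED))
    print(render_config(HARDENED))
```

The audit treats a missing key as the default rather than as a finding, so it only flags settings somebody actively weakened; pair it with a firewall check, because a correct `ip` setting is undone by a container that publishes the port on every host interface anyway.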
Secure those environments, folks. ®