CyberSecurity Knuggets
Aug 28, 2024
Today I came across some concerning news regarding cybersecurity threats related to the upcoming US presidential election. It seems that there are hundreds, if not thousands, of newly registered domains that are poised to become election-related financial crime or disinformation destinations. These criminals are using candidate keywords to create phishing sites and are even selling swag through malicious shops designed to steal data. Some of these websites contain inappropriate content originating from China, luring people to dangerous websites that can install adware and spyware. Additionally, there is a widespread campaign to spread misinformation and manipulate public opinion, which could have significant implications for the election.
There are also reports concerning a major malware operation: a Belarusian citizen is wanted in the United States for his alleged participation in distributing malware and in online scams, and the Department of State and Secret Service are offering a reward for information leading to his arrest or conviction. On the technical side, researchers have described a less common technique called AppDomain Manager Injection, which can weaponize any Microsoft .NET application on Windows; it has been used in attacks targeting government agencies and military organizations in several countries.
Furthermore, Google has patched the tenth zero-day vulnerability exploited in the wild in 2024, which could have allowed remote attackers to exploit heap corruption via a crafted HTML page. This is a significant issue that required immediate attention.
Today’s cybersecurity news highlights some critical issues that require immediate attention. First, researchers at Lumen Technologies’ Black Lotus Labs have discovered an actively exploited zero-day flaw affecting the SD-WAN management platform Versa Director. The flaw allows threat actors to execute code by uploading Java files disguised as PNG images, and it has been exploited by the Chinese threat actor Volt Typhoon, with victims in the U.S. and non-U.S. internet service provider (ISP), managed service provider (MSP), and information technology (IT) sectors. Users are urged to upgrade to the latest patch to mitigate the risk.
In addition, researchers at Stroz Friedberg have identified a stealthy strain of Linux malware called “sedexp” that uses udev rules to maintain persistence and evade detection. This malware has been active since at least 2022 and has been deployed by a financially motivated threat actor to scrape credit card information. The persistence technique used by sedexp is uncommon and makes it difficult to detect, posing a serious threat to organizations using Linux systems.
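As an added, defender-side illustration (not part of the original post or of the Stroz Friedberg research), here is a small Python scan of udev rule files that flags RUN directives launching shells or binaries from untrusted or world-writable paths, the kind of entry a udev-based persistence mechanism needs. The embedded sample rules are constructed for the demo, and the trusted-path and shell lists are assumptions to tune per distribution.

```python
import re
from pathlib import Path
# Constructed sample rules for this demo (not sedexp's own rule text): one benign, two suspicious.
SAMPLE_RULES = """\
# benign: give the video group access to GPU devices
SUBSYSTEM=="drm", KERNEL=="card*", GROUP="video", MODE="0660"
# suspicious: launches a binary from a world-writable directory on every char-device add
ACTION=="add", ENV{MAJOR}=="1", RUN+="/var/tmp/.cache/updater start"
# suspicious: spawns a shell that backgrounds a hidden binary
SUBSYSTEM=="block", RUN+="/bin/sh -c 'nohup /home/user/.hidden/d &'"
"""

TRUSTED_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/dash"}
WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Captures RUN+=, RUN{program}+= and RUN{builtin}+= assignments as (kind, command string).
RUN_RE = re.compile(r'RUN(?:\{(program|builtin)\})?\+?=\s*"([^"]*)"')

def scan_rules_text(text, source="<inline>"):
    """Return findings for RUN directives that warrant analyst review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for kind, cmd in RUN_RE.findall(line):
            cmd = cmd.strip()
            if kind == "builtin" or not cmd:
                continue  # udev builtins (kmod, hwdb, ...) are not external programs
            exe = cmd.split()[0]
            reasons = []
            if exe in SHELLS:
                reasons.append("spawns a shell")
            elif "/" in exe and not exe.startswith(TRUSTED_PREFIXES):
                reasons.append("executable outside trusted system paths")
            if any(w in cmd for w in WRITABLE):  # bare names resolve under /usr/lib/udev
                reasons.append("references a world-writable directory")
            if reasons:
                findings.append({"source": source, "line": lineno, "cmd": cmd, "reasons": reasons})
    return findings

def scan_udev_dirs(dirs=("/etc/udev/rules.d", "/usr/lib/udev/rules.d", "/run/udev/rules.d")):
    # Scan every *.rules file in the standard udev rule directories; missing dirs yield nothing.
    findings = []
    for d in dirs:
        for path in sorted(Path(d).glob("*.rules")):
            findings.extend(scan_rules_text(path.read_text(errors="replace"), str(path)))
    return findings
if __name__ == "__main__":
    for f in scan_rules_text(SAMPLE_RULES) + scan_udev_dirs():
        print(f"{f['source']}:{f['line']}: {f['cmd']!r} -> {', '.join(f['reasons'])}")
```

Each finding is a review lead, not a verdict: confirm the flagged program against package ownership and file timestamps before treating it as persistence.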
Furthermore, the cybersecurity community has identified a cyberattack enablement business called “Greasy Opal” operating out of the Czech Republic, which offers CAPTCHA-solving services, SEO-boosting software, and social media automation services that are often used for spam and could potentially facilitate malware delivery. This trend of businesses operating in a gray zone reflects the growing sophistication of cybercriminal operations, and it is important for organizations to be aware of these threats and take proactive measures to protect their systems and data.
Finally, China’s Volt Typhoon hackers have been caught exploiting a zero-day vulnerability in servers used by ISPs and MSPs, which poses a significant risk to the security and stability of critical infrastructure and service providers. These developments underscore the ongoing and evolving threat landscape that organizations need to navigate, and it is crucial for them to stay informed and implement robust cybersecurity measures to defend against these sophisticated threats.
Stay Well!