Cyber Security Headlines – December 20, 2024
Hosted by CISO Series
The latest episode of Cyber Security Headlines by CISO Series delves into several critical incidents shaping the information security landscape. From malicious Android apps to significant cyberattacks on leading security firms, the episode provides a comprehensive overview of recent threats and vulnerabilities. Below is a detailed summary of the key discussions, insights, and conclusions presented.
1. Android Malware Disguised as a Health App on Amazon App Store
Timestamp: [00:06]
The episode opens with a concerning revelation about Android malware infiltrating the Amazon App Store. Steve Prentiss reports on the discovery of the "BMI Calculation VSN" app, published by PT VisionNet Data International. Initially presented as a simple body mass index calculator, the app covertly harbored stealer malware.
- Key Details:
- Malicious Activity: The app performed its advertised function, but in the background it recorded activity on the phone, scanned the device, and harvested SMS messages, including one-time passwords and verification codes, which is what makes it a stealer rather than a nuisance.
- Immediate Action: Upon detection by McAfee researchers, the app was promptly removed from the Amazon App Store. Users who downloaded the app are being urged to manually delete it and conduct full device scans to eradicate any residual malware.
Notable Quote:
"The malicious app published by PT VisionNet Data International was promoted as a simple body mass index calculator tool, something that it actually does, but while doing so it also records all activity on the phone..." – Steve Prentiss [00:06]
2. Cyberattack on BeyondTrust
Timestamp: [02:30]
BeyondTrust, a cybersecurity company specializing in privileged access management and secure remote access, detected anomalous behavior in its Remote Support SaaS instances on December 2 and subsequently confirmed a compromise.
- Impact Analysis:
- Breach Mechanism: Attackers obtained a Remote Support SaaS API key that allowed them to reset passwords for local application accounts. A key with that authority is effectively an administrative credential, so its exposure is as serious as an admin account takeover.
- Response Measures: BeyondTrust revoked the compromised API key and notified affected customers. The extent of the impact on downstream customers remains unclear.
Notable Quote:
"After detecting what the company called anomalous behavior, it was determined that hackers gained access to a remote support SaaS API key that allowed them to reset passwords for local application accounts." – Steve Prentiss [02:30]
3. Fortinet’s Wireless LAN Manager Vulnerability
Timestamp: [04:15]
Fortinet has identified and patched a critical vulnerability in its Wireless LAN Manager (WLM), rated with a CVSS score of 9.6.
- Vulnerability Details:
- CVE Reference: The CVE identifier is given in the show notes. The flaw allowed remote attackers to abuse a log-reading function through crafted requests to a specific endpoint, so the server could be made to return log contents it should never expose.
- Exploitation Risks: Horizon3AI's Zach Hanley highlighted that verbose logs in WLM recorded session IDs. Because a session ID is a bearer credential, any read of those logs hands the attacker a live session, allowing session hijacking and access to sensitive endpoints without knowing a password.
Notable Quote:
"The vulnerability enables remote attackers to exploit log reading functions via crafted requests to a specific endpoint." – Zach Hanley, Horizon3AI [04:15]
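The chain described above, as an added illustration (not FortiWLM's or Horizon3's code): a log-reading endpoint that serves whatever file name it is given, a verbose log that stores session IDs, and the two independent fixes that break the chain. The directory layout, log format, session-cookie name and the 16-hex-digit session format are assumptions made for the example.

```python
"""Added example: why 'file read' plus 'session IDs in logs' equals session
hijack, and how to break each half of the chain. Not vendor code."""
import os
import re
import tempfile

# Constructed environment: a log directory and the log names the endpoint may serve.
LOG_DIR = tempfile.mkdtemp(prefix="wlm-logs-")
ALLOWED_LOGS = {"access.log", "error.log"}

# Constructed verbose access log: the kind of line that leaks a live session.
SAMPLE_LOG = (
    "2024-12-18 10:01:02 INFO GET /admin cookie=session_id=9f3c1a7b2e8d4c5f;user=admin\n"
    "2024-12-18 10:01:05 INFO GET /status cookie=session_id=1c4e0a2b8f9d3e7a;user=operator\n"
)

# Assumed session format: 16 hex digits after 'session_id='.
SESSION_RE = re.compile(r"(session_id=)([0-9a-f]{16})")


def write_log(name, text):
    with open(os.path.join(LOG_DIR, name), "w") as fh:
        fh.write(text)


def read_log_vulnerable(name):
    """Mirrors the flaw class: the caller-supplied name is joined without any
    validation, so '../x' or an absolute path escapes LOG_DIR entirely."""
    with open(os.path.join(LOG_DIR, name)) as fh:
        return fh.read()


def read_log_hardened(name):
    """Fix 1: allowlist the names the endpoint may serve, then resolve the
    final path and prove it is still inside LOG_DIR before opening it."""
    if name not in ALLOWED_LOGS:
        raise PermissionError(f"log {name!r} is not servable")
    base = os.path.realpath(LOG_DIR)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        raise PermissionError("path escaped the log directory")
    with open(path) as fh:
        return fh.read()


def redact(line):
    """Fix 2: never write a bearer secret to a log. Keep a 4-character prefix
    so operators can still correlate requests, but not enough to replay."""
    return SESSION_RE.sub(lambda m: m.group(1) + m.group(2)[:4] + "...", line)


def harvested_sessions(log_text):
    """What the attacker does with leaked log text: pull every session ID."""
    return [m.group(2) for m in SESSION_RE.finditer(log_text)]


if __name__ == "__main__":
    write_log("access.log", SAMPLE_LOG)
    print("leaked via vulnerable read:", harvested_sessions(read_log_vulnerable("access.log")))
    redacted = "".join(redact(l) for l in SAMPLE_LOG.splitlines(keepends=True))
    print("harvestable after redaction:", harvested_sessions(redacted))
    try:
        read_log_hardened("../access.log")
    except PermissionError as exc:
        print("hardened read refused:", exc)
```

Both fixes matter on their own: the allowlist closes the read primitive, and redaction at write time means that even a future read bug, or a support bundle mailed to a vendor, does not carry usable credentials.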
4. Juniper Routers Targeted by Mirai Malware
Timestamp: [05:45]
Juniper has issued an advisory concerning its Session Smart Routers, which have been targeted by a variant of the Mirai malware because devices were left running default factory passwords.
- Incident Overview:
- Malware Activity: The malware scans for routers that still accept default credentials, logs in, and enlists them as sources for Distributed Denial of Service (DDoS) attacks that overwhelm target websites with traffic.
- Recommendations: Juniper advises customers to set strong, unique passwords on their routers and to monitor for signs of compromise, such as unusual port scanning, increased login attempts, and spikes in outbound Internet traffic. Changing the password stops new infections but does not clean an already-infected device, so the monitoring step is not optional.
Notable Quote:
"Customers with session smart routers immediately apply strong, unique passwords and continue to monitor for suspicious network activity such as unusual port scanning, increased login attempts and spikes in outbound Internet traffic." – Steve Prentiss [05:45]
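One of the signals Juniper's advisory tells operators to watch, "increased login attempts", as an added detection example (not Juniper's tooling): a Mirai-style run through a short dictionary of factory credentials shows up as a burst of failed logins from one source, often followed by a success. The SSH auth-log lines, host name and IP addresses below are constructed for the example (RFC 5737 documentation ranges); the thresholds are assumptions to tune for a real environment.

```python
"""Added example: flag a default-credential login burst, and a password
login that succeeds right after one, from sshd-style auth log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log: five rapid failures from one source, then a successful
# password login for 'root'; later, an unrelated operator using a key.
SAMPLE_AUTH_LOG = """\
Dec 18 10:00:01 ssr-edge1 sshd[4102]: Failed password for root from 203.0.113.7 port 40101 ssh2
Dec 18 10:00:01 ssr-edge1 sshd[4103]: Failed password for admin from 203.0.113.7 port 40102 ssh2
Dec 18 10:00:02 ssr-edge1 sshd[4104]: Failed password for root from 203.0.113.7 port 40103 ssh2
Dec 18 10:00:02 ssr-edge1 sshd[4105]: Failed password for invalid user support from 203.0.113.7 port 40104 ssh2
Dec 18 10:00:03 ssr-edge1 sshd[4106]: Failed password for root from 203.0.113.7 port 40105 ssh2
Dec 18 10:00:03 ssr-edge1 sshd[4107]: Accepted password for root from 203.0.113.7 port 40106 ssh2
Dec 18 10:05:00 ssr-edge1 sshd[4190]: Failed password for ops from 198.51.100.20 port 50010 ssh2
Dec 18 10:05:30 ssr-edge1 sshd[4191]: Accepted publickey for ops from 198.51.100.20 port 50011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(log_text, year=2024):
    """Turn syslog-style sshd lines into (timestamp, result, method, user, ip).
    Syslog omits the year, so the caller supplies it (assumed 2024 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bursts(events, threshold=5, window_s=60):
    """Rule 1: a source that fails >= threshold logins within window_s seconds.
    Rule 2: a password login that succeeds from a source already flagged by
    rule 1, which is the Mirai pattern (one factory credential worked)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    burst_sources = set()
    findings = []
    for ts, result, method, user, ip in events:
        if result == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) == threshold:      # fire once per burst
                burst_sources.add(ip)
                findings.append({"rule": "login_burst", "ip": ip, "at": ts.isoformat()})
        elif method == "password" and ip in burst_sources:
            findings.append({"rule": "success_after_burst", "ip": ip,
                             "at": ts.isoformat(), "user": user})
    return findings


if __name__ == "__main__":
    for finding in detect_bursts(parse(SAMPLE_AUTH_LOG)):
        print(finding)
```

The "success_after_burst" finding is the one to page on: a burst alone may be background scanning, but a password acceptance from the same source means the default credential is still in place and the device should be treated as compromised until proven otherwise.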
5. Departure of DHS Official Responsible for Cyber Safety Review Board
Timestamp: [06:25]
Rob Silvers, Undersecretary for Policy at the Department of Homeland Security (DHS), has left his post. His tenure was marked by a strong focus on cybersecurity, including chairing the Cyber Safety Review Board established by President Joe Biden.
- Contextual Insights:
- Common Practice: According to Recorded Future News, such departures are routine after an election, ahead of Inauguration Day on January 20th.
- Legacy: Silvers' contributions were pivotal in addressing ransomware threats and overseeing investigations into major digital incidents.
Notable Quote:
"During his tenure, Silvers focused heavily on cybersecurity issues such as ransomware, and also chaired the Cyber Safety Review Board established by President Joe Biden to probe major digital incidents." – Steve Prentiss [06:25]
6. CISA’s Advisory on Mobile Device Security Amid Salt Typhoon Breaches
Timestamp: [06:50]
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a five-page advisory emphasizing the importance of securing mobile devices, especially for highly targeted individuals, in the wake of the ongoing Salt Typhoon saga.
- Advisory Highlights:
- Encryption Guidance: CISA recommends consistent use of end-to-end encrypted messaging so that communications cannot be read or altered in transit even when the carrier network itself is compromised.
- Threat Landscape: Anne Neuberger, US Deputy National Security Adviser for Cyber and Emerging Technologies, confirmed the presence of Chinese actors within breached systems, necessitating heightened security measures for senior officials and politicians.
Notable Quote:
"Senior government officials and politicians need to use end to end encrypted apps and should assume that all of their messages are at risk of being stolen or manipulated." – Steve Prentiss [06:50]
7. Ukrainian National Sentenced for Operating Raccoon Infostealer Malware
Timestamp: [07:15]
Mark Sokolovsky, a Ukrainian national, has been sentenced to five years in federal prison for his involvement with the Raccoon Infostealer malware. This malicious software compromised millions of computers globally to exfiltrate personal data.
- Case Details:
- Role in Operations: Sokolovsky was integral to deploying and managing Raccoon Infostealer, which was sold as a service for $200 per month, paid in cryptocurrency.
- Data Compromised: The malware was adept at stealing login credentials, financial information, and other sensitive personal records.
Notable Quote:
"Ukrainian national Mark Sokolovsky has been sentenced now to five years in federal prison for his role in operating Raccoon Infostealer malware, which infiltrated millions of computers worldwide to steal personal data." – Steve Prentiss [07:15]
Upcoming Events
Listeners are encouraged to join the upcoming Week in Review show featuring Bethany Delude, CISO at the Carlyle Group, who will provide expert commentary on the week's cybersecurity news. Registration is available through the CISO Series events page.
For more in-depth coverage of these headlines and additional stories, visit CISOseries.com.
