Transcript
A (0:00)
From the CISO series. It's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Friday, December 20, 2024. I'm Steve Prentice.

Android malware found on Amazon App Store disguised as health app. The app is named BMI Calculation VSN and was found by researchers at McAfee, who saw that rather than being a health tool specifically, it is in fact stealer malware, as could be guessed by its name. The malicious app, published by PT VisionNet Data International, was promoted as a simple body mass index calculator tool, something that it actually does, but while doing so it also records all activity on the phone and scans the device and collects SMS messages sent and stored on the device, including one-time passwords and verification codes. It has since been removed from the Amazon App Store, and anyone who has downloaded it is being urged to manually remove it and perform a full scan to eliminate any leftover traces.

BeyondTrust suffers cyberattack. BeyondTrust, a cybersecurity company specializing in privileged access management and secure remote access solutions, itself suffered a cyberattack on December 2. Its products are used by government agencies, tech firms, retail and e-commerce entities, healthcare organizations, energy and utility service providers, and the banking sector. After detecting what the company called anomalous behavior, it was determined that hackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts. BeyondTrust immediately revoked the API key and notified known impacted customers. It is not yet clear whether the threat actors were able to use the compromised Remote Support SaaS instances to breach downstream customers.

Fortinet warns of critical flaw in Wireless LAN Manager. This flaw, which has now been patched, could have allowed admin access and sensitive information disclosure on the Wireless LAN Manager, FortiWLM, product. Security researcher Zach Hanley from Horizon3.ai stated that the vulnerability, which has a CVE number as well as a CVSS score of 9.6, enables remote attackers to exploit log reading functions via crafted requests to a specific endpoint. A subsequent report from Horizon3 stated that FortiWLM's verbose logs expose session IDs, enabling attackers to exploit log file read vulnerabilities to hijack sessions and access authenticated endpoints. The CVE number for this vulnerability is available in the show notes to this episode.

Thanks to today's episode's sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Well, worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com, that is T-H-R-E-A-T-locker.com.

DHS official who launched Cyber Safety Review Board departs. Rob Silvers served as the Under Secretary for Policy at the Department of Homeland Security until his departure this past Wednesday. As stated by Recorded Future News, such departures are common following an election in the period prior to Inauguration Day, which is of course January 20th. During his tenure, Silvers focused heavily on cybersecurity issues such as ransomware, and also chaired the Cyber Safety Review Board established by President Joe Biden to probe major digital incidents.

Juniper routers with default passwords are attracting Mirai infections, says manufacturer. According to an advisory from Juniper, customers last week started reporting suspicious behavior on their Session Smart Routers. What the customers all had in common was that they were still using the factory-set passwords on the devices. A subsequent investigation found a variation of Mirai malware that had been scanning for such vulnerable routers. Once infected, the devices were subsequently used as a DDoS attack source, attempting to disrupt websites with junk traffic. Juniper does not mention how many devices were infected or where the attacks were directed, but they recommend that customers with Session Smart Routers immediately apply strong, unique passwords and continue to monitor for suspicious network activity such as unusual port scanning, increased login attempts and spikes in outbound Internet traffic.

CISA urges senior government officials to lock down mobile devices due to Salt Typhoon. The Salt Typhoon saga continues, now with CISA urging, via a five-page advisory released on Wednesday, that all "highly targeted individuals rely on the consistent use of end-to-end encryption," end quote. Although CISA executive Jeff Greene has declined to provide more information on the government's investigation into the Salt Typhoon breaches, Anne Neuberger, the US Deputy National Security Adviser for Cyber and Emerging Technologies, has previously said that Chinese actors are still inside the breached systems. As such, CISA says senior government officials and politicians need to use end-to-end encrypted apps and should "assume that all of their messages are at risk of being stolen or manipulated," end quote.

Ukrainian sentenced to five years in jail for work on Raccoon Stealer. Following up on a story we have been covering for quite a while, Ukrainian national Mark Sokolovsky has now been sentenced to five years in federal prison for his role in operating Raccoon Infostealer malware, which infiltrated millions of computers worldwide to steal personal data. The 28-year-old was described in court documents as being integral to operations that allowed "the leasing of Raccoon Infostealer for $200 per month, payable via cryptocurrency," end quote. The malware was used to extract data such as login credentials, financial information and other personal records.

Make sure to join us later today at 3:30pm Eastern for our Week in Review show. Bethany De Lude, CISO at the Carlyle Group, will be our guest, providing her expert commentary on the news of the week. And we encourage participation and comments through our YouTube live channel. Just go to the events page at cisoseries.com to register and we will see you there. I'm Steve Prentice reporting for the CISO Series.
