Cyber Security Headlines: December 26, 2024
Hosted by CISO Series
In this episode of Cyber Security Headlines by CISO Series, host Steve Prentice covers several pressing issues in the information security landscape: the closure of a key counter-disinformation office, cyberattacks affecting public infrastructure, and critical software vulnerabilities. Below is a summary of the key items, the host's reporting on each, and the practical takeaways.
1. Closure of the Disinformation Office
Timestamp: [00:06]
The episode opens with the announcement that the State Department's Global Engagement Center, an office dedicated to combating global disinformation, is shutting down after Congress declined to fund it beyond this year.
Steve Prentice reports:
"Congressional lawmakers have excluded any new funding for the office responsible for fighting global disinformation beyond this year. Known as the Global Engagement Center, it actually lost its authority on December 24 despite a concerted push by State officials to lobby Congress for an extension. This has proven to be a source of frustration given the increasing activities of nation states delivering misinformation to countries around the world, especially where elections are occurring."
The termination of funding comes at a critical time as misinformation campaigns by various nation-states are on the rise, particularly targeting countries during election cycles. The closure raises concerns about the United States' capacity to counteract such disinformation efforts moving forward.
2. Pittsburgh Regional Transit Ransomware Attack
In another significant headline, Pittsburgh Regional Transit (PRT) was hit by a ransomware attack detected on December 19, causing disruptions to public transportation services.
Steve Prentice details:
"Pittsburgh Regional Transit suffers ransomware attack. This attack, which was first detected on December 19, caused disruptions to public transportation, including on some parts of the city's river rail service and some rider services overall. According to The Record, IT officials at PRT are still examining whether data was stolen and have pledged to provide public updates as the investigation evolves."
PRT has not identified the perpetrators or given a timeline for restoring full service. The incident shows how a ransomware intrusion on a transit agency's IT systems becomes a service outage for riders, and that determining whether data was stolen typically lags the initial containment.
3. Mirai Botnet Targets NVRs and TP-Link Routers
Timestamp: [00:06]
The episode highlights an ongoing threat from a variant of the Mirai botnet, which is targeting network video recorders (NVRs) and TP-Link routers.
Steve Prentice explains:
"Another Mirai botnet targets NVRs and TP-Link routers. This particular botnet is actively exploiting a remote code execution vulnerability that has not received a tracker number and appears to be unpatched in DigiEver DS-2105 Pro NVRs. This attack campaign started in October. It seeks out network video recorders and TP-Link routers that have outdated firmware. The vulnerability exploited to compromise DigiEver NVRs is a remote code execution flaw. Compromised devices are then used to conduct distributed denial of service attacks or to spread to other devices by leveraging exploit sets and credential lists."
This is the standard Mirai playbook: the botnet combines an unpatched remote code execution flaw (one with no CVE identifier yet) with lists of default and weak credentials to take over devices, then repurposes them for DDoS and for further scanning. The practical caveat is that a firmware update only helps where a fix exists. For the DigiEver NVRs, which have no patch at the time of the episode, the mitigations are to keep the devices' telnet and web management interfaces off the internet, replace default credentials, and watch for the scanning and login patterns the botnet generates.
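The credential-list spreading described above leaves a recognisable trace in device or gateway logs: one source trying several distinct username/password pairs against several distinct hosts in a short window. The detector below is an added example, not code from CISO Series or from any vendor; it parses a constructed log format (the `src=... dst=... user=... pass=... result=...` layout and the TEST-NET addresses are assumptions) and flags sources that match a Mirai-style spray, reporting which targets they logged into successfully.

```python
import re
from collections import defaultdict

# Constructed sample of device-facing auth events (TEST-NET addresses); not real telemetry.
# The first source walks a default-credential list across four NVR/router hosts and lands one login;
# the second is an operator mistyping a password once on the web UI.
SAMPLE_LOG = """\
2024-12-20T03:14:07Z src=203.0.113.7 dst=192.0.2.10 svc=telnet user=root pass=xc3511 result=fail
2024-12-20T03:14:08Z src=203.0.113.7 dst=192.0.2.10 svc=telnet user=admin pass=admin result=fail
2024-12-20T03:14:09Z src=203.0.113.7 dst=192.0.2.11 svc=telnet user=root pass=vizxv result=fail
2024-12-20T03:14:10Z src=203.0.113.7 dst=192.0.2.12 svc=telnet user=admin pass=1234 result=fail
2024-12-20T03:14:11Z src=203.0.113.7 dst=192.0.2.13 svc=telnet user=root pass=admin result=success
2024-12-20T03:20:00Z src=198.51.100.4 dst=192.0.2.10 svc=http user=admin pass=***** result=fail
2024-12-20T03:20:05Z src=198.51.100.4 dst=192.0.2.10 svc=http user=admin pass=***** result=success
"""

# Assumed key=value log layout; adapt the pattern to the real device or syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) svc=(?P<svc>\S+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<result>\S+)$"
)


def parse_events(text: str) -> list[dict]:
    """Turn raw log text into a list of event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_credential_sprayers(events, min_attempts=4, min_targets=3, min_creds=3) -> dict:
    """Flag sources that try several distinct credential pairs against several distinct hosts.

    A single user failing a few times on one host never reaches the thresholds; a bot working
    through a credential list across a subnet does. Returns {src: {"targets": [...], "compromised": [...]}}.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "targets": set(), "creds": set(), "hits": set()})
    for e in events:
        s = per_src[e["src"]]
        s["attempts"] += 1
        s["targets"].add(e["dst"])
        s["creds"].add((e["user"], e["pw"]))
        if e["result"] == "success":
            s["hits"].add(e["dst"])  # a success after a spray means that host is now likely a bot

    flagged = {}
    for src, s in per_src.items():
        if (s["attempts"] >= min_attempts
                and len(s["targets"]) >= min_targets
                and len(s["creds"]) >= min_creds):
            flagged[src] = {"targets": sorted(s["targets"]), "compromised": sorted(s["hits"])}
    return flagged


if __name__ == "__main__":
    for src, info in find_credential_sprayers(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {len(info['targets'])} hosts, logged into {info['compromised']}")
```

The "compromised" list is the part worth acting on: hosts that accepted a sprayed credential should be pulled off the network and re-credentialed, not just blocked at the perimeter, because Mirai variants immediately use them as the next scanner.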
4. Critical SQL Injection Vulnerability in Apache Traffic Control
A critical vulnerability in the Apache Traffic Control software has been identified, necessitating urgent patches.
Steve Prentice informs:
"According to The Hacker News, the Apache Software Foundation has shipped security updates to address a critical security flaw in Traffic Control that could allow an attacker to execute arbitrary Structured Query Language commands in the database. This vulnerability has a CVSS rating of 9.9. Consequently, users are recommended to update their instances to the latest versions of the software as soon as possible."
The flaw, tracked as CVE-2024-45387 and rated CVSS 9.9, is a SQL injection in the Traffic Ops component of Apache Traffic Control; it affects versions 8.0.0 through 8.0.1 and is fixed in 8.0.2. Arbitrary SQL against the Traffic Ops database means read and write access to the CDN configuration the whole deployment is built from, so administrators should upgrade now and, until they do, treat Traffic Ops API access as privileged and review the database for unexpected changes.
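To make concrete what "execute arbitrary SQL commands in the database" means, here is an added example (not Apache Traffic Control's code, and not the vulnerable code path itself) built on an in-memory SQLite database with constructed tables. The lookup names, table layout and payloads are assumptions chosen to resemble a CDN inventory; the point is the contrast between a query built by string splicing and the same query with a bound parameter.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed rows standing in for a CDN inventory and its API users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cdn_servers (id INTEGER PRIMARY KEY, host TEXT NOT NULL, tenant TEXT NOT NULL)")
    conn.execute("CREATE TABLE api_users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO cdn_servers (host, tenant) VALUES (?, ?)",
        [("edge1.acme.example", "acme"), ("edge2.acme.example", "acme"), ("edge1.globex.example", "globex")],
    )
    conn.executemany(
        "INSERT INTO api_users (username, password_hash) VALUES (?, ?)",
        [("admin", "$2b$12$constructedhashA"), ("ops", "$2b$12$constructedhashB")],
    )
    return conn


def hosts_for_tenant_vulnerable(conn: sqlite3.Connection, tenant: str) -> list[str]:
    """Vulnerable form: attacker-controlled text is spliced into the statement.

    A quote in `tenant` ends the string literal early, and everything after it is parsed as SQL.
    """
    sql = f"SELECT host FROM cdn_servers WHERE tenant = '{tenant}'"
    return [row[0] for row in conn.execute(sql)]


def hosts_for_tenant_fixed(conn: sqlite3.Connection, tenant: str) -> list[str]:
    """Hardened form: a bound parameter. The driver hands the value to the engine separately
    from the statement text, so it is only ever compared against the column, never parsed."""
    return [row[0] for row in conn.execute("SELECT host FROM cdn_servers WHERE tenant = ?", (tenant,))]


# Two classic payloads (constructed): a tautology that returns every row, and a UNION that
# pulls rows from a table the query was never meant to touch. The trailing "--" comments out
# the closing quote the template appends.
TAUTOLOGY = "' OR '1'='1"
UNION_EXFIL = "x' UNION SELECT username || ':' || password_hash FROM api_users --"


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable, tautology:", hosts_for_tenant_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union    :", hosts_for_tenant_vulnerable(db, UNION_EXFIL))
    print("fixed, tautology     :", hosts_for_tenant_fixed(db, TAUTOLOGY))
    print("fixed, union         :", hosts_for_tenant_fixed(db, UNION_EXFIL))
```

The same distinction applies whatever the database driver: any value that originates from a request body, query string or header goes through a placeholder, and identifiers that cannot be bound (table or column names) are checked against an allowlist before being spliced.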
5. North Korean Hackers Target Nuclear Organizations
Kaspersky has reported that North Korean hacking group Lazarus is employing new tools to infiltrate nuclear-related organizations.
Steve Prentice states:
"According to Kaspersky, this campaign has been attributed to the Lazarus group and occurred earlier this year using an array of malware, including newly identified tools. The attack on the unnamed nuclear organization involved what was referred to as alarming twists on their usual approaches, including a complex infection chain that included multiple types of malware such as downloader, loader and backdoor, demonstrating the group's evolved delivery and improved persistence methods."
Chaining several stages (downloader, loader, backdoor) in one infection points to more modular delivery and more durable persistence than Lazarus's earlier tooling, and it gives defenders several distinct artifacts to hunt for rather than one. The choice of a nuclear organization as the target makes the espionage stakes plain.
6. Charming Kitten Deploys New C++ Malware Variant
Timestamp: [00:06]
Iran-based hacking group Charming Kitten has introduced a C++ variant of its BellaCiao malware, named BellaCPP.
Steve Prentice reports:
"According to another report from Kaspersky, the hacking group based out of Iran has been observed deploying a C++ variant of known malware called BellaCiao. This new version, named BellaCPP, was found inside a system in Asia that had also been infected with the BellaCiao malware. Unlike BellaCiao, BellaCPP does not use a web shell to upload and download arbitrary files, as well as to run commands. This new variant represents one of many custom malware families that the Charming Kitten actor has developed."
Dropping the web shell component that BellaCiao used for file transfer and command execution, while reimplementing the rest in C++, matters operationally: detections and hunts keyed on BellaCiao's web shell artifacts will not fire on BellaCPP, so defenders need coverage for the variant itself rather than relying on the older indicators.
7. Ruijie Networks' Cloud Platform Vulnerabilities Exposed
Timestamp: [00:06]
Researchers at Claroty have uncovered critical flaws in Ruijie Networks' Reyee cloud platform that could expose cloud-managed devices to remote compromise.
Steve Prentice explains:
"Ruijie Networks' cloud platform flaws could expose devices to remote attacks. Researchers at Claroty (that is, C-L-A-R-O-T-Y) discovered the flaws, which they say affect both the Reyee platform, from Ruijie (spelled R-U-I-J-I-E), as well as Reyee OS network devices. If exploited, they could allow a malicious attacker to execute code on any cloud-enabled device, giving them the ability to control tens of thousands of devices. Of the 10 vulnerabilities discovered by Claroty, three are rated critical in severity, with CVSS scores of 9.4, 9.8 and also 9.8. The organization's research also found that it would be easy to break MQTT authentication by knowing a device's serial number, which could subsequently exploit access to Ruijie's MQTT broker in order to receive a full list of all cloud-connected devices' serial numbers."
Two of the findings compound each other: code execution on any cloud-enabled device, and MQTT credentials that an attacker can reproduce from nothing more than a device serial number, after which the broker can be queried for the serial numbers of every other connected device. A credential that can be derived from an identifier printed on the device label is not a secret, and a broker that lets one device read the whole fleet's identifiers turns one weak login into fleet-wide enumeration. Operators should apply Ruijie's fixes; the design lesson is per-device random secrets and per-device topic authorization on the broker.
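The MQTT finding is best understood as a design flaw rather than a bug, so the added example below (mine, not Ruijie's or Claroty's code; the exact derivation Claroty found is not on this page) models it generically: a hypothetical weak scheme in which the broker password is a hash of the serial number, next to a hardened scheme with a per-device random secret issued at provisioning and a broker ACL that confines each device to its own topics. The serial formats, topic layout and hash choices are assumptions.

```python
import hashlib
import hmac
import secrets

# --- Weak scheme (hypothetical; models "authentication breakable from the serial number") ---

def weak_password(serial: str) -> str:
    """Password is a pure function of the serial, a value printed on the device label."""
    return hashlib.md5(serial.encode()).hexdigest()


def weak_authenticate(username: str, password: str) -> bool:
    """Broker-side check for the weak scheme: username is the serial, password is derived from it."""
    return hmac.compare_digest(password, weak_password(username))


def attacker_login_from_serial(serial: str) -> bool:
    """An attacker who knows only the serial can reproduce the credential and log in as that device."""
    return weak_authenticate(serial, weak_password(serial))


# --- Hardened scheme: per-device random secret issued at provisioning, stored hashed ---

class DeviceRegistry:
    def __init__(self) -> None:
        self._secret_hashes: dict[str, str] = {}

    def provision(self, serial: str) -> str:
        """Issue a fresh random secret for this device; only its hash is kept server-side.

        The serial is now just a username; nothing about the password follows from it.
        """
        secret = secrets.token_urlsafe(32)
        self._secret_hashes[serial] = hashlib.sha256(secret.encode()).hexdigest()
        return secret  # delivered to the device once, over a trusted provisioning channel

    def authenticate(self, username: str, password: str) -> bool:
        stored = self._secret_hashes.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())


def topic_allowed(serial: str, topic: str, action: str) -> bool:
    """Broker ACL: a device may publish only its own telemetry and subscribe only to its own commands.

    Wildcards are rejected so a single compromised device cannot listen to, or enumerate, the fleet.
    """
    if "+" in topic or "#" in topic:
        return False
    if action == "publish":
        return topic == f"devices/{serial}/telemetry"
    if action == "subscribe":
        return topic == f"devices/{serial}/cmd"
    return False


if __name__ == "__main__":
    serial = "RJ-0001"  # constructed serial number
    print("weak scheme, login from serial alone:", attacker_login_from_serial(serial))
    registry = DeviceRegistry()
    issued = registry.provision(serial)
    print("hardened, guess derived from serial :", registry.authenticate(serial, weak_password(serial)))
    print("hardened, provisioned secret        :", registry.authenticate(serial, issued))
    print("ACL, subscribe to devices/+/cmd     :", topic_allowed(serial, "devices/+/cmd", "subscribe"))
```

In production the per-device secret is usually a client certificate presented over TLS rather than a password, but the property is the same: the broker must not be able to accept anything an attacker can compute from public information, and its authorization rules must scope each identity to its own topics.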
8. European Space Agency’s Online Store Compromised
The European Space Agency (ESA)’s official online merchandise store was hacked, resulting in the theft of customer payment information.
Steve Prentice reports:
"European Space Agency's official store hacked to steal payment cards. This hack occurred at the agency's official online merchandise store and included a malicious script that sought to collect customer information, including payment card data provided at the final stage of a purchase. E-commerce security company Sansec noticed the malicious script on December 23 and warned that the store appeared to be integrated with ESA's systems, which could pose a risk to the agency's employees. The web store is currently unavailable, showing a message that it is temporarily 'out of orbit' for some exciting renovations."
This is a card-skimming (Magecart-style) compromise: a script injected into the checkout flow captures card data as customers enter it and sends it to the attacker. Sansec's warning about integration with ESA's own systems is the point a practitioner should not miss: a merchandise store that shares infrastructure or accounts with the agency extends the blast radius well beyond customer cards. Taking the store offline stops further skimming while the agency investigates how the script got in.
Conclusion
The episode of Cyber Security Headlines provides an in-depth look at several high-impact cybersecurity incidents and vulnerabilities. From the strategic implications of closing the Global Engagement Center to the immediate threats posed by ransomware attacks and advanced persistent threats from sophisticated hacking groups, the episode underscores the dynamic and evolving nature of the cybersecurity landscape. Additionally, the discussion emphasizes the critical need for timely software updates, robust security measures, and proactive strategies to mitigate emerging threats.
For those seeking more detailed information on these topics, CISO Series encourages listeners to visit cisoseries.com for full stories behind the headlines and to subscribe to their YouTube channel for interviews, demos, and live discussions.
Notable Quotes:
- "This has proven to be a source of frustration given the increasing activities of nation states delivering misinformation to countries around the world, especially where elections are occurring." — Steve Prentice
- "This new variant represents one of many custom malware families that the Charming Kitten actor has developed." — Steve Prentice
- "The web store is currently unavailable, showing a message that it is temporarily out of orbit for some exciting renovations." — Steve Prentice
Stay informed with the latest in cybersecurity by tuning into future episodes of Cyber Security Headlines on CISO Series.
