Cyber Security Headlines – November 14, 2024
Hosted by Rich Stroffolino from the CISO Series
1. Volt Typhoon Rebuilding Botnet
Overview:
In early 2024, the U.S. government disrupted the KV-botnet, infrastructure operated by Volt Typhoon, a threat actor widely assessed to be sponsored by the Chinese government. That botnet was built largely from end-of-life and unpatched Cisco, Fortinet, and Netgear edge devices, which the group used as relays to obscure the origin of its intrusions. Recent reporting indicates that Volt Typhoon is now assembling a replacement botnet.
Key Points:
- Reconstruction Efforts: Researchers at SecurityScorecard have identified a new cluster associated with Volt Typhoon that covertly routes traffic through compromised Netgear ProSafe, MikroTik, and Cisco RV320 devices.
- Tactics and Infrastructure: The group appears to be utilizing the same core infrastructure and techniques previously employed by Volt Typhoon, signaling continuity in their operations.
Notable Quote:
"This appears to be using the same core infrastructure and techniques previously seen from Volt Typhoon." – Rich Stroffolino [00:00]
2. Chinese APT Targets Tibetan Media
Overview:
A cyber espionage campaign targeting Tibetan media has been attributed to a China-linked group tracked as TAG-112, which likely operates as a subgroup of the larger Evasive Panda threat actor.
Key Points:
- Attack Vectors: The attackers compromised the websites of the Tibet Post and Gyudmed Tantric University by exploiting their Joomla CMS, then used the hijacked sites to serve a Cobalt Strike payload to visitors.
- Operational Ties: TAG-112 shares tactics with Evasive Panda but has not shown the same sophistication, relying on Cobalt Strike rather than custom malware. Evasive Panda has itself compromised the Tibet Post in earlier attacks.
Notable Quote:
"TAG-112 may be a subgroup of the China-linked threat actor Evasive Panda, as it shows similar tactics." – Rich Stroffolino [00:00]
3. DoD Leaker Sentenced
Overview:
Jack Teixeira, a former Massachusetts Air National Guardsman, has been sentenced to 15 years in prison for leaking classified Department of Defense information.
Key Points:
- Nature of the Leaks: Court documents show Teixeira shared classified documents on Discord in 2022, including troop movements and details of equipment supplied to Ukraine.
- Legal Proceedings: The leak came to light in March 2023, when the documents began circulating beyond the Discord server, and Teixeira was arrested the following month.
- Plea Deal: In March 2024 he pleaded guilty to six counts under a plea agreement; sentencing followed in November 2024.
Notable Quote:
"Court documents show Teixeira shared classified documents on Discord sometime in 2022, including troop movements and information on equipment provided to Ukraine." – Rich Stroffolino [00:00]
4. Shrink Locker Decryptor Released
Overview:
Bitdefender has released a free ShrinkLocker decryptor to help victims recover drives locked by this ransomware variant.
Key Points:
- Ransomware Details: ShrinkLocker, first documented by Kaspersky in May 2024, is written in VBScript and abuses Windows' built-in BitLocker feature to encrypt entire volumes rather than bringing its own encryption code. Observed victims are concentrated in Indonesia, Jordan, and Mexico.
- Attack Mechanism: The ransomware is pushed out through Group Policy Objects and scheduled tasks so that it runs on many systems in a network at once, and it can lock a device in as little as 10 minutes.
- Preventative Measures: Kaspersky recommends monitoring the BitLocker-related Windows event logs and configuring BitLocker through Group Policy to back up recovery information to Active Directory Domain Services, so that recovery keys for any volume encrypted on a domain-joined machine are escrowed where administrators can retrieve them.
Notable Quote:
"Shrink Locker uses group policy objects and scheduled tasks to encrypt multiple systems within a network in as little as 10 minutes per device." – Rich Stroffolino [00:00]
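To make the two Kaspersky recommendations concrete, the following PowerShell audit script is an added example written for this summary; it is not code from Kaspersky, Bitdefender, or the episode. It assumes an elevated session on a domain-joined Windows host with the BitLocker PowerShell module, and the policy registry value names (OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup) and the BitLocker Management log name are assumptions to verify against your own builds. It checks whether AD DS escrow is enforced by policy, escrows every volume's recovery password (adding one where a volume has none), lists scheduled tasks that launch a script host (the delivery path the story describes), and surfaces recent BitLocker activity from the event log.

```powershell
# Added example: ShrinkLocker mitigation audit (not the project's or Kaspersky's code).
# Run elevated on a domain-joined host. Registry value names and log name are assumptions.
#Requires -RunAsAdministrator

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-BitLockerAdBackupPolicy {
    # "Store BitLocker recovery information in AD DS" for OS drives is expected to set
    # these values (assumed names; confirm on a machine where the GPO has applied).
    $p = Get-ItemProperty -Path $FvePolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BackupEnabled  = ($p.OSActiveDirectoryBackup -eq 1)
        BackupRequired = ($p.OSRequireActiveDirectoryBackup -eq 1)
    }
}

function Sync-RecoveryPasswordsToAd {
    param([switch]$AddIfMissing)
    foreach ($vol in Get-BitLockerVolume) {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            if ($AddIfMissing) {
                # A volume with no recovery password protector cannot be recovered by
                # administrators; add one so it can be escrowed.
                $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
                $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
            } else {
                Write-Warning "$($vol.MountPoint): no RecoveryPassword protector"
                continue
            }
        }
        foreach ($kp in $rp) {
            # Escrow the recovery password under the computer object in AD DS.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
            Write-Output "$($vol.MountPoint): backed up protector $($kp.KeyProtectorId) to AD DS"
        }
    }
}

function Get-ScriptHostScheduledTasks {
    # ShrinkLocker is VBScript delivered by GPO and scheduled tasks; list tasks whose
    # action launches a script host so they can be reviewed.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { $_.Execute -match 'wscript|cscript|powershell' }
    } | Select-Object TaskName, TaskPath,
        @{ n = 'Execute'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

function Get-RecentBitLockerActivity {
    param([int]$Hours = 24)
    # BitLocker management log: encryption starting, protectors added/removed, backups.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $events | Where-Object { $_.Message -match 'encrypt|protector|recovery' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage (elevated):
Test-BitLockerAdBackupPolicy
Sync-RecoveryPasswordsToAd -AddIfMissing
Get-ScriptHostScheduledTasks | Format-Table -AutoSize
Get-RecentBitLockerActivity -Hours 1 | Format-Table -AutoSize
```

Escrowing a recovery password only helps if the policy is also set to require the backup; otherwise an attacker who removes the existing protectors and adds their own password, as ShrinkLocker does, leaves nothing in AD DS for that volume. Treat any unexpected encryption or protector-change event on a machine that was not scheduled for BitLocker rollout as an incident, not as noise.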
5. Hamas-Affiliated Group Targets the Middle East
Overview:
WIRTE, a group believed to be part of the Gaza Cybergang, has been running phishing campaigns against Israeli organizations and other Middle Eastern entities since at least August 2018.
Key Points:
- Campaign Tactics: The group uses an updated version of the SameCoin wiper that adds the ability to encrypt data on top of overwriting files with random bytes. It also changes the desktop background to display the name of Hamas' military wing.
- Geographical Targets: Beyond Israel, the attacks have extended to the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.
- Toolset Versatility: Check Point researchers note that the group has iterated across multiple campaigns with a flexible toolkit for initial access and malware deployment.
Notable Quote:
"These phishing attacks use a new version of the SameCoin wiper, which adds the ability to encrypt data on systems as well as overwriting files with random bytes." – Rich Stroffolino [00:00]
6. Amazon Leaker Claims to Be Ethical Hacker
Overview:
An individual using the handle "Nam3L3ss" has leaked what they claim are 2.8 million lines of Amazon employee data on a dark web forum, presenting the leak as the work of an ethical hacker.
Key Points:
- Data Compromise: The leaked records include names, job roles, contact details, and department assignments. The same poster also released data from other companies, including Lenovo, Delta, HSBC, and Charles Schwab, all of it reportedly obtained through the 2023 mass exploitation of the MOVEit file-transfer software.
- Motivation: Nam3L3ss claims the data was collected with legitimate credentials and consists only of publicly available information, and that the leak is meant to push organizations to encrypt Personally Identifiable Information (PII) rather than blame third parties for exposures.
- Future Threats: Nam3L3ss says more data will be released in the coming days, raising concerns that the exposed details will be used for social engineering against the named companies' staff.
Notable Quote:
"They said they published the data to raise awareness of the need to encrypt PII at these organizations and not to hide behind blaming third parties for leaked data." – Rich Stroffolino [00:00]
7. Sheboygan Hit by Ransomware Attack
Overview:
The city of Sheboygan, Wisconsin, has been dealing with network outages since late October, and officials have now confirmed that the cause was a ransomware attack accompanied by a ransom demand.
Key Points:
- Impact of the Attack: Officials confirmed unauthorized access to the city's network, which caused temporary outages. Emergency services saw only limited interruptions, and cloud-based services remained available to city employees.
- Response Strategy: The city is working with law enforcement and incorporating its guidance into the response.
- Status of the Attack: No group has claimed responsibility, and city officials have released few details about the incident.
Notable Quote:
"Officials also confirmed that the city received a ransom demand, saying, 'We are cooperating fully with law enforcement and incorporating their guidance into our response.'" – Rich Stroffolino [00:00]
8. D-Link NAS Devices Under Attack
Overview:
A critical command injection vulnerability, tracked as CVE-2024-10914, affects several D-Link NAS models that have reached end-of-life, including the DNS-320, DNS-325, and DNS-340L.
Key Points:
- Vulnerability Details: The researcher known as netsecfish found a command injection flaw that lets unauthenticated attackers execute arbitrary shell commands by sending a crafted HTTP GET request to the device's web interface. Exploitation in the wild has been observed since November 8.
- Scope of Impact: Over 41,000 unique IP addresses corresponding to vulnerable devices have been found exposed online.
- Manufacturer's Stance: D-Link has stated that it will not release a patch for these end-of-life models.
- Mitigation Recommendations: D-Link advises customers to replace the affected devices or, at a minimum, remove them from direct Internet exposure. Because the flaw is reachable without credentials, putting the NAS behind a firewall or VPN and disabling remote access to its web interface is the only practical stopgap until it is replaced.
Notable Quote:
"D-Link advises customers to replace the devices or at the very least, restrict them from open Internet access." – Rich Stroffolino [00:00]
Conclusion:
This episode of Cyber Security Headlines covered the latest threats and developments in the security landscape. From Volt Typhoon rebuilding its botnet to the sentencing of a DoD leaker and actively exploited flaws in end-of-life NAS devices, each story underscored the evolving challenges facing organizations and individuals alike, and the need for proactive hardening, continuous monitoring, and a tested incident response plan.
For a deeper dive into any of these stories, visit CISOseries.com.
Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
