Risky Business News Summary
Podcast Title: Risky Business News
Host/Author: risky.biz
Episode Title: Risky Biz News: US charges five Scattered Spider members
Release Date: November 22, 2024
Prepared by: Catalin Cimpanu
Read by: Claire Aird
1. US Department of Justice Charges Five Scattered Spider Members
In the episode's opening, Claire Aird reports a significant crackdown on the Scattered Spider hacking group. The US Department of Justice (DOJ) has unsealed charges against five suspected members, including the group's alleged leader, a 22-year-old from Great Britain who is currently in custody. The remaining four suspects are American nationals.
Key Activities:
Since September 2021, Scattered Spider has run extensive phishing and smishing campaigns against employees of major corporations. The group's modus operandi was to break into companies and steal confidential and personally identifiable information, which it then used to take over other individuals' online accounts and siphon off their cryptocurrency.
Financial Impact:
The DOJ asserts that the group stole approximately $11 million from at least 29 victims.
Notable Quote:
“The US Department of Justice has unsealed charges against five suspected members of the Scattered Spider hacking group,” Claire Aird [00:04].
2. Zero-Day Exploits in Palo Alto Networks Firewalls
The Shadowserver Foundation has found evidence that more than 2,000 Palo Alto Networks firewalls have been compromised through two recently disclosed zero-day vulnerabilities. The compromised devices had PHP web shells installed, giving the attackers remote access to them.
Details:
- The reported figure is likely an underestimate, because the scan relied on the limited set of Indicators of Compromise (IOCs) that Palo Alto Networks released last week.
- Palo Alto Networks issued a preliminary warning about a potential zero-day earlier in the month, confirmed the attacks the following week, and released patches this Monday.
Notable Quote:
“Shadowserver Foundation has found evidence that at least 2,000 Palo Alto Networks firewalls have been compromised using two recently disclosed zero-days,” Claire Aird [00:04].
3. T-Mobile Halts Security Breach Before Data Compromise
T-Mobile, the US wireless carrier, says it detected and stopped a security breach before any customer data was accessed. According to Bloomberg, the hackers got into the company's edge routing infrastructure and from there attempted to reach nearby devices. The breach is the ninth public security incident T-Mobile has faced since 2019.
Security Measures:
T-Mobile's security team spotted reconnaissance activity coming from the compromised devices and evicted the intruders before they could move further into the network.
Notable Quote:
“T-Mobile's security team evicted the hackers after detecting reconnaissance activity from the compromised devices,” Claire Aird [00:04].
4. Finastra Data Breach Exposed for Sale on Hacking Forums
Earlier this month, a threat actor broke into Finastra, a UK-based fintech company, and stole a large batch of files. Infosec reporter Brian Krebs notes that, unlike in many breaches, the attacker did not deploy malware or tamper with customer files. Instead, the exfiltrated data was put up for sale on a hacking forum just a day after the breach.
Company's Statement:
Finastra asserts that no malware was deployed and that customer files remained untampered during the breach.
Notable Quote:
“The company claims the attacker did not deploy malware or tamper with customer files,” Claire Aird [00:04].
5. Underground Recruitment of Chinese State Surveillance Insiders
SpyCloud, a security firm, has identified advertisements from at least three underground data traders actively recruiting insiders from Chinese state surveillance agencies. These ads offer lucrative payments ranging from $1,500 to $10,000 per day for access to government accounts.
Implications:
This recruitment pipeline puts the personal information of Chinese nationals at risk, since it turns state surveillance access into a commodity. SpyCloud researchers also obtained, through these same underground brokers, extensive data on Chinese individuals charged in the US with cybercrimes.
Notable Quote:
“Underground data traders are recruiting insiders at Chinese state surveillance agencies and using their access to obtain personal information,” Claire Aird [00:04].
6. Crum & Forster Introduces Liability Protection for CISOs
Crum & Forster, an insurance company, has launched a new policy designed to shield Chief Information Security Officers (CISOs) from professional liability claims. The coverage protects executives against allegations of negligence or inadequate performance in their cybersecurity roles.
Policy Highlights:
- Previously, such policies primarily protected high-ranking executives like CEOs and CFOs.
- The new coverage extends protection to executives in cyber, fintech, and multimedia sectors, recognizing the unique risks associated with these roles.
Notable Quote:
“The new Crum & Forster policy extends the protections to executives working in cyber, fintech and multimedia roles,” Claire Aird [00:04].
7. DOJ Seizes Popeye Tools Carding Portal
The DOJ has seized Popeye Tools, a notorious marketplace for stolen credit card data and hacking utilities. Authorities confiscated the platform's domains and cryptocurrency accounts and indicted its administrators, two Pakistani citizens and an Afghan national.
Revenue and Operations:
Since its inception in 2016, Popeye Tools generated a minimum of $1.7 million in revenue.
Notable Quote:
“US authorities have seized Popeye Tools, a notorious marketplace that sold access to stolen credit card information and hacking tools,” Claire Aird [00:04].
8. Microsoft Takes Down ONNX Phishing Domains
Microsoft's legal team has seized 240 domains associated with the ONNX phishing-as-a-service operation. The domains were reportedly registered by an Egyptian individual named Abanoub Nady, who operated online under the alias MRxC0DER and served as the service's main administrator.
Collaboration Efforts:
The takedown was carried out with assistance from the Linux Foundation, which holds the ONNX trademark (ONNX stands for Open Neural Network Exchange).
Notable Quote:
“Microsoft's legal team has seized 240 domains used by the ONNX phishing-as-a-service operation,” Claire Aird [00:04].
9. Meta Removes 2 Million Scam Accounts from Facebook and Instagram
Meta, the parent company of Facebook and Instagram, has removed more than 2 million accounts this year that were used in pig butchering scams. In these scams, fraudsters build a relationship with the victim over weeks or months before luring them into fake investments.
Geographical Insights:
Some of the more recent scam operations are traced back to the United Arab Emirates.
Notable Quote:
“Meta says it has taken down over 2 million Facebook and Instagram accounts this year that were used in pig butchering scams,” Claire Aird [00:04].
10. FBI Attributes BianLian Ransomware Group to Russia
The FBI says that the BianLian ransomware group, despite its Chinese-sounding name, and many of its affiliates are actually based in Russia. This is part of a broader pattern in which ransomware groups adopt misleading, foreign-language names to obscure their true origins.
Trend Analysis:
Other groups that use similar deceptive naming but likely operate out of Russia include Nokoyawa, Karakurt, and Cuba. The FBI also notes that since January BianLian has moved exclusively to exfiltration-based extortion and no longer encrypts victims' data.
Notable Quote:
“The FBI says the group is part of a recent trend in the ransomware ecosystem where groups try to mislead investigators about their location and nationality by using foreign language names,” Claire Aird [00:04].
11. Apple Releases Security Patches for macOS Zero-Days
Apple has released security updates for two zero-day vulnerabilities exploited in attacks against Intel-based macOS systems. Both bugs were exploited through the WebKit browser engine.
Discovery and Response:
- The zero-days were discovered and reported to Apple by Google's Threat Analysis Group (TAG), which tracks advanced persistent threats (APTs) and commercial surveillance vendors.
- Apple released patches on Monday.
Notable Quote:
“Apple released security updates this week to fix two zero-days being used in attacks against Intel-based macOS systems,” Claire Aird [00:04].
12. Qualys Identifies Vulnerabilities in Ubuntu's needrestart Component
Qualys, a security firm, has discovered five local privilege escalation vulnerabilities in needrestart, a component installed by default on Ubuntu Linux servers. needrestart scans local services after a package update to determine which of them need to be restarted.
Vulnerability Details:
- An unprivileged local user can exploit the flaws to gain full root access, with no user interaction required.
- The vulnerabilities affect all Ubuntu versions going back to 2014, so the exposure is widespread.
Notable Quote:
“Security firm Qualys has discovered five local privilege escalation vulnerabilities in needrestart, a component installed by default on Ubuntu Linux servers,” Claire Aird [00:04].
13. Thai Court Dismisses NSO Group Lawsuit
A Thai court has dismissed a lawsuit filed by activist Jatupat Boonpattararaksa against the Israeli spyware vendor NSO Group. The lawsuit alleged that NSO's Pegasus spyware infected Boonpattararaksa's smartphone in June and July. The court ruled in September that the plaintiff had not provided sufficient evidence to support his claims, despite an amicus brief filed in his support by Amnesty International.
Legal Implications:
The dismissal illustrates how hard it is for plaintiffs to meet the evidentiary bar in spyware cases, even with backing from human rights organizations.
Notable Quote:
“A Thai court has dismissed an activist lawsuit against Israeli spyware vendor NSO Group,” Claire Aird [00:04].
14. Japan Advises on Digital Asset End-of-Life Planning
Japan's National Consumer Affairs Agency has issued guidance urging citizens to develop end-of-life plans for their digital assets. This includes strategies for:
- Transferring usernames and passwords to family members or friends posthumously.
- Creating comprehensive lists of online subscriptions to enable relatives to cancel them, thereby preventing additional costs.
Rationale:
As digital presence becomes integral to personal and financial lives, proactive management ensures that digital legacies are handled securely and efficiently after one's passing.
Notable Quote:
“Japan's National Consumer Affairs Agency has advised citizens to create end-of-life plans for their digital assets,” Claire Aird [00:04].
15. Repo Swatting Attacks on GitHub and GitLab Accounts
Security researcher Paul McCarty describes a technique he calls repo swatting, which targets accounts on platforms like GitHub and GitLab. The attack abuses a hidden feature that allows a user to:
- Open an issue in the target repository.
- Upload a malicious file.
- Abandon the issue without publishing it.
Attack Mechanics:
Even though the issue is never published, the uploaded file remains attached to the victim's account. The attacker then reports this hidden, non-public file to the platform as a terms-of-service violation, prompting the platform to take down the repository or account for hosting malware. The victim never sees the file and has no way to remove it, which is what makes the suspension so hard to contest.
Notable Quote:
“Threat actors can abuse a hidden feature to take down GitHub and GitLab accounts in what security researcher Paul McCarty calls a repo swatting attack,” Claire Aird [00:04].
16. MITRE's Annual List of Top 25 Most Dangerous Software Weaknesses
MITRE has released its annual Top 25 Most Dangerous Software Weaknesses list. Cross-Site Scripting (XSS) has reclaimed the top spot for the first time since 2020, while last year's number one, Use-After-Free, has dropped to eighth place.
Compilation Method:
The ranking was derived from an analysis of more than 31,000 vulnerabilities reported over the year, giving a broad view of which weakness classes are most prevalent and most severe.
Notable Quote:
“MITRE has published its annual list of the top 25 most dangerous software weaknesses. Number one was cross-site scripting,” Claire Aird [00:04].
Conclusion
This episode of Risky Business News covered the week's main developments in cybersecurity, from law enforcement actions against hacking groups and breaches at major companies to new vulnerabilities and defensive measures, giving listeners a view of both the threats they face and the responses under way.
For more detailed discussions and updates, consider tuning into future episodes of Risky Business News.
