Risky Bulletin: Germany's BSI Sinkholes BADBOX Malware – December 13, 2024
Hosted by Risky Business Team | Released on December 13, 2024
1. Germany's BSI Tackles BADBOX Ad Fraud Malware
Germany's Federal Office for Information Security (BSI) has successfully sinkholed the notorious BADBOX malware, a significant development in combating ad fraud. According to BSI, the sinkhole has intercepted traffic from approximately 30,000 devices. The agency plans to collaborate with Internet service providers to inform affected device owners about the infection.
Claire Aird highlights, “[...] the BSI has received traffic from 30,000 devices and plans to work with Internet providers to notify the device owners” (00:04).
The BADBOX malware, initially detected last year by Human Security, was part of a sophisticated botnet comprising over 280,000 systems. This botnet infiltrated devices by embedding malware within malicious Android and iOS applications, as well as the firmware of Android TV streaming boxes. Human Security attributed the operations to a group likely based in China, leveraging hardware supply chains to preload malicious firmware onto streaming devices.
2. Incoming Trump Administration Plans Leadership Split of Cyber Command and NSA
In a significant policy shift, the incoming Trump administration intends to separate the leadership of U.S. Cyber Command and the National Security Agency (NSA). The two entities have shared a single leader since the establishment of Cyber Command in 2010, with General Timothy Haugh holding the dual role since last year.
Claire Aird explains, “The split will allow President-elect Trump to nominate different leaders for each agency” (00:04). This move is aimed at enhancing the strategic focus and operational efficiency of both organizations by providing them with distinct leadership.
3. Global Law Enforcement Dismantles DDoS-for-Hire Services
Law enforcement agencies worldwide have taken down 27 DDoS-for-hire services, continuing an annual crackdown carried out before the holiday season. This proactive approach stems from attacks targeting gaming services during the Christmas and New Year festivities since the mid-2010s.
Among those arrested is Ricardo Cezacoli, a Brazilian national accused of operating the security-hired booter service. The coordinated efforts involved 15 countries, leading to the shutdown of three major scam call centers across Myanmar, Peru, and Russia. Notably, Russia’s FSB reported dismantling a call center generating over a million dollars daily, with connections to former Georgian Defence Minister David Kezerashvili.
4. Let's Encrypt Shortens TLS Certificate Lifespan
In a move to enhance security, Let's Encrypt announced the introduction of TLS certificates with a maximum lifespan of six days, set to be implemented next year. This change aims to reduce the window of vulnerability for encrypted communications.
Claire Aird notes, “Existing customers won't have to change anything if they choose to go with the shorter certificates” (00:04). This initiative underscores Let's Encrypt's commitment to fostering more secure internet practices by encouraging frequent certificate renewals.
5. FCC Targets Voice Service Providers Over Robocall Blocking Failures
The U.S. Federal Communications Commission (FCC) has identified 2,400 voice service providers that have failed to implement robocall blocking measures. In response, the FCC plans to impose a ban on these companies unless they register with the Robocall Mitigation Database within the next two weeks.
Failure to comply will result in traffic blocking by other telecommunications providers, effectively cutting off their service capabilities. This enforcement action aims to curb the rampant issue of unsolicited robocalls affecting consumers nationwide.
6. SEC's Cyber Incident Reporting Shows Limited Impact Disclosure
Under the Securities and Exchange Commission's (SEC) new cyber incident reporting requirements, only 71 security incidents have been filed this year. Surprisingly, few of these reports indicate a material impact on the affected organizations.
Claire Aird observes, “Less than half of filings provided insights into a company's response procedures” (00:04). Additionally, many filings merely reiterated generic cyber risks and incident response strategies, offering little actionable information for stakeholders.
7. Byte Federal Suffers Server Breach via GitLab Vulnerability
Byte Federal, a Bitcoin ATM operator, disclosed that a threat actor exploited a vulnerability in GitLab to access one of its servers. While no customer assets were compromised, the attacker obtained some customer information affecting roughly 58,000 users. The incident, occurring last month, underscores the ongoing risks associated with software vulnerabilities in critical infrastructure.
8. Krispy Kreme Experiences IT System Disruption Due to Cyberattack
The doughnut chain Krispy Kreme reported a cyberattack that disrupted one of its IT systems, impacting online ordering services in parts of the United States. The attack occurred on November 29, but the company has withheld further details, assuring that restaurant operations and other retail activities remain unaffected.
9. Lynx Ransomware Group Attacks Romania's Electrica
Romania's largest electricity provider, Electrica, fell victim to the Lynx ransomware group, as confirmed by Romania's cybersecurity agency. Lynx, a rebrand of the older INC ransomware group, has been implicated in at least 78 attacks since its emergence in August this year.
The group’s activities include a notable incident where the Japanese company Kadokawa Corporation paid $3 million to the Black Suit ransomware gang, only to have employee data leaked online. This breach has likely discouraged other organizations from yielding to such extortion tactics.
10. Cleo Zero-Day Vulnerability Exploitation Surges
The number of organizations compromised through the Cleo zero-day vulnerability has exceeded 50, with exploitation intensifying following the public disclosure of the vulnerability. Attackers deployed a Java-based backdoor on Cleo file transfer servers. While Cleo released a patch on Wednesday, the rapid exploitation highlights the challenges of mitigating zero-day threats promptly.
11. New Chinese Law Enforcement Tool Discovered on Android Devices
Security firm Lookout has identified a new surveillance tool, EagleMsgSpy, utilized by Chinese law enforcement to extract information from Android devices. The toolkit, which requires physical access for installation, has been active since 2017 and can harvest chat messages, record audio and screen activity, and track device location and network movements.
EagleMsgSpy was developed by Wuhan Chinasoft Token Information Technology, raising concerns over privacy and unauthorized surveillance.
12. Careto APT Group Resurfaces with Enhanced Operations
Kaspersky reports renewed activity from the Careto Advanced Persistent Threat (APT) group, also known as "The Mask." Originating around 2007 and believed to operate from a Spanish-speaking nation, Careto has revitalized its campaigns targeting organizations in Latin America. Notably, one operation targeted the same victim as in 2007, demonstrating the group's sustained and sophisticated attack methodologies.
13. Russian Military Hacking Unit Exploits Cybercrime Infrastructure Against Ukraine
A Russian military hacking unit, identified as Turla APT, has been utilizing the infrastructure of the cybercrime group Storm-1919 to deploy malware targeting Ukrainian military systems. Turla specifically targeted devices with Starlink IP addresses, indicative of their association with Ukrainian frontline operations. Additionally, Turla has collaborated with another Russian APT group, Storm-1837, previously active against Ukrainian military drone pilots.
14. Security Flaws in Skoda Car Infotainment Systems Exposed
At the Black Hat Europe security conference, PCAutomotive revealed 12 vulnerabilities in the infotainment systems of Skoda cars, which can be exploited to track vehicle locations, alter system displays, and eavesdrop on in-car conversations via the microphones. Tested on a Skoda Superb, these flaws affect other Volkswagen Group vehicles equipped with the MIB3 infotainment system. Volkswagen has confirmed that all identified issues have been patched.
15. Photobucket Faces Lawsuit Over Privacy Policy Update
A group of plaintiffs has initiated a lawsuit against Photobucket, challenging a recent update to its privacy policy. The lawsuit seeks to prevent Photobucket from selling user photos to AI companies for training models that analyze biometrics, such as facial and iris scans. Citing various U.S. state privacy laws, the plaintiffs demand that Photobucket obtain explicit written consent from users prior to selling their photos, thereby enhancing user privacy protections.
Conclusion
This episode of Risky Bulletin delivered a comprehensive overview of the latest developments in cybersecurity, spanning malware eradication, policy shifts, global law enforcement actions, emerging vulnerabilities, and privacy concerns. From Germany’s proactive measures against the BADBOX malware to the intricate maneuvers of state-sponsored hacking groups, the discussions underscore the dynamic and multifaceted nature of cybersecurity threats and responses in today's digital landscape.
Summary Prepared by Risky Business Team
Timestamp Reference
- 00:04 - Introduction and Top Stories by Claire Aird
