Claire Aird
Germany's cybersecurity agency sinkholes the BADBOX malware. Scam centres are raided in Myanmar, Peru and Russia. Researchers uncover a new Chinese state surveillance tool, and the incoming Trump administration wants to separate CyberCom and the NSA's leadership. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 13th of December and this podcast episode is brought to you by Proofpoint.

In today's top story, Germany's cybersecurity agency has sinkholed the BADBOX ad fraud malware. The BSI says the sinkhole has received traffic from 30,000 devices and plans to work with Internet providers to notify the device owners. The malware was first spotted last year by Human Security. The company said the BADBOX group assembled a botnet of over 280,000 systems by hiding its malware in malicious Android and iOS apps and in the firmware of Android TV streaming boxes. Human Security said the group likely operated out of China and had access to hardware supply chains where its members could preload the malicious firmware on streaming boxes.

In other news, the incoming Trump administration wants to split the leadership of U.S. Cyber Command and the National Security Agency. The split will allow President-elect Trump to nominate different leaders for each agency. General Timothy Haugh was appointed last year as the leader of both agencies. CyberCom and the NSA have had shared leadership since Cyber Command was established in 2010.

Law enforcement agencies across the globe have taken down 27 DDoS-for-hire services. The takedown is part of an annual tradition of seizing DDoS infrastructure before the Christmas holidays. The tradition started in the mid-2010s after several DDoS groups launched attacks against gaming services over Christmas and New Year. Officials have also arrested and charged two suspects who ran the services.
One of them was identified as Ricardo Cezacoli, a Brazilian national who allegedly ran the security hired booter. Law enforcement agencies from 15 countries took part in the takedowns.

Three separate scam call centres have been shut down by law enforcement around the world. Authorities in Myanmar, Peru and Russia have arrested over 200 people. The various operations were all involved in online scamming at scale. Russia's FSB said the operation it shut down was making over a million dollars a day and had ties to former Georgian Defence Minister David Kezerashvili.

Let's Encrypt has announced plans to start issuing TLS certificates with a maximum lifespan of just six days. The new certs are coming next year. Let's Encrypt says existing customers won't have to change anything if they choose to go with the shorter certificates.

The U.S. Federal Communications Commission says 2,400 voice service providers have failed to implement robocall blocking. The agency says it plans to ban the companies if they don't register with the FCC's Robocall Mitigation Database within the next two weeks. Voice providers not in the database will have traffic blocked by other telcos.

The SEC's new cyber incident reporting rules have generated filings for only 71 security incidents this year. Very few of the filings identified a material impact from the incidents. According to BreachRx, less than half of filings provided insights into a company's response procedures. Most filings described an organisation's cyber risks and incident response procedures in nearly identical generic terms.

Bitcoin ATM operator Byte Federal says a threat actor gained access to one of its servers through a vulnerability in GitLab. No customer assets were compromised, but the threat actor was able to collect some customer information. Byte Federal says the hack took place last month and impacted roughly 58,000 users.
Doughnut chain Krispy Kreme says a cyberattack is disrupting one of its IT systems, including online ordering in parts of the United States. The company says the attack took place on November 29, but declined to provide any other details. It said restaurants and other retail activities were not affected.

Romania's cybersecurity agency says the Lynx ransomware group is behind the attack on Electrica, the country's largest electricity provider. The group was first spotted in August this year and has taken credit for at least 78 attacks, according to Palo Alto Networks. The Lynx ransomware is a rebrand of the older INC Ransom group.

A Japanese game and film publisher paid $3 million to the Black Suit ransomware gang, but its employee data leaked online anyway. The payment by the Kadokawa Corporation was allegedly made in June, and the leak occurred in September. It's unclear if Black Suit tried to re-extort the company or if the leak occurred because of a technical glitch in the group's infrastructure. The incident is likely to deter other companies from paying the group.

The number of organisations hacked via a recent Cleo zero-day vulnerability is now over 50, according to security firm Sophos. Exploitation intensified this week after news of the zero-day became public. The attacks involved dropping a Java-based backdoor on Cleo file transfer servers. The vendor released a patch for the bug on Wednesday.

Security firm Lookout has discovered a new tool used by Chinese law enforcement to collect information from Android devices. The EagleMsgSpy toolkit requires physical access to install and appears to have been in use since 2017. It can collect chat messages, record audio and the screen, as well as track the device's location and network activity, Lookout says. EagleMsgSpy was developed by a company named Wuhan Chinasoft Token Information Technology.
Russian security firm Kaspersky says it spotted new activity from Careto, one of the oldest known APT groups. Also known as The Mask, the group was first seen in 2007 and is believed to operate from a Spanish-speaking country. Recent campaigns targeted organisations in Latin America. One of the victims was the same as back in 2007, Kaspersky says. The group employs sophisticated infection techniques and complex multi-component malware.

One of Russia's military hacking units has leveraged the infrastructure of a cybercrime group to deploy malware targeting the Ukrainian military. The Turla APT searched through the infrastructure of cybercrime group Storm-1919 for systems located in Ukraine and then deployed its own custom backdoor. Microsoft says Turla specifically searched for devices with Starlink IP addresses, a common sign of Ukrainian frontline devices. Turla also appears to have collaborated with another Russian APT group named Storm-1837, which previously carried out campaigns targeting Ukrainian military drone pilots. Microsoft says Turla has hacked at least six other APTs over the past seven years, including Iranian and Pakistani groups.

Security researchers have discovered 12 vulnerabilities in the infotainment systems used in Skoda cars that can track the vehicle's location. The bugs also allow attackers to modify infotainment system screens and even eavesdrop on conversations via the in-car microphones. The vulnerabilities were tested in a Skoda Superb, but the MIB3 infotainment system is also used in other cars manufactured by the Volkswagen group. The 12 bugs disclosed this week at the Black Hat Europe security conference are part of a set of 21 security flaws discovered by security firm PCAutomotive and reported to Volkswagen in 2022. The carmaker says all issues have now been patched.

And finally, a group of plaintiffs has filed a lawsuit against photo hosting service Photobucket over a recent privacy policy update.
The plaintiffs are seeking a court injunction to block Photobucket from selling user photos to AI companies so they can train their models on users' biometrics such as faces and iris scans. The lawsuit cites the privacy laws of several US states and seeks to force Photobucket to obtain written consent from users before selling the photos. And that is all for this podcast edition. Today's show was brought to you by our sponsor Proofpoint. Find them at proofpoint.com. Thanks for your company.
Risky Bulletin: Germany's BSI Sinkholes BADBOX Malware – December 13, 2024
Hosted by Risky Business Team | Released on December 13, 2024
Germany's Federal Office for Information Security (BSI) has sinkholed the BADBOX ad fraud malware. According to the BSI, the sinkhole has received traffic from roughly 30,000 devices, and the agency plans to work with Internet service providers to notify the owners of the infected devices. A sinkhole only diverts the botnet's command-and-control traffic so that infected devices can be counted and their owners identified; it does not remove malware that ships in the device firmware, which is why owner notification is the next step.
Claire Aird highlights, “[...] the BSI has received traffic from 30,000 devices and plans to work with Internet providers to notify the device owners” (00:04).
BADBOX was first reported last year by Human Security, which described a botnet of over 280,000 systems. The operators distributed the malware through malicious Android and iOS applications and through the firmware of Android TV streaming boxes. Human Security attributed the operation to a group likely based in China with access to hardware supply chains, which allowed it to preload the malicious firmware onto streaming boxes before they reached buyers.
The incoming Trump administration intends to separate the leadership of U.S. Cyber Command and the National Security Agency (NSA). The two organisations have shared a single leader since Cyber Command was established in 2010, with General Timothy Haugh holding the dual role since last year.
Claire Aird explains, “The split will allow President-elect Trump to nominate different leaders for each agency” (00:04).
Law enforcement agencies from 15 countries have taken down 27 DDoS-for-hire services, continuing an annual crackdown carried out before the holiday season. The tradition began in the mid-2010s after several DDoS groups attacked gaming services over Christmas and New Year. Two suspects who ran services were arrested and charged, among them Ricardo Cezacoli, a Brazilian national accused of operating the security-hired booter service.
Separately, three scam call centres were shut down in Myanmar, Peru and Russia, with over 200 people arrested. All three operations ran online scams at scale. Russia's FSB said the centre it dismantled was generating over a million dollars a day and had ties to former Georgian Defence Minister David Kezerashvili.
Let's Encrypt announced plans to start issuing TLS certificates with a maximum lifespan of six days, beginning next year. A shorter lifetime limits how long a compromised or mis-issued certificate remains usable and reduces reliance on revocation checking. The practical consequence for operators is that renewal must be fully automated and frequent: a six-day certificate has to be reissued every few days, so a renewal job that runs weekly, or a policy that renews a fixed 30 days before expiry, no longer works.
Claire Aird notes, “Existing customers won't have to change anything if they choose to go with the shorter certificates” (00:04). The short-lived certificates are an option alongside the current ones rather than a replacement for them.
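The renewal-cadence point above is easy to get wrong, so here is an added example (not Let's Encrypt or Risky Business code) that audits a set of certificates against the renewal job that services them. The certificate validity windows are constructed inline; the 2/3-of-lifetime renewal point and the 30-day fixed lead time are assumptions chosen to contrast the two policies, not values taken from any client's configuration.

```python
"""Renewal-cadence check for short-lived TLS certificates (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DAILY = timedelta(days=1)
WEEKLY = timedelta(days=7)


@dataclass(frozen=True)
class CertWindow:
    """The only fields the renewal decision needs from a certificate."""
    subject: str
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def renew_fixed_lead(cert: CertWindow, now: datetime,
                     lead: timedelta = timedelta(days=30)) -> bool:
    """Legacy rule: renew once fewer than `lead` remain before expiry.

    Reasonable for 90-day certificates. For a 6-day certificate the lead time
    exceeds the whole lifetime, so this is True from the moment of issuance
    and the client re-issues on every run.
    """
    return cert.not_after - now <= lead


def renewal_point(cert: CertWindow, fraction: float = 2 / 3) -> datetime:
    """Lifetime-relative rule: renew once `fraction` of the validity period
    has elapsed (assumed 2/3, i.e. day 4 of a 6-day certificate)."""
    return cert.not_before + cert.lifetime * fraction


def renew_fraction(cert: CertWindow, now: datetime,
                   fraction: float = 2 / 3) -> bool:
    return now >= renewal_point(cert, fraction)


def renewal_slack(cert: CertWindow, fraction: float = 2 / 3) -> timedelta:
    """Time between the renewal point and expiry: the budget for retries,
    CA outages and missed job runs before the site serves an expired cert."""
    return cert.not_after - renewal_point(cert, fraction)


def audit(certs, now: datetime, job_interval: timedelta) -> list[str]:
    """Flag certificates whose renewal job runs too rarely for their lifetime,
    and list the ones that are due for renewal at `now`."""
    findings = []
    for cert in certs:
        slack = renewal_slack(cert)
        if job_interval >= slack:
            findings.append(
                f"{cert.subject}: job interval {job_interval} >= slack "
                f"{slack}; one missed run means an expired certificate")
        if renew_fraction(cert, now):
            findings.append(f"{cert.subject}: renewal due")
    return findings


# Constructed sample data: a classic 90-day certificate issued ten days ago
# and a 6-day certificate issued three days ago.
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)
LONG_CERT = CertWindow("www.example.com",
                       NOW - timedelta(days=10), NOW + timedelta(days=80))
SHORT_CERT = CertWindow("api.example.com",
                        NOW - timedelta(days=3), NOW + timedelta(days=3))

if __name__ == "__main__":
    for finding in audit([LONG_CERT, SHORT_CERT], NOW, WEEKLY):
        print(finding)
```

Running the audit with a weekly job flags only the six-day certificate: its renewal point sits at day four, leaving two days of slack, so a weekly job is guaranteed to miss it. With a daily job both certificates pass. In production the renewal point should come from the CA rather than a hard-coded fraction; Let's Encrypt publishes suggested renewal windows through the ACME Renewal Information (ARI) extension, and clients that honour it get the right cadence automatically.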
The U.S. Federal Communications Commission (FCC) has identified 2,400 voice service providers that have failed to implement robocall blocking measures. In response, the FCC plans to impose a ban on these companies unless they register with the Robocall Mitigation Database within the next two weeks.
Failure to comply will result in traffic blocking by other telecommunications providers, effectively cutting off their service capabilities. This enforcement action aims to curb the rampant issue of unsolicited robocalls affecting consumers nationwide.
Under the Securities and Exchange Commission's (SEC) new cyber incident reporting requirements, only 71 security incidents have been reported in filings this year, and very few of those filings identified a material impact from the incident.
Claire Aird observes, citing BreachRx, “Less than half of filings provided insights into a company's response procedures” (00:04). Most filings described the organisation's cyber risks and incident response procedures in nearly identical generic terms, offering little that a reader could act on.
Byte Federal, a Bitcoin ATM operator, disclosed that a threat actor exploited a vulnerability in GitLab to gain access to one of its servers. No customer assets were compromised, but the attacker collected some customer information, affecting roughly 58,000 users. The intrusion took place last month. It is a reminder that internal development tooling such as GitLab is an attack surface in its own right and needs the same patch discipline as customer-facing systems.
Doughnut chain Krispy Kreme reported a cyberattack that is disrupting one of its IT systems, including online ordering in parts of the United States. The attack took place on November 29. The company has not released further details, but says restaurant operations and other retail activities were not affected.
Romania's cybersecurity agency has attributed the attack on Electrica, the country's largest electricity provider, to the Lynx ransomware group. Lynx, a rebrand of the older INC Ransom group, was first spotted in August this year and has claimed at least 78 attacks since, according to Palo Alto Networks.
In a separate ransomware case, Japanese game and film publisher Kadokawa Corporation paid $3 million to the Black Suit ransomware gang, allegedly in June, only to have its employee data leaked online in September. It is unclear whether Black Suit tried to re-extort the company or whether the leak was caused by a technical glitch in the group's infrastructure. Either way, the incident is likely to deter other victims from paying the group.
The number of organisations compromised through the recent Cleo zero-day vulnerability has passed 50, according to Sophos, with exploitation intensifying this week after the vulnerability became public. Attackers dropped a Java-based backdoor on Cleo file transfer servers. Cleo released a patch on Wednesday; because exploitation preceded the patch, organisations running the affected products should treat patching as necessary but not sufficient and check their servers for the backdoor as well.
Security firm Lookout has identified a new surveillance tool, EagleMsgSpy, used by Chinese law enforcement to extract information from Android devices. The toolkit requires physical access to the device for installation, appears to have been in use since 2017, and can harvest chat messages, record audio and screen activity, and track device location and network activity.
Lookout attributes EagleMsgSpy to a company named Wuhan Chinasoft Token Information Technology.
Kaspersky reports renewed activity from the Careto Advanced Persistent Threat (APT) group, also known as The Mask. First seen in 2007 and believed to operate from a Spanish-speaking country, Careto has recently targeted organisations in Latin America, and one of the recent victims is the same organisation it hit in 2007. Kaspersky describes the group's infection techniques as sophisticated and its malware as complex and multi-component.
The Russian state-backed group Turla has used the infrastructure of the cybercrime group Storm-1919 to deploy its own custom backdoor on Ukrainian military systems. Microsoft says Turla searched that infrastructure for devices with Starlink IP addresses, a common indicator of Ukrainian frontline equipment. Turla also appears to have collaborated with another Russian APT group, Storm-1837, which previously targeted Ukrainian military drone pilots. According to Microsoft, Turla has compromised at least six other APT groups over the past seven years, including Iranian and Pakistani ones.
At the Black Hat Europe security conference, PCAutomotive disclosed 12 vulnerabilities in the infotainment systems of Skoda cars that can be exploited to track vehicle location, alter the infotainment display, and eavesdrop on in-car conversations through the microphones. The flaws were tested on a Skoda Superb, but the affected MIB3 infotainment system is also used in other Volkswagen group vehicles. The 12 bugs are part of a set of 21 flaws reported to Volkswagen in 2022, and the carmaker says all of them have now been patched.
A group of plaintiffs has filed a lawsuit against Photobucket over a recent update to its privacy policy. The suit seeks an injunction preventing Photobucket from selling user photos to AI companies for training models on users' biometrics, such as faces and iris scans. Citing the privacy laws of several U.S. states, the plaintiffs ask that Photobucket be required to obtain written consent from users before selling their photos.
This episode of Risky Bulletin covered malware sinkholing, policy shifts, global law enforcement actions, newly disclosed vulnerabilities, and privacy litigation, from the BSI's sinkholing of BADBOX to Turla's reuse of another group's infrastructure against Ukrainian targets.
Summary Prepared by Risky Business Team