Cyber News Roundup for May 2, 2024

From sophisticated cyberattacks crippling essential infrastructure to stealthy botnet discoveries and revelations about data breaches, this week’s roundup has something for all. Join us as we delve into the latest stories surrounding cyber warfare, emerging threats, and innovative defense strategies.

RedSeal is here to keep you informed and equipped to fortify your cyber defenses in an ever-evolving digital landscape.


1. A crucial Kansas City weather and traffic system is disabled by a cyberattack

Last week, the Kansas City Scout System, a crucial bi-state traffic and weather management tool operated by the Departments of Transportation in Missouri and Kansas, was disabled by a cyberattack. This outage occurred during a weekend of severe storms, posing significant risks as the system displays real-time weather and traffic updates on highway signs and through its app and website. Following the attack, all systems, including traffic cameras and message boards, were shut down as a protective measure by the IT team. Restoration efforts are underway, but there is no specified timeline for when services will resume. The disruption has raised concerns about the inability to communicate urgent weather warnings to drivers, complicating safety measures during a critical time. (The Record)


2. Muddling Meerkat uses China’s Great Firewall to manipulate DNS queries

Infoblox has published a report on “Muddling Meerkat,” a suspected Chinese government threat actor that uses China’s Great Firewall (GFW) to generate fake DNS Mail Exchange (MX) records. The group’s motivations are unclear. Infoblox explains, “The most remarkable feature of Muddling Meerkat is the presence of false MX record responses from Chinese IP addresses. This behavior, never published before, differs from the standard behavior of the GFW. These resolutions are sourced from Chinese IP addresses that do not host DNS services and contain false answers, consistent with the GFW. However, unlike the known behavior of the GFW, Muddling Meerkat MX responses include not IPv4 addresses but properly formatted MX resource records instead. This feature is truly remarkable and largely inexplicable.”

The researchers speculate that Muddling Meerkat may be pre-positioning for future DDoS attacks, creating DNS noise to cover up malicious activity, or simply conducting internet mapping and research. Renée Burton, Vice President of Threat Intelligence at Infoblox, concludes in a blog post, “In my professional experience, I have found Chinese threat actors to be extremely adept at managing, understanding, and leveraging the DNS for many purposes—whether that be censorship, cybercrime, or DDoS attacks. They also have some of the finest researchers in the field. Whatever the real goal of Muddling Meerkat is, we should not underestimate the talent and patience required to achieve it.” (Infoblox)
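The quoted Infoblox observation boils down to two anomaly shapes a defender can sort passive-DNS data by: answers from hosts that do not serve DNS carrying a bogus IPv4 address (classic GFW behaviour) versus a properly formatted MX record (the Muddling Meerkat pattern). The following is an added example, not code from Infoblox or RedSeal; the allow-list of known DNS servers, the observation format and the sample records are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allow-list of hosts known to answer DNS (RFC 5737 test addresses).
KNOWN_DNS_SERVERS = {"192.0.2.53", "192.0.2.54"}

@dataclass
class DnsObservation:
    qname: str    # name that was queried
    server: str   # IP the answer came from
    rrtype: str   # record type in the answer section
    rdata: str    # answer payload as text

def is_mx_rdata(rdata: str) -> bool:
    """MX rdata is '<preference> <exchange>', e.g. '10 mail.example.com.'."""
    parts = rdata.split()
    return len(parts) == 2 and parts[0].isdigit() and "." in parts[1]

def classify(obs: DnsObservation, known=KNOWN_DNS_SERVERS) -> str:
    """Verdicts: ok, gfw_a_injection, meerkat_mx_injection, injected_other."""
    if obs.server in known:
        return "ok"  # answered by a host we know runs DNS
    # Answer came from a host that does not serve DNS (the anomaly Infoblox
    # describes); sort it by the shape of the answer.
    if obs.rrtype == "A":
        try:
            ipaddress.IPv4Address(obs.rdata)
            return "gfw_a_injection"      # classic GFW: bogus IPv4 answer
        except ValueError:
            return "injected_other"
    if obs.rrtype == "MX" and is_mx_rdata(obs.rdata):
        return "meerkat_mx_injection"     # well-formed MX from a non-DNS host
    return "injected_other"

def triage(observations):
    """Group query names by verdict."""
    out = {}
    for o in observations:
        out.setdefault(classify(o), []).append(o.qname)
    return out

# Constructed sample observations; names and addresses are fictional.
SAMPLE = [
    DnsObservation("mail.example.com", "192.0.2.53", "MX", "10 mx.example.com."),
    DnsObservation("x7q2.example.net", "203.0.113.9", "A", "198.51.100.7"),
    DnsObservation("k3lp.example.net", "203.0.113.12", "MX", "10 mail.example.org."),
    DnsObservation("z9a1.example.net", "203.0.113.12", "MX", "garbage"),
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE).items():
        print(verdict, ", ".join(names))
```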


3. Marriott backtracks claims of encryption protection

Marriott is trying to sweep some new revelations about a 2018 breach under the rug. According to CSO Online, the hotel conglomerate had defended itself after the massive data breach by arguing that its encryption level (AES-128) was so strong that the case against it should be dismissed. It turns out, however, that the company had never used any encryption at the time; it had instead implemented a hashing mechanism. As for sweeping this whole ‘miscommunication’ under the rug, Marriott has not released any update about the misrepresentation. Instead, it has added a couple of sentences to an article that is more than five years old. An impact statement from 2018 reveals that Marriott believes the information of approximately 500 million guests was impacted. (CSO) (Marriott Statement, 2018)


4. Massive malware campaigns infect Docker Hub

Researchers at JFrog have identified that around 20% of the 15 million Docker Hub repositories hosted malicious content, including malware and phishing sites. They discovered nearly 4.6 million repositories lacking actual Docker images, with 2.81 million linked to three major malicious campaigns initiated since early 2021. These campaigns employed various strategies, such as batch creation of fake repositories and SEO manipulation, to distribute harmful software. One prominent campaign, active in 2021 and 2023, utilized a generic Trojan to push malware through fake installation dialogs, potentially as part of a larger adware or monetization operation targeting compromised systems. (Bleeping Computer)


5. New vulnerabilities are found in Intel processors

Researchers from multiple universities, including UC San Diego and Purdue, along with industry partners such as Google, have discovered two new types of cyberattacks targeting the conditional branch predictor in Intel processors. These attacks, detailed in their upcoming presentation at the 2024 ACM ASPLOS Conference, exploit the Path History Register—a feature that tracks the order and addresses of branches, revealing more precise information than previous methods. The attacks allow for an unprecedented level of control and data extraction from affected processors, posing potential risks to billions of devices. These findings have prompted Intel and AMD to issue security advisories. The research showcases the ability to manipulate processor behaviors, potentially exposing confidential data through sophisticated techniques that outpace existing security measures. (Helpnet Security)


6. Researchers discover a stealthy botnet-as-a-service coming from China

A comprehensive botnet-as-a-service network originating from China has been identified by researchers at EPCyber. It features multiple domains and over 20 active Telegram groups, and it uses domestic communication channels. This infrastructure supports a botnet capable of launching coordinated attacks, including distributed denial-of-service (DDoS) strikes that can incapacitate systems despite advanced DDoS protections from services like Cloudflare. The botnet’s ability to bypass current defenses poses a significant threat. European companies are particularly at risk, as attackers target their domain names and could redirect users to harmful sites. This highlights weaknesses in the Domain Name System (DNS) and underscores the urgent need for robust DNS security to protect online operations and maintain customer trust. (GBHackers)


7. US Department of Defense launches CORA program

The US Department of Defense Information Network, part of the Joint Force Headquarters, on March 1st launched its Cyber Operational Readiness Assessment (CORA) program following a successful nine-month pilot phase. Air Force Lieutenant General Robert Skinner, commander of the Joint Force Headquarters DoD Information Network, stated, “CORA is a vital aspect of continually understanding our cyber readiness through fusing many risk factors including access control, detecting anomalies, adjusting to adversary threat information and executing cyber orders. Ultimately, the assessment provides commanders and directors a more precise understanding of their high-priority cyber terrain and their overall cyber security and defensive posture enabling greater command and control and enhancing decision making.” (US DOD)


8. Anti-Ukraine hack exploits seven-year-old Microsoft Office vulnerability

According to security experts at Deep Instinct Threat Lab, a recent campaign targeting Ukraine used a Microsoft Office vulnerability to deploy Cobalt Strike. In this case the lure was a malicious PowerPoint Slideshow (PPSX) file. Its filename included the word “signal,” making it look as though it had been shared through the Signal app, and its content was based on an outdated U.S. Army manual for tank mine clearing blades. The payload included a DLL file that injects the post-exploitation tool Cobalt Strike Beacon into memory and awaits commands from the C2 server. The threat actors used a cracked version of Cobalt Strike. The researchers could not attribute the attacks to a known threat actor. (Security Affairs)


9. Russia-linked APT group uses GooseEgg to exploit Windows Print Spooler flaw

According to Microsoft, the APT28 group, also known as Fancy Bear and Strontium, has been exploiting a Windows Print Spooler flaw (CVE-2022-38028) using a previously unknown tool called GooseEgg. This activity has been going on since at least June 2020. GooseEgg modifies a JavaScript constraints file and executes it with SYSTEM-level permissions. APT28 has been seen using GooseEgg against targets including government, education, and transportation sector organizations in Ukraine, Western Europe, and North America. (Security Affairs)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.