Cyber News Roundup for June 7, 2024

Welcome to our latest cybersecurity roundup. This week, malware bricked over 600,000 routers belonging to Windstream customers, Senator Gary Peters proposed legislation to streamline federal cybersecurity regulations and reduce compliance burdens, Ticketmaster suffered a massive breach affecting up to 560 million customers while third-party vendor Snowflake denied responsibility, and the NSA published best practices for mobile device security. Stay informed on these pressing cybersecurity developments.


1. Hackers brick over 600,000 routers

Last October, subscribers of the ISP Windstream, which serves residential customers in 18 states, reported that their ActionTec T3200 routers suddenly stopped working, showing a steady red light and not responding to resets. Users blamed Windstream for pushing updates that bricked the devices, and the ISP sent new routers to affected customers. Black Lotus Labs later revealed that malware took out over 600,000 routers, including Windstream's, using the Chalubo remote access trojan to permanently overwrite the firmware. The attack, named Pumpkin Eclipse, was deliberate and targeted a single ISP's autonomous system number, raising concerns about the impact on rural communities and critical services. Researchers found no evidence of nation-state involvement and noted that the threat actor used commodity malware rather than custom-developed tools, which makes attribution harder. Despite extensive analysis, the initial infection method remains unclear, though weak credentials or exposed administrative panels are possible entry points. Researchers advised standard cybersecurity measures, such as replacing default credentials and keeping management interfaces off the internet, to prevent similar attacks. (arstechnica)


2. Draft legislation looks to streamline federal cybersecurity regulations

Senator Gary Peters (D-MI) is proposing a bill to create an interagency committee to streamline federal cybersecurity regulations. The Office of the National Cyber Director (ONCD) would lead this effort, aiming to reduce compliance burdens for industries. This committee would identify and resolve conflicting cybersecurity requirements within a year and ensure regulatory updates are aligned. The draft legislation mandates a pilot program for at least three regulatory agencies to work with the committee on harmonizing rules. The bill also grants ONCD more authority in setting and coordinating cybersecurity regulations, which has support from industry and some experts who see a need for centralized oversight.

The proposal follows recent cybersecurity regulations from the Cybersecurity and Infrastructure Security Agency (CISA) and the Securities and Exchange Commission (SEC), highlighting the need for regulatory harmonization. Key challenges include managing jurisdictional conflicts among various congressional committees overseeing cybersecurity. However, Peters has a history of successfully passing cybersecurity legislation, and the bill has bipartisan appeal. If passed, the legislation would bolster ONCD’s efforts to streamline cybersecurity rules, ensuring better coordination across federal agencies. (The Record)


3. Ticketmaster hack affects 560 million customers, third-party denies liability

The Ticketmaster attack, which occurred on May 20, has been confirmed by its parent company, Live Nation, as the result of "unauthorized activity within a third-party cloud database environment containing company data." A week later the threat actor ShinyHunters put the data, alleged to contain PII and partial payment details of up to 560 million customers, up for sale, demanding a ransom payment of over $500,000 to withdraw it. This is the same threat actor group that breached the Spanish bank Santander around the same time.

Meanwhile, the third-party vendor in question, cloud data platform Snowflake, has denied that its products were to blame for the Ticketmaster breach, or for the Santander Bank breach, for that matter. According to a since-removed post on the website of security firm Hudson Rock, "the intruders were able to sign into a Snowflake employee's ServiceNow account using stolen credentials, and from there were able to generate session tokens." Snowflake, while acknowledging that a former employee's demo account was accessed through stolen credentials, said the account did not contain sensitive data and that there was "no pathway for customers' credentials to be accessed and exfiltrated from the Snowflake production environment." (The Guardian and The Record)


4. NSA shares mobile device best practices

The NSA has published a handy Mobile Device Best Practices report, offering tips to better protect those ubiquitous gadgets. One simple measure is restarting your phone weekly: many mobile malware packages lack persistence and do not survive a reboot, so a regular restart makes it harder for them to keep stealing information. It won't prevent every attack, however. The NSA also highlights threats such as malicious apps, untrusted Wi-Fi networks, spyware, and physical access to the device. It's a nice collection of best practices, easy to share with friends, family and coworkers. (Zdnet)


5. Authorities unmask criminals behind malware loaders

As part of Operation Endgame, law enforcement agencies in 13 countries have revealed the identities of eight Russians linked to the distribution and administration of malware loaders including Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC, and Trickbot. The loaders have been used for years to steal user data, distribute other malware, and propagate phishing campaigns. Forty-two-year-old Airat Rustemovich Gruber has been identified as the administrator of the Smokeloader botnet, which first appeared in 2011. Seven other Russian nationals (Oleg Vyacheslavovich Kucherov, Sergey Valerievich Polyak, Fedor Aleksandrovich Andreev, Georgy Sergeevich Tesman, Anton Alexandrovich Bragin, Nikolaevich Chereshnev, and Andrei Andreyevich) are wanted for their ties to the TrickBot operation. Germany's federal police (BKA) has listed the suspects on its website along with information about the loaders and the joint operation. (SecurityWeek)


6. Atlassian Confluence bug allows code execution

Researchers at SonicWall Capture Labs have analyzed a remote code execution vulnerability (CVE-2024-21683) in Atlassian Confluence Data Center and Server. The bug has a CVSS score of 8.3 out of 10 and can be exploited by an authenticated user uploading a forged JavaScript language file containing malicious code. Proof-of-concept (PoC) exploit code is already publicly available, so admins should upgrade to the latest fixed versions of Confluence as soon as possible. The researchers have published indicators of compromise (IoCs) so admins can check for signs of exploitation. (Dark Reading)


7. Utah student floods hackers with false info to thwart Phishing

A Davis County high school junior, Charles Mortensen, developed a program dubbed VEGA (Victims' Empowerment Guard against Attacks), which aims to take down phishing sites by flooding them with fake usernames and passwords. Mortensen said the program can send about half a million requests to a phishing site within a night, typically taking the site offline by morning. He was motivated to create VEGA when a friend in foster care fell victim to an Instagram phishing attempt, jeopardizing her only means of contacting her mother. Mortensen said VEGA has enabled him to take down thirty phishing sites within a month, and he is seeking a sponsor to help scale the operation to dismantle phishing sites in much larger volumes. (The Cyber Express)


8. A report finds rural hospitals vulnerable to ransomware

A new report from CSC 2.0, an offshoot of the Cyberspace Solarium Commission, warns that rural hospitals are particularly vulnerable to ransomware attacks because of their limited resources and outdated technology. The report finds that federal funding is crucial to addressing the problem, since it would enable major cybersecurity investments that these hospitals cannot afford on their own. The threat is no longer theoretical: recent attacks on large healthcare providers, including Ascension and Change Healthcare, disrupted patient care and medical procedures. The report recommends increasing funding for the Department of Health and Human Services, updating its cybersecurity objectives, and encouraging healthcare providers to invest in basic cybersecurity measures such as employee training and managed IT services. (Cyberscoop)


9. Ransomware attack forces London hospitals to cancel operations

Several of London's largest hospitals were forced to cancel operations and declare a critical incident after Synnovis, a third-party pathology provider, suffered a ransomware attack. A spokesperson for the region said the attack left multiple hospitals without access to pathology services, with "blood transfusion being particularly affected." According to The Register, all of Synnovis's IT systems are believed to be impacted, and at the time of writing there is no timeline for when operations are expected to be back online. (Infosecurity Magazine)(The Register)(The Record)


10. Christie’s stolen data sold to highest bidder

Going once, going twice, Christie's stolen data has been sold. The world-renowned auction house fell victim to a ransomware attack in early May, resulting in the theft of personal information belonging to its high-profile clients. The ransomware group RansomHub set a June 3rd deadline for Christie's to pay the ransom. When Christie's did not comply, the group announced on its leak site that the stolen data had been sold to an anonymous third party for an undisclosed amount. RansomHub claims to have stolen information on at least 500,000 of Christie's clients, including full names, passport details, and home addresses, though this figure has not been confirmed. (The Register)


11. A TikTok zero-day targets high profile accounts

Threat actors exploited a zero-day vulnerability in TikTok's direct messages feature to hijack high-profile accounts, including those of CNN, Paris Hilton, and Sony. The malware reportedly spreads when a user simply opens a malicious direct message within the app, with no further interaction required. TikTok spokesperson Alex Haurek stated that the company's security team has stopped the attack and is working with affected users to restore access. The extent of the impact remains unclear, and no technical details about the vulnerability have been disclosed. (Security Affairs)


12. OpenAI insiders describe a culture of recklessness and secrecy

A group of OpenAI insiders, including nine current and former employees, is exposing what they describe as a culture of recklessness and secrecy at the company, The New York Times reports.  The insiders claim OpenAI prioritizes profits over safety in its race to develop artificial general intelligence (AGI). The insiders accuse the company of using restrictive nondisparagement agreements to silence concerns. Former researcher Daniel Kokotajlo, a leading whistleblower, criticized OpenAI for its aggressive pursuit of AGI without sufficient safety measures. The group recently published an open letter calling for greater transparency and protections for whistleblowers in AI companies. They demand an end to restrictive agreements and advocate for a culture that allows open criticism and anonymous reporting of safety issues.

OpenAI is also dealing with several controversies, including legal battles over copyright infringement and backlash from its recent voice assistant launch. The company has faced internal turmoil, including the departure of senior AI researchers Ilya Sutskever and Jan Leike, who left due to concerns over safety being neglected in favor of rapid development. OpenAI has responded, claiming a commitment to safety and transparency and announcing new safety initiatives. The whistleblowers, however, remain skeptical and are urging regulatory oversight to ensure responsible development of powerful AI systems. (NY Times)


13. AI leveling up unsophisticated threat actors

Speaking at an event in Washington, US Treasury CISO Sarah Nur and FBI cyber division deputy assistant director Cynthia Kaiser both said that new AI tools made it easier for less sophisticated threat actors to become “at least mildly better,” allowing for things like performing scripting tasks and finding coding errors. Also at the event, assistant secretary for cyber and technology security in the State Department’s Bureau of Diplomatic Security Gharun Lacy said he’s seen AI used as an amplifier by threat actors, used to improve their best skills. All said the government needs to improve information sharing and coordination with partners across public and private sectors. (FedScoop)


14. Researchers find Chinese espionage operation

Security researchers at Sophos detailed an operation dubbed "Crimson Palace" that ran in Southeast Asia throughout 2023, with access likely beginning in early 2022. The operation comprised three distinct clusters of intrusion activity that showed signs of coordination. The attack techniques and infrastructure align with Chinese state-sponsored actors. The operators primarily sought to maintain long-term access to victim networks in order to collect sensitive military and technical information. (Infosecurity Magazine)


15. Interpol makes cyber sabotage arrests

Moldovan authorities coordinated with French prosecutors and the FBI to detain four people suspected of attempting to sabotage Interpol's Red Notice system, which is used to alert 195 member countries to wanted individuals. The suspects allegedly paid intermediaries millions of dollars to tip off people listed on Red Notices and attempted to have notices deleted. The UK National Crime Agency also said it has uncovered the names of other individuals who accepted bribes for similar actions. Interpol said it has added "additional measures" to ensure the system cannot be abused in the same way going forward. (The Record)


16. Commando Cat targets Docker servers to deploy crypto miners

Researchers at Trend Micro describe Commando Cat, a campaign that exploits exposed Docker remote API servers to deploy cryptocurrency miners. Active since early 2024, the attackers use the unauthenticated API to pull a Docker image and start a container from it, gaining a foothold on the host. They create containers that bind-mount the host's root directory, giving them unrestricted access to the host filesystem from inside the container. From there the attackers download and execute a malicious binary, often employing evasion techniques to avoid detection. This campaign underscores the importance of never exposing the Docker daemon's TCP API without TLS client authentication, using only trusted images, and regularly auditing running containers for privileged settings and host mounts. (Trendmicro)
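The two conditions Commando Cat depends on, a Docker daemon reachable over plain TCP and a container that bind-mounts the host's root directory, can both be checked from the daemon's own configuration and from `docker inspect` output. The script below is an added example written for this roundup, not Trend Micro's code or part of the campaign report; the sample inspect output and the daemon settings it checks are constructed for illustration, and the list of host paths it treats as sensitive is an assumption you should tune for your environment.

```python
"""Audit Docker for the two weak spots Commando Cat abuses:
1. dockerd listening on TCP without TLS client verification;
2. containers that bind-mount the host root (or run privileged).
Feed it real data with:  docker inspect $(docker ps -q)  and  /etc/docker/daemon.json
"""
import json

# Assumption: host paths that should never be bind-mounted into an untrusted container.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock"}

# Constructed sample resembling `docker inspect` output (not real data). The second
# container mirrors the pattern in the campaign: host "/" mounted at /host, privileged.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "PidMode": ""},
        "Mounts": [{"Type": "volume", "Source": "web_data", "Destination": "/data", "RW": True}],
    },
    {
        "Name": "/suspicious",
        "HostConfig": {"Privileged": True, "PidMode": "host"},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}],
    },
])

# Constructed daemon.json fragments: the weak setting beside the corrected one.
WEAK_DAEMON_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def _normalise(path: str) -> str:
    """Collapse trailing slashes so "/" and "//" compare equal."""
    stripped = path.rstrip("/")
    return stripped if stripped else "/"


def container_findings(container: dict) -> list[str]:
    """Return human-readable findings for one `docker inspect` entry."""
    name = container.get("Name", "?").lstrip("/")
    findings = []
    for mount in container.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue  # named volumes stay inside Docker's own storage
        src = _normalise(mount.get("Source", ""))
        if src in SENSITIVE_HOST_PATHS:
            rw = "rw" if mount.get("RW", True) else "ro"
            findings.append(f"{name}: bind-mounts host {src} at {mount.get('Destination')} ({rw})")
    host_cfg = container.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        findings.append(f"{name}: runs privileged (all capabilities, device access)")
    if host_cfg.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")
    return findings


def audit_inspect(inspect_json: str) -> list[str]:
    """Run container_findings over a JSON array from `docker inspect`."""
    return [f for c in json.loads(inspect_json) for f in container_findings(c)]


def daemon_findings(daemon_config: dict) -> list[str]:
    """Flag TCP listeners that accept unauthenticated API calls."""
    findings = []
    tls_verified = bool(daemon_config.get("tlsverify"))
    for host in daemon_config.get("hosts", []):
        if host.startswith("tcp://") and not tls_verified:
            findings.append(f"daemon listens on {host} without tlsverify: anyone who can "
                            f"reach it can start containers as root")
    return findings


if __name__ == "__main__":
    for line in audit_inspect(SAMPLE_INSPECT) + daemon_findings(WEAK_DAEMON_CONFIG):
        print("[!]", line)
    print("hardened daemon findings:", daemon_findings(HARDENED_DAEMON_CONFIG))
```

Any container that both bind-mounts `/` and runs privileged should be treated as a host compromise rather than a misconfiguration, because a process inside it can write to the host's cron directories or binaries directly. The hardened daemon config still exposes a TCP port, but with `tlsverify` set the daemon rejects clients that do not present a certificate signed by the configured CA.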


17. FCC moves forward with BGP security measures

The Federal Communications Commission unanimously voted to advance a proposal to improve the security of the Border Gateway Protocol (BGP), the routing protocol that stitches the internet together. Under the proposal, broadband providers would have to develop and maintain confidential BGP security plans, with the nine largest providers submitting quarterly progress reports to the FCC. The commission pointed to BGP weaknesses that a Chinese telecommunications company has exploited multiple times to misroute U.S. internet traffic. Separately, the FCC approved a $200 million pilot program to help schools and libraries purchase cybersecurity equipment, despite opposition. (CyberScoop)


18. LockBit ransomware gang victims get lifeline from FBI

Are you or someone you know a victim of the LockBit ransomware gang? The FBI's Cyber Division says it can help. A spokesperson for the agency said it has obtained more than 7,000 LockBit decryption keys and is urging victims to reach out through the FBI's Internet Crime Complaint Center (IC3). The reporting form asks for information such as which version of LockBit was used to encrypt your systems, what files were encrypted, and a copy of the ransom note. (IC3 Reporting Form)(Security Week)


19. Apple to debut rival password management app

Apple is saying move over 1Password and LastPass. According to Bloomberg, the tech giant plans to launch a competing password management app as early as next week. The new app, called Passwords, syncs credentials the same way iCloud Keychain does, but separates logins into categories such as accounts, Wi-Fi networks, and passkeys. It is expected to be introduced on June 10 and to ship with iOS 18, iPadOS 18, and macOS 15. (The Verge)(Bloomberg)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.