🎓️ Vulnerable U | #071

regreSSHion Threat Brief, TeamViewer Hacked, Predator Spyware Sanctions, Evolve Bank Hack Ripple Effects, Malware Logs used to Identify CSAM Consumers, and more!

Read Time: 6 minutes

Howdy friends!

Happy 4th of July to my USA friends and Canada Day to my Canadians. I’m still living on Europe time and have been up way earlier than I ever usually get up. It’s been interesting, and I’m going to try to keep it up.

Hope you’re all staying safe from the hurricanes and cool from the heatwaves. Just a ton of the weather trying to kill us lately; if you need me, I’ll be inside in the A/C for a few more months.

ICYMI

🎧️ Something I heard: I heard IOActive is throwing their IOAsis event in Vegas again this year. I always spend a bunch of time there, as it’s a good solid event away from the conference crowds, filled with smart folks (and free food and drinks).

🎤 Something I said: Walked through a new AirPods vulnerability. Who knew you could even upgrade AirPods firmware?

🔖 Something I read: This great thread on the Oxford Cyber Forum

Vulnerable News

The regreSSHion OpenSSH bug (CVE-2024-6387) felt like it could’ve been THE big one. The vuln of the year. SSH is installed absolutely everywhere, and if reliable unauthenticated RCE were possible across the board, we’d be in a patching and exploit frenzy. However, the exploit only works on a window of versions (8.5p1 through 9.7p1, plus anything older than 4.4p1 that never got the original fix), has only been demonstrated on 32-bit glibc Linux (64-bit is believed possible but wasn’t shown), and took 6-8 hours of continuous connection attempts in a lab to win the race. That makes mass exploitation less likely, but still, if you’re vulnerable and on the Internet, you have some patching to do (and honestly, some log checking to do; this isn’t a super new bug, it’s a 2006 signal-handler race, CVE-2006-5051, that regressed back into the code with 8.5p1 in 2021).

I’m keeping an eye on this from an Internet-at-large exploitation sense, but most modern shops should be relatively OK. If you have a golden image process that keeps OpenSSH up to date, you’re all good. If not, get to patching. If you can’t patch right away, setting LoginGraceTime 0 in sshd_config removes the exploitable timeout path, at the cost of a trivial connection-exhaustion DoS. One caveat: distro packages backport the fix without bumping the banner, so check your package version and changelog, not just the OpenSSH version a scanner sees. (read more)
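As an added example (my code, not from this newsletter, OpenSSH or the Qualys advisory), here is a small triage script that does the two things above: it classifies an sshd banner against the upstream version window published for CVE-2024-6387, and it scans sshd log lines for the burst of "Timeout before authentication" messages that thousands of failed race attempts leave behind. The version window and the log message come from the public advisory; the banners, log lines, IP addresses and the 20-event threshold are constructed for the demo. A banner in the window is a lead to confirm against the package changelog, not proof of vulnerability, because distro builds backport the fix and keep the old version string.

```python
import re
from collections import Counter

# Upstream version window from the public CVE-2024-6387 advisory (assumed here,
# not stated in the newsletter): 8.5p1 through 9.7p1 reintroduced the bug,
# 9.8p1 fixed it, and releases before 4.4p1 still carry the original
# CVE-2006-5051 signal-handler race.
REGRESSION_START = (8, 5, 1)
FIXED_IN = (9, 8, 1)
ORIGINAL_FIX = (4, 4, 1)

BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, patchlevel) from an sshd banner, or None if it is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify_banner(banner):
    """Map a banner to one of: not-openssh, pre-4.4p1, regression-window, not-in-window.

    A 'regression-window' hit is a lead, not proof: Debian, Ubuntu and RHEL
    backport the fix and keep the upstream version in the banner, so confirm
    against the installed package before declaring a host vulnerable.
    """
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    if v < ORIGINAL_FIX:
        return "pre-4.4p1"
    if REGRESSION_START <= v < FIXED_IN:
        return "regression-window"
    return "not-in-window"


# Each exploitation attempt has to run out LoginGraceTime, and sshd logs every
# one of those as "Timeout before authentication for <ip> port <n>".
TIMEOUT_RE = re.compile(r"sshd\[\d+\]: Timeout before authentication for (\S+) port \d+")


def suspicious_sources(log_lines, threshold=20):
    """Count timeout-before-auth events per source IP; return sources at or above threshold."""
    counts = Counter()
    for line in log_lines:
        m = TIMEOUT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample data (documentation IP ranges, not real hosts).
SAMPLE_BANNERS = {
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13": "regression-window",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3": "not-in-window",
    "SSH-2.0-OpenSSH_9.8p1": "not-in-window",
    "SSH-2.0-OpenSSH_3.9p1": "pre-4.4p1",
    "SSH-2.0-dropbear_2022.83": "not-openssh",
}

SAMPLE_LOG = [
    f"Jul  1 02:{14 + i // 5:02d}:{(i * 7) % 60:02d} bastion sshd[{4021 + i}]: "
    f"Timeout before authentication for 198.51.100.23 port {40000 + i}"
    for i in range(25)
] + [
    "Jul  1 02:15:10 bastion sshd[4025]: Accepted publickey for alice from 203.0.113.5 port 50022 ssh2",
    "Jul  1 02:20:00 bastion sshd[4040]: Timeout before authentication for 203.0.113.9 port 44010",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r:45} -> {classify_banner(banner)}")
    print("sources with a burst of auth timeouts:", suspicious_sources(SAMPLE_LOG))
```

Run it against `/var/log/auth.log` (or `journalctl -u ssh`) lines and a banner grabbed with `nc host 22`; a single source producing hundreds of these timeouts in a few hours is the pattern to hunt for, since a legitimate client almost never sits idle through the grace period repeatedly.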


TeamViewer, the popular remote desktop software company, had its corporate network breached in an alleged APT hack.

"TeamViewer’s internal corporate IT environment is completely independent from the product environment.” - The breach happened and was detected last week but the company says there is no customer data stolen.

Given what TeamViewer offers, this breach could’ve been a lot worse. I’ve seen a few folks who are actually skeptical of the statement of scope of the incident and still concerned about customer impact. (read more)

Absolutely wild research. For decades, the fight against CSAM has often been at the tip of the spear of infosec. The bad guys in this scenario have a lot of motivation to stay hidden.

Recorded Future did some amazing research using infostealer malware logs to track down purchasers of CSAM. Infostealers dump everything saved on an infected machine, so when credentials for known CSAM sites turn up in a log, the rest of that same log (other account logins, crypto wallet addresses, system details) is what makes the person identifiable. The report walks through exactly that pivot. (read more)
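To show the shape of that pivot, here is an added example (my code, not Recorded Future's, and not part of the newsletter). Stealer logs are commonly dumped per infected machine as blocks of URL/USER/PASS lines; triage means matching the host of each saved credential against a watchlist of domains, then collecting the other accounts captured from the same machine, which is what turns an anonymous login into a lead on a real person. The dump text, machine IDs, credentials and the watchlist domain names below are all constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed stealer-log dump in the common "URL / USER / PASS" block format.
# Machine IDs, hostnames and credentials are placeholders, not real data.
SAMPLE_DUMP = """\
=== MACHINE: 7f3a-WIN10-DESKTOP ===
URL: https://members.flagged-site.example/login
USER: throwaway_acct91
PASS: pw-redacted-1
URL: https://mail.webmail.example/
USER: john.doe1984@webmail.example
PASS: pw-redacted-2
URL: https://bank.example.net/auth
USER: jdoe1984
PASS: pw-redacted-2

=== MACHINE: 0c12-LAPTOP-HOME ===
URL: https://shop.example.com/account
USER: alice@isp.example
PASS: pw-redacted-3
"""

# Watchlist of hostnames to flag (placeholder names; a real list would come from
# law-enforcement or threat-intel sources).
WATCHLIST = {"flagged-site.example"}

MACHINE_RE = re.compile(r"^=== MACHINE: (\S+) ===$")
FIELD_RE = re.compile(r"^(URL|USER|PASS): (.*)$")


def parse_stealer_dump(text):
    """Group URL/USER/PASS triples under the machine block they were captured from."""
    machines = {}
    current, entry = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = MACHINE_RE.match(line)
        if m:
            current = m.group(1)
            machines[current] = []
            entry = {}
            continue
        f = FIELD_RE.match(line)
        if f and current is not None:
            entry[f.group(1)] = f.group(2)
            if f.group(1) == "PASS":  # PASS is the last field of a triple
                machines[current].append(entry)
                entry = {}
    return machines


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def in_watchlist(host, watchlist=WATCHLIST):
    """Match the host itself or any parent domain (members.x.example matches x.example)."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in watchlist for i in range(len(parts) - 1))


def triage(text, watchlist=WATCHLIST):
    """Per machine with a watchlist hit: the flagged hosts and the other accounts to pivot on."""
    report = {}
    for machine, entries in parse_stealer_dump(text).items():
        hits = [e for e in entries if in_watchlist(host_of(e["URL"]), watchlist)]
        if not hits:
            continue
        pivots = sorted({e["USER"] for e in entries if e not in hits})
        report[machine] = {"hits": [host_of(e["URL"]) for e in hits], "pivot_accounts": pivots}
    return report


if __name__ == "__main__":
    for machine, info in triage(SAMPLE_DUMP).items():
        print(machine, "->", info)
```

The pivot accounts (a personal webmail login, a bank username) are the identifying signal; the flagged credential itself is usually a throwaway. Real dumps vary in format between stealer families, so the parser is the part you would adapt first.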

The spyware maker Cytrox, known for its Predator spyware, has suddenly gone quiet. This comes after a series of exposés and sanctions. Cytrox, based in North Macedonia, was outed for selling its spyware to authoritarian regimes, which used it to target journalists, dissidents, and activists. Not exactly the best customer base if you're aiming for positive press.

The crackdown started when the U.S. sanctioned Cytrox, freezing their assets and cutting them off from American technology. What’s interesting is how Cytrox has practically disappeared off the radar since then. They haven’t issued any statements, and their usual shady operations seem to have come to a standstill. (read more)

When we covered LockBit claiming to have hacked the Federal Reserve, it turned out to just be Evolve Bank. Well, now we’re finding out the ripple effects of that one.

Yieldstreet, the investment platform, has confirmed that some of its customers got swept up in the Evolve Bank & Trust data breach.

Evolve Bank got hit by LockBit, compromising a bunch of sensitive data. Since Yieldstreet uses Evolve for some of its banking services, their customers' info got caught in the crossfire. Yieldstreet is now busy notifying affected users and trying to figure out the extent of the damage. (read more)

So, here's a wild one for you: state-backed hackers from China or North Korea are now using ransomware as their exit strategy. SentinelOne, along with TeamT5 and Recorded Future, found that these cyber spies, particularly a group called ChamelGang, are hitting big targets like the All India Institute of Medical Sciences (AIIMS) and the Brazilian Federal Executive Branch with ransomware.

It seems like this is all about money, chaos, distraction, and covering their tracks. Some of these state-affiliated hackers operate on a “hack now, sell later” model, which makes ransomware a quick payday.

But this strategy can backfire. Take the 2022 attack on AIIMS: it messed up patient care and lab services, and Delhi Police called it "cyber terrorism." This almost sparked a bigger conflict with China, considering their rocky relationship with India. Despite the risks, as long as these hackers remain poorly paid and loosely managed, they’re probably going to keep pulling these risky stunts. (read more)

Here’s a bit of good news: law enforcement just disrupted a massive vishing operation, leading to dozens of arrests. This scam was pulling in around $25 million by tricking people over the phone into handing over their personal and financial info.

The operation spanned multiple countries and targeted people by pretending to be legitimate entities like banks or government agencies. Victims were duped into revealing sensitive information, which was then used to empty their accounts or steal their identities. It’s classic social engineering but with a phone call instead of an email. (read more)

Intel's recent CPUs (the researchers demonstrated it on Raptor Lake and Alder Lake parts) are vulnerable to a fresh side-channel attack dubbed "Indirector." Researchers have found a way to exploit this vulnerability to leak sensitive data. Side-channel attacks, for the uninitiated, are like an eavesdropper who reads your lips instead of hearing you: here the attacker infers what the CPU is doing from the traces its branch predictor leaves behind.

Intel has had its share of side-channel issues over the years, and Indirector is just the latest headache. The attack targets the indirect branch predictor and the branch target buffer: by working out how those structures index and tag their predictions, an attacker can inject a prediction so that victim code speculatively jumps to a gadget of the attacker's choosing, then recover what that speculative execution left behind in the cache. This is the Spectre v2 family of problems, so the existing mitigations (IBPB on privilege and context switches, retpolines, keeping secrets out of shared prediction domains) are the right place to look; the researchers' recommendation is to use IBPB more aggressively. (read more)

Gamers! Heads up! Roll20, the popular online tabletop RPG platform, has just had a data breach, exposing the personal information of millions of users. The breach leaked usernames, email addresses, and hashed passwords.

While hashed passwords offer some level of protection, they’re not foolproof, especially if users haven’t opted for strong, unique passwords. Hackers could potentially use this information to break into other accounts if users have reused passwords elsewhere.

If you’re a user of Roll20, now’s the time to change your passwords, not just on the RPG site but on any other site where you might have used the same credentials. (read more)
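To make "hashed but not foolproof" concrete, here is an added example (mine, unrelated to Roll20's actual storage scheme, which the page does not describe): a tiny dictionary attack against an unsalted SHA-256 hash, beside the same attack against a salted PBKDF2-HMAC-SHA256 hash with a modern iteration count. The unsalted hash falls in microseconds per guess and one precomputed table cracks every user; the PBKDF2 hash still falls if the password is in the wordlist, just hundreds of thousands of times slower per guess and one user at a time. That is exactly why a unique password matters more than whatever hashing the site used. The wordlist, password and iteration count are constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for a leaked-password list.
WORDLIST = ["password", "123456", "dragon2024", "letmein", "Summer2023!", "correcthorse"]

PBKDF2_ITERATIONS = 600_000  # order of magnitude OWASP recommends for PBKDF2-HMAC-SHA256


def sha256_unsalted(password):
    """The weak scheme: one fast hash, no salt, so one rainbow table covers every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hash(password, salt, iterations=PBKDF2_ITERATIONS):
    """The stronger scheme: per-user salt plus a deliberately slow derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_unsalted(target_hex, wordlist=WORDLIST):
    """Dictionary attack: one cheap hash per guess."""
    for guess in wordlist:
        if hmac.compare_digest(sha256_unsalted(guess), target_hex):
            return guess
    return None


def crack_pbkdf2(target, salt, iterations, wordlist=WORDLIST):
    """Same attack; the salt kills precomputation and the iterations tax every guess."""
    for guess in wordlist:
        if hmac.compare_digest(pbkdf2_hash(guess, salt, iterations), target):
            return guess
    return None


def demo(iterations=PBKDF2_ITERATIONS):
    """Crack the same weak password under both schemes.

    Returns (cracked_from_sha256, cracked_from_pbkdf2, slowdown_ratio). Both
    attacks succeed because the password is in the wordlist; only the cost differs.
    """
    pw = "Summer2023!"
    salt = os.urandom(16)
    weak_target = sha256_unsalted(pw)
    strong_target = pbkdf2_hash(pw, salt, iterations)

    t0 = time.perf_counter()
    fast = crack_unsalted(weak_target)
    t1 = time.perf_counter()
    slow = crack_pbkdf2(strong_target, salt, iterations)
    t2 = time.perf_counter()
    ratio = (t2 - t1) / max(t1 - t0, 1e-9)
    return fast, slow, ratio


if __name__ == "__main__":
    fast, slow, ratio = demo()
    print(f"unsalted sha256 cracked: {fast}; pbkdf2 cracked: {slow}; pbkdf2 was ~{ratio:.0f}x slower")
```

Scale the wordlist to the hundreds of millions of entries real crackers use and the ratio is what separates "every reused password is exposed within hours" from "only the genuinely weak ones fall, slowly." A password that is not in any wordlist is not cracked under either scheme, which is the user-side lesson.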

KT, formerly known as Korea Telecom, has been accused of infecting 600,000 of its customers with malware to curb peer-to-peer (P2P) file sharing. According to South Korean media outlet JTBC, this malware disabled webhard software (Korean cloud storage services), caused files to disappear, and even crashed computers. The operation allegedly involved a specialized team for malware development, distribution, and wiretapping. KT claims this was the work of a small, rogue group, but the alignment with the company's financial interests is hard to ignore. Thirteen KT employees and contractors are now facing prosecution.

This strange incident highlights the impact of South Korea's unique 'sender pays' internet regulation, where ISPs must pay for traffic they send to other ISPs. This model discourages ISPs from hosting popular content to avoid hefty fees. For example, KT once hosted a Facebook cache but had to shut it down due to rising costs, resulting in slower access for users. This regulatory environment inadvertently encourages P2P solutions, which save bandwidth costs but still incur inter-ISP traffic fees. (read more)

An Australian healthcare provider just suffered a massive data breach, leaking a whopping four terabytes of data. This breach exposed a ton of sensitive information, including patient records, medical histories, and personal details.

The breach is one of the largest in the country's history, and it’s a nightmare for everyone involved. Cybercriminals gaining access to such a huge trove of data means there could be long-term consequences, from identity theft to targeted scams against patients. (read more)

Here's a crafty new technique to watch out for: security researchers have published a new method, dubbed EDRPrison, that uses legitimate drivers to silence EDR agents. This sneaky approach essentially borrows trusted drivers to bypass security measures, making it harder for EDR systems to spot malicious activity.

Attackers exploit legitimate, signed drivers to disable EDR functions, effectively putting the system’s security on mute. This tactic allows malicious operations to go undetected, posing a serious risk to any organization relying on EDR for defense. (read more)

Hackers exploited an unauthenticated API endpoint to gather the phone numbers linked to Authy accounts. While Twilio assures that no authentication tokens or other sensitive data were accessed, this exposure still poses a risk. A list of numbers confirmed to belong to 2FA users is ideal input for targeted phishing and SIM-swapping scams, which can lead to more severe compromises.

If you’re an Authy user, now’s a good time to update the Authy app to the current version (Twilio shipped a fix), double-check your security settings, and stay vigilant for any suspicious activity on your phone. (read more)
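The reporting describes an endpoint that accepted a phone number without authentication and revealed whether an Authy account existed for it. The added example below (mine, a simplified simulation rather than Twilio's code, and not part of the newsletter) shows that shape of bug beside a hardened version. The hardened handler requires a caller credential, returns the same response whether or not the number is registered, and applies a per-caller rate limit so bulk enumeration becomes expensive. The phone numbers, API key, window and limit are constructed.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed account store: E.164 numbers that "have" an account. Placeholders only.
REGISTERED = {"+15555550100", "+15555550101", "+447700900123"}


# --- vulnerable shape: anonymous, unthrottled, and the answer differs by status ---
def lookup_vulnerable(phone):
    """No auth, no rate limit, and the response itself leaks which numbers are registered."""
    if phone in REGISTERED:
        return 200, {"registered": True}
    return 404, {"error": "not found"}


# --- hardened shape ---
API_KEY_HASH = hashlib.sha256(b"example-client-key").hexdigest()  # constructed credential


class RateLimiter:
    """Sliding-window limit per caller: at most `limit` calls in any `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls = defaultdict(list)

    def allow(self, caller):
        now = self.clock()
        recent = [t for t in self.calls[caller] if now - t < self.window]
        self.calls[caller] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


limiter = RateLimiter(limit=5, window=60)


def lookup_hardened(phone, api_key, caller_id):
    """Auth required, rate limited, and a uniform response regardless of registration."""
    presented = hashlib.sha256((api_key or "").encode()).hexdigest()
    if not hmac.compare_digest(presented, API_KEY_HASH):
        return 401, {"error": "unauthorized"}
    if not limiter.allow(caller_id):
        return 429, {"error": "rate limited"}
    registered = phone in REGISTERED  # used server-side only (e.g. to route a push); never echoed
    _ = registered
    return 202, {"status": "accepted"}


def enumerate_numbers(probe, candidates):
    """An attacker's loop: which candidates does the endpoint confirm as registered?"""
    return {p for p in candidates if probe(p)[1].get("registered") is True}


if __name__ == "__main__":
    cands = ["+15555550100", "+15555550199", "+447700900123"]
    print("vulnerable endpoint leaks:", enumerate_numbers(lookup_vulnerable, cands))
    print("hardened endpoint leaks:",
          enumerate_numbers(lambda p: lookup_hardened(p, "example-client-key", "attacker"), cands))
```

The uniform 202 is the important part: rate limiting alone only slows an attacker with many source addresses down, while a response that does not depend on registration status removes the oracle entirely. In a real service the caller identity for the limiter would be the authenticated client plus the source address, not just one of them.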

Miscellaneous mattjay

This looks cool from TrustedSec

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay