CybersecurityHQ News Roundup - November 28, 2024

News | By Daniel Michan | Published on November 28


T-Mobile Shares More Information on China-Linked Cyberattack

T-Mobile disclosed new details Wednesday about a cyberattack believed to involve the China-linked threat group Salt Typhoon. The telecom giant emphasized that its systems successfully blocked the intrusion.

This attack is part of a broader cyberespionage campaign targeting U.S. telecommunications companies, including Verizon, AT&T, and Lumen Technologies, as well as international service providers. Earlier reports from CISA and the FBI highlighted Salt Typhoon’s efforts to steal customer call data and compromise government communications.

In response to media speculation, T-Mobile’s Chief Security Officer, Jeff Simon, refuted claims that sensitive customer information, such as calls or texts, was compromised. Simon assured the public that T-Mobile’s defenses prevented unauthorized access and service disruptions.

The attack reportedly originated from a wireline provider’s network connected to T-Mobile’s systems. The connection was swiftly terminated, and the company states that no attackers are currently active in its infrastructure. Although T-Mobile cannot definitively attribute the attack to Salt Typhoon, the tactics align with the group’s methods.

T-Mobile has faced several major breaches in recent years, impacting tens of millions of customers. Senator Mark Warner, Chairman of the Senate Intelligence Committee, described the broader attacks attributed to Salt Typhoon as the “worst telecom hack in our nation’s history.” These breaches allegedly enabled real-time call monitoring and text interception, primarily targeting individuals in government and politics.

For more insights into the Salt Typhoon campaign, visit CISA and The Washington Post.

Microsoft Patches Exploited Vulnerability in Partner Network Website

On Tuesday, Microsoft announced it had patched several vulnerabilities across its cloud, AI, and other services, including a security flaw actively exploited in the wild.

The patched vulnerabilities include privilege escalation issues in Azure, Copilot Studio, and the Microsoft Partner Network website. Notably, customers are not required to take any action as updates are deployed automatically.

The most prominent fix addresses CVE-2024-49035, a high-severity improper access control vulnerability in the Partner Network’s partner.microsoft.com domain. Exploitation of this vulnerability was detected, though Microsoft has not provided extensive details. This flaw allowed unauthenticated attackers to escalate privileges over a network. Security researchers and Microsoft employees identified the issue, which has since been mitigated.

Another critical vulnerability, CVE-2024-49038, impacts Copilot Studio, a generative AI tool for customizing or creating copilots. This cross-site scripting (XSS) vulnerability could enable unauthorized privilege escalation via crafted web inputs.

In Azure, the patched vulnerability CVE-2024-49052 addressed missing authentication in a critical function of Azure PolicyWatch, which similarly allowed attackers to escalate privileges.

Additionally, an XSS vulnerability in Dynamics 365 Sales was patched, affecting iOS, Android, and web apps. This flaw requires user interaction, such as clicking a malicious link, to execute scripts in a victim’s browser.

Microsoft’s ongoing commitment to transparency includes assigning CVE identifiers to cloud service vulnerabilities that require no user action, aligning with similar efforts from Google Cloud.

For detailed vulnerability insights, check Microsoft’s official advisory or learn more about CVE identifiers from Google Cloud.

Over Two Dozen Flaws Identified in Advantech Industrial Wi-Fi Access Points – Patch ASAP

Nearly two dozen vulnerabilities have been disclosed in Advantech EKI industrial-grade wireless access points, with some flaws allowing attackers to bypass authentication and execute code with elevated privileges.

According to an analysis by Nozomi Networks, six of the identified vulnerabilities are critical, enabling remote code execution, backdoor creation, and denial-of-service (DoS) attacks. The flaws affect firmware versions prior to:

  • 1.6.5 for EKI-6333AC-2G and EKI-6333AC-2GD
  • 1.2.2 for EKI-6333AC-1GPO

Key vulnerabilities include CVE-2024-50370 through CVE-2024-50374 (CVSS scores: 9.8), which stem from improper OS command handling, and CVE-2024-50376, a cross-site scripting (XSS) issue. Combined with other flaws, these vulnerabilities enable attackers to execute arbitrary commands, gain persistent remote access, and infiltrate networks.

Exploitation involves setting up rogue access points and tricking administrators into triggering malicious scripts via the device's Wi-Fi Analyzer feature. Immediate patching is essential to mitigate these risks.

XMLRPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner

A year-long software supply chain attack has been uncovered in the npm package @0xengine/xmlrpc, which turned malicious shortly after its initial release in October 2023. The package, downloaded over 1,700 times, was weaponized to steal sensitive data and deploy the XMRig cryptocurrency miner.

According to Checkmarx, version 1.3.4 introduced malicious code capable of exfiltrating SSH keys, bash histories, system metadata, and environment variables. This data was sent to services like Dropbox and file.io.

The malware spread through multiple vectors:

  1. Direct npm installations.
  2. Hidden dependencies in projects like yawpp (Yet Another WordPress Poster), available on GitHub.

Once installed, the malware achieved persistence, monitored user activity, and suspended operations to avoid detection. At least 68 systems have been compromised.

This attack highlights the ongoing threats in software supply chains. Developers are advised to vet dependencies rigorously and monitor updates closely.

Cybercriminals Exploit Popular Game Engine Godot to Distribute Cross-Platform Malware

A new malware campaign dubbed GodLoader leverages the open-source Godot Engine to deliver cross-platform malware, affecting over 17,000 systems since June 2024.

According to Check Point, attackers use Godot’s GDScript code to trigger malicious commands undetected by antivirus engines. The malware employs Stargazers Ghost Network, comprising 200 GitHub repositories and over 225 bogus accounts, to distribute its payload.

Key findings include:

  • GodLoader uses custom Godot executables to drop payloads like RedLine Stealer and XMRig miners.
  • The campaign targets developers, gamers, and users across Windows, macOS, and Linux.
  • It employs techniques to bypass sandbox detection and modifies Microsoft Defender exclusions to avoid detection.

Check Point warns that attackers could escalate by tampering with legitimate Godot-built games. To counter this, developers should switch to asymmetric encryption for added security.

This campaign underscores the growing misuse of trusted platforms to propagate malware.

Ongoing Malware Campaign Targets Developers with Counterfeit Packages

Another wave of supply chain attacks is targeting developers using counterfeit packages on npm and Python Package Index (PyPI). The campaign, tracked as MUT-8694 by Datadog Security Labs, aims to deliver open-source stealers like Blank-Grabber and Skuld Stealer.

Highlights include:

  • 18 npm and 39 PyPI packages using typosquatting to impersonate legitimate libraries.
  • A focus on compromising Roblox developers by distributing malware-laden libraries.
  • Persistent attempts to infect developers’ systems with stealer malware.

Users are advised to download software only from trusted sources and verify the integrity of dependencies.

20-Year-Old macOS Vulnerability Allows Attackers to Gain Root Access Remotely

A security researcher has unveiled a critical macOS vulnerability in Apple’s MallocStackLogging framework, which remained undiscovered for nearly two decades. Tracked as CVE-2023-32428, this bug was identified in March 2023 and patched by Apple in October. The vulnerability enabled attackers to gain root access by exploiting flaws in file operations, symlink bypass mechanisms, and filename randomization.

Critical macOS Vulnerability

The MallocStackLogging framework, a longstanding debugging tool in macOS, was found to have critical weaknesses in its file handling mechanisms:

  • Insecure File Operations: The access() function was exploitable through race conditions.
  • Symlink Bypass: Misuse of the open() function allowed attackers to traverse symlinks.
  • Filename Truncation: Errors in randomization efforts made filenames predictable.

By exploiting these flaws, attackers could execute a chain of actions—manipulating environment variables, exploiting file operation flags, and leveraging the crontab utility—to gain unauthorized root access.

Fixes Implemented by Apple:

  • Strengthened file operations using O_NOFOLLOW_ANY and realpath() to thwart symlink attacks.
  • Ensured proper use of O_CLOEXEC to close file descriptors securely.
  • Addressed filename truncation issues to improve randomness.
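The three fixes listed above are standard hardening for a privileged process that writes to a file path it does not fully control. The following is an added example, not Apple's code and not the MallocStackLogging implementation: a hypothetical `open_log_securely()` that refuses any path containing a symlink (using `O_NOFOLLOW_ANY` where the platform defines it, which macOS does, and a `realpath()` comparison as the portable fallback), opens the file with `O_CLOEXEC` so the descriptor cannot leak into child processes, and verifies the result with `fstat()`. The `run_demo()` self-check builds a constructed temporary directory with a real file, a symlinked file, and a symlinked directory, and confirms only the real file opens.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* macOS defines O_NOFOLLOW_ANY (reject symlinks in ANY path component);
   other platforms get a no-op and rely on the realpath() check below. */
#ifndef O_NOFOLLOW_ANY
#define O_NOFOLLOW_ANY 0
#endif

/* Hypothetical hardened opener: append to a log file at an absolute path,
   refusing any route that passes through a symlink or hard link.
   Returns an fd >= 0 on success, -1 on refusal or error (errno set). */
int open_log_securely(const char *path) {
    /* Relative paths depend on the cwd, which a caller might influence. */
    if (path == NULL || path[0] != '/') { errno = EINVAL; return -1; }

    /* 1. Canonicalise the parent directory BEFORE creating anything, so a
          symlinked directory cannot redirect the file we are about to create. */
    char parent[PATH_MAX], resolved_parent[PATH_MAX];
    const char *slash = strrchr(path, '/');
    size_t plen = (size_t)(slash - path);
    if (plen == 0) plen = 1;                      /* file directly under "/" */
    if (plen >= sizeof parent) { errno = ENAMETOOLONG; return -1; }
    memcpy(parent, path, plen); parent[plen] = '\0';
    if (realpath(parent, resolved_parent) == NULL) return -1;
    if (strcmp(resolved_parent, parent) != 0) { errno = ELOOP; return -1; }

    /* 2. Open without following a symlink at the final component, with
          O_CLOEXEC so the descriptor is closed across exec(). */
    int flags = O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_NOFOLLOW_ANY | O_CLOEXEC;
    int fd = open(path, flags, 0600);
    if (fd < 0) return -1;

    /* 3. Verify what we actually opened: a plain file with a single link,
          at the canonical path we were asked for. */
    char resolved[PATH_MAX];
    struct stat st;
    if (realpath(path, resolved) == NULL || strcmp(resolved, path) != 0 ||
        fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a constructed temp dir. Returns 0 when every expectation
   holds; otherwise a bit per failed check (0x80 = test setup failed). */
int run_demo(void) {
    char tmpl[] = "/tmp/mslog-demo-XXXXXX";
    char dir[PATH_MAX];
    if (mkdtemp(tmpl) == NULL || realpath(tmpl, dir) == NULL) return 0x80;

    char real_file[PATH_MAX], link_file[PATH_MAX], link_dir[PATH_MAX], via_link_dir[PATH_MAX];
    snprintf(real_file, sizeof real_file, "%s/app.log", dir);
    snprintf(link_file, sizeof link_file, "%s/evil.log", dir);
    snprintf(link_dir, sizeof link_dir, "%s/linkdir", dir);
    snprintf(via_link_dir, sizeof via_link_dir, "%s/linkdir/app.log", dir);

    int rc = 0;
    int fd = open_log_securely(real_file);               /* genuine file: allowed */
    if (fd < 0) rc |= 1;
    else {
        if (!(fcntl(fd, F_GETFD) & FD_CLOEXEC)) rc |= 8; /* must be close-on-exec */
        close(fd);
    }

    if (symlink(real_file, link_file) != 0) rc |= 0x80;
    fd = open_log_securely(link_file);                   /* symlinked file: refused */
    if (fd >= 0) { rc |= 2; close(fd); }

    if (symlink(dir, link_dir) != 0) rc |= 0x80;
    fd = open_log_securely(via_link_dir);                /* symlinked directory: refused */
    if (fd >= 0) { rc |= 4; close(fd); }

    unlink(link_file); unlink(link_dir); unlink(real_file); rmdir(dir);
    return rc;
}

int main(void) {
    int rc = run_demo();
    printf("secure log open self-check: %s (rc=0x%x)\n", rc == 0 ? "OK" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The ordering matters: the parent directory is canonicalised before `open()` is called, because once `O_CREAT` has run, a redirected create has already happened even if it is detected afterwards. The `st_nlink != 1` check is deliberately strict; it rejects a log file that has been hard-linked elsewhere, which is the hard-link analogue of the symlink problem the Apple fix addresses.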

Despite these fixes, the researcher raised concerns about the framework’s continued risks.

Learn more about Apple’s security updates here.

FTC Opens Antitrust Investigation into Microsoft’s Cloud, AI, and Cybersecurity Practices

The U.S. Federal Trade Commission (FTC) is investigating Microsoft over its practices in cloud computing, cybersecurity, and AI. This inquiry follows over a year of informal discussions with industry players and involves detailed requests for information.

Focus on Market Dominance and Security Practices

The FTC’s scrutiny centers on Microsoft’s bundling of productivity and security software with cloud services. Critics argue this disadvantages competitors in authentication and cybersecurity markets, particularly focusing on Microsoft Entra ID. The investigation also comes amid concerns over Microsoft’s role as a major government contractor and recent cybersecurity incidents.

The FTC’s probe aligns with ongoing international investigations, including the U.K.’s Competition and Markets Authority inquiry prompted by complaints from AWS.

Explore more on the FTC’s antitrust actions.

NITDA Alerts Spotify Users to Cybersecurity Risks from Malicious Content

The National Information Technology Development Agency (NITDA) has issued a warning about cyber threats targeting Spotify users. Hackers are leveraging playlists and podcasts to distribute malware, advertise pirated software, and promote spam links.

Cyber Threats on Spotify

Threat actors exploit Spotify’s platform by embedding malicious links in playlist names and podcast descriptions. These links redirect users to phishing sites and malware downloads, posing significant risks.

Safety Recommendations:

  • Avoid clicking on suspicious playlist or podcast descriptions.
  • Update the Spotify app to the latest version to mitigate vulnerabilities.

Stay updated on NITDA alerts here.

HPE Insight Remote Support Vulnerabilities Allow Remote Code Execution

Hewlett Packard Enterprise (HPE) disclosed multiple high-severity vulnerabilities in its Insight Remote Support (IRS) software. These flaws, tracked as CVE-2024-11622 and CVE-2024-53673 through CVE-2024-53676, could allow attackers to execute remote code, perform directory traversal, and access sensitive data.

Technical Analysis

The most critical flaw, CVE-2024-53676, has a CVSS v3.1 score of 9.8. These vulnerabilities:

  • Enable remote code execution.
  • Allow attackers to traverse directories and access restricted files.
  • Expose sensitive information without user interaction.

Remediation:

HPE has released version 7.14.0.629 to address these issues. Users are advised to enable automatic updates to ensure their systems remain secure.

Download the latest HPE updates here.

China Concealing State, Corporate & Academic Assets for Offensive Attacks

China’s cyber capabilities have evolved into a sophisticated and intertwined ecosystem, blurring the boundaries between state, corporate, and academic efforts to bolster offensive cyber operations.

The country’s $22 billion cybersecurity industry is heavily intertwined with state objectives. Companies like Qihoo360, ThreatBook, and Qi An Xin provide both defensive and offensive capabilities. Smaller players like i-SOON contribute specialized services, such as penetration testing and malware development.

State Actors and Structures Driving Offensive Cyber Ops

Key players in China's offensive cyber ecosystem include:

  • People’s Liberation Army (PLA): Reorganized in 2024 to include the PLA Cyberspace Force. Its cyber operations are a crucial part of China’s military strategy.
  • Ministry of State Security (MSS): The MSS utilizes a combination of in-house talent and private contractors to execute cyberespionage operations.
  • Ministry of Public Security (MPS): While primarily a law enforcement entity, MPS plays a role in counterintelligence and computer crime investigations.

Additionally, academic institutions play a vital role in advancing these efforts, from talent pipelines to developing offensive tools.

China’s vulnerability disclosure ecosystem also supports state-sponsored campaigns, with databases like CNVD and CNNVD sourcing vulnerabilities for both commercial and military exploitation.

This integrated strategy illustrates China’s calculated approach to bolstering its offensive cyber capabilities while leveraging diverse resources across its ecosystem.

New Skimmer Malware Steals Credit Card Data from Checkout Pages

A newly discovered skimmer malware is targeting Magento-powered eCommerce websites, stealing credit card data from checkout pages, Sucuri reports.

How the Malware Operates

The malware dynamically injects fake credit card forms or directly extracts data from live fields. Key technical findings include:

  • Scripts activating only on pages with "checkout" in the URL.
  • APIs used to harvest customer details, such as names, addresses, and billing data.
  • Multi-layer encryption, including JSON, XOR encryption, and Base64 encoding, to obfuscate stolen data.

Sucuri’s detailed post highlighted domains associated with the malware, such as dynamicopenfonts[.]app and staticfonts[.]com.

What to Do: Regular security audits, monitoring for suspicious activity, and implementing a strong Web Application Firewall (WAF) are essential to protect eCommerce platforms.

XT Exchange Hacked, $1.7 Million Stolen in Cryptocurrency

Dubai-based cryptocurrency exchange XT.com has suspended withdrawals following a hack that resulted in $1.7 million in stolen assets.

Incident Breakdown

  • Timeline: The breach involved abnormal transfers reported by PeckShield.
  • Hacker Actions: The stolen funds were converted into 461.58 ETH and transferred to an Ethereum address.
  • Official Response: XT.com confirmed the breach and emphasized their commitment to safeguarding user assets.

The exchange is now accelerating the implementation of a Merkle Tree Asset Proof System, scheduled for December, to enhance transparency and user trust.

This attack highlights ongoing vulnerabilities in centralized crypto exchanges and the urgent need for robust security practices.

Saudi Arabia Strengthens Cybersecurity Leadership at Black Hat MENA

Black Hat Middle East and Africa showcased Saudi Arabia’s increasing prominence in cybersecurity, aligning with its Vision 2030 goals.

Event Highlights

  • Workshops and Challenges: Over 300 speakers and 350 workshops tackled diverse cybersecurity issues, from smart home security to medical device hacking.
  • Competitions: The Capture the Flag tournament awarded over SR790,000 in prizes.
  • Drone Innovation: A dedicated zone engaged youth in drone technology and associated cybersecurity challenges.

With partnerships like the Saudi Federation for Cybersecurity and global tech firms, Saudi Arabia positions itself as a regional hub for cybersecurity innovation.

As emphasized by Faisal Al-Khamisi, chairman of the Saudi Federation for Cybersecurity, the Kingdom’s efforts reflect its ambitions to lead in the digital safety sector.

This leadership further solidifies Saudi Arabia’s role as a cybersecurity pioneer in the Middle East.

North Korean Hackers Attacking Developers With Weaponized JavaScript Projects

North Korean threat actors are targeting software developers through weaponized JavaScript projects distributed via NPM packages, deploying BeaverTail malware to steal sensitive information and load additional malware stages.

The ultimate payload, a multi-stage Python-based backdoor dubbed InvisibleFerret, is capable of logging keystrokes, exfiltrating sensitive files, and downloading remote management tools like AnyDesk. In addition to these threats, the malware also targets browser credentials and credit card data.

Threat Actors’ Tactics, Techniques, And Procedures (TTPs)

The attack begins with a malicious NPM package that executes a “server.js” file, which in turn loads a JavaScript file called error.js. This file is heavily obfuscated and acts as the BeaverTail malware component, setting the stage for InvisibleFerret to be downloaded from a command-and-control (C2) server.

Researchers noted the malware’s capability to steal browser credentials, system information, and cryptocurrency wallet configurations from platforms like Exodus and Solana. Furthermore, BeaverTail targeted 21 different crypto extensions in its observed samples.

Recommendations

  1. Assume all sensitive files and credentials on compromised devices have been exposed. Change passwords and keys immediately.
  2. Install Endpoint Detection and Response (EDR) solutions on all devices.
  3. Conduct Phishing and Security Awareness Training (PSAT) for employees.
  4. Implement corporate policies for secure device usage to mitigate risks.

For a deeper dive into malware behaviors, try ANYRUN’s sandbox with their Black Friday deals offering free licenses.

Zabbix SQL Injection Vulnerability Lets Attackers Gain Complete Control of Instances

A critical SQL injection vulnerability (CVE-2024-42327) has been discovered in Zabbix, a widely-used open-source monitoring tool, potentially allowing attackers to seize full control over affected instances.

Technical Analysis

The flaw lies in the CUser class within Zabbix’s frontend, specifically the addRelatedObjects function, which is accessible to users with API access, even those with non-admin roles. This vulnerability affects Zabbix versions 6.0.0 to 6.0.31, 6.4.0 to 6.4.16, and 7.0.0. Security researcher Mark Rakoczi reported the issue via HackerOne.

Successful exploitation could result in:

  • Unauthorized database access
  • Data exfiltration
  • Privilege escalation
  • Command execution on database servers

Mitigation Strategies

  1. Restrict API access permissions.
  2. Implement Web Application Firewall (WAF) rules to block SQL injection attempts.
  3. Audit user roles and permissions regularly.
  4. Segment networks to limit exposure.

Zabbix has acknowledged the issue and is working on a patch. In the meantime, users should monitor the official Zabbix advisories for updates.

Australia’s Cyber Defense Report Highlights Evolving Threats and Strategic Countermeasures

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) recently released its 2023–24 Annual Cyber Threat Report, underscoring the growing cyber threat landscape and strategies to counter state-sponsored actors, hacktivists, and cybercriminals.

Key Insights from the Report

  1. State-Sponsored Attacks: Actors from China and Russia continue evolving their tactics, targeting critical infrastructure for espionage and pre-positioning disruptive capabilities.
  2. Cybercrime Trends: Business email compromise, ransomware, and AI-driven scams are becoming pervasive, with small and medium businesses most at risk.
  3. Hacktivism and DDoS Attacks: These low-sophistication attacks still disrupt critical services and amplify attackers’ agendas.

Over 11% of cybersecurity incidents reported in FY2023-24 involved critical infrastructure, with sectors like energy, education, and transport being the most impacted.

Government Actions

The Australian government enacted a comprehensive legislative package to bolster defenses, including the Cyber Security Act 2024 and the Critical Infrastructure Uplift Program (CI-UP). These measures emphasize securing operational technology (OT) systems and fostering public-private partnerships.

Explore the full report here.

Cybersecurity Toolkit for Boards: Updated Briefing Pack Released

The UK’s National Cyber Security Centre (NCSC) has updated its Cybersecurity Toolkit for Boards, featuring a case study from the British Library’s ransomware incident.

Lessons Learned

  1. Proactive Measures: Address vulnerabilities in legacy systems and implement multi-factor authentication for privileged users.
  2. Incident Response: The British Library’s robust plan enabled them to act decisively, avoid ransom payments, and mitigate the impact.
  3. Governance: Organizations should consider appointing board members with cybersecurity expertise.

The updated toolkit highlights the importance of senior leaders understanding cyber risks for effective decision-making.

Download the briefing pack here.

Tor Needs 200 New WebTunnel Bridges to Fight Censorship

The Tor Project is urging volunteers to help deploy 200 new WebTunnel bridges by year’s end to combat growing censorship in regions like Russia. Currently operating 143 WebTunnel bridges, the project aims to bolster its infrastructure to ensure users in heavily restricted areas can bypass internet censorship effectively.

The call comes as Russian authorities ramp up efforts to block Tor's circumvention tools, such as obfs4 connections and Snowflake. These measures, including targeting hosting providers and removing apps from stores, have disrupted Tor's built-in censorship circumvention mechanisms.

What Are WebTunnel Bridges?

Introduced in March 2024, WebTunnel bridges disguise Tor traffic as regular HTTPS traffic by operating over web servers with SSL/TLS certificates. Unlike traditional bridges, these are more resistant to detection, making them essential for users in censored regions. Volunteers can set up these bridges with a static IPv4 address, a valid SSL/TLS certificate, and at least 1 TB/month of bandwidth.

For setup instructions, check out Tor's official guide.

UK Hospital Network Postpones Procedures After Cyberattack

The Wirral University Teaching Hospital (WUTH), part of the NHS Foundation Trust in the UK, has suffered a cyberattack that disrupted its systems, forcing the postponement of appointments and surgeries. The attack affected Arrowe Park Hospital, Clatterbridge Hospital, and Wirral Women and Children's Hospital, which collectively manage 855 beds and provide critical healthcare services.

Impact of the Attack

The cyberattack led to IT systems being taken offline and operations reverting to manual processes, delaying services and increasing emergency department waiting times.

A spokesperson said, "We have reverted to business continuity processes, using paper rather than digital systems."

No ransomware group has claimed responsibility for the attack, and the investigation is ongoing. Patients are advised to visit emergency services only in genuine emergencies.

For updates, follow coverage from BleepingComputer.

Zello Asks Users to Reset Passwords After Security Incident

Zello, the popular push-to-talk app with 140 million users, has asked customers to reset passwords for accounts created before November 2, 2024. While Zello has not confirmed the nature of the security issue, the precaution suggests potential credential compromise.

What We Know So Far

The company sent security notices urging users to reset their passwords and avoid reusing old credentials across other platforms. Zello’s support page outlines the password reset process, but the company has not disclosed further details about the incident.

This isn’t Zello’s first security issue. In 2020, the company suffered a data breach exposing customer email addresses and hashed passwords.

Users are advised to take immediate action to secure their accounts. Learn more about securing your online accounts from CyberIL.