CybersecurityHQ News Roundup - December 6, 2024

News | By Daniel Michan | Published on December 6, 2024

Recently Charged Scattered Spider Suspect Did Poor Job at Covering Tracks

A California teen allegedly involved in the Scattered Spider cybercrime group has been charged following a series of attacks resulting in over $4 million in damages. Court documents reveal significant errors in covering his tracks.

Remington Ogletree, 19, was arrested last month and later released on bail, according to Bloomberg (paywall). His cyber activities spanned October 2023 to May 2024, including unauthorized network access, data theft, and cryptocurrency fraud.

Ogletree reportedly used social engineering tactics, such as phishing and phone calls, to acquire credentials for attacks. One notable case involved accessing a telecom company's API keys, enabling the transmission of 8.5 million phishing texts aimed at cryptocurrency theft. Investigators tied the attacks to Ogletree through his iCloud account, phone number, and other digital footprints.

Further attacks on a financial institution and another telecom company were similarly linked to him. Incriminating evidence included email accounts, gaming platform usage, and interviews with FBI agents.

Despite admitting his involvement with Scattered Spider, Ogletree continued his activity after the FBI search, attempting to launder cryptocurrency through an undercover FBI operation. His operational missteps, such as delivering laundered funds to addresses linked to his family, ultimately sealed his connection to the crimes.

Scattered Spider, also known as UNC3944 and other aliases, has been linked to high-profile incidents, including the MGM Resorts breach and the 0ktapus campaign targeting organizations like Twilio and Cloudflare. Authorities have made multiple arrests in connection with the group.

PoC Exploit Published for Unpatched Mitel MiCollab Vulnerability

Cybersecurity firm watchTowr has disclosed an unpatched vulnerability in the Mitel MiCollab platform, potentially exposing 16,000 internet-facing instances to attackers.

MiCollab is a widely used enterprise collaboration tool offering video conferencing, chat, and SMS functionality. The vulnerability is a file path traversal flaw that allows attackers who already hold administrative access to read restricted files.

Though authentication is required for exploitation, the bug remains a critical concern. watchTowr chained this flaw with CVE-2024-41713, a severe path traversal vulnerability that grants administrative access without authentication. Mitel has since patched CVE-2024-41713 but has yet to address the new flaw.

Mitel advises users to update to MiCollab version 9.8 SP2 (9.8.2.12) to mitigate existing vulnerabilities. The latest patch also resolves additional high-severity flaws, including SQL injection and authentication bypass issues. For more details, visit Mitel’s official advisory.

Google Open Sources Security Patch Validation Tool for Android

Google has open-sourced Vanir, a tool designed to accelerate security patch validation for Android developers. By automating the process, Vanir aims to improve patch adoption across original equipment manufacturers (OEMs).

Vanir uses static code inspection to identify missing patches and has demonstrated high efficiency, significantly reducing patch validation times. According to Google, the tool supports Android's C/C++ and Java codebases, covering 95% of Android vulnerabilities.

The tool has already helped engineers generate vulnerability signatures and verify patches for over 150 security issues within days. Vanir’s potential applications extend beyond patch validation, including code clone detection and license verification. For more details, visit Google’s announcement.

Atrium Health Data Breach Impacts 585,000 People

Atrium Health has disclosed a data breach affecting over 585,000 individuals, linked to the use of online tracking technologies on its patient portal between 2015 and 2019.

These tools reportedly transmitted personal information to third parties like Google and Facebook, including IP addresses, treatment data, and contact information. Atrium has stated that sensitive details such as Social Security numbers and financial data were not exposed.

While there is no evidence of misuse, the incident highlights broader concerns about the risks of tracking technologies in healthcare. Atrium has faced prior breaches, including a phishing attack earlier this year and a 2018 breach impacting 2.6 million patients.

For healthcare organizations, this serves as a reminder to review online tools and tracking mechanisms regularly to ensure compliance and security. Learn more about patient data privacy at HHS.gov.

SonicWall Patches 6 Vulnerabilities in Secure Access Gateway

SonicWall has issued critical patches for six vulnerabilities in its SMA100 SSL-VPN secure access gateway, with some flaws rated as high-severity threats capable of remote code execution (RCE).

Two of the most severe issues, tracked as CVE-2024-45318 and CVE-2024-53703, involve buffer overflow vulnerabilities. These flaws can be exploited to trigger stack-based buffer overflows, potentially allowing malicious actors to execute code remotely.

Another significant flaw, CVE-2024-40763, is a heap-based buffer overflow caused by the improper use of the strcpy function, which requires authentication to exploit.

Other patched issues include:

  • CVE-2024-38475: A path traversal vulnerability in the Apache HTTP server.
  • CVE-2024-45319: An authentication bypass flaw allowing attackers to bypass certificate requirements.
  • A cryptographically weak pseudo-random number generator (PRNG) issue (CVE-2024-53702) in the SMA100 backup code generator.

These vulnerabilities affect SMA 100 appliances running firmware version 10.2.1.13-72sv or earlier. Users are urged to update to version 10.2.1.14-75sv immediately to protect against potential exploits.

No evidence has been found of these vulnerabilities being exploited in the wild, but SonicWall cautions that attackers often target previously patched vulnerabilities. Read more about the vulnerabilities in SonicWall's advisory.

Ethyca Secures $10 Million to Boost Data Privacy Platform

Data privacy and AI governance platform Ethyca has raised $10 million in a funding round led by Aspenwood Ventures and AVP. This new funding brings the company’s total raised to over $37 million.

Ethyca’s enterprise-grade platform offers real-time visibility and governance of personally identifiable information (PII). Its Fides open-source solution helps companies scan their infrastructure to build GDPR-compliant data maps, inventory data workflows, and automate consent management.

This funding will help Ethyca expand its team and improve product capabilities to meet growing demand. Recent high-profile clients include Axios, Mozilla, and Remitly.

Ethyca CEO Cillian Kieran stated, “We’re tackling the most critical challenges in data governance—ethics and trust when it comes to data privacy.” Learn more on their official website.

FSB Allegedly Implants Spyware on Russian Programmer’s Phone

A Russian programmer, detained and coerced by the FSB for allegedly supporting Ukraine, discovered spyware installed on his confiscated Android device. This spyware was identified as a tampered version of the Cube Call Recorder app.

The spyware allowed the FSB to track locations, record calls, log keystrokes, and access encrypted messages. Researchers from Citizen Lab and First Department noted its similarities with the Monokle spyware, previously documented by Lookout in 2019.

This incident underscores the risks posed by losing physical custody of devices to adversarial security services. For more insights, read Citizen Lab's investigation.

Critical Vulnerabilities Found in Popular Open-Source ML Frameworks

Cybersecurity researchers at JFrog have disclosed multiple vulnerabilities in widely used machine learning (ML) frameworks like MLflow, H2O, PyTorch, and MLeap. These flaws could lead to remote code execution (RCE) and compromise sensitive data.

Key vulnerabilities include:

  • CVE-2024-27132: Cross-site scripting (XSS) in MLflow’s Jupyter Notebook integrations.
  • CVE-2024-6960: Unsafe deserialization in H2O.
  • Path traversal in PyTorch’s TorchScript, allowing arbitrary file overwrites.
  • CVE-2023-5245: Path traversal in MLeap, leading to Zip Slip vulnerabilities.

Shachar Menashe, JFrog’s VP of Security Research, warned, “Blindly loading untrusted ML models can lead to remote code execution and cause extensive harm.” Read the full report on JFrog's blog.

More_Eggs Malware-as-a-Service Expands with RevC2 and Venom Loader

The cybercrime group behind More_eggs malware has introduced two new tools: RevC2, an advanced backdoor, and Venom Loader, a customized malware loader.

RevC2 uses WebSockets for stealthy communication with its command-and-control server, while Venom Loader adapts payloads to victim-specific systems. These tools have been deployed in campaigns observed between August and October 2024.

The emergence of these tools highlights the ongoing evolution of malware-as-a-service (MaaS) platforms. For detailed analysis, visit Zscaler ThreatLabz.

FCC Proposes Stricter Cybersecurity Rules for US Telecoms

In response to the Salt Typhoon cyberattack, the FCC has proposed expanded cybersecurity requirements for US telecommunications firms.

Key measures include:

  • Annual certifications for cybersecurity risk management plans.
  • Clarification of telecom carriers’ legal obligations to secure their networks under CALEA.

The Salt Typhoon attack, attributed to Chinese state-sponsored actors, targeted major firms like Verizon and AT&T, exposing vulnerabilities in critical infrastructure.

Public comments are invited on the proposed rules, which could take effect immediately if adopted. Read the FCC's official statement.

Senators Amend Error in Cybersecurity Bill That Could Have Cancelled Half of It

The Canadian Senate has taken swift action to address a critical error in Bill C-26, a cybersecurity bill aimed at enhancing national security and protecting critical infrastructure. The legislation, introduced in 2022, seeks to implement strict cybersecurity requirements for federally regulated sectors and codify national security measures for the telecommunications industry.

However, a legislative oversight nearly nullified half the bill's provisions. Due to a drafting error linked to the government's foreign interference law (Bill C-70), the second portion of Bill C-26—the Critical Cyber Systems Protection Act—was at risk of being repealed upon the bill's enactment.

The Senate's amendment rectifies this issue, but the bill must now return to the gridlocked House of Commons for approval, further delaying its progress.

Key Provisions of Bill C-26

  1. Telecommunications Security: Amends the Telecommunications Act to empower the government to block Canadian telecoms from using products from high-risk suppliers like Huawei and ZTE.
  2. Critical Infrastructure Protection: Compels industries in sectors such as finance, energy, and transportation to enhance their cybersecurity or face penalties.

For more details, visit The Globe and Mail.

Opinion: Why Cybersecurity Awareness is Everyone’s Responsibility

In an era where cyber threats are inevitable, cybersecurity awareness is no longer optional. With the rise of phishing, ransomware, and deepfakes, understanding basic cybersecurity principles is vital for individuals and businesses alike.

What Can Individuals Do?

  • Stay updated on emerging threats like deepfakes.
  • Use platforms like TryHackMe for hands-on cybersecurity training.

What Can Organizations Do?

  • Move beyond annual training sessions to continuous, role-specific education.
  • Leverage AI tools like OpenAI to personalize learning experiences.

Cybersecurity awareness must become ingrained in workplace culture, emphasizing proactive vigilance. Read more at CSO Online.

How TikTok is Reframing Cybersecurity Efforts

While TikTok is often associated with viral dance trends and quirky videos, the platform has been making strides in cybersecurity awareness. During Cybersecurity Month, TikTok highlighted its efforts through its Global Bug Bounty Program and collaborations with creators.

Bug Bounty Success

  • Over 450 security researchers identified 1,000 vulnerabilities since the program’s launch in 2020.
  • Over $1.6 million in bounties awarded, including $720,000 at a live hacking event in Las Vegas.

Top Cybersecurity Creators on TikTok

  • Kevin (@adjacentnode): A network engineer sharing engaging cybersecurity tutorials, such as avoiding public Wi-Fi scams.
  • Marcus Hutchins (@itsmarcushutchins): Known for stopping WannaCry ransomware, Marcus educates viewers on topics like relay attacks and secure smartphone practices.

Explore TikTok’s bug bounty program on HackerOne.

Researchers Uncover Malicious Use of Cobalt Strike Servers in Cyber Attacks

Cybersecurity researchers have unveiled a malicious campaign leveraging Cobalt Strike, a popular penetration testing tool, to execute sophisticated cyberattacks. The latest discoveries emphasize how threat actors misuse legitimate cybersecurity tools for nefarious purposes.

Cobalt Strike, renowned among security professionals for its robust post-exploitation capabilities, has been co-opted by cybercriminals due to its powerful features. The latest version, 4.10, released in July 2024, introduced advanced functionalities like BeaconGate, Postex Kit, and Sleepmask-VS, designed to enhance red team operations. However, these features are also enabling attackers to bypass detection and execute stealthy attacks.

Malicious Infrastructure Identified

Researchers identified a cluster of servers configured with a unique watermark, “688983459,” found across seven IP addresses primarily hosted on Amazon and Microsoft infrastructure. These servers employed domains mimicking legitimate organizations, such as “downloads.helpsdeskmicrosoft[.]com,” suggesting targeted phishing campaigns.

Key technical indicators revealed shared SSH keys, configurations, and payloads, pointing to a coordinated effort. Another cluster using pirated versions of Cobalt Strike highlighted the ongoing abuse of cracked versions in cyber campaigns.

The findings underscore the dual-edged nature of tools like Cobalt Strike, essential for legitimate security testing yet exploited by malicious actors. Cybersecurity teams are urged to monitor such tools closely, enhance defenses, and adopt proactive threat-hunting strategies to mitigate risks.

Learn more about Cobalt Strike and its legitimate uses on Cobalt Strike’s official website.

UK Cybersecurity Agency Unconcerned About Changes to CISA Under Trump

The UK’s National Cyber Security Centre (NCSC) has downplayed concerns over potential restructuring of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under President-elect Trump’s administration. Despite fears of politically motivated leadership changes at CISA, NCSC officials assured that their deep-rooted collaboration with the agency will remain unaffected.

NCSC Chief Executive Richard Horne emphasized that the partnership between the two agencies extends beyond leadership, relying on robust working-level collaboration. This assurance comes amidst calls from U.S. lawmakers to subject CISA to increased oversight and restructuring.

Read more about NCSC’s collaboration with CISA on Gov.UK’s website.

Morrisons Recovers Warehouse Systems Following Blue Yonder Ransomware Attack

UK supermarket chain Morrisons has restored its warehouse systems after a ransomware attack targeting supply chain software provider Blue Yonder disrupted logistics and inventory management last month. The attack, claimed by the Termite ransomware group, impacted numerous retailers globally, including Starbucks.

Blue Yonder’s services, crucial for managing store inventories and logistics, suffered outages after the attack. The company has since implemented enhanced security measures and continues recovery efforts.

Learn more about ransomware prevention strategies on CISA’s Ransomware Guidance page.

Cybersecurity Stocks Outperform Amid Industry Volatility

Cybersecurity stocks remain one of the strongest-performing sectors in 2024, alongside chipmaking and artificial intelligence. Companies like CrowdStrike, Palo Alto Networks, and Fortinet have seen significant growth despite occasional disruptions, such as CrowdStrike’s August outage.

Notable Performers:

  • CrowdStrike: +616.92% over five years
  • Palo Alto Networks: +434.10% over five years
  • Fortinet: +375.19% over five years

The increasing integration of AI into business operations is expected to further bolster cybersecurity demand. However, experts recommend diversification through cybersecurity ETFs to mitigate risks from individual stock volatility.

For investment insights, visit CNBC’s cybersecurity coverage.

Strengthening Cybersecurity in Healthcare: A Policy Imperative

Cyberattacks targeting healthcare facilities pose a direct threat to patient safety. From delayed treatments to financial crises, the consequences of cyberattacks are profound, particularly for under-resourced rural hospitals.

Key Challenges:

  1. Resource Gaps: Smaller hospitals often lack the budget and personnel to implement robust cybersecurity measures.
  2. Third-Party Risks: Dependence on external vendors increases vulnerability to supply chain attacks.
  3. Equity Issues: Rural and underserved areas face the greatest risks due to limited cybersecurity resources.

Proposed Solutions:

  • Government Support: Targeted incentives and grants can help smaller facilities enhance their defenses.
  • Collaborative Frameworks: Initiatives like the Health Sector Coordinating Council’s cybersecurity guidelines offer a path forward.
  • Advanced Authentication: Implementing passwordless systems can reduce risks and clinician burnout.

Addressing these issues requires collaboration across healthcare, technology, and policy sectors. Learn more about healthcare cybersecurity from The American Hospital Association.

Rockwell Automation Vulnerabilities Let Attackers Execute Remote Code

By Tushar Subhra Dutta - December 6, 2024

Rockwell Automation, a leader in industrial automation, recently disclosed multiple critical vulnerabilities in its Arena software that could allow remote code execution by attackers. The company has urged users to update to the latest version immediately.

Key Vulnerabilities

The vulnerabilities, affecting Arena software versions 16.20.03 and earlier, include:

  • CVE-2024-11155: A “use after free” flaw.
  • CVE-2024-11156: An “out of bounds write” vulnerability.
  • CVE-2024-11158: An “uninitialized variable” vulnerability.
  • CVE-2024-12130: An “out of bounds read” issue.

Each vulnerability carries a CVSS v3.1 score of 7.8 and a CVSS v4.0 score of 8.5, highlighting their severity.

Exploitation Risks

Attackers could exploit these flaws by crafting malicious DOE files that manipulate memory and resource allocation. This could lead to:

  • Arbitrary code execution.
  • Unauthorized data access.
  • Industrial process disruption.

While exploitation requires user interaction, the consequences could be dire for affected systems.

Mitigation Steps

Rockwell Automation has released Arena software version 16.20.06, which addresses these vulnerabilities. Users are strongly advised to:

  • Update to the latest version.
  • Implement robust network access controls.
  • Monitor systems for suspicious activity.
  • Regularly update all software and firmware.

For a more detailed technical breakdown, check the Zero Day Initiative’s disclosure.

Broader Implications

This discovery underscores the cybersecurity challenges in industrial automation. As infrastructure becomes increasingly digitized, vulnerabilities like these pose significant risks to operations. For further insights, attend this free webinar on API security best practices.

Cybersecurity Triggers Professional Angst Among UK Practitioners

New research by Green Raven reveals that many UK cybersecurity professionals are grappling with feelings of helplessness and despair, leading to negative impacts on their personal lives.

Key Findings

In a survey of 200 professionals from companies with over 1,000 employees, Green Raven found:

  • 70% experience professional despair over rising cyber losses.
  • 59% report adverse effects on personal life and mental health.
  • Nearly 70% face pressure to justify annual budgets against risks.

Despite increasing budgets, fewer than half believe their organizations are investing enough in cybersecurity.

Gaps in Implementation

While most professionals understand the importance of the four-step risk management process (identify, assess, treat, monitor), only 75% execute all steps rigorously. This highlights potential gaps in understanding or application of best practices.

AI: A Beacon of Hope?

Approximately 80% of respondents believe AI-based tools can offer an edge over threat actors. These tools promise enhanced threat intelligence, pinpointing attack vectors before incidents occur.

Morten Mjels, CEO of Green Raven, commented:

“It’s alarming that many feel existing defenses are unsustainable, yet they hold high hopes for AI to change the game.”

For organizations looking to adopt AI-driven solutions, Darkscope provides predictive cyber threat intelligence, helping businesses regain control of their cybersecurity expenditure. Explore more about their solutions on Darkscope's website.

New QR Code-Based C2 Attack Bypasses Browser Isolation

Mandiant researchers have discovered a novel way to bypass browser isolation technologies, leveraging QR codes for command-and-control (C2) communication. This method exposes a major flaw in browser isolation systems, widely used to protect against web-based threats.

Understanding Browser Isolation

Browser isolation separates web activity from local devices, streaming only visual content to users. Organizations typically deploy:

  • Remote Browser Isolation (RBI): Cloud-hosted environments.
  • On-Premises Browser Isolation: Within internal infrastructure.
  • Local Browser Isolation: Containerized environments like Docker.

These systems aim to prevent attackers from exploiting browser vulnerabilities, launching phishing attacks, or establishing C2 links.

How the Attack Works

By embedding machine-readable QR codes into web pages, attackers can bypass isolation barriers. These QR codes are scanned by unwitting users, initiating malicious activity.

Implications

The attack illustrates the limitations of current browser isolation approaches. Businesses relying solely on these technologies must reconsider their strategies to include:

  • Multi-layered security measures.
  • Enhanced user awareness training.
  • Real-time threat detection systems.

Mandiant Unveils Groundbreaking QR Code Exploit

Mandiant has uncovered a sophisticated attack method that leverages QR codes to bypass even the most advanced browser isolation systems. This technique allows attackers to execute command-and-control (C2) operations using visual content streamed by isolated browsers.

How It Works

  1. Planting the Malicious Implant: On a compromised device, the attacker's implant drives a headless browser (e.g., Puppeteer with Google Chrome) controlled through the DevTools protocol.
  2. Requesting the Web Page: The implant retrieves a webpage from an attacker-controlled server via the headless browser.
  3. Encoding via QR Code: The server sends back a page embedding command data in a QR code.
  4. Rendering and Scanning: The QR code is streamed back to the local machine, where a malicious implant decodes it.
  5. Executing Commands: The decoded commands are executed, and results are sent back to the attacker using URL parameters.

Limitations and Implications

While QR codes can only transfer limited data (2,189 bytes) and introduce latency, Mandiant demonstrated a Proof of Concept (PoC) using Chrome in headless mode, integrated with Cobalt Strike’s BEACON implant. The findings reveal a significant vulnerability in browser isolation technologies.

Mitigation Strategies

Organizations are urged to:

  • Inspect network traffic for anomalies.
  • Monitor for headless browser usage.
  • Conduct regular adversarial emulation exercises.

Learn more about the technical details and recommendations in Mandiant’s official report.
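The indicators Mandiant recommends watching for (headless browser use and anomalous traffic) can be checked directly against proxy logs. The following script is an added example, not Mandiant's code; it runs over constructed log lines, and the log format, hostnames and the "HeadlessChrome" user-agent heuristic are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic).
# Format assumed here: timestamp client method url status "user-agent"
SAMPLE_LOG = """\
2024-12-05T10:00:00Z 10.1.2.3 GET https://cdn.example-isolation.test/app.js 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0"
2024-12-05T10:00:01Z 10.1.2.3 GET https://cdn.example-isolation.test/style.css 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0"
2024-12-05T10:00:05Z 10.1.2.9 GET https://update.example-c2.test/page?r=ZGlyIGM6 200 "Mozilla/5.0 (Windows NT 10.0) HeadlessChrome/130.0"
2024-12-05T10:00:10Z 10.1.2.9 GET https://update.example-c2.test/page?r=dXNlcnM= 200 "Mozilla/5.0 (Windows NT 10.0) HeadlessChrome/130.0"
2024-12-05T10:00:15Z 10.1.2.9 GET https://update.example-c2.test/page?r=aXBjb25maWc= 200 "Mozilla/5.0 (Windows NT 10.0) HeadlessChrome/130.0"
2024-12-05T10:00:20Z 10.1.2.9 GET https://update.example-c2.test/page?r=d2hvYW1p 200 "Mozilla/5.0 (Windows NT 10.0) HeadlessChrome/130.0"
2024-12-05T10:00:25Z 10.1.2.9 GET https://update.example-c2.test/page?r=bmV0c3RhdA== 200 "Mozilla/5.0 (Windows NT 10.0) HeadlessChrome/130.0"
2024-12-05T10:01:00Z 10.1.2.3 GET https://news.example.test/story?id=42 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, ua = m.groups()
        parts = urlsplit(url)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "host": parts.hostname or "",
            "path": parts.path,
            "query": parts.query,
            "ua": ua,
        })
    return events


def find_headless_clients(events):
    """Clients whose requests carry a headless-browser User-Agent.
    Chrome's headless mode identifies itself as 'HeadlessChrome'."""
    return {e["client"] for e in events if "HeadlessChrome" in e["ua"]}


def find_beaconing(events, min_requests=4, max_jitter_s=2.0):
    """Regular polling of one URL path where the query string changes on
    every request: the shape of a channel that returns command results
    in URL parameters, as the streamed-QR technique does."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["client"], e["host"], e["path"])].append(e)
    hits = []
    for (client, host, path), evs in groups.items():
        if len(evs) < min_requests:
            continue
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(evs, evs[1:])]
        queries = {e["query"] for e in evs if e["query"]}
        # Low jitter between requests plus a distinct query every time.
        if pstdev(gaps) <= max_jitter_s and len(queries) == len(evs):
            hits.append({"client": client, "host": host, "path": path,
                         "requests": len(evs), "mean_gap_s": sum(gaps) / len(gaps)})
    return hits


def build_alerts(events):
    """Map each flagged client to the reasons it was flagged."""
    alerts = defaultdict(list)
    for client in find_headless_clients(events):
        alerts[client].append("headless browser user-agent")
    for hit in find_beaconing(events):
        alerts[hit["client"]].append(
            f"regular polling of {hit['host']}{hit['path']} "
            f"({hit['requests']} requests, ~{hit['mean_gap_s']:.0f}s apart, query changes each time)")
    return dict(alerts)


if __name__ == "__main__":
    for client, reasons in build_alerts(parse_log(SAMPLE_LOG)).items():
        print(client, "->", "; ".join(reasons))
```

A client that trips both rules, as 10.1.2.9 does in the sample, is worth a host-level look at which process launched the browser.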

The Long, Complex Road to Securing U.S. Telcos

Legacy Systems and Cybersecurity Challenges

U.S. telecom providers are grappling with cybersecurity threats from China, exacerbated by outdated infrastructure and decades of mergers and acquisitions. The recent Salt Typhoon intrusions have exposed the vulnerabilities of these networks, with at least eight U.S. telcos reportedly compromised.

Key Developments

  • FCC Proposals: FCC Chair Jessica Rosenworcel proposed annual cybersecurity certifications for telecom companies.
  • Government Warnings: Officials from the Cybersecurity and Infrastructure Security Agency (CISA) and FBI acknowledged that full eviction of China-backed hackers is currently unfeasible.
  • White House Confirmation: The White House confirmed that Salt Typhoon has targeted telcos globally for over two years.

Why It’s So Hard to Secure Telco Networks

  • Legacy Equipment: Systems up to 50 years old, such as landlines, were never designed for today’s security needs.
  • Missed Inventory: Mergers often result in overlooked equipment.
  • Physical Vulnerabilities: Copper lines remain susceptible to tampering.
  • Law Enforcement Access: Legal requirements for wiretap capabilities introduce additional vulnerabilities.

Case Study: T-Mobile’s Proactive Measures

Unlike its peers, T-Mobile has minimized exposure by operating a fully wireless network. By leveraging newer 5G infrastructure and maintaining vigilant monitoring, the company has mitigated risks associated with Salt Typhoon.

The Big Picture

Telcos must secure every device across legacy systems, servers, and employee endpoints to fend off sophisticated nation-state attacks. However, as experts like Cliff Steinhauer warn, even well-resourced companies face challenges against determined adversaries.

For a detailed analysis, visit Axios’ coverage.

Top Five Industries Aggressively Targeted by Phishing Attacks

Phishing Trends and Industry Risks

Phishing attacks remain a top threat across industries, with attackers employing increasingly customized tactics. According to Cofense Intelligence, these are the top industries targeted between Q3 2023 and Q3 2024:

  1. Finance and Insurance (15.5% of targeted emails): Attackers mimic business communications like invoices and forms.
  2. Manufacturing (11.3%): Vulnerabilities stem from contract-based communication reliance.
  3. Mining, Quarrying, and Oil & Gas Extraction (10.3%): Common lures include proposals and invoices.
  4. Healthcare and Social Assistance (8.2%): Phishing attempts often involve document-related subjects.
  5. Retail Trade (7.4%): Attackers focus on sales, contracts, and urgent shipment notifications.

Common Tactics

  • Subject Customization: Incorporating recipient-specific details to increase credibility.
  • Quarterly Trends: Phishing peaked in Q3 2023, with fluctuations in later quarters.
  • Malicious Attachments: Predominantly .HTML (90.3%) and .DOC(X) (9.4%) files.

Examples of Industry-Specific Lures

  • Finance: “Invoice #20248904” or “ACH Payment Notification.”
  • Manufacturing: “New Purchase Order #94153.”
  • Oil & Gas: “Contract Proposal for Service.”

Feds Find Cybercriminal Tools Used by Sextortion Group

A joint intelligence note from the Joint Regional Intelligence Center and the Central California Intelligence Center uncovered that sextortion group "764" uses traditional cybercrime tactics, including SIM swapping, social engineering, and IP grabbing. These techniques are supported by tools shared through a Telegram channel managed by "6996," a collective associated with "The Com." The FBI notes that group 764 has operated fake suicide prevention channels to exploit victims, leading to doxxing and extortion.

Read the full report on CyberScoop.

Russian Hackers Hack Hackers

In a twist of irony, Russian cyber-espionage group Turla has been leveraging the infrastructure of the Pakistani-linked group Storm-0156 for its own campaigns. Lumen’s Black Lotus Labs revealed that Turla hijacked a C2 server on an Indian government network used by Storm-0156, eventually infiltrating the group's data and tools. Turla has been using this strategy since 2022, including targeting Afghan government agencies.

Learn more about the findings on Bleeping Computer.

Amazon’s Post-Quantum Migration Plan

AWS announced its strategy for post-quantum cryptography (PQC) migration. While data at rest will continue to use 256-bit symmetric cryptography, AWS is rolling out PQC for symmetric key negotiations and as a root of trust in its services. The company also updated its open-source AWS-LC cryptographic library and published recommendations for organizations starting their PQC journey.

Check out the full details on the AWS Blog.

Chinese Group Linked to Another Long-Term Intrusion

Symantec researchers linked a Chinese threat actor to a long-term attack against a US organization, starting in April 2024. The attack leveraged DLL side-loading for credential theft and targeted Exchange servers, reminiscent of the Crimson Palace espionage campaign. The victim was previously attacked by the Chinese group Daggerfly in 2023.

Full details available on The Hacker News.

Cisco Switches Hit with Bootloader Vulnerability

Cisco has disclosed a vulnerability affecting over 100 device models across its MDS, Nexus, and UCS Fabric Interconnect lines. This flaw allows attackers with physical access to bypass bootloader verification and load malicious software. Cisco has issued patches for some devices, with updates for others expected by month's end.

More information is on Security Week.

WeChat Bug Used to Target Uyghurs

Trend Micro discovered that the Chinese group Earth Minotaur exploited a WeChat bug to deploy the Moonshine exploit kit and install the DarkNimbus backdoor. This surveillance tool was used against Tibetan and Uyghur minorities through social engineering campaigns with malicious links embedded in government-themed messages.

Details on the findings are available on Dark Reading.

Russian Authorities Install Spyware on Detainee’s Phone

Russian programmer Kirill Parubets found spyware on his phone after being detained. Analysis revealed a trojanized version of the Cube Call Recorder, capable of extensive surveillance. This highlights escalating concerns about state-led cyber surveillance in Russia.

Learn more on The Record.

Generative AI Boosting Financial Fraud

The FBI has issued an alert about the use of generative AI tools, like ChatGPT, for advanced fraud. AI tools assist scammers with translation, generating realistic social media profiles, and crafting deepfake audio. This increases the scale and sophistication of romance and investment scams.

Read the FBI’s full advisory on IC3.

Romania Annuls Presidential Election Over Alleged Russian Interference

Romania's constitutional court annulled the presidential election due to alleged Russian interference, citing declassified intelligence reports. These documents highlight Russian efforts to manipulate results through social media campaigns and cyberattacks. The election will be redone, raising questions about the global response to election interference.

Details are available on Reuters.

Teenage Hacker Charged in Scattered Spider Crackdown

19-year-old Remington Ogletree, an alleged member of Scattered Spider, faces federal charges for phishing telecom companies and financial institutions. The group is notorious for high-profile breaches, including MGM Resorts and Coinbase. Ogletree’s schemes caused $4 million in damages, and he is accused of orchestrating 8.5 million phishing texts.

Read the full criminal complaint on The Washington Post.

Russian Users Report Gazprombank Outages Amid Ukrainian Cyberattack

Ukraine's military intelligence agency (HUR) claimed responsibility for a DDoS attack on Russia’s Gazprombank, disrupting its mobile and online services. The bank, a critical channel for Russian gas payments, faced difficulties after being sanctioned by the US Treasury.

Get more insights on The Guardian.

Pirated Corporate Software Infects Russian Businesses with Info-Stealing Malware

Russian businesses using unlicensed corporate software are the latest victims of a campaign distributing the RedLine info-stealing malware, per a Kaspersky report. Since January, attackers have posed as providers of licensing bypass tools for business automation software, luring victims on local forums. They exploit this access by instructing users to disable antivirus protections.

RedLine, a known malware-as-a-service tool, exfiltrates browser, messenger, and system data. Despite international efforts to dismantle RedLine’s infrastructure in November, the campaign persists. The crackdown follows U.S. charges against its creator, Maxim Rudometov.

Learn more from TechCrunch and Kaspersky.