CybersecurityHQ News Roundup - November 27, 2024

News By Daniel Michan Published on November 27


ESET Flags Prototype UEFI Bootkit Targeting Linux

Malware researchers at ESET have uncovered a prototype UEFI bootkit targeting Ubuntu Linux systems, marking a significant evolution in bootkit attacks, which have traditionally targeted Windows operating systems. The bootkit, named Bootkitty, is still in its developmental phase but signals a concerning shift in attack strategies.

According to ESET, Bootkitty hooks functions of the UEFI authentication protocols so that the firmware's integrity checks pass for the components it loads next, patches GRUB's own verification routines and the kernel decompression code, and finally patches the decompressed kernel so that module signature verification always reports success. ESET also notes that the sample is signed with a self-signed certificate, so it cannot execute on a machine with UEFI Secure Boot enabled unless an attacker-controlled certificate has already been enrolled in the firmware. Researchers discovered the bootkit after a previously unknown UEFI application, "bootkit.efi," surfaced on VirusTotal in November 2024.

Bootkitty enables the loading of unsigned kernel modules, potentially paving the way for advanced Linux-based attacks. ESET also identified a related unsigned kernel module, BCDropper, which exhibits rootkit-like behavior, including hiding files and processes while deploying additional payloads. However, researchers caution that the exact relationship between Bootkitty and BCDropper remains speculative.

Historically, UEFI bootkits have targeted Windows systems, with notable examples like ESPecter, FinSpy, and BlackLotus, the first in-the-wild UEFI bootkit known to bypass UEFI Secure Boot on fully updated Windows 11 systems. ESET's findings emphasize the need for proactive defenses as attackers expand their focus to include Linux platforms. For more details, view ESET's research here.

Source Code of $3,000-a-Month macOS Malware ‘Banshee Stealer’ Leaked

The Banshee Stealer malware operation has reportedly shut down following the public leak of its source code. Vx-Underground, a prominent threat intelligence project, reported the leak and has made the source code available on its GitHub repository.

Banshee Stealer, designed to target macOS devices, initially gained attention in August when it was advertised on cybercrime forums for a hefty $3,000 monthly subscription fee. The malware, believed to have Russian origins, collects sensitive data such as macOS passwords, keychain credentials, web browser information, and cryptocurrency wallet details.

The malware’s targets include wallets like Exodus, Ledger, and Atomic, as well as browsers like Safari, Chrome, and Firefox. Banshee Stealer also includes a mechanism to avoid infecting Russian-speaking users, highlighting its targeted development.

While its deployment methods remain unclear, researchers noted that the malware lacked advanced obfuscation, making it relatively easier to analyze. Despite its shutdown, experts warn the leaked source code could be repurposed by other threat actors. For more information, check out Vx-Underground’s analysis here.

ProjectSend Vulnerability Exploited in the Wild

A critical vulnerability in ProjectSend, a popular open-source file-sharing application, is actively being exploited by threat actors. The flaw, tracked as CVE-2024-11680 with a CVSS score of 9.8, allows unauthenticated attackers to modify the application's configuration, potentially enabling the upload of malicious webshells or embedding harmful JavaScript code.

Synacktiv originally reported the vulnerability in January 2023; it stems from a missing authentication check in ProjectSend's PHP code. A fix was committed in May 2023 but did not ship in an official release until r1750 in August 2024, and adoption remains alarmingly low: according to VulnCheck, roughly 55% of exposed ProjectSend instances still run the vulnerable r1605 release and only about 1% run a patched build.

Attackers are exploiting this vulnerability to create rogue accounts, bypass security measures, and deploy webshells. Public exploits for CVE-2024-11680 are available from sources like Metasploit and Nuclei, further accelerating attacks.

With roughly 4,000 instances indexed by Censys, organizations using ProjectSend are urged to update to the latest version immediately. VulnCheck warns that exploitation is likely widespread due to poor patching practices. Learn more about this vulnerability and mitigation steps here and here.

Bipartisan Legislation Seeks Stronger Healthcare Cybersecurity

A bipartisan group of U.S. senators has introduced the Health Care Cybersecurity and Resiliency Act of 2024, aiming to fortify cybersecurity in the healthcare sector and protect sensitive health data. Senators Bill Cassidy (R-LA), Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH) are leading this legislative effort.

The proposed law updates HIPAA regulations, provides financial support for under-resourced healthcare entities, and enhances sector-wide cybersecurity practices. A key component involves the Department of Health and Human Services (HHS) collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) to improve incident response, information sharing, and cybersecurity training for healthcare providers.

The legislation mandates that organizations report cybersecurity incidents and share lessons learned, while rural healthcare providers receive specific guidance and grants to adopt security best practices. Read the full text of the bill.

This initiative comes amid a sharp rise in cyberattacks on healthcare organizations, endangering both patient data and lives. “Cyberattacks on our healthcare systems can have life-and-death consequences. This bipartisan legislation strengthens our cybersecurity and better protects patients,” said Senator Warner.

New VPN Attack Demonstrated Against Palo Alto Networks, SonicWall Products

Researchers at AmberWolf have unveiled a new VPN attack method, leveraging vulnerabilities in widely used corporate VPN clients, including Palo Alto Networks’ GlobalProtect and SonicWall’s NetExtender. The researchers also introduced NachoVPN, an open-source tool that exploits these flaws to simulate rogue VPN servers.

In the case of Palo Alto Networks' GlobalProtect, a rogue VPN server abuses the client's update mechanism: the client is made to install an attacker-controlled root certificate and then a malicious update package, which runs with elevated privileges and yields remote code execution. SonicWall's NetExtender can be launched against a rogue server by luring the user to a malicious website; the server then delivers a fake update that the client executes with elevated privileges.

Palo Alto Networks patched its vulnerability, tracked as CVE-2024-5921, on November 26, 2024, while SonicWall addressed CVE-2024-29014 in July. Both companies emphasized the importance of immediate updates to prevent exploitation.

These attacks highlight the risks posed by VPN software as attackers increasingly target their trust relationships. Organizations are urged to patch vulnerabilities and educate users about potential social engineering schemes. More details on NachoVPN here.

Russian APT Chained Firefox and Windows Zero-Days Against US and European Targets

The RomCom APT group, linked to Russian espionage and cybercrime operations, has exploited two zero-day vulnerabilities in Firefox and Windows to deploy a backdoor on victims’ systems, according to a report by ESET.

The attackers chained CVE-2024-9680, a critical use-after-free flaw in Firefox's animation timeline code, with CVE-2024-49039, a privilege-escalation bug in the Windows Task Scheduler. Victims who visited an attacker-controlled website were compromised without any further interaction: the Firefox flaw gave code execution inside the browser's content process, and the Task Scheduler flaw let the payload escape the browser sandbox and run with higher privileges before installing the RomCom backdoor.

ESET’s analysis revealed that most victims were based in North America and Europe. Mozilla patched the Firefox vulnerability on October 9, while Microsoft addressed the Windows flaw on November 12.

RomCom has a history of targeting sensitive sectors such as government, defense, and energy for espionage and conducting cybercrime operations against pharmaceutical and legal firms. “This level of sophistication showcases the actor’s ability to acquire or develop advanced capabilities,” said ESET. Read the full report.

Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels

Cybersecurity researchers have unveiled Bootkitty, the first known UEFI bootkit targeting Linux systems. ESET assesses it as a proof of concept rather than deployed malware; strings embedded in the binary name "BlackCat" as possible authors, but ESET considers a link to the ALPHV/BlackCat ransomware group unlikely. Bootkitty patches the Linux kernel's integrity checks so that unsigned code can be loaded during system startup.

ESET researchers found that Bootkitty does not exploit a firmware vulnerability: it hooks UEFI authentication protocol functions and patches GRUB's verification routines, which only takes effect once the binary is allowed to run at all (it is self-signed, so it cannot launch under Secure Boot unless an attacker's certificate is already enrolled). While it has not been observed in real-world attacks, its discovery signals a shift in a threat landscape traditionally dominated by Windows-targeted UEFI bootkits.

“This emphasizes the necessity of being prepared for potential future threats,” said the researchers, noting the sophistication of the tool’s design. Learn more about Bootkitty.
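Both Bootkitty write-ups above describe the same tampering: Secure Boot has to be off (or a rogue certificate enrolled), kernel module signature enforcement is patched out, and the init process is given an LD_PRELOAD entry so that ELF payloads load into userland. The script below is an added example, not ESET's tooling, that checks a Linux host for exactly those conditions plus stray `.efi` binaries on the EFI System Partition. It assumes efivarfs at its usual mount point, an Ubuntu-style ESP layout, and a per-host allowlist (`EXPECTED_ESP_BINARIES`) that you maintain yourself; every check takes raw data so it can be exercised offline.

```python
"""Host checks for the boot-chain tampering ESET describes for Bootkitty.

Added example, not ESET's tooling. Each check takes raw data so it can be
exercised offline; collect_live() reads the real sysfs/proc locations.
Assumptions: an x86-64 Ubuntu-style ESP layout (EXPECTED_ESP_BINARIES is a
per-host allowlist you must maintain) and efivarfs mounted at the usual path.
"""
from pathlib import Path
from typing import Iterable, List, Optional

SECUREBOOT_VAR = Path("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
SIG_ENFORCE = Path("/sys/module/module/parameters/sig_enforce")
LOCKDOWN = Path("/sys/kernel/security/lockdown")
INIT_ENVIRON = Path("/proc/1/environ")
ESP_ROOT = Path("/boot/efi")

# Assumed per-host allowlist of EFI binaries that belong on the ESP.
EXPECTED_ESP_BINARIES = {
    "EFI/BOOT/BOOTX64.EFI",
    "EFI/ubuntu/shimx64.efi",
    "EFI/ubuntu/grubx64.efi",
    "EFI/ubuntu/mmx64.efi",
}


def secure_boot_enabled(efivar: bytes) -> bool:
    """efivarfs files carry a 4-byte attribute header before the data byte."""
    return len(efivar) >= 5 and efivar[4] == 1


def module_sig_enforced(sig_enforce: str) -> bool:
    """'Y' means unsigned modules are rejected; Bootkitty patches the kernel so they load anyway."""
    return sig_enforce.strip() == "Y"


def lockdown_mode(lockdown: str) -> str:
    """Parse /sys/kernel/security/lockdown, e.g. 'none [integrity] confidentiality' -> 'integrity'."""
    for token in lockdown.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return "unknown"


def init_ld_preload(environ: bytes) -> Optional[str]:
    """Return any LD_PRELOAD value in PID 1's NUL-separated environment.
    A preload on init is never legitimate on a stock distro; ESET reports
    Bootkitty injecting one to pull ELF payloads into userland."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def unexpected_esp_binaries(paths: Iterable[str], allowlist=EXPECTED_ESP_BINARIES) -> List[str]:
    """List .efi files (ESP-relative paths) not on the allowlist; FAT names are case-insensitive."""
    allow = {p.lower() for p in allowlist}
    return sorted(p for p in paths if p.lower().endswith(".efi") and p.lower() not in allow)


def assess(efivar: bytes, sig_enforce: str, lockdown: str, environ: bytes,
           esp_paths: Iterable[str]) -> List[str]:
    """Combine the checks into a list of human-readable findings (empty list = clean)."""
    findings = []
    if not secure_boot_enabled(efivar):
        findings.append("Secure Boot is off: a self-signed bootkit like Bootkitty can execute")
    if not module_sig_enforced(sig_enforce):
        findings.append("module.sig_enforce is off: unsigned kernel modules (e.g. BCDropper) would load")
    if lockdown_mode(lockdown) == "none":
        findings.append("kernel lockdown is 'none'")
    preload = init_ld_preload(environ)
    if preload:
        findings.append(f"LD_PRELOAD set on PID 1: {preload}")
    for p in unexpected_esp_binaries(esp_paths):
        findings.append(f"unexpected EFI binary on the ESP: {p}")
    return findings


def collect_live() -> List[str]:
    """Gather inputs from the running host (needs root for /proc/1/environ)."""
    def read_bytes(p: Path) -> bytes:
        return p.read_bytes() if p.exists() else b""
    esp = ([str(f.relative_to(ESP_ROOT)) for f in ESP_ROOT.rglob("*") if f.is_file()]
           if ESP_ROOT.exists() else [])
    return assess(read_bytes(SECUREBOOT_VAR),
                  read_bytes(SIG_ENFORCE).decode(errors="replace"),
                  read_bytes(LOCKDOWN).decode(errors="replace"),
                  read_bytes(INIT_ENVIRON), esp)


if __name__ == "__main__":
    for line in collect_live() or ["no findings"]:
        print(line)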

Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers

A critical security flaw in the open-source file-sharing application ProjectSend is under active exploitation, according to researchers at VulnCheck. The vulnerability, tracked as CVE-2024-11680, was fixed in code in May 2023 but only reached an official release, r1750, in August 2024, more than a year after its initial identification; VulnCheck finds roughly 99% of public-facing servers still unpatched. With a CVSS score of 9.8, the flaw lets unauthenticated attackers change the application's configuration and, from there, upload and execute arbitrary PHP code on the server.

Synacktiv originally reported the issue in January 2023 as an improper authorization check in ProjectSend version r1605, enabling attackers to bypass critical restrictions and perform unauthorized actions. The exploitation, which began in September 2024, involves uploading malicious web shells, escalating privileges, and embedding malicious JavaScript.

Organizations using ProjectSend are urged to update to the latest patched version, r1750, to mitigate this active threat. Read more on this vulnerability at Rapid7 or Project Discovery.
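Both ProjectSend items above describe the same bug class: a configuration endpoint that never checks who is calling, after which the loosened settings (self-registration, permitted upload extensions) are used to drop a PHP web shell. The model below is an added illustration written in Python, not ProjectSend's own code (which is PHP); the route names, setting names and the `EXECUTABLE_EXTENSIONS` list are assumptions for the example. The same `App` class runs in vulnerable mode (`hardened=False`) and in a fixed mode that both enforces an admin session on the settings handler and refuses server-executable extensions regardless of what the settings say.

```python
"""Vulnerable and hardened versions of a settings endpoint, modelling the bug class
behind CVE-2024-11680 (an unauthenticated caller changes configuration, then uses
the loosened settings to register and upload a web shell).

Added illustration written in Python; ProjectSend is PHP and this is not its code.
The paths (/options.php, /register.php, /upload.php), the setting names and the
EXECUTABLE_EXTENSIONS list are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php5", "phps"}


@dataclass
class Request:
    path: str
    params: Dict[str, object]
    session_user: Optional[str] = None  # None means unauthenticated
    session_role: str = "client"


@dataclass
class App:
    hardened: bool = True  # False reproduces the vulnerable behaviour
    settings: Dict[str, object] = field(default_factory=lambda: {
        "allowed_file_types": "pdf,docx,png",
        "clients_can_register": False,
    })
    users: Set[str] = field(default_factory=set)
    uploads: List[str] = field(default_factory=list)

    def handle(self, req: Request) -> Tuple[int, str]:
        routes = {"/options.php": self.update_options,
                  "/register.php": self.register,
                  "/upload.php": self.upload}
        handler = routes.get(req.path)
        return handler(req) if handler else (404, "not found")

    def update_options(self, req: Request) -> Tuple[int, str]:
        # The vulnerable build trusts the POST body and never asks who is calling.
        if self.hardened and not (req.session_user in self.users and req.session_role == "admin"):
            return 403, "admin session required"
        for key in ("allowed_file_types", "clients_can_register"):
            if key in req.params:
                self.settings[key] = req.params[key]
        return 200, "saved"

    def register(self, req: Request) -> Tuple[int, str]:
        if not self.settings["clients_can_register"]:
            return 403, "registration disabled"
        self.users.add(str(req.params["user"]))
        return 200, "registered"

    def upload(self, req: Request) -> Tuple[int, str]:
        if req.session_user not in self.users:
            return 403, "login required"
        name = str(req.params.get("filename", ""))
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        allowed = {e.strip().lower() for e in str(self.settings["allowed_file_types"]).split(",")}
        if ext not in allowed:
            return 400, f".{ext} is not an allowed file type"
        # Defence in depth: a server-executable extension is refused no matter what the settings say.
        if self.hardened and ext in EXECUTABLE_EXTENSIONS:
            return 400, "server-executable extension refused"
        self.uploads.append(name)
        return 200, f"stored {name}"


def attacker_chain(app: App) -> Tuple[int, str]:
    """The sequence described in the reporting: loosen settings with no session,
    self-register a rogue account, then upload a PHP web shell."""
    app.handle(Request("/options.php", {"allowed_file_types": "pdf,php", "clients_can_register": True}))
    app.handle(Request("/register.php", {"user": "rogue"}))
    return app.handle(Request("/upload.php", {"filename": "shell.php"}, session_user="rogue"))


if __name__ == "__main__":
    print("vulnerable:", attacker_chain(App(hardened=False)))
    print("hardened:  ", attacker_chain(App()))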

APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign

The cyber-espionage group APT-C-60, suspected of links to South Korea, has been tied to a sophisticated attack against a Japanese organization using the SpyGlace backdoor. According to findings from JPCERT/CC, the attackers leveraged legitimate platforms like Google Drive, Bitbucket, and StatCounter to deliver malware disguised as a job application.

According to JPCERT/CC, the infection chain began with a phishing email carrying a Google Drive link to a virtual hard disk (VHDX) file, inside which a shortcut posed as a job application; the chain used StatCounter to identify the victim's machine, Bitbucket to stage the downloader and the SpyGlace payload, and COM hijacking for persistence. Earlier in 2024 the same group was reported exploiting a WPS Office vulnerability (CVE-2024-7262) to deliver SpyGlace. The campaign also highlights SpyGlace's capabilities for file theft, plugin deployment, and command execution.

This campaign is part of a broader trend of attackers using non-standard delivery containers, such as virtual disk images, whose contents did not carry Mark-of-the-Web once mounted and so sidestep many file-based controls. Analysts note connections between APT-C-60 and the DarkHotel cluster. Learn more at Positive Technologies and Chuangyu 404 Lab.
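COM hijacking, the persistence technique JPCERT/CC reports here, works because Windows resolves a CLSID under HKCU\Software\Classes before HKLM, so an unprivileged user can point a class at a DLL of their own and have it loaded by any process that instantiates that class. The scanner below is an added example, not JPCERT/CC's tooling: it parses a `.reg` export of the user hive (`reg export HKCU\Software\Classes\CLSID clsid.reg`, which reg.exe writes as UTF-16 LE) and flags every user-hive COM server registration, rating those whose DLL lives in a user-writable directory as high severity. `SAMPLE_REG` is constructed data with placeholder CLSIDs and paths.

```python
r"""Flag COM hijacks in a registry export, the persistence technique JPCERT/CC
reports for this SpyGlace campaign.

Added example; not JPCERT/CC's tooling. Windows resolves a CLSID under
HKCU\Software\Classes before HKLM, so a user-hive InprocServer32 pointing at a
DLL in a user-writable directory is loaded by every process that instantiates
that class. Export the hive with:
    reg export HKCU\Software\Classes\CLSID clsid.reg
(reg.exe writes UTF-16 LE). SAMPLE_REG is constructed data with placeholder
CLSIDs and paths.
"""
import re
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\\"
    r"(?P<server>InprocServer32|InprocHandler32|LocalServer32|TreatAs)$",
    re.IGNORECASE,
)
# Directories an unprivileged user can write to; a COM server DLL here is the classic hijack pattern.
USER_WRITABLE_RE = re.compile(r"\\(users|appdata|temp|programdata|public)\\", re.IGNORECASE)


def parse_reg(text: str) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Yield (key path, {value name: string data}) per key; the default value is named '@'.
    Only REG_SZ values are handled, which is all a COM server registration needs."""
    key, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, values
            key, values = line[1:-1], {}
        elif key is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double every backslash inside string data; undo that.
            values[name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    if key is not None:
        yield key, values


def find_com_hijacks(reg_text: str) -> List[Dict[str, str]]:
    """Return one finding per user-hive COM server registration."""
    findings = []
    for key, values in parse_reg(reg_text):
        m = KEY_RE.match(key)
        if not m:
            continue
        target = values.get("@", "")
        severity = "high" if USER_WRITABLE_RE.search(target) else "medium"
        findings.append({"clsid": m["clsid"].upper(), "server": m["server"],
                         "target": target, "severity": severity})
    return findings


def scan_reg_file(path: str) -> List[Dict[str, str]]:
    """Read a reg.exe export (UTF-16 LE with BOM) and scan it."""
    return find_com_hijacks(Path(path).read_text(encoding="utf-16"))


# Constructed sample: placeholder CLSIDs and paths, not real indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\loader.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{55555555-6666-7777-8888-999999999999}\InprocServer32]
@="C:\\Program Files\\Vendor\\component.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\alice\\u.exe"
"""

if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_REG):
        print(f"{f['severity']:6} {f['clsid']} {f['server']} -> {f['target']}")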

Opinion: Why Senior Management Must Take the Helm on Cybersecurity

In an era defined by rapid digital transformation, cybersecurity has become a boardroom priority. Incidents like the 2017 Equifax breach and the 2013 Target breach demonstrate the catastrophic consequences of inadequate security measures, from operational disruptions to reputational damage.

Executives must adopt a proactive approach to cybersecurity, integrating it into business strategy and ensuring compliance with regulatory frameworks like the GDPR, HIPAA, and PCI DSS. For example, the SEC requires public companies to disclose cybersecurity risks, underscoring its importance in corporate governance.

Action Steps for Senior Leadership:

  1. Embed Cybersecurity in Strategy: Ensure cybersecurity is part of product development and decision-making processes.
  2. Allocate Adequate Resources: Invest in tools, training, and skilled professionals.
  3. Foster a Security Culture: Train employees at all levels to mitigate human error.
  4. Adopt Industry Standards: Leverage frameworks like NIST Cybersecurity Framework or ISO/IEC 27001.
  5. Engage Experts: Collaborate with consultants and information-sharing networks.

Cybersecurity is not just an IT concern; it’s a strategic function critical to sustaining business operations and stakeholder trust. Neglecting this responsibility can result in financial losses, regulatory penalties, and customer attrition. Read insights on governance and risk management at Harvard Business Review and Deloitte.

Telecom Cybersecurity Rules 2024: Bold Step, Industry Seeks Clarity

India Takes a Stand on Telecom Security, but Concerns Remain

India has made a significant move in cybersecurity with the release of its Telecom Cyber Security Rules, 2024, highlighting its growing focus on protecting digital infrastructure. Introduced by the Ministry of Communications and the Department of Telecommunications (DoT), the rules empower government agencies to access telecom traffic data, excluding message content like text, audio, or video. This initiative aims to bolster telecom cybersecurity while ensuring critical data is accessible for analysis.

Key Requirements for Telecom Operators

The regulations demand that telecom companies establish systems to collect traffic data and provide it to the government for analysis. Additionally, operators must report cybersecurity incidents within six hours and follow up with a detailed report within 24 hours, a far tighter timeline than the 72-hour windows common in U.S. and EU regulation (the GDPR's breach-notification deadline, for example).

Industry leaders see this as a necessary but challenging directive. According to Konark Trivedi, Founder and MD of Frog Cellsat Ltd., "The six-hour reporting timeline is achievable with efficient systems, but responsibility should also rest with the citizens experiencing cybercrime."

Meanwhile, Tony Verghese, Partner at JSA Advocates and Solicitors, pointed out gaps in clarity regarding equipment registration, especially for devices purchased abroad.

Industry Reactions

While hailed as a bold move, the rules also raised operational concerns. Ayush Jindal, an advocate at the Supreme Court, remarked that these measures are critical for the long-term security of India’s digital infrastructure but might introduce immediate hurdles for compliance.

This step marks a crucial moment in India's digital security journey, but effective implementation and clearer guidelines remain essential.

Learn more about India's telecom cybersecurity regulations

The U.S. Government Confirms It Hacked Itself—12 Times

CISA’s Red Team Simulates Real-World Attacks on Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA) recently conducted 12 red-team assessments, simulating real-world cyberattacks to identify vulnerabilities in U.S. critical infrastructure. These exercises revealed multiple security gaps, with one team exploiting a leftover web shell from a prior third-party security assessment to gain access.

Key Takeaways

  • The red team used tactics such as data exfiltration, ransomware simulations, and domain admin lateral movement.
  • Despite initial detection, the target organization failed to act swiftly, allowing the team to compromise sensitive systems.
  • CISA concluded that the organization over-relied on endpoint detection and lacked adequate network protections.

These findings underline the need for improved technical controls and continuous staff training to defend against sophisticated threats.

Read more about the CISA red team findings

Trio of South Dakota Politicians Poised for Cybersecurity Leadership

How South Dakota May Influence U.S. Cyber Policy in 2025

Three South Dakota Republicans are set to take prominent roles in cybersecurity policy next year:

  • Gov. Kristi Noem as the likely Secretary of Homeland Security.
  • Sen. Mike Rounds as chair of a key cybersecurity subcommittee.
  • Sen. John Thune as Senate Majority Leader.

South Dakota's Unique Approach

South Dakota’s focus on cybersecurity, especially in agriculture, will likely expand under their leadership. According to José-Marie Griffiths, President of Dakota State University, “Agriculture, a latecomer to cybersecurity, could get more attention, alongside greater emphasis on proactive measures against cyber threats.”

Expect increased focus on China-related cyber threats, workforce development in the Midwest, and initiatives addressing critical infrastructure vulnerabilities.

Explore South Dakota's impact on U.S. cybersecurity

Blue Pill Attacks: 35 Million Devices at Risk

New Threats Highlight Growing Vulnerabilities in IoT

A report by cybersecurity experts reveals that 35 million IoT devices are vulnerable to "Blue Pill" attacks. These exploits allow hackers to manipulate device firmware, turning them into conduits for large-scale attacks.

Why It Matters

With IoT adoption surging, such vulnerabilities expose critical infrastructure, homes, and businesses to unprecedented risks. Industry leaders emphasize urgent action to patch affected devices and strengthen IoT security standards.

Discover more about Blue Pill vulnerabilities

NSA Warns: Reboot Your Devices to Defend Against Zero-Click Attacks

Simple Steps to Mitigate Complex Threats

The NSA's mobile device best-practices guidance urges smartphone users to power their devices off and on regularly (the agency suggests once a week). A reboot clears non-persistent malware from memory, disrupting zero-click exploits that compromise a device without user interaction but have not yet established persistence; it is no defence against an implant that survives a restart. Such attacks are increasingly targeting both individuals and organizations.

Find out why rebooting your device is essential

The Growing Role of Cybersecurity in U.S.-China Relations

Strategic Competition Fuels New Policies

The United States continues to prioritize cybersecurity in its strategic competition with China. Recent legislation targets emerging threats in artificial intelligence, 5G, and supply chain vulnerabilities, ensuring national security remains at the forefront.

With bipartisan support, expect more initiatives to counter cyber risks emanating from China in the coming years.

Learn about U.S.-China cybersecurity policies

NIS2 and Ireland: Rethinking Cybersecurity Regulation to Meet Changing Threat Landscape

The EU's Network and Information Security Directive 2 (NIS2) reached its transposition deadline on October 17, 2024, the date from which member states were required to apply its stricter cybersecurity requirements across the EU. Targeting sectors like critical infrastructure and digital services, NIS2's broad scope mandates compliance by 2028, making it essential for Irish organizations to start implementing changes now.

This directive emphasizes a risk-based approach, requiring tailored security measures aligned with operational risks, as well as supply chain security, incident response plans, and cybersecurity by design. However, its flexible framework—while adaptive to evolving threats—creates interpretation challenges for organizations.

Executives must also take note: NIS2 introduces personal liability for management. Leadership teams face legal risks for gross negligence, like failing to report breaches properly. Organizations must implement robust risk assessments, incident response protocols, and training programs to meet these demands.

Key compliance steps include conducting regular audits, following best practices like the NIST Cybersecurity Framework and ISO 27001, and proactively addressing incident reporting requirements already in effect. Read more about NIS2's compliance roadmap here.

Australia Updates Cyber Security Governance Principles to Address Emerging Cyber Threats

The Australian Institute of Company Directors (AICD) and Cyber Security Cooperative Research Centre (CSCRC) have updated their Cyber Security Governance Principles to reflect the evolving cyber landscape. Version 2 introduces measures addressing digital supply chain risks, data governance, and incident response.

Key features include tailored tools like checklists for SMEs, governance red flags, and strategic advice from corporate leaders. The principles emphasize integrating cybersecurity into risk management practices, implementing multi-factor authentication, and conducting regular phishing tests and training.

Boards are urged to map digital supply chains, adopt redundancy measures, and enhance oversight of supplier relationships. With operational and customer data increasingly critical, the updated guidelines stress the importance of robust data governance practices.

Explore the updated Cyber Security Governance Principles here.

IBM Engineering Systems Flaw Let Attackers Bypass Security Restrictions

A critical vulnerability, CVE-2024-41779, has been identified in IBM’s Engineering Systems Design Rhapsody – Model Manager (RMM), impacting versions 7.0.2 and 7.0.3. This flaw, scored 9.8 on the CVSS scale, enables remote attackers to bypass security restrictions and execute malicious code.

The vulnerability arises from a race condition in request handling; a successful exploit compromises confidentiality, integrity and availability, consistent with the 9.8 score. IBM has released patches (iFix031 for version 7.0.2 and iFix008 for version 7.0.3). As an interim mitigation, IBM advises against enabling DEBUG logging for 'IDMappingsService.verbose'.

Cleo Capital Launches Cybersecurity Accelerator to Address Rising Online Threats

Cleo Capital, the venture fund known for backing high-profile startups like Groq, Ellevest, and Hill House, has announced the launch of a cybersecurity accelerator aimed at combating the growing threat of cybercrime.

This 12-week remote program offers $250,000 in funding for a 7% equity stake in selected startups. Cleo Capital plans to accept up to 10 pre-seed and seed-stage companies globally. Applications are open until January 20, with the program kicking off on February 24.

Founder and Managing Partner Sarah Kunst explained that the initiative stems from her firsthand exposure to the pervasive nature of online fraud, impacting everything from dating apps to rural communities. Kunst highlighted the staggering $12.5 billion loss Americans faced from cybercrime in 2023, per the FBI.

Cybersecurity investment has surged, driven by the rise of unicorn startups like Chainguard and Bugcrowd. Kunst aims to challenge the notion that cybersecurity is solely an enterprise domain, emphasizing opportunities for consumer-focused innovations.

Learn more about Cleo Capital’s accelerator here.

T-Mobile Blocks Cyberattack with No Customer Data Compromise

T-Mobile has confirmed thwarting a recent cyberattack linked to suspicious activity on a network connection shared with another provider. According to T-Mobile's Chief Security Officer Jeff Simon, customer data, including calls and texts, was not compromised.

The attack bears similarities to the Chinese-linked “Salt Typhoon” espionage campaign targeting U.S. telecom firms. While T-Mobile severed ties with the compromised network, investigations are ongoing, and the findings have been shared with federal authorities.

In recent months, telecom giants like AT&T and Verizon have also been targeted by state-backed threat actors. This incident underscores the critical need for robust cybersecurity defenses in the telecommunications sector.

Smartphone Users Warned to Delete Dangerous Loan Apps

Cybersecurity firm McAfee has identified 15 malicious apps, collectively downloaded over 8 million times on Android devices, as part of an alarming rise in “SpyLoan” scams. These apps, posing as quick loan providers, exploit users by accessing sensitive data, leading to financial extortion and harassment.

McAfee reports a 75% increase in SpyLoan activity over the last quarter. Users are urged to scrutinize app permissions, read reviews carefully, and report suspicious apps. To learn more about protecting your devices, visit McAfee’s detailed report here.

EPA Warns U.S. Drinking Water Systems Are Vulnerable to Cyberattacks

A recent EPA report reveals that drinking water systems serving 193 million Americans are critically vulnerable to cyber threats. The assessment identified 97 systems with high-risk vulnerabilities, impacting approximately 26.6 million people, and flagged an additional 211 systems as medium or low risk.

Cyberattacks on water infrastructure could result in massive financial losses and disruptions. For instance, a statewide attack in California could cost up to $61 billion daily. Despite these risks, the EPA lacks a dedicated incident reporting system for water systems, relying on the Cybersecurity and Infrastructure Security Agency (CISA) instead.

This report serves as a stark reminder of the growing threat to critical infrastructure and the urgent need for a national cybersecurity strategy. For further insights, read the full EPA findings here.