Cybersecurity News: Chinese hack military, search engine outage, Mattis speaks out

In today’s cybersecurity news…

Chinese hackers hide on military and government networks for 6 years

This threat actor, previously unknown and now dubbed “Unfading Sea Haze”, has been targeting military and government entities in the South China Sea region since 2018 while remaining undetected, according to researchers at Bitdefender. Its TTPs and toolset appear to overlap with other activity clusters, especially APT41. Its attacks involve spearphishing emails carrying malicious ZIP archives that contain LNK files disguised as documents, which abuse Microsoft’s MSBuild.exe compiler. The interesting twist is that the PowerShell script embedded in the LNK file sets up a working directory on a remote SMB server, so that MSBuild executes the code it contains entirely in memory, leaving no traces on the victim’s machine.

(BleepingComputer)
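One defensive check that follows from the chain described above: flag MSBuild.exe launches whose project argument is a UNC path, with the parent process as supporting context. This is an added example, not code from Bitdefender or the article; the event field names and the sample records are constructed assumptions.

```python
"""Flag MSBuild.exe launches that load a project from a remote SMB (UNC) path.

Added example, not from the Bitdefender report. Field names (image,
command_line, parent_image) are assumed; they mirror common process-creation
telemetry but are not tied to any particular product.
"""
import re

# Constructed sample events; none of these are real logs.
EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe \\10.0.0.5\share\proj.csproj",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "command_line": r"MSBuild.exe C:\src\app\app.sln /m",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe \\fileserver\docs\notes.txt",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Two leading backslashes, a host, a backslash, then the share/path.
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\s]+")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def is_msbuild(image: str) -> bool:
    return image.lower().endswith("\\msbuild.exe")


def analyse(ev: dict) -> list:
    """Return reasons this event matches remote-project MSBuild abuse; [] if not."""
    reasons = []
    if not is_msbuild(ev["image"]):
        return reasons
    if not UNC_PATH.search(ev["command_line"]):
        return reasons  # local project file: normal developer activity
    reasons.append("project file loaded from UNC path")
    parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    if parent in SCRIPT_HOSTS:
        reasons.append("spawned by script host " + parent)
    return reasons


def flag_events(events: list) -> list:
    """Return (command_line, reasons) for every event that analyse() flags."""
    return [(ev["command_line"], analyse(ev)) for ev in events if analyse(ev)]


if __name__ == "__main__":
    for cmd, why in flag_events(EVENTS):
        print(cmd, "->", "; ".join(why))
```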

Microsoft outage affects Bing, Copilot, DuckDuckGo and ChatGPT internet search

The outage, which started around 3:00 a.m. EDT, largely affected users in Asia and Europe. Bing remained accessible via an alternate URL, www4.bing.com, but ChatGPT internet search and DuckDuckGo suffered issues because they rely on the Bing API. As of this recording, the cause of the outage has not been made public.

(BleepingComputer)

Mattis speaks out against separate military cyber service

Former Defense Secretary James Mattis said on Wednesday that the U.S. should not create a separate military cyber service, but rather should “establish a way for the Pentagon to operate inside the country in the event of a serious cybersecurity incident.” These remarks were made the same day that the House Armed Services Committee adopted into the annual defense policy bill an amendment ordering a study on the possibility of a U.S. Cyber Force, with its author citing limitations in Cyber Command’s role. Mattis said, “the problem is if you take good people and bad processes, bad processes will dominate nine times out of ten.” He added, “given DOD’s capabilities, it would be better to figure out how to let it operate in cyberspace.”

(Cyberscoop)

Norway warns of increase in Russia-linked sabotage in Europe

There is growing concern over threats of sabotage against European countries orchestrated by Russia-directed agents. On Wednesday, the Security Service and the Intelligence Service of Norway issued a heightened threat alert, pointing to the potential for sabotage aimed at organizations involved in delivering arms to Ukraine. Inger Haugland, Norway’s counterintelligence chief, points to attempts at sabotage in Poland, Germany and the United Kingdom that were conducted by non-Russian nationals to provide the Kremlin with deniability. Much of the recent activity, not limited to Norway, concerns attacks and attempted attacks on oil and gas infrastructure.

(The Record)

And now a word from our sponsor, Tines

Break away from traditional SOAR with Tines. Trusted by security teams at McKesson, Canva, and Mars, Tines is scalable and accessible for the whole team. Use Tines to automate security team toil, enrich alerts with data from across your tech stack, and foster a culture of cybersecurity. Start building for free at tines.com/ciso

Critical flaw in Replicate AI platform exposes data

Researchers at Wiz have discovered a critical vulnerability in the Replicate AI platform that could allow attackers to execute a malicious AI model within the platform for a cross-tenant attack. This would have allowed access to the private AI models of customers and potentially exposed proprietary knowledge or sensitive data. Ami Luttwak, Wiz CTO and co-founder, was quoted in an article in Dark Reading: “as we saw in the results of our work with Hugging Face and now in Replicate, two leading AI-as-a-service providers, when running AI models in cloud environments, it is crucial to remember that AI models are actually code, and like all code, the origin must be verified, and content-scanned for malicious payloads.”

(Dark Reading)

Researcher discovers spyware app on Wyndham hotel check-in systems

pcTattletale is a spyware app, some call it stalkerware, used mostly by parents who want to keep an eye on their kids, and managers who want to do the same with their employees. But security researcher Eric Daigle discovered it on the check-in systems of three Wyndham hotels across the U.S. The app was being used to capture screenshots of the hotel booking systems, including guest details. “Daigle also discovered a vulnerability in the monitoring software that allows anyone to access the screenshots taken by the app.” It is unclear at this point who installed the app and why.

(Security Affairs)

Cloud storage used for SMS phishing scams

According to researchers at security firm Enea, “a series of criminal campaigns that exploit cloud storage services such as Amazon S3, Google Cloud Storage, Backblaze B2 and IBM Cloud Object Storage” is being run by unnamed threat actors. The goal of these campaigns is to redirect users to malicious websites via SMS messages in order to steal their information. The approach is to first ensure that scam text messages are delivered to mobile handsets without detection by network firewalls. Second, they seek to convince end users that the messages or links they receive are trustworthy. The researchers state, “by leveraging cloud storage platforms to host static websites with embedded spam URLs, attackers make their messages appear legitimate and avoid common security measures.”

(InfoSecurity Magazine)
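A simple triage step a messaging or SOC team can run against inbound SMS text: pull out every URL and check whether its host is a static-hosting endpoint of one of the four object-storage services named above. This is an added example, not code from Enea or the article; the hostname patterns are my assumptions based on the providers’ documented endpoints, and the messages are constructed.

```python
"""Triage SMS text for links hosted on cloud object-storage static sites.

Added example, not from the Enea research. The hostname patterns are
assumptions covering common static-hosting endpoints of the four providers;
treat them as a starting list rather than a complete one.
"""
import re
from urllib.parse import urlparse

STORAGE_HOST_PATTERNS = {
    # bucket.s3.amazonaws.com, bucket.s3-website-us-east-1.amazonaws.com, ...
    "Amazon S3": re.compile(r"(^|\.)s3([.-][a-z0-9-]+)*\.amazonaws\.com$"),
    # storage.googleapis.com/bucket/... or bucket.storage.googleapis.com
    "Google Cloud Storage": re.compile(r"(^|\.)storage\.googleapis\.com$"),
    # f004.backblazeb2.com/file/bucket/... or bucket.s3.<region>.backblazeb2.com
    "Backblaze B2": re.compile(r"(^|\.)backblazeb2\.com$"),
    # bucket.s3.<region>.cloud-object-storage.appdomain.cloud
    "IBM Cloud Object Storage": re.compile(r"\.cloud-object-storage\.appdomain\.cloud$"),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages; the hosts and paths are made up for this example.
MESSAGES = [
    "Your package could not be delivered. Update your details: "
    "https://delivery-update.s3-website-us-east-1.amazonaws.com/index.html",
    "Account notice: verify now at https://storage.googleapis.com/acct-verify-2024/login.html",
    "Reminder: dentist appointment tomorrow at 10am https://example.com/appt",
    "You have a reward waiting: https://f004.backblazeb2.com/file/promo-win/claim.html",
]


def storage_provider(url: str):
    """Return the provider name if the URL host is an object-storage endpoint, else None."""
    host = (urlparse(url).hostname or "").lower()
    for name, pattern in STORAGE_HOST_PATTERNS.items():
        if pattern.search(host):
            return name
    return None


def triage(message: str) -> list:
    """Return (url, provider) pairs for every storage-hosted link in one message."""
    hits = []
    for url in URL_RE.findall(message):
        provider = storage_provider(url)
        if provider:
            hits.append((url, provider))
    return hits


def flag_messages(messages: list) -> list:
    """Indices of messages that carry at least one storage-hosted link."""
    return [i for i, msg in enumerate(messages) if triage(msg)]
```

A hit is a triage signal, not proof of fraud: plenty of legitimate sites are served from these endpoints, so route flagged messages to review rather than blocking on this alone.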

Microsoft slowly phases out VBScript

Plans to deprecate Visual Basic Script (VBScript), released on Wednesday, set out a timeline beginning in mid-to-late 2024. VBScript was originally introduced by Microsoft in 1996 as a Windows system component; its role will now be filled by more powerful and versatile scripting languages such as JavaScript and PowerShell. As of late 2024, VBScript will be available only as an on-demand feature in Windows 11 24H2, and then by 2027, Microsoft will still offer the feature on demand, but it will no longer be enabled by default.

(The Hacker News)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.