Cybersecurity News: SonicWall access flaw, Microsoft security summit, Telegram details

In today’s cybersecurity news…

SonicWall warns of critical access control flaw

SonicWall released a bulletin detailing a vulnerability in SonicOS that affects its Gen 5, Gen 6, and some Gen 7 firewalls. The flaw requires neither authentication nor user interaction, and could allow an attacker to gain unauthorized access to the device or cause a system crash. SonicWall released a security update and said those unable to install it immediately should disable WAN management access from the internet. While the company didn’t disclose any active exploitation, CISA has previously warned about active exploitation of SonicWall vulnerabilities by advanced threat actors.

(Bleeping Computer)

Microsoft to host security summit

The world may have recovered from the massive CrowdStrike outage last month, but Microsoft is looking to make sure it doesn’t happen again. It announced it will hold an event on September 10th for government representatives and security vendors, meant to “discuss concrete steps we will all take to improve security and resiliency for our joint customers.” It’s not clear what this could entail, but Microsoft did recently tell the Financial Times it hadn’t ruled out wholesale blocking access to the Windows kernel, although it also said several other options were on the table. We’ll follow up with details next month. 

(Ars Technica)

More details on Telegram CEO’s arrest

French President Emmanuel Macron clarified that the arrest of Telegram CEO Pavel Durov this week was not a political decision but part of an ongoing judicial investigation. The arrest came as part of an investigation into “the lack of moderation and cooperation of the platform,” which allegedly made it complicit in the sharing of CSAM, drug trafficking, and money laundering. The judge in the case set a 96-hour deadline to either press charges against Durov, name him as a witness in the investigation, or cut him loose.

(Politico, Bloomberg)

FBI taken to task on electronic media security

A recent audit by the Department of Justice’s Office of the Inspector General found three “significant weaknesses” in the policies and procedures the FBI uses for managing and disposing of electronic media containing sensitive information. These included not adequately tracking media removed from laptops, failing to consistently label media with classification levels such as Top Secret, and inadequate internal access controls over media awaiting destruction. That last point included pallets of exposed devices sitting unsecured in waste storage facilities. The FBI issued a new directive to address the issues.

(Bleeping Computer)

Thanks to today’s episode sponsor, Scrut Automation

Scrut Automation allows compliance and risk teams of any size to establish enterprise-grade security programs. Their best-in-class features like process automation, AI, and over 75 native integrations reverse compliance debt and help manage risk proactively as your business grows. Visit scrut.io to schedule a demo or learn more. That’s www.scrut.io.

Velvet Ant exploits Cisco zero-day

Researchers at the security firm Sygnia disclosed a new campaign by a threat actor called Velvet Ant targeting a command injection vulnerability in NX-OS, the operating system for Cisco’s Nexus-series switches. Sygnia believes the group receives support from China. The flaw allowed someone with valid admin credentials to execute commands on the underlying Linux OS of these switches. From there, a tailored malware called VelvetShell was deployed, which could further enroll other devices on the network for reconnaissance. The researchers say this operated as part of a multi-year intrusion campaign they first discovered last year at an unnamed organization. Cisco released a patch for the issue earlier this summer, and CISA added it to the KEV catalog.

(Infosecurity Magazine)

Seattle-Tacoma International Airport hit by cyberattack

The airport confirmed the incident caused an IT systems outage, resulting in delayed flights and issues with its reservation system over the weekend. The Port of Seattle first noticed the problem on August 24th. No group has yet taken credit for the attack. While IT systems were down, the airport used X to communicate with travelers, recommending they use airline websites to check travel information. As of this recording, its website remains down. The FBI confirmed to The Seattle Times that it is working with partners to investigate.

(Bleeping Computer)

Malware clones contactless payment cards

Security researchers at ESET published details on a novel malware called NGate, used in campaigns against three banks in Czechia. The malware comes as a malicious Android app able to clone NFC data from payment cards and send it to an attacker’s device. The app also prompts users to enter authentication information for their financial institution. From there the attacker can emulate the card to withdraw funds from an ATM. The malware is based on the legitimate security research tool NFCGate. Researchers identified at least six different NGate apps since November 2023, eventually leading to the arrest of a 22-year-old who used the exfiltrated cards to get cash.

(The Hacker News)

American Radio Relay League paid the piper

Back in May the American Radio Relay League, or ARRL, experienced a ransomware attack in which attackers compromised both on-prem and cloud-based systems; we covered it over the summer on this show. At the time the League described the attack as “an act of organized crime.” It took until July 1st to restore some services, with full restoration planned over the next two months. The ARRL has now disclosed that it negotiated with the attackers and paid a $1 million ransom, saying insurance covered most of the ransom and recovery costs. The attack did not impact its Logbook of The World server or any related user data.

(Security Week)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.