Cybersecurity News: Iran hacking, Labour Party backlog, more Telegram warrants

Iran targeting presidential administration officials

CNN reports that a threat group believed to be working at the behest of Iran’s Islamic Revolutionary Guard Corps has targeted officials in both the former Trump and Biden administrations with phishing emails since at least 2022. Targets included former national security advisor John Bolton and an unnamed ex-diplomat from the Biden administration. Earlier this month the FBI announced it had concluded that Iranian-linked attackers successfully compromised the Trump campaign and targeted the Harris campaign with similar tactics. Despite this, U.S. Cyber Command and NSA chief Gen. Timothy Haugh said the US is “in a really good position” to respond to hacking attempts around the election compared to 2016. He also said he expects to see an increase in hacking activity ahead of the election.

(CNN, The Record)

Iran working with ransomware gangs

In a joint advisory unrelated to our previous story, the FBI, CISA, and the DoD Cyber Crime Center warned that the Iran-based threat group Pioneer Kitten has begun working with ransomware affiliates to extort victims across the defense, education, finance, and healthcare sectors. Essentially, Pioneer Kitten gains access to victim networks, then sells that access under various aliases. The FBI identified the ransomware groups NoEscape, RansomHouse, and ALPHV as working with Pioneer Kitten. For what it’s worth, there is no indication that the ransomware groups are aware they are working with an Iranian actor in these instances. In the past, the group scanned for vulnerabilities in Citrix NetScaler devices, but more recently it began scanning for vulnerable Palo Alto GlobalProtect and Check Point security devices.

(Bleeping Computer)

UK Labour Party chided over cyberattack backlog

Under British privacy law, citizens have a right to request a copy of any personal information held about them by an organization. This is called a subject access request, or SAR, and organizations generally must respond within a month. The UK’s Information Commissioner’s Office said it received hundreds of complaints about the length of time it takes the Labour Party to respond to SARs, specifically those related to an October 2021 cyberattack. An investigation by the ICO found an unmonitored inbox that had received hundreds of SARs since the incident, resulting in processing delays of over a year. The ICO issued a reprimand rather than a fine to the Party, citing a senior official who “devoted considerable time to personally dealing with the subject access request backlog.”

(The Record)

More Telegram arrest warrants in France

According to documents seen by Politico, French authorities also issued an arrest warrant back in March for Telegram co-founder Nikolai Durov, brother of CEO Pavel Durov. The documents also showed that authorities issued the warrants after Telegram gave “no answer” to judicial requests to identify a Telegram user suspected in a child sex abuse case. This lack of response seems par for the course. The U.S.-based National Center for Missing & Exploited Children, the Canadian Centre for Child Protection, and the U.K.-based Internet Watch Foundation all told NBC News that outreach to Telegram about CSAM issues largely goes ignored.

Additionally, French prosecutors announced they released Pavel Durov from police custody after the 96-hour window for questioning expired. They plan to have him brought to court for a possible indictment shortly.

(Politico, NBC News, AP News)

Thanks to today’s episode sponsor, Scrut Automation

Scrut Automation allows compliance and risk teams of any size to establish enterprise-grade security programs. Their best-in-class features like process automation, AI, and over 75 native integrations reverse compliance debt and help manage risk proactively as your business grows. Visit scrut.io to schedule a demo or learn more. That’s www.scrut.io.

Hitachi Energy urges SCADA upgrade

In a new security advisory, Hitachi Energy warned customers to update their MicroSCADA X SYS600 power monitoring systems to version 10.6 to mitigate several severe vulnerabilities. Of the two most critical, one allows an SQL injection attack due to improper validation of user queries, and the other is an argument injection that could let attackers modify system files or applications on the affected systems. Hitachi Energy said it saw no signs of exploitation and discovered the flaws internally. Hitachi says over 10,000 substations use its MicroSCADA X systems, including critical infrastructure sites like airports, hospitals, railways, and data centers.

(Dark Reading)

Fortra fixes hardcoded password issue

The company issued a warning about a critical hardcoded password vulnerability in its FileCatalyst Workflow product. It allows anyone to remotely access an exposed HyperSQL database and create new admin accounts, known in the industry as “a doozy.” It’s unclear how much data this exposes. Fortra said it included HyperSQL to facilitate the installation process, and that the database “is not intended for production use per vendor guidelines.” It recommends users upgrade to version 5.1.7 or later to avoid the issue, as no other mitigations or workarounds for older versions are available.

(Bleeping Computer)

System disruption at the Dutch defense ministry

“Malfunction” and “Ministry of Defense” are words you rarely want in proximity to each other. Yet that’s how the Dutch National Cyber Security Centre described an issue causing widespread disruption across the country. It impacted air traffic control systems, leading to civilian flight cancellations, disrupted logins for Ministry employees, and crashed phone systems. The Dutch NCSC also said that while the outage persists, it cannot send out security advisories. Right now there is no evidence indicating a cyberattack caused the malfunction.

(The Record)

Google ups payouts for Chrome bugs

Google will end its Google Play Store bug bounty this month, but that doesn’t mean it won’t pay security researchers looking at its other platforms. It more than doubled the maximum possible payout in its Chrome Vulnerability Reward Program to over $250,000 for a “demonstrated RCE in a non-sandboxed process” achieved without a renderer compromise. The revamp will also see it differentiate memory corruption vulnerabilities, basing payouts on the quality of the report as well as its potential impact. Beyond this revamp, Google said, “We will continue exploring more experimental reward opportunities [sic] and evolving our program in ways to better serve the security community.”

(Bleeping Computer)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.