In today’s cybersecurity news…
Spyware research report
A new study from the Atlantic Council’s Cyber Statecraft Initiative tracked the evolution of the spyware market, looking at larger players like NSO Group and Intellexa, but also dozens of firms that don’t make the headlines. The study authors said a primary problem with spyware regulations is that they largely rely on self-reporting without wider international cooperation. The researchers also found that in many instances sanctions against a spyware firm did not extend to its subsidiaries, limiting their effectiveness. The study also included a map showing that countries advocating for greater spyware controls are home to many investors in these companies. The report comes after the Centre for Democracy & Technology Europe shared a joint statement from dozens of non-profits calling for a ban on spyware in the EU until a responsible framework for its use is developed.
They found a way to make Cicadas more annoying
The Cicada ransomware group first came on the scene in June 2024 and has hit at least 20 victims since then, mostly SMBs. Now researchers at Morphisec say the group shows “striking similarities” with ALPHV/BlackCat, indicating a rebrand for the threat group. Like ALPHV, Cicada writes its malware in Rust and targets the Windows Volume Snapshot Service to hamper the creation of shadow copies, the point-in-time file replicas used for recovery. The researchers say Cicada shows signs of active development, with updated obfuscation techniques to reduce the effectiveness of static detection tools.
MacroPack red teaming tool used for malware
MacroPack is a tool that can generate payloads in different file types with a single command. Cisco Talos researchers discovered that threat actors began using the payload generator framework to deliver multiple payloads. MacroPack documents uploaded to VirusTotal beginning in May were seen delivering Havoc, Brute Ratel, and the PhantomCore remote access trojan. The researchers believe multiple threat actors used MacroPack for malware, finding several different countries of origin across the clusters of documents.
Latvian sites hit by politically motivated attackers
In interviews with local media, Baiba Kaskina, head of the Latvian computer emergency response team CERT, said that attacks against Latvian sites from threat actors linked to Russia and Belarus have increased since August, just as the country inked a new aid package for Ukraine. These attacks don’t seem focused on stealing data, but rather on disrupting access to services. This includes an attack on the Unified Website Platform, which manages state and local government sites. While the attacks are “well customized” for their targets, Latvian officials say they only managed to slow down operations at sites rather than make them unavailable.
Google backports actively exploited Android flaw
In June 2024, Google patched a privilege escalation flaw on Pixel devices. The company said it saw limited active exploitation in targeted attacks, mostly to stop auto-wiping tools from running. These attacks seem to have come largely from forensics companies. Because the attack required user interaction, its potential scope was more limited despite its high severity. The September 2024 Android security update now patches this flaw in versions back to Android 12.
Fear the Revival Hijack
Typosquatting is nothing new with software repositories. But researchers at JFrog warned about a new take on the approach seen on PyPI, dubbed a “Revival Hijack.” Here, threat actors register a new project under the name of a removed one, so that developers still pulling that name get the malicious code. PyPI warns about this as a theoretical possibility when you try to delete a project. JFrog found a Revival Hijack attack in the wild this past April, hijacking the pingdomv3 package to distribute a trojan. The company estimates PyPI holds over 22,000 deleted packages open to this attack method and registered the most popular of them under the account “security_holding.” Since setting up these placeholder packages, the researchers have seen almost 200,000 downloads from automated scripts and typos.
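One defensive check for the pattern described above, as an added example (not JFrog’s tooling or anything from the original post): audit a hash-pinned lockfile against index metadata and flag a dependency whose name is gone from the index, whose every release is newer than the pin (the name was re-registered), or whose pinned hash no longer matches. Package names, the lockfile, and the metadata are constructed; the metadata shape is modelled on the `releases` field of PyPI’s JSON API.

```python
from datetime import datetime, timezone
import re

# Assumed lockfile line shape: "name==version --hash=sha256:<hex>" (pip's hash-pinning format).
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\S+)\s+--hash=sha256:(?P<sha>[0-9a-f]{64})$")

def parse_pins(text):
    """Map lower-cased package name -> (pinned version, pinned sha256)."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line.strip())
        if m:
            pins[m["name"].lower()] = (m["ver"], m["sha"])
    return pins

def earliest_upload(meta):
    """Oldest upload time across every file of every release, or None if there are no files."""
    times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
             for files in meta["releases"].values() for f in files]
    return min(times) if times else None

def audit(pins, pinned_on, metadata):
    """Return {name: reason} for pins that look revived, missing, or tampered with."""
    findings = {}
    for name, (ver, sha) in pins.items():
        meta = metadata.get(name)
        if meta is None:
            findings[name] = "not on the index: deleted name is open to revival"
        elif (first := earliest_upload(meta)) is None or first > pinned_on:
            findings[name] = "all releases newer than the pin: name was re-registered"
        elif not any(f["digests"]["sha256"] == sha for f in meta["releases"].get(ver, [])):
            findings[name] = f"pinned hash not found for version {ver}"
    return findings

# Constructed sample data (not real packages or real PyPI records).
LOCKFILE = "\n".join([
    "goodlib==1.2.0 --hash=sha256:" + "a" * 64,
    "revivedlib==2.0.1 --hash=sha256:" + "b" * 64,
    "goneutil==0.3.0 --hash=sha256:" + "c" * 64,
])
PINNED_ON = datetime(2024, 1, 15, tzinfo=timezone.utc)   # when the lockfile was generated
METADATA = {  # shape modelled on PyPI's JSON API `releases` field
    "goodlib": {"releases": {"1.2.0": [
        {"upload_time_iso_8601": "2023-05-01T10:00:00Z", "digests": {"sha256": "a" * 64}}]}},
    "revivedlib": {"releases": {"2.0.1": [  # re-uploaded under the old name after deletion
        {"upload_time_iso_8601": "2024-04-10T08:30:00Z", "digests": {"sha256": "d" * 64}}]}},
}

def run():
    return audit(parse_pins(LOCKFILE), PINNED_ON, METADATA)
```

Installing with `pip install --require-hashes` enforces the same hash pins at install time, so a re-registered package with different contents fails to install instead of silently replacing the original.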
D-Link warns about discontinued router vulnerability
If you need another reminder of why you shouldn’t use end-of-life hardware, D-Link has you covered this week. The company warned of four remote code execution flaws in its discontinued DIR-846 router. The two most severe bugs are OS command injection issues that allow full code execution on the router; the other two require authentication or getting past the network parameter first. D-Link discontinued the router back in 202 and “will be unable to resolve device or firmware issues” going forward. It’s unclear how many of these routers remain online.
Cisco merch store down from cyberattack
If you’ve been hankering for some Cisco merch, you’re out of luck at the moment. The company took down the store after unknown threat actors inserted malicious JavaScript into the site to steal sensitive information at checkout, including credit cards and logins. An anonymous security researcher told BleepingComputer the threat actors used the CosmicSting vulnerability to plant the malicious code over Labor Day weekend. Since the merch store is used mostly by Cisco employees, the attack could potentially have let the attackers harvest Cisco credentials.