Cybersecurity News: $20 WHOIS vulnerability, India’s Cyber Commandos, Word hits drone makers

The $20 WHOIS vulnerability

Researchers at watchTowr Labs discovered that the WHOIS server for the .mobi top-level domain had migrated to a new domain, so they spent $20 to acquire the legacy domain and spun up a WHOIS server on it to identify who was still querying it. In a week, the researchers identified 135,000 unique systems connecting to the server, including certificate authorities and popular domain registrars. If abused by threat actors, such a server could be used to issue certificates for domains, target individual communications, and co-sign malware. Instead, the team crafted a response telling clients to switch over to the new domain. watchTowr CEO Benjamin Harris characterizes the WHOIS security challenge, saying “People are effectively treating infrastructure as temporary but with very, very permanent effects on what it gives access to, what it authorizes, where it’s trusted.”

(The Register, watchTowr Labs)

India training thousands of “cyber commandos”

India’s Ministry of Home Affairs revealed several major cyber initiatives. It plans to train 5,000 people over the next five years as part of a dedicated corps of “cyber commandos” to deploy at state governments and police organizations. The ministry also plans to create a Cyber Fraud Mitigation Centre to provide a centralized cybercrime data-sharing platform for law enforcement. This will be complemented by a Cyber Suspect Registry, which does what it says on the tin, and will be interconnected across states in the country. These three initiatives will operate under the Indian Cyber Crime Coordination Centre, as a national coordination platform.

(The Register)

A Word of warnings for Taiwanese drone makers

Researchers at Acronis discovered an attack vector dubbed “WordDrone,” which uses a DLL sideloading technique in the Microsoft Word installation process to install a backdoor. The researchers saw this approach used in two-stage attacks between April and July 2024 against an unnamed Taiwanese drone maker. The attack uses three parts: a copy of Word 2010, a wwlib.dll file, and a randomly named file. The attackers used Word to load wwlib.dll, which then loads the actual payload from the randomly named file. This installs the ClientEndPoint backdoor. The researchers suspect the attackers used the ERP software Digiwin for initial access. Dark Reading notes Trend Micro reported on the TIDrone threat actor using ERP software to attack a Taiwanese drone company earlier this month, but there is no clear link between the two.

(Dark Reading)
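The WordDrone chain described above relies on a legitimate, signed copy of Word loading a wwlib.dll that sits beside it instead of the one from the real Office install. That gives defenders a narrow, checkable signal: winword.exe running from, or loading wwlib.dll from, somewhere other than an Office install directory, especially when the DLL carries no valid signature. The following is an added illustration of that detection rule, not code from Acronis or Dark Reading; the image-load events are constructed samples, and the trusted Office install roots are an assumption you would adjust for your own environment.

```python
"""Heuristic detection of Office DLL sideloading (WordDrone-style).

Added example: flags winword.exe / wwlib.dll image-load events that fall
outside the expected Office install directories or lack a valid signature.
Sample events are constructed, not real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: where a legitimate Office install (and its wwlib.dll) lives.
# Paths are lowercased so comparisons are case-insensitive, as on Windows.
TRUSTED_OFFICE_ROOTS = (
    PureWindowsPath(r"c:\program files\microsoft office"),
    PureWindowsPath(r"c:\program files (x86)\microsoft office"),
)


@dataclass(frozen=True)
class ImageLoadEvent:
    process_path: str    # full path of the process image (e.g. winword.exe)
    module_path: str     # full path of the DLL that was loaded
    module_signed: bool  # True if the DLL has a valid Microsoft signature


@dataclass(frozen=True)
class Finding:
    event: ImageLoadEvent
    reasons: tuple


def _under_trusted_root(path: PureWindowsPath) -> bool:
    """True if `path` is one of the trusted roots or lies beneath one."""
    return any(root == path or root in path.parents for root in TRUSTED_OFFICE_ROOTS)


def analyze(events):
    """Return a Finding for every winword.exe -> wwlib.dll load that looks sideloaded.

    The second stage (the randomly named payload file) is not an image load of a
    known name, so this rule deliberately scopes itself to the first hop only.
    """
    findings = []
    for ev in events:
        proc = PureWindowsPath(ev.process_path.lower())
        mod = PureWindowsPath(ev.module_path.lower())
        if proc.name != "winword.exe" or mod.name != "wwlib.dll":
            continue  # other process/module pairs are out of scope for this rule
        reasons = []
        if not _under_trusted_root(proc):
            reasons.append("winword.exe running outside Office install roots")
        if not _under_trusted_root(mod):
            reasons.append("wwlib.dll loaded from outside Office install roots")
        if not ev.module_signed:
            reasons.append("wwlib.dll lacks a valid Microsoft signature")
        if reasons:
            findings.append(Finding(ev, tuple(reasons)))
    return findings


# Constructed sample telemetry: one benign load, one WordDrone-like load,
# and one unrelated event the rule should ignore.
SAMPLE_EVENTS = [
    ImageLoadEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll",
        True,
    ),
    ImageLoadEvent(
        r"C:\Users\victim\AppData\Local\Temp\office2010\WINWORD.EXE",
        r"C:\Users\victim\AppData\Local\Temp\office2010\wwlib.dll",
        False,
    ),
    ImageLoadEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        r"C:\Windows\System32\kernel32.dll",
        True,
    ),
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"ALERT {f.event.process_path} -> {f.event.module_path}")
        for r in f.reasons:
            print(f"  - {r}")
```

Each reason is reported separately so an analyst can tell a portable copy of Word dropped into a user profile (both paths outside the roots) from a tampered DLL inside a real install (only the signature check fires). Feed it real image-load telemetry (Sysmon Event ID 7, for instance) once the trusted roots match your estate.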

UK agencies to coordinate cyber reporting efforts

The UK’s Information Commissioner’s Office (ICO) and National Crime Agency (NCA) signed a memorandum of understanding to coordinate on improving cyber resilience. Under the agreement, the ICO will encourage victims to engage with the NCA after incidents and will share anonymized data with the NCA to improve visibility into cyber incidents, and the two will collaborate on guidance, standards, and education around cybersecurity topics.

(Infosecurity Magazine)

Huge thanks to our sponsor, Vanta

When it comes to ensuring your company has top-notch security practices, things can get complicated, fast. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money. With Vanta, you can unify your security program management and proactively manage security reviews with AI-powered security questionnaires. Our listeners get $1,000 off at vanta.com/headlines. That’s vanta.com/headlines.

Quad7 botnet learning new tricks

The Quad7 botnet first came to light back in October 2023, named because it exposes TCP port 7777. It initially enrolled exposed TP-Link routers and Dahua DVRs into malicious service. Now researchers at the cybersecurity firm Sekoia have found it expanding its list of targets to include a variety of SOHO routers and VPN appliances from TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR. It also started deploying a new backdoor that establishes a reverse shell to execute further commands from a C2 server. Right now the botnet primarily targets Bulgaria, the US, and Ukraine. The researchers suspect a Chinese state-sponsored threat actor operates Quad7, but so far have only seen it doing brute-force attempts against Microsoft services.

(The Hacker News)

Gallup patches site flaws

Researchers at Checkmarx discovered two cross-site scripting flaws in the kiosk app used by Gallup, a version of its site used to launch surveys. While not high-severity flaws, they opened the door to impersonating users and accessing account data, and potentially to executing arbitrary code in a victim’s browsing session to carry out an account takeover. The researchers found no evidence of exploitation in the wild. They notified Gallup of the flaws back in June, and the flaws were patched before Checkmarx published proofs of concept for them.

(Infosecurity Magazine)

Microsoft adds post-quantum support

The Redmond giant joined the growing number of companies preparing for the advent of practical quantum computing. It added post-quantum algorithms to SymCrypt, its open-source cryptographic library used in Azure, Microsoft 365, and Windows products. So far Microsoft has added support for the ML-KEM and XMSS algorithms, with plans to add 3 more in the coming months. Microsoft cautioned that these initial post-quantum algorithms shouldn’t be seen as definitive, but rather as part of an evolving cryptography solution.

(Security Week)

Remote access tools plague operational technology

According to a new study by Claroty’s Team82 that looked at over 50,000 remote access-enabled devices, businesses frequently use “non-enterprise grade” tools on networked operational technology devices. These lack the central management and visibility OT network admins need. The study found that 79% of organizations use two or more remote access tools that don’t meet enterprise security standards, often consumer offerings without multi-factor authentication, or simply discontinued software still in use.

(Dark Reading)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.