In today’s cybersecurity news…
CISA launches International Cybersecurity Plan
The plan is the first for CISA, aiming to increase international cooperation, specifically on securing critical infrastructure. The plan sets out three goals to accomplish by 2026. The first is to bolster the resilience of the foreign infrastructure on which the US depends. This will see CISA work with international partners on risk assessments and on expanding visibility into shared threats. The plan also calls for working with partners to strengthen integrated cyber defenses, including steering international bodies and NGOs to adopt secure-by-design principles. The final goal calls for the CISA Stakeholder Engagement Division to create a governance structure to advise on international cybersecurity matters.
North Korean hackers tied to Play ransomware
Researchers at Palo Alto Networks’ Unit 42 claim that the North Korean state-sponsored group Andariel shows links to the Play ransomware organization, likely operating as an affiliate or an initial access broker. The researchers found that a previous Andariel compromise in May precipitated a September 2024 Play ransomware attack. Both attacks used the same compromised account for initial access and the same C2 beacon until just before the ransomware was deployed. The US sanctioned Andariel in 2019, meaning many ransomware negotiators would refuse any direct payment. Working as a Play affiliate may be a way around those sanctions.
FakeCall learns new tricks
FakeCall malware has been around on Android since at least 2022, allowing malicious actors to control access to incoming phone calls and communicate back to a C2 server. Researchers at Zimperium zLabs discovered the makers of FakeCall are actively developing new features. This includes integrating with Accessibility Services to capture screen information and use overlays to impersonate sites. The researchers also note that the updates to FakeCall add to its use as spyware, with an eye for persistence and the ability to monitor mics, Bluetooth status, and screen activity.
Cloud credentials stolen from Git config files
Researchers at Sysdig discovered a large-scale campaign that scanned for exposed Git configuration files. Dubbed “EmeraldWhale,” the malicious actors scanned websites with commodity tools to see if the .git/config file was exposed, verified any tokens found in it using curl commands, and then downloaded the private repositories those tokens granted access to. These were then scanned for further authentication tokens or secrets. The researchers estimate EmeraldWhale stole 15,000 cloud credentials in this largely unsophisticated campaign.
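As an added illustration (not from the Sysdig report or this episode) of what makes an exposed .git/config dangerous, the script below parses a constructed sample config the way a defender auditing their own repositories or web hosts might: it flags remote URLs that embed a username and token, flags the plaintext credential helper, and recognises when an HTTP response body is a git config rather than the 403 or 404 a hardened server should return for that path. The helper names and the sample token are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed sample of a .git/config that has a token baked into a remote URL
# and uses the plaintext "store" credential helper. The token is a made-up value.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://deploy-bot:ghp_EXAMPLETOKEN1234567890@github.com/example-org/private-app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:example-org/private-app.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
[credential]
\thelper = store
"""


def parse_git_config(text):
    """Minimal parser for git's INI-like config format (hypothetical helper, not git's own code).

    Git indents keys with a tab, which configparser would treat as continuation
    lines, so the sections are walked by hand. Returns {section: {key: value}}.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()      # e.g. 'remote "origin"'
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def find_embedded_credentials(text):
    """Return (section, redacted_url) for every http(s) remote whose URL carries user:token.

    scp-style URLs (git@host:path) have no userinfo part and are skipped.
    """
    findings = []
    for section, keys in parse_git_config(text).items():
        url = keys.get("url")
        if not url:
            continue
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.username and parts.password:
            # Never log the secret itself; keep enough to locate and rotate it.
            findings.append((section, url.replace(parts.password, "***")))
    return findings


def risky_settings(text):
    """Flag config choices that make a leak worse even when no token is in the file."""
    cfg = parse_git_config(text)
    issues = []
    if cfg.get("credential", {}).get("helper") == "store":
        issues.append("credential.helper=store keeps tokens in plaintext ~/.git-credentials")
    return issues


def is_git_config_body(body):
    """True if an HTTP response body for /.git/config is a real git config.

    Used when checking one's own hosts: a hardened server should answer with an
    error page, not the file. A [core] section with repositoryformatversion is
    the fingerprint git itself writes on 'git init'.
    """
    cfg = parse_git_config(body)
    return "core" in cfg and "repositoryformatversion" in cfg["core"]


if __name__ == "__main__":
    for section, url in find_embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"embedded credential in [{section}]: {url}")
    for issue in risky_settings(SAMPLE_GIT_CONFIG):
        print(f"risky setting: {issue}")
    print("sample body is a git config:", is_git_config_body(SAMPLE_GIT_CONFIG))
```

Any hit from find_embedded_credentials means the token should be rotated, not just removed from the file, since git history and any prior exposure may already contain it; the server-side fix is to deny the .git directory entirely in the web server configuration rather than to rely on the file not being guessed.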
Thanks to today’s episode sponsor, Dropzone AI

The post-quantum encryption story that wasn’t
Earlier this month, we discussed a research paper from Shanghai University published in September that was said to show an attack on algorithms used in AES with a D-Wave Advantage system. This story was initially published in the South China Morning Post but wasn’t linked to the paper. Dan Goodin at Ars Technica noted that other outlets mistakenly linked to an earlier paper by the same research team that also dealt with post-quantum cryptography. Goodin subsequently found the actual September research paper, which doesn’t deal with attacking AES at all. Instead, it shows a method for “using a D-Wave-enabled quantum annealer to find ‘integral distinguishers up to 9-rounds’ in the encryption algorithms known as PRESENT, GIFT-64, and RECTANGLE.” This doesn’t represent a new capability of quantum computing; classical attacks have been able to do the same for years. Researchers contacted by Goodin for the story said the paper shows being able to perform a classical attack with the same relative efficiency on a quantum system.
US county websites vulnerable to spoofing
A report from Comparitech found that 57% of the 3,144 US county websites used a non-.gov domain, opening the door to simple domain spoofing by malicious actors. This varied wildly; all Arizona counties used .gov domains, while 72% of Michigan counties did not. 85 websites lacked an SSL certificate. Looking at contact emails on the county sites, the report found that 41% lacked DMARC authentication, and about 3% of sites used generic webmail addresses. The researchers warned that search engines could be gamed to push people to spoofed county sites and recommended that users needing election information go to state sites.
NAS makers patch Pwn2Own bugs
At the Pwn2Own Ireland event, security researchers demonstrated several vulnerabilities that affected popular NAS hardware. Synology patched two critical remote code execution vulnerabilities that affected two of its photo products. QNAP released an advisory noting that it patched a critical OS command injection vulnerability in its HBS 3 Hybrid Backup Sync disclosed at the event. TrueNAS issued an advisory with mitigations for flaws impacting its products at Pwn2Own; patches remain in development. Overall, the two-day event netted security researchers over $1 million in bug bounties.
Colorado posts voting system passwords online
Colorado Secretary of State’s office spokesperson Jack Todd confirmed that the passwords had been available online for several months. They were posted on a hidden tab of a spreadsheet available online; it’s unclear if anyone accessed the document. Colorado Secretary of State Jena Griswold said this leak was not a security threat, as access to any component requires two passwords “kept in separate places and held by different parties.” Griswold further said election officials are in the process of changing passwords and reviewing all access logs. The state immediately notified CISA when it discovered the leak.