In today’s cybersecurity news…
State Department’s disinformation office to close after funding terminated
Congressional lawmakers have excluded any new funding for the office responsible for fighting global disinformation beyond this year. Known as The Global Engagement Center, it actually lost its authority on Dec. 24, despite a concerted push by State officials to lobby Congress for an extension. This has proven to be a source of frustration given the increasing activities of nation states delivering misinformation to countries around the world, especially where elections are occurring.
Pittsburgh Regional Transit suffers ransomware attack
This attack, which was first detected on December 19, caused disruptions to public transportation including on some parts of the city’s rail service and some rider services. According to The Record, “IT officials at PRT are still examining whether data was stolen and pledged to provide public updates as the investigation evolves.” The agency has declined to answer questions about what group was behind the attack and when full service would be restored.
Another Mirai botnet targets NVRs and TP-Link routers
This particular botnet is “actively exploiting a remote code execution vulnerability that has not received a tracker number and appears to be unpatched in DigiEver DS-2105 Pro NVRs.” This attack campaign started in October. It seeks out network video recorders and TP-Link routers that have outdated firmware. The vulnerability exploited to compromise DigiEver NVRs is a remote code execution (RCE) flaw. Compromised devices are then used to “conduct distributed denial of service (DDoS) attacks or to spread to other devices by leveraging exploit sets and credential lists.”
Critical SQL injection vulnerability in Apache Traffic Control demands urgent patch
According to The Hacker News, “the Apache Software Foundation has shipped security updates to address a critical security flaw in Traffic Control that, if successfully exploited, could allow an attacker to execute arbitrary Structured Query Language (SQL) commands in the database.” This vulnerability has a CVSS rating of 9.9. Users are recommended to update their instances to the latest versions of the software as soon as possible.
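The root cause behind this class of flaw is a query built by splicing untrusted input into SQL text. The following is an added illustration, not code from Apache Traffic Control or from the advisory: it uses a constructed in-memory SQLite table (a stand-in schema, not Traffic Control's) and places the string-built query next to the parameterized form that the fix for any SQL injection bug converges on.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory table standing in for a real
    # application database (assumption: not Apache Traffic Control's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "operator")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable pattern: the caller's input is spliced into the SQL text, so
    # a quote character inside `name` changes the structure of the statement
    # instead of being treated as part of the value being searched for.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized query: the driver binds `name` as a value, so it can
    # never be parsed as SQL no matter which characters it contains.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed input that a vulnerable endpoint would receive unchanged.
    tainted = "nobody' OR '1'='1"
    print("unsafe:", lookup_unsafe(conn, tainted))  # returns every row
    print("safe:  ", lookup_safe(conn, tainted))    # returns no rows
```

The same input yields the whole table from the string-built query and nothing from the bound query; a code review or static check that flags any f-string or concatenation feeding `execute()` is the cheapest way to catch the unsafe pattern before it ships.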
Huge thanks to our sponsor, ThreatLocker

ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.
To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit ThreatLocker.com.
North Korean hackers seen using new tools on employees of nuclear-related organization
According to Kaspersky, this campaign has been attributed to the Lazarus Group and occurred earlier this year using an array of malware, including newly identified tools. The attack on the unnamed nuclear organization involved what was referred to as “alarming twists” on their usual approaches, including “a complex infection chain that included multiple types of malware, such as a downloader, loader, and backdoor, demonstrating the group’s evolved delivery and improved persistence methods.”
Charming Kitten deploys C++ malware
According to Kaspersky, the hacking group based out of Iran “has been observed deploying a C++ variant of a known malware called BellaCiao.” This new version, named BellaCPP, was found inside a system in Asia that had also been infected with the BellaCiao malware. Unlike BellaCiao, BellaCPP does not use a web shell to upload and download arbitrary files and run commands. This new variant is one of many custom malware families that the Charming Kitten actor has developed.
Ruijie Networks’ cloud platform flaws could expose devices to remote attacks
Researchers at Claroty discovered the flaws, which they say affect both the Ruijie platform and Reyee OS network devices. If exploited, they could “allow a malicious attacker to execute code on any cloud-enabled device, giving them the ability to control tens of thousands of devices.” Of the 10 vulnerabilities discovered by Claroty, three are rated critical in severity with CVSS scores of 9.4, 9.8 and 9.8. Their research also found that MQTT authentication could easily be broken by knowing a device’s serial number, which could then be used to gain access to Ruijie’s MQTT broker and receive a full list of all cloud-connected devices’ serial numbers.
European Space Agency’s official store hacked to steal payment cards
The hack occurred at the Agency’s official online merchandise store and included a malicious script that sought to collect customer information, including payment card data provided at the final stage of a purchase. “E-commerce security company Sansec noticed the malicious script on December 23 and warned that the store appeared to be integrated with ESA systems, which could pose a risk to the agency’s employees.” The web store is currently unavailable, showing a message that it is “temporarily out of orbit for some exciting renovations.”