Cybersecurity News: Julian Assange plea, Latest MOVEit bug, Neiman Marcus data sale

In today’s cybersecurity news…

Julian Assange to plead guilty and return to Australia

On Wednesday, WikiLeaks founder Julian Assange is scheduled to plead guilty to a single criminal charge in a District Court on Mariana Island, a US territory in the western Pacific Ocean. In 2010, Assange released around 750,000 classified or sensitive documents on WikiLeaks, representing one of the largest leaks of state secrets in US history. Initially, the US filed 18 charges carrying a maximum penalty of 175 years in prison. Assange is expected to admit to unlawfully obtaining and disseminating classified information relating to U.S. national defense. The plea deal will end a long extradition battle with the United States government and reportedly allows Assange to avoid further jail time. Assange is then expected to reunite with his wife in his home country of Australia.

(Ars Technica)

Fresh MOVEit bug under attack just hours after disclosure

A new high-severity vulnerability in Progress Software’s MOVEit Transfer software (CVE-2024-5806) is being actively exploited just hours after it was made public. Researchers determined that attackers could exploit the bug in two ways. The first method uses a “forced authentication” attack with a malicious SMB server and a valid username. In the second scenario, a threat actor could impersonate any user on the system by uploading their own SSH public key to the server without logging in, then using that key to authenticate. Admins should move to patched versions as soon as possible. MOVEit Transfer was infamously targeted last year in a rash of Cl0p ransomware attacks that affected at least 160 victims, including British Airways, the state of Maine, Siemens, and UCLA.

(Dark Reading)

Criminal claiming to sell Neiman Marcus customer info for $150K

A threat actor named Sp1d3r is claiming they’ve stolen personal information of Neiman Marcus customers and are selling it on the dark web for $150,000. The fancy department store chain appears to be the latest victim to have data swiped from its cloud-based Snowflake storage system. The company’s disclosure indicates that, between April and May, an intruder accessed personal info of more than 64,000 shoppers, including names, contact information, dates of birth, and gift card numbers (but not the gift card PINs). The company declined to answer whether it had turned on multi-factor authentication (MFA) for that database, a common oversight among victims of the recent rash of Snowflake account raids.

(The Register)

New Microsoft Management Console attack found in wild

Threat actors are using a new attack technique, dubbed GrimResource, that allows them to gain full code execution through Microsoft Management Console. Researchers at Elastic Security Labs uncovered the new technique after a sample was uploaded to VirusTotal on June 6. GrimResource leverages specially crafted MSC files to execute arbitrary JavaScript code in Microsoft Management Console (mmc.exe). The attack takes advantage of an old XSS flaw present in the apds.dll library. While the attack leverages obfuscation techniques to evade ActiveX security warnings, there is hope. The researchers have published detection rules and guidance to help organizations identify signs of the new attack.

(The Cyber Express)

And now a word from our sponsor, Prelude

Don’t be left wondering if you’re protected the next time a new threat hits the news. Week in review listeners can upload their threat intelligence to Prelude and receive a free bundle of relevant detection rules, hunt queries, and security tests. Any piece of threat intelligence. All in 30 minutes. Upload yours at Preludesecurity.com/threats

Plugins on WordPress.org backdoored in supply chain attack

A threat actor successfully altered the source code of at least five plugins hosted on WordPress.org. The infected plugins attempt to create new admin accounts and inject Search Engine Optimization (SEO) spam into the compromised website. The attack was discovered by Wordfence researchers on Monday, but the malicious injections appear to have occurred between June 21 and June 22. Plugin developers have already released patches for most products as of Monday. The five plugins have been installed on more than 35,000 websites and the researchers said anyone using them should consider them compromised and upgrade immediately to the patched versions.

(Bleeping Computer and Dark Reading)

New Medusa trojan variant emerges

Last week, researchers at Cleafy published an analysis which revealed new fraud campaigns featuring an updated version of the Medusa (TangleBot) banking Trojan. The campaigns trick Android users into installing the malware, which is known for its remote access Trojan (RAT) capabilities, including keylogging, screen control, and SMS reading and writing. However, the updated Medusa samples use a more lightweight permission set and new features like full-screen overlay displays and remote uninstallation of applications. Medusa was first discovered in 2020 and targeted Turkish financial institutions. However, the new campaigns have expanded their scope to include targets in France, Italy, the United States, Canada, Spain, and the United Kingdom.

(Bleeping Computer and Infosecurity Magazine)

Former Federal CISO DeRusha lands at Google Cloud

According to a press release on Tuesday, former federal chief information security officer and deputy national cyber director, Chris DeRusha, is joining Google Cloud to lead the tech giant’s global public sector compliance work. In more than three years in the federal CISO role, DeRusha was pivotal in the development of the White House’s artificial intelligence executive order, as well as the 2021 executive order on cybersecurity and the subsequent national cybersecurity implementation plan. He also led the 25-member council of agency CISOs and oversaw agency-wide implementation of multifactor authentication. DeRusha will report to Google Cloud’s global director of security and compliance, Jeanette Manfra. He is expected to lead the expansion of Google Cloud’s suite of artificial intelligence, cloud computing and security products within the public sector, both in the United States and abroad.

(FedScoop)

Meta’s VR headset vulnerable to ransomware attacks

Spatial computing attacks targeting VR headsets are rare. Possibly the first-ever such hack against Apple’s Vision Pro became public knowledge just a couple of weeks ago. But now, researcher Harish Santhanalakshmi Ganesan has demonstrated a method of delivering any malware to Meta’s Quest 3 headset without using developer mode. Meta uses a restricted version of the Android Open Source Project (AOSP) which allows installation of any Android Package (APK), just as on an Android phone. He then used an app from Meta’s App Lab to install CovidLock ransomware on his headset. CovidLock masquerades as a COVID-19 tracker app and tricks users into gradually granting enough permissions to lock them out of the device and display a ransom note. Ganesan doesn’t expect a response or patch from Meta because the attack doesn’t exploit a vulnerability in Meta Quest 3. Rather, the research demonstrates that people could be tricked into sideloading malware onto the device.

(SecurityWeek)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.