Cybersecurity News: Medusa ransoms infrastructure, Google breakup sought, more Booking.com phishing

In today’s cybersecurity news…

Medusa ransomware continues to attack infrastructure

In a joint alert released March 12, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are warning that as of February of this year, “Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing.” The group, which is unrelated to MedusaLocker, engages in double extortion and uses phishing and unpatched vulnerabilities for initial access. The group’s practices include “disabling security software, terminating processes related to backups, security, data sharing, and communication, and erasing shadow copies to prevent file recovery.” A link to the alert is available in the show notes to this episode.

(Security Week and CISA)

DoJ seeks to break up Google

As posted in The Cyberwire, “on Friday, the Department of Justice (DOJ) submitted a request that would aim to break up Google by forcing the company to sell Chrome. In its filing, the DOJ stated that Google’s illegal conduct has created an economic goliath, one that wreaks havoc over the marketplace to ensure that no matter what occurs, Google always wins.” These filings follow a 2023 antitrust case in which “Google was found guilty of monopolistic practices regarding the company’s search engine services,” as well as a second antitrust lawsuit from 2024 that is “examining whether the company has also engaged in monopolistic behaviors related to its advertising business.” The ruling, expected this summer, “has the potential to significantly impact how Google operates, how users interact with its services, and the overall landscape of the search engine business.”

(The Cyberwire)

Another phishing campaign hits Booking.com

Employees at hotels around the world are being tricked once again by cybercriminals impersonating the reservations portal Booking.com. The gang behind this attack is Storm-1865, which in 2023 and again in 2024 used faked customer complaints and other messages as lures. This year, according to Microsoft, the attackers are using a technique called “ClickFix” that “attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware,” using a fake CAPTCHA overlay that asks users to prove their humanity by pressing the Windows key, followed by CTRL-V and Enter, which actually triggers the download of malicious code.

(The Record and Microsoft)
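A quick triage check for this pattern, added here as an illustration and not taken from the episode or from Microsoft’s report: it assumes the pasted command went through the Windows Run dialog, whose history Windows keeps under the RunMRU registry key, and the list of suspicious substrings is a constructed starting point rather than a published signature.

```powershell
# Added defensive example (not from the episode or Microsoft's report).
# ClickFix lures have the user paste a command and press Enter; when that goes
# through the Run dialog, Windows records the entry under RunMRU, so reviewing
# that key on a suspect host is a fast triage step.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Constructed, illustrative substrings; tune for your environment (assumption).
$suspicious = @(
    'powershell',   # inline PowerShell launched from the Run box
    '-enc',         # encoded-command switch
    'mshta',        # HTML application host used to fetch remote scripts
    'curl ',        # download utilities
    'http://', 'https://'
)

function Get-RunMruEntries {
    if (-not (Test-Path $runMru)) { return @() }
    $props = Get-ItemProperty -Path $runMru
    # MRUList holds the order, most recent first; each letter names a value.
    $order = ([string]$props.MRUList).ToCharArray()
    foreach ($letter in $order) {
        $name = [string]$letter
        $raw = $props.$name
        if ($null -ne $raw) {
            # Entries are stored as "<command>\1"; strip the trailing marker.
            [pscustomobject]@{
                Slot    = $name
                Command = ($raw -replace '\\1$', '')
            }
        }
    }
}

function Find-SuspiciousRunEntries {
    Get-RunMruEntries | Where-Object {
        $cmd = $_.Command
        ($suspicious | Where-Object { $cmd -match [regex]::Escape($_) } |
            Select-Object -First 1) -ne $null
    }
}

# Print any Run-dialog history entries that match the watch list.
Find-SuspiciousRunEntries | Format-Table -AutoSize
```

RunMRU only covers commands that went through the Run dialog and is per user, so treat a hit as a lead for further investigation (process creation logs, clipboard-launched scripts) rather than a verdict.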

Grafana vulnerabilities possibly targeted in large scale SSRF exploitation campaign

Researchers from security intelligence firm GreyNoise are reporting on a campaign that spiked over the past weekend in which server-side request forgery (SSRF) bugs in multiple popular platforms were exploited to allow threat actors to “map internal networks, identify vulnerable services, and steal credentials for cloud services.” SSRF vulnerabilities “played a major role in the 2019 Capital One breach, which impacted over 100 million people.” GreyNoise said more than 400 IPs were observed targeting products from GitLab, VMware, Ivanti, and others. The attacks focused on organizations in the U.S., Germany, India, Japan, Singapore, Israel, and the Netherlands.

(Security Week)

Thanks to today’s episode sponsor, Vanta

Do you know the status of your compliance controls right now? Like…right now?

We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks.

But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done 5 times faster with AI.

Now that’s…a new way to GRC. Get started at Vanta.com/headlines

Chinese spy group exploits Juniper Networks routers

Researchers at Mandiant are warning of a state-backed espionage group operating out of China, UNC3886, targeting routers made by Juniper Networks. This is a group we reported on in June 2023, when they were exploiting a VMware ESXi zero-day. In this latest report, Mandiant says the group was involved in a project to deploy custom backdoors on Junos OS routers and that the group’s focus is “mainly on defense, technology, and telecommunication organizations located in the U.S. and Asia.” They pointed out that the affected routers were running end-of-life hardware and software, but also that the malware deployed on the Juniper routers “demonstrates that UNC3886 has in-depth knowledge of advanced system internals.”

(The Record)

Update Firefox before certificate expires, says Mozilla

This warning is intended to help Firefox users avoid disruption and security risks “caused by the upcoming expiration of one of its root certificates,” which is happening today, Friday, March 14. The certificate “was used to sign content, including add-ons for various Mozilla projects and Firefox itself.” Users should “update their browsers to Firefox 128 (released in July 2024) or later and ESR 115.13 or later for ‘Extended Support Release’ (ESR) users.”

(BleepingComputer)

ScarCruft deploys new Android spyware KoSpy to target Korean and English-speaking users

The threat actor, based in North Korea, is apparently behind a previously undetected Android surveillance tool named KoSpy that was used to target Korean and English-speaking users. We have reported on this group before, most recently last October. Threat intelligence group Lookout Research says this is a “relatively new malware family with early samples going back to March 2022,” adding, “KoSpy has been observed using fake utility application lures, such as ‘File Manager’, ‘Software Update Utility’, and ‘Kakao Security,’ to infect devices.” It was distributed through the Google Play Store and Firebase Firestore, but the apps have since been removed from Google Play, and the associated Firebase projects have been deactivated by Google.

(Security Affairs)

Historic $40M USF gift hopes to solidify Tampa Bay as “Cyber Bay”

In the good news department, a record-setting gift of $40 million from Arnie and Lauren Bellini intends to establish the Bellini College of Artificial Intelligence, Cybersecurity and Computing, part of the University of South Florida, as the first named college in the U.S. dedicated exclusively to the convergence of AI and cybersecurity. Arnie Bellini is “a tech entrepreneur and investor who built ConnectWise into a billion-dollar cybersecurity and IT services leader before it was sold in 2019,” and was thus instrumental in helping Tampa’s tech boom. He’s now the CEO of Bellini Capital, where he “continues to champion Florida’s transformation into a global technology powerhouse.”

(USF/NPR)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.