In today’s cybersecurity news…
Google’s $23 billion plan to buy Wiz falls apart
Last week, it appeared Google was poised to snap up cybersecurity start-up Wiz for $23 billion, in what would have been its largest acquisition ever. On Monday night, however, Wiz informed its employees that the deal was off and that the company would instead pursue a public listing on a stock exchange. Chief executive Assaf Rappaport said he was flattered by the offers the company received but plans to pursue its previously stated goal of generating $1 billion in recurring revenue ahead of an initial public offering.
(The New York Times and BBC)
U.S. government looking for answers amidst CrowdStrike aftermath
In the wake of the defective CrowdStrike update that disrupted airlines, banks, hospitals and other critical services last Friday, U.S. House leaders are calling on CrowdStrike CEO George Kurtz to testify to Congress about the company’s role in the widespread outage. Republicans who lead the House Homeland Security committee said Monday, “While we appreciate CrowdStrike’s response and coordination with stakeholders, we cannot ignore the magnitude of this incident, which some have claimed is the largest IT outage in history.”
Meanwhile, on Tuesday the U.S. Transportation Department said it was opening an investigation into Delta Air Lines after the carrier canceled more than 5,000 flights since Friday due to the CrowdStrike incident. While other carriers have been able to resume normal operations, Delta canceled 30% or more of its flights daily through Monday and axed or delayed over 1,000 more flights as of midday on Tuesday. Transportation Secretary Pete Buttigieg said the department “will leverage the full extent” of its investigative and enforcement power “to ensure the rights of Delta’s passengers are upheld.”
(SecurityWeek and The Guardian)
dYdX exchange hacked in DNS hijack attack
On Tuesday, the decentralized finance (DeFi) crypto exchange dYdX announced that its older v3 trading platform had been compromised. dYdX warned users not to interact with the hacked dydx[.] platform or withdraw assets until it is deemed safe to use. Attackers allegedly hijacked the platform’s domain and deployed a copycat website that prompted users to connect their wallets. The incident is believed to be linked to a wave of DNS hijacking attacks targeting DeFi crypto platforms that use the Squarespace registrar. The company has regained control of the domain and implemented a fix, but advises users to restart their browser and clear the cache before opening the website.
Hackers shut down heat in Ukrainian city
Ukraine’s Cyber Security Situation Center (CSSC) announced that Windows-based malware, dubbed FrostyGoop, has been linked to a heating outage in Lviv, Ukraine, back in January. The Russian-linked malware was used to attack a municipal district energy company and cut off heat to over 600 apartment buildings for two days during sub-zero temperatures. FrostyGoop is designed to target Modbus TCP communications, a standard industrial control systems (ICS) protocol that carries no authentication of its own. An investigation showed that attackers likely gained access to the network nine months earlier by exploiting a vulnerability in an Internet-exposed MikroTik router. From there, attackers were able to reach four management servers and the district’s heating system controllers, which were not properly segmented from the rest of the network.
(Bleeping Computer and TechCrunch)
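Because Modbus TCP has no authentication, the practical defensive control against tooling like FrostyGoop is network segmentation plus monitoring for write commands from hosts that should never talk to controllers. The following is an added example, not code from the page or from any FrostyGoop analysis: it parses Modbus/TCP frames (the 7-byte MBAP header followed by the PDU) and flags writes from non-allow-listed sources. The IP addresses and frames are constructed for illustration.

```python
"""Flag Modbus/TCP write requests from hosts outside an allow-list (added example)."""
import struct
from dataclasses import dataclass

# Standard Modbus function codes that change controller state.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
# Constructed: the only host (an HMI/engineering station) expected to issue writes.
ALLOWED_WRITERS = {"10.20.0.5"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU: MBAP header (tid, proto, length, unit) + PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload size")
    return ModbusFrame(tid, unit, payload[7], payload[8:])


def flag_unauthorised_writes(observed):
    """Return (src_ip, unit_id, function name) for each write from an unexpected host."""
    alerts = []
    for src_ip, payload in observed:
        frame = parse_modbus_tcp(payload)
        name = WRITE_FUNCTION_CODES.get(frame.function_code)
        if name and src_ip not in ALLOWED_WRITERS:
            alerts.append((src_ip, frame.unit_id, name))
    return alerts


# Constructed traffic: a read and a write from the HMI, then a write to the same
# holding register from an IT-side host that segmentation should have blocked.
SAMPLE_TRAFFIC = [
    ("10.20.0.5", bytes.fromhex("00010000000601030000000A")),      # Read Holding Registers
    ("10.20.0.5", bytes.fromhex("000200000006010600100001")),      # Write Single Register
    ("192.168.50.23", bytes.fromhex("000300000006010600100000")),  # same write, wrong host
]

if __name__ == "__main__":
    for alert in flag_unauthorised_writes(SAMPLE_TRAFFIC):
        print("ALERT: write from %s to unit %d (%s)" % alert)
```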
Phish-friendly domain registry put on notice
On July 16, the Internet Corporation for Assigned Names and Numbers (ICANN) issued a letter to the “.top” domain registry, giving it until mid-August 2024 to establish processes for managing phishing reports and suspending abusive domains. ICANN did not disclose the registry name but indicated it is operated by a Chinese entity called Jiangsu Bangning Science & Technology Co. Ltd. A new report indicates that more than 117,000 .top domains were leveraged in phishing campaigns over the last year. If the registry fails to comply with ICANN’s directive, it will be forced to forfeit its license to sell domains.
Hamster Kombat players targeted in malware attacks
Threat actors are targeting those playing the popular Hamster Kombat game, which launched back in March and now has over 250 million players. Researchers at ESET have identified numerous look-alike versions of the game surfacing in various channels including Google Play, Telegram, and GitHub. These fake distributions install malware including various versions of the Lumma infostealer for Windows and Ratel spyware for Android. The researchers say those interested in Hamster Kombat should obtain it only from the project’s official Telegram channel or website.
Researchers bypass ‘Windows Hello’ authentication
Microsoft’s Windows Hello for Business (WHfB) was introduced in Windows 10 as a phishing-resistant authentication model that uses cryptographic keys embedded in a computer’s Trusted Platform Module (TPM) and linked to biometric or PIN-based verification. Late last year, Accenture’s red team found that WHfB is susceptible to adversary-in-the-middle (AitM) attacks in which an attacker intercepts and alters POST requests to Microsoft’s authentication services, downgrading WHfB to less secure password or one-time-passcode methods and thereby breaking into PCs and laptops. The Accenture team reported the issue to Microsoft, which has issued a fix. The Accenture team will demonstrate the attack at Black Hat USA 2024 in Las Vegas on August 8.
KnowBe4 hires fake North Korean IT worker
On Tuesday, security awareness training firm KnowBe4 said a North Korean operative posing as a software engineer slipped past its hiring background checks. The new hire spent the first 25 minutes on the job using their new Mac to download malware, manipulate session history files, and execute unauthorized software on company systems. KnowBe4 said its security team quickly detected the suspicious activity and contained the infected workstation. The worker’s identity was revealed to be an AI deepfake, one of hundreds of cases of North Korean nation-state operatives posing as IT workers to infiltrate US companies.