Russia hacks, WiFi breaches

CybersecurityHQ News

Welcome reader to your CybersecurityHQ report

Brought to you by:

Cypago enables strategic decision making through a full Cyber GRC product suite to help you avoid business reputation impact, financial or client trust losses

Updates:

Happy Thanksgiving! 🍁🍂 Grateful for your support and dedication to staying ahead in cybersecurity. Wishing you a day filled with joy, family, and good food. Stay secure and enjoy the holiday! 🦃✨

Thank you for sharing your thoughts in our recent poll! Your feedback helped us shape our product roadmap, and we’ll be creating new tools based on your input.

Our first tool, the AI Resume and Cover Letter Builder, is almost ready! We're finishing up some minor UI fixes and doing final tests. You can check it out here.

We’re planning to raise funds by giving a small group of people special annual or lifetime access to all our tools. The money we raise will help us create new tools, building on our AI Resume and Cover Letter Builder, which will be included in our premium membership. Stay tuned!

Which city would you choose for our first laid-back meetup: food, drinks and good conversation? No sales.


Weekly Headlines

RomCom Exploits Firefox, Windows Zero-Days

A Russia-linked advanced persistent threat (APT) group, known as RomCom (also tracked as Storm-0978, Tropical Scorpius, and UNC2596), has been exploiting two recent zero-day vulnerabilities in Firefox and Windows to deploy a backdoor, according to ESET. The group conducts both espionage and cybercrime campaigns, targeting sectors such as government, defense, energy, pharmaceuticals, and insurance across the US and Europe.

The exploited vulnerabilities include CVE-2024-9680, a critical use-after-free flaw in Firefox, Thunderbird, and Tor Browser, and CVE-2024-49039, a high-severity Windows Task Scheduler issue. By combining these vulnerabilities, RomCom crafted an attack that required no user interaction. Victims visiting a malicious website were redirected to a legitimate page after the exploit, concealing the attack. The exploit chain installed a backdoor, using shellcode to escape Firefox’s sandbox and elevate privileges via a Windows RPC interface flaw.

ESET flagged most victims in North America and Europe between October 10 and November 4, 2024. Mozilla patched the Firefox flaw on October 9, and Microsoft addressed the Windows bug on November 12. ESET attributes the group’s sophistication to its links with the Russian government, noting its history with Cuba ransomware and its focus on espionage and financial gain.

Hackers Exploit WiFi, Bypass MFA

More Russia news this week—this time from hackers tracked as APT28, also known as Fancy Bear. They have developed a sophisticated "Nearest Neighbor Attack" method, exploiting vulnerable WiFi networks to infiltrate organizations. Cybersecurity firm Volexity reports that attackers chained multiple nearby WiFi networks to bypass robust defenses like multifactor authentication (MFA) at their ultimate target, Organization A.

Starting from Organization C, the attackers breached WiFi and VPN credentials at Organization B before accessing Organization A. This method, conducted from thousands of miles away, relied on compromised wireless credentials and “dual-homed” systems with both wired and wireless connections. The attackers used a PowerShell script to identify accessible networks and connected to the target’s enterprise WiFi.

APT28 employed advanced tactics, such as using built-in Windows tools for erasing evidence, creating shadow copies of critical files, and employing a zero-day privilege escalation tool called GooseEgg. They also exfiltrated data through public-facing servers.

The breach revealed weak security in WiFi systems, prompting Volexity to recommend segregating wired and wireless networks and implementing MFA or certificate-based authentication for WiFi access. The attack demonstrates how proximity-based strategies can be executed remotely with significant impact.
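The pivot described above depends on endpoints that are connected to the wired corporate network and a wireless network at the same time. The following PowerShell script is an added example for defenders, not code from the newsletter or from Volexity's report: it inventories a Windows host's connected adapters and flags the dual-homed condition so such machines can be found before the networks are segregated. It assumes the NetAdapter module (Windows 8 / Server 2012 and later) and an elevated prompt; the function names are the example's own.

```powershell
# Added example (not from the newsletter or Volexity): report whether this host has both a
# wired and a wireless adapter connected, the "dual-homed" condition the Nearest Neighbor
# report describes. Requires the NetAdapter module and an elevated prompt.

function Get-DualHomedStatus {
    [CmdletBinding()]
    param()

    # Only adapters that are actually connected can bridge two networks.
    $up = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }

    # PhysicalMediaType distinguishes Ethernet ('802.3') from Wi-Fi ('Native 802.11').
    $wired    = @($up | Where-Object { $_.PhysicalMediaType -eq '802.3' })
    $wireless = @($up | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' })

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        WiredAdapters    = $wired.Name
        WirelessAdapters = $wireless.Name
        DualHomed        = ($wired.Count -gt 0 -and $wireless.Count -gt 0)
    }
}

# For each connected adapter, show its IPv4 addresses and the Windows network profile,
# so a reviewer can see whether the wireless side is on the corporate SSID or a guest network.
function Get-ConnectedAdapterDetail {
    [CmdletBinding()]
    param()

    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
        $adapter = $_
        $ips     = (Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 `
                        -ErrorAction SilentlyContinue).IPAddress
        $profile = Get-NetConnectionProfile -InterfaceIndex $adapter.ifIndex `
                        -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Name     = $adapter.Name
            Media    = $adapter.PhysicalMediaType
            IPv4     = ($ips -join ', ')
            Profile  = $profile.Name
            Category = $profile.NetworkCategory
        }
    }
}

# Usage: run on the endpoint, or wrap in Invoke-Command to sweep a fleet.
$status = Get-DualHomedStatus
$status | Format-List
if ($status.DualHomed) {
    Write-Warning "Wired and wireless adapters are both connected; this host can bridge the two networks."
    Get-ConnectedAdapterDetail | Format-Table -AutoSize
}
```

Hosts the script flags are candidates for the segregation Volexity recommends; on domain-joined Windows machines the Group Policy setting "Prohibit connection to non-domain networks when connected to domain authenticated network" (under Network > Windows Connection Manager) stops the wireless adapter from joining a second network while the wired corporate connection is active.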

Operation Serengeti Nets 1,006 Arrests

'Operation Serengeti,' a coordinated effort by Interpol and Afripol, led to the arrest of 1,006 individuals across 19 African countries involved in cybercrimes causing nearly $193 million in global financial losses. Conducted between September 2 and October 31, the operation targeted ransomware, business email compromise (BEC), online scams, and digital extortion.

Authorities dismantled 134,089 malicious networks and infrastructures linked to 35,224 victims, recovering $44 million. Key cases included:

  • Kenya: $8.6 million lost in online credit card fraud involving SWIFT transactions.

  • Senegal: A $6 million Ponzi scheme dismantled, affecting 1,811 victims; eight arrests made.

  • Nigeria: A cryptocurrency investment scam netted $300,000 for a single suspect.

  • Cameroon: A marketing scam trafficked victims from seven countries, collecting $150,000 in membership fees.

  • Angola: An international virtual casino fraud led to 150 arrests.

Operational partners like Cybercrime Atlas, Fortinet, and Kaspersky supported the effort.

Nuclear Cybersecurity Efforts Intensify Globally

The push for protecting infrastructure from cyberattack continues. The Nuclear Decommissioning Authority (NDA) in England has launched the Group Cyberspace Collaboration Centre (GCCC) at Herdus House near the Sellafield nuclear plant in Cumbria to bolster defenses against evolving IT threats. The facility aims to enhance knowledge-sharing among experts to protect nuclear sites from cyber risks.

This initiative follows a £332,500 fine issued to Sellafield for breaches in IT security regulations, which left systems vulnerable to unauthorized access and data loss. While no successful cyber attacks have occurred, Sellafield reports significant improvements in its security measures.

The NDA, responsible for cleaning up the UK’s early nuclear sites, also opened a cyber security operations facility in Warrington earlier this year. NDA CEO David Peattie emphasized the agency’s commitment to continuously strengthening its technological and expertise-based defenses. Sellafield reaffirmed its dedication to meeting stringent standards in collaboration with the nuclear regulator to address ever-evolving threats.

Ransomware Disrupts Blue Yonder Operations

A ransomware attack on Blue Yonder, a supply chain management software provider, has disrupted operations for several major clients, including Starbucks, Morrisons, and Sainsbury’s. The Arizona-based company disclosed the attack on November 21, reporting service disruptions in its managed services hosted environment.

Blue Yonder has launched an investigation with the help of a cybersecurity firm and is working to restore services but has not provided a timeline. No ransomware group has claimed responsibility, which often happens only if victims refuse to negotiate or pay.

Blue Yonder serves over 3,000 customers in 76 countries, including retailers, manufacturers, and logistics firms. Starbucks reported issues with payroll and scheduling, while Morrisons reverted to manual systems for warehouse management, impacting product deliveries. Sainsbury’s confirmed disruptions but cited mitigating procedures. Other major clients like Albertsons, Kroger, Ford, and Procter & Gamble have not confirmed impacts.

Bootkitty: Linux's First UEFI Bootkit

Cybersecurity researchers have identified Bootkitty, the first Unified Extensible Firmware Interface (UEFI) bootkit targeting Linux systems. Developed by a group known as BlackCat, the bootkit is considered a proof-of-concept with no evidence of real-world deployment. Uploaded to VirusTotal on November 5, 2024, Bootkitty disables kernel signature verification and preloads two unknown ELF binaries during system startup.

Bootkitty broadens the UEFI bootkit threat landscape, previously thought to be limited to Windows systems. While it uses a self-signed certificate, it cannot operate on systems with UEFI Secure Boot enabled unless an attacker-controlled certificate is pre-installed. The bootkit bypasses UEFI and GRUB integrity checks to patch the Linux kernel in memory.

Researchers discovered a related unsigned kernel module capable of deploying a binary, BCDropper, which loads another kernel module with rootkit-like features such as hiding files and opening ports. This highlights the evolving sophistication of Linux-targeted threats.

U.S. Targets China Cyber Threats

There are multiple stories out of China this week, as the United States intensifies efforts to counter cybersecurity and privacy threats linked to the country.

First off, the Federal Communications Commission (FCC) proposed a $735,000 fine against Eken, a China-based video doorbell manufacturer, for providing false information and exposing users to severe privacy risks. Investigations revealed that Eken's devices allowed access to home IP addresses, WiFi network names, and camera footage with minimal effort.

The FCC also discovered the company’s U.S. agent used a false address. Major retailers like Amazon and Walmart had sold the devices, prompting calls for greater oversight. FCC Chair Jessica Rosenworcel highlighted the potential for misuse, from domestic abuse to state-sponsored surveillance, and announced an audit of other certifications linked to Eken’s designated agent.

And the Salt Typhoon saga—where Chinese-backed hackers gained access to major American telecoms—continues. Senior White House officials met with telecommunications executives on Friday to address China’s “significant cyber espionage campaign targeting the sector,” according to a White House statement.

Hosted by National Security Adviser Jake Sullivan and Deputy Adviser Anne Neuberger, the meeting focused on strengthening collaboration between the government and private sector to defend against sophisticated state-sponsored attacks.

Earlier this month, U.S. authorities revealed China-linked hackers intercepted surveillance data intended for law enforcement after breaching multiple telecom companies. Senator Mark Warner called it the “worst telecom hack in our nation’s history.” Beijing denies the allegations, dismissing claims of cyber operations targeting foreign systems.


Interesting Read

[Source: Kristen Radtke and The Verge]

A recent online comic by Kristen Radtke (and published on The Verge) explores the evolution of baby monitors—and yes, it has gotten as creepy as you might imagine in the year 2024. Gone are the days of little walkie-talkie-style contraptions. Now, you can get live video feeds, motion sensors, the works.

But beyond the infosec level of the story, what does the hyper-rich information do to a parent? Yes, we can track the baby’s breathing at all times of day, but is that actually good information to have swirling in your head?

The comic ends up exploring not only the data capture of these devices but also the psychological impact such data has on us. A fascinating read.


Stay Safe, Stay Secure.

The CybersecurityHQ Team
