Welcome to the first edition of Nomios Weekly CyberWednesday, where we bring you the most important cybersecurity and networking updates from around the world. This week, we explore major incidents, new vulnerabilities, and evolving threats that could affect IT professionals and large enterprises across Europe.
1. Microsoft reduces cloud attack surface with Secure Future Initiative
Microsoft has taken decisive steps to improve its cloud security by removing 730,000 unused apps and deactivating 5.75 million inactive tenants. These actions are part of the company’s Secure Future Initiative (SFI), launched in November 2023 after high-profile breaches by Chinese and Russian threat actors. Notably, Microsoft’s cloud infrastructure was infiltrated by Storm-0558, allowing access to email accounts of senior government officials, sparking serious security concerns.
Microsoft has also strengthened its identity management with updates to Entra ID, implemented video-based identity verification for 95% of its production staff, and deployed 15,000 hardened devices for production teams. These sweeping changes underscore Microsoft’s dedication to reducing attack surfaces and protecting sensitive cloud environments. Source: Dark Reading
2. MoneyGram Suffers Service Outage Following Cyberattack
Money transfer giant MoneyGram has been grappling with a cyberattack that began on September 22, 2024, and has caused significant outages across its services. The company proactively took its systems offline to contain the incident, resulting in continued service disruption and making the MoneyGram website inaccessible for three days. While no details have been confirmed, speculation surrounds the possible involvement of ransomware, though no group has claimed responsibility.
The attack underscores the ongoing trend of financial institutions being frequent ransomware targets, with such incidents costing the sector hundreds of millions of dollars globally in 2024. Source: SecurityWeek
3. US Commerce Department Proposes Ban on Automotive Software and Hardware from China and Russia
The US Department of Commerce has proposed a ban on software and hardware from China and Russia used in connected vehicles, citing national security concerns. The move aims to prevent unauthorized surveillance and remote control of vehicles on US roads. The ban would affect nearly all Chinese-made vehicles, and also prohibit the testing of self-driving cars by foreign adversaries.
The proposal includes provisions for foreign automakers to seek special exemptions, and the ban is expected to be phased in with software restrictions starting in the 2027 model year and hardware restrictions by the 2030 model year. The public has 30 days to comment before the proposal is finalized. Source: Dark Reading
4. Kaspersky Exits U.S., Automatically Migrates Users to UltraAV, Sparking Concerns
Due to national security concerns, Kaspersky has begun withdrawing from the U.S. market, automatically transitioning its users to the U.S.-based antivirus service UltraAV. The Russian company, which faced a ban effective September 29, 2024, facilitated the transition starting on September 19 to avoid any gap in security coverage. However, some users expressed concerns about the sudden software switch, claiming they were not adequately informed despite Kaspersky stating they had sent communications beginning September 5. UltraAV, owned by Pango Group, offers antivirus protection along with identity theft safeguards, including real-time fraud alerts and $1M identity theft insurance. Source: The Hacker News
5. Windows PowerShell Phishing Campaign Targets GitHub Users with Malware
A phishing campaign has been targeting GitHub users by sending fake security alerts that trick them into running password-stealing malware through Windows PowerShell. The attack disguises itself as a CAPTCHA test, which prompts victims to follow a three-step process that results in the execution of a malicious PowerShell script. The malware, called Lumma Stealer, is designed to steal credentials from the victim’s computer.
While developers may recognize the dangers, this method could be highly effective against less tech-savvy users. This incident highlights the need for user education on security risks, especially concerning phishing and the use of automation tools like PowerShell. Despite the risks, Microsoft advises against disabling PowerShell, as doing so could disrupt core system processes. Source: Krebs on Security
6. Mandiant Exposes North Korean Fake IT Worker Scheme Targeting Western Companies
Mandiant has uncovered a North Korean scheme in which fake IT workers infiltrate Western companies by using stolen identities and fraudulent resumes. Facilitated by intermediaries, these workers have generated millions in illicit revenue for the North Korean regime, helping to fund its nuclear and missile programs. The operation, tagged as UNC5267, has seen individuals based in China and Russia posing as remote IT workers. These workers often gain elevated access to company systems, posing long-term cybersecurity risks.
The scheme employs sophisticated evasion tactics, such as the use of AI-generated profile pictures, fabricated resumes, laptop farms, and remote management tools like GoToRemote, AnyDesk, and TeamViewer to access corporate devices. In one case, KnowBe4 discovered a North Korean operative trying to plant malware on a company workstation. Mandiant recommends organizations conduct stricter background checks, including biometric verification, and on-camera interviews to spot potential red flags in the hiring process. Source: SecurityWeek
7. Critical Vulnerability Found in Microchip’s Advanced Software Framework (ASF)
CERT/CC has issued an advisory warning of a serious vulnerability (CVE-2024-7490) in Microchip’s Advanced Software Framework (ASF), which could allow remote code execution on IoT devices. Discovered by Andrue Coombes of Amazon Element55, the flaw stems from input validation failures in the implementation of the Tinydhcp server. This vulnerability affects all versions of ASF up to version 3.52.0.2574 and can be triggered by sending a specially crafted DHCP Request packet to a multicast address. As ASF is widely used in IoT solutions, the flaw could have significant consequences for industrial and embedded systems.
Microchip has urged users to migrate to newer software, as the affected version is no longer supported. CERT/CC notes that no practical fix is available, and replacing the Tinydhcp service is recommended. Source: SecurityWeek
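The advisory describes the flaw only as an input-validation failure in a DHCP server implementation. The added example below is not ASF or Tinydhcp code; it shows the defensive check any DHCP option walker needs, comparing each option's declared length with the bytes actually received before reading past it. `build_sample` is an assumed helper that constructs a minimal DHCPREQUEST for illustration, not a real capture.

```c
#include <stdint.h>
#include <string.h>

#define DHCP_FIXED_HDR 236   /* op .. file fields (RFC 2131) */
#define OPT_PAD 0
#define OPT_MSG_TYPE 53
#define OPT_END 255
#define DHCPREQUEST 3
enum { DHCP_MALFORMED = -1, DHCP_NOT_REQUEST = 0, DHCP_OK = 1 };
static const uint8_t dhcp_magic[4] = {0x63, 0x82, 0x53, 0x63};

/* Walk the options area, validating every option against the bytes actually
 * received. Returns DHCP_OK for a well-formed DHCPREQUEST, DHCP_NOT_REQUEST for
 * another well-formed message, DHCP_MALFORMED if any length points past `len`. */
int parse_dhcp_options(const uint8_t *pkt, size_t len, uint8_t *msg_type)
{
    size_t i = DHCP_FIXED_HDR + sizeof dhcp_magic; *msg_type = 0;
    if (len < i || memcmp(pkt + DHCP_FIXED_HDR, dhcp_magic, 4) != 0)
        return DHCP_MALFORMED;
    while (i < len) {
        uint8_t code = pkt[i++];
        if (code == OPT_PAD) continue;
        if (code == OPT_END)
            return *msg_type == DHCPREQUEST ? DHCP_OK : DHCP_NOT_REQUEST;
        if (i >= len) return DHCP_MALFORMED;        /* code byte, no length byte */
        uint8_t olen = pkt[i++];
        if (olen > len - i) return DHCP_MALFORMED;  /* claims bytes never received */
        if (code == OPT_MSG_TYPE) {
            if (olen != 1) return DHCP_MALFORMED;
            *msg_type = pkt[i];
        }
        i += olen;                                  /* safe: olen <= len - i */
    }
    return DHCP_MALFORMED;                          /* ran out of data before OPT_END */
}

/* Constructed sample (assumed helper, not a real capture): a minimal DHCPREQUEST
 * whose client-identifier option (61) declares `claimed` bytes but carries `actual`. */
size_t build_sample(uint8_t *buf, uint8_t claimed, size_t actual, int add_end)
{
    memset(buf, 0, DHCP_FIXED_HDR); buf[0] = 1;     /* op = BOOTREQUEST */
    size_t i = DHCP_FIXED_HDR;
    memcpy(buf + i, dhcp_magic, 4); i += 4;
    buf[i++] = OPT_MSG_TYPE; buf[i++] = 1; buf[i++] = DHCPREQUEST;
    buf[i++] = 61; buf[i++] = claimed;
    memset(buf + i, 0xAA, actual); i += actual;
    if (add_end) buf[i++] = OPT_END;
    return i;                                       /* buf needs >= 300 bytes */
}
```

A server that skips the `olen > len - i` comparison reads beyond the received datagram whenever a client lies about an option length, which is the general shape of bug the advisory warns about.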
8. Chinese APT ‘Earth Baxia’ Targets APAC Organizations
The Chinese APT group Earth Baxia has been targeting government agencies and critical infrastructure in Taiwan, Japan, the Philippines, and South Korea. The group primarily uses spear-phishing and exploits a vulnerability in the open-source GeoServer platform (CVE-2024-36401) to compromise its targets. Earth Baxia leverages public cloud services to host malicious files and uses advanced techniques like GrimResource and AppDomainManager injection to further infiltrate systems. The group has deployed custom backdoors such as EagleDoor and pirated versions of the Cobalt Strike tool, making it difficult to attribute the attacks specifically. These efforts are part of broader Chinese espionage activities in the Asia-Pacific region, with attacks focusing on governments, telecommunications, and energy sectors. Source: Dark Reading
9. Necro Trojan Infects Popular Google Play Apps
Two Android apps with over 11 million downloads, including the popular Wuta Camera, were recently found to be infected with the Necro Trojan and have since been removed from the Google Play Store. Discovered by Kaspersky, this malware allows attackers to perform various malicious actions, such as downloading additional payloads, displaying invisible ads, subscribing users to paid services, and using infected devices as proxies. The trojan has targeted tens of thousands of users globally, especially in Russia, Brazil, Vietnam, Ecuador, and Mexico. This incident underscores the persistent risks of malware, even in official app stores, and the need for stronger mobile security measures. Source: SecurityWeek
10. Vice Society Shifts to Inc Ransomware in Healthcare Attacks
Vice Society, a Russian-speaking ransomware group tracked by Microsoft, has shifted its tactics to utilize Inc ransomware in its attacks on the healthcare sector. Active since July 2022, Vice Society has previously employed various ransomware strains but is now leveraging Inc ransomware, which is gaining prominence in the ransomware-as-a-service (RaaS) ecosystem. Healthcare remains a prime target due to its outdated technology and the high value of sensitive patient data, making it particularly vulnerable to double extortion tactics. Recent campaigns have involved the use of the Gootloader backdoor for initial access, followed by tools such as AnyDesk and MEGA’s data synchronization to deploy Inc ransomware effectively.
Inc ransomware is noted for its structured negotiation style, which minimizes threats and maintains control over ransom processes, distinguishing it from other ransomware actors. Despite some organizations being able to recover without paying the ransom, the threat of sensitive data leaks often pressures victims into negotiations. This double extortion methodology continues to make groups like Vice Society and Inc ransomware significant players in major cyberattacks. Source: Dark Reading
Get in touch with our security experts
Our team is available for a quick call or video meeting. Let's connect and discuss your security challenges, dive into vendor comparison reports, or talk about your upcoming IT projects. We are here to help.