Governments are taking new actions against cyber criminals. Meanwhile, threat actors go after more and more important targets. Read on for the news we’ve been following this month.
A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries
A new APT group, ChamelGang, was identified recently. This group uses a trending penetration method—supply chain— to steal data from compromised networks. The gang targets various industries across Russia, the U.S., India, Nepal, Taiwan, and Japan by disguising its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google. The gang appears to have been working since March 2021, when they launched an attack notable for the fact that the operators breached a subsidiary organization to gain access to an unnamed energy company’s network by exploiting a flaw in Red Hat JBoss Enterprise Application (CVE-2017-12149). They then remotely executed commands on the host and deployed malicious payloads that enable them to launch the malware and laterally move across the network to perform reconnaissance.”
“This attack once again underscores the need for critical infrastructure and the companies they do business with to strengthen their security posture. OT environments are in general complex and difficult to penetrate, but the IT portion of their networks is a vulnerable target due to lack of patching, proper configuration, and nonexistent integrations. The need to take a proactive cybersecurity approach instead of reactive is now. They need to tighten up their SOPs, SLAs, and Policies around cybersecurity. Otherwise, the implications of another breach could have far-reaching results that affect the general population.” — Shunta Sanders, Lead Senior Architect
Source: The Hacker News October 4
A Simple Linux Bug Can Lead to Complete System Compromise
This blog post from Google’s Project Zero team describes a straightforward Linux kernel locking bug and how author, Jann Horn, exploited it against Debian Buster’s 4.19.0-13-amd64 kernel. It goes on to explore options for security mitigations that could prevent or hinder exploitation of issues similar to this one.
“This is an excellent write-up detailing the whole cycle of building an exploit. It describes the bug and the fix and goes step by step explaining the exploit stages. The author evaluates the current mitigation mechanisms and proposes some improvements that would have helped to prevent this type of exploitation. One of the conclusions of the article is that this type of attack could have been prevented if the operating system would provide a memory-safe language such as Rust.” — Alonso, Security Software Engineer
Source: Project Zero, October 19
U.S. Pursues a Unique Solution to Fight Hackers
The United States has announced a novel approach to harnessing the skills of some of the country’s most promising young minds for the purposes of cybersecurity. The U.S. Cyber Games, a project founded in April and funded by the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education, has assembled a team of 25 Americans, ages 18 to 26, who will compete against other countries in the inaugural International Cybersecurity Challenge, scheduled to be held in Greece in June 2022. This approach mirrors competitive video gaming, and its goal is to identify and train candidates for careers in cybersecurity.
“I found this interesting as it shows that governments are actively searching for new cybersecurity experts to fight always-rising (both in number and sophistication) cyberthreats. If we don’t want to lose the battle we will need both more people and new tools that help with fighting advanced cyberattacks.” — Fernando, Founder
Source: Washington Post, October 15
Kape Technologies Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN “Review” Websites
Kape Technologies, a former malware distributor that operates in Israel, has now acquired four different VPN services and a collection of VPN “review” websites that rank Kape’s VPN holdings at the top of their recommendations. Before 2018, Kape Technologies was called Crossrider and it was an infamous player in the malware industry. You can still find numerous articles about Crossrider’s malware and adware infecting various devices. In studying Crossrider’s business, it appears that Crossrider profited from infecting devices with malware, which would then use browser hijacking to direct traffic to partner advertisers. This pernicious line of work earned Crossrider a notorious reputation. This business model goes hand-in-hand with data collection, while also abusing the privacy and security of the end-user who suffered the misfortune of being infected with Crossrider malware. Crossrider began purchasing VPN services, then changed its name to Kape Technologies. Kape purchases a collection of VPN “review” websites for $149 million, then changes the rankings.
“This is a very suspicious movement from a very suspicious company, and as the article says, many VPN users have no idea who the real owners of their VPN are, which is really bad from a security point of view.” – Ander Garmendia, Full Stack Engineer
Source: Restore Privacy, October 15
U.S. to Tell Critical Infrastructure Companies to Report Hacks
TSA will make it mandatory for critical travel companies to have a chief cyber official and disclose hacks to the government. An increase in attacks on critical infrastructure has prompted this move, led by the Transportation Security Administration and Homeland Security. This is the first move of its kind with respect to the cyber focus in the aviation and train industries.
“The US government keeps pushing new policies to fight targeted attacks against critical infrastructure companies which will need to increase their efforts to detect breaches as soon as possible.” — Fernando, Founder
Source: Reuters, October 6