Also: Microsoft Fixes 48 Flaws in January Patch Tuesday But No Zero-Days
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week: Microsoft addressed 48 security flaws, AsyncRAT targeted critical infrastructure operators, the Supreme Court rejected X Corp.’s bid to disclose national security requests, hackers hit Beirut airport flight displays, the FTC banned Outlogic from sharing sensitive location data, and more.
Microsoft’s January Patch Tuesday Addresses 48 Security Flaws
Microsoft addressed 48 security flaws in its first monthly patch dump for 2024. Two were rated critical, and the rest were rated important. There were no zero-days recorded this month.
The critical patched flaws are a Windows Kerberos Security Feature Bypass Vulnerability tracked as CVE-2024-20674 and a Windows Hyper-V Remote Code Execution Vulnerability tracked as CVE-2024-20700. The Kerberos flaw could allow attackers to bypass authentication “as this vulnerability allows impersonation,” Microsoft wrote.
The Redmond giant also disabled the ability to insert FBX files in Office due to a security flaw, CVE-2024-20677, that could lead to remote code execution.
The fixes include nine resolved security vulnerabilities in the Chromium-based Edge browser, addressing CVE-2023-7024 – a zero-day that is being actively exploited in the wild.
AsyncRAT Campaign: Loader Tactics, 300 Unique Samples Detected
A hacking campaign employing AsyncRAT malware has persisted for 11 months, deploying hundreds of unique loader samples across more than 100 domains, said researchers at AT&T. Among the campaign’s targets are companies that manage key infrastructure in the United States.
Microsoft initially detected the activity in compromised email threads, but the final payload remained unidentified at that point. AT&T’s Alien Labs, responding to a surge in targeted phishing emails in September, began investigating the attacks.
The malicious emails carried GIF attachments that led to SVG files, which in turn downloaded obfuscated JavaScript and PowerShell scripts. The loader communicates with a BitLaunch-hosted server and uses tactics to avoid detection and confuse analysis environments. The unknown threat actor behind the campaign employed 300 distinct loader samples and used a domain generation algorithm to generate new command-and-control domains weekly.
Supreme Court Rejects Bid to Disclose National Security Requests
The U.S. Supreme Court on Monday rejected a challenge by X Corp., formerly Twitter, against a lower court ruling holding that the First Amendment doesn’t permit it to reveal national security demands made by the FBI for user information.
The court’s decision not to hear the case leaves standing a ruling from the U.S. Court of Appeals for the 9th Circuit. Two of three judges on a panel wrote that they were “able to appreciate why Twitter’s proposed disclosure would risk making foreign adversaries aware of what is being surveilled and what is not being surveilled – if anything at all.”
Twitter initiated the lawsuit in 2014, seeking to publish the exact number of data requests received and contending that FBI-demanded redactions violated constitutional guarantees of free speech.
Cyberattack Hits Beirut Airport Displays
Flight informational displays in Beirut-Rafic Hariri International Airport in Lebanon fell victim to a cyberattack on Sunday. The airport experienced disruptions as hackers displayed a message on screens alleging that Hezbollah and Iran were pushing the country into war against the will of the Lebanese people, reported Arab News.
The message also warned of potential airport bombings due to arms smuggling. The cyberattack affected the baggage handling system, leading airport personnel to use police dogs for baggage inspections. No hacker group has claimed responsibility for the attack. Tensions in the Middle East have risen, including along the Lebanese border with Israel, where Israeli forces skirmish with Hezbollah.
FTC Bans Outlogic From Sharing Sensitive Location Data
The U.S. Federal Trade Commission banned data broker Outlogic, formerly X-Mode Social, from sharing or selling sensitive location data with third parties. The settlement follows allegations that the company had sold precise location data, potentially enabling the tracking of individuals visiting sensitive locations such as medical clinics, places of worship and domestic abuse shelters.
Under the order, which is still subject to a final vote by agency commissioners after a 30-day comment period, Outlogic is required to destroy previously gathered location data unless it obtains consumer consent, de-identifies the data or renders it nonsensitive. X-Mode Social, known for selling location data to the U.S. military in 2020, collects data from proprietary and third-party apps that incorporate its software development kit. The FTC accused the company of lacking safeguards against downstream misuse of the data and not being transparent about data recipients. Outlogic disagreed with the FTC’s implications, stating there was no finding of data misuse.
Paraguay Warns of Ransomware as Tigo Faces Major Cyberattack
Paraguay’s military issued a ransomware warning after major internet provider Tigo reported a cyberattack causing widespread disruptions. The General Directorate of Information and Communication Technologies, which is part of the armed forces, highlighted ransomware’s significant impact on backups, web pages, emails and cloud storage. Although the warning claimed to be general information, it closely followed a ransomware attack on Tigo that affected over 300 companies. The Black Hunt group allegedly claimed responsibility for the attack.
Tigo acknowledged a security incident on Jan. 4 that had affected infrastructure and specific services for some corporate clients, but it denied the Black Hunt group’s involvement.
Threat Actors Pose as Researchers in Follow-On Extortion Scheme
Threat actors posing as cybersecurity researchers are targeting victims of the Royal and Akira ransomware gangs with fraudulent offers to delete stolen files for a fee. Arctic Wolf Labs researchers uncovered this follow-on extortion campaign, in which the impersonators claim to help victims by hacking into the original ransomware groups’ server infrastructure to delete exfiltrated data. While the exact connection between the fraudsters and the original ransomware groups remains unclear, similarities in the cases suggest a common threat actor instigating the follow-on campaign. In two instances, organizations called Ethical Side Group and xanonymoux offered to delete data or provide access to the server in exchange for about five bitcoin – approximately $180,000.
With reporting from Information Security Media Group’s Prajeet Nair in Bengaluru, India, and Mihir Bagwe in Mumbai, India.