Risky Biz News: Vo1d infects 1.3 million Android TV boxes

In other news: Microsoft to move security products out of the kernel; Mastercard buys Recorded Future; Slovakia denies buying Pegasus.

This newsletter is brought to you by Sublime Security, an email security platform that's not a black box. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or by subscribing via this RSS feed (on Apple Podcasts).

A mysterious threat actor has built a giant botnet by infecting over 1.3 million Android TV set-top boxes across the globe.

The devices were infected with a new backdoor named Vo1d.

The malware's main function is to gain reboot persistence on the device through three different methods and then watch a folder and install any Android APK file placed there.

This suggests the botnet may be part of a pay-per-install scheme for Android apps, or that Vo1d may still be under development and further capabilities will be added later.

According to data collected by Russian security firm Dr.Web, most of the Vo1d devices are located in Brazil, which accounts for nearly a third of all current infections.

Dr.Web says it wasn't able to determine how the devices were infected, but found several cases where compromised set-top boxes reported incorrect Android OS versions.

In theory, this could explain how the devices were infected, with the Vo1d gang exploiting older Android vulnerabilities, since the set-top boxes didn't actually have the older patches installed.

Vo1d is the latest in a long list of botnets that specifically target TV set-top boxes. Past examples include the likes of Bigpanzi, Pandora, Ares, the Lemon Group, and BADBOX. Some of these botnets were used to launch DDoS attacks, but the vast majority is typically used for advertising click fraud, which may also be where Vo1d ends up operating later on.

Fortinet data breach: Cybersecurity firm Fortinet has disclosed a data breach of its APAC division. The company says that the attacker accessed customer records stored on a third-party cloud provider. Fortinet says the incident impacted only a limited number of customers and that it has not seen any follow-up malicious activity. The company's admission comes after a threat actor named Fortibitch claimed credit for the breach on a hacker forum. Additional coverage in CyberDaily.

Taiwan DDoS attacks: Hacktivist group NoName057(16) has launched DDoS attacks against Taiwanese government sites after the country's president warned that China may seek to regain lost land from Russia. Oh, global power drama. We love it. Additional coverage in Taipei Times.

Indodax crypto-heist: A threat actor has stolen more than $22 million worth of crypto-assets from Indonesian cryptocurrency exchange Indodax. The company has confirmed the incident and suspended all operations while it investigates the breach. Blockchain security firm SlowMist believes the hackers appear to have gained access to a system that controls the exchange's hot wallet withdrawal operations. Additional coverage in CoinDesk.

Banking spree: The Hunters International ransomware group has taken credit for attacks on two major banks: Malaysia's Bank Rakyat and the UK branch of the Industrial and Commercial Bank of China (ICBC). ICBC is the same Chinese bank that dealt with a ransomware attack from the LockBit gang last year.

Pregnancy clinic cyber wars: A women's gynecological clinic from Attleboro, Massachusetts, is suing a neighboring pregnancy center for allegedly hacking its online reservations portal. Four Women Health Services claims that staff from the Attleboro Women's Health Center next door have been contacting its patients every time they reach out via its online contact widget. The lawsuit alleges the next-door clinic is operating as an anti-abortion center and is misleading patients seeking abortion care. Four Women says it does not yet know how the neighboring clinic has hacked its IT system, but is now seeking an injunction to stop the Attleboro Women's Health Center from accessing its systems and contacting its patients. Additional coverage in Boston.com. (h/t DataBreaches.net)

Hacks of Icelandic politicians: An Icelandic businessman who was providing financial support for Assange and the WikiLeaks project has allegedly asked LulzSec to hack the emails of two Icelandic politicians. Additional coverage from Emma Best.

Record settlement: US healthcare provider Lehigh Valley Health Network (LVHN) has agreed to a $65 million settlement in a class-action lawsuit filed by former patients and employees who had their data stolen in a ransomware attack in 2023. The leak included nude photos of some of the clinic's cancer patients. One of the settlement terms is that any patient who had nude photos leaked would be entitled to as much as $80,000. Additional coverage in DataBreaches.net.

Microsoft's kernel meeting: Microsoft will develop a new technical capability to allow security software to work outside of the Windows kernel. The new capability is designed to avoid causing global IT outages like the one caused by CrowdStrike in July. Details about how this new technical feature will work are still being discussed. Microsoft announced the news after holding a summit with security software makers this week. Government officials from Europe and the US also attended.

Play Integrity API: Google has added a new Android API that allows app makers to verify if their apps have been installed from the official Play Store. The new Play Integrity API can prevent users from sideloading Android apps and using pirated or modified versions. Google says the API has already been adopted by mobile games and financial apps. Additional coverage in Android Authority.

Mandatory 2FA comes to WordPress repo: The WordPress team will require that all WordPress.org accounts enable 2FA by October 1 this year. Accounts that do not enable 2FA by next month will not be able to make any changes to themes and plugins made available through the official repository. The move to mandatory 2FA is meant to put more barriers against brute-force attacks and other supply chain attack scenarios.

UK NCA-ICO MOU: The UK's privacy watchdog and main police agency have signed a memorandum of understanding on cybersecurity. The document clarifies that the NCA won't pass data to the ICO as long as victims of cyberattacks report intrusions to law enforcement. British companies have often not reported breaches to authorities because they feared data from an incident response could be used against them by the UK's privacy watchdog. The ICO signed a similar agreement with the country's cybersecurity agency last year, urging companies to report cyberattacks to the NCSC on the promise of smaller fines.

UK reclassifies data centers as critical infrastructure: The British government has reclassified data centers as critical national infrastructure. The reclassification will allow the government to invest new resources and provide better cybersecurity services to data center operators. Data centers are the UK's fourteenth critical infrastructure sector. It is the first new addition to the list since 2015, when the government added space and defense.

Chinese crane drama: Chinese cargo crane manufacturer ZPMC has pressured multiple American ports for remote access to its machines. A congressional report found that several ports initially denied the request but eventually caved to the vendor's pressure. US officials say ZPMC focused on gaining access to its machines in American West Coast ports. ZPMC currently accounts for 80% of ship-to-shore cranes in operation at US ports. The US Congress began investigating the issue after suspicions that China might use the cranes for espionage and sabotage. Additional coverage in The Record. Full report (PDF).

Slovakia denies buying Pegasus: Slovakia's prime minister has denied allegations that the country's intelligence service has acquired access to the NSO Group's Pegasus spyware. Local media reported last week that the Slovakian government switched from a test to a full version of Pegasus this month. Reporters cited four different sources in the country's security sector. The spyware has often been abused by elected governments to spy on the opposition, journalists, and activists. A staunch Putin fan, Slovakian Prime Minister Robert Fico accused, without evidence, the opposition, the "Soros-controlled" media, and foreign NGOs of the assassination attempt on his life earlier this year.

Australia introduces anti-doxxing law: Australia's Attorney General has introduced a bill that will ban the publishing of personal information online, also known as doxxing. The proposed law amends Australia's 1988 Privacy Act and imposes a prison sentence of up to seven years for offenders. Officials introduced the bill after pro-Palestinian activists published the personal details of almost 600 Jewish academics and artists in February this year. Additional coverage in ABC.

In this Risky Business News sponsored interview, Tom Uren talks to Josh Kamdjou, founder and CEO of Sublime Security, about the spectrum of attacks that are taking advantage of generative AI. These range from basic attacks with a pinch of AI pixie dust to more complex attacks where AI is used to construct message threads with multiple personas. Josh also talks about how different AI models can be used to identify these attacks, even when they are novel.

TfL hacker arrested: UK officials have arrested a 17-year-old male for hacking London's public transportation agency, Transport for London (TfL). The teenager was detained last week, on September 5, three days after the hack. The NCA says it questioned and released the suspect on bail. Some TfL services are still down 10 days after the attack. The teen is believed to have stolen the personal data of some TfL customers.

IronChat creators sentenced: Dutch authorities have sentenced three men to years in prison for their role in selling a crypto-phone named IronPhone and managing the IronChat encrypted IM service. The group's leader was sentenced to 4.5 years in prison, while his two accomplices will go to jail for 22 months and 18 months, respectively. The trio was detained in 2018 after Dutch authorities shut down the platform. Officials decrypted over 258,000 chat messages and disrupted several criminal organizations as a result. (h/t Betje C)

Singapore cybercrime arrests: Singapore police have arrested six men for their involvement in a cybercrime operation. Five Chinese nationals and one Singapore resident were detained this week following raids across the city. Officials have seized laptops that stored stolen data and hacking tools and software. One of the seized laptops was allegedly being used to control a copy of the PlugX malware.

US sanctions cyber scam tycoon: The US Treasury Department has imposed sanctions on Cambodian businessman Ly Yong Phat and two of his companies. US officials say workers who applied for jobs at Ly's companies had their passports seized and were forced to work in local cyber scam compounds. Local authorities rescued foreign workers on two occasions from one of Ly's resorts. Ly is one of Cambodia's richest persons, a senator, and an advisor to Cambodian Prime Minister Hun Manet.

Romance scammer money launderer pleads guilty: A 30-year-old woman from Florida has pleaded guilty to laundering over $2.7 million on behalf of a romance scam group overseas.

Fourth time's a charm: Dutch police arrested a teenager from the city of Amersfoort for the fourth time on phishing-related charges. He was previously convicted on all three of his previous charges.

Tor node raids: German authorities have raided the home and offices of a Tor exit node operator. No reasons were given, and Tor's German team is holding a meeting on how to deal with the incident.

HikkiChan exposé: CodeAIntel has published a report on HikkiChan, a threat actor who has recently claimed credit for several hacks and leaks. The company's investigation has found that HikkiChan is repurposing old leaks or misrepresenting the value of unrelated data.

AppleCare scam campaign: Malwarebytes researchers have uncovered a malvertising campaign that uses Google Ads to lure users to GitHub pages listing fake AppleCare support services and phone numbers.

Olympics typosquatting: Sekoia looks at all the Olympics-related typosquatted domains the company saw over the summer.

New SecondEye members: Security firm Hudson Rock claims to have identified two new members of the SecondEye cybercrime group. The company found the members while searching infostealer logs sold on the underground market. The credentials belonged to two Pakistani men and were for old SecondEye infrastructure. The US charged two Pakistani men in 2021 for running SecondEye, a web service that sold counterfeit IDs and government documents.

Kiosk mode abuse: Malware authors have developed a new technique that can force users into sharing credentials for a desired website. The technique works by forcing a victim's Chrome browser into the full-screen Kiosk Mode, from where users cannot escape until they log into a specific website. Once the user logs in, the password is stored inside Chrome's local database, from where an infostealer can easily extract it. According to OALABS, the technique is currently used by infostealer strains such as Amadey and StealC.

DragonRank group: A Chinese cybercrime group named DragonRank is hacking IIS servers to modify web pages as part of a large SEO poisoning operation. The modified pages redirect users to various types of online scams. Cisco Talos says the group appears to be made up of Chinese-speaking users based out of mainland China.

Lynx ransomware: Rapid7 has published a report on Lynx, a ransomware group that started operations in July this year and already has 24 victims listed on its leak site.

macOS infostealers: SentinelOne looks at several of the recent infostealers targeting macOS users over the past few months: Amos, Banshee, Cthulhu, Poseidon, and RodrigoStealer.

TrickMo: Mobile security firm Cleafy has found a new variant of the TrickMo Android banking trojan with a new anti-analysis mechanism.

Hadooken: AquaSec has discovered Hadooken, a new Linux malware found infecting Linux-based Oracle WebLogic servers. The malware seems to function as a downloader and is currently being used to drop secondary payloads such as cryptominers and the Tsunami DDoS bot.

Sublime Security shares a recent payroll fraud campaign likely produced using generative AI.

Operation WordDrone: The Acronis security team has published a report on a new cyber-espionage campaign targeting Taiwan's drone industry. The report comes days after Trend Micro published a report on TIDRONE, a suspected Chinese APT targeting the same sector.

Kimsuky: AhnLab researchers have uncovered a Kimsuky operation using as a lure a paper on the Russia-North Korea partnership. CyFirma has also published a profile on the same threat actor.

Lazarus fake recruiter attacks: ReversingLabs has discovered a repository containing malware-laced coding tests that North Korean hacking group Lazarus uses for its fake recruiter social engineering campaigns. The company says the tests appear to be part of a campaign it discovered last year, named VMConnect.

APT34 targets Iraq: APT34, an Iranian MOIS-affiliated threat actor, is behind a recent espionage operation targeting Iraqi government infrastructure.

.MOBI TLD hijack: watchTowr security researchers could have hijacked thousands of .MOBI websites after they registered a sensitive domain that used to be part of the .MOBI TLD core infrastructure. The domain dotmobiregistry.net was used in the past to process WHOIS queries for .MOBI websites, but was replaced with a new WHOIS server at whois.nic.mobi. watchTowr says it registered the domain after it was allowed to expire last December. Over the course of a week, the old domain still received WHOIS queries from more than 135,000 systems from across the globe. watchTowr says the domain could have been used as a springboard for attacks on these systems by exploiting vulnerabilities in WHOIS clients.

Adobe zero-day patch: Adobe has patched an Adobe Reader zero-day (CVE-2024-41869) that can be used for remote code execution attacks. Security researcher Haifei Li discovered the zero-day earlier this year while scanning archived public PDF files for potential exploit code. Adobe was initially scheduled to fix the bug in August but delayed the update to create a more complete patch. Li says the exploit appeared unfinished and did not deliver a payload.

Windows zero-day write-up: SEC Consult has published a write-up of CVE-2024-38014, a Windows zero-day patched this month that was abused in the wild. The zero-day abuses the repair function of MSI installers and can allow threat actors to elevate privileges to SYSTEM. The company also published a tool on GitHub to scan for MSI installers vulnerable to this bug.

Veeam RCE write-up: Orange Cyberdefense has published a technical write-up on CVE-2023-27532, a bug that can be used for RCE attacks against Veeam backup solutions.

Cisco security updates: Cisco has released eight security advisories for multiple products.

GitLab security updates: Source code management system GitLab has released patches to fix 17 security flaws.

Feeld security flaws: Security firm Fortbridge has discovered eight vulnerabilities in the Feeld dating app that could allow threat actors to access user data and perform sensitive operations. This includes reading other users' private chats, viewing their private photos, forcibly updating their profiles, or accessing their match history. Fortbridge says it notified Feeld, but the app maker has failed to fix any of the issues over the past six months.

PIXHELL attack: A team of academics from Israel has devised a new method to transfer data from air-gapped computers using noise generated by LCD screens. Named PIXHELL, the attack uses malicious modulated pixel patterns to make LCD screens generate sounds in the 0-22 kHz range. These sounds can be picked up by a nearby attacker and then demodulated to recover the transmitted data.

GAZEploit attack: A team of academics has found a way to analyze eye movements and extract passwords entered inside Apple's Vision Pro VR headset. Named GAZEploit, the attack works by tracking and mapping a user's eye movements to the device's virtual keyboard. Researchers say GAZEploit has an accuracy rate of 85% to 97%. Additional coverage in WIRED.

Threat/trend reports: Abnormal Security, AU10TIX, the International Telecommunication Union (ITU), and Recorded Future have recently published reports covering infosec industry threats and trends.

New tool: bomctl: The Open Source Security Foundation has released bomctl, a tool for working with SBOM files. The tool is intended to help users retrieve, manipulate, and push multiple SBOM documents that represent a system.

New tool: ChromeKatz: Finnish security researcher Aleksi Vepsäläinen has released ChromeKatz, a red-team tool for dumping sensitive information from the memory of Chromium-based browsers.

Mastercard buys Recorded Future: Mastercard has agreed to buy threat intelligence company Recorded Future from private equity firm Insight Partners for $2.65 billion. Insight Partners acquired a controlling interest in the threat intel firm in 2019 for $780 million. Mastercard had previously collaborated with Recorded Future to detect and identify compromised payment cards. Recorded Future co-founder and CEO Christopher Ahlberg says the company will operate as an independent subsidiary inside Mastercard.

In this edition of Between Two Nerds, Tom Uren and The Grugq dissect an FBI advisory about North Korean groups targeting cryptocurrency firms with social engineering.

In this podcast, Tom Uren and Patrick Gray talk about the structure of the spyware ecosystem. It's concentrated, with lots of vendors in India, Israel, and Italy. And it's a small pool of talent, with many companies being founded by just a few individuals.

Risky Business is now on YouTube with video versions of our main podcasts. Below is our latest weekly show, with Pat and Adam at the helm.
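The .MOBI item above describes WHOIS clients that kept querying a retired server domain long after the registry moved. As an added example (not part of the newsletter and not watchTowr's code), this Python script audits a WHOIS client's hard-coded TLD-to-server table against the authoritative record published by whois.iana.org and reports every entry that no longer matches; the IANA responses and the client table are constructed samples so the audit runs offline, and iana_lookup_live() is an assumed helper for running it against the real service.

```python
"""Audit a WHOIS client's hard-coded TLD -> server table against IANA.

Added example: the IANA records below are constructed samples in the
format whois.iana.org returns (one 'whois:' line per TLD record); the
hard-coded table is a hypothetical client's, with the retired .mobi
server still in it. No network access is needed for the offline audit.
"""
import re
import socket

# Constructed IANA-style responses keyed by TLD (illustrative values).
SAMPLE_IANA = {
    "mobi": "domain:       MOBI\n\nwhois:        whois.nic.mobi\n\nstatus:       ACTIVE\n",
    "com": "domain:       COM\n\nwhois:        whois.verisign-grs.com\n\nstatus:       ACTIVE\n",
    "example": "domain:       EXAMPLE\n\nstatus:       ACTIVE\n",  # no whois server listed
}

# Hypothetical client table: the .mobi entry is the decommissioned server.
HARDCODED_SERVERS = {
    "mobi": "whois.dotmobiregistry.net",
    "com": "whois.verisign-grs.com",
    "example": "whois.example-registry.invalid",
}

WHOIS_LINE = re.compile(r"^whois:\s*(\S+)\s*$", re.MULTILINE)


def parse_iana_whois_server(response: str):
    """Return the 'whois:' server named in an IANA TLD record, or None."""
    match = WHOIS_LINE.search(response)
    return match.group(1).lower() if match else None


def iana_lookup_live(tld: str, timeout: float = 5.0) -> str:
    """Fetch a TLD record from whois.iana.org (network; not used offline)."""
    with socket.create_connection(("whois.iana.org", 43), timeout=timeout) as sock:
        sock.sendall(f"{tld}\r\n".encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")


def audit_whois_table(hardcoded, lookup):
    """Return {tld: (hardcoded_server, iana_server)} for every entry whose
    hard-coded server differs from IANA's; iana_server is None when IANA
    lists no server, which is also worth a look before trusting the entry."""
    findings = {}
    for tld, server in hardcoded.items():
        current = parse_iana_whois_server(lookup(tld))
        if current != server.lower():
            findings[tld] = (server, current)
    return findings


def offline_audit():
    """Run the audit against the constructed IANA samples."""
    return audit_whois_table(HARDCODED_SERVERS, lambda tld: SAMPLE_IANA.get(tld, ""))


if __name__ == "__main__":
    for tld, (old, new) in offline_audit().items():
        print(f".{tld}: hard-coded {old}, IANA lists {new or 'no whois server'}")
```

Swapping `offline_audit`'s lambda for `iana_lookup_live` turns this into a periodic check that a client can run before it sends a query to any server it has hard-coded.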

Risky Business publishes cybersecurity newsletters and podcasts for security professionals