
Microsoft admits GitHub used to store malware that infected almost a million devices

Infosec in Brief Microsoft has spotted a malvertising campaign that downloaded nastyware hosted on GitHub and exposed nearly a million devices to information thieves.

Discovered by Microsoft Threat Intelligence late last year, the campaign saw pirate vid-streaming websites embed malvertising redirectors to generate pay-per-view or pay-per-click revenue from malvertising platforms.

“These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub,” according to Microsoft’s threat research team.

GitHub hosted a first-stage payload that installed code that dropped two other payloads. One gathered system configuration info such as data on memory size, graphics capabilities, screen resolution, the operating system present, and user paths.

Third-stage payloads varied but most “conducted additional malicious activities such as command and control (C2) to download additional files and to exfiltrate data, as well as defense evasion techniques.”

The attackers built four to five redirect layers into the campaign; once the GitHub dropper had run, each subsequent stage installed more nastiness that appears to have been designed to steal information, including stored browser credentials.

Microsoft noted that the malicious repos have since been taken down, and provided plenty of indicators of compromise and other valuable information in its report to aid in hunting down and stopping related campaigns.
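The campaign's shape, as described above, is a long redirect chain (four to five hops) that ends at a GitHub-hosted first-stage payload. Below is an added hunting example, not Microsoft's or The Register's code, that reconstructs per-client redirect chains from web proxy logs and flags the ones matching that shape. The log format, the `.invalid` hostnames, the `attacker-placeholder` repository path and the hop threshold are all constructed for this example; only the GitHub hostnames are real. In practice the output would be cross-checked against the indicators of compromise in Microsoft's report.

```python
"""Hunt web proxy logs for long redirect chains that end at GitHub-hosted content.

Added example (not from Microsoft or The Register). Assumed log format per line:
    <timestamp> <client_ip> <http_status> <requested_url> <location_header_or_'-'>
"""
from collections import defaultdict
from urllib.parse import urlparse

# Hosts on which GitHub serves repository content (real hostnames).
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
MIN_HOPS = 4  # the campaign used four to five redirect layers

# Constructed sample log: one malvertising-style chain, one benign site redirect,
# and one short, benign hop to a GitHub releases page.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.0.0.5 302 http://free-stream.invalid/watch?v=42 http://ads-redir1.invalid/go?c=77
2025-03-01T10:00:01Z 10.0.0.5 302 http://ads-redir1.invalid/go?c=77 http://ads-redir2.invalid/r
2025-03-01T10:00:02Z 10.0.0.5 302 http://ads-redir2.invalid/r http://techsupport-alert.invalid/warn
2025-03-01T10:00:02Z 10.0.0.5 302 http://techsupport-alert.invalid/warn https://raw.githubusercontent.com/attacker-placeholder/repo/main/stage1.exe
2025-03-01T10:00:03Z 10.0.0.5 200 https://raw.githubusercontent.com/attacker-placeholder/repo/main/stage1.exe -
2025-03-01T10:01:00Z 10.0.0.9 302 http://shop.invalid/old-page http://shop.invalid/new-page
2025-03-01T10:01:00Z 10.0.0.9 200 http://shop.invalid/new-page -
2025-03-01T10:02:00Z 10.0.0.7 302 http://docs.invalid/r https://github.com/some-org/some-tool/releases
2025-03-01T10:02:00Z 10.0.0.7 200 https://github.com/some-org/some-tool/releases -
"""


def parse_line(line):
    """Split one log line into its five assumed fields."""
    ts, client, status, url, location = line.split()
    return {"ts": ts, "client": client, "status": int(status), "url": url,
            "location": None if location == "-" else location}


def build_chains(log_text):
    """Reconstruct redirect chains per client.

    A request whose URL equals the Location of that client's previous 3xx
    response extends the open chain; anything else closes it and starts a new one.
    Returns {client_ip: [[url, url, ...], ...]}.
    """
    chains = defaultdict(list)  # client -> completed chains
    open_chain = {}             # client -> URLs of the chain still being followed
    expected = {}               # client -> Location we expect the client to fetch next

    def close(client):
        chain = open_chain.pop(client, None)
        expected.pop(client, None)
        if chain:
            chains[client].append(chain)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        c = rec["client"]
        if expected.get(c) == rec["url"]:
            open_chain[c].append(rec["url"])   # client followed the redirect
        else:
            close(c)
            open_chain[c] = [rec["url"]]       # a fresh navigation
        if 300 <= rec["status"] < 400 and rec["location"]:
            expected[c] = rec["location"]
        else:
            close(c)                           # final response: chain complete
    for c in list(open_chain):
        close(c)
    return dict(chains)


def find_suspicious_chains(log_text, min_hops=MIN_HOPS, final_hosts=GITHUB_HOSTS):
    """Flag chains with at least min_hops redirects whose last URL is on a GitHub host."""
    findings = []
    for client, client_chains in build_chains(log_text).items():
        for chain in client_chains:
            hops = len(chain) - 1
            hosts = [urlparse(u).hostname for u in chain]
            if hops >= min_hops and hosts[-1] in final_hosts:
                findings.append({"client": client, "hops": hops, "hosts": hosts})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_LOG):
        print(f"{f['client']}: {f['hops']} redirects -> {' > '.join(f['hosts'])}")
```

The hop threshold is what keeps the benign `docs.invalid -> github.com` hop out of the results; a single redirect to GitHub is routine, whereas four consecutive redirects across unrelated domains ending at a raw file download is the shape worth a second look.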

Critical vulnerabilities of the week: Put a Red Hat on that CVE

Future open-source software vulnerabilities might come with a fedora, as Red Hat is now a CVE numbering authority of last resort.

“For over two decades, Red Hat has actively contributed to the goals and initiatives of the CVE Program,” Red Hat’s Pete Allor and Yogesh Mittal wrote in a recent blog post. “This milestone reflects our relentless pursuit of excellence, strong collaborations and impactful contributions to industry standards and best practices.”

Now have some vulnerabilities, all of which are being actively exploited:

  • CVSS 9.8 – CVE-2024-4885: Progress Software’s WhatsUp Gold network monitoring software, prior to version 2023.1.3, contains an unauthenticated RCE vuln. Given Progress’ other software issues, this deserves attention.
  • CVSS 9.8 – CVE-2022-43939: Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2 allow security restriction circumvention when using non-canonical URLs.
  • CVSS 8.8 – CVE-2022-43769: Those same versions of Hitachi Vantara Pentaho Business Analytics Server contain a special element injection vulnerability allowing web services to set property values.

Cisco warns old CVE being exploited

Cisco last week warned that CVE-2023-20118 has been added to the US Cybersecurity and Infrastructure Security Agency’s known exploited vulnerability list.

The flaw was one of several vulns in small business routers that Cisco announced in 2023 but will not fix, as it deems the flawed hardware too old to upgrade, and it suggested owners buy new kit instead. Remember that next time Cisco trumpets its environmental credentials.

Shocker: Phone cleaner apps collect, sell your data

This week’s “totally not a surprise” infosec news comes in the form of a Surfshark report that claims all of the top 10 most popular phone cleaning apps on the Apple App Store shared user data with third parties.

Data shared by the cleaning apps included user and device IDs, location data, product interactions, purchase history, usage history and the like. In short, everything that a data broker might want to use to compile a thorough advertising profile for those unwise enough to install one of the useless bits of code.

“Once shared, this data can potentially end up in the hands of hundreds of partners, who are free to use it for their own purposes,” VPN vendor Surfshark pointed out as part of its endless quest to find scary stuff that gives people a reason to acquire its wares.

These apps are obvious rubbish to our sophisticated readers, but for those worried about device security among their users and loved ones, a link to instructions on how to clean up iPhones and Android devices can go a long way toward preventing installation of such unnecessary, privacy-violating apps.

US House does something useful, passes contractor security bill

Don’t say they never do anything, because last week the US House of Representatives passed a bill that would require covered federal contractors to implement vulnerability disclosure policies. If passed, it would close what bill sponsor Congresswoman Nancy Mace’s (R-SC) office described in a press release as a “critical loophole in federal cybersecurity standards.”

The rule applies to any federal contractor with a contract worth more than $225,000 or any that “use, operate, manage or maintain a federal information system on behalf of an agency.”

Current infosec rules don’t apply to contractors, which Mace said means a gap in national security.

This isn’t the first time Mace has introduced such a bill – she tried in 2023 to pass a near-identical version, and in 2024 the Senate tabled its own version. Neither went anywhere, so Congress passing this one along to the Senate is definitely a step in the right direction.

YouTube CEO impersonated by AI to phish creators

YouTube CEO Neal Mohan’s face was apparently cloned and used by scammers in AI-generated videos to phish YouTube creators.

Google said the AI-generated video was shared with YouTube creators as a private video that announced monetization changes for the platform. It’s not clear what information the scammers behind the campaign were trying to steal, or how they attempted to do it, with Google only noting that creators shouldn’t click on private videos “claiming to be from YouTube.”

“YouTube and its employees will never attempt to contact you or share information through a private video,” Google noted in a support post last week. “Many phishers actively target Creators by trying to find ways to impersonate YouTube by exploiting in-platform features to link to malicious content.”

Singaporean cyberscammers are in for a beating

Cybercriminals facilitating scams in Singapore might want to reconsider: In addition to stiff jail terms, they could soon be facing a stiff rattan rod to the bare behind along with their time behind bars.

Singapore Minister of State for Home Affairs Sun Xueling said (12:08) that the government was considering caning scammers, per the recommendation of a Singaporean parliamentarian, in addition to continuing to hand out long prison sentences.

“We will consider … for caning to be proscribed for certain scam-related offenses recognizing the serious harm they can cause,” Sun said.

Singapore has become a hotbed of online scamming, with more than $1.1 billion lost by Singaporeans falling victim to scams in 2024.

Sun specifically called out Telegram for facilitating scams in Singapore, noting that the number of scams reported on the platform nearly doubled last year.

“We will explore further measures to address the scam situation on Telegram, including making use of our legislative levers to ensure compliance,” Sun said. ®
