Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.

In this week’s roundup, we explore cyber news from across the globe. Beginning in Ukraine, a targeted operation exposes a 7-year-old Microsoft bug. Next in the UK, password standards are enforced, while Google aims to revolutionize ads. Across the pond in the US, phishing sites mimicking the Post Office receive as much traffic as the real one, the CISA unveils AI guidelines for critical infrastructure, and Honeywell has released its annual report on USB-borne malware to industrial organizations.

Targeted Operations Against Ukraine Exploited 7-Year-Old MS Office Bug

A recent hacking campaign targeting Ukraine has been uncovered by security experts at Deep Instinct Threat Lab. This campaign exploits a seven-year-old vulnerability in Microsoft Office to deliver Cobalt Strike, a potent post-exploitation tool. The campaign involves the use of a malicious PowerPoint Slideshow (PPSX) file, masquerading as an outdated US Army manual for tank mine clearing blades. This file contains a remote link to an external OLE object, exploiting the vulnerability CVE-2017-8570 to bypass CVE-2017-0199. The remote script hosted on “weavesilk[.]space” is heavily obfuscated, complicating detection and analysis. The second stage of the attack involves an HTML file with JavaScript code executed via Windows cscript.exe. This script sets up persistence and saves the embedded payload to disk, disguised as a Cisco AnyConnect VPN file. The payload includes a dynamic-link library (DLL) that injects Cobalt Strike Beacon into memory, allowing threat actors to await commands from the command-and-control (C2) server.

Despite efforts to attribute the attacks, the source remains unclear. Evidence suggests the sample originated from Ukraine, with a Russian VPS provider hosting the second stage, and the Cobalt beacon C&C registered in Warsaw, Poland. The lure of military-related content in the malicious files suggests a targeting of military personnel. However, the use of domain names like “weavesilk[.]space” and “petapixel[.]fun,” disguised as unrelated sites, raises questions about the attackers’ motives and tactics.

This campaign underscores the persistent threat posed by sophisticated cyber adversaries exploiting long-standing vulnerabilities to deploy powerful malware tools, emphasizing the importance of robust cybersecurity defenses and proactive threat intelligence efforts.

UK Legislation: Ban on Crummy Default Device Passwords

Starting today, smart device manufacturers in the UK are subject to new regulations aimed at enhancing cybersecurity and protecting consumers from cyber threats. The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) mandates minimum security standards for all smart devices, with a focus on eliminating easily crackable default passwords, which have been a notorious vulnerability exploited by cybercriminals.

Under the PSTI Act, manufacturers are prohibited from shipping devices with default passwords that are easily discoverable online. This move addresses a longstanding issue highlighted by cybersecurity experts, including Professor Alan Woodward from the University of Surrey, who emphasizes the importance of basic security hygiene, particularly regarding password strength. In addition to addressing default passwords, the PSTI Act requires manufacturers to provide a point of contact for reporting security concerns and to disclose the minimum period for which devices will receive security updates. While there are no specific guidelines for the duration of security support, transparency in communication with consumers is mandated.

The legislation applies to various consumer smart devices, including entertainment devices, home surveillance systems, home appliances, and wearables. To support consumers in bolstering device security, the UK’s National Cyber Security Centre (NCSC) has issued guidance emphasizing the use of strong, unique passwords. While the PSTI Act has been hailed as a crucial step in enhancing IoT security, some experts, like Tim Callan from Sectigo, believe that it falls short of European standards and leaves significant gaps in cybersecurity defenses. The Office for Product Safety and Standards (OPSS) is responsible for enforcing these regulations, with penalties for non-compliance including hefty fines of up to £10 million or 4% of qualifying worldwide revenue.

Despite the positive reception, skepticism remains regarding the UK government’s enforcement efforts. However, the introduction of the PSTI Act marks a significant milestone in strengthening cybersecurity measures and protecting consumers from the growing threat landscape posed by cybercriminals targeting smart devices.

WatchDog Uncovers Lingering Concerns with Google Privacy Sandbox

The UK Competition and Markets Authority (CMA) remains concerned about Google’s Privacy Sandbox advertising toolkit due to privacy and competition issues. Google’s plan to discontinue third-party cookies in Chrome has been delayed until 2025, reflecting ongoing regulatory scrutiny.

Google aims to revolutionize online ad targeting by replacing cookies with its Privacy Sandbox APIs. However, concerns persist about the software’s privacy implications and competitive impact. Ad industry rivals fear losing access to valuable data, essential for effective ad targeting.

The Privacy Sandbox rollout began with early versions of specific APIs, like the Topics API, introduced in Chrome and Android. This API targets users based on inferred interests derived from browsing activity. While Google asserts its privacy benefits, skepticism remains, given the company’s past privacy controversies. The CMA’s latest update outlines nearly 80 unresolved issues with Google’s technology, including concerns about user consent and potential misuse of Topics data. The report highlights the need for improved transparency and governance in Google’s ad regime. Critics argue that Google’s proposed ad targeting scheme lacks adequate governance and stifles competition. They advocate for fair competition and transparency in the digital advertising market.

Despite Google’s assurances, regulatory scrutiny persists, with the Information Commissioner’s Office (ICO) expressing doubts about the Privacy Sandbox’s efficacy. The CMA’s report underscores the need for significant improvements to address privacy and competition concerns. Google maintains its commitment to enhancing user privacy through the Privacy Sandbox but faces pressure to address regulatory concerns. As the company navigates regulatory scrutiny, it must balance innovation with user privacy and market fairness.

US Post Office Phishing Sites Equally Trafficked as Authentic Ones

Security researchers have uncovered a concerning trend in phishing campaigns targeting the United States Postal Service (USPS), revealing a surge in malicious activity during the holiday season. Akamai Technologies, analyzing DNS queries to fake USPS domains, found that traffic to these fraudulent sites mirrors legitimate USPS traffic, especially during holidays. These phishing operations aim to steal sensitive information like account credentials and payment details or deceive users into making payments for fictitious fees. The design of these fake USPS sites closely resembles the authentic USPS site, featuring convincing tracking pages for package status updates.

Akamai’s investigation, initiated after an employee received a suspicious SMS redirecting to a malicious site, identified numerous domains employing the same malicious JavaScript code. These phishing sites even included a fake postage item shop that gained traction during the holiday shopping season. From October 2023 to February 2024, Akamai identified nearly half a million queries to the most popular malicious domains, with some surpassing 150,000 queries each. These malicious domains primarily utilized .com, .top, and .shop top-level domains (TLDs), mimicking legitimate USPS addresses.

Despite efforts to mimic legitimate USPS traffic, Akamai’s analysis revealed that traffic to malicious domains surpassed that of the legitimate USPS site during the holiday season. This increased activity underscores the heightened risk of phishing attacks during the winter holidays.

While Akamai’s research focused on USPS, the prevalence of these phishing campaigns likely extends to other brands. Consumers are advised to exercise caution and skepticism when receiving SMS or email messages regarding package shipments. To verify the legitimacy of such communications, individuals should manually visit the official USPS website rather than clicking on suspicious links.

This research highlights the importance of remaining vigilant against phishing scams and underscores the need for robust cybersecurity measures, especially during peak shopping seasons.

The most popular top-level domains (TLDs) associated with phishing USPS-themed domains were:

.com – 4459 domains and 271,278 queries
.top – 3,063 domains and 274,257 queries
.shop – 566 domains and 58,194 queries
.xyz – 397 domains and 30,870 queries
.org – 352 domains and 16,391 queries
.info – 257 domains and 7,597 queries

CISA Unveils Guidance for AI in Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA) has issued comprehensive guidelines addressing the integration of artificial intelligence (AI) into critical infrastructure operations, following the directives outlined in the Biden administration’s executive order on AI. These guidelines aim to help owners and operators of critical infrastructure sectors, spanning 16 industries such as agriculture and information technology, to leverage the opportunities presented by AI while mitigating potential risks. CISA’s guidance emphasizes the importance of governance, mapping, measurement, and management of AI usage within critical infrastructure, aligning with the National Institute of Standards and Technology’s AI risk management framework. It underscores the need for critical infrastructure stakeholders to understand AI dependencies, inventory use cases, establish procedures for reporting security risks, and conduct regular vulnerability testing of AI systems.

While AI offers transformative benefits such as operational awareness, customer service automation, and enhanced security measures, the guidelines also highlight associated risks. These risks include potential AI-facilitated attacks, vulnerabilities in AI systems, and failures in AI design and implementation, which could result in critical failures or unintended consequences.

Homeland Security Secretary, Alejandro Mayorkas, emphasizes the department’s commitment to identifying and mitigating AI-related threats to critical infrastructure. DHS has been proactive in its approach to AI, releasing an AI roadmap and appointing Michael Boyce to lead its AI Corps, tasked with hiring 50 AI experts by 2024. Additionally, the department has enlisted technology industry leaders like Sam Altman and Sundar Pichai to support its newly formed board, focused on AI and critical infrastructure.

CISA’s guidelines provide a framework for critical infrastructure stakeholders to harness the benefits of AI while addressing associated risks, aligning with the government’s broader efforts to safeguard national security and resilience in the face of evolving technological challenges.

Honeywell: Increasing Sophistication of USB Malware Attacks on Industrial Organizations

Honeywell, a leading industrial conglomerate, has released its sixth annual report on the threat of USB-borne malware to industrial organizations, highlighting an alarming rise in sophistication. The report, based on analysis by Honeywell’s Global Analysis, Research, and Defense (GARD) team, indicates that while some data has remained consistent over the past year, there are concerning trends worth noting. Key findings reveal that a significant portion (31%) of malware detected on USB drives is associated with campaigns targeting industrial systems. Additionally, over half of the malware is designed to spread via USB drives, aiding its transmission across air gaps, and approximately half can connect to remote command and control servers. Moreover, 80% of the detected malware poses a tangible threat to operational technology (OT) processes, capable of causing disruptions such as loss of view, control, or system outages. Notably, ransomware and malware specifically engineered to manipulate or disrupt control systems, such as Industroyer and Black Energy, are among the identified threats.

Honeywell’s report highlights a shift towards adversaries employing living-off-the-land (LotL) strategies to evade detection, combining sophisticated detection avoidance techniques with system-specific execution methods. Approximately 20% of USB-borne malware utilizes content-based attacks, exploiting existing document and scripting functions rather than relying on new vulnerabilities. Furthermore, there’s been a notable increase in malware targeting Linux and other platforms, specifically tailored for industrial facilities. The frequency of malware attacks has surged, with a 33% increase in blocked malware compared to the previous year, marking a concerning 700% year-over-year rise.

The report underscores the growing sophistication and frequency of cyber threats facing industrial and OT environments, with USB-borne malware emerging as a significant component of larger cyber attack campaigns. This assertion is supported by the analysis of attack techniques, along with the presence of malware associated with major cyber-physical attacks like Stuxnet, Triton, and Industroyer. As USB-borne malware continues to evolve and pose increasingly severe risks to industrial operations, Honeywell emphasizes the critical importance of robust cybersecurity measures to defend against these threats effectively.

References:

Canary Trap’s Bi-Weekly Cyber Roundup