
New Countries Join Biden's Anti-Spyware Initiative as US Government Targets Grow

Health insurance billing stabilizing after ransomware attack, Binance ordered to disclose Nigerian user data, New variant of Viasat wiper spotted, New Chinese APT group breached 70 orgs, ShadowSyndicate scanning for python library flaw, Israeli influence op discovered, Cisco closes Splunk acquisition, much more

The Biden administration is welcoming six new countries to a US-led pact to crack down on phone-hacking spyware as the administration continues to find new cases of American government personnel being targeted by a technology that it deems a national security and counterintelligence threat.

A year ago, the Biden administration put the tally of US government personnel suspected of or confirmed to have been targeted by spyware at 50. It has since grown, an NSC official said, declining to quantify the growth in cases while saying that the counterintelligence and national security risks from the technology remain high.

Poland, Ireland, Finland, Germany, Japan, and South Korea are the latest countries that have pledged to an international commitment to work collectively to counter the proliferation and misuse of commercial spyware first announced on March 30, 2023.

The addition of Poland and Ireland is significant because Poland’s prime minister claimed that the previous government had used spyware on a long list of victims. This month, the US Treasury Department sanctioned an Ireland-based company for allegedly being involved in the spyware business. (Sean Lyngaas / CNN)

After meeting with healthcare executives, senior Biden administration officials said that the health insurance billing system in the United States is stabilizing following an unprecedented ransomware attack on Change Healthcare last month, but smaller health clinics may still need help to ensure they can stay in business.

Ninety-five percent of health insurance claims at Change Healthcare, the insurance billing firm roiled by the February 21 hack, are now being processed, a senior administration official said.

Change Healthcare restored its electronic payments platform on March 15 and “is proceeding with payer implementations,” UnitedHealthGroup said. The statement indicated that 99% of the company’s pharmacy network services are back online and that the company is working on the rest.

Change Healthcare will release “medical claims preparation software” to thousands of customers over the next several days, the parent firm said, touting an “important step in the resumption of services.” (Sean Lyngaas / CNN)

A federal high court in Abuja has ordered Binance, the world’s largest cryptocurrency exchange, to provide Nigeria’s Economic and Financial Crimes Commission (EFCC) with information on all Nigerians using its trading platform.

The court said it has granted the EFCC’s demand for Binance to turn over user information as part of what it says is a more extensive investigation into alleged money laundering and terrorism financing on the Binance platform. Commission investigators say they have intelligence that suggests money laundering and terrorism financing on the platform but have not revealed any details on the evidence they allegedly have.

The court order comes as Nigeria continues to detain without charge two of the exchange’s employees, American Tigran Gambaryan, a former IRS agent who specialized in cryptocurrency tracking, and Nadeem Anjarwalla, a UK citizen who is the company’s Kenya-based regional manager for Africa.

Sources say the two men are being held in a government compound where they are only allowed to use their phones to contact lawyers and family. They have been held there, under guard, since February 26.

The two men have a court hearing set for Wednesday, and the commission has filed a petition to extend the executives’ detention. (Dina Temple-Raston / The Record)

Tom Hegel, principal threat researcher at SentinelOne, spotted in an upload to VirusTotal a new variant of AcidRain, the wiper malware used to disrupt Viasat at the outset of the Ukraine war.

Dubbed “AcidPour” by Hegel and his colleagues, the new variant is concerning because it has new features and could be used as part of a “larger service disruption by Russia” and wipe the contents of not just modems but a range of other devices.

While the original version was designed to wipe modems and routers, the updated software is far more capable. “Now AcidPour is markedly different on a technical level — it has different architecture, and new features,” Hegel said. “This time the attacker can wipe RAID arrays and UBI – which could be used for a different level of impact, and potentially even more difficult to prevent and recover from.”

RAID and UBI generally refer to a system’s memory functions, and it appears the updated malware could be used to target memory in embedded devices — components within larger systems — including IoT, networking devices and “maybe some [industrial control systems],” Juan Andres Guerrero-Saade, the associate vice president of the SentinelLabs research unit at SentinelOne, said.

“The identification of impacting RAID, and Unsorted Block Image File Systems (UBIFS) used by embedded devices — which of course can span many types of real-world devices — is noteworthy,” Hegel explained. “Embedded devices are particularly concerning as they often serve critical needs yet lack simple detection and recovery options if they were to be wiped.”

Hegel said he would expect the malware to be deployed to “many devices,” including those in data centers, network-attached storage devices or others. “It should work on them all,” he said. “Big open door for what it could be used on.” (AJ Vicens / Cyberscoop)

Related: HackRead

Researchers at Trend Micro report that a sophisticated hacking campaign attributed to a Chinese Advanced Persistent Threat (APT) group known as Earth Krahang has breached 70 organizations and targeted at least 116 across 45 countries.

The campaign has been underway since early 2022 and focuses primarily on government organizations. It has compromised 48 government organizations, 10 of which are Foreign Affairs ministries, and targeted another 49 government agencies.

The attackers exploit vulnerable internet-facing servers and use spear-phishing emails to deploy custom backdoors for cyberespionage.

Earth Krahang abuses its presence on breached government infrastructure to attack other governments, builds VPN servers on compromised systems, and performs brute-forcing to crack passwords for valuable email accounts.

Trend Micro says it initially found ties between Earth Krahang and the China-nexus actor Earth Lusca, based on command and control (C2) overlaps, but determined that this is a separate cluster.

It is possible that both threat groups operate under the Chinese company I-Soon, which functions as a dedicated task force for cyberespionage against government entities.

Also, RESHELL has been previously associated with the Gallium group and XDealer with the Luoyu hackers. However, Trend Micro's insight shows these tools are likely shared between the threat actors, each using a distinct encryption key. (Bill Toulas / Bleeping Computer)

Source: Trend Micro.

Researchers at Cyble say they observed the ransomware actor ShadowSyndicate scanning for servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library.

Aiohttp is an open-source library built on Python's asynchronous I/O framework, Asyncio, to handle large amounts of concurrent HTTP requests without traditional thread-based networking.

On January 28, 2024, aiohttp released version 3.9.2, addressing CVE-2024-23334, a high-severity path traversal flaw impacting all versions of aiohttp from 3.9.1 and older that allows unauthenticated remote attackers to access files on vulnerable servers.

On February 27, 2024, a researcher released a proof of concept (PoC) exploit for CVE-2024-23334 on GitHub, while a detailed video showcasing step-by-step exploitation instructions was published on YouTube at the start of March.

Cyble's threat analysts report that their scanners have caught exploitation attempts targeting CVE-2024-23334 starting on February 29 and continuing at an increased rate into March.

The scanning attempts originate from five IP addresses, one of which was tagged in a September 2023 report by Group-IB, who linked it to the ShadowSyndicate ransomware actor.

Cyble's internet scanner ODIN shows there are roughly 44,170 internet-exposed aiohttp instances around the world. Most (15.8%) are located in the United States, followed by Germany (8%), Spain (5.7%), the UK, Italy, France, Russia, and China. (Bill Toulas / Bleeping Computer)
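The scanning described above shows up in web-server access logs as requests whose path, once percent-decoded, contains a `..` segment that escapes the served directory. The following is an added example, not code from Cyble, aiohttp or any of the sources cited here: it parses constructed combined-format access-log lines (the log layout is an assumption about what an aiohttp deployment behind a reverse proxy would record) and flags traversal attempts, including single- and double-URL-encoded forms and encoded slashes, then aggregates them per client so a scanner stands out from one-off probes.

```python
"""Flag directory-traversal attempts in web-server access logs.

Added example (not from Cyble, aiohttp or any vendor named in the article).
The log lines below are constructed; the combined-log layout they follow is an
assumption about what an aiohttp deployment logs.
"""
import re
from urllib.parse import unquote

# Assumed combined log format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two benign static requests and four traversal probes
# (raw, single-encoded, double-encoded, encoded slash).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Feb/2024:10:01:02 +0000] "GET /static/css/site.css HTTP/1.1" 200 1824
203.0.113.10 - - [29/Feb/2024:10:01:03 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0
198.51.100.7 - - [29/Feb/2024:10:02:44 +0000] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0
198.51.100.7 - - [29/Feb/2024:10:02:45 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
192.0.2.55 - - [29/Feb/2024:10:03:00 +0000] "GET /static/js/app.js HTTP/1.1" 200 9931
192.0.2.55 - - [29/Feb/2024:10:03:01 +0000] "GET /static/..%2f..%2fetc/passwd HTTP/1.1" 404 0
"""


def decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing, so double-encoded
    sequences such as %252e%252e are reduced to '..' as well."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if any path segment, after decoding, is exactly '..'.
    Query strings are dropped first; backslashes are treated as separators."""
    decoded = decode_fully(path.split("?", 1)[0])
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_traversal_attempts(log_text):
    """Return a list of (client_ip, raw_path, status) for traversal requests."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_traversal(rec["path"]):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def sources_by_count(hits):
    """Count hits per client IP; repeated probes from one source indicate scanning."""
    counts = {}
    for ip, _path, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    attempts = find_traversal_attempts(SAMPLE_LOG)
    for ip, path, status in attempts:
        print(f"{ip} {status} {path}")
    print(sources_by_count(attempts))
```

A 403 or 404 on a flagged request means the server refused it, but the probe itself is still worth alerting on, since a scanner that finds a 200 moves on to reading files; checking the deployed aiohttp version against the patched 3.9.2 release remains the actual fix.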

A critical vulnerability in the Fortra FileCatalyst managed file transfer (MFT) service could enable remote code execution (RCE) and web shell deployment by an unauthenticated attacker.

The vulnerability, which has a CVSS score of 9.8, affects versions of Fortra FileCatalyst before Version 5.1.6 Build 114. It is a directory traversal flaw that enables files to be uploaded to restricted locations via a specially crafted POST request.

On March 13, Fortra published an advisory and a full proof-of-concept (PoC) exploit for the vulnerability. Tom Wedgbury, a managing senior security consultant at LRQA Nettitude, discovered the bug in early August 2023. Fortra released a patch days later, noting “various security fixes” in its release notes.

The full disclosure and PoC release came after Fortra was first authorized as a CVE Numbering Authority in early December. The CVE for the flaw, CVE-2024-25153, was ultimately issued at Wedgbury’s request, according to Fortra.

There have been no reports of CVE-2024-25153 exploitation in the wild. (Laura French / SC Media)

Documentation startup Mintlify says dozens of customers' GitHub tokens were exposed in a data breach at the start of the month, which was publicly disclosed last week.

Mintlify helps developers create software and source code documentation by requesting access and tapping directly into the customer’s GitHub source code repositories. Mintlify counts fintech, database, and AI startups as customers.

Mintlify blamed its March 1 incident on a vulnerability in its own systems but said 91 of its customers' GitHub tokens were compromised as a result.

These private tokens allow GitHub users to share their account access with third-party apps, including companies like Mintlify. If these tokens are stolen, an attacker could obtain the same level of access to a person’s source code as the token permits.

“The users have been notified, and we’re working with GitHub to identify whether the tokens were used to access private repositories,” Mintlify co-founder Han Wang said. (Zack Whittaker / TechCrunch)

In data breach notification filings, Nevada-based Nations Direct Mortgage said more than 83,000 customers were affected by a late 2023 data breach that leaked Social Security numbers and other sensitive information.

The company said it discovered a cybersecurity incident on December 30 that prompted an investigation. Law enforcement and other governmental agencies were notified of the cyberattack.

The company said “Based on our investigation, we understand that your name, address, social security number, and unique Nations Direct loan number may have been obtained by the unauthorized third party bad actor.”

Victims will be given two years of identity protection services from Kroll. The company posted a copy of the letter on its website as well.

Multiple law firms are seeking victims for a potential class-action lawsuit against Nations Direct Mortgage for the breach. (Jonathan Greig / The Record)

The city government of Pensacola, Florida, is dealing with widespread phone outages due to a cyberattack announced over the weekend.

City spokesperson Jason Wheeler said that officials are experiencing phone issues across city departments that are causing delays in receiving service through the 311 Citizen Support system.

Emergency phone numbers like 911 are still operating, and Wheeler said non-emergency numbers can be used to contact the Pensacola Police Department and Fire Department. The city has also created alternate phone numbers for the energy department, sanitation, public works, engineering, housing, and other departments. (Jonathan Greig / The Record)

For the first time since the war in Gaza began, social media researchers have discovered an Israeli influence operation active across several platforms using hundreds of fake accounts to advance what was termed "Israeli interests" online among young Western audiences in English.

The campaign, discovered by an Israeli online watchdog, Fake Reporter, is not pushing out disinformation but instead focuses on inorganically amplifying claims and reports regarding the involvement of UNRWA workers in the October 7 attack on Israel, and its targets include US lawmakers.

At the center of the campaign were three "news sites" that seemed to have been created especially for the operation. The sites published reports that were copied from other real news outlets, including CNN and The Guardian. Hundreds of avatars intensively promoted the "reports" from the campaign's sites and posted screen captures from real ones, such as a Wall Street Journal report on UNRWA staff members' involvement in the attack.

Over 500 different avatars were found on the three social networks. They pushed out posts with almost identical wording and links to what Fake Reporter called "the three main assets" in the influence operation: UnFold Magazine, Non-Agenda and The Moral Alliance. UnFold's X profile was created on the same date on which many avatars were also made. While the Moral Alliance only has a presence on social media, the other two have actual websites – and these two also share several technical characteristics that indicate they are linked to each other and were set up as part of the same operation.

The three assets have over 40,000 followers across social media, and according to researchers, the network includes a core group of users, a secondary group for amplification, including some Israeli avatars, though most were American (including many with Jewish and African American names), and another group for retweeting or responding.

The operation began a few weeks after the war broke out and is still active today. The campaign, researchers found, tried to inflate the exposure of its content and to artificially boost the popularity of online materials deemed to be pro-Israel or advancing Israeli interests. (Omer Benjakob / Haaretz)

Source: Haaretz.

The DoD Cyber Crime Center (DC3) reports that over 50,000 vulnerabilities have been submitted to the US Department of Defense (DoD) through its vulnerability disclosure program (VDP).

Unlike other bug bounty efforts, DC3’s VDP is a continuous scheme welcoming ethical hackers to find vulnerabilities within US military IT systems and report them to the DoD. (Kevin Poireault / Infosecurity Magazine)

Related: DC3, Security Week

The Connectivity Standards Alliance (CSA) announced the CSA’s IoT Device Security Specification, a baseline cybersecurity standard and certification program that aims to provide a single, globally recognized security certification for consumer IoT devices.

Device makers who adhere to the specification and undergo the certification process can carry the CSA’s new Product Security Verified (PSV) Mark. If that security camera or smart lightbulb you’re buying carries the mark, users will know it has met requirements to help secure it from malicious hacking attempts and other intrusions that could impact their privacy.

The CSA’s announcement follows last week’s news that the FCC has approved implementing its new cybersecurity labeling program for consumer IoT devices in the US. Both programs are voluntary, and the CSA says its label doesn’t compete with the US Cyber Trust Mark.

Instead, CSA says it goes a step further, taking all of the US requirements and adding cybersecurity baselines from similar programs in Singapore and Europe. The result is a single specification and certification program that can work across multiple countries. (Jennifer Pattison Tuohy / The Verge)

Related: PCMag, CSA-IOT

BigID, an AI-augmented data security, compliance, and privacy cloud-focused startup, announced it had raised $60 million in a venture funding growth round.

Riverwood Capital led the round with participation by Silver Lake Waterman and Advent. (Marc Vartabedian / Wall Street Journal)

Cisco Systems closed its $28 billion all-cash acquisition of cybersecurity and analytics company Splunk.

The deal, the largest in Cisco’s history, was completed months earlier than projected and reflects the extraordinary effort many companies are undertaking as they remake their businesses around data and artificial intelligence.

The combined company will use AI to help customers correlate intelligence from different vendor platforms, enabling a more predictive approach to cybersecurity.

While that predictive capability has been developing for some time, the company also plans to launch more capabilities that use generative AI to simplify their software and make it easier for people without technical training to operate the tools. (Steven Rosenbush / Wall Street Journal)

Best Thing of the Day: A Good Use for AI

The US Department of Homeland Security, in partnership with OpenAI, Anthropic, and Meta, is launching several AI pilot programs and plans to hire fifty AI experts to develop solutions to keep the nation’s critical infrastructure safe from AI-generated attacks.

Worst Thing of the Day: Hard to Push the Disinformation Toothpaste Back Into the Tube

Among the Kremlin’s torrent of disinformation since the outset of the Ukraine war is a campaign to push fictitious narratives spread by fake news outlets written by made-up journalists that, once released, are difficult to eradicate from social media outlets.

Closing Thought