Shortly Advanced Persistent Threat Group (APT) Budworm shifted its targets after hitting the Middle East, Europe and Asia and was caught trying to penetrate the systems of an unnamed US state this week.
Symantec’s threat hunter team reported the intrusion, saying it had all the hallmarks of an attack by a China-linked budworm gang believed to be state-sponsored.
Budworm’s main tool is known as HyperBro, but it was recently discovered misusing a number of legitimate security tools, Symantec said, including using CyberArk Viewfinity endpoint privilege management software, penetration testing tool Cobalt Strike, credential harvesting tools LaZagne, the proxy and port forward tool IOX, Fast Reverse Proxy and Fscan.
“Budworm has been known to launch ambitious attacks against high-value targets,” Symantec said, citing attacks against an unnamed Middle Eastern government and an East Asian hospital as evidence.
Although it did not provide details of these incidents, Symantec has a link to a Cybersecurity and Infrastructure Security Agency (CISA) report earlier this year on an APT campaign against an unnamed US defense contractor. CISA notes that HyperBro was used in the attack, meaning the group was likely involved — but they didn’t act alone.
“During incident response activities, CISA uncovered that likely multiple APT groups had compromised the organization’s network and some APT actors had long-term access to the environment,” the agency said.
That’s not good news, as Symantec sees it: With two high-level US targets attacked in a matter of months, “a resumption of attacks on US-based targets could signal a change in focus for the group.”
Senator Warren ushers in cell’arm, shaming banks over EFT fraud
US Senator Elizabeth Warren (DMA) says big banks are ignoring the growing fraud on the cell online payment platform they operate and will not reimburse users who fall for the scam.
If you haven’t heard of Zelle, you’re not alone — the embattled Venmo competitor is owned by Bank of America, Truist, Capital One, JPMorgan Chase, PNC Bank, US Bank, and Wells Fargo. Now the senator claims the system is short selling consumers.
Fraud claims on the platform totaled over US$90m (£80.5m) in 2020, according to Warren’s data, which she says was made available on request in September by four of the consortium’s seven banks on track to surpass $255 million (£228 million) by the end of 2022.
To make matters worse, Warren said the banks said they only pay back 9.6 percent of fraud claims, which works out to just $2.9 million.
Cell, on the other hand, said that 99.9 percent of transactions on its network are sent with no fraud or fraud reports, and that “any external analysis is incomplete and does not reflect the efforts and data reported by more than 1,700 financial institutions on the cell network.”
Airtag helps Democrats discover dumpsters
A political lawn sign bandit in Pennsylvania was foiled thanks to the clever use of an Apple Airtag.
While the suspect remains at large is Pennsylvania State Representative Melissa Shusterman tweeted that an Apple tracker was just the thing to turn the thief’s efforts into a futile exercise.
“Local Republicans thought they could throw away [Josh Shapiro], [Chrissy Houlahan], and my signs without getting caught. Luckily, a community member put an airtag in one [of] the signs and it led us to this dumpster,” Shusterman tweeted, along with a photo of a trash can full of campaign signs.
Police officers in Tredyffrin Township, PA said they are reviewing video footage of a truck driving to the dumpster and someone unloading the signs. Officials also claimed there was no targeted party affiliation among those found in the trash, but a former Democratic committee member who reported pulling 118 signs from the dumpster said all were for Democratic candidates, with the signs of the US Senate candidate John Fetterman also found the garbage.
Undeterred, Shusterman said the items had been recovered and campaign workers were on the scene. “Double the amount of characters will go up again,” she said tweeted.
Fortinet Triple-Whammy CVE receives PoC, detailed explanation
A critical bug in Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager has been patched, but for the curious, security firm Horizon3.ai has released a proof of concept for the exploit and explains how it works.
As The registry The bug, reported earlier this week, could “allow an unauthenticated attacker to perform operations on the management interface via specially crafted HTTP or HTTPS requests,” but now we have a better understanding of what exactly happened.
By running a diff command on vulnerable and patched versions of FortiOS, Horizon3.ai wrote in its Deep Dive, it found some strings in the installer’s init binary that referenced headers in the installer’s NodeJs file.
“This init binary is quite large and appears to have many features, including Apache hooks and handlers for various management REST API endpoints,” Horizon3.ai noted.
Long story short, these forwarded headers could be abused by an attacker to set the client IP to 127.0.0.1, fooling the trusted access authentication agent and allowing the attacker to make API requests without requiring authentication is.
“An attacker could use this vulnerability to do almost anything they want with the vulnerable system,” noted Horizon3.ai, including adding new users, changing network configurations, and other malicious activities.
Bad news: The researchers said this isn’t new and that they “have noticed a trend in recently discovered enterprise software vulnerabilities where HTTP headers are not properly validated or are overly trusted.”
Install those patches folks. ®
https://www.theregister.com/2022/10/17/in-brief-security/ Chinese budworm APT digs hole in US state legislature • The Register