The CyberWire Daily Podcast 10.22.24
Ep 2174 | 10.22.24

Zero-day exploited in the wild.

Transcript

A zero-day affects Samsung mobile processors. A critical vulnerability is discovered in the OneDev DevOps platform. German authorities warn against vulnerable industrial routers. The Bumblebee loader buzzes around corporate networks. Ghostpulse hides payloads in PNG files. A Michigan chain of dental centers agrees to a multimillion dollar data breach settlement. A White House proposal tamps down international data sharing. Fortinet is reportedly patching an as-yet undisclosed severe vulnerability. In our Threat Vector segment, host David Moulton speaks with Nathaniel Quist about cloud extortion operations, the rise of ransomware attacks, and the challenges businesses face in securing public cloud environments. Russian deepfakes spread election misinformation.

Today is Tuesday, October 22nd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A zero-day affects Samsung mobile processors. 

Google’s Threat Analysis Group (TAG) has warned of a zero-day vulnerability in Samsung’s mobile processors that has been actively exploited. The flaw, which carries a CVSS score of 8.1, is a use-after-free bug that can be abused to escalate privileges on vulnerable Android devices, specifically impacting Samsung’s Exynos processors (9820, 9825, 980, 990, 850, and W920).

The flaw resides in the m2m scaler driver, which handles media hardware acceleration. Attackers can exploit the bug by manipulating I/O virtual memory mapping, leading to arbitrary code execution within the privileged cameraserver process. This allows them to bypass Android’s kernel isolation protections.

Google researchers have noted that this exploit chain likely targets Samsung devices and could be linked to spyware vendors, though specific details about attacks have not been provided. The vulnerability was patched by Samsung in their October 2024 security update. However, its active exploitation highlights the ongoing risks from zero-day threats.

A critical vulnerability is discovered in the OneDev DevOps platform. 

A critical vulnerability, CVE-2024-45309, has been discovered in the OneDev DevOps platform, affecting versions prior to 11.0.9. This flaw allows unauthenticated users to read arbitrary files on the OneDev server, posing a serious risk to organizations using the platform for software development and deployment. The vulnerability could expose sensitive information, such as configuration files and source code, which attackers could exploit for further attacks or espionage. Due to the lack of credentials required to exploit the flaw, it significantly heightens the risk of unauthorized access and potential breaches. OneDev has released version 11.0.9 to address this issue, and users are strongly urged to update immediately. 

German authorities warn against vulnerable industrial routers. 

Germany’s CERT@VDE has warned organizations about critical vulnerabilities in industrial routers, including the mbNET.mini router from MB Connect Line, used for VPN access to industrial environments. Discovered by Moritz Abrell of SySS, two critical vulnerabilities (CVE-2024-45274 and CVE-2024-45275) allow unauthenticated, remote attackers to execute OS commands and take control of devices using hardcoded credentials. Three other high-severity flaws enable privilege escalation and information disclosure, with some requiring local access.

These vulnerabilities also affect Helmholz’s REX100 industrial router, likely due to shared hardware and software between the two devices. If exposed to the internet, attackers could potentially compromise industrial control systems (ICS) by exploiting these flaws. Both MB Connect Line and Helmholz have released patches, though SySS has not verified their effectiveness. 

The Bumblebee loader buzzes around corporate networks. 

The advanced malware loader Bumblebee has resurfaced, potentially posing a major threat to corporate networks. Netskope Threat Labs recently identified a new infection chain linked to Bumblebee, marking its return after a four-month absence following Europol’s Operation Endgame crackdown on botnets in May 2024. First discovered by Google in 2022, Bumblebee is used by cybercriminals to infiltrate networks, deploying dangerous payloads like Cobalt Strike beacons and ransomware. The latest campaign targets U.S. organizations via phishing emails containing LNK files that trigger the malware’s download. Unlike past attacks, this version uses MSI files disguised as legitimate software installers, running entirely in memory to evade detection. Linked to high-profile ransomware groups like Quantum and Conti, Bumblebee’s sophisticated stealth techniques and ties to ransomware operations make it a severe threat to corporate cybersecurity. Experts warn that organizations should not underestimate its potential damage.

CISA has added a critical vulnerability in ScienceLogic SL1, tracked as CVE-2024-9537, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. This vulnerability, with a CVSS score of 9.3, involves a third-party component and could lead to remote code execution. ScienceLogic has issued patches for versions 12.1.3 and later, as well as older versions. Rackspace experienced unauthorized access to internal servers due to this flaw. CISA urges immediate action, with a deadline for federal agencies set for November 11, 2024.

Ghostpulse hides payloads in PNG files. 

The Ghostpulse malware strain has evolved to retrieve its payload by embedding malicious data within PNG image pixels, marking a significant change since its 2023 launch. Security experts, including Salim Bitam of Elastic Security Labs, note that Ghostpulse is often used as a loader for more dangerous malware like Lumma. This new technique makes detection even more challenging, as the malware uses Windows APIs to extract pixel data and uncover the encrypted configuration. Ghostpulse’s evasion tactics, combined with social engineering techniques like tricking victims into running PowerShell scripts, highlight the increasing sophistication of this malware. 

A Michigan chain of dental centers agrees to a multimillion dollar data breach settlement. 

Great Expressions Dental Centers, a Michigan-based practice with 250 locations across nine states, has agreed to a $2.7 million settlement after a 2023 data breach affected over 1.9 million patients and employees. The breach exposed sensitive information, including Social Security numbers, medical records, and financial details. Under the settlement, affected individuals will receive compensation based on the severity of their data exposure, with those whose Social Security numbers were compromised eligible for up to $5,000 in reimbursements. Great Expressions will also implement improved data security measures, including multifactor authentication and enhanced encryption. The breach, occurring between February 17 and 22, 2023, compromised unencrypted data. Attorneys are set to receive $900,000 in fees. Despite agreeing to the settlement, Great Expressions denies any wrongdoing.

A White House proposal tamps down international data sharing. 

The Biden administration is cracking down on data transfers to countries like China and Russia with a new set of proposed rules. These are all about keeping sensitive personal and federal data out of the hands of foreign adversaries. Under the plan, U.S. companies would be blocked from sending specific types of data—like genomic, biometric, and geolocation info—when certain limits are hit. For example, no more than 100 Americans’ genomic data or 1,000 people’s biometric data can be shared with companies in those nations. The rules also aim to stop data brokers from selling this information to foreign governments, which could use it for cyberattacks or surveillance. Businesses will have to comply with new standards from CISA, and violations could mean serious penalties. There are a few exceptions, like personal communications and clinical trial data, but overall, this is about tightening security and keeping American data safe.

Fortinet is reportedly patching an as-yet undisclosed severe vulnerability. 

Fortinet has released critical security updates for FortiManager to address a severe vulnerability, reportedly being exploited by Chinese threat actors. The company privately notified select customers and recommended mitigations, including restricting device registrations to known serial numbers and isolating access to trusted networks. While specific details about the vulnerability haven’t been disclosed, the issue seems related to “Fortigate to FortiManager” communication. If you are a user of the affected products, this may be a good opportunity to reach out to your contacts at Fortinet to check in on the latest. 

On our Threat Vector segment, we share an excerpt of David Moulton speaking with Palo Alto Networks’ Nathaniel Quist about the cloud threat landscape. We’ll be right back.

Welcome back. You can find a link to the full discussion between David and Nathaniel in our show notes. Be sure to catch new episodes of Threat Vector every Thursday on your favorite podcast app. 

Russian deepfakes spread election misinformation. 

In the run-up to the 2024 U.S. presidential election, combating misinformation remains a significant challenge, as seen in the latest case involving false claims about Minnesota Governor Tim Walz. A Russian-aligned network, Storm-1516, is believed to be behind the spread of these fabricated sexual abuse allegations. The campaign gained traction after the release of a deepfake video, a tactic common in Russian disinformation efforts. Darren Linvill, of Clemson University’s Media Forensics Hub, points out that Storm-1516 typically plants fake stories and AI-altered videos, which are then amplified by other online networks. Once viral, these false claims are shared by unsuspecting users, sometimes even picked up by mainstream outlets. This strategy aims to manipulate public perception and undermine political figures like Walz. Experts warn that this disinformation campaign, linked to pro-Kremlin and QAnon influencers, is part of a broader effort to sway opinions ahead of the November election.

For further insights into Disinformation and Misinformation in the U.S. election, check out our 3-part mini-series, DisMis. Rick Howard sits down with election experts to navigate the 2024 Presidential election's information storm, offering a toolkit to help you distinguish between deceptive narratives and legitimate content in today’s rapidly shifting election security landscape. It is worth your time. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.