#AxisOfEasy 360: Company Thwarts North Korean Espionage Plot


Weekly Axis Of Easy #360


Last Week’s Quote was: “Socialism of any type and shade leads to a total destruction of the human spirit and to a leveling of mankind into death,” was by Alexandr Solzhenitsyn. Mike is our winner! Well done.

This Week’s Quote: 
“Don’t worry about people stealing your ideas. If your ideas are any good, you’ll have to ram them down people’s throats.”  By ???

THE RULES: No searching up the answer, must be posted at the bottom of the blog post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of July 22nd, 2024, in which our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.

To listen to or watch this podcast edition with commentary and insight from Joey Tweets and Len the Legend, click here.


In this issue: 

  • Company Thwarts North Korean Espionage Plot
  • USPS Shares Customer Addresses With Tech Giants
  • Revolver Rabbit Gang Registers 500,000 Domains for Malware
  • Microsoft Reveals CrowdStrike Outage Impact on 8.5 Million Windows Devices
  • Google Drops the Ball on Chrome Tracking
  • CVE-2024-6387 regreSSHion bug – root RCE

Elsewhere Online:

  • Google Backpedals on Third-Party Cookie Ban
  • Docker Users Urged to Update After Critical Flaw Found
  • Cybercriminals Create Fake GitHub Profiles to Distribute Malware
  • Organizations Scramble After Twilio Authy Exploit
  • Popular AI Framework Found Vulnerable


Company Thwarts North Korean Espionage Plot

KnowBe4, a cybersecurity firm, recently encountered a sophisticated breach attempt during their hiring process. They posted a job for their IT AI team, conducted extensive interviews, and performed background checks and reference verifications, ultimately hiring a candidate. As soon as the new hire received their Mac workstation, it started loading malware. This incident, which occurred on July 15, 2024, triggered an investigation by KnowBe4’s Security Operations Center (SOC).

The SOC detected suspicious activity at 9:55 PM EST and contacted the new hire, who claimed to be troubleshooting a router issue. When further details were sought, the new hire became unresponsive, prompting the SOC to contain the device at 10:20 PM EST. The investigation revealed the employee was an impostor from North Korea using a stolen, AI-enhanced identity. The attacker manipulated session history files and used a Raspberry Pi to download malware; KnowBe4 coordinated with Mandiant and the FBI to corroborate these findings.

The impostor operated from an “IT mule laptop farm,” using VPNs to appear as if they were working in the US during the day, while actually located in North Korea or China.

The incident serves as a stark reminder of the evolving tactics employed by cybercriminals. It underscores the critical need for organizations to implement robust identity verification, advanced threat detection, and incident response capabilities. As the digital landscape continues to expand, so too does the complexity of the threats it poses.

Read: https://blog-knowbe4-com.cdn.ampproject.org/c/s/blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us

USPS Shares Customer Addresses With Tech Giants

TechCrunch revealed that the U.S. Postal Service (USPS) shared customer addresses with companies like Meta and LinkedIn. The USPS announced on Wednesday that it had stopped sharing this data, claiming ignorance of the practice.

USPS used tracking pixels on its website to collect user information. This data included postal addresses of Informed Delivery customers. These customers use the service to preview photos of their incoming mail.

A USPS statement read, “The Postal Service leverages an analytics platform for our own internal purposes, so that we understand the usage of our products and services.” They added, “The Postal Service does not sell or provide any personal information to any third party, and we were unaware of any configuration that shared it without our knowledge.”

A Facebook spokesperson commented, “We’ve been clear in our policies that advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies.”

TechCrunch’s analysis showed that the USPS shared logged-in users’ postal addresses and other data with Meta, LinkedIn, and Snap. This included computer and browser information, partially pseudonymized but still potentially identifiable.

Tracking numbers entered on the USPS site were also shared with advertisers like Bing, Google, LinkedIn, Pinterest, and Snap. The extent of the data collection is unclear, but Informed Delivery had over 62 million users as of March 2024.

Read: https://www.zerohedge.com/markets/usps-caught-sharing-customer-addresses-tech-giants-including-meta-and-linkedin

Revolver Rabbit Gang Registers 500,000 Domains for Malware

A cybercriminal group named Revolver Rabbit has registered over 500,000 domain names for malware campaigns. This gang targets Windows and macOS systems using a technique called registered domain generation algorithms (RDGAs).

RDGAs allow them to register many domain names quickly. These domains are used to distribute the XLoader info-stealing malware. Researchers at Infoblox, a DNS-focused security company, discovered this activity.

Renée Burton, VP of Threat Intel at Infoblox, explained, “The .BOND domains related to Revolver Rabbit are the easiest to see, but they have registered more than 700,000 domains over time.” The gang has spent nearly $1 million on domain registrations for their operations.

The domains follow a pattern of dictionary words followed by a five-digit number, making them easy to read. Examples include “usa-online-degree-29o.bond” and “yoga-classes-35904.bond.” Infoblox has tracked Revolver Rabbit for nearly a year. The use of RDGAs made it challenging to understand their objectives until recently. The gang uses these domains for command and control servers, making it difficult for researchers to trace them.

Revolver Rabbit’s large-scale operation highlights the need to understand RDGAs as a tool used by cybercriminals. Other threat actors also use RDGAs for malware, phishing, and spam campaigns.
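The naming pattern described above (dictionary words joined by hyphens, then a five-digit number) is something a defender can hunt for in resolver logs. The following is an added example, not code from Infoblox or the original article; the dnsmasq-style log lines are constructed, and the clustering-by-TLD threshold is an assumption meant to separate one odd-looking name from the bulk registrations an RDGA produces.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq-style query log lines; the .bond names mirror
# the Revolver Rabbit pattern, the others are ordinary traffic.
SAMPLE_LOG = """\
Jul 22 09:01:12 dnsmasq[812]: query[A] yoga-classes-35904.bond from 10.0.0.14
Jul 22 09:01:13 dnsmasq[812]: query[A] www.example.com from 10.0.0.14
Jul 22 09:02:40 dnsmasq[812]: query[A] online-degree-10482.bond from 10.0.0.22
Jul 22 09:03:05 dnsmasq[812]: query[A] cheap-car-insurance-77310.bond from 10.0.0.9
Jul 22 09:03:09 dnsmasq[812]: query[A] mail.corp.example from 10.0.0.9
Jul 22 09:04:51 dnsmasq[812]: query[A] yoga-classes-35904.bond from 10.0.0.14
Jul 22 09:05:00 dnsmasq[812]: query[A] shop-12345.example from 10.0.0.3
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
# Registrable label: one or more lowercase words joined by hyphens, then a five-digit number.
RDGA_LABEL_RE = re.compile(r"^[a-z]+(?:-[a-z]+)*-\d{5}$")


def registrable_parts(name):
    """Return (label, tld) for the last two labels of a hostname, lower-cased."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def find_rdga_clusters(log_text, min_domains=2):
    """Group pattern-matching domains by TLD and keep TLDs with at least
    min_domains distinct matches: several distinct hits under one TLD is a
    stronger RDGA signal than a single coincidental match (assumed threshold)."""
    by_tld = defaultdict(lambda: defaultdict(set))  # tld -> domain -> client IPs
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        parts = registrable_parts(m.group(1))
        if parts and RDGA_LABEL_RE.match(parts[0]):
            by_tld[parts[1]][".".join(parts)].add(m.group(2))
    return {tld: {d: sorted(c) for d, c in doms.items()}
            for tld, doms in by_tld.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    for tld, domains in find_rdga_clusters(SAMPLE_LOG).items():
        print(f".{tld}: {len(domains)} pattern-matching domains -> {domains}")
```

In the sample, the lone `shop-12345.example` matches the label pattern but is dropped at the default threshold, while the three `.bond` names surface as a cluster.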

Read: https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/

Microsoft Reveals CrowdStrike Outage Impact on 8.5 Million Windows Devices

Microsoft disclosed that a recent CrowdStrike outage affected 8.5 million Windows devices globally. This outage, caused by an update to CrowdStrike’s cybersecurity software, led to crashes on Windows machines. Mac and Linux devices were not affected.

David Weston, Microsoft’s VP of enterprise and OS security, shared these details in a blog post. Although the number of affected devices was less than 1 percent of all Windows machines, the impact was significant. It disrupted banks, retailers, brokerage firms, rail networks, and airlines worldwide.

“While the percentage [of affected devices] was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services,” Weston wrote.

The exact percentage of Windows devices with CrowdStrike software affected remains unknown. Even a single crashed computer could potentially bring down an entire network or data center.

Weston emphasized, “although this was not a Microsoft incident,” the company is assisting CrowdStrike in resolving the issue. Recovery may be slow if manual fixes are needed for each affected computer. However, Microsoft and CrowdStrike have created “a scalable solution that will help Microsoft’s Azure infrastructure accelerate a fix.” They are also working with Amazon Web Services and Google Cloud Platform to speed up the recovery process.

In response to the widespread public outcry following the outage, CrowdStrike offered affected partners a $10 UberEats gift card as a token of apology. This gesture, intended to compensate for the inconvenience caused by the incident, has been widely criticized as insufficient given the scale of the disruption. The offer has sparked debate about corporate responsibility and the appropriate response to such major technological failures.

Read: https://techcrunch.com/2024/07/20/microsoft-says-8-5m-windows-devices-were-affected-by-crowdstrike-outage/


Google Drops the Ball on Chrome Tracking

Google confirmed on Monday that its plan to remove tracking cookies from Chrome has failed. The announcement comes after struggles to find a balance with regulators. This impacts Chrome’s 3 billion users worldwide.

Google suggested a new approach, offering user choice between tracking cookies, Google’s Topics API, and semi-private browsing. However, this proposal is not yet finalized. The U.K.’s Competition and Markets Authority is still reviewing it. Google stated, “We are discussing this new path with regulators.”

This news is disappointing for Chrome users, as most will not change their settings. Apple has criticized Chrome’s privacy measures, promoting Safari as a more private option in an ad depicting users being spied on.

The Electronic Frontier Foundation (EFF) also criticized Google’s Privacy Sandbox, saying it allows advertisers to continue tracking users. The EFF stated, “Privacy Sandbox is Google’s way of letting advertisers keep targeting ads based on your online behavior.”

Google’s failure to remove tracking cookies is seen as prioritizing profits over user privacy. Safari and Firefox have blocked third-party cookies since 2020, while Google has delayed its promise multiple times. Google’s decision is a significant setback for privacy advocates. Further analysis is expected in the coming days.

Read: https://www.forbes.com/sites/zakdoffman/2024/07/22/new-google-chrome-warning-microsoft-windows-10-windows-11-3-billion-users/


OpenSSH Remote Code Execution Vulnerability

A significant security flaw (CVE-2024-6387) was found in OpenSSH’s server on glibc-based Linux systems. The issue stems from a regression of a 2006 vulnerability (CVE-2006-5051) that allows a remote attacker to execute arbitrary code by exploiting a signal handler race condition. This vulnerability affects versions of OpenSSH starting from 8.5p1 up to 9.8p1, after a faulty commit reintroduced the unsafe code. OpenSSH versions below 4.4p1 are vulnerable if not patched, while versions between 4.4p1 and 8.5p1 are safe due to previous patches.

Exploiting this vulnerability involves manipulating the SSH server’s heap during specific timing windows, particularly targeting malloc and free operations. The advisory details how this was achieved across various OpenSSH versions, including Debian 3.0r6, Ubuntu 6.06.1, and Debian 12.5.0, each with different methods to win the race condition and achieve remote code execution. Patches that remove the unsafe code from the signal handler have been issued; setting LoginGraceTime to 0 is offered as a temporary mitigation until the patched build is deployed.
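A quick way to triage a fleet against the version ranges given above is to parse the SSH identification banner each server returns and classify it, and to check whether the LoginGraceTime stopgap is in place. This is an added example, not from the Qualys advisory; it assumes the banner carries the stock `OpenSSH_X.Yp1` string and cannot see distribution backports, so a "vulnerable" result on a distro build still needs confirming against the package changelog.

```python
import re

# Version boundaries from the advisory summary above, as (major, minor).
OLD_FIX = (4, 4)            # 4.4p1 fixed the original CVE-2006-5051
REGRESSION_FROM = (8, 5)    # 8.5p1 reintroduced the unsafe signal-handler code
FIXED_IN = (9, 8)           # 9.8p1 removes it again

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, portable_release) from an identification string such as
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13'; None if the server is not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return int(major), int(minor), int(p or 0)


def cve_2024_6387_status(banner):
    """Classify a banner against the ranges above. Caveat: banner-based only;
    distributions that backport the fix keep the old version string."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"
    mm = v[:2]
    if mm < OLD_FIX:
        return "vulnerable (pre-4.4p1, original CVE-2006-5051)"
    if mm < REGRESSION_FROM:
        return "not affected (4.4p1 to 8.5p1 carry the 2006 fix)"
    if mm < FIXED_IN:
        return "vulnerable (regression, 8.5p1 up to 9.8p1)"
    return "not affected (9.8p1 or later)"


def login_grace_time_mitigated(sshd_config_text):
    """True if sshd_config sets LoginGraceTime 0. sshd uses the first occurrence of a
    keyword, so the first uncommented directive decides. Caveat: 0 disables the grace
    timeout, so idle half-open connections can exhaust MaxStartups; treat it as a stopgap."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parts[1] == "0"
    return False
```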

But wait, there’s more.

A circulating proof-of-concept (POC) exploit for the vulnerability, known as RegreSSHion, has been found to be fake and contains malicious code aimed at security researchers, according to Kaspersky. This bogus exploit, which masquerades as a real POC, actually installs malware that targets the researchers’ systems. Meanwhile, a new OpenSSH race condition vulnerability, CVE-2024-6409, has been disclosed, adding to the concerns. Despite these developments, experts suggest no immediate panic is necessary, as exploiting these vulnerabilities is highly complex and requires significant effort and specific conditions.

Read: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt?ref=thestack.technology
Also read: https://www.thestack.technology/openssh-exploit-cve-2024-6387-pocs/



Elsewhere Online:

Google Backpedals on Third-Party Cookie Ban
Read: https://www.theregister.com/2024/07/23/google_cookies_third_party_continue


Docker Users Urged to Update After Critical Flaw Found
Read: https://www.securityweek.com/docker-patches-critical-authz-plugin-bypass-vulnerability-dating-back-to-2018/


Cybercriminals Create Fake GitHub Profiles to Distribute Malware
Read: https://www.darkreading.com/application-security/stargazer-goblin-amasses-rogue-github-accounts-to-spread-malware


Organizations Scramble After Twilio Authy Exploit
Read: https://www.securityweek.com/organizations-warned-of-exploited-twilio-authy-vulnerability/


Popular AI Framework Found Vulnerable
Read: https://unit42.paloaltonetworks.com/langchain-vulnerabilities/


2 thoughts on “#AxisOfEasy 360: Company Thwarts North Korean Espionage Plot”

  1. “Don’t worry about people stealing your ideas. If your ideas are any good, you’ll have to ram them down people’s throats.”

    I’m going to say “Feynman”
