#AxisOfEasy 365: Telegram CEO Pavel Durov Arrested In France On Allegations Of Facilitating Criminal Activity


Weekly Axis Of Easy #365


Last Week’s Quote was: “There has now been created a world in which the success of others is a grievance, rather than an example,” by Thomas Sowell. Congratulations George, you WIN!

This Week’s Quote: 
“The soul contains the event that shall befall it.”  By ???

THE RULES: No searching up the answer; it must be posted at the bottom of the blog post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of August 26th, 2024, in which our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ’net and how it affects your business, security and privacy.

To listen/watch this podcast edition, with commentary and insight from Joey Tweets and Len the Lengend, click here.


In this issue: 

  • Telegram CEO Pavel Durov arrested in France on allegations of facilitating criminal activity
  • Qilin Ransomware Group’s New Tactics: Credential Harvesting and Network-Wide Ransomware Deployment
  • Uber Faces Record Fine for Data Privacy Violations
  • Zuckerberg Regrets Pandemic Content Moderation and Hunter Biden Censorship Amid Government Pressure
  • Volt Typhoon’s Exploitation of Versa Networks Flaw Exposes Critical Infrastructure Risks


Elsewhere Online:

  • South Korean Hackers Target WPS Office Users with Remote Code Execution
  • LummaC2 Malware Returns, Uses PowerShell to Steal Data
  • Hundreds of LLM Servers Unintentionally Expose Private Information
  • APT 33 Targets Space Industry with Sophisticated Malware
  • Malicious Pidgin Plugin Steals Keystrokes, Shares Screenshots
  • YouTube Deletes Simply Bitcoin’s Account Mid Stream

 

Telegram CEO Pavel Durov arrested in France on allegations of facilitating criminal activity

The billionaire co-founder of the popular messaging app was detained at Bourget airport in Paris on Saturday, August 24, 2024. French authorities allege that Durov’s platform has been used to facilitate various crimes, including terrorism, narcotics trafficking, and fraud.

Durov, who faces up to 20 years in prison if convicted, has been accused of failing to do enough to moderate or cooperate in preventing these activities on his platform. The arrest has sparked controversy and concern among privacy advocates and free speech supporters.

The Russian embassy in France is reportedly taking steps to clarify the situation. Durov, who is a dual citizen of France and the UAE, has lived in Dubai since leaving Russia in 2014. He has previously stated that some governments have sought to pressure him to censor content on Telegram, but he has resisted these attempts.

Telegram is a popular messaging app with over 900 million active users. It offers end-to-end encrypted messaging for its opt-in secret chats and lets users create channels that push information to large numbers of followers at once. The app has gained popularity in recent years as a platform for organizing protests and for distributing information that governments censor.

Read: https://www.zerohedge.com/geopolitical/billionaire-telegram-ceo-pavel-durov-arrested-france


Qilin Ransomware Group’s New Tactics: Credential Harvesting and Network-Wide Ransomware Deployment

The Qilin ransomware group has introduced a sophisticated new tactic, deploying a custom stealer to extract account credentials saved in the Google Chrome browser. Sophos X-Ops uncovered this during an incident response engagement, revealing a worrying evolution in ransomware strategies. Qilin initially accessed the network via compromised VPN credentials on an account that had no multi-factor authentication (MFA). After gaining entry, the group remained dormant for 18 days, a pause that likely reflects the access having been purchased from an initial access broker (IAB) and then used for thorough reconnaissance, including mapping the network and identifying valuable assets.

Following this dormancy, Qilin moved laterally to a domain controller and modified Group Policy Objects (GPOs) so that a PowerShell script (‘IPScanner.ps1’) executed on every machine in the domain. The script, launched by a batch file (‘logon.bat’), targeted Google Chrome to steal stored credentials. The stolen data was first written to the domain’s ‘SYSVOL’ share and then exfiltrated to Qilin’s command and control (C2) server. To cover their tracks, Qilin erased the local copies and the associated event logs. They then deployed ransomware across the network using another GPO and a separate batch file (‘run.bat’).

Harvesting credentials from every machine in a domain significantly complicates the response. Because of the breach’s scale, affected organizations must reset all Active Directory passwords and may also have to rotate credentials for any third-party services whose logins were saved in Chrome. To mitigate such risks, organizations should prohibit storing credentials in browsers, enforce MFA on remote access, and segment their networks. Qilin’s activity, which Sophos links to the Scattered Spider social-engineering group, signals a heightened threat that requires robust defenses.
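As a defender-side illustration of the pattern described above (an added example, not code from the article or from Sophos), the following Python flags scripts executed from a domain’s SYSVOL share and counts how many hosts ran each one, which is the mass-deployment signal a GPO-pushed stealer leaves behind. The event records, host names, domain and paths are constructed; only the script names logon.bat and IPScanner.ps1 come from the write-up.

```python
"""Added example (constructed data): spotting GPO-pushed scripts executed across many domain hosts.
Script names logon.bat / IPScanner.ps1 are from the Qilin write-up; hosts, domain and paths are invented."""
import re
from collections import defaultdict

SYSVOL = r"\\corp.example\SYSVOL\corp.example\scripts"  # constructed domain share
GPSCRIPT = r"C:\Windows\System32\gpscript.exe"           # Windows component that runs GPO logon scripts
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Sysmon-style process-creation records: the same two launches on four hosts, plus benign noise.
EVENTS = [
    {"host": h, "parent": p, "image": i, "cmdline": c}
    for h in ("WS01", "WS02", "WS03", "SRV01")
    for p, i, c in (
        (GPSCRIPT, CMD, rf"cmd.exe /c {SYSVOL}\logon.bat"),
        (CMD, PS, rf"powershell.exe -ExecutionPolicy Bypass -File {SYSVOL}\IPScanner.ps1"),
    )
] + [{"host": "WS05", "parent": r"C:\Windows\explorer.exe", "image": PS,
      "cmdline": r"powershell.exe -File C:\Users\alice\backup.ps1"}]

# A script run from a domain SYSVOL/NETLOGON share; group 1 is the file name.
SYSVOL_SCRIPT = re.compile(
    r"\\\\[^\\\s]+\\(?:SYSVOL|NETLOGON)\\(?:[^\\\s]+\\)*([^\\\s]+\.(?:ps1|bat|cmd|vbs))", re.I)
POLICY_BYPASS = re.compile(r"-(?:ep|ex|executionpolicy)\s+bypass", re.I)

def sysvol_script_hosts(events):
    """Map each SYSVOL-hosted script name (lower-cased) to the set of hosts that executed it."""
    hosts = defaultdict(set)
    for ev in events:
        m = SYSVOL_SCRIPT.search(ev["cmdline"])
        if m:
            hosts[m.group(1).lower()].add(ev["host"])
    return hosts

def domain_wide_scripts(events, min_hosts=3):
    """Scripts seen on at least min_hosts distinct machines: the mass-deployment pattern of the incident."""
    return sorted(s for s, h in sysvol_script_hosts(events).items() if len(h) >= min_hosts)

def flagged_events(events):
    """(host, script, reason) for SYSVOL scripts started by the GPO engine or with an execution-policy bypass."""
    out = []
    for ev in events:
        m = SYSVOL_SCRIPT.search(ev["cmdline"])
        if not m:
            continue
        if ev["parent"].lower().endswith("gpscript.exe"):
            out.append((ev["host"], m.group(1), "launched by GPO script engine"))
        elif POLICY_BYPASS.search(ev["cmdline"]):
            out.append((ev["host"], m.group(1), "PowerShell execution-policy bypass"))
    return out
```

Legitimate logon scripts also live in SYSVOL, so the host count and the policy-bypass flag are what separate a routine GPO from one pushing something new to the whole domain.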

Read: https://www.bleepingcomputer.com/news/security/qilin-ransomware-now-steals-credentials-from-chrome-browsers/


Uber Faces Record Fine for Data Privacy Violations

Ride-hailing giant Uber has been fined a record 290 million euros ($324 million) by Dutch regulators for illegally transferring European taxi driver data to the United States. The Dutch Data Protection Authority (DPA) found Uber’s practices violated the General Data Protection Regulation (GDPR).

The investigation was triggered by a complaint from a French human rights group representing 170 taxi drivers. Despite Uber’s European headquarters being in the Netherlands, the DPA had jurisdiction due to the nature of the violations. The French data protection regulator, CNIL, also collaborated with the DPA.

The DPA found that Uber’s transfers lacked adequate safeguards for the drivers’ sensitive data. The company insists its practices were compliant during a period of legal uncertainty over EU-US data transfers. The DPA disagreed, emphasizing that companies operating in Europe must put robust data protection measures in place.

Read: https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/


Zuckerberg Regrets Pandemic Content Moderation and Hunter Biden Censorship Amid Government Pressure

Mark Zuckerberg, CEO of Meta, recently expressed regret over decisions made by his company during the coronavirus pandemic and the 2020 U.S. presidential election, which he attributes partly to pressure from the Biden administration and warnings from the FBI. Zuckerberg revealed that Meta removed or demoted posts, including humor and satire, under what he describes as undue government influence to censor content deemed harmful to public health. The White House, however, defended its actions, emphasizing the importance of responsible behavior by tech companies during a health crisis.

Zuckerberg specifically addressed the temporary demotion of content about Hunter Biden, noting that the decision followed an FBI warning about a potential Russian disinformation campaign. In hindsight, Zuckerberg acknowledged this was a mistake, as the information was not part of any foreign interference effort. To prevent similar errors, Meta has since revised its content moderation policies.

The CEO also discussed his decision not to make further contributions to electoral infrastructure. In 2020, Zuckerberg, through the Chan Zuckerberg Initiative, donated $400 million to assist election offices, sparking accusations of attempting to influence the election in favor of Joe Biden. Despite insisting the donations were non-partisan, Zuckerberg now aims to avoid any perception of political bias.

Zuckerberg’s letter to Jim Jordan, chair of the House Judiciary Committee, has been viewed by Republicans as a win for free speech. Meanwhile, this episode underscores the ongoing tensions between tech companies, content moderation, and government oversight in a polarized political landscape.

Read: https://www.bbc.com/news/articles/czxlpjlgdzjo


Volt Typhoon’s Exploitation of Versa Networks Flaw Exposes Critical Infrastructure Risks

The China-linked Volt Typhoon group has been exploiting CVE-2024-39717, a zero-day vulnerability in Versa Networks’ Director servers, to intercept and harvest credentials for use in later intrusions. The vulnerability, now patched, affects all versions of Versa Director before 22.1.4 and lies in a GUI customization feature. Versa Director servers are the management plane of Versa Networks’ SD-WAN technology, used to administer network devices, routing and security policy. Affected entities include ISPs, MSPs and large organizations that depend on Versa’s infrastructure.

Lumen Technologies’ Black Lotus Labs discovered and reported the flaw on June 21, after observing Volt Typhoon exploiting it since early June. Volt Typhoon gained access via exposed management ports 4566 and 4570 and escalated privileges to harvest high-level administrator credentials. The group routed its activity through attacker-controlled small-office/home-office (SOHO) devices, a known tactic of this actor. Using CVE-2024-39717, Volt Typhoon deployed “VersaMem,” a bespoke Web shell that captured plaintext credentials and tampered with the Apache Tomcat server hosting Director.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-39717 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply Versa’s mitigations or stop using the product by September 13. The vulnerability is complex to exploit and requires high privileges, which is reflected in its CVSS score of 6.6, but its potential impact on unpatched systems is broad. Versa urges customers to update to the hardened versions and follow its security hardening guidelines to prevent further exploitation.

Read: https://www.darkreading.com/cyberattacks-data-breaches/china-s-volt-typhoon-actively-exploiting-now-patched-0-day-in-versa-director-servers


Elsewhere Online:

South Korean Hackers Target WPS Office Users with Remote Code Execution

Read: https://www.infosecurity-magazine.com/news/south-korean-spies-exploit-wps/


LummaC2 Malware Returns, Uses PowerShell to Steal Data

Read: https://hackread.com/lummac2-malware-variant-powershell-obfuscation-steal-data/


Hundreds of LLM Servers Unintentionally Expose Private Information

Read: https://www.darkreading.com/application-security/hundreds-of-llm-servers-expose-corporate-health-and-other-online-data


APT 33 Targets Space Industry with Sophisticated Malware

Read: https://www.wired.com/story/iran-peach-sandworm-tickler-backdoor/


Malicious Pidgin Plugin Steals Keystrokes, Shares Screenshots

Read: https://www.securityweek.com/malware-delivered-via-malicious-pidgin-plugin-signal-fork/


YouTube Deletes Simply Bitcoin’s Account Mid Stream

Read: https://thenationaltelegraph.com/analysis/censorship/

If you missed the previous issues, they can be read online here: