Cybersecurity


c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

founded 2 years ago
submitted 10 months ago* (last edited 10 months ago) by Kalcifer to c/cybersecurity
Cross-posted to: https://sh.itjust.works/post/15859253


From other conversations that I've read through, people usually say "Yes, because it's easy on Windows", or "Yes, because they simply don't trust the webcam". But neither of these arguments are enough for me. The former I feel is irrelevant when one is talking about Linux, and the latter is just doing something for the sake of doing it which is not exactly a rational argument.

Specifically for Linux (although, I suppose this partially also depends on the distro, and, of course, vulnerabilities in whatever software that you might be using), how vulnerable is the device to having its webcam exploited? If you trust the software that you have running on your computer, and you utilize firewalls (application layer, network layer, etc.), you should be resistant to such types of exploits, no? A parallel question would also be: How vulnerable is a Linux device if you don't take extra precautions like firewalls?

If this is the case, what makes Windows so much more vulnerable?

submitted 10 months ago by kid to c/cybersecurity
Indicators of Compromise

GhostSec Evolves With Website Compromise Tools (www.infosecurity-magazine.com)
submitted 10 months ago by kid to c/cybersecurity
Cisco Talos reports a surge in malicious activities by hacking group GhostSec, including the development of GhostLocker 2.0 ransomware using Golang. Collaborating with Stormous, GhostSec conducts double extortion ransomware attacks globally, targeting sectors like technology and education. They've launched a RaaS program, STMX_GhostLocker, and introduced new tools for website attacks: GhostSec Deep Scan tool and GhostPresser for XSS attacks. GhostSec's evolving tactics now feature .ghost file encryption, updated ransom notes, and enhanced C2 panel capabilities, indicating increased sophistication in compromising websites. No CVEs are mentioned.

Researchers at Georgia Tech have developed a proof-of-concept malware demonstrating the threat of remote attacks on PLCs with embedded web servers, a common component in ICS within critical infrastructure. The malware can manipulate outputs, falsify sensor readings, and disable safety systems, potentially causing devastating effects. It leverages web-based vulnerabilities, offering platform independence and persistence, unlike traditional PLC malware that targets firmware or control logic.

The NSA has issued guidance on adopting zero-trust principles to counter internal network threats. Zero-trust architecture prevents unauthorized access and movement within networks by assuming threats exist and enforcing strict access controls. The approach includes data flow mapping, segmentation, and software-defined networking to minimize breach impacts. No CVEs are associated with this guidance.

Cybercriminals exploited the open-source hypervisor QEMU to create a stealthy network tunnel in an attack against a large company. QEMU, typically used for running guest operating systems, was manipulated to establish a covert channel to a remote server. Kaspersky analysts discovered the attack, which used minimal resources to avoid detection. The attackers also employed 'Angry IP Scanner' for network scanning and 'mimikatz' for credential theft. Kaspersky emphasizes the need for multi-level protection, including 24/7 network monitoring, to detect the use of legitimate tools for malicious purposes.

The RA World ransomware group, previously known as RA Group, has rapidly expanded its attacks globally, targeting healthcare in Latin America and industries in the US, South Korea, Germany, India, and Taiwan. Trend Micro reports the group's sophisticated multistage cyberattacks manipulate group policy settings for maximum damage and evasion. Originating from leaked Babuk ransomware code, RA World uses double-extortion tactics and has evolved to deploy scripts that attempt to disable security measures like Trend Micro defenses and remove traces of the malware post-attack.

Several undersea cables in the Red Sea have been severed, disrupting 25% of data traffic between Asia and Europe. HGC Global Communications rerouted traffic after four of the fifteen cables were cut. The cause is unclear, with speculation about deliberate sabotage or accidental anchor damage. Yemen's government previously warned of potential Houthi sabotage, while the Houthis denied targeting cables, blaming US and British strikes. The US military is investigating, and the incident's impact on data flow has necessitated traffic rerouting through alternate paths.

A 227 GB AlgoSec database with customer data and 7K contact records is reportedly for sale on a hacking forum for $2500 by a threat actor "Ddarknotevil." AlgoSec, a New Jersey-based network security software company specializing in firewall policy management, has not yet verified the breach claims.

Apple released iOS 17.4 and 16.7.6, patching four vulnerabilities, two exploited in the wild. CVE-2024-23225, a privilege escalation issue, affects both iOS 17 and 16. CVE-2024-23296, another exploited flaw, affects only iOS 17. Both are rated "important" for privilege escalation. Additional fixes include a privacy issue in Accessibility (CVE-2024-23243) and a logic issue in Safari Private Browsing (CVE-2024-23256).

Cybercriminals from GhostSec and Stormous have released GhostLocker 2.0 ransomware, targeting multiple sectors in the Middle East, Africa, and Asia. Cisco Talos reports this RaaS program threatens data leaks and encrypts files, urging updated security measures. No CVEs are linked to the attacks.

Lotus Bane, an advanced persistent threat group active since at least 2022, targeted a Vietnamese financial entity in March 2023. Techniques used, such as DLL side-loading and named pipes for malicious executable execution, suggest links to OceanLotus (APT32). Group-IB notes the group's sophistication and potential for wider APAC attacks. No CVEs are associated with this new threat actor's activities.

VMware issued patches for critical flaws in ESXi, Workstation, Fusion, and Cloud Foundation, with a focus on two use-after-free vulnerabilities in the XHCI USB controller (CVE-2024-22252, CVE-2024-22253) scoring 9.3 CVSS. These allow local admin privilege escalation and code execution on the host. An ESXi out-of-bounds write and an information disclosure vulnerability in the UHCI USB controller were also noted.

Over 225,000 OpenAI ChatGPT credentials were compromised and sold in underground markets by October 2023.

Samip Aryal, a Nepali cybersecurity researcher, discovered a zero-click flaw in Facebook's password reset system that bypassed rate-limiting and allowed brute-forcing of 6-digit security codes. His findings, which could enable account takeovers, earned him a top spot in Facebook's Hall of Fame for White-Hat Hackers 2024. Aryal responsibly disclosed the vulnerability, which was promptly fixed. Users are advised to enable two-factor authentication and use strong passwords to protect against such threats.

South Korea's National Intelligence Service (NIS) warns of increased cyber espionage attacks by North Korean hackers on domestic semiconductor manufacturers. These attacks exploit known vulnerabilities in internet-exposed servers for initial access and use "living off the land" tactics to avoid detection. The aim is to steal sensitive data, including product designs and facility photos, to support North Korea's own chip-making and military needs amidst international sanctions. NIS advises firms on detection and prevention, emphasizing the need for security updates and strict access controls.

American Express is alerting customers of a data breach through a third-party service provider affecting credit card details. The breach, external to American Express systems, compromised card numbers, names, and expiration dates. Customers are advised to monitor their accounts for fraud and use the American Express Mobile app for alerts. The incident highlights the need for stringent access controls and service provider accountability in data security.

The ALPHV/BlackCat ransomware gang has shut down its servers after an affiliate accused them of stealing a $22 million ransom from Optum. BleepingComputer confirmed the closure of their negotiation sites, suggesting a deliberate takedown of their infrastructure. The situation remains unclear, with potential implications of an exit scam or rebranding. The affiliate, "notchy," claims to possess 4TB of critical Optum data. UnitedHealth Group, Optum's parent company, is focused on the investigation. This follows a pattern of rebranding from DarkSide to BlackMatter to ALPHV/BlackCat, with past disruptions and re-emergences in their operations.

Researchers created "Morris II," a computer worm targeting GenAI applications, capable of spreading malware and stealing data. It exploits GenAI systems' retrieval augmented generation (RAG) for "0-click propagation." The Israel Institute of Technology, Intuit, and Cornell Tech researchers emphasize the need for secure GenAI ecosystem design to prevent such threats.

Hacking group TA577 targets NTLM hashes via phishing, enabling account hijacks and network breaches. Phishing emails with ZIP attachments trigger NTLM hash theft, posing significant security risks. Proofpoint advises firewall configuration and email filtering to mitigate threats.