Friday Five: New Malware Threats, Lingering Challenges for CISOs, & More
Emerging malware campaigns and other cyber threats dominated this week's headlines, but the ongoing fight to secure critical infrastructure remains prominent. Catch up on these stories and more in this week's Friday Five.
PRESIDENTIAL COUNCIL APPROVES RECOMMENDATIONS FOR CYBER-PHYSICAL RESILIENCE BY CHRISTIAN VASQUEZ
The President’s Council of Advisors on Science and Technology (PCAST) has approved recommendations to enhance the resilience of cyber-physical critical infrastructure. The cyber-physical resilience working group, established by PCAST in March, presented the report focusing on developing strategies to improve resilience in modern infrastructure. Key recommendations include defining minimum operating capabilities and delivery objectives, establishing a National Critical Infrastructure Observatory for research and development, clarifying the national critical functions list, providing better funds and staffing for sector risk management agencies, and increasing accountability for private sector executives. The report will be publicly released in mid-February on the PCAST website.
AS HACKS WORSEN, SEC TURNS UP THE HEAT ON CISOS BY ZACK WHITTAKER
The ShmooCon hacker conference in Washington, DC, included a panel discussion on the changing cyber-liability landscape, which focused on the increasing legal oversight and consequences for those in the cybersecurity industry. The discussion -- led by startup lawyer Elizabeth Wharton, former SEC prosecutor Danette Edwards, and tech investor Cyndi Gula -- covered the SEC's new cyber reporting rules that require companies to disclose "material" security incidents within four working days and the potential impact on executives. The panel emphasized the importance of transparency in reporting but also highlighted the challenges of documenting incidents in real time. The discussion acknowledged the legal risks associated with cybersecurity work but encouraged professionals not to walk away from the challenges.
FBI: ANDROXGH0ST MALWARE BOTNET STEALS AWS, MICROSOFT CREDENTIALS BY SERGIU GATLAN
The Cybersecurity and Infrastructure Security Agency (CISA) and FBI have issued a joint warning about threat actors using the Androxgh0st malware to build a botnet focused on cloud credential theft. The botnet targets .env files containing credentials for applications like Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio, and is said to exploit multiple remote code execution (RCE) vulnerabilities such as CVE-2017-9841, CVE-2021-41773, and CVE-2018-15133. Androxgh0st also supports functions that abuse the Simple Mail Transfer Protocol (SMTP) and deploys web shells. The stolen credentials are used for spam campaigns, creating fake pages on compromised websites, and accessing sensitive databases. The agencies recommend several mitigation measures, and CISA added CVE-2018-15133 to its Known Exploited Vulnerabilities Catalog.
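Because the campaign described above hinges on harvesting `.env` files, a defender's first question is whether their own web servers have been probed for, or have actually served, such a file. The following Python script is an added example, not code from the Friday Five post or from the CISA/FBI advisory: it parses combined-format access logs, separates reconnaissance probes (non-2xx responses) from real exposure (2xx responses), counts probes per source, and lists which variables in a leaked `.env` file should be treated as compromised. The log lines, the `.env` contents and the credential key-name patterns are constructed assumptions, not indicators taken from the advisory.

```python
"""Detect probes for exposed .env files in web-server access logs.

Added example; not code from the Friday Five post or from CISA/FBI. The log
lines and the .env content below are constructed samples, and the key-name
patterns are an assumption about which variables typically hold credentials.
"""
import re
from collections import Counter

# Constructed access-log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Jan/2024:10:01:03 +0000] "GET /api/.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jan/2024:10:02:10 +0000] "POST /index.php HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.10 - - [19/Jan/2024:10:02:11 +0000] "GET /.env.bak?x=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [19/Jan/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed .env file with placeholder values, the kind of file the botnet collects.
SAMPLE_ENV = """\
APP_NAME=demo
APP_DEBUG=false
AWS_ACCESS_KEY_ID=AKIA_PLACEHOLDER
AWS_SECRET_ACCESS_KEY=secret_placeholder
MAIL_HOST=smtp.example.com
MAIL_PASSWORD=mail_placeholder
SENDGRID_API_KEY=sg_placeholder
TWILIO_AUTH_TOKEN=tw_placeholder
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Matches /.env, /api/.env, /.env.bak and the same paths with a query string.
ENV_PATH_RE = re.compile(r'(?:^|/)\.env(?:\.[\w.-]+)?(?:$|\?)')
# Assumed patterns for variable names that hold credentials (not an exhaustive list).
SECRET_KEY_RE = re.compile(r'(SECRET|PASSWORD|TOKEN|API_KEY|ACCESS_KEY)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def env_probe_findings(log_text):
    """List every request for a .env-style path.

    A 2xx response means the server actually returned the file ("exposed");
    anything else is a reconnaissance attempt ("probe").
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ENV_PATH_RE.search(rec["path"]):
            continue
        severity = "exposed" if 200 <= rec["status"] < 300 else "probe"
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                         "status": rec["status"], "severity": severity})
    return findings


def probes_per_source(findings):
    """Count .env requests per client IP, to spot a scanner walking many paths."""
    return Counter(f["ip"] for f in findings)


def keys_to_rotate(env_text):
    """Names of variables in a .env file that look like credentials.

    If the file was served (an "exposed" finding), every one of these should be
    treated as compromised and rotated.
    """
    keys = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        if SECRET_KEY_RE.search(key):
            keys.append(key)
    return keys


if __name__ == "__main__":
    found = env_probe_findings(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:8} {f['ip']:15} {f['status']} {f['path']}")
    print("per source:", dict(probes_per_source(found)))
    if any(f["severity"] == "exposed" for f in found):
        print("rotate:", keys_to_rotate(SAMPLE_ENV))
```

On the constructed sample the script reports two probes and one exposure from the same source address; the exposure is the finding that matters, since a 200 response means the credentials in that file must be assumed stolen. The obvious follow-up, beyond rotating the listed keys, is to make sure the web server never serves dotfiles from the document root in the first place.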
SOPHISTICATED MACOS INFOSTEALERS GET PAST APPLE'S BUILT-IN DETECTION BY ELIZABETH MONTALBANO
Increasingly sophisticated infostealers, such as KeySteal, Atomic Infostealer, and CherryPie, are targeting macOS by evading Apple's built-in malware protection, XProtect. These stealers can get past various detection engines, and recent updates to XProtect's signature database indicate that Apple is aware of the problem. However, early 2024 has seen several stealer families evading known signatures. Both KeySteal and Atomic Stealer have gone through multiple iterations, the newer versions of which XProtect no longer detects. CherryPie, though still blocked by XProtect, remains undetected by other static-detection engines.
GOOGLE SAYS RUSSIAN ESPIONAGE CREW BEHIND NEW MALWARE CAMPAIGN BY CARLY PAGE
Google researchers have reported that the Russian-linked hacking group known as "Cold River" or "Callisto Group" is evolving its tactics to deliver data-stealing malware. The group, which has been associated with espionage campaigns against the United States and the United Kingdom, among other NATO countries, has been observed shifting from phishing to delivering malware via campaigns that use PDF documents posing as opinion-editorial pieces or other articles as lures. The malware, known as "SPICA," serves as a custom backdoor, providing attackers with persistent access to victims' machines. The group's recent activities have predominantly targeted Ukraine and its NATO allies, academic institutions, and non-government organizations. Google added the identified websites, domains, and files associated with the Cold River campaign to its Safe Browsing service to prevent further targeting of Google users.