10 episodes

“The Daily Decrypt”, hosted by offsetkeyz and d0gesp4n, offers an insightful and approachable take on cybersecurity. Their discussions cover a range of topics, from specific software vulnerabilities to broader issues like mobile security and ransomware trends. They delve into technical details while maintaining accessibility for a general audience, emphasizing practical advice and current developments in the cybersecurity field. The podcast strikes a balance between in-depth analysis and user-friendly content, with a focus on high-quality audio and production.

The Daily Decrypt The Digital Security Collective

    • News
    • 5.0 • 6 Ratings


    Mystery Malware Destroys 600,000 Routers, and CISOs Under Board Pressure, FlyingYeti Exploits WinRAR Vulnerability


    In today’s episode, we explore the FlyingYeti campaign, which exploits a WinRAR vulnerability (CVE-2023-38831) to deliver COOKBOX malware in Ukraine, as detailed by Cloudflare’s Cloudforce One: https://thehackernews.com/2024/05/flyingyeti-exploits-winrar.html. Next, we discuss the unprecedented mystery malware attack that destroyed 600,000 routers from ISP Windstream, reported by Black Lotus Labs: https://arstechnica.com/security/2024/05/mystery-malware-destroys-600000-routers-from-a-single-isp-during-72-hour-span/. Finally, we dive into the Trend Micro study on CISOs facing pressure from corporate boards to downplay cyber risk: https://www.cybersecuritydive.com/news/cisos-pressure-boards-downplay-cyber-risk/717497/.



    Tags: WinRAR, COOKBOX, FlyingYeti, Cloudflare, cyber warfare, Ukraine, phishing attacks, malware, routers, ISP, threat actor, Trend Micro, CISOs, cyber risks, organizational security

    Search Phrases: WinRAR vulnerability explained, COOKBOX malware detection and removal, FlyingYeti cyber attack details, Cloudflare security advisories, Protecting against phishing attacks, Malware impact on routers, ISP security breach cases, Trend Micro cybersecurity reports, CISO corporate board pressure, Organizational cybersecurity best practices




    May 31

    An unknown threat actor recently unleashed a devastating malware attack that obliterated over 600,000 routers from a single internet service provider in just 72 hours, forcing the company to replace all of the affected devices and leaving their patrons in digital darkness. What the heck happened here, and how will we recover from this?

    Under mounting pressure from corporate boards, nearly four in five chief information security officers, or CISOs, are being pushed to downplay the severity of cyber risks, as revealed by a recent Trend Micro study. How can CISOs navigate the pressure from corporate boards while also maintaining a robust security posture?

    And finally, sometimes I pick stories simply because the name is too good. So FlyingYeti is exploiting a WinRAR vulnerability to deliver COOKBOX malware in Ukraine, marking another alarming chapter in Russia-aligned cyber warfare.

    You're listening to The Daily Decrypt.

    In just over a 72-hour time period, malware called Chalubo rendered more than 600,000 routers permanently unusable. All of these routers belonged to a single internet service provider named Windstream, and this ISP is now forced to replace every single one of these routers. Now, that is not a small task, and a lot of these routers live in rural areas, which would be a long drive for ISP technicians to make. And there were only so many ISP technicians out there. Sure, they can ship you these routers, but that's going to take a long time, because no supply chain is equipped to handle a random 600,000-product order overnight. So who knows how long these people will be without internet?

    The specific routers that were affected are ActionTec T3200 and Sagemcom, and users are reporting a static red light on their routers, which indicates failure. Wow.

    Black Lotus Labs utilized the Censys search engine to track these affected router models and noted that, throughout that 72-hour time period, there was a 49% drop in connections for these routers. So almost half of these routers on the public internet went offline.

    And I had mentioned that a lot of these routers lived in rural areas, but the spread of this disaster is pretty wide and vast, because this internet service provider provided service specifically to rural areas. And what is out in rural areas? A lot of farming and agriculture. So who knows what sort of impact this will have over our food source in the coming months, 'cause even tractors nowadays rely on Wi-Fi, which is a whole 'nother wormhole that I won't get to on this episode, but if you're interested, go ahead and look up John De

    Open Source Tool Defeats Ransomware, StackOverflow users push malicious Python packages, Are you in the 911 S5 botnet?


    In today's episode, we explore how cybercriminals exploited StackOverflow to promote the malicious Python package "pytoileur" aimed at cryptocurrency theft (https://thehackernews.com/2024/05/cybercriminals-abuse-stackoverflow-to.html). We also examine the FBI's takedown of the 911 S5 botnet and its massive impact on online fraud and cybercrime (https://krebsonsecurity.com/2024/05/is-your-computer-part-of-the-largest-botnet-ever/). Lastly, we introduce RansomLord, an open-source anti-ransomware tool that leverages DLL hijacking to block ransomware attacks pre-encryption (https://github.com/malvuln/RansomLord).



    FBI Botnet: https://www.fbi.gov/investigate/cyber/how-to-identify-and-remove-vpn-applications-that-contain-911-s5-backdoors

    00:00 Introduction to Ransomware Defense
    01:12 Ransom Lord: A Game Changer
    03:55 How to Check for Botnet Infections
    06:47 Malicious Python Package Alert
    09:19 Conclusion and Final Thoughts

    Tags: Cybercriminals, Python Package Index, pytoileur, cryptocurrency theft, malicious packages, StackOverflow, open source security, botnet, VPN, YunHe Wang, 911 S5, cybersecurity, RansomLord, exploits, vulnerabilities, ransomware protection

    Search Phrases: Cybercriminal infiltration of Python Package Index, pytoileur malicious package on StackOverflow, Cryptocurrency theft using pytoileur, How to protect against malicious Python packages, Largest botnet disguised as VPN service, Arrest of YunHe Wang for cybercrime, 911 S5 botnet detection methods, Protecting computers from 911 S5 botnet, RansomLord tool against ransomware, Ransomware vulnerabilities exploited by RansomLord




    May 30

    There is a new proof-of-concept open source tool called RansomLord that attacks the malware that launches ransomware, in order to defeat it before it can encrypt your files. I'm a little blown away by this one, but we'll get to that in a sec. How can RansomLord change the game for ransomware defenders, and what tactics does it use to defeat ransomware?

    The largest botnet ever, operating under the guise of free VPN services, has been dismantled with the arrest of its alleged mastermind for orchestrating cyber crimes totalling billions of dollars in fraudulent losses. How can you check if your computer is part of the 911 S5 botnet, and what steps can you take to protect yourself in the future?

    The Python Package Index has been infiltrated with a malicious package named pytoileur, which has now been found to facilitate cryptocurrency theft by leveraging reputable platforms such as Stack Overflow. What measures can developers take to protect themselves from being deceived by malicious packages like this one?

    You're listening to The Daily Decrypt.

    Alright. So as defenders, we are constantly thinking about how to defeat ransomware, but I haven't seen much come out other than detection capabilities. So we're still focused on detecting indicators of compromise that might lead to ransomware. But just yesterday, Help Net Security released an article on an open source anti-ransomware tool that essentially attacks the ransomware malware using DLL hijacking and automates the creation of PE files, which are used to exploit ransomware before it can encrypt your files. So even the thought of this type of defense makes me so excited. The idea that there can be more than just detecting indicators of compromise for ransomware prevention, when we can actually go in and attack the ransomware itself and get rid of it before it even has the opportunity to encrypt your files. It's a breath of fresh air.

    So this tool, which is free and open source and available on GitHub (the link is in the show notes below), deploys exploits in order to defend the network, which is a novel strategy for defeating ransomware. It also uses vulnerability intelligence that maps threats to vulnerable DLLs in order to target specific thr

    Harry Coker Jr. Bolsters Security for Critical Infrastructures in Auburn Keynote


    In today's episode, we discuss the White House's call for critical cybersecurity assistance for sectors like healthcare and water utilities (https://www.cybersecuritydive.com/news/white-house-seeks-critical-cyber-assistance-for-water-utilities-healthcare/716942/), analyze the compromise of JAVS Viewer software by loader malware (https://www.helpnetsecurity.com/2024/05/23/javs-viewer-malware/), and explore how rising cyberattacks are driving the growth of the cybersecurity industry, affecting companies like AWS, Cisco, and CrowdStrike (https://www.cybersecuritydive.com/news/attacks-fuel-cyber-business/716782/).



    Full Coker Speech: https://www.youtube.com/watch?v=1yR3kfajhk0

    00:00 Introduction to the Cybersecurity Boom
    01:04 The Economics of Cybersecurity
    03:22 National Cyber Director's Keynote Highlights
    04:14 The Cost of Cybersecurity Measures
    05:19 Teenagers in Cybercrime: A Growing Concern
    06:13 JAVS Viewer Malware: What You Need to Know
    07:50 Conclusion and Call to Action

    Tags: Harry Coker Jr, healthcare, water utilities, ransomware, National Cyber Director, critical infrastructure, cyber threats, innovative strategies, cybersecurity, administration initiatives, Lapsus, teenage cybercrime, JAVS, recording software, loader malware, security risks, courtrooms, prisons, compromised software, cybersecurity vendors, digital threat landscape, market complexity

    Search Phrases: Initiatives by Harry Coker Jr in cybersecurity, Healthcare cyber threat protection strategies, Water utilities ransomware defense, National Cyber Director's speech on cyber threats, Administration measures against teenage cybercrime, Compromised JAVS software security risks, Immediate actions for JAVS Viewer users, Cybersecurity vendors' role in digital threat evolution, Increasing complexity in the cybersecurity market, Global spending on cybersecurity in 2023



    May 24

    Cyber attacks are propelling the cybersecurity industry to new heights, with global spending on security projected to hit an astonishing $215 billion this year. How are cybersecurity vendors adapting to the constant evolution of cyber threats while also contributing to increased complexity in the market?

    National Cyber Director Harry Coker Jr. announced a sweeping initiative to fortify healthcare and water utilities against cyber threats, highlighting a commitment to strengthen America's critical infrastructure, at a keynote speech on Wednesday. What measures is the administration taking to deter teenagers from joining cyber criminal groups like Lapsus$?

    Threat researchers have discovered that legitimate recording software from JAVS has been compromised with loader malware directly from the developer's own site. If you're using the JAVS Viewer, what actions can you take if you suspect your version has been compromised?

    You're listening to The Daily Decrypt.

    The cybersecurity industry is thriving, thanks to the rise in cyber attacks. Now, this makes sense. Supply and demand is the foundation of capitalism, and cyber attacks are on the rise. So of course cybersecurity is booming, but this reminds me sort of eerily of the show Fallout, which is on Amazon Prime. Highly recommend; one of my favorite TV shows of all time. But go ahead and skip the next 15 seconds if you don't want any spoilers.

    One of the most fascinating aspects of that show is how Vault-Tec, the maker of these vaults, was one of the top companies in the country. Because, one, they preyed on citizens' fear of a nuclear war. So they made these vaults to keep people safe in the impending nuclear bomb drop. But in order to stay on top, in order to stay relevant, they needed that nuke to drop.

    And I don't think we're at that point yet with cybersecurity. I believe the volume of cyber attacks is enough to sustain a $200 billion industry. But who knows what will happen in 10, 20, 30 years, maybe in ord

    Windows Recall Feature Takes Secret Screenshots, Microsoft President to Testify Before Congress, Disconnect Public Facing ICS Devices


    In today's episode, we discuss Microsoft President Brad Smith's upcoming testimony before Congress regarding security shortcomings (source: https://www.cybersecuritydive.com/news/microsoft-president-congressional-hearing/716847/), dive into the privacy concerns surrounding Windows 11's new Recall feature (source: https://www.helpnetsecurity.com/2024/05/22/windows-recall-security-privacy/), and detail Rockwell Automation's advisory on disconnecting internet-facing ICS devices amid rising cyber threats (source: https://thehackernews.com/2024/05/rockwell-advises-disconnecting-internet.html).



    00:00 Introducing Windows 11's Recall Feature: A Privacy Concern?
    01:11 The Risks and Protections Against Windows 11's Recall Feature
    04:44 Microsoft's Response to Security Breaches and Future Plans
    06:41 Advisory on Industrial Control Systems Amid Cyber Threats
    07:36 Wrapping Up and How to Stay Connected

    Tags: Microsoft, Brad Smith, Cybersecurity, Congress, Windows, Recall, AI, cybercriminals, Rockwell Automation, Industrial control systems, Cyber threats, Vulnerabilities

    Search Phrases: Microsoft cybersecurity measures, Brad Smith congressional testimony, Impact of recent cyberattacks on Microsoft, Security risks of Windows Recall feature, Protecting against cyber intrusions, Rockwell Automation cybersecurity advice, Industrial control systems cyber threats, Geopolitical tensions and cyber vulnerabilities, Scanning for public-facing assets in cybersecurity, Mitigating cyber risks in industrial control systems




    May 23

    Microsoft Windows has introduced a new feature in Windows 11-powered machines called Recall, which takes screenshots of your open applications every couple of seconds and uses AI to analyze them. This is obviously stirring fears among security experts, who are warning that it could become a goldmine for cybercriminals if misused. How can users protect themselves from these potential security and privacy risks posed by Windows Recall?

    Speaking of Microsoft, on June 13th Microsoft President Brad Smith will face Congress to address a cascade of security failures that led to their recent cyber intrusions.

    And finally, Rockwell Automation is advising urgent disconnects of internet-facing industrial control systems amid rising cyber threats linked to geopolitical tensions and exploited vulnerabilities in these ICS devices. What immediate actions can administrators take to not only check if their devices are publicly accessible, but also remediate it?

    You're listening to The Daily Decrypt.

    Hey, no press is bad press. And today Microsoft Windows is getting a lot of press. So just recently, Microsoft has introduced a new feature called Recall in Windows 11 that captures screenshots every few seconds and then uses AI to search through these screenshots and interact with specific content, essentially indexing everything that you do on your computer. This could be very useful for those of us like myself who have a terrible memory and want to remember what we were just doing. Users can go in and search through their history on their computer to see, "Hey, what was I doing 10 minutes ago that I need to continue doing?" Sure, sounds great. You know who else can search through your whole history? Anyone who's compromised your system.

    So this feature can be disabled, which is great. You can also specify apps that you want to exclude from this, so if that app is open, it will stop taking screenshots. But what's key to understand is that if you're compromised, an attacker can covertly enable this feature using PowerShell. And so once they have that enabled, they can just sit back and wait for you to do something that jeopardizes your privacy, like entering your social security number, see what banks you use, maybe use those screenshots to extort you, maybe you're doing something you woul

    70% of Water Utilities Vulnerable to Cyber Attack, GitHub Enterprise Server, Python, and Firefox Vulnerabilities


    In today's episode, we explore a critical GitHub Enterprise Server vulnerability (CVE-2024-4985) that allows authentication bypass and the necessary updates for protection (https://thehackernews.com/2024/05/critical-github-enterprise-server-flaw.html), EPA's enforcement actions against water utilities lacking cybersecurity measures (https://www.cybersecuritydive.com/news/epa-enforcement-water-utilities-cyber/716719/), and newly discovered security flaws in the Python package llama_cpp_python (CVE-2024-34359) and Firefox's PDF.js library (CVE-2024-4367), highlighting potential risks and the importance of vigilant security practices (https://thehackernews.com/2024/05/researchers-uncover-flaws-in-python.html).



    00:00 Cybersecurity Threats to US Water Utilities
    01:02 Deep Dive into Water Utility Cybersecurity Flaws
    03:26 Strategies for Enhancing Cybersecurity in Water Utilities
    04:49 EPA's Enforcement Actions and the Importance of Cybersecurity
    06:38 GitHub Enterprise Server's Critical Security Flaw
    08:00 Emerging Cybersecurity Threats and Updates

    Tags: GitHub, Enterprise Server, CVE, SAML SSO, cybersecurity, vulnerability, GitHub updates, EPA, cyberattacks, water utilities, vulnerabilities, security enforcement, Checkmarx, Llama Drama, Mozilla, PDF.js

    Search Phrases: GitHub Enterprise Server CVE-2024-4985 vulnerability, SAML SSO security breach in GitHub, How to secure GitHub Enterprise Server, EPA cyberattack vulnerabilities in water utilities, Steps to mitigate water utility cyber threats, Llama Drama security flaw in llama_cpp_python, High-severity vulnerability in Mozilla PDF.js, Protecting systems from PDF.js exploits, Checkmarx reports on Llama Drama, Latest cybersecurity vulnerabilities December 2023




    May 22

    The EPA has announced that over 70% of US water utilities inspected are vulnerable to cyber attacks due to outdated security measures like default passwords and single logins. What specific vulnerabilities put major water utilities at risk, and how is the EPA planning to address them?

    A high-severity vulnerability in Mozilla's PDF.js has been uncovered, allowing threat actors to execute arbitrary code and compromise millions of systems globally. What methods can users implement to help protect their systems from these vulnerabilities?

    And finally, an alarming GitHub Enterprise Server vulnerability now threatens unauthorized administrative access through SAML single sign-on, prompting crucial updates from GitHub to prevent exploitation. How can organizations secure their GitHub Enterprise Server instances against this vulnerability?

    You're listening to The Daily Decrypt.

    The Environmental Protection Agency, or EPA, announced that the majority of US water utilities they inspected are vulnerable to cyber attacks due to using default passwords and single logins. And to get a little more specific, over 70% of water utilities that were inspected since September of last year failed to comply with the Safe Drinking Water Act by commonly using single logins for multiple employees and not revoking access for former employees.

    So, being a cybersecurity professional, it's really hard for me to even imagine using the same login as somebody else. This is such a terrible idea for many reasons, some of which are obvious and some of which might not be. Like, first of all, multiple people know your password. Which, if it's kept under wraps, like if it's kept locked down, that's not a huge issue. But it's not being kept locked down; if this is a practice, it's not being kept locked down. So what if one of the people who's using that login already has that password memorized and they decide to use it on a different site, maybe even with that same email address, and that site gets breached? And the email address is probably water company related. So any attacker that comes across these credentials will ins

    Deceptive Deepfake Cyber Scheme: Arup’s Wake-Up Call Against North Korean IT Workers


    In today's episode, a UK engineering firm, Arup, was scammed of £20m through a deepfake incident where an employee fell victim to AI-generated video calls. The incident sheds light on the increasing sophistication of cyber attackers and the need for better awareness on deepfake technology. Meanwhile, the Jumio 2024 Online Identity Study reveals consumer concerns over deepfakes, with a call for more governmental regulation of AI to combat cybercrime. The US Justice Department exposed a scheme enabling North Korean IT workers to bypass sanctions, highlighting the risks associated with remote work and the importance of identifying potential threats.

    Original URLs:
    1. https://www.theguardian.com/technology/article/2024/may/17/uk-engineering-arup-deepfake-scam-hong-kong-ai-video
    2. https://www.helpnetsecurity.com/2024/05/20/consumers-online-identity-fraud/
    3. https://www.helpnetsecurity.com/2024/05/17/north-korean-it-workers/



    Tags: Arup, Engineering, Deepfake, Cyberattacks, deepfakes, generative AI, digital security, identity fraud

    Search Phrases: Arup deepfake cyber-attacks, How to protect companies from deepfake scams, Consumer awareness about deepfakes and generative AI, Collaborating to enhance digital security measures, Preventing identity fraud with advanced technology, North Korean IT workers evasion scheme, Sanctions evasion by North Korean IT workers, Identifying and protecting organizations from North Korean IT workers, Deceptive employment schemes by North Korean workers, US companies and North Korean IT worker sanctions




    May 21

    The US Justice Department has uncovered a scheme involving North Korean IT workers evading sanctions by working remotely for US companies under assumed identities, which has resulted in millions of dollars generated for the DPRK. What signs can help companies identify North Korean IT workers posing as US freelancers?

    Consumers consistently overestimate their ability to spot deepfake videos, with 60% believing they could detect one, despite rising concerns over the risks posed by generative AI. How can businesses and consumers collaborate to enhance digital security measures and prevent identity fraud in the face of increasing deepfake technology?

    And in that same realm, Arup, which is a leading UK engineering firm, fell prey to a 20 million euro deepfake scam where AI-generated video calls duped a Hong Kong employee into transferring vast sums to criminals. How can businesses protect themselves from sophisticated schemes involving deepfake videos?

    You're listening to The Daily Decrypt.

    The US Justice Department has uncovered a scheme where individuals from North Korea are posing as US freelancers and getting jobs at US companies under these false identities. These individuals will utilize US payment platforms, online job sites and proxy computers within the US to deceive United States employers. They particularly target Fortune 500 companies, like major television networks and Silicon Valley tech firms, and they've even attempted infiltration of US government agencies.

    So these individuals have been aided by a few different US citizens, including one that would create accounts on US job sites and then sell them to North Koreans, or another US woman who operated a, quote, "laptop farm," where she essentially just had a bunch of laptops and let adversaries remote in, looking like they were in the United States. This scheme ran from 2020 all the way to 2023 and amassed over $6.8 million for North Korea. But officially, both of the individuals who are responsible for all of these fake employments have been apprehended and are awaiting extradition to the United States for their trial.

    So, obviously, this is going to be pretty tough to spot, because first of all, resumes for these fraudulent applicants are going to look really good. So they're probably going to get the interview based on their resume

Customer Reviews

5.0 out of 5, 6 Ratings

aallyyhhaall, "Great for Professionals or Newbies":

This pod is a perfect listen for anyone on the spectrum of a cyber security professional, or someone new to learning about the industry.
I myself don’t work in the field of tech, but want to stay up-to-date with the world of cyber news per my concerns about AI capability and an increase in hacks.

Thank you to the hosts for breaking down the news in a palatable yet educational, listener-friendly way!
