UK network outage grounds flights
On August 28th, the UK’s National Air Traffic Service, or NATS, announced a “technical issue” caused it to apply “traffic flow restrictions to maintain safety.” This resulted in flight controllers having to input flight plans manually, reducing air traffic to a trickle of its usual volume. Through mid-afternoon roughly 500 flights saw cancellations or multi-hour delays, most from London’s Heathrow airport. NATS announced it “identified and remedied” the issue at 3:15pm local time, but flight disruptions could persist for days. NATS had announced no further details on what caused the issue at the time of recording.
The malware loader Big 3
A new report from the security firm ReliaQuest claims that the malware loaders QBot, SocGholish, and Raspberry Robin account for 80% of observed attacks in 2023. The three remain fairly close in market share, with QBot the most common, used in 30% of attacks. After the top three, the report found the remaining top 7 used in low single-digit percentages. QBot also proved the most adaptable, perhaps explaining why the one-time banking trojan has been around for 16 years. SocGholish targets Windows and showed ties to the Russian-linked group Evil Corp in the past. Raspberry Robin also targets Windows, starting out as a USB drive worm. Since then, both Clop and LockBit have used it to load ransomware.
Another spyware firm breached
Earlier this month, we covered the shutdown of LetMeSpy, a Polish spyware developer, after attackers breached its servers and deleted customer data. Now TechCrunch received a message from an unnamed hacker group describing how it compromised another spyware vendor, the Brazilian-owned WebDetetive. Using a flaw in its client dashboard layout, the attackers proceeded to download every dashboard record, letting them delete enrolled devices and view customer email addresses. An analysis by DDoSecrets of an exfiltrated dataset shows the service had over 76,000 devices enrolled. A further analysis by TechCrunch showed the app to largely represent a repackaged version of the spyware OwnSpy.
Microsoft Entra ID privilege escalation exploit
Researchers at Secureworks released a technical report detailing the exploit. It allows a threat actor to redirect authorization codes from an abandoned reply URL, which they could use to obtain access tokens. From there, they could call the Power Platform API to elevate privileges. Microsoft patched the issue, and Secureworks released an open-source tool to let organizations scan for abandoned reply URLs used in the approach. There is no evidence attackers used this method in the wild.
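As an added illustration of the defensive check described above (this is not the Secureworks tool or Microsoft code), the following script takes an export of an organization's own app registrations and flags reply URLs whose hostnames no longer resolve. The app registrations and the offline resolver are constructed sample data; the default resolver uses live DNS.

```python
"""Flag app-registration reply URLs whose hostnames no longer resolve.

Added example, not the Secureworks scanner. The registrations below are
constructed sample data; the resolver is injectable so the check runs
offline (the default uses socket.gethostbyname against live DNS).
"""
import socket
from urllib.parse import urlparse

# Constructed sample: display name -> reply/redirect URIs, as a defender
# might export them from their own tenant's app registrations.
SAMPLE_APP_REGISTRATIONS = {
    "Payroll Portal": [
        "https://payroll.example.com/auth/callback",
        "https://old-pilot.example.com/signin-oidc",
    ],
    "Field App": [
        "msauth://com.example.fieldapp/callback",
        "https://fieldapp-staging.example.com/callback",
    ],
}

# Constructed stand-in for DNS: only these hostnames "resolve" offline.
SAMPLE_RESOLVABLE = {"payroll.example.com", "fieldapp-staging.example.com"}


def live_resolves(hostname):
    """Real DNS check; True when the name resolves to at least one address."""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False


def offline_resolver(hostname):
    """Resolver used for the offline demonstration and the test."""
    return hostname in SAMPLE_RESOLVABLE


def find_dangling_reply_urls(registrations, resolves=live_resolves):
    """Return (app, url, reason) for each http(s) reply URL whose host is unresolvable.

    Custom app schemes such as msauth:// are skipped: DNS says nothing about them.
    """
    findings = []
    for app, urls in registrations.items():
        for url in urls:
            parsed = urlparse(url)
            if parsed.scheme not in ("http", "https"):
                continue
            host = parsed.hostname
            if not host:
                findings.append((app, url, "no hostname"))
                continue
            if not resolves(host):
                findings.append((app, url, "hostname does not resolve"))
    return findings


if __name__ == "__main__":
    for app, url, reason in find_dangling_reply_urls(
        SAMPLE_APP_REGISTRATIONS, offline_resolver
    ):
        print(f"{app}: {url} ({reason})")
```

A hostname that fails to resolve is a strong signal that the reply URL is abandoned and should be removed from the registration, but the converse is not a clean bill of health: a name that still resolves may point at infrastructure the organization no longer controls, so each remaining URL should also be matched against an inventory of owned hosts.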
Thanks to our sponsor, AppOmni
Malicious packages found in Rust registry
We’ve covered a number of malicious npm packages in the past, but this latest finding shows that exploiting the software supply chain knows no programming language bounds. Researchers at Phylum discovered 7 malicious libraries uploaded to the Rust crate registry. Once installed, all the packages transmitted OS-level data to hard-coded Telegram channels. It seems this was part of an early-stage campaign attempting to get the packages installed on a wide variety of environments. The packages appeared in the registry in mid-August and were subsequently removed.
BlackBerry and SentinelOne could be acquired
Over the weekend, Reuters’ sources said the private equity firm Veritas Capital made an acquisition offer for BlackBerry, the once iconic phone maker turned security vendor. No word on the offer’s terms, but the stock market reacted to the news by raising BlackBerry’s market cap to $3.1 billion. Meanwhile, SentinelOne hired the bank Qatalyst Partners to advise on acquisition talks with several prospective buyers. The cloud security startup Wiz confirmed it’s considering a bid for the company.
OpenAI launches ChatGPT Enterprise
While many organizations and employees have already tried OpenAI’s ChatGPT, the release largely only offered consumer-grade tooling. The new enterprise-focused offering provides the same capabilities but adds a new admin console, which offers the ability to manage employees, see usage statistics and set up templates. The tier also offers unlimited access to Advanced Data Analysis, with more data analysis features. This comes after Microsoft released Bing Chat Enterprise back in July.
KmsdBot malware expands to new audience
The KmsdBot botnet first appeared in November, largely targeting cloud providers and private gaming servers before transitioning to educational institutions. An analysis of an update to the botnet by Akamai researcher Larry W. Cashdollar shows it recently added new capabilities to target IoT. It added support for several new CPU architectures and now supports Telnet scanning. KmsdBot brute-forces passwords from a list of common ones to get into IoT devices that still use default credentials.
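As an added example for the Telnet brute-force behaviour described above (this is not Akamai's analysis code), the following detection runs over a handful of constructed syslog-style lines and flags any source that racks up a burst of failed Telnet logins, noting whether a successful login followed the burst, which is the pattern a default-credential compromise leaves behind. The log format, thresholds and addresses are assumptions made for the illustration.

```python
"""Flag sources that hammer a Telnet service with repeated failed logins.

Added example, not Akamai's code. The log lines below are constructed in a
syslog-like shape assumed for illustration, not real device output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one burst from 203.0.113.7 ending in a success,
# and two isolated failures from 198.51.100.9 half an hour apart.
SAMPLE_LOG = """\
2023-08-29T10:00:01Z gw telnetd: login failed for 'admin' from 203.0.113.7
2023-08-29T10:00:02Z gw telnetd: login failed for 'root' from 203.0.113.7
2023-08-29T10:00:03Z gw telnetd: login failed for 'admin' from 203.0.113.7
2023-08-29T10:00:04Z gw telnetd: login failed for 'user' from 203.0.113.7
2023-08-29T10:00:05Z gw telnetd: login failed for 'admin' from 203.0.113.7
2023-08-29T10:00:06Z gw telnetd: login succeeded for 'admin' from 203.0.113.7
2023-08-29T10:00:07Z gw telnetd: login failed for 'admin' from 198.51.100.9
2023-08-29T10:30:00Z gw telnetd: login failed for 'admin' from 198.51.100.9
"""

# Assumed line shape: "<ts> <host> telnetd: login <result> for '<user>' from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd: login (?P<result>failed|succeeded) "
    r"for '(?P<user>[^']*)' from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_log(text):
    """Parse matching lines into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src: info} for sources with >= threshold failures in any sliding window.

    info records the failure count, the distinct usernames tried, and whether
    a successful login occurred at or after the end of the burst.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[3] == "failed"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end][0]
                success_after = any(
                    e[3] == "succeeded" and e[0] >= burst_end for e in evs
                )
                alerts[src] = {
                    "failures": len(failures),
                    "usernames": sorted({e[2] for e in failures}),
                    "success_after_burst": success_after,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

On the sample, only 203.0.113.7 trips the threshold, and the alert carries the three usernames tried plus the fact that a success followed the burst; the slow pair of failures from 198.51.100.9 stays below the window threshold. Sources that succeed after such a burst are the ones worth prioritising, since on a device still running default credentials that success is the compromise itself.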