Malicious implanters can see you remove their evil code. • The Register

IT security in brief The Australian Signals Directorate (ASD) warned last Friday that attackers were installing an implant named “BADCANDY” on unpatched Cisco IOS XE devices, and that the attackers can detect when the implant is removed and simply reinstall it.

The ASD advisory states that unknown actors are scanning for Cisco devices vulnerable to CVE-2023-20198, a 2018 bug rated 10.0 on the CVSS scale that allows attackers to abuse the web UI feature of Cisco’s IOS XE software and take control of a device. The flaw is a favorite of the notorious Salt Typhoon gang.

Rebooting an infected device removes BADCANDY, the ASD says, but warns that “rebooting will not undo additional actions taken by the threat actor or remediate the initial vulnerability exploited for access.”

Worse, restarting can alert attackers that they need to hack harder.

“ASD believes that actors are capable of detecting when the BADCANDY implant is removed and re-exploit the devices,” the notice states. “This further highlights the need to apply patches against CVE-2023-20198 to prevent re-exploitation.” –Simon Sharwood

Defense contractor executive admits selling cyber tools to Russia

A former defense company executive has pleaded guilty to selling secret exploits to a Russian company that does business with the Kremlin.

Peter Williams, an Australian citizen working in Washington, D.C. as chief executive of Trenchant, a cyber subsidiary of defense contractor L3Harris, admitted last week to two counts of stealing trade secrets after being arrested and charged a week earlier.

According to the Justice Department, Williams sold national security-focused software to an unnamed Russian cyber-tools broker, including at least eight “sensitive, protected cyber-exploit components” intended exclusively for sale to the U.S. government and a few select allies.

Williams was arrogant enough to enter into written contracts with his Russian co-conspirator, who promised up to $4 million in cryptocurrency for the stolen secrets, as well as continued support for Russia’s use of the hijacked exploits. Court documents suggest he received payments of around $1.3 million for his crimes – enough to buy a number of expensive watches, handbags, jewelry and clothing, as well as a home in Washington, D.C., which he agreed to forfeit to the US government.

Each of the charges against Williams carries a maximum sentence of ten years. Court documents suggest the DoJ wants Williams to spend 11 years and three months in prison.

The DoJ cited Williams’ cooperation once he was arrested as the reason for the recommended sentence, despite the fact that he spent months working alongside Trenchant’s internal investigators looking into the theft, and continued to sell secrets to the Russians after the company learned that someone was stealing its national security-related software.

Nation-state likely behind supply chain attack on Omnissa

Palo Alto Networks is warning of a dangerous new strain of Windows malware that it suspects is being used by a state actor to create a command and control channel within Omnissa’s (formerly VMware) Workspace ONE endpoint management and application publishing suite.

Dubbed Airstalk after the software’s former name (the AirWatch API for MDM), the malware uses that API as its channel: Palo Alto said attackers used it to exfiltrate cookies, browsing history and bookmarks from Chrome, as well as to take live screenshots of infected devices.

Palo Alto found PowerShell and .NET variants of the malware and says both can evade detection, but the .NET version is the more sophisticated of the two.

Palo Alto did not detail how the malware authors distribute their malicious code. At the time of writing, Omnissa security advisories do not mention a fix for this issue.

Google decides Chrome should always warn you about HTTP

With HTTPS adoption plateauing at around 95%, Google has decided that the world’s most popular browser should still warn people when sites require insecure HTTP connections.

Starting next October with Chrome 154 (yes, you have a year to prepare for this), Chrome’s “Always use secure connections” setting will be enabled by default, meaning that the first time a user visits an old HTTP page, even if it’s a quick hop between secure connections, the browser will warn them and ask if they want to continue.

“Many plain-text HTTP connections these days are completely invisible to users, because HTTP sites can immediately redirect to HTTPS sites,” Google said in its update. “HTTP browsing remains commonplace for most Chrome users.”

Google admits this will add a bit of friction for Chrome users, but the company believes it’s for a good cause.

Of course, since this is a setting enabled by default, there’s no need to accept the new Chrome standard when it arrives in a year’s time – just turn it off if you prefer to browse dangerously.

No, LastPass does not check if you are dead

If you are a user of the LastPass password manager and you receive an email asking you to confirm that you are not dead, do not fall for this new phishing campaign.

LastPass has warned users about the phishing campaign, which arrives as a message informing users that a family member has submitted a death certificate in order to access their account. The email asks users to submit proof of life by logging in, and the login link, naturally, directs users to a phishing domain instead of a real LastPass URL.

LastPass said the group behind these emails appears to be looking for cryptocurrency account credentials stored in its users’ vaults, and this is not the first time the same group has targeted LastPass users. The original phishing site that started the campaign has disappeared, the company said, but that’s usually not enough to end a campaign, so keep an eye out for the “Are you dead?” message – and delete it.

Secure your WhatsApp chats with a password

Meta’s encrypted chat app, WhatsApp, is used for many sensitive communications worth preserving, and so Zuck’s chat service offers encryption of backup files stored in the cloud – secured by a password or an encryption key that the user has to keep safe.

Now, Meta will allow users to secure those backups with a passkey instead.

“Passkeys will let you use your fingerprint, face, or screen lock passcode to encrypt your chat backups instead of having to remember a password or cumbersome 64-digit encryption key,” the WhatsApp team noted in a blog post last week.

The new feature will be gradually rolled out to users over the “coming weeks and months”, WhatsApp said. To switch from a password to a passkey, open WhatsApp and go to Settings > Chats > Chat backup > End-to-end encrypted backup and follow the on-screen prompts. ®