Shownotes Transcript
The West calls out China over hacks again. Germany has a major Microsoft exchange problem. China blocks foreign technology on government networks. And Rohammer attacks arrive on AMD Zen CPUs.
This is Risky Business News, prepared by Katalin Kimpanu and read by me, Claire Aird. Today is the 27th of March, and this podcast episode is brought to you by Sublime Security, an email security platform that's not a black box. In today's top story, the governments of Australia, New Zealand, the UK, the US, and the EU have called out China again over its hacking operations.
The US has indicted seven Chinese nationals who are believed to be part of a hacking group known as APT31. Together with the UK, it also sanctioned two of the seven members and a front company from the city of Wuhan. The US says Wuhan Xiaorui-Z Science and Technology was a contractor and front company for the Hubei branch of China's Ministry of State Security.
The group allegedly hacked governments across the world, spied on dissidents and stole trade secrets from foreign companies. APT31 is believed to have hacked members of the UK, Norwegian and Finnish parliaments. In the US, the group hacked defence contractors, government officials and even their spouses.
Besides APT31, the UK also accused another Chinese hacking group of stealing data from its electoral registry in 2022. The New Zealand government accused APT40 of hacking the nation's parliament in 2021, but said it lacks the legislative framework to impose sanctions. APT40 is a front for the Hainan branch of China's Ministry of State Security, also behind a breach of Australia's parliament in 2019.
Chinese officials dismissed the accusations as usual and claimed they're the ones getting cybered by the West.
Meantime, China introduced new guidelines that block the procurement of foreign technologies for government PCs and servers. The guidelines ban the use of Intel and AMD chips, Microsoft Windows and foreign database servers. The new procurement guidelines were introduced in December of last year. Chinese officials have urged agencies to switch to domestic alternatives.
Germany's cyber security agency says that more than 17,000 Microsoft Exchange email servers in the country have critical vulnerabilities. The BSI says that more than 45,000 Exchange servers are exposed on the internet without protection. More than 5,000 of these are running outdated and end-of-life versions. According to Shodan, Germany has the most internet-connected Exchange servers in the world.
Threat actors are exploiting a vulnerability in the AnyScale Ray AI framework to compromise AI servers. The attackers are using a vulnerability disclosed in November of last year that AnyScale has yet to patch. The vulnerability allows the threat actors to run code on the server through one of the Ray API endpoints without needing to authenticate.
AnyScale disputed the vulnerability last year, claiming the Ray framework was never meant to be used on the internet and didn't need authentication.
Security firm Reversing Labs has discovered a malicious .NET library on the official NuGet repository. The package contains code to take screenshots of the infected system every minute and upload the data to a remote server. Reversing Labs says the library appears to target developers who work with industrial software from Chinese company Bosun.
A malware distribution campaign has impacted the Top.gg Discord bot distribution platform after one of its developers installed a malicious Python library. The attack was detected in its early phases before any malicious code could be distributed through Top.gg. Security firm Checkmarks says the incident was part of a larger campaign that began in November 2022. The
The campaign leveraged fake infrastructure for the PiPi portal, typo squatting and account takeovers through stolen cookies. Besides Top.gg, the attackers successfully compromised other individual developers.
Security researchers from Lumen's Black Lotus Labs have linked a malware botnet known as The Moon to Faceless, a proxy service advertised in cybercrime forums. Devices infected with The Moon malware are typically added to the Faceless service within hours or days. Lumen estimates The Moon's size at more than 40,000 infected devices. The vast majority are end-of-life SOHO routers and IoT devices.
Human Security has uncovered a broad malware operation named ProxyLib. The cybersecurity company has uncovered malware in 28 VPN-related apps uploaded on the official Google Play Store. The malware is named ProxyLib and works by turning infected devices into nodes of a residential proxy network.
Human linked the malware to residential proxy service Asox. After Google took down the malicious apps, Human found the ProxyLib malware inside an SDK named LumiApps.
Academics have developed the first version of the classic Rowhammer attack that can work on AMD processors. The new attack is named Zenhammer and was successfully tested on AMD's Zen CPU series. The attack can flip bits inside the CPU memory and modify or corrupt data. AMD has confirmed the attack and published mitigations.
The Mozilla Foundation is retiring its privacy-friendly geolocation service. Employees say the service saw a decline in accuracy after a lack of funding in recent years. The Mozilla location service launched in 2013 and operated on GPS data submitted by the community. The service will shut down in phases between March and July this year.
And finally, a threat actor has stolen $16 million worth of assets from the Curio DeFi platform. The attacker exploited a vulnerability in the platform's smart contract to mint and steal new tokens. The vulnerability was described as a permission access logic flaw. And that's all for this podcast edition. Today's show was brought to you by our sponsor, Sublime Security. Find them at sublime.security. Thanks to your company.
