Cybersecurity Alert: Cisco Devices Targeted by BADCANDY Malware

Australia's Signals Directorate (ASD) issued a warning last Friday regarding a malware implant called "BADCANDY." This malware is targeting unpatched Cisco IOS XE devices, allowing attackers to detect and reinstall their malware after it has been removed.

The ASD advised that unknown perpetrators are actively searching for vulnerable Cisco devices, particularly those susceptible to CVE-2023-20198. This 2018 vulnerability, rated 10.0 on the Common Vulnerability Scoring System (CVSS) scale, enables attackers to exploit the web user interface of Cisco's IOS XE software, gaining control over the affected systems. This specific flaw has been notably used by the infamous Salt Typhoon group.

According to the ASD, rebooting an infected device will eliminate the BADCANDY implant. However, they cautioned that this action will not undo other malicious activities performed by the attackers nor will it resolve the initial vulnerability that facilitated access. Alarmingly, rebooting the device may also alert the attackers to intensify their efforts. The advisory emphasizes the critical need to patch against CVE-2023-20198 to prevent further exploitation.

In a related incident, a former executive of a defense contractor has confessed to selling classified cyber exploits to a Russian firm linked to the Kremlin. Peter Williams, who was the general manager of L3Harris' cyber subsidiary Trenchant in Washington, D.C., pled guilty to two counts of theft of trade secrets after being arrested earlier. The Justice Department revealed that Williams sold software focused on national security to a Russian broker, which included several sensitive cyber-exploit components initially intended for U.S. government use.

Williams reportedly entered into written agreements with his Russian accomplice, who offered up to $4 million in cryptocurrency for the stolen information. Documents indicated that Williams received around $1.3 million from these illicit dealings, which he used to purchase luxury items and real estate. He faces a maximum of ten years for each charge, with the DoJ recommending a sentence of 11 years and three months, considering his cooperation after being apprehended.

In another cybersecurity development, Palo Alto Networks has raised alarms about a new variant of Windows malware, believed to be deployed by a nation-state actor. This malware, named Airstalk, targets Omnissa's Workspace ONE endpoint management software. Attackers utilize the software's API to extract sensitive data, including cookies, browsing histories, and bookmarks from Chrome, in addition to capturing live screenshots of infected devices. The malware is available in both PowerShell and .NET variants, with the latter being more advanced and capable of evading detection.

As for web security, Google intends to enhance Chrome's security features. Starting next October, the browser will automatically warn users when they attempt to access sites that require insecure HTTP connections. This change aims to increase user awareness of security risks, although Google acknowledges it may introduce some inconvenience.

Lastly, users of password manager LastPass should be vigilant against a recent phishing campaign. Users have reported receiving emails claiming that a family member has submitted a death certificate to access their account. These emails prompt users for proof of life, directing them to a fraudulent login page. LastPass has advised users to be cautious and delete any such messages.

In an effort to enhance the security of sensitive communications, Meta has announced that its encrypted chat application WhatsApp will soon allow users to secure their cloud backups with biometric passkeys, facilitating easier yet secure access to their chat histories.