Today on CISO Series…
In today’s cybersecurity news…
Australia warns of BADCANDY Attacks Exploiting Cisco IOS XE
The Australian Signals Directorate (ASD) is warning of cyber attacks targeting unpatched Cisco IOS XE devices within Australia that deploy a previously undocumented implant called BadCandy. These attacks exploit a CVE-numbered flaw with a CVSS score of 10.0 that allows unauthenticated attackers to create an account with elevated privileges. BadCandy is described as a “low equity Lua-based web shell.” It lacks a persistence mechanism, which means it cannot survive a system reboot, but if a device remains unpatched and exposed to the internet, “it’s possible for the threat actor to re-introduce the malware and regain access to it.”
Chinese hackers exploiting Cisco ASA firewalls used by governments worldwide
According to experts at Palo Alto Networks’ Unit 42, hackers from China-based Storm-1849 are “scanning for and exploiting a popular line of Cisco firewalls used by governments in the U.S., Europe and Asia.” The group is targeting Cisco Adaptive Security Appliances (ASA), which, in addition to acting as firewalls, “also prevent some intrusions, handle spam, conduct antivirus checks, and more.” The researchers observed several U.S. financial institutions, defense contractors and military organizations attacked throughout October.
OpenAI’s Aardvark GPT-5 agent finds and fixes code flaws automatically
This autonomous agent, currently available in private beta, works by “embedding itself into the software development pipeline, monitoring commits and changes to codebases, detecting security issues and how they might be exploited, and proposing fixes to address them using LLM-based reasoning and tool-use.” OpenAI added that Aardvark “analyses a project’s codebase to produce a threat model that it thinks best represents its security objectives and design. With this contextual foundation, the agent then scans its history to identify existing issues, as well as detect new ones by scrutinizing incoming changes to the repository.”
FCC plans vote to remove cyber regulations installed after theft of presidential info from telecoms
This past week, the Federal Communications Commission announced plans to remove some cybersecurity regulations that had been put in place after Chinese hackers breached at least nine telecommunications giants to steal the correspondence of the President and Vice President last year. Chairman Brendan Carr released a statement that said, “the agency would reverse a declaratory ruling published in January which would have mandated telecoms to better secure their networks and submit annual certifications attesting to the creation of a cybersecurity risk management plan.” On Thursday, FCC Secretary Marlene Dortch added more context, saying that “telecoms have already taken voluntary steps to secure their networks and that the ruling was legally erroneous.”
Huge thanks to our sponsor, ThreatLocker
CISA and NSA share tips on securing Microsoft Exchange servers
More than a dozen key security recommendations for network defenders were shared by the agencies and their partners. These included “keeping servers up to date, migrating from unsupported Exchange versions, enabling emergency mitigation services, activating built-in anti-spam and anti-malware features, restricting administrative access to authorized workstations, and implementing security baselines for both Exchange Server and Windows systems.” The agencies also made recommendations around strengthening authentication by enabling MFA, leveraging OAuth 2.0, and many other procedures. They also advised network defenders to “decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.”
Ukrainian extradited to U.S. over Conti ransomware
Oleksii Lytvynenko, 43, was extradited from Cork, Ireland, to face charges of deploying Conti ransomware that extorted over $500K from U.S. victims between 2020 and June 2022. Court filings allege Lytvynenko managed stolen Conti victim data and ransom notes. Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division said Lytvynenko’s activities “defrauded victims in almost every U.S. state and from over two dozen countries worldwide.” He now faces up to 25 years in prison.
Another surge of NFC relay malware steals Europeans’ credit cards
Related to a story we covered in June, mobile security firm Zimperium says Near-Field Communication (NFC) relay malware has “grown massively popular in Eastern Europe with researchers discovering over 760 malicious Android apps using the technique to steal people’s payment card information in the past few months.” NFC malware takes advantage of Android’s Host Card Emulation (HCE) to emulate or steal contactless credit card and payment data. The technique was first spotted in the wild in Poland in 2023, and this was followed by campaigns in the Czech Republic, and later, more massive attack waves in Russia.
Rhysida pwns users with Microsoft Teams ads
According to Aaron Walton of Expel, the prolific ransomware gang is “leveraging malicious advertisements to deliver OysterLoader malware (also known as Broomstick and CleanUpLoader).” This campaign began in June and is continuing. This is done by purchasing search engine ads – in this case in Bing – and driving people to spoofed, typosquatted sites. To ensure a lower detection rate by anti-virus engines when victims click on the links, Rhysida employs a packing tool to hide the malware’s capabilities.
