Infosec in brief Australia’s Signals Directorate (ASD) last Friday warned that attackers are installing an implant named “BADCANDY” on unpatched Cisco IOS XE devices and can detect deletion of their wares and reinstall their malware.
The ASD’s advisory says unknown actors go looking for Cisco devices susceptible to CVE-2023-20198, a 2018 bug rated 10.0 on the CVSS scale that allows attackers to exploit the web UI feature in Cisco’s IOS XE software and take control of a system. The flaw is a favorite of the notorious Salt Typhoon gang.
Rebooting an infected device removes BADCANDY, the ASD says, but warns “rebooting will not reverse additional actions taken by the threat actor and will not remedy the initial vulnerability exploited to gain access.”
Worse, rebooting may alert attackers that they need to hack harder.
“ASD believes actors are able to detect when the BADCANDY implant is removed and are re-exploiting the devices,” the advisory states. “This further highlights the need to patch against CVE-2023-20198 to avoid re-exploitation.” – Simon Sharwood
Defense contractor exec admits selling cyber-tools to Russia
A former executive at a defense contractor has pleaded guilty to selling secret exploits to a Russian company that does business with the Kremlin.
Peter Williams, an Australian citizen working in Washington, D.C. as the general manager of defense contractor L3Harris’ cyber subsidiary Trenchant, last week admitted to two counts of theft of trade secrets after being arrested and accused a week earlier.
According to the Justice Department, Williams sold national-security-focused software, including at least eight “sensitive and protected cyber-exploit components” that were meant exclusively for sale to the US government and a few select allies, to an unnamed Russian cyber-tools broker.
Williams was arrogant enough to enter into written contracts with his Russian co-conspirator, who promised up to $4 million in cryptocurrency for the stolen secrets, plus ongoing support for Russian use of the misappropriated exploits. Court documents suggest he received payments of around $1.3 million from his crimes – enough to buy a number of expensive watches, handbags, jewelry, and clothes, as well as a house in Washington, D.C., all of which he’s agreed to forfeit to the US government.
Each of the charges Williams faces carries a maximum sentence of ten years. Court documents suggest the DoJ wants Williams to spend 11 years and three months in prison.
The DoJ cited Williams’ cooperation once he was caught as the reason for its recommended sentence, despite the fact that he spent months working alongside internal investigators at Trenchant who were looking into the theft and continued to sell secrets to the Russians after the company was aware someone was making off with software related to national security.
Nation-state likely behind supply chain attack on Omnissa
Palo Alto Networks is warning of a dangerous new strain of Windows malware it suspects is being used by a nation-state actor to create a command and control channel inside Omnissa’s (formerly VMware’s) Workspace ONE endpoint management and application publishing suite.
Dubbed Airstalk for the software’s former name (AirWatch API for MDM), Palo Alto said attackers are using the API to exfiltrate cookies, browsing histories, and bookmarks from Chrome, as well as to take live screenshots of infected devices.
Palo Alto found PowerShell and .NET variants of the malware and says both can evade detection, but the .NET version is more sophisticated.
Palo Alto didn’t detail how the malware’s authors distribute their evil code. At the time of writing, Omnissa’s security advisories don’t mention a patch for this problem.
Google decides Chrome should always warn you of HTTP
With the plateauing of HTTPS adoption at around 95 percent, Google has decided that the world’s most popular browser should always warn people when sites require insecure HTTP connections.
Starting next October with Chrome 154 (yes, you have a year to prepare for this), Chrome’s Always Use Secure Connections setting will be on by default, meaning that the first time a user visits a plain old HTTP page, even as a quick hop between secure connections, the browser will warn them and ask them if they want to proceed.
“Many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites,” Google said in its update. “HTTP navigations remain a regular occurrence for most Chrome users.”
Google admits this will add a little friction for Chrome users, but the company feels it’s in a good cause.
Of course, because this is an on-by-default setting, one need not accept the new Chrome normal when it arrives in a year’s time – just toggle it off if you prefer to browse dangerously.
No, LastPass is not checking to see if you’re dead
If you’re a user of password manager LastPass and you receive an email asking you to confirm you’re not dead, don’t fall for this new phishing campaign.
LastPass has warned users of the phish that appears in the guise of a message informing users that someone in their family has submitted a death certificate in order to gain access to their account. The email asks users to submit proof of life in the form of a login that, naturally, directs users to a phishing domain instead of a real LastPass URL.
LastPass said the group behind these emails appears to be seeking cryptocurrency account credentials stored in its users’ vaults, and it’s not the first time the same group has targeted LastPass users. The initial phishing site behind the campaign has gone down, the company said, but that’s usually not enough to end a campaign, so keep an eye out for an “Are you dead?” message – and delete it.
Secure your WhatsApp chats with a passkey
Meta’s encrypted chat app WhatsApp gets used for plenty of sensitive communications worthy of preservation, and Zuck’s chat service therefore offers encryption of backup files stored in the cloud, with those backups secured by either a password or a 64-digit encryption key.
Now, Meta will let users secure backups with a biometric passkey.
“Passkeys will allow you to use your fingerprint, face, or screen lock code to encrypt your chat backups instead of having to memorize a password or a cumbersome 64-digit encryption key,” the WhatsApp team noted in a blog post last week.
The new feature is rolling out gradually to users over the coming “weeks and months,” WhatsApp said. To switch from a password to a key, open WhatsApp and navigate to Settings > Chats > Chat Backup > End-to-end Encrypted Backup and follow the onscreen prompts. ®