WPS Office Exploit, Notion Exits Russia, Uber’s $325M Fine – Cybersecurity News [August 26, 2024]

by Duocircle

 

We’re back with the latest cybersecurity scoop of the week that will keep you privy to the latest attacks and help you stay safe. This week, we’ll take a look at how hackers are leveraging the WPS office to spread malware, the withdrawal of Notion from Russia, how Uber was fined $325 million for illegal data transfers, the Tickler malware attacking US government systems, and the FBI’s report on RansomHub ransomware’s 210 victims and the tactics used. Let’s take a look!

South Korean Hackers Leveraged WPS Office Vulnerability to Spread Malware

APT-C-60 hackers have been leveraging zero-day code execution flaws in WPS Office for Windows systems and installing the SpyGlace backdoor.

The threat actor group is a South Korea-aligned cyberespionage group and is targeting East Asians. The flaw that they are using is the CVE-2024-7262, which has been popular in attacks since February this year. The patch was patched by Kingsoft back in March, the Chinese enterprise behind WPS Office. However, they did this silently, without informing its customers, and researchers at ESET were able to investigate the vulnerability and the exploitation. ESET shared that the vulnerability lies where the software handles custom protocol handles. There’s improper validation of the URLs used within documents that allows threat actors to craft and use malicious links, leading to code execution. APT-C-60 has been misusing this and embedding malicious hyperlinks in decoy images that trigger exploits whenever a victim clicks on said images. An encoded command is triggered that loads malicious DLLs with the threat actor’s code and installs SpyGlace, their custom backdoor.

 

WPS Office Vulnerability

 

ESET also shared how Kingsoft’s attempt at fixing the flaw failed and they released an incomplete patch. Threat actors can still exploit the vulnerability via local systems or network sharing.

 

Notion Withdraws From Russia, Plans to Shut down Accounts by September

Notion released an announcement sharing that they are exiting Russia and will terminate all accounts linked to Russian users.

Notion’s decision came after the US government-imposed restrictions on software service providers, so Notion will stop all activity and end-user access to its platform on 9 September 2024. The application has been a great productivity tool for document creation and task management, with tons of collaboration tools and databases that are used by millions globally. They will delete all Russian-based accounts and have given time till 8 September to extract all data, after which it will no longer be possible. If the admins have imposed exporting restrictions, you may not be able to download any internal data. However, if there are massive files, you will not be able to download them directly from the platform, and Notion will send a download link to your email.

All the impacted users were already sent closure notices of their accounts. You can find all help in this guide that shows how you can export the data in PDF, HTML, or CSV files.

 

export the data

 

Uber Faces $325 Million Fine for Illegally Transferring Driver Data From Europe to the US

In other news, the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) fined Uber over GDPR (General Data Protection Regulation) €290 million ($325 million).

This is the third fine by the authority on Uber, following €6 million and €10 million fines from November 2018 and January 2024, respectively. Autoriteit Persoonsgegevens has been investigating the organization’s data practices for quite a while and noticed complaints from French drivers. According to the Schrems II ruling, the EU-US privacy shield was invalidated because the data protection standards in the US are not enough. Uber did not follow the ruling and continued to transfer personal data to the US without implementing proper safeguards. In response, Uber argued that no data transfers occurred as all data was uploaded directly to US-based servers via the application, but these arguments were rejected.

Uber has filed for an appeal against the decisions, which might take as long as four years, so the fine is suspended for this duration.

 

 personal data

 

Tickler Malware Targets US Government and Defense Organizations for Unauthorized Access

The APT33 Iranian threat actors (also called Peach Sandstorm) have been installing backdoors onto US and UAE government, defense, oil, gas, and other sectors using the new Tickler malware.

Microsoft’s security researchers have been observing the attack tactics where these threat actors use the infrastructure of MS Azure for C2 (Command and Control) via fraud subscriptions. APT33 carried out many organizations of said sectors between April and May this year and gained access to accounts by leveraging commonly used passwords. They used the same tactic to deploy FalseFont backdoor malware on defense contractor devices back in November 2023, but now they seem to have switched to Tickler.

Microsoft also shared that APT33 has been targeting accounts of defense, pharma, and satellite organizations using password spray attacks, and they will mandate MFA for all Azure sign-ins from 15 October 2024 to protect all users.

 

 password spray attacks

 

FBI Reports RansomHub Ransomware Attacked 210 Victims Since February

Affiliates of the RansonHub ransomware have attacked nearly 210 organizations since February, most of which are critical infrastructure enterprises in the US.

RansomHub is a new Raas (Ransomware as a Service) operation that steals files for demanding ransoms, and if they are not paid, the data is sold to the highest bidders. This is slightly different as they do not always encrypt the data like other ransomware do and just steal it. FBI released a joint advisory with CISA, HHS (Department of Health and Human Services), and MS-ISAC (Multi-State Information Sharing and Analysis Center) and also highlighted that many of these are also double-extortion attacks. Since February, RansomHub has targeted 210 organizations in water, IT, government, facilities, healthcare, public health, food and agriculture, financial services, critical manufacturing, communications, and transportation sectors. To stay safe against the threat, it’s best to implement the recommendations shared in the advisory.

Most of these are straightforward, like implementing MFA and strong passwords and using VPNs on critical system accounts. You should also keep all software updated and carry out vulnerability assessments regularly.

Pin It on Pinterest

Share This