Welcome to Safety Sunday – 6. Week. our weekly round-up of events in the world of cyber security (5 – 11 February 2024).

We’re collecting notable incidents and vulnerability reports from the past week.

Chinese hackers hid in US infrastructure for 5 years

The Chinese cyber espionage group Volt Typhoon penetrated the critical infrastructure network in the United States and operated for at least five years before it was discovered, according to a joint statement from CISA, the NSA, the FBI and partner agencies Five Eyes.

The Volt Typhoon hackers are known to make extensive use of “living off the land” (LOTL) techniques in attacks on critical infrastructure organizations.

The Group focused mainly on the communications, energy, transport and water and sewerage sectors.

Its goals and tactics also differ from typical cyber espionage activities, leading authorities to conclusively conclude that the group seeks to position itself on networks that provide it with access to operational technology (OT), with the ultimate goal of disrupting critical infrastructure.

“This is something we’ve been dealing with for a long time,” said Rob Joyce, NSA’s director of cybersecurity and deputy national manager for national security systems (NSS).

“We have improved in all aspects of this issue, from understanding the scope of the Volt Typhoon, to identifying compromises that may impact critical infrastructure systems, to securing targets against these intrusions, to working with partner agencies to combat PRC cyber actors.”

The group also used a botnet of hundreds of small office/home networks (SOHO) across the United States (called the KV-botnet) to hide its malicious activity and avoid detection.

The FBI stopped the KV-botnet in December 2023, and hackers failed to recover the decomposed infrastructure after Lumen’s Black Lotus Labs destroyed all remaining C2 servers and payload.

Chinese hackers exploited FortiGate bug to breach Dutch military network

Chinese state-sponsored hackers penetrated a computer network used by the Dutch armed forces and targeted Fortinet FortiGate devices.

“The compromised computer network was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) said in a statement. “Because this system was self-contained, it did not result in any damage to the defence network.”

The intrusion, which occurred in 2023, exploited a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.

This is the first time the Netherlands has publicly attributed a cyber espionage campaign to China.

The news also comes days after US authorities took steps to dismantle the botnet we wrote about above.

Raspberry Pi Pico breaks BitLocker in less than a minute

The attack technique was documented in a YouTube video over the weekend, showing how a Raspberry Pi Pico can be used to gain access to a BitLocker-secured device in less than a minute if you have physical access to the device.

In the video posted by user stacksmashing, a Lenovo laptop was used, although other hardware will also be vulnerable. This technique also relies on the Trusted Platform Module (TPM) being separate from the processor. In many cases, the two elements will be combined, in which case the technique shown cannot be used.

However, if you get your hands on a similarly vulnerable BitLocker-secured device, gaining access to encrypted storage seems embarrassingly simple. The idea is to eavesdrop on the device key as it is passed from the TPM to the processor. The key transmission is not encrypted.

This particular laptop had connections that could be used in addition to its own connector for accessing inter-chip signals.

Microsoft has long acknowledged that such attacks are possible, although it describes them as “a targeted attack with plenty of time”.

In the example above, which takes less than a minute, we would dispute the “lots of time” claim, and while the Raspberry Pi Pico is undoubtedly impressive at a price of less than $10, the hardware outlay is neither expensive nor specific.

If your hardware is vulnerable, mitigation can be achieved with a PIN.

Facebook ads spread new malware that steals passwords

The new password-stealing Ov3r_Stealer malware is spreading via fake job ads on Facebook and aims to steal account credentials and cryptocurrency.

The fake job ads are for managerial positions and lead users to a Discord URL where a PowerShell script downloads a malicious payload from a GitHub repository.

The Trustwave analysts who discovered the malware campaign note that while none of its tactics are new, given Facebook’s popularity as a social media platform, it remains a serious threat to many potential victims.

Fake LastPass password manager discovered in Apple’s App Store

LastPass warns that a fake copy of its app is circulating in the Apple App Store, possibly as a scam app to steal users’ login credentials.

The fake app uses a similar name to the real app, a similar icon, and a red-tinted interface that is meant to look similar to the brand’s authentic design.

However, the name of the fake app is “LassPass” instead of “LastPass” and its publisher is “Parvati Patel”.

In addition, it has only one rating (the real app has over 52,000) and only four reviews that point out that it is a fake.

The actual LastPass company alerted to the existence of the clone app via a warning on its website to raise customer awareness of the risk of data loss.

Apple has confirmed to BleepingComputer that the LastPass cheat app has been removed from the App Store because it violates their guidelines regarding copycat apps. The app developer has also been removed from the Apple Developer Program.

Fortinet warns of a critical FortiOS SSL VPN vulnerability that is likely being actively exploited

Fortinet has discovered a new critical security flaw in FortiOS SSL VPN that it says is likely being actively exploited.

The CVE-2024-21762 vulnerability (CVSS score: 9.6) allows the execution of arbitrary code and commands.

“A vulnerability outside the bounds of the [CWE-787] entry in FortiOS could allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests,” the company said Thursday.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 9. February 2024 in its catalogue of known exploitable vulnerabilities (KEV), vulnerability CVE-2024-21762, citing evidence of active exploitation.

The Federal Civilian Executive Branch (FCEB) has been directed to apply the corrections by the 16. February 2024 to secure their networks against potential threats.

New hidden backdoor “RustDoor” targets Apple macOS devices

Apple macOS users have been the target of a new Rust-based backdoor that has been running since November 2023.

It was discovered that the backdoor, codenamed RustDoor, masquerades as an update for Microsoft Visual Studio and targets both Intel and Arm architectures.

To date, multiple variants of the malware have been detected with minor modifications, likely indicating active development. The oldest sample of RustDoor dates from 2. November 2023 and contains a wide range of commands that allow it to collect and send files and obtain information about the compromised endpoint.

Some versions also include a configuration with details about what data to collect, a list of target extensions and directories, and directories to exclude.

The obtained information is then exfiltrated to the C2 server (command-and-control).

Interested in cyber security? Check out the next episodes of our weekly magazine Safety Sunday.