Chinese spies spent months inside aerospace engineering firm’s network via legacy IT

Chinese state-sponsored spies infiltrated a global engineering firm’s network for four months using the default credentials of an admin portal on a legacy IBM AIX server. The company, which is not named for privacy reasons, manufactures components for public and private aerospace organizations as well as critical sectors such as oil and gas.

The intrusion, believed to be aimed at espionage and blueprint theft, was discovered in August by threat detection tools the company had deployed. The intruders were removed immediately after discovery, but within 24 hours they attempted to get back in.

These intrusions highlight the exposure of older technologies that are neither retired nor abandoned, yet are not easily replaced and persist in an IT landscape dominated by Linux and Windows systems.

The infiltrators compromised three unprotected AIX servers belonging to the company and uploaded a web shell that gave them full remote access to the company’s internal network. They also established persistent access, leaving them well placed for intellectual property theft and supply chain tampering.

According to Binary Defense, the AIX servers were unprotected and exposed to the open internet; one of them was running an Apache Axis admin portal with default administrator credentials. This gave the intruders full access to the system and illustrates a recurring problem: newer security tools are often not backward-compatible with older machines that several business systems still depend on. After the initial breach, the intruders installed an AxisInvoker web shell that let them harvest Kerberos data, control the box remotely, and add SSH keys so they could log in from outside over SSH.
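The persistence step described above, adding SSH keys to a host that nobody audits, is something a defender can check for mechanically even on a platform where modern EDR agents do not run: pull `authorized_keys` off the box and diff it against an inventory of keys that went through change control. The following is an added example, not code from Binary Defense or from the affected company; the sample `authorized_keys` content, the key material, the approved-inventory dictionary and the "every key must carry a `from=` restriction" policy are all constructed here for illustration.

```python
import base64
import hashlib
import re

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")
# Locate the key-type token; everything before it is the (optional) options field,
# which may itself contain quoted spaces, e.g. command="/bin/false",no-pty
_KEY_RE = re.compile(r"(?:^|\s)(%s)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$" % "|".join(KEY_TYPES))


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the OpenSSH public-key blob format."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_blob(raw_key: bytes) -> str:
    """Build the base64 public-key blob for a 32-byte ed25519 key.
    Used only to construct sample data here; raw_key is not a real key."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)).decode()


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (lineno, options, key_type, blob, comment) for each key line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if m is None:
            yield (lineno, None, None, None, "UNPARSEABLE: " + line)
            continue
        options = line[: m.start()].strip()
        yield (lineno, options, m.group(1), m.group(2), (m.group(3) or "").strip())


def audit_authorized_keys(text: str, approved: dict) -> list:
    """Compare every key against an approved inventory (fingerprint -> owner).
    Returns a list of finding dicts. The from= policy is an assumption of this
    example: on an internet-facing legacy host, each key should be pinned to a
    known source address so a stolen or planted key is not usable from anywhere."""
    findings = []
    for lineno, options, key_type, blob, comment in parse_authorized_keys(text):
        if blob is None:
            findings.append({"line": lineno, "issue": "unparseable", "detail": comment})
            continue
        fp = fingerprint(blob)
        if fp not in approved:
            findings.append({"line": lineno, "issue": "unapproved_key",
                             "fingerprint": fp, "comment": comment})
        if "from=" not in options:
            findings.append({"line": lineno, "issue": "no_source_restriction",
                             "fingerprint": fp, "comment": comment})
    return findings


# Constructed sample data: one key that went through change control and one that
# did not, with a comment chosen to look like a routine service account.
OPS_KEY = make_ed25519_blob(bytes(range(32)))
UNKNOWN_KEY = make_ed25519_blob(b"\xaa" * 32)

SAMPLE_AUTHORIZED_KEYS = f"""\
# ops bastion key, provisioned via change ticket (constructed sample)
from="10.0.5.10",no-agent-forwarding ssh-ed25519 {OPS_KEY} ops@bastion
# entry that never went through change control (constructed sample)
ssh-ed25519 {UNKNOWN_KEY} backup-svc
"""

APPROVED = {fingerprint(OPS_KEY): "ops@bastion"}  # hypothetical inventory

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(finding)
```

Run against a real host, the inventory would come from the provisioning system rather than a literal, and the script would be scheduled so that a key appearing between two runs is an alert in its own right; the fingerprint comparison means the audit is not fooled by a plausible-looking comment such as `backup-svc`.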

This event highlights how critical it is for companies to maintain up-to-date security measures across all parts of their IT infrastructure, but particularly their supply chain systems, to prevent similar attacks.

1.3 Million Android-Based TV Boxes Backdoored

A malware infection has affected nearly 1.3 million streaming devices running an open-source version of Android, according to security firm Doctor Web. The malware, named Android.Vo1d, has infiltrated the Android-based boxes by implanting malicious components in their system storage area, potentially allowing additional malware to be installed via command-and-control servers.

Despite their extensive knowledge of Android.Vo1d, Doctor Web researchers have yet to identify the cause of the infections. They postulate two potential vectors: an intermediate piece of malware that exploits operating system vulnerabilities to gain root privileges, or the use of unofficial firmware versions with built-in root access. The infected device models are largely running outdated software versions that are susceptible to exploits that execute malicious code.

Some researchers suggest that the infections occurred because the devices were running outdated software versions vulnerable to attack, or were already compromised by the time they were purchased. This is more likely with open-source versions of Android, which any device maker can alter, unlike Google’s Android TV, which only licensed manufacturers can modify.

Doctor Web stated that Vo1d includes dozens of variants that all connect to the attackers’ server and install a final component that can install more malware on command. There are signs that the Vo1d trojan was designed to mimic system programs and embed itself in the device’s system files so that it launches automatically. Doctor Web advises installing a malware scanner to check for infection.


23andMe to pay $30 million in genetics data breach settlement

DNA testing company 23andMe has agreed to a $30 million settlement over a data breach lawsuit that affected 6.4 million customers in 2023. The lawsuit, settled in a San Francisco federal court, remains subject to judicial approval.

The agreement also calls for the implementation of stronger security protocols, such as protection against credential-stuffing attacks, obligatory two-factor authentication for all users, and yearly cybersecurity audits. 23andMe plans to create a data breach incident response plan and will refrain from retaining personal data for inactive or deactivated accounts. The company will provide an updated Information Security Program to all employees via annual training sessions.

The data breach at issue occurred when the company’s customer profiles were accessed without authorization through compromised accounts. Threat actors used credentials stolen in other breaches to log into 23andMe accounts, leading to a leak of profile data. The company subsequently implemented measures to prevent similar breaches. Despite this, the breach triggered multiple class-action lawsuits, pushing the company to modify its Terms of Use, a move that drew criticism from its customers.
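The credential-stuffing pattern behind this breach has a recognisable shape in authentication logs: one source trying many different usernames in a short window, mostly failing, with the occasional success where a reused password matched. The following is an added example, not code from 23andMe or from the settlement, showing a detector for that shape run over a few constructed log lines; the log format, the IP addresses, the usernames, the five-minute window and the five-distinct-users threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format for the example: timestamp, source IP, username, outcome.
LOG_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_line(line: str):
    """Return (timestamp, ip, user, result) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)


def detect_credential_stuffing(lines, window=timedelta(minutes=5), distinct_users=5):
    """Flag source IPs whose failed logins span many distinct accounts within
    `window`, and report every successful login from a flagged IP, including
    successes that happened before the threshold was crossed (those accounts
    are the ones that need a forced password reset and session revocation).
    Returns (flagged: {ip: first_flag_time}, hits: [(ip, user, time), ...])."""
    failures = defaultdict(deque)   # ip -> recent (ts, user) failures inside the window
    successes = defaultdict(list)   # ip -> all (ts, user) successes seen so far
    flagged = {}
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip malformed lines rather than crash the job
        ts, ip, user, result = parsed
        if result == "OK":
            successes[ip].append((ts, user))
            if ip in flagged:
                hits.append((ip, user, ts))
            continue
        q = failures[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()              # slide the window forward
        if ip not in flagged and len({u for _, u in q}) >= distinct_users:
            flagged[ip] = ts
            # Retroactively surface successes this source already had in the window.
            hits.extend((ip, u, t) for t, u in successes[ip] if ts - t <= window)
    return flagged, hits


# Constructed sample: one user who mistypes a password then succeeds (benign),
# and one source cycling through stolen username/password pairs.
SAMPLE_AUTH_LOG = """\
2024-09-12T10:00:05Z ip=198.51.100.2 user=alice result=FAIL
2024-09-12T10:00:20Z ip=198.51.100.2 user=alice result=OK
2024-09-12T10:00:30Z ip=203.0.113.7 user=gina result=OK
2024-09-12T10:00:40Z ip=203.0.113.7 user=alice result=FAIL
2024-09-12T10:00:41Z ip=203.0.113.7 user=bob result=FAIL
2024-09-12T10:00:42Z ip=203.0.113.7 user=carol result=FAIL
2024-09-12T10:00:43Z ip=203.0.113.7 user=dave result=FAIL
2024-09-12T10:00:44Z ip=203.0.113.7 user=erin result=FAIL
2024-09-12T10:00:50Z ip=203.0.113.7 user=frank result=OK
this line is deliberately malformed
"""

if __name__ == "__main__":
    flagged_ips, compromised = detect_credential_stuffing(SAMPLE_AUTH_LOG.splitlines())
    print("flagged sources:", flagged_ips)
    print("logins to review:", compromised)
```

The per-IP count of distinct usernames is what separates stuffing from an ordinary user who fumbles their own password, which is why the benign source in the sample is never flagged. Detection like this is a complement to the controls named in the settlement, not a substitute: mandatory two-factor authentication is what makes a matched password insufficient in the first place.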


Discord rolls out end-to-end encryption for audio, video calls

Discord has launched a custom end-to-end encryption (E2EE) protocol named DAVE, intended to secure audio and video calls on the platform against unauthorized interception.

This system, audited by cybersecurity firm Trail of Bits, will cover private one-on-one audio and video calls, small group chats, server-based voice channels for larger group discussions, and real-time streaming. The transition to E2EE over these channels will be gradual, and users will be able to confirm when calls are end-to-end encrypted and verify the other members in those calls.

Discord, originally designed to facilitate communication among gamers, has evolved into a major communication platform serving creators, businesses, communities, and groups sharing common interests. It serves an ecosystem of over 200 million users.

DAVE marks a major stride towards improving data security and privacy on this platform. Additionally, Discord has chosen to make the protocol and its supporting libraries open-source. This allows independent security researchers to scrutinize these elements, promoting transparency.


Broadcom fixes critical RCE bug in VMware vCenter Server

Broadcom has addressed a critical vulnerability in VMware vCenter Server that could allow attackers to achieve remote code execution on unpatched servers by sending a specially crafted network packet.

The vulnerability was identified by TZL security researchers during China’s 2024 Matrix Cup hacking contest. The flaw is a heap overflow in the DCE/RPC implementation within vCenter, and it also affects other products that bundle vCenter, such as VMware vSphere and VMware Cloud Foundation. Low-complexity attacks could exploit this vulnerability without user interaction, potentially leading to remote code execution via specially crafted network packets.

Security patches to fix the vulnerability are available through the standard vCenter Server update mechanisms. Broadcom advises all users and organizations to install the necessary updates stipulated in the VMware Security Advisory to ensure full protection.