Breach Roundup: Israel Hit by Evolving BiBi Malware Surge
Also, Clorox CISO Steps Down Amid Cyberattack Fallout
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, BiBi malware hit Israeli computers, the Clorox CISO stepped down, the FCC proposed a school cybersecurity program, U.K. ICO issued a Black Friday warning, a pro-Palestine APT group unleashed a cyberespionage campaign, the FBI dismantled the IPStorm botnet and VMware disclosed a flaw.
Israel Hit by Surge of Evolving BiBi Malware
Israel faces a surge in data-wiping attacks after hackers adapted the BiBi malware family to hit both Linux and Windows systems. The attacks prompted the government's Cyber Emergency Response Team to publish indicators of compromise for detection. The malware, linked by researchers at Palo Alto Networks to an Iranian-backed APT group tracked as Agonizing Serpens, destroys data outright: it neither encrypts files nor leaves a ransom demand. Pro-Hamas hacktivists deploy the BiBi wiper, and the Linux variant, "BiBi-Linux," was discovered by Security Joes and ESET researchers. The malware overwrites file contents, renames the files randomly and, on Windows, deletes volume shadow copies so that the overwritten data cannot be recovered.
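Shadow-copy deletion is the one step in the wiper's behavior above that leaves a clean process-creation trail on Windows. The following script, an added example that is not code from the article or from any of the researchers it cites, flags the command lines that delete or disable shadow copies when run over a few constructed Sysmon-style event lines. The pattern list and the event field layout (timestamp|host|user|image|command line) are assumptions made for the example.

```python
"""Flag shadow-copy deletion in process-creation logs.

Added example, not code from the ISMG article or from the researchers it
cites. The BiBi wiper described above deletes volume shadow copies so that
the files it overwrites cannot be restored; this picks out the command lines
that do that from constructed Sysmon-style event lines.
"""
import re

# Commands that delete or disable Windows volume shadow copies. Assumption:
# a reasonable baseline list, not a complete signature set.
SHADOW_COPY_PATTERNS = [
    # vssadmin delete shadows /all /quiet
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    # vssadmin resize shadowstorage ... /maxsize=401MB (purges copies by shrinking storage)
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    # wmic shadowcopy delete
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    # PowerShell: Get-WmiObject Win32_ShadowCopy | Remove-WmiObject, or $_.Delete()
    re.compile(r"win32_shadowcopy.*(?:remove-wmiobject|remove-ciminstance|\.delete\(\))", re.I),
    # wbadmin delete catalog (removes the backup catalog; commonly paired with the above)
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    # bcdedit /set {default} recoveryenabled No
    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I),
]

# Constructed sample events (not real telemetry). Field layout is an
# assumption: timestamp|host|user|image|command line.
SAMPLE_LOG = [
    "2023-11-10T09:01:02Z|ws-17|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir C:\\Users",
    "2023-11-10T09:01:05Z|ws-17|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2023-11-10T09:01:06Z|ws-17|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2023-11-10T09:01:07Z|ws-17|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2023-11-10T09:02:00Z|ws-17|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -nop -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\"",
    "2023-11-10T09:02:03Z|ws-17|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "this line is malformed and should be skipped",
]


def parse_line(line):
    """Split one event line into fields; return None for malformed lines.
    maxsplit=4 keeps any '|' that appears inside the command line intact."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def is_shadow_copy_deletion(cmdline):
    """True if the command line matches any shadow-copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_COPY_PATTERNS)


def find_shadow_copy_deletions(lines):
    """Return the parsed events whose command line deletes or disables shadow copies."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is not None and is_shadow_copy_deletion(event["cmdline"]):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['user']}: {hit['cmdline']}")
```

On the constructed input the four destructive lines are flagged and the benign "vssadmin list shadows" is not. Legitimate backup agents also resize shadow storage, so the second pattern will need tuning against a real baseline.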
Clorox CISO Steps Down Amid Cyberattack Fallout
The cyberattack led to a significant drop in Clorox's revenue.
FCC Proposes Cybersecurity Program for Schools
The U.S. Federal Communications Commission proposed a Schools and Libraries Cybersecurity Pilot Program aimed at learning which cybersecurity and advanced firewall services have the greatest impact in protecting the networks of K-12 schools and public libraries.
American schools are typically understaffed and underfunded when it comes to cybersecurity, and they have experienced a ramp-up in ransomware attacks with consequences that include temporary closures (see: White House Pushes Cybersecurity Defense for K-12 Schools).
"We want to learn from this effort, identify how to get the balance right and provide our federal, state and local government partners with actionable data about the most effective and coordinated way to address this growing problem," said FCC Chairwoman Jessica Rosenworcel. She said a $200 million pilot program over three years would also defray the costs of deploying cybersecurity tools.
UK ICO Issues Black Friday Warning on Smart Devices
The U.K. Information Commissioner's Office cautioned shoppers ahead of Black Friday to scrutinize the privacy and security features of the smart devices they buy. Tips include checking privacy policies and app store permissions. Consumer rights group Which? echoed the warning, advising buyers to research products, avoid devices with known security flaws and control what data a device can access. The ICO aims to provide clearer guidance in the coming year.
Pro-Palestine APT Group Unleashes Cyberespionage Campaign
A group associated with Palestinian intelligence objectives and tracked as TA402 by Proofpoint conducted a targeted cyberespionage campaign against Middle Eastern governments from July to October using a novel downloader called IronWind. Proofpoint said the group employed a complex infection chain and shifted from Dropbox links to actor-controlled infrastructure for command-and-control communication. Phishing emails sent from a compromised Palestinian Ministry of Foreign Affairs account targeted government agencies with economic-themed social engineering purportedly about the Gulf Cooperation Council.
The group varied its tactics, using a Dropbox link in July, an attached XLL file in August and a RAR file in October. Despite the conflict in the Gaza Strip, TA402 has maintained operational continuity.
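Because the lures came from a compromised, legitimate ministry account, sender reputation offers no defense here; what a mail gateway can still judge is the attachment itself. The following script is an added example, not code from the article or from Proofpoint: it applies a blocking policy to the two attachment types named above (XLL add-ins and RAR archives) by extension and, since an extension can be renamed, also by file signature. The policy and the sample message are assumptions constructed for the example.

```python
"""Attachment-policy check for the lure types described above.

Added example, not code from the ISMG article or from Proofpoint. Blocks XLL
add-ins and RAR archives by extension and by file signature, run over a
constructed sample message. Policy and message are assumptions.
"""
import email
import os
from email import policy
from email.message import EmailMessage

RISKY_EXTENSIONS = {".xll", ".rar"}   # assumption: baseline drawn from the lures above
PE_MAGIC = b"MZ"                       # DOS/PE header; an XLL is a native Windows DLL
RAR_MAGIC = b"Rar!"                    # shared prefix of the RAR4 and RAR5 signatures


def build_sample_message():
    """Construct a sample message (not a real TA402 lure) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "press@ministry.example"
    msg["To"] = "desk@agency.example"
    msg["Subject"] = "GCC economic cooperation brief"
    msg.set_content("Please review the attached brief ahead of the meeting.")
    msg.add_attachment(PE_MAGIC + b"\x90" * 64, maintype="application",
                       subtype="octet-stream", filename="GCC_brief.xll")
    msg.add_attachment(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32, maintype="application",
                       subtype="x-rar-compressed", filename="GCC_brief.rar")
    msg.add_attachment(b"%PDF-1.7\n%...\n", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    # A native binary renamed to look like a document: the extension is clean,
    # the header is not.
    msg.add_attachment(PE_MAGIC + b"\x00" * 64, maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


def assess_attachments(raw):
    """Return one finding per attachment with the reasons it would be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"extension {ext} is blocked by policy")
        if data.startswith(PE_MAGIC):
            reasons.append("body starts with a PE (MZ) header")
        if data.startswith(RAR_MAGIC):
            reasons.append("body carries a RAR signature")
        findings.append({"filename": name, "content_type": part.get_content_type(),
                         "reasons": reasons, "block": bool(reasons)})
    return findings


if __name__ == "__main__":
    for f in assess_attachments(build_sample_message()):
        verdict = "BLOCK" if f["block"] else "allow"
        print(f"{verdict:5} {f['filename']} ({f['content_type']}): {'; '.join(f['reasons']) or 'no findings'}")
```

The renamed binary ("report.pdf") is the case worth noting: it passes the extension check and the declared content type and is caught only by the header check.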
FBI Dismantles IPStorm Botnet
The U.S. Department of Justice revealed that the FBI has dismantled the IPStorm botnet proxy service. IPStorm let cybercriminals anonymously route malicious traffic through compromised Windows, Linux, Mac and Android devices worldwide.
Justice also said Russian and Moldovan national Sergei Makinin pleaded guilty to computer fraud charges and faces a potential 10-year prison term for controlling the botnet and selling access to infected computers from June 2019 to December 2022. Makinin promoted bot proxies on proxx.io and proxx.net, advertising that he possessed more than 23,000 "highly anonymous" proxies from all over the world.
Makinin confessed to earning $550,000 from selling proxy services and agreed to forfeit cryptocurrency proceeds.
VMware Cloud Director Flaw Exposes Authentication Bypass
VMware disclosed a severe authentication bypass vulnerability in Cloud Director appliances that affects version 10.5 appliances upgraded from older releases. Unauthenticated attackers can exploit the flaw remotely, without user interaction, on port 22 (SSH) and port 5480 (the appliance management console). The bug does not affect fresh 10.5 installs, Linux deployments or other VMware appliances. VMware has not yet released a patch; it has published a temporary workaround that involves downloading a script.
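Before applying the workaround, an operator needs to know which appliances fall inside the scope above and whether the two affected ports are reachable from untrusted networks. The script below is an added example, not code from the article or from VMware: it triages an inventory against the described scope (a 10.5 appliance upgraded from an older release; fresh installs, Linux deployments and other products are out of scope) and, for the affected hosts, probes ports 22 and 5480 with a plain TCP connect. The inventory format and field names are assumptions.

```python
"""Triage a Cloud Director inventory against the advisory scope above.

Added example, not code from the ISMG article or from VMware. Flags appliance
records matching the described scope and probes the two named ports on those
hosts. Inventory format and field names are assumptions.
"""
import socket

# The two services the bypass is reachable on, per the advisory summary above.
AFFECTED_PORTS = {22: "ssh", 5480: "appliance management console"}


def is_affected(record):
    """True if the record matches the described scope. Assumption: the
    version field holds the major.minor release, e.g. "10.5"."""
    if record.get("product") != "vcd-appliance":   # Linux installs, other products: out
        return False
    if record.get("version") != "10.5":
        return False
    return bool(record.get("upgraded_from"))        # empty => fresh install, out of scope


def probe_port(host, port, timeout=2.0):
    """TCP connect probe. True only if the port accepts a connection; a
    refused, unresolvable or timed-out connection comes back False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(inventory, probe=probe_port):
    """Return one entry per host; reachability is probed only for affected hosts.
    `probe` is injectable so the logic can be exercised without network access."""
    report = []
    for rec in inventory:
        entry = {"host": rec["host"], "affected": is_affected(rec), "reachable": {}}
        if entry["affected"]:
            for port in AFFECTED_PORTS:
                entry["reachable"][port] = probe(rec["host"], port)
        report.append(entry)
    return report


# Constructed inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "vcd-a.example", "product": "vcd-appliance", "version": "10.5", "upgraded_from": "10.4.2"},
    {"host": "vcd-b.example", "product": "vcd-appliance", "version": "10.5", "upgraded_from": ""},
    {"host": "vcd-c.example", "product": "vcd-linux", "version": "10.5", "upgraded_from": "10.4.1"},
    {"host": "vcd-d.example", "product": "vcd-appliance", "version": "10.4.2", "upgraded_from": "10.3"},
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        if not entry["affected"]:
            print(f"{entry['host']}: out of scope")
            continue
        exposed = [f"{p} ({AFFECTED_PORTS[p]})" for p, up in entry["reachable"].items() if up]
        print(f"{entry['host']}: AFFECTED, reachable ports: {', '.join(exposed) or 'none from here'}")
```

Run it from a network segment that should not be able to reach the appliances; any affected host whose 22 or 5480 answers from there is the one to put the workaround on first. The probe only shows that the port accepts connections, not that the bypass succeeds, so the version and upgrade-path check is what decides scope.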