T-Mobile Wards Off APT Intrusion; International Advisory Body for Submarine Cable Resilience; Costa Rican Fuel Provider Recovering from Ransomware

T-Mobile has foiled an attack by threat actors suspected to be "linked to Chinese state-sponsored operations," according to Chief Security Officer (CSO) Jeff Simon in a November 27 update. The attack "originated from a wireline provider’s network" connected to T-Mobile, but the company's defenses successfully detected the infiltration attempts, protected sensitive customer records including metadata with "information about the caller, sender and recipient," and disconnected from the compromised network. The CSO attributes this success to a "cybersecurity major transformation" undertaken by T-Mobile in the wake of previous attacks: a 2022 internal systems intrusion by Lapsus$ and a 2022-2023 data breach affecting 37 million customers are the latest of eight major breaches the provider has disclosed since 2018. The recent overhaul focused on layered defenses, proactive monitoring, rapid response and mitigation, and "constant vigilance." Simon enumerates specific security measures including: MFA and FIDO2 authentication; network segmentation; improvements to logging, patching, and security tools; and regular testing, attack simulations, and rewards for vulnerability discovery. Though T-Mobile notes that this attack differs from other recent intrusions, the statement follows confirmations by government agencies that a Chinese Advanced Persistent Threat (APT) group has compromised the wiretap systems required under US law since 1994’s Communications Assistance for Law Enforcement Act (CALEA).

The International Telecommunication Union (ITU) and the International Cable Protection Committee (ICPC) have established the International Advisory Body for Submarine Cable Resilience. The board’s 40 members “will address ways to improve cable resilience by promoting best practices for governments and industry players to ensure the timely deployment and repair of submarine cables, reduce the risks of damage, and enhance the continuity of communications over the cables.“ ICPC estimates that there are between 150 and 200 undersea cable faults every year, resulting in an average of three undersea cable repairs every week.

Costa Rican energy provider Refinadora Costarricense de Petróleo (RECOPE) reverted to manual operations last week following a ransomware attack. RECOPE “imports, refines and distributes fossil fuels across the country while also operating pipelines stretching from its Caribbean to Pacific coasts.” Cybersecurity experts from the US have been brought in to help with the situation. The attack against RECOPE systems comes just weeks after a similar attack against the country’s General Directorate of Migration.

Zabbix disclosed a critical SQL injection vulnerability (CVE-2024-42327) in the CUser.get function in their open-source network monitoring tool. The vulnerability could be exploited by anyone with “a non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access.” The vulnerability affects Zabbix versions 6.0.0 - 6.0.31, 6.4.0 - 6.4.16, and 7.0.0. Users are urged to upgrade to versions 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1.

Malware-hunting company ANY.RUN has detected a phishing campaign that used corrupted Microsoft Office documents and archive files to avoid detection. ANY.RUN writes that in this campaign, ”threat actors attempt to conceal the file type by deliberately corrupting it, making it difficult for certain security tools to detect.” However, the files can still be opened and executed.

The Polish government is aggressively pursuing an inquiry into the previous administration’s use of Pegasus spyware against several hundred people between 2017 and 2022. Poland’s former internal security services chief was recently arrested and forced to testify before parliament about the previous administration's use of Pegasus. Earlier this year, Polish prosecutors building their case asked more than 30 Pegasus victims to share their stories.

In a joint operation aimed at disrupting multiple cybercrime schemes in Africa, INTERPOL and AFRIPOL have arrested more than 1,000 individuals and dismantled a large swath of infrastructure that was supporting cybercrime. The operation, which was active in September and October of this year, targeted individuals and campaigns involving ransomware, business email compromise, digital extortion, and online scams.

Two UK National Health Service (NHS) Foundation Trust hospitals have released statements disclosing recent cyberattacks. Alder Hey Children's Hospital is responding to online claims that patient and donor data were stolen from "systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust." Alder Hey is currently investigating the published data and working with law enforcement to "secure [their] systems," stating that "services are operating as normal, and patients should attend appointments as usual." Alder Hey believes their breach is unrelated to the simultaneous incident at Wirral University Teaching Hospital Trust, which took certain systems offline after a "targeted cybersecurity issue." The result is three associated Trust hospitals operating on "pen and paper," with disruptions to scheduled services and appointments, and postponement of certain procedures. The Trust is "working closely with the national cyber security services ... to return to normal services at the earliest opportunity."

A bootkit is malicious software that inhabits a computer at the innermost level, outside the operating system where the firmware initializes the boot process. The Unified Extensible Firmware Interface (UEFI) governs many modern boot processes, and until recently only Windows UEFI was targeted by bootkits, according to a blog post from ESET: "In November 2024, a previously unknown UEFI application, named bootkit.efi, was uploaded to VirusTotal," which is the first known UEFI bootkit designed to target Linux. Named "Bootkitty," the malware is limited to certain versions of Ubuntu, which alongside other indicators led ESET to propose that the malware is a proof-of-concept project; an update to the report adds additional evidence that it may have been created by a Korean cybersecurity training program and inadvertently leaked. While ESET notes that Bootkitty "is not capable of running on systems with UEFI Secure Boot enabled unless the attackers['] certificates have been installed," a November 29 report from Binarly shows that the malware exploits a vulnerability (CVE-2023-40238), involving a year-old flaw called LogoFAIL, "us[ing] embedded shellcode within a BMP image to bypass Secure Boot protections by injecting rogue certificates into the MokList variable." Binarly believes the malware also refines its targets to certain machines made by Acer, HP, Fujitsu, and Lenovo, and suggests users ensure their systems are patched against LogoFAIL. ESET's suggested preventions are enabling UEFI Secure Boot, and updating the OS, firmware, and UEFI revocations list.

Researchers at Nozomi Networks have identified 20 vulnerabilities version 1.6.2 of the EKI-6333AC-2G industrial-grade wireless access point device. Advantech has released firmware updates to address the vulnerabilities. Six of the vulnerabilities are rated critical, and all but one of the remaining 14 are rated high severity.