Cyber Dispatch #7: Streamlined Cybersecurity Insights
Weekly overview of the most important cybersecurity events of the past week (Monday, 18.7.2024 to Friday, 26.7.2024)
In this issue:
Crowdstrike - a failed update crashes Windows, invites hackers;
Play / VMware ESXi - ESXi vulnerability exploited by a vicious ransomware;
Telegram / Android - a raging malware campaign endangers Telegram users;
Land Registry of Greece - hackers launch 400 cyberattacks and exfiltrate 1.2 GB of data;
KnowBe4, North Korea - security company accidentally hires a N. Korean spy;
Hamster Kombat - popular play-to-earn game targeted by a spyware campaign;
Verizon / TracFone Wireless - $16m settlement over three data breaches;
Lockbit - two Russian nationals plead guilty for taking part in Lockbit operations;
Vulnerability of the Week - Crowdstrike failed update
Although not a vulnerability in the classical sense, the CrowdStrike incident on July 19, 2024, caused major disruptions due to a faulty update affecting Windows workstations. Cybercriminals exploited the chaos, distributing Remcos RAT via a fake "crowdstrike-hotfix.zip" file targeting Latin American users.
As for the initial incident, CrowdStrike has deployed a fix for its Falcon Sensor product. Impacted users should delete the file "C-00000291*.sys" from the CrowdStrike directory in Safe Mode and restart. The outage also impacted Google Cloud Compute Engine, crashing Windows VMs using csagent.sys. Airlines, banks, retail chains, hospitals, and telecom firms were affected, leading to a 15% drop in CrowdStrike shares in U.S. premarket trading.
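One way to script the manual remediation step above, as an added example that is not CrowdStrike's own tooling or part of the original newsletter; the driver directory path and the Safe Mode check via Win32_ComputerSystem are assumptions, and the script honours -WhatIf so it can be dry-run first:

```powershell
# Added example (not from the newsletter or CrowdStrike): locate and remove the
# faulty channel file named in the remediation step. The directory path and the
# Safe Mode check are assumptions; CrowdStrike's own guidance remains authoritative.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed default location of the Falcon sensor channel files on Windows.
    [string]$CrowdStrikeDir = 'C:\Windows\System32\drivers\CrowdStrike',
    # File pattern quoted in the remediation guidance.
    [string]$Pattern = 'C-00000291*.sys'
)

# The guidance says the deletion should be done in Safe Mode; warn if we are not.
# Assumption: BootupState reads 'Fail-safe boot' / 'Fail-safe with network boot' in Safe Mode.
$bootState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
if ($bootState -notlike 'Fail-safe*') {
    Write-Warning "Not in Safe Mode (BootupState = '$bootState'). Boot into Safe Mode before removing the file."
}

if (-not (Test-Path -LiteralPath $CrowdStrikeDir)) {
    Write-Error "CrowdStrike directory not found: $CrowdStrikeDir"
    return
}

$found = Get-ChildItem -LiteralPath $CrowdStrikeDir -Filter $Pattern -File
if (-not $found) {
    Write-Host "No file matching $Pattern in $CrowdStrikeDir; nothing to do."
    return
}

foreach ($file in $found) {
    # Record name, size and UTC write time before removal, for the incident log.
    Write-Host ("Found {0} ({1} bytes, written {2:u})" -f $file.Name, $file.Length, $file.LastWriteTimeUtc)
    # -WhatIf / -Confirm are honoured through SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove faulty channel file')) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}

Write-Host 'Done. Restart the host so the sensor reloads without the faulty file.'
```

Run it once with -WhatIf to confirm only the expected file is matched before performing the deletion and the restart.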
[Ransomware]
Play / VMware ESXi
Play ransomware now targets VMware ESXi virtual machines with a new Linux locker. Trend Micro reports this variant checks for ESXi environments before executing and evades detection on Linux systems. This move indicates a broader attack strategy, exploiting the shift of enterprises to ESXi for critical data storage and hosting.
[Vulnerability]
Telegram
A Telegram for Android zero-day vulnerability dubbed 'EvilVideo' allowed attackers to send malicious APKs disguised as video files. Discovered by ESET researchers and disclosed in June 2024, it was patched in version 10.14.5 on July 11, 2024. Threat actors exploited the flaw for at least five weeks.
[Data Breach]
Land Registry of Greece
Greece's Land Registry experienced a limited data breach following 400 cyberattacks over a week. Hackers stole 1.2 GB of non-sensitive administrative data but failed to access or exfiltrate key databases. Emergency measures include password resets and mandatory two-factor authentication. Operations remain unaffected, and it is not known whether the attacks are continuing.
[Malware]
KnowBe4, North Korea
KnowBe4 accidentally hired a North Korean threat actor as a software engineer. Despite thorough pre-hiring checks, the individual used a stolen identity and an AI-enhanced photo. Upon receiving his workstation, he attempted to load malware. The company detected and contained the threat without any data breach or loss.
[Cryptocurrency]
Hamster Kombat
Cybercriminals are exploiting the popularity of the Hamster Kombat game, which has over 250 million players, by distributing fake Android and Windows apps that install spyware and information-stealing malware. Launched in March 2024, the game involves earning fictional currency and has seen significant growth due to a new crypto token.
[Legal]
Verizon / TracFone Wireless
Verizon Communications will pay $16 million to settle FCC charges over three data breaches at its subsidiary, TracFone Wireless. The breaches, from 2021 to 2023, involved unauthorized access to customer data due to security vulnerabilities. The settlement mandates improved data security measures by TracFone.
[Legal]
Lockbit
Two Russian nationals, Ruslan Magomedovich Astamirov and Mikhail Vasiliev, have pleaded guilty in the U.S. for their roles in the LockBit ransomware scheme. Astamirov, arrested in May 2023, and Vasiliev, extradited from Canada, face significant prison sentences. LockBit has attacked over 2,500 entities globally, demanding substantial ransoms.