Skip links

China-linked Budworm burrows hole in US legislature systems

In brief Advanced persistent threat group (APT) Budworm has shifted targets after hitting the Middle East, Europe and Asia, and was caught this week trying to break into the systems of an unnamed US state legislature.

Symantec’s Threat Hunter team reported the intrusion, saying it has all the hallmarks of an attack from Chinese-linked Budworm gang, which is thought to be state-sponsored. 

Budworm’s main tool is known as HyperBro, but it has been spotted abusing a number of legitimate security tools recently, Symantec said, including using CyberArk Viewfinity endpoint privilege management software, penetration testing tool Cobalt Strike, credential harvesting tool LaZagne, proxy and port forward tool IOX, Fast Reverse Proxy, and Fscan. 

“Budworm is known for mounting ambitious attacks against high-value targets,” Symantec said, pointing to attacks against an unnamed Middle Eastern government and East Asian hospital as evidence.

While it didn’t include details of those incidents, Symantec did link to a report from the Cybersecurity and Infrastructure Security Agency (CISA) about an APT campaign against an unnamed US defense contractor earlier this year. CISA notes HyperBro was used in the attack, which means it’s likely the group was involved – but it wasn’t acting alone. 

“During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment,” the agency said. 

That’s not great news, as Symantec sees it: With two high-value US targets attacked in a few months, “a resumption of attacks against US-based targets could signal a change in focus for the group.”

Senator Warren sounds the Zelle’arm, shames banks over EFT fraud

US Senator Elizabeth Warren (D-MA) says big banks are ignoring growing fraud on the Zelle’s online payments platform they run and are failing to reimburse users who fall prey to scams.

If you haven’t heard of Zelle, you’re not alone – the embattled Venmo competitor is owned by Bank of America, Truist, Capital One, JPMorgan Chase, PNC Bank, US Bank, and Wells Fargo. Now the senator is claiming the system is selling consumers short.

According to Warren’s data, which she said was provided by four of the seven banks in the consortium on request in September, fraud claims on the platform were in excess of $90 million (£80.5 million) in 2020, and were on track to exceed $255 million (£228 million) by the end of 2022.

To make matters worse, Warren said that banks reported only repaying 9.6 percent of scam claims, amounting to just $2.9 million. 

Zelle, on the other hand, said that 99.9 percent of the transactions on its network are sent without fraud or scam reports and that “any external analysis done is incomplete and does not reflect the efforts and data reported by more than 1,700 financial institutions on the Zelle Network.” 

Airtag aids Democrat dumpster discovery

A Pennsylvania political lawn sign bandit has been foiled thanks to some savvy use of an Apple Airtag.

While the suspect remains at large, Democratic Pennsylvania state representative Melissa Shusterman tweeted that an Apple tracker was precisely what was needed to make the thief’s efforts a vain exercise. 

“Local Republicans thought they could throw away [Josh Shapiro], [Chrissy Houlahan], and my signs without getting caught. Luckily a community member put an airtag in one [of] the signs and it led us to this dumpster,” Shusterman tweeted along with a photo of a trash bin filled with campaign signs.

Law enforcement officers in Tredyffrin Township, PA, said they were reviewing video footage of a truck pulling up to the dumpster and someone unloading the signs. The officers also claimed that there was no targeted party affiliation among those found in the trash, but one former Democratic committee member who reported pulling 118 signs out of the dumpster said all were for Democratic candidates, with US Senate candidate John Fetterman’s signs also found in the trash. 

Undeterred, Shusterman said the items had been recovered and campaign workers were out in force. “Double the amount of signs taken will go back up,” she tweeted

Fortinet triple-whammy CVE gets PoC, deep dive explanation

A critical flaw in Fortinet’s FortiOS, FortiProxy and FortiSwitchManager has been patched, but for those of a curious nature security firm has released a proof of concept for the exploit, as well as explaining how it works. 

As The Register reported earlier this week, the bug could allow “an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” but now we have a better understanding of just what happened.

By running a diff command on vulnerable and patched versions of FortiOS, wrote in its deep dive, it found some strings in the installer’s init binary that pointed to headers in the installer’s NodeJs file. 

“This init binary is rather large and appears to have a lot of functionality including Apache hooks and handlers for various management REST API endpoints,” noted. 

Long story short: Those forwarded headers could be abused by an attacker to set the client IP to, which fools the trusted access authentication agent and gives the attacker the ability to perform API requests, no authentication needed.

“An attacker can use this vulnerability to do just about anything they want to the vulnerable system,” noted, including adding new users, changing network configurations and other malicious activities. 

Bad news: The researchers said this isn’t new, and that they’ve noticed “a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted.” 

Install those patches, folks. ®