Cyber Bakery Chronicles

Keeping Up with Cybersecurity News with CyberBakery.net....Your Weekly Update.


Your Weekly Cybersecurity Update (29 November 2024)

  • Russian Cyberspies Exploit Nearby Building for Sophisticated Wi-Fi Attack on Target
  • VulnCheck warns ProjectSend Vulnerability may be Exploited in the Wild
  • U.S. Seizes Notorious PopeyeTools Marketplace, Charges International Operators
  • Australia Passes Landmark Cyber Security Legislation
  • Ransomware Attack on Supply Chain Software Disrupts Major Retailers During Holidays
  • Sextortion Scams Abuse Microsoft 365 Admin Portal to Bypass Email Filters

Russian Cyberspies Exploit Nearby Building for Sophisticated Wi-Fi Attack on Target

In a sophisticated cyber-espionage operation, Russian state-sponsored hackers, identified as APT28 (also known as Fancy Bear), breached a U.S. organisation’s network by exploiting the Wi-Fi connections of neighbouring entities. This method, termed the “Nearest Neighbor Attack,” involved compromising a nearby organisation’s system to gain physical proximity to the target’s Wi-Fi network. The attackers then leveraged this access to infiltrate the primary target’s network, all while operating remotely from Russia.

Credits: Volexity

The attack was uncovered in early 2022 by cybersecurity firm Volexity, which noted that the hackers initially obtained credentials through password spraying attacks. However, due to multi-factor authentication (MFA) protections, direct access was thwarted. Consequently, the attackers compromised a neighbouring organisation’s network, utilising a device with both wired and Wi-Fi capabilities to connect to the target’s Wi-Fi from across the street.

This incident underscores the evolving tactics of cyber-espionage groups and highlights the necessity for robust Wi-Fi security measures, including MFA for Wi-Fi access and the segregation of Wi-Fi and wired networks. Organisations are advised to monitor for unusual activity and to ensure that devices with multiple network interfaces are appropriately secured, so that a compromised neighbour cannot use such a device as a bridge into their network.
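Two of the behaviours described above leave traces a defender can look for: the initial password spraying (many accounts, few attempts each, from one source) and the later use of a sprayed credential from a device that has never been enrolled for that user. The following is an added example, not code from Volexity or from the original article; the log format, field names, device list and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not from any vendor). AUTH lines
# come from an internet-facing login service, WIFI lines from the wireless
# controller. IPs are documentation ranges; MACs are made up.
SAMPLE_LOG = """\
2022-02-03T01:12:05 AUTH result=FAIL user=alice src=203.0.113.7
2022-02-03T01:12:07 AUTH result=FAIL user=bob src=203.0.113.7
2022-02-03T01:12:09 AUTH result=FAIL user=carol src=203.0.113.7
2022-02-03T01:12:11 AUTH result=FAIL user=dave src=203.0.113.7
2022-02-03T01:12:13 AUTH result=FAIL user=erin src=203.0.113.7
2022-02-03T01:12:15 AUTH result=OK user=frank src=203.0.113.7
2022-02-03T08:58:40 AUTH result=FAIL user=alice src=198.51.100.9
2022-02-03T08:59:02 AUTH result=OK user=alice src=198.51.100.9
2022-02-03T09:05:00 WIFI result=OK user=alice mac=aa:bb:cc:dd:ee:01 ap=floor2-east
2022-02-03T22:17:44 WIFI result=OK user=frank mac=00:11:22:33:44:55 ap=floor1-street
"""

# Constructed enrolment data: which client MACs each user is known to own.
KNOWN_DEVICES = {
    "alice": {"aa:bb:cc:dd:ee:01"},
    "frank": {"de:ad:be:ef:00:01"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>AUTH|WIFI) (?P<kv>.*)$")


def parse_log(text):
    """Turn each log line into a dict of its key=value fields plus ts/kind."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        fields["kind"] = m.group("kind")
        events.append(fields)
    return events


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return source IPs whose failed logins touched at least `min_accounts`
    distinct usernames inside `window`: the spray pattern (one or two tries
    per account, across many accounts) rather than brute force on one account."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "AUTH" and e["result"] == "FAIL":
            by_src[e["src"]].append((e["ts"], e["user"]))
    flagged = set()
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged.add(src)
                break
    return flagged


def detect_unknown_wifi_clients(events, known_devices):
    """Return (user, mac, ap) for successful Wi-Fi associations from a client
    MAC that is not on the user's enrolled-device list. A sprayed credential
    used from a device in a neighbouring building shows up here even though
    the password itself was valid."""
    return [
        (e["user"], e["mac"], e["ap"])
        for e in events
        if e["kind"] == "WIFI" and e["result"] == "OK"
        and e["mac"].lower() not in known_devices.get(e["user"], set())
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_password_spray(evs))
    print("unknown Wi-Fi clients:", detect_unknown_wifi_clients(evs, KNOWN_DEVICES))
```

The device-list check is the piece that MFA on the internet-facing service does not give you: once the attacker is physically within radio range, the Wi-Fi is a second login surface with its own (possibly MFA-less) credential check, so alert on new client hardware per account rather than only on failed logins.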

VulnCheck warns ProjectSend Vulnerability may be Exploited in the Wild

A critical vulnerability in ProjectSend, an open-source file-sharing application, is being actively exploited by threat actors. Identified as CVE-2024-11680, this improper authentication flaw allows remote, unauthenticated attackers to modify the application’s configuration by sending crafted HTTP requests to the options.php endpoint. Exploitation can lead to unauthorized account creation, webshell uploads, and the embedding of malicious JavaScript.

Discovered by Synacktiv in January 2023, the vulnerability was patched in May 2023. However, a CVE identifier was assigned only in November 2024, delaying widespread awareness of the issue. Despite the availability of the patch, adoption has been minimal; VulnCheck reports that approximately 99% of public-facing ProjectSend instances remain unpatched, leaving them susceptible to attacks.

The release of public exploits by platforms like Metasploit and Nuclei in September 2024 has facilitated increased exploitation. Indicators of compromise include altered landing page titles with random strings and the unexpected enabling of user registration features. These signs suggest that attackers are not only testing for vulnerabilities but are actively compromising systems, potentially installing webshells to maintain persistent access.

Timely patching and proactive monitoring are essential to safeguard systems against this active threat.

Given the critical nature of CVE-2024-11680 and the ongoing exploitation, it is imperative for organisations using ProjectSend to:

  • Update Immediately: Upgrade to version r1720 or later to mitigate the vulnerability.
  • Conduct Security Audits: Examine systems for unauthorised changes, such as unexpected user accounts or unfamiliar files in the upload/files/ directory.
  • Monitor for Indicators of Compromise: Be vigilant for signs like altered site titles or enabled user registration prompts, which may indicate exploitation attempts.
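The audit and monitoring points above can be turned into a small post-incident check over web server logs and the landing page. This is an added example and not ProjectSend's own code or VulnCheck's tooling; the Apache combined log lines, the host name and the file names are constructed, and the list of script extensions is an assumption about what a dropped webshell would typically use. Only `options.php` and the `upload/files/` directory come from the article.

```python
import re
from collections import Counter

# Constructed Apache "combined" access-log lines for a hypothetical ProjectSend
# host. IPs are documentation ranges, not real indicators of compromise.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [26/Nov/2024:10:20:11 +0000] "GET /index.php HTTP/1.1" 200 8023 "-" "Mozilla/5.0"
203.0.113.50 - - [26/Nov/2024:10:14:03 +0000] "POST /options.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.50 - - [26/Nov/2024:10:14:04 +0000] "POST /options.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.50 - - [26/Nov/2024:10:14:09 +0000] "GET /register.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.50 - - [26/Nov/2024:10:15:30 +0000] "GET /upload/files/a8f3k2.php HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.23 - - [26/Nov/2024:11:02:00 +0000] "POST /options.php HTTP/1.1" 302 0 "https://files.example.test/options.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: extensions a web server would execute if found in an upload dir.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".phar", ".php5", ".php7")


def parse_access_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def options_php_posters(entries):
    """Count POSTs to options.php per source IP. Settings change rarely, so a
    burst of POSTs, especially with no Referer and a scripted User-Agent, is
    the unauthenticated configuration write the advisory describes."""
    counts = Counter()
    for e in entries:
        path = e["path"].split("?", 1)[0]
        if e["method"] == "POST" and path.endswith("/options.php"):
            counts[e["ip"]] += 1
    return dict(counts)


def script_hits_in_uploads(entries, upload_dir="/upload/files/"):
    """Requests for server-side script files under the upload directory, which
    should only ever hold user documents: a sign a webshell is being called."""
    hits = []
    for e in entries:
        path = e["path"].split("?", 1)[0]
        if path.startswith(upload_dir) and path.lower().endswith(SCRIPT_EXTENSIONS):
            hits.append((e["ip"], path))
    return hits


def title_looks_tampered(html_text, expected_title):
    """Compare the landing page <title> against the configured baseline; the
    reported IoC is a title with a random string appended or substituted."""
    m = re.search(r"<title>(.*?)</title>", html_text, re.I | re.S)
    title = m.group(1).strip() if m else ""
    return title != expected_title


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    print("options.php POSTs by source:", options_php_posters(entries))
    print("script requests under upload dir:", script_hits_in_uploads(entries))
    print("title tampered:", title_looks_tampered("<title>ACME Files qz8f1k</title>", "ACME Files"))
```

Run it against the real access log and a fetched copy of the landing page; any hit in `script_hits_in_uploads` means the instance should be treated as compromised regardless of whether the patch has since been applied.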

U.S. Seizes Notorious PopeyeTools Marketplace, Charges International Operators

The U.S. Department of Justice (DOJ) has seized the illicit website PopeyeTools, a marketplace dedicated to selling stolen credit cards and tools for cybercrime and fraud. Criminal charges have been unsealed against three administrators: Abdul Ghaffar, 25, and Abdul Sami, 35, both from Pakistan, and Javed Mirza, 37, from Afghanistan.

Since its inception around 2016, PopeyeTools operated as a significant online marketplace, offering sensitive financial data and other illicit goods to thousands of users worldwide, including those associated with ransomware activities. The platform provided unauthorised payment card data and personally identifiable information (PII) of at least 227,000 individuals, generating approximately $1.7 million in revenue.

[Seizure banner: "This Website Has Been Seized", Operation Shipwrecked. The PopeyeTools marketplace and information on PopeyeTools customers and victims have been seized by the FBI pursuant to a seizure warrant issued by the United States District Court for the Western District of New York, as part of a joint law enforcement operation by the Federal Bureau of Investigation, the United States Attorney's Office for the Western District of New York and the National Crime Agency.]

The DOJ obtained judicial authorisation to seize the domains www.PopeyeTools.com, www.PopeyeTools.co.uk, and www.PopeyeTools.to, which facilitated access to the PopeyeTools website. Additionally, approximately $283,000 worth of cryptocurrency was seized from an account controlled by Abdul Sami.

The administrators face charges of conspiracy to commit access device fraud, trafficking access devices, and solicitation of another person to offer access devices. If convicted, each defendant could face up to 10 years in prison for each of the three offenses.

Australia Passes Landmark Cyber Security Legislation

Australia has taken a significant step in bolstering its cybersecurity defences with the passage of new legislation.

The Cyber Security Bill, a key component of the government's 2023-2030 Australian Cyber Security Strategy, aims to enhance the nation's resilience against cyber threats.

Key Provisions of the Bill:

  • Mandatory Ransomware Reporting: Organisations that pay ransomware demands will be required to report the incident to the government.
  • Enhanced Information Sharing: The National Cyber Security Coordinator and the Australian Signals Directorate (ASD) will have increased authority to share information with victims during cyberattacks.
  • Mandatory Security Standards for Smart Devices: The bill introduces mandatory security standards for internet-connected devices.

The legislation addresses a critical gap in Australia's cybersecurity framework by improving information sharing and enabling a more coordinated response to cyber threats. It reflects the growing recognition of cyber security as a national security priority.

Ransomware Attack on Supply Chain Software Disrupts Major Retailers During Holidays

A ransomware attack on Blue Yonder, a software provider critical to supply chains, is causing disruptions for major retailers and manufacturers during the busy holiday season. The attack, which began on 21st November, targeted Blue Yonder's managed services infrastructure used by many large companies.

Supermarkets Impacted:

Supermarket chains in the UK, including Morrisons and Sainsbury's, are reportedly experiencing difficulties keeping shelves stocked due to the Blue Yonder attack. The attack is impacting the smooth delivery of goods, potentially leading to reduced product availability.

Starbucks Affected:

In the US, Starbucks is facing challenges with employee scheduling and time tracking due to the attack. However, there are no widespread disruptions reported so far. Other Blue Yonder customers in the US include Kimberly-Clark, Anheuser-Busch, and Best Buy.

Holiday Season Vulnerabilities:

The Blue Yonder attack highlights the increased risk companies face during holidays when IT security staffing may be reduced. Research shows 86% of ransomware attacks last year occurred on holidays or weekends, with attackers targeting periods of potentially weaker defences. Experts recommend maintaining strong cybersecurity measures throughout the year, including sufficient staffing and robust backups.

Sextortion Scams Abuse Microsoft 365 Admin Portal to Bypass Email Filters

Cybercriminals are exploiting a weakness in the Microsoft 365 Admin Portal to bypass email security and deliver sextortion scams directly to inboxes.

The Scam:

Sextortion emails claim to have compromising videos or photos of the recipient and demand a ransom in Bitcoin to prevent them from being shared. These scams are prevalent but are usually caught by spam filters.

The Abuse:

Attackers are abusing the "Share" feature within the Microsoft 365 Message Center, which allows authorized users to share service advisories with others.

  • Exploiting Character Limit: The "Personal Message" field for sharing advisories has a 1,000 character limit. Attackers use browser developer tools to bypass this limit and enter their entire sextortion message.
  • Automated Attacks: The attackers likely use an automated script to exploit this vulnerability and send these malicious messages at scale.

Microsoft has been notified of this vulnerability and is investigating the issue. However, as of now, no server-side check has been implemented to reject messages that exceed the character limit; the limit is enforced only in the browser, which is why editing the page with developer tools is enough to get around it.
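The underlying defect is a general one: a length limit enforced by the browser's form field is advisory, and any check that matters has to be repeated on the server. The following is an added illustration, not Microsoft's code; the form handling, the notification template and the field name `personal_message` are constructed, and only the 1,000 character limit comes from the article.

```python
import html
import unicodedata

# Limit the article gives for the Message Center "Personal Message" field.
MAX_PERSONAL_MESSAGE_CHARS = 1000


def handle_share_request_weak(form):
    """Before: the only limit is the browser's maxlength attribute. A client
    that edits the attribute away (or never loads the page at all and posts
    directly) can submit a message of any length."""
    return {"accepted": True, "message": form.get("personal_message", "")}


def handle_share_request_hardened(form, max_chars=MAX_PERSONAL_MESSAGE_CHARS):
    """After: the server re-validates the field, ignoring whatever the client
    claims. Type, control characters and length are all checked here."""
    msg = form.get("personal_message", "")
    if not isinstance(msg, str):
        return {"accepted": False, "reason": "not_text"}
    # Normalise first so the length check sees the same code points the
    # renderer will; then reject anything but ordinary whitespace controls.
    msg = unicodedata.normalize("NFC", msg)
    if any(unicodedata.category(ch)[0] == "C" and ch not in "\n\r\t" for ch in msg):
        return {"accepted": False, "reason": "control_characters"}
    if len(msg) > max_chars:
        return {"accepted": False, "reason": "too_long", "length": len(msg)}
    return {"accepted": True, "message": msg}


def render_notification(advisory_title, personal_message):
    """Escape the user-supplied text and keep it visibly separate from the
    advisory body, so a recipient can tell the trusted advisory from the
    sender's free-text note."""
    return (
        f"<h2>{html.escape(advisory_title)}</h2>\n"
        f'<blockquote data-source="sender">{html.escape(personal_message)}</blockquote>'
    )


if __name__ == "__main__":
    oversized = {"personal_message": "A" * 1500}
    print(handle_share_request_weak(oversized)["accepted"])
    print(handle_share_request_hardened(oversized))
```

The `render_notification` step matters for the same reason as the length check: the text arrives from a trusted sender address, so the mail filter's reputation signals are all green, and the only defences left are what the server refuses to accept and how clearly it marks the user-supplied portion.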

Staying Safe:

  • Be Wary of Unexpected Emails: Even emails seemingly from legitimate sources like Microsoft 365 can be scams.
  • Do Not Engage: Never respond to sextortion emails, click on any links, or send money.
  • Report Phishing Attempts: Report suspicious emails to Microsoft or the relevant security platform.


Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it.

Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

Let’s make 2024 the year of shared knowledge and community growth!