Tuesday 17th December 2024
Good morning everyone and thank you for joining me for the latest instalment of Cyber Daily! Today's edition looks at hackers who are not just stealing your data—they’re going after your cars, your investments, and even each other.
From a Volkswagen infotainment hack that turns GPS tracking into a security nightmare, to a PHP malware cleverly exploiting cybercriminals themselves, to a new AI-powered investment scam that’s fooling thousands with fake celebrity endorsements, the digital battleground is only getting messier.
Let’s get into it. 🚗💸💻
Cybersecurity’s Newest Villain: Glutton Backdoor
Researchers at QiAnXin XLab have uncovered Glutton, a PHP-based malware targeting systems across China, the US, Cambodia, Pakistan, and South Africa. Suspected of links to the Chinese hacking group Winnti (APT41), Glutton blurs the line between cybercrime and espionage with its unique approach: attacking cybercriminals themselves.
Glutton is a modular backdoor capable of:
- Infecting PHP frameworks like Laravel and ThinkPHP.
- Harvesting sensitive system data.
- Deploying Linux malware disguised as the FastCGI Process Manager.
The malware’s creators even advertised compromised systems in cybercrime forums to further spread infections—turning hackers’ tools against them in a poetic twist.
Despite Winnti’s alleged involvement, Glutton lacks typical stealth features like encrypted communications and obfuscation, which XLab called “uncharacteristically subpar.” Instead, the malware relies on zero-day vulnerabilities, brute-force attacks, and strategic persistence through modified system files.
Glutton’s ability to exploit cybercrime operators introduces a “no honor among thieves” dynamic, weaponizing the tools of hackers against their own networks. While crude in some respects, its recursive attack chain signals a shift in how cybercriminal infrastructure is being targeted—sometimes by other attackers.
With cyber warfare tactics evolving, malware like Glutton represents both a threat and a potential wake-up call for cybersecurity defences.
Volkswagen’s Infotainment Flaws Expose Real-Time Tracking Risks
Cybersecurity researchers have discovered 12 vulnerabilities in Volkswagen Group’s MIB3 infotainment systems, putting vehicles at risk of being tracked in real-time and allowing attackers to control certain car functions.
Uncovered by PCAutomotive and presented at Black Hat Europe, the flaws affect systems in Skoda Superb III sedans and other Volkswagen Group vehicles. An attacker within several meters of a target vehicle can access sensitive GPS data, monitor speed, record conversations, and even manipulate the infotainment display. The flaws include:
- Buffer overflows (e.g., CVE-2023-28905) that enable arbitrary code execution.
- Command injection vulnerabilities for unauthorized system access.
- Clear-text data exposure of phonebook contacts.
- Exploitable Bluetooth processes during phonebook synchronisation.
While some vulnerabilities have been patched, others are still being addressed. A Skoda spokesperson emphasised that no immediate threat to driver safety exists, noting fixes are part of ongoing product lifecycle updates.
As cars become more connected, infotainment vulnerabilities pose growing risks—not just to personal data but to overall vehicle security. With attackers now capable of real-time car tracking, the need for robust cybersecurity in automotive systems has never been greater.
Your car’s infotainment system may not just play your favorite tunes; it could be a backdoor for hackers.
Scam Alert: AI and Social Media Used in New Investment Grift
Cybercriminals are upping their game with Nomani, a sophisticated investment scam combining AI-generated celebrity endorsements, fake social media ads, and phishing schemes. Researchers at ESET report a 335% surge in Nomani campaigns during the second half of 2024, with over 100 malicious URLs cropping up daily. The scam unfolds in three stages:
1. Baiting victims: Fraudsters run ads on platforms like Facebook, Threads, and Google using stolen or fake accounts. Some ads mimic Europol and INTERPOL outreach to lure victims of prior scams.
2. Phishing sites: Clicking on these ads leads users to phishing websites that imitate legitimate organizations or promote fake crypto schemes like Quantum Bumex or Bitcoin Trader.
3. Hooking investors: Stolen data is used to directly contact victims and push them into "investing." Scammers falsely promise huge profits but then demand extra fees, ID, and credit card details.
Victims lose not only their money but sensitive data, which is often leveraged for further fraud. Some are manipulated into taking loans or installing remote access apps that give scammers full control over their devices.
ESET suspects Russian-speaking threat actors, citing Cyrillic code comments and the use of Yandex tools. The scam appears well-organized, with different teams handling phishing, ad management, and call center operations.
South Korea recently dismantled a $6.3 million scam using fake trading platforms in an operation called MIDAS. These platforms, which mimic real brokerages, spy on users and refuse to return funds.
As scammers refine social engineering and leverage AI, staying skeptical of unsolicited ads and "too good to be true" opportunities is more crucial than ever.