Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11829
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-26 18:49:14 | bleepingcomputer | DATA BREACH | StreamElements Experiences Data Leak Via Third-Party Provider | StreamElements confirmed a data breach at a third-party service provider, impacting user data but not their own servers.
The breach exposed older data including full names, addresses, phone numbers, and emails of StreamElements customers.
A hacker using the nickname "victim" leaked samples of the data on a hacking forum, claiming data theft from 210,000 StreamElements customers from 2020 to 2024.
Twitch-focused journalist Zach Bussey verified the data's authenticity by requesting his personal details from the hacker.
The threat actor alleged that they gained access through an information-stealing malware and breached a StreamElements internal account.
Users of StreamElements are urged to be vigilant against potential phishing and scamming attempts following the breach.
StreamElements has initiated contact with affected customers, though official data breach notifications are yet to be issued.
The company is currently conducting an investigation into the incident, with the responsible hacker's forum post now deleted. | Details |
| 2025-03-26 17:47:59 | bleepingcomputer | CYBERCRIME | Atlantis AIO: Advanced Credential Stuffing Threatens 140 Services | A new cybercrime platform, Atlantis AIO, is facilitating credential stuffing attacks on 140 online services, including major banks, email providers, and e-commerce websites.
Atlantis AIO automates brute force attacks, CAPTCHA circumvention, account recovery exploitation, and the monetization of stolen accounts through pre-configured modules.
Credential stuffing involves using stolen usernames and passwords to access and hijack accounts that lack multi-factor authentication.
The platform is identified as a Credential Stuffing as a Service (CSaaS), allowing cybercriminals to pay for automated attacks.
Commonly attacked brands in the past include Okta, Roku, Chick-fil-A, and PayPal, among others.
The compromised accounts are often sold in bulk on underground forums, with prices as low as $0.50 per account.
Effective countermeasures include using strong, unique passwords and multi-factor authentication, alongside technological measures like rate limiting and advanced CAPTCHAs. | Details |
| 2025-03-26 17:37:46 | theregister | DATA BREACH | Sensitive Court Data Stolen in New South Wales Cyberattack | Approximately 9,000 files were stolen from the New South Wales Online Registry Website, impacting civil and criminal court cases.
The stolen data includes affidavits and apprehended violence orders (AVOs), critical for protecting victims of domestic violence and other abuses.
The breach was identified last Tuesday, with ongoing investigations led by cybercrime detectives and the Department of Communities and Justice.
The data theft poses significant risks, potentially exposing personal details of victims and alleged offenders, making them targets for extortion or further victimization.
Australian law enforcement is actively contacting potentially affected individuals and advises anyone concerned to report via Australia’s cybercrime reporting service.
NSW's attorney general confirmed the severity of the breach and emphasized government efforts to manage the situation and maintain system integrity.
This incident follows a similar cyberattack on Victoria's court system, suggesting a regional challenge in securing judicial data systems. | Details |
| 2025-03-26 17:01:52 | thehackernews | NATION STATE ACTIVITY | FamousSparrow Deploys Advanced Malware in US and Mexico Attacks | FamousSparrow, a Chinese threat group, has recently targeted a US trade group and a Mexican research institute using advanced variants of the SparrowDoor backdoor and the newly added ShadowPad malware.
Observed in July 2024, this marks the first use of ShadowPad by FamousSparrow, aligning with tactics commonly employed by Chinese state-sponsored actors.
ESET researchers reported that the new SparrowDoor variants show significant enhancements, including command parallelization, which allows the execution of multiple tasks simultaneously.
The attacks involved compromised web servers using Internet Information Services (IIS), where the attackers deployed a web shell to execute further malicious activities including malware deployment.
Both targeted entities were using outdated versions of Windows Server and Microsoft Exchange Server, which likely contributed to their vulnerability.
This latest incident highlights the continuous evolution and sophistication of FamousSparrow's cyber capabilities, indicating active development and deployment of new malicious tools.
The linkage between FamousSparrow and other Chinese cyber espionage groups, such as Earth Estries and Salt Typhoon, suggests a broader strategy or cooperation among these actors, despite FamousSparrow being treated as a distinct entity by cybersecurity professionals. | Details |
| 2025-03-26 15:33:32 | theregister | MISCELLANEOUS | Tech Blogger Issues Cryptic Warning About Linux Tool | Rachel Kroll, a respected sysadmin and blogger, posted an enigmatic advisory suggesting users terminate the use of the Linux monitoring tool, atop.
Despite the lack of detailed explanation or context, the warning has significantly alarmed the Linux community.
Kroll's credibility, based on her extensive background in tech, having worked with major companies and spoken at numerous tech conferences, adds weight to her stark warning.
Atop is a valuable system monitoring tool, but it also logs performance data, which could become a concern should an exploit or vulnerability be discovered in it.
Tech forums and communities are abuzz with speculation and concern regarding potential unpublicized vulnerabilities in atop.
The Register attempted to reach out to Kroll and atop's author, Gerlof Langeveld, for further details, but there has been no response yet.
Users are advised that they can safely uninstall atop without harming their systems, with updates expected to be included in upcoming versions of various Linux distributions. | Details |
| 2025-03-26 15:17:40 | bleepingcomputer | MISCELLANEOUS | Emerging Security Technologies and the Enduring Value of Passwords | The Specops Breached Password Report revealed that even complex passwords meeting organizational standards are vulnerable, with 230 million such credentials compromised.
Verizon's Data Breach Investigations Report 2024 indicates stolen credentials lead to 44.7% of breaches, underscoring the need for enhanced security measures.
Alternatives like biometric authentication, behavioral biometrics, and blockchain offer potential password replacements but come with their own risks and limitations, such as vulnerability to spoofing and privacy concerns.
Newer methods like Zero-knowledge Proof (ZKP) and Passkeys provide more secure authentication options by not transmitting actual credentials and using public key cryptography, respectively.
Passphrases offer a user-friendly and secure option against brute-force attacks but require careful construction to avoid predictability.
The emergence of security keys and expanded support for password-less logins across major platforms enhances user authentication without reliance on traditional passwords.
Despite advancements in authentication technology, passwords remain foundational to security strategies, with multi-factor authentication (MFA) providing reinforced protection against vulnerabilities.
As cyber threats evolve, maintaining robust password policies and integrating new authentication technologies are crucial for safeguarding digital identities. | Details |
| 2025-03-26 14:07:38 | bleepingcomputer | CYBERCRIME | RedCurl Cyber Espionage Group Targets Hyper-V Servers with Ransomware | RedCurl, a group known for corporate espionage since 2018, has started deploying ransomware in compromised networks, a shift in their usual operations.
Bitdefender researchers have observed attacks particularly targeting Hyper-V virtual machines with "QWCrypt" ransomware, which differs from the more common focus on VMware ESXi servers.
Initial infection vectors include phishing emails with .IMG attachments disguised as CVs, which enable DLL sideloading through legitimate Adobe executables to load the malware.
The attackers employ various stealth tactics, using "living-off-the-land" tools, a custom wmiexec for lateral movement, and the 'Chisel' tool for secure RDP access.
QWCrypt ransomware supports command-line arguments that tailor attacks specifically to Hyper-V environments and offers selective encryption strategies to speed up the encryption process.
Financial motives behind using ransomware could be multifaceted: it might serve as a distraction during espionage, a method for monetization after data theft, or possibly as a false flag operation.
The absence of a dedicated leak site for double extortion suggests private ransom negotiations rather than public demands, pointing to a quieter, potentially more strategic approach to ransomware deployment by RedCurl. | Details |
| 2025-03-26 13:59:59 | thehackernews | MALWARE | EncryptHub Uses Zero-Day in Windows to Spread Malware | EncryptHub exploited a patched Windows zero-day vulnerability to deploy malware, including Rhadamanthys and StealC.
The malware manipulates Microsoft Console (.msc) files and the Multilingual User Interface Path to maintain persistence and steal data.
The zero-day, tracked as CVE-2025-26633 by Microsoft, is an improper neutralization flaw in Microsoft Management Console.
Microsoft addressed the vulnerability in a recent Patch Tuesday update.
Trend Micro has named the exploit MSC EvilTwin and tracks the threat actor under the name Water Gamayun, which has ties to Russia.
Attackers use digitally-signed installer files mimicking legitimate software like DingTalk to initiate the infection.
The campaign involves sophisticated delivery mechanisms and custom payloads aimed at data theft and establishing control over victim systems.
The campaign, still under active development, started in April 2024 and shows evolving techniques. | Details |
| 2025-03-26 13:52:58 | thehackernews | NATION STATE ACTIVITY | RedCurl Group Expands Tactics with QWCrypt Ransomware Deployment | Russian-speaking hacking group RedCurl, historically known for corporate espionage, has initiated a ransomware campaign using a new strain called QWCrypt.
Romanian cybersecurity firm Bitdefender has identified this as the first instance of ransomware deployment by RedCurl, marking a significant shift in the group's operations.
The ransomware was delivered through phishing attacks employing ISO files disguised as CVs, a continuation of RedCurl's established use of deceptive files.
The attack involves multi-stage infection mechanisms, including the use of legitimate Windows executable files for malicious purposes (DLL side-loading) and social engineering to distract the victim.
The implant from the initial loader sets the stage for further network infiltration and data collection, which ultimately leads to ransomware deployment.
The ransomware not only encrypts virtual machines to paralyze hosted services but also attempts to disable endpoint security through BYOVD (bring your own vulnerable driver) techniques.
The ransom note associated with the attack mimics those used by other ransomware groups such as LockBit, HardBit, and Mimic, suggesting a possible diversion or deeper strategic intentions by RedCurl. | Details |
| 2025-03-26 12:04:16 | thehackernews | MISCELLANEOUS | Enhancing Cyber Defense Through Continuous Automated Pentesting | Cybersecurity parallels boxing, where continuous active testing or "sparring" is crucial for maintaining effective defense strategies.
Traditional penetration testing in organizations is infrequent, leading to potential security gaps due to configuration drift and lack of adversarial challenge.
Infrequent testing can leave vulnerabilities undetected, and over time the natural drift in IT environments can cause previously secure systems to become exposed.
The article emphasizes the value of recurring, real-world scenario tests to identify and address security vulnerabilities efficiently.
Automated pentesting offers a more frequent, cost-effective solution for testing compared to traditional methods, mimicking real-world attacks continuously.
Contextual prioritization of fixes is important; not all detected vulnerabilities pose the same level of risk, depending on the network environment.
Continuous testing helps organizations adapt quickly to new threats and improve their defenses proactively, minimizing potential exposure and costs from breaches. | Details |
| 2025-03-26 12:04:16 | thehackernews | MALWARE | Malicious npm Packages Modify 'ethers' Library for Persistent Attacks | Cybersecurity researchers identified two malicious npm packages, ethers-provider2 and ethers-providerz, which target the locally installed 'ethers' npm package for modifications to facilitate further malware attacks.
ethers-provider2, downloaded 73 times, modifies 'ethers' by injecting a file that launches a reverse shell, allowing attackers to control the infected system remotely.
Even after the removal of ethers-provider2, the malicious modifications within the 'ethers' library persist, potentially leading to re-infection if the original library is not thoroughly cleaned or reinstalled.
The attack involves multiple stages, with the initial payload downloading and executing further malicious content from a remote server, designed to hide traces by deleting temporary files post-execution.
The threat maintains a presence on compromised systems by continuously monitoring and modifying the 'ethers' library whenever it is present or re-installed.
Despite the limited number of downloads, the impact of such packages is significant due to their ability to maintain persistence and control over affected systems.
This incident highlights the sophistication of software supply chain attacks and underscores the importance of thorough verification and handling of third-party open-source packages. | Details |
| 2025-03-26 12:04:15 | bleepingcomputer | MALWARE | New Malicious npm Packages Install Persistent Backdoors | Two harmful npm packages, 'ethers-provider2' and 'ethers-providerz', were uncovered, containing code that patches other legitimate packages to introduce backdoors.
The malicious packages patch legitimate local installations by inserting a reverse shell backdoor, ensuring persistence even after the original malware is removed.
ReversingLabs identified the attack during a routine security review, noting the sophistication of the threat given its covert operation and persistence mechanisms.
The reverse shell patches legitimate files within the npm ecosystem, with 'ethers-provider2' targeting the 'ssh2' package and 'ethers-providerz' aiming at the @ethersproject/providers.
Even if the original malicious package is uninstalled, the patched legitimate package retains the malware, continuing to compromise the system.
Some earlier versions of these packages contained flaws that prevented them from working fully, but corrected versions are likely to be republished in the future.
ReversingLabs also developed a YARA rule to aid developers in scanning their environments for remnants of these and related threats.
General advice given includes stringent verification of package legitimacy and scrutiny of package code for any suspicious elements like obfuscated commands or external calls. | Details |
| 2025-03-26 11:29:31 | thehackernews | MALWARE | Ransomware Defense: The Importance of Continuous Validation | Ransomware attacks progress through stages, each offering a crucial window for detection and prevention.
Most organizations miss early indicators, such as shadow copy deletion and process injection, allowing attackers to escalate their efforts quietly.
Continuous ransomware validation is essential, simulating attacks to ensure systems detect and respond appropriately before actual ransom demands occur.
The three stages of a ransomware attack are the pre-encryption groundwork, the encryption lockout, and the post-encryption ransom demand.
Key indicators of compromise (IOCs) to monitor include shadow copy deletion, mutex creation, process injection, and service termination.
Automated security validation tools can seamlessly integrate into security workflows, reducing the burden on IT teams while ensuring defenses are robust against evolving threats.
Regular, continuous testing is critical as annual testing is insufficient against the fast-evolving ransomware tactics. | Details |
| 2025-03-26 11:09:38 | theregister | MISCELLANEOUS | NCSC Engages Influencers to Promote 2FA Cybersecurity | The UK's National Cyber Security Centre (NCSC) has employed popular social media influencers to promote two-factor authentication (2FA) as a part of its Stop! Think Fraud campaign.
Influencers from various backgrounds, including comedy and personal finance, are creating content to demonstrate the effectiveness of 2FA in preventing unauthorized access.
One skit by thesquidvids humorously illustrates how cybercriminals are thwarted by 2FA, showcasing its importance in securing accounts.
This approach aims to reach a broader audience and enhance public awareness about the benefits of enabling strong account protections.
NCSC's initiative reflects a broader strategy, which includes podcasts, blog posts, and other social media engagements, to bolster national cybersecurity.
The campaign is supported by Action Fraud and the National Crime Agency (NCA) to combat fraud, which has been described as a life-ruining crime.
This marks the second instance where NCSC has utilized influencer marketing, following a previous campaign about Christmas scams. | Details |
| 2025-03-26 10:16:39 | thehackernews | DATA BREACH | How PAM Safeguards Organizations Against Insider Threats | Insider threats pose significant financial and reputational risks to organizations, often leading to serious data breaches.
Privileged Access Management (PAM) is crucial in controlling and monitoring access to sensitive systems, effectively mitigating insider risks.
Insider incidents, especially those involving privileged accounts, are among the most costly, averaging USD 4.99 million per attack.
Advanced PAM solutions automate the discovery and management of privileged accounts, reducing the opportunity for insider abuse.
Implementing PAM practices like least privilege and just-in-time access can drastically limit unauthorized access and potential damage.
PAM technologies ensure that remote access and third-party interactions are secure, minimizing risks from external collaborators.
The combination of user activity monitoring and automated responses is effective in detecting and mitigating insider threats promptly.
Beyond preventing insider threats, PAM enhances overall operational efficiency, compliance, and security of organizational systems. | Details |