Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12762

Checks for new stories every ~15 minutes

2025-05-28 06:47:11 theregister RANSOMWARE DragonForce Ransomware Exploits MSP via RMM Tool Flaws
DragonForce ransomware infected a managed service provider (MSP) by exploiting vulnerabilities in the SimpleHelp remote monitoring and management (RMM) tool. The ransomware spread to multiple endpoints, involving data theft and double-extortion tactics to demand a ransom. The breach not only affected the MSP itself but extended to its numerous customers through the distribution capability of the compromised RMM tool. Researchers traced the origin of the attack to a chain of vulnerabilities in SimpleHelp, all of which had been previously patched, highlighting the importance of timely updates. The attack exemplifies a significant supply-chain risk, with attackers leveraging the MSP's infrastructure to maximize impact across multiple customer networks. Security firm Sophos initially identified the suspicious activity and has since published indicators of compromise to aid other organizations in detection and defense. Authorities in both the US and UK had previously issued warnings about attackers exploiting these specific vulnerabilities in SimpleHelp.
2025-05-28 06:13:31 thehackernews CYBERCRIME Apple Thwarts $9 Billion in App Store Fraud Over Five Years
Apple has blocked over $9 billion in fraudulent transactions within the past five years to protect App Store users. In 2024 alone, Apple prevented fraudulent activities amounting to more than $2 billion. The tech giant has terminated around 46,000 developer accounts and rejected 139,000 developer enrollments due to security concerns. Apple also rejected approximately 711 million customer account creations and disabled nearly 129 million accounts to combat spam and manipulation of App Store operations. This extensive vigilance is in response to various threats, ranging from deceptive apps that capture personal data to fraudulent payment processes targeting users. This crackdown on fraud comes as Apple faces heightened scrutiny and legal challenges regarding its App Store policies, including a recent U.S. ruling impacting in-app purchase directions. Concurrently, Google also reported blocking millions of policy-violating apps and banning numerous developer accounts in efforts to safeguard its users on the Google Play store.
2025-05-28 02:23:34 theregister MISCELLANEOUS ASUS Targets Business Market with Durable PCs and Free AI Tools
ASUS is shifting its focus towards the business PC market to climb the global PC-maker rankings, currently positioned as the fifth most prolific. Emphasizing durability, ASUS business PCs feature robust USB ports and dual sockets for memory and SSDs, aiming to reduce maintenance costs and extend product life. The company installs physical Trusted Platform Modules on business PCs and commits to updating BIOSes for five years. ASUS has developed on-device AI tools like "ExpertMeet" for meeting assistance and "AI Search" for data management, offered for free to attract small-to-medium business clients. Despite integrating AI capabilities, ASUS will remove AI features for larger buyers due to data security and privacy concerns. Shawn Chang, Head of Go-To-Market at ASUS, observes high interest in AI among businesses but notes a lack of practical application, influencing their strategy to offer PCs with or without AI. ASUS announced its inaugural range of AI PCs with various form factors and processor options at the recent Computex event in Taiwan.
2025-05-27 23:54:55 theregister MALWARE Malicious AI Tool Ads on Social Media Deliver Malware
Malicious actors identified as UNC6032 target users on Facebook and LinkedIn with ads for fake AI video generator tools. These ads have redirected over two million users to more than 30 fraudulent websites posing as legitimate AI services. Interaction with these sites results in the download of a ZIP file containing STARKVEIL malware, which includes keyloggers and data theft components. Mandiant, a threat intelligence team from Google, traced the campaign's origins to Vietnam, noting its extensive reach but an unclear victim count. Despite the large audience reach, the actual number of malware infections remains uncertain, as reported by Mandiant officials. Meta has taken proactive measures by removing the malicious ads, blocking URLs, and deactivating related accounts, often preemptively. The malware suite used in these campaigns is designed to steal sensitive information such as login credentials, credit card details, and other personal data. Mandiant praised Meta's efforts in combating these threats and suggested that users remain vigilant against seemingly innocuous online ads.
2025-05-27 23:13:07 bleepingcomputer CYBERCRIME DragonForce Ransomware Attack via MSP's SimpleHelp Tool
DragonForce ransomware breached a managed service provider by exploiting vulnerabilities in the SimpleHelp tool. The attackers used SimpleHelp for reconnaissance, gathering vital information about MSP customers, including device names, configurations, and network details. Subsequent data theft and ransomware deployment affected several downstream customers, leading to double-extortion scenarios. Sophos, the cybersecurity firm, was enlisted to investigate and mitigate the impact, identifying older vulnerabilities exploited by the attackers. Protective measures by Sophos blocked some attacks, but other customers experienced device encryption and loss of sensitive data. Significant ransomware incidents continue, with DragonForce targeting major UK retailers and substantial customer data breaches reported. Increased affiliation strategies and ransomware-as-a-service offerings by DragonForce indicate a shift towards a 'cartel' model aiming for broader impact across industries.
2025-05-27 21:48:37 bleepingcomputer CYBERCRIME DragonForce Ransomware Exploits MSP to Attack Customer Networks
The DragonForce ransomware operation compromised a managed service provider (MSP) using the SimpleHelp remote monitoring and management platform. The attackers exploited older vulnerabilities in SimpleHelp identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726. Initial attack stages involved reconnaissance on MSP customer systems, collecting critical information like device configurations and network connections. Subsequent attack phases focused on data theft and deploying ransomware for double-extortion tactics; some attempts were blocked by Sophos security solutions. Impact varied across affected networks, with several customers experiencing data encryption and significant data theft. Sophos has disseminated Indicators of Compromise (IOCs) to aid organizations in bolstering their network defenses. The incident underscores the heightened risk to MSPs from ransomware groups, given their access to multiple networks via a single entry point. DragonForce is increasing its market presence, partly through high-profile attacks and a ransomware-as-a-service (RaaS) model to attract affiliates.
2025-05-27 19:19:24 thehackernews CYBERCRIME Cybercriminals Use Cloned Antivirus Site to Deploy Venom RAT
Cybersecurity experts have uncovered a new scheme where attackers clone an antivirus website to spread Venom RAT and steal cryptocurrency. The fake site, mimicking Bitdefender, encourages downloads of a compromised “BitDefender.zip” file, initiating malware installation. The ZIP file contains Venom RAT for persistent access, StormKitty for stealing passwords and digital wallet information, and SilentTrinity to help attackers remain undetected and maintain control. DomainTools Intelligence links the false Bitdefender site to other phishing domains used for credential theft from institutions like Royal Bank of Canada and Microsoft. The approach utilizes open-source components in a "build-your-own-malware" method, increasing the attacks' efficiency and stealth. This campaign is part of a broader trend involving sophisticated modular malware and coordinated phishing attempts to exploit social media and financial accounts. Additional threats include a deceptive Google Meet page and phishing attacks leveraging Google's AppSheet platform to bypass security measures and harvest credentials and 2FA codes.
2025-05-27 19:19:24 bleepingcomputer CYBERCRIME Iranian National Admits to Major US Ransomware Extortions
Iranian citizen Sina Gholinejad pleaded guilty to attacks involving Robbinhood ransomware. The cyberattacks, spanning from 2019 to 2024, targeted U.S. cities and health organizations. Victims included Baltimore, Greenville, and several nonprofit entities; ransom was demanded in Bitcoin. Ransomware operations involved data theft and using stolen information to pressure victims further. Attacks utilized a compromised Gigabyte driver to disable antivirus software and facilitate the malware deployment. Gholinejad and accomplices used advanced tactics like VPNs and cryptocurrency mixers to obscure their identities. The guilty plea was entered in a North Carolina federal court; Gholinejad faces up to 30 years in prison.
2025-05-27 17:56:41 theregister NATION STATE ACTIVITY New Russian Cyber-Spy Group Targets Western Tech and NATO
A new Russian cyber-spy group, referred to as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively conducting espionage since at least April 2024. The group, believed to be backed by the Russian government, has targeted Dutch police, NATO members, Western tech firms, and organizations linked to defense, aerospace, and space technology. Laundry Bear has been involved in credential-stealing attacks and has also breached several Ukrainian aviation organization user accounts. Microsoft reports that the group uses stolen credentials to access organizations' systems, where it then collects large amounts of emails and files. In a recent development, Void Blizzard has added spear-phishing with typosquatted domains to its tactics, enhancing its ability to target NGOs in Europe and the US through deceitful European Defense and Security Summit invitations. The campaign uses sophisticated methods such as the Evilginx kit to intercept data during the fake registration process, posing an increased risk to critical sectors. Microsoft has observed that, in some instances, the threat actor has accessed Microsoft Teams conversations and heavily utilized legitimate cloud APIs for extensive data extraction. Dutch and Microsoft intelligence state that while Laundry Bear shares tactics with another Russian group, APT28, they operate as separate entities.
2025-05-27 16:29:43 thehackernews MALWARE New Malware Infects Docker to Mine Dero Cryptocurrency
A new self-spreading malware campaign targets misconfigured Docker API instances for cryptocurrency mining. The malware exploits insecurely published Docker APIs to initially access containerized infrastructures, then uses these to create and propagate a cryptojacking network. Designed with worm-like capabilities, the malware autonomously searches for other vulnerable Docker instances to infect and incorporate into the mining botnet. Two main components drive the attack: a propagation tool disguised as "nginx" to evade detection and a "cloud" miner specifically for Dero cryptocurrency mining. The "nginx" component not only mimics the legitimate nginx server but also generates and infects new Docker containers remotely, installing necessary tools to perpetuate further spread. This campaign includes mechanisms for persistence in infected systems, ensuring continued operation and spread of the mining malware. Overlaps with previous campaigns targeting similar infrastructures were noted, suggesting an ongoing or evolving threat targeting Docker and Kubernetes environments. Security experts warn of the increased exploitation of containerized environments and the necessity of securing Docker APIs to prevent such attacks.
2025-05-27 14:28:30 bleepingcomputer MISCELLANEOUS Prioritizing Real Risks: The Benefits of Exposure Validation
Over 40,000 new vulnerabilities were reported in 2024, with over 60% ranked as high or critical, raising concerns about the efficacy of current vulnerability prioritization methods. Traditional scoring systems like CVSS and EPSS may misrepresent the actual threat level to individual environments, often overstating the impact due to a lack of contextual understanding. The Exposure Validation approach uses real-world simulations to test vulnerabilities in specific network environments, determining true exploitability against existing defenses. Techniques like Breach and Attack Simulation (BAS) and Automated Penetration Testing provide detailed insights into how attacks could realistically unfold, informing more accurate risk assessments. Exposure Validation helps recalibrate vulnerability scores based on actual defense capabilities and system criticality, reducing the perceived severity when defenses are effective. Organizations using exposure validation see significant decreases in the number of vulnerabilities classified as critical, focusing efforts on genuine threats and improving overall security posture. Picus Security's Exposure Validation solution combines attack surface management with realistic testing methods to provide a pragmatic approach to vulnerability management, emphasizing real threats over theoretical risks.
2025-05-27 14:20:59 theregister DATA BREACH Adidas Customer Data Stolen from Third-Party Service Provider
Adidas alerted customers about a data breach originating from a third-party customer service provider, disclosing that personal contact information was stolen. The compromised data primarily includes details from consumers who previously interacted with Adidas' customer support, though no highly sensitive information like passwords or payment details was exposed. Adidas is actively notifying affected customers and has involved relevant data protection and law enforcement authorities to address the incident. Immediate actions were taken by Adidas to contain the breach, including initiating a thorough investigation with help from top cybersecurity experts. The breach resembles a recent one at Coinbase, where customer and some corporate data were more extensively compromised via help desk staff. Adidas' incident seems less severe than Coinbase's in terms of data volume and sensitivity, but it still poses potential risks such as phishing attacks using the stolen information. Despite no threat to payment information, security experts advise affected Adidas customers to remain cautious of potential scams and phishing attempts exploiting their stolen data.
2025-05-27 13:39:11 bleepingcomputer RANSOMWARE MathWorks Hit by Ransomware, Service Outages Ensue
MathWorks confirmed a ransomware attack caused recent widespread service outages. The incident led to disruptions in online applications and internal systems since May 18. Customer-facing services like the license center and MathWorks store experienced significant downtime. While multi-factor authentication and Single Sign-On were restored by May 21, issues persist in account creation and login abilities for some users. Federal law enforcement has been notified of the attack, although the specific ransomware group involved has not been disclosed. There is no information available about potential customer data theft or if a ransom was paid. MathWorks employs over 6,500 staff globally and provides software used by more than 100,000 organizations.
2025-05-27 12:31:27 theregister RANSOMWARE Ransomware Disrupts MathWorks, MATLAB Licensing Still Compromised
A ransomware attack targeted MathWorks, impacting its flagship MATLAB software and affecting over five million users globally. MathWorks confirmed the ransomware incident following a significant outage that started on May 18, initially reported as multiple application issues. Critical disruptions include MATLAB's Licensing Center remaining offline, severely affecting new license verifications for users. Although recovery efforts led by cybersecurity experts have restored most of MATLAB's functionality, some services still show degraded performance or remain offline. The impact extended to the education sector, particularly affecting students during peak exam periods, resulting in missed deadlines and forced workarounds such as software piracy. MathWorks has notified federal law enforcement and is progressing towards full recovery, albeit slowly, with ongoing updates posted on its status page. Some commercial customers were less affected because they run their own MATLAB licensing servers, in contrast with the critical issues faced in educational settings.
2025-05-27 11:54:07 thehackernews NATION STATE ACTIVITY Russian-Linked Hackers Target NGOs in Espionage Campaign
Russian-affiliated hackers, identified as Void Blizzard, have conducted espionage targeting various sectors in NATO countries and North America. The group has been active since at least April 2024, focusing on government, defense, transportation, media, NGOs, and healthcare. Attacks are primarily aimed at collecting intelligence to support Russian strategic goals, particularly targeting entities supporting Ukraine. The hackers use phishing techniques, stealing login credentials to infiltrate organizations and extract sensitive emails and files. Recent tactics include spear-phishing using fake Microsoft Entra authentication pages, targeting over 20 NGOs in Europe and the U.S. After initial breaches, the group uses automation tools to harvest data from Exchange Online and Microsoft Graph extensively. The group's activities sometimes overlap with other Russian state actors, indicating shared intelligence objectives. Microsoft has observed a shift toward more direct methods of credential theft, emphasizing the need for robust cybersecurity measures in targeted sectors.