Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12820
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-02-11 16:47:29 | bleepingcomputer | MALWARE | Russian Military Hackers Target Ukraine with Trojanized Software | Russian military cyber-espionage group Sandworm is deploying trojanized Microsoft Key Management Service (KMS) activators and false Windows updates in Ukraine.
Attacks show use of BACKORDER loader to deliver DarkCrystal RAT malware for data theft, with debug symbols suggesting a Russian-language development environment.
EclecticIQ threat analysts linked the attacks to Sandworm based on overlapping infrastructure, consistent TTPs, and use of specific ProtonMail accounts for domain registration.
Malicious campaigns began in late 2023, with multiple malware distribution efforts employing similar methods and objectives aimed at espionage and network compromise.
Malware disables Windows Defender and shows a fake Windows activation interface while stealthily installing further malicious payloads.
Collected data includes keystrokes, browser cookies, and credentials, which are transmitted to attacker-controlled servers.
Sandworm's strategy exploits the prevalent use of pirated software in Ukraine, significantly increasing the risk and impact of such attacks.
Sandworm is identified as part of Russia's Military Unit 74455, known for disruptive cyber activities against Ukraine since at least 2009. | Details |
| 2025-02-11 16:37:32 | bleepingcomputer | MALWARE | Exploit in SonicWall VPN Allows Unauthorized Session Hijacking | Security researchers at Bishop Fox disclosed details of CVE-2024-53704, a SonicOS SSLVPN application vulnerability that allows attackers to bypass authentication.
SonicWall issued a warning about the flaw on January 7, urging the upgrade of firmware to protect against potential exploits.
The vulnerability permits hackers to take over active SSL VPN sessions without authorization, gaining access to the user's network.
The exploit involves sending a manipulated session cookie to the SSL VPN authentication endpoint, tricking the system into assuming an active session presence.
Proof-of-concept exploit code was developed by Bishop Fox, effectively hijacking an active session and accessing private network resources.
Affected versions include SonicOS 7.1.x, 7.1.2, and 8.0.0 on various SonicWall firewall models; updates have been released to mitigate the issue.
Approximately 4,500 internet-exposed SonicWall SSLVPN servers were still unpatched as of February 7, increasing the urgency for administrators to apply security updates. | Details |
| 2025-02-11 16:31:31 | bleepingcomputer | CYBERCRIME | Critical SonicWall VPN Exploit Exposes Networks to Unauthorized Access | Security researchers have detailed exploitation methods for CVE-2024-53704, a vulnerability in SonicWall's SSLVPN application.
The vulnerability allows attackers to hijack SSL VPN sessions by bypassing authentication, gaining unauthorized access to networks.
SonicWall alerted customers on January 7 about the high risk of exploitation and urged immediate firmware updates.
Bishop Fox developed an exploit following significant reverse-engineering, releasing full details after allowing time for patches.
The exploit manipulates session cookies to trick the VPN into unauthorized session access, logging out the legitimate user.
Affected versions include SonicOS versions 7.1.x through 8.0.0-8035, impacting multiple firewall generations and devices.
SonicWall has released patches in newer firmware versions to mitigate this vulnerability.
Approximately 4,500 internet-exposed SonicWall SSL VPN servers were still unpatched as of February 7. | Details |
| 2025-02-11 16:21:10 | theregister | CYBERCRIME | Man Pleads Guilty to SIM Swapping SEC's Twitter, Manipulating Crypto Market | Eric Council Jr, 25, has pleaded guilty to SIM swapping the SEC's X account to manipulate cryptocurrency prices.
The incident occurred in January 2024, when the false approval of Bitcoin ETFs by the SEC was tweeted, leading to a significant price surge.
Bitcoin's value increased over $1,000 after the fake announcement and dropped more than $2,000 once the SEC corrected the misinformation.
Council's role involved creating a fake ID to obtain a SIM linked to the SEC’s X account, allowing him to intercept two-factor authentication codes.
Other members of the scheme accessed the SEC account and posted the false information, while Council was mainly the facilitator.
Post-event, Council showed signs of paranoia, searching online for indications of being under FBI investigation.
He is scheduled for sentencing on May 16, facing charges of conspiracy to commit identity theft and access device fraud. | Details |
| 2025-02-11 16:05:31 | bleepingcomputer | MALWARE | Critical SonicWall VPN Vulnerability Exposed, Urgent Patch Required | Security researchers at Bishop Fox disclosed exploitation details for SonicWall's CVE-2024-53704, enabling bypass of authentication mechanisms in SonicOS SSLVPN.
SonicWall issued a warning on January 7 about the high risk of exploitation, advising users to immediately upgrade firmware in affected SSL VPN and SSH management systems.
The exploit, shared publicly by Bishop Fox on January 22 after substantial reverse-engineering, involves a malformed session cookie tricking the SSL VPN into unauthorized access.
Attackers exploiting this vulnerability could take over active SSL VPN sessions, accessing internal network resources and configuration details without legitimate credentials.
Versions impacted include SonicOS versions 7.1.x, 7.1.2, and 8.0.0, with patches available from SonicOS 8.0.0-8037 and later versions.
Approximately 4,500 internet-exposed SonicWall SSL VPN servers were still unpatched as of February 7, significantly increasing exploitation risks.
SonicWall customers are urged to apply the security updates immediately to mitigate potential unauthorized network access. | Details |
| 2025-02-11 15:49:58 | bleepingcomputer | CYBERCRIME | U.S. and Europol Dismantle Phobos Ransomware Operations | The U.S. Justice Department has charged two Russian nationals, Roman Berezhnoy and Egor Nikolaevich Glebov, as Phobos ransomware affiliates.
Berezhnoy and Glebov were arrested in Thailand, facing 11 counts including wire fraud and computer damage for orchestrating over a thousand cyberattacks.
They operated under the monikers "8Base" and "Affiliate 2803," employing Phobos ransomware to encrypt, steal data, and extort ransom from victims.
Threats were made to expose stolen data publicly if ransoms were not paid, intensifying the extortion strategy.
In coordination with these arrests, Europol announced the takedown of 27 servers linked to the 8Base group and warned over 400 companies about potential ransomware attacks.
The impact of these law enforcement efforts on the broader Phobos ransomware operation remains uncertain, despite the significant operational disruptions. | Details |
| 2025-02-11 15:41:33 | bleepingcomputer | CYBERCRIME | Global Crackdown on Phobos Ransomware Gang Leads to Arrests | Global law enforcement operation "Phobos Aetor" resulted in the arrest of two Russian suspects in Thailand and the seizure of dark web sites.
The suspects allegedly conducted over 1,000 cyberattacks worldwide, targeting multiple sectors, including Swiss companies.
Victims were extorted for approximately $16 million in Bitcoin; funds were laundered through cryptocurrency mixing platforms.
The operation involved multiple countries including the USA, Germany, Japan, and the UK, coordinated through Europol and national agencies.
Seized items from the suspects include laptops, smartphones, and cryptocurrency wallets, now under forensic evaluation.
Ransomware used included the Phobos encryptor, which encrypts files and demands ransom payments in cryptocurrency.
High-profile victims reported include the Nidec Corporation and the United Nations Development Programme.
The 8Base ransomware group described themselves as "pentesters," but exhibited significant sophistication and were possibly linked to previous ransomware entities. | Details |
| 2025-02-11 15:21:45 | thehackernews | MISCELLANEOUS | Google Introduces SafetyCore for Enhanced Android Security | Google has clarified the functions of its new Android System SafetyCore app, emphasizing that it does not involve client-side scanning of user content.
SafetyCore, designed for Android 9 and newer versions, focuses on private, secure content classification directly on devices.
The tool helps users identify unwanted content like scams by classifying specific content upon request through app features that users can enable or disable.
This initiative is similar to Apple's Communication Safety for iMessage, using machine learning to assess sensitivity of photos and videos without violating privacy.
GrapheneOS confirms that SafetyCore is strictly for classifying potential spam and malware, without engaging in broader invasive content detection.
The addition of SafetyCore addresses privacy concerns raised by alternative methods such as client-side scanning that could potentially extend beyond initial user agreements.
SafetyCore is part of broader security enhancements on the Android platform, available also on Android Go, ensuring compatibility with entry-level devices. | Details |
| 2025-02-11 14:27:19 | bleepingcomputer | CYBERCRIME | US and Allies Impose Sanctions on LockBit Ransomware Host | The US, Australia, and the UK have sanctioned Zservers, a Russian bulletproof hosting provider, for aiding the LockBit ransomware gang.
Zservers' key administrators were designated for managing LockBit's transactions and supporting ransomware assaults.
Investigations revealed that Canadian authorities found a laptop linked to a Zservers IP address being used for running a LockBit control panel.
In response to these activities, sanctions include asset freezes and prohibitions on transactions with the involved parties.
Several LockBit affiliates and developers were arrested and charged by the US Justice Department for their involvement in ransomware operations.
The extensive network of Zservers and associated entities provided vital infrastructure facilitating over 7,000 ransomware attacks estimated to have extorted up to $1 billion.
Recent operations successfully dismantled LockBit's capabilities, seizing key servers and releasing decryption tools to affected entities. | Details |
| 2025-02-11 14:06:46 | theregister | NATION STATE ACTIVITY | Deepfake Scams in Job Interviews: A Growing Cyber Threat | Security expert Dawid Moczadło encountered two deepfake fraudsters posing as job applicants over the last two months.
The scammers, suspected to be linked to North Korean operations, appeared to use AI tools to project altered faces during video interviews.
The primary aim seemed to be gaining employment at Moczadło's AI-focused security firm to steal sensitive intellectual property.
Despite initial solid interview performances, discrepancies like mismatched accents and glitchy video feeds raised suspicions.
Deepfake technologies made it difficult to ensure the authenticity of the person on the other end of the video call.
Moczadło speculates these incidents are part of broader schemes where fake IT workers infiltrate companies to funnel funds or steal data.
The U.S. Justice Department reports such scams have funneled extensive funds to North Korea, further funding illegal programs.
Growing concerns over the sophistication of AI and deepfake technologies highlight future challenges in verifying digital identities. | Details |
| 2025-02-11 13:32:02 | thehackernews | MISCELLANEOUS | Balancing Cost and Experience in MFA Implementation | Multi-factor authentication (MFA) has become standard, yet the adoption varies due to its complexity and costs.
Implementing MFA adds expenses, including subscription costs, training, and increased support demands, which many businesses view as a cost center rather than a security investment.
User experience suffers as MFA introduces additional steps and potential friction in daily operations, which businesses try to mitigate with solutions like Single Sign-On (SSO).
Deployment of MFA systems involves substantial management and scalability challenges, particularly with hybrid setups mixing on-premises and cloud solutions.
MFA's effectiveness is limited if not part of a broader security strategy, as it can be vulnerable to sophisticated attacks like SIM swapping or cookie theft.
Despite the challenges, integrating flexible policies and local authentication options can improve user experience and acceptance of MFA systems. | Details |
| 2025-02-11 11:59:33 | thehackernews | MALWARE | Progress Software Fixes Critical Flaws in LoadMaster Versions | Progress Software has patched high-severity vulnerabilities in its LoadMaster software.
The flaws could enable malicious actors to execute arbitrary system commands or download files.
Kemp LoadMaster, affected by these vulnerabilities, is used widely as an application delivery controller and load balancer.
The vulnerabilities impact multiple versions of LoadMaster software.
No current evidence suggests these flaws have been exploited in the wild.
Historical instances indicate that similar past vulnerabilities have been weaponized.
Customers are urged to update their systems with the latest patches to ensure security. | Details |
| 2025-02-11 11:30:56 | thehackernews | DDOS | Surge in DDoS Attacks Highlights Industry Vulnerabilities | DDoS attacks increased by 56% year-over-year in the latter half of 2024, with financial services and gaming industries most affected.
The largest recorded DDoS attack hit 2 Tbps, targeting a major global gaming company, marking an 18% increase from the previous maximum attack size.
Financial services experienced a significant rise in attacks, with a 117% increase, underscoring its position as a prime target due to regulatory and operational vulnerabilities.
The report notes a shift in attack methods, with a rise in ACK floods and shorter, more powerful bursts of network disruption.
Technological and geopolitical factors are influencing the frequency and intensity of DDoS attacks, emphasizing the need for advanced, real-time defensive strategies.
Gcore's DDoS Protection now offers a 200+ Tbps filtering capacity, highlighting the escalating arms race between cyber defenses and attack methodologies.
The data underscores the need for continuous improvement in DDoS mitigation strategies amidst an evolving cyber threat landscape. | Details |
| 2025-02-11 10:14:06 | thehackernews | MALWARE | Increasing Malware Threats in Software Supply Chains | Cybercriminals are increasingly targeting software supply chains as entry points into organizations, exploiting trusted repositories for malware distribution.
Over half a million malicious packages were detected in open-source ecosystems last year, marking a 156% increase from the previous year, according to the 2024 Sonatype report.
A major supply chain attack was observed in the Python Package Index (PyPI), involving malicious packages disguised as AI chatbot tools, capable of stealing data and executing remote commands.
Product Security Testing (PST) is advocated as a structured way to assess risks in software and hardware before deployment, focusing on high-impact applications and using a mix of in-depth and automated assessment methods.
The SANS SEC568 course encourages a combination of offensive learning and defensive application ("Think Red, Act Blue") to help organizations defend against supply chain attacks.
Inclusion of PST in decision making helps in creating detailed security documentation such as dependency maps and threat models, improving the organization's response to vulnerabilities.
A diverse range of roles within organizations, from security auditors to SOC analysts, benefit from skills in Product Security Testing to enhance security postures and risk management.
An invitation to attend SEC568 training in Orlando emphasizes the importance of hands-on experience in effective software and hardware security assessments. | Details |
| 2025-02-11 09:59:50 | thehackernews | MALWARE | Threat Actors Use ClickFix Technique to Deploy NetSupport RAT | Threat actors are utilizing the ClickFix technique to distribute the NetSupport RAT, targeting organizations since early January 2025.
NetSupport RAT allows full remote control of the victim's device including real-time screen monitoring, file management, and execution of commands.
Originally a legitimate IT support tool known as NetSupport Manager, this software has been repurposed for malicious use by cybercriminals.
Victims are tricked into downloading the RAT via compromised websites displaying a fake CAPTCHA page that leads to executing malicious PowerShell commands.
These PowerShell commands facilitate the downloading and execution of the malware from remote servers disguised as PNG files.
The same ClickFix method is also being applied to deliver a new version of the Lumma Stealer malware, highlighting an evolution in cyberattack strategies.
Advanced methods such as the ChaCha20 cipher are employed by Lumma Stealer for decrypting configuration files, indicating enhanced tactics to evade detection. | Details |