Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-12-18 10:30:31 | thehackernews | MISCELLANEOUS | Cynet Achieves Unprecedented 100% Success in MITRE ATT&CK 2024 | Cynet secured 100% detection visibility and protection in the 2024 MITRE ATT&CK Evaluation, perfectly detecting and blocking all test threats.
The All-in-One Cybersecurity Platform demonstrated no false positives and no delays during the evaluation, setting a high standard in endpoint security.
This year's evaluation involved simulating attacks over 16 steps, divided into 80 malicious sub-steps, where Cynet effectively detected and blocked all applicable steps.
Unlike other vendors, Cynet experienced no technical issues during testing and was able to complete both detection and protection tests fully.
The results underscore Cynet's commitment to providing top-tier security solutions and its capacity to handle real-world cyber threats effectively.
MITRE's evaluation is considered the fairest and most comprehensive test of competing security solutions, focusing on real threat group techniques.
Cynet's performance in the 2023 and 2024 evaluations plays a crucial role in reinforcing its standing as a leader in the cybersecurity space for SMEs and MSPs. | Details |
| 2024-12-18 09:14:38 | thehackernews | CYBERCRIME | INTERPOL Advocates for Change in Scam Terminology to "Romance Baiting" | INTERPOL proposes the term "romance baiting" over "pig butchering" to describe certain cryptocurrency scams underpinned by fake romantic relationships.
The agency highlights that "pig butchering" shames and dehumanizes victims, potentially deterring them from reporting the frauds.
The fraudulent schemes often involve criminals building trust with victims through social media or dating platforms before coaxing them into false investments.
These crimes are linked to organized crime groups in Southeast Asia, with operations including human trafficking and forced labor in scam compounds.
Victims are deceived by sophisticated IT infrastructure that mimics legitimate investment platforms, increasing the scams’ perceived legitimacy.
Earlier this year, Google also rejected the term "pig butchering," instead using "international online consumer investment fraud scheme" to label these activities.
INTERPOL emphasizes that changing the narrative can lead to increased respect and empathy for victims while ensuring accountability for perpetrators. | Details |
| 2024-12-18 05:47:41 | thehackernews | DATA BREACH | Meta Fined €251 Million for Major 2018 Facebook Data Breach | Meta Platforms hit with a €251 million fine for a 2018 data breach that impacted 29 million Facebook accounts, including 3 million in the EU/EEA.
The breach stemmed from a bug in the "View As" feature, allowing attackers to obtain user access tokens and access accounts.
Personal data exposed included names, email addresses, phone numbers, work locations, birth dates, and more sensitive information.
Follow-up actions by Meta included the removal of the problematic functionality that led to the breach.
This fine is part of a series of penalties, with a previous €91 million fine in 2019 for storing passwords in plaintext and a separate AU$50 million settlement in Australia.
The Irish Data Protection Commission (DPC) cited a violation of multiple GDPR articles, stressing the importance of integrating data protection in design and development stages.
The fine highlights ongoing legal and financial repercussions for Meta concerning privacy and data protection failures. | Details |
| 2024-12-18 04:57:06 | thehackernews | MALWARE | Critical Remote Code Execution Vulnerability Hits Apache Struts | A severe flaw, CVE-2024-53677, was found in Apache Struts; it carries a severity score of 9.5 and enables remote code execution.
The vulnerability allows attackers to manipulate file uploads and execute arbitrary code remotely.
This issue is similar to a previously patched vulnerability CVE-2023-50164, suggesting possible flaws in prior fixes.
Active exploitation attempts have been detected, with attackers initially focusing on identifying vulnerable systems.
Effective exploitation can lead to data theft, unauthorized command execution, or further malicious downloads.
Apache has released a fix in Struts version 6.4.0, with recommendations to update and revise relevant code.
The ubiquity of Apache Struts in crucial IT infrastructures increases the potential impact of this vulnerability across multiple sectors. | Details |
| 2024-12-18 01:04:56 | theregister | CYBERCRIME | Cybercriminals Use Spoofed Google Calendar Invites in Phishing Scheme | Cybercriminals are sending spoofed Google Calendar emails in a widespread phishing campaign, impersonating known contacts to increase the likelihood of engagement.
Over four weeks, approximately 300 organizations have been targeted with more than 4,000 malicious emails.
The phishing emails typically contain .ics calendar files that redirect victims to fraudulent Google Forms or Google Drawings links, disguised as reCAPTCHA or support buttons.
Victims who click on these links are taken to fake cryptocurrency mining or Bitcoin support pages, where they are prompted to enter personal and payment details under the guise of authentication.
Check Point researchers have informed Google about the campaign, leading to recommendations for users to enable the 'known senders' setting on Google Calendar to mitigate such attacks.
Additional preventive measures recommended include scrutinizing unexpected event invites, manually entering suspicious URLs in browsers, and always enabling two-factor authentication on sensitive accounts.
The FBI reported substantial losses due to phishing and spoofing scams last year, highlighting the effectiveness and financial motivation behind such cybercrimes. | Details |
| 2024-12-17 23:33:58 | theregister | MISCELLANEOUS | Interpol Advocates Change in Fraud Terminology to "Romance Baiting" | Interpol is ceasing use of the term "pig butchering" for online financial scams to avoid dehumanizing victims, preferring "romance baiting" instead.
The decision is based on feedback that the original term may discourage victims from reporting their experiences due to emotional distress.
"Pig butchering" refers to scammers fostering a victim’s trust through feigned relationships or friendships, subsequently defrauding them, often in bogus cryptocurrency dealings.
This fraudulent practice resulted in substantial financial and psychological damage to victims, who were likened to pigs that are fattened before slaughter.
Interpol has modified past press releases and communications to replace the term and encourages media outlets to adopt the new terminology.
Historical online records and some PDF documents still contain the original term, showing the challenges of fully implementing such language changes.
Other U.S. law enforcement and financial entities continue using the term "pig butchering," while the FBI labels it a significant and prevalent fraud. | Details |
| 2024-12-17 22:33:13 | bleepingcomputer | NATION STATE ACTIVITY | 'Bitter' Cyberespionage Targets Turkish Defense with New MiyaRAT | A cyberespionage group known as 'Bitter' has been targeting defense organizations in Turkey using a new malware, MiyaRAT.
Proofpoint discovered the espionage campaign, noting that MiyaRAT is deployed alongside another malware, WmRAT, previously linked to Bitter.
The targeted attacks used lures involving foreign investment projects to deliver malicious payloads via email attachments.
Attack tactics include the use of a decoy PDF and hidden PowerShell scripts in alternate data streams of a RAR file to install malware.
Once activated, the malware sets up a scheduled task to communicate with a command server every 17 minutes to receive further commands or deliver stolen data.
MiyaRAT showcases advanced capabilities such as encrypted communications, remote control, and enhanced file management, indicating its use for high-value targets.
Indicators of compromise and a YARA rule for detecting this threat have been published by Proofpoint. | Details |
| 2024-12-17 22:07:44 | bleepingcomputer | CYBERCRIME | Phishing Scam Targets Ledger Users with Fake Data Breach Alerts | A new phishing campaign is impersonating Ledger, a cryptocurrency hardware wallet company, with fake data breach notifications.
These fraudulent emails prompt users to "verify" their recovery phrases on a deceptive website, risking crypto theft.
The emails mimic official Ledger communication and direct users to an Amazon AWS-hosted website that then redirects to a phishing site registered in December 2024.
The phishing site attempts to acquire user recovery phrases by making users input their keywords, which are checked against a list of valid recovery phrase words.
Recipients of these emails should refrain from entering recovery phrases online and manually type the legitimate domain into their browser to avoid phishing sites.
Ledger’s actual data breach from 2020, where customer contact details were exposed, has likely exacerbated the phishing problem.
Ledger officially does not request recovery phrases from its users and advises ignoring any such requests received via email. | Details |
| 2024-12-17 22:02:30 | theregister | CYBERCRIME | Critical Apache Struts Security Flaw Actively Exploited | A severe vulnerability in Apache Struts 2, identified as CVE-2024-53677, is currently being actively exploited.
The bug affects various versions of the Struts framework, widely used in enterprise and governmental web applications.
The vulnerability involves the File Upload Interceptor component and allows attackers to execute remote code by manipulating file uploads.
Apache has issued patches and advises upgrading to Struts version 6.4.0 or later, which removes the deprecated component.
Successful exploitation can lead to severe consequences like data loss and complete system compromise.
Attackers are utilizing publicly available proof-of-concept code to scan for and exploit vulnerable systems.
The exploit follows similar patterns to CVE-2023-50164, indicating potential issues with incomplete or inadequate prior patches.
Despite patches being available, updating to a safe version of Apache Struts can be complex and requires significant changes in web applications. | Details |
| 2024-12-17 20:06:11 | bleepingcomputer | MISCELLANEOUS | U.S. Federal Agencies Ordered to Secure Microsoft 365 Environments | CISA has issued a binding operational directive (BOD 25-01) mandating federal civilian agencies to implement secure configuration baselines for their cloud services, initially focusing on Microsoft 365.
The directive is part of a broader effort to minimize the attack surface on federal networks by enforcing stronger security practices across cloud platforms.
Agencies are required to deploy CISA-developed tools, such as ScubaGear for Microsoft 365, to conduct audits and integrate with the agency's continuous monitoring infrastructure.
The initiative aims to address risks posed by misconfigurations and weak security controls in cloud environments, which can lead to unauthorized access, data exfiltration, or service disruptions.
Besides Microsoft 365, CISA plans to extend these security baselines to other cloud platforms like Google Workspace, with implementation expected in the second quarter of FY 2025.
Although BOD 25-01 specifically targets federal civilian agencies, CISA strongly recommends that all organizations adopt these practices to enhance their cloud security and reduce potential breach risks.
Previous directives by CISA, including BOD 23-02 and BOD 22-01, have focused on securing internet-exposed or misconfigured network equipment and mitigating known exploited vulnerabilities under strict deadlines. | Details |
| 2024-12-17 18:04:53 | bleepingcomputer | MALWARE | Critical Apache Struts Flaw Targeted by Active Exploits | A critical vulnerability identified as CVE-2024-53677 in Apache Struts 2 is being actively exploited to compromise servers.
Apache Struts is widely used by government bodies, financial institutions, e-commerce, and airlines to build Java web applications.
The flaw relates to the framework's file upload logic, allowing for path traversal and the uploading of malicious files leading to remote code execution.
This vulnerability affects versions from Struts 2.0.0 up to 6.3.0.2, with a recommendation to upgrade to Struts 6.4.0 or higher to address the issue.
Attackers are employing a known exploit to upload a file named "exploit.jsp", which helps them confirm control over the infected server.
Active exploitation attempts are currently traced back to a single IP address but could indicate broader unauthorized attempts to find and exploit vulnerable systems.
Cybersecurity agencies from several countries have issued alerts urging immediate patching and updates in response to these threats.
Apache advises that merely patching the system without switching to the new, secure file upload mechanism leaves systems at risk. | Details |
| 2024-12-17 16:38:56 | thehackernews | MALWARE | DarkGate Malware Deployed via Microsoft Teams and AnyDesk | Trend Micro researchers identified a new malicious campaign exploiting Microsoft Teams for social engineering to deploy DarkGate malware.
Attackers masqueraded as employees from external suppliers, initially bombarding victims' emails before making contact through Teams.
Victims were deceived into installing AnyDesk, which provided attackers remote access to deploy payloads, including a credential stealer and DarkGate.
DarkGate, a remote access trojan active since 2018, now operates as malware-as-a-service with features like keylogging, screen capturing, and audio recording.
The deployment process in the documented attack used AutoIt scripts; however, the attack was stopped before data could be exfiltrated.
Experts recommend enforcing multi-factor authentication, using allowlists for remote access tools, and vetting third-party support providers to reduce risks.
Increased phishing campaigns leverage global events and emotional triggers, highlighting the need for security teams to monitor domain registrations and DNS anomalies to respond promptly to threats. | Details |
| 2024-12-17 16:08:24 | bleepingcomputer | DATA BREACH | Meta Fined $264M for GDPR Violations Over 2018 Breach | The Irish Data Protection Commission (DPC) fined Meta €251 million ($263.6 million) for GDPR violations stemming from a 2018 data breach affecting 29 million Facebook accounts.
The breach involved unauthorized access to user access tokens, exposing sensitive data including names, email addresses, phone numbers, and physical locations.
The breach was due to a bug in Facebook’s “View As” feature; immediate corrective actions were taken by Facebook upon discovery.
Meta also settled with the Australian Information Commissioner for $50 million over the Cambridge Analytica incident, concerning privacy breaches under the Privacy Act 1988.
The Australian settlement covers users who interacted with the Your Digital Life app or were connected to someone who did, during a specific window between 2013 and 2015.
Meta emphasized that it currently has industry-leading protective measures in place and reiterated its commitment to prioritizing user privacy in its services.
Both the DPC and Australian decisions highlight ongoing consequences for historical data privacy issues and emphasize the importance of regulatory compliance. | Details |
| 2024-12-17 15:32:46 | theregister | DATA BREACH | Meta Fined €251M for 2018 Data Breach Exposing 30M Users | The Irish Data Protection Commission imposed a €251 million fine on Meta for violations linked to a 2018 data breach of Facebook, affecting 30 million users.
Meta plans to appeal the ruling, arguing that they acted promptly to address the breach and continually informed both affected individuals and regulatory authorities.
The breach, which stemmed from a vulnerability in Facebook's "View As" feature, initially risked exposing the data of up to 90 million users, but that figure was later adjusted to 30 million.
Approximately three million EU-based users' access tokens were stolen, exposing sensitive PII including full names, contact details, birthdates, and workplace information.
The DPC investigation concluded Meta breached several GDPR articles, specifically relating to inadequate breach notifications and not placing data protection at the core of system design.
Aside from the current fine, Meta has faced multiple penalties from the DPC for various privacy violations over recent years, amounting to significant sums, including a record €1.2 billion fine in 2023.
Meta defended its security protocols, highlighting measures like multifactor authentication and login alerts to safeguard user data across its platforms. | Details |
| 2024-12-17 15:27:26 | bleepingcomputer | CYBERCRIME | Over 25,000 SonicWall VPNs Vulnerable to Critical Security Flaws | Bishop Fox identified 25,485 SonicWall SSL VPN devices vulnerable to critical security flaws.
Critical vulnerabilities in these devices have already been exploited by ransomware groups such as Fog and Akira.
The study found 430,363 publicly exposed SonicWall firewalls, significantly increasing cybersecurity risks.
Among the exposed devices, 20,710 use end-of-life firmware with known vulnerabilities.
Many devices are running unsupported or unknown firmware versions, heightening security concerns.
Public access to firewall management and SSL VPN interfaces provides avenues for brute-force and vulnerability probing.
The firm emphasizes slow patch adoption, noting that only some vulnerable devices have been updated to the latest, more secure firmware. | Details |