Daily Brief

Articles are listed below, each followed by its generated summary

Total articles found: 12824

Checks for new stories every ~15 minutes

2024-12-15 15:22:55 bleepingcomputer NATION STATE ACTIVITY Winnti Group Deploys New Glutton PHP Backdoor Against Cybercriminals
The Chinese Winnti group, a state-backed cyberespionage entity, has developed a new PHP backdoor named 'Glutton,' targeting organizations in both China and the U.S. as well as rival cybercriminals. Discovered by Chinese security firm QAX's XLab in late April 2024, Glutton's deployment traces back to December 2023, indicating gradual development and operational testing. The backdoor is designed for stealth and flexibility, able to execute without leaving files behind by disguising its operations under legitimate PHP processes. Winnti utilizes Glutton to inject code into popular PHP frameworks and the Baota web panel, enabling data theft and persistent access to web development environments. The group also embeds Glutton in trojanized software sold on underground forums, targeting cybercriminals with tools that steal browser-stored credentials and sensitive data. Winnti's strategic infection of other threat actors' systems reflects a "black eats black" approach, turning cybercriminal tools against their creators. Despite its sophistication, Glutton has weaknesses in stealth and encryption that suggest it might be in an early phase of development; its initial access methods are still undisclosed.
2024-12-14 19:42:46 bleepingcomputer CYBERCRIME Over 390,000 WordPress Accounts Stolen in Supply Chain Attack
MUT-1244, a threat actor, has stolen over 390,000 WordPress credentials in a sophisticated year-long campaign. The victims, who include both cybersecurity professionals and malicious actors, were targeted with a trojanized WordPress credential checker. Deceptive techniques were employed, such as phishing emails and trojanized GitHub repositories with malicious proof-of-concept (PoC) exploits. The malware used in the campaign not only stole credentials but also collected SSH private keys, AWS access keys, and other sensitive data. The malicious payloads exfiltrated data to platforms like Dropbox and file.io using credentials hardcoded within the malware. This operation partly overlaps with a previously reported supply-chain attack that involved cryptocurrency mining and data theft. Hundreds of systems remain compromised, and the campaign is still actively infecting new targets, posing ongoing risks. This incident exploited the trust within the cybersecurity community, leading to significant data breaches and system infiltrations.
2024-12-14 15:19:29 bleepingcomputer MALWARE Over 390,000 WordPress Credentials Stolen in Hacker-on-Hacker Attacks
A threat actor named MUT-1244 stole over 390,000 WordPress credentials during a year-long campaign targeting other hackers. The stolen credentials included SSH private keys and AWS access keys from systems owned by red teamers, penetration testers, security researchers, and malicious actors. Victims were infected through trojanized GitHub repositories offering malicious proof-of-concept (PoC) exploits for known vulnerabilities and a phishing campaign with a fake kernel upgrade. Several of the trojanized repositories appeared legitimate, getting indexed and shared among cybersecurity information sources, increasing their spread. The malware deployed included cryptocurrency miners, backdoors, and tools for extracting sensitive data, which was exfiltrated via file-sharing services using hardcoded credentials. Besides credential theft, the campaign also caused ongoing compromises, with hundreds of systems estimated to still be infected or at risk. The attackers leveraged trust within the cybersecurity community, effectively breaching defense systems of both white hat and black hat hackers.
2024-12-14 11:36:41 thehackernews MALWARE Germany Halts BADBOX Malware Affecting 30,000 Devices
Germany's Federal Office for Information Security (BSI) disrupted BADBOX malware embedded in 30,000 devices across the nation. The BSI employed sinkholing techniques to sever communication links between the infected devices and their command-and-control servers. Affected devices include digital picture frames, media players, streamers, and likely phones and tablets, all running outdated Android versions. BADBOX, identified by HUMAN's Satori Threat Intelligence, installs Triada Android malware onto low-cost devices via supply chain vulnerabilities. The malware collects sensitive data and can install additional malicious software while generating ad revenue through a botnet named PEACHPIT. BADBOX-infected devices could also function as residential proxies, hiding the internet traffic of other threat actors and facilitating the creation of fraudulent online accounts. German authorities are now directing major internet providers to divert the relevant traffic to the sinkhole and are advising consumers to disconnect affected devices.
2024-12-14 10:20:46 thehackernews NATION STATE ACTIVITY Thai Officials Targeted by New Yokai Backdoor Cyberattack
Thai government officials were the focus of a cyberattack employing DLL side-loading to implant a previously unknown backdoor termed Yokai. A RAR archive was used to initiate the attack, containing shortcut files that opened decoy documents while discreetly executing malicious activity. The campaign leveraged lures involving a wanted individual, indicating highly targeted spear-phishing as the likely delivery method. The attack chain used a legitimate binary to sideload a malicious DLL, establishing persistence and enabling command execution via a C2 server. This event is part of a broader landscape of increasing threats, such as cryptocurrency miners and info stealers distributed through deceptive online tactics. Proactive cybersecurity measures are emphasized as critical due to the sophisticated evasion techniques employed in these and other similar malware campaigns.
2024-12-14 00:00:15 theregister NATION STATE ACTIVITY Iranian Cyber Crew Attacks US, Israeli Critical Infrastructure
An Iran-affiliated group, CyberAv3ngers, used custom malware, IOCONTROL, for targeted attacks on US and Israeli water and fuel systems. The malware specifically targets IoT and OT devices, potentially controlling fuel pumps and stealing payment information. IOCONTROL was involved in hijacking devices from a range of vendors, including Baicells, D-Link, Hikvision, and more. The attacks compromised several hundred devices from Orpak and Gasboy, affecting critical operational infrastructure. The FBI identified the CyberAv3ngers' operations against PLCs in critical US infrastructure, with attacks noted from mid-October 2023 through late January 2024. IOCONTROL uses communication techniques such as MQTT and DNS over HTTPS (DoH) to avoid detection and maintain control. This campaign demonstrates a significant escalation in nation-state attacks leveraging cyber weapons against civilian infrastructure in geopolitical conflicts.
2024-12-13 23:34:49 bleepingcomputer CYBERCRIME LKQ Corporation Reports Cyberattack on Canadian Unit, Data Stolen
LKQ Corporation, a major provider of automotive parts, experienced a cyberattack on a Canadian business unit on November 13, 2024. Unauthorized access to IT systems led to data theft and disrupted operations within the affected unit. Immediate measures included activating incident response plans, engaging forensic investigators, and notifying law enforcement. The company managed to contain the threat, with no other business units impacted, and operations have largely resumed. The financial impact of the incident is considered non-material, with recovery costs likely covered by cyber insurance. No specific ransomware group or threat actor has publicly claimed responsibility for the attack.
2024-12-13 22:54:13 theregister CYBERCRIME Texan Gets 30 Years for Operating Dark Web CSAM Forums
Robert Shouse, a 37-year-old from Houston, has been sentenced to 30 years in prison for running a dark web forum dedicated to the exchange of child sex abuse material (CSAM). The FBI initiated an investigation in 2018, identifying Shouse as the administrator of the illicit site accessible via the Tor network, leading to his arrest in 2019. During a raid on his home, authorities discovered over 117,000 CSAM images and 1,100 videos, including content involving very young children. Shouse was also found to have sexually abused a child over several years, created CSAM with the victim, and provided the victim's family with money and gifts. In addition to his prison term, Shouse will undergo 10 years of supervised release, pay $153,500 in restitution to his victims, and will be permanently registered as a sex offender. The case underscores the FBI's ongoing efforts to combat the spread and impact of child exploitation materials facilitated by advanced technology.
2024-12-13 22:13:36 bleepingcomputer CYBERCRIME Citrix NetScaler Under Siege: Mitigations for Password Spray Attacks
Citrix NetScaler devices are currently targeted by widespread password spray attacks aimed at stealing login credentials. Earlier this year, similar attacks were reported against Cisco VPN devices and various other networking devices, with effects extending to cloud services. The attacks on Citrix use a wide range of dynamic IP addresses, complicating traditional IP blocking or rate limiting measures. Germany's BSI cybersecurity agency has reported an uptick in brute force attacks against Citrix NetScaler devices, with reports coming largely from critical infrastructure sectors. Attackers predominantly target legacy NetScaler URLs, exploiting their compatibility with older system setups. Citrix released mitigation guidance specifically for NetScaler/NetScaler Gateway devices in on-premises or cloud setups; the guidance does not apply to customers using Gateway Service. Only devices running firmware version 13.0 or higher can implement the recommended security measures. Citrix warns that these password spraying attempts can overwhelm devices configured for normal login volumes, leading to possible system outages or performance issues.
2024-12-13 21:27:58 bleepingcomputer RANSOMWARE Critical Cleo Software Vulnerability Exploited in Ransomware Attacks
CISA confirmed that a critical vulnerability in Cleo Harmony, VLTrader, and LexiCom is being exploited in ransomware attacks. The security flaw, identified as CVE-2024-50623, affects all versions prior to 5.8.0.21 and allows remote code execution on exposed servers. Cleo released updates to address the vulnerability and strongly urged customers to upgrade immediately to prevent further exploitation. With the vulnerability now added to the KEV catalog, U.S. federal agencies are required to secure their systems by January 3 under BOD 22-01. This series of attacks shares similarities with past ransomware campaigns that exploited vulnerabilities in other file transfer software such as MOVEit and GoAnywhere. Researchers from Huntress discovered that even patched Cleo servers remained exploitable, likely due to a bypass of the original fix, which has since been patched in version 5.8.0.24. The actively exploited zero-day allowed attackers to deploy a Java-based post-exploitation framework using malware named Malichus, affecting Windows and potentially Linux systems. Over 50 indicators of compromise have been found across various Cleo hosts, with ongoing investigations suggesting numerous potential victims.
2024-12-13 21:12:38 theregister MISCELLANEOUS Google's Privacy Update Results in Loss of Crucial User Data
Google's recent privacy update changed how Timeline location data is stored, transitioning from cloud to local device storage. The new settings automatically retain location data for just three months instead of the previous 18 months, with an option for the user to disable auto-deletion. Despite prior notices, users were unprepared for the change, leading to significant data loss and affecting many who relied on the detailed location history for personal or tax reasons. Complaints have surged on forums and Reddit, with users lamenting the loss of valuable memories and records essential for daily function, especially highlighted by a user with a severe memory impairment. Google's approach to communication and implementation of these changes has been criticized as inadequate and misleading, particularly because other Google services might still collect location data. The changes, although intended to enhance privacy, have caused substantial issues for users who valued or depended on historical location data for various personal and professional needs.
2024-12-13 20:01:49 thehackernews MALWARE Over 390,000 WordPress Credentials Stolen via Malicious GitHub Repo
A malicious GitHub repository, posing as a WordPress tool, enabled the theft of over 390,000 credentials. The threat actor known as MUT-1244 used phishing and trojanized repositories containing fake PoC exploit code to conduct the attacks. Compromised data includes private SSH keys, AWS access keys, and sensitive environment data. The campaign primarily targeted security researchers, including pentesters and likely malicious actors, exploiting their interest in newly disclosed vulnerabilities. The malware spread through this scheme also installed cryptocurrency miners and extracted system information. One significant attack vector involved fake GitHub users and repositories claiming to host exploit code for specific CVEs, using AI-generated profile pictures to appear legitimate. Additional tactics included phishing emails aimed at academics, tricking them into executing malicious kernel upgrade commands. The discovery highlights the growing trend of exploiting vulnerability disclosures and underscores the risks of running unofficial PoC exploit code from untrusted repositories.
2024-12-13 19:56:29 bleepingcomputer CYBERCRIME FTC Reports Sharp Rise in Online Task Scams with Huge Losses
The Federal Trade Commission (FTC) highlights a significant increase in online job scams, particularly "task scams," that resemble gambling mechanisms. Task scams involve repetitive tasks with promises of higher returns once the victim deposits their own money. Reports of these scams have grown from none in 2020 to 20,000 in the first half of 2024. Victims reported over $220 million in losses through job scams from January to June 2024, with $41 million directly attributed to task scams. Scammers often impersonate reputable companies and contact victims through social media or messaging platforms, offering easy money for simple online tasks. Once involved, victims initially earn small amounts in cryptocurrency, but are later deceived into making large deposits to unlock higher rewards, resulting in financial loss. Many victims are lured into these scams via fake success stories in group chats and the addictive nature of the task completion process, which is likened to gambling. The FTC warns that any job that involves payments for likes or ratings is illegal, emphasizing the importance of skepticism towards unsolicited job offers that require upfront payments or personal financial information. The FTC notes that cryptocurrency is used in these scams as a tactic to complicate the tracing of scammers.
2024-12-13 19:35:59 bleepingcomputer NATION STATE ACTIVITY Federal Agencies Warn Against Cyber Threats to US Water Facilities
The Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) issued a warning to water facilities to secure exposed Human Machine Interfaces (HMIs) from cyberattacks. HMIs allow operators to monitor and control water and wastewater treatment processes. Inadequately secured HMIs are vulnerable to unauthorized access, potentially leading to operational disruptions. Recent incidents cited include pro-Russia hacktivists manipulating HMI settings at U.S. Water and Wastewater Systems, causing operational exceedances and locking out operators. Defenders of Water and Wastewater Systems are urged to implement the advisory's mitigations, which focus on hardening remote access to HMIs to prevent successful cyber intrusions. Past targets include the Arkansas City water treatment facility and American Water, both of which were forced to revert to manual operations after cyberattacks. The EPA earlier issued additional strategic guidance to help protect U.S. water plants from similar attacks, and the White House has alerted governors about the broader risk to national water infrastructure. Global threats have also been recorded, with Chinese and Iranian-linked actors found compromising U.S. water utility networks through different means.
2024-12-13 18:15:01 bleepingcomputer MISCELLANEOUS Russia Censors Viber Amid Ongoing Communications Crackdown
Roskomnadzor, Russia's telecommunications regulator, has blocked the encrypted messaging app Viber, citing violations of national legislation. Russian authorities justify the ban as necessary to prevent the messenger's use for terrorist and extremist activities and other illegal acts, including the sale of drugs. Viber's popularity is significant, with over 1 billion downloads on Android and a large number of ratings on iOS. This action follows a fine in June 2023, when Viber was penalized for not removing content deemed illegal by Russia, including information about the war in Ukraine. Since March 2023, Russia has prohibited its government and state agencies from using several foreign messaging apps, including WhatsApp and Telegram. In addition to messaging services, Russia has also targeted VPN applications, with multiple bans implemented to restrict access to "illegal content." Apple was compelled to remove 25 VPN apps from the Russian App Store in August 2024, following orders from Roskomnadzor.