Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12822
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-12-06 11:00:32 | bleepingcomputer | MALWARE | Sophisticated Malware Targets Web3 Professionals Via Fake Meeting Apps | Cybercriminals are using a fake video conferencing app, dubbed "Meeten," to infect the devices of Web3 professionals with crypto-stealing malware.
The malware campaign targets both Windows and macOS systems, stealing cryptocurrency, banking information, and browser-stored data.
The operators rotate through fraudulent product names such as "Clusee" and "Meetio" and use AI-generated content on official-looking websites and social media accounts to appear legitimate.
Victims are lured through phishing and social engineering techniques, often involving impersonation via platforms like Telegram.
The macOS version of the malware prompts users for their system password under the guise of a connection error message, then steals their data.
The Windows variant uses a more sophisticated infection method involving digitally signed files and a Rust-based executable that collects and sends data remotely.
Cado Security Labs emphasizes the importance of verifying software authenticity and using antivirus tools, noting the high vulnerability of individuals working in the Web3 space. | Details |
| 2024-12-06 09:14:24 | theregister | DATA BREACH | Rising Cloud Data Breach Costs Necessitate Robust Security Measures | The 2024 IBM Cost of a Data Breach Report found that 40% of data breaches involved data stored across multiple environments, such as clouds.
Breached data stored in public clouds carried the highest average cost, US$5.17m, over the period March 2023 to February 2024.
Data breaches not only lead to financial damages but also to serious reputational harm for the affected organizations.
The complexity and variety of breach sources, including cyber attacks, unauthorized access, skill shortages, and misconfigurations, underscore the critical need for comprehensive security strategies.
SANS offers specialized webcasts aimed at enhancing organizational defenses in cloud environments and advocating for modern security approaches.
These webcasts provide a roadmap for creating effective cloud security strategies, modifying default settings for better protection, and updating identity management practices.
Access to SANS cloud security resources and live or on-demand webinars can help organizations protect their off-premise mission-critical data and applications. | Details |
| 2024-12-06 08:23:35 | thehackernews | MALWARE | Expansion of More_eggs MaaS with RevC2 Backdoor and Venom Loader | The More_eggs malware-as-a-service (MaaS) operation has been linked to two new malware families: RevC2 and Venom Loader.
RevC2, an information-stealing backdoor, communicates using WebSockets and is capable of cookie theft, password exposure, network traffic proxying, and remote code execution.
Venom Loader customizes its payloads based on the victim's computer name, enhancing its stealth and effectiveness.
Both families are distributed via VenomLNK, which delivers them through deceptive PNG images.
Campaigns using this malware were active between August and October 2024 and were primarily run by the Venom Spider (aka Golden Chickens) threat group.
The operation continues to evolve, introducing new techniques and tools, despite previous disclosures identifying individuals involved with More_eggs.
Separately, ANY.RUN reported on a fileless loader malware, PSLoramyra, indicating continued innovation and activity in the malware domain. | Details |
| 2024-12-06 07:07:43 | thehackernews | NATION STATE ACTIVITY | Gamaredon Uses Cloudflare Tunnels to Shield Malware in Ukrainian Attacks | Gamaredon, a group affiliated with Russia's Federal Security Service, has intensified its cyber-attacks on Ukraine, using Cloudflare Tunnels to hide its malware infrastructure.
The campaign involves spear-phishing with HTML attachments that employ HTML smuggling techniques to deploy GammaDrop malware.
Recorded Future identifies these tactics as part of an effort to complicate tracking and retain access to compromised systems using DNS fast-flux and multiple backdoors.
GammaDrop serves as an HTA dropper that uses a custom loader, GammaLoad, to establish C2 communications and fetch additional malicious payloads.
The attacks target data from web applications, email clients, and messaging applications, enhancing the risk of significant data theft and further malware spread.
The use of legitimate services like Cloudflare and encrypted DNS queries (DoH) makes detection and mitigation more challenging for security defenses.
Continued advancements in HTML smuggling and DNS-based evasion methods are expected to pose growing threats, particularly to organizations with inadequate threat detection mechanisms. | Details |
| 2024-12-06 06:02:00 | theregister | CYBERCRIME | Unpatched Zero-Day Bug Threatens Collaboration Tool Security | A zero-day vulnerability in Mitel MiCollab could allow attackers to access sensitive files through an arbitrary file read flaw.
The vulnerability has remained unpatched for over 100 days, despite Mitel being notified by security firm watchTowr.
The exploit combines two vulnerabilities: an already-fixed critical SQL injection and an authentication bypass flaw, enabling deeper system access.
Mitel MiCollab is widely used for enterprise collaboration, with features like messaging and video conferencing, and over 16,000 instances are deployed globally.
This unpatched vulnerability, coupled with its widespread use, makes Mitel MiCollab an attractive target for cybercriminals, including ransomware gangs.
While Mitel promised a patch in early December, the security update has not yet been released, raising risks for users and businesses. | Details |
| 2024-12-06 03:45:30 | bleepingcomputer | CYBERCRIME | Nebraska Man Admits to $3.5 Million Cryptojacking Fraud | Charles O. Parks III, alias "CP3O", pleaded guilty to running a large-scale cryptojacking operation, causing losses of $3.5 million.
Parks utilized cloud computing resources from two unnamed major providers, likely Amazon and Microsoft, without payment to mine cryptocurrencies.
He managed to mine about $970,000 worth of cryptocurrencies such as Ether, Litecoin, and Monero using illicitly obtained computing power.
Through multiple identities and corporate entities, Parks manipulated cloud service providers to access significant computing capabilities and defer billing.
To conceal the origins of his mined cryptocurrency, Parks laundered money through various platforms including crypto exchanges and an NFT marketplace.
His illicit gains funded luxury expenditures, such as first-class travel, a high-end vehicle, and jewelry.
Facing up to 20 years in prison, his guilty plea highlights the Justice Department's focus on prosecuting sophisticated cryptocurrency-related cybercrimes. | Details |
| 2024-12-06 01:08:54 | theregister | NATION STATE ACTIVITY | Chinese Cyber-Spies Target US Critical Infrastructure and Government | A Chinese government-linked cyber-espionage group, known as Storm-0227, has recently targeted US critical infrastructure and government agencies.
The espionage activities by Storm-0227 have been persistent since at least January, focusing on sectors such as defense, aviation, telecommunications, finance, and legal services.
Microsoft's threat intelligence highlights that Storm-0227 uses tactics like exploiting vulnerabilities in public-facing applications and spear-phishing to deploy malware, specifically SparkRAT, for sustained access.
The group's method of operation includes stealing credentials for cloud applications like Microsoft 365 and eDiscovery, then blending in with legitimate user activity to avoid detection.
The information gathered from these intrusions provides deep insights into the operations and communications within the targeted organizations.
Sherrod DeGrippo, a director at Microsoft, notes a significant shift in espionage tactics with nation-state actors frequently using easily available malware to conduct operations.
The threat from Chinese cyber-espionage, particularly groups like Storm-0227, is expected to persist as they continue to seek valuable intelligence from US interests. | Details |
| 2024-12-06 00:08:07 | bleepingcomputer | CYBERCRIME | Nebraska Man Admits Guilt in Multimillion-Dollar Cryptojacking Case | Charles O. Parks III pleaded guilty to running a substantial cryptojacking operation that illegally used rented cloud computing power to mine cryptocurrencies.
Parks left $3.5 million in services unpaid to cloud providers which, though unnamed, are based in Seattle and Redmond and are believed to be Amazon and Microsoft.
Using aliases and fake companies, he manipulated cloud services to mine Ethereum, Litecoin, and Monero, accumulating around $970,000 in cryptocurrencies.
He exploited these cloud platforms by upgrading his service tiers, delaying billing, and avoiding scrutiny of his disproportionate resource usage.
His illegal activities extended to laundering the proceeds through cryptocurrency exchanges, a New York City NFT marketplace, and other online services to conceal their origins.
Lavish spending of the laundered money included high-end travel, a luxury vehicle, and expensive jewelry.
Parks faces a sentence of up to 20 years in federal court, underscoring the legal consequences for such sophisticated cybercrimes. | Details |
| 2024-12-05 23:57:49 | bleepingcomputer | NATION STATE ACTIVITY | Over 85,000 Cyberattacks Target Romanian Election Infrastructure | Romania’s election infrastructure suffered more than 85,000 cyberattacks, traced back to 33 countries, ahead of the presidential elections.
The attacks aimed to obtain access, compromise systems, alter public election information, and restrict access to systems.
A server hosting electoral mapping data linked to Romania’s public and internal electoral networks was compromised.
Access credentials for pivotal Romanian electoral websites were leaked on a Russian hacker forum shortly before the elections.
The Romanian Intelligence Service suggests the scale and nature of the attacks point to involvement by a state actor.
A related influence campaign manipulated over 100 Romanian TikTok influencers to promote presidential candidate Calin Georgescu, potentially impacting millions of viewers.
The findings strongly imply foreign interference in the election, and historical context points toward Russian involvement, although Romanian agencies have not made a direct attribution. | Details |
| 2024-12-05 23:17:16 | theregister | MALWARE | Solana Web3.js Library Compromised, Private Keys and Funds Stolen | Solana's web3.js library was tampered with to include malware, potentially affecting anyone using automated bots with stored private keys.
An advisory, CVE-2024-54134, was issued noting that a hijacked npm account was used to publish malicious versions of the @solana/web3.js library.
The modified packages were designed to extract private key data and drain funds from decentralized applications that manage private keys directly.
The affected versions were 1.95.6 and 1.95.7, which were available for a few hours on December 3, 2024, before both were unpublished.
Estimates indicate a financial impact around $130,000 due to the unauthorized transactions facilitated by the malware.
Early analysis points to a spear-phishing incident that captured the login credentials of an npm organization member with publish access.
Additional security advice includes checking for compromised packages using tools like the free command-line utility from Socket.dev.
The compromise came to light after an ecosystem team installed the tampered version and detected unauthorized transactions. | Details |
| 2024-12-05 22:16:32 | bleepingcomputer | NATION STATE ACTIVITY | Prolonged Cyber Intrusion by Chinese Hackers Targets U.S. Firm | A significant U.S. organization with operations in China experienced a security breach by China-based hackers from April to August 2024.
The intrusion was detected by Symantec, which highlighted the use of compromised Exchange servers for intelligence gathering and potential data theft.
The breach involved sophisticated methods including "Kerberoasting" via PowerShell, and data exfiltration tactics using FileZilla and PuTTY components.
Multiple machines within the organization were compromised, with attackers employing techniques such as registry manipulation and Windows Management Instrumentation (WMI) for persistence and lateral movement.
The attackers also utilized common administrative tools and open-source software in their operations, a tactic commonly associated with Chinese cyber espionage groups.
This breach follows a similar attack by the same China-based 'Daggerfly' threat group in the previous year, suggesting a targeted pattern against this organization.
Symantec’s report indicates the use of malware and tools that have been linked in prior research to other Chinese cyber activities. | Details |
| 2024-12-05 20:35:25 | bleepingcomputer | CYBERCRIME | U.S. Teen Arrested for Major Telecom and Financial Hacks | U.S. authorities have arrested 19-year-old Remington Goy Ogletree, a member of the Scattered Spider cybercrime gang, for hacking a financial institution and two telecom companies.
Ogletree executed these breaches by using stolen credentials obtained through phishing attacks that impersonated the companies' IT support.
The phishing campaign targeted 149 employees of the financial institution, redirecting them to fake websites to harvest their system access credentials.
From October 2023 to May 2024, Ogletree exploited telecom systems to send over 8.6 million phishing texts across the U.S., trying to steal cryptocurrency by targeting users of Gemini and KuCoin platforms.
The FBI's February raid on Ogletree's residence uncovered evidence of his involvement, including screenshots of phishing attempts and cryptocurrency wallet details.
Ogletree admitted to knowing key members of Scattered Spider and acknowledged the group’s focus on targeting less secure business process outsourcing firms.
Scattered Spider, also known as 0ktapus and other names, is linked to various high-profile attacks and partnerships with Russian ransomware gangs. The group is known for its fluid structure and coordination through social media platforms. | Details |
| 2024-12-05 18:49:17 | theregister | MISCELLANEOUS | Webinar Explores Automation in Endpoint Management | Tim Phillips from The Register and Harman Kaur from Tanium are hosting a webinar on the strategic application of automation in endpoint management.
The webinar, scheduled for December 9th, aims to address the increasing complexity of managing numerous devices and frequent software updates in modern IT environments.
Discussion points will include the challenges of endpoint complexity, the benefits of automating routine tasks like patch management, and the adoption of real-time solutions for better endpoint visibility and control.
Attendees will learn how automation can enhance security by maintaining updated protections and managing vulnerabilities efficiently, thus freeing up IT resources.
The session is targeted at IT leaders seeking to minimize operational overhead and enhance their organization's security posture through strategic automation.
Registration is encouraged for those looking to gain insights from industry experts and stay informed about advancements in IT management techniques. | Details |
| 2024-12-05 17:48:27 | bleepingcomputer | CYBERCRIME | German Authorities Dismantle Major Cybercrime Network, Arrest Leaders | German police have seized over 50 servers running the Manson Market, a notorious cybercrime marketplace.
Two principal suspects believed to be the operators of Manson Market were arrested in Germany and Austria under European arrest warrants.
The investigation uncovered over 200 terabytes of data linking thousands of users to fraudulent transactions, culminating in significant financial losses for victims.
The operation was a joint effort involving multiple European countries and coordinated by Europol, indicating a significant crackdown on international cybercrime.
Seized evidence reveals Manson Market facilitated the sale of stolen online banking credentials, credit card information, and personal data.
Authorities also recovered over 63,000 stolen records traded on Manson Market and dismantled fake online shops used in phishing scams.
Additional related actions included the shutdown of "Crimenetwork," another major cybercrime platform, and the capture of its administrator.
This marks a substantial effort by German law enforcement in combating cybercrime, reflecting successful international collaboration and a warning to cybercriminals about the increasing effectiveness of law enforcement agencies. | Details |
| 2024-12-05 17:17:57 | bleepingcomputer | NATION STATE ACTIVITY | New Spyware Detected on Programmer's Phone After FSB Detention | Kirill Parubets was detained by the Russian FSB, accused of supporting Ukraine, and his phone was confiscated.
Upon its return, Parubets suspected tampering due to unusual device behavior and an odd notification.
Citizen Lab confirmed the existence of new spyware disguised as the popular Android app 'Cube Call Recorder.'
This spyware grants broad permissions, allowing complete access to monitor the device's activities.
The malware is believed to be an updated version or a derivative of Monokle, initially identified in 2019 and linked to a St. Petersburg-based tech company.
Updated features include enhanced encryption and new permissions, such as 'ACCESS_BACKGROUND_LOCATION' and 'INSTALL_PACKAGES.'
References to iOS in the code suggest a potential variant targeting Apple devices.
Recommendations include using burner devices, deploying anti-spyware tooling, and seeking expert analysis of any device that has been confiscated. | Details |