Daily Brief
Find articles below, see 'DETAILS' for generated summaries
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-11-22 16:51:07 | thehackernews | NATION STATE ACTIVITY | Chinese Cyber Espionage Targets Tibetan Media via Malware | A China-linked cyber espionage group named TAG-112 has infiltrated Tibetan media and academic websites to deploy information-collecting malware. The malware campaign used malicious JavaScript to trick visitors into downloading a fake security certificate, subsequently installing the Cobalt Strike toolkit. The affected sites included Tibet Post and Gyudmed Tantric University, both compromised via security vulnerabilities in their Joomla content management system. The JavaScript checks the user's operating system and browser type, targeting only Windows systems running Google Chrome or Microsoft Edge. The fake TLS certificate error message prompts the fraudulent download, which masquerades as a legitimate executable that loads a Cobalt Strike Beacon using DLL side-loading. TAG-112, potentially a sub-group of the broader Evasive Panda (aka Bronze Highland), shows a less sophisticated setup than its possible parent group, which employs custom malware. Despite similar targets, TAG-112's activities are considered less advanced than TAG-102's, with no JavaScript obfuscation and reliance on known tooling such as Cobalt Strike. | Details |
| 2024-11-22 12:08:18 | thehackernews | NATION STATE ACTIVITY | Russian Cyber Espionage Targets Central and East Asia, Europe | Russia-linked hackers, identified as TAG-110, have been conducting espionage in Central Asia, East Asia, and Europe using HATVIBE and CHERRYSPY malware. The campaign primarily impacts government entities, human rights organizations, and educational institutions, aiming to gather intelligence that supports Russia's geopolitical interests. The malware tools were first detected in Ukraine by CERT-UA in May 2023 and have since been found in 62 unique victims across eleven countries. Initial attack vectors include exploiting vulnerabilities in public web applications and using phishing emails to deploy the malware. TAG-110's activities are seen as part of a larger Russian strategy to influence geopolitical dynamics and maintain leverage in post-Soviet states. Russia is intensifying sabotage operations against European critical infrastructure to destabilize NATO allies and disrupt support for Ukraine. The covert operations are part of Russia's hybrid warfare strategy, designed to weaken military capabilities and political alliances in NATO countries. | Details |
| 2024-11-22 11:32:46 | thehackernews | MISCELLANEOUS | Enhancing Google Workspace Security: Essential Measures | Google Workspace, serving three billion users, offers email, cloud storage, and collaboration tools but faces significant security risks due to its connectivity and flexibility. Security relies on a shared responsibility model: Google secures the infrastructure, while users manage data and access within their accounts. Users are often the weakest link in security, with studies showing that human error causes most data breaches. Effective protection strategies include multilayered security with MFA, regular vulnerability assessments, and user education on phishing. Implementing zero trust principles, strengthening email security, and using cloud detection and response tools are critical. Regular automated backups and adoption of the 3-2-1-1-0 backup rule are vital for ensuring data resilience against attacks. Backupify provides encrypted backups and immutable storage solutions to enhance Google Workspace data security. | Details |
| 2024-11-22 11:17:24 | theregister | MISCELLANEOUS | Expert Insights on Enhancing Endpoint Security in Webinar | A webinar hosted by The Register's Tim Phillips discussed crucial endpoint security strategies with Kaseya's Sam Duckett. The session addressed the challenges of managing security across an increasing number of endpoints, including laptops, mobiles, and IoT devices. Sam Duckett explained the risks associated with endpoint sprawl and the inefficiencies of using disconnected security tools. The webinar emphasized the benefits of integrating endpoint security tools into a single platform to improve protection and oversight. The discussion highlighted the importance of automating security tasks such as patching and backups to minimize human error and speed up threat response. Kaseya's strategy involves a unified solution that enhances security while simplifying the management of IT operational challenges. The on-demand version of the webinar is available for those interested in effective strategies for securing organizational endpoints. | Details |
| 2024-11-22 09:41:18 | thehackernews | CYBERCRIME | Microsoft and Meta Lead Major Crackdown on Global Cybercrime Networks | Microsoft's Digital Crimes Unit seized 240 websites linked to an Egypt-based cybercriminal involved in phishing scams since 2017. The cybercriminal sold a phishing kit that compromised Microsoft customer accounts, particularly targeting the financial services sector. Microsoft acted under a civil court order from Virginia to disable the phishing infrastructure, aided by LF Projects, LLC. The U.S. Department of Justice shut down PopeyeTools, a marketplace for stolen credit cards and sensitive data, leading to charges against three administrators. PopeyeTools had been operational since 2016, amassing significant revenue through the sale of access devices and personal data. Meta announced the removal of over two million scam accounts from Southeast Asia involved in large-scale fraud and pig butchering schemes. The actions by Microsoft, Meta, and the Department of Justice represent coordinated efforts to disrupt extensive cybercriminal operations and protect sensitive user data. | Details |
| 2024-11-22 08:40:29 | theregister | CYBERCRIME | Ransomware Attack on Microlise Disrupts Tracking, Data Stolen | The SafePay ransomware gang claimed responsibility for an attack on UK-based Microlise, threatening to leak stolen data unless its demands were met within 24 hours. Approximately 1.2 TB of data was reportedly stolen by SafePay from Microlise, which provides vehicle tracking for companies including DHL and Serco. The attack caused significant disruptions for major customers: DHL experienced issues tracking lorries, while Serco reported disabled panic alarms in prisoner transport vans. Microlise has made public disclosures indicating substantial progress in mitigating the threat and restoring customer systems, although some systems remained offline for security verification. Experts suggested the possibility of a ransomware attack based on the disruptions and company statements, even though Microlise did not explicitly confirm ransomware. SafePay is relatively new to the cybercrime scene, with few known victims and minimal information available about its operations or members. The attack on Microlise, given its scale and impact on critical logistics and public safety operations, marks a significant operation by the fledgling SafePay group. | Details |
| 2024-11-22 06:18:59 | thehackernews | MALWARE | Malicious Python Libraries Mimic AI Tools to Distribute JarkaStealer | Cybersecurity researchers uncovered two malicious Python packages on the Python Package Index (PyPI) posing as popular AI models, seemingly offering API access but instead containing malware. The identified packages, "gptplus" and "claudeai-eng," created by a user named "Xeroline," collectively attracted over 3,500 downloads before being removed from PyPI. Both packages included hidden Base64-encoded data in the "__init__.py" file, which triggered the download and execution of a Java-based information stealer named JarkaStealer. The malware could compromise sensitive data such as web browser information, system data, screenshots, and session tokens from applications like Telegram, Discord, and Steam. JarkaStealer is sold as part of a malware-as-a-service (MaaS) arrangement via a Telegram channel, and its source code is available on GitHub. The researchers highlighted that the primary victims of this malware were located in the U.S., China, India, France, Germany, and Russia, suggesting a targeted supply chain attack. The incident underscores the importance of exercising caution when dealing with open-source components and the ongoing risk of software supply chain attacks. | Details |
| 2024-11-22 05:28:21 | theregister | DATA BREACH | Yakuza Victim Helpline Compromised in Phishing Attack | A Japanese government agency assisting victims of organized crime issued an apology after a potential data breach. The Kumamoto Prefecture Violence Prevention Movement Promotion Center fears that the personal information of 2,500 individuals has been compromised. The leak occurred following a phishing attack in which a staff member inadvertently gave remote access to his computer. The center provides confidential consulting services for individuals threatened by gangsters, those attempting to exit organized crime groups, and relatives of individuals involved with gang members. The Yakuza is known for its severe reprisals against members trying to leave and for maintaining a rigid, loyal hierarchy. Despite a significant decrease in gang membership over decades, the Yakuza remains active and influential. Following the incident, the center has begun contacting potentially affected individuals and has advised the public to ignore unsolicited communication claiming to be from the center. | Details |
| 2024-11-22 01:16:05 | theregister | NATION STATE ACTIVITY | U.S. Cybersecurity Agency Conducts Red Team Exercise on Infrastructure | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) performed a controlled red team operation, simulating an attack on a critical infrastructure provider's network. CISA exploited an old web shell and other vulnerabilities, successfully gaining access to sensitive systems and extracting crucial data such as SSH keys and domain credentials. The exercise, lasting three months, was conducted without prior knowledge of the target's technology assets and incorporated tactics such as spear phishing and leveraging publicly known vulnerabilities. Despite malware defenses blocking initial payloads, CISA's continued efforts led to significant access, including root access, to multiple systems across the organization. The red team maintained persistent access, explored network defenses, and evaluated incident response capabilities without compromising operational technology (OT) devices. CISA's report emphasized the importance of network-layer protections, proper software configurations, and the critical role of leadership in prioritizing cybersecurity to prevent potential attacks. Key lessons highlight the need for comprehensive security measures beyond endpoint detection and the importance of timely remediation of identified vulnerabilities. | Details |
| 2024-11-21 20:11:28 | bleepingcomputer | NATION STATE ACTIVITY | Chinese APTs Innovate with New Linux Targeting Malware | A new Linux backdoor named WolfsBane, believed to have been developed by the Chinese Gelsemium hacking group, has been discovered alongside another Linux malware named FireWood. WolfsBane is described as similar to a previously identified Windows malware and features components such as a dropper, launcher, backdoor, and a modified open-source rootkit used for stealth. FireWood, although similar, appears to serve multiple Chinese APT groups rather than Gelsemium exclusively, suggesting shared tool usage among these groups. Security improvements in Windows, including better endpoint security and the disabling of VBA macros, are pushing these APT groups to target Linux systems more frequently. WolfsBane operates by disabling security settings and establishing persistence through modifications to system service files, while receiving commands from a C2 server. FireWood is capable of performing various espionage activities, maintaining persistence, and possibly using a kernel-level rootkit. These discoveries reveal an increasing trend of sophisticated attacks concentrated on Linux platforms due to their widespread use in internet-facing infrastructure. Comprehensive indicators of compromise for these threats have been published, providing necessary insight for defense and mitigation strategies. | Details |
| 2024-11-21 19:51:03 | bleepingcomputer | CYBERCRIME | Over 2,000 Palo Alto Firewalls Compromised by Zero-Day Exploits | Hackers exploited two zero-day vulnerabilities in Palo Alto Networks firewalls, affecting over 2,000 devices. The vulnerabilities, CVE-2024-0012 and CVE-2024-9474, allowed unauthorized administrative access and command execution with root privileges. CVE-2024-0012 is an authentication bypass in the management web interface, and CVE-2024-9474 enables privilege escalation. Palo Alto Networks has observed attackers using these vulnerabilities to install malware and execute commands on the compromised firewalls. Shadowserver reports tracking 2,700 vulnerable devices, with approximately 2,000 confirmed compromises. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog, mandating patches for federal agencies by December 9. Palo Alto Networks advises customers to secure their firewalls by restricting management interface access to trusted internal IP addresses. | Details |
| 2024-11-21 19:30:35 | theregister | MISCELLANEOUS | Security Concerns Over DARPA-Backed Military Voting System | DARPA-backed VotingWorks introduced a prototype for an encrypted military voting system called CACvote, aimed at facilitating absentee voting for U.S. military personnel stationed abroad. The system includes voting kiosks, a secure computer system, a cryptographic protocol for transmission, and a risk-limiting audit protocol to detect and correct integrity violations. Security researchers have criticized the system's feasibility and its alignment with U.S. election laws, citing unrealistic demands on voters and the security risks of internet voting. Researchers Appel and Stark contend that the proposed system, MERGE, makes excessive demands on voters for verifying cryptographic signatures and lacks the practicality for widespread implementation. Only a few U.S. states have the legal framework needed to accommodate the protocols CACvote requires, reducing its potential security benefits. The article notes concerns about the security of electronically returned ballots, referencing insecure systems in multiple countries. VotingWorks defends the CACvote project, emphasizing its research goal of providing a secure alternative to direct internet voting while maintaining an auditable paper backup. | Details |
| 2024-11-21 18:39:42 | bleepingcomputer | MALWARE | BianLian Ransomware Shifts Focus from Encryption to Data Theft | The BianLian ransomware operation, known for its double-extortion tactics, has now shifted primarily to data theft extortion. Originally, BianLian encrypted victims' systems after data exfiltration, but it has moved away from encryption since January 2024. The U.S. Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre have updated their advisory on BianLian's latest tactics, which now rely exclusively on data theft. The advisory notes BianLian's methods of obscuring its origin, such as using foreign-language names, though the agencies believe the core operators and affiliates are based in Russia. CISA's recommendations for countering the threat include limiting the use of Remote Desktop Protocol (RDP), disabling command-line and scripting permissions, and restricting PowerShell use. BianLian has been active since 2022 and has listed 154 victims on its extortion portal, predominantly targeting small to medium-sized organizations. Recent breaches attributed to BianLian include high-profile victims such as Air Canada, Northern Minerals, and Boston Children's Health Physicians, with several other prominent cases currently unconfirmed. | Details |
| 2024-11-21 17:48:58 | theregister | MALWARE | Security Flaws in Linux's needrestart Could Grant Root Access | Researchers at Qualys have discovered five serious vulnerabilities in the Linux needrestart utility that could allow local attackers to gain root access without user interaction. The security flaws were introduced in April 2014 and remained undetected for nearly a decade, affecting all versions of the utility before 3.8. Qualys has developed but not released exploits for these vulnerabilities, citing the ease of exploitation and the severe impact of potential abuse. The vulnerabilities stem from unsanitized environment variables and race conditions in the Python, Ruby, and Perl interpreters invoked by needrestart. They pose significant risks, including unauthorized access to sensitive data, malware installation, and potential disruption of business operations. Ubuntu Server, which installs needrestart by default, could have millions of vulnerable instances across its deployments. Enterprises are urged to update to needrestart version 3.8 or later, or to disable the vulnerable interpreter heuristic feature as an immediate mitigation. | Details |
| 2024-11-21 17:23:30 | theregister | NATION STATE ACTIVITY | Suspected Sabotage to Baltic Sea Internet Cables, China Monitored | Danish and Swedish authorities are investigating after two undersea internet cables in the Baltic Sea were damaged in suspected sabotage. The cables connect Finland to Germany and Lithuania to Sweden and are integral to European telecommunications. A Chinese ship, Yi Peng 3, is under close watch by Danish naval forces after it was located near the damaged cables. China denies any involvement in the incidents, despite the ship's proximity to the cables at the time of the damage. Cloudflare reported minimal impact on internet traffic in the affected regions thanks to Europe's robust internet infrastructure. The incident has raised international tensions, prompting discussions on the security of undersea cable systems and their implications for global internet traffic. Repair efforts for the damaged cables are underway, with completion expected by the end of November. The FCC in the US is considering new regulations for securing undersea cables, highlighting their significance in global communications. | Details |