Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12819

Checks for new stories every ~15 minutes

Title Summary
2024-11-05 11:01:48 thehackernews MISCELLANEOUS Enhancing Security with Wazuh's Zero Trust Capabilities
Zero Trust removes the implicit trust that perimeter-based security grants to anything already inside the network and replaces it with continuous verification of every user and device. Organizations adopt it because attackers who obtain a foothold (stolen credentials, a compromised endpoint) are invisible to perimeter controls. Wazuh, a free and open-source security platform, supports a Zero Trust programme through its XDR and SIEM capabilities, which run in cloud and on-premises environments. It detects abuse of legitimate tools, initial-access activity and vulnerable software, and it monitors system calls and configuration state so that policy violations and suspicious behaviour can be identified and acted on. Its active-response feature can automate containment steps for detected anomalies, reducing the manual load on security teams. Used this way, the platform gives organizations a stronger defensive posture against data breaches, ransomware and other emerging threats.
Details
2024-11-05 09:39:28 thehackernews MALWARE Synology Fixes Zero-Click RCE Vulnerability in NAS Devices
Synology, a Taiwanese NAS appliance maker, has patched a critical flaw tracked as CVE-2024-10443 in its Synology Photos application (on DiskStation Manager) and in BeePhotos (on BeeStation). The bug, dubbed RISK:STATION by its finder, allows unauthenticated, zero-click root-level code execution; no user interaction is required, so an exposed device can be compromised directly from the internet and used for data theft or further malware installation. It was demonstrated at the Pwn2Own Ireland 2024 contest by security researcher Rick de Jager of Midnight Blue, who estimates that one to two million internet-connected Synology devices are exposed. Technical details are being withheld to give users time to patch; until the update is applied, the practical mitigation is not to expose the device's photo services to the internet at all. Separately, QNAP fixed three critical vulnerabilities in its services that were also demonstrated at Pwn2Own.
Details
2024-11-05 06:41:11 theregister MISCELLANEOUS Google AI Detects First Unknown Exploitable Bug in SQLite
Google's Big Sleep, an LLM-driven vulnerability research agent built by Project Zero and DeepMind as a successor to Project Zero's Naptime framework, found a previously unknown stack buffer underflow in SQLite. The bug was reported and fixed in a development branch before it reached an official release, so no shipped SQLite version was affected. A stack buffer underflow (a read or write before the start of a stack buffer, typically through a negative index) can lead to crashes or arbitrary code execution, although this instance was judged difficult to exploit. Google describes it as the first public case of an AI agent finding an exploitable memory-safety bug in widely used software that fuzzing had missed: fuzzing, which feeds random or mutated inputs to a program and watches for crashes, had not reached this code path. The tool remains experimental and its value is still being measured against conventional methods such as fuzzing, but Google presents it as evidence that AI-assisted vulnerability discovery can shift the advantage to defenders.
Details
2024-11-05 05:34:54 thehackernews MALWARE Ethereum Smart Contracts Utilized in npm Typosquat Malware Campaign
An active campaign is targeting npm developers with typosquatted packages that imitate popular libraries such as Puppeteer and Bignum.js. At least 287 such packages have been identified; on installation they drop cross-platform malware that establishes persistence and exfiltrates data. Rather than hard-coding a command-and-control address, the packages use the ethers.js library to read the current C2 IP address from an Ethereum smart contract. This follows the "EtherHiding" pattern: the contract cannot be removed from the public chain, but the value it stores can be updated by whoever controls it, so the attackers can rotate C2 servers without republishing packages, while defenders cannot take the lookup infrastructure down and can only block it by blocking access to public Ethereum RPC endpoints. Error messages and log strings in the malware are in Russian, hinting at the operators' origin. For defenders, the practical signals are a dependency name one edit away from a well-known package, install-time lifecycle scripts, and network access to blockchain RPC endpoints during npm install.
Details
2024-11-05 05:09:18 thehackernews DATA BREACH Canadian Arrested for Data Breach and Extortion of Major Firms
Canadian national Alexander Moucka, who used the aliases "Judische" and "Waifu", was arrested on October 30, 2024 on a U.S. provisional arrest warrant in connection with the compromise of customer accounts at the cloud data warehousing service Snowflake and the extortion of the affected companies. The activity is attributed to the financially motivated group UNC5537, which targeted around 165 organizations, among them AT&T, Neiman Marcus and Ticketmaster; AT&T reportedly paid $370,000 for the hackers to destroy the stolen data. The attackers did not exploit a flaw in Snowflake itself: they logged in with customer credentials harvested by infostealer malware, often from machines used to run pirated software and games, against accounts that were not protected by multi-factor authentication. Snowflake disclosed the campaign in June 2024, describing it as targeted at a limited number of its customers. Moucka is believed to belong to the broader cybercrime community known as "the Com", whose activity spans digital and physical crime including aggressive tactics against rivals, and to have worked with John Binns, a fellow hacker arrested in Turkey in May 2024.
Details
2024-11-05 03:32:07 thehackernews MALWARE Google Discloses New Exploited Android Vulnerability, CVE-2024-43093
Google has warned that CVE-2024-43093, a privilege escalation flaw in the Android Framework, is under limited, targeted exploitation. The bug lets an app reach sensitive subdirectories under Android/data, Android/obb and Android/sandbox that are normally off limits to it, exposing other apps' private data. Google's bulletin also references CVE-2024-43047, a recently addressed vulnerability in Qualcomm chipsets that has likewise been exploited. CVE-2024-43093 is the second Android Framework flaw this year that Google has flagged as exploited in the wild, after CVE-2024-32896. It is not known whether CVE-2024-43093 was chained with other bugs to achieve a fuller compromise or to bypass device security controls, and Google has not disclosed who is using it or against whom. The fix ships through the monthly Android security bulletin, so when a given device receives it depends on its vendor's update schedule.
Details
2024-11-04 23:52:30 bleepingcomputer DATA BREACH Nokia Investigates Potential Data Leak from Third-party Vendor
Nokia is investigating a possible breach after a threat actor known as IntelBroker claimed to have stolen company source code through a third-party vendor. IntelBroker advertised a large collection of Nokia source code said to have been taken from a subcontractor working on Nokia development projects, and claimed the haul includes SSH keys, RSA keys, Bitbucket credentials and other secrets. Access was allegedly gained through default credentials on a SonarQube server run by the third party, on which Nokia's Python projects were stored. Nokia says its investigation has so far found no impact on its own systems or data. BleepingComputer shared a directory tree of the purportedly stolen data with Nokia but has not obtained confirmation that it belongs to the company. The claim fits a series of IntelBroker breaches affecting high-profile companies and organizations worldwide, and is a reminder that code-analysis servers hold copies of source code and frequently credentials, so they need the same hardening as the repositories they scan.
Details
2024-11-04 20:23:38 bleepingcomputer CYBERCRIME DocuSign Envelopes API Manipulated to Send Fake Invoices
Cybercriminals are abusing the DocuSign Envelopes API to send forged invoices that impersonate brands such as Norton and PayPal. Because the envelopes are created and delivered through DocuSign's own infrastructure, the messages come from genuine DocuSign domains and pass the sender-authentication checks that email gateways rely on, so they slip past traditional filters. Professional document design and plausible line items and fees add to the impression of legitimacy. Recipients are asked to e-sign the invoice; once signed, the attacker holds a document that appears to authorize payment and can use it to request funds outside normal billing controls. Wallarm observed the activity and reported it to DocuSign, noting the extensive automation involved, and users on DocuSign's community forums report frequent similar phishing attempts with few effective channels for reporting abuse. The incident illustrates a broader problem with APIs: a legitimately authenticated account can still be used to cause significant harm, so monitoring has to look at how accounts behave, not only whether they are authorized.
Details
2024-11-04 19:27:21 bleepingcomputer DATA BREACH Schneider Electric Confirms Data Breach on Developer Platform
Schneider Electric has confirmed a breach of its developer platform, specifically a JIRA server, after a threat actor going by "Grep" claimed responsibility. Grep, who leads a new hacking group called International Contract Agency (ICA), says the group took 40GB of data including 400,000 rows with 75,000 unique email addresses and names of employees and customers, as well as project details. Access was gained with exposed credentials, after which the MiniOrange REST API plugin for JIRA was used to pull the data in bulk. Schneider's Global Incident Response team was mobilized, and the company says its products and services remain unaffected. Grep mockingly demanded a ransom of $125,000 in "baguettes" on a dark web site and threatened to leak the data if the breach was not acknowledged within 48 hours. The incident follows a breach earlier in the year of Schneider Electric's Sustainability Business division by the Cactus ransomware group.
Details
2024-11-04 17:50:15 bleepingcomputer MALWARE Custom "Pygmy Goat" Malware Targets Sophos Firewalls in Government Network
The UK National Cyber Security Centre (NCSC) has published an analysis of "Pygmy Goat", a Linux backdoor written specifically for Sophos XG firewall appliances. It belongs to the multi-year series of intrusions that Sophos tracks as "Pacific Rim" and attributes to Chinese threat actors. Pygmy Goat is a shared object that mimics Sophos file-naming conventions and is loaded into the sshd process through the LD_PRELOAD environment variable, giving it rootkit-like persistence, evasion and remote access. It activates its backdoor when it sees a specific sequence of "magic bytes" in incoming SSH traffic, and it talks to its command-and-control infrastructure over TLS (with ICMP packets carrying an encrypted payload as an alternate channel) in a way that blends with legitimate traffic. The malware was deployed by exploiting CVE-2022-1040 and was found on devices in government and technology-partner networks. NCSC's report supplies file hashes, YARA rules and Snort rules for detection, and recommends checking specific files on the device, looking for an unexpected LD_PRELOAD on sshd, and watching for the encrypted payloads the implant uses.
Details
2024-11-04 17:03:57 theregister RANSOMWARE Columbus Faces Massive Data Breach in Rhysida Ransomware Attack
The City of Columbus, Ohio has confirmed that 500,000 people were affected by a Rhysida ransomware attack that resulted in a large-scale data breach. After the city refused to pay, Rhysida published around 3 TB of stolen files on its dark web leak site. The exposed material came from city prosecutor and police databases and includes personal information on domestic violence victims, police officers and crime witnesses, with home addresses as well as names, so the leak creates physical-safety risk and not only fraud risk. Security researcher Connor Goodwolf (the online name of David Leroy Ross) downloaded the files and showed that domestic violence victims were among those exposed, prompting the city to sue him. Columbus is offering all residents two years of free credit monitoring through Experian, and Mayor Andrew Ginther and city officials have been criticized for their handling of breach notification.
Details
2024-11-04 16:00:44 bleepingcomputer MALWARE New Phishing Attack Installs Backdoored Linux VMs on Windows
A phishing campaign that Securonix tracks as CRON#TRAP plants a backdoored Linux virtual machine on Windows hosts to reach corporate networks. The lure is an email posing as a "OneAmerica survey" with a 285MB ZIP archive; the archive holds a Windows shortcut and a 'data' folder containing the QEMU emulator, renamed to fontdiag.exe. Opening the shortcut runs commands that boot a Linux VM named 'PivotBox' which already contains a backdoor for persistent command-and-control communication. Inside the VM the backdoor uses Chisel, a tunneling tool, to carry C2 traffic out through firewalls. For persistence the attackers configure the VM to start on host reboot and install their own SSH keys so they can return without re-authenticating. Because QEMU is a legitimately signed application and the guest's activity is hidden inside the emulator process, Windows security tooling sees little of what happens. Recommended defences include alerting on and blocking qemu.exe (and QEMU binaries under other names, which their version-info fields still identify), blocking virtualization suites that have no business use, and disabling hardware virtualization in firmware on critical devices; note that the last measure only slows QEMU down, since it can emulate a guest in software without hardware acceleration.
Details
2024-11-04 15:55:03 bleepingcomputer MALWARE New Phishing Attack Installs Linux VMs with Backdoors on Windows
Researchers at Securonix have identified a phishing campaign, labelled CRON#TRAP, that installs backdoored Linux virtual machines on Windows systems through emails posing as a "OneAmerica survey". The 285MB ZIP attachment holds a Windows shortcut and the QEMU emulator; when the shortcut is run it boots a Linux VM called 'PivotBox' that ships with a backdoor, giving the attackers stealthy access to the network. The VM uses the Chisel tool to tunnel traffic over WebSockets through an encrypted channel, which carries remote command execution, reconnaissance and data theft past firewalls and host-based detection. For persistence the setup edits start-up scripts so the QEMU environment relaunches after a host reboot, and authentication to the guest is handled with attacker-generated SSH keys. Suggested defences are monitoring qemu.exe processes, blocking QEMU and other virtualization suites where they have no business use, and disabling virtualization on critical systems, with the caveat that QEMU can still run a guest through software emulation when hardware virtualization is off.
Details
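Both CRON#TRAP rows above end with the same advice, monitor qemu.exe, but the campaign ran QEMU under the name fontdiag.exe, so a rule keyed on the image name misses it. The Python below is an added example, not code from Securonix or from the article: it applies a few rules to process-creation events in the shape of Sysmon Event ID 1 (Image, OriginalFileName, Description, Company, CommandLine, ParentImage) and catches the renamed binary through its PE version info and its command-line shape. The three sample events are constructed for the demo and the command line only imitates the shape of a headless QEMU launch.

```python
"""Hunt for a QEMU guest launched under a disguised name, as in CRON#TRAP.

Added example, not code from the Securonix write-up. It runs a few detection
rules over process-creation events in the shape of Sysmon Event ID 1 (fields
such as Image, OriginalFileName, Description, Company, CommandLine, ParentImage).
The sample events are constructed for the demo; the command line imitates the
shape of a headless QEMU launch and is not copied from the campaign.
"""
import re
from typing import Dict, List

# Flags that almost only appear on a QEMU command line; two or more is a strong hint.
QEMU_FLAG = re.compile(
    r"(?:^|\s)-(drive|hda|hdb|cdrom|netdev|nographic|display|accel|qmp|monitor|snapshot)\b")
DISK_IMAGE = re.compile(r"\.(qcow2|img|iso|vmdk)\b", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons one process-creation event looks like a QEMU launch
    (an empty list means nothing to report)."""
    image = ev.get("Image", "")
    base = image.rsplit("\\", 1)[-1].lower()
    orig = ev.get("OriginalFileName", "").lower()
    meta = " ".join(ev.get(k, "") for k in ("Description", "Product", "Company")).lower()
    cmd = ev.get("CommandLine", "")
    reasons = []

    # Rule 1: the PE's own version info says QEMU even though the file was renamed.
    if orig.startswith("qemu") or "qemu" in meta:
        if base.startswith("qemu"):
            reasons.append("QEMU process started")
        else:
            reasons.append(f"renamed QEMU binary: {base} carries OriginalFileName '{orig or '?'}'")

    # Rule 2: a non-QEMU image name with a QEMU-shaped command line (covers binaries
    # whose version info was stripped).
    flags = sorted(set(QEMU_FLAG.findall(cmd)))
    if len(flags) >= 2 and not base.startswith("qemu"):
        reasons.append(f"QEMU-style arguments ({', '.join(flags)}) from non-QEMU image")

    # Context that raises severity only when a QEMU signal is already present.
    if reasons:
        if any(p in image.lower() for p in USER_WRITABLE):
            reasons.append("image in user-writable path")
        if DISK_IMAGE.search(cmd):
            reasons.append("disk image on command line")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Classify a batch of events; renamed binaries and user-writable paths are 'high'."""
    alerts = []
    for ev in events:
        reasons = classify_event(ev)
        if not reasons:
            continue
        high = any(r.startswith(("renamed QEMU", "QEMU-style", "image in user-writable"))
                   for r in reasons)
        alerts.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"),
                       "severity": "high" if high else "info", "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-11-04 14:02:11", "ProcessId": "4120",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\data\\fontdiag.exe",
     "OriginalFileName": "qemu-system-x86_64.exe",
     "Description": "QEMU machine emulators and tools", "Company": "QEMU",
     "CommandLine": "fontdiag.exe -m 256M -netdev user,id=n0 -device e1000,netdev=n0 "
                    "-hda PivotBoxDisk.qcow2 -display none -L .",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"UtcTime": "2024-11-04 14:05:40", "ProcessId": "5008",
     "Image": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe",
     "OriginalFileName": "qemu-system-x86_64.exe",
     "Description": "QEMU machine emulators and tools", "Company": "QEMU",
     "CommandLine": "qemu-system-x86_64.exe -m 2G -hda dev.qcow2",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"UtcTime": "2024-11-04 14:06:02", "ProcessId": "5210",
     "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "Description": "Notepad", "Company": "Microsoft Corporation",
     "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], alert["image"], *alert["reasons"], sep=" | ")
```

The genuine QEMU install in Program Files still produces an "info" alert, which is what the article's monitor-qemu.exe advice amounts to; the disguised copy in the user's Temp directory scores "high" on two independent rules, so stripping the version info from the binary would not silence it.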
2024-11-04 15:02:01 bleepingcomputer MISCELLANEOUS Enhancing Organizational Security Through Improved Password Policies
Passwords remain the primary defence for 88% of global online services, so they continue to matter despite talk of a passwordless future. Many users still choose easy-to-remember and frequently reused passwords, and the predictability of human choices and the small character sets people actually use make such passwords cheap to guess. Tools such as purpose-built spreadsheets and policy strength checkers let administrators evaluate and tighten password rules without handling real password data. Multi-factor authentication adds a large margin of safety, with Microsoft reporting that MFA blocks more than 99% of account compromise attempts. Password managers generate and store long random passwords, removing the reuse that lets one breach compromise several accounts. Specops Password Policy offers custom rules, compliance reporting and continuous scanning of Active Directory passwords against a database of over 4 billion compromised credentials. Employee education remains essential, since informed staff are a key element of any defence. The article, from Specops Software, argues for strict, well-managed password policies combined with modern tooling and user training.
Details
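The row above mentions checking passwords against breach data without handling the password itself. The Python below is an added example of how that is usually done; it is not Specops' implementation (the article does not describe one) but follows the k-anonymity range-query scheme popularised by the Have I Been Pwned Pwned Passwords API: the client sends only the first five hex characters of the password's SHA-1 and matches the remainder locally. The breach corpus and the in-memory range server are constructed stand-ins so the example runs offline.

```python
"""Check a candidate password against breach data without disclosing it.

Added example, not Specops' implementation (the article does not describe it).
It follows the k-anonymity range-query scheme popularised by the Have I Been
Pwned Pwned Passwords API: the client sends only the first five hex characters
of the password's SHA-1 and matches the rest locally. The breach corpus and the
range server below are constructed stand-ins so the example runs offline.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed breach corpus: password -> number of times seen (assumption: stands in
# for a real feed of compromised credentials).
BREACHED_PASSWORDS = {"password123": 120000, "Winter2024!": 340, "letmein": 9800, "qwerty": 400000}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Stand-in for a k-anonymity range endpoint. For a 5-hex-character prefix it
    returns every known hash with that prefix as 'SUFFIX:COUNT' lines, and it logs
    each query so a caller can verify that only prefixes ever reach the server."""

    def __init__(self, corpus: Dict[str, int]) -> None:
        self.index: Dict[str, List[str]] = {}
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self.index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
        self.queries: List[str] = []

    def range(self, prefix: str) -> List[str]:
        self.queries.append(prefix)
        return list(self.index.get(prefix.upper(), []))


def pwned_count(password: str, server: RangeServer) -> int:
    """How many times the password appears in breach data (0 = not found).
    Only the 5-character prefix leaves this function; the suffix match is local."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in server.range(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_policy(password: str, server: RangeServer,
                    min_length: int = 12) -> Tuple[bool, List[str]]:
    """Apply a minimal policy: a length floor plus a breach-list check. Composition
    rules (digits, symbols) are deliberately absent; a long password that is not in
    breach data beats a short one that satisfies every character class."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = pwned_count(password, server)
    if seen:
        problems.append(f"appears {seen} times in breach data")
    return (not problems, problems)


if __name__ == "__main__":
    server = RangeServer(BREACHED_PASSWORDS)
    for pw in ("password123", "Winter2024!", "correct horse battery staple"):
        ok, problems = evaluate_policy(pw, server)
        print(f"{pw!r}: {'accepted' if ok else 'rejected'} {problems}")
    print("prefixes sent to server:", server.queries)
```

The server-side log is the point of the design: against a real corpus a five-character prefix maps to hundreds of hashes, so the service learns nothing usable about which password was checked, while the client still gets an exact answer. When wiring this to a real endpoint, rate-limit and cache the prefix lookups, and never log the full digest on the client side either.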
2024-11-04 14:56:35 bleepingcomputer DATA BREACH Columbus City Ransomware Attack Exposes Data of 500,000 People
The City of Columbus, Ohio suffered a ransomware attack on July 18 in which the personal and financial information of 500,000 people was stolen. The Rhysida ransomware gang claimed to have taken 6.5 TB of data from city servers. City officials initially said no data had been compromised, but the gang began publishing the stolen data, about 3.1 TB of it, on its dark web leak site. Security researcher David Leroy Ross, known online as Connor Goodwolf, demonstrated that the published data was neither encrypted nor corrupted, contradicting the city's statements; the city responded by suing him, obtaining a temporary restraining order against further dissemination and seeking damages. Columbus is now offering affected residents two years of free credit monitoring and identity restoration services and urging them to watch their financial accounts for fraud. No evidence of misuse of the leaked data has been reported so far, though monitoring and investigation continue.
Details