Daily Brief

2024-11-01 17:54:20 bleepingcomputer CYBERCRIME LastPass Users Targeted by Fake Support Scam Campaign
LastPass warns users about scammers posting fake support phone numbers in Chrome extension reviews. Scammers use these numbers to trick individuals into downloading remote access software, exposing user data. False customer service numbers for other major companies like Amazon, Adobe, and Facebook are also promoted. Threat actors engage callers with detailed queries while installing additional malicious software in the background. The malicious software connects to attacker-controlled servers, further compromising user security. LastPass advises users never to share their master passwords, even with seemingly legitimate support representatives. The scam campaign spans multiple platforms, not limited to Chrome extensions, including various social and forum sites. All detected fraudulent activities are linked to a single phone number used across multiple fake company support claims.
2024-11-01 16:42:29 bleepingcomputer CYBERCRIME Synology Rapidly Fixes Zero-Day Vulnerabilities Post-Pwn2Own
Synology issued patches for two critical zero-day vulnerabilities discovered at Pwn2Own 2024. Security researcher Rick de Jager identified zero-click flaws in the Synology Photos and BeePhotos software. The patched vulnerabilities could allow remote code execution on Synology BeeStation NAS devices. Users are urged to manually update their systems to prevent potential cyber attacks. QNAP also patched similar vulnerabilities found during the same hacking competition. The vulnerabilities could have wider implications, as Synology NAS units are used globally by police and critical infrastructure sectors. The patches were issued within days, although vendors usually have 90 days to patch before ZDI publicizes the vulnerability details. If exposed to the internet, the NAS devices are vulnerable to ransomware and other types of cyber attacks.
2024-11-01 14:55:01 bleepingcomputer DDOS Dstat.cc DDoS Review Site Seized, Operators Arrested in Global Crackdown
Law enforcement recently seized the Dstat.cc website, which provided reviews and recommendations for DDoS services and facilitated the coordination of such attacks. Two suspects, aged 19 and 28, were arrested in Germany under Operation PowerOFF for their involvement with Dstat.cc and an unrelated synthetic drug market. Dstat.cc did not directly provide DDoS attacks but was instrumental in helping hackers demonstrate and promote their DDoS capabilities, affecting critical services including healthcare. The platform's associated Telegram channel, used for discussing attacks and offering services, has been cleared of all messages and locked to prevent further communication. The arrests and site seizure were part of broader international efforts, which included searches and seizures across multiple countries such as France, Greece, Iceland, and the USA. The suspects are charged under German law with crimes that could lead to up to ten years in prison and significant fines. Operation PowerOFF previously led to similar crackdowns in the UK and Poland, targeting other DDoS-related “stresser” or “booter” services.
2024-11-01 14:14:03 thehackernews NATION STATE ACTIVITY Iranian Cyber Group Targets Olympics, Uses AI for Propaganda
A joint advisory by U.S. and Israeli cybersecurity agencies named an Iranian cyber group, Emennet Pasargad (or ASA), responsible for cyber-attacks targeting the 2024 Summer Olympics and spreading anti-Israel propaganda. Emennet Pasargad, attributed to Iran's Islamic Revolutionary Guard Corps (IRGC), manipulated commercial digital displays during the Olympics to protest Israeli participation. The group employed AI technologies like Remini AI Photo Enhancer and Voicemod to create and distribute forged images and audio content. ASA also orchestrated cyber operations using fictitious hosting resellers to obscure its malicious activities and support Hamas-affiliated initiatives. Tactics included stealing content from IP cameras and attempting psychological warfare by contacting Israeli hostages' families post-conflict. Domains linked to ASA's cyber campaigns were seized in a law enforcement operation by the U.S. Attorney's Office and the FBI. The U.S. Department of State is offering a $10 million reward for information leading to the identification of members of another associated IRGC hacking group targeting U.S. infrastructure.
2024-11-01 11:00:30 theregister DDOS UK Councils Targeted in DDoS Attacks by Pro-Russia Group
Multiple UK local authority websites were attacked and rendered inaccessible by a series of DDoS attacks orchestrated by the pro-Russia group NoName057(16). The attacks began in response to the UK's visible support for Ukraine amidst ongoing conflict with Russia. NoName057(16) has repeatedly targeted entities perceived as anti-Russian. Affected councils included Bradford, Eastleigh, Keighley, Salford, Tameside, and Trafford, with several websites remaining offline for extended periods. The National Cyber Security Centre (NCSC) has been involved, providing guidance and support to the affected local authorities to mitigate and prevent further attacks. Councils have experienced various technical issues post-attack, with some still facing ongoing problems in restoring full functionality to their websites. Despite clear disruptions, the actual data and essential services of the councils were not compromised during these DDoS attacks. Security experts have highlighted the importance of better DDoS protection measures, especially for services like Azure App Service, which currently lacks native DDoS defense capabilities.
2024-11-01 10:29:36 thehackernews DATA BREACH Five SaaS Configuration Errors Leading to Security Breaches
Misconfigurations in SaaS applications are persistent risks, potentially leading to severe security breaches. Critical organizational assets face threats from cybercriminal groups exploiting such vulnerabilities. The MGM Resorts International cyberattack in September 2023, perpetrated by Scattered Spider using social engineering, highlights the dangers of admin privilege misconfigurations. Common misconfigurations include unchecked admin privileges, disabled multi-factor authentication for critical roles, legacy authentication vulnerabilities, excessive super admin roles, and mismanaged group settings in applications like Google Groups. Continuous monitoring and proactive management of SaaS configurations, guided by frameworks like CISA’s SCuBA, are essential to enhance security and ensure compliance. Tools like Wing Security provide real-time monitoring, compliance tracking, and actionable steps to manage and remedy critical SaaS misconfigurations. SaaS security risk assessments are advised to identify and rectify potential misconfigurations effectively, preventing catastrophic data breaches and preserving business continuity and reputation.
2024-11-01 10:29:36 thehackernews DATA BREACH Massive Cyberattack Exposes Over 15,000 Credentials and Clones Git Repositories
A large-scale cyberattack, dubbed EMERALDWHALE, has exploited exposed Git configurations to steal credentials and clone over 10,000 private repositories. The stolen credentials and repositories were stored in a previously compromised Amazon S3 bucket, which Amazon has since shut down. The compromised details include credentials for cloud service providers (CSPs), email platforms, and other services, mainly used for phishing and generating spam. The attackers used specific tools such as MZR V2 and Seyzo-v2, available on dark web markets, to aid in locating and exploiting vulnerable Git repositories. Sysdig reports that the attackers also targeted Laravel .env files, extracting a wealth of sensitive information including cloud service credentials and database details. The operation’s magnitude is highlighted by a list of over 67,000 URLs linking to exposed "/.git/config" files found for sale on Telegram. This breach has not been linked to any known threat actor, indicating an emerging or uncharacterized group or individual behind the attacks.
2024-11-01 09:53:28 thehackernews NATION STATE ACTIVITY Chinese Botnet Targets Global Networks for Credential Theft
Microsoft identified a Chinese threat actor, Storm-0940, using a botnet known as Quad7 for sophisticated password spray attacks. The attacks primarily aim to steal credentials from various Microsoft customers, impacting organizations across North America and Europe. Quad7, also dubbed CovertNetwork-1658, targets routers and VPN devices by exploiting security vulnerabilities, facilitating remote code execution. The botnet has been active since at least 2021, leveraging compromised devices for brute-force sign-in attempts and credential extraction against Microsoft 365 accounts. Microsoft's findings suggest that the botnet is part of a broader strategy by Chinese state-sponsored actors for network exploitation, including lateral movement and data exfiltration. Investigations revealed that as many as 8,000 devices could be active within this botnet at a time, although only a fraction are used for the actual password spraying. Post-disclosure, there has been a noticeable decline in botnet activity, indicating that the operators might be regrouping with new, altered infrastructure to evade detection. The collaboration between botnet maintainers in China and other groups enhances the speed and scale of attacks, posing significant risks to targeted sectors globally.
2024-11-01 08:52:10 thehackernews MISCELLANEOUS Microsoft Postpones Windows Copilot+ Feature Release
Microsoft has delayed the release of its Recall feature for Windows Copilot+ due to privacy and security enhancements. Originally set for an October preview, the feature is now rescheduled for preview in December with Windows Insiders. Recall is designed to allow users to search through a visual timeline of their PC activity, effectively giving the machine a "photographic memory." Privacy concerns arose after initial previews, leading to the feature being disabled by default and made opt-in. Microsoft plans to include improved system architecture and "just in time" decryption to enhance security. The enhancements will utilize Windows Hello Enhanced Sign-in Security for safer access to the Recall snapshots. Microsoft assures that the ongoing development of Windows Copilot+ PCs, including the Recall feature, is governed by the Secure Future Initiative (SFI) to ensure trust and security.
2024-11-01 08:36:41 theregister MISCELLANEOUS Hacker Exploits Nintendo Alarmo to Display Custom Images
A hacker named GaryOderNichts successfully breached Nintendo's new alarm clock, Alarmo, allowing custom code execution. Gary leveraged existing research by Naomi Smith who had identified Serial Wire Debug (SWD) pins and vulnerabilities in the device. Utilizing a Raspberry Pi and collaborating with researcher Mike Heskin, Gary managed to decrypt the device’s files using an obtained AES-128-CTR key. This decryption facilitated the understanding of the device's boot process, enabling the upload and execution of firmware binaries over USB. Gary's manipulation of the alarm clock allowed him to display a custom image of a cat on the device. He has released his USB payload and a project for others to brute-force the Alarmo’s encryption key, potentially leading to further custom modifications. Nintendo has yet to comment on the situation, and it remains uncertain how they will respond to such alterations of their product.
2024-11-01 04:32:16 thehackernews CYBERCRIME Expert Webinar on Combating LUCR-3 Identity-Based Cyber Attacks
Advanced threat actors, like LUCR-3, increasingly target identity systems in major organizations, extracting sensitive data rapidly. These cybercriminals exploit vulnerabilities in SaaS and cloud environments to move laterally within networks and cause significant damage. Traditional security measures are becoming ineffective against these sophisticated and evolving threats, exposing organizations to increased risks of data breaches, financial losses, and reputational harm. A cybersecurity webinar will offer crucial insights and actionable strategies to protect organizations from identity-based cyber attacks. Ian Ahl, SVP at P0 Labs and former Head of Advanced Practices at Mandiant, will lead the webinar, sharing his extensive experience in cyber defense. Participants will learn how to defend against sophisticated attacks that exploit identity-based vulnerabilities by understanding tactics from past breaches and expert responses.
2024-11-01 03:51:23 thehackernews CYBERCRIME Xiū gǒu Phishing Kit Targets Global Users with Over 2000 Fake Sites
Cybersecurity researchers have identified a new phishing kit named Xiū gǒu, which has launched over 2,000 phishing websites targeting users in Australia, Japan, Spain, the UK, and the US. The phishing kit is utilized across various sectors including the public sector, postal, digital services, and banking, exploiting Cloudflare's features to evade detection. Xiū gǒu is developed by Chinese-speaking threat actors, using technologies such as Golang and Vue.js, and is equipped with an admin panel to manage phishing operations. The phishing attacks are disseminated through Rich Communication Services (RCS) messages, alerting users to fictitious parking penalties or failed package deliveries and urging them to click malicious links. Credential data extracted by the phishing sites is transmitted via Telegram, while the sites themselves are hosted under the ".top" top-level domain. Google and other tech companies are advancing their efforts in scam detection, employing on-device machine learning to filter fraudulent messages, and introducing new security features in several countries. Xiū gǒu lowers the entry barrier for cybercriminals, potentially increasing the frequency of phishing and sensitive information theft incidents.
2024-11-01 00:01:49 theregister CYBERCRIME Emeraldwhale Gang Steals 15,000 Credentials in Cloud Security Breach
Emeraldwhale, an unidentified cybercrime group, exploited misconfigured cloud services to steal over 15,000 credentials from cloud and email providers. The attack targeted exposed Git configuration and Laravel environment files through a massive scanning campaign using specialized tools. Stolen credentials included access to over 10,000 private repositories, containing sensitive information such as usernames, passwords, and API keys. The credentials, potentially worth hundreds of dollars each, likely aimed to facilitate spam and phishing campaigns. Sysdig's threat research team inadvertently discovered the data in an unsecured AWS S3 bucket linked to a previous victim, not Sysdig's own network. After being alerted, AWS took down the compromised S3 bucket to prevent further abuse. The tools used in the attack, MZR V2 and Seyzo-v2, were instrumental in harvesting valuable credentials and were noted to contain French-written code. The sophistication of the tools and methods suggests Emeraldwhale may be linked to a more established criminal network.
2024-10-31 22:19:18 bleepingcomputer NATION STATE ACTIVITY Sophos Engages in 5-Year Battle with Chinese Cyber Threats
Sophos has been contending with Chinese cyber attackers targeting global network devices for over five years. The attacks centered on exploiting vulnerabilities in devices from top manufacturers like Cisco, Juniper, and Sophos itself. The Chinese groups, identified as Volt Typhoon, APT31, and APT41/Winnti, utilized custom malware, botnets, and novel exploits. Sophos's investigations began in earnest after its subsidiary Cyberoam was targeted in 2018, signaling an escalation in network device attacks. Chinese researchers, suspected of collaborating with the government, have played a role in developing and sharing zero-day vulnerabilities. The scale and sophistication of the attacks have increased, using tactics like memory-only malware and compromised network devices as proxies to avoid detection. Sophos deployed countermeasures, including custom implants, to gather intelligence on attackers and demonstrate defensive capabilities. Sophos has published detailed reports to aid the cybersecurity community in defending against such sophisticated threats.
2024-10-31 20:06:48 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Utilize Quad7 Botnet for Credential Theft
Microsoft has identified Chinese threat actors using the Quad7 botnet to conduct password spray attacks and steal credentials. The Quad7 botnet, initially discovered by Gi7w0rm, primarily comprises compromised SOHO routers from various manufacturers such as TP-Link and ASUS. Hackers deploy custom malware and SOCKS5 proxy servers on infected devices to facilitate remote access and blend malicious activities with legitimate traffic. Research linked the proxy software in the botnet to an individual in Hangzhou, China, suggesting the geographical origin of the cyberattacks. These threat actors make minimal login attempts per account to avoid detection, with 80% of attacks attempting only one sign-in per account each day. Acquired credentials are then used immediately for network infiltration, installing additional RATs and proxy tools to maintain presence and gather more data. Data exfiltration appears to be the main objective, likely for cyber espionage purposes. The exact method of initial device compromise remains unclear, though one significant attack leveraged an OpenWRT zero-day, suggesting sophisticated exploit use.