Daily Brief
Find articles below; see 'DETAILS' for the generated summaries.
Total articles found: 12813
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | |
|---|---|---|---|---|---|
| 2024-10-09 21:23:27 | bleepingcomputer | MALWARE | Massive Crypto-Stealing Malware Campaign Hits 28,000 Victims | More than 28,000 people were infected by a cryptocurrency-stealing malware campaign concentrated in Russia, with further victims in several other Eurasian countries.
The malware was distributed through deceptive YouTube videos and fraudulent GitHub repositories that promoted seemingly legitimate software downloads.
Cybersecurity firm Dr.Web reported that the malware was hidden inside password-protected archives posing as tools such as game cheats and trading bots; because the archives are encrypted, antivirus software cannot inspect their contents, so the infection chain begins unnoticed.
Once the user runs the extracted files, the malware checks for and disables debugging tools, hijacks system services, and modifies the Windows registry to persist and to resist detection and removal.
Two main payloads are delivered: "DeviceId.dll", a cryptocurrency miner, and "7zxa.dll", which manipulates wallet addresses in outgoing transactions; the latter diverted about $6,000 in transactions to attacker-controlled addresses.
Dr.Web advises downloading software only from official websites and treating links on popular platforms such as YouTube and GitHub with caution to avoid such losses. | Details |
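The address-swapping payload above is the kind of behaviour a host-side clipboard monitor can catch. The detector below is an added example, not code from the article or from Dr.Web; it assumes that "7zxa.dll" works by rewriting the clipboard (the classic "clipper" technique, which the summary does not spell out) and runs over a constructed clipboard history rather than a live Windows clipboard hook.

```python
"""
Heuristic detector for clipboard "clipper" activity: a copied cryptocurrency
address is replaced, almost immediately, by a different address of the same
format. Added example, not code from the article or from Dr.Web. That the
malware rewrites the clipboard is an assumption; the event log is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address formats the detector recognises (assumed set; extend as needed)
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class ClipEvent:
    t: float        # seconds since monitoring started
    content: str    # clipboard text after the change


def classify(text: str) -> Optional[str]:
    """Name of the address format `text` matches, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_clipper(events: List[ClipEvent], window: float = 2.0) -> List[Tuple[float, str, str]]:
    """Return (time, original, replacement) for every case where an address was
    swapped for a different address of the same format within `window` seconds.
    A person rarely copies two distinct addresses that quickly; a clipper, which
    reacts to the clipboard-change notification, does so almost instantly."""
    hits = []
    last_address: Optional[Tuple[ClipEvent, str]] = None
    for ev in events:
        kind = classify(ev.content)
        if last_address is not None and kind == last_address[1]:
            prev_ev = last_address[0]
            if ev.content != prev_ev.content and ev.t - prev_ev.t <= window:
                hits.append((ev.t, prev_ev.content, ev.content))
        # Only an address can be the "before" of a swap; anything else resets.
        last_address = (ev, kind) if kind else None
    return hits


# Constructed clipboard history: the victim copies an ETH address to pay an
# invoice and 300 ms later the clipboard holds the attacker's address. The
# Bitcoin strings are the widely published documentation example addresses.
VICTIM_ETH = "0x" + "ab" * 20      # placeholder, not a real wallet
ATTACKER_ETH = "0x" + "cd" * 20    # placeholder, not a real wallet
SAMPLE_EVENTS = [
    ClipEvent(10.0, VICTIM_ETH),
    ClipEvent(10.3, ATTACKER_ETH),                                   # swap -> alert
    ClipEvent(40.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),          # user copies a BTC address
    ClipEvent(95.0, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),          # another one 55 s later: fine
    ClipEvent(120.0, "meeting moved to 3pm"),                        # ordinary text
    ClipEvent(130.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(130.4, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # same value re-set: fine
]


def scan_sample() -> List[Tuple[float, str, str]]:
    return detect_clipper(SAMPLE_EVENTS)


if __name__ == "__main__":
    for t, before, after in scan_sample():
        print(f"t={t:.1f}s possible clipper: {before} -> {after}")
```

On a real endpoint the events would come from a clipboard-change listener (on Windows, a window registered with AddClipboardFormatListener) and the alert would name the process that set the clipboard, which is the strongest signal of all: a legitimate copy comes from the wallet or browser, a swap from something else.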
| 2024-10-09 21:13:00 | theregister | DATA BREACH | Marriott to Pay $52M and Boost Cybersecurity Post-Breach | Marriott has agreed to pay a $52 million settlement and to improve its security program after a series of data breaches between 2014 and 2020 affected more than 344 million people worldwide.
The settlement was reached with 49 state attorneys general and the District of Columbia following an investigation into the theft of customer information, including financial details.
Under a separate agreement with the US Federal Trade Commission, Marriott must implement enhanced security measures, certify compliance for 20 years, and allow customers to request deletion of their personal data.
The breaches at Marriott and its Starwood subsidiary included the theft of payment card information and sensitive guest account records, exposing data such as unencrypted passport numbers and other personal identifiers.
Critics note that the settlement is small relative to Marriott's $23.71 billion revenue in 2023 and question whether the penalty will have any real financial effect.
Under the settlements, Marriott must also give customers a way to review and report unauthorized activity in their loyalty accounts, and it has promised to restore stolen loyalty points. | Details |
| 2024-10-09 19:35:45 | theregister | DATA BREACH | Major Data Leak Leads to Bankruptcy for National Public Data | National Public Data has filed for bankruptcy following a massive data leak affecting "hundreds of millions" of people.
A hacking group calling itself USDoD offered 2.9 billion personal records for sale at $3.5 million, and the data was later exposed online.
The company originally claimed that only 1.3 million individuals were affected by the breach.
The leaked information included sensitive data such as Social Security numbers and email addresses.
Bankruptcy filings show the company is overwhelmed by financial liabilities and numerous class-action lawsuits.
Further legal exposure, including possible action by the FTC and various states, compounds the firm's troubles.
The company's assets are minimal, severely limiting any compensation for the affected plaintiffs.
Salvatore Verini, Jr., the company's sole operator, is left facing significant legal and financial challenges with limited resources. | Details |
| 2024-10-09 18:59:35 | bleepingcomputer | CYBERCRIME | Palo Alto Networks Urges Patching of Expedition Flaws That Can Hijack Firewalls | Palo Alto Networks has warned customers to patch critical vulnerabilities in its Expedition configuration-migration tool; the flaws can be used to take over the PAN-OS firewalls whose configurations Expedition handles.
The flaws in Expedition, which helps customers migrate firewall configurations, can expose usernames, passwords, API keys, and other sensitive data.
They include command injection, cross-site scripting (XSS), cleartext storage of sensitive information, and SQL injection, among others.
Zach Hanley of Horizon3.ai discovered the vulnerabilities and has published a root cause analysis along with a proof-of-concept exploit, so attackers have working code to start from.
No exploitation has been observed yet, but the company strongly advises upgrading to Expedition 1.2.96 or later, which fixes the issues.
After upgrading, rotate all usernames, passwords, and API keys stored in Expedition, and likewise those of every firewall whose credentials Expedition has processed, since they may already have been exposed.
Where an immediate upgrade is not possible, Palo Alto Networks recommends restricting network access to Expedition to authorized users, hosts, and networks only. | Details |
| 2024-10-09 17:37:09 | bleepingcomputer | CYBERCRIME | Urgent Firefox Update Released to Address Critical Zero-Day Flaw | Mozilla has shipped an emergency Firefox update to fix a critical use-after-free vulnerability (CVE-2024-9680) that is being actively exploited.
ESET researcher Damien Schaeffer found the flaw in the browser's Animation timeline code, the component that schedules and drives web animations.
In a use-after-free the program keeps using memory after it has been released; an attacker who can control what lands in that freed memory can hijack execution and run code inside the browser process.
Little information is available so far about who was targeted or how the attackers delivered the exploit.
Both the current Firefox release and Firefox Extended Support Release (ESR) are affected.
Users should upgrade immediately to the newest versions of Firefox and Firefox ESR.
Opening Firefox's 'About Firefox' dialog from the Settings menu triggers the update check and download; a restart is required for the fix to take effect.
This is the second time in 2024 that Mozilla has had to fix zero-day vulnerabilities, following two critical bugs patched in March. | Details |
| 2024-10-09 17:01:17 | thehackernews | CYBERCRIME | Google Partners with GASA and DNS RF to Combat Online Scams | Google announced a partnership with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNS RF) to address online scams through the Global Signal Exchange initiative.
The initiative aims to give participants real-time insight into many forms of cybercrime by pooling threat signals from diverse data sources.
Google emphasized the need for a centralized platform for exchanging abuse signals so that fraudulent activity can be identified and disrupted quickly across sectors.
Google has already contributed more than 100,000 URLs and 1 million scam signals to the new data platform.
Qualifying organizations will be granted access to the platform, with GASA and DNS RF overseeing admission.
Google also noted that its Cross-Account Protection feature has safeguarded 3.2 billion users signing in with their Google Account across third-party sites and apps.
Additional partners include Canva, Electronic Arts, Indeed, and Microsoft-owned LinkedIn.
This announcement follows a similar move by Meta, partnering with U.K. banks to mitigate scams via the Fraud Intelligence Reciprocal Exchange (FIRE) program. | Details |
| 2024-10-09 16:14:57 | bleepingcomputer | MISCELLANEOUS | How Open Source SIEM and XDR Boost Cybersecurity Defenses | Today's threat landscape, marked by increasingly sophisticated attacks, calls for adaptable and comprehensive tooling such as SIEM and XDR.
Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) provide real-time visibility, threat detection, and automated incident response across an organization's infrastructure.
Open source platforms such as Wazuh, which combines SIEM and XDR, offer log analysis, file integrity monitoring, malware detection, and automated response to emerging threats.
The article describes Wazuh use cases including detecting evasive malware, mitigating ransomware, and detecting the exploitation of vulnerabilities.
Wazuh's integration and automation capabilities improve threat visibility, reduce the manual workload on security teams, and strengthen overall posture by enabling fast, consistent response.
Wazuh supports customization and integration with third-party solutions, so protection can be tailored to an organization's needs.
Open source SIEM and XDR tools such as Wazuh also benefit from community-driven contributions that continuously improve detection capabilities. | Details |
| 2024-10-09 15:54:15 | bleepingcomputer | CYBERCRIME | Pro-Ukrainian Hacktivists Claim Hack on Russian Security Firm Dr.Web | Pro-Ukrainian hacktivists associated with the DumpForums community claimed responsibility for breaching Russian cybersecurity company Dr.Web on September 14.
After the attack, Dr.Web disconnected its internal servers and paused virus database updates while it investigated and contained the incident.
The attackers claim to have had access to Dr.Web's development systems for about a month and to have stolen approximately ten terabytes of confidential data.
The stolen data reportedly included client databases, email, and development projects hosted on platforms such as GitLab, Confluence, and RocketChat.
Dr.Web confirmed the breach but denied paying any ransom or losing customer data, stating that measures were promptly taken to prevent significant damage.
ReliaQuest describes DumpForums as a hub active since May 2022 that mainly facilitates pro-Ukrainian hacktivism against Russian entities.
Dr.Web criticized Telegram posts about the hack, maintaining that user data remained secure and unaffected, and said it has been in contact with law enforcement throughout the investigation. | Details |
| 2024-10-09 15:38:36 | thehackernews | CYBERCRIME | Security Gaps Exposed in Industrial MMS Protocol Implementations | Multiple serious vulnerabilities have been found in libraries implementing the Manufacturing Message Specification (MMS) protocol used in industrial devices, potentially letting attackers crash systems or execute code remotely.
Claroty researchers identified five vulnerabilities in MZ Automation's libIEC61850 library and Triangle MicroWorks' TMW IEC 61850 library, all of which have since been patched.
Claroty also found that an outdated MMS-EASE stack in Siemens SIPROTEC 5 IEDs could be crashed (denial of service) with a specially crafted packet; Siemens addressed it in a firmware update in December 2022.
The findings highlight the difficulty of bringing older industrial protocols up to current security expectations and the importance of timely updates and adherence to CISA's guidance.
Separately, Nozomi Networks disclosed vulnerabilities in Espressif's ESP-NOW wireless protocol, used in devices such as building alarms and remote door openers, that could allow unauthorized access or let an attacker disable security features.
Related work on the OpenFlow libfluid_msg library, under the name FluidFaults, describes unpatched vulnerabilities that pose denial-of-service risks to software-defined networking applications.
Together, these developments show the need for better security practices and frameworks in industrial and connected-device environments to prevent potentially catastrophic attacks. | Details |
| 2024-10-09 15:17:50 | theregister | MISCELLANEOUS | Microsoft Resolves Issues in Latest Patch Tuesday Update | Microsoft's October Patch Tuesday update resolves problems introduced by the KB5043145 Windows 11 preview update released in late September.
After installing that preview, users reported repeated restarts, blue or green screen errors, and unexpected launches of the Automatic Repair tool.
Microsoft's known-issues list for the original patch now marks the restart problem as resolved.
The October update also carries a critical security fix for a remote code execution flaw, exploitation of which requires the victim to install a malicious file locally.
The release rolls up the improvements from September's preview and confirms fixes for earlier issues, including USB and Bluetooth connectivity failures.
For systems still affected by the preview update's problems, Microsoft recommended Known Issue Rollback (KIR), which managed environments can deploy through Group Policy.
The update is especially important for Home and Pro editions of Windows 11 22H2, as it is their last: that version now leaves servicing for those editions.
Enterprise and Education editions of Windows 11 22H2 remain in servicing until next year, when Windows 10 also reaches end of support; Windows 11 21H2 Enterprise and Education editions, by contrast, receive their final security updates with this release. | Details |
| 2024-10-09 13:50:42 | theregister | CYBERCRIME | Trinity Ransomware Gang Targets US Healthcare Provider | Trinity, a recently emerged ransomware gang, has hit at least one healthcare facility in the U.S. and uses double extortion: data is stolen before systems are encrypted, then leaked if the victim does not pay.
The U.S. Department of Health and Human Services issued a security alert on October 4 highlighting the threat Trinity poses to the sector.
Rocky Mountain Gastroenterology is reportedly among the healthcare victims, with Trinity claiming to have stolen 330 GB of its data.
Trinity also listed the Cosmetic Dental Group in the Channel Islands, claiming theft of over 3.63 TB of data.
The gang gains initial access through unpatched software vulnerabilities, phishing, and compromised Remote Desktop Protocol (RDP) credentials.
Trinity shares code with the 2023Lock ransomware and uses encryption techniques similar to those of Venus ransomware, suggesting a connection between the operations.
No decryptor is currently available for Trinity ransomware, leaving affected organizations dependent on backups for recovery.
Health authorities recommend network segmentation, offline backups, and multi-factor authentication, among other measures, to reduce ransomware risk. | Details |
| 2024-10-09 13:40:17 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Target Tech Job Seekers with Malware | North Korean hackers are using job search platforms to distribute malware, posing as prospective employers.
The campaign, tracked as Contagious Interview, lures software developers into fake online interviews and persuades them to download malicious applications.
The first-stage malware, BeaverTail, is a downloader and information stealer that runs on both Windows and Apple macOS.
BeaverTail installs the InvisibleFerret backdoor, which steals browser-saved passwords and harvests data from cryptocurrency wallets.
Recent reports show the activity continues despite earlier public disclosures, with developers still being successfully compromised.
The fake applications are built with Qt, giving them cross-platform reach, and impersonate video conferencing tools such as MiroTalk and FreeConference.com.
The operation appears financially motivated: the malware targets 13 different cryptocurrency wallets to steal credentials and funds for the North Korean regime. | Details |
| 2024-10-09 11:00:38 | thehackernews | MISCELLANEOUS | Enhancing Security for Social Media in SaaS Environments | Social media accounts are critical to brand reputation but are often poorly secured, exposing organizations to unauthorized access and significant risk.
Platforms such as Facebook, Instagram, and LinkedIn have multiple layers of access, each with its own roles, permissions, and configuration settings, often managed by internal teams and external agencies alike.
This dispersed management creates risks such as unauthorized posts and comments that can damage an organization's reputation.
Poor governance and limited visibility into account activity lead to operational inefficiencies and security gaps, including misuse of ad accounts and budgets.
SSPM (SaaS Security Posture Management) tools, although not traditionally applied to social media, can improve governance by providing centralized visibility into user activity and permissions.
SSPM also supports stronger controls, such as setting spending limits and monitoring who can access payment mechanisms.
ITDR (Identity Threat Detection and Response) capabilities detect unusual activity and enable real-time response, protecting the organization's social media presence from account takeover and other threats. | Details |
| 2024-10-09 07:00:28 | thehackernews | MALWARE | Microsoft Addresses 118 Vulnerabilities, Two Actively Exploited | Microsoft has released security updates fixing 118 vulnerabilities, two of which are under active exploitation.
Three are rated Critical, 113 Important, and two Moderate.
The two exploited flaws are CVE-2024-43572, a remote code execution bug in Microsoft Management Console, and CVE-2024-43573, a spoofing bug in the Windows MSHTML platform; the latter may be connected to the Void Banshee threat actor, which has abused MSHTML flaws to deliver the Atlantida Stealer malware.
The U.S. CISA has ordered federal agencies to apply the fixes by October 29, 2024, given the severity of the risk.
The most severe flaw fixed is a CVSS 9.8 vulnerability in Microsoft Configuration Manager that allows unauthenticated remote command execution.
Other Critical-rated vulnerabilities affect the Visual Studio Code extension for Arduino and the Remote Desktop Protocol (RDP) Server.
Microsoft has not disclosed who is exploiting the two flaws or how widespread the attacks are.
Patches from Microsoft and other vendors this month underline the importance of applying updates promptly. | Details |
| 2024-10-09 04:26:53 | thehackernews | CYBERCRIME | Microsoft Warns of BEC Attacks Via Popular File Hosting Services | Microsoft has observed a surge in attacks that abuse legitimate file hosting services such as SharePoint, OneDrive, and Dropbox to carry out business email compromise (BEC).
Because these platforms are trusted, the attackers slip past standard security controls and go on to commit identity compromise, financial fraud, and lateral movement within victim networks.
The campaigns rely on a technique known as living-off-trusted-sites (LOTS): legitimate services host the malicious content so that email security systems let it through.
The attackers first compromise an email account at a trusted vendor, then use it to share files with the targets; the files are set to restricted access, so recipients must sign in with their own accounts to view them.
When the recipient opens the file, they are prompted to re-authenticate, and the link leads to a phishing page that captures the password and the second factor or the resulting session token.
With the captured credentials the attackers not only read sensitive information but also use the compromised account to run further scams and steal money.
Separately, a new phishing kit named Mamba 2FA has emerged that supports this kind of attack: it proxies the real login page to the victim (adversary-in-the-middle) and captures the authenticated session, defeating any multi-factor authentication method that is not phishing-resistant, such as one-time codes and push approvals.
Microsoft's warning underlines the sophistication of these techniques and the need for heightened vigilance, phishing-resistant authentication, and stronger detection and response. | Details |
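Why a relayed one-time code works for the attacker while a relayed WebAuthn assertion does not is the crux of the "non-phishing-resistant" distinction above. The simulation below is an added example, not code from the article, Microsoft, or the Mamba 2FA kit: it models an AiTM proxy replaying a victim's login to a relying party, first with password plus TOTP, then with password plus an origin-bound assertion. The origins, the user, and the use of an HMAC key as a stand-in for the security key's signature are assumptions made for the demonstration; everything else (RFC 4226 HOTP, the origin check in the client data) is the real mechanism.

```python
"""
AiTM phishing-proxy relay against TOTP versus an origin-bound (WebAuthn-style)
assertion. Added example, not code from the article, Microsoft or the kit.
Origins, user data and the HMAC stand-in for a real signature are assumptions.
"""
import hashlib
import hmac
import json
import secrets
import struct
from typing import Dict, Optional

REAL_ORIGIN = "https://login.example.com"                 # assumed legitimate IdP
PHISH_ORIGIN = "https://login.example-com.attacker.test"  # assumed AiTM proxy site
PASSWORD, TOTP_SEED = "correct horse battery", b"victim-totp-seed"  # constructed


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (SHA-1, dynamic truncation). TOTP is HOTP with
    counter = unix_time // 30; the counter is passed in so runs are deterministic."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """The user's security key. A real one signs with a per-site private key;
    an HMAC key stands in here so no crypto library is needed (assumption)."""
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def get_assertion(self, challenge: bytes, origin: str) -> Dict[str, str]:
        # The browser, not the web page, records the origin it is really on.
        client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}, sort_keys=True)
        digest = hashlib.sha256(client_data.encode()).digest()
        return {"client_data": client_data,
                "signature": hmac.new(self.key, digest, hashlib.sha256).hexdigest()}


class IdentityProvider:
    """Relying party: password + TOTP, or password + origin-bound assertion."""
    def __init__(self, password: str, totp_secret: bytes, auth: Authenticator) -> None:
        self.pw_hash = hashlib.sha256(password.encode()).digest()
        self.totp_secret = totp_secret
        self.cred_key = auth.key          # stands in for the registered public key
        self.pending: Dict[str, bool] = {}

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self.pw_hash)

    def login_totp(self, password: str, code: str, counter: int) -> Optional[str]:
        if self._password_ok(password) and hmac.compare_digest(code, hotp(self.totp_secret, counter)):
            return "session-" + secrets.token_hex(8)
        return None

    def start_webauthn(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[challenge.hex()] = True
        return challenge

    def finish_webauthn(self, password: str, assertion: Dict[str, str]) -> Optional[str]:
        data = json.loads(assertion["client_data"])
        if not self._password_ok(password) or not self.pending.pop(data["challenge"], False):
            return None
        if data["origin"] != REAL_ORIGIN:   # origin binding: the check that defeats the proxy
            return None
        digest = hashlib.sha256(assertion["client_data"].encode()).digest()
        expected = hmac.new(self.cred_key, digest, hashlib.sha256).hexdigest()
        return "session-" + secrets.token_hex(8) if hmac.compare_digest(expected, assertion["signature"]) else None


def _setup():
    auth = Authenticator()
    return auth, IdentityProvider(PASSWORD, TOTP_SEED, auth)


def aitm_relay_totp() -> bool:
    """Victim types password and OTP into the proxy; the proxy replays both to the
    real IdP within the same 30-second step and keeps the session it receives."""
    _, idp = _setup()
    counter = 57_000_000
    captured = {"password": PASSWORD, "otp": hotp(TOTP_SEED, counter)}   # what the victim typed
    return idp.login_totp(captured["password"], captured["otp"], counter) is not None


def aitm_relay_webauthn() -> bool:
    """The proxy fetches a genuine challenge and forwards it, but the victim's browser
    binds the assertion to PHISH_ORIGIN. (A real browser refuses even earlier: the
    credential's RP ID does not match the phishing site.)"""
    auth, idp = _setup()
    assertion = auth.get_assertion(idp.start_webauthn(), PHISH_ORIGIN)
    return idp.finish_webauthn(PASSWORD, assertion) is not None


def legitimate_webauthn() -> bool:
    """Same flow on the real origin succeeds."""
    auth, idp = _setup()
    assertion = auth.get_assertion(idp.start_webauthn(), REAL_ORIGIN)
    return idp.finish_webauthn(PASSWORD, assertion) is not None


if __name__ == "__main__":
    print("TOTP relayed through proxy     ->", "session stolen" if aitm_relay_totp() else "blocked")
    print("WebAuthn relayed through proxy ->", "session stolen" if aitm_relay_webauthn() else "blocked")
    print("WebAuthn on the real origin    ->", "ok" if legitimate_webauthn() else "failed")
```

The TOTP relay succeeds because nothing in the code ties it to where the user typed it; the relying party cannot tell the proxy's replay from the user's own submission. The assertion fails because the origin is written into the signed client data by the browser, outside the page's control, and the relying party compares it with its own. Push approvals and SMS codes fall on the TOTP side of this line; passkeys and hardware keys fall on the WebAuthn side.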