Daily Brief
Total articles found: 12813
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-10-08 09:26:34 | thehackernews | MALWARE | GoldenJackal Uses Sophisticated Malware to Target Embassies and Air-Gapped Systems | GoldenJackal, an emergent cyber threat actor, targets embassies and governmental organizations to infiltrate air-gapped systems. The attacks involve bespoke malware toolsets, including JackalWorm and JackalControl, designed to steal sensitive data from offline systems. Incidents have occurred from as early as 2019, with victims such as a South Asian embassy in Belarus and European governmental entities. The group uses sophisticated tactics similar to those seen in malware campaigns by Turla and MoustachedBouncer, but no definitive ties to a nation-state have been established. ESET traced malware artifacts back to attacks in 2019 at a South Asian embassy and observed a toolset upgrade in attacks from May 2022 to March 2023. The malware primarily spreads through USB drives, potentially leveraging trojanized software or malicious documents for initial infiltration. The threat actor has shown capability in developing and deploying advanced malware aimed at systems typically unreachable via the internet. The exact mechanisms of initial compromise and subsequent stages of the cyberattacks remain partially unknown; further analysis and vigilance are required. | Details |
| 2024-10-08 06:36:25 | theregister | NATION STATE ACTIVITY | Ukrainian Hackers Target Russian State Media on Putin's Birthday | Ukrainian hackers initiated a cyberattack on Russian state news agency VGTRK, disrupting its online services on Vladimir Putin's 72nd birthday. The attack was confirmed by Kremlin press secretary Dmitry Peskov, who described it as "an unprecedented hacker attack on digital infrastructure." Despite the attack, VGTRK claimed no significant damage was inflicted on its operations. Russian Foreign Ministry spokesperson Maria Zakharova attributed the cyberattack to a broader hybrid warfare strategy by the "collective West" and promised to raise the issue at the UN and UNESCO. The group responsible for the attack, identified as "sudo rm -RF," has previously targeted other Russian digital platforms, including RuTube. An anonymous Ukrainian official described the attack as a symbolic "birthday present" for Putin, claiming extensive damage including the destruction of server data and backups, and the disruption of internal communications and internet services. | Details |
| 2024-10-08 05:50:16 | thehackernews | NATION STATE ACTIVITY | Pro-Ukrainian Hackers Disrupt Russian State TV on Putin's Birthday | Ukraine acknowledged orchestrating a cyberattack on Russia's state media company VGTRK on the night of October 7, disrupting its operations but causing "no significant damage." Reports emerged from Russian sources that hackers deleted all data, including backups, from VGTRK's servers, conflicting with official statements of minimal impact. Russian officials have launched an investigation into the attack, suspecting it aligns with Western anti-Russian sentiments. The attack was attributed to a pro-Ukrainian hacker group, Sudo rm-RF, part of ongoing cyber confrontations amid the Russo-Ukrainian war. Ukraine's SSSCIP reported an increase in cyberattacks targeting key sectors, with notable attacks being classified as critical or high in severity. The agency noted a strategic shift from destructive attacks to covert operations aimed at espionage and maintaining influence within key systems. Eight different cyber activity clusters have been identified, including threats from China-linked espionage actors and Russian state-sponsored hackers. The consistent deployment of malicious tools by groups like Gamaredon was highlighted, alongside their evolving tactics to avoid detection and enhance their operational impact. | Details |
| 2024-10-08 04:13:23 | thehackernews | CYBERCRIME | Qualcomm Issues Security Patches for Critical Vulnerabilities | Qualcomm has released updates to fix nearly two dozen security issues across proprietary and open-source components. A particularly severe vulnerability, identified as CVE-2024-43047, a use-after-free bug in the DSP Service, has been actively exploited. This DSP vulnerability could lead to significant memory corruption; Google Project Zero and Amnesty International Security Lab highlighted the exploitation risks. Qualcomm recommends immediate patching by OEMs for this critical flaw affecting the FASTRPC driver due to its potential use in targeted spyware attacks. Additionally, a critical vulnerability in the WLAN Resource Manager (CVE-2024-33066) could allow memory corruption due to improper input validation. The update is part of a broader security effort that includes patches for vulnerabilities from other tech giants like Imagination Technologies and MediaTek, in coordination with Google's Android security updates. The full extent of the attacks exploiting these vulnerabilities and their overall impact remains unclear, highlighting the need for rapid deployment of the security updates. | Details |
| 2024-10-08 03:01:53 | theregister | MISCELLANEOUS | Google Rolls Out New Android Security Features Globally | Google has initiated a worldwide rollout of enhanced security features for Android devices, designed to deter thieves from profiting from stolen phones. The updated security measures include a requirement for credentials to perform a factory reset, aimed at making it harder for thieves to wipe and resell stolen devices. Additional security settings being strengthened include the requirement for biometric confirmation before changing system settings like PINs or disabling the Find My Device feature. These security enhancements were first announced in May during Google's I/O developer conference and were tested in Brazil before the global rollout. The updates are expected to continue with the general release of Android 15, scheduled for later this month. While mobile phone theft is still prevalent, the measures aim to reduce the resale value of stolen phones and protect users from potential financial theft through access to sensitive apps. | Details |
| 2024-10-08 00:33:30 | theregister | NATION STATE ACTIVITY | US Fights to Recover Millions From North Korea's Lazarus Group | The US government has launched legal efforts to recover over $2.67 million in cryptocurrencies stolen by North Korea's Lazarus Group. Two lawsuits for forfeiture target funds linked to the 2022 Deribit hack and a separate heist at Stake.com, involving millions in virtual currencies like Tether and Bitcoin. In the Deribit hack, Lazarus Group thieves laundered about $28 million through various crypto exchanges and mixing services, with the US recovering approximately $1.7 million in Tether. Similar laundering tactics were employed after approximately $41 million was stolen from Stake.com, with only a minor fraction (about $6,270 in Bitcoin) recovered by US authorities. North Korean hackers utilized complex money-laundering schemes like the virtual currency mixers Sinbad (now sanctioned) and Yonmix to obscure stolen funds. The FBI continues to investigate several cases of cryptocurrency heists linked to North Korea, with Lazarus Group implicated in attacks against diverse targets, including entertainment firms, banks, and virtual currency exchanges. The recent actions represent ongoing US efforts to counter North Korean state-sponsored cybercrime and the financial theft that supports its regime. | Details |
| 2024-10-08 00:18:02 | theregister | CYBERCRIME | American Water Halts App Amid Cyberattack; Safety Maintained | American Water, the largest regulated water provider in the U.S., experienced a cybersecurity breach affecting its network systems. The company detected unusual activity last Thursday and subsequently isolated parts of its network to protect customer data. Billing and the MyWater app were paused, with no late fees charged during the outage as the investigation by law enforcement and security experts continues. American Water assures that water quality and supply remain unaffected, emphasizing ongoing efforts to contain and remediate the network environment. The incident has been reported in an 8-K filing with regulators, noting that it is unlikely to have a significant financial impact on the company. There is heightened concern as the U.S. water sector, a part of critical infrastructure, faces ongoing threats, including from international actors like the Iranian CyberAv3ngers and Chinese interests. The U.S. Environmental Protection Agency has recently increased initiatives to bolster cybersecurity in the water sector, including creating a Water Sector Cybersecurity Task Force. | Details |
| 2024-10-07 22:56:28 | bleepingcomputer | DATA BREACH | MoneyGram Cyberattack Leads to Significant Customer Data Theft | MoneyGram experienced a cyberattack in September, leading to a five-day service outage and significant data theft. Hackers accessed MoneyGram's network between September 20 and 22, 2024, before detection on September 27. Stolen data includes customer names, contact details, dates of birth, Social Security numbers, government IDs, bank account details, and transaction records. The incident was initially triggered through a social engineering attack targeting MoneyGram's IT help desk. CrowdStrike has been involved in investigating the breach, although the identity of the attackers remains unknown. MoneyGram confirmed the incident was not a ransomware attack but has not disclosed specific details regarding the volume of compromised data. Impacted customers are being notified about the specific details of their information that was stolen. | Details |
| 2024-10-07 22:17:42 | bleepingcomputer | DATA BREACH | ADT Faces Second Data Breach in Two Months Due to Credential Theft | ADT reported a security breach originating from stolen credentials provided by a third-party partner. Threat actors accessed and extracted encrypted employee account data. This is the second incident in two months; previously, 30,800 customer records were leaked. ADT has terminated the unauthorized access, initiated a forensic investigation, and engaged with cybersecurity experts. Company measures to contain the breach have disrupted normal business IT operations. There is no evidence suggesting any customer data or security systems have been compromised. Federal law enforcement and the third-party business partner are involved in addressing the breach and securing the systems. ADT is taking additional countermeasures to enhance its information security posture. | Details |
| 2024-10-07 21:52:03 | bleepingcomputer | CYBERCRIME | LEGO Website Temporarily Compromised to Promote Fake Crypto Token | Cryptocurrency scammers hacked the LEGO website to advertise a sham LEGO token. The breach occurred at 9 PM EST and lasted for approximately 75 minutes. Hackers replaced the main site banner with promotions for purchasing the bogus token with Ethereum. The link provided led to a legitimate cryptocurrency platform, Uniswap, not to a site designed to steal assets. Despite the hack, only a small amount of money was collected from the scam. LEGO confirmed the breach and assured that no user accounts were compromised and that preventive measures are being implemented. The misuse of website access for a low-yield crypto scam, as opposed to deploying stealthier and more profitable malware, was noted as unusual. | Details |
| 2024-10-07 21:36:38 | theregister | CYBERCRIME | American Water Halts Billing Following Cybersecurity Breach | American Water detected unusual network activity and confirmed a cybersecurity breach, leading to a stoppage of its billing processes and the MyWater app. The company isolated parts of its network to safeguard customer data and is collaborating with law enforcement and external security experts. There are no late fees for customers during the system downtime, and water quality and operations remain unaffected. An ongoing investigation aims to understand the incident's scope, with updates promised via the company's website. Despite the cyberattack, American Water believes the breach will not materially impact its financial position or operational outcomes. In response to broader cybersecurity threats against water supplies, the U.S. government has been taking steps such as audits and the formation of a Water Sector Cybersecurity Task Force. The article references global tensions and the involvement of nation-state actors like Iran and China targeting U.S. water infrastructure. | Details |
| 2024-10-07 21:10:58 | bleepingcomputer | MALWARE | Ukrainian National Pleads Guilty in Raccoon Stealer Malware Case | Ukrainian national Mark Sokolovsky has admitted to running the Raccoon Stealer malware operation under a malware-as-a-service (MaaS) model. Raccoon Stealer, rented for $75 weekly or $200 monthly, captured sensitive data from infected devices, including browser credentials, cryptocurrency wallets, and credit card information. The FBI and European law enforcement disrupted the Raccoon Stealer infrastructure in March 2022, which temporarily halted the operation. Despite an initial suspension following a developer's death during the invasion of Ukraine, the malware operation has relaunched twice with enhanced capabilities. In response to this cybercrime, the FBI has set up a website to help individuals determine if their data was stolen and to provide them with recovery resources. Sokolovsky was extradited to the U.S. in February 2024 and faces charges including fraud, money laundering, and identity theft, following his indictment in October 2022. He has agreed to restitution of at least $910,844.61 and a forfeiture of $23,975 as part of his plea agreement. | Details |
| 2024-10-07 19:49:17 | theregister | MISCELLANEOUS | Police Use of Facial Recognition Tech Raises Legal Questions | Police departments across the U.S. frequently use facial recognition technology to identify suspects but rarely disclose its use to the suspects or their lawyers. Documents obtained by the Washington Post reveal that of the "more than 100" departments contacted, only around 40 in 15 states provided information about their use of facial recognition technology. Police often obscure the use of facial recognition by describing the identification as made through generic "investigative means" and by adopting policies that direct officers not to document the technology as an investigative lead. Misidentification from facial recognition has resulted in at least seven wrongful arrests of innocent individuals, predominantly affecting Black Americans, with all charges later dismissed. In Miami, the use of facial recognition led to more than 186 arrests and over 50 convictions in the past four years, but less than seven percent of those arrested were informed about the technology's role in their identification. The legality of withholding information about facial recognition from suspects is challenged under the Brady rule, which mandates disclosure of any exculpatory evidence in a trial. Despite the controversy and local bans, police continue to use facial recognition, sometimes outsourcing searches to circumvent local laws prohibiting its use. | Details |
| 2024-10-07 18:32:42 | bleepingcomputer | MALWARE | Qualcomm Releases Patches for Zero-Day Exploited in Targeted Attacks | Qualcomm patched a high-severity zero-day vulnerability (CVE-2024-43047) affecting numerous chipsets via the Digital Signal Processor (DSP) service. The flaw, a use-after-free issue leading to memory corruption, was exploited in the wild, as per findings from Google's Project Zero and Amnesty International Security Lab. The vulnerability allows low-privileged local attackers to cause memory corruption by manipulating DMA handle FDs. Security patches have been distributed to OEMs with a recommendation for urgent deployment on all affected devices. Qualcomm also addressed another serious vulnerability (CVE-2024-33066) in the WLAN Resource Manager, reported over a year ago. This flaw continues a series of zero-day exploits in Qualcomm's technology, including previous incidents involving GPU and Compute DSP drivers, Snapdragon DSP chip vulnerabilities, and others. The company remains proactive in patching reported issues to prevent exploitation and protect user data and device integrity. | Details |
| 2024-10-07 17:31:20 | bleepingcomputer | CYBERCRIME | American Water Hit by Cyberattack, Forced to Shut Online Services | American Water, the U.S.'s largest publicly traded water utility, experienced a cyberattack leading to a partial shutdown of its systems. The company has engaged third-party cybersecurity experts and informed law enforcement to assess and contain the incident. Critical customer-facing services like the 'MyWater' online portal and billing were suspended, though no late fees will be charged during the interruption. American Water assures that its water and wastewater facilities remain unaffected and operational. This incident is part of a larger pattern of targeted cyberattacks on water utilities, following recent advisories about threats from Russian-linked cyber groups. Further incidents noted include attacks by Chinese and Iranian actors on U.S. water facilities in recent months. The U.S. Environmental Protection Agency (EPA) has issued new guidelines to enhance cybersecurity defenses among water service providers. | Details |