Daily Brief

Articles are listed below; each summary is machine-generated.

2024-07-31 21:23:29 bleepingcomputer CYBERCRIME Mysterious Charges from Shopify-charge.com Confuse Card Users
Credit card users worldwide are reporting unexplained $1 or $0 charges from Shopify-charge.com despite having made no purchases. The charges appeared on both physical and virtual cards from major providers, including Discover, Monzo, and Visa, starting about ten days before the report. Some cardholders saw attempts on already-deactivated cards, which suggests the card details were obtained and reused rather than billed by mistake. Many reports involve people who had just set up a new virtual card, pointing to a possible weakness in how those cards are provisioned or exposed. The shopify-charge.com site states that charges under this descriptor relate to purchases at Shopify-powered stores, but some affected users say they have never shopped at such a store. Shopify recently suffered a third-party data breach, though it reported that no payment information was compromised. Attempts to reach Shopify for comment were unsuccessful; online investigation hints at a connection to the unrelated debt collection firm Halsted Financial. Because Shopify is the backend for many online stores, customers may not recognise its role in a transaction.
2024-07-31 21:18:10 theregister CYBERCRIME DigiCert SSL Certificate Flaw Triggers Urgent Global Revocation
Over 83,000 SSL/TLS certificates issued by DigiCert are affected by a programming flaw in its domain control validation and must be replaced immediately. The flaw affects "approximately 0.4 percent" of the applicable domain validations DigiCert performed. The CA/Browser Forum Baseline Requirements oblige a CA to revoke certificates whose domain validation cannot be relied upon within 24 hours, and DigiCert set that deadline, granting short extensions to some customers in exceptional circumstances. Some customers have sought legal action to block the revocation, citing critical safety and service-disruption concerns. Large organisations, particularly in essential services such as healthcare and telecommunications, are struggling to replace certificates on that timescale. DigiCert is preparing a full incident report and is engaged in industry discussions about whether revocation timelines should be reconsidered given the breadth of the impact. Even with an extension, every affected certificate must be revoked by August 3, 2024. The situation illustrates the practical cost of strict compliance with CA rules when essential services depend on the affected certificates.
2024-07-31 20:52:23 theregister CYBERCRIME Over 30,000 Domains Hijacked via 'Sitting Ducks' DNS Flaw
Russia-affiliated criminal groups have hijacked around 30,000 web domains since 2019 by exploiting a long-known DNS weakness. The 'Sitting Ducks' technique relies on a lame delegation: a domain's registrar points its nameserver records at a third-party DNS provider that holds no zone for the domain, and that provider lets anyone who opens an account claim the zone without proving ownership, so the attacker can publish whatever records they like under a domain they do not own. First described in 2016, the weakness was demonstrated against delegations to major providers such as AWS, Google and DigitalOcean, and was observed again at GoDaddy in 2019. Because it stems from administrative oversight (delegations left pointing at a provider after the zone was dropped, and providers that skip ownership checks) rather than a code defect, there is no patch to apply and the condition is easy to overlook. Hijacked domains have been used for phishing, malware distribution and other abuse, harming both domain owners and the users who trust those domains. Despite being documented for years, the security industry has largely failed to mitigate the risk. Infoblox and Eclypsium are working with law enforcement and national CERTs on the ongoing threat, and are calling on domain owners, registrars, DNS providers and regulators to cooperate on shrinking the DNS attack surface.
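The preconditions described above can be checked for one's own domains. The following Python triage routine is an added example written for this brief, not Infoblox's or Eclypsium's tooling. It takes a list of delegations and a query function, so it runs offline here on constructed answers; the nameserver and provider names, the recorded answers, and the CLAIMABLE_PROVIDERS set are all assumptions for the example. Replace fake_query with a real SOA lookup against each delegated nameserver (for example with dnspython) to run it against live delegations.

```python
"""Triage for 'Sitting Ducks' preconditions (added example, not vendor code).

A domain is exposed when (1) the parent zone delegates it to nameservers at a
third-party DNS provider, (2) those servers do not serve the zone (lame
delegation), and (3) the provider lets a fresh account claim the zone without
an ownership check. Which providers permit unverified claims is something you
must establish yourself; CLAIMABLE_PROVIDERS below is an assumption."""

from dataclasses import dataclass
from typing import Callable, Iterable

# Assumption for the example: providers known to allow unverified zone claims.
CLAIMABLE_PROVIDERS = {"ns-provider-a.example"}


@dataclass
class Delegation:
    domain: str
    nameservers: list[str]   # NS set as published by the parent zone


def provider_of(ns: str) -> str:
    """Map a nameserver hostname to its provider (last two labels)."""
    return ".".join(ns.rstrip(".").lower().split(".")[-2:])


def is_lame(ns: str, domain: str, query: Callable[[str, str], str]) -> bool:
    """A delegation is lame when the delegated server will not answer for the
    zone: REFUSED or SERVFAIL on an SOA query, or no answer at all."""
    return query(ns, domain) in {"REFUSED", "SERVFAIL", "TIMEOUT"}


def triage(delegations: Iterable[Delegation],
           query: Callable[[str, str], str]) -> dict[str, str]:
    """Classify each delegation as ok, lame, or sitting-duck."""
    verdicts = {}
    for d in delegations:
        lame_ns = [ns for ns in d.nameservers if is_lame(ns, d.domain, query)]
        if not lame_ns:
            verdicts[d.domain] = "ok"
        elif any(provider_of(ns) in CLAIMABLE_PROVIDERS for ns in lame_ns):
            verdicts[d.domain] = "sitting-duck"   # lame AND claimable: hijackable
        else:
            verdicts[d.domain] = "lame"           # broken, not known to be claimable
    return verdicts


# Constructed answers standing in for live SOA queries to each nameserver.
FAKE_ANSWERS = {
    ("ns1.ns-provider-a.example", "forgotten.example.com"): "REFUSED",
    ("ns2.ns-provider-a.example", "forgotten.example.com"): "REFUSED",
    ("ns1.ns-provider-b.example", "stale.example.net"): "SERVFAIL",
    ("ns1.ns-provider-b.example", "healthy.example.org"): "NOERROR",
}


def fake_query(ns: str, domain: str) -> str:
    """Offline stand-in for an authoritative SOA query; unknown pairs time out."""
    return FAKE_ANSWERS.get((ns, domain), "TIMEOUT")


SAMPLE = [
    Delegation("forgotten.example.com",
               ["ns1.ns-provider-a.example", "ns2.ns-provider-a.example"]),
    Delegation("stale.example.net", ["ns1.ns-provider-b.example"]),
    Delegation("healthy.example.org", ["ns1.ns-provider-b.example"]),
]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE, fake_query).items():
        print(f"{domain}: {verdict}")
```

The "lame" verdict is still worth fixing: a delegation that nobody serves is one provider policy change away from being claimable, and the only durable remedy is to remove or correct the stale NS records at the registrar.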
2024-07-31 20:21:33 bleepingcomputer MISCELLANEOUS DigiCert Delays TLS Certificate Revocation for Critical Infrastructure
DigiCert has begun a mass revocation of TLS certificates whose domain control validation did not comply with requirements. Approximately 6,807 customers are affected and need to reissue 83,267 certificates within the 24-hour deadline DigiCert set for July 31 at 19:30 UTC. Critical infrastructure operators may request a revocation delay if immediate reissuance and deployment is not feasible, to avoid disrupting essential services. The defect originated in a system change made in August 2019; the underlying bug was identified and corrected on June 11 in the course of a project to improve the user experience. DigiCert is working with browser representatives to allow additional time where exceptional circumstances justify it. All affected certificates must nonetheless be revoked by August 3, 2024, at 19:30 UTC. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued a warning and guidance about the revocation, urging affected organisations to reissue or rekey their certificates before the deadline.
2024-07-31 18:18:54 bleepingcomputer RANSOMWARE Ransomware Attack Disrupts OneBlood's Operations, Affects Hospitals
OneBlood, a major not-for-profit blood center in the U.S., suffered a ransomware attack that took its IT systems offline. The attackers encrypted the virtual machines on the organization's VMware hypervisor infrastructure, disrupting operations. OneBlood has fallen back to manual processes, which slow its ability to collect, test and distribute blood. More than 250 U.S. hospitals that rely on OneBlood have been advised to activate critical-shortage protocols. A national coalition and the AABB Disaster Task Force are rerouting blood donations to cover OneBlood's service areas. OneBlood continues to operate at reduced capacity and is urgently asking for O Positive, O Negative and platelet donations. The attack was launched over a weekend, a common choice because fewer staff are available to detect and contain an intrusion quickly. OneBlood is working with local and federal agencies and plans to offer credit monitoring to individuals whose data may have been exposed.
2024-07-31 17:53:05 bleepingcomputer DDOS CISA, FBI Confirm DDoS Attacks Won't Compromise 2024 Election Integrity
CISA and the FBI have stated that DDoS attacks on U.S. election infrastructure will not affect the security or integrity of the 2024 general election. Such attacks may hinder public access to information, but the core voting processes and the transmission of results remain secure. The agencies note that DDoS attacks might take down peripheral services such as voter look-up tools but cannot prevent anyone from voting. Their guidance is to obtain election information from state and local authorities if the primary websites are unavailable. Voters are encouraged to report suspicious activity, including potential cyber threats, to the FBI. CISA and the FBI continue to collaborate on safeguarding election infrastructure against physical and cyber threats, and reassure the public that while DDoS attacks are likely, they will not influence election security or outcomes.
2024-07-31 17:47:45 bleepingcomputer MALWARE Malicious Google Ads Lead Users to Download Malware
Google's ad platform was abused to promote a fake Google Authenticator site that distributes the DeerStealer malware. Malwarebytes discovered a malvertising campaign in which threat actors ran legitimate-looking ads impersonating the Google Authenticator download page. The ads displayed URLs mimicking Google's domain, lending them credibility. Clicking an ad sends the user through several redirects to a fake site that closely resembles an official Google portal. The final page prompts the user to download "Authenticator.exe", a malicious executable signed with a valid code-signing certificate to appear trustworthy. Once run, the malware steals sensitive data such as browser credentials and cookies. To avoid such threats, users should not click ads for software downloads, should consider an ad blocker, and should verify the URL and domain before downloading any software.
2024-07-31 16:41:05 theregister MALWARE Google Enhances Chrome's Security to Block Malware Cookie Theft
Google has updated Chrome on Windows to better protect sensitive data against infostealer malware that targets cookies. Chrome 127 introduces app-bound encryption, which binds encrypted data to the application that created it, so other programs running as the same user can no longer decrypt it. To reach the data an attacker must either obtain higher privileges on the system or inject code into Chrome, both of which antivirus software is likely to flag. The feature builds on earlier measures such as device-bound session cookies, which tie a session to a specific device so that a stolen cookie is useless elsewhere. Google intends to extend the same protection to other sensitive data such as authentication tokens, passwords and payment information in future releases. The update also improves the Chrome downloads UI with clearer explanations of why a download was blocked. Because the encryption is bound to a single machine, it may cause problems for business users whose profiles roam across multiple devices; Google advises following its best practices or policy settings in those scenarios.
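For anyone triaging a Chrome profile after a suspected infostealer infection, the change is visible in the on-disk format. Chrome's Local State file keeps the DPAPI-wrapped key under os_crypt.encrypted_key with a "DPAPI" prefix on the decoded blob; Chrome 127 adds os_crypt.app_bound_encrypted_key with an "APPB" prefix, and cookie values encrypted under that key carry a "v20" marker instead of the legacy "v10". The classifier below is an added example, not Chrome's or Google's code; the JSON and blobs are constructed rather than copied from a real profile, and no decryption is attempted.

```python
"""Classify Chrome-on-Windows secrets by encryption scheme (added example).

Format markers used:
  Local State os_crypt.encrypted_key            -> base64("DPAPI" + blob)
  Local State os_crypt.app_bound_encrypted_key  -> base64("APPB"  + blob), Chrome 127+
  cookie encrypted_value prefix                 -> b"v10" (legacy) / b"v20" (app-bound)
A "dpapi-user" secret can be unwrapped by any process in the user's session;
an "app-bound" one needs Chrome's SYSTEM-level elevation service, which checks
the calling application's identity, or code injected into Chrome itself."""

import base64
import json


def classify_key_blob(b64: str) -> str:
    raw = base64.b64decode(b64)
    if raw.startswith(b"APPB"):
        return "app-bound"
    if raw.startswith(b"DPAPI"):
        return "dpapi-user"
    return "unknown"


def classify_cookie_value(blob: bytes) -> str:
    if blob.startswith(b"v20"):
        return "app-bound"
    if blob.startswith(b"v10"):
        return "dpapi-user"
    return "unknown"


def audit_local_state(local_state_json: str) -> dict:
    """Report which key-wrapping schemes a Local State file carries."""
    os_crypt = json.loads(local_state_json).get("os_crypt", {})
    result = {}
    for field in ("encrypted_key", "app_bound_encrypted_key"):
        if field in os_crypt:
            result[field] = classify_key_blob(os_crypt[field])
    return result


def stealable_in_user_context(cookie_blobs) -> list:
    """Indices of cookie values an unprivileged, user-context infostealer could
    still decrypt with DPAPI alone, i.e. values not yet migrated to v20."""
    return [i for i, b in enumerate(cookie_blobs)
            if classify_cookie_value(b) == "dpapi-user"]


# Constructed sample: a profile mid-migration, holding both key types and a
# mix of legacy and app-bound cookie values (payload bytes are filler).
SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {
        "encrypted_key": base64.b64encode(b"DPAPI" + b"\x01" * 16).decode(),
        "app_bound_encrypted_key": base64.b64encode(b"APPB" + b"\x02" * 16).decode(),
    }
})
SAMPLE_COOKIES = [b"v10" + b"\xaa" * 28, b"v20" + b"\xbb" * 28, b"\x00" * 8]

if __name__ == "__main__":
    print(audit_local_state(SAMPLE_LOCAL_STATE))
    print("legacy cookies at indices:", stealable_in_user_context(SAMPLE_COOKIES))
```

A profile that still shows "dpapi-user" cookie values after the update has not re-encrypted them yet, so a user-context stealer can still read those entries; the presence of an "APPB" key alone does not mean every stored value is protected.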
2024-07-31 16:35:41 bleepingcomputer CYBERCRIME World's Largest Silver Producer Targeted in Cyberattack
Fresnillo PLC, the world's largest silver producer, has disclosed that its IT systems were compromised in a cyberattack. During the incident unauthorized parties accessed certain data, though the company has not said what was taken or exposed. Fresnillo's IT team and external forensic experts took immediate steps to contain the breach. Operations were unaffected, and the company expects no material or financial impact. The investigation continues, and Fresnillo says it will keep strengthening its cyber-security posture. The company has extensive mining operations and exploration projects across Mexico, Peru and Chile and is listed on both the London and Mexican stock exchanges.
2024-07-31 16:25:07 bleepingcomputer MALWARE New 'BingoMod' Android Malware Drains Bank Accounts and Wipes Devices
Researchers have discovered a new Android malware, 'BingoMod', that wipes the device after draining the victim's bank account through fraudulent transfers. It is distributed through smishing (SMS phishing) as a fake security application and abuses Android's Accessibility Services to gain extensive control over the device. BingoMod performs on-device fraud (ODF), carrying out near real-time transactions from the victim's own device by capturing screen content and executing commands sent by the operators. It can intercept SMS messages, steal login credentials, and cast the screen to the operators, which helps defeat anti-fraud systems that look for unfamiliar devices. To stay undetected it uses code obfuscation and evasion tactics, can uninstall security apps, and can block specific apps on command. After a successful fraudulent transfer the operators can trigger a wipe of external storage, and a full factory reset can be issued over the remote-access channel. BingoMod is still under active development; artefacts suggest a Romanian developer, possibly working with collaborators elsewhere.
2024-07-31 15:08:20 theregister CYBERCRIME Enhancing Cybersecurity Through AI: Insights from Palo Alto Networks
AI adoption is growing rapidly, with some forecasts of 1 billion users by 2029, and cybercriminals are using the same tools, which may make attacks more sophisticated. Palo Alto Networks' CEO Nikesh Arora stressed visibility, control and governance when integrating AI. A significant internal risk is employees who do not understand how the AI tools they use handle the organisation's data. Used properly, AI can strengthen an organisation's defences. Palo Alto Networks is making its products AI-driven, easy to use and effective at tracking where data is exposed, and argues that AI applications should be designed to be secure from the start, covering how data is processed and stored.
2024-07-31 14:16:38 theregister CYBERCRIME LockBit Ransomware's Decline Following Operation Cronos Takedown
LockBit, once a top ransomware operation, has significantly declined in activity and influence following a major law enforcement takedown led by the UK's National Crime Agency. The operation, dubbed Operation Cronos, not only disrupted LockBit's infrastructure but also exposed the identity of its alleged leader, Dmitry Khoroshev. Despite attempts to revive its operations, LockBit's reputation has suffered, leading many of its top earners and affiliates to depart for rival groups with better opportunities and technology. Recent data shows a drastic reduction in the number of attacks attributed to LockBit, with evidence suggesting some claimed attacks might be reposts of older ones, indicating a struggle to maintain influence. The exposure of affiliate identities and the subsequent reduction in their numbers from 194 to just 69 underscores the operation's impact on LockBit's network. Discussions about LockBit on cybercrime forums have diminished, indicating a loss of credibility and interest among potential new affiliates. Despite these setbacks, LockBit's core ransomware technology remains functional, and there is potential for the brand or its leadership to reemerge under a new guise following a period of reevaluation and restructuring. The future of LockBit and its leadership remains uncertain, with possibilities ranging from a complete shutdown to a rebranding or shift in criminal focus.
2024-07-31 14:16:38 thehackernews MISCELLANEOUS DigiCert to Revoke SSL Certificates Due to Validation Issues
DigiCert, a certificate authority, will revoke more than 83,000 SSL/TLS certificates within 24 hours because of a domain validation oversight. When customers used a CNAME record for Domain Control Validation (DCV), DigiCert's system failed to add the required underscore prefix to the random-value label, so the validation record sat at a name that could coincide with an ordinary subdomain and did not meet the CA/Browser Forum rule for this method. The omission dates back to changes in DigiCert's system architecture in 2019, which removed the automatic insertion of the underscore on some code paths. The problem came to light several weeks ago when a customer reported a discrepancy in the random values used for validation. Roughly 0.4% of DigiCert's applicable domain validations are affected, covering around 6,807 customers. DigiCert has advised affected customers to generate a new Certificate Signing Request (CSR), complete DCV properly, and reissue their certificates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of possible temporary disruption to websites, services and applications as a result of the revocations.
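The three DigiCert items in this brief (the Register, BleepingComputer and Hacker News summaries) all turn on one detail: for the CNAME-based DCV method the random value must sit either at the domain itself or under a label that starts with an underscore. A valid hostname cannot contain an underscore, so an underscore-prefixed label can never collide with a real host, which is what stops someone who happens to control a subdomain from satisfying validation for the apex. The check below is an added example, not DigiCert's validation code; the domains, random values and record layout are constructed.

```python
"""Check that CNAME-based DCV owner names carry the underscore label
(added example, not DigiCert's code)."""

import re

# A validation-only label: exactly one label, starting with "_".
UNDERSCORE_LABEL = re.compile(r"^_[A-Za-z0-9-]+$")


def dcv_cname_name(domain: str, random_value: str, add_underscore: bool) -> str:
    """Build the owner name a customer is told to publish. add_underscore=False
    reproduces the defective behaviour: the random value becomes a plain
    subdomain label that a third party could legitimately own."""
    label = ("_" if add_underscore else "") + random_value
    return f"{label}.{domain}".lower()


def cname_dcv_is_well_formed(owner_name: str, domain: str) -> bool:
    """True only if owner_name is the domain itself or <_label>.<domain>."""
    owner_name = owner_name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if owner_name == domain:
        return True                       # random value at the apex is allowed
    if not owner_name.endswith("." + domain):
        return False                      # record is not under this domain at all
    prefix = owner_name[: -len(domain) - 1]
    # Exactly one extra label, and it must begin with an underscore.
    return "." not in prefix and bool(UNDERSCORE_LABEL.match(prefix))


def check_issued_validations(records) -> list:
    """Return the random values whose published owner name lacks the
    underscore label, i.e. validations that must be redone before reissue."""
    return [r["random"] for r in records
            if not cname_dcv_is_well_formed(r["owner"], r["domain"])]


# Constructed sample: two validations done correctly, one produced by a code
# path that dropped the underscore.
SAMPLE = [
    {"domain": "example.com", "random": "k7tr9wq2", "owner": "_k7tr9wq2.example.com"},
    {"domain": "example.net", "random": "p3mz8xvb", "owner": "example.net"},
    {"domain": "example.org", "random": "a1b2c3d4", "owner": "a1b2c3d4.example.org"},
]

if __name__ == "__main__":
    print("correct:", dcv_cname_name("example.com", "k7tr9wq2", True))
    print("defective:", dcv_cname_name("example.com", "k7tr9wq2", False))
    print("needs re-validation:", check_issued_validations(SAMPLE))
```

The same test is cheap to run against your own certificate inventory: for each certificate validated by CNAME, confirm the record name you were asked to publish begins with an underscore; any that do not are the ones a CA is obliged to revoke once it notices.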
2024-07-31 14:16:38 bleepingcomputer CYBERCRIME Over 600 Fraudulent Web Shops Advertised on Facebook Discovered
The "ERIAKOS" fraud campaign uses Facebook ads to drive users to more than 600 fake online stores that steal personal and financial information. The counterfeit shops advertise well-known brands at steep discounts and are reachable only from mobile devices, which helps them evade automated security scanners. Researchers at Recorded Future identified the operation and, based on technical footprints such as domain registrars and IP addresses, assess that it originates in China. Although many of the sites have been taken offline, new ones continually replace them, keeping the campaign active. The shops are reachable only through the Facebook ads, which carry large numbers of fake user testimonials to appear legitimate. Facebook has intermittently blocked the ads and related accounts, but the campaign's persistence and adaptation point to deliberate evasion. The infrastructure overlaps with that used by known malware, though direct attribution to this fraud campaign remains unclear. Recorded Future has reported its findings to Meta, and investigations continue.
2024-07-31 13:09:47 thehackernews NATION STATE ACTIVITY North Korea-Linked Malware Campaign Targets Global Developers
The North Korea-linked campaign tracked as DEV#POPPER targets software developers on Windows, Linux and macOS. Victims are lured with fake job interviews that include a coding task delivered via GitHub; the task is a ZIP archive containing malicious npm modules that, once run, launch the BeaverTail malware. BeaverTail fingerprints the operating system, exfiltrates data and fetches further stages, including the InvisibleFerret Python backdoor. Recent variants add more thorough theft of browser data from Chrome and Opera, improved file transfer, and remote desktop access via AnyDesk. Targets have been observed in South Korea, North America, Europe and the Middle East. Researchers note the campaign's evolving social engineering and increasing technical complexity.