Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11839
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-07-31 13:04:18 | theregister | DDOS | Microsoft Fault in DDoS Defense Causes Extended Azure Outage | Microsoft's Azure platform experienced an 8-hour outage due to a DDoS attack that was exacerbated by an error in Microsoft's defensive implementation. The attack was part of a global increase in DDoS attacks, with businesses now facing such disruptions almost monthly. Microsoft applies distinctive strategies against DDoS attacks owing to its global presence and extensive threat intelligence network. Although the defense mechanisms triggered correctly, an implementation error amplified rather than mitigated the impact during the incident. The outage affected various services including Azure App Services, Azure IoT Central, and parts of Microsoft 365 and Microsoft Purview. Microsoft mitigated most of the impact by early afternoon, but the issue wasn't fully resolved until late evening. A preliminary post-incident review is expected soon, with a final report to follow in the coming weeks aimed at preventing similar occurrences. | Details |
| 2024-07-31 11:01:47 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Employ Sophisticated Malware Against Japanese Firms | Chinese nation-state actors, attributed to the APT10 group, are targeting Japanese entities with advanced malware named LODEINFO and NOOPDOOR. Israeli cybersecurity firm Cybereason has tagged the ongoing espionage campaign as "Cuckoo Spear," indicating its stealth and prolonged presence in compromised networks. The malware is used to harvest sensitive information and maintain persistence in victims' networks for up to three years via mechanisms like scheduled tasks. Recent developments reveal the use of anti-analysis techniques in LODEINFO and exploitation of vulnerabilities in public-facing applications to install malware. Earth Kasha and Earth Tengshe, two sub-groups within APT10, have each adapted their tactics, targeting different technologies and using multiple malware types. Alerts from JPCERT/CC and ITOCHU Cyber & Intelligence earlier this year highlight the ongoing risk and evolution of the targeted cyber attacks. The campaign's sophistication includes exploiting unpatched vulnerabilities in products from Array AG, Fortinet, and Proself, marking an escalation in the group's operational capabilities. | Details |
| 2024-07-31 10:46:10 | thehackernews | MISCELLANEOUS | Enhancing Email Security Efficiency with Material Security | Material Security offers solutions intended to improve the efficiency of security teams in handling email threats while saving time. The concept of an "alert budget" is highlighted: the maximum amount of time a team can dedicate daily to threat responses. Material's detection engine aims for high precision and recall, minimizing false positives while ensuring legitimate threats are captured. The system uses techniques like message clustering and automatic remediation to streamline the handling of phishing attacks. Implementing these solutions has led to significant time savings for security operations, with one customer reporting 300 hours saved over three months. Material also optimizes the handling of user-reported phishing, reducing manual effort and enabling immediate protective measures. The article underscores the importance of continued employee vigilance alongside sophisticated detection systems, stressing that AI and machine learning are tools rather than complete solutions. | Details |
| 2024-07-31 10:05:06 | thehackernews | MALWARE | Over 100,000 Malware Apps Target OTP Codes in Global Campaign | Cybercriminals have launched a large-scale malware campaign using over 107,000 Android app samples to intercept one-time passwords (OTPs) for identity fraud. The majority of these malware samples were not found in standard app repositories, highlighting their clandestine distribution through channels like deceptive ads and Telegram bots. Victims span 113 countries, with the highest incidences reported in India, Russia, Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey. The malicious apps request SMS permissions upon installation, then connect to command-and-control servers to exfiltrate the stolen SMS messages containing OTPs. The attackers use the stolen OTPs for various fraudulent activities, including registering online accounts without the phone owner's knowledge. The malware stays hidden on infected devices, continuously monitoring incoming text messages, primarily for OTPs. Cybersecurity researchers have not yet determined the identity of the threat actors involved, though their operations include accepting cryptocurrency payments for services that misuse the stolen data. | Details |
| 2024-07-31 09:39:27 | thehackernews | NATION STATE ACTIVITY | XDSpy Cyber Espionage Targets Russian and Moldovan Companies | A cyber espionage group, XDSpy, has launched phishing attacks on companies in Russia and Moldova. Security firm F.A.C.C.T. identified the campaign, which deploys the DSDownloader malware via infected email attachments. XDSpy, first identified by Belarus's CERT in 2020, has historically focused on government entities in Eastern Europe and the Balkans. The group uses spear-phishing and malware, including a C#-based dropper and a DLL file that executes via DLL side-loading, to infiltrate systems. Recent attacks leverage agreement-themed phishing emails to distribute RAR files containing malicious and legitimate executable files. The campaign is part of a broader increase in cyberattacks in the region since the onset of the Russo-Ukrainian war in 2022. Other Russian hacking groups and pro-Ukrainian hacktivists have also escalated their cyber operations, indicating an intensifying cyber conflict. CERT-UA has reported a rise in phishing activity by other groups like UAC-0057, distributing malware to compromise further systems. | Details |
| 2024-07-31 08:33:08 | theregister | DATA BREACH | UK Electoral Commission Criticized After Major Data Breach | The UK Electoral Commission suffered a significant data breach involving the personal data of approximately 40 million voters due to cybersecurity failings. Chinese state-sponsored attackers exploited vulnerabilities in the Commission's Microsoft Exchange Server, giving them 13 months of undetected access. Failures included ineffective security patching, use of default passwords, and inadequate password management policies. The breach was initially facilitated by the ProxyShell vulnerabilities, which Microsoft had already patched months before the attack began. The Information Commissioner's Office (ICO) issued a formal reprimand rather than a fine, prioritizing improvements over financial penalties. Post-breach improvements by the Electoral Commission, as acknowledged by the ICO, include implementing a modern infrastructure plan and enhanced security measures. Stephen Bonner of the ICO highlighted that the breach could have been prevented with basic security measures and urged organizations to secure their systems to protect personal data. Despite the breach's scale, there has been no evidence of misuse of the stolen data or direct harm to individuals. | Details |
| 2024-07-31 04:38:45 | thehackernews | DATA BREACH | Meta Agrees to $1.4 Billion Texas Settlement Over Privacy Breach | Meta has settled for $1.4 billion with Texas for illegally collecting biometric data without user consent. This settlement marks one of the largest penalties against Meta for privacy violations. The lawsuit stems from Meta's use of facial recognition technology on Facebook without informing users or obtaining the consent mandated by Texas law. The Texas Attorney General emphasized strong action against tech giants that violate privacy and data laws. Meta, while settling, did not admit any wrongdoing related to the allegations. The settlement follows a similar $650 million payment by Meta in Illinois for comparable privacy infringements. Texas has also initiated legal action against Google for violating biometric privacy laws. Meta has discontinued its facial recognition system and deleted extensive user data in response to growing privacy concerns. | Details |
| 2024-07-31 01:35:30 | theregister | MISCELLANEOUS | DigiCert Urges Quick Fix for SSL Certificate Validation Issue | DigiCert identified a critical flaw in its SSL/TLS certificate validation process, linked to a missing underscore in DNS CNAME records. About 0.4% of domain validations could be affected, necessitating urgent certificate replacement to avoid revocation. The issue, originating from a code change first implemented in August 2019, was not caught initially due to inadequate system testing. The validation error breaks compliance with CA/Browser Forum rules, forcing a 24-hour deadline for affected users to reissue certificates. DigiCert's discovery came after a user report, prompting an additional review and a string of corrective actions per CABF guidelines. Customers must generate a new Certificate Signing Request (CSR) and follow DigiCert's outlined steps to reissue their certificates. DigiCert has communicated with all impacted customers and provided support options through account managers and a dedicated hotline. | Details |
| 2024-07-30 21:30:50 | bleepingcomputer | MALWARE | Global SMS Stealing Malware Campaign Targets Android Users | A large-scale malicious operation has infected Android devices across 113 countries, stealing SMS messages and one-time passwords. The malware, spread via Telegram bots and malvertising, impersonates official app download pages to deceive users. Over 107,000 distinct malware samples have been observed, orchestrated by cybercriminals using 2,600 Telegram bots and 13 control servers. Primary victims are found in India, Russia, Brazil, Mexico, and the United States, with motives largely tied to financial gain through phone number exploitation. Compromised devices are likely being used for authentication purposes and to anonymize illegal activities without the owner's consent. The malware fetches OTPs needed for two-factor authentication and transmits them to a centralized API, potentially implicating victims in unauthorized transactions or criminal activities. Zimperium, the cybersecurity firm tracking this malware, advises Android users to only download apps from Google Play and to keep Play Protect enabled. | Details |
| 2024-07-30 20:29:17 | bleepingcomputer | RANSOMWARE | Dark Angels Ransomware Gang Receives Record $75 Million Ransom | A Fortune 50 company has paid a record $75 million ransom to the Dark Angels ransomware gang. This payment surpasses the previous record of $40 million paid by insurer CNA following an Evil Corp attack. The payment details were disclosed in the 2024 Zscaler Ransomware Report and confirmed by Chainalysis via social media. Dark Angels targets large corporations, employing a "Big Game Hunting" strategy to secure significant ransoms. The group started operations in May 2022, originally using Babuk ransomware source code, but later switched to a Linux-based encryptor used by Ragnar Locker. They also operate a data leak site, 'Dunghill Leaks', threatening to release stolen data if their ransom demands are not met. Dark Angels' sophisticated approach involves breaching networks, moving laterally, and obtaining administrative control before deploying ransomware to encrypt all network devices. | Details |
| 2024-07-30 20:23:57 | bleepingcomputer | RANSOMWARE | Dark Angels Ransomware Extorts Historic $75 Million Payment | A Fortune 50 company paid a groundbreaking $75 million ransom to the Dark Angels ransomware gang, the highest on record. The payment surpasses the previous largest known ransom of $40 million paid by CNA to Evil Corp. Zscaler ThreatLabz and crypto intelligence firm Chainalysis confirmed the transaction. Dark Angels, operational since May 2022, employs tactics involving data theft and encryption to gain leverage in ransom negotiations. This ransomware group targets significant, high-value entities, focusing on fewer victims to maximize ransom payments. Details about which Fortune 50 company made the payment remain undisclosed, though speculation points to pharmaceutical giant Cencora. Dark Angels has shifted encryption tools, currently using a Linux encryptor previously utilized by Ragnar Locker. | Details |
| 2024-07-30 19:58:16 | bleepingcomputer | MALWARE | CISA Mandates Fixes for ESXi Bug Exploited in Ransomware Attacks | CISA has directed all U.S. Federal Civilian Executive Branch (FCEB) agencies to patch their VMware ESXi servers due to a vulnerability (CVE-2024-37085) exploited in recent ransomware incidents. The vulnerability was addressed by VMware in its latest ESXi 8.0 U3 update, following its discovery by Microsoft security researchers. CVE-2024-37085 allows attackers who already hold elevated privileges to add a new user with full administrative rights to the 'ESX Admins' group. Despite being rated medium-severity by VMware, the flaw has been actively exploited by ransomware groups like Storm-0506 and Octo Tempest to compromise sensitive data and encrypt systems. It enables unauthorized access to and control over domain-joined hypervisors, leading to data theft, lateral movement within networks, and significant operational disruption. CISA has added the vulnerability to its 'Known Exploited Vulnerabilities' catalog, requiring remediation by August 20 under directive BOD 22-01. Although the directive is specific to federal agencies, CISA strongly recommends that all organizations prioritize this issue to protect against ransomware attacks targeting it. | Details |
| 2024-07-30 19:02:11 | theregister | DATA BREACH | Delta Engages High-Profile Lawyer Over CrowdStrike Outage Losses | Delta Air Lines experienced extensive operational losses estimated at $500 million due to a CrowdStrike service outage on July 19. To address these financial setbacks, Delta hired David Boies of Boies Schiller Flexner, a lawyer known for notable tech sector litigation. The service disruption was linked to a defective Channel File update impacting millions of Windows machines globally, with Microsoft also partially blamed. The U.S. Department of Transportation is investigating Delta following the cancellation of nearly 7,000 flights, which led to an extensive volume of passenger reimbursement requests. CrowdStrike's standard terms and conditions generally limit liability to service fee refunds, but it is uncertain whether Delta negotiated additional coverage. Microsoft and CrowdStrike have not commented extensively on potential litigation or the specifics of the outage. The hiring of a high-profile law firm suggests Delta is exploring significant legal and recovery strategies against both Microsoft and CrowdStrike. | Details |
| 2024-07-30 18:56:48 | bleepingcomputer | MALWARE | Black Basta Ransomware Adapts with New Evasive Custom Tools | Black Basta ransomware has been active since April 2022, with over 500 attacks globally, employing a double-extortion tactic involving data theft and encryption. Following the disruption of the QBot botnet by law enforcement, Black Basta formed new alliances using alternative initial access vectors, including DarkGate and SilentNight malware. The group has developed and deployed custom malware such as DawnCry and DaveShell, along with the PortYard tunneling tool to establish C2 communications. Notable victims in 2024 include Veolia North America, Hyundai Motor Europe, and Keytronic, highlighting the group's continued impact and reach. The threat actors, tracked as UNC4393 by Mandiant, have access to exploits for critical vulnerabilities such as Windows and VMware ESXi flaws. Black Basta's shift from publicly available hacking tools to sophisticated, proprietary malware indicates a significant evolution in its operational tactics. The gang continues to use "living off the land" techniques alongside its custom tools to maintain stealth and operational security. | Details |
| 2024-07-30 17:04:28 | bleepingcomputer | MALWARE | Google Chrome Introduces App-Bound Encryption for Enhanced Security | Google Chrome has implemented app-bound encryption to enhance cookie security on Windows, targeting protection against infostealer malware. The new feature restricts decryption of data to the application to which it was originally bound, preventing access by other applications. App-bound encryption builds on the existing Windows Data Protection API (DPAPI), which only secures data at rest and not against malware actively running on the machine. The key technical detail is a privileged service that verifies the application's identity before encrypting or decrypting data, ensuring only the designated app can access the sensitive information. The protection will be extended to passwords, payment data, and other persistent authentication tokens to further safeguard user data. Google ships this update alongside other recent security measures in Chrome, such as improved download protection and enhanced threat detection. These developments are part of Google's broader effort to combat evolving malware threats and improve system-wide security. | Details |