Daily Brief

Total articles found: 11838

2024-07-30 15:06:27 bleepingcomputer MISCELLANEOUS DigiCert Proactively Revokes TLS Certificates Due to Validation Bug
DigiCert announced the mass revocation of SSL/TLS certificates affecting approximately 0.4% of the domains it validated between August 2019 and June 2024, due to a domain validation error. For CNAME-based Domain Control Verification, the random value DigiCert asks customers to publish in DNS should have carried a leading underscore; without that prefix, the validation label could in principle collide with a real subdomain, so the check did not prove control in the way the rules require. The bug was introduced in a system update in August 2019 and went unnoticed until a review uncovered it in July 2024. All impacted customers are required to log in to their DigiCert CertCentral account, generate a new Certificate Signing Request (CSR), and reissue their certificates within 24 hours, because the CA/Browser Forum (CABF) Baseline Requirements oblige a CA to revoke within 24 hours once it learns that a domain validation cannot be relied upon. DigiCert says it has added safeguards, including a revised random value generation process, to prevent a repeat. Certificates that are not reissued before revocation will stop validating, causing connectivity loss for the affected websites or applications.
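The check the incident hinged on, as an added example (not DigiCert's code): a CNAME-based DCV label must start with an underscore because hostname labels follow the letters-digits-hyphen rule, so an underscore-prefixed label can never be a real subdomain, while a bare random value can. The validation target name and the zone data are constructed for the example.

```python
import re
import secrets

# Hostname labels are letters, digits and hyphens only (the LDH rule), so a
# label that starts with "_" cannot collide with a legitimate subdomain.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Hypothetical CA validation target; the real name is CA-specific.
EXPECTED_TARGET = "dcv.example-ca.invalid"


def new_random_value() -> str:
    """Fresh per-request random value, as a CA would issue for DCV."""
    return secrets.token_hex(16)


def make_dcv_label(random_value: str) -> str:
    """Owner label for the DCV CNAME record, with the mandatory underscore prefix."""
    return "_" + random_value


def could_be_hostname(label: str) -> bool:
    """True if the label is a syntactically valid hostname label (no underscore)."""
    return LDH_LABEL.fullmatch(label) is not None


def check_dcv_record(domain: str, label: str, zone: dict) -> tuple:
    """Validate a DCV CNAME the way a careful CA should.

    zone is a constructed stand-in for DNS lookups: {owner_name: cname_target}.
    Returns (ok, reason).
    """
    if could_be_hostname(label):
        # A label like "deadbeef" is a legal hostname, exactly the bug's case.
        return False, "label could be a real subdomain (no underscore prefix)"
    if not label.startswith("_"):
        return False, "label is malformed for DCV"
    owner = f"{label}.{domain}"
    target = zone.get(owner)
    if target is None:
        return False, f"no CNAME record found at {owner}"
    if target.lower().rstrip(".") != EXPECTED_TARGET:
        return False, f"CNAME at {owner} points to {target}, not {EXPECTED_TARGET}"
    return True, "domain control verified"


if __name__ == "__main__":
    rv = new_random_value()
    # Constructed zone: the correct record and the underscore-less variant.
    zone = {f"_{rv}.example.com": EXPECTED_TARGET, f"{rv}.example.com": EXPECTED_TARGET}
    print(check_dcv_record("example.com", make_dcv_label(rv), zone))
    print(check_dcv_record("example.com", rv, zone))
```

The second call is rejected even though a matching CNAME exists: the point of the prefix is that the CA must refuse to treat a hostname-shaped label as proof of control.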
2024-07-30 14:35:37 theregister CYBERCRIME EvilProxy Phishing Service Exploits Cloudflare in Global Attacks
EvilProxy, dubbed the "LockBit of phishing," is a phishing-as-a-service (PhaaS) platform that drives large monthly phishing volumes while hiding behind legitimate services such as Cloudflare. It lowers the bar for attackers with minimal technical skill, enabling credential theft, ransomware deployment, and business email compromise (BEC) through links that look legitimate. Sold on dark-web marketplaces, the service comes with customer support and tutorial videos on setting up and disguising campaigns. Proofpoint observes roughly one million EvilProxy-related threats per month, with recent campaigns leaning heavily on Cloudflare services to evade automated detection. The threat actors tracked as TA4903 and TA577 have recently adopted EvilProxy, aiming primarily at senior business executives to steal access credentials for follow-on attacks. Proofpoint's data shows that, among organizations hit by a successful phishing attack, 73% went on to suffer BEC and 32% a ransomware infection. Because EvilProxy is an adversary-in-the-middle kit that relays the real login page and captures the resulting session, code-based MFA does not stop it; the recommended defenses are phishing-resistant MFA (FIDO2/WebAuthn), stronger cloud security controls, and persistent user education.
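Why phishing-resistant MFA defeats a reverse-proxy kit like EvilProxy, as an added example (not EvilProxy's or Proofpoint's code): one login ceremony modelled from both sides. The browser writes the origin of the page it is on into the signed client data, so an assertion produced on the proxy's domain fails at the real site, while a one-time code has no such binding. Domain names and the challenge are constructed; the HMAC stands in for the authenticator's asymmetric key to keep the example dependency-free.

```python
import hashlib
import hmac
import json

RP_ORIGIN = "https://login.example.com"              # the real site
PROXY_ORIGIN = "https://login.example-com.invalid"   # assumed phishing proxy

# Stand-in for the registered credential's private key (real authenticators
# sign with an asymmetric key; HMAC keeps this example self-contained).
CREDENTIAL_KEY = b"constructed-credential-secret"


def authenticator_assert(challenge: str, page_origin: str) -> dict:
    """Browser plus authenticator side of navigator.credentials.get().

    The browser, not the page, records the origin of the document that invoked
    the API, and the authenticator signs the hash of that client data. A page
    served by the proxy therefore yields an assertion bound to the proxy's origin.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    )
    digest = hashlib.sha256(client_data.encode()).digest()
    signature = hmac.new(CREDENTIAL_KEY, digest, hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party side: check the signed client data, then the signature."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != expected_challenge:
        return False                      # replay or cross-session relay
    if data.get("origin") != RP_ORIGIN:
        return False                      # ceremony ran on a different origin
    digest = hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
    expected = hmac.new(CREDENTIAL_KEY, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def otp_relay(victim_typed_code: str) -> str:
    """Contrast: a TOTP or SMS code carries no origin, so the proxy forwards it verbatim."""
    return victim_typed_code


def demo() -> tuple:
    """Returns (direct login accepted, proxied login accepted)."""
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"   # constructed challenge value
    direct = authenticator_assert(challenge, RP_ORIGIN)
    relayed = authenticator_assert(challenge, PROXY_ORIGIN)  # proxy forwarded the same challenge
    return rp_verify(direct, challenge), rp_verify(relayed, challenge)


if __name__ == "__main__":
    print(demo())                            # (True, False)
    print(otp_relay("123456") == "123456")   # True: the code works from anywhere
```

The proxy cannot repair the relayed assertion by editing the origin field either, because the signature covers the client data; a real deployment also checks the RP ID hash in the authenticator data, which is omitted here.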
2024-07-30 14:04:44 bleepingcomputer MISCELLANEOUS Evaluating Password Policies with Key Cybersecurity KPIs
Organizations must measure the effectiveness of their cybersecurity investments, password policies included. Password policies should be tied to broader cybersecurity KPIs so their impact can be gauged and strategies adjusted. Suggested success metrics include compliance with standards such as NIST guidance, a reduction in weak passwords, and detection of compromised passwords. Tracking KPIs such as the password reset rate and MFA adoption provides insight into systemic weaknesses and user behaviour. Regular auditing with tools such as Specops Password Auditor helps detect and address security gaps. Privileged accounts get the highest priority, with dedicated KPIs for privilege management. Effective MFA implementation is measured by adoption rates, authentication success rates, and the ability to prevent bypass attempts. The article underscores proactive security management as the way to prevent data breaches and unauthorized access.
2024-07-30 13:06:22 thehackernews MALWARE Sophisticated Mandrake Spyware Detected in Google Play Store Apps
A new version of the Android spyware Mandrake was found embedded in five Google Play Store applications, where it went undetected for two years. The apps accumulated over 32,000 installs, mostly in Canada, Germany, Italy, and the U.K. The spyware uses heavy obfuscation and evasion, including moving the malicious logic into native libraries and pinning the certificate of its command-and-control server. Its capabilities include harvesting information about the device's state and environment and executing remote operations such as screen sharing and data wiping. Mandrake runs as a multi-stage chain: a dropper downloads and executes the core component, which then collects device data and carries out the operator's commands. Russian security firm Kaspersky highlighted Mandrake's evolving techniques for bypassing newer Android security features, an illustration of the continuing arms race between malware authors and platform defenses. Google said it is strengthening Google Play Protect, which can also warn about or block known versions of the malware when an app is sideloaded.
2024-07-30 12:04:48 bleepingcomputer DATA BREACH UK Electoral Commission Suffers Major Data Breach Due to Unpatched Server
The UK Electoral Commission suffered a data breach in August 2021 after attackers exploited unpatched Microsoft Exchange Server vulnerabilities. The intrusion used the ProxyShell chain, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Attackers accessed the personal data of approximately 40 million people, including details not otherwise publicly available. The Information Commissioner's Office (ICO) criticized the Commission for inadequate security measures and weak password policies. Although Microsoft had released patches in April and May 2021, the Commission had not applied them, leaving the servers exposed. The ICO issued a reprimand but has found no evidence so far that the accessed data was misused. The breach coincided with similar attacks worldwide attributed to Chinese state-sponsored groups, suggesting a related campaign.
2024-07-30 11:28:50 thehackernews CYBERCRIME Exploitation of RMM Tools by Cybercriminals Unveiled
Remote monitoring and management (RMM) tools let IT staff administer networks remotely, but attackers abuse them to gain and keep unauthorized access. Cybercriminals rely on "living off the land", moving through a network stealthily with the same legitimate IT tools its administrators use. In one real-world case, a remote-access tool named KiTTY, a modified version of the PuTTY SSH client, was used to establish reverse tunnels that exposed internal servers to the attacker. Varonis' investigation lays out the intrusion methods and the security gaps involved and draws defensive lessons against RMM abuse. Suggested strategies include enforcing application control policies, continuously monitoring RMM activity, and running sustained user training and awareness programs. The piece closes by noting that new technology brings both opportunities and threats, so robust controls around critical data and systems remain essential. Varonis offers a free Data Risk Assessment to help organizations evaluate their posture and plan remediation.
2024-07-30 11:18:26 theregister CYBERCRIME Ransomware Groups Exploit ESXi Flaw to Dominate Hypervisors
CVE-2024-37085, a serious vulnerability in VMware ESXi, lets an attacker with certain Active Directory privileges take full administrative control of a domain-joined hypervisor, and it is being actively exploited by major ransomware gangs. The root cause is that ESXi grants full admin rights to any AD group named "ESX Admins" without validating it, so creating a group with that name, or renaming an existing one to it, instantly yields hypervisor administrator access and with it data theft, lateral movement, and disruption. Many organizations integrate ESXi with Active Directory for management convenience, which widens the exposure. Broadcom has released patches, but its handling of the disclosure and the slow initial updates drew criticism of its commitment to security. Microsoft observed several ransomware operators exploiting the flaw, a sign that ESXi has become a prime target for financially motivated crime. Microsoft urges all ESXi users to apply the patches and tighten credential security to limit the risk and to catch exploitation that is otherwise silent.
2024-07-30 11:07:59 thehackernews MALWARE Phishing Campaigns Target Polish SMBs With Multiple Malware Families
Cybersecurity experts have observed extensive phishing attacks on small and medium-sized businesses in Poland during May 2024, involving malware such as Agent Tesla, Formbook, and Remcos RAT. These campaigns also affected other European countries like Italy and Romania, with attackers leveraging compromised email accounts and company servers for distributing malicious emails and hosting malware. A key feature of these attacks is the use of a malware loader called DBatLoader to distribute the final malware payloads, shifting from previously used cryptors-as-a-service like AceCryptor. The attacks typically began with phishing emails that contained malware-laced RAR or ISO attachments, which upon execution initiated the download and installation of the trojan. DBatLoader, a Delphi-based downloader, is utilized predominantly to fetch and execute subsequent stage malware from sources such as Microsoft OneDrive or servers of legitimate entities. The deployed malware variants—Agent Tesla, Formbook, and Remcos RAT—are designed to extract sensitive information, setting the stage for further malicious activities. The increasing focus on SMBs by cybercriminals is attributed to their generally weaker cybersecurity postures and limited resources, which make them attractive targets.
2024-07-30 10:52:27 thehackernews CYBERCRIME Insights into the Cybercriminal Underground and Threat Intelligence
Cybersixgill's annual "State of the Underground 2024" report details the cybercrime trends and threat actor behaviours observed on the deep and dark web during 2023. It focuses on the tactics, techniques, and technologies cybercriminals use worldwide and argues that deep and dark web threat intelligence is needed to prevent attacks. Criminals use these forums and markets to exchange tools, information, and services, so knowledge of them matters for organizations trying to improve their defenses. Underground sites are hard to reach: they are not indexed and require specific URLs, and they often host illicit material including stolen data and malware. The accompanying webinar, "Inside the mind of a hacker", walks through the psychological and technical strategies attackers use, mapping the stages of a successful intrusion onto the Cyber Kill Chain framework. The research also describes Wholesale Access Markets (WAMs), which sell access to compromised machines for as little as $10, a cheap entry point into enterprise networks. Cybersixgill's analysis shows these listings can also reveal an enterprise's exposure: a compromised machine whose saved logins include enterprise applications is especially telling. By monitoring underground activity, organizations can defend proactively against threats that would otherwise catch them by surprise.
2024-07-30 07:33:49 thehackernews NATION STATE ACTIVITY SideWinder Group Expands Cyber Espionage to Global Maritime
The SideWinder nation-state threat actor is targeting maritime facilities in the Indian Ocean and Mediterranean regions. Spear-phishing campaigns have hit multiple countries including Pakistan, Egypt, and Sri Lanka. The group, believed to be affiliated with India, uses spear-phishing emails, malicious documents, and DLL side-loading to deliver malware. Lures use emotionally charged topics such as sexual harassment and salary cuts to get victims to open malicious Microsoft Word documents. The documents exploit older Microsoft Office vulnerabilities to run shellcode, which in turn loads a JavaScript-based next stage. Based on SideWinder's previous operations, the motive is assessed to be intelligence gathering. BlackBerry's analysis finds SideWinder continuously upgrading its infrastructure and tooling, pointing to ongoing and future threats.
2024-07-30 06:47:44 thehackernews MALWARE New Phishing Attack Targets OneDrive Users with Malicious Script
Cybersecurity researchers have identified a phishing campaign, dubbed OneDrive Pastejacking, aimed at Microsoft OneDrive users. The lure is an HTML email attachment that mimics a OneDrive error page and tells the user that a DNS cache problem must be fixed manually. Clicking "How to fix" copies a Base64-encoded PowerShell command to the clipboard and instructs the user to open a PowerShell terminal and paste it; running it downloads and executes the malicious payload. Victims span multiple countries, including the U.S., South Korea, Germany, and the U.K., suggesting broad targeting. The technique combines a fake error message, a convincing imitation of a legitimate troubleshooting page, and social engineering that gets the victim to launch the attack themselves, so no exploit or macro is needed. Related findings from several security firms show similar paste-to-run tactics spreading across various secure email gateways and platforms. Threat actors keep refining ways to bypass security measures and deliver malware, so vigilance and layered defenses remain essential.
2024-07-30 06:32:09 theregister CYBERCRIME Massive Phishing Campaign Exploits Proofpoint Email Security Flaw
An extensive phishing campaign abused a weakness in Proofpoint's email relaying to send out three million spoofed emails a day that appeared to come from companies such as Disney and IBM. The messages passed Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks because they were routed through the impersonated companies' own Proofpoint servers, which signed and relayed them as genuine. Recipients were tricked into visiting malicious sites and entering credit card details to "renew" subscriptions at a discount, then hit with exorbitant charges. At its peak the campaign sent up to 14 million fraudulent emails in a single day. Guardio Security identified the technique, dubbed "EchoSpoofing", and worked with Proofpoint on mitigation; the root cause was an overly permissive Microsoft 365 integration in Proofpoint's service that let any Microsoft 365 tenant, not just the customer's own, relay mail through the customer's Proofpoint server. No Proofpoint customer data was exposed and no data loss occurred, although attacker-controlled Microsoft 365 accounts were used to feed the spam. Proofpoint has since changed its systems so that only Microsoft 365 tenants a customer explicitly authorizes can relay messages through it. Proofpoint and Guardio are still working to get the abused Microsoft tenants shut down, some of which remain active.
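The permissive relay rule the campaign abused beside the corrected one, as an added example (not Proofpoint's or Guardio's code): relay and sign only mail whose originating Microsoft 365 tenant the customer has explicitly authorized, identified by the X-OriginatorOrg header that Exchange Online stamps on outbound mail. The customer domain, tenant names and messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed allow list: customer domain -> tenants it has authorized to relay.
AUTHORIZED_TENANTS = {
    "example.com": {"example.onmicrosoft.com"},
}
CUSTOMER_DOMAINS = set(AUTHORIZED_TENANTS)


def _from_domain(msg) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def relay_permissive(msg) -> bool:
    """Weak rule: anything from Microsoft 365 claiming a customer domain is relayed
    and DKIM-signed, which is what let an outside tenant echo spoofed mail."""
    return _from_domain(msg) in CUSTOMER_DOMAINS


def relay_strict(msg) -> bool:
    """Corrected rule: the originating tenant must be on the customer's allow list."""
    tenant = (msg.get("X-OriginatorOrg") or "").strip().lower()
    return tenant in AUTHORIZED_TENANTS.get(_from_domain(msg), set())


def parse(raw: str):
    return email.message_from_string(raw, policy=policy.default)


# Constructed messages: a spoof from an attacker tenant, a genuine message from
# the customer's tenant, and mail for a domain the service does not handle.
SPOOFED = parse("""\
From: "Example Billing" <billing@example.com>
To: victim@target.invalid
Subject: Your subscription renews today
X-OriginatorOrg: attacker-tenant.onmicrosoft.com

Renew now at a discounted rate.
""")

LEGIT = parse("""\
From: "Example Billing" <billing@example.com>
To: customer@target.invalid
Subject: Your invoice
X-OriginatorOrg: example.onmicrosoft.com

Invoice attached.
""")

OUTSIDER = parse("""\
From: someone@unrelated.invalid
To: victim@target.invalid
Subject: hello
X-OriginatorOrg: attacker-tenant.onmicrosoft.com

hi
""")

if __name__ == "__main__":
    for name, m in (("spoofed", SPOOFED), ("legit", LEGIT), ("outsider", OUTSIDER)):
        print(name, "permissive:", relay_permissive(m), "strict:", relay_strict(m))
```

The spoofed message is the instructive case: SPF and DKIM would both pass downstream because the relay signs it, so the only place to stop it is the relay's own authorization check.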
2024-07-30 04:24:52 thehackernews MALWARE Exploited VMware ESXi Flaw Enables Ransomware Groups Admin Access
Multiple ransomware groups are exploiting a flaw in VMware ESXi hypervisors, CVE-2024-37085, to gain administrator privileges and deploy malware. The vulnerability is an Active Directory integration bypass: a domain-joined ESXi host grants full admin rights to any AD group named "ESX Admins" without checking it, so an attacker who can create or rename a group escalates to hypervisor administrator. Recent attacks attributed to Storm-0506, Octo Tempest, and Manatee Tempest deployed strains including Akira and Black Basta. In one documented intrusion, initial access came from a QakBot infection, followed by exploitation of a Windows vulnerability (CVE-2023-28252) to escalate privileges. The attackers deployed Cobalt Strike, used Mimikatz to steal credentials, and set up persistence with SystemBC before moving laterally. RDP brute-forcing and tampering with Microsoft Defender Antivirus were also observed, showing sustained effort to keep access and evade detection. The speed with which ransomware operators adopt new techniques underscores the need for robust defenses. Businesses are urged to patch promptly, enforce strong credential and authentication practices, and maintain comprehensive monitoring and backups.
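The hunt implied by this item and the earlier ESXi item above, as an added example (not Microsoft's or Broadcom's code): the abuse leaves ordinary Windows Security events on the domain controller, namely 4727 (security-enabled global group created), 4781 (account renamed) and 4728 (member added to a security-enabled global group), filtered for the group name "ESX Admins". The event records are constructed; the name is matched case-insensitively as a conservative choice.

```python
ESX_ADMINS = "esx admins"   # ESXi's trusted group name, normalized for matching

# Constructed Windows Security events (not real telemetry).
EVENTS = [
    {"EventID": 4727, "TimeCreated": "2024-07-29T02:10:11Z", "SubjectUserName": "jdoe",
     "TargetUserName": "Finance-Readers"},
    {"EventID": 4727, "TimeCreated": "2024-07-29T02:41:03Z", "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins"},
    {"EventID": 4781, "TimeCreated": "2024-07-29T02:42:15Z", "SubjectUserName": "svc-backup",
     "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins"},
    {"EventID": 4728, "TimeCreated": "2024-07-29T02:43:00Z", "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=invalid"},
    {"EventID": 4728, "TimeCreated": "2024-07-29T03:00:00Z", "SubjectUserName": "jdoe",
     "TargetUserName": "Finance-Readers", "MemberName": "CN=alice,OU=Users,DC=corp,DC=invalid"},
]


def _norm(name) -> str:
    return (name or "").strip().lower()


def esx_admins_findings(events) -> list:
    """Return (timestamp, event_id, actor, description) for each relevant event."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "?")
        if eid == 4727 and _norm(ev.get("TargetUserName")) == ESX_ADMINS:
            desc = "security-enabled global group 'ESX Admins' created"
        elif eid == 4781 and _norm(ev.get("NewTargetUserName")) == ESX_ADMINS:
            desc = f"group '{ev.get('OldTargetUserName')}' renamed to 'ESX Admins'"
        elif eid == 4728 and _norm(ev.get("TargetUserName")) == ESX_ADMINS:
            desc = f"member {ev.get('MemberName')} added to 'ESX Admins'"
        else:
            continue
        findings.append((ev.get("TimeCreated"), eid, actor, desc))
    return findings


def actors_to_review(events) -> set:
    """Accounts that touched the group; each one's credentials deserve a look."""
    return {actor for _, _, actor, _ in esx_admins_findings(events)}


if __name__ == "__main__":
    for finding in esx_admins_findings(EVENTS):
        print(*finding)
    print("review:", actors_to_review(EVENTS))
```

A finding here should be correlated with logons to the ESXi hosts themselves. On the hypervisor side, Broadcom's advisory for this CVE documents advanced settings that remove the implicit trust (Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd, set to false, and Config.HostAgent.plugins.hostsvc.esxAdminsGroup, renamed to a group you control), which are worth setting alongside the patch.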
2024-07-30 02:33:04 theregister NATION STATE ACTIVITY Malaysia Proposes Internet Kill Switch and Licensing for Platforms
Malaysia’s Law and Institutional Reform Minister announced plans to introduce legislation for an internet "kill switch" to Parliament in October, aimed at enhancing digital security. The proposed law will set guidelines on when and how the government can block internet access, though specific scenarios remain undefined. The government is also pushing for social media providers and messaging services to take greater responsibility for preventing online crimes, including fraud and cyberbullying. Controversially, starting January 2025, social media platforms and online messaging platforms must secure a license if they have over eight million Malaysian users to operate legally. The Malaysian Communications and Multimedia Commission claims the licensing requirement will help create a safer online environment, particularly for children and families. International human rights groups, including Article 19, have criticized the licensing requirement as an overreach of power and a threat to public participation in democracy. The country will host a conference in September with global academics and industry experts to discuss online harms and regulatory strategies.
2024-07-29 22:34:11 bleepingcomputer MALWARE Android Spyware 'Mandrake' Infects Thousands via Google Play
Mandrake, a sophisticated Android spyware, was found in five apps on Google Play that were downloaded 32,000 times, mainly in Canada, Germany, Italy, and the UK. The first stage hides in a native library to evade detection, then decrypts and loads the additional payloads that carry out the malicious activity. The spyware requests permissions under false pretenses, enabling everything from data collection to simulated user interactions. Communication with the command-and-control server is encrypted and certificate-pinned, and only devices the operators deem suitable receive the core component. The threat actors also used deceptive notifications imitating Google Play to entice users into installing further malicious files. Mandrake evades security tools and checks device integrity to tailor its behaviour. After discovery, the apps carrying Mandrake were removed from Google Play, though a return under new, stealthier apps remains a concern. Android users are advised to install apps only from trusted publishers, scrutinize permissions, and keep Play Protect active.