Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11832

Checks for new stories every ~15 minutes

2024-07-24 00:35:48 theregister MISCELLANEOUS Philippines Shuts Down Online Gambling to Curb Scams and Crime
The Philippine government has ordered the cessation of Philippine Offshore Gaming Operators (POGOs) by year's end, a move announced by President Ferdinand "Bongbong" Marcos Jr. POGOs, which serve mostly players outside the Philippines, particularly in mainland China where gambling is banned, have been implicated in illegal activities including financial scams, money laundering, and human trafficking. President Marcos cited both economic costs and severe criminal activities as reasons for the shutdown during his State of the Nation address. In a recent raid in Tarlac province, police rescued 875 workers from various countries, uncovering illegal operations including romance scams. The POGO industry was estimated to generate significant revenue for the Philippines but was also associated with substantial financial losses due to its illegal activities and reputational damage. Currently, Philippine authorities have canceled licenses for 298 POGOs, and efforts are ongoing to curb illegal gaming operations that persist despite the shutdown. The Philippine Department of Labor and Employment will aid Filipinos displaced from POGO jobs, acknowledging that the total ban will not completely eliminate the associated problems. The government emphasizes continued vigilance against illegal gaming operations that might continue underground or morph into other forms of criminal enterprises.
2024-07-23 23:34:30 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Utilize Updated Malware in Espionage Campaigns
Evasive Panda, a Chinese hacking group, has been deploying updated versions of its Macma macOS backdoor and Nightdoor Windows malware. The attacks targeted organizations in Taiwan and an American NGO in China, with initial access in at least one case gained by exploiting a flaw in an Apache HTTP server. Symantec's investigation shows that Evasive Panda has reworked its modular malware framework, MgBot, to evade detection. Earlier campaigns delivered MgBot through Tencent QQ software updates, via either a supply chain compromise or an adversary-in-the-middle position on the update traffic. The latest Macma versions contain enhancements and share code with other tools in Evasive Panda's arsenal, indicating a single in-house development effort. Nightdoor, used alongside it, retrieves payloads from OneDrive and employs anti-VM checks to avoid analysis. The group's toolkit covers not only macOS and Windows but also Linux, Android, and Solaris. Evasive Panda has conducted both domestic and international espionage and has been active since at least 2012.
2024-07-23 22:43:31 bleepingcomputer MALWARE Malware Campaign Targets 250 Million Hamster Kombat Players
Threat actors are exploiting the popularity of the mobile clicker game Hamster Kombat, targeting its 250 million-strong player base with spyware and information-stealing malware. Fake Android and Windows apps related to the game trick players into installing malicious software, including the Ratel Android spyware and Lumma Stealer for Windows. The genuine Hamster Kombat game is only available via Telegram, not through any official app store, which makes it easier for players to encounter and install malicious copies. Cybercriminals distribute the malware through clone apps on Google Play, fake Telegram channels, and malicious GitHub repositories. The Android spyware's capabilities include intercepting SMS, hiding notifications, redirecting users to revenue-generating ads, and subscribing them to premium services without consent. ESET researchers warn players to download the game only from the official Telegram channel and to treat unverified sources with caution. No security audit or official whitepaper has been released for the game, despite its massive user base and its ties to cryptocurrency earnings.
2024-07-23 20:56:40 theregister MISCELLANEOUS CrowdStrike Update Causes Global Windows System Failures
Last week, a CrowdStrike Falcon platform update crashed 8.5 million Windows systems worldwide. The disruption hit major logistics operations, causing global flight and shipping delays. The issue was traced to a malformed configuration file for the Falcon sensor, which triggered a BSOD (Blue Screen of Death) on affected Windows devices. CrowdStrike identified the problematic file as a Channel File, one of the frequently updated configuration files the sensor uses to detect and respond to threats. Experts speculate that the malformed Channel File caused the kernel-mode sensor to perform an invalid memory access, which crashes the system. CrowdStrike CEO George Kurtz has been called to testify before Congress about the incident. The situation highlights significant gaps in quality assurance and the danger of pushing updates to an entire fleet at once without adequate testing. Recommendations include gradual rollout strategies such as Google's canary releases, so that a bad update is caught on a small population before it reaches everyone.
2024-07-23 20:10:41 bleepingcomputer CYBERCRIME DeFi Crypto Exchange dYdX v3 Hit by DNS Hijack Attack
Decentralized finance (DeFi) crypto exchange dYdX's v3 trading platform website was compromised through a DNS hijack. Users were advised not to visit or interact with dydx[.]exchange and to avoid withdrawing assets until the platform was declared safe. The attackers redirected the domain to a phishing site that attempts to drain wallets by asking users to approve misleading transactions. The incident is linked to a wave of DNS hijacking attacks on DeFi platforms whose domains are managed through the Squarespace registrar. Despite the DNS compromise, the smart contracts and funds on the dYdX v3 platform remain secure and uncompromised. DNS resolution has been partially restored, but lingering caching means some users may still be served the malicious records. The breach coincides with reports that dYdX Trading is negotiating the sale of its v3 software to potential buyers.
2024-07-23 19:29:24 bleepingcomputer DATA BREACH BreachForums Member Data Leaked by Hacktivist Emo
BreachForums v1's member database from November 2022 has been leaked, exposing the details of 212,414 users. The data was initially sold by the forum's creator, Conor Fitzpatrick, and later leaked by a threat actor known as Emo. Fitzpatrick established BreachForums after the FBI seized RaidForums, and the site has since gone through multiple versions and admin changes. Fitzpatrick was arrested in January 2024 for allegedly attempting to sell the database while on bail, in violation of his pretrial release conditions. The leaked data includes user IDs, usernames, email addresses, registration IPs, and last-access IPs, which are valuable for tracking threat actor activity. The data has been provided to the Have I Been Pwned service so that affected users can be notified. The incident highlights the ongoing risk of participating in hacking forums and the importance of robust digital identity protection.
2024-07-23 17:37:23 bleepingcomputer MALWARE FrostyGoop Malware Leaves Hundreds Cold in Ukraine Cyberattack
FrostyGoop, a malware strain built to interact with industrial control systems, was used in a cyberattack in Lviv, Ukraine, that disrupted heating for over 600 buildings. The attack occurred during extreme winter conditions, leaving residents without heat for nearly two days. The attackers used the Modbus TCP protocol to manipulate the heating controllers directly. Investigation revealed that they had breached the network nearly a year earlier by exploiting a vulnerability in an Internet-exposed router. Dragos, the cybersecurity firm that identified and analyzed the malware, noted its overlap with previous attacks by Russian groups. The incident highlights how exposed critical infrastructure remains and how purpose-built, protocol-specific ICS malware is becoming. Dragos recommends that industrial organizations implement the SANS 5 Critical Controls for operational technology.
2024-07-23 17:31:54 theregister MALWARE Critical Systems Disrupted by CrowdStrike Signature Update Issue
A recent CrowdStrike update caused widespread system crashes globally, with Windows systems entering Blue Screen of Death boot loops after a signature file update. Administrators were caught off guard: they believed their sensor update policies of running one or two versions behind (N-1 or N-2) would protect them, but those policies apply only to the sensor, not to the signature files. The signature file that caused the disruption was pushed to every customer on July 18th, bypassing the staged deployment settings many CrowdStrike customers had configured. Users reported a lack of clarity and communication from CrowdStrike, with vital information slow to arrive and available mainly to major partners or behind a login-walled portal. The incident highlights a standing dilemma in security operations: malware definitions need to reach endpoints quickly, but every push carries the risk of destabilizing the systems it protects. Sharon Martin, CEO of Managed Nerds, expressed severe dissatisfaction with CrowdStrike, saying she would rather face ransomware than keep using CrowdStrike if it were the only option left. Security experts and analysts stress the importance of effective staging and disaster planning for updates, especially when different components of a product, such as the sensor software and its signature files, are updated on different schedules.
2024-07-23 17:11:18 theregister CYBERCRIME Safeguarding AI Systems: Effective Cybersecurity Webinar
Representatives from Intel, DETASAD, Juniper Networks, and Arqit will discuss AI cybersecurity in a webinar on July 30. The discussion will focus on the need for robust security frameworks as AI systems become essential across sectors such as finance, telecom, and smart cities. Speakers will address the variety and increasing frequency of attacks that specifically target AI systems. Key topics include industry-specific susceptibility to AI threats and how disparities in awareness affect the security measures organizations adopt. The webinar will also cover best practices, regulatory updates, and recommended controls from the participating vendors. Attendees will learn practical strategies for protecting AI systems through secure data storage, comprehensive encryption, and continuous monitoring. Case studies on data poisoning, adversarial attacks, and model theft will illustrate the real-world impact of these threats.
2024-07-23 16:35:22 bleepingcomputer DATA BREACH Verizon Settles for $16 Million After TracFone Data Breaches
Verizon Communications has agreed to a $16 million settlement with the FCC over three data breaches at its subsidiary TracFone Wireless, which Verizon acquired in 2021. The breaches spanned two years; TracFone self-reported the first in January 2022, by which point the unauthorized access had been ongoing for about a year. The attackers exploited authentication weaknesses to reach sensitive customer data, including personally identifiable information and customer proprietary network information. Subsequent breaches involved TracFone's order websites, where threat actors accessed order information by exploiting a website vulnerability using two different methods. As part of the settlement, TracFone must implement enhanced data security measures by February 28, 2025. The number of affected customers and the exact nature of the data accessed remain undisclosed, as those details are redacted in the public consent decree.
2024-07-23 15:18:55 theregister CYBERCRIME Typosquatting Rises Amid CrowdStrike Recovery Efforts
Typosquatting domains have surged since the CrowdStrike outage, targeting IT administrators with extortion and phishing schemes. Security firm SentinelOne reports a daily increase in such domains, which mimic trusted sites using small typographical variations of the legitimate domain name. Observed tactics include selling fraudulent CrowdStrike "fixes" at hefty prices and phishing lures that deliver malware such as remote access trojans disguised as software patches. Despite the high prices and suspicious domain names, the campaigns continue, suggesting that some victims are paying. CrowdStrike has issued warnings and guidance urging customers to use official channels for communication and to follow only verified technical advice. The company continues to update its remediation methods and has set up a dedicated web page for official recovery guidance.
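Typosquats of the kind described above (one-character slips on a brand label, a swapped top-level domain, or the brand combined with a lure word like "fix") can be flagged mechanically by generating the one-edit neighbourhood of the brand and matching it against a newly-registered-domain list. The following is an added example, not code from The Register, SentinelOne or CrowdStrike; the domain list is constructed for the illustration and the lure-keyword set is an assumption.

```python
"""
Added example: generate one-edit typosquat candidates for a brand domain and
match them against a list of domains (for instance a newly-registered-domain
feed). Sample domains below are constructed for the example, not observed.
"""
import string

ALPHABET = string.ascii_lowercase + string.digits + "-"

# Lure words seen in support-themed phishing; the set is an assumption.
LURE_KEYWORDS = ("fix", "patch", "bsod", "recovery", "update", "bluescreen")


def typosquat_candidates(label: str) -> set[str]:
    """All labels within one edit of `label`: omission, doubled character,
    substitution, insertion and adjacent transposition. The original label
    itself and labels that are invalid DNS labels are excluded."""
    out: set[str] = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                 # omission
        out.add(label[:i] + label[i] + label[i:])          # doubled char
        for c in ALPHABET:
            out.add(label[:i] + c + label[i + 1:])         # substitution
    for i in range(len(label) + 1):
        for c in ALPHABET:
            out.add(label[:i] + c + label[i:])             # insertion
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    out.discard(label)
    return {s for s in out if s and not s.startswith("-") and not s.endswith("-")}


def match_domains(brand: str, domains) -> list[tuple[str, str]]:
    """Return (domain, reason) pairs for domains that look like squats of
    `brand` (e.g. "crowdstrike.com"). Only the first label is compared, so
    "crowdstrike-fix.com" and "crowdstrlke.net" are both examined."""
    label, _, brand_tld = brand.lower().partition(".")
    cands = typosquat_candidates(label)
    hits = []
    for d in domains:
        d = d.lower().rstrip(".")
        sld, _, tld = d.partition(".")
        if sld in cands:
            hits.append((d, "one-edit typosquat"))
        elif sld == label and tld != brand_tld:
            hits.append((d, "tld swap"))
        elif sld != label and label in sld and any(k in sld for k in LURE_KEYWORDS):
            hits.append((d, "brand + lure keyword"))
    return hits


# Constructed sample list standing in for a newly-registered-domain feed.
SAMPLE_DOMAINS = [
    "crowdstrike.com",            # the real domain: must not be flagged
    "crowdstrlke.com",            # i -> l substitution
    "crowdstirke.com",            # transposition
    "crowstrike.net",             # omitted character
    "crowdstrike.co",             # TLD swap
    "crowdstrike-bsod-fix.com",   # brand plus lure keyword
    "crowdstrikebluescreen.com",  # brand plus lure keyword
    "microsoft.com",              # unrelated
]

if __name__ == "__main__":
    for domain, reason in match_domains("crowdstrike.com", SAMPLE_DOMAINS):
        print(f"{domain:30} {reason}")
```

The candidate set for an 11-character label is a few hundred strings, small enough to keep in memory and intersect against a daily feed; matching on the first label only is deliberate, since squatters register across many TLDs.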
2024-07-23 14:38:01 theregister MISCELLANEOUS Wiz Rejects Alphabet's $23B Takeover Bid, Eyes IPO
Alphabet's $23 billion acquisition offer for cybersecurity firm Wiz has been declined; Wiz intends to pursue an IPO and reach $1 billion in annual recurring revenue. Wiz CEO Assaf Rappaport called the decision difficult but expressed confidence in the company's team. The deal could also have faced regulatory hurdles given the antitrust scrutiny Alphabet already faces, particularly over its dominant search business. The outcome fits a broader pattern of big tech acquisitions being scrutinized or abandoned under regulatory pressure, as with Adobe's dropped Figma takeover. Wiz has grown rapidly, relocating its headquarters to New York, and was valued at $12 billion in May after raising $1 billion. The company also acquired Gem Security earlier this year, consistent with a strategy of strengthening its position through its own acquisitions rather than merging into a larger entity like Alphabet. Rappaport predicted earlier in the year that this would be a year of consolidation in the cybersecurity sector.
2024-07-23 14:32:38 bleepingcomputer MALWARE Fake CrowdStrike Manual Spreads New Daolpu Information Stealer
CrowdStrike's recent Falcon update caused major IT outages globally, and malicious actors quickly moved to exploit the situation. Phishing emails are circulating that offer a fake Windows recovery tool purporting to address the Falcon-induced crashes but actually installing the Daolpu information stealer. The lure is a document styled as a Microsoft support bulletin; its macros download and execute a malicious DLL. Daolpu harvests account credentials, browser history, and authentication cookies from browsers including Chrome, Edge, Firefox, and Cốc Cốc, stages the stolen data in a temporary file, and then sends it to a command-and-control server. CrowdStrike has issued a warning and provided detection guidance to help users identify and mitigate the threat. The incident underscores how rapidly cybercriminals turn current events into phishing and malware distribution campaigns.
2024-07-23 12:30:11 thehackernews NATION STATE ACTIVITY Chinese State-Sponsored Hackers Utilize Upgraded Malware Against Taiwan, US NGO
Beijing-affiliated hacker group Daggerfly (also tracked as Evasive Panda) targeted organizations in Taiwan and a U.S.-based NGO in China using an updated set of malware tools. Daggerfly exploited an Apache HTTP server vulnerability to deliver its MgBot malware, continuing a long-running espionage effort. The group, operational since 2012, refreshed its toolset after public exposure so that it could continue intelligence collection with minimal disruption. The attacks featured new malware families, including an improved version of the Apple macOS backdoor MACMA, which harvests sensitive information and executes commands. MACMA, linked to Daggerfly through source code shared with MgBot, was first documented by Google TAG in 2021, when it was delivered through watering-hole sites that exploited Safari and macOS flaws against visitors in Hong Kong. Another tool, Nightdoor, uses the Google Drive API for command and control and has been used against Tibetan users in watering-hole attacks. Symantec's findings underscore Daggerfly's ability to build malware for a range of operating systems, including Android and Solaris. The report arrives amid accusations by China's CVERC that U.S. intelligence fabricated the China-nexus espionage group Volt Typhoon as part of a misinformation campaign.
2024-07-23 10:58:18 thehackernews MALWARE New ICS Malware 'FrostyGoop' Disrupts Ukrainian Energy Firm
FrostyGoop, a new ICS malware strain, was used against a Ukrainian energy company, causing a significant service disruption in Lviv. Identified by Dragos in April 2024, FrostyGoop speaks Modbus TCP directly to devices on the OT network. The malware runs on Windows systems that can reach ENCO controllers over TCP port 502. Its capabilities include reading, writing, and modifying values in the controllers' holding registers. It takes its targets from JSON configuration files and logs its actions in JSON for later review. The attack in January left over 600 apartment buildings without heating for nearly 48 hours. Initial access was likely gained through a vulnerability in MikroTik routers exploited in April 2023. Dragos stresses the importance of strengthening cybersecurity frameworks to protect critical infrastructure from such risks.
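The behaviour described in the two FrostyGoop items above, a Windows host issuing Modbus TCP reads and writes to holding registers on TCP/502, is detectable on the wire because Modbus carries no authentication and the function code of every request is in cleartext. The following is an added example, not Dragos's tooling or any code from the articles: a minimal parser for the Modbus/TCP MBAP header and PDU, plus a rule that alerts on register writes from any host other than an expected engineering station. The frames and IP addresses are constructed for the example and the allow-list is an assumption.

```python
"""
Added example: parse Modbus/TCP requests and alert on holding-register writes
from hosts that are not expected to write. Frames below are constructed, not
captured from any incident.
"""
import struct
from dataclasses import dataclass

# Function codes that change device state; FrostyGoop is described as reading
# and writing holding registers, so 0x06 and 0x10 are the ones to watch.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Hosts allowed to write to controllers (assumed HMI / engineering station).
ALLOWED_WRITERS = {"10.0.5.10"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_addr: int
    values: list[int]   # quantity for reads, register value(s) for writes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse a request-direction frame: 7-byte MBAP header followed by the PDU.
    Raises ValueError on frames that do not match the Modbus/TCP layout."""
    if len(payload) < 8:
        raise ValueError("short MBAP frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    if length != len(payload) - 6:          # length covers unit id + PDU
        raise ValueError("MBAP length field does not match payload")
    pdu = payload[7:]
    func = pdu[0]
    if func in (0x03, 0x04, 0x06):          # addr + quantity/value
        start, qty_or_val = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(tid, unit, func, start, [qty_or_val])
    if func == 0x10:                        # addr + qty + bytecount + values
        start, qty, bytecount = struct.unpack(">HHB", pdu[1:6])
        if bytecount != 2 * qty or len(pdu) != 6 + bytecount:
            raise ValueError("malformed Write Multiple Registers")
        vals = list(struct.unpack(f">{qty}H", pdu[6:6 + bytecount]))
        return ModbusRequest(tid, unit, func, start, vals)
    return ModbusRequest(tid, unit, func, 0, [])


def build_request(tid: int, unit: int, func: int, start: int, values: list[int]) -> bytes:
    """Construct a request frame; used only to make sample traffic here."""
    if func == 0x10:
        body = struct.pack(">BHHB", func, start, len(values), 2 * len(values))
        body += struct.pack(f">{len(values)}H", *values)
    else:
        body = struct.pack(">BHH", func, start, values[0])
    return struct.pack(">HHHB", tid, 0, len(body) + 1, unit) + body


def detect_writes(flows, allowed=ALLOWED_WRITERS) -> list[str]:
    """flows: iterable of (src_ip, dst_ip, dst_port, payload). Returns one
    alert string per write from a non-allowed host or per malformed frame."""
    alerts = []
    for src, dst, port, payload in flows:
        if port != 502:
            continue
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(f"{src}->{dst} malformed Modbus frame: {err}")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed:
            alerts.append(
                f"{src}->{dst} unit {req.unit_id}: {WRITE_FUNCTIONS[req.function]} "
                f"addr={req.start_addr} values={req.values}"
            )
    return alerts


# Constructed sample traffic: the HMI reads and writes, an unexpected host
# reads and then overwrites three consecutive registers with zero.
SAMPLE_FLOWS = [
    ("10.0.5.10", "10.0.7.21", 502, build_request(1, 1, 0x03, 0, [10])),
    ("10.0.5.10", "10.0.7.21", 502, build_request(2, 1, 0x06, 40, [550])),
    ("10.0.9.77", "10.0.7.21", 502, build_request(3, 1, 0x03, 0, [10])),
    ("10.0.9.77", "10.0.7.21", 502, build_request(4, 1, 0x10, 40, [0, 0, 0])),
]

if __name__ == "__main__":
    for alert in detect_writes(SAMPLE_FLOWS):
        print(alert)
```

Reads from the unexpected host are deliberately not alerted on here, since reconnaissance reads are noisy in most plants; a stricter deployment would also baseline which hosts are permitted to read which unit IDs.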