Daily Brief


Total articles found: 11832

2024-07-23 10:17:15 thehackernews MALWARE Persistent Credit Card Skimmer Disguised in Magento Swap Files Detected
Threat actors used swap files on compromised Magento e-commerce sites to hide and maintain a credit card skimmer. The malicious skimmer captured payment information on the website's checkout page and sent the details to a fake domain resembling Amazon. Sucuri researchers discovered this tactic after noting the skimmer withstood several cleanup efforts due to its stealthy placement in swap files. Swap files were manipulated to load malicious code while maintaining the appearance of unaltered original files, effectively bypassing standard detection. It remains unclear how attackers initially accessed the compromised system, but SSH or similar protocols are suspected entry points. Associated risks highlighted include the ability of such malware to serve as a reinfection vector, using compromised administrator accounts. Security recommendations include restricting protocol use to trusted IPs, maintaining updated systems and plugins, employing 2FA, and implementing strict firewall rules and additional WordPress configurations.
2024-07-23 10:17:15 thehackernews MISCELLANEOUS Enhancing Security in Onboarding with Specops' Innovative Tool
Organizations traditionally share first-day passwords with new employees via email or SMS, exposing them to security risks like interception and misuse. Temporary passwords often remain unchanged by the users, becoming vulnerable targets for attacks, and sometimes lead to large-scale breaches, as illustrated by the SolarWinds incident. The sharing of passwords, whether in plain text or verbally, introduces significant risks of unauthorized access and potential data breaches. Specops Software introduces a First Day Password feature in its uReset tool, eliminating the need to share initial passwords directly and enhancing security. The new system allows employees to set their own passwords via a secure link, ensuring compliance with the organization’s password policies and reducing risks. This solution integrates with Specops' Password Policy and Breached Password Protection, blocking the use of over 4 billion known compromised credentials. By adopting this tool, companies can secure the onboarding process, protect against cyber threats, and ensure a smooth start for new employees.
2024-07-23 09:41:14 thehackernews DATA BREACH Meta Faces EU Scrutiny Over 'Pay or Consent' Advertising Strategy
The European Commission has given Meta a deadline until September 1, 2024, to address concerns about its "pay or consent" model violating consumer protection laws. Utilizing this model, Meta offered users the option to either pay a subscription fee or allow their data to be used for targeted advertising, raising potential coercion concerns. Meta's advertising model could infringe on the EU Digital Markets Act (DMA), which mandates gatekeepers to obtain explicit user consent before data utilization for non-core services. The European Commission criticized Meta for unclear terms and misleading branding which describes the service as "free" while still conditioning on data consent for personalized ads. The Commission emphasized the necessity for transparency in how consumer data is utilized, highlighting it as a fundamental consumer right. This issue with Meta follows recent fines in Nigeria and Turkey for similar data-sharing violations involving users' consent on Facebook and WhatsApp platforms. Meta’s defense references a European Court of Justice ruling that supports charging a fee for services that do not rely on advertising; however, the applicability of this ruling remains uncertain in this context. The situation underscores ongoing global regulatory scrutiny concerning user data privacy and the ethics of consent-based advertising practices.
2024-07-23 09:05:29 thehackernews MALWARE Ukraine Scientific Institutions Hit by Malicious Malware Campaign
The Computer Emergency Response Team of Ukraine (CERT-UA) reported a spear-phishing attack targeting a scientific research institution using HATVIBE and CHERRYSPY malware. The attack utilized a compromised email account to distribute macro-enabled DOCX files to multiple recipients. Enabling macros in the document triggers the execution of HATVIBE, which establishes persistence through scheduled tasks and leads to the deployment of the CHERRYSPY Python backdoor. CHERRYSPY facilitates remote command execution, increasing the threat actor's control over compromised systems. The malware exploits a critical vulnerability in HTTP File Server (CVE-2024-23692) for initial access, signifying its high-risk level (CVSS score: 9.8). CERT-UA attributes these attacks to UAC-0063, identified as the Russian nation-state group APT28, with links to Russia's military intelligence. In a related campaign, Ukrainian defense enterprises were targeted with rigged PDFs leading to the deployment of a Lua-based loader, DROPCLUE, via another threat actor cluster, UAC-0180.
2024-07-23 08:19:32 theregister MISCELLANEOUS Webinar Highlights Strategies to Secure AI in the Middle East
The webinar focuses on securing AI technologies against cyber threats in the Middle East. Industry leaders like Intel, DETASAD, Juniper Networks, and Arqit will discuss AI security issues. Key points include exploring AI threat landscapes such as data poisoning and adversarial attacks. The event will cover the importance of regulatory compliance and best security practices. Strategies to build public trust and uphold ethical AI practices will be examined. Attendees will learn about enhancing AI security through measures like encryption and continuous monitoring. The webinar is designed for professionals in sectors such as telecoms, finance, security/defense, and critical national infrastructure. Registration is open for the July 31st event aiming to advance AI security knowledge and implementation.
2024-07-23 04:30:13 thehackernews MISCELLANEOUS Google Revises Plan to Eliminate Chrome's Third-Party Cookies
Google has reversed its decision to phase out third-party cookies in Chrome, opting instead to introduce a user-choice prompt. The original plan was part of the controversial Privacy Sandbox initiative intended to balance privacy concerns with the needs of digital advertisers. Leading browsers like Apple Safari and Mozilla Firefox have already abolished third-party cookies, citing privacy enhancements. Privacy advocates and regulators, including the Austrian non-profit noyb, criticized Google's approach, suggesting it still allows extensive user tracking. Apple criticized the Privacy Sandbox's Topics API for not fully informing users about how their data is categorized and used for advertising. The U.K. Competition and Markets Authority is now reassessing Google's revised approach in collaboration with the Information Commissioner's Office. Google's change of course highlights the complexities of achieving consensus on privacy standards in the ad-supported internet ecosystem.
2024-07-23 00:10:51 theregister MISCELLANEOUS Google Reverses Plan to Phase Out Third-Party Cookies
Google has decided not to phase out third-party cookie support in Chrome, contrary to earlier plans aimed at enhancing user privacy. Anthony Chavez, VP of Google's Privacy Sandbox, cited significant work and implications for online advertisers as reasons for maintaining third-party cookie support. The newly proposed approach introduces a choice for Chrome users to either engage with the Privacy Sandbox or continue allowing third-party cookies and data surveillance. This announcement follows criticism and regulatory pressure, including an investigation by the UK's Competition and Markets Authority (CMA). Critics, such as the Electronic Frontier Foundation, argue that Google's decision favors profit over privacy, highlighting ongoing concerns with user surveillance through advertising. The UK's CMA is reevaluating its stance and has invited public comments on Google's revised approach to understand potential market and consumer impacts. In response, privacy advocates urge users to adopt tools like the Privacy Badger browser extension to better control online tracking and enhance privacy.
2024-07-22 22:49:20 bleepingcomputer DATA BREACH Greece Land Registry Hit by 400 Cyberattacks, Data Breached
Greece's Land Registry experienced a data breach after facing 400 cyberattacks targeting its IT infrastructure over the past week. Hackers compromised employee terminals and stole 1.2 GB of data, which is approximately 0.0006% of the total data managed by the agency. The stolen data consisted of administrative documents and did not include any personal information of citizens. Attempts by attackers to create a malicious user and access the central database were thwarted, though one backup was accessed. No ransomware was detected on the systems according to the internal investigation supported by the Cybersecurity Directorate of the General Staff of National Defense. Emergency measures included terminating all VPN access and resetting passwords, with mandatory two-factor authentication for employee accounts. All attacks, including the last recorded attempt on July 19, 2024, were successfully repelled; normal operations and secure public transactions remain unaffected. These incidents follow major cyberattacks on other Greek state-owned entities in previous years, including ransomware attacks on the postal service and the country's largest natural gas distributor.
2024-07-22 22:23:42 bleepingcomputer MISCELLANEOUS Google Reconsiders Plan to Phase Out Third-Party Cookies
Google has reversed its decision to phase out third-party cookies in Chrome by early 2025, and instead will roll out a new feature that lets users control cookie settings. Third-party cookies are widely used for tracking users' online activities, raising privacy concerns addressed by regulations like the GDPR. Competitors Mozilla Firefox and Apple Safari have blocked these cookies by default since 2020, putting pressure on Google to follow suit. Google's proposed alternative, the Privacy Sandbox, aims for a less intrusive way to gather user data but has seen slow adoption and remains in beta testing. The new Chrome experience outlined by Google will offer users enhanced choices regarding third-party cookie use, with adjustable settings at any time. Privacy advocacy groups like the EFF criticize Google's decision, highlighting the continued prioritization of advertising revenue over user privacy. This development may impact publishers and advertisers who rely heavily on cookie-related data for targeted advertising campaigns and user tracking.
2024-07-22 20:21:15 theregister DDOS Global Crackdown Shuts Down Major DDoS-for-Hire Website
Global law enforcement agencies, including the UK's National Crime Agency (NCA), Police Service of Northern Ireland (PSNI), and FBI, collaborated on Operation Power Off, resulting in the shutdown of the notorious DDoS-for-hire service, digitalstress.su. The joint operation led to the arrest of the suspected administrator of digitalstress.su on July 2, though the identity of the suspect remains undisclosed. Digitalstress.su was implicated in orchestrating tens of thousands of DDoS attacks weekly, leveraging its platform as an accessible tool for aspiring cybercriminals. The takedown included typical law enforcement tactics such as displaying a splash page indicating police control and targeted messaging to users of the dismantled site, warning and deterring further illicit activities. Law enforcement's innovative strategies have extended to controlling communication channels used by digitalstress.su, potentially leading to broader investigations and additional arrests. The operational success demonstrates the vulnerability of criminal operations even under supposedly secure domains like the old Soviet Union (.su) and asserts that online criminals can no longer expect anonymity or impunity. The operation is contemporaneous with similar actions in Spain against the hacktivist group NoName057(16), highlighting a sustained and coordinated international effort against cybercrime, particularly DDoS attacks.
2024-07-22 18:18:44 bleepingcomputer NATION STATE ACTIVITY US Sanctions Russian Hacktivists for Critical Infrastructure Attacks
The US has imposed sanctions on Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, members of the hacktivist group Cyber Army of Russia Reborn (CARR). CARR has escalated its cyberattacks since 2022, initially focusing on DDoS attacks and later targeting critical infrastructure in the US and Europe. In a recent operation, CARR compromised the SCADA systems of a US energy firm and manipulated a water storage unit in Texas, demonstrating their capabilities with a published video. Although the attacks did not result in major damages, they posed significant risk to US critical infrastructure, prompting legal and sanction actions. The sanctions prevent any US-based financial interactions with the targeted individuals and aim to isolate and reduce their cybercrime activities. Similar sanction strategies have been implemented against other international cybercriminals, supporting the US stance on combating global cyber threats and securing critical infrastructures. Treasury officials emphasized the necessity of these actions to protect national security and prevent potential catastrophes from cyber intrusions.
2024-07-22 17:17:34 theregister CYBERCRIME LA County Superior Court Shuts Following Major Ransomware Attack
Los Angeles County Superior Court, the largest trial court in the U.S., temporarily shut all 36 courthouses due to a significant ransomware attack. The malware attack, reported on Friday, compromised every electronic platform used by the court, including internal systems, external communications, and internet-connected devices. Court officials and IT professionals have been working intensively to reconfigure and restore servers and databases since the attack. As of Sunday evening, many critical systems were still offline, leading to the closure of court services on Monday with plans to reopen by Tuesday. Presiding Judge Samantha P. Jessner emphasized the unprecedented nature of the attack and the ongoing efforts to protect data integrity and secure the network. Recovery efforts have faced multiple obstacles, making it impossible for legal proceedings to occur as scheduled. The cyberattack is noted to be unrelated to the simultaneous CrowdStrike incident affecting Windows systems globally.
2024-07-22 17:02:04 bleepingcomputer MALWARE New Ransomware Variant Targets VMware ESXi Linux Systems
Play ransomware now specifically targets VMware ESXi virtual machines on Linux, expanding attack possibilities across the platform. Trend Micro reported that the ransomware checks for an ESXi environment before executing and remains undetected on Linux systems. This strategic focus follows a broader trend in which ransomware groups increasingly target the virtualized environments enterprises use for efficient resource management. Disruption from these attacks includes major business operations outages and restricted data recovery options due to encryption of VMs and backups. The ransomware leverages tools from a threat actor known as Prolific Puma and shuts down all VMs before encryption. The malware places a ransom note within the ESXi client and console, demanding payment to decrypt data. High-profile victims of Play ransomware include Rackspace, the City of Oakland, Arnold Clark, the City of Antwerp, and Dallas County. Agencies like the FBI and CISA recommend enforcing multi-factor authentication, maintaining updated offline backups, and implementing robust recovery strategies to mitigate risks.
2024-07-22 16:36:18 theregister CYBERCRIME Shift in Ransomware Landscape: Criminals Move to Solo Operations
Europol reports significant disruption of ransomware-as-a-service groups, leading to a more fragmented threat landscape. An increase in individual operations has been noted, as cybercriminals use modified tools independently due to diminished trust in large groups. The takedown of major groups like ALPHV/BlackCat and LockBit has encouraged talented affiliates to develop their own malware and operate solo. There is evidence of affiliates moving away from group affiliations to mitigate risks, especially following law enforcement successes. Attribution challenges are growing as the landscape of cybercrime becomes less centralized and more populated by independent actors. AI tools are proving beneficial for solo operators, allowing them to quickly create and refine malicious code without extensive resources. A shift in target preference from large enterprises to small and medium-sized businesses has been observed, as weaker defenses make for easier payouts. Reliance on multi-layered extortion methods continues, emphasizing the importance of robust cybersecurity practices and backup systems.
2024-07-22 15:54:44 bleepingcomputer DDOS DigitalStress DDoS-for-Hire Service Shutdown by UK Police
The UK's National Crime Agency (NCA) led a joint operation to dismantle the DDoS-for-hire service DigitalStress. The owner of DigitalStress, known by the alias Skiop, was arrested earlier in the month by the Police Service of Northern Ireland. Agents from the NCA infiltrated DigitalStress's communication services to gather intelligence on users and plan follow-up actions. Law enforcement intends to use the acquired data to assist global police efforts in targeting users and administrators of this criminal marketplace. Individuals in the UK who engaged with the DigitalStress platform will be contacted by law enforcement. Conspirators involved in the operation confirmed the owner's unavailability and cautioned against accessing a related site, suspecting it to be a law enforcement trap. DigitalStress's disruption is part of the broader Operation PowerOFF, which has targeted various DDoS-for-hire platforms since December 2018. The takedown reflects ongoing international efforts to combat cybercrime, notably the use of DDoS attacks by various criminal elements.