Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-07-22 14:42:32 | bleepingcomputer | MALWARE | Telegram Exploit EvilVideo Hides Malware in Fake Videos | A Telegram zero-day vulnerability called 'EvilVideo' disguised malicious Android APKs as video files within the app. The exploit was sold on a Russian hacking forum by a user named 'Ancryno' and affects versions up to Telegram v10.14.4. Security firm ESET identified and analyzed the flaw after a PoC was publicly demonstrated. Telegram patched the vulnerability in version 10.14.5, released on July 11, 2024, following ESET's disclosure. The exploit leveraged Telegram's API to deceive users into downloading and executing the malicious APK while believing it to be a video. Actual exploitation required several user interactions, including disabling default security settings, which reduces the risk of widespread impact. Two malicious APKs using this exploit were identified, posing as legitimate applications such as Avast Antivirus. Users are advised to scan their devices for any suspicious applications installed through Telegram. | Details |
| 2024-07-22 14:06:39 | bleepingcomputer | DATA BREACH | High Cost of Employee-Caused Data Breaches and Prevention Strategies | 95% of cybersecurity incidents are linked to human error, emphasizing the significant risk posed by well-meaning employees. The average global cost of a data breach in 2023 is approximately USD 4.45 million, underscoring the financial devastation these incidents can cause. Common user mistakes include unauthorized device use, misdelivery of sensitive emails, password reuse, exposing remote interfaces, and misusing privileged accounts. Strict security measures such as password protection, two-factor authentication, and continuous cybersecurity education are crucial in mitigating risks. Implementation of data loss prevention strategies, enforced encryption on sensitive communications, and least privilege policies are recommended to safeguard company data. Regular audits and the revocation of unnecessary user permissions are essential in maintaining a secure IT environment. Comprehensive and ongoing training programs can transform employees from potential security risks into valuable assets in preventing cyberattacks. | Details |
| 2024-07-22 13:51:10 | theregister | DATA BREACH | Oracle Settles Privacy Lawsuit for $115 Million, Enhances Audits | Oracle has agreed to pay $115 million to settle a class action lawsuit accusing the company of improperly using user data. The settlement, approved after two years of litigation, includes a commitment by Oracle not to capture specific types of electronic communications and to conduct audits ensuring customer compliance with privacy standards. Approximately 220 million individuals were represented in the class action, highlighting the scale and significance of the alleged privacy breaches. As part of a broader corporate strategy shift, Oracle announced in June it would exit its $300 million ad tech business, significantly down from $2 billion in revenue in 2022. The plaintiff group initiated the investigation in 2020, which involved extensive analysis of public records, complaints from various entities, and technical documentation from Oracle. Forensic research by computer science experts and consultations with a privacy law scholar were crucial in forming the basis of the lawsuit filed in 2022. The settlement not only provides financial compensation but also marks a transformation in Oracle's approach toward handling consumer data and privacy. | Details |
| 2024-07-22 13:20:20 | bleepingcomputer | DDOS | Spain Arrests Trio for DDoS Attacks via Hacktivist Platform DDoSia | Spanish police have arrested three individuals in Seville, Huelva, and Manacor for conducting DDoS attacks using DDoSia, a platform developed by the pro-Russian hacktivist group NoName057. DDoSia enables volunteers to use their bandwidth for attacks against organizations in NATO-aligned countries, incentivizing top contributors with payments. Equipment and documents were seized during the raids, which may aid the ongoing investigations. Despite the arrests, the group persisted in launching DDoS attacks, targeting EU organizations as recently as the following Monday. The DDoSia platform has grown significantly, boasting a 2,400% increase and over 13,000 Telegram channel users since its inception in August 2022. Targets of the DDoS attacks have included key government organizations in countries such as Poland, Switzerland, Lithuania, Ukraine, and Italy, leading to significant service disruptions. Spanish authorities are actively seeking to identify and apprehend more individuals involved with the DDoSia attacks. | Details |
| 2024-07-22 13:09:46 | thehackernews | CYBERCRIME | Chinese Cybercrime Network Exploits Gambling and Trafficking Operations | A Chinese crime syndicate is implicated in extensive cybercrime activities, including human trafficking and illegal gambling, throughout Southeast Asia. Operating under names like Vigorish Viper and Yabo Group, the network uses a comprehensive technology suite known locally as "baowang" to manage its illegal operations. The syndicate uses sophisticated DNS configurations and traffic distribution systems to evade detection and law enforcement measures, complicating efforts to trace and address its activities. Vigorish Viper sponsors European football clubs, using these partnerships as platforms to promote its illicit gambling sites to a broader audience. An Infoblox investigation highlights how Vigorish Viper's network spans over 170,000 domain names, integrated with illegal streaming, pornography, and sophisticated encryption technologies. The network also has offline components, involving forced labor in promoting and operating these scams under the guise of high-paying jobs. Associated entities like Yabo Sports have been geo-blocked in various regions to sidestep legal consequences despite their overt operations in public domains. | Details |
| 2024-07-22 13:04:20 | theregister | MISCELLANEOUS | Microsoft Links EU Directives to Windows Kernel Vulnerabilities | Microsoft attributes third-party access to the Windows kernel to a 2009 EU directive aimed at ensuring interoperability. The directive requires Microsoft to make certain APIs available to third-party security products, similar to those used by Microsoft's own security software. This policy has allowed companies like CrowdStrike to operate deeply within the Windows system, which can enhance security but also poses significant risks. Microsoft is scrutinized over its decisions on third-party kernel-level access, especially following a disruptive update from CrowdStrike. The issue highlights the broader challenge of balancing system security with third-party software capabilities within operating systems. Microsoft has not updated its stance following the chaos caused by the CrowdStrike update. The architecture of Windows allows such deep integration by third parties, similar to permissions seen in other operating systems, though with potentially high-profile failures. | Details |
| 2024-07-22 12:28:12 | thehackernews | CYBERCRIME | Hacker Groups Exploit Google Cloud to Conduct Phishing Attacks | FLUXROOT, a financially-driven group from Latin America, uses Google Cloud serverless projects for credential phishing schemes. The FLUXROOT campaigns primarily target Mercado Pago, exploiting Google Cloud container URLs to host phishing sites. Google's threat report indicates that serverless architectures, while beneficial for legitimate enterprises, also offer advantageous platforms for cybercriminals. PINEAPPLE, another malicious actor, similarly exploits Google Cloud to distribute the stealer malware Astaroth, targeting Brazilian users. These threat actors also attempt to evade email security by manipulating email authentication processes. Google has responded to these threats by dismantling malicious projects and enhancing its Safe Browsing protections. The widespread adoption of cloud services has led to an increase in threats like illicit cryptocurrency mining and ransomware, leveraging the inherent difficulty of distinguishing malicious from normal cloud traffic. | Details |
| 2024-07-22 12:07:12 | theregister | NATION STATE ACTIVITY | US Sanctions Two Russians for Cyberattacks on Critical Infrastructure | Two Russian nationals, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, have been added to the US sanctions list for cyberattacks on US critical infrastructure. The individuals are associated with the Cyber Army of Russia Reborn (CARR), previously linked to the Kremlin's GRU and known for various disruptive operations. Targeted attacks included manipulation of industrial control systems across water, energy, and wastewater facilities in the US and Europe, affecting operations and resources. Despite claims of causing significant disruptions, the attackers reportedly lacked the sophistication to cause lasting major damage. The sanctions make any business dealings with Pankratova and Degtyarenko illegal in the US, illustrating a proactive approach to cybercrime by the US government. The sanctions and continued monitoring aim to curb the activities of CARR and similar groups, emphasizing global cooperative efforts against cyber threats. Analysts and security officials stress the importance of international collaboration in tracking and prosecuting such cybercriminals, regardless of geopolitical protections. | Details |
| 2024-07-22 11:25:34 | thehackernews | MISCELLANEOUS | Enhancing Security with Automated SMS Analysis Using AI | Tines, a workflow automation platform, has introduced AI capabilities to enhance organizational security through automated SMS analysis. The service analyzes scam SMS messages received by employees, identifying potential phishing attempts aimed at obtaining sensitive information or deploying malware. Using OCR and AI, the workflow extracts and examines message content for indicators of phishing, urgency, and authenticity, effectively spotting CEO fraud risks. The automated system provides a quick response to employees, advising on the safety of the SMS and suggesting further actions to ensure security. Benefits of automation include saving time for security teams, reducing human error, and scaling response capability across the organization. Employees can interact with the service by submitting suspicious messages through a simple web-based form, receiving guidance in seconds. The platform leverages pre-built AI-enhanced workflows and offers the capability to customize features according to specific organizational needs. | Details |
| 2024-07-22 10:44:27 | thehackernews | MISCELLANEOUS | Efficient vCISO Reporting Strategies for Enhanced Client Engagement | vCISOs play a crucial role in shaping a client's cybersecurity strategy and managing risk governance. Effective reporting can greatly improve client relations by clearly demonstrating the value of security initiatives. Jesse Miller, co-author and veteran infosec strategist, emphasizes that reporting should present the client as the main protagonist in their security narrative. Proper vCISO reporting involves four key areas: General Recap, Tactical Review, Strategic Review, and Future Initiatives. Each section of the report is designed to cater to varying levels of technical expertise among decision-makers, ensuring comprehensible and actionable insights. The Future Initiatives section helps prioritize tasks and manage resources effectively, enhancing both the client's and the vCISO's standing against risks. Holistic reporting structures endorsed in workshops and the playbook are intended to boost vCISO client engagement and business growth. | Details |
| 2024-07-22 06:48:32 | thehackernews | MALWARE | SocGholish Malware Abuses BOINC Project in Stealth Cyberattacks | SocGholish, a JavaScript downloader malware, is delivering AsyncRAT and exploiting the BOINC project to covertly execute cyberattacks. BOINC, an open-source computing platform from UC Berkeley, is renamed and used by the malware to connect to malicious domains that act as a C2 server. As of mid-July, over 10,000 clients have been reported as connected to these malicious domains, with potential misuse for ransomware deployment or other malicious activities. Compromised websites trigger the malware download through fake browser update alerts, leading to payload deployment on victims' devices. The malware establishes persistence on host machines via PowerShell scripts and disguises its processes as legitimate system files. BOINC project maintainers are aware of the misuse and are investigating methods to counteract the malware. This incident highlights emerging malware techniques such as the use of compiled V8 JavaScript, which helps bypass traditional detection methods. | Details |
| 2024-07-22 03:59:45 | thehackernews | MALWARE | New Play Ransomware Variant Targets VMware ESXi Systems | Cybersecurity experts have identified a new Linux variant of Play ransomware that specifically targets VMware ESXi environments. This variant is part of a significant shift by the Play ransomware group to extend its operations to the Linux platform, potentially increasing the number of targets and enhancing the success of ransom negotiations. Play ransomware employs a double extortion strategy, both encrypting victim systems and stealing data to pressure ransom payments. Active since June 2022, the Play ransomware group had impacted approximately 300 organizations globally by October 2023, with the U.S., Canada, and Germany among the most affected countries. Heavily affected industries include manufacturing, IT, retail, financial services, and real estate. The server hosting the Linux variant also contained common tools such as PsExec and NetScan, suggesting continued use of known malicious tools and tactics. The new variant checks for an ESXi environment before encrypting various virtual machine files, appending a ".PLAY" extension to signal successful encryption. Collaboration between cybercriminal entities, such as the use of Prolific Puma's illicit infrastructure services, is highlighted as part of a strategy to evade detection and expand malicious capabilities. | Details |
| 2024-07-22 03:49:18 | theregister | MISCELLANEOUS | Cellebrite Cracks Shooter's Phone, Senators Query Snowflake, New APT41 Threat | The FBI used Cellebrite's digital forensics tools to unlock the Samsung smartphone of a deceased offender involved in a shooting, gaining access in just 40 minutes using an advanced, unreleased version of the software. Smartphone manufacturers continue to contest law enforcement requests to weaken encryption, citing privacy concerns and the potential misuse of backdoor access. Despite major efforts, Cellebrite's internal documents reveal the firm's inability to access newer Apple devices running recent iOS versions, though most Android devices remain susceptible. Separate cybersecurity issues highlighted include an extensive Oracle security update addressing 386 vulnerabilities, and ongoing exploitation of industrial control systems by lesser-skilled Russian hackers under sanctions. U.S. Senators have issued an ultimatum to analytics firm Snowflake demanding explanations for recurrent security lapses following significant breaches involving stolen passwords and a lack of multifactor authentication. A sizeable leak involving nearly 150,000 COVID test records from medical staffing firm InHouse Physicians was discovered by a security researcher, raising concerns over data privacy and the secure management of sensitive information. Google identified a new data theft campaign by Chinese cyber group APT41 targeting the global shipping and logistics sectors, aiming to establish long-term access and exfiltrate sensitive information. | Details |
| 2024-07-22 01:26:26 | bleepingcomputer | MISCELLANEOUS | Microsoft Develops Tool to Fix Faulty CrowdStrike Update | Microsoft has released a recovery tool to rectify a flawed CrowdStrike update that caused a Blue Screen of Death (BSOD) on approximately 8.5 million Windows devices. The CrowdStrike update triggered widespread IT outages globally, affecting essential services and businesses such as airports, hospitals, and banks. Organizations faced significant challenges as many Windows devices required manual intervention to remove a corrupt kernel driver. The tool, offered via a Microsoft support bulletin, is designed to automate the deletion of the faulty CrowdStrike kernel driver, enabling the device to boot normally. To use the recovery tool, IT staff need a specific setup including a 64-bit Windows client, a USB drive, and possibly a BitLocker recovery key. The USB drive is formatted and loaded with a custom WinPE image that carries out the corrective action without creating logs or backups of the removed driver. Following the fix, the primary challenge remains obtaining the requisite BitLocker recovery keys to carry out the process on encrypted devices. | Details |
| 2024-07-21 23:54:24 | theregister | MISCELLANEOUS | CrowdStrike Software Causes Global Computer Outages | CrowdStrike's Falcon Sensor software, originally linked to crashes on Windows PCs, has also caused Linux kernel panics. Issues arose after updates, including kernel panics on systems running Red Hat Enterprise Linux 9.4, disrupting computer systems worldwide. Red Hat advised disabling the Falcon Sensor to stabilize systems while investigating the software-related crashes. The software problems recall a similar incident from 2010 involving McAfee (with the same executive, George Kurtz, involved). CrowdStrike is developing a rapid recovery tool to address these crashes, with insights from recent tests promising faster system remediation. Microsoft estimates that approximately 8.5 million Windows machines were affected, and a USB-bootable recovery tool has been deployed. The impact extended to critical services, with the British Medical Association and airlines experiencing major disruptions, indicating ongoing recovery challenges. This story remains active, and further developments are expected as CrowdStrike and external entities work on mitigating the damage and investigating the root causes. | Details |