Daily Brief
Total articles found: 12798
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-09-23 21:33:17 | theregister | MALWARE | Necro Trojan Threatens Millions in Latest Android Malware Surge | The Necro Trojan is actively targeting Android users, with an estimated 11 million devices exposed to infected apps. First discovered by Kaspersky in 2019, the malware primarily serves as a dropper that installs further malicious software on the devices it infiltrates. High-risk apps such as Wuta Camera and Max Browser, downloaded millions of times from the Google Play Store, have been implicated in Necro infections. Although Google has removed Max Browser and compelled Wuta Camera to strip out the malicious code, the prevalence of such infections remains a concern. The malware also spreads through modified versions (mods) of popular apps such as WhatsApp and Spotify, enticing users with fraudulent premium features. Apps widely used by children, such as Minecraft and Stumble Guys, are also at high risk, since that audience tends to have lower security awareness. The latest version of Necro uses a technique rarely seen in mobile malware, embedding its malicious payload inside a PNG image. Kaspersky recommends basic preventive measures, chiefly avoiding downloads from unreliable sources. |
| 2024-09-23 19:35:17 | bleepingcomputer | DATA BREACH | Telegram to Share User Data with Law Enforcement on Legal Requests | Telegram announced that it will share users' phone numbers and IP addresses with law enforcement in response to valid legal requests. The policy update, disclosed by CEO Pavel Durov, requires a court order confirming the user's involvement in criminal activity that violates Telegram's Terms of Service. Previously, Telegram shared sensitive user information only in terror-suspect cases. Data-sharing incidents will be included in a quarterly transparency report available through its transparency channel, although the reporting bot is currently being updated. The platform's search feature has also been improved to curb its misuse for selling and promoting illegal goods. Users can report dubious content through the @SearchReport bot, and all reports are reviewed by a dedicated moderation team. Pavel Durov was recently arrested and then bailed in France over investigations into the use of Telegram for various illegal activities. Ukraine has banned Telegram on government and critical infrastructure devices, citing national security risks. |
| 2024-09-23 18:33:17 | bleepingcomputer | MALWARE | New Mallox Ransomware Targets Linux Systems Using Leaked Code | The Mallox ransomware group has developed a Linux-targeting variant built from the leaked source code of the Kryptina ransomware. SentinelLabs found that the new variant, dubbed "Mallox Linux 1.0", largely retains Kryptina's core features, such as AES-256-CBC encryption. The development marks Mallox's expansion from targeting only Windows systems to Linux and VMware ESXi systems as well. Originally priced between $500-$800, Kryptina failed to attract significant interest, and its source code was ultimately leaked by its administrator "Corlys" in early 2024. A Mallox affiliate, whose tools were exposed through an operational mishap, repurposed the leaked code to create Mallox Linux 1.0, changing only superficial elements such as naming and documentation. It remains unclear whether the Linux variant is deployed by one specific affiliate or has been adopted across the Mallox ransomware ecosystem. The incident illustrates the ongoing shifts and adaptations within the ransomware landscape and broader trends in how cyber threats are developed and distributed. |
| 2024-09-23 18:27:56 | theregister | NATION STATE ACTIVITY | US Proposes Ban on Chinese and Russian Vehicle Tech Over Security Concerns | The US Commerce Department has announced plans to ban the sale and import of vehicle connectivity systems (VCS) and automated driving systems (ADS) from China and Russia. The proposed rule aims to prevent such technologies from being incorporated into vehicles manufactured in the US. The move reflects concerns that connected-vehicle technology could facilitate espionage and data collection. The rule targets the control systems, cameras, and sensors in cars that gather detailed data which foreign intelligence services could exploit. The rules include a potential exemption clause under which manufacturers may apply to bypass the ban. The ban will phase in starting with model year 2027 for software and 2030 for hardware, with complete enforcement by January 2029. The policy accompanies heightened tariffs on Chinese-manufactured electric vehicles, indicating increasing trade tensions between the US and China. |
| 2024-09-23 17:20:23 | bleepingcomputer | MISCELLANEOUS | Kaspersky Replaces Its Antivirus with UltraAV in the U.S. | Russian cybersecurity firm Kaspersky has unexpectedly removed its anti-malware software from U.S. customer systems and installed UltraAV in its place without prior user consent. The automatic replacement is part of Kaspersky winding down its U.S. operations after the U.S. government banned the company's products on national security grounds. Despite Kaspersky's email assurances of continued protection, customers were not informed in advance of the forced software transition, which caused confusion and fears of malware infection. The replacement software, UltraAV, is operated by the Pango Group, a lesser-known entity that controls multiple VPN brands and a VPN review website. Users had trouble uninstalling UltraAV; attempts often resulted in the software reinstalling itself on reboot. Kaspersky has stopped updates and new software releases in the U.S. market to comply with the government's software ban, which takes effect on September 29, 2024. |
| 2024-09-23 15:17:01 | bleepingcomputer | MALWARE | Android Malware 'Necro' Infects Millions via Google Play and Mods | The Necro Trojan has infiltrated 11 million Android devices, primarily through Google Play downloads. Malicious SDKs embedded in legitimate apps and game mods are responsible for distributing the malware. Kaspersky identified the malware in popular apps such as Wuta Camera and Max Browser, which reached millions of downloads before detection. The malware uses obfuscation and image steganography to install subsequent payloads discreetly. Affected applications displayed hidden ads and interacted with paid services without user consent. Google has been notified and is investigating the infected applications. Users are advised to uninstall infected applications and avoid downloading mods from unofficial websites. |
| 2024-09-23 15:01:26 | theregister | NATION STATE ACTIVITY | Microsoft's Security Push: Progress and Plans Unveiled | Microsoft has assigned 34,000 engineers to its Secure Future Initiative (SFI), which aims to improve product security. The initiative was partly triggered by breaches in which Chinese and Russian actors accessed Microsoft-hosted email accounts and internal networks. After criticism from the Cyber Safety Review Board and a Congressional hearing, security has been made a core component of executive compensation and employee performance reviews. Microsoft launched the Security Academy to provide security-specific training to all of its employees worldwide. The SFI comprises six engineering pillars, though the specific executive compensation adjustments tied to security improvements remain undisclosed. A new Cybersecurity Governance Council and 13 deputy CISOs have been appointed to guide the initiative and provide quarterly updates to the board. Microsoft acknowledges that cyber threats continue to evolve and that it must keep adapting. |
| 2024-09-23 14:04:44 | bleepingcomputer | MISCELLANEOUS | Strategies to Manage Shadow IT and Enhance Security Posture | Shadow IT refers to unauthorized IT solutions that employees adopt to increase productivity, often bypassing official IT processes. These include unapproved apps, devices, and cloud services, which pose significant security, compliance, and financial risks. Shadow IT spreads because users want efficiency and because user-friendly, unauthorized applications are easy to obtain. Effective management of shadow IT relies on continuous discovery and External Attack Surface Management (EASM) tools. Outpost24's EASM tools offer real-time discovery, analysis, and monitoring of internet-facing assets, improving security by identifying unknown assets. Integrating EASM tools with platforms such as AWS, Azure, and ServiceNow supports efficient risk prioritization and remediation. Organizations are encouraged to recognize and mitigate the risks of shadow IT to maintain security and compliance in a fast-paced work environment. |
| 2024-09-23 12:06:57 | theregister | MISCELLANEOUS | CyberPower Revises Password Policy After Security Update Feedback | IT hardware manufacturer CyberPower faced customer backlash after a security update imposed a 32-character limit on passwords in its PowerPanel Cloud iOS app. Previously there was no character limit, a change highlighted by Cabel Sasser, co-founder of Panic, when his 35-character password stopped working. After customer complaints, CyberPower decided to extend the limit to 64 characters, a change prompted by a third-party security auditor's recommendation and expected to take approximately two weeks to implement. Users speculated that passwords might be truncated or stored in plaintext, which CyberPower denied, clarifying that the character limit applied only to new passwords set after the update. The debate turns on the impact of password policies, where longer passwords generally provide better security by reducing the risk of brute-force attacks. National and international cybersecurity guidelines, such as those from NIST and OWASP, encourage long passwords and recommend limits that accommodate passphrases while warning against limits that are excessively small or excessively large due to technical constraints. The incident underscores the importance of aligning security practices with expert guidance and customer expectations, particularly when implementing changes that affect user account access and security. |
| 2024-09-23 11:20:38 | thehackernews | NATION STATE ACTIVITY | U.S. Dismantles Major Botnet Linked to Chinese Company | The U.S. government has dismantled Raptor Train, a botnet controlled by the China-linked threat actor Flax Typhoon. The takedown involved over 260,000 infected devices spanning multiple continents, including North America, Europe, and Asia. Flax Typhoon is reportedly associated with Integrity Technology Group, a Beijing-based, publicly traded company. The article also covered ongoing challenges and trends in cybersecurity, including deceptive recruitment tactics used by North Korean hackers, and noted an unexpected development in the legal battle between Apple and the NSO Group. Its overarching message stressed the importance of vigilance and education in digital security, suggesting that readers engage with resources and webinars to stay informed. The article concluded with a quote emphasizing the high stakes in cybersecurity and the costly nature of forgiveness in this sphere. |
| 2024-09-23 11:05:08 | thehackernews | MISCELLANEOUS | Risks and Insights of Employing 'Never Expire' Password Policies | 'Never expire' password policies can reduce IT workload but may compromise security by removing the periodic updates intended to thwart attackers. Traditional 90-day password resets were designed to counter brute-force attacks, but technological advances have called this cycle into question. Organizations that do enforce regular resets often see password strength suffer, as users tend to make only minor changes to their previous passwords. Reusing even strong passwords across different platforms increases the risk of compromise, regardless of complexity and length requirements. Keeping the same password for an extended period gives attackers ample time to exploit stolen credentials, potentially evading detection for months. Password policies that encourage strong, unique passwords and extend password lifetime based on length can improve security effectiveness. Systems such as Specops Password Policy provide automatic checks against known compromised passwords, improving security without frequent manual resets. A comprehensive strategy should include mechanisms for detecting compromised passwords to prevent prolonged unauthorized access. |
| 2024-09-23 10:03:57 | thehackernews | MALWARE | Critical Security Flaw Threatens IoT Devices with Remote Attacks | A critical vulnerability in Microchip ASF, tracked as CVE-2024-7490, enables remote code execution. The flaw is a stack-based overflow caused by inadequate input validation in ASF's tinydhcp server. It affects ASF version 3.52.0.2574 and earlier, putting many IoT devices running outdated software at risk. No fixes or patches are currently available for CVE-2024-7490, leaving numerous systems exposed to potential exploitation. Device security is further weakened by similar vulnerabilities in other platforms, including a severe flaw in MediaTek Wi-Fi chipsets. The MediaTek issue, tracked as CVE-2024-20017, also allows remote code execution and affects a wide range of devices, including routers and smartphones. Unlike the Microchip ASF flaw, the MediaTek vulnerability has patches available. CERT/CC has warned users and administrators about the increased exposure and exploitation risk posed by these unpatched vulnerabilities. |
| 2024-09-23 09:48:29 | thehackernews | MISCELLANEOUS | Discord Launches DAVE for Secure Audio and Video Calls | Discord has introduced DAVE, a new end-to-end encryption protocol for audio and video calls that improves user privacy and security. DAVE stands for Discord's Audio and Video End-to-end encryption and applies to DMs, Group DMs, voice channels, and Go Live streams. The protocol is designed to be publicly auditable and has been reviewed by cybersecurity firm Trail of Bits. Discord uses WebRTC encoded transforms and Messaging Layer Security (MLS), encrypting each media frame with a per-sender symmetric key. Text messages on Discord remain unencrypted to allow content moderation and compliance with Discord's safety policies. Under DAVE, media cannot be decrypted by anyone outside the call, including the Selective Forwarding Unit (SFU) that Discord uses, even though the SFU still processes every call packet. MLS supports dynamic call membership: new joiners cannot decrypt earlier media, and participants who leave cannot decrypt later communications. The announcement fits a broader industry trend toward stronger communications security, seen in the GSM Association's efforts to bring end-to-end encryption to the RCS protocol. |
| 2024-09-23 06:49:58 | theregister | MALWARE | New Post-Exploitation Tool "Splinter" Threatens IT Security | Splinter, a new post-exploitation tool, has been found in IT systems; it is similar to, but less advanced than, Cobalt Strike. Unlike the commercially available Cobalt Strike, Splinter has no identified group behind it yet. Its features include executing commands, stealing files, hijacking cloud account data, and downloading further malware, after which it deletes itself. The tool, discovered by Palo Alto Networks' Unit 42, is written in Rust, uses a large number of external libraries, and has samples around 7 MB in size. Splinter reads its settings from a JSON configuration and communicates over HTTPS with a command-and-control server defined in that configuration. Despite its capabilities there is no clear attribution for who developed Splinter; it was identified through debug artifacts within the code. Security practitioners are urged to check their systems for traces of the tool and to watch for its communication pathways as listed by Unit 42. The emergence of Splinter is a reminder of the continuous evolution and diversification of threats in the cybersecurity landscape. |
| 2024-09-23 06:44:42 | thehackernews | MALWARE | North Korean Hackers Use Python Packages to Deploy PondRAT Malware | North Korean threat actors have used poisoned Python packages to distribute a new malware, PondRAT, targeting software developers. Palo Alto Networks Unit 42 attributed the campaign with moderate confidence to Gleaming Pisces, part of the Lazarus Group known for previous high-profile attacks. The campaign, dubbed Operation Dream Job, lures targets with fake job offers to initiate the malware download. The malicious Python packages were uploaded to PyPI and subsequently removed, but not before potentially compromising developer endpoints as a foothold for further network access. PondRAT, a derivative of the known POOLRAT malware, shares functionality across Linux and macOS and includes file manipulation and remote command execution capabilities. Its infection chain is simple: package installation executes encoded scripts that retrieve further malicious payloads. Analysis reveals significant overlap in operational methods between PondRAT and other malware previously attributed to the same group, pointing to an evolution in the group's attack capabilities. |