Daily Brief


Total articles found: 11828


2024-07-16 15:03:22 theregister MISCELLANEOUS Cisco's 2024 Report Highlights Global Cybersecurity Gaps
The 2024 Cisco Cybersecurity Readiness Index report details insights from over 8,000 business and cybersecurity leaders across 30 international markets. Only 3% of surveyed organizations possess 'Mature' cybersecurity defenses, with the bulk categorized as 'Formative' or 'Beginner'. A majority of respondents, 73%, predict cybersecurity incidents could disrupt their business within the next one to two years. Despite potential threats, 80% of leaders express moderate to high confidence in their resilience capabilities. The report uses five criteria for evaluating readiness: Identify Intelligence, Network Resilience, Machine Trustworthiness, Cloud Reinforcement, and AI Fortification. Cisco offers solutions like the Secure Firewall and AI-enabled Extended Detection and Response (XDR) to enhance security measures. There is also a focus on improving safeguards with third-party cloud services through the Multicloud Defense platform.
2024-07-16 15:03:22 thehackernews MALWARE Malicious npm Packages Employ Images to Conceal Backdoor Code
Cybersecurity researchers found two malicious npm packages that used image files to hide backdoor code. The packages, img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy, imitated a legitimate npm library. They harbored altered code that could execute commands received from a remote server. Specifically, they leveraged the logo images of Intel, Microsoft, and AMD to enable code execution; the Microsoft logo image was the one used to extract and activate the hidden malicious content. Upon installation, the malicious code would register the new client with a command-and-control server and poll for commands to execute every five seconds. The findings underscore the increasing sophistication of attacks targeting open source software ecosystems. The npm security team took down the packages after being alerted.
2024-07-16 15:03:22 thehackernews CYBERCRIME Addressing Identity-Based Threats in SaaS Applications
Identity-based threats are prevalent in SaaS environments, with 90% of cyberattacks starting with phishing. Effective Identity Threat Detection and Response (ITDR) systems are vital for detecting and countering these threats. Recent breaches have demonstrated the consequences of weak ITDR measures, such as the Snowflake incident where 560 million customer records were compromised. Multi-factor authentication (MFA) and single sign-on (SSO) are essential tools in reducing identity-based risks. Organizations often fail to fully utilize identity management safeguards, turning off MFA and lacking continuous monitoring of user activities. Proactive steps include deprovisioning access for former employees, monitoring external user accounts, and applying the principle of least privilege (PoLP) to limit user access rights. Regular monitoring and real-time data analysis across multiple SaaS applications enable ITDR systems to quickly identify and mitigate unauthorized access and potential data breaches. Prioritizing identity security and enhancing ITDR capabilities are crucial for protecting sensitive corporate information from cyber threats.
2024-07-16 15:03:22 thehackernews CYBERCRIME 'Konfety' Operation Uses Decoy Apps on Google Play for Ad Fraud
"Konfety," a massive ad fraud operation, uses over 250 decoy apps on Google Play, pairing them with malicious "evil twin" apps. Threat actors utilize a dual-app system to obfuscate malicious activity, making fraudulent traffic appear legitimate. Evil twin apps mimic their harmless counterparts’ app IDs and ad publisher IDs to disguise their malvertising activities. These malicious apps facilitate ad fraud, monitor user web searches, install unauthorized browser extensions, and sideload APKs. The campaign is underpinned by the Russia-based CaramelAds network, manipulating their SDK for ad fraud purposes. At its operational peak, the Konfety scheme generated 10 billion ad requests per day. Users are tricked into downloading evil twin apps through links on various platforms, including compromised sites and social media. Once installed, these apps hide their icons, display intrusive ads, and can modify device settings to further exploit users.
2024-07-16 15:03:22 bleepingcomputer NATION STATE ACTIVITY MuddyWater Group Deploys New BugSleep Malware in Global Campaign
Iranian-backed hacking group MuddyWater has introduced a new malware, BugSleep, targeting a broad array of global entities including government, airlines, and media. BugSleep, a customizable backdoor, is still under active development and is being used to exfiltrate files and execute commands on infiltrated systems. Distribution involves sophisticated phishing emails that masquerade as webinar or online course invitations, redirecting victims to malicious payloads hosted on the Egnyte platform. Check Point Research identified several versions of BugSleep displaying ongoing improvements and adjustments, indicative of a trial-and-error development strategy. Transitioning away from legitimate remote management tools, BugSleep gives MuddyWater expanded capabilities, including injecting malware directly into processes of popular applications like Google Chrome and Microsoft Edge. The shift in tactics marks an escalation in MuddyWater's operational scope and sophistication, with consistent targeting of regions beyond their initial focus on the Middle East. U.S. Cyber Command has linked MuddyWater directly to Iran's Ministry of Intelligence and Security, highlighting their significant role in state-sponsored cyber espionage.
2024-07-16 15:03:22 bleepingcomputer NATION STATE ACTIVITY Kaspersky Shuts Down U.S. Operations Following Government Sanctions
Kaspersky Lab, a Russian cybersecurity firm, is ceasing its operations in the United States effective July 20, following U.S. sanctions. The U.S. Treasury Department sanctioned 12 Kaspersky executives, freezing their assets due to their operation within Russia's technology sector. The U.S. Department of Commerce added Kaspersky Lab and its subsidiaries to the Entity List, blocking American businesses from dealing with them. These government actions stem from concerns that Kaspersky poses a national security risk, potentially influenced by the Russian government. The Bureau of Industry and Security banned the sale of Kaspersky software and the delivery of updates in the U.S., citing cybersecurity threats. Kaspersky announced the decision to shut down after evaluating the impact of U.S. legal and regulatory measures, declaring the business nonviable in the U.S. Fewer than 50 U.S.-based employees will be affected by the layoff as part of the company's gradual wind-down.
2024-07-16 15:03:22 bleepingcomputer MISCELLANEOUS Microsoft Resolves Outlook Security Alert Issue from Updates
Microsoft addressed a bug in Outlook that incorrectly triggered security alerts for ICS calendar files after a December security update. The alerts warned users of potential security concerns and were a side effect of a change originally intended to patch a vulnerability allowing theft of NTLM hashes. The vulnerability (CVE-2023-35636) could enable attackers to use stolen NTLM hashes for pass-the-hash attacks and data breaches. Although initially fixed in April, Microsoft retracted the update after discovering problems during Beta Channel tests with Office Insiders. A final fix was successfully rolled out in the July 9 public update for the Outlook Desktop application. Microsoft recommended that customers who used a temporary workaround involving registry keys revert those changes to ensure the new patch's effectiveness. The company also announced the upcoming deprecation of basic authentication for personal email accounts and addressed a separate bug affecting encrypted email replies.
2024-07-16 15:03:21 bleepingcomputer CYBERCRIME Microsoft Identifies Scattered Spider as Qilin Ransomware Users
Microsoft reports that the Scattered Spider cybercrime gang now utilizes Qilin ransomware in attacks, enhancing their capability to target high-profile organizations. Scattered Spider, also known as Octo Tempest and other aliases, previously conducted the 0ktapus campaign impacting over 130 prominent entities including Microsoft and T-Mobile. The group became a BlackCat/ALPHV ransomware affiliate in 2023 and was linked by Symantec to the RansomHub ransomware-as-a-service operation. Tactics employed by Scattered Spider involve phishing, multi-factor authentication (MFA) bombing, and SIM swapping to gain unauthorized entry and persistence in corporate networks. Qilin ransomware, active since late 2023 after a rebranding from "Agenda", has rapidly advanced, focusing on customizable encryptors for Linux systems and VMware ESXi virtual machines. The gang carries out double-extortion ransomware attacks by exfiltrating sensitive data before encryption, then leveraging it in ransom negotiations. According to the FBI and CISA, the latest surge in Qilin ransomware activity includes high ransom demands and targets several enterprise-scale organizations.
2024-07-16 15:03:21 bleepingcomputer DATA BREACH Rite Aid Data Breach Affects Over 2 Million Customers
Rite Aid reported that personal information of 2.2 million customers was compromised in a data breach in June. The breach involved unauthorized access using an employee's credentials, detected 12 hours after the intrusion on June 6. Exposed data includes names, addresses, dates of birth, and government-issued IDs linked to transactions between June 2017 and July 2018. RansomHub, a ransomware gang, claimed responsibility, alleging they acquired 10 GB of customer data following failed ransom negotiations. The breach was publicized after Rite Aid appeared on RansomHub's dark web leak site, with a warning that the data could be leaked. Rite Aid confirmed that Social Security numbers, financial information, and health information were not exposed in this breach. RansomHub specializes in data theft and extortion, selling or auctioning data if ransom negotiations falter.
2024-07-15 16:22:49 thehackernews DATA BREACH Accidental Leak of GitHub Token Risks Python Repositories
A GitHub Personal Access Token was leaked, exposing crucial Python and PyPI repositories to potential unauthorized access. JFrog discovered the leaked token in a public Docker container; it could have enabled significant misuse such as injecting malicious code into Python packages. The token granted admin access, posing a risk of a large-scale supply chain attack on the Python programming language's core source code. Immediately after disclosure, the token was revoked, and no evidence of exploitation was found. The token belonged to PyPI Admin Ee Durbin and was unintentionally pushed in locally modified code meant to avoid rate limits during development. The incident highlights wider issues: Checkmarx separately found PyPI-hosted malicious packages that exfiltrate data to a Telegram bot linked to cybercriminal groups in Iraq. It underscores the critical need for stringent secret-handling and repository management practices in software development.
2024-07-15 15:06:11 theregister MISCELLANEOUS Microsoft Criticized for Flawed Vulnerability Disclosure Practices
ZDI reported a zero-day exploit in Microsoft's MSHTML engine to the company in May, which was later patched in July without proper credit to ZDI. Microsoft described the flaw as a spoofing vulnerability, whereas ZDI identified it as a more severe remote code execution flaw. Confusion persists over the nature of the patch, with ZDI expressing concerns about Microsoft's grasp on the patch's specifics. The cybersecurity group dubbed attackers exploiting the flaw as Void Banshee, who targeted multiple regions to extract cryptocurrency. Microsoft's failure to coordinate properly with researchers post-bug report submission is a noted issue, leading to frustration among cybersecurity researchers. This incident highlights a broader industry problem regarding vulnerability disclosures and the treatment of cybersecurity researchers by large software vendors. The potential consequence of poor disclosure practices is that end-users may not understand risks properly, affecting timely patch applications.
2024-07-15 14:30:10 bleepingcomputer CYBERCRIME Ransomware Group SEXi Rebrands as APT INC, Continues Targeting VMware Servers
SEXi ransomware, known for targeting VMware ESXi servers, has rebranded to APT INC as of June. The group targets organizations using leaked Babuk and LockBit 3 encryptors, focusing on VMware ESXi and Windows systems. In a notable incident, APT INC launched a major attack on Chilean hosting provider IxMetro Powerhost, encrypting their VMware servers. Post-rebrand, victims have described attacks that encrypt files specific to VMware virtual machines, storage, and backups, while leaving other operating system files untouched. Each APT INC ransom demand uses unique victim identifiers in the ransom notes and encrypted file extensions, and communication with the attackers is conducted via the encrypted Session messaging app. Ransom demands vary significantly, with IxMetro Powerhost being asked for two bitcoins per encrypted customer. No free decryption options are available, as the Babuk and LockBit 3 encryptors are considered secure and have no known weaknesses. The rebranding and continued use of robust encryptors indicate an escalating threat from APT INC to organizations running VMware ESXi servers.
2024-07-15 13:49:07 theregister CYBERCRIME Squarespace Migration Leads to DNS Hijacking at Web3 Firms
Security researchers have linked recent DNS hijackings at web3 companies to flaws during the Squarespace migration of Google Domains customer data. Attackers exploited unvalidated pre-registered admin email addresses to gain unauthorized access to domain accounts. Phishing attacks were conducted by rerouting legitimate website traffic to malicious sites, aiming to steal digital assets and tokens. The compromised email addresses allowed attackers to register as Google Workspace admins, leading to further unauthorized access and potential data breaches. Numerous web3 firms, including Compound Labs and Unstoppable Domains, have detected and resolved these security breaches in their systems. Several other businesses could still be vulnerable; companies are urged to enforce two-factor authentication to strengthen security. Ongoing vigilance through log reviews and account verifications is recommended to detect and reverse any unsanctioned alterations.
2024-07-15 13:03:07 bleepingcomputer MALWARE Facebook Ads Used to Distribute SYS01 Info-Stealing Malware
Cybercriminals leverage Facebook business pages and ads to promote malvertising featuring fake Windows themes and pirated software. The ads direct users to download links on Google Sites or True Hosting, delivering malware-infected files disguised as popular software. The malvertising campaigns utilize various fake offers, including Windows themes, free game downloads, and cracked versions of well-known programs like Photoshop and Microsoft Office. Downloaded zip files contain the SYS01 malware, which uses DLL sideloading tactics for installation and data theft, including browser cookies, stored credentials, and cryptocurrency wallet information. The malware campaign primarily affects Facebook, but similar tactics have been observed on LinkedIn and YouTube, expanding its potential impact. Trustwave's report indicates that this method of cyberattack has evolved from previous campaigns targeting narrower audiences with adult-themed content or game-related ads. The data stolen via this malware campaign can be used for further malvertising campaigns or sold to other cybercriminals, enhancing the threat landscape on social media platforms.
2024-07-15 10:55:33 thehackernews MALWARE Expansive Infostealer Ecosystem Threatens Global Corporations
Infostealer malware is rampant, compromising thousands of users daily with data theft from organizations. Low entry costs and high rewards empower even non-technical individuals to participate in cybercrime, exploiting or selling stolen data. Specialization within the cybercriminal community has led to a sophisticated, segmented industry where various actors focus on specific roles such as malware development, data trafficking, and credential selling. Popular tools among cybercriminals include malware droppers or loaders, which facilitate the download of malicious code, bypassing antivirus defenses. Communication and transaction channels include darknet forums, Telegram, and custom malware markets where stolen data and tools are bought and sold. Subscription-based malware services and crypter services enable attackers to continuously evade detection and operate stealthily. Infostealer malware often targets credentials and sensitive information, which can then be used directly or sold to other criminals for profit. The article underscores the scale of the threat and the ease of access to malicious tools, highlighting the urgent need for robust cybersecurity measures in organizations.