Daily Brief

2024-09-19 15:57:41 bleepingcomputer CYBERCRIME International Crime Ring Using Phishing to Unlock Phones Dismantled
A joint law enforcement effort, named Operation Kaerb, dismantled an international phishing ring designed to unlock stolen or lost mobile phones. The operation began in 2022, triggered by intel from cybersecurity firm Group-IB and coordinated by Europol's European Cybercrime Centre and Ameripol's Specialised Cybercrime Centre. The criminals used a phishing-as-a-service platform called iServer, which targeted over 1.2 million phones globally, successfully compromising around 483,000 of them. Victims, primarily Spanish-speaking, were deceived into providing their credentials on fake web pages mimicking cloud-based mobile platforms. The phishing network was managed by an Argentinian national who provided phishing services to other criminals for the past five years. During a coordinated action week, authorities in Argentina, Chile, Colombia, Ecuador, Peru, and Spain arrested 17 suspects and conducted 28 searches, seizing 921 items including electronic devices and vehicles. This operation marks the first collaborative effort between Europol's EC3 and Ameripol's specialized cybercrime units on such a scale.
2024-09-19 15:47:19 thehackernews CYBERCRIME Hackers Infiltrate Construction Firms Using Default Software Credentials
Threat actors used default credentials to access FOUNDATION Accounting Software, targeting the construction sector. The breach primarily impacted sub-industries such as plumbing, HVAC, and concrete, using brute-force attacks at scale. FOUNDATION software includes a Microsoft SQL Server instance with the high-privileged accounts "sa" and "dba," which often retain default passwords. Approximately 35,000 brute-force attempts were recorded on September 14, 2024, against a single MS SQL server before a successful login. Of 500 hosts analyzed by Huntress, 33 were publicly accessible and vulnerable due to unchanged default credentials. Attackers exploited the xp_cmdshell feature in SQL Server to execute arbitrary shell commands, gaining further system access. Huntress recommends rotating default account credentials, limiting public internet exposure, and disabling the xp_cmdshell configuration option to mitigate the risk.
2024-09-19 14:30:45 bleepingcomputer CYBERCRIME Germany Seizes 47 Crypto Exchanges to Thwart Ransomware Gangs
German law enforcement has seized 47 cryptocurrency exchanges that assisted in laundering money for cybercriminals, including ransomware groups. The seized platforms violated "Know Your Customer" regulations, allowing complete anonymity in transactions. This operation, named "Operation Final Exchange," was publicized with warnings on the now-seized websites about the false promises of anonymity. Authorities have captured extensive data from these platforms, including transactions, user registration data, and IP addresses, which will aid in further investigations and potential arrests. These exchanges were pivotal for criminals to convert illicit gains into regular currencies, making this operation significant in disrupting the cybercrime money flow. No arrests have been made yet, but the operators of the exchanges face charges under the German Criminal Code for money laundering and illegal trade practices, potentially leading to multi-year prison terms. The Federal Criminal Police Office highlighted the challenge of prosecuting identified criminals, as they often reside in countries that either tolerate or protect them.
2024-09-19 14:14:33 thehackernews MALWARE SambaSpy Malware Targets Italian Users Through Phishing Attacks
SambaSpy, a previously unknown malware, is specifically targeting users in Italy via a sophisticated phishing campaign led by a suspected Brazilian threat group. The malware is initiated through phishing emails that contain either an HTML attachment or a link. If clicked, these can deploy a multifunctional remote access trojan (RAT). Depending on the user’s browser language settings, clicking the phishing link can either lead to a legitimate invoice service or redirect to a malicious server for further infection. The RAT involved, developed in Java, includes capabilities such as file and process management, remote control of the desktop, webcam, and clipboard, keylogging, and screenshot capture. It can also steal credentials from various web browsers including Chrome, Edge, and Opera, and can download additional malicious plugins to expand its functionality. Evidence suggests the threat actors are planning to extend their operations beyond Italy to include Brazil and Spain, based on shared language and target profiles. The incident highlights a broader trend of Latin American cybercriminals targeting European countries with linked linguistic roots using advanced phishing and malware tactics.
2024-09-19 14:09:03 theregister DATA BREACH Thousands Risk Data Exposure Due to ServiceNow Configuration Flaws
Security experts have revealed that incorrect configurations in ServiceNow could expose sensitive knowledge base (KB) article data from thousands of companies. Researchers Aaron Costello and Dan Meged independently found that private KB articles could be accessed through public widgets due to these misconfigurations. Approximately 30% to 45% of ServiceNow users might unknowingly be leaking critical data, such as VPN passwords and other secure information. The exposure occurs because the ServiceNow KB Article Page widget, which is public by default, allows the retrieval of content from articles meant to be private. A possible mitigation involves using ServiceNow's User Criteria to appropriately restrict access, although many platforms have not effectively updated their Access Control Lists (ACLs) to combat this issue. Security enhancements made by ServiceNow did not adequately address widget vulnerabilities, leaving a significant gap in data protection. These findings highlight a crucial need for administrators to reevaluate their ServiceNow configurations and ensure security measures are correctly implemented.
2024-09-19 14:03:41 bleepingcomputer CYBERCRIME Best Practices to Secure Onboarding and Mitigate Cyber Risks
Onboarding new employees introduces security risks as they are prime targets for social engineering attacks due to unfamiliarity with company protocols. Hackers use phishing campaigns, often crafted via information obtained from LinkedIn, to exploit new employees' eagerness to respond promptly and cooperatively. Common practices, like sharing passwords via SMS or email, expose organizations to man-in-the-middle attacks. An overlooked risk during onboarding is new employees' failure to update temporary passwords, making it easier for cyberattacks to occur. Specops Software highlights the need for strong, unique passwords and the implementation of secure password distribution tools. Best practices include adhering to the principle of least privilege and conducting continuous security training for all employees. Instituting secure protocols from day one through tools like Specops' First Day Password can significantly reduce the likelihood of data breaches.
2024-09-19 13:58:19 bleepingcomputer MISCELLANEOUS Mysterious "LOVE" Noise Storms Challenge Cybersecurity Researchers
GreyNoise, an internet intelligence firm, has been observing substantial waves of spoofed internet traffic, dubbed "Noise Storms," since January 2020. This traffic features spoofed IP addresses and is characterized by large volumes of TCP connections targeting port 443 and ICMP packets containing an ASCII "LOVE" string. The origin and motive behind these noise storms remain unknown, with speculation about their role in covert communications, DDoS coordination, or malware C2 channels. Specific ISPs like Cogent, Lumen, and Hurricane Electric are heavily targeted by these attacks, while major services like AWS are notably avoided. The packet characteristics (e.g., TTL values and TCP window sizes) suggest a sophisticated actor with a deep understanding of network behaviors. The ICMP packets with the "LOVE" ASCII strings add an intriguing layer to the mystery, prompting further analysis. GreyNoise has shared packet captures of the noise storms on GitHub to encourage collaboration among cybersecurity experts in unpacking these anomalies. The firm emphasizes the importance of adaptive security strategies to address unconventional threat manifestations like these noise storms.
2024-09-19 13:32:39 thehackernews MALWARE TeamTNT Launches Cryptojacking Campaign Targeting CentOS Servers
TeamTNT, a known cryptojacking group, has initiated a new campaign targeting CentOS servers mainly used in VPS infrastructures. The attackers gain initial access through SSH brute force attacks, uploading a malicious script that compromises server security. This script deactivates security software, deletes logs, and disrupts existing cryptocurrency mining operations to conceal its activities. The deployment of the Diamorphine rootkit by the attackers hides their malicious processes and maintains persistent access to infected hosts. TeamTNT's operations had reportedly ceased in November 2021, but recent activities since September 2022 suggest they have resumed their cybercriminal activities. The script also removes competing miners and establishes cron jobs to maintain persistence and ensure continuing control over the compromised system. Researchers from Group-IB have identified these activities with moderate confidence as those of TeamTNT due to the similar tactics, techniques, and procedures used in past attacks.
2024-09-19 12:21:16 theregister NATION STATE ACTIVITY UK Activists Allege NSO Group Enabled Surveillance by Autocratic States
Four UK activists filed a police report in London against NSO Group, alleging privacy violations via the Pegasus spyware. The complaint, facilitated by the Global Legal Action Network, accuses NSO Group of aiding the UAE, Saudi Arabia, and Bahrain in spying activities since 2018. The activists claim the use of Pegasus spyware breached the Computer Misuse Act 1990 and the National Security Act 2023, compromising UK sovereignty and security. Notable complainants include Anas Altikriti of the Cordoba Foundation and Yusuf Al Jamri, a persecuted Bahraini activist. Third-party confirmations from Amnesty International and Citizen Lab support the claims of Pegasus infections. The UK government has yet to take legal action against NSO, despite lawsuits worldwide by entities such as Apple, WhatsApp, and Facebook. NSO Group defends its operations, citing compliance with the law and the significant role of Pegasus in thwarting crimes and saving lives.
2024-09-19 11:09:29 bleepingcomputer MALWARE Malicious "GitHub Scanner" Campaign Distributes Windows Malware
A fraudulent campaign is exploiting GitHub Issues to distribute malware through seemingly official security alerts. Attackers create issues in open source project repos falsely claiming security vulnerabilities and urging users to check an external site. The phishing emails are sent from GitHub's legitimate notification system, enhancing the scam's credibility. The fake "GitHub Scanner" website prompts users to download malware under the guise of a security scan. The downloaded executable is a trojan with anti-detection capabilities, identified by antivirus tools. This campaign highlights how platforms like GitHub can be manipulated for malicious purposes. Users are advised to be cautious with email links and report suspicious GitHub issues to help mitigate threats.
2024-09-19 11:04:10 thehackernews CYBERCRIME Urgent Need for Enhanced Cybersecurity Practices in Healthcare
The healthcare industry, heavily reliant on interconnected systems, is increasingly targeted by cybercriminals, resulting in ransomware attacks and data breaches. Poor cybersecurity hygiene is identified as the primary root cause of the frequent and devastating cyberattacks within the sector. An analysis of 1,454 ransomware events from 2016 to 2023 revealed a significantly higher frequency of attacks on organizations with poor cybersecurity ratings. Specific challenges in healthcare include managing third-party risk and maintaining operational capability during attacks, with 46% of ransomware attacks occurring over weekends. Effective strategies for improving healthcare cybersecurity include continuous monitoring, 24x7 security operations, rigorous third-party risk management, regular patching, and strong encryption practices. Incident response and recovery planning are essential, with an emphasis on well-developed and regularly updated response strategies. Mastercard's RiskRecon TPRM solution is highlighted as a valuable tool for healthcare organizations, offering detailed assessments of third-party risk and helping to improve overall cybersecurity hygiene.
2024-09-19 10:13:03 thehackernews CYBERCRIME Microsoft Exposes INC Ransomware Attacking U.S. Healthcare Sector
Microsoft reports a new threat actor using INC ransomware to specifically target the U.S. healthcare sector. The threat group, named Vanilla Tempest, has been active since at least July 2022 and has previously attacked sectors including education, IT, and manufacturing. Vanilla Tempest employs a sequence of infection tools such as the Supper backdoor, AnyDesk, and the MEGA tool, and initiates attacks via GootLoader. The attackers use Remote Desktop Protocol (RDP) for lateral movement and deploy the ransomware using Windows Management Instrumentation (WMI). Vanilla Tempest has been linked to Vice Society, known for using pre-existing ransomware rather than developing its own. Recent trends show ransomware operators like BianLian and Rhysida increasingly using tools such as Azure Storage Explorer for data exfiltration to evade detection.
2024-09-19 08:05:36 theregister CYBERCRIME German Police Allegedly Crack Tor Anonymity Using Timing Analysis
The Tor network's integrity was questioned after German police reportedly de-anonymized a user, leading to an arrest. German authorities are alleged to have used "timing analysis" to track and identify users of the encrypted Tor network. The implicated user, who operated a dark-web site involved in illegal activities, was reportedly using outdated Ricochet software lacking critical security updates. Telefónica cooperated with authorities by providing data on customers connected to known Tor nodes, which helped pinpoint the suspect's identity. The Tor Project suggests the breach was due to old software vulnerabilities rather than an inherent flaw in Tor itself. Despite concerns, the Tor Project maintains that the network is healthy, citing robust measures to prevent and remove suspicious relay nodes. The Tor Project calls for more detailed information on the police investigation to better guide and protect its users and relay operators.
2024-09-19 05:12:02 thehackernews MALWARE GitLab Releases Critical Patch for SAML Authentication Flaw
GitLab has issued patches for a critical vulnerability in its Community Edition (CE) and Enterprise Edition (EE) that could allow authentication bypass. The vulnerability, identified as CVE-2024-45409 with a CVSS score of 10.0, affects the ruby-saml library. Attackers could exploit this flaw to log in as any user on vulnerable systems by forging the SAML Response/Assertion with arbitrary contents. Updates include upgrading omniauth-saml to version 2.2.1 and ruby-saml to version 1.17.0 across multiple GitLab versions. GitLab recommends enabling two-factor authentication and disabling the SAML two-factor bypass option as mitigation strategies. There are indicators provided for detecting potential exploitation attempts, which involve monitoring specific SAML log events and validation errors. The flaw has not been reported as being exploited in the wild, but GitLab is actively monitoring for attempts. This security update coincides with CISA adding new vulnerabilities to its KEV catalog, emphasizing the importance of addressing these issues promptly to mitigate risks.
2024-09-18 22:09:14 bleepingcomputer MISCELLANEOUS Discord Enhances Privacy with End-to-End Encryption for Calls
Discord has introduced a new end-to-end encryption protocol named DAVE to protect audio and video calls on the platform. The encryption covers private one-on-one calls, small group chats, large server-based channels, and real-time streaming. Cybersecurity firm Trail of Bits developed and audited the DAVE protocol, ensuring its effectiveness and security. The protocol and its libraries are made open-source, with a whitepaper published for transparency and community engagement. Key features include the use of the WebRTC Encoded Transform API for encryption, MLS for key management, and ECDSA for identity verification. The user verification process includes out-of-band methods like voice privacy codes to ensure call security and counter tracking. Discord has begun migrating existing communication channels to use the new encryption, starting with its desktop and mobile apps, with web client updates planned for the future. Users need to update their client applications to benefit from the new security features, with legacy clients limited to basic transport encryption.