Daily Brief


Total articles found: 11827

2024-07-11 20:54:30 bleepingcomputer MISCELLANEOUS Signal Enhances Encryption Key Security After Public Pressure
Signal is updating its desktop client to better secure encryption keys, addressing a flaw first reported in 2018. Originally, Signal Desktop stored encryption keys in plain text, accessible to any user or program on the same device. The security community criticized Signal for ignoring the flaw, despite the company's focus on user privacy and security. Recent public scrutiny, especially from notable figures like Elon Musk and researcher Tommy Mysk, reignited concern over this vulnerability. Signal plans to utilize Electron's SafeStorage API to improve key security on supported platforms, adding platform-specific encryption. A temporary fallback mechanism will ensure users can access data during the transition, aiming to mitigate potential data loss. While some solutions will be platform-dependent, the update reflects a commitment to enhancing user data protection amidst increased scrutiny.
2024-07-11 19:17:47 theregister MALWARE Critical OpenSSH Vulnerability Discovered in RHEL 9 and Fedora
A new signal handler race condition vulnerability in OpenSSH, CVE-2024-6409, affects Red Hat Enterprise Linux 9 and Fedora versions 36 and 37. Alexander Peslyak of Openwall discovered the flaw, which impacts sshd daemon versions 8.7p1 and 8.8p1. AlmaLinux has proactively issued a patch for the vulnerability, acting ahead of other distributions like RHEL or CentOS Stream. The affected sshd process runs with reduced privileges, potentially limiting the scope of attacks but still allowing remote code execution. The bug arises from a function, cleanup_exit(), being called within a signal handler where it should not be, a coding mistake specific to patches made by Red Hat. This vulnerability is separate from the previously identified CVE-2024-6387 "regreSSHion" bug, although both involve OpenSSH. Ubuntu users and non-RHEL-based distributions are reportedly not affected by this specific vulnerability.
2024-07-11 18:21:34 bleepingcomputer MISCELLANEOUS Google Significantly Ups Bug Bounty Payouts to Incentivize Researchers
Google has raised the payouts for its Vulnerability Reward Program, now offering up to $151,515 for the discovery of critical bugs. The new top bounty amount reflects a fivefold increase from previous payout levels, addressing the increased effort required to find vulnerabilities as Google’s systems have advanced. The new payout structure takes effect for vulnerabilities reported starting July 11th, and includes the possibility of receiving payments via Bugcrowd. Google launched kvmCTF to target security enhancements for the Kernel-based Virtual Machine (KVM) hypervisor, with rewards up to $250,000. In addition to the recently improved bounty terms, last year Google tripled the reward sum for Chrome sandbox escape exploits, maintaining this increased level until December 1, 2023. Since initiating the VRP in 2010, Google has paid out over $50 million for more than 15,000 reported vulnerabilities. A notable top payment of $605,000 was made to a researcher in 2022 for uncovering a critical chain of security bugs in Android.
2024-07-11 17:19:48 bleepingcomputer DATA BREACH Dallas County Notifies 200,000 of Data Exposure After Ransomware Attack
Dallas County, Texas, alerted over 200,000 individuals about a data breach following a ransomware attack by the Play ransomware gang in October 2023. Personal data, including Social Security numbers and taxpayer IDs, was compromised, affecting residents, employees, and users of county services. Victims are being offered two years of credit monitoring and identity theft protection services to mitigate potential fraud. In response, the county has enhanced its network security, including the implementation of Endpoint Detection and Response solutions, mandatory password changes, and blocking of suspicious IP addresses. Additional recent cybersecurity incidents have troubled Dallas County, including a business email compromise that cost $2.4 million and another ransomware attack on the City of Dallas. Dallas County established a dedicated call center and published an update in January 2024 to address public concerns and provide information on the breach's impact.
2024-07-11 15:22:36 thehackernews CYBERCRIME Critical Authentication Flaw Fixed in Palo Alto Networks Tool
Palo Alto Networks has issued updates for five vulnerabilities affecting its products, including a critical authentication bypass. The most severe bug, tracked as CVE-2024-5910 with a CVSS score of 9.3, affects the Expedition migration tool, enabling potential admin account takeovers. The vulnerability arises from a lack of authentication in a key function of the Expedition tool, risking data compromise. Users are strongly advised to upgrade Expedition to version 1.2.92 or later to mitigate the risk and to apply suggested workarounds such as restricting network access. The advisory also highlights a vulnerability in the RADIUS protocol known as BlastRADIUS (CVE-2024-3596), which facilitates potential adversary-in-the-middle attacks. The flaw could allow attackers to elevate privileges to "superuser" under certain conditions when the CHAP or PAP protocols are used without adequate encryption. Palo Alto Networks emphasizes that CHAP and PAP should not be used unless protected by an encrypted tunnel.
2024-07-11 15:12:07 bleepingcomputer MALWARE CRYSTALRAY Hacker Escalates Attack Complexity, Targets 1,500 Systems
CRYSTALRAY, a new cyber threat entity, has expanded its attack tactics and victim count, leveraging the SSH-Snake tool to breach 1,500 systems. Initially identified in February with about 100 victims, the scope and complexity of CRYSTALRAY's operations have significantly increased, particularly involving cryptomining and credential theft. SSH-Snake, an open-source worm, enables the propagation of the attack across networks by stealing SSH keys, which facilitates lateral movement and payload deployment. Sysdig reports that CRYSTALRAY employs multiple open-source security tools and modified PoC exploits, indicating a sophisticated approach to scanning and exploiting vulnerabilities. Among the targeted vulnerabilities are likely those found in Atlassian Confluence products, based on patterns observed from 1,800 IP addresses, notably a third of them from the U.S. In its latest campaigns, CRYSTALRAY uses tools like Platypus for managing web-based shell sessions, and scripts for stealing credentials, which are sold for profit on the dark web or via Telegram. The threat actor also boosts its income through cryptomining, strategically killing existing miners to maximize the hijacked processing power. Although exact current revenue is unknown, previous tracking showed approximately $200/month from such activities. Sysdig emphasizes the importance of timely security updates and vulnerability management as key defenses against escalating threats like CRYSTALRAY.
2024-07-11 15:06:48 thehackernews MALWARE Stealth Malware Infected NuGet Packages with RAT via IL Weaving
A new wave of attackers published approximately 60 malicious packages in the NuGet package manager, part of a continued campaign that started in August 2023. These malicious packages, involving around 290 versions, employ a more sophisticated method than the previous instances detected in October 2023. Attackers utilize a technique known as IL Weaving to insert obfuscated downloaders into legitimate PE binaries, modifying .NET applications post-compilation. The primary intent of these counterfeit packages is to distribute SeroXen RAT, a remote access trojan designed for espionage and data theft. Notably, the technique includes exploiting homoglyphs in popular package names, like altering "Guna.UI2.WinForms" to a nearly indistinguishable but malicious "Gսոa.UI3.Wіnfօrms." ReversingLabs, a software security firm, identified and reported these packages, which have since been removed from availability. This incident highlights a growing trend of cybercriminals targeting software supply chains, necessitating heightened vigilance from developers and security teams.
2024-07-11 14:20:34 bleepingcomputer DATA BREACH Advance Auto Parts Reports Major Data Breach Affecting 2.3 Million
Advance Auto Parts has issued notifications for a data breach impacting over 2.3 million people, primarily affecting current and former employees and job applicants. Personal information compromised includes full names, Social Security numbers, driver's licenses, and government ID numbers. The breach originated from unauthorized access to the company's Snowflake environment between April and May 2024. Attackers exploited stolen credentials as part of a larger campaign that also targeted other high-profile entities such as Ticketmaster and Banco Santander. Affected individuals have been offered 12 months of free identity theft protection and credit monitoring by Experian. Advance Auto Parts has completed a detailed investigation, which determined the exact number of individuals impacted and the types of data accessed. The discrepancy between the initially reported and the confirmed impacted data suggests potential additional notifications in the future. The breach is part of a broader issue involving security vulnerabilities within Snowflake accounts.
2024-07-11 14:05:03 bleepingcomputer MISCELLANEOUS Mandiant's mWISE 2024 Event Unveils Expanded Cybersecurity Focus
Mandiant's mWISE 2024 conference will take place on September 18-19 in Denver, focusing on practical, non-vendor-centric cybersecurity solutions. The 2024 event adds new content tracks on AI's role in cybersecurity and programs tailored for the next generation of CISOs. Programs cover a broad range of topics including cloud security, cyber threat intelligence, security operations, and threat management. Unique features of the event include high-caliber speakers and actionable advice tailored for incident responders and detection engineers. mWISE differentiates itself by providing a neutral platform that emphasizes real-world problems and peer-to-peer learning. Networking opportunities are highlighted as a major benefit, along with the Denver setting, which offers engaging social and environmental benefits. Early registration offers significant savings, incentivizing participants to secure their spot by August 12.
2024-07-11 13:18:59 theregister DATA BREACH Advance Auto Parts Data Breach Affects 2.3 Million Individuals
Advance Auto Parts reported a data breach affecting approximately 2.3 million people following unauthorized access to its Snowflake storage account. The compromised data includes sensitive information like Social Security numbers, driver's licenses, and other ID document numbers, primarily from job applications. The breach was first detected on May 23, with unauthorized access spanning from April 14 to May 24. Upon discovery, Advance Auto Parts engaged third-party cybersecurity experts to investigate and mitigate the breach, and law enforcement was notified. Measures to strengthen security and prevent future incidents include enhancing system hardening and implementing broader use of multifactor authentication (MFA) across the organization. The attacker, known online as Sp1d3r, had initially claimed to have stolen details on 380 million customers, but this was found to be an exaggeration. Advance Auto Parts is among several high-profile companies affected by a series of break-ins targeting Snowflake accounts, prompting Snowflake to introduce new security measures.
2024-07-11 12:33:02 thehackernews MALWARE APT41 Utilizes DodgeBox and MoonWalk in Sophisticated Attacks
Chinese APT group APT41, active since 2007, is using upgraded StealthVector malware, now called DodgeBox, to deploy the MoonWalk backdoor. DodgeBox utilizes advanced evasion techniques including call stack spoofing, DLL side-loading, and DLL hollowing. MoonWalk, the backdoor delivered by DodgeBox, uses Google Drive for command-and-control communications, showcasing sophisticated concealment methods. The U.S. Department of Justice indicted members of APT41 in 2020 for attacks on over 100 global companies, stealing valuable data and enabling other crimes like ransomware. Previous uses of the original StealthVector involved delivering Cobalt Strike Beacon and ScrambleCross malware. The newly discovered capabilities of DodgeBox highlight its role in bypassing detection mechanisms and executing complex attack strategies. The exact distribution method for this malware remains unidentified, but it is known to employ DLL side-loading via legitimate executable files for execution.
2024-07-11 11:01:12 thehackernews MISCELLANEOUS PAM Solutions Enhance Security for Small to Medium Businesses
Small to medium-sized organizations are increasingly targeted by cybercriminals, exploiting perceived vulnerabilities for quick profits. Historically, these smaller entities have lacked robust mechanisms for managing privileged access, underestimating their appeal to hackers. The market now caters to these organizations with affordable, tailored Privileged Access Management (PAM) solutions that are easy to implement and require minimal upkeep. PAM tools are crucial in defending against both external and internal security threats, helping to protect sensitive company data. These solutions also facilitate regulatory compliance and enhance overall security practices without necessitating substantial resource investment. Offering PAM as a software-as-a-service (SaaS) promotes quick deployment and cost efficiency through a subscription model, minimizing initial costs. PAM implementation now provides greater accessibility and scalability for smaller organizations, enabling effective protection of critical assets and fostering operational continuity.
2024-07-11 10:35:34 theregister CYBERCRIME Privacy Consultant Sentenced in Extreme Cyberstalking Case
Sumit Garg, a former privacy consultant, has been convicted and sentenced to 9 years in federal prison for running an extensive cyberstalking campaign. Garg targeted his former roommate and several others associated with her, including her attorney uncle, her boyfriend, and the prosecuting attorney of his case. Initially sparked by a rental dispute, Garg's campaign escalated to involve threats of murder, rape, and torture. Despite a court order, Garg continued harassing the victims using numerous internet accounts created to mask his identity. He used his technical skills to send threats and leak personal information, indicating a profound lack of empathy and obsessive retaliatory desires. Garg's arrest temporarily halted his threatening communication, but it resumed immediately upon his release, despite his being electronically monitored. His cyberstalking activities included secretly obtaining photographs inside his victim's apartment building to intimidate her further.
2024-07-11 10:14:50 thehackernews MALWARE New Phishing Campaign Devises Poco RAT to Target Industries
A new email phishing campaign deploying a remote access trojan named Poco RAT targets sectors such as mining, manufacturing, hospitality, and utilities, mainly affecting Spanish-speaking individuals. The phishing messages feature finance-related hooks to entice victims into downloading a 7-Zip archive containing the malware from a Google Drive link. Tactics used by the threat actors include employing legitimate hosting services like Google Drive to deliver malware via embedded URLs in HTML or PDF attachments, circumventing secure email gateways. Once activated, the Delphi-based Poco RAT establishes persistence, communicates with a command-and-control (C2) server, and potentially downloads further malicious payloads. The malware exhibits advanced anti-analysis features and utilizes the POCO C++ Libraries, indicative of a focus on victims in Latin America, a region often targeted by similar banking trojans. The C2 server does not respond to requests from devices not geolocated in Latin America, highlighting the regional focus of the attack. This development aligns with broader trends in cybercrime, including the use of deceptive online tactics and social engineering to deploy RATs and steal sensitive information globally.
2024-07-11 07:31:44 theregister MALWARE EstateRansomware Exploits Old Veeam Flaw to Deploy Ransomware
EstateRansomware, a new ransomware gang, is exploiting a previously patched vulnerability in Veeam backup software, CVE-2023-27532, to install file-encrypting malware. The attackers gain initial access by brute-forcing dormant accounts on FortiGate firewall SSL VPN appliances and then use remote desktop protocol (RDP) connections for further intrusion. Once inside, the attackers steal credentials and use a vulnerability in the backup software to deploy a LockBit ransomware variant, leading to data encryption and extortion demands. Veeam had issued a patch for this high-severity vulnerability in March 2023, but not all users have applied it, leaving systems vulnerable to attack. Group-IB, the security firm that discovered this campaign, noted that the attackers employed various tools to scan the network and recover passwords before deploying ransomware. It remains unclear how many victims have been affected by this ransomware operation. Veeam emphasized the importance of installing updates and patches promptly to avoid such security threats. This incident highlights the continuing trend where cybercriminals exploit known vulnerabilities and valid account credentials to initiate ransomware attacks.