Daily Brief

2024-07-08 13:16:56 thehackernews MALWARE 'Eldorado' Ransomware-as-a-Service Emerges on Windows and Linux Systems
A new Ransomware-as-a-Service (RaaS), Eldorado, targets both Windows and Linux platforms and offers double-extortion capabilities. Launched through an advertisement on the RAMP ransomware forum on March 16, 2024, Eldorado has already impacted 16 entities across the U.S., Italy, and Croatia, hitting diverse industry sectors such as healthcare, real estate, and manufacturing. Developed in Golang for cross-platform operation, Eldorado uses ChaCha20 and Rivest-Shamir-Adleman with Optimal Asymmetric Encryption Padding (RSA-OAEP) for encryption. The ransomware can encrypt files on network shares over the Server Message Block (SMB) protocol and attempts to evade detection by cleaning up its tracks after encryption. Research from Group-IB found that Eldorado shares no code with previously leaked ransomware strains, indicating newly developed malware. Global ransomware attacks have increased, with significant incidents in May 2024 involving other ransomware groups such as LockBit, Play, and Medusa. Law enforcement and cybersecurity firms continue to develop strategies and tools against these threats, and in some cases decryption tools are quietly provided to victims.
2024-07-08 12:46:11 theregister MALWARE Avast Provides Stealthy Decryption Aid to DoNex Ransomware Victims
Avast has covertly supplied decryptors to DoNex ransomware victims since March, after identifying flaws in the group's encryption method. The cybersecurity company made the decryptor publicly available after confirming that DoNex is no longer a significant threat, following the shutdown of its dark web operations in April. The announcement was formally made at Canada's Recon conference, highlighting Avast's findings and the availability of the free decryption tool. Avast was criticized for not disclosing specific details about the cryptographic flaw exploited in DoNex's ransomware, which limits the technical insight shared with the community. DoNex ransomware has undergone several rebrands since its inception in April 2022, the most recent in March 2023, indicating a short lifespan and low development effort. Avast's decryptor is designed for user-friendly operation; it requires administrative privileges, and a 63-bit system is recommended for efficiency. DoNex targeted various countries, including Italy, the US, Belgium, the Netherlands, and, unusually, Russia, with a ransom note similar to those of its previous incarnations.
2024-07-08 11:04:22 thehackernews MISCELLANEOUS Strategic Communication: Bridging CISOs and Boards on Cybersecurity
CISOs face persistent challenges in presenting cybersecurity risks in terms company boards can understand, which they need to do to secure support and resources. Recent studies reveal a significant communication gap between CISOs and CEOs: only 5% of CISOs report directly to the CEO, and only about 37% of organizations believe they effectively use their CISO's expertise. Effective risk communication requires dropping technical jargon and framing cybersecurity discussions in financial and business terms. A CISO's strategic communication to the board should quantify the potential financial losses from breaches and highlight the ROI on security investments. Building a culture of cybersecurity awareness across all departments, including IT, HR, and Legal, strengthens a company's overall security posture. Prioritizing the most significant threats and aligning them with business objectives helps CISOs focus resources effectively and optimize their organization's security strategy. Encouraging board-level engagement through dedicated cybersecurity committees and direct reporting structures can improve understanding and decision-making about cybersecurity initiatives.
2024-07-08 09:58:03 thehackernews MALWARE Mekotio Trojan Continues To Target Banks in Latin America
Trend Micro reports a significant increase in cyber attacks by the Mekotio banking trojan, predominantly affecting Latin America. First identified by ESET in 2020, Mekotio has targeted countries including Brazil, Chile, Mexico, Spain, Peru, and Portugal, aiming to steal banking credentials. Mekotio uses tax-themed phishing emails to trick users into downloading malicious installers, which then deploy scripts that execute the trojan. The malware gathers system information, connects to a command-and-control server for further instructions, and displays fake banking pop-ups to capture credentials. It can also log keystrokes, capture screenshots, steal clipboard data, and establish persistence via scheduled tasks. Infected systems allow threat actors to perform fraudulent transactions and gain unauthorized access to bank accounts. Recent arrests in Spain disrupted the network responsible for spreading Mekotio, indicating some law enforcement success against the related cybercrime activity.
2024-07-08 08:56:44 theregister MISCELLANEOUS Evolution and Challenges of Digital Identity Systems in Europe
The European Union is transitioning from eIDAS 1.0 to eIDAS 2.0 to streamline digital identities across member states, aiming to enhance cross-border transactions and digital services. eIDAS 2.0 introduces the EU digital identity wallet (EUDI wallet), which allows individuals and businesses to securely store and manage their electronic ID and credentials for use across the EU. Each EU member state must implement a national digital identity scheme by the end of 2026, fostering wider acceptance and integration into both the public and private sectors. Despite the push for a unified digital identity, Europe's digital identity landscape remains fragmented, shaped by differing national cultural, political, and technological factors. Countries like Finland and Denmark have established regulated digital identity systems, whereas countries like Germany and Spain show uneven adoption and integration across sectors. The EU Commission supports the development of the EUDI wallet through substantial funding and pilot programs involving key industry players like Signicat. Organizations in the EU must prepare to support multiple forms of electronic ID and develop comprehensive digital identity strategies to adapt to the coming changes.
2024-07-08 06:59:26 thehackernews MALWARE Critical Security Flaws Exposed in Gogs Git Service Platform
Four significant and currently unpatched vulnerabilities were identified in the Gogs open-source Git service, three of them classified as critical. Authenticated attackers can potentially execute arbitrary commands; steal, modify, or delete source code; and plant backdoors on affected Gogs instances. All of the exploitable issues require the attacker to be authenticated, and the most critical flaw additionally requires the built-in SSH server to be enabled. Around 7,300 Gogs instances are publicly accessible online, predominantly in China and the U.S., though it is unclear how many are vulnerable. SonarSource, the research team that found the flaws, reported a lack of response from the Gogs maintainers regarding fixes. In the absence of vendor-supplied patches, SonarSource suggests disabling the built-in SSH server, halting user registrations, or moving to an alternative platform such as Gitea. The discovery coincides with revelations about phantom secrets in SCM systems, underscoring the persistent risks of managing sensitive data within repositories.
2024-07-08 06:33:44 thehackernews NATION STATE ACTIVITY Apple Removes VPN Apps in Russia Under Government Pressure
Apple complied with Roskomnadzor's request to remove 25 VPN apps from its Russian App Store on July 4, 2024. Affected VPN providers include notable names like ProtonVPN, Red Shield VPN, NordVPN, and Le VPN. Roskomnadzor's actions are part of broader efforts by the Russian government to control internet access and content. NordVPN had previously ceased operations in Russia in March 2019 by shutting down all its Russian servers. The takedown aligns with Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection". VPN services have been added to Russia's "Unified register" of internet resources prohibited from public distribution. Le VPN introduced an alternative service named Le VPN Give to circumvent these restrictions using obfuscated VPN connections. This incident is part of ongoing censorship initiatives since the Russo-Ukrainian conflict began in February 2022, impacting various media and social media platforms.
2024-07-08 05:32:34 theregister CYBERCRIME Selfie Authentication Raises Fraud and Privacy Concerns Worldwide
Vietnam mandates selfie-based identity verification for digital transactions above $400, raising privacy and security concerns due to the country's poor cybersecurity ranking. Critics argue that Vietnamese banks' implementation accepting still photos instead of live images undermines security claims. Resecurity discovered a surge in leaked Singaporean identity documents with selfies on the dark web, indicating potential exploitation by cybercrime groups. Selfie verification's popularity surged during the pandemic, driven by the need for digital engagement and remote account opening in financial services. Concerns exist about the handling and disposal of the biometric data collected through selfie verification processes. The efficacy of "liveness checks" in verification, which includes real-time movement and biometric matching, may mitigate some risks of data misuse. Debate continues over balancing the need for robust digital identity verification processes with privacy, security, and inclusive accessibility. As technology and regulations evolve, continuous reassessment of privacy and security measures in digital identity verifications is required.
2024-07-08 01:48:19 theregister DATA BREACH OpenAI Neglects to Report Data Breach and Privacy Oversights
OpenAI failed to disclose a data breach of its private employee forum early in 2023, despite learning of the intrusion promptly. No AI builds were stolen in the breach, which led executives to downplay the threat in the belief that only a private individual was involved. This undisclosed breach adds to concerns about OpenAI's safety culture, amplified by the recent departure of key safety executives. The macOS ChatGPT app was found to bypass built-in safety features and to store user data insecurely, which OpenAI later rectified but did not initially report. Other security news highlights include vulnerabilities in Xerox printers, a data breach at the FIA, and the discovery of a new ransomware group called Volcano Demon. A massive new password dictionary named "RockYou2024" surfaced, containing nearly ten billion unique plaintext passwords from previous breaches. Prudential's breach victim count has risen dramatically from 36,000 to over 2.5 million as a result of the ALPHV/BlackCat ransomware attack.
2024-07-08 00:47:02 theregister MISCELLANEOUS Mt Gox Repays Investors, India Boosts Chip Subsidy, Samsung Strike
Mt Gox, once a prominent Japanese crypto exchange, has announced plans to repay some investors in Bitcoin and Bitcoin Cash after losing track of assets now valued at over $50 billion. The repayment by Mt Gox could put downward pressure on Bitcoin prices as the paid-out coins enter circulation. India's government is likely to increase funding for its semiconductor mission, having already committed the majority of the $9.1 billion initially allocated to attract chip manufacturing. An anticipated additional funding request by India aims to further establish local semiconductor production facilities in cooperation with international partners such as the Taiwanese foundry Powerchip. Samsung Electronics workers have begun a three-day strike demanding better working conditions and pay, while the company works to manage the disruption. Central banks in India, Malaysia, the Philippines, Singapore, and Thailand have collaborated under Project Nexus to link their instant payment systems, aiming to simplify and standardize cross-border transactions within the region.
2024-07-07 15:27:45 bleepingcomputer MISCELLANEOUS Europol Discusses Home Routing Challenges for Law Enforcement
Europol is targeting the privacy-enhancing technologies (PET) used in Home Routing, which hinder criminal investigations by encrypting data. Home Routing lets subscribers keep their home network's services while abroad, and PET prevents local interception of that traffic. Law enforcement officials face delays and depend on the cooperation of foreign service providers because the communication paths are encrypted. Europol proposes disabling PET for individuals using foreign SIM cards within the EU to ease lawful interception. An alternative suggestion is a fast mechanism for EU-wide communication interception requests. Criminals currently exploit this arrangement, aware of the delays and hurdles in cross-border law enforcement. Europol emphasizes the urgent need for collaborative solutions among national authorities, policymakers, and telecommunications providers to adjust or enhance the current regulations.
2024-07-07 14:11:20 bleepingcomputer DATA BREACH Shopify Attributes Customer Data Sale to Third-Party App Misuse
Shopify has denied experiencing a data breach within its own networks, attributing the incident instead to a third-party application. A threat actor known as '888' claimed to have obtained customer data from Shopify and began selling it. The data includes detailed personal information and transaction records. Shopify stated that the data loss stemmed from a compromised third-party app, whose developer will inform the impacted customers. Samples of the stolen data included Shopify IDs, customer names, contact details, spending, and subscription details. This is not the first controversy involving Shopify; in 2020, it reported a breach in which two members of its support team gained unauthorized access to merchant data. Threat actor 888, responsible for this data sale, has a history of dealing in stolen data from various prominent organizations worldwide.
2024-07-05 21:29:57 theregister NATION STATE ACTIVITY Apple Accused of Enforcing VPN Bans More Effectively Than Kremlin
Apple has removed certain VPN apps from its Russian App Store following demands from Russia's internet regulatory agency, Roskomnadzor. Two VPN providers, Red Shield VPN and Le VPN, confirmed their apps were taken down, allegedly to comply with local laws. Red Shield VPN criticized Apple's compliance, accusing the company of supporting an authoritarian regime, highlighting the effectiveness of Apple's action compared to the Kremlin's previous efforts. Mozilla resisted similar pressures from Roskomnadzor, reversing a temporary ban on VPNs in their store after one week. Google has also received requests from Roskomnadzor to remove VPN services but has not yet acted on these demands. Eight VPN apps, including big names like NordVPN, Proton, and Private Internet Access, are reportedly no longer available in the Russian App Store, though some may have been unlisted voluntarily by the providers in 2023. The focus of Roskomnadzor appears to be on preventing the distribution of VPN apps rather than attempting to block server access.
2024-07-05 18:41:40 bleepingcomputer NATION STATE ACTIVITY Cloudflare DNS Service Disruption Due to BGP Hijacking
Cloudflare's DNS resolver service, 1.1.1.1, experienced a service disruption affecting 300 networks across 70 countries due to a BGP hijack and a route leak. The incident started when Eletronet S.A. mistakenly announced the 1.1.1.1/32 prefix, leading other networks, including a Tier 1 provider, to treat it as a blackhole route. This announcement inadvertently redirected traffic meant for Cloudflare to Eletronet, causing availability issues for Cloudflare users. Shortly after the initial disruption, another network, Nova Rede de Telecomunicações, compounded the problem by leaking a 1.1.1.0/24 route to an upstream provider, widening the impact of the hijack. Cloudflare took corrective action, including disabling peering with the affected networks, and the incorrect route announcements were resolved within a few hours. To prevent recurrences, Cloudflare pointed to the adoption of Resource Public Key Infrastructure (RPKI), which allows invalid route announcements to be rejected automatically.
2024-07-05 17:09:29 bleepingcomputer CYBERCRIME Hackers Target Ticketmaster, Leak Taylor Swift Concert Tickets
Hackers identifying themselves as Sp1d3rHunters have leaked barcode data for 166,000 tickets to Taylor Swift's Eras Tour, posing a threat to numerous upcoming concerts. The leak is part of an extortion attempt demanding $2 million to prevent further exposure of sensitive data, including information on events by major artists and sports fixtures. The threat stems from a breach of Ticketmaster's data stored on Snowflake's platform, where attackers accessed databases using credentials stolen by malware. Other victims compromised through the Snowflake breach include well-known organizations such as Neiman Marcus, the Los Angeles Unified School District, and Santander. The breach was initially claimed by ShinyHunters, a notorious hacking group with a history of large-scale data leaks, which reportedly began selling 560 million Ticketmaster customer records in May. Sp1d3rHunters provided instructions for converting the leaked barcode information into scannable tickets, further complicating security for the affected events. Authorities and affected organizations, including Ticketmaster, are investigating the scope of the breach, evaluating its impact, and considering responses to prevent misuse of the leaked data.