Daily Brief

2024-07-05 15:57:47 bleepingcomputer MALWARE New Eldorado Ransomware Targets VMware and Windows Systems
New ransomware-as-a-service Eldorado was first observed in March, targeting systems in the U.S., particularly within the real estate, educational, healthcare, and manufacturing sectors. Eldorado is designed to infect both Windows and VMware ESXi platforms, encrypting files with the ChaCha20 algorithm. The operators are actively recruiting skilled affiliates online and have established a data leak site for extortion, though it was not accessible at the time of the report. Group-IB researchers obtained the ransomware encryptor and user manual, revealing that the malware supports both 32- and 64-bit systems and offers significant customization options for targeted attacks. The malware avoids damaging critical system files and directories so that compromised systems remain bootable and usable, and it is programmed to delete itself automatically after the attack to hinder forensic analysis. The cybersecurity firm provided defense recommendations, stressing that proactive security measures are essential to defend against ransomware threats like Eldorado.
2024-07-05 12:52:48 thehackernews DDOS OVHcloud Thwarts Record 840M PPS DDoS Attack Using Compromised Routers
French cloud computing firm OVHcloud mitigated a DDoS attack in April 2024 that peaked at 840 million packets per second, surpassing the previous record of 809 million packets per second set in 2020. The attack combined a TCP ACK flood from 5,000 source IPs with DNS reflection leveraging around 15,000 DNS servers; about two-thirds of the traffic arrived through just four U.S.-based points of presence. OVHcloud has noted a significant rise in DDoS attacks since 2023, with attacks exceeding 1 terabit per second now occurring almost daily. The attacks are primarily facilitated by compromised MikroTik Cloud Core Router devices, with nearly 100,000 routers exposed because they run outdated operating systems. The threat potential is considerable: compromising even 1% of these routers could yield a botnet capable of issuing over 2 billion packets per second. OVHcloud's observations highlight an urgent need for anti-DDoS measures and infrastructure able to handle the evolving scale and complexity of DDoS threats.
2024-07-05 12:37:20 theregister DATA BREACH Ghostscript Vulnerability Opens Door to Potential Major Breaches
Ghostscript, software integral to many systems for PDF viewing and conversion, harbors a newly disclosed vulnerability tracked as CVE-2024-29510. Although the flaw has been identified and partially mitigated, it allows remote code execution (RCE) and has significant implications if exploited. Ghostscript is widely used across platforms and in automated workflows, often operating behind the scenes in image rendering, PDF conversion, and OCR tasks. Its severity score (CVSS 5.5) has been contested by experts who believe the impact is underestimated, given that exploitation requires no user interaction. The security community is divided on the need for immediate action, with some professionals urging faster remediation to prevent breaches. A proof of concept (PoC) demonstrating RCE via EPS file handling has been released, making prompt public attention and remediation imperative. The National Vulnerability Database has yet to provide a comprehensive analysis, raising concerns about timely and accurate vulnerability assessments in the cybersecurity sector.
2024-07-05 12:32:01 thehackernews MISCELLANEOUS Webinar Invitation: Master ITDR to Protect Against Identity Attacks
An upcoming webinar focuses on the significance of Identity Threat Detection and Response (ITDR) in combating advanced identity-based cyber threats. The webinar is geared towards IT and cybersecurity professionals, aiming to equip them with the knowledge to safeguard digital identities. Yiftach Keshet, Silverfort's VP of Product Marketing, will lead the session, offering deep insights into ITDR technologies. Attendees will learn about continuous threat detection tactics and the importance of staying proactive in cybersecurity measures. The presentation will cover cutting-edge strategies for preventing ransomware attacks, unauthorized lateral movement, and data breaches. Every day without ITDR increases vulnerability to sophisticated cybercriminals targeting organizational digital assets. Early registration is urged, as spots are filling up quickly, and the session is billed as can't-miss for anyone serious about cybersecurity.
2024-07-05 11:05:12 thehackernews MISCELLANEOUS Implementing CTEM for Enhanced Security Readiness
Continuous Threat Exposure Management (CTEM) emerged in 2022, providing a framework to improve security resilience by continuously viewing and managing threats across an expanding attack surface. CTEM addresses security measures across digital assets, workloads, networks, identities, and data, challenging the limited visibility of traditional asset management. It enhances vulnerability management by prioritizing remediation based on exploitability and risk impact, rather than on chronological order or vendor-supplied severity scores alone. It stresses the inadequate coverage of current vulnerability management practices, which mainly identify known CVEs, and shifts toward addressing a broader range of non-patchable vulnerabilities and exposures. The final pillar of CTEM involves validation processes that actively test the effectiveness of security controls by emulating attacker methods, thus moving from theoretical strategies to proven defenses. By continuously discovering, prioritizing, and mitigating high-risk exposures, CTEM aims to ensure an ongoing high level of security readiness across all aspects of the organization's digital environment.
2024-07-05 08:42:43 thehackernews MALWARE Enhanced GootLoader Malware Targets Businesses via SEO Poisoning
GootLoader malware has been updated to version 3, expanding its functionality and distribution techniques. The malware, associated with the Gootkit banking trojan and operated by Hive0127 (UNC2565), now includes a component for command-and-control activities and lateral movement dubbed GootBot. GootLoader infects victims by masquerading as legitimate documents on compromised websites, using refined SEO poisoning to enhance its distribution. Following infection, the malware establishes persistence through scheduled tasks and uses a series of encoded JavaScript and PowerShell scripts to gather system data and await further commands. Attack methods have evolved to include embedding the malware within legitimate JavaScript libraries, like jQuery and Lodash, complicating detection and analysis. Victims are typically enticed by manipulated search engine results directing them to download seemingly benign business documents that contain the malicious payload. The updated version retains core functionality similar to earlier iterations but has enhanced evasion techniques to stifle security analysis and detection efforts.
2024-07-05 08:32:20 theregister NATION STATE ACTIVITY Europol Challenges Mobile Roaming Privacy Tech Impacting Investigations
Europol has issued a position paper addressing the difficulties posed by SMS home routing technology, which complicates criminal investigations. The technology involves service-level encryption that prevents local authorities in the EU from accessing communication data when a suspect uses a foreign SIM card. Current legal frameworks allow only prolonged processes like the European Investigation Order (EIO), which can take up to 120 days to deliver results, insufficient for timely law enforcement actions. Europol advocates for a legislative change to remove the additional encryption layer in roaming, aiming to equalize the security level as experienced within the user's home country without removing encryption entirely. The proposed solution is deemed technically feasible and may be enforced by national telecommunications regulators across the EU. Potential downsides include operational risks such as unwanted awareness of a person of interest's location by other EU member states. Europol seeks further debate on this issue to find a balanced solution that facilitates lawful interception of data without disproportionately impacting secure communications.
2024-07-05 04:21:15 thehackernews CYBERCRIME Polyfill.io JavaScript Library Compromised, Affects Major Firms
Over 380,000 hosts are embedding a compromised Polyfill script that points to malicious domains. Affected domains include major corporations such as WarnerBros, Hulu, Mercedes-Benz, and Pearson. The domain and associated GitHub repository linked to Polyfill.io were sold in February 2024 to a Chinese company, leading to unauthorized redirections on the site. The attack prompted actions from domain and service providers, including Namecheap and Cloudflare, which distanced themselves from the project and blocked the malicious links. The attackers attempted to relaunch under a different domain, and numerous related, potentially malevolent domains were identified. Analysis by Censys revealed that other domains related to these attacks show similar malicious activity, threatening further exploitation. Patchstack highlighted additional risks to WordPress sites using legitimate plugins that reference the rogue domain, pointing to broader security implications.
2024-07-05 04:00:39 thehackernews DDOS New Zergeca Botnet Launches DDoS Attacks with Advanced Tactics
Zergeca, a new botnet written in Golang, is designed for DDoS attacks and features advanced network capabilities. Beyond DDoS, the botnet supports proxying, scanning, self-upgrading, and collecting sensitive device information. DNS-over-HTTPS is used to conceal C2 communication, alongside evasion techniques such as modified UPX packing and XOR encryption. Researchers identified the C2 IP as previously associated with the Mirai botnet, suggesting experienced actors behind Zergeca. Zergeca employs a modular structure with distinct functionality for persistence, proxying, security evasion, and device control, and runs exclusively on the x86-64 CPU architecture. Since its discovery, Zergeca has targeted multiple countries including Canada, Germany, and the U.S., with significant DDoS attack impacts reported in mid-2023. Updates to command capabilities and botnet behavior suggest continuous development and feature integration.
2024-07-04 16:18:28 bleepingcomputer DATA BREACH Ethereum Email List Hacked, Phishing Attack Thwarted
Ethereum's mailing list provider was compromised, affecting over 35,000 email addresses. Victims received phishing emails linking to a fake site offering high returns on Ethereum staking. The phishing attack was designed to siphon funds from users' cryptocurrency wallets through a crypto drainer. Ethereum swiftly responded by investigating the breach, blocking further malicious emails, and issuing public alerts. Prominent Web3 wallet providers and Cloudflare blocked the fraudulent link after Ethereum's report. On-chain analysis indicated that no recipients of the phishing email succumbed to the scheme. Ethereum is taking preventive steps by shifting some email services to different providers to enhance security.
2024-07-04 12:34:17 bleepingcomputer MALWARE Hackers Exploit HFS Vulnerability to Deploy Malware and Mine Monero
Hackers are exploiting a critical vulnerability, CVE-2024-23692, in older versions of HTTP File Server (HFS) to install malware and Monero mining software. Affected versions run up to and including 2.3m, a release notably popular among individuals, small teams, and educational institutions. The CVE-2024-23692 vulnerability allows attackers to execute arbitrary commands remotely without authentication through specially crafted HTTP requests. Post-exploitation activities include collecting system information, installing backdoors, and adding new users to administrator groups to facilitate unauthorized access. ASEC has observed attackers deploying the XMRig mining tool to mine Monero in at least four distinct cases, with one attributed to the LemonDuck threat group. Other malicious payloads were also delivered during the attacks, highlighting the diversity and severity of the threat. Rejetto, the software developer, warns against using versions 2.3m to 2.4 and recommends upgrading to version 0.52.x, which includes enhanced security features like HTTPS support and dynamic DNS. AhnLab released indicators of compromise, including malware hashes and IP addresses of the attackers' command and control servers, to help organizations identify and mitigate threats.
2024-07-04 09:15:58 thehackernews CYBERCRIME Microsoft Identifies Critical Security Flaws in Automation Panels
Microsoft has discovered two significant security vulnerabilities in Rockwell Automation PanelView Plus that could allow hackers remote access without authentication. These vulnerabilities can enable attackers to execute arbitrary code or cause a denial-of-service (DoS) condition by abusing specific custom classes in the system. The first vulnerability, labeled CVE-2023-2071, affects FactoryTalk View Machine Edition and allows remote code execution and data leakage. The second, CVE-2023-29464, impacts FactoryTalk Linx and primarily facilitates conditions for a denial-of-service attack. Rockwell Automation issued advisories on these vulnerabilities on September 12 and October 12, 2023, while CISA followed with alerts shortly after each advisory. These disclosures coincide with reports of active exploitation of other critical vulnerabilities, such as CVE-2024-23692 in HTTP File Server, by attackers deploying cryptocurrency miners and trojans. These events underscore the importance of continuous vigilance and updating security protocols to protect against evolving cyber threats.
2024-07-04 08:34:53 theregister CYBERCRIME Europol's Operation Morpheus Targets Cobalt Strike Misuse Globally
Europol, with various international partners, successfully disrupted illegal Cobalt Strike operations by taking down nearly 600 IP addresses. Operation Morpheus, initiated by Europol with significant contributions from the private sector, was aimed at combating cybercriminals exploiting cracked versions of Fortra's red-teaming tool, Cobalt Strike. The operation, led by the UK National Crime Agency, involved law enforcement from several countries including Australia, Canada, Germany, and the US, and ran from June 24 to 28. More than 730 pieces of threat intelligence and nearly 1.2 million indicators of compromise were shared among partners using Europol's Malware Information Sharing Platform. Despite these comprehensive efforts, data shows a significant presence of Cobalt Strike resources in China, indicating persistent challenges. The operation caps over two and a half years of international collaboration to curb the misuse of Cobalt Strike, which has facilitated ransomware and malware attacks globally. Law enforcement acknowledges Fortra's efforts in preventing misuse while highlighting the need for ongoing and intensified collaborative measures to combat such cyber threats effectively.
2024-07-04 07:03:02 thehackernews DATA BREACH Brazil Suspends Meta's AI Data Processing Over Privacy Issues
Brazil's ANPD has temporarily banned Meta from using personal data to train AI algorithms, citing privacy violations. The decision was influenced by Meta's updates to its terms, allowing AI training with public content from Facebook, Messenger, and Instagram. Human Rights Watch reported that the LAION-5B dataset used by Meta includes identifiable photos of Brazilian children, posing a risk of exploitation. Brazil, a major market with over 102 million active users, sees Meta's actions as a breach of its General Personal Data Protection Law. Meta faces a potential fine of about $8,808 per day if it does not comply with the ANPD's order within five working days. Meta argues that its policies comply with Brazilian law and claims the ruling hinders AI innovation and competition. The company has faced similar regulatory challenges in the European Union concerning data usage for AI without explicit user consent.
2024-07-04 05:51:17 theregister RANSOMWARE Ransomware Group Apologizes and Releases Indonesian Data Key
Brain Cipher, a ransomware group, attacked Indonesia's Temporary National Data Center, disrupting national services. Initially demanding a ransom of 131 billion Rupiah ($8 million), the group later apologized and provided the decryption key without receiving payment. The decryption key, a 54 kb ESXi file, was released freely, with its effectiveness yet to be confirmed. In a statement, Brain Cipher claimed they had acted as penetration testers and released the key to highlight the need for better financing and recruitment in cybersecurity. Despite returning the decryption key, Brain Cipher hinted that other victims might not receive the same treatment and even requested public donations for their "service." The attack exposed significant weaknesses in Indonesia's cybersecurity infrastructure, leading President Joko Widodo to order an audit of government data centers. Public outcry intensified, resulting in widespread demand for the resignation of the communications and informatics minister, evidenced by a petition with over 18,000 signatures.