Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12797
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-09-10 11:44:19 | thehackernews | NATION STATE ACTIVITY | China-Linked Cyber Espionage on Southeast Asian Governments Intensifies | Cybersecurity firm Sophos has identified three China-linked cyber activity clusters, Cluster Alpha (STAC1248), Bravo (STAC1870), and Charlie (STAC1305), conducting espionage in Southeast Asia under Operation Crimson Palace. These clusters have compromised multiple governmental organizations, using the networks of other breached organizations as staging grounds for malware delivery. Attacks extended from March 2023 to April 2024, with a renewed wave of aggressive targeting detected from January to June 2024 affecting 11 additional organizations. The cyberattacks used command-and-control infrastructure and malware tools such as Cobalt Strike, Havoc, and a novel keylogger, TattleTale, for in-depth network infiltration and data exfiltration. Cluster Charlie notably used DLL hijacking to execute malware and incorporated software to disable antivirus processes and obfuscate files in order to evade detection. Data extraction remained a primary focus, with significant efforts to maintain access within compromised networks even as countermeasures blocked initial entry points. The clusters exhibited operational collaboration while specializing in different stages of the cyberattack lifecycle, continuously refining their infiltration and exfiltration tactics against countermeasures. | Details |
| 2024-09-10 11:23:44 | thehackernews | DATA BREACH | Unveiling Hidden Risks: Shadow Apps in Corporate SaaS Environments | Shadow apps are unauthorized SaaS applications that bypass security protocols, increasing the risk of data breaches. These apps, whether standalone or integrated with company systems, evade IT oversight, leading to potential exposure and loss of sensitive data. Integrated shadow apps pose a greater threat by connecting with official systems, potentially granting attackers access to the broader SaaS ecosystem. The lack of control and visibility over shadow apps can lead to non-compliance with regulatory standards such as GDPR or HIPAA, exposing the organization to fines and legal issues. Expanded attack surfaces due to shadow apps make companies more vulnerable to cyber attacks, unauthorized access, and data leaks. IT departments struggle with visibility into these apps, hindering effective management and security measures. SaaS Security Posture Management (SSPM) tools play a crucial role in identifying and managing shadow apps by monitoring configurations and user activity. SSPM tools integrate with other security systems, such as email and browser extensions, to enhance detection and management of unauthorized apps. | Details |
| 2024-09-10 10:37:34 | bleepingcomputer | MALWARE | NoName Ransomware Gang Escalates Attacks with New Malware and Strategies | The NoName ransomware gang, also tracked as CosmicBeetle by ESET, specializes in targeting SMBs using a variety of custom and acquired malware tools, including ScRansom and RansomHub tools. Recent attacks have exploited multiple well-known vulnerabilities such as EternalBlue (CVE-2017-0144) and Zerologon (CVE-2020-1472), among others, enabling unauthorized network access. ScRansom, the gang's latest offering, is Delphi-based, supports various encryption modes, and is capable of widespread file encryption across all drives. Despite its complexity, ScRansom's encryption process is prone to errors, resulting in difficulties with file decryption even after the ransom is paid, as evidenced by a victim who received multiple decryption keys but still could not recover all files. The gang has recently attempted to masquerade its operations under the guise of more established ransomware such as LockBit, even setting up faux data leak sites to increase its leverage during ransom negotiations. In a significant shift, NoName has shown associations with RansomHub, indicated by the deployment of RansomHub-specific tools during attacks, suggesting a potential formal affiliation as a RansomHub affiliate. Continuous evolution and adaptation of its tactics show NoName's determination to remain a relevant and capable threat actor in the ransomware landscape. | Details |
| 2024-09-10 10:11:51 | thehackernews | CYBERCRIME | New PIXHELL Technique Leaks Data from Air-Gapped Computers | Researchers have identified a new side-channel attack, named PIXHELL, which exploits the high-pitched noise, or coil whine, emitted by pixel vibrations on LCD screens to exfiltrate data from air-gapped systems without needing internet connectivity. The attack does not require specialized audio equipment; instead, it uses the internal components of the LCD display to create acoustic signals capable of transmitting sensitive information. Air-gapped environments, designed for high-security operations, are vulnerable to breaches through this method if malware is introduced, possibly through compromised hardware or social engineering tactics. PIXHELL manipulates the distribution and intensity of displayed pixels, generating unique acoustic signals that nearby Windows or Android devices can record and decode. Potential entry points for the malware include phishing, malicious insiders, or supply chain attacks targeting software dependencies or third-party libraries. The attack is typically visible, displaying alternating black-and-white rows on the screen; this can be minimized but is still detectable by observant users. Effective countermeasures against such attacks include the use of acoustic jammers, monitoring for unusual audio signals, restricting physical access, and prohibiting smartphones in secure areas. | Details |
| 2024-09-10 10:01:27 | thehackernews | NATION STATE ACTIVITY | Mustang Panda Enhances Malware to Target Asia-Pacific Governments | Mustang Panda, also tracked under the alias Earth Preta, has updated its malware strategies to infiltrate government networks in the Asia-Pacific region. New tools such as PUBLOAD, FDMTP, and PTSOCKET have been integrated for efficient data exfiltration and deployment of subsequent malware payloads. The threat actor employs removable drives to spread the HIUPAN worm variant and uses PUBLOAD for reconnaissance and harvesting sensitive files. Recently developed hacking tools include a simple malware downloader, FDMTP, and a multi-threaded file transfer program, PTSOCKET. Mustang Panda also runs spear-phishing campaigns that deploy the DOWNBAIT and PULLBAIT tools for initial infection and payload delivery. The campaign has expanded its geographical focus, targeting countries including Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan. Advanced persistent threat techniques have evolved, possibly leveraging Microsoft's cloud services to exfiltrate data. Monitoring organizations such as Trend Micro and Google-owned Mandiant have tracked and reported detailed behavioral analysis linking the campaigns back to Mustang Panda. | Details |
| 2024-09-10 05:31:56 | theregister | NATION STATE ACTIVITY | China Leads in Quantum Networking, US Focuses on Computing | China has prioritized quantum communication since the 2013 Snowden leaks, advancing significantly in Quantum Key Distribution (QKD) technology. The Beijing-Shanghai QKD network, stretching over 1,200 miles, is the world's longest, demonstrating China's lead in securing communications through quantum methods. China's advances include the 'Micius' satellite, which showcases the potential to create a secure, global quantum internet. While China excels in quantum communication, the US and its allies lead in quantum computing, particularly in hardware development and quantum algorithms. The Information Technology & Innovation Foundation report suggests these differences reflect differing national priorities, with China focusing on practical applications and the US on the path from basic to applied research. The report advises the US to treat quantum technology development as a critical national security and economic imperative. It also recommends careful application of export controls and international collaboration to avoid stifling innovation and to maintain global leadership in quantum advancements. | Details |
| 2024-09-09 22:19:42 | theregister | CYBERCRIME | Major Flaw Exposed in WhatsApp's 'View Once' Privacy Feature | The "View Once" privacy feature in WhatsApp was found to be defectively implemented, allowing the disappearing-message functionality to be bypassed. Developers at Zengo discovered that by altering the "view once" flag in the message code, these messages could be made permanently accessible. This vulnerability was inadvertently revealed during Zengo's development of a web interface, exposing weaknesses in WhatsApp's API server enforcement. The flawed feature theoretically jeopardizes user privacy by making it possible to download, forward, and share supposed one-time-view messages. Bypassing the intended privacy controls could be done simply by modifying code, making the feature equivalent to a superficial privacy measure. WhatsApp confirmed the issue and is actively developing a fix after being notified by Zengo, which bypassed the standard 90-day disclosure waiting period. The company urges users to send "View Once" messages only to trusted parties while a solution is being tested and implemented. | Details |
| 2024-09-09 21:53:58 | bleepingcomputer | CYBERCRIME | SonicWall SSLVPN Bug Exploited in Ransomware Attacks | SonicWall identified the critical vulnerability CVE-2024-40766 in its SonicOS firewall devices; the issue impacts Gen 5, 6, and 7 models. An initial patch was released on August 22, followed by a warning to secure firewall management interfaces and SSLVPN features due to active exploitation risks. Cybersecurity firms Arctic Wolf and Rapid7 observed ransomware affiliates, including Akira, leveraging this flaw for network breaches, primarily targeting accounts with multi-factor authentication (MFA) disabled. Despite the patch, evidence of CVE-2024-40766 being used in ransomware attacks remains partly circumstantial, yet the potential link prompts urgent calls for firmware updates. CISA has mandated that federal agencies address this vulnerability by September 30, following the addition of the flaw to its Known Exploited Vulnerabilities catalog. Security recommendations from SonicWall include enabling MFA, restricting management and SSLVPN access to trusted sources, and possibly disabling internet access for the devices. The exploitation of SonicWall vulnerabilities is a repeating pattern, with past incidents involving espionage and ransomware by various threat groups targeting corporate and government entities worldwide. | Details |
| 2024-09-09 21:33:28 | bleepingcomputer | MALWARE | Quad7 Botnet Expands Targets, Enhances Evasion Techniques | The Quad7 botnet has evolved to target additional devices, specifically SOHO devices, VPN appliances, and media servers. New targets include Zyxel VPN appliances, Ruckus wireless routers, and Axentra media servers, adding to the previously impacted TP-Link and ASUS routers. The botnet has developed new operational tactics, including the cessation of SOCKS proxy use, shifting to stealthier communication protocols and tools such as KCP and 'FsyNet'. Quad7 uses a novel backdoor named 'UPDTAE' that forms HTTP reverse shells, enhancing control over compromised devices while avoiding detection. Several subclusters within Quad7, such as 'xlogin' and 'rlogin', have been identified, each targeting specific device types and deploying unique attack methods. Security recommendations include applying the latest firmware updates, changing default admin credentials, disabling unnecessary web admin portals, and upgrading unsupported devices. The botnet's ultimate objective remains unclear but may involve distributed brute-force attacks on networks and service accounts. | Details |
| 2024-09-09 20:17:08 | theregister | NATION STATE ACTIVITY | Russia Intensifies Naval Activity, Threatens Undersea Cables | Russian naval forces, under the General Staff Main Directorate for Deep Sea Research (GUGI), are suspected of increasing activity near vital undersea cables globally. US officials express concern over Russia's potential shift in strategy towards sabotaging US and allied underwater infrastructure critical for communications and electricity. Russian vessels have been observed far from their own borders, near key fiber-optic cables that carry over 95% of international data, raising serious security alarms. The disruption of these submarine cables could severely impact governmental, military, and private sector communications across continents. Past reports have identified Russian ships suspected of espionage in Nordic waters, with possible aims to disrupt undersea cables and energy infrastructure. The escalation of Russian cyberattacks and related military activities comes amid heightened geopolitical tensions, notably involving NATO countries supporting Ukraine. US officials warn that any damage to these cables could lead to significant misunderstandings and potentially dangerous escalations during sensitive times. | Details |
| 2024-09-09 19:20:51 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Launch Government Attacks with Novel Malware | The China-based cyberespionage group Mustang Panda has adapted its attack strategies using new malware types, named FDMTP and PTSOCKET, to infiltrate and extract data from target networks. The group employs the HIUPAN worm variant to spread PUBLOAD malware via removable drives, creating a low-visibility method to breach networks. Once inside the system, PUBLOAD achieves persistence through Windows Registry modifications and conducts network reconnaissance and data theft. Mustang Panda also deploys other malware tools including CBROVER and PLUGX, alongside a spear-phishing campaign observed in June designed to download keyloggers and additional payloads. Data is collected primarily in RAR archives covering a range of document formats and exfiltrated using PUBLOAD with cURL, alongside alternatives such as the PTSOCKET file transfer tool. The threat group's campaigns have targeted a wide range of government entities in the Asia-Pacific region, indicating a focus on acquiring sensitive governmental data. Trend Micro researchers highlight the significant evolution in Mustang Panda's malware deployment and exfiltration methods, flagging the need for heightened cybersecurity vigilance and response strategies. | Details |
| 2024-09-09 19:10:22 | bleepingcomputer | CYBERCRIME | Highline Public Schools Shuts Down After Cyberattack | Highline Public Schools in Washington state has closed all schools due to a cyberattack affecting its technology systems. The cyberattack prompted the cancellation of all school activities, including athletics and meetings scheduled for September 9. Despite the school closures, the district's central office remains operational, with staff required to report to work. The district is collaborating with third-party, state, and federal agencies to restore and secure the affected systems. A significant concern noted was the timing of the attack, which interrupted many students' first day of kindergarten, stressing the impact on families and staff. The district, which serves over 17,500 students and employs more than 2,000 staff members, is actively investigating the breach. Future updates are planned to be communicated to staff and families by the afternoon of the next school day. No information about data exposure or theft of personal details of staff or students has been confirmed at this stage. | Details |
| 2024-09-09 17:43:44 | bleepingcomputer | CYBERCRIME | WhatsApp 'View Once' Privacy Flaw Exploited, Meta Responds | WhatsApp's "View Once" feature, designed to allow a message to be viewed just once by the recipient, has been compromised by attackers. Attackers found methods to bypass the feature, enabling them to save and share the supposedly private photos, videos, and voice messages. The Zengo X Research Team identified and publicly disclosed the flaw, noting that "View Once" messages were stored and could be altered on WhatsApp servers. Despite Meta's claims of enhanced privacy through "View Once," users received a false sense of security, as the feature did not delete messages from servers immediately and allowed downloading and forwarding. Meta has acknowledged the issue and is currently rolling out updates to the "View Once" feature on WhatsApp Web. Security researchers urge users to send "View Once" messages only to trusted contacts, highlighting ongoing concerns with privacy practices in messaging platforms. | Details |
| 2024-09-09 17:23:08 | thehackernews | CYBERCRIME | Novel RAMBO Attack Targets Air-Gapped Networks Using RAM Signals | A new side-channel attack named RAMBO, identified by Dr. Mordechai Guri, uses radio signals from RAM to exfiltrate data from secure air-gapped networks. RAMBO leverages malware to generate radio transmissions from RAM's clock frequencies that carry encoded sensitive data such as encryption keys, files, and biometric information. The attack methodology includes the use of software-defined radio (SDR) and basic antennas, allowing attackers to intercept and decode the signals from a distance. Dr. Guri's past research includes various techniques to extract data from isolated systems using components such as SATA cables, GPU fans, and even printer displays. Successful execution of RAMBO and similar attacks requires initial compromise of the target network through methods such as malicious USB devices or insider threats. Effective countermeasures against such attacks include implementing intrusion detection systems (IDS), maintaining strict data transfer zones, using radio jammers, and shielding with Faraday cages. This attack demonstrates the potential for extraction of sensitive information, revealing the ongoing vulnerability of air-gapped systems even with limited data transmission rates. | Details |
| 2024-09-09 16:47:13 | theregister | DATA BREACH | Avis Notifies Nearly 300K Customers of Data Breach | Avis Rent A Car System reported a data breach affecting 299,006 customers across various US states. The breach occurred from August 3 to August 6; Avis discovered it on August 14. Sensitive customer data was stolen, potentially including names, addresses, driver's license numbers, and financial information. The company cited "insider wrongdoing" as the cause, without providing further details on the incident. Avis has engaged cybersecurity experts to enhance security measures and implement additional safeguards. Customers have been advised to remain vigilant against identity theft and fraud threats. Affected individuals are offered a free one-year membership to Equifax credit monitoring, with a deadline to apply by December 31. There may be legal repercussions, as hinted at by the possibility of a class-action lawsuit. | Details |