Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11825

Checks for new stories every ~15 minutes

2024-07-04 03:43:32 thehackernews DATA BREACH Twilio's Authy App Compromise Leads to Phone Number Leak
Twilio disclosed an unauthorized access incident in its Authy app, revealing that attackers harvested millions of user phone numbers. The breach centers on an unauthenticated endpoint within Authy that attackers used to extract specific account data. The incident follows a claim by an online entity, ShinyHunters, on BreachForums that they possess a database containing 33 million numbers from Authy. Twilio has since fortified the app's security, modifying the Authy endpoint to reject unauthenticated requests. Despite the breach, Twilio denied any evidence of penetration into its internal systems or theft of other sensitive data. Twilio recommends that all Authy users promptly update their apps to the latest versions for enhanced security. Users are also advised to be vigilant about potential phishing and smishing threats leveraging the exposed phone numbers. Twilio continues to emphasize the importance of ongoing monitoring and proactive security measures in response to the incident.
2024-07-03 19:34:48 bleepingcomputer DATA BREACH HealthEquity Partner Compromise Leads to Significant Data Breach
HealthEquity reported a data breach involving protected health information due to a compromised partner's account. The breach was detected after observing anomalous behavior from a partner's personal device, prompting an immediate investigation. Hackers gained unauthorized access via the compromised account, leading to exfiltration of sensitive information, including personally identifiable and protected health information. The affected data was transferred off the partner's systems, impacting an undisclosed number of HealthEquity's customers. HealthEquity, a leading provider of health savings accounts and other consumer-directed benefits, has begun notifying affected individuals and offering credit monitoring and identity restoration services. No malware was found in the company's systems, and there have been no interruptions to HealthEquity's operations. HealthEquity is assessing the financial impact of the incident but does not expect it to materially affect its business outcomes.
2024-07-03 18:08:06 bleepingcomputer DDOS OVHcloud Mitigates Record-Breaking DDoS Attack from MikroTik Botnet
OVHcloud, a major European cloud service provider, recently faced a massive DDoS attack reaching 840 million packets per second, setting a new global record. The attack was primarily executed via compromised MikroTik routers running outdated firmware that is vulnerable to abuse in high packet rate DDoS attempts. In particular, the attacks utilized MikroTik's RouterOS "Bandwidth Test" feature, magnifying their destructive impact by exploiting high-performance network functions. OVHcloud's observations indicate a worrying trend of increasingly frequent attacks, with numerous incidents surpassing 1 Tbps, a scale becoming almost daily in 2024. Investigations identified nearly 100,000 MikroTik devices exposed online with potential for exploitation, suggesting a vast attack surface for malicious actors. The most intense attacks, including the record-setting one, were conducted using advanced tactics that concentrated traffic through few Points of Presence, complicating mitigation efforts. OVHcloud has notified MikroTik about the vulnerabilities, though no response had been received at the time of reporting. The continuing vulnerability of many MikroTik devices, despite warnings to update their systems, underscores the persistent risk and potential for future large-scale DDoS attacks.
2024-07-03 16:46:20 bleepingcomputer CYBERCRIME Millions of Authy MFA Phone Numbers Exposed Through API Abuse
Hackers exploited an insecure API endpoint at Twilio, affecting millions of Authy users. A threat actor known as ShinyHunters leaked a CSV file with 33 million phone numbers linked to Authy accounts. Leaked data included account IDs, phone numbers, account status, and device count without accessing more sensitive data directly. The breach exposes users to increased risks of SMS phishing (smishing) and SIM swapping attacks. Twilio has since secured the API and updated Authy’s security features to prevent further unauthorized access. Users are urged to update their Authy app to the latest version and remain vigilant against potential phishing attempts. Twilio advises users to configure additional security protections to safeguard against unauthorized number transfers.
2024-07-03 16:25:43 theregister CYBERCRIME High-Severity Security Flaws Found in Traeger Grills
Security consultant Nick Cerne from Bishop Fox identified critical vulnerabilities in Traeger grills with Wi-Fi capabilities. The vulnerabilities could allow remote attackers to manipulate grill temperatures or shut a grill down entirely, potentially ruining long cooking processes. The primary vulnerability, with a high severity score of 7.1, revolves around insufficient authorization controls that could be exploited by knowing the grill's unique 48-bit identifier. Attackers could potentially obtain the identifier by capturing network traffic during app pairing or by physically accessing a QR code on the grill. Bishop Fox demonstrated the exploit by remotely shutting down a grill and drastically altering its temperature to burn food. A second, less critical vulnerability could expose details of all registered grills, though Traeger has since disabled this function. Traeger has already issued firmware updates to address these vulnerabilities, requiring no action from grill owners.
2024-07-03 15:54:33 bleepingcomputer CYBERCRIME Infostealer Malware Uncovers Network of Child Abuse Offenders
Recorded Future's Insikt Group used leaked malware logs to identify 3,324 individuals involved in downloading and distributing child sexual abuse material (CSAM). The group leveraged data from various malware-infected systems to link illicit CSAM site accounts to legitimate online platforms used by the suspects. The analyzed data included credentials, IP addresses, system information, and various other digital artifacts gathered via information-stealing malware. Techniques involved cross-referencing details obtained from the malware with those registered on known CSAM domains to pinpoint unique users. Information stealer logs facilitated the process, originating from command and control servers of malware like Redline, Raccoon, and Vidar. The comprehensive data collected from these malware operations was extensively used in law enforcement efforts, assisting in unmasking the identities of suspected offenders. Logs normally associated with cybercrime provided an unusual but effective means of contributing to law enforcement objectives, ultimately leading to several arrests.
2024-07-03 15:54:33 bleepingcomputer DATA BREACH FIA Reports Data Breach Following Phishing Attack on Email
The Fédération Internationale de l'Automobile (FIA) experienced a data breach due to a phishing attack that compromised several email accounts. Personal data was accessed without authorization from two specific FIA email accounts. The FIA reported the breach to the Swiss and French data protection regulators and has taken measures to enhance security and prevent future incidents. The breach's extent, including the number of affected individuals and the specific data compromised, has not yet been disclosed. FIA has expressed regret over the incident and reassures its commitment to stringent data protection and security practices in response to evolving cyber threats.
2024-07-03 14:47:52 bleepingcomputer CYBERCRIME Europol Dismantles 593 Cobalt Strike Servers in Global Operation
Europol's Operation Morpheus led to the takedown of 593 Cobalt Strike servers during a coordinated effort from June 24 to June 28. The operation targeted outdated, unlicensed versions of Cobalt Strike, a tool initially intended for legitimate cybersecurity testing but repurposed by criminal groups. A total of 690 IP addresses related to criminal activities were identified across 27 countries, significantly disrupting cybercriminal infrastructure. The collaborative action involved law enforcement from multiple countries, including the UK, USA, Australia, Canada, Germany, Poland, and the Netherlands, along with support from private industry experts such as BAE Systems Digital Intelligence and The Shadowserver Foundation. The crackdown was part of a broader, three-year-long investigation that yielded over 730 pieces of threat intelligence and nearly 1.2 million indicators of compromise. Europol's European Cybercrime Centre (EC3) facilitated over 40 coordination meetings and established a virtual command post to synchronize the international law enforcement efforts. Cobalt Strike is widely used in ransomware attacks and cyberespionage, with various hacking groups and state-backed actors exploiting cracked versions of the software.
2024-07-03 11:03:17 thehackernews MISCELLANEOUS AI-Driven Breakthroughs Transform Open-Source Intelligence Gathering
The Office of the Director of National Intelligence (ODNI) has promoted open-source intelligence (OSINT) as the "INT of first resort," recognizing its rising importance. Open-source intelligence entails collecting and analyzing data from publicly accessible sources like the media, social platforms, and government reports, excluding covert methods. Traditional OSINT techniques are becoming insufficient due to the vast amount of digital data being generated, creating challenges in processing and analysis. Artificial Intelligence (AI) and Machine Learning (ML) technologies are significantly enhancing the efficiency of OSINT by automating data collection and analysis processes. Implementing AI in OSINT allows analysts to focus on higher-level tasks, thereby improving productivity and job satisfaction. SANS Network Security provides practical courses on OSINT utilizing AI, illustrating both the enhanced capabilities and practical application of this technology in intelligence gathering. The article underscores the dynamic and evolving nature of OSINT, highlighting ongoing advancements and educational opportunities within the field.
2024-07-03 10:02:01 bleepingcomputer MISCELLANEOUS Proton Introduces Secure Google Docs Alternative with Privacy Focus
Proton, a Swiss-based company known for its robust privacy services, has rolled out 'Docs in Proton Drive', a free open-source document editing tool. This new tool offers end-to-end encryption, aiming to provide a secure alternative to mainstream platforms like Google Docs. The launch aligns with Proton's transition to a non-profit status, emphasizing its commitment to privacy over profitability. The development of Proton Docs was expedited by the recent acquisition of the encrypted notes app, 'Standard Notes'. Major features of Proton Docs include integration within the Proton ecosystem and secure collaboration, requiring collaborators to have a Proton account. Proton's approach addresses growing concerns about privacy violations and data mishandling by larger tech corporations. According to Anant Vijay Singh, Product Lead for Proton Drive, Proton Docs simplifies secure and private document collaboration without burdening users.
2024-07-03 09:56:40 thehackernews MALWARE Exploitation of Microsoft MSHTML Flaw Delivers MerkSpy Spyware
An unknown group has exploited the CVE-2021-40444 flaw in Microsoft MSHTML to distribute MerkSpy spyware, targeting entities in Canada, India, Poland, and the U.S. The attack begins with a compromised Microsoft Word document, seemingly a job description, which triggers the exploit and subsequent malicious activities without user interaction. The spyware, termed MerkSpy, is designed to stealthily monitor user activities, collect sensitive data, and ensure its persistence on infected systems. A sequence involving the download of a malicious HTML file ("olerender.html") leads to the execution of a shellcode that facilitates the downloading and activation of further payloads from a remote server. The shellcode downloads a deceptively named "GoogleUpdate" file which injects MerkSpy into system memory, evading detection and establishing system persistence via Windows Registry modifications. MerkSpy's capabilities include capturing screenshots, keystrokes, and login credentials, particularly from Google Chrome and the MetaMask browser extension, sending collected data to an external server. This incident highlights severe threats posed by exploiting a previously known and patched security vulnerability in widely used software.
2024-07-03 07:08:20 thehackernews MALWARE FakeBat Loader Malware Expands Global Presence Through Advanced Tactics
The FakeBat loader malware, also known as EugenLoader and PaykLoader, is extensively distributed through drive-by download attacks facilitated by deceptive techniques like SEO poisoning and malvertising. A Russian-speaking threat actor offers FakeBat as a Loader-as-a-Service (LaaS) on underground forums, with it seeing significant adoption due to its ability to mimic legitimate software installers. Recent updates to FakeBat include switching to the MSIX packaging format and adding digital signatures to bypass Microsoft SmartScreen, enhancing its evasion capabilities. Pricing for FakeBat varies depending on the service package, costing up to $5,000 per month for advanced options including combined MSI and signature packages. Sekoia's analysis identified that the FakeBat campaign uses social engineering, fake software updates, and malicious advertisements to distribute the malware effectively. Command-and-control servers for FakeBat likely use sophisticated filtering based on user-agent data, IP, and location to target specific victims. The loader is primarily used to download and execute secondary payloads like IcedID, Lumma, and RedLine, among others, signifying its role in broader cybercrime campaigns. Other similar malware campaigns include DBatLoader and Hijack Loader, also leveraging deceptive tactics to deliver various payloads, emphasizing a trend in the complexity and sophistication of malware distribution strategies.
2024-07-03 04:00:05 thehackernews NATION STATE ACTIVITY Sophisticated Cyberattacks Target Israeli Entities Using Open-Source Malware
A highly targeted cyberattack campaign has been discovered against various Israeli entities using the Donut and Sliver frameworks. Attackers leveraged custom WordPress sites for payload delivery, hitting a diverse range of unrelated sectors. The initial attack stage involves a rudimentary downloader written in Nim, which fetches further malicious payloads from a specially crafted virtual hard disk (VHD) file. The second-stage payload deploys Sliver, an alternative to Cobalt Strike, using Donut, a shellcode generation tool. The campaign may have simulated a penetration test, raising concerns about transparency and the impersonation of official Israeli bodies. Additional threats include multi-stage trojans distributed through corrupted Excel files, utilizing Dropbox and Google Docs for payload updates. These incidents highlight the ongoing risks and the advanced nature of the cyber threats facing governmental and other critical entities.
2024-07-03 03:34:18 thehackernews MALWARE South Korean ERP Vendor Compromised to Deliver Xctdoor Malware
An unnamed South Korean ERP vendor's update server was hacked and used to distribute the Go-based backdoor Xctdoor. AhnLab Security Intelligence Center discovered the breach in May 2024, noting tactics similar to those of North Korea's Lazarus Group. The malware, found in a tampered executable, harvests keystrokes, screenshots, and clipboard data. Xctdoor communicates with its C2 servers over HTTP, with packet encryption based on the Mersenne Twister and Base64 algorithms. The attack also involved XcLoader, which injects Xctdoor into legitimate processes to evade detection. Related malware activity linked to North Korean groups was observed, including the HappyDoor backdoor in use since July 2021. The findings highlight ongoing cyber espionage efforts targeting South Korean entities, with email phishing as a common attack vector.
2024-07-02 18:09:31 bleepingcomputer MISCELLANEOUS Google Announces $250K Bounty for KVM Hypervisor Zero-Days
Google has introduced kvmCTF, a new vulnerability reward program emphasizing security improvements in the Kernel-based Virtual Machine (KVM) hypervisor, with rewards of up to $250,000 for uncovering zero-day vulnerabilities. The initiative, first announced in October 2023, is designed to develop robust security safeguards, particularly for the systems powering Android and Google Cloud, where KVM plays a critical role. The focus of kvmCTF is on VM-reachable bugs that enable successful guest-to-host attacks; other vulnerabilities, such as those in QEMU or host-to-KVM bugs, will not qualify for rewards. Participants in kvmCTF will operate within a controlled Google Bare Metal Solution (BMS) environment, which is set up to facilitate and secure the testing process. Unlike other programs, kvmCTF specifically targets zero-day vulnerabilities, providing high rewards for newly discovered and previously unreported flaws rather than known issues. Successful exploits leading to guest-to-host breaches will be rewarded based on severity, with a structured reward tier system guiding the potential bounty amounts. Submitted zero-day flaws will be shared with the open-source community only after the relevant patches have been released, ensuring responsible vulnerability disclosure and enhancing overall community security.