Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-06-25 10:02:37 | bleepingcomputer | MALWARE | P2PInfect Botnet Activates Ransomware on Redis Servers | P2PInfect, a previously dormant malware botnet, has started deploying a ransomware module and a cryptominer targeting Redis servers. Initially discovered in July 2023, P2PInfect leveraged known vulnerabilities in Redis servers and used features such as Redis replication for propagation. Between August and September 2023, the botnet's activity surged, attempting thousands of breaches weekly while introducing features such as cron-based persistence and fallback communication systems. As of May 16, 2024, infected devices began downloading and executing a ransomware payload that targets files with specific extensions and appends '.encrypted' to them. The ransomware, however, is limited by the privileges of the compromised Redis user and primarily encrypts configuration files, as Redis is typically deployed in memory. Alongside the ransomware, a Monero (XMR) miner that was inactive in previous versions was activated, generating approximately $10,000. A new user-mode rootkit was also identified, designed to conceal malicious operations from security tools, though its effectiveness is constrained by the Redis deployment. Cado Security suggests that P2PInfect could either be rented out to various cybercriminals or operated by a single group, with its operational goals and ownership remaining somewhat ambiguous. |
| 2024-06-25 09:47:02 | thehackernews | MISCELLANEOUS | Browser Security Platforms Reduce Costs and Increase Protection | Browser security solutions are emerging as a cost-effective method to protect against web-related threats where traditional network and endpoint security fall short. Such platforms specialize in combating threats from phishing websites, malicious browser extensions, and internal data leaks, such as sensitive information being shared in the wrong place. A new report details testimonials from six Chief Information Security Officers (CISOs) who have switched to browser security platforms, resulting in reduced operational costs and increased efficiency. Transitioning from CASB and agent-based DLP solutions to lighter, more agile browser security frameworks like LayerX has significantly decreased Total Cost of Ownership (TCO) and improved granular data protection. CISOs benefit from easier management of browser security, such as keeping browser versions up to date and protecting against harmful extensions on both managed and unmanaged devices. Some organizations have shifted from traditional training to real-time notifications in the browser using solutions like LayerX, which has proven effective in mitigating risky online behaviors. The report emphasizes the continuous need for discovering, prioritizing, and mitigating new exposures through advanced security methods such as Attack Surface Management (ASM), penetration testing, and Red Teaming. |
| 2024-06-25 09:16:15 | theregister | CYBERCRIME | Advanced Ransomware Protection with Object First and Veeam | 79% of companies experienced ransomware attacks in the past year, with attacks becoming almost daily occurrences for some organizations. Attackers are increasingly targeting backup data and systems to cripple recovery processes, with 93% of last year's cyber attacks aimed at backup storage. Object First and Veeam collaborate to offer zero-trust-based, immutable backup solutions dubbed Zero Trust Data Resilience (ZTDR), which protects data even if systems are compromised. The immutable storage, using the S3 Object Lock protocol, prevents data from being altered or deleted, securing it against ransomware and physical tampering. Veeam provides end-to-end encryption for data in all aspects of the 3-2-1 backup strategy, ensuring data is safeguarded against exfiltration even if accessed by unauthorized parties. Businesses express high concern over backup systems becoming targets; nearly 90% of surveyed organizations are worried about their backup integrity. The Object First Ootbi technology combines scalability, ease of management, and advanced security measures suitable for companies of varying sizes and needs. |
| 2024-06-25 09:05:53 | theregister | MISCELLANEOUS | Cloudflare and The Register Host Cybersecurity Webinar | The "Why attack surfaces are expanding" webinar is scheduled for June 25th, hosted by Cloudflare and The Register. The session aims to address the increasing issues related to cyber threats as attack surfaces expand. Attendees will gain insights into the latest trends affecting cybersecurity vulnerabilities. The webinar will provide actionable strategies for organizations to enhance their network security. Experts from Cloudflare will share their extensive knowledge and real-world case studies. The event emphasizes equipping attendees with practical skills to address modern cybersecurity challenges. Secure your participation by registering for the webinar to learn from top cybersecurity experts. |
| 2024-06-25 05:06:32 | thehackernews | NATION STATE ACTIVITY | Julian Assange Freed, Ends Long Legal Battle with U.S. | WikiLeaks founder Julian Assange has been released after over five years in a U.K. high-security prison, concluding a 14-year legal fight. Assange pleaded guilty to conspiring to obtain and disclose U.S. national defense documents and was sentenced to time already served. The plea agreement involved negotiations spanning numerous global figures and organizations, influenced by widespread campaigns for his release. His legal issues extended to accusations in Sweden, including rape and sexual assault, which he has denied. The U.S. Department of Justice highlighted the grave risks posed by Assange's disclosures, which allegedly aided U.S. adversaries and endangered lives. WikiLeaks, since its inception in 2006, has published significant volumes of sensitive data, impacting international relations and national security. Assange is set to return to Australia, continuing to face legal and diplomatic repercussions from his actions. |
| 2024-06-25 04:00:11 | thehackernews | CYBERCRIME | Four Vietnamese Hackers Indicted for $71M Cybercrime in the U.S. | Four Vietnamese nationals linked to the FIN9 cybercrime group were indicted in the U.S. for orchestrating a $71 million cybercrime spree. The accused conducted phishing campaigns and supply chain compromises to access and steal sensitive information from U.S. companies. They extracted non-public information, employee benefits, gift card data, and credit card details, causing extensive financial and information losses. Using stolen data, they engaged in further illegal activities such as opening cryptocurrency accounts and setting up servers to hide their tracks. The defendants sold stolen gift cards via cryptocurrency marketplaces under fraudulent identities to launder the proceeds. If convicted, the accused face up to 45 years in prison, with additional charges of money laundering and identity fraud enhancing potential sentences. The case reflects growing concerns about sophisticated global cybercrime impacting critical infrastructure and private security. |
| 2024-06-25 03:34:33 | thehackernews | MALWARE | Hackers Insert Malware in WordPress Plugins to Create Admin Accounts | Multiple WordPress plugins were backdoored, allowing attackers to inject malicious code. The malware enables creation of rogue administrator accounts named "Options" and "PluginAuth." Malicious code also injects JavaScript into the website footer to distribute SEO spam. Compromised account details are sent to an attacker-controlled IP address, 94.156.79[.]8. The attack was first noticed on June 21, 2024, and the affected plugins have since been removed from the WordPress directory. WordPress site owners are urged to check for unauthorized admin accounts and eliminate any related malicious code. The exact method by which the plugins were compromised remains unknown. |
| 2024-06-25 00:26:29 | theregister | MISCELLANEOUS | Julian Assange Freed, Set to Plead Guilty and Return Home | WikiLeaks founder Julian Assange has been released from a UK prison after agreeing to plead guilty to U.S. charges. Assange was previously held for five years in the UK, awaiting extradition for leaking classified documents. He has left the UK from Stansted airport and is expected to plead guilty in a U.S. federal court located in the Northern Mariana Islands. This location was chosen to accommodate Assange's preferences and for its proximity to Australia, his native country. Following his court appearance, Assange is anticipated to be allowed to return to Australia, considering the time he has already served. The U.S. Department of Justice indicates that the court proceedings will be completed, and a sentence handed down, in a single day. |
| 2024-06-25 00:05:58 | theregister | MISCELLANEOUS | Proposed U.S. Privacy Law Weakened, Lacks Crucial Protections | The American Privacy Rights Act (APRA) was intended to establish a nationwide privacy standard but has been significantly weakened by recent legislative amendments. Major concerns include the removal of anti-discrimination measures, transparency in AI usage, and protections for minors. Legal advocacy groups, including the Lawyers' Committee for Civil Rights Under Law, now urge lawmakers to vote against the revised APRA, pointing out the lack of comprehensive privacy safeguards. Critics argue that the revised APRA fails to cover personal data handled by on-device AI technologies, potentially giving tech companies excessive freedom. The new version of the bill is argued to be weaker than existing state privacy laws and could preempt more robust state-level protections. Several privacy and civil rights organizations expressed their inability to support the APRA in its current form due to its deficiencies in foundational civil rights and privacy protections. |
| 2024-06-24 20:57:32 | bleepingcomputer | DATA BREACH | CISA Confirms Data Breach in Chemical Security Assessment Tool | CISA's Chemical Security Assessment Tool (CSAT) was breached on January 23, 2024, after a webshell was deployed on its Ivanti device. CSAT is used by facilities to report possession and safety assessments of chemicals potentially usable in terrorism, determining whether they are high-risk facilities. The breach potentially exposed sensitive data including Top-Screen surveys, Security Vulnerability Assessments, and Site Security Plans. No evidence of data exfiltration was found, and, in any case, all information in the CSAT environment is encrypted with AES-256. The vulnerabilities that allowed the breach were CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, all exploited by threat actors promptly after disclosure. Despite no evidence of data theft, CISA has notified all potentially impacted individuals and organizations as a precautionary measure and advised CSAT account holders to reset their passwords. The incident was significant enough to meet the threshold of a major incident under the Federal Information Security Modernization Act (FISMA). |
| 2024-06-24 20:36:54 | theregister | CYBERCRIME | Critical Vulnerability Found in Ollama AI Server Affects Thousands | A critical vulnerability identified in Ollama, an open-source AI server, allows remote code execution. The issue, designated CVE-2024-37032 and named Probllama, was patched in the latest Ollama version, 0.1.34. Over 1,000 Ollama server instances remain exposed online, despite the availability of a patched version. The flaw was due to insufficient server-side validation in the REST API, enabling attackers to submit malicious HTTP requests. Attackers could exploit the vulnerability to corrupt files, read arbitrary files, or execute remote code, especially in Docker environments where Ollama runs with root privileges. Wiz Research recommends updating Ollama installations immediately and not exposing them to the internet without proper authentication measures. The rarity of authentication support in contemporary AI tools poses a significant security risk, emphasizing the need for robust security protocols even with modern software. |
| 2024-06-24 19:10:06 | bleepingcomputer | MALWARE | GrimResource Exploit Targets Unpatched Windows XSS Flaw | A novel attack method, named GrimResource, leverages MSC files and a longstanding, unpatched Windows XSS vulnerability to execute arbitrary code via Microsoft Management Console. The shift to MSC files for phishing attacks followed Microsoft's mitigations against macros in Office and security enhancements in the handling of ISO and ZIP files. Researchers from Elastic discovered this technique by analyzing a sample uploaded to VirusTotal as 'sccm-updater.msc', which was not detected by antivirus engines. The actual flaw exploited is a DOM-based XSS vulnerability in the 'apds.dll' library that has not been patched since it was reported in 2018. The deployment mechanism involves JavaScript handling within MMC, using a technique called DotNetToJScript, to execute .NET code and eventually deliver a Cobalt Strike payload. There has been no official response from Microsoft about whether this XSS flaw has been patched as of the latest updates to Windows 11. System administrators are urged to monitor for suspicious MSC file activity and apply defenses as outlined in Elastic Security's GitHub repository, which contains GrimResource indicators and YARA rules. |
| 2024-06-24 19:04:44 | bleepingcomputer | MALWARE | Novel GrimResource Attack Exploits MSC Files and Windows XSS Flaw | A new malware technique named GrimResource utilizes MSC files and an unpatched Windows XSS flaw for command execution. Attackers turned to MSC files following Microsoft's previous security enhancements on other file types, showcasing adaptive threat tactics. The GrimResource technique specifically abuses the 'apds.dll' cross-site scripting vulnerability, unaddressed since 2018, to execute JavaScript via Microsoft Management Console. A recent malicious file using this technique was found on VirusTotal in June 2024, deploying the Cobalt Strike toolkit without being detected by antivirus software. Microsoft has not yet patched the XSS vulnerability in the latest Windows 11 version, as confirmed by recent investigations. The attack works by embedding malicious JavaScript in MSC files that, when executed, exploits the XSS flaw to run arbitrary .NET code through the DotNetToJScript technique. System administrators are alerted to watch for suspicious MSC activity and to implement detection tools provided by security researchers for proactive defense. |
| 2024-06-24 18:08:24 | theregister | CYBERCRIME | Major Cyber Incident Disrupts Operations at CDK, Affects US Car Dealers | CDK Global, a prominent software provider for nearly 15,000 U.S. car dealerships, suffered a significant cyber incident, disrupting the systems dealers use to manage sales, accounting, and inventory. The incident led multiple companies to file Form 8-Ks with the SEC, signifying major disruptions and activating their incident response protocols. Affected dealerships experienced disruptions, with some resorting to manual operations; the impact varied, with some reporting substantial disruptions, particularly affecting sales in North America. Recovery timelines are uncertain, with CDK suggesting a restoration timeframe of days rather than weeks amid ongoing recovery efforts. Rumors indicate CDK may pay a ransom to an Eastern European cybercrime gang, with the demanded amount possibly reaching tens of millions of dollars. The situation remains dynamic, with CDK partnering with third-party experts to mitigate the impact and restore normal operations, keeping stakeholders informed through continuous updates. |
| 2024-06-24 17:37:35 | bleepingcomputer | CYBERCRIME | Four FIN9 Hackers Indicted for Multimillion-Dollar Cyber Heists | Four members of the cybercrime group FIN9, all Vietnamese nationals, have been federally indicted in the U.S. for orchestrating extensive cyberattacks that resulted in over $71 million in losses. The individuals conducted their criminal activities from May 2018 to October 2021, engaging in sophisticated phishing, malware attacks, and the exploitation of third-party network vulnerabilities. Their operations included targeting individuals within companies to steal credentials and accessing vendor systems critical to the victims' operations to facilitate network breaches. Once inside the networks, the hackers exfiltrated sensitive information such as financial details, employee data, and credit card information, which they monetized through crypto transactions and other means. Notably, in one incident, they infiltrated a company's employee benefits system to issue thousands of gift cards valued at about $1 million to email accounts they controlled. The potential legal consequences for the indicted individuals include several decades of imprisonment, with charges encompassing conspiracy to commit fraud, wire fraud, and identity theft, among others. The DOJ's investigation underscores the extensive measures taken by authorities to trace and prosecute cybercriminals, demonstrating that neither technological barriers nor international borders effectively shield perpetrators from U.S. legal action. |