Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-09-02 16:10:15 | bleepingcomputer | DATA BREACH | Verkada Ordered to Pay $2.95M for Security Negligence | The FTC has imposed a $2.95 million penalty on Verkada for failing to secure its internet-connected security cameras, enabling unauthorized live feed access.
Hackers accessed 150,000 camera feeds, divulging sensitive footage from locations like health clinics, prisons, and schools.
Verkada falsely assured customers of robust security measures and compliance with major privacy standards which were not actually in place.
Beyond the camera breach, Verkada faced a DoS attack in 2020 due to unpatched legacy firmware, revealing prolonged security oversight.
The settlement mandates Verkada to establish a comprehensive security program, undergo regular assessments, and ensure truthful marketing regarding its security practices.
Verkada is required to report future cybersecurity incidents to the FTC within 10 days of notifying other U.S. government bodies.
The company must also incorporate an opt-out mechanism in its marketing emails, adhering to the CAN-SPAM Act. | Details |
| 2024-09-02 15:44:15 | bleepingcomputer | MALWARE | New Cicada Ransomware Targets VMware, Mimics Cicada 3301 | A new ransomware named Cicada3301, unaffiliated with the legitimate Cicada 3301, has emerged targeting VMware ESXi servers, employing tactics like data theft followed by encryption for extortion.
Cicada3301 began operations by June 2024, initially operating solo before seeking affiliates through the RAMP cybercrime forum.
The operation draws significant tactical and technical parallels with the defunct ALPHV/BlackCat group, suggesting possible rebranding or continuation by former ALPHV members.
Cicada3301 exploits a double-extortion model, threatening to leak stolen data unless ransoms are paid and has already listed 19 victims on its extortion site.
The ransomware utilizes the Brutus botnet for initial breaches, which had previously targeted notable VPN providers globally.
The Cicada3301 malware, particularly its Linux/VMware encryptor, is designed to maximize operational disruption by targeting specific file extensions and interfering with virtual machine operations.
Security analyses indicate the use of sophisticated encryption methods and possible evasion tactics to delay detection and maximize impact on affected organizations. | Details |
| 2024-09-02 15:38:48 | bleepingcomputer | DATA BREACH | CBIZ Reports Data Breach Affecting Thousands of Customers | CBIZ Benefits & Insurance Services disclosed a data breach involving unauthorized access to customer data from specific databases.
The breach occurred between June 2 and June 21, after attackers exploited a webpage vulnerability.
Unauthorized access was first detected on June 24, leading to an immediate investigation with cybersecurity experts.
Personal information of approximately 36,000 individuals was compromised during the breach.
CBIZ has initiated contact with affected clients from August 28, providing them with options for credit monitoring and identity theft protection for two years.
The company has found no evidence that the data has been misused since the breach.
Clients are also advised to take additional security measures like placing a credit freeze and adding fraud alerts to their credit reports.
CBIZ is a prominent professional services firm in the U.S., with substantial business in consulting, accounting, insurance, and human resources services. | Details |
| 2024-09-02 13:36:00 | thehackernews | CYBERCRIME | RansomHub Ransomware Escalates Attacks Across Global Critical Sectors | The RansomHub ransomware group has targeted 210 organizations in critical infrastructure sectors across various regions since February 2024.
Originating from older ransomware variants Cyclops and Knight, RansomHub now operates as a Ransomware-as-a-Service (RaaS), drawing affiliates from other notorious groups like LockBit and ALPHV.
Attack analysis shows an increasing proportion of all ransomware incidents attributed to RansomHub, with significant growth observed each quarter in 2024.
Approximately 34% of RansomHub's attacks have been against European entities, employing aggressive tactics such as double extortion by both encrypting data and threatening to release it unless a ransom is paid.
Common initial access methods include exploiting vulnerabilities in widely used systems such as Apache ActiveMQ, Atlassian Confluence, and several others, followed by extensive internal reconnaissance and lateral network movements.
Affiliates disable antivirus software and utilize advanced tools like Cobalt Strike and Metasploit for operations, escalating privileges to manipulate network systems further.
Initial access and data exfiltration techniques involve using a mix of proprietary and open-source software, highlighting a sophisticated approach to bypass security measures.
The broader ransomware landscape continues to evolve with practices like triple and quadruple extortion tactics, significantly impacting victim organizations' operations and reputation. | Details |
| 2024-09-02 08:59:03 | thehackernews | MISCELLANEOUS | Enhancing Cybersecurity Strategies with AI-Driven Vulnerability Management | The cybersecurity landscape continually evolves with daily emerging vulnerabilities.
The sophistication of cyber attackers is increasing, demanding advanced defensive strategies.
Artificial Intelligence (AI) plays a transformative role in enhancing vulnerability management.
AI-powered tools enable proactive security measures and efficient threat identification.
This webinar focuses on leveraging AI to empower security teams and promote a security-first culture within organizations.
Attendees will learn how to integrate developers into the security process, enhancing overall security advocacy.
The session promises valuable insights into transforming traditional vulnerability management approaches through AI.
The upcoming AI revolution in cybersecurity presents both a challenge and an opportunity for security leaders. | Details |
| 2024-09-02 07:06:14 | thehackernews | CYBERCRIME | Urgent Call for Next-Generation MFA to Combat Ransomware | The FBI and CISA have issued a joint advisory highlighting the rising threat of ransomware and the emergence of new, sophisticated cybercriminal groups.
Cybercriminals are increasingly using generative AI to enhance phishing and ransomware attacks against large organizations, targeting everyday users as primary victims.
Latest advisories stress the urgent necessity for organizations to adopt phishing-resistant multifactor authentication (MFA) and to update their cyber defense protocols.
CISOs from major U.S. firms, interviewed by Datos Insights, pinpoint user vulnerability due to sophisticated attack vectors as their top security challenge.
The report argues for a strategic overhaul in security measures, advocating for hardware-based, biometric MFA solutions that comply with FIDO standards.
There is a significant shift toward ransomware-as-a-service (RaaS) and AI-driven tools on the dark web, making these attacks more accessible to those with minimal technical skills.
Recommendations for organizations include targeted deployment of next-gen MFA for high-risk roles and an organizational emphasis on upgrading cybersecurity infrastructure.
Overall, the adoption of advanced, phishing-resistant MFA technologies is crucial to mitigate the effectiveness of phishing and ransomware attacks, substantially reducing potential losses. | Details |
| 2024-09-02 03:39:34 | thehackernews | MALWARE | Malicious npm Packages Target Roblox Developers with Malware | Several fake npm packages mimicking 'noblox.js' are designed to compromise the systems of Roblox developers by installing malware.
Checkmarx and ReversingLabs have documented a campaign employing these malicious packages to deliver a stealer known as Luna Token Grabber and Quasar RAT.
The fake packages use deceptive tactics such as brandjacking and combosquatting to appear legitimate, enhancing their chances of being downloaded.
Once installed, the malware can steal Discord tokens, bypass Microsoft Defender Antivirus, and manipulate Windows Registry for persistence.
The malware ensures execution by hijacking the Windows Settings app, causing any attempt to access settings to trigger the malware.
The attackers gain remote control of the infected systems through the deployment of Quasar RAT.
Ongoing publication of these malicious packages indicates that developers need to remain vigilant despite efforts to take down harmful content. | Details |
| 2024-09-02 03:08:45 | theregister | CYBERCRIME | Phishing Campaign in China Deploys Novel Windows Attack | A new phishing campaign in China uses Cobalt Strike to target Chinese-speaking users, employing phishing emails to deliver payloads.
Attackers have utilized resources hosted on Tencent Cloud, signalling misuse of public cloud services by cybercriminals.
After initial contact via a phishing email containing a malicious Zip file, the attack exploits a DLL path traversal vulnerability using a renamed legitimate Windows file to sideload harmful DLLs.
The attack achieves persistent access and control over compromised systems by inserting malicious code into the Windows 'runonce.exe' process.
The technique includes advanced lateral movement across networks leveraging tools like remote desktop protocol and gathers sensitive data including Active Directory configurations and public IP addresses.
No direct evidence links this campaign to any known Advanced Persistent Threat (APT) groups, but the sophistication suggests a seasoned threat actor with considerable understanding of advanced exploitation frameworks.
The campaign, dubbed SLOW#TEMPEST by Securonix, showcases methodical initial compromise, persistence, privilege escalation, and lateral movement, indicating a highly organized and sophisticated approach. | Details |
| 2024-09-01 14:17:53 | bleepingcomputer | CYBERCRIME | Cicada3301 Ransomware Targets VMware, Linked to ALPHV Group | Cicada3301, a new ransomware-as-a-service (RaaS) operation, began operations in June 2024, targeting VMware ESXi systems and rapidly listing 19 companies as victims on its extortion portal.
The operation employs double-extortion tactics, stealing corporate data before encrypting networks and leveraging the threat of data exposure to demand ransoms.
Cicada3301 may have connections with the infamous ALPHV (formerly BlackCat) group, noted by similar tools and tactics, as well as potential collaborations with other malicious networks like the Brutus botnet.
The ransomware uses a sophisticated Linux encryptor tailored for VMware ESXi environments, capable of disrupting virtual operations and maximizing damage by deleting snapshots before encryption.
Truesec's analysis revealed that Cicada3301's encryptors share technical similarities with those used by ALPHV, suggesting a possible rebranding or evolution from the ALPHV team.
The group's quick propagation and advanced methodologies suggest an experienced team with significant capabilities in executing high-impact ransomware campaigns.
The Cicada3301 ransomware specifically targets files based on size and type, employing intermittent or full encryption to ensure effective lock-down of critical data. | Details |
| 2024-09-01 13:06:22 | bleepingcomputer | MALWARE | GitHub Comments Exploited to Distribute Lumma Stealer Malware | GitHub's platform was misused to disseminate Lumma Stealer malware through comments posing as project fixes.
Contributors first reported the deceptive comments in a Reddit post regarding the teloxide Rust library, leading to the discovery of over 29,000 similar comments across various projects.
The malware was distributed through password-protected archives on MediaFire, linked via comments, with passwords typically being "changeme."
Lumma Stealer, when executed, extracts sensitive data such as passwords and cookies from popular browsers and steals cryptocurrency wallet information.
The stolen data could be utilized for further attacks or sold on cybercrime marketplaces.
Despite GitHub's efforts to delete malicious comments, several users reported being compromised by the malware.
GitHub users are advised to change all their passwords and transfer any cryptocurrency to new wallets to mitigate risks. | Details |
| 2024-08-31 18:28:30 | theregister | MALWARE | New Mirai Botnet Targets Outdated IP Cameras and Other Devices | A new Mirai botnet variant is exploiting old vulnerabilities in discontinued AVTECH AVM1203 IP cameras, among other devices.
Akamai researchers have discovered this campaign actively exploiting a notable RCE vulnerability (CVE-2024-7029) since early 2024.
Additional vulnerabilities aiding the spread of this botnet include decade-old flaws in Realtek SDK and Huawei HG532 routers.
The botnet also relies on a proof of concept that has been publicly available since 2019, even though the flaw was not assigned a CVE at the time.
Texas Dow Employees Credit Union reported a data breach affecting over 500,000 customers due to the MOVEit compromise.
U.S. Secret Service offers a $2.5M reward for information leading to the arrest of Belarusian hacker Volodymyr Kadariya.
Backpage leaders sentenced to prison for their roles in facilitating prostitution and money laundering through the notorious website.
CISA has introduced a new incident reporting portal in preparation for mandatory cybersecurity incident disclosures by 2025. | Details |
| 2024-08-31 15:40:29 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Exploit Chrome Flaw for Cryptocurrency Theft | North Korean threat actors exploited a zero-day vulnerability in Google Chrome’s V8 engine (CVE-2024-7971) to deliver the FudModule rootkit.
Microsoft identified the group behind the attack as Citrine Sleet, part of the Lazarus Group, focusing on financial gain, particularly in the cryptocurrency sector.
The attackers set up fake cryptocurrency trading platforms as part of their strategy to deploy weaponized applications.
The exploit used involves multiple components including CVE-2024-38106, a recently patched Windows kernel bug, highlighting the complexity of the attack chain.
The attack was spotted and reported by Microsoft on August 19, 2024, after it had exploited security flaws that were already patched.
The ongoing use of zero-day exploits by this group indicates their persistent capability and the potential for significant cybersecurity threats.
The exact scale and impact of the attacks are still unclear, highlighting the challenges in tracking such sophisticated espionage activities. | Details |
| 2024-08-31 15:25:01 | bleepingcomputer | MALWARE | GitHub Malware Scam Distributes Lumma Stealer Via Fake Fixes | GitHub is being exploited by cybercriminals to disseminate the Lumma Stealer malware through comments disguised as solutions to user issues.
Over 29,000 deceptive comments were posted on various GitHub projects within a three-day period, directing users to download malware-ridden files.
The malware campaign instructs users to download a “fix.zip” file from external links, which contains dangerous executable files.
Lumma Stealer, the malware being distributed, is capable of extracting sensitive data from browsers, including passwords, cookies, and credit card information, as well as cryptocurrency wallets and keys.
The malware collects stolen data into an archive which is then sent back to the attackers, potentially for use in further crimes or for sale on the dark web.
GitHub staff has been actively deleting malicious comments, but not before numerous users have reportedly fallen victim to the scheme.
Affected individuals are advised to change all their passwords and move funds from compromised cryptocurrency wallets to secure their accounts and finances.
The incident highlights a growing trend of using trusted platforms like GitHub for malicious campaigns by cybercriminals. | Details |
| 2024-08-31 14:18:40 | bleepingcomputer | MISCELLANEOUS | Apple Issues DMCA Takedown on Popular Docker-OSX Project | Apple filed a DMCA takedown against the Docker-OSX project for copyright infringement, leading to its removal from Docker Hub.
Docker-OSX, an open-source initiative, allowed macOS virtualization on non-Apple hardware and was used widely among security researchers.
The project had significant engagement, with 750,000 downloads on Docker Hub and 40,000 stars on GitHub.
Users began reporting errors when attempting to access the macOS images, later confirmed by Docker to be a result of Apple’s legal action.
Apple's EULA prohibits running macOS on non-Apple branded hardware, which underpins its legal position despite the open-source nature of Docker-OSX.
Creator Sick.Codes expressed concerns over the impact of the takedown on security research and the contradiction in Apple’s stance on security testing.
While the Docker-OSX repository on GitHub remains active, it does not contain macOS installer images, which limits potential legal issues from similar takedown requests.
Apple and Docker had not responded to press inquiries at the time of publication. | Details |
| 2024-08-30 23:59:24 | theregister | CYBERCRIME | RansomHub Recruits Top Talent, Targets 210 Victims in Six Months | RansomHub, a rising ransomware group, has claimed 210 victims since its inception in February, leveraging expertise from former major ransomware outfits like LockBit and ALPHV.
Security agencies, including CISA, the FBI, HHS, and MS-ISAC, have issued an advisory highlighting the tactics, techniques, and procedures (TTPs) used by RansomHub.
The group is known for exploiting vulnerabilities, notably CVE-2017-0144 and 2020's ZeroLogon, alongside popular tools like Mimikatz, Cobalt Strike, and Metasploit for their operations.
RansomHub's wide targeting spectrum includes critical infrastructure and emergency services, emphasizing the indiscriminate nature of its attacks.
Mitigation strategies suggested in the advisory stress the basics of cybersecurity such as system updates, network segmentation, strong passwords, and the implementation of multi-factor authentication (MFA).
The advisory also promotes the 'Secure By Design' initiative, urging software manufacturers to enhance default security to prevent exploitation.
Despite stiff competition from other ransomware groups, RansomHub is becoming a preferred option among elite cybercriminal groups due to its effective strategy and high-profile affiliations. | Details |