Daily Brief

Generated summaries of the articles found below.
2024-06-23 10:39:26 theregister MALWARE Study Highlights High Risk of Malicious Extensions in Chrome Store
A recent study suggests the prevalence of Security-Noteworthy Extensions (SNEs) in the Chrome Web Store is much higher than Google's reported figures. Researchers identified SNEs as extensions that contain malware, violate store policies, or have vulnerable code, posing significant security threats to users. Over 346 million installations of SNEs were recorded in the past three years, with millions potentially exposed to malware and policy violations. The Chrome Web Store struggles with long-lasting malicious extensions; some remained available for years, with the longest-surviving malicious extension available for 8.5 years. User reviews were found ineffective in identifying malicious or vulnerable extensions, indicating a need for more robust vetting processes by Google. The study calls for better incentives for developers to update and secure extensions, noting that many do not undergo updates, missing crucial security enhancements. Researchers also recommended monitoring for code similarities among extensions to detect vulnerabilities shared across multiple utilities. Although Google has initiated some improvements, including the transition from Manifest V2 to Manifest V3 to enhance security, researchers and users urge more rapid advancements in safety measures.
2024-06-22 19:12:21 bleepingcomputer RANSOMWARE CDK Global Faces Ransomware Crisis, BlackSuit Ransomware Implicated
CDK Global, a major SaaS provider for car dealerships, suffered a significant IT outage due to a ransomware attack by the BlackSuit gang. The disruption forced CDK Global to shut down their IT systems, affecting car sales and service operations across North America. Major car dealership corporations such as Penske Automotive Group and Sonic Automotive were also impacted, resorting to manual operations due to the system outages. CDK Global is actively negotiating with the BlackSuit ransomware gang to obtain a decryptor and prevent the leak of stolen data. The BlackSuit ransomware, believed to be a continuation of the Royal ransomware operation linked to the Conti cybercrime syndicate, started its activities under this new name in 2023. Both the FBI and CISA have issued warnings about the BlackSuit/Royal ransomware, highlighting its attacks on over 350 organizations and accruing over $275 million in ransom demands since 2022.
2024-06-22 14:22:15 bleepingcomputer MALWARE Ratel RAT Malware Targets Outdated Android Systems for Ransom
Ratel RAT, an open-source Android malware, primarily attacks outdated Android devices, demanding ransoms via a Telegram module. Over 120 campaigns deploying Ratel RAT have been identified, with significant activity traced back to Iran, Pakistan, and known groups like APT-C-35. The malware has successfully infiltrated high-profile targets, including government and military organisations predominantly in the US, China, and Indonesia. Victims predominantly use Android 11 or older versions, which represent 87.5% of cases, making them vulnerable due to a lack of security updates. Malicious APKs masquerading as legitimate apps from brands like Instagram and WhatsApp are the primary method of spreading Ratel RAT. The malware gains extensive permissions during installation, allowing it to run persistently in the background and execute various malicious activities. Key commands include ransomware execution, where the malware can encrypt files, change lock screens, and even control device functions if admin rights are obtained. Protection recommendations include avoiding untrusted APK downloads, refraining from clicking suspicious links, and using Play Protect for app scans.
2024-06-22 11:34:05 thehackernews CYBERCRIME ExCobalt Cyber Gang Deploys New Backdoor in Russian Sectors
ExCobalt, a cybercrime group, has been actively targeting Russian organizations using a novel Golang-based backdoor named GoRed. Originating from the remnants of the infamous Cobalt Gang, ExCobalt engages primarily in cyber espionage activities and has been operational since at least 2016. The attack strategy focuses on multiple sectors including government, IT, metallurgy, mining, software development, and telecommunications. Initial infiltration often leverages a compromised contractor or a supply chain attack, where malware-infected components are embedded in legitimate software. ExCobalt employs a variety of tools for executing commands and extracting sensitive information, utilizing exploits for Linux privilege escalation and other sophisticated techniques. GoRed facilitates remote execution, credential access, and data harvesting, communicating via the RPC protocol with its command-and-control server. The cyber gang has demonstrated continuous development and refinement of their tools and tactics to evade detection and adapt to enhanced security measures.
2024-06-22 11:08:23 thehackernews MALWARE New Adware AdsExhaust Targets Users via Bogus Meta Quest App
A new adware campaign misleads users into downloading a malicious Meta Quest app clone, infecting devices with AdsExhaust adware. AdsExhaust is capable of capturing screenshots, simulating keystrokes, and interacting with browsers to generate ad revenue through fraudulent clicks and redirects. The infection starts from a website shown in Google search results due to SEO poisoning, which prompts the download of a malicious ZIP file that installs the adware. Once installed, AdsExhaust performs actions when Microsoft Edge is idle, including opening new tabs, clicking on ads, and navigating to specific URLs. It employs various techniques to remain stealthy, such as creating overlays to conceal its actions, detecting user interaction in order to close browsers, and specifically targeting ads labeled "Sponsored". Additionally, it can fetch keywords from a server and use them to perform Google searches to inflate ad interactions further. Related malware threats and tactics are emerging, such as Hijack Loader leading to Vidar Stealer infections, highlighting the increased sophistication and prevalence of cyber threats.
2024-06-22 08:20:35 theregister NATION STATE ACTIVITY US Government Enforces Ban on Kaspersky Lab Products
The US government has issued a ban on the sale of Kaspersky Lab products in America starting late July. From October, Kaspersky will also be prohibited from issuing updates and malware signatures. Top executives at Kaspersky Lab, except CEO Eugene Kaspersky, have been sanctioned by the US. The sanctions and product bans are part of escalating cybersecurity concerns involving the Russian-based company. These developments were discussed by cybersecurity experts and journalists in a recent video and podcast session. The session included various viewpoints on the implications of the ban and its potential impacts on cybersecurity practices. Kaspersky Lab has faced scrutiny due to allegations of ties with Russian national interests, influencing these US government decisions.
2024-06-22 06:02:42 thehackernews NATION STATE ACTIVITY U.S. Imposes Sanctions on Kaspersky Executives, Cites Security
The U.S. Treasury's Office of Foreign Assets Control (OFAC) has sanctioned 12 executives from Kaspersky Lab following a recent Commerce Department ban. These sanctions are part of efforts to protect the integrity of the U.S. cyber domain and guard against malicious cyber threats. Sanctioned individuals are from the executive and senior leadership teams but do not include Kaspersky Lab as a whole or its CEO, Eugene Kaspersky. The Commerce Department previously announced that Kaspersky software and related services are banned in the U.S., citing national security risks. Kaspersky Lab is also added to the U.S. Entity List, further restricting its business operations within the United States. Russia criticizes the U.S. move as an attempt to suppress foreign competition in favor of American products. Kaspersky denies any affiliations with the Russian government, amidst ongoing cybersecurity concerns.
2024-06-21 21:39:07 theregister CYBERCRIME Change Healthcare Reports Extensive Medical Data Theft Impact
Change Healthcare has begun formal notifications to hospitals and pharmacies regarding a ransomware attack in February that resulted in the theft of patient data. The data breach could potentially affect a "substantial proportion" of the U.S. population, with stolen data including names, birth dates, phone numbers, and email addresses; however, full medical histories have not been confirmed as compromised. The healthcare provider continues to work on identifying all affected individuals but faces challenges due to incomplete address information, delaying the notification process to late July. The breach originated from compromised credentials used by ransomware criminals to access a Citrix-based management platform without multi-factor authentication. The attack led to significant operational disruptions, including delayed prescription fulfillments and medical services, with a recovery and system restoration process stretching over several weeks. Change Healthcare incurred costs nearing $1 billion due to the attack, and a ransom of $22 million was paid to the attackers to prevent further data leaks. This incident highlights the ongoing vulnerability of the healthcare sector to cyberattacks, with similar disruptive ransomware incidents occurring in other healthcare facilities globally.
2024-06-21 21:13:27 bleepingcomputer DATA BREACH LAUSD Student and Employee Data Stolen in Snowflake Hack
The Los Angeles Unified School District (LAUSD) confirmed a data breach involving stolen student and employee information from their Snowflake account. Data sold by the hacker "Sp1d3r" for $150,000 includes comprehensive details like student demographics, grades, financials, and parent information. Two threat actors were involved: "Sp1d3r" sold data stolen from Snowflake, while "Satanic" independently sold different LAUSD data. Hackers exploited accounts that lacked multi-factor authentication, accessing and downloading sensitive data, then attempting extortion. An investigation involving Snowflake, Mandiant, and CrowdStrike traced the breach to threat actor UNC5537 using stolen customer credentials. LAUSD, alongside the FBI and CISA, is still investigating the extent of the data compromise and working to secure their systems. The ongoing security incident highlights the critical need for robust data protection practices, including the implementation of multi-factor authentication.
2024-06-21 20:27:17 theregister NATION STATE ACTIVITY U.S. Sanctions Senior Kaspersky Executives, Excludes CEO
The U.S. has issued sanctions against 12 senior executives of Kaspersky Lab, excluding CEO Eugene Kaspersky. Sanctions prevent U.S. persons and businesses from engaging with the named individuals and put non-U.S. financial entities at risk of similar sanctions. The actions are part of broader measures, including product bans and the inclusion of Kaspersky operations in sanctioned lists, citing national security threats. The Treasury has not designated Kaspersky Lab itself or its CEO but targets individuals within the company's executive circle. The sanctions are in alignment with Executive Order 14024, which addresses operations in sectors critical to the Russian economy. Previous U.S. administration actions have also targeted Kaspersky products, barring them from U.S. government networks over concerns of potential Kremlin-backed espionage. The U.S. Treasury emphasized the commitment to protecting the integrity of the cyber domain and safeguarding U.S. citizens from cyber threats.
2024-06-21 17:33:57 bleepingcomputer NATION STATE ACTIVITY US Sanctions 12 Kaspersky Executives Amid Security Concerns
The US Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on twelve Kaspersky Lab executives linked to the Russian technology sector. These sanctions are part of broader measures taken by the Biden administration, which include a ban initiated in July on sales and software updates of Kaspersky antivirus products in the US. The Department of Commerce has added AO Kaspersky Lab, OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (UK) to the Entity List, effectively barring US firms from transacting with these entities. The sanctions are in accordance with Executive Order 14024, targeting individuals operating within significant sectors of the Russian economy, including technology and defense. The specific individuals targeted hold leadership roles at Kaspersky Lab and are being sanctioned without affecting the company’s CEO or its broader corporate structure. Sanctioned individuals have their assets in the US frozen and are barred from accessing them. BleepingComputer has reached out to Kaspersky for comment regarding the sanctions and potential further implications.
2024-06-21 16:32:28 theregister MALWARE New UEFI Vulnerability Threatens Intel Chips Security
Researchers have identified a new vulnerability in UEFI firmware, posing significant risks across various Intel chip families, including those since Kaby Lake in 2017. This vulnerability, documented as CVE-2024-0762 with a CVSSv3 score of 7.5, primarily affects Phoenix Technologies' UEFI software utilized in many consumer and enterprise systems. Similar to infamous exploits like BlackLotus, this flaw could allow unauthorized code execution and privilege escalation through buffer overflow and TPM configuration manipulation. Lenovo has responded promptly with patches after the flaw was initially discovered in their ThinkPad X1 models; other vendors using Phoenix's firmware may also be affected. Phoenix Technologies recommended that all affected users update their firmware immediately to prevent potential exploitation. The flaw was traced back to unsafe handling of the 'TCG2_CONFIGURATION' variable within the TPM configuration, which, if manipulated, could lead to severe security breaches. Intel has yet to respond to inquiries regarding the vulnerability, which reflects broader concerns over UEFI security, an area that has historically been affected by similar exploits.
2024-06-21 16:16:54 bleepingcomputer DATA BREACH UnitedHealth's Change Healthcare Hit by Massive Ransomware Data Breach
UnitedHealth's subsidiary, Change Healthcare, was the target of a significant ransomware attack in February, resulting in the theft of 6 TB of sensitive medical data. The breach potentially impacted a third of all Americans, exposing patient data and causing widespread disruption in the U.S. healthcare system, notably in pharmacies. The BlackCat ransomware gang, responsible for the attack, exploited compromised credentials via a Citrix remote access service, which lacked multi-factor authentication. UnitedHealth has admitted to paying an initial ransom of $22 million, which was subsequently stolen by the attackers without their fulfilling the promise to delete the stolen data. Despite another ransom reportedly paid after further threats, there is ongoing concern about the stolen data's use in fraudulent activities. Change Healthcare is offering affected individuals two years of complimentary credit monitoring and identity theft protection services. Formal data breach notifications will start being mailed in late July, but in the meantime, affected patients are encouraged to visit changecybersupport.com for further assistance and information.
2024-06-21 16:11:32 bleepingcomputer DATA BREACH UnitedHealth Reports Extensive Data Loss in Change Healthcare Ransomware Attack
UnitedHealth subsidiary Change Healthcare was targeted in a ransomware attack in February, resulting in the theft of 6 TB of sensitive data. The attack caused significant disruptions across the US healthcare system, notably preventing pharmacies from processing insurance claims. Data compromised includes substantial personal and medical information, affecting potentially a third of all Americans. Change Healthcare has initiated measures including complimentary credit monitoring and identity theft protection services for impacted individuals. Lack of multi-factor authentication on Citrix remote access service facilitated unauthorized access by the BlackCat ransomware gang. Despite paying a $22 million ransom, the data was neither secured nor deleted, with additional ransom demanded via data leaks. The financial impact of the attack on UnitedHealth is estimated at $872 million as of April, with expectations of further increases. Formal breach notifications are to be mailed by late July, although not all affected individuals may be reachable directly.
2024-06-21 14:59:54 theregister MISCELLANEOUS Webinar on Expanding Attack Surfaces and Mitigation Strategies
Cloudflare and The Register are hosting a webinar on June 25th to discuss expanding attack surfaces in cybersecurity. The session will cover emerging trends that contribute to the increase in attack surfaces. Participants will learn effective strategies for managing and reducing vulnerabilities. The webinar will feature real-world case studies from leading organizations actively addressing these challenges. Cloudflare’s industry expertise will provide attendees with actionable insights to enhance their security posture. The event is designed to help professionals understand and mitigate the evolving cyber threats affecting their organizations.