Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-21 14:29:02 | bleepingcomputer | MISCELLANEOUS | Tor Browser 13.5 Enhances Android Functionality and Desktop Interface | The Tor Project has launched Tor Browser 13.5 with key updates for both Android and desktop platforms. The update focuses on usability improvements rather than new security features. For desktop users, enhancements include better bridge management and an improved visual design for letterboxing, a privacy feature. Android users get a revamped connection experience and a more accessible location for Tor logs. The redesign also makes managing bridge connections easier, with a more user-friendly interface and clear labeling. Error messages for onion sites have been standardised to align with other network errors, improving consistency. The Tor team has announced upcoming support changes, phasing out Windows 8.1 and macOS 10.14 with the next major release. | Details |
| 2024-06-21 13:43:02 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Target Global Governments With New Malware | A Chinese cyberespionage group named SneakyChef is primarily targeting government entities in Asia and the EMEA region using a malware family called SugarGh0st. SneakyChef's operations, tracked since August 2023, use document lures themed around foreign ministries and embassy-related entities. Both SugarGh0st and another trojan, SpiceRAT, appear in SneakyChef's latest attacks, showing an evolution of its toolset. The attacks rely on spear-phishing campaigns that deliver the malware inside RAR archives disguised as legitimate documents. Once executed, SugarGh0st and SpiceRAT are deployed in several stages, including DLL side-loading and the display of a decoy document, to avoid detection. Besides government targets in countries such as Angola, India, and Latvia, the threat actor has also targeted U.S. organizations working in AI. The ongoing campaign demonstrates SneakyChef's persistent and expanding interest in sensitive governmental and technological sectors. | Details |
| 2024-06-21 13:07:07 | thehackernews | MALWARE | Malware Disguised in Military-Themed Emails Targets Pakistani Users | A new phishing campaign, named PHANTOM#SPIKE, uses military-related content to spread malware in Pakistan. The malware is delivered via email attachments containing ZIP files that purport to be documents from an upcoming military forum in Russia. The ZIP files contain a Microsoft Compiled HTML Help (CHM) file that covertly runs a malicious executable when opened. The executable, named "RuntimeIndexer.exe," functions as a backdoor that establishes a remote connection for command and control. Upon execution, the malware can retrieve system information, list running tasks, look up the public IP address, and set up persistence mechanisms. The backdoor allows attackers to execute commands remotely, steal sensitive information, or deploy additional malware. Despite its fairly unsophisticated approach, the campaign effectively exploits the theme of military events to trick users into opening harmful attachments. | Details |
| 2024-06-21 11:19:42 | theregister | RANSOMWARE | Qilin Ransomware Attack Disrupts London Hospital Services, Leaks Data | The ransomware group Qilin has leaked over 400GB of data belonging to London pathology services provider Synnovis, reportedly stolen during a cyberattack. Synnovis, a partnership between Synlab and two London NHS Trusts, was forced to take its systems offline because of the ransomware attack, causing significant disruption across multiple hospitals. Qilin claims to have stolen over 1TB of data; it released data consistent with its claims after negotiations with Synnovis stalled and the company refused to pay a $50 million ransom, in line with UK policy against paying cyber ransoms. The attack continues to severely affect hospital operations, leading to the postponement of 1,134 elective surgeries and 2,194 outpatient appointments since it began on June 4. NHS London continues to mitigate the impact, with some services returning to near-normal levels and mutual aid agreements helping to prioritize critical blood tests. Qilin expressed no remorse for the attack, acknowledging the healthcare crisis it caused while insisting it was part of their 'struggle', showing disregard for the ethics of targeting healthcare infrastructure. | Details |
| 2024-06-21 11:03:53 | bleepingcomputer | CYBERCRIME | CDK Global Alerts Customers to Impersonation Scams Post-Cyberattack | CDK Global, a major SaaS platform for US car dealerships, was hit by a cyberattack that caused significant disruption. Following the attack, threat actors began impersonating CDK support staff in phone calls to customers, aiming to gain unauthorized system access. CDK has shut down its customer support channels and taken most systems offline as a precaution. The company has set up automated toll-free lines to provide updates and warnings about the breach and the associated risks. Customers have been advised not to perform any Dealer Management System (DMS) tasks and to ignore unsolicited communications purporting to be from CDK. The Digital Retail Application and its data remain secure, despite many system integrations having been disabled. There is currently no estimate for when full service functionality will be restored, and CDK continues to work with third-party experts on a resolution. | Details |
| 2024-06-21 09:57:02 | thehackernews | MALWARE | Oyster Backdoor Delivered Through Trojanized Software Installers | A malvertising campaign is using trojanized versions of popular software, including Google Chrome and Microsoft Teams, to distribute the Oyster backdoor. Users are directed via search engines to counterfeit websites, where downloading the supposedly legitimate software results in malware installation. The Oyster backdoor gathers information, communicates with a command-and-control server, and supports remote code execution. After the malware runs, legitimate Microsoft Teams software is installed as a facade to minimize suspicion. The malware, linked to the Russia-associated ITG23 group, also sets up persistence via a PowerShell script. The activity is connected to wider cybercriminal operations, including a phishing scheme by Rogue Raticate that uses PDF decoys to deploy NetSupport RAT. Separately, ONNX Store, a Phishing-as-a-Service platform, has emerged; it facilitates phishing campaigns that use QR codes leading to credential harvesting. ONNX Store employs techniques such as anti-bot mechanisms and encrypted JavaScript to evade detection and collect sensitive data. | Details |
| 2024-06-21 08:55:25 | thehackernews | CYBERCRIME | Active Exploitation of SolarWinds Serv-U Vulnerability Detected | A high-severity vulnerability in SolarWinds Serv-U, tracked as CVE-2024-28995, is being actively exploited by cybercriminals. The flaw is a directory traversal issue that allows attackers to read sensitive files on affected machines; it carries a CVSS score of 8.6. All versions up to and including Serv-U 15.4.2 HF 1 are affected; a fix has been released in Serv-U 15.4.2 HF 2 (15.4.2.157). Security researcher Hussein Daher discovered the vulnerability, and subsequent public disclosures included technical details and a PoC exploit. Cybersecurity firm Rapid7 described exploitation as trivial for external unauthenticated attackers. Threat actors, including some from China, have used the vulnerability in opportunistic attacks to read sensitive files such as /etc/passwd. The widespread potential for "smash-and-grab" attacks and data extortion makes it crucial for users to apply the update promptly to protect their data. The ease of exploitation poses significant risk, since attackers can use the information obtained to launch further attacks. | Details |
| 2024-06-21 07:03:04 | theregister | NATION STATE ACTIVITY | Sweden Accuses Russia of Jamming Satellites After NATO Entry | Sweden has reported "harmful interference" with its satellites, attributing it to Russia and dating it to shortly after Sweden joined NATO in March. The Swedish Post and Telecom Authority formally raised the issue with Russia on March 21, two weeks after joining NATO. The complaint was escalated to the International Telecommunication Union on June 4 and concerns interference with three Sirius satellites serving Scandinavia and parts of Eastern Europe. Kremlin spokesperson Dmitry Peskov denied any knowledge of the incident. The European Union corroborated satellite signal interference across several member states, though it stopped short of directly accusing Russia. The EU's statement did, however, place the interference in the context of Russia's ongoing military actions in Ukraine. Other disruptive activities attributed to Russia in Europe include cyberattacks on infrastructure and attempts to influence French national elections through cyber means. | Details |
| 2024-06-21 05:41:25 | theregister | DATA BREACH | Major Data Breach at Optus Caused by Coding Error in API | Australian telco Optus suffered a significant data breach that exposed the personal information of over 9 million customers, caused by a coding error in an API. The breach occurred because the API of a redundant website, left accessible online since 2017, had flawed access controls introduced by a 2018 coding mistake. Optus recognized and corrected the error on its main domain in 2021 but failed to fix it on the domain that was later compromised. The flawed API allowed unauthorized access through simple trial and error, meaning the breach required no sophisticated hacking skills. The Australian Communications and Media Authority (ACMA) is pursuing legal action against Optus, seeking civil penalties for the negligence. Although the redundant website and API served no practical purpose, they were never decommissioned, which left the vulnerability exposed. Singtel, Optus's owner, told investors it cannot estimate the potential financial penalties but plans to defend against the claims. | Details |
| 2024-06-21 04:30:04 | thehackernews | NATION STATE ACTIVITY | U.S. Implements Full Ban on Kaspersky Over National Security Concerns | The U.S. Department of Commerce has officially banned Kaspersky Lab and its affiliates from selling their security software in the U.S., effective July 20, citing national security risks. The Bureau of Industry and Security (BIS) describes Kaspersky's operations as vulnerable to manipulation by the Russian government, potentially endangering U.S. data security and critical infrastructure. Kaspersky's software has allegedly given the Kremlin mechanisms for data theft, espionage, and potentially harmful manipulation of software functionality. Existing customers will receive software and antivirus updates until September 29, during which time they should secure alternative security solutions to avoid protection gaps. Kaspersky has been added to the Entity List over its alleged cooperation with Russian military and intelligence services for cyber intelligence purposes. Earlier tensions include a 2017 federal ban on Kaspersky products in U.S. federal networks and allegations that Russian hackers used Kaspersky software to steal U.S. NSA tools. Kaspersky disputes the Commerce Department’s claims, calling them geopolitical and theoretical rather than based on solid evidence of wrongdoing. The company warns that the ban could bolster cybercrime by hindering essential international cooperation among cybersecurity experts. | Details |
| 2024-06-20 22:43:58 | bleepingcomputer | NATION STATE ACTIVITY | Biden Administration Prohibits Kaspersky Software Over Security Risks | The Biden administration has announced a ban on Kaspersky Lab, blocking sales and updates of its antivirus software in the U.S. U.S. entities must stop using Kaspersky products by September 29, 2024, and are encouraged to transition to alternative security software. The ban targets Kaspersky's U.S. subsidiary and related entities over concerns that Russia could exploit the company for intelligence purposes. Kaspersky denies any wrongdoing or ties to the Russian government, attributing the ban to geopolitical tensions rather than factual evidence. The U.S. Commerce Department has added Kaspersky and related entities to the Entity List for alleged cooperation with Russian intelligence. Despite the ban, Kaspersky says it remains committed to offering cybersecurity services and reports an 11 percent increase in sales bookings in 2023. The closure of Kaspersky's U.S. business is expected to disrupt current customers and could increase risk by limiting international cybersecurity collaboration. | Details |
| 2024-06-20 21:47:54 | theregister | DATA BREACH | Over 500,000 Patient Records Stolen in Radiology Cyberattack | Consulting Radiologists, a Minnesota-based healthcare provider, suffered a significant cyberattack in February that affected 511,947 patients. The breach involved unauthorized access to personal and medical information, including Social Security numbers, health insurance details, and medical records. Two ransomware groups, LockBit and Qilin, have publicly claimed responsibility for the data theft, with Qilin claiming to have stolen over 70GB of data. After detecting the breach, Consulting Radiologists implemented enhanced security measures and partnered with a cybersecurity firm for further protection. The company has offered a year of free credit monitoring to affected individuals to mitigate potential identity theft. There is currently no evidence that the stolen data has been misused, and the company continues to investigate the breach with assistance from cybersecurity experts. Global ransomware activity, including by LockBit, is on the rise, with a significant increase in attack volume reported. | Details |
| 2024-06-20 21:32:19 | bleepingcomputer | MALWARE | Critical UEFI Vulnerability in Intel CPUs Affects Multiple Vendors | A significant buffer overflow vulnerability, CVE-2024-0762, affects UEFI firmware used with numerous Intel CPUs across multiple device manufacturers. Discovered by Eclypsium, the vulnerability lies in the TPM configuration code of Phoenix SecureCore UEFI firmware and affects Secure Boot processes. The flaw could allow attackers to execute malicious code at the firmware level, potentially installing bootkit malware that is hard to detect and remove. Phoenix and Lenovo have confirmed that the vulnerability affects a wide range of Intel processor generations, including Alder Lake, Coffee Lake, and Comet Lake. Manufacturers such as Lenovo, Dell, HP, and Acer may have hundreds of models affected because of the widespread use of the vulnerable firmware. Lenovo has already started rolling out firmware updates to mitigate the flaw, covering over 150 device models, with more updates planned. The vulnerability highlights threat actors' growing focus on UEFI firmware because of its foundational role in the boot process and in platform security mechanisms. | Details |
| 2024-06-20 21:11:47 | theregister | NATION STATE ACTIVITY | U.S. Bans Kaspersky Products, Citing National Security Risks | The Biden administration has officially banned the sale and distribution of Kaspersky products in the United States. Starting July 20, Kaspersky will be prohibited from entering contracts with new U.S.-based customers; existing customers must transition by October. The Commerce Secretary cited national security risks arising from potential exploitation by the Russian government. Kaspersky is also barred from distributing software updates and malware signatures to U.S. customers after September 29. Violations of the ban could result in fines or criminal charges against sellers or resellers. The decision reflects ongoing concerns about Russian cyber operations and their potential impact on American digital security. The U.S. government's investigations concluded that the risks associated with Kaspersky’s operations could not be mitigated without a total ban. | Details |
| 2024-06-20 20:56:19 | theregister | CYBERCRIME | CDK Global Halts Operations Amid Repeated Cyber Incidents | CDK Global, a major software provider for nearly 15,000 US car dealerships, suffered a severe cyber incident that led to repeated system shutdowns. The initial shutdown occurred early on June 19, followed by an attempt to restore services, including the Dealer Management System and other key platforms. Shortly after restoration, CDK Global was forced to shut systems down again because of a second cyber incident, raising concerns about the security of the restored services. The company has engaged third-party cybersecurity experts to assess the situation and has not provided a timeline for when services will be fully operational again. There is speculation that the attacks were timed to the Juneteenth public holiday to maximize disruption. The incident may involve ransomware, although CDK Global has not confirmed this. Dealerships have resorted to manual processes during the outage, and uncertainty about how long systems will be down is affecting business operations. | Details |