Daily Brief

Find articles below; see 'DETAILS' for generated summaries

Total articles found: 12785

Checks for new stories every ~15 minutes

2024-08-28 21:20:20 bleepingcomputer CYBERCRIME Ex-Employee Arrested for Massive Server Extortion Plot
A former infrastructure engineer locked Windows administrators out of 254 servers in a ransom scheme. The engineer demanded a €700,000 ransom to prevent daily server shutdowns at a New Jersey industrial company. Using his admin privileges, he changed passwords and threatened to delete backups, making data recovery difficult. The FBI's investigation traced unauthorized remote access and scheduled malicious activity back to the engineer. Forensic analysis revealed web searches on methods for changing passwords and clearing logs. The scheme was intended to severely deny the company access to its own systems and data. The engineer faces up to 35 years in prison on extortion, intentional computer damage, and wire fraud charges.
2024-08-28 21:15:00 bleepingcomputer CYBERCRIME U.S. Offers $2.5 Million Reward for Information on Belarusian Hacker
The U.S. State Department and Secret Service are offering a $2.5 million reward for information leading to the arrest and/or conviction of Belarusian hacker Volodymyr Kadariya. Kadariya is accused of running malvertising campaigns linked to the Angler Exploit Kit, which targeted vulnerabilities in software such as Adobe Flash and Internet Explorer to distribute malware. He was first indicted in June 2023 for wire and computer fraud; the indictment was publicly disclosed in August 2024, identifying Kadariya as a key player in global malware operations. His criminal activities included managing malware distribution networks and scams, employing tactics such as "scareware" to trick victims into downloading malicious files. Kadariya's operations also involved selling stolen data and providing cybercriminals with access to compromised systems. The Angler Exploit Kit, prominent from 2013 to mid-2016, was instrumental in a significant volume of cyberattacks worldwide before it ceased activity. Kadariya's current location is unknown, and the substantial reward aims to facilitate his capture and curb his extensive cybercriminal impact.
2024-08-28 19:02:46 bleepingcomputer MALWARE PoorTry Windows Driver Morphs Into Aggressive EDR Wiper Tool
The PoorTry driver, originally designed to disable endpoint detection and response (EDR) systems, has been upgraded to delete files critical to security software operation. This evolution marks a strategic shift by ransomware gangs to enhance the disruptive phase of attacks, ensuring a smoother encryption process by eliminating recovery options for EDR systems. Initially developed in 2021, PoorTry, also known as 'BurntCigar', was used by prominent ransomware groups like BlackCat, Cuba, and LockBit, and was flagged for having its malicious drivers signed through Microsoft's attestation process. Aside from ransomware, groups engaged in credential theft and SIM-swapping have also utilized PoorTry. Recent reports in 2024 highlight PoorTry's new capabilities in a RansomHub attack, systematically terminating and deleting security-related files to leave systems unprotected. The malware now uses advanced obfuscation techniques and supports operational flexibility in targeting a range of EDR products by deleting files by name or type. Attackers have started manipulating signature timestamps and employing varied certificates for payload execution, complicating detection and response efforts. Despite ongoing efforts to neutralize PoorTry’s impact, its developers continue to refine the tool’s capabilities, presenting both challenges and detection opportunities in cybersecurity defense.
2024-08-28 18:36:59 bleepingcomputer NATION STATE ACTIVITY Iranian APT33 Group Targets US Defense Using Tickler Malware
The Iranian hacking group APT33, also known as Peach Sandstorm or Refined Kitten, has deployed Tickler malware to infiltrate networks in the US and UAE, including government, defense, and oil sector organizations. The malware was part of a broader intelligence collection operation conducted from April to July 2024, aimed primarily at gathering sensitive information from the targeted sectors. Microsoft researchers highlighted that APT33 used Azure infrastructure for the malware's command-and-control setup, employing fraudulently acquired Azure subscriptions that have since been disrupted. Initial access was achieved through extensive "password spray" attacks, in which a few common passwords are tried against many accounts to avoid detection. The compromised accounts, particularly from the education sector, were then used either to control existing Azure subscriptions or to establish new ones supporting ongoing malicious activity. These attacks successfully penetrated defense, space, and government institutions, employing both Tickler and the previously used FalseFont malware. Microsoft plans to enforce Multi-Factor Authentication (MFA) on all Azure accounts from October 15 to significantly reduce the risk of similar breaches in the future, following its finding that MFA prevents most unauthorized access attempts.
2024-08-28 18:06:14 theregister NATION STATE ACTIVITY Iranian-Backed Hackers Target U.S. with Ransomware and Data Theft
Iranian government-backed hackers, known as Pioneer Kitten, have been infiltrating U.S. and foreign networks, targeting sensitive data and deploying ransomware. Attacks have exploited vulnerabilities in VPN and firewall technologies from Check Point, Citrix, and Palo Alto Networks, among others. Most attacks are financially motivated, seeking to develop ransomware capabilities in collaboration with ransomware-as-a-service gangs like NoEscape and ALPHV/BlackCat. These cybercriminals have also targeted sectors such as defense, banking, healthcare, and education in the U.S., as well as international targets in Israel, Azerbaijan, and the UAE. A related group, Peach Sandstorm, linked to the Iranian Revolutionary Guard, used a new malware, Tickler, to breach U.S. and UAE sectors including satellite and oil and gas. The FBI warns that compromised U.S. cloud services accounts may be used by these actors to conduct further malicious activities. Recent activities indicate an escalation in election-related attacks, with suspicions of Iranian involvement in a hack-and-leak campaign against Donald Trump.
2024-08-28 17:45:37 bleepingcomputer DATA BREACH DICK'S Sporting Goods Faces Data Breach; Secures Systems
DICK'S Sporting Goods experienced a significant cyberattack, with confidential information reportedly exposed. The breach was detected on August 21, 2024, prompting immediate activation of the company’s cybersecurity response plan. In response to the cyberattack, DICK’S shut down email systems and temporarily locked out all employee accounts. The company engaged external cybersecurity experts to investigate, isolate, and contain the breach. All employees must have their identities manually verified on camera to regain access to their accounts, indicating heightened security measures. DICK'S has reported the incident to federal law enforcement and maintains that the breach has not impacted business operations. An ongoing investigation has yet to conclude the full extent and impact of the breach; however, DICK'S believes the breach is not material to its operations.
2024-08-28 17:25:01 bleepingcomputer NATION STATE ACTIVITY Iranian Hackers Collaborate with Ransomware Gangs for Extortion
Iranian hackers from the Pioneer Kitten group are targeting U.S. sectors including defense, education, finance, and healthcare. These cyber actors are believed to be linked to the Iranian government, heightening geopolitical cyber threats. The hackers monetize access by selling admin credentials and control of domains through online cyber marketplaces. The FBI identifies direct collaboration between Pioneer Kitten and ransomware affiliates such as NoEscape and ALPHV to carry out encryption and increase ransom demands. Pioneer Kitten conceals its nationality and origins from the ransomware groups it partners with. Recent activity includes probing networks for vulnerabilities in security gateways and VPN devices and using exploits for them in its campaigns. Pioneer Kitten has historically exploited various security flaws to breach networks, showing a pattern of sophisticated, targeted cyberattacks. Alerts from federal agencies including CISA and the FBI warn of the ongoing threat and of Pioneer Kitten's capability to deploy and profit from ransomware operations.
2024-08-28 17:04:12 bleepingcomputer CYBERCRIME Fortra Addresses Critical Hardcoded Password Vulnerability
Fortra issued a warning about a critical hardcoded password flaw in FileCatalyst Workflow, allowing unauthorized database access. Exploiting this flaw, attackers can extract sensitive data and create new admin profiles to take complete control over the system. The vulnerability, identified as CVE-2024-6633 with a CVSS score of 9.8, affects versions up to 5.1.6 Build 139. Fortra recommends upgrading to FileCatalyst Workflow version 5.1.7 or later to mitigate this security risk. The vulnerable HSQLDB database is intended only for initial installation setups and not for ongoing production use, as per vendor recommendations. There are no alternative mitigations; updating to the latest software version is the only recommended defense. Tenable discovered the vulnerability, noting that the hardcoded password "GOSENSGO613" is unchangeable by end-users and poses a high security risk for current deployments. The high potential for exploitation makes this flaw particularly hazardous for organizations using the affected product versions.
2024-08-28 17:04:12 bleepingcomputer MISCELLANEOUS Google Significantly Increases Chrome Bug Bounty Rewards
Google has updated its Chrome Vulnerability Reward Program, raising the maximum bounty to $250,000 for critical security flaws. The enhanced bounties aim to motivate researchers to submit high-quality reports and explore Chrome vulnerabilities thoroughly. Rewards now vary based on the quality of the vulnerability report and the potential security impact, with significant increases for reports demonstrating remote code execution. Google has also increased the reward for MiraclePtr bypass vulnerabilities to $250,128, up from the previous $100,115. The company continues to adapt its rewards program, including plans to introduce more experimental reward opportunities aimed at promoting deeper security research. Google has paid out over $50 million in bug bounties since the inception of its Vulnerability Reward Program in 2010, covering more than 15,000 reported vulnerabilities. The Google Play Security Reward Program (GPSRP) will close at the end of August due to a decrease in actionable vulnerability reports.
2024-08-28 16:23:17 theregister CYBERCRIME Dick’s Sporting Goods Reveals Cyberattack, Investigative Efforts Ongoing
Dick's Sporting Goods reported a cyberattack discovered on August 21, notifying the SEC via an 8-K filing. An unidentified third party accessed portions of the company's systems that contained confidential information; the specifics of the information compromised remain unclear. Although the cyberattack did not disrupt ongoing business operations, the full implications are still being assessed. The company has engaged law enforcement and external security experts to investigate the breach and strengthen its security measures. Customers affected by the breach will be notified, but the company has not specified which types of customer information were exposed. The outcome of this incident and further details may be disclosed during the upcoming second-quarter earnings report on September 4. There is no clear evidence of ransomware or immediate operational sabotage, as services were not halted.
2024-08-28 16:17:58 thehackernews MALWARE Fortra Releases Patch for Critical FileCatalyst Workflow Vulnerability
Fortra has patched a critical vulnerability in FileCatalyst Workflow, identified as CVE-2024-6633 with a CVSS score of 9.8. The security flaw was due to use of static default credentials in the HSQL database setup, potentially allowing unauthorized administrative access. Cybersecurity firm Tenable discovered the vulnerability, which made it possible for remote attackers to add admin users to the Workflow web application. Fortra’s advisory highlighted that although HSQLDB is intended only for installation and not for production, failure to switch databases left users exposed. Apart from the critical flaw, a high-severity SQL injection vulnerability (CVE-2024-6632, CVSS score: 7.2) was also patched. This SQL injection issue stemmed from improper validation of user input during the setup process, allowing attackers to make unauthorized database modifications. The vulnerabilities have been fixed in FileCatalyst Workflow version 5.1.7 and later, following responsible disclosure protocols.
2024-08-28 15:47:13 bleepingcomputer DATA BREACH DICK'S Sporting Goods Reports Data Exposure Due to Cyberattack
DICK'S Sporting Goods experienced a cyberattack that exposed confidential information last Wednesday. Following the detection of the breach, the company hired cybersecurity experts to manage the incident and investigate its scope and impact. The cyberattack involved unauthorized access to certain information systems containing sensitive data. DICK'S initiated a swift response through its cybersecurity protocol, engaging external specialists to isolate and neutralize the threat. Employees have been temporarily restricted from accessing company systems, receiving further instructions via personal communication channels. The company has reported the incident to federal law enforcement but asserts that business operations remain unaffected. The ongoing investigation suggests that the incident may not significantly impact the company due to prompt response measures.
2024-08-28 14:04:45 bleepingcomputer MISCELLANEOUS mWISE 2024: Premier Cybersecurity Conference in Denver
The mWISE™ security conference is scheduled for September 18 – 19 in Denver, targeting security practitioners with a focus on frontline cybersecurity challenges. The event offers attendees an opportunity to interact with high-caliber security experts and industry leaders in a vendor-neutral, intimate setting. mWISE, hosted by Mandiant, part of Google Cloud, emphasizes actionable advice and solutions over sales-driven content. Highlights include sessions on ransomware trends, emerging threats, and managing sophisticated security threats, featuring speakers from prominent organizations such as CISA and Bloomberg News. A registration promotion offers a 45% discount on early bird rates through September 4, with both in-person and digital access options available. Digital passes provide extended access to keynote recordings and session content until December 2024, so attendees can engage with the material at their convenience.
2024-08-28 13:49:17 thehackernews NATION STATE ACTIVITY South Korean-Aligned Group Exploits WPS Office Flaw
A cyber-espionage group, APT-C-60, exploited zero-day vulnerabilities in Kingsoft WPS Office to deploy the SpyGlace backdoor. The critical remote code execution flaw, CVE-2024-7262, allowed arbitrary Windows library uploads and remote code execution. The group designed a one-click exploit using a maliciously crafted spreadsheet that appeared benign but housed a damaging hyperlink. The SpyGlace malware features capabilities including file theft, plugin loading, and command execution. CVE-2024-7263, another similar vulnerability, was identified with the same high-risk CVSS score of 9.3. APT-C-60 has been active since 2021, with detections of the SpyGlace trojan dating back to June 2022. Relatedly, a compromised Pidgin plugin was found distributing the DarkGate malware, highlighting ongoing security vulnerabilities in third-party applications. Users are urged to remain vigilant and remove any suspicious or verified malicious plugins immediately.
2024-08-28 13:08:04 theregister CYBERCRIME Microsoft's Copilot Exploits: Vulnerabilities and Fixes Revealed
Microsoft resolved security flaws in Copilot that allowed attackers to access and steal personal user data such as emails by chaining several advanced techniques, including prompt injection. Johann Rehberger, a red teamer, discovered and comprehensively demonstrated these vulnerabilities, and Microsoft has since addressed the issue without clearly detailing the mitigation strategies used. The attack began with a phishing email leading users to open a malicious Word document labeled "Microsoft Defender for Copirate," turning the Copilot chatbot into a tool for attackers. Subsequent stages of the attack used automatic tool invocation via Copilot, prompting it to search for sensitive user data such as additional emails and Multi-Factor Authentication (MFA) codes. ASCII smuggling was then used to stealthily exfiltrate the data: invisible Unicode tag characters were embedded within harmless-looking hyperlinks. Rehberger also developed a tool called ASCII Smuggler that reveals hidden Unicode tags, helping users identify and decode malicious messages. These vulnerabilities highlight the risks of, and the safeguards needed for, LLM-based applications, underscoring the ongoing challenge of securing new AI technologies against sophisticated cyberattacks.