Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12785

Checks for new stories every ~15 minutes

2024-08-28 10:24:55 thehackernews MALWARE BlackByte Ransomware Targets VMware ESXi in New Attack Series
The BlackByte ransomware group exploits a VMware ESXi vulnerability (CVE-2024-37085) to gain administrator privileges and take control of virtual machines. The group employs double-extortion tactics and runs a data leak site on the dark web, continuing the approach it has used since its emergence in 2021. The attack likely began with valid credentials, probably obtained through brute force, which enabled VPN access and reduced visibility for EDR systems. BlackByte abuses vulnerable drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to terminate security processes and bypass controls. Recent updates to BlackByte include migrating its encryptor to C/C++, strengthening its anti-analysis and anti-debug features. Cisco Talos' investigation found that the attackers quickly adopted publicly disclosed vulnerabilities to advance their ransomware operations. Only an estimated 20-30% of BlackByte victims reportedly appear on the group's public leak site; the reasons for this disparity are unclear. Affected sectors include professional, scientific, and technical services; manufacturing; and education, with varying degrees of exposure to vulnerable drivers.
2024-08-28 09:08:28 theregister CYBERCRIME AI's Dual Role in Enhancing Cybersecurity and Cyberthreats
AI technology is dual-use, serving both as a powerful tool for defenders and as an enabler for cybercriminals. CISOs express significant concern about the risks of Large Language Models (LLMs) in cybersecurity, since these tools make sophisticated and convincing phishing attacks easy to produce. AI-enhanced phishing has become more targeted and realistic, with fraudulent AI-generated emails driving an increase in business email compromise (BEC) incidents. Although the rate of successful phishing attacks declined from 84% in 2022 to 71% in 2023, the negative consequences, including financial and reputational damage, have substantially increased. Security solutions that integrate AI are becoming crucial for organizations that face a flood of enhanced threats but cannot increase staffing sufficiently. Companies such as Proofpoint integrate AI into their security products to improve detection and prevention of sophisticated attacks. Human error remains a significant vulnerability, underscoring the role of advanced AI tools in identifying and preventing breaches.
2024-08-28 07:36:44 theregister MISCELLANEOUS Innovative Use of AirTags Leads to Arrest of Package Thieves
A California woman used an Apple AirTag to track stolen parcels, leading to two arrests. The AirTag had been placed inside a package; when the package disappeared, it was tracked to a residence in Santa Maria, confirming the theft. The Santa Barbara County Sheriff's office reported that the stolen mail included items addressed to over a dozen unrelated individuals. The arrested individuals, Virginia Franchessca Lara and Donald Ashton Terry, face multiple felonies including theft and fraud. Both suspects face serious charges, with Terry's bail set significantly higher because of additional warrants. The incident highlights both the positive uses of tracking technologies like AirTags and their potential for misuse, such as stalking. In response to privacy concerns, Apple and Google have agreed on protocols that increase the transparency of tracking devices.
2024-08-28 06:50:47 thehackernews CYBERCRIME New QR Code Phishing Exploits Microsoft Sway in Latest Campaign
A new QR code phishing campaign uses Microsoft Sway to build authentic-looking phishing sites aimed at stealing Microsoft 365 credentials. The attackers leverage legitimate cloud services to lend credibility to their fake sites, complicating detection. Victims are primarily in Asia and North America, predominantly in the technology, manufacturing, and finance sectors. The scheme uses adversary-in-the-middle tactics to capture both credentials and two-factor authentication codes. Cybersecurity analysts observed a 2000-fold increase in traffic to the phishing pages since July 2024. The attackers employ Cloudflare Turnstile to evade static analysis by URL scanners and raise additional hurdles for defenders. Recent developments in phishing techniques include crafting QR codes from Unicode text characters, which bypasses traditional image-based security scans. This advanced phishing strategy represents a significant evolution in cybercrime and demonstrates the need for stronger security measures against sophisticated threats.
2024-08-28 05:08:53 thehackernews CYBERCRIME Critical Apache OFBiz Flaw Actively Exploited, CISA Warns
CISA has added a critical vulnerability in the Apache OFBiz ERP system to its Known Exploited Vulnerabilities catalog following reports of active exploitation. The flaw, tracked as CVE-2024-38856, has a CVSS score of 9.8 and enables unauthenticated remote code execution. Attackers can execute code remotely by sending a Groovy payload that exploits improper authorization checks in Apache OFBiz. Originally discovered as a patch bypass, the vulnerability exposes endpoints to unauthenticated actors, allowing them to execute commands remotely. It follows the recent cataloging of another Apache OFBiz flaw, CVE-2024-32113, which was exploited to deploy the Mirai botnet. Although no specific cases of CVE-2024-38856 being weaponized have been reported, PoC exploits are publicly available. Organizations using Apache OFBiz are advised to upgrade to version 18.12.15 to protect against these vulnerabilities. U.S. Federal Civilian Executive Branch agencies must apply the update by September 17, 2024, as mandated by CISA.
2024-08-28 04:22:54 thehackernews MALWARE Critical Security Flaw Found in Popular WordPress Plugin
A critical vulnerability in the WPML WordPress plugin, tracked as CVE-2024-6386, allows remote code execution. The flaw affects all versions of WPML prior to 4.6.13 and carries a severity rating of 9.9. Authenticated users with at least Contributor-level access can exploit the vulnerability to execute arbitrary code on the hosting server. The issue stems from inadequate input validation and sanitization in the handling of shortcodes, specifically a server-side template injection (SSTI). Over one million active installations of the WPML plugin are potentially at risk. Security researcher stealthcopter reported the vulnerability, which has been addressed in WPML version 4.6.13, released on August 20, 2024. Site administrators are urged to update the WPML plugin immediately to prevent potential exploitation. Despite the severity, the plugin's maintainers consider real-world exploitation unlikely because specific conditions are required to trigger the vulnerability.
2024-08-28 02:00:13 theregister NATION STATE ACTIVITY Chinese Satellites May Extend Great Firewall Globally
Chinese companies plan to launch over 15,000 broadband satellites to provide global internet service, and the first have already launched. The Australian Strategic Policy Institute suggests these satellites could be used to extend China's Great Firewall, potentially censoring and monitoring global internet traffic. Satellite broadband could allow China to impose its notion of digital sovereignty internationally, influencing other countries' internal policies and restricting freedom of information. The ground stations controlling these satellites are potential points for data monitoring and censorship similar to China's domestic internet controls. Highlighted risks include cyber espionage by the Chinese government and compliance with Chinese data laws that might compromise user privacy globally. Mercedes Page warns that adoption of Chinese satellite infrastructure could lead to international data control resembling a 'digital Iron Curtain.' Despite the ambition of global coverage, skepticism and regulatory pushback from various nations may limit the uptake of Chinese satellite services, with alternatives like Starlink and Amazon's Kuiper offering less restrictive options.
2024-08-27 21:04:43 bleepingcomputer DATA BREACH BlackSuit Ransomware Attack Compromises Nearly One Million Records
Young Consulting, recently renamed Connexure, suffered a significant ransomware attack by BlackSuit on April 10, 2024, affecting 954,177 individuals. The exposed personal information includes full names, Social Security numbers, birth dates, and insurance claim details. The breach was discovered three days after the attack, when encryption was triggered; the investigation concluded on June 28. Victims are offered a complimentary 12-month credit monitoring service from Cyberscout, which must be claimed by November 2024. BlackSuit has since leaked the data on its darknet extortion portal, heightening the risk of fraud and identity theft for affected individuals. BlackSuit, a derivative of the former Royal ransomware, has extorted over $500 million from U.S. companies in two years, including a noted attack on CDK Global. The leaked content may include sensitive company and personal documents beyond what Young Consulting disclosed to affected parties.
2024-08-27 20:33:52 bleepingcomputer CYBERCRIME US Marshals Service Denies Ransomware Gang's Breach Allegations
The U.S. Marshals Service (USMS) has refuted claims by the Hunters International ransomware gang that it breached the agency's systems. Despite being listed on the gang's leak site, USMS found no evidence of a new or undisclosed breach after reviewing the materials posted online. A threat actor named Tronic previously claimed to have stolen and sold data similar to that now claimed by Hunters International. In February 2023, the USMS confirmed an earlier ransomware attack that affected sensitive law enforcement information. Hunters International, suspected of being a rebrand of Hive, has targeted a wide range of organizations with high ransom demands. The gang has become one of the most active, claiming 157 attacks since the beginning of the year, including the one on USMS.
2024-08-27 20:03:08 theregister CYBERCRIME Intel's Security Flaw in SGX Could Expose Sensitive Data
Russian researcher Mark Ermolov discovered a security flaw in Intel's Software Guard Extensions (SGX) that could allow unauthorized access to protected data. The vulnerability hinges on a coding error that fails to clear an internal buffer in crucial processing units. Despite the serious potential impact, exploiting the flaw requires physical access to the hardware and a chain of unmitigated earlier vulnerabilities. Older Intel processors such as Gemini and supported Xeons have been identified as susceptible. Intel had already mitigated the earlier vulnerabilities affecting these systems, so the risk is reduced unless systems remain unpatched. The revelation calls into question the trustworthiness of SGX, a feature introduced in 2015 to protect data even from the manufacturer. Intel has phased out SGX in new client processors, but many older embedded systems still use the technology. Security experts advise immediately ceasing to use affected processors for secure enclaves while reassessing their trustworthiness.
2024-08-27 17:35:19 theregister NATION STATE ACTIVITY Beijing-Backed Hackers Exploit Versa SD-WAN Vulnerability
The China-based cyber espionage group Volt Typhoon exploited a high-severity bug in Versa Director, part of Versa's SD-WAN product, as early as June 2024. The vulnerability, tracked as CVE-2024-39717, allowed attackers to implant a custom web shell, VersaMem, for credential harvesting on compromised networks. The attacks targeted internet service providers (ISPs) and managed service providers (MSPs), since these roles enable further penetration into downstream customer networks. Versa has released a patch, urging customers to update to Versa Director version 22.1.4 and to follow its recommended security hardening practices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog. Beyond credential theft, VersaMem can load additional malicious Java code while maintaining a stealthy presence on the network. Security expert Doug Britton notes that the attack follows Volt Typhoon's modus operandi of focusing on strategic infrastructure to gain broader network access. The incident underscores the ongoing debate about vendors' accountability for the default security of their products.
2024-08-27 17:29:50 bleepingcomputer MALWARE Malicious Plugin Discovered in Pidgin Messenger's Repository
Pidgin, an open-source messaging app, found a malicious plugin in its third-party plugin repository. The compromised plugin, ScreenShareOTR, was used to deploy keyloggers and information stealers and to gain initial access to corporate networks. ESET identified the malware associated with the plugin as DarkGate, which threat actors use to breach networks. The plugin was available for both the Windows and Linux versions of Pidgin and downloaded malware from a malicious server. The plugin's advertised screen-sharing feature served as cover for the malicious activity, which ran without the user's knowledge. Other plugins hosted on the same server were suspected of containing malware, suggesting a broader campaign. In response, Pidgin will now only list plugins with an OSI Approved Open Source License to ensure code transparency and security. Users who installed the compromised plugin are urged to remove it and run a full system scan.
2024-08-27 17:24:23 bleepingcomputer CYBERCRIME New Tool Enables Downgrade Attacks on Updated Windows Systems
SafeBreach researcher Alon Leviev has created a tool called Windows Downdate that can revert up-to-date Windows systems to versions with known vulnerabilities. Windows Downdate works by downgrading components such as the Hyper-V hypervisor, the Windows kernel, the NTFS driver, and the Filter Manager driver to their exploitable states. The tool, available both as a Python-based open-source program and as a pre-compiled Windows executable, performs these downgrades while remaining undetected by typical security defenses such as EDR systems. At Black Hat 2024, Leviev demonstrated how the tool exploits CVE-2024-21302 and CVE-2024-38202, essentially rendering a system's "fully patched" status meaningless by reintroducing old vulnerabilities. Windows Downdate allows attackers to disable Windows virtualization-based security (VBS) features, such as Credential Guard, without physical access, increasing the severity of potential attacks. Microsoft has patched one of the exploited vulnerabilities (CVE-2024-21302) but has yet to address the other (CVE-2024-38202), leaving systems at risk of downgrade attacks. Recommended mitigations include configuring audit settings, restricting update operations, and strengthening Access Control Lists to monitor and limit file access.
2024-08-27 16:18:00 thehackernews MALWARE MacOS HZ RAT Targets Chinese Messaging App Users
A macOS version of the HZ RAT malware targets users of Chinese instant messaging apps such as DingTalk and WeChat. The malware, which replicates the functions of its Windows counterpart, was first documented in November 2022 and is distributed via malicious zip files or RTF documents. Its attack vectors include masquerading as legitimate software installers that also deploy a backdoor script running the RAT (Remote Access Trojan). HZ RAT connects to a command-and-control server and executes commands covering file manipulation, data upload, and system surveillance. The malware focuses primarily on credential harvesting and system reconnaissance, with the ability to extract personal information such as WeChat IDs and corporate details from DingTalk. Kaspersky's latest findings describe a sample uploaded in July 2023 that impersonates the OpenVPN Connect installer but is aimed at data exfiltration. The command-and-control servers are predominantly located in China, with some in the U.S. and the Netherlands, suggesting a targeted cyber espionage campaign. Activity attributed to HZ RAT across different platforms dates back to June 2020, indicating ongoing and potentially expanding operations.
2024-08-27 15:26:51 bleepingcomputer DATA BREACH Park'N Fly Notifies 1 Million Customers of Data Breach
Park'N Fly suffered a data breach affecting 1 million customers in Canada and compromising personal information. Hackers accessed Park'N Fly's network in mid-July using stolen VPN credentials, with unauthorized activity detected between July 11 and July 13, 2024. Exposed customer data includes full names, email and physical addresses, Aeroplan numbers, and CAA membership numbers. No financial or payment card information was compromised. The company confirmed that account passwords remain secure and that affected systems were restored within five days of the breach. Following the incident, additional security measures are being implemented to better protect user information. Park'N Fly has assured customers of its commitment to transparency and system integrity. Customers have voiced concerns on Reddit about how long companies retain data and the resulting risks, such as account hijacking. Affected individuals are advised to watch for phishing attempts and to consider resetting passwords for related accounts, such as Air Canada's Aeroplan program.