Daily Brief

Advance Auto Parts has verified a data breach exposing personal information of employees and potentially customers. The breach stemmed from unauthorized access to a third-party cloud database used by the company. The incident was first noted on May 23, 2024, and confirmed when a hacker named 'Sp1d3r' attempted to sell the data in June. Among the compromised data are social security numbers, government identification numbers, full names, and email addresses of employees and job applicants. There is an indication that some customer data, including email addresses and names, may also have been exposed. The company has contacted law enforcement, begun notifying affected parties, and is offering free credit monitoring and identity restoration services. Advance Auto driven to spend around $3 million in response to the breach to mitigate its impacts and strengthen security measures.

CDK Global, a software provider for car dealerships, was the victim of a significant cyberattack, which led to a shutdown of its systems. Over 15,000 North American car dealerships were affected, unable to access critical operational tools like CRM, inventory, and financing systems. The cyberattack prompted CDK Global to take its two main data centers offline to contain the spread, severely impacting day-to-day dealership operations. Dealership employees were advised to disconnect the always-on VPN links to CDK's data centers, a measure to prevent further network infiltration. The attack may have involved ransomware, which could also compromise backups, leading to prolonged system downtimes and potential data leaks. There remains uncertainty and lack of information from CDK Global about the exact nature and scope of the breach, as official confirmations are still pending. The incident has forced many dealership employees to revert to manual processes, with some being sent home due to the inability to operate normally.

Kraken Crypto Exchange disclosed a $3 million theft exploiting a critical zero-day flaw in their platform by an unnamed security researcher. The exploit was linked to a recent user interface change allowing users to use deposited funds before clearance. Within 47 minutes of detecting the issue, Kraken remedied the flaw that allowed artificial inflating of account balances. Three accounts manipulated this vulnerability shortly after its emergence, leading to the siphoning of funds directly from Kraken's treasuries. The supposed researcher, instead of reporting the bug for a bounty, collaborated with others to withdraw substantial amounts, rejecting the return of the funds and demanding a payment from Kraken. The incident has been escalated to a criminal case, with Kraken engaging law enforcement. Kraken's Chief Security Officer emphasized the ethical protocols of bug bounties, indicating that the actions of the researcher constituted extortion and criminal behavior.

The cyber espionage group UNC3886, linked to China, has exploited zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices. Mandiant researchers report that UNC3886 uses sophisticated tactics to maintain long-term access in compromised networks by employing multiple persistence mechanisms. Techniques include deploying backdoors and harvesting credentials through the exploitation of CVEs like CVE-2022-41328 (Fortinet FortiOS) and CVE-2023-20867 (VMware Tools). UNC3886 targets entities across multiple global regions and various industries including government, telecommunications, and aerospace. The espionage activities include the use of publicly available rootkits and custom malware like Reptile, Medusa, MOPSLED, and RIFLESPINE, leveraging GitHub and Google Drive for command-and-control operations. UNC3886 has also developed tactics to evade detection and lateral movement through legitimate credentials. Security advisories from Fortinet and VMware recommend best practices to mitigate exposure to these threats.

Kraken's security team was alerted about a critical bug on June 9th, which allowed artificial inflation of wallet balances. Researchers exploited a zero-day vulnerability, initiated by a recent UI change, to steal $3 million from Kraken's treasury. The exploit enabled initiating deposits and crediting funds even if transactions did not complete, misleadingly boosting account balances. The security flaw was swiftly corrected within an hour of its discovery, but not before substantial funds were withdrawn. Three individuals, including one posing as a researcher, abused the vulnerability; despite this, they did not cooperate with Kraken post-disclosure. The alleged researchers involved have attempted to extort Kraken by withholding details of the bug and the stolen funds. Kraken has refrained from publicly identifying the exploiters and has reported the incident to law enforcement authorities for further investigation.

Amtrak has issued notifications to users of its Guest Rewards program about a data breach between May 15-18, involving unauthorized access using valid credentials obtained from third-party sources. The breach potentially exposed sensitive data including email addresses, contact info, account numbers, dates of birth, partial credit card numbers with expiration dates, and details of past travel. Amtrak has enforced mandatory multi-factor authentication (MFA) for all affected accounts to strengthen security and prevent future unauthorized access. Affected users are also advised to reset their passwords to something unique and review other online accounts for any unusual activity. In the aftermath, Amtrak has taken steps to modify the account email addresses and forced password resets where necessary. The company has provided affected customers with instructions for securing their accounts and accessing a free credit report to monitor for fraudulent activity. This incident marks the second breach of Amtrak's rewards program following a similar episode in 2020, although no financial data was compromised in the earlier breach.

A global ticket-selling company experienced a data breach due to misconfigured Google Tag Manager (GTM) tags, which were outsourced for management. The breach demonstrates the risks associated with not maintaining active oversight of tracking technologies and data privacy compliance. The misuse of GTM highlights a common issue across many businesses, where GTM connects to multiple apps, often without proper configuration, risking data exposure. About 45% of applications connected through GTM are for advertising purposes, with a significant number potentially leaking sensitive user data. The article emphasizes the need for companies to enforce strict compliance with data privacy laws like GDPR and CCPA to avoid hefty penalties and lawsuits. Continuous web threat management systems are advised to monitor and control tag configurations effectively, mitigating risks while balancing marketing and security needs. The case study underscores the broader implications and potential financial and reputational damage from GTM misconfigurations in various industries.

A novel threat group named Void Arachne is targeting Chinese-speaking users by disguising malware in popular VPN software installers using Windows Installer files. The primary malware distributed, known as Winos 4.0, is a sophisticated Command-and-Control (C&C) framework capable of DDoS attacks, disk searches, webcam and microphone control, keylogging, and more. The campaign exploits social media, messaging platforms like Telegram, and search engine optimization poisoning to distribute its malicious software, effectively using the interests of users in bypassing internet censorship in China. Void Arachne also uses AI technology in its attacks, including software for creating deepfake pornography and voice-altering tools, raising significant privacy and ethical concerns. The malware facilitates persistence by altering firewall rules to permit traffic, using a loader that executes a second-stage payload to establish long-term access and control over infected systems. Researchers identified custom plugins developed by the attackers that enhance the functionality of the Winos 4.0 framework, indicating a high level of sophistication and potential for future modular expansion. Void Arachne’s methods highlight the importance of vigilance in downloading software, especially VPNs, from trustworthy sources to avoid falling prey to such targeted malware distribution campaigns.

A cybercriminal known as markopolo orchestrates a broad scam targeting cryptocurrency users, utilizing fake virtual meeting software named Vortax and 23 other malicious applications. These applications are employed to distribute information stealer malware specifically aimed at macOS and Windows systems, including Rhadamanthys, StealC, and Atomic macOS Stealer (AMOS). markopolo builds a facade of legitimacy for Vortax through social media, supported by a verified X account and a Medium blog hosting AI-generated content. Victims are lured via social media engagements, as well as crypto-centric channels on Discord and Telegram, where they are directed to download booby-trapped software via a RoomID system. Upon entering the provided RoomID on the Vortax website, users are redirected to Dropbox links or other sites for malware-laden software installation. Recorded Future attributes continuous shared hosting use and Command and Control (C2) infrastructure across all builds to markopolo, indicating a streamlined, agile operation. The scam's operational agility allows for quick shifts to new lures after detection, mirroring broader trends in cybercriminal exploitation of cloud services for phishing and info-stealing attacks.

Two vulnerabilities in the Mailcow mail server suite can lead to arbitrary code execution on affected servers. All versions of Mailcow prior to the April 2024 release (version 2024-04) are susceptible to these security flaws. The vulnerabilities allow attackers to inject malicious scripts into the admin panel, potentially hijacking administrator sessions. Attack scenarios include sending a specially crafted HTML email to trigger unauthorized actions without user interaction. Both the vulnerabilities were responsibly disclosed by SonarSource on March 22, 2024, with the software flaws being rated as moderate in severity. Exploitations of these flaws could allow attackers to execute commands and access sensitive data under the guise of an administrator. Mailcow has released an updated version to address these vulnerabilities and users are advised to update immediately to protect their data.

Cybercriminals are using sophisticated social-engineering attacks to trick users into executing malicious PowerShell scripts by presenting fake error messages related to popular software like Google Chrome and Microsoft Word. Victims visiting legitimate but compromised websites encounter pop-up warnings that prompt them to install a fix by pasting a script into their PowerShell terminal, which then downloads and executes malware. At least two criminal gangs, identified as TA571 and the group behind the ClearFake malware campaign, are actively using this tactic, which has recently expanded to include a third operation known as ClearFix. The downloaded malware can perform multiple harmful activities such as stealing credentials, hijacking cryptocurrency transactions, and installing additional malware including ransomware. Proofpoint's researchers named a method "EtherHiding" where malicious scripts involved in these attacks are hosted on blockchain services, complicating tracking and mitigation efforts. Notably, one campaign encourages users to copy a Base64-encoded PowerShell command, leading to the installation of further malware loaders and potentially ransomware. Proofpoint emphasizes the importance of organizational training to help employees recognize and report these types of deceptive tactics and highlights the criticality of this threat‘s persistence and evolution.

Ronald Simpson, ex-IT director at Webster University, pleaded guilty to a $2.1 million fraud involving the university and a computer equipment supplier. Simpson orchestrated a scheme from 2018 to 2023, misleading both the school and supplier to enrich himself through illicit sales. He faces up to 20 years in prison and a $250,000 fine with sentencing scheduled for September. The fraud entailed Simpson purchasing equipment under false pretenses and selling it to a third party, diverting funds to his personal accounts. Webster University terminated Simpson in September 2023 upon discovering the fraudulent activities. As part of the scam, Simpson exploited a return policy meant for defective items, falsely claiming equipment issues to receive and then sell replacements. The FBI conducted the investigation that led to Simpson’s guilty plea.

AMD's internal data is being advertised for sale on the dark web by an individual using the pseudonym IntelBroker. The data for sale reportedly includes customer databases, product specifications, internal financial details, staff information, and source code among other sensitive documents. AMD acknowledges awareness of the purported incident and is collaborating with law enforcement and third-party services to investigate the claims. IntelBroker, the vendor of this data, is known for distributing information from previous high-profile security breaches including incidents involving Europol, Home Depot, and the Pentagon. The legitimacy and actual value of the stolen data are unclear, posing a substantial risk to potential buyers in the underground market. The exposure of such critical information could potentially facilitate activities by phishers, fraudsters, and unscrupulous investors. Law enforcement officials are actively pursuing individuals associated with BreachForums, increasing pressure on IntelBroker and other users of the platform.

The EU Council has delayed a vote on a legislative proposal aimed at protecting children online by mandating the scanning of private digital communications for illegal content. Critics, including tech companies and civil liberties groups, argue that the proposal, known as Chat Control, would undermine encryption, jeopardizing user privacy and security. The proposed client-side scanning, or "upload moderation," would require internet services to pre-scan messages and media on devices before encryption, looking for content such as child sexual abuse material (CSAM). This approach has been widely contested; similar plans by Apple were abandoned in 2021 after significant opposition. Signal’s CEO Meredith Whittaker has expressed concerns that such technology is unfeasible without creating vulnerabilities that could have wide-reaching implications. European MPs have urged the Council of Europe to reject the proposal, warning that it contravenes the European commitment to secure communication and digital privacy. Business entities like Threema threaten to exit the European market if forced to comply, citing a loss of secure and private communication for EU citizens and professionals.

AMD is investigating a possible cyberattack after data claiming to be stolen was listed for sale on a hacking forum. A threat actor known as IntelBroker alleges to possess AMD employee details, confidential financial records, and other sensitive data. IntelBroker claims the data includes future AMD product details, employee databases, and more sensitive files. AMD is coordinating closely with law enforcement and a third-party hosting provider to determine the authenticity and importance of the claimed data. The hacker, also linked to previous breaches involving DC Health Link and the Europol Platform for Experts, has a history of significant cyber incidents. AMD remains cautious as it had dealt with a similar threat in June 2022 from the RansomHouse extortion group, which claimed a substantial data theft. The tech company has not confirmed the veracity of the new hacking claim as the investigation continues.