Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-17 05:14:38 | thehackernews | MALWARE | South Korean Users Targeted by NiceRAT Malware via Cracked Software | Threat actors are using NiceRAT malware to create a botnet, primarily targeting South Korean users. The malware spreads through cracked software downloads, including fake Microsoft Windows and Microsoft Office license verification tools. NiceRAT disguises its distribution by instructing users to disable anti-malware solutions, making its detection challenging. In addition to direct downloads, NiceRAT also spreads through NanoCore RAT-infected zombie computers previously used for distributing other malware. NiceRAT, a Python-based open-source RAT and stealer, uses Discord Webhooks for its command-and-control operations. Since its initial release on April 17, 2024, NiceRAT has been actively developed and is offered in both free and premium versions under a malware-as-a-service model. Concurrently, a resurgence of the Bondnet cryptocurrency mining botnet has been observed, using high-performance bots as command-and-control servers. | Details |
| 2024-06-17 02:00:55 | theregister | MISCELLANEOUS | New Spam Blocklist Emerges; Cyberstalking and Trade Secret Theft Updates | Data443 is launching a free spam domain and IP blocklist service aimed at former users of the now-defunct SORBS service, which officially ceased operations on June 5. The new service from Data443 will use data from its existing Cyren platform, providing a time-lagged version of its commercial domain/IP blocklist offerings. SORBS, which was operated by security vendor Proofpoint until its closure, served over 200,000 organizations with a DNS-based block list containing 12 million records for servers linked to spam and scams. In cybersecurity enforcement news, a Georgia woman has been charged with cyberstalking and making interstate threats related to an online adoption scam, facing up to 15 years if convicted. Klaus Pflugbeil, a Canadian battery executive residing in China, has pleaded guilty to stealing Tesla's proprietary battery charging technology and now faces a potential 10-year prison sentence. It remains unclear whether Data443 intends to acquire the actual SORBS codebase, as it has made no definite statement on the matter. | Details |
| 2024-06-17 00:49:25 | theregister | MISCELLANEOUS | Japan Advances Space Debris Cleaning Project; Global Tech Updates | Japan's Aerospace Exploration Agency (JAXA) and Astroscale have successfully demonstrated a satellite, ADRAS-J, that can approach and monitor space debris, specifically a defunct rocket stage. India's government has appointed a new tech minister, maintaining continuity while aiming to bolster its technology governance. A former NCS employee from India has been jailed for deleting virtual machines after his dismissal, highlighting the risks of remote access persisting after employment ends. Hong Kong is trialling a robodog capable of detecting pollution, potentially replacing human inspectors in hazardous environments. Forrester forecasts a significant 6.4% increase in APAC tech spending for 2024, with India expected to see the highest regional growth rate. Bipartisan support has emerged in Australia for imposing a minimum age requirement of 16 for social media use, amid broader efforts to combat online financial scams. Environmental and technological advancements across Asia-Pacific signal robust growth and innovation, alongside ongoing regulatory adaptations to new challenges. | Details |
| 2024-06-16 14:17:26 | bleepingcomputer | CYBERCRIME | New Speculative Execution Attack Compromises ARM MTE Security | A speculative execution attack named "TIKTAG" has been identified targeting ARM's Memory Tagging Extension (MTE), affecting Google Chrome and Linux systems. The attack exploits ARM's security feature designed to prevent memory corruption by leaking MTE memory tags with over a 95% chance of success. Researchers from Samsung, Seoul National University, and the Georgia Institute of Technology co-authored the study demonstrating the vulnerability. TIKTAG uses two specific code gadgets, TIKTAG-v1 and TIKTAG-v2, to manipulate speculative execution paths and infer memory tags from cache states. While leaking MTE tags does not expose sensitive data such as passwords or encryption keys directly, it potentially allows attackers to bypass MTE protections and facilitate more severe memory corruption attacks. No immediate fixes have been implemented, though ARM and Google's Chrome security teams have been informed; according to its bulletin, ARM does not consider this a compromise of the architecture's principles. Mitigations and potential long-term solutions are still under discussion among the tech community and concerned entities. | Details |
| 2024-06-16 04:32:49 | thehackernews | CYBERCRIME | U.K. Hacker from Scattered Spider Group Arrested in Spain | A U.K. national linked to the cybercrime group Scattered Spider was arrested in Palma de Mallorca, Spain. The arrest was a collaboration between the FBI and Spanish Police, who detained the individual as he attempted to leave for Italy. The suspect, identified as Tyler Buchanan and known online as "tylerb," specialized in SIM swapping and is associated with multiple ransomware attacks. This arrest follows the earlier capture of another group member, charged with wire fraud and aggravated identity theft in the U.S. Scattered Spider has evolved from SIM swapping and credential harvesting to sophisticated ransomware and data extortion schemes. The group uses phishing, privilege escalation, and data theft from SaaS platforms, increasingly targeting the finance and insurance sectors. Mandiant and other security firms note the group's use of fear-mongering and Okta permissions abuse in its operations. | Details |
| 2024-06-15 17:10:53 | bleepingcomputer | NATION STATE ACTIVITY | Novel Emoji-Controlled Malware Targets Indian Government Agencies | A new Linux malware named 'DISGOMOJI' uses emojis for command execution and is controlled via Discord. DISGOMOJI primarily targets a custom Linux distribution used by Indian government agencies; it was discovered by Volexity and linked to the Pakistan-based threat actor UTA0137. The malware enables remote operations such as command execution, file theft, and deployment of additional malware payloads, with espionage objectives. Commands to the malware are issued through emojis sent on a Discord server, which may allow it to bypass text-command detection used by security software. The distribution method likely involves phishing, with the malware initially delivered as an executable within a ZIP archive that poses as a PDF document. Upon execution, the malware exfiltrates basic system information and awaits emoji commands for further actions. DISGOMOJI maintains persistence through reboot cron entries and other mechanisms, facilitating long-term access and data theft. Researchers uncovered attempts by the attackers to move laterally within networks, aiming to steal credentials and gather extensive intelligence from targeted systems. | Details |
| 2024-06-15 15:18:42 | bleepingcomputer | MALWARE | ASUS Releases Firmware Update to Address Critical Router Vulnerabilities | ASUS has issued a critical firmware update for seven router models due to a severe authentication bypass flaw identified as CVE-2024-3080, with a CVSS score of 9.8. The vulnerability allows unauthenticated, remote attackers to gain control of affected routers without needing login credentials. Affected router owners are urged to update their firmware immediately, or to strengthen their device security settings if an immediate update isn't possible. Recommendations include enforcing strong passwords, disabling internet access to administration panels, and turning off features such as port forwarding and the VPN server. The update also fixes another high-severity issue, CVE-2024-3079, a buffer overflow vulnerability that can be exploited with admin access. Additionally, ASUS responded to CVE-2024-3913, a critical arbitrary firmware upload flaw impacting multiple router models. Not all models will receive updates, as some have reached end-of-life status; alternative mitigation options are suggested per model. Alongside the router firmware upgrades, a new version of Download Master for ASUS routers has been released to address five less severe, but still significant, security issues. | Details |
| 2024-06-15 14:17:23 | bleepingcomputer | MISCELLANEOUS | Microsoft Announces Major Security Overhaul for Outlook Accounts | Microsoft is set to improve security for personal Outlook email accounts by phasing out basic authentication by September 16, 2024. The move aims to reduce exposure by replacing basic authentication with token-based authentication and multi-factor authentication (MFA). The change also ends support for the 'Mail' and 'Calendar' apps on Windows and the 'light' version of the Outlook Web App due to security concerns. Users of older Outlook versions that rely on basic authentication will need to switch to more recent email clients that support modern authentication methods. Microsoft is ending the ability to access Gmail accounts via Outlook.com from June 30, 2024; however, the standalone Outlook clients for Windows and Mac will retain this functionality. The enhancements are part of Microsoft's 'Secure Future Initiative', aimed at bolstering user security amid rising email-based cyberattacks. The firm suggests that users with Microsoft 365 subscriptions use the included Outlook version, ensuring full compatibility and security. | Details |
| 2024-06-15 09:58:02 | thehackernews | MALWARE | Surge in Financial Malware and Smishing Attacks in LATAM and Pakistan | The Smishing Triad, a threat group possibly Chinese-speaking, has expanded its operations to Pakistan with malicious SMS scams impersonating Pakistan Post. Targets receive fake messages about failed package deliveries and are tricked into entering financial details on fraudulent websites. Google detailed the activities of PINEAPPLE, a threat actor distributing the Astaroth malware in Brazil using spam with tax- and finance-themed lures. PINEAPPLE abuses cloud services such as Google Cloud, Amazon AWS, and Microsoft Azure to deliver malware across Brazil and LATAM. UNC5176, a Brazil-based cluster, targets sectors such as financial services and healthcare with URSA malware, which is capable of stealing extensive personal data. A new threat actor, FLUXROOT, uses cloud services to host phishing pages and distribute the Grandoreiro banking trojan in Latin America. An additional threat actor, Red Akodon, targets organizations across multiple sectors in Colombia, using phishing emails designed to steal credentials. | Details |
| 2024-06-15 08:21:08 | thehackernews | NATION STATE ACTIVITY | Pakistani-Linked Hackers Target Indian Government with DISGOMOJI Malware | A Pakistan-based threat actor, UTA0137, has been targeting Indian government entities using a malware named DISGOMOJI. DISGOMOJI, a Golang-based malware aimed at Linux systems, uses Discord for command and control via emoji-encoded messages. The malware infiltrates systems through spear-phishing campaigns delivering a malicious Golang ELF binary within a ZIP file. Once installed, DISGOMOJI downloads a benign document as a decoy while secretly fetching the malware payload from a remote server. Volexity discovered variants of DISGOMOJI with features for establishing persistence, avoiding duplicate instances, and hiding its real functionality to impede analysis. The attackers also use legitimate tools such as Nmap, Chisel, and Ligolo for networking tasks, and have exploited the DirtyPipe vulnerability for privilege escalation. In one user manipulation tactic, the malware displays a fake Firefox update dialog to trick users into surrendering their passwords. Continuous improvements to DISGOMOJI indicate an evolving threat capability and ongoing espionage activity against the Indian government. | Details |
| 2024-06-15 07:50:26 | thehackernews | DATA BREACH | Meta Pauses AI Training in EU Due to Privacy Regulation Challenges | Meta has delayed training its large language models (LLMs) on EU user data following concerns raised by the Irish Data Protection Commission (DPC). The planned data use was based on the 'Legitimate Interests' legal ground without explicit consent from users, which contradicts the EU's GDPR requirements. The delay affects the use of public Facebook and Instagram content from adult users in the European Union, intended to enhance the AI's contextual understanding. Meta argues that the restriction will hinder Europe's competitive edge in AI innovation and adaptability, resulting in a "second-rate experience" in AI applications. Collaboration with both the DPC and the UK's Information Commissioner's Office (ICO) is ongoing to seek compliance and acceptance for the AI tools. The Austrian non-profit organization noyb filed a complaint in 11 EU countries alleging that Meta's AI data practices violate GDPR privacy laws. Meta remains "highly confident" that its data handling complies with European laws, despite criticism and legal challenges from privacy advocates. | Details |
| 2024-06-15 01:23:35 | theregister | NATION STATE ACTIVITY | Congressional Hearing on Microsoft's Security and National Risks | Microsoft President Brad Smith testified before Congress, acknowledging the company's security shortcomings and defending its operations in China. The U.S. government, including the White House and Congress, is urged to take action to prevent further security breaches linked to Microsoft, using tools ranging from executive orders to revised federal spending. A Homeland Security report criticized Microsoft for "avoidable errors" that allowed Chinese-backed cyberspies to access sensitive U.S. government emails via Microsoft's Exchange Online. Despite the risks, Smith claimed Microsoft is not compelled by Chinese law to hand over data or provide governmental snooping services, a statement met with skepticism by some members of Congress. Discussions highlighted the potential national security threats arising from the U.S. government's heavy reliance on Microsoft for cloud infrastructure, operating systems, and security products. There are calls for an independent evaluation of the security tools offered by Microsoft and for exploring other vendor options to improve cybersecurity diversity and effectiveness. Senators have questioned the Pentagon's continued investment in Microsoft products despite these security issues, suggesting a reassessment of contractual decisions with the company. The ongoing debate emphasizes the need for a robust government strategy to ensure software accountability and secure procurement practices at the federal level. | Details |
| 2024-06-14 21:44:38 | theregister | MISCELLANEOUS | Stanford Internet Observatory Restructures Amid Legal Challenges | The Stanford Internet Observatory (SIO), known for highlighting social media disinformation, is undergoing management changes and staff reductions. The restructuring follows the departure of research director Renee DiResta and comes amid legal pressure from conservative groups criticizing the organization's role in online speech moderation. Despite these changes, a Stanford spokesperson affirmed that SIO will not disband but will continue its mission, focusing on areas such as child safety while reducing its focus on election misinformation. The changes occur during crucial political periods in both the US and UK, raising questions about the timing and the impact on election integrity research. Last year, SIO faced significant pressure from the Subcommittee on the Weaponization of the Federal Government, which demanded documents related to its moderation activities. SIO's involvement in the Election Integrity Partnership and the Virality Project made it a target for lawsuits and legal scrutiny alleging violation of First Amendment rights through perceived government collaboration in censorship. These legal and political challenges have led to substantial legal costs for Stanford, as well as concerns over the chilling effects on freedom of inquiry and the integrity of academic research. | Details |
| 2024-06-14 21:24:02 | bleepingcomputer | DATA BREACH | Keytronic Hit by Major Ransomware Attack, Data Leaked | Keytronic, a large PCBA manufacturer, confirmed a data breach following a ransomware attack by the Black Basta group. The cyberattack occurred on May 6, disrupting operations and causing Keytronic to shut down facilities in the U.S. and Mexico for two weeks. The attack led to the theft of 530GB of sensitive data, including HR, finance, and engineering information, as well as personal details such as employees' passports and social security cards. Keytronic disclosed in an SEC filing that the breach will materially impact its financial condition in the fourth quarter of 2024, with $600,000 already spent on external cybersecurity response. The company is in the process of notifying affected parties and regulatory agencies as required under the new SEC guidelines. The Black Basta ransomware operation, believed to include former members of the Conti group, has claimed responsibility for this and several other significant breaches across various sectors. | Details |
| 2024-06-14 20:53:07 | theregister | DATA BREACH | Meta Halts AI Training with EU Data Amid Regulatory Pushback | Meta has paused its plans to train AI on European user data following concerns from European data protection agencies, led in particular by Ireland. The decision prevents Meta from using Facebook and Instagram posts from EU citizens to train its large language models (LLMs); Meta claims this will delay AI advancements and offerings in Europe. Meta expressed disappointment, stating that the move contradicts its efforts to incorporate regulatory feedback and could hinder European technological innovation. However, the Data Protection Commissioner and privacy advocates have welcomed the decision, with continued engagement planned to address data usage and privacy concerns. Meta intended to use only public posts for AI training and had included opt-out options for European users, which were not made available to non-EU users. Without EU data, Meta argues, its AI won't effectively understand regional languages or cultural contexts, resulting in compromised service quality for European users. Meta has committed to ongoing collaboration with European regulators, including resolving specific issues raised by the UK's Information Commissioner's Office. The decision has broader implications for AI development policy, emphasizing the need for privacy assurance in the early stages of technological development. | Details |