Daily Brief

Total articles found: 11823

2024-06-13 13:59:27 thehackernews NATION STATE ACTIVITY Arid Viper's Ongoing Mobile Espionage Efforts via AridSpy Malware
Arid Viper, a group suspected of being affiliated with Hamas, has run multiple mobile espionage campaigns using trojanized Android apps. The malware, known as AridSpy, is embedded in apps that mimic messaging services and job opportunity apps, targeting users primarily in Palestine and Egypt. The trojanized apps are modified versions of legitimate apps, including variants that replace the functionality of apps available on official platforms, and they deploy AridSpy, which then carries out multifunctional spying. ESET researchers found that these campaigns are still actively distributing malware through websites crafted specifically for this purpose, including a fake Palestinian Civil Registry site. AridSpy is a multi-stage trojan that can download further malicious payloads from a command-and-control server once the initial compromise is achieved. Its data exfiltration techniques include taking front-camera pictures under specific conditions, alongside other data harvesting driven by remote commands. Detection and removal are complicated by the malware's ability to keep running even after the original host app is uninstalled.
2024-06-13 13:33:40 theregister DATA BREACH Privacy Advocates Charge Google with Misleading Tracking Practices
Privacy group noyb has filed a GDPR complaint against Google's Privacy Sandbox, alleging that it deceives Chrome users by enabling disguised tracking. Introduced in 2023, the Privacy Sandbox API aims to replace third-party cookies with a system in which ads are selected based on user interests determined directly in the browser. Despite claims of enhancing user privacy, the API lets Google perform first-party tracking directly within the Chrome browser. Users who opted into the feature on the premise of increased privacy were unknowingly consenting to Google's own ad tracking. The legal concerns center on the absence of the transparent, informed consent that GDPR requires, with noyb accusing Google of outright lying to users. Google defended its consent mechanism, saying it complies with GDPR. The UK's Competition and Markets Authority has also raised privacy concerns about the Sandbox, prompting a delay in phasing out third-party cookies until 2025.
2024-06-13 11:36:19 theregister DATA BREACH Improper Disposal Leads to NHS Patient Data Breach
A medical student caused a data breach by improperly disposing of confidential NHS documents in household waste. The breached data, including sensitive patient information, was found scattered in a back alley in Jesmond, Newcastle. The incident involved personal details from at least two patients' records marked "Private and Confidential." The Cumbria, Northumberland, Tyne and Wear NHS Trust has recovered the documents and contacted the affected individuals. A full investigation has confirmed that all compromised data was retrieved, and measures are being taken to prevent future occurrences. The NHS provides information governance training to all medical students, emphasizing the importance of data confidentiality. The trust is treating the incident as a learning opportunity to strengthen its policies on data protection and handling. The trust did not comment on any disciplinary action against the student responsible for the breach.
2024-06-13 11:30:59 thehackernews MISCELLANEOUS Comprehensive Guide to Enhance SaaS Security and Compliance
Recent increases in cyber-attacks on supply chains are driving stricter cybersecurity laws, notably in the finance sector, and similar regulation is expected across additional industries. Many organizations lack effective ways to handle the urgent security and compliance demands that SaaS and AI technologies bring, even though free tools offer basic help for managing SaaS sprawl and shadow IT. Emerging regulations demand SaaS risk management across the full lifecycle, from discovery to incident reporting, within strict deadlines (e.g., 72 hours for reporting supply chain incidents). Effective SaaS security means identifying all third-party services, assessing their risks, and setting clear usage policies, all enforced continuously because applications turn over rapidly. Reducing the attack surface is a particular focus, by limiting approved SaaS providers and improving security configurations, for example by requiring multi-factor authentication. Incident detection and response readiness is critical, as regulations push for rapid reporting of third-party breaches. Tools such as Wing Security's new tiered offerings help organizations build their SaaS security capabilities incrementally, from basic risk assessments to comprehensive policy enforcement, for a range of business sizes and maturity levels.
2024-06-13 10:29:47 thehackernews NATION STATE ACTIVITY Evolving Pakistan-Linked Malware Targets Multiple OS Platforms
Threat actors associated with Pakistan have been actively conducting a malware campaign known as Operation Celestial Force, targeting Windows, Android, and macOS. The campaign, operational since at least 2018, uses a growing suite of malware tools such as GravityRAT and HeavyLift, managed through a standalone tool called GravityAdmin. GravityRAT, first identified in 2018 targeting Indian entities, has evolved from Windows-only malware into a multi-platform tool that also runs on Android and macOS. Recent findings tie the continued use of the Android version of GravityRAT to attempts to compromise military personnel in India, with the malware disguised as various legitimate applications. The overarching operations are run by Cosmic Leopard, which uses spear-phishing and social engineering to distribute malware through malicious links. GravityAdmin, documented since August 2021, orchestrates the malware attacks and interacts with command-and-control servers to manage infected systems. The newly identified HeavyLift malware, targeting Windows and macOS, focuses on extracting system metadata and receiving commands from a central server, indicating persistent and evolving cyber espionage linked to nation-state interests.
2024-06-13 10:24:25 thehackernews MALWARE New PhantomLoader Aids SSLoad Malware Deployment Across Networks
The SSLoad malware is being distributed using PhantomLoader, a new loader that uses binary patching and self-modifying code to hide inside legitimate software and evade detection. Researchers found that PhantomLoader masquerades as a DLL belonging to an antivirus product, specifically 360 Total Security. SSLoad is used in phishing campaigns to perform initial reconnaissance and then download additional malware payloads. The malware operates under a Malware-as-a-Service model, suggesting it is available to various threat actors. SSLoad can fingerprint the system and send the gathered data to a command-and-control server, which then instructs the malware to deploy further malicious content. Its use of a Telegram channel as a dead drop resolver highlights the advanced tactics used for command-and-control communication. SSLoad also incorporates evasion techniques including dynamic string decryption and anti-debugging measures, indicating a high degree of complexity and adaptability. Alongside SSLoad, other malware such as JScript RAT and Remcos RAT has been observed in phishing efforts aimed at long-term access to and control over compromised systems.
2024-06-13 08:06:42 thehackernews CYBERCRIME Ukraine Arrests Man Linked to Major Ransomware Syndicates
Ukrainian Cyber Police arrested a 28-year-old man suspected of developing encryption tools for the LockBit and Conti ransomware groups. The suspect, from Kharkiv, allegedly created crypters to evade detection by security software, which were subsequently used in ransomware attacks in the Netherlands and Belgium. During raids in Kyiv and Kharkiv, authorities seized computers, mobile phones, and notebooks; the man faces up to 15 years in prison if convicted. The arrest was part of Operation Endgame, an international law enforcement effort aimed at dismantling cybercriminal infrastructure. Recent global law enforcement activity also included the arrest of a Taiwanese national running a dark web narcotics market and a blockchain analysis website. The crackdown reflects intensified international cooperation against cybercrime, targeting botnets and ransomware distribution networks. Cybercrime tactics include social engineering and credential theft for lateral movement and account takeovers, highlighting the need for stronger verification processes.
2024-06-13 07:14:08 thehackernews CYBERCRIME Google Announces Zero-Day Exploit in Pixel Firmware Security
Google has identified a high-severity zero-day vulnerability, CVE-2024-32896, in Pixel firmware. It is an elevation-of-privilege issue that is under limited, targeted exploitation. The June 2024 security update for Pixel devices fixes this issue alongside 50 other vulnerabilities. Several Qualcomm chipset components are also addressed in the update, covering denial-of-service and information disclosure issues. Supported Pixel models receiving the update range from the Pixel 5a with 5G to the Pixel Fold. Similar vulnerabilities in bootloader and firmware components were patched in April. Arm also reported an exploited memory-related vulnerability in its GPU kernel drivers last week. Google's ongoing measures include advanced security testing techniques such as ASM, pentesting, and red teaming.
2024-06-13 06:28:07 thehackernews MALWARE New Noodle RAT Malware Targets Windows, Linux Systems Globally
A new cross-platform malware, Noodle RAT, has been actively used for espionage and cybercrime by Chinese-speaking threat actors since at least July 2016. Trend Micro research indicates that Noodle RAT is not a variant but a distinct malware family, previously misclassified as related to Gh0st RAT. The malware runs on both Windows and Linux, using different tactics on each to provide remote access and control. The Windows version's capabilities include file manipulation and proxy functions, while the Linux version provides reverse shells and file scheduling. Attacks have specifically targeted Thailand and India, exploiting vulnerabilities in public-facing applications to install web shells on Linux servers. Shared code and command-and-control infrastructure suggest a high degree of sophistication and a common origin, likely backed by Chinese state interests. Evidence suggests Noodle RAT is part of a complex supply chain within China, possibly developed and sold for espionage purposes by commercial entities tied to state-sponsored activity.
2024-06-13 03:14:35 theregister NATION STATE ACTIVITY Rethinking Security: ASEAN Shifts from VPN to Zero Trust Model
Recent vulnerabilities in VPN services have exposed ASEAN organizations to increased cyber threats, prompting a reevaluation of security strategies. A notable cyber attack, linked to nation-state hackers, targeted weaknesses in a widely-used VPN service, highlighting the need for enhanced security measures. In response to the attacks, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for users to apply critical updates to Ivanti's networking products. The surge in remote and hybrid work models across Singapore, Malaysia, Thailand, Indonesia, Philippines, and Vietnam has introduced new cybersecurity vulnerabilities. Current perimeter-based security solutions like VPNs are deemed insufficient due to their limited network visibility and the complex nature of modern distributed environments. Cloudflare advocates for the adoption of a Zero Trust Security model, which assumes no inherent trust and strictly controls access to networks and resources. Cloudflare's Zero Trust approach integrates a suite of programmable, cloud-native services designed to enhance security across the Internet and corporate networks. Cloudflare offers a 90-day free trial of its Zero Trust Enterprise solution to help organizations protect their networks and user data efficiently.
2024-06-13 01:17:27 theregister DATA BREACH Tile Extortion Attack Exposes Customer Data Concerns
Life360, maker of Tile Bluetooth trackers, faced a criminal extortion attempt linked to stolen customer data. The attackers claimed to possess data from the Tile customer support platform, including names, addresses, emails, phone numbers, and device IDs. The compromised platform did not hold particularly sensitive information such as passwords, credit card details, or location data. Life360 CEO Chris Hulls disclosed the breach, stating that the core service platform was not breached. The company was contacted by the perpetrators with a ransom demand, though the amount demanded and whether it was paid remain undisclosed. Life360 has engaged law enforcement and strengthened its security measures, with no additional details provided while the investigation continues. The breach adds to Tile's troubles, as the company faces a lawsuit alleging that its trackers enable stalking and compromise user safety.
2024-06-12 22:34:39 bleepingcomputer MALWARE Phishing Campaign Exploits Windows Search to Distribute Malware
A new phishing campaign uses HTML attachments that abuse the Windows search protocol to trigger downloads of malicious scripts. Attackers are using the search-ms URI, which lets applications open Windows Explorer to run searches, to present files hosted on remote servers. First described in academic research by Prof. Dr. Martin Johns, the technique is now actively used by cybercriminals to deliver malware. The phishing emails disguise the HTML attachments as invoices inside ZIP archives to bypass antivirus scanners. If a recipient opens the HTML file, it automatically directs the browser to a malicious URL via a meta-refresh tag, with a clickable link as a fallback if that fails. Clicking an innocuous-looking file link shown in the search results executes a batch script from the remote server; its contents could not be analyzed because the server was offline during analysis. Trustwave SpiderLabs suggests disabling the search-ms/search URI protocol in the registry to mitigate the risk, but advises caution because this could affect legitimate applications.
2024-06-12 22:14:07 theregister MALWARE Black Basta Gang Exploited Windows Flaw Before Patch
The Black Basta ransomware group likely exploited a Windows privilege escalation bug as a zero-day, according to Symantec. Microsoft addressed the vulnerability (CVE-2024-26169), which could let attackers elevate to SYSTEM level, in its March Patch Tuesday release. The exploit was found in a failed ransomware attack analyzed by Symantec and shows signs of having been compiled before the official patch. The same cybercrime group used social engineering and Microsoft's Quick Assist to distribute ransomware in related attacks. The techniques Black Basta employed in this failed attempt align closely with those Microsoft observed in a documented campaign by Storm-1811. The exploit works by manipulating registry keys through a null security descriptor, allowing execution with administrative rights. Timestamps on the malware variants suggest it was created before Microsoft's patch, though timestamp manipulation cannot be ruled out entirely.
2024-06-12 19:40:49 bleepingcomputer MISCELLANEOUS AWS Enhances Security with Passkeys and Mandatory MFA
AWS has incorporated FIDO2 passkeys as a new multi-factor authentication (MFA) option to boost security. Starting July 2024, AWS will require all root account users to enable MFA, beginning with standalone accounts. Passkeys, supported by AWS, employ public key cryptography and are designed to resist phishing and man-in-the-middle attacks. Users can create and use software-based syncable passkeys, accessible via platforms like Apple Touch ID and Windows Hello. Amazon emphasizes the importance of choosing secure MFA methods and suggests passkeys as a robust option against social engineering attacks. AWS will gradually enforce the MFA requirement, extending it to more users over time, with the intention of enhancing overall security. The push for broader MFA adoption aligns with Amazon's commitment to the CISA's Secure by Design pledge.
2024-06-12 19:09:59 bleepingcomputer MALWARE Google Releases Urgent Fixes for Exploited Pixel Security Flaws
Google has issued patches for 50 vulnerabilities in Pixel devices, including one actively exploited zero-day. This zero-day, tracked as CVE-2024-32896, is a high-severity elevation-of-privilege flaw in Pixel firmware. Exploitation of CVE-2024-32896 is reported to be limited and targeted, prompting an immediate patch at the 2024-06-05 patch level. The June 2024 update also addresses other security concerns, including seven critical privilege escalation vulnerabilities in different Pixel subcomponents. Unlike other Android devices, Pixels receive their own updates because of their distinct features and Google's direct control of the hardware. Pixel users must install the update manually through their device settings to protect against these vulnerabilities. Separately, a recent disclosure by Arm described another unrelated but actively exploited flaw, CVE-2024-4610, affecting its GPU kernel drivers. In April, Google patched other Pixel-specific zero-days that forensic firms had used to bypass security controls and access device data.