Daily Brief

Articles are listed below; each entry's summary is machine-generated

Total articles found: 11823

Checks for new stories every ~15 minutes

2024-06-12 17:58:35 bleepingcomputer CYBERCRIME CISA Issues Alert on Criminals Impersonating Agency Staff
The Cybersecurity and Infrastructure Security Agency (CISA) has warned that fraudsters are impersonating its employees to pressure targets into sending money. The callers use real CISA staff names and titles to lend credibility, then ask for payment by wire transfer, cash, cryptocurrency or gift cards. CISA states plainly that its staff will never request money and will never ask a caller to keep a conversation secret. Anyone who receives such a call should hang up, note the caller's number, validate the contact through CISA's published phone number, and report the attempt to law enforcement. The Federal Trade Commission (FTC) reports that losses to impersonation scams have more than tripled since 2020, exceeding $1.1 billion in 2023, with business and government impersonation both common and often combined in a single scheme.
2024-06-12 17:37:55 bleepingcomputer CYBERCRIME New Phishing Technique Exploits PWAs to Harvest Credentials
Security researcher mr.d0x has published a phishing technique, with templates on GitHub for testing and training, that abuses Progressive Web Apps (PWAs) to harvest credentials. An installed PWA runs in its own window without the browser's address bar, so a phishing page can draw a fake address bar showing the legitimate corporate domain above a cloned login form. PWAs were designed to make web apps feel native and boost engagement; here that same installability is the lure, since the victim is prompted to "install" what looks like a legitimate application. Defences are limited: Chrome reveals the real origin only briefly when the PWA window opens rather than keeping a persistent address bar, the researcher found no group policy that blocks PWA installation, and most security-awareness training does not cover PWA phishing. The technique is cheap to reproduce, so it is likely to be adopted by criminal phishing kits.
2024-06-12 16:46:41 bleepingcomputer DATA BREACH Life360 Targeted in Extortion Attempt After Tile Data Hack
Life360, a company specializing in safety and location services, disclosed an extortion attempt following a breach of its Tile customer support platform. The breach, which occurred after Life360's acquisition of Tile for $205 million, exposed user names, addresses, email addresses, phone numbers, and device IDs. The stolen data did not include highly sensitive information such as credit card numbers, passwords, or location data. The breach involved the use of credentials believed to be stolen from a former Tile employee, allowing unauthorized access to various Tile systems. Life360 has taken measures to secure its platforms and has reported the incident to law enforcement, though details on when the breach was detected and the full extent of the impact remain unclear. The threat actor sent multiple extortion emails to Life360, claiming possession of the stolen customer information. There is ongoing concern about whether the stolen data might appear on hacking forums or the dark web, impacting customer privacy and security.
2024-06-12 16:20:58 theregister DATA BREACH White House Reveals Details of Major 2023 Government Data Breaches
The White House report detailed 11 major data breaches across U.S. federal agencies in 2023, with various departments impacted. A total of 32,211 cybersecurity incidents were reported by U.S. federal agencies in 2023, marking a 9.9% increase from the previous year. Major causes of the incidents include improper usage, phishing, and web-based attacks, with brute force attacks showing a significant increase. Most incidents were rated "medium" or below in terms of potential impact on national security, economic security, or public services. Notable breaches involved the Departments of Health and Human Services, Treasury, Justice, and the Office of Personnel Management, with incidents ranging from ransomware attacks to accidental data exposure. Affected data included personally identifiable information such as names, Social Security numbers, and health information, impacting millions of individuals. Response measures have involved strengthening internal processes, training, and in some cases, providing credit monitoring services to affected parties.
2024-06-12 15:09:05 bleepingcomputer MISCELLANEOUS Microsoft Recommends Transition from DirectAccess to Always On VPN
Microsoft has deprecated its DirectAccess remote access technology and recommends migrating to Always On VPN. DirectAccess, introduced with Windows 7 and Windows Server 2008 R2, gave domain-joined remote clients transparent access to the corporate network and let IT manage them as if they were on-site. Always On VPN, available since Windows Server 2016 and Windows 10, supports modern VPN protocols (IKEv2 and SSTP) and multi-factor authentication, and works for both domain-joined and non-domain-joined devices. Microsoft has not set a removal date but urges organisations to start migrating now to avoid later disruption. Its migration guide recommends a phased approach, running both systems in parallel until all clients have moved. Post-migration steps include removing the DirectAccess server role, cleaning up the DNS records DirectAccess created, and decommissioning the server in AD DS.
2024-06-12 14:02:27 theregister NATION STATE ACTIVITY Extensive Chinese Malware Campaign Targets 20,000 Firewalls
The Netherlands' National Cyber Security Centre (NCSC) has found that a previously reported Chinese espionage campaign compromised at least 20,000 FortiGate firewalls worldwide. The campaign, attributed to a Chinese state-sponsored actor, exploited CVE-2022-42475, a critical heap-based buffer overflow in the FortiOS SSL-VPN that allows unauthenticated remote code execution, to compromise devices in 2022 and 2023, including during a "zero-day period" before Fortinet disclosed the flaw. Victims include Western governments, international organisations and many defence companies. On a subset of devices the actor installed Coathanger, a stealthy remote access trojan that survives reboots and firmware upgrades. Patching CVE-2022-42475 closes the entry point but does not remove an implant that is already installed; the NCSC advises that the only reliable way to clean an infected device is to reformat and reinstall it, so many devices may still be compromised. The actor can use these footholds for further intrusion and data theft. The case illustrates the broader risk of edge devices such as firewalls and VPN appliances: they are directly internet-facing, frequently vulnerable, and generally cannot run EDR or other host-based monitoring.
2024-06-12 14:02:26 bleepingcomputer MISCELLANEOUS Managing OAuth Risks: Insights and Proactive Measures
OAuth grants let third-party applications act on a user's account (Google Workspace or Microsoft 365, for instance) without ever seeing the password, and ungoverned grants are a standing security risk. Investigate each grant's permissions, which are visible on the OAuth consent screen and in the provider's token or API audit logs. The abuse of OAuth applications in Microsoft's own tenant by "Midnight Blizzard" shows what an attacker can do with an over-privileged grant. Check the app registration itself: the client ID and the publisher's contact email can reveal an app that is malicious or merely sloppy. Marketplace listings and publisher verification badges are useful trust markers, but sophisticated actors have obtained both, so they are not proof. Adoption is another signal: an app used across the organisation or widely in the market has had more eyes on it than one a single user installed last week. Tools such as Nudge Security automate this by continuously discovering SaaS apps, scoring the risk of each grant, and revoking risky ones.
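The triage described above, as an added example that is not code from the article or from Nudge Security: score each OAuth grant on the scopes it holds, the publisher's verification status and contact domain, and how widely it is adopted in the organisation. The Grant records and field names are assumptions mirroring what a provider's token log typically exposes (not a specific API); the scope URIs are real Google OAuth scope identifiers; the sample inventory is constructed.

```python
"""Risk-triage OAuth grants exported from an identity provider.

Added example, not code from the article or from Nudge Security. The Grant
records are constructed and the field names are assumed (they mirror what a
provider's token/API log typically exposes, not a specific API). The scope
URIs are real Google OAuth scope identifiers.
"""
from dataclasses import dataclass

# Scopes that hand an app broad access to mail, files or the directory.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/admin.directory.user": "manage directory users",
}
CONSUMER_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}


@dataclass
class Grant:
    client_id: str         # OAuth client ID from the app registration
    app_name: str
    publisher_email: str   # developer/publisher contact shown on the consent screen
    verified: bool         # provider shows a publisher-verification badge
    scopes: list
    user_count: int        # users in this organisation who granted the app


def assess(grant: Grant, org_users: int):
    """Score one grant; higher is riskier. Returns (score, reasons)."""
    score, reasons = 0, []
    for scope in grant.scopes:
        if scope in HIGH_RISK_SCOPES:
            score += 3
            reasons.append(f"high-risk scope: {HIGH_RISK_SCOPES[scope]} ({scope})")
    if not grant.verified:
        score += 2
        reasons.append("publisher not verified by the provider")
    domain = grant.publisher_email.rsplit("@", 1)[-1].lower()
    if domain in CONSUMER_MAIL_DOMAINS:
        score += 1
        reasons.append(f"publisher contact is a consumer mailbox ({domain})")
    # Lone adoption: nobody else in the organisation has vetted this app.
    if org_users and grant.user_count / org_users < 0.01:
        score += 1
        reasons.append(f"used by only {grant.user_count} of {org_users} users")
    return score, reasons


def triage(grants, org_users, threshold=4):
    """Return {client_id: (score, reasons)} for grants at or above threshold."""
    flagged = {}
    for grant in grants:
        score, reasons = assess(grant, org_users)
        if score >= threshold:
            flagged[grant.client_id] = (score, reasons)
    return flagged


# Constructed sample inventory (not real apps or client IDs).
SAMPLE_GRANTS = [
    Grant("111111-aaaa.apps.googleusercontent.com", "Calendar Sync Pro",
          "calsyncpro.dev@gmail.com", False, ["https://mail.google.com/"], 1),
    Grant("222222-bbbb.apps.googleusercontent.com", "Slack",
          "oauth@slack.example", True,
          ["https://www.googleapis.com/auth/userinfo.email"], 900),
    Grant("333333-cccc.apps.googleusercontent.com", "PDF Merge",
          "support@pdfmerge.example", True,
          ["https://www.googleapis.com/auth/drive"], 40),
]

if __name__ == "__main__":
    for client_id, (score, reasons) in triage(SAMPLE_GRANTS, org_users=1000).items():
        print(f"{client_id}: score {score}")
        for reason in reasons:
            print(f"  - {reason}")
```

With the constructed inventory only the unverified, single-user app holding full Gmail access crosses the threshold; the verified Drive tool scores on its scope alone and stays below it, which is the point of weighing scope against the other signals rather than revoking every broad grant.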
2024-06-12 13:46:22 thehackernews CYBERCRIME Cryptojacking Operation Exploits Kubernetes to Mine Cryptocurrency
Cloud security firm Wiz reports a cryptojacking campaign that abuses misconfigured Kubernetes clusters to mine the Dero cryptocurrency ("cryptojacking" is the unauthorised use of someone else's compute to mine coins). The attackers target Kubernetes API servers whose RBAC configuration grants real privileges to anonymous requests, which lets them create workloads without any credentials at all. The malicious container images are hosted on Docker Hub, some with more than 10,000 pulls. They are deployed as DaemonSets, so a single object spreads the miner to every node, under innocuous names such as "k8s-device-plugin" and "pytorch-container". The miner is an open-source Go binary packed with UPX, with wallet addresses and mining-pool URLs hard-coded so it needs no configuration or command-and-control traffic. Wiz also found a Windows build of the miner and scripts that kill competing miners, and the actor uses benign-looking domain names to blend the pool traffic with normal web activity.
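The two conditions this campaign depends on can be checked from `kubectl` output. The Kubernetes API server accepts anonymous requests by default (`--anonymous-auth=true`), so the real exposure is any RBAC binding that grants `system:anonymous` or `system:unauthenticated` more than the built-in `system:public-info-viewer` role; and a DaemonSet is suspect when its image does not come from a registry the cluster is expected to use. The script below is an added example, not Wiz's tooling or the attackers' code; it reads the JSON emitted by `kubectl get clusterrolebindings -o json` and `kubectl get daemonsets -A -o json`, and the two sample documents and the trusted-registry list are constructed assumptions.

```python
"""Find RBAC rights granted to anonymous callers and DaemonSets pulled from
untrusted registries, the two ingredients of the Dero cryptojacking campaign.

Added example, not Wiz's tooling or the attackers' code. Input is the JSON from
`kubectl get clusterrolebindings -o json` and `kubectl get daemonsets -A -o json`;
the sample documents below are constructed for illustration.
"""
import json

ANON_SUBJECTS = {"system:anonymous", "system:unauthenticated"}
# The API server installs this binding itself so unauthenticated clients can
# read /healthz, /version and /readyz; it is expected and not an exposure.
EXPECTED_ANON_ROLES = {"system:public-info-viewer"}
# Assumed for the example; use the registries your cluster actually pulls from.
TRUSTED_REGISTRIES = {"registry.k8s.io", "nvcr.io", "quay.io", "ghcr.io"}


def anonymous_bindings(crb_list):
    """Return (binding, role, subject) for every non-default grant to anonymous callers."""
    findings = []
    for crb in crb_list.get("items", []):
        role = crb["roleRef"]["name"]
        if role in EXPECTED_ANON_ROLES:
            continue
        for subj in crb.get("subjects") or []:
            if subj.get("name") in ANON_SUBJECTS:
                findings.append((crb["metadata"]["name"], role, subj["name"]))
    return findings


def image_registry(image):
    """Registry host of an image reference; bare and user/repo names resolve to docker.io."""
    first = image.split("/", 1)[0]
    if "/" not in image or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first


def suspicious_daemonsets(ds_list, trusted=TRUSTED_REGISTRIES):
    """DaemonSets running any container image from a registry outside `trusted`."""
    findings = []
    for ds in ds_list.get("items", []):
        meta = ds["metadata"]
        spec = ds["spec"]["template"]["spec"]
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            registry = image_registry(c["image"])
            if registry not in trusted:
                findings.append({"namespace": meta["namespace"], "name": meta["name"],
                                 "image": c["image"], "registry": registry})
    return findings


# Constructed sample output, trimmed to the fields the checks use.
SAMPLE_CRB = json.loads("""
{"items": [
 {"metadata": {"name": "system:public-info-viewer"},
  "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"},
               {"kind": "Group", "name": "system:unauthenticated"}]},
 {"metadata": {"name": "anon-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "system:anonymous"}]}
]}""")

SAMPLE_DS = json.loads("""
{"items": [
 {"metadata": {"name": "nvidia-device-plugin-daemonset", "namespace": "kube-system"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "nvidia-device-plugin-ctr", "image": "nvcr.io/nvidia/k8s-device-plugin:v0.15.0"}]}}}},
 {"metadata": {"name": "k8s-device-plugin", "namespace": "kube-system"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "plugin", "image": "someuser/k8s-device-plugin:latest"}]}}}}
]}""")

if __name__ == "__main__":
    for binding in anonymous_bindings(SAMPLE_CRB):
        print("anonymous RBAC grant:", binding)
    for ds in suspicious_daemonsets(SAMPLE_DS):
        print("DaemonSet from untrusted registry:", ds)
```

The look-alike "k8s-device-plugin" is caught not by its name but by where its image comes from: a bare `user/repo` reference resolves to Docker Hub, which is exactly where this campaign hosts its images. Pair the check with an admission policy that enforces the same registry allow-list, so the finding cannot recur.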
2024-06-12 13:46:22 bleepingcomputer CYBERCRIME Specialist in Ransomware Crypting Arrested in Ukrainian Operation
Ukrainian police have arrested a 28-year-old Russian national who worked with the Conti and LockBit ransomware operations. He specialised in crypters, the packers and obfuscators that make malware payloads evade antivirus detection. The arrest was part of Operation Endgame, the international action against the botnets ransomware operators use for initial access to victim networks. Information from the Dutch police, gathered after an attack on a multinational company, was key to identifying him, and authorities confirmed at least one ransomware attack in which a Conti payload he had crypted was used. Searches in Kyiv and Kharkiv seized computers, phones and handwritten notes. He is charged with unauthorised interference with electronic systems and faces up to 15 years in prison; the investigation continues to establish his full contribution to the groups' attacks.
2024-06-12 11:32:31 thehackernews DATA BREACH Massive Data Theft Hits Ticketmaster and Santander via Snowflake
ShinyHunters claimed last week to have stolen 1.3 terabytes of data on 560 million Ticketmaster customers. Live Nation confirmed the incident in an SEC filing, attributing it to unauthorised activity in a third-party cloud database environment hosted by Snowflake, and said it does not expect a material impact on operations. Santander disclosed a breach affecting customers and employees that traced to a third-party provider's database, also hosted on Snowflake. Snowflake says its platform itself was not breached: the attackers logged in to customer accounts with stolen credentials where only single-factor (password) authentication was enforced. Snowflake's guidance is to review login history for anomalies, enforce multi-factor authentication, apply network policies that restrict source IPs, and reset and rotate credentials. Mitiga's research describes a broader campaign using stolen credentials against tenants without MFA. The lesson is basic hygiene for cloud data platforms: mandatory MFA, SSO enforcement, network allow-lists and credential rotation, because the data lives outside the corporate perimeter and the login page is the perimeter.
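The log review Snowflake recommends, as an added example that is not Snowflake's or Mitiga's code: export the account's login history and look for successful password-only logins, then for those coming from outside the organisation's expected egress ranges. The column names below are the real ones from the `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view; the rows and the corporate IP range are constructed for the example.

```python
"""Review Snowflake login history for password-only logins and unfamiliar source IPs.

Added example; it is not Snowflake's or Mitiga's code. The rows below are
constructed and mimic the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, whose
column names (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE,
FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS) are real.
The corporate IP range is an assumption for the example.
"""
import csv
import io
import ipaddress

# Query to run in Snowflake and export as CSV for this script.
LOGIN_HISTORY_SQL = """
SELECT EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE,
       FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE EVENT_TIMESTAMP >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY EVENT_TIMESTAMP;
"""

# Constructed sample export. An empty SECOND_AUTHENTICATION_FACTOR means no MFA was used.
SAMPLE_CSV = """EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-06-10 08:02:11,ALICE,203.0.113.10,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-06-10 08:15:42,ETL_SVC,203.0.113.22,PYTHON_DRIVER,PASSWORD,,YES
2024-06-10 23:41:05,ALICE,198.51.100.77,OTHER,PASSWORD,,YES
2024-06-11 02:13:19,BOB,198.51.100.77,OTHER,PASSWORD,,NO
2024-06-11 02:13:44,BOB,198.51.100.77,OTHER,PASSWORD,,YES
2024-06-11 09:00:02,CAROL,203.0.113.10,SNOWFLAKE_UI,OAUTH_ACCESS_TOKEN,,YES
"""

# Assumed office/VPN egress range for the example.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_login_history(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def password_only_logins(rows):
    """Successful logins that relied on a password with no second factor."""
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]


def logins_outside_corporate(rows, nets=CORPORATE_NETS):
    """Successful logins from IPs outside the expected egress ranges."""
    out = []
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue
        ip = ipaddress.ip_address(r["CLIENT_IP"])
        if not any(ip in net for net in nets):
            out.append(r)
    return out


def users_needing_attention(rows, nets=CORPORATE_NETS):
    """Users with a password-only login from outside corporate ranges: reset and enforce MFA."""
    outside = logins_outside_corporate(password_only_logins(rows), nets)
    return sorted({r["USER_NAME"] for r in outside})


if __name__ == "__main__":
    rows = parse_login_history(SAMPLE_CSV)
    print("password-only successful logins:", len(password_only_logins(rows)))
    for user in users_needing_attention(rows):
        print("reset credentials and enforce MFA for", user)
```

The service account ETL_SVC also logs in with a password alone but from the corporate range; it belongs on a key-pair or OAuth migration list rather than the incident list. A real export from `reg`-style tooling aside, note that the ACCOUNT_USAGE views lag live activity by up to a couple of hours, so for an active incident query `INFORMATION_SCHEMA.LOGIN_HISTORY()` as well, and follow the review with a `CREATE NETWORK POLICY` that limits `ALLOWED_IP_LIST` to the ranges you expect.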
2024-06-12 11:16:47 thehackernews MALWARE Black Basta Ransomware Linked to Windows Zero-Day Exploit
Black Basta ransomware affiliates appear to have exploited CVE-2024-26169, a privilege escalation flaw in the Windows Error Reporting Service, before Microsoft patched it in March 2024. Symantec found an exploit tool whose compile timestamps predate the fix, suggesting zero-day use, although timestamps can be forged. The operators, tracked as Cardinal, Storm-1811 and UNC4393, gain initial access by abusing legitimate Microsoft tooling: Teams messages posing as IT support, then Quick Assist for remote control, followed by credential theft tools and batch scripts. The exploit takes advantage of werkernel.sys creating registry keys with a null security descriptor, so an unprivileged user can plant an Image File Execution Options entry for WerFault.exe that makes the SYSTEM-level error reporting process launch the attacker's binary. The ransomware deployment in the observed case failed, but the tool's presence confirms the flaw was used in the wild. Ransomware activity overall continues to intensify, with rising payments and new families such as DORRA.
2024-06-12 10:00:16 bleepingcomputer CYBERCRIME Black Basta Ransomware Exploits Windows Zero-Day for Elevated Attacks
The Black Basta ransomware operation is suspected of having used a Windows zero-day, CVE-2024-26169, to escalate privileges during attacks. The flaw lies in the Windows Error Reporting Service and was fixed in Microsoft's March 12, 2024 Patch Tuesday release. Symantec attributes the exploit to Black Basta because it was deployed after an initial DarkGate loader infection in an intrusion with the group's hallmarks. The bug is that werkernel.sys creates registry keys with a null security descriptor; the exploit uses this to create an Image File Execution Options key for WerFault.exe with a "Debugger" value pointing at the attacker's executable, so that when the SYSTEM-privileged WerFault.exe starts, the attacker's binary runs with SYSTEM rights. The two variants Symantec recovered carry compile timestamps from weeks and months before the patch; Symantec notes timestamps can be faked but sees little motive to backdate a private exploit. Timely patching and CISA's published guidance on Black Basta remain the practical mitigations. Black Basta emerged from the defunct Conti operation and is reported to have collected more than $100 million in ransoms since April 2022.
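A hunt for the registry artefact behind both Black Basta items above, as an added example that is not Symantec's or the attackers' code. Symantec's analysis of the CVE-2024-26169 exploit describes it creating an Image File Execution Options (IFEO) key for WerFault.exe whose "Debugger" value names the attacker's binary, so that the SYSTEM-privileged WerFault.exe launches it. The scanner below parses the text that `reg export` writes (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`), so it runs anywhere; the sample export, the debugger paths and the list of high-value targets are constructed assumptions.

```python
r"""Scan a registry export for Image File Execution Options 'Debugger' hijacks.

Added example, not Symantec's or the attackers' code. Parses the text format
`reg export` writes so it can run off-box; the sample export is constructed.
"""
import re

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Binaries the OS starts with SYSTEM rights; a Debugger on these is a privilege escalation.
# Assumed list for the example.
HIGH_VALUE_TARGETS = {"werfault.exe", "winlogon.exe", "lsass.exe", "services.exe", "csrss.exe"}


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # string values only; dword:/hex: values are ignored here
                name = m.group(1)
                value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = value
    return keys


def ifeo_debugger_hijacks(keys):
    """Every IFEO subkey carrying a Debugger value, rated by the target binary."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(IFEO_PREFIX.lower()):
            continue
        target = path[len(IFEO_PREFIX):].strip("\\").lower()
        debugger = values.get("Debugger")
        if not debugger:
            continue
        severity = "high" if target in HIGH_VALUE_TARGETS else "medium"
        findings.append({"target": target, "debugger": debugger, "severity": severity})
    return findings


# Constructed sample export: one hijack of WerFault.exe, one benign GlobalFlag
# entry, and one developer-style debugger attached to a user application.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe]
"Debugger"="C:\\Users\\Public\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Program Files\\Debugging Tools\\windbg.exe"
'''

if __name__ == "__main__":
    for hit in ifeo_debugger_hijacks(parse_reg_export(SAMPLE_REG)):
        print(f"[{hit['severity']}] IFEO Debugger on {hit['target']}: {hit['debugger']}")
```

Real `reg export` files are UTF-16 with a byte-order mark, so open them with `encoding="utf-16"` before passing the text in. Any Debugger value on WerFault.exe on a production host is a finding regardless of the path it points to; the medium-severity entries are where legitimate developer tooling shows up and deserve a look rather than an alert.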
2024-06-12 08:53:39 thehackernews MALWARE New WARMCOOKIE Backdoor Targets Job Seekers via Phishing
Researchers at Elastic Security Labs have uncovered a phishing campaign that uses recruitment themes to deliver a backdoor named WARMCOOKIE. Active since late April, it sends emails posing as recruiters that lead victims to download a malicious JavaScript file, which in turn fetches and installs the backdoor. WARMCOOKIE fingerprints the host, captures screenshots, and can drop and run further payloads. It persists via a scheduled task and includes anti-analysis checks to frustrate sandboxes and debuggers. Its command-and-control servers are hardcoded in the binary, pointing to a planned rather than opportunistic operation. The researchers see functional overlap with an earlier campaign that targeted manufacturing and healthcare organisations. The phishing and download sites are hosted on compromised infrastructure, which helps them pass reputation checks. The findings coincide with other vendors reporting a rise in phishing that abuses trusted user-interface elements and system prompts.
2024-06-12 08:07:33 thehackernews NATION STATE ACTIVITY China-Linked Hackers Exploit Fortinet Flaw, Infecting Global Systems
Chinese state-backed hackers exploited a critical flaw in Fortinet FortiGate appliances to compromise some 20,000 systems worldwide. The actor knew of the vulnerability, CVE-2022-42475, at least two months before Fortinet disclosed it, and compromised 14,000 devices during that zero-day window alone. Targets included Western governments, international organisations and defence contractors; one intrusion reached the Dutch armed forces' network. On selected devices the actor deployed the COATHANGER implant for persistent access, using the firewall as a launch point for further intrusion. It is unclear how many of the 20,000 devices received the implant, so the number of persistent compromises may be underestimated. The incident underscores the exposure of edge devices, which sit directly on the internet and usually cannot run EDR agents or other host-based defences.
2024-06-12 04:33:03 thehackernews MALWARE Microsoft Releases Patches for 51 Security Vulnerabilities in June 2024
Microsoft's June 2024 Patch Tuesday fixes 51 vulnerabilities: one rated Critical and 50 rated Important. The Critical bug, CVE-2024-30080, is a remote code execution flaw in Microsoft Message Queuing (MSMQ) triggered by a crafted MSMQ packet; it is only reachable when the MSMQ service is enabled and listening on TCP port 1801, so confirm the service is disabled on hosts that do not need it. The release also addresses CVE-2023-50868, a publicly known denial-of-service issue in which NSEC3 proof validation causes CPU exhaustion in DNSSEC-validating resolvers. Other notable fixes cover remote code execution in Microsoft Outlook and the Windows Wi-Fi Driver, and a series of privilege escalation bugs in components such as the Win32 Kernel Subsystem and the Cloud Files Mini Filter Driver. None of the vulnerabilities was reported as exploited in the wild at release time. Other vendors released security updates in the same cycle.