Daily Brief

Total articles found: 11823

2024-06-11 08:53:39 thehackernews MALWARE Advanced ValleyRAT Malware Targets China and Japan with New Tactics
Cybersecurity researchers have detected an enhanced version of the ValleyRAT malware, now equipped with additional capabilities like screenshot capture, process filtering, and logging activities management. The malware is linked to a China-based threat actor and is involved in phishing campaigns aimed at Chinese and Japanese organizations, suggesting a targeted cyber-espionage effort. ValleyRAT operates through a sophisticated multi-stage infection process, utilizing legitimate software to sideload malicious DLLs and establish persistence on the target system. The malware sequence starts with a downloader using HTTP File Server (HFS) to pull malicious files, which then decrypt to facilitate further downloads and execute operations to evade anti-malware tools. Once established, the malware uses a complex mechanism involving shellcode injection into the system processes to communicate with its command-and-control server and download the final payload. The latest findings come amidst other cybersecurity alerts, including the discovery of an updated Agent Tesla campaign targeting Spanish speakers, underlining the continuous evolution and diversification of cyber threats. The implications of such malware advancements stress the importance of robust cybersecurity measures and continuous system monitoring to mitigate potential risks from state-linked cyber activities and sophisticated malware campaigns.
2024-06-11 06:56:07 thehackernews DATA BREACH Snowflake Data Breach Affects 165 Companies in Extortion Scheme
Snowflake reported a significant data breach impacting 165 customer accounts, linked to an extortion campaign by threat group UNC5537. The breach, facilitated by stolen credentials, involved posting victim data for sale and attempting to extort affected customers. Mandiant, the threat intelligence firm tracking this operation, described the hackers as financially motivated and operating primarily in North America, with affiliates in Turkey. The hacking campaign exploited weaknesses such as insufficient multi-factor authentication, infrequent credential rotation, and lax access controls. Malware such as Lumma, MetaStealer, Raccoon, RedLine, RisePro, and Vidar was used to obtain the credentials, with infections often occurring on contractor devices engaged in high-risk behaviors. UNC5537 employed tools like FROSTBITE and DBeaver Ultimate to conduct reconnaissance and extract information from Snowflake systems. Snowflake is bolstering its security protocols, mandating advanced controls like MFA, and working closely with affected clients to improve defenses. The operation and its scale underscore the growing threat from credential theft and the commercialization of infostealer malware affecting many SaaS platforms.
2024-06-11 06:40:07 thehackernews MALWARE Arm Confirms Zero-Day Exploit in Mali GPU, Urges Updates
Arm has announced a zero-day vulnerability, CVE-2024-4610, in Mali GPU Kernel Drivers that is actively being exploited. The vulnerability, described as a use-after-free issue, allows unauthorized access to freed GPU memory. Affected drivers, specifically Bifrost and Valhall GPU Kernel Driver r41p0, have been patched as of November 2022. The current driver version, r49p0, was released in April 2024. The flaw has reportedly been exploited in real-world attacks, though Arm has not disclosed specific details. Previous CVEs in Mali GPU have been used in targeted spyware attacks by commercial vendors, notably affecting Android devices. Users of any affected products are strongly advised to update their systems to the latest secure driver version. Arm and security resources emphasize the importance of ongoing monitoring and regular updates to mitigate such vulnerabilities.
2024-06-11 03:31:39 theregister CYBERCRIME Over 165 Snowflake Customer Accounts Compromised by Cybercriminals
Mandiant reported that a cybercriminal group, using the identifier UNC5537, compromised over 165 Snowflake customer databases. The attackers, potentially linked with the Scattered Spider group (UNC3944), exploited stolen credentials to access and exfiltrate data. The breaches are traced back to compromised customer credentials rather than a breach of Snowflake’s corporate environment. Initial access was gained via Snowflake’s web-based user interface or a command line interface, using stolen credentials dating back to 2020. UNC5537 utilized a custom tool named "FROSTBITE" for recon and to exfiltrate data; compromised systems often lacked multi-factor authentication (MFA). The stolen data was sold online by May 2024, following the breach’s detection in April. Many affected systems belonged to contractors using personal devices for work, highlighting a key vulnerability. Mandiant recommends implementing MFA and regular credential rotation to prevent similar cybersecurity incidents.
2024-06-11 02:04:47 theregister CYBERCRIME Major Cyber Attack Disrupts Japanese Media Conglomerate Kadokawa
Kadokawa, a large Japanese media conglomerate, experienced a significant cyber attack, resulting in the shutdown of several servers including those for the video-sharing site Niconico and e-commerce service Ebiten. The attack was detected early on Saturday, June 8, and led to a four-day offline period for Kadokawa and its associated properties. A temporary static HTML site has been set up for Kadokawa's corporate site, while Niconico remains offline and is undergoing a complete rebuild. Early investigations into the attack are ongoing, with no clear resolution or understanding of the nature of the attack reported yet. The outage of Niconico, the second-most-popular video-sharing site in Japan, has profoundly impacted both viewers and the content creators who rely on it for income. Although the e-commerce service Ebiten is unable to send confirmation emails, it has reassured customers that product orders will still be fulfilled, indicating that some back-office functions remain operational. Kadokawa has disclosed no specific details about the cyber attack and has given no timeframe for when services will be fully restored.
2024-06-10 22:56:19 bleepingcomputer MALWARE Actively Exploited Vulnerability Identified in Arm GPU Drivers
Arm has reported a use-after-free (UAF) vulnerability in its Bifrost and Valhall GPU kernel drivers, affecting versions r34p0 through r40p0. Tracked as CVE-2024-4610, this vulnerability allows unprivileged users to execute arbitrary code by accessing freed memory. The flaw has been confirmed to be exploited in the wild, posing significant security risks for device users. Arm released a patch (version r41p0) in November 2022 to address this issue, with the latest available version being r49p0. There may be delays in patch delivery to end users due to complex supply chain interactions among Arm, device manufacturers, and carriers. Bifrost and Valhall GPUs are integrated into a wide range of devices, including smartphones, tablets, Chromebooks, and embedded systems. Some older devices with these GPUs may not receive security updates, leaving them vulnerable to exploitation.
2024-06-10 22:25:36 bleepingcomputer CYBERCRIME GitHub Phishing Attacks Exploit Notifications for Extortion
GitHub users are being targeted by phishing attacks impersonating official security and recruitment emails. Attackers use malicious OAuth apps to gain unauthorized access to private repositories and user data. Victims receive deceptive emails after being tagged in manipulated comments or pull requests. Phishing sites, disguised as GitHub career pages, trick victims into authorizing harmful OAuth apps. Compromised accounts result in wiped repositories and locked-out users, with attackers demanding contact via Telegram for data restoration. GitHub has been aware of and addressing the issue since February, advising users to report any suspicious activities. Previous related phishing incidents in September 2020 involved fake CircleCI notifications aimed at stealing GitHub credentials.
2024-06-10 21:59:57 bleepingcomputer MISCELLANEOUS Apple Unveils 'Apple Intelligence' with Privacy-Focused AI
Apple introduced its generative AI feature, 'Apple Intelligence,' at the 2024 Worldwide Developer Conference, enhancing user experience across its devices. The feature integrates into iOS 18, iPadOS 18, and macOS Sequoia, offering personalized AI capabilities using data from the device like emails and images. 'Apple Intelligence' facilitates on-device processing for improved privacy, storing data semantically and enabling AI-generated content and data retrieval via human language queries. Privacy is a key component, with most processing done locally and complex queries handled by 'Private Cloud Compute' servers that ensure data is not stored or accessible by Apple employees. The AI feature is limited to newer hardware such as the iPhone 15 Pro and devices with M1 chips or later, maintaining high performance and security standards. Apple partners with OpenAI, allowing Siri to enhance its responses using ChatGPT for complex inquiries, with anonymity protocols for external requests. Despite strong privacy measures, uncertainties remain about the security of the semantic index used for 'Apple Intelligence,' especially considering past malware challenges on macOS and iOS systems.
2024-06-10 21:39:25 bleepingcomputer MALWARE Critical Security Vulnerabilities Found in Netgear WNR614 Router
Researchers at RedFox Security identified six significant vulnerabilities in the Netgear WNR614 N300 router, affecting numerous users. These flaws range from authentication bypasses and weak password policies to plain text storage of passwords and exposure of WPS PINs. Key vulnerabilities include unauthorized administrative access, interception of sensitive data, and potential for network manipulation. The identified router model has reached end-of-life (EoL) status and is no longer supported by Netgear, meaning no fixes will be issued. Despite its discontinuation, the WNR614 remains widely used in home and small business environments due to its previously noted reliability. For users unable to replace their outdated devices immediately, applying specific mitigations to prevent exploitation is highly recommended. Ultimately, users are encouraged to switch to actively supported router models to ensure network security and protect sensitive data.
2024-06-10 17:47:30 bleepingcomputer DATA BREACH Cylance Confirms Data Breach via Third-Party Platform Link
Cylance acknowledged a data breach involving old data sold by a threat actor named Sp1d3r for $750,000 on a hacking forum. The compromised data includes 34,000,000 customer and employee emails and personally identifiable information, originally from 2015 to 2018. This breached data was accessed through a third-party platform and appears to be unrelated to BlackBerry's direct systems or sensitive customer information. The incident has been linked to the recent Snowflake attacks affecting several firms, indicating a widespread campaign exploiting systems without multi-factor authentication. Mandiant's report connects these Snowflake attacks to a financially motivated group known as UNC5537, which used stolen credentials obtained via infostealer malware. Despite the breach, BlackBerry Cylance assured that no current customers or sensitive operations were impacted. Multiple organizations worldwide have been affected by similar breaches due to compromised and reused credentials from as far back as 2020.
2024-06-10 17:01:24 theregister DATA BREACH Christie's Auction House Reports Data Theft Affecting 45K Clients
Christie's confirmed a data breach impacting 45,798 individuals following a cyberattack, disputing the initial claims by RansomHub of over 500,000 affected. The stolen data included names and ID document numbers, with additional details such as birthplace, birth dates, and addresses claimed by the attackers. Christie's has engaged external cybersecurity experts, notified law enforcement, and provided affected clients with one year of credit monitoring services. The cyberattack occurred between May 8 and May 9, 2024, with unauthorized access gained and data copied from Christie's systems. Despite RansomHub's public threats to leak or auction the stolen data, Christie's indicated that there has been no evidence so far of the information being misused. RansomHub's final claim of auctioning the stolen data is suspected to be a facade to cover their inability to monetize the stolen information effectively. The issue became public after RansomHub named and shamed Christie’s on their leak blog, forcing the auction house's response. Christie's maintained they didn’t pay the demanded ransom. The data breach was publicly disclosed shortly before an $840 million auction, underlining significant timing related to Christie's operational activities.
2024-06-10 15:44:14 bleepingcomputer CYBERCRIME London Hospitals Experience Blood Shortages After Ransomware Attack
A ransomware attack by the Russian cybercrime group Qilin disrupted multiple NHS hospitals in London on June 4, impacting their blood transfusion services. England's NHS Blood and Transplant (NHSBT) has issued an urgent appeal for O Positive and O Negative blood donors following the cybersecurity incident. The attack on the pathology provider Synnovis has jeopardized the ability of hospitals to match blood donor and recipient types, increasing the risk of transfusion mismatches. Due to the compromised system, hospitals are now relying on O Negative and O Positive blood types, which can be safely transfused to the majority of patients. This reliance has led to a significant depletion in reserves of these blood types, as they are being used more frequently to ensure patient safety during surgeries and procedures. Synnovis has not provided any updates since the attack, and recovery efforts are ongoing with no clear timeline for the restoration of normal operations. The NHSBT emphasizes the need for continual replenishment of blood stocks, especially the O blood types, to maintain safe and functional healthcare services amidst the crisis.
2024-06-10 15:33:47 thehackernews MALWARE More_eggs Malware Phishing Scam Targets Industrial Recruiters
A phishing attack distributing More_eggs malware targeted an industrial services company's recruiter, disguised as a resume. The malware, linked to the group Golden Chickens (Venom Spider), functions as a Malware-as-a-Service (MaaS), designed to harvest sensitive information. The attack involved fake LinkedIn job applications that directed recruiters to a harmful download site, masking the payload as a resume. The malware deploys a malicious Windows Shortcut file to execute a DLL using legitimate Windows programs, establishing persistence and extracting data. After the initial setup, additional payloads, including the More_eggs backdoor, are deployed to further compromise the system. The cybersecurity firm eSentire identified the operation managers of this attack in the previous year, enhancing the understanding of the threat landscape. Similar social engineering tactics have been observed in other phishing campaigns, including fake sites for legitimate tools targeting broad user bases. Insight into the ongoing phishing efforts underscores the need for heightened security awareness and robust defenses against such socially engineered attacks.
2024-06-10 15:08:00 bleepingcomputer CYBERCRIME Critical Authentication Bypass Flaw in Veeam, Immediate Patch Required
A public proof-of-concept exploit targets a critical vulnerability in Veeam Backup Enterprise Manager (CVE-2024-29849). The flaw allows unauthenticated remote attackers to log in as any user via the web interface. The exploit leverages a specially crafted SSO token sent to an insecure REST API service, which fails to verify the token's source. Attackers can gain administrative access by manipulating XML response validation via a rogue server. Veeam has urgently recommended upgrading to VBEM version 12.1.2.172 to mitigate the flaw and has provided interim mitigation tips. No actual exploitation of this vulnerability has been detected in the wild yet, but the availability of the PoC greatly increases the risk. Immediate action by administrators is crucial to prevent potential unauthorized access to and control over Veeam-managed backup systems.
2024-06-10 15:02:29 bleepingcomputer DATA BREACH Joint UK-Canada Investigation into 23andMe Data Breach
Privacy authorities in Canada and the UK are investigating the 23andMe data breach to determine the extent of exposure of sensitive customer information. The investigation focuses on whether 23andMe had adequate security measures to protect customer data and complied with notification obligations under privacy laws. The breach involved attackers using stolen credentials in a five-month long credential-stuffing attack, affecting millions of customers. Compromised data included health reports, raw genotype data, and personal attributes, with some information leaked on online platforms. 23andMe has since implemented mandatory password resets and enabled two-factor authentication for all users to enhance security. Health and genetic data of millions, including specific demographic groups, were notably affected, raising significant privacy concerns. Following the breach and subsequent customer impacts, 23andMe faces multiple lawsuits and has updated its Terms of Use to limit class action participation. The breach highlights the growing need for robust cybersecurity measures and thorough compliance with global data protection regulations in handling sensitive personal data.