Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12779
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-08-15 02:54:19 | theregister | NATION STATE ACTIVITY | China-Linked Cyber-Spies Launch Malware Attacks on Russia | Cyber-spies with possible connections to China have infiltrated Russian government and IT sectors since late July. The malicious campaigns use phishing emails to install backdoors and trojans on dozens of devices, with cloud services such as GitHub and Dropbox serving as command-and-control servers. Two China-nexus groups, APT27 and APT31, are implicated, with the malware linking back to previous campaigns. The attackers employ DLL sideloading, disguised within legitimate-looking files, to execute malicious code and extend their control. The malware includes a trojan named GrewApacha, consistent with tactics seen in 2021 and 2023, and a modified version of the CloudSorcerer backdoor. The recently discovered PlugY implant provides extensive command functionality, including keystroke logging and remote command execution. Analysis indicates that the EastWind campaign's malware shares similarities with tools used by nation-state-backed groups, suggesting active collaboration and tool-sharing among these entities. | Details |
| 2024-08-14 23:14:13 | bleepingcomputer | CYBERCRIME | Russian Cybercriminal Sentenced for Selling Stolen Credentials | Georgy Kavzharadze, a 27-year-old Russian national, was sentenced to 40 months in prison for selling over 300,000 stolen account credentials on the Slilpp marketplace. Slilpp was the largest online platform for trading stolen login details until its closure in June 2021 by international law enforcement. Kavzharadze operated under multiple aliases and engaged in these activities from July 2016 until May 2021, enabling large-scale financial fraud. The credentials sold were linked to approximately $1.2 million in fraudulent or attempted financial transactions, primarily affecting U.S. bank accounts. Payment for the stolen credentials was made exclusively in Bitcoin, linking Kavzharadze to over $200,000 in withdrawals from the proceeds. Arrested following a coordinated multi-country operation, Kavzharadze was charged with multiple fraud-related offenses and extradited to the U.S., where he pleaded guilty in February 2024. Slilpp's takedown was part of a larger ongoing international effort to combat cybercrime, which includes the seizure of other significant cybercrime marketplaces and the arrest of other high-profile operators. | Details |
| 2024-08-14 21:21:56 | bleepingcomputer | MALWARE | Critical Windows TCP/IP Bug Exploitable via IPv6, Urgent Patch Required | Microsoft has issued a warning about a critical remote code execution (RCE) vulnerability in the TCP/IP stack affecting all Windows systems using IPv6. The vulnerability, tracked as CVE-2024-38063, allows unauthenticated attackers to execute arbitrary code on affected systems by sending specially crafted IPv6 packets. Given the simplicity of the attack and Microsoft's "exploitation more likely" assessment, there is a high risk that attackers will develop exploit code targeting this flaw. The flaw is described as wormable because it can spread malware from one vulnerable computer to another without user interaction. Microsoft advises customers to apply the latest security updates, or to disable IPv6 as a temporary workaround, although the latter is not recommended because of potential system disruption. Previous IPv6 vulnerabilities patched by Microsoft suggest a recurring issue with IPv6-enabled devices, heightening concern over similar exploits in future. Enterprises are urged to prioritize this update to mitigate the potential for widespread breaches facilitated by this vulnerability. | Details |
| 2024-08-14 20:56:09 | bleepingcomputer | MALWARE | Critical Wormable IPv6 Flaw in Windows Requires Immediate Patching | Microsoft has issued a warning regarding a critical TCP/IP remote code execution vulnerability (CVE-2024-38063) affecting all Windows systems with IPv6 enabled. The vulnerability arises from an integer underflow weakness that allows attackers to execute arbitrary code via buffer overflows triggered by specially crafted IPv6 packets. Microsoft has assessed the flaw as "exploitation more likely", and it poses a significant risk because it can be exploited remotely in simple, unauthenticated attacks. Disabling IPv6 is a temporary mitigation suggested by Microsoft, though IPv6 is typically enabled by default and crucial to system operation on newer Windows platforms. Dustin Childs of Trend Micro's Zero Day Initiative describes the vulnerability as wormable, meaning it can spread from one infected computer to others without user interaction. Microsoft stresses immediate patching because of the severity and potential for widespread impact, reminiscent of past vulnerabilities exploitable through IPv6. Despite the recommendation against disabling IPv6, users without immediate access to patches should consider doing so to reduce the attack surface temporarily. | Details |
| 2024-08-14 20:20:17 | bleepingcomputer | DATA BREACH | High-Profile Open-Source Projects Leak GitHub Auth Tokens | Palo Alto Networks’ Unit 42 discovered that numerous high-profile open-source projects were inadvertently leaking GitHub authentication tokens through GitHub Actions artifacts. The leaks originated in CI/CD workflows of projects by major corporations such as Google, Microsoft, AWS, and Red Hat. Exposed tokens could allow attackers to access private repositories, steal or alter source code, or introduce malicious code into software projects. The issue stems from a combination of insecure default settings, user misconfigurations, and insufficient security practices in handling CI/CD artifacts. GitHub has placed the onus on users to secure their artifacts, deciding against platform-wide fixes to address the token leakage risk. Unit 42 highlighted the potential for attackers to exploit the issue with scripts that locate and download exposed artifacts from public repositories. Recommended mitigations include adjusting GitHub Actions default settings, sanitizing logs, regularly reviewing CI/CD settings, and applying least-privilege token permissions. | Details |
| 2024-08-14 19:34:10 | bleepingcomputer | NATION STATE ACTIVITY | NIST Introduces Encryption Standards for Quantum Resistance | The U.S. National Institute of Standards and Technology (NIST) has announced the release of three new encryption standards aimed at countering potential future cyberattacks leveraging quantum computing. The standards, named ML-KEM, ML-DSA, and SLH-DSA, were developed after nearly a decade of evaluation involving 82 candidate algorithms. The urgency of adopting these quantum-resistant algorithms arises from the potential of quantum computers, with their advanced computational capabilities, to break current public-key cryptography very quickly. NIST advises system administrators to begin transitioning to the new encryption methods as soon as possible to safeguard sensitive information against future threats. Several tech giants and privacy-conscious companies, including Google, Apple, and Zoom, have already begun incorporating NIST-approved post-quantum algorithms to protect data in transit. Despite ongoing evaluation and initial confidence in the new standards, the lack of fully operational quantum computers limits comprehensive testing and complete assurance of their effectiveness. These efforts are part of a larger initiative to prepare organizations for adopting quantum-resistant technologies in response to the future cybersecurity challenges posed by advances in quantum computing. | Details |
| 2024-08-14 18:47:58 | theregister | NATION STATE ACTIVITY | Russian Cyberspies Conduct Major Phishing Operation in the West | Russian FSB-backed groups COLDRIVER and COLDWASTREL have launched a significant phishing campaign, termed "River of Phish", to extract credentials and 2FA tokens from Western targets. The espionage effort, ongoing since 2022, specifically targets Russian opposition exiles, NGOs across Russia, the US and Europe, media, US think tanks, and former government officials. COLDRIVER has also attempted to infiltrate the email networks of the US defense and energy sectors, posing heightened risks to national security. The attacks begin with deceptive emails that mimic familiar contacts and entice victims to click malicious links inside seemingly benign PDF documents, harvesting user data. Despite the extensive phishing operations, no spyware or malware was detected on victims' devices; the focus remains on stealing account credentials through crafted social engineering. The operation's tactics include impersonating US government personnel, with the attack vectors and language-based lures differing between COLDRIVER and COLDWASTREL. Citizen Lab, in collaboration with Access Now, is actively monitoring these threats, noting potentially serious consequences for targeted individuals, including imprisonment or physical harm. The campaign is suspected to extend beyond the organizations directly investigated and continues to pose a significant threat to global internet security. | Details |
| 2024-08-14 18:12:09 | theregister | DATA BREACH | Texas Sues GM for Unauthorized Sale of Driver Data | Texas has filed a lawsuit against General Motors (GM) for allegedly selling driver data to third parties without consent. The data includes vehicle usage details such as speeds, seatbelt usage, and GPS locations, used to create driving scores. Over 16 million customers were affected, approximately 1.8 million of them residing in Texas. The data was sold to data analytics and insurance companies, influencing insurance rates and coverage terms. GM and its subsidiary OnStar allegedly made significant profits from these data sales, including lump-sum payments and royalties. The lawsuit challenges GM's claim that vehicle owners consented to data collection and sharing, arguing that consent was not clearly informed. The Texas Attorney General condemned GM's practices as a violation of privacy and the law, with ongoing measures to ensure consumer privacy. | Details |
| 2024-08-14 17:15:38 | thehackernews | MALWARE | Black Basta Group Uses SystemBC in Recent Social Engineering Attacks | An ongoing cyberattack campaign linked to the Black Basta ransomware group is using SystemBC malware to facilitate credential theft and data exfiltration. Attackers initiate contact through phishing emails, followed by deceptive phone calls, often made through Microsoft Teams, in which they pose as IT support offering fraudulent fixes. Victims are manipulated into installing legitimate remote access tools such as AnyDesk, which the attackers then use to deploy malware and steal sensitive information. The malware includes a fake "AntiSpam.exe" file that tricks users into entering their Windows credentials and launches multiple malicious scripts and executables. Malware loaders such as SocGholish, GootLoader, and Raspberry Robin have been identified as prevalent tools in 2024 for delivering ransomware and other payloads. Cybercriminal forums offer malware loaders on subscription models, enabling less technically skilled criminals to execute complex attacks. Advanced detection mechanisms and continuous security improvement are necessary in the face of evolving tactics such as obfuscated scripts, memory injection, and new loader features aimed at evading detection. The increasing use of fake QR codes and social media targeting underscores the need for robust measures to safeguard user credentials and prevent unauthorized access. | Details |
| 2024-08-14 17:04:57 | theregister | CYBERCRIME | Enzo Biochem Fined $4.5M for Security Failures Post-Ransomware | Enzo Biochem has been fined $4.5 million by the attorneys general of New York, New Jersey, and Connecticut following a ransomware attack that exposed the data of over 2.4 million people. The investigation pinpointed poor cybersecurity practices at Enzo, including the sharing of outdated credentials and the absence of multi-factor authentication. The majority of the fine will go to New York, where most affected individuals reside, with smaller portions allotted to New Jersey and Connecticut. The forensic review found that Enzo lacked data encryption on some servers and desktops, had informal risk assessment procedures, and relied on manual monitoring of network activity. New Jersey’s attorney general emphasized the importance of robust cybersecurity, especially for healthcare firms, to protect sensitive health information. Since the incident, Enzo has invested significantly in cybersecurity enhancements, including implementing an endpoint detection and response system, mandating multi-factor authentication, and moving to a Zero Trust security model. No ransomware group has claimed responsibility for the attack, despite its being part of a broader wave of attacks on healthcare organizations in 2023. | Details |
| 2024-08-14 16:39:07 | bleepingcomputer | CYBERCRIME | AutoCanada Experiences Cyberattack, Faces IT System Disruptions | AutoCanada, a major car dealership group, was the target of a cyberattack that affected its internal IT systems last Sunday. The company has engaged external cybersecurity experts for containment and remediation after taking immediate action to protect its network and data. It remains unclear whether any customer, supplier, or employee data was compromised, as the investigation continues. Although AutoCanada's business operations remain open, disruptions are expected until systems are fully restored. AutoCanada operates 66 franchised dealerships in Canada and 18 in the U.S., employing over 4,700 people and generating over $6 billion in revenue last year. The nature of the cyberattack is still under investigation, with no claim of responsibility from major ransomware groups yet. The incident follows a recent IT outage at CDK Global caused by the BlackSuit ransomware attack, which also affected AutoCanada and caused significant operational disruption. | Details |
| 2024-08-14 15:27:16 | bleepingcomputer | MALWARE | SolarWinds Addresses Critical RCE Vulnerability in Help Desk Software | SolarWinds has issued a security advisory for a critical remote code execution (RCE) vulnerability in its Web Help Desk software, affecting all versions. The vulnerability, tracked as CVE-2024-28986, is a Java deserialization flaw that could allow attackers to execute commands on the host machine. Though initially reported as unauthenticated, SolarWinds' engineers were able to reproduce the issue only with authentication. The vulnerability carries a severity score of 9.8 out of 10, indicating a critical risk level. SolarWinds released a hotfix applicable only to Web Help Desk version 12.8.3.1813 and provided detailed guidance on applying it. The company strongly recommends that all users update to the latest version and apply the hotfix immediately. Admins are advised to back up existing files before applying the hotfix, to avoid problems if the update is applied incorrectly. | Details |
| 2024-08-14 14:05:13 | theregister | MISCELLANEOUS | Palo Alto Networks Apologizes for Controversial Event Stunt | Palo Alto Networks faced significant backlash after women were made to wear lampshades over their faces at a Black Hat event, leading to accusations of misogyny. The women, dressed as lamps, stood at the entrance of a networking event, and critics said the stunt sexualized and objectified them as mere props. Security architect Sean Juroviesky highlighted the marketing tactic on LinkedIn, prompting widespread condemnation from the cybersecurity community. Palo Alto's CMO Unnikrishnan KP and CEO Nikesh Arora issued apologies, describing the stunt as "tone-deaf" and "unacceptable" and not reflective of the company's values. The company has since reviewed and reinforced its brand representation guidelines to better align with its diversity and inclusion principles. Criticism extended beyond the event, with professionals commenting on the broader implications for gender representation in tech and suggesting more inclusive and respectful marketing strategies. The incident has sparked wider discussion of corporate responsibility and the need to uphold ethical standards in promotional activities. | Details |
| 2024-08-14 12:07:24 | thehackernews | CYBERCRIME | Belarusian-Ukrainian Hacker Faces U.S. Charges for Ransomware Crimes | Maksim Silnikau, a dual national of Belarus and Ukraine, was extradited to the U.S. from Poland to face charges involving ransomware and wire fraud. Silnikau, known by pseudonyms such as J.P. Morgan and lansky, was involved in creating and spreading ransomware such as Reveton and the Angler Exploit Kit. His cybercrime activities reportedly netted approximately $400,000 monthly from Reveton victims and $34 million annually at Angler's peak. He used malvertising to distribute malware and scam content, tricking users into surrendering sensitive personal and financial information. Stolen data and device access were sold on Russian cybercrime forums, showing the extensive reach of his criminal network. The U.S. Department of Justice also accuses Silnikau of developing the Ransom Cartel ransomware, advancing cybercriminal methods and tools. He faces more than 50 years in prison if convicted on all counts, reflecting the severity of his multi-year cybercriminal activity. The case showcases international cooperation in the fight against cybercrime, involving agencies from the UK, Spain, Poland, and the U.S. | Details |
| 2024-08-14 11:31:31 | thehackernews | CYBERCRIME | Enhancing Password Security with External Attack Surface Management | Traditional password security is inadequate in the face of the evolving cyber threat landscape. Active Directory security should be prioritized with strong password requirements and safeguards against reused or compromised passwords, using tools such as Specops Password Policy. External Attack Surface Management (EASM) tools identify and catalog an organization’s publicly accessible digital assets, scanning them for vulnerabilities and security risks. EASM solutions provide continuous monitoring, real-time feedback, and actionable recommendations for mitigating vulnerabilities, strengthening the organization's defensive posture. EASM tools improve password security by monitoring for leaked credentials, detecting compromised accounts, and helping prioritize responses to high-risk exposures. Combining strong internal password policies with EASM enables organizations to manage both internal and external security threats effectively. This integrated approach offers comprehensive protection against credential-based attacks and a robust defense of the organization’s digital infrastructure. Organizations are encouraged to map their external attack surface and integrate strategies such as EASM to ensure sensitive information is protected against cyber threats. | Details |