Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-07 11:15:21 | thehackernews | MISCELLANEOUS | Enhancing Security with Advanced SCA Tools and Strategies | Traditional Software Composition Analysis (SCA) tools often create alert fatigue and fail to address the full spectrum of third-party risk in software supply chains. They are proficient at identifying known vulnerabilities in dependencies but fall short at detecting emerging threats and unknown attack vectors, leaving significant security gaps. Newer tools and strategies are needed to handle these systemic challenges and secure software supply chains against rising threats. Myrror Security's new guide discusses the shortcomings of traditional SCA tools and offers insights into more comprehensive approaches. According to Gartner, 45% of organizations will have experienced a software supply chain attack by 2025, which highlights the urgency of adopting improved measures. The guide is aimed at application security professionals looking to strengthen their posture against software supply chain risk. Continuous discovery and proactive management of exposures, combined with penetration testing and red teaming, are recommended to maintain a robust defense against evolving threats. | Details |
| 2024-06-07 11:10:03 | thehackernews | MISCELLANEOUS | Tech Giants Tackle AI Challenges, Privacy Issues, and Security Risks | Google has issued new guidelines for third-party Android app developers on the responsible use of generative AI, aimed at preventing the generation of harmful content. Meta faces a GDPR complaint from the privacy group noyb, which criticizes the company's plan to use users' public data to train its AI systems without adequate consent. Microsoft's AI feature Recall has come under fire over the privacy and security risks of its design, which periodically captures screenshots of the user's PC and stores them locally. Researchers demonstrated that the sensitive information in Recall's local database could be accessed and extracted without admin rights. These developments underscore the growing scrutiny of AI technologies and the tension between innovation and user privacy and security. Both Meta and Microsoft are adjusting their plans in response to the feedback and legal challenges. | Details |
| 2024-06-07 10:33:42 | theregister | DDOS | Russian Hacktivists Threaten DDoS Attacks During EU Elections | The Russian hacktivist group NoName057(16) has announced plans to attack EU internet infrastructure during the four-day EU election period. The group frames the attacks as retaliation for EU sanctions and what it calls unfair treatment of Russia, including the EU's dismissal of its genocide claims about Ukraine's Donbas region. NoName057(16) says seven other pro-Russian groups, plus unnamed teams, will take part. The specifics were not detailed, but the activity is likely to consist of DDoS (distributed denial-of-service) attacks of the kind the groups have previously directed at Ukrainian and European targets. Hacktivist targeting has recently broadened to critical infrastructure, including water and wastewater systems across North America and Europe. Security analysts warn that such threats are intended to undermine confidence in election security and should be reported with caution, so as not to amplify the effect the actors are seeking. Official responses have been muted, with the European Parliament yet to comment, but Dutch political parties have already been hit by DDoS attacks attributed to HackNeT, another group involved in the announced campaign. | Details |
| 2024-06-07 07:55:48 | thehackernews | CYBERCRIME | FBI Releases 7,000 LockBit Ransomware Decryption Keys to Aid Victims | The FBI has obtained over 7,000 decryption keys linked to the LockBit ransomware and is offering them to affected organizations at no charge. Victims are encouraged to report incidents to the FBI through the Internet Crime Complaint Center (IC3) for recovery support. The LockBit operation was heavily disrupted in February by an international law enforcement action called Operation Cronos. Dmitry Yuryevich Khoroshev, the alleged LockBit administrator, was identified, and he has reportedly engaged with law enforcement and offered information on rival ransomware operators. Despite these setbacks, LockBit remains operational but less prolific, ranking behind other ransomware groups in recent activity according to Malwarebytes data. The FBI advises against paying ransoms, as there is no assurance that stolen data will not be leaked or reused for further extortion. According to the Veeam Ransomware Trends Report 2024, businesses recover on average only 57% of the data affected by ransomware, underscoring the risk of significant data loss. New ransomware variants continue to emerge and adapt, including a recent Linux variant that targets VMware ESXi environments and uses compromised Microsoft SQL servers for initial access. | Details |
| 2024-06-07 07:40:20 | bleepingcomputer | NATION STATE ACTIVITY | Ukraine Defense Targeted by Hackers Using SyncThing Tool | Ukraine's CERT-UA has identified a new campaign, tracked as "SickSync", in which the group UAC-0020 (Vermin) targets Ukrainian defense forces. Vermin is linked to the security services of the Russian-occupied Luhansk People's Republic (LPR), and its activity serves Russian interests. The attack starts with a phishing email carrying a malicious RARSFX (self-extracting RAR) archive that deploys the SyncThing client and the SPECTR malware. SyncThing, legitimate file-synchronization software, is abused to set up a peer-to-peer connection over which the stolen data is exfiltrated without obviously malicious traffic. SPECTR steals documents and account passwords and stages the stolen data in modified directory structures that SyncThing then synchronizes out. CERT-UA advises treating any interaction with SyncThing's infrastructure as a potential sign of compromise that warrants immediate investigation. | Details |
| 2024-06-07 07:14:36 | thehackernews | NATION STATE ACTIVITY | Espionage Campaign SPECTR Malware Targets Ukrainian Defense | Ukraine's CERT-UA has warned of espionage attacks on its defense forces that use the SPECTR malware as part of the SickSync campaign. The threat actor, UAC-0020 (also known as Vermin), is believed to be linked to the security agencies of the Russian-backed Luhansk People's Republic. The attacks begin with spear-phishing emails carrying a RAR archive that contains a decoy PDF, a legitimate copy of the SyncThing application, and a script that launches the malware. SPECTR captures screenshots, harvests data from the device, and steals credentials from various messaging and communication applications. SyncThing's legitimate synchronization functionality is then abused to exfiltrate the stolen information over a peer-to-peer connection. This resurgence of Vermin continues its phishing operations against Ukrainian state entities, which date back to 2015. Separately, CERT-UA reported the use of Signal to deliver the DarkCrystal RAT, and attacks by Belarus-linked hackers using Excel documents aimed at the Ukrainian Ministry of Defense. | Details |
| 2024-06-07 06:28:36 | theregister | MISCELLANEOUS | Proofpoint Shuts Down SORBS, Triggers Community Movement | Proofpoint has decommissioned SORBS, the spam blocklist service, which ceased operation on June 5, 2024. SORBS, established by Michelle Sullivan more than twenty years ago, provided a comprehensive DNS-based blocklist (DNSBL) reportedly used by over 200,000 organizations. The service listed over 12 million hosts associated with spam, phishing, or malware, and was a significant input to email threat filtering. Although the code base is intact and reviving SORBS would be feasible, Proofpoint has cited sustainability issues and has not endorsed a replacement. Concern is growing within the anti-spam community that spammers might try to acquire the SORBS name or infrastructure for malicious purposes. Transparency and rigorous documentation of SORBS's listing procedures have historically underpinned its credibility. The anti-spam community is actively exploring alternative operators to continue the service, aiming to preserve its utility and integrity. | Details |
| 2024-06-07 05:52:38 | theregister | CYBERCRIME | FBI Offers LockBit Victims Decryption Keys Amid Ongoing Threats | The FBI, together with international partners, disrupted the LockBit ransomware operation and identified its key suspect, Dmitry Khoroshev. Over 7,000 decryption keys were recovered during the disruption, and the FBI is offering them to victims to aid data recovery. Despite the disruption, recent activity, including an attack on the Canadian pharmacy chain London Drugs, shows the group is still active. The FBI warns that paying a ransom does not guarantee the future safety of stolen data; LockBit and its affiliates may still hold copies. Bryan Vorndran stressed prevention as the most effective defense against ransomware and encouraged cross-sector partnerships to strengthen cybersecurity. The FBI says it remains in communication with Khoroshev, even though, residing in Russia, he is unlikely to face trial in the US or in any other Western nation that has charged him. | Details |
| 2024-06-07 05:16:54 | thehackernews | MALWARE | Commando Cat Cryptojacking Exploits Misconfigured Docker Servers | The Commando Cat threat group is running a cryptojacking campaign that targets insecure Docker instances to mine cryptocurrency. The attackers create a container from the image cmd.cat/chattr and use command-and-control (C&C) servers to download the miner payloads. Initial access comes through Docker remote API servers exposed without authentication; once a container is created with the host filesystem mounted, the attackers use the chroot command to break out onto the host and deploy their payloads. The campaign also drops an IRC bot believed to be ZiggyStarTux, a derivative of the Kaiten (Tsunami) malware, and uses the legitimate-looking container as a hosting and execution environment to avoid attracting attention. Trend Micro highlights how common Docker misconfigurations allow such attacks to proliferate undetected. Separately, Akamai reports the exploitation of old ThinkPHP flaws by a Chinese-speaking actor that deploys the Dama web shell for extensive control of compromised systems. These incidents underline the persistent risk of exposed or misconfigured Docker daemons and the need for comprehensive hardening and monitoring. | Details |
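The two preconditions of the Commando Cat chain described above are both visible from the host: a Docker daemon listening on TCP without TLS client verification, and a container created with the host root bind-mounted (the `chroot` target). The audit below is an added example, not Trend Micro's or the campaign's code; the `daemon.json` and `docker inspect` records are constructed samples, and the list of sensitive host paths is this example's own choice.

```python
"""Audit checks for the Commando Cat pattern: a Docker daemon whose remote API
is reachable without authentication, and containers created with the host root
bind-mounted so that `chroot` inside the container yields a shell on the host.

Added example, not code from Trend Micro or from the campaign. The daemon
config and `docker inspect` records below are constructed samples.
"""
import json

# Constructed /etc/docker/daemon.json: API bound to all interfaces, no TLS.
# "hosts" and "tlsverify" are real dockerd settings.
DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})

# Constructed subset of `docker inspect` output for three containers.
INSPECT_DOCS = [
    {"Name": "/web", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False, "PidMode": "",
                    "Binds": ["webdata:/usr/share/nginx/html"]}},
    {"Name": "/sweet_hopper", "Config": {"Image": "cmd.cat/chattr"},
     "HostConfig": {"Privileged": False, "PidMode": "",
                    "Binds": ["/:/host"]}},
    {"Name": "/busy", "Config": {"Image": "alpine:3.19"},
     "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": []}},
]

# Host paths that hand a container control of the host when mounted
# (this example's own list, not an exhaustive one).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock")


def daemon_findings(daemon_json: str) -> list[str]:
    """Flag TCP listeners that are not protected by TLS client verification."""
    cfg = json.loads(daemon_json)
    out = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            out.append(f"remote API on {host} without TLS client auth")
    return out


def container_findings(doc: dict) -> list[str]:
    """Flag host-escape primitives in one `docker inspect` record."""
    name = doc["Name"].lstrip("/")
    image = doc["Config"]["Image"]
    hc = doc["HostConfig"]
    out = []
    if hc.get("Privileged"):
        out.append(f"{name} ({image}): privileged container")
    if hc.get("PidMode") == "host":
        out.append(f"{name} ({image}): shares the host PID namespace")
    for bind in hc.get("Binds", []):
        src, _, rest = bind.partition(":")      # "host:container[:opts]"
        dst = rest.split(":")[0]
        # Named volumes ("webdata") never start with "/" and are not host paths.
        if src in SENSITIVE_HOST_PATHS or \
                any(src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS[1:]):
            out.append(f"{name} ({image}): host path {src} mounted at {dst}"
                       + (" (chroot target)" if src == "/" else ""))
    return out


def audit(daemon_json: str, inspect_docs: list[dict]) -> list[str]:
    """Daemon findings followed by per-container findings."""
    findings = daemon_findings(daemon_json)
    for doc in inspect_docs:
        findings.extend(container_findings(doc))
    return findings


if __name__ == "__main__":
    for line in audit(DAEMON_JSON, INSPECT_DOCS):
        print("FINDING:", line)
```

On a real host, feed `daemon_findings` the contents of `/etc/docker/daemon.json` (or the `dockerd` command line) and `container_findings` the output of `docker inspect` for each container; the `/:/host` finding is the one that corresponds to the chroot step in the campaign.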
| 2024-06-07 01:17:40 | theregister | MALWARE | Critical RCE Vulnerability in Apache HugeGraph Could Allow Full Control | Apache HugeGraph has a critical remote code execution (RCE) flaw, CVE-2024-27348, rated CVSS 9.8, that affects versions before 1.3.0 and was disclosed in April. The vulnerability allows an attacker to bypass the server's sandbox restrictions and execute arbitrary code by sending crafted Gremlin commands to the Gremlin API. Proof-of-concept (PoC) exploit code is now publicly available on GitHub, raising the likelihood of exploitation. An attacker who exploits the flaw could take complete control of the affected server, potentially leading to data theft, network surveillance, or ransomware deployment. Upgrading to Apache HugeGraph 1.3.0, running it on Java 11, and enabling the Auth system are strongly recommended to mitigate the vulnerability. Enabling the "Whitelist-IP/port" function is also advised to restrict access to the RESTful API. The flaw was reported by a researcher from a Chinese cloud security vendor, illustrating the value of community contributions to software security. Industry experts urge immediate updates given HugeGraph's wide use and the criticality of the flaw. | Details |
| 2024-06-06 22:44:59 | bleepingcomputer | DATA BREACH | LAUSD Probes Allegations of Extensive Student and Teacher Data Sale | The Los Angeles Unified School District (LAUSD) is investigating claims that stolen databases containing records for millions of students and thousands of teachers are being sold. An anonymous threat actor has listed over 26 million student records and more than 24,000 teacher records for sale on a hacking forum, reportedly asking $1,000 for over 11GB of data. The data allegedly includes sensitive information such as Social Security numbers, home addresses, email addresses, and parental contact details. Verification by experts suggests the data could be legitimate but possibly outdated, as no recent dates appear in the shared sample. The allegation follows the September 2022 Vice Society ransomware attack on LAUSD, in which the attackers claimed to have stolen 500GB of district files. After that attack, LAUSD strengthened its security, including a mandatory password reset and the rollout of multi-factor authentication across the district. It remains unclear whether the data now for sale is connected to the data stolen in the Vice Society attack. | Details |
| 2024-06-06 21:28:36 | bleepingcomputer | MALWARE | Chinese Hackers Exploit Old Vulnerabilities to Deploy Dama Web Shell | Chinese-speaking threat actors are targeting ThinkPHP applications through years-old vulnerabilities to install a web shell. The Dama web shell is deployed by exploiting CVE-2018-20062 and CVE-2019-9082, both of which allow remote code execution. The web shell gives the attackers persistent access and lets them use the compromised endpoints as infrastructure, which also helps them avoid detection. The payload is disguised and fetched from compromised servers in Hong Kong. Dama provides extensive server control, including system information gathering, file management, and bypassing of certain disabled PHP functions. Notably, Dama lacks a command-line interface, which limits direct command execution despite its other capabilities. The attackers use these footholds to turn infected systems into nodes within their own infrastructure. Mitigation consists of upgrading to the latest ThinkPHP version and ensuring all known vulnerabilities are patched. | Details |
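Both the ThinkPHP item above and the Apache HugeGraph item earlier in this brief are exploited with a single crafted HTTP request, so the first-line check for a defender is the request log. The triage below is an added example that serves both items; it is not code from Akamai, Apache HugeGraph, or the researchers who reported the bugs. The request records are constructed, the ThinkPHP markers reflect the publicly known `invokefunction` request shape, and the Gremlin markers and the IP allowlist are heuristics chosen for this example rather than published signatures.

```python
"""Triage of web request records for two exploitation patterns in this digest:
ThinkPHP `invokefunction` RCE (CVE-2018-20062 / CVE-2019-9082) and
unauthenticated use of the Apache HugeGraph Gremlin endpoint (CVE-2024-27348).

Added example, not code from Akamai, Apache HugeGraph or the reporting
researchers. Records are constructed; match patterns are heuristics.
"""
from urllib.parse import unquote_plus

# Public PoCs for the ThinkPHP bugs route a request through the framework's
# `\think\app` controller to invokefunction / call_user_func_array.
THINKPHP_MARKERS = ("invokefunction", "call_user_func_array", r"\think\app")

# Heuristic (assumption): a Gremlin/Groovy script reaching for these Java
# classes is executing OS commands rather than querying the graph.
GREMLIN_MARKERS = ("Runtime.getRuntime", "ProcessBuilder", "Thread.currentThread")

# Trusted sources for the HugeGraph REST/Gremlin API, mirroring the project's
# IP allowlist recommendation (assumed value for this example).
GREMLIN_ALLOWLIST = {"10.0.0.5"}

# Constructed records, as a reverse proxy or WAF might emit them (the body is
# only available if the proxy logs it).
REQUESTS = [
    {"ip": "203.0.113.9", "method": "GET", "path": "/index.php",
     "query": "s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array"
              "&vars%5B0%5D=phpinfo&vars%5B1%5D%5B%5D=1",
     "body": ""},
    {"ip": "198.51.100.7", "method": "POST", "path": "/gremlin", "query": "",
     "body": '{"gremlin":"Runtime.getRuntime().exec(\\"id\\")"}'},
    {"ip": "10.0.0.5", "method": "POST", "path": "/gremlin", "query": "",
     "body": '{"gremlin":"g.V().limit(10)"}'},
    {"ip": "192.0.2.4", "method": "GET", "path": "/index.php",
     "query": "s=index/index", "body": ""},
]


def classify(rec: dict) -> list[str]:
    """Return the reasons a request is suspicious (empty list if none)."""
    reasons = []
    # Decode once so %5C / + encodings cannot hide the ThinkPHP markers.
    decoded = unquote_plus(rec["path"] + "?" + rec["query"]).lower()
    if any(m.lower() in decoded for m in THINKPHP_MARKERS):
        reasons.append("thinkphp-invokefunction")
    if rec["method"] == "POST" and rec["path"].rstrip("/") == "/gremlin":
        if rec["ip"] not in GREMLIN_ALLOWLIST:
            reasons.append("gremlin-from-non-allowlisted-ip")
        if any(m in rec["body"] for m in GREMLIN_MARKERS):
            reasons.append("gremlin-java-runtime-call")
    return reasons


def triage(records: list[dict]) -> dict[str, list[str]]:
    """Map source IP -> reasons, for records that matched at least one rule."""
    hits: dict[str, list[str]] = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.setdefault(rec["ip"], []).extend(reasons)
    return hits


if __name__ == "__main__":
    for ip, reasons in triage(REQUESTS).items():
        print(ip, ", ".join(reasons))
```

The allowlist rule fires even when the body is not logged, which is why it is the more dependable of the two HugeGraph checks: a Gremlin POST from an address that has no business querying the graph is worth a look regardless of its payload.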
| 2024-06-06 20:47:40 | bleepingcomputer | NATION STATE ACTIVITY | Ukrainian Defense Targeted by Hackers Using SyncThing Tool | Ukraine's CERT-UA has identified a campaign named "SickSync", run by the UAC-0020 (Vermin) group, that uses the SyncThing software to infiltrate defense forces. Vermin is associated with the Luhansk People's Republic, a region largely occupied by Russia, and its actions consistently align with Russian interests. The hackers bundle SyncThing and the SPECTR malware in a phishing lure that uses a password-protected RARSFX archive. Once opened, the archive deploys SyncThing for peer-to-peer data synchronization and SPECTR for silently stealing critical information. SPECTR is modular; it collects data and relies on the legitimate appearance of SyncThing traffic to avoid detection by security systems. Ukraine's cybersecurity agency advises organizations to treat any interaction with SyncThing infrastructure as potential evidence of a breach that requires further investigation. | Details |
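The three SickSync items in this brief all end with the same CERT-UA advice: treat contact with SyncThing infrastructure as a possible compromise. The script below is an added example of how to act on that in DNS and flow logs; it is not CERT-UA's tooling and the log lines are constructed. It assumes that Syncthing's global discovery and relay hosts live under syncthing.net and that the client's documented defaults are 22000 (TCP/UDP) for sync traffic and 21027/UDP for local discovery.

```python
"""Hunt for Syncthing use in DNS and connection logs, following CERT-UA's
SickSync advice to treat contact with Syncthing infrastructure as an
indicator worth investigating.

Added example, not CERT-UA's tooling; the log lines are constructed.
Assumptions: discovery/relay hosts are under syncthing.net; default sync
port 22000 (tcp/udp); local discovery 21027/udp.
"""

SYNCTHING_DOMAIN = "syncthing.net"
SYNC_PORT = 22000
LOCAL_DISCOVERY_PORT = 21027

# Constructed DNS query log: "ts client qname"
DNS_LOG = """\
2024-06-05T08:12:01Z 10.1.4.22 discovery-v4-1.syncthing.net
2024-06-05T08:12:02Z 10.1.4.22 relays.syncthing.net
2024-06-05T08:13:10Z 10.1.4.30 update.microsoft.com
2024-06-05T08:14:11Z 10.1.4.22 cdn.example.org
"""

# Constructed firewall/netflow log: "ts src dst proto dport"
FLOW_LOG = """\
2024-06-05T08:12:05Z 10.1.4.22 198.51.100.23 tcp 22000
2024-06-05T08:12:06Z 10.1.4.22 10.1.4.255 udp 21027
2024-06-05T08:15:00Z 10.1.4.30 203.0.113.5 tcp 443
"""


def dns_hits(log: str) -> list[tuple[str, str]]:
    """(client, qname) pairs that resolved Syncthing infrastructure."""
    hits = []
    for line in log.splitlines():
        _, client, qname = line.split()
        q = qname.lower().rstrip(".")
        if q == SYNCTHING_DOMAIN or q.endswith("." + SYNCTHING_DOMAIN):
            hits.append((client, q))
    return hits


def flow_hits(log: str) -> list[tuple[str, str, int]]:
    """(src, dst, dport) for flows on Syncthing's default ports."""
    hits = []
    for line in log.splitlines():
        _, src, dst, _proto, dport = line.split()
        port = int(dport)
        if port in (SYNC_PORT, LOCAL_DISCOVERY_PORT):
            hits.append((src, dst, port))
    return hits


def suspect_hosts(dns_log: str, flow_log: str) -> dict[str, list[str]]:
    """Hosts that both looked up Syncthing infrastructure and then spoke on a
    Syncthing port. A 22000 flow to a remote peer is the exfiltration channel;
    a 21027 broadcast is weaker evidence (local discovery only)."""
    resolved = {client for client, _ in dns_hits(dns_log)}
    out: dict[str, list[str]] = {}
    for src, dst, port in flow_hits(flow_log):
        if src in resolved:
            kind = "sync peer or relay" if port == SYNC_PORT else "local discovery"
            out.setdefault(src, []).append(f"{dst}:{port} ({kind})")
    return out


if __name__ == "__main__":
    for host, evidence in suspect_hosts(DNS_LOG, FLOW_LOG).items():
        print(host, "->", "; ".join(evidence))
```

A host that only broadcasts on 21027 may simply be running Syncthing for its own purposes; the combination of a discovery/relay lookup and a 22000 flow to an outside address is what matches the SickSync exfiltration pattern and justifies pulling the host for investigation.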
| 2024-06-06 19:46:27 | theregister | RANSOMWARE | FBI Distributes Decryption Keys to LockBit Ransomware Victims | The FBI has released over 7,000 decryption keys to help victims of the LockBit ransomware recover their data. Despite the February disruption of LockBit's operations, which led to the identification of Dmitry Khoroshev as the alleged leader, the gang remains active. Victims who believe they were affected by LockBit are encouraged to report to the Internet Crime Complaint Center. The FBI, together with international partners such as the UK's National Crime Agency, continues to investigate and dismantle ransomware operations. Bryan Vorndran, assistant director of the FBI's Cyber Division, noted that LockBit had lied about deleting victim data after ransom payments, retaining the stolen data for potential future misuse. Vorndran stressed the continuing threat posed by well-protected cybercriminals operating from countries such as Russia, where they often enjoy tacit protection. The FBI is advocating a united front of private industry, nonprofits, academia, and government to strengthen collective defenses. LockBit's recent activity includes a confirmed attack on the Canadian pharmacy chain London Drugs, demonstrating the ongoing risk. | Details |
| 2024-06-06 18:29:56 | bleepingcomputer | CYBERCRIME | New 'Fog' Ransomware Hits U.S. Education Sector via VPN Breaches | A new ransomware called 'Fog' is targeting the U.S. education sector, gaining entry through compromised VPN credentials. First observed by Arctic Wolf Labs in May 2024, Fog's operators break into networks using stolen credentials for VPN gateways from multiple vendors. Once inside, they use pass-the-hash attacks and tools such as PsExec to move laterally and take over administrator accounts. Before encrypting, the ransomware terminates specific processes and deletes backups to hinder recovery, and it also encrypts virtual machine disk files on VM storage. Encrypted files receive a '.FOG' or '.FLOCKED' extension and cannot be opened without the decryption key the attackers offer in exchange for payment. Victims find a ransom note directing them to negotiate through a Tor-based chat interface. Although Fog did not initially operate a data-leak site, BleepingComputer has confirmed that it uses double extortion, threatening to leak stolen data to pressure victims into paying. Arctic Wolf Labs has not yet determined whether Fog is run as ransomware-as-a-service or controlled by a single group of cybercriminals. | Details |
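The lateral-movement steps named in the Fog item (pass-the-hash, then PsExec to reach admin on other hosts) leave standard Windows Security and System log artefacts that can be checked before encryption starts. The rules below are an added example, not Arctic Wolf's detection content; the events are constructed, and the VPN address pool, the privileged-account list, and the rule thresholds are assumptions for this example. The field names follow the real 4624 (logon) and 7045 (service installed) event schemas.

```python
"""Detection sketch for the Fog intrusion chain on the Windows side: logons that
look like pass-the-hash, and PsExec service installs, correlated per host.

Added example, not Arctic Wolf's detection content. Events are constructed;
the rules are common heuristics (assumptions), not vendor signatures.
"""
from collections import defaultdict

# Addresses the VPN concentrator hands out (assumption for this example).
VPN_POOL_PREFIX = "10.200."
# Accounts that should never log on over NTLM from the VPN pool (assumption).
ADMIN_ACCOUNTS = {"administrator", "svc_backup"}

# Constructed events in the order a SIEM would deliver them.
EVENTS = [
    # Local pass-the-hash artefact on the beachhead: LogonType 9 via seclogo.
    {"EventID": 4624, "Computer": "WS-VPN01", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "jdoe", "IpAddress": "::1"},
    # NTLM network logon to an admin account from a VPN address.
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "IpAddress": "10.200.3.17"},
    # PsExec remote service install on the same host.
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign Kerberos logon from the LAN.
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3,
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "asmith", "IpAddress": "10.1.4.22"},
]


def rule_pth_local(ev: dict) -> bool:
    """4624 with LogonType 9 + seclogo + Negotiate: a new logon session created
    with substituted credentials, the classic local pass-the-hash artefact."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 9
            and ev.get("LogonProcessName", "").lower() == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate")


def rule_ntlm_admin_from_vpn(ev: dict) -> bool:
    """NTLM network logon to a privileged account from the VPN pool: domain
    members normally use Kerberos, and VPN users rarely touch shares as admin."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("TargetUserName", "").lower() in ADMIN_ACCOUNTS
            and ev.get("IpAddress", "").startswith(VPN_POOL_PREFIX))


def rule_psexec_service(ev: dict) -> bool:
    """7045 for PSEXESVC, or a renamed service whose image is PSEXESVC.exe."""
    return (ev.get("EventID") == 7045
            and ("psexesvc" in ev.get("ServiceName", "").lower()
                 or "psexesvc" in ev.get("ImagePath", "").lower()))


RULES = {
    "pth-local": rule_pth_local,
    "ntlm-admin-from-vpn": rule_ntlm_admin_from_vpn,
    "psexec-service": rule_psexec_service,
}


def evaluate(events: list[dict]) -> dict[str, list[str]]:
    """Map host -> names of the rules that fired on it, in event order."""
    hits: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["Computer"]].append(name)
    return dict(hits)


def escalate(hits: dict[str, list[str]]) -> list[str]:
    """Hosts where the remote admin logon and the service install both fired:
    the lateral-movement pair, rather than an isolated NTLM logon."""
    return sorted(host for host, names in hits.items()
                  if "ntlm-admin-from-vpn" in names and "psexec-service" in names)


if __name__ == "__main__":
    fired = evaluate(EVENTS)
    for host, names in fired.items():
        print(host, names)
    print("escalate:", escalate(fired))
```

The per-host correlation is the useful part: a single NTLM admin logon from the VPN pool is noisy in many environments, but the same host receiving a PSEXESVC install within the same window is the sequence Fog's operators need to reach the file servers they encrypt.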