Daily Brief

Find articles below; each entry is followed by a generated summary

Total articles found: 11823

Checks for new stories every ~15 minutes

2024-06-06 17:54:12 bleepingcomputer CYBERCRIME Extortion Scheme Targets GitHub Repositories with Data Wipes
GitHub repositories are being erased in an extortion campaign by attackers using the alias Gitloker. Victims are instructed to contact the attackers via Telegram for potential data recovery. Attackers are likely gaining access through stolen GitHub account credentials. Compromised accounts have their repository contents wiped and replaced with a README.me file containing ransom notes. Previous similar attacks prompted GitHub to advise users to change passwords and secure their accounts against unauthorized changes. This attack builds on past incidents where GitHub data was compromised, including a significant breach of a Microsoft account in 2020. GitHub has acknowledged the susceptibility of accounts to phishing campaigns that can result in account takeovers and data theft.
2024-06-06 15:21:22 bleepingcomputer CYBERCRIME PandaBuy Faces Repeated Extortion Following Data Breach
PandaBuy, a Chinese e-commerce platform service, paid a ransom to prevent their customers' stolen data from being leaked but faced renewed extortion threats. The attacker, using the alias "Sanggiero," initially leaked 3 million rows of customer data including names, contact information, addresses, and order details by exploiting vulnerabilities in PandaBuy's API. The compromised data was reported to Have I Been Pwned, which added 1.35 million affected email addresses from the incident to its system. On June 3, 2024, Sanggiero attempted to sell an alleged 17 million rows of additional data for $40,000, although no proof was given for the new batch of data. PandaBuy has since repaired the previously exploited vulnerabilities and decided against further payments to the hacker due to frozen funds and concerns of ongoing unauthorized data sales. Customers are advised to change their passwords and remain vigilant against phishing attempts by parties claiming to represent PandaBuy.
2024-06-06 14:04:45 bleepingcomputer MISCELLANEOUS mWISE 2024: Mandiant's Premier Cybersecurity Conference in Denver
Mandiant, a part of Google Cloud, is organizing mWISE™ 2024, a cybersecurity conference in Denver, Colorado from September 18–19. Designed specifically for hands-on security practitioners, mWISE offers a unique, intimate setting to foster one-to-one connections with cybersecurity leaders. The conference serves as a platform for professionals from industry, academia, and government to share their experiences without fear of judgment. Attendees can expect to learn from some of the industry's most respected speakers who will discuss the latest security innovations and strategies. mWISE 2023 successfully drew thousands of practitioners nationwide, showing significant impact through positive attendee testimonials. The 2024 event agenda will include a variety of key topics in cybersecurity, shaped by community submissions and curated by an independent panel. Early Bird Registration for the 2024 conference ends on July 3, providing substantial savings on the standard conference rate.
2024-06-06 13:33:53 theregister CYBERCRIME U.S. Seeks Recovery of $5M from Union Email Scam
The U.S. Justice Department is taking action to recover over $5 million stolen from a Massachusetts trade union through a business email compromise (BEC) scam. Cybercriminals spoofed the email of the union's investment manager, orchestrating a fake wire transfer of $6.4 million, primarily to various offshore bank accounts. The stolen funds were traced to seven bank accounts across China, Singapore, Hong Kong, and Nigeria, and are currently held in six JPMorgan Chase accounts and one Texas Bank and Trust account. The scam involved the recruitment of "money mules" who unknowingly helped launder the proceeds through complex transactions designed to obscure the origin of the funds. Rapid and purposeless money transfers between accounts were used as a technique to conceal the fraud, as evidenced by several flip-flop transactions recorded in a single day. Some of the stolen funds were converted into cryptocurrency, complicating the recovery efforts, although the majority of the funds were seized shortly after the fraudulent transfer. BEC scams continue to pose significant financial risks nationwide, with estimated daily losses reaching $8 million and annual losses reported by the FBI at $2.9 billion.
2024-06-06 13:18:17 thehackernews DDOS Muhstik Botnet Exploits Apache RocketMQ Flaw for DDoS Expansion
The Muhstik botnet, first identified in 2018, targets IoT devices and Linux servers. It exploits CVE-2023-33246 in Apache RocketMQ to gain remote code execution and deploy its malware. The malware, named "pty3," is designed to avoid detection and maintain persistence by mimicking system files and residing in memory. Its features include metadata collection, lateral movement via SSH, and C2 communications over IRC. Its primary objectives are launching DDoS attacks and mining cryptocurrency. Over 5,200 vulnerable Apache RocketMQ instances remain exposed, putting numerous systems at risk. Security recommendations include patching affected systems and adopting strong, frequently changed credentials.
2024-06-06 12:06:20 theregister MISCELLANEOUS Microsoft to Phase Out Outdated NTLM Security Protocol
Microsoft has officially marked the NTLM authentication protocol as a deprecated feature, urging a shift to more secure authentication methods. The protocol, first introduced in 1993 with Windows NT 3.1, is notorious for its vulnerabilities and weak encryption. NTLM will still function in upcoming releases of Windows Server and Windows, but developers are encouraged to transition to Negotiate with Kerberos. NTLM usage spiked unexpectedly due to issues caused by a security update in April 2024, which was corrected in a subsequent update. Despite being replaced as the default by Kerberos in 2000, NTLM remains hardcoded in some applications and Windows components, posing ongoing security risks. Microsoft is applying a data-driven methodology to monitor declines in NTLM usage, aiming to eventually disable the protocol entirely. Organizations still using NTLM due to compatibility issues are advised to catalog that usage and plan their transition urgently.
2024-06-06 11:35:08 thehackernews CYBERCRIME Escalating Threats of Software Supply Chain Attacks in Business
Supply chain attacks in the interconnected business ecosystem allow cybercriminals to exploit vulnerabilities across multiple organizations by targeting software and IT vendors. In 2023, the U.S. saw 245,000 software supply chain attacks, causing financial damage estimated at $46 billion and projected to reach $60 billion by 2025. Attackers use compromised accounts and vulnerabilities to inject malicious software or gain unauthorized access, affecting entities from small vendors to large corporations such as Ferrari and Audi. Notable past incidents such as SolarWinds and Kaseya underscore the devastating potential of these attacks, necessitating rigorous and continuous security measures. Cybersixgill highlights methods for mitigating the risk, including enhanced cyber threat intelligence and continuous monitoring of third-party vendors' security practices. The article emphasizes the importance of a proactive security posture that integrates advanced tools and strategies to detect and respond to these expanding threats.
2024-06-06 10:38:41 theregister NATION STATE ACTIVITY Chinese Cyber Group Exploits Old Oracle Bug for Cryptomining
The CVE-2017-3506 vulnerability in Oracle WebLogic Server allows remote command execution; it was originally patched in 2017 but is being exploited again. The Chinese cybercriminal group Water Sigbin, also known as 8220 Gang, uses this bug along with another Oracle vulnerability (CVE-2023-21839) to install cryptocurrency miners on targets. Water Sigbin employs complex obfuscation techniques, making detection and response challenging for security teams. Previously, CVE-2017-3506 was used with other WebLogic vulnerabilities to infiltrate the Click2Gov servers of multiple county governments for credit card theft. The continued exploitation of CVE-2017-3506 shows that unpatched instances remain and that updated patches or additional mitigations are needed. Water Sigbin targets vulnerabilities in multiple technologies and frequently shifts the malware it deploys, including cryptominers and botnets. Oracle may re-release a special patch to fully address CVE-2017-3506, acknowledging that past patching efforts were inadequate.
2024-06-06 09:57:30 thehackernews MALWARE Cybercriminals Utilize Legitimate Packers to Distribute Malware
Hackers are increasingly exploiting legitimate packer software like BoxedApp to distribute malware undetected. The surge in use of these packers, observed around May 2023, predominantly targets financial and government sectors. Notable malware distributed includes Agent Tesla, AsyncRAT, LockBit, and others, with submissions from Turkey, the U.S., Germany, France, and Russia. These tools, originally designed to compress software, now add a layer of obfuscation making malware difficult to analyze. BoxedApp-packed applications tend to trigger high false positive rates in anti-malware systems, complicating detection efforts. The NSIXloader, another exploited packer utilizing the Nullsoft Scriptable Install System, disguises malicious payloads as legitimate installers. Specialized tools like Kiteshield target Linux systems with sophisticated encryption and injection techniques. Continuous global monitoring and advanced security protocols are recommended to mitigate such sophisticated cyber threats.
2024-06-06 09:57:30 thehackernews CYBERCRIME Effective Password Security Strategies to Prevent Account Takeovers
Account takeover (ATO) attacks start with compromised credentials, posing severe risks to an organization's operational integrity. Once inside a system, attackers use legitimate user credentials to blend in, making unauthorized access hard to detect and increasing the potential damage. Such attacks can give attackers access to sensitive information such as financial data, intellectual property, or personally identifiable information. The article cites a U.S. state government breach that occurred through an ex-employee's leaked credentials and led to further network compromise. Weak password practices, such as using simple passwords or reusing passwords across multiple sites, substantially increase the risk of ATO. The article emphasizes stronger password policies and the implementation of multi-factor authentication (MFA) to improve security. Specops Password Policy is promoted as a tool to detect and force the reset of compromised passwords within an organization's Active Directory.
2024-06-06 07:29:35 theregister DATA BREACH Microsoft's Recall Feature Raises Privacy and Security Concerns
Microsoft's new tool, Recall, has been criticized for potential privacy risks because it continuously logs user activity and captures screenshots. Jaime Teevan, Microsoft Research's chief scientist, dismissed privacy concerns about Recall at a conference, emphasizing the significance and utility of data in AI. Erik Brynjolfsson, director of the Stanford Digital Economy Lab, asked about the security implications of storing such data locally rather than in the cloud. Teevan reassured the audience that Recall data is stored locally and not uploaded to the cloud, highlighting Microsoft's focus on data protection. Security researcher Alex Hagenah released a tool, Total Recall, that can access Recall's unencrypted SQLite database, aggravating privacy concerns. Critics argue that Recall could make Windows PCs targets for legal investigations and raise GDPR compliance issues because of the retained user data. The feature could expose sensitive conversations and activities, posing a threat to sectors such as healthcare that require confidentiality. The backlash continues as security experts and analysts advise against the rollout of the controversial feature, scheduled for later this month.
2024-06-06 07:19:12 thehackernews MISCELLANEOUS Google Announces Local Storage for Maps Timeline Data
Google plans to store Maps Timeline data locally on devices starting December 1, 2024, enhancing user privacy. This change coincides with a new default of auto-deleting Location History after three months, reduced from 18 months. Maps Timeline, which records routes and locations visited, will no longer be accessible via the web but only on the user's device. Users are encouraged to enable device backups to save an encrypted copy of the Timeline data on Google's servers. These updates respond to prior criticism and legal action alleging that Google misled users about tracking while Location History was disabled. The modified privacy practices follow a $62 million settlement with several U.S. states over misleading consumer practices related to location tracking. The Texas lawsuit over similar user privacy and data handling issues is still ongoing.
2024-06-06 05:52:22 thehackernews MALWARE Malicious "Crytic-Compilers" Package Targets Python Developers
Cybersecurity experts uncovered a malicious package named "crytic-compilers" on the Python Package Index (PyPI), designed to mimic the legitimate "crytic-compile" library. The counterfeit package, downloaded 441 times before removal, attempted to deceive users by aligning its version numbers with the legitimate library, suggesting it was a newer version. The rogue package employed tactics such as installing the actual library in some versions to appear genuine while delivering malware in others. The latest version targeted Windows systems, executing the Lumma (LummaC2) information stealer when run. Lumma Stealer has also been distributed via other channels, such as trojanized software and fake browser updates, under a malware-as-a-service (MaaS) model. This incident highlights a growing trend in which seasoned threat actors exploit open-source registries to disseminate potent data theft tools targeting developers.
2024-06-05 23:19:21 bleepingcomputer MALWARE New Linux Variant of TargetCompany Ransomware Targets VMware ESXi
Researchers have identified a new Linux variant of the TargetCompany ransomware, also known as Mallox, FARGO, and Tohnichi, targeting VMware ESXi environments. This variant employs a custom shell script to gain administrative privileges, deliver and execute the ransomware payload, and potentially exfiltrate data. The malware checks specifically for VMware ESXi systems, encrypts files related to VM operations with a ".locked" extension, and drops a ransom note with payment instructions. The new variant marks an evolution from previous attacks, which predominantly focused on Windows systems and database environments in Asia. Cybersecurity firm Trend Micro traced the attacks to an affiliate named "vampire" and linked payload delivery to an ISP in China, though the exact origin remains unconfirmed. After execution, the script deletes the ransomware payload to eliminate forensic evidence, complicating post-incident analysis. Trend Micro has issued recommendations including enabling multifactor authentication (MFA), regular backups, and system updates, alongside a list of indicators of compromise for detection and prevention.
2024-06-05 22:53:42 bleepingcomputer RANSOMWARE FBI Recovers LockBit Decryption Keys, Urges Victim Contact
The FBI has acquired over 7,000 LockBit ransomware decryption keys following an international law enforcement operation. FBI Cyber Division Assistant Director Bryan Vorndran announced at the 2024 Boston Conference on Cyber Security that these keys can assist victims in recovering their encrypted data free of charge. The international operation, named "Operation Cronos," dismantled LockBit's infrastructure in February 2024, during which authorities seized 34 servers. The operation resulted in the discovery of approximately 2,500 decryption keys, aiding the creation of the free LockBit 3.0 Black Ransomware decryptor. Despite significant disruptions, LockBit remains active, continuing global targeting and leaking sensitive data on dark web platforms. The group has managed to accumulate roughly $1 billion in ransoms from about 7,000 attacks between June 2022 and February 2024. Recent activities include a cyberattack on Canadian pharmacy chain London Drugs in April 2024, subsequent to another law enforcement sting operation. The U.S. State Department is offering a reward of up to $10 million for information leading to the arrest or conviction of the LockBit leadership.