Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-08-12 20:24:14 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Steal Critical South Korean Military Data | South Korea's People Power Party reports that DPRK hackers have stolen crucial data on K2 tanks and Baekdu and Geumgang spy planes, aiming to compromise military surveillance and tactics. The stolen tank information included design blueprints and special system details, which might have also reached Middle Eastern markets due to corporate espionage. Compromised details on spy planes encompass their operational capabilities and recent technical advancements, leaked by hacking a defense contractor's systems. South Korea fears the stolen data will lead to DPRK developing better evasion techniques for its drones and surveillance operations. The People Power Party emphasizes the urgent need for stronger cybersecurity laws and protective measures against such cyber espionage. The National Police Agency has issued warnings regarding heightened activities by North Korean hacking groups targeting South Korean defense firms. Policymakers are urged to revise espionage laws and enact comprehensive cybersecurity legislation to safeguard national security interests. |
| 2024-08-12 18:16:45 | bleepingcomputer | MALWARE | Ukraine Government PCs Infected Through Fake SSU Email Campaign | Attackers posed as the Security Service of Ukraine (SSU) to launch a malware campaign against Ukrainian government agencies. Over 100 government computers were infected with AnonVNC malware through malicious spam emails. The malware was distributed using attachments labeled as Dokumenty.zip, which were designed to look like official documents needed by the SSU. The malicious campaign, tracked by CERT-UA as UAC-0198, began around July 12 and utilized a Windows installer from a suspicious URL to deploy the malware. AnonVNC allows covert access to the compromised systems, affecting both central and local government bodies extensively. The attackers also used a falsified code signing certificate from Shenzhen Variable Engine E-commerce Co Ltd., a company appearing to be based in China. Additional cybersecurity concerns for Ukraine include attacks by Russian-linked groups using different malware to target critical infrastructure and government functions. |
| 2024-08-12 18:06:19 | bleepingcomputer | RANSOMWARE | Evolution Mining Targeted by Ransomware Attack, Operations Unaffected | Evolution Mining, a major Australian gold producer, was hit by a ransomware attack on August 8, 2024, which affected its IT systems. The company has engaged external cybersecurity experts to manage the incident and has declared the situation fully contained. Despite the attack, Evolution Mining has stated there will be no significant impact on its mining operations. The incident will not affect the company's production of gold and copper, maintaining its contribution to the economies of Australia and Canada. No group has claimed responsibility for the attack, and there has been no indication that data was stolen during the breach. The Australian Cyber Security Centre has been notified and is likely involved in the response to the incident. Evolution Mining is one of the top firms listed on the Australian Securities Exchange, with substantial reserves and strong market capitalization. |
| 2024-08-12 16:29:12 | theregister | DATA BREACH | Arizona Tech School Data Breach Affects Over 200,000 Individuals | The East Valley Institute of Technology (EVIT) experienced unauthorized network access on January 9, leading to significant data theft. The LockBit ransomware group claimed responsibility for the break-in on January 19, threatening to publish the stolen data. Although no publication of sensitive data has been confirmed, 48 types of personal information, including SSNs and medical and financial records, were compromised. The breach affected 208,717 individuals, consisting of current and former students, staff, and parents, with extensive personal data exposure. In response, EVIT has implemented multiple security measures, including locking down VPN access, deploying EDR software, and rebuilding affected servers. EVIT also engaged a third-party network security firm to enhance defenses and has been actively monitoring the situation since the incident. Affected individuals have been offered 12 months of credit monitoring and received direct notifications from EVIT detailing the breach and protective actions. |
| 2024-08-12 14:31:29 | bleepingcomputer | CYBERCRIME | Criminal IP and Maltego Enhance Cyber Threat Visualization and Tracking | Criminal IP has integrated its cyber threat intelligence capabilities with Maltego, a global investigation platform known for its visualization features. This partnership allows users to visualize complex data about malicious IPs, domains, and vulnerabilities directly through Maltego's interface. Maltego's users can now access Criminal IP's database directly in the Transform Hub marketplace, enhancing the scope of cyber investigations. Enhanced features include detailed visual data graphs which help in recognizing relationships and assessing associated risks in cyber threat entities. Incorporation of Criminal IP into Maltego includes the capability to track and monitor sensitive information like bank account numbers and Bitcoin wallet addresses exposed online. The collaboration aims to reduce investigation times by utilizing visual link analyses and enabling real-time monitoring of digital threats and social media. Supported by multiple integrations with other major platforms like Microsoft Sentinel and IBM QRadar, this partnership significantly extends the utility and application of Maltego's investigation tools. |
| 2024-08-12 14:26:10 | theregister | CYBERCRIME | Doxxing Scene Thrives with Increasing Violence and Extortion Tactics | Doxxing involves revealing someone's identity online, often for extortion and financial gain, with platforms like Doxbin leading the market. Doxbin has extensive reach with 300,000 users and over 165,000 pastes, generating significant income by charging for data removal. Former Doxbin participant "Ego" describes doxxing, supplemented with remote access trojans and fraudulent emergency data requests, as his primary activity. Violence and physical intimidation have emerged as methods to enforce extortion demands, with underground networks supporting these violent acts for a fee. High-profile cases and detailed insider interviews reveal the dark side of this cybercrime, emphasizing the blend of financial motives with occasionally stated moral justifications. Legal actions are limited since doxxing per se isn't illegal in many places, though some regions like Alabama have begun to outlaw it. Recommended preventive measures include enhancing privacy settings, using complex passwords, and avoiding personal data exposure online. |
| 2024-08-12 11:22:17 | thehackernews | CYBERCRIME | Surge in Phishing Attacks Linked to AI and Current Events | Phishing attacks have increased by 40% from last year, impacting 94% of businesses in 2023. Generative AI facilitates rapid creation of phishing content, including emails and deepfake videos. Phishing as a Service (PhaaS) allows individuals to hire attackers, simplifying the initiation of phishing campaigns. Phishers rapidly adapt to current events, exploiting situations like the CrowdStrike BSOD issue for financial gain. Cyberint uncovered typo-squatting domains registered after the CrowdStrike incident, collecting donations and payments fraudulently. Recurring and planned events like the Olympics and UEFA Euro 2024 are specific targets, with crafted emails and fake websites used to steal financial information. Holiday seasons witness a spike in phishing attacks due to increased online shopping and promotional activities. Businesses and individuals can mitigate phishing risks through heightened vigilance and informed security practices during peak times. |
| 2024-08-12 10:36:08 | thehackernews | CYBERCRIME | Solar Tech Flaws Could Cause Grid Disruptions, Blackouts | Cybersecurity researchers from Bitdefender discovered critical vulnerabilities in the Solarman and Deye PV system management platforms. These vulnerabilities could potentially enable attackers to control solar inverter settings, disrupting power supply and causing grid instability. If exploited, the security flaws allow complete takeover of Solarman accounts and unauthorized access via Deye Cloud, threatening user privacy and data integrity. Attackers could manipulate inverter functions to cause voltage fluctuations and power blackouts, posing significant risks to grid stability. Sensitive data about users and organizations could be exposed, leading to privacy breaches and targeted cyber attacks. Both Solarman and Deye have addressed the vulnerabilities as of July 2024, following Bitdefender's responsible disclosure in May 2024. |
| 2024-08-12 10:20:33 | thehackernews | MISCELLANEOUS | Analyzing AI's Impact on Business and Cybersecurity Challenges | A market correction has affected AI stocks, but the underlying foundation remains firm and AI technologies are here to stay. Gartner's hype cycle predicts a potential market recovery leading AI into broader, mainstream adoption. Generative AI presents challenges in enterprise deployment, notably its non-deterministic nature and integration into workflows. Financial and practical hurdles include high costs and the precision required in AI model training for commercial viability. Cybersecurity applications for AI are double-edged, offering both potential defenses and new vulnerabilities. Governance of AI technologies is crucial, particularly around setting accurate access controls to limit security risks. The increased use of AI in Identity and Access Management (IAM) shows promising improvements in user experience and system interaction. Overall, the adoption and integration of AI demand cautious optimism, with significant strategic planning needed to maximize benefits and minimize risks. |
| 2024-08-12 10:15:15 | thehackernews | MALWARE | Urgent OpenSSH Patch Released for Critical FreeBSD Vulnerability | The FreeBSD Project released updates to address a high-severity OpenSSH vulnerability, CVE-2024-7589. The flaw has a CVSS score of 7.4, indicating significant threat potential. The vulnerability allows attackers to execute arbitrary code with root privileges. The issue stems from unsafe signal handling in sshd during the authentication window. It is related to the earlier regreSSHion issue, in which non-async-signal-safe functions were called. The fix is to update FreeBSD to the latest supported version and restart sshd. As a temporary workaround, setting LoginGraceTime to 0 in sshd_config mitigates the risk at the cost of exposing sshd to denial of service. |
| 2024-08-12 08:58:42 | theregister | MISCELLANEOUS | SANS Hosts Virtual Cloud Security Exchange 2024 Event | The SANS Institute is organizing a free virtual event, the Cloud Security Exchange 2024, scheduled for Tuesday, 27 August. The event aims to educate security professionals on advanced cloud security architectures, threat detection, and best practices. Speakers from major cloud services like AWS, Google Cloud, and Microsoft Azure, along with top experts from SANS, will share insights. Participants will engage in interactive sessions allowing them to discuss real-time queries with cloud security leaders. Attendees will receive five Continuing Professional Education (CPE) credits to aid in professional certification. Discussions will cover topics such as the evolution of identity management with generative AI, secure-by-design principles, and AI's role in enhancing security and posing new threats. The event provides an exceptional networking platform for security professionals globally to exchange ideas and enhance their cloud security strategies. |
| 2024-08-12 07:00:58 | thehackernews | CYBERCRIME | Vulnerabilities in Ewon Cosy+ Allow Root Access and Data Theft | Security vulnerabilities in the Ewon Cosy+ industrial remote access tool could enable attackers to obtain root privileges on the device. Attackers could decrypt firmware and data, hijack VPN sessions, and impersonate devices within the network. The vulnerabilities were disclosed by SySS GmbH at the DEF CON 32 conference. The attack chains together a series of vulnerabilities, including operating system command injection and persistent cross-site scripting (XSS). Attackers can gain administrative access through unprotected credentials stored in cookies and decrypt encrypted files using a hardcoded key. The vulnerabilities allow VPN session tampering by enrolling fraudulent certificates, potentially letting an attacker impersonate network systems and intercept user input. These findings highlight critical security flaws potentially impacting industrial infrastructure managed remotely through the Talk2m platform. |
| 2024-08-12 05:38:59 | theregister | NATION STATE ACTIVITY | Trump Campaign Claims Foreign Plot in Election Document Leak | Former US President Donald Trump's re-election campaign claims it was the target of a cyberattack that led to a leak of internal documents. Politico and The New York Times received a trove of data from an anonymous source, allegedly connected to the campaign. Trump campaign spokesperson Steven Cheung stated the documents were illegally obtained by "foreign sources hostile to the United States" aiming to disrupt the upcoming US elections. Microsoft reported a spear-phishing attempt by an Iranian group targeting a high-ranking official from a presidential campaign, which media sources suggest was Trump's campaign. There is no confirmed evidence that the Iranian phishing attempt succeeded or was linked to the leaked documents received by Politico. Politico has corresponded with the anonymous emailer, who declined to reveal how the documents were acquired, leading to speculation but no concrete evidence of foreign involvement. The nature of politics and information leaks often involves multiple possible motives and actors, both domestic and international. |
| 2024-08-12 03:46:40 | thehackernews | NATION STATE ACTIVITY | Russian Government Targeted by Sophisticated Malware Campaign | Russian government and IT entities have been attacked using spear-phishing to deploy multiple backdoors and trojans, including GrewApacha and PlugY. The infection chain starts with RAR archives attached to emails; each contains a Windows shortcut that triggers the infection through DLL side-loading. GrewApacha, previously connected to the China-linked group APT31, employs Dropbox and GitHub for command and control communications. CloudSorcerer, a refined cyber espionage tool, employs Microsoft Graph, Yandex Cloud, and Dropbox for data exfiltration and ensures it executes only on intended targets. PlugY, a new comprehensive backdoor discovered in the campaign, supports various communication protocols and has capabilities like keystroke logging and screen monitoring. Similarities found in PlugY's code suggest ties to other backdoors linked to Chinese cyber espionage groups such as APT27 and APT41. The campaign also includes a watering hole attack deploying the CMoon worm, which focuses on data theft, including payment information, and can initiate DDoS attacks. |
| 2024-08-12 02:35:13 | theregister | MISCELLANEOUS | UN Cybercrime Treaty Approved Amid Controversies and Security Lapses | The UN has unanimously passed a Russian proposal aimed at combating cybercrime, despite significant opposition from tech companies and privacy advocates. Critics argue that the treaty could infringe on human rights under the guise of crime prevention, with refusal to cooperate with information requests left to the discretion of governments. British defense contractor Rolls-Royce Submarines outsourced crucial software development for UK nuclear subs to Russian and Belarusian programmers, raising security concerns. The FBI and CISA have issued warnings about the BlackSuit ransomware gang, which originates from the Royal malware family and has sought ransom payments totaling approximately $500 million. Sellafield, a major UK nuclear facility, has admitted to serious security failings, having left 75% of its servers vulnerable by using outdated Windows systems. Ubiquiti's G4 security cameras were found vulnerable due to unsecured ports, with many devices still unpatched after five years, highlighting the risks and persistence of cybersecurity issues. |