Daily Brief


Total articles found: 11823


2024-05-31 17:06:03 thehackernews CYBERCRIME Over 600,000 Routers Disabled in U.S. by Malicious Cyber Attack
Over 600,000 SOHO routers were disabled in a cyber attack, impacting a U.S. ISP between October 25-27, 2023. The attack, coined "Pumpkin Eclipse" by Lumen Technologies Black Lotus Labs, targeted specific router models and rendered them inoperable. The affected ISP, suspected to be Windstream, saw a nearly 50% reduction in functional modems, requiring hardware replacements. Analysis linked the attack to the Chalubo remote access trojan, first documented in 2018, suggesting a strategic choice to complicate attribution. Chalubo is capable of performing DDoS attacks, executing any Lua script, and affecting all major SOHO/IoT kernels. The initial breach method of the routers remains unclear but might involve exploited weak credentials or administrative interfaces. The attack's focus on a specific ASN rather than widespread vulnerabilities or models suggests potential targeted motivations. This event marks one of the few instances where such a large number of devices required replacement following a cyber attack.
2024-05-31 16:40:16 bleepingcomputer MALWARE Europol Uncovers Identities in Malware Loader Botnet Operation
Europol, in collaboration with German law enforcement, has identified eight key figures linked to malware loader botnets. The identification is part of Operation Endgame, which led to the seizure of 100 servers involved in malware operations such as IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC. Four individuals were arrested during the crackdown, including one in Armenia and three in Ukraine. The targeted criminals, of Russian descent, are central operatives in the Smokeloader and Trickbot malware campaigns. Despite knowing the identities, current locations of these individuals remain unknown, though most are believed to reside in the Russian Federation. One of the identified suspects is reportedly living in the United Arab Emirates. The public has been urged to provide any information about the whereabouts of these criminals via Europe's Most Wanted portal.
2024-05-31 15:48:34 bleepingcomputer DATA BREACH ShinyHunters Sells Data from Santander's Massive Breach
ShinyHunters, a known threat actor, is allegedly selling data from Santander Bank involving 30 million customer and employee records. The data breach was first reported by Santander two weeks ago, following unauthorized access through a third-party provider, affecting customers mainly in Chile, Spain, and Uruguay. ShinyHunters advertised the stolen data set for $2 million on dark web forums, including personal, credit card, and account information. The selling post appeared following the FBI's recent seizure of BreachForums, a platform historically linked to ShinyHunters, which was briefly taken down but restored on a new domain. The authenticity of the Santander data for sale was hinted at by sample data shared by ShinyHunters, although direct confirmation that it belongs to Santander is pending. This breach incident follows a pattern of high-profile data leaks by ShinyHunters, affecting companies like Ticketmaster and previously AT&T. Observers noted that the data was first listed on a Russian-speaking hacking forum, raising doubts about the legitimacy of the offer on the restored BreachForums.
2024-05-31 15:27:55 theregister NATION STATE ACTIVITY LilacSquid Cyberespionage Group Uncovered After Three-Year Operation
Cisco Talos has identified a previously unknown espionage group, LilacSquid, active for three years and targeting a wide range of industries across the US, Europe, and Asia. LilacSquid focuses on stealthily obtaining sensitive data, including intellectual property and financial information, without detection. Attacks have succeeded in sectors such as software, oil and gas, and pharmaceuticals, demonstrating LilacSquid's ability to adapt its methods per industry. Researchers noted similarities in methodology between LilacSquid and known North Korean groups, although direct attribution has not been confirmed. The group uses advanced tools like the PurpleInk malware, a heavily customized variant of QuasarRAT designed to evade standard detection and facilitate data theft. LilacSquid employs multiple infection vectors, including exploiting web application vulnerabilities and misusing legitimate remote desktop protocol (RDP) credentials. Talos' findings highlight the need for organizations to strengthen their monitoring and defense mechanisms so that unauthorized activity is detected and blocked before it becomes a long-term breach.
2024-05-31 13:45:32 thehackernews NATION STATE ACTIVITY Increasing Cyber Threats on OT Devices Demand Enhanced Security Measures
Microsoft has highlighted a significant rise in cyber attacks on internet-connected operational technology (OT) devices since late 2023. Attacks on these devices can cause critical disruptions by tampering with industrial controls, revealing a lack of robust security mechanisms in OT systems. Recent advisories from Rockwell Automation and CISA have urged better protections in response to increased cyber activity and the exploitation of these systems by pro-Russia hacktivists and other groups. The recent Israel-Hamas conflict triggered an escalation in cyber threats targeting Israeli-developed OT systems, showing the international implications. Claroty reported a destructive malware, Fuxnet, used by a group possibly backed by Ukraine, indicating the reach and sophistication of modern cyber weapons. Microsoft and cybersecurity experts advocate adopting zero trust frameworks and applying regular security updates to mitigate the risk of such threats. Kaspersky's recent data underscores the common avenues for such attacks, including the internet, email, and removable storage devices, highlighting the importance of multi-layered security defenses.
2024-05-31 11:17:21 theregister MISCELLANEOUS Google Initiates Chrome Ad-Blocker Extension Upgrade to Manifest V3
Starting June 3, 2024, users of Google Chrome's Beta, Dev, and Canary builds will see warnings about the discontinuation of Manifest V2 browser extensions, including popular ad-blockers. Google is urging users to switch to extensions that support the new Manifest V3, which promises better performance, privacy, and security but has sparked controversy over its effectiveness on content filtering. Users will temporarily be able to reactivate their Manifest V2 extensions after they are automatically disabled, but this option will eventually be phased out. Despite improvements and added features in response to developmental concerns, Manifest V3 is still criticized for not fully matching the capabilities of its predecessor. Transition efforts have been ongoing for nearly five years, with 85% of actively maintained extensions in the Chrome Web Store now supporting Manifest V3. Other major browsers like Edge, Firefox, and Safari are also adopting Manifest V3 to various extents. Enterprises can defer the mandatory switch to Manifest V3 until June 2025 through the ExtensionManifestV2Availability policy.
2024-05-31 11:01:43 thehackernews MISCELLANEOUS Evolving Cybersecurity: From Detection to Prevention Focus
Digital content, widely used for information sharing, has become a major target for cybercriminals and nation-state actors, presenting significant threats globally. The expanding digital landscape has outpaced traditional cybersecurity measures, necessitating advanced, proactive security protocols to combat sophisticated cyber threats. Cybersecurity has evolved into a continuous "arms race," with attackers frequently outmaneuvering defensive technologies through the development of new evasion techniques. Traditional detection-based security methods are increasingly insufficient due to the rapid generation and complexity of digital content, highlighting a critical need for enhanced proactive measures. Everfox has developed a transformation-based Content Disarm and Reconstruction (CDR) strategy that shifts the focus from detection to prevention, assuming all data could potentially be compromised. This innovative approach to cybersecurity allows Everfox to provide more resilient protection against advanced persistent threats and zero-day exploits without the constant need to update malware signatures. Governments and highly regulated industries are moving towards such proactive cybersecurity solutions to protect national security, public safety, and economic stability more effectively. Shaun Bierweiler of Everfox emphasizes the importance of proactive defense measures in building stronger, more reliable security frameworks for organizations worldwide.
2024-05-31 10:15:48 thehackernews NATION STATE ACTIVITY Russian APT28 Utilizes HeadLace Malware in Sophisticated European Attacks
APT28, a Russian GRU-affiliated cyber group, targeted European networks, focusing heavily on Ukraine, deploying HeadLace malware and running credential-harvesting operations. The attacks, conducted from April to December 2023, involved sophisticated tactics such as geofencing and multi-stage infection processes, leveraging legitimate internet services and binaries to evade detection. The credential harvesting targeted major services like Yahoo! and UKR.net, using lookalike web pages to deceive victims into disclosing login information. Key targets included the Ukrainian Ministry of Defence, European railway systems, and an Azerbaijani think tank, with the aim of collecting intelligence to influence military and regional strategies. The group used different infrastructure for its attacks, including GitHub and PHP scripts on various hosting platforms, evolving its technique over three distinct phases. In February 2023, a U.S.-led law enforcement operation disrupted a botnet used by APT28, which involved compromised Ubiquiti routers aiding in credential theft. The operations of BlueDelta, the alias under which the group is also tracked, reflect Russia's broader intelligence strategy amid ongoing conflicts, illustrating the blend of cyber espionage with geopolitical ambitions.
2024-05-31 08:49:01 thehackernews NATION STATE ACTIVITY AI-Powered Disinformation Campaigns Thwarted by Tech Giants
OpenAI identified and disrupted five covert influence operations using its AI models, originating from China, Iran, Israel, and Russia. These operations sought to manipulate online discourse and political outcomes by generating fake comments, articles, and social media personas in multiple languages. Two of the campaigns were linked to Russia, including an operation called Bad Grammar, targeting audiences in Ukraine and the U.S. Meta removed nearly 500 fake and compromised accounts engaged in influence operations targeting North America. OpenAI reported no significant increase in audience engagement or reach from these campaigns, underscoring the inauthentic nature of the interactions. Concerns are growing over the potential for generative AI tools to aid more sophisticated and hard-to-detect disinformation efforts in the future. TikTok also uncovered and disrupted multiple influence operations on its platform from various countries, demonstrating an ongoing issue across social media platforms.
2024-05-31 06:31:01 theregister NATION STATE ACTIVITY Cloudflare Thwarts Russia-Aligned Phishing Attack on Ukraine
Cloudflare's threat intelligence team intercepted a sophisticated phishing scheme by the Russia-aligned group FlyingYeti targeting Ukrainian citizens. The attack preyed on financial anxieties following the Ukrainian government's lifting of a moratorium on evictions and utility disconnections. FlyingYeti impersonated the Komunalka payment platform to create phishing lures aimed at a broad segment of Kyiv's residents, potentially including high-value military entities. The campaign involved meticulous preparation, including reconnaissance of Ukraine's communal housing payment systems and of legal changes related to utility debts. Cloudflare discovered and mitigated the threat by shutting down malicious infrastructure on its platform and on GitHub, where the phishing site and malware were hosted. Cloudflare's disruption efforts increased the operational cost and complexity for the attackers, effectively extending the time needed to execute their plans. GitHub collaborated by removing the malicious content and suspending the account associated with the phishing attack, forcing FlyingYeti to seek alternative hosting. The proactive measures prevented the deployment of malware, including a PowerShell-based tool named COOKBOX, and stopped further phishing attempts using the initial tactics.
2024-05-31 00:19:33 theregister MALWARE Malicious Firmware Disables 600,000 Routers in Unexplained Attack
Over 600,000 routers were disabled by a malicious firmware update by unknown attackers, targeting specific models used by a single ISP. The incident, dubbed "Pumpkin Eclipse," occurred between October 25 and 27, 2023, and was investigated by Black Lotus Labs. Affected devices, models T3200 and T3260 from ActionTec, were rendered permanently inoperable, necessitating hardware replacement. The malware identified in the attack, Chalubo, has capabilities for remote access, encryption, DDoS attacks, and script execution, though DDoS was not utilized in this incident. There is currently no known link between this malware attack and any nation-state activities, and this incident has been isolated to routers within a single ASN. The technique used was similar only to the AcidRain wiper case attributed to the Sandworm group, suggesting a rare and sophisticated attack method. The exact method of router compromise remains unclear, with speculations pointing to either exploitation of weak credentials or an exposed administrative interface.
2024-05-30 23:33:34 theregister NATION STATE ACTIVITY OpenAI Disrupts Five Global AI-Driven Influence Operations
OpenAI successfully disrupted five AI-powered covert influence operations aimed at manipulating public opinion and elections. These operations originated from Russia, China, Iran, and a commercial entity in Israel, employing AI to generate diverse content and conduct research. The operations used AI to create fake social media profiles and to translate and edit texts, but failed to significantly engage audiences. Notable operations include "Bad Grammar", focused on Telegram users in Ukraine and the U.S., and "Spamouflage", promoting pro-China sentiments. The effectiveness of these operations was rated as minimal (two out of six) on the Brookings Breakout Scale, with no significant spread among authentic audiences. Errors in AI-generated content, such as model refusal messages included in posts, often exposed the operations. Experts like Thomas Rid of Johns Hopkins express initial surprise at the ineffectiveness of AI in these early disinformation attempts, despite potential future risks. Concerns persist about the broader implications of AI for democratic systems, including sowing distrust and inciting hate, which remain difficult to measure.
2024-05-30 21:51:41 theregister CYBERCRIME US Treasury Highlights High Fraud Risk in NFT Markets
The US Treasury Department has identified NFTs as a significant risk for fraud and scams, noting their easy exploitation due to weak cybersecurity and insufficient user verification on NFT platforms. Despite the potential for misuse, the report clarifies that serious criminal activities such as terrorism financing and drug trafficking are not prevalent in the NFT sphere. NFTs are primarily used by low-level fraudsters for operations like rug pulls, chargeback fraud, and money laundering. The report points out that while NFT platforms facilitate illicit finance due to their lax regulations, they are largely neglected by more organized criminals. The Treasury urges the implementation of stricter regulations and improved corporate and governmental understanding of the NFT sector to prevent misuse. In terms of priority, the report advises that NFT regulation should not divert attention from higher-risk areas but recognizes that proactive measures are needed to curb potential escalation in fraud.
2024-05-30 20:55:29 bleepingcomputer MALWARE Malware Distributed Through Pirated Microsoft Office Installers
Cybercriminals are using cracked versions of Microsoft Office from torrent sites to distribute a variety of malicious software. The malware package includes remote access trojans, cryptocurrency miners, and tools to disable anti-virus programs. AhnLab Security Intelligence Center has highlighted the risks of using pirated software and identified this as an ongoing campaign. The trojanized Microsoft Office installer lets users choose various installation options while a hidden .NET component installs malware in the background. The malware communicates with its operators through legitimate platforms like Telegram and Mastodon to avoid detection and fetches further malicious payloads from Google Drive or GitHub. The installed malware maintains persistence by registering tasks in the Windows Task Scheduler, which reinstall the malware even if it is initially removed. The incident underscores the dangers of downloading software from unreliable sources and the importance of maintaining legitimate software licenses.
2024-05-30 20:40:01 bleepingcomputer MALWARE Malware Botnet Disables 600,000 Routers Across Midwest ISP
In October 2023, a botnet named 'Pumpkin Eclipse' rendered 600,000 small office/home office routers useless, causing extensive internet disruptions across several Midwest states. The affected routers belonged to a single Internet Service Provider (ISP), which saw a 49% drop in operational modems. The malware attack specifically targeted three router models: ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380. Researchers from Black Lotus Labs highlighted that the attack required physical replacement of the devices due to the severity of the damage. Investigations pointed to a second-stage malware payload, 'Chalubo,' which can perform data exfiltration and possibly launch DDoS attacks, though no DDoS activity was observed from this botnet. The attackers possibly exploited a zero-day vulnerability or weak credentials, and the malware operated without a persistence mechanism, meaning a reboot would disrupt its operation. This incident was noted for the specific targeting of hardware within a single ISP's autonomous system and was suspected to be a deliberate malicious action for unknown purposes.