Daily Brief

Total articles found: 12773

Checks for new stories every ~15 minutes
2024-08-05 06:10:20 | thehackernews | CYBERCRIME | Critical Security Vulnerability Found in Rockwell Automation Devices
A severe security bypass vulnerability, CVE-2024-6242, was discovered in Rockwell Automation ControlLogix 1756 devices; it allows unauthorized access and command execution. The flaw, with a CVSS v3.1 score of 8.4, permits attackers to bypass the device's Trusted Slot feature and execute hazardous CIP commands. CISA issued an advisory noting that exploiting this flaw allows attackers to alter user projects and device configurations on ControlLogix controllers. Security research company Claroty, which discovered the vulnerability, found that it lets attackers sidestep security measures and send malicious commands directly to the PLC CPU. The Trusted Slot feature, designed to enforce security policies and control communication, can be circumvented, allowing attackers to transmit commands across local backplane slots and effectively breach the security perimeter. Although exploiting this vulnerability requires network access to the affected device, an attacker with such access can send high-level commands and download logic to the PLC CPU. The vulnerability has been patched following responsible disclosure; updates are available in newer versions of the software.
2024-08-05 05:19:12 | theregister | NATION STATE ACTIVITY | China Initiates Testing for National Cyber-ID System Early
China has launched a pilot of a new national cyberspace ID system involving 81 apps, including major platforms such as WeChat and Taobao. The cyberspace ID system uses facial recognition and real-name verification to link physical and online identities. It is designed to remove the requirement for Chinese citizens to provide personal information directly to internet service providers. The ID system will centralize data retention, transferring that responsibility from individual ISPs to the government. Although the scheme is still open for public comment until August 25, beta testing has already commenced. Concerns have been raised about reduced privacy, with significant criticism from legal experts and members of the public. A lawsuit has been filed arguing that the ID system should not be implemented before it is officially enacted following the public consultation.
2024-08-05 04:58:40 | thehackernews | MALWARE | New "BlankBot" Trojan Targets Turkish Android Users' Financial Data
A new Android banking trojan named BlankBot has been discovered targeting the financial data of users in Turkey. BlankBot's malicious capabilities include custom injections, keylogging, and screen recording, and it communicates with a command-and-control server via WebSocket. The trojan abuses Android's accessibility services to gain extensive control over infected devices, allowing it to execute a variety of malicious actions. Its features include harvesting bank account credentials, intercepting SMS messages, uninstalling applications, and accessing contact lists and installed apps. It uses a session-based package installer to bypass Android 13's restrictions on sideloaded apps requesting dangerous permissions. The malware is still under active development, with multiple code variants observed in different applications, suggesting ongoing refinement by its developers. Separately, Google is enhancing measures to counter cell-site simulators and SMS Blaster fraud, adding options to disable 2G connections and improving network security alerts for users.
2024-08-05 04:17:52 | thehackernews | MALWARE | China-Linked Hackers Use ISP to Push Malicious Software Updates
Evasive Panda, a cyber espionage group linked to China, compromised an ISP to distribute malicious software updates. The attack targeted various companies in mid-2023, using sophisticated methods to push malware through software update mechanisms. The group employed multiple types of malware, including MgBot and MACMA, affecting both macOS and Windows systems. The recent operations involved DNS poisoning attacks to manipulate automatic software updates, particularly targeting insecure HTTP update mechanisms. Researchers identified the misuse of legitimate hostnames for command-and-control communications as part of the malware delivery process. Volexity, a cybersecurity firm, reported the issue and has notified the affected ISP to help mitigate the DNS attack. The attack also included deploying a malicious Google Chrome extension designed to steal browser cookies on compromised macOS devices. This incident highlights the ongoing trend of exploiting supply chain weaknesses to conduct espionage and gather sensitive data.
2024-08-05 02:05:30 | theregister | MALWARE | Google Ads Used to Disseminate Fake Authenticator Malware
Scammers exploited Google's advertising services to promote a malicious, fake version of Google Authenticator. Malwarebytes researchers identified the deceptive ads, which appeared to originate from a Google-approved and verified domain. Users were redirected several times before landing on a site hosting the fraudulent app on GitHub, which enhanced its perceived legitimacy. Russian-language elements found on the download site hint at the geographical origin of the attack, though specific attribution remains unclear. Industry experts warn against downloading software directly from advertisements to avoid similar security risks. The increase in AI-generated emails, which account for 40% of business email compromise cases, points to growing sophistication in cyber-attacks. CISA has responded to rising AI threats by appointing its first Chief Artificial Intelligence Officer, Lisa Einstein, to focus on both leveraging AI for threat detection and guarding against AI-driven threats. Significant arrests in Toronto related to SIM swapping highlight ongoing challenges in cybercrime enforcement and prevention.
2024-08-04 14:18:54 | bleepingcomputer | MALWARE | Global Surge in Magniber Ransomware Targets Home Users
A large-scale Magniber ransomware campaign is ongoing, targeting the devices of home users worldwide and demanding ransoms. The ransomware encrypts files and demands payments of up to $5,000 in Bitcoin; the demand increases if payment is not made within three days. Magniber was first identified in 2017 and is known for using deceptive methods such as fake updates and trojanized software to distribute malware. Victims are typically infected by downloading and running malicious software such as cracks and key generators. Reports of attacks have increased significantly since July 20, 2024, with numerous victims seeking assistance on specialized forums. No existing decryptors are effective against the latest versions of Magniber, leaving affected users unable to recover their files for free. BleepingComputer advises against the use of software cracks and key generators because of the high risk of malware and ransomware infection.
2024-08-03 15:19:39 | bleepingcomputer | MALWARE | New SLUBStick Linux Attack Bypasses Modern Kernel Defenses
Researchers from Graz University of Technology uncovered a new cross-cache attack, dubbed SLUBStick, affecting the Linux kernel. The attack exploits existing heap vulnerabilities to achieve arbitrary memory read-and-write capabilities with a 99% success rate. SLUBStick can bypass major kernel defenses including SMEP, SMAP, and KASLR, leading to potential privilege escalation and container escapes. The technique impacts multiple Linux kernel versions, notably 5.9 and 6.2, on both 32-bit and 64-bit systems. The attack, which will be detailed at the upcoming Usenix Security Symposium, uses a timing side channel to predict and manipulate memory chunk reuse. SLUBStick's effectiveness in converting heap flaws into exploitable conditions could lead to significant security breaches on affected systems. Full technical details and usage scenarios are available in a paper published by the researchers, intended to help with understanding and mitigating the technique.
2024-08-03 14:13:17 | bleepingcomputer | MALWARE | Chinese Hackers Use ISP Flaw to Deploy Malware via Software Updates
StormBamboo, a Chinese cyber-espionage group, infiltrated an ISP to tamper with software updates. The group exploited weak HTTP update mechanisms that lack digital signature validation to install malware on devices. DNS poisoning redirected victims' update requests to malicious IP addresses, where malware was installed without user interaction. The malware included backdoors such as MACMA and POCOSTICK, and a malicious Chrome extension called ReloadText. The malicious extension was used to steal browser cookies and mail data from compromised systems. Volexity, a cybersecurity firm, detected the breach and collaborated with the ISP to halt the DNS poisoning by taking network components offline. Similar methods were employed in subsequent attacks on international NGOs and organizations in Taiwan, using new malware variants.
2024-08-03 10:08:51 | theregister | MISCELLANEOUS | DARPA's Initiative to Convert C Code to Rust Using AI
The US Defense Advanced Research Projects Agency (DARPA) is developing TRACTOR (TRanslating All C TO Rust), a project aimed at converting legacy C code into Rust using AI to improve memory safety. Memory safety issues, such as buffer overflows, account for most of the major vulnerabilities found in large codebases; Rust provides memory safety by design. The AI-powered translation project reflects a broader consensus in the software engineering community and supports directives from the Office of the National Cyber Director on secure coding practices. Despite the potential gains, converting C to Rust remains challenging: automated translations risk inaccuracies, and C-specific constructs that have no direct Rust equivalent must be adapted. Private sector efforts, including those from Prossimo and Code Metal, illustrate growing support for securely rewriting critical software components originally written in C. DARPA's initiative aligns with the movement in cybersecurity toward memory-safe languages like Rust to replace or supplement C and C++ in critical applications. DARPA plans to host a proposal submission event for the TRACTOR project on August 26, 2024, which requires prior registration.
2024-08-03 09:12:45 | thehackernews | DATA BREACH | U.S. Agencies Sue TikTok Over Violations of Children's Privacy Laws
The U.S. Department of Justice and the Federal Trade Commission have filed a lawsuit against TikTok for significant violations of children's privacy laws. TikTok is accused of knowingly allowing children to create accounts, thereby exposing them to potential interactions with adults and adult content on the platform. The lawsuit highlights TikTok's practice of illegally collecting and retaining children's personal data without parental consent, in violation of the Children's Online Privacy Protection Act (COPPA). TikTok allegedly breached a 2019 consent order which required the platform to notify parents before collecting data from children and to delete videos posted by users under 13 years old. Despite offering a "Kids Mode", TikTok supposedly collected email and other personal information from children under 13 without following legal requirements. TikTok's account review process, which allegedly takes only five to seven seconds per account, fails to effectively prevent children under 13 from bypassing age restriction measures. The complaint links TikTok to problematic data practices, including extensive data collection aimed at targeted advertising and inadequate enforcement of account deletion requests from parents. Despite facing significant penalties in Europe for similar violations, TikTok disputes the allegations, describing them as outdated or inaccurately represented.
2024-08-03 04:02:33 | thehackernews | DDOS | Hackers Launch DDoS Attacks on Misconfigured Jupyter Notebooks
Cybersecurity researchers discovered a DDoS attack exploiting misconfigured Jupyter Notebooks. The attack, named Panamorfi, uses mineping, a Java tool originally designed for Minecraft. Attackers start the attack by running wget commands to download malicious Java files from a file-sharing site. Compromised Jupyter Notebooks are then used to flood target servers with TCP connection requests, overloading them. Attack outcomes and updates are systematically reported to a Discord channel via bots. The threat actor associated with these attacks is identified as yawixooo, who is active on GitHub. The incident underscores the ongoing security risk posed by internet-exposed Jupyter Notebooks, which have previously been targeted for other cybercrimes such as cryptocurrency mining.
2024-08-02 20:50:01 | bleepingcomputer | DATA BREACH | U.S. Government Files Privacy Lawsuit Against TikTok
The U.S. Department of Justice has sued TikTok and its parent company ByteDance for alleged violations of the Children's Online Privacy Protection Act (COPPA). TikTok is accused of collecting personal information from children under 13 years old without obtaining parental consent. The lawsuit highlights that TikTok allowed children to create accounts outside the dedicated "Kids Mode" and did not adequately work to disable or delete these accounts. According to the DOJ, TikTok also failed to delete children's data upon parental request, contrary to legal requirements under COPPA. The complaint asserts that TikTok misrepresented its data collection practices to parents and users, inadequately informing them about how collected data was being used. The DOJ seeks civil penalties and injunctive relief to prevent further violations and enforce stricter data privacy measures. TikTok responded by expressing pride in its efforts to protect children and disagreed with the allegations, describing many of them as based on inaccuracies or outdated practices.
2024-08-02 18:37:40 | bleepingcomputer | MALWARE | Malicious Facebook Ads Trap Users with Fake AI Editing Tools
A malvertising campaign on Facebook targets individuals searching for AI image editing tools, leading to credential theft. Attackers create fake websites mimicking legitimate AI tools, deceiving users into downloading information-stealing malware. The campaign begins with phishing messages directed at Facebook page owners, luring them to counterfeit account protection pages. Upon gaining access to user credentials, attackers hijack social media accounts to post and promote malicious content using paid ads. Victims are tricked into installing what appears to be legitimate software but is, in fact, a remote desktop tool used to deploy Lumma Stealer malware. The malware harvests sensitive data such as credentials, cryptocurrency wallets, and password manager databases, which are sold or used in further scams. The incident highlights the necessity of enabling multi-factor authentication and educating users on recognising phishing attempts and suspicious links. Researchers point to similar previous campaigns that compromise user security and promote fraudulent activity through seemingly legitimate channels.
2024-08-02 17:31:16 | bleepingcomputer | CYBERCRIME | U.S. and German Authorities Crack Down on Cryptocurrency Laundering Site
U.S. and German law enforcement agencies have seized the domain of Cryptonator, a cryptocurrency wallet platform implicated in laundering ransom payments and processing transactions from darknet marketplaces. According to the U.S. Department of Justice, Roman Boss, the operator of Cryptonator, faces charges of money laundering and running an unlicensed money service business. Cryptonator, established in 2014, lacked proper anti-money laundering controls, facilitating transactions for anonymous and pseudonymous users engaged in illicit activities. Investigations link transactions from the Cryptonator wallet to sanctioned entities and illegal operations such as Hydra Market, Blender.io, and possibly an unknown terrorist organization. The platform, known for minimal KYC requirements, required only an email address and password for account creation, contrary to stringent anti-money laundering regulations. Roman Boss is accused of knowingly enabling and discussing the integration of cryptocurrencies popular on darknet markets, as well as providing API keys that gave criminal services access to the platform. The crackdown is part of a broader effort involving multiple U.S. agencies, including the FBI, IRS:CI, and the National Cryptocurrency Enforcement Team, alongside German authorities.
2024-08-02 16:45:14 | theregister | NATION STATE ACTIVITY | Israeli Hacktivist Group Claims Sabotage of Iran's Internet
An Israeli hacktivist collective, WeRedEvils, has publicly taken responsibility for disrupting internet services across Iran. They announced their intention to target Iranian systems and providers shortly before the outage occurred. The attack allegedly involved infiltrating Iran's computer infrastructure, leading to data theft and significant internet disruptions. WeRedEvils claims to have transferred the stolen data to the Israeli government as part of its cyber warfare efforts. Several Iranian ministry websites, including that of the Ministry of Information and Communications Technology, were reported as down or inaccessible. The group's aggressive cyber activities have drawn attention from Israeli authorities, resulting in the arrest of some members by the Israeli Security Agency for espionage. WeRedEvils describe themselves as "warriors without uniform" and use rhetoric suggesting a continuous assault against Iranian interests. The full extent and actual impact of WeRedEvils' operations remain uncertain because of Iran's opaque reporting on internal cyber incidents.