Daily Brief
Find articles below; see 'Details' for the generated summaries
Total articles found: 12769
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2024-08-01 17:53:45 | bleepingcomputer | CYBERCRIME | UK Shuts Down Russian Coms, Major Caller ID Spoofing Operation | The UK's National Crime Agency (NCA) dismantled Russian Coms, a caller ID spoofing platform used by criminals to conduct scam calls internationally.
Russian Coms enabled scammers to appear as trustworthy entities such as banks and law enforcement, thus deceiving victims into transferring funds or revealing sensitive information.
The platform, active since 2021, is linked to substantial financial losses, estimated to have affected around 170,000 victims in various countries including the UK and the US.
Arrests were made in Newham, London, with three men detained, two of whom are suspected to be the platform's developers and administrators.
The scam services were marketed on social media platforms like Snapchat, Instagram, and Telegram, and included features such as encrypted calls and voice changing.
The operation was part of a broader law enforcement effort, "Operation Henhouse," which resulted in 290 arrests and targets crime-as-a-service offerings that promise their customers anonymity but often retain user data that investigators can later seize.
NCA's continued efforts emphasize collaboration with international partners and Europol to tackle cybercrime and arrest offenders utilizing such fraudulent technologies. | Details |
| 2024-08-01 17:12:36 | bleepingcomputer | CYBERCRIME | Over 35,000 Domains Hijacked in Sitting Ducks DNS Attacks | More than 35,000 registered domains have been hijacked through "Sitting Ducks" DNS attacks, which abuse weaknesses in how registrars and DNS providers handle domain delegation.
The weaknesses let an attacker take over a domain's DNS at the provider without ever obtaining the owner's registrar or DNS-provider credentials.
Sitting Ducks attacks are used by Russian cybercriminal groups for spam, scams, malware delivery, phishing, and data exfiltration.
The attack needs three conditions: the domain's authoritative DNS is delegated to a provider other than the registrar, that delegation is lame (the delegated nameservers no longer answer authoritatively for the zone), and the provider lets a new customer create a zone for the domain without verifying ownership.
Variations include partially lame delegations (only some of the delegated nameservers are lame) and redelegation to a different provider, which broadens the set of exposed domains.
Once the domain is claimed, the attacker controls its DNS records and can point the domain at malicious infrastructure in a way the legitimate owner cannot easily reverse, since the registrar-side delegation still looks valid.
GoDaddy and six other DNS providers were identified as exposed to this abuse, and more than 35,000 hijacked domains have been documented since the technique was first observed in use in 2018.
Domain owners and registrars are advised to audit their DNS delegations regularly and to remove lame delegations before an attacker can claim them. | Details |
| 2024-08-01 16:31:38 | bleepingcomputer | DATA BREACH | Cencora Confirms Patient Data Exposed in Cyberattack | Pharmaceutical giant Cencora confirmed that protected health information (PHI) and personally identifiable information (PII) were stolen in a cyberattack reported in February.
The attack exposed patients' sensitive details, including names, addresses, birth dates, health diagnoses, and prescriptions.
Affected data was mostly maintained by a subsidiary that provides patient support services, marking the first recognition of PHI being compromised.
Several major U.S. pharmaceutical companies partnered with Cencora, such as Novartis and Bayer, reported patient information leakage due to the breach.
Cencora's initial announcement in February only indicated personal data theft, with a recent follow-up confirming the additional compromise of health information.
Cencora has not said whether the incident involved ransomware or whether a ransom was paid; the question is open because an unnamed Fortune 50 company reportedly paid a record $75 million to the Dark Angels ransomware gang.
The breach shows how PHI held by a subsidiary, and shared with partner companies, extends the impact of an intrusion well beyond the organization that was attacked. | Details |
| 2024-08-01 15:29:59 | bleepingcomputer | CYBERCRIME | FBI Issues Alert on Crypto Exchange Impersonation Scams | The FBI warns of an increase in scammers posing as cryptocurrency exchange employees to defraud investors.
These fraudsters contact victims via phone or messages, claiming urgent security threats to their accounts.
Scammers typically pressure victims into handing over login credentials, which are then used to drain their crypto accounts.
Victims are advised by the FBI to verify any suspicious communications by contacting the exchanges directly through official channels.
The FBI advises against responding to unsolicited calls or messages, providing personal information, or clicking links supplied by the caller.
It also warns against opening unexpected downloads, which may carry malware designed to steal further information.
This alert follows other FBI warnings about similar scams, including fake law firms and remote job advertisements targeting crypto owners. | Details |
| 2024-08-01 15:09:17 | theregister | CYBERCRIME | Using Precision AI to Combat Sophisticated Cyber Threats | Lee Klarich of Palo Alto Networks argued that AI is essential for countering advanced cyber threats against businesses.
Palo Alto Networks utilizes Precision AI technology across its platforms for real-time, advanced threat detection and prevention.
The company analyzes over 4 billion new events daily, identifying 2.3 million fresh attacks, enhancing their AI models continuously.
AI-driven attack-path analysis is used to prioritize remediation across an estimated 500 million cloud applications.
Some 3,000 detection models are integrated to speed threat recognition and automate response.
A real case was discussed in which Palo Alto's XSIAM platform detected and contained a nation-state attack quickly.
Another customer, Consensus, effectively manages cybersecurity across 400,000 endpoints and 20,000 servers using AI-driven solutions.
The full presentation offers deeper insights into embedding AI in cybersecurity practices and is available for further viewing via a linked video. | Details |
| 2024-08-01 15:09:17 | theregister | DDOS | U.S. Agencies Confirm DDoS Attacks Won't Compromise Voting Systems | The FBI and CISA issued a public service announcement stating that a DDoS attack on election-related websites would not prevent voting or compromise the security of voting systems, a clarification prompted in part by recent IT outages such as the one affecting Microsoft Azure.
Recent disruptions to services such as Microsoft 365 and GitHub Codespaces have raised public concern about the reliability of online systems.
The agencies stressed that a DDoS attack might make voter-information websites temporarily unreachable but cannot alter votes or compromise the election infrastructure itself.
The PSA responded to fears that cybercriminals could mislead the public by claiming their DDoS attacks had disrupted the election process.
Official sources continue to assure the public that DDoS attacks neither prevent voting nor affect vote integrity.
The FBI and CISA have not observed any past incidents where DDoS attacks prevented votes from being cast or impacted vote tabulation.
U.S. citizens are advised to rely only on official sources for election-related information, especially in facing potential misinformation campaigns. | Details |
| 2024-08-01 14:12:56 | thehackernews | CYBERCRIME | Over a Million Domains Vulnerable to 'Sitting Ducks' Hijacking | More than 1 million domains are estimated to be at risk of hijacking through the "Sitting Ducks" technique, which exploits weaknesses in how domains are delegated to DNS providers.
This attack vector has been exploited by more than a dozen Russian-affiliated cyber actors to take control of domains without accessing the domain owner’s account.
Sitting Ducks attacks are noted for their ease of execution, high success rate, and difficulty in detection compared to other domain hijacking methods.
Once hijacked, these domains can be used to distribute malware, send spam, and conduct other malicious activities under the guise of the legitimate owner.
The technique was first documented in 2016, yet remains under-recognized and largely unresolved, with an estimated 35,000 domains hijacked since 2018.
The attacks are enabled by misconfiguration at registrars and authoritative DNS providers, combined with providers that allow a zone to be claimed without proof of ownership.
Researchers urge organizations to check their domains for vulnerabilities and choose DNS providers that offer protection against such hijacks. | Details |
| 2024-08-01 13:37:04 | thehackernews | MALWARE | Hackers Use Stack Exchange to Push Malware in Python Packages | Hackers exploited the Stack Exchange platform to distribute malicious Python packages aimed at cryptocurrency users.
The malware triggered upon installation, compromising the victim's system to steal data, including web browser credentials and crypto wallet information.
Specifically targeting users of Raydium and Solana, the rogue packages were downloaded over 2,000 times before being removed from PyPI.
The malware featured information-stealing capabilities, including the ability to capture screenshots, search for GitHub recovery codes, and exfiltrate data via Telegram bots.
Aside from data theft, a backdoor component provided the attackers persistent remote access to victims' machines for potential further exploits.
The attackers used seemingly helpful but deceptive responses on Stack Exchange to promote their malicious packages, exploiting the platform's credibility.
The incident underscores the vulnerability of community-driven platforms to malware distribution and the potential risks for corporate software ecosystems. | Details |
| 2024-08-01 12:56:11 | thehackernews | MALWARE | New BingoMod Android RAT Targets Banking, Erases Device Evidence | Cybersecurity firm Cleafy identified a new Android RAT, BingoMod, capable of fraudulent money transfers and wiping devices to erase malware traces.
The malware, still under development, is attributed to a Romanian-speaking threat actor based on language cues in the code.
BingoMod exploits accessibility services to perform malicious activities, including stealing credentials and initiating unauthorized transactions.
The remote access features may allow complete device factory resets, enhancing the threat's ability to cover tracks after fraudulent activities.
Identified malicious apps mimic legitimate applications like antivirus tools and a Google Chrome update to deceive users into installation.
BingoMod exposes roughly 40 remote-control functions for real-time interaction, letting a live operator carry out transfers of up to €15,000 per transaction from the infected device.
To evade detection it uses code obfuscation and can uninstall other apps from the device; its fraud capabilities center on real-time screen control and phishing through overlay attacks.
Unlike typical overlay attacks triggered by specific apps, BingoMod's are initiated directly by the malware operator, showcasing sophisticated operator control. | Details |
| 2024-08-01 12:30:33 | theregister | DATA BREACH | Mozilla Joins Google in Distrusting Entrust's TLS Certificates | Mozilla has decided to follow Google's lead by distrusting Entrust as a root certificate authority due to ongoing compliance issues and unsatisfactory responses.
Google had previously dropped Entrust, citing a series of concerning behaviors and unfulfilled improvement commitments over the past six years.
Entrust has attempted to address the concerns with a plan to regain trust, but both Mozilla and Google have found the actions inadequate.
Mozilla cited 22 compliance incidents within just a couple of months and noted that Entrust's new commitments were similar to those made in 2020, which had failed.
Entrust plans to continue in the CA space by partnering with SSL.com, allowing it to operate as a registration authority rather than a certificate authority.
Mozilla will stop trusting new certificates issued by Entrust after November 30, 2024, but will support those issued through Entrust's partnership with SSL.com.
Google's trust cutoff for new Entrust certificates will begin a month earlier than Mozilla's, starting October 31, 2024. | Details |
| 2024-08-01 11:08:45 | thehackernews | MALWARE | Obfuscation Techniques in Malware: Protection and Pitfalls | Obfuscation transforms code so that it is hard to read or analyze while behaving the same (renaming, encoding, inserting redundant logic); it has both protective and malicious uses.
Legitimate software uses obfuscation to shield embedded secrets and intellectual property from tampering and unauthorized access, through methods such as data obfuscation and code encryption.
Malware authors use obfuscation to disguise malicious code so that antivirus products relying on signature-based detection fail to recognize it.
Packers compress or encrypt the real payload behind a small unpacking stub, crypters encrypt it with a key applied only at runtime, and dead-code insertion pads the program with logic that never executes; each of these breaks byte-level signatures.
The dual nature of obfuscation challenges defenders, who need detection methods that go beyond traditional signature matching.
Modern security strategies should therefore combine machine learning, behavioral analysis, and network detection and response (NDR) tools to catch both known and unknown malware.
NDR tools watch for anomalous network behavior rather than file contents, so they can flag obfuscated malware by what it does on the network rather than by how its bytes look. | Details |
| 2024-08-01 09:52:20 | thehackernews | MISCELLANEOUS | Google Chrome Enhances Security with App-Bound Cookie Encryption | Google has introduced app-bound encryption in Chrome to secure cookies on Windows systems.
This layer sits on top of the Windows Data Protection API (DPAPI), which ties encrypted data to the logged-on user but lets any process running in that user's context decrypt it, including info-stealing malware the user was tricked into running.
App-bound encryption routes the key through a privileged service that checks the identity of the requesting application, so a process that is not Chrome cannot get the data decrypted.
This removes the common info-stealer shortcut of simply reading the cookie store: an attacker now needs SYSTEM privileges or must inject code into Chrome, both of which are noisier and more detectable.
This protection currently applies only to cookies, with plans to extend it to passwords and other sensitive data.
Additional recent security updates in Chrome include enhanced Safe Browsing and automated scans for suspicious downloads.
This update follows Google's decision not to eliminate third-party cookies from Chrome, contrasting with efforts by other browsers to reduce dependency on them.
Google states that the new encryption method makes data theft more challenging and conspicuous, aiding defense mechanisms against unauthorized access. | Details |
| 2024-08-01 06:38:34 | thehackernews | CYBERCRIME | Sophisticated Facebook Ads Scam Steals Credit Card Information | A sophisticated scam network targeting Facebook users with ads leading to over 600 fake e-commerce sites has been uncovered.
The sites impersonate well-known brands and lure victims with limited-time discounts through ads that are only reachable from mobile devices.
The campaign, named ERIAKOS, relies on a specific content delivery network to evade detection and has been active in several short-lived waves.
Victims are further reassured by fake Facebook comments, and the merchant accounts behind the sites are registered in China.
Recorded Future's Payment Fraud Intelligence team identified the operation, stressing its design to steal personal and financial data.
This incident is part of a larger trend of cybercriminal networks exploiting social media and ad platforms to conduct credit card theft.
Related cybercrime activities include other networks like BogusBazaar which made over $50 million through similar fraudulent tactics.
Recent findings also involve malvertising campaigns distributing various types of malware, indicating a broad and interconnected threat landscape. | Details |
| 2024-08-01 06:02:51 | theregister | NATION STATE ACTIVITY | Germany Accuses China of Espionage Attack on Federal Mapping Agency | Germany has identified state-controlled Chinese actors as responsible for a 2021 cyber attack on the Federal Office of Cartography and Geodesy (BKG).
The espionage operation began by compromising devices belonging to private individuals and businesses, which were then used in the attack.
German Federal Minister of the Interior Nancy Faeser condemned the attack, labeling it a serious threat to national sovereignty.
Following the incident, Germany summoned China's ambassador to express its strong disapproval of the cyber attacks.
The German government expects China will continue its cyber espionage efforts to support its industrial and technological advancement.
The attack partially compromised BKG's network; after the network was rebuilt, no malware was found on the agency's systems.
Separately, the U.S. is considering further restrictions on AI hardware exports to China to prevent military use, which would affect major HBM makers Samsung, SK hynix, and Micron. | Details |
| 2024-07-31 23:36:03 | theregister | CYBERCRIME | Ransomware Attack Disrupts Blood Supply to Over 250 Hospitals | A ransomware attack targeted OneBlood, a major blood donation organization, affecting its operations significantly.
The attack severely disrupted OneBlood's ability to collect, test, and distribute blood, forcing a fallback to slower manual processes.
Over 250 hospitals across Florida, Georgia, North Carolina, and South Carolina have been instructed to activate critical blood shortage protocols.
National coordination by AABB Disaster Task Force is underway, with blood centers nationwide providing support to OneBlood.
There is an emphasized need for donations, particularly O Positive, O Negative, and platelets due to the decreased inventory availability.
No specifics were given on the recovery timeframe of the encrypted systems, as efforts continue to restore full functionality urgently.
Investigation into the intrusion is ongoing, with cooperation from cybersecurity experts and government agencies, though no information on data theft or ransom demands has been disclosed yet.
The disruption resembles the earlier Qilin ransomware attack on healthcare services, suggesting a possible pattern or repeat offender; whether the same group is involved has not been stated. | Details |
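The two Sitting Ducks entries above describe the preconditions (off-registrar delegation, a lame delegation, and a provider that lets anyone claim a zone) but not how to check for them. The following is an added example, not code from Infoblox, Eclypsium or BleepingComputer: it queries each delegated nameserver directly for the zone's SOA and classifies the delegation as healthy, partially lame or fully lame, then combines that with the other two preconditions. The network layer is abstracted behind a `resolve` callable so the block runs offline on constructed replies; all domain and nameserver names are made up. In production the callable would wrap dnspython (`dns.message.make_query(zone, "SOA")` sent with `dns.query.udp()` to each delegated nameserver, checking `msg.rcode()` and `msg.flags & dns.flags.AA`).

```python
"""Lame-delegation check for the Sitting Ducks preconditions (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class SoaReply:
    """What a direct, non-recursive SOA query to one nameserver returned."""
    rcode: str           # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN", "TIMEOUT"
    authoritative: bool  # AA bit set in the response


# (zone, nameserver hostname) -> reply. Real implementation: dnspython UDP query.
Resolver = Callable[[str, str], SoaReply]


def is_lame(reply: SoaReply) -> bool:
    """A delegated nameserver is lame for a zone if it does not answer
    authoritatively: REFUSED/SERVFAIL/NXDOMAIN, no reply at all, or a NOERROR
    answer without the AA bit (e.g. a recursive resolver relaying cached data)."""
    return reply.rcode != "NOERROR" or not reply.authoritative


def provider_of(ns_host: str) -> str:
    """Registered domain of a nameserver hostname (last two labels). Sufficient
    for the demo; use the public suffix list for real multi-label TLDs."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify_delegation(zone: str, delegated_ns: List[str], resolve: Resolver) -> Dict:
    """Query every delegated nameserver for the zone's SOA and classify."""
    lame = [ns for ns in delegated_ns if is_lame(resolve(zone, ns))]
    if not delegated_ns:
        status = "no-delegation"
    elif len(lame) == len(delegated_ns):
        status = "fully-lame"
    elif lame:
        status = "partially-lame"
    else:
        status = "healthy"
    return {"zone": zone, "status": status, "lame_ns": lame}


def sitting_duck_risk(zone: str, delegated_ns: List[str], registrar_dns_domain: str,
                      resolve: Resolver, unverified_providers: Set[str]) -> Dict:
    """Combine the three preconditions:
    1. DNS delegated to a provider other than the registrar's own nameservers,
    2. that delegation is fully or partially lame,
    3. the provider lets a new customer create the zone without proving ownership
       (not observable via DNS, so passed in as a set of provider domains)."""
    result = classify_delegation(zone, delegated_ns, resolve)
    lame_providers = {provider_of(ns) for ns in result["lame_ns"]}
    off_registrar = {p for p in lame_providers if p != registrar_dns_domain.lower()}
    claimable = off_registrar & {p.lower() for p in unverified_providers}
    if result["status"] in ("fully-lame", "partially-lame") and claimable:
        result["risk"] = "hijackable"
    elif result["status"] in ("fully-lame", "partially-lame"):
        result["risk"] = "lame"  # broken, but no known unverified-claim path
    else:
        result["risk"] = "none"
    result["claimable_at"] = sorted(claimable)
    return result


# Constructed replies standing in for real DNS traffic (not captured data).
CONSTRUCTED_REPLIES: Dict[Tuple[str, str], SoaReply] = {
    # shop.example: both delegated nameservers no longer serve the zone
    ("shop.example", "ns1.cloud-dns.example"): SoaReply("REFUSED", False),
    ("shop.example", "ns2.cloud-dns.example"): SoaReply("REFUSED", False),
    # intranet.example: one nameserver still serves the zone, one does not
    ("intranet.example", "ns1.cloud-dns.example"): SoaReply("NOERROR", True),
    ("intranet.example", "ns2.cloud-dns.example"): SoaReply("SERVFAIL", False),
    # corp.example: healthy, served by the registrar's own nameservers
    ("corp.example", "ns1.registrar-dns.example"): SoaReply("NOERROR", True),
    ("corp.example", "ns2.registrar-dns.example"): SoaReply("NOERROR", True),
    # relay.example: answers, but without AA, so still lame
    ("relay.example", "ns1.cloud-dns.example"): SoaReply("NOERROR", False),
}


def constructed_resolver(zone: str, ns: str) -> SoaReply:
    """Offline stand-in for a real resolver; unknown pairs behave like a timeout."""
    return CONSTRUCTED_REPLIES.get((zone, ns), SoaReply("TIMEOUT", False))


if __name__ == "__main__":
    cloud = ["ns1.cloud-dns.example", "ns2.cloud-dns.example"]
    print(sitting_duck_risk("shop.example", cloud, "registrar-dns.example",
                            constructed_resolver, {"cloud-dns.example"}))
```

The check deliberately treats a NOERROR answer without the AA bit as lame: a delegation that points at a recursive resolver still "resolves" for users today, but the zone is not actually hosted there, which is exactly the state a Sitting Ducks attacker looks for. Run it against your own delegations with the registrar's nameserver domain filled in; anything reported as `partially-lame` or `fully-lame` should be fixed at the registrar before a provider account is opened by someone else.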
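The obfuscation entry above says packers and crypters defeat signature-based detection and that defenders need other signals, without showing why. The following is an added example, not code from The Hacker News or from any vendor: a constructed, inert "payload" text that a made-up byte signature matches, a minimal crypter (compress, then XOR with a repeating key) that hides it from static scanning, an entropy heuristic that still flags the packed blob, and a post-unpack scan standing in for the memory or behavioral inspection the article recommends. Signature names, the payload and the key are all constructed.

```python
"""Packed payload vs. static signatures, entropy and post-unpack inspection (added example)."""
import math
import zlib
from collections import Counter
from typing import Dict, List

# Constructed, inert stand-in for a stage-2 script. It is never executed; it
# only has to contain the strings a naive signature would be written against.
PAYLOAD = b"""# stand-in stage-2 script (inert, constructed for the example)
def collect_wallet_files(paths):
    found = []
    for p in paths:
        if p.endswith('wallet.dat'):
            found.append(p)
    return found

def collect_browser_logins(profile_dir):
    return profile_dir + '/Login Data'

def exfiltrate(data, endpoint):
    return len(data), endpoint
"""

# Constructed byte signatures, as a simple scanner might carry them.
SIGNATURES: Dict[str, bytes] = {
    "Stealer.Generic.WalletGrab": b"collect_wallet_files",
    "Stealer.Generic.BrowserLogins": b"/Login Data",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4-5, compressed/encrypted data near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes) -> bytes:
    """Crypter/packer step: compress first (removes plaintext byte patterns and
    raises entropy), then XOR. A single-byte XOR alone would not change entropy
    because it merely permutes byte values; real crypters compress or use longer keys."""
    return xor_stream(zlib.compress(payload, 9), key)


def unpack(blob: bytes, key: bytes) -> bytes:
    """What the unpacking stub does at runtime; the stub itself carries no signature bytes."""
    return zlib.decompress(xor_stream(blob, key))


def static_scan(sample: bytes, sigs: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Signature-based detection: substring match on the bytes as stored on disk."""
    return [name for name, sig in sigs.items() if sig in sample]


def entropy_flag(sample: bytes, threshold: float = 6.0) -> bool:
    """Crude packer heuristic: a 'script' with more than 6 bits/byte is suspicious."""
    return shannon_entropy(sample) > threshold


def runtime_scan(blob: bytes, key: bytes, sigs: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Behavioral/memory-scan analogue: let the stub unpack, then scan what it produced."""
    return static_scan(unpack(blob, key), sigs)


def demo(key: bytes = b"\x5a\xc3\x19\x7e\x02\xb4\x6d\xf1") -> Dict:
    """Run all three detection views over the plain and the packed sample."""
    packed = pack(PAYLOAD, key)
    return {
        "static_hits_plain": static_scan(PAYLOAD),
        "static_hits_packed": static_scan(packed),
        "entropy_plain": round(shannon_entropy(PAYLOAD), 2),
        "entropy_packed": round(shannon_entropy(packed), 2),
        "entropy_flag_plain": entropy_flag(PAYLOAD),
        "entropy_flag_packed": entropy_flag(packed),
        "runtime_hits_packed": runtime_scan(packed, key),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the run makes concrete: the packed blob matches no signature but its entropy jumps well above the plaintext's, and scanning the bytes the stub produces at runtime recovers both hits. The entropy heuristic is deliberately crude (legitimately compressed resources also score high), which is why the article pairs it with behavioral analysis and NDR rather than replacing signatures with a single new rule.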