Daily Brief
2024-05-27 19:15:01 bleepingcomputer MALWARE TP-Link Resolves Critical Remote Command Execution Vulnerability
TP-Link Archer C5400X gaming router had a critical flaw, CVE-2024-5035, allowing remote attackers to execute arbitrary commands. The vulnerability, scored CVSS v4 10.0, was discovered through binary static analysis by analysts at OneKey. Attackers could inject commands via TCP ports 8888, 8889, and 8890 due to improper input sanitization in the 'rftest' service. Exploiting the flaw could enable attackers to alter DNS settings, intercept data, and access internal networks. TP-Link released a patch on May 24, 2024, addressing this issue in firmware version 1.1.7, which filters out shell metacharacters. Users are urged to update their routers immediately to avoid potential security breaches. The patch was developed after the initial report to TP-Link’s PSIRT on February 16, 2024, with a beta patch being prepared by April 10, 2024.
2024-05-27 18:24:03 bleepingcomputer CYBERCRIME Check Point VPNs Targeted in Latest Cyberattack Campaign
Threat actors target Check Point VPN devices to infiltrate enterprise networks, utilizing outdated authentication methods. Check Point advises against using local VPN accounts with password-only authentication, encouraging adoption of certificate-based security. Recent reports indicate unauthorized VPN access attempts using obsolete account details; a hotfix to forcibly improve authentication methods has been released. Attackers focus on Quantum Security Gateway, CloudGuard Network, and Mobile/Remote Access VPN applications. The warning follows similar alerts from other major tech firms like Cisco, indicating a broader pattern of VPN-oriented cyberattacks. Cisco devices have similarly faced attacks originating from TOR exit nodes and masked by anonymization tools. Cisco also reports malware-driven brute-force incidents and state-sponsored exploits targeting its network products for espionage. VPN users are urged to enhance security by updating authentication protocols and eliminating vulnerable accounts.
2024-05-27 17:02:36 theregister MISCELLANEOUS Implementation of Biden's AI Executive Order Shows Progress
President Biden's executive order from October emphasizes safe AI usage in federal agencies, focusing on mitigating risks and establishing security standards. Former Pentagon deputy CIO, Rob Carey, reports that the implementation of this AI order is progressing well, with agencies aligning with outlined specifications. Most government agencies have appointed a chief data officer and developed comprehensive data management plans to comply with the executive order. The executive order serves as a guideline rather than strict rules, offering guardrails for ongoing projects within federal agencies. Carey highlighted the importance of these guidelines in preventing the deployment of unreliable AI systems, like those that might misidentify individuals or erroneously deny services. The White House remains committed to the advancement of trustworthy and secure AI technologies in federal operations.
2024-05-27 14:50:13 bleepingcomputer DATA BREACH Sav-Rx Reports Data Breach Impacting 2.8 Million Customers
Sav-Rx, a pharmacy benefit management company, suffered a data breach in October 2023, affecting 2.8 million people in the USA. The cyberattack initially disrupted the company's network on October 8, 2023, but systems were quickly secured and restored by the following day. Despite quick system recovery, the breach exposed personal data, and the full scope was only understood after an eight-month investigation concluded on April 30, 2024. The data compromised included sensitive personal information, raising concerns about potential identity theft among the affected individuals. Sav-Rx implemented new security measures post-breach, including a 24/7 security operations center and multi-factor authentication. The company provided two years of credit monitoring and identity theft protection service to all impacted parties. Sav-Rx alerted its health plan customers between April 30 and May 2, 2024, and subsequently notified affected individuals.
2024-05-27 12:17:04 thehackernews CYBERCRIME Moroccan Cybercrime Group Exploits Gift Card Protocols for Profit
A Moroccan cybercrime group, Storm-0539, also known as Atlas Lion, is conducting gift card fraud, stealing up to $100,000 daily from various companies. Microsoft highlighted the group's use of sophisticated email and SMS phishing attacks to bypass multi-factor authentication and steal digital gift card values. Targets include major retailers, luxury brands, and fast-food chains, with criminals selling stolen gift cards at discounted rates on the black market. The group has evolved from deploying malware on point-of-sale devices to exploiting cloud-based gift card services and carrying out extensive reconnaissance within victims' cloud environments. Tactics include the creation of fraudulent gift cards, modifying email addresses on unredeemed gift cards, and the use of internal company mailing lists for distribution of phishing attacks. Increased vigilance by companies, including monitoring suspicious logins and enhancing authentication processes, is advised to protect against such threats. Storm-0539 uses legitimate compromised emails to add authenticity to its phishing messages and further employs deceit by setting up fake non-profit accounts on cloud platforms to remain undetected.
2024-05-27 11:51:23 thehackernews CYBERCRIME Exploring Efficient Phishing Attack Protections and Solutions
Phishing attacks are increasingly commonplace due to shifts to cloud technology, inadequate password management, and advances in webpage design. Security measures like email protection, firewall implementation, and workforce education have been deployed but phishing remains a significant threat. The LayerX report provides insights into current phishing trends and evaluates organizational defenses against such cyber threats. The study suggests implementing a browser security platform to effectively block phishing attacks that bypass other security layers. This platform acts directly at the potential point of attack—the browser—by detecting malicious pages, preventing password theft, and terminating unsafe sessions. It also offers deep session inspection, allowing for real-time surveillance, monitoring, and enforcement of security policies. LayerX's analysis highlights the necessity for IT and security professionals to incorporate browser-based security technologies into their phishing defense strategies.
2024-05-27 09:03:22 thehackernews CYBERCRIME Phishing Techniques Evolve: Cloudflare Workers and HTML Smuggling
Phishing campaigns are increasingly using Cloudflare Workers to create adversary-in-the-middle (AitM) phishing sites targeting major email and webmail providers like Microsoft and Gmail. Netskope discovered that these phishing attacks primarily affected sectors such as technology, financial services, and banking across Asia, North America, and Southern Europe. Attackers use HTML smuggling to assemble phishing pages on the victim’s side, evading detection by circumventing security measures. Phishing sites prompt victims to enter their Microsoft credentials to access a supposed PDF document, capturing both credentials and multi-factor authentication (MFA) codes. The campaigns utilize a modified open-source Cloudflare toolkit to intercept and collect data from victims' web requests. The use of Generative AI (GenAI) by cybercriminals is on the rise, helping them craft more convincing phishing emails and create malware-laden file attachments designed to overwhelm security scans. Cybersecurity experts have identified an increase in DNS tunneling techniques used in phishing campaigns to track victim interactions and scan for network vulnerabilities. The sophistication of phishing tools and techniques necessitates more stringent and advanced cybersecurity measures to protect against evolving threats.
2024-05-27 06:35:47 thehackernews NATION STATE ACTIVITY Pakistan-Linked Hackers Target Indian Government and Defense
The Transparent Tribe group, associated with Pakistan, has launched cyber attacks on India’s government and defense sectors. These attacks employ sophisticated malware developed in Python, Golang, and Rust and are delivered primarily through spear-phishing campaigns. BlackBerry Research reported the activity spans from late 2023 to April 2024 and targets three key firms in Bengaluru involved with the Department of Defense Production. Malicious tools used include various RATs and information gatherers like GLOBSHELL and PYSHELLFOX, adapting over years to evade detection and enhance efficacy. The malware exploits reputable online services such as Discord and Google Drive to orchestrate command and control communications. Attack methods observed include the use of malicious links, ZIP archives, and ISO images, exploiting India’s reliance on Linux-based systems. Persistent threats from Transparent Tribe highlight a critical ongoing risk to India's national security infrastructure with potential espionage motives.
2024-05-27 03:02:11 theregister DATA BREACH Major Pharma Companies Hit by Cencora Data Breach Incident
In February 2024, Cencora, a significant US drug wholesaler previously known as AmerisourceBergen, suffered a data breach impacting over a dozen major pharmaceutical companies. Affected companies including Bayer, GlaxoSmithKline, Novartis, and others have begun reporting data losses to the California Attorney General, linking the breach to the theft of personal and health-related information. Compromised data may include names, addresses, birth dates, health diagnoses, and prescription details; there is currently no evidence of misuse or public disclosure of the stolen data. The number of individuals affected remains unclear, as companies are not mandated to disclose specific numbers of affected individuals to the California Attorney General. Cencora disclosed the breach in a February SEC filing but stated that it has not materially impacted its operations or financial condition, though the full consequences are still being evaluated. Additionally, cybersecurity vulnerabilities elsewhere include recent Chrome zero-day exploits and critical flaws found in VMware storage controllers potentially affecting system security through denial-of-service attacks or code execution. The U.S. Environmental Protection Agency (EPA) also reported critical cybersecurity failures in over 70% of inspected U.S. water systems, highlighting an increased risk of cyber attacks on national infrastructure.
2024-05-26 14:20:11 bleepingcomputer MALWARE Hackers Use Minesweeper Game Clone to Deploy Malware in Financial Sector
Hackers are utilizing a Python clone of the Minesweeper game to camouflage malicious scripts targeting financial organizations in Europe and the U.S. The attack is executed through phishing emails impersonating a medical center, inducing recipients to download a malware-laden .SCR file. Malicious code within the file downloads additional scripts that install SuperOps RMM, a legitimate remote management software abused to gain unauthorized access. At least five breaches in financial and insurance institutions have been linked to this malware deployment tactic. The Minesweeper game code is used to mask the malicious payload, deceiving security systems into treating the download as harmless. SuperOps RMM presence or related network activity in non-client systems should be treated as indicators of a security breach. Ukrainian cybersecurity agencies have identified the threat actor as 'UAC-0188' and have provided additional indicators of compromise for organizational defense.
2024-05-25 15:18:50 bleepingcomputer MALWARE Malvertising Campaign Targets New Arc Browser Windows Launch
A malvertising campaign exploited Google Ads during the Windows launch of the Arc web browser, leading users to download malware-infected installers. Cybercriminals set up advertisements that appeared legitimate and used URLs similar to the Arc browser's genuine site to deceive users. Clicking on these deceptive ads redirected users to typo-squatted domains where trojanized installers were downloaded. These installers fetched additional harmful payloads, including a file named 'bootstrap.exe' that commanded further malicious operations. Malwarebytes identified another infection method involving a Python executable that manipulated system processes to execute harmful commands. The final payload suspected in these attacks is an information-stealing malware, although definitive identification hasn't been confirmed. Although the genuine Arc browser installed correctly, the malicious operations proceeded unnoticed in the background. The report highlighted the continuous effectiveness of using high-profile software launches to distribute malware and emphasized the need for cautious downloading practices.
2024-05-25 14:12:32 bleepingcomputer CYBERCRIME Indian Hacker Steals $37 Million Using Phony Coinbase Site
An Indian man, Chirag Tomar, pleaded guilty to wire fraud conspiracy involving over $37 million stolen via a counterfeit Coinbase Pro website. Tomar was apprehended at Atlanta airport on December 20, 2023, following joint investigations led by the U.S. Secret Service and the FBI in Nashville. The fraudulent activity began in June 2021 when Tomar, along with accomplices, set up a fake website mimicking Coinbase Pro to phish for user credentials. Victims were deceived into entering their login details and two-factor authentication codes into the fake site, thinking they were accessing their real Coinbase accounts. Fraudsters also tricked victims into installing remote desktop software under the guise of Coinbase customer support, gaining direct access to their computers and subsequently their genuine Coinbase accounts. The scammers converted the stolen cryptocurrency into various forms or cash and distributed the proceeds among themselves. Proceeds from the criminal activity were used by Tomar to fund an extravagant lifestyle, purchasing luxury cars, high-end watches, and international trips. Tomar faces up to 20 years in prison and a fine of $250,000, with his sentencing date pending.
2024-05-25 13:31:45 bleepingcomputer DATA BREACH Major Data Breach at Cencora Impacts Multiple Pharma Firms
In February 2024, Cencora, a major pharmaceutical services provider, experienced a significant data breach impacting the personal information of US patients. Eleven major pharmaceutical companies, later revised to include three additional firms, were affected by the breach due to their partnership with Cencora. The breach was first disclosed by Cencora in a Form 8-K filing with the SEC, noting unauthorized access to their systems and data exfiltration. Information exposed includes full names, addresses, health diagnoses, medications, and prescriptions. There's no current evidence that the stolen data has been publicly disclosed or used for fraudulent purposes. Cencora has offered two years of free identity protection and credit monitoring services to affected individuals through Experian. The company has not publicly revealed the extent of the breach or the number of individuals affected, and has declined further comment beyond a recent news release.
2024-05-25 09:17:39 thehackernews CYBERCRIME Critical Security Flaw Detected in AI Service Could Expose Sensitive Data
Cybersecurity experts discovered a critical flaw in the AI-as-a-service provider Replicate, allowing potential access to customer AI models and sensitive information. The vulnerability involved the exploitation of AI model packaging methods that could enable arbitrary code execution and cross-tenant attacks. Security researchers successfully demonstrated remote code execution via a malicious model uploaded to Replicate, leveraging elevated privileges on the platform. An associated TCP connection and a central Redis server were manipulated to insert rogue tasks, risking the integrity and reliability of other customers' AI outputs. Attack techniques could potentially expose proprietary knowledge, sensitive data, and personally identifiable information used in training AI models. The flaw was responsibly disclosed to Replicate in January 2024 and has been subsequently addressed with no evidence of exploitation in the wild. This incident underscores ongoing security risks in AI platforms, highlighting the potential misuse of malicious models to access and manipulate sensitive data across tenants.
2024-05-24 23:28:11 theregister MISCELLANEOUS Political Consultant Indicted for Anti-Biden Deepfake Robocall
Steven Kramer, a 54-year-old political consultant from New Orleans, has been indicted on 13 felony counts of voter suppression and 13 misdemeanor counts related to impersonation of candidate Joe Biden. Kramer created a deepfake robocall using AI to clone Biden's voice and used caller ID spoofing; he spent $500 on the complete operation and notably $150 on the deepfake component. The robocall was aimed at suppressing voter turnout in the New Hampshire Democratic primary by discouraging Biden supporters from voting, purportedly to boost House Rep Dean Phillips' (D-MN) candidacy. More than 5,000 voters received the deceptive call, which Kramer claimed was a significant political tactic for a low budget. The FCC has proposed a first-of-its-kind $6 million fine against Kramer for election misinformation and unlawful call spoofing, marking a major enforcement effort in tackling deceptive political communications. The case highlights regulatory responses to new forms of election interference, including the misuse of artificial intelligence and digital communications technologies. Both the New Hampshire Attorney General and the FCC have taken actions signaling strong deterrent measures against anyone considering similar tactics to influence election outcomes.