Daily Brief
| Date (UTC) | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-07-31 20:21:33 | bleepingcomputer | MISCELLANEOUS | DigiCert Delays TLS Certificate Revocation for Critical Infrastructure | DigiCert has initiated a mass revocation of TLS certificates due to non-compliance with domain control verification. Approximately 6,807 customers are affected, needing to reissue 83,267 certificates within a strict 24-hour deadline set for July 31, 19:30 UTC. Critical infrastructure operators may request a revocation delay if immediate reissue and deployment of certificates are unfeasible, to prevent disruption of essential services. The certification issue originated from a system update in August 2019, with the underlying problem identified and corrected on June 11, as part of a project to enhance user experience. DigiCert is accommodating exceptions by engaging with browser representatives to allow additional time under exceptional circumstances where necessary. All impacted certificates must eventually be revoked by August 3, 2024, at 19:30 UTC, as part of compliance measures. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued warnings and guidance regarding the revocation, emphasizing the urgency of certificate reissue or rekeying by the deadline. | Details |
| 2024-07-31 18:18:54 | bleepingcomputer | RANSOMWARE | Ransomware Attack Disrupts OneBlood's Operations, Affects Hospitals | OneBlood, a major not-for-profit blood center in the U.S., experienced a ransomware attack, leading to an IT systems outage. The attack compromised the organization's VMware hypervisor infrastructure, encrypting its virtual machines and affecting operations. Due to the cyberattack, OneBlood has resorted to manual processes, slowing down its ability to collect, test, and distribute blood. Over 250 U.S. hospitals reliant on OneBlood for blood supplies have been advised to implement critical shortage protocols. A national coalition and the AABB Disaster Task Force are coordinating to reroute blood donations to mitigate the impact on OneBlood's service areas. OneBlood continues to operate at reduced capacity and urges donations of O Positive, O Negative, and Platelets, which are urgently needed. The ransomware attack occurred over a weekend, a common tactic as fewer staff are available to counteract the intrusion immediately. OneBlood is collaborating with local and federal agencies to address the situation and plans to provide credit monitoring services to individuals potentially impacted by the data exposure. | Details |
| 2024-07-31 17:53:05 | bleepingcomputer | DDOS | CISA, FBI Confirm DDoS Attacks Won't Compromise 2024 Election Integrity | CISA and the FBI assure that DDoS attacks on U.S. election infrastructure will not affect the security or integrity of the 2024 general election. Despite potential disruptions to public information access, core voting processes and results transmission remain secure. Authorities clarify that DDoS attacks might affect peripheral services like voter look-up tools but will not prevent voting. Official guidance emphasizes sourcing election information from state and local authorities if primary websites are down. Voters are encouraged to report any suspicious activities, including potential cyber threats, to the FBI. CISA and the FBI's ongoing collaboration ensures the election infrastructure is safeguarded against both physical and cyber threats. The public is reassured that while DDoS attacks are likely, they will not influence election security or outcomes. | Details |
| 2024-07-31 17:47:45 | bleepingcomputer | MALWARE | Malicious Google Ads Lead Users to Download Malware | Google's ad platform was exploited to promote a fake Google Authenticator site, distributing DeerStealer malware. Malwarebytes discovered a new malvertising campaign in which threat actors used legitimate-looking ads to masquerade as the Google Authenticator download page. The deceptive ads displayed URLs mimicking Google's domain, increasing their perceived legitimacy and effectively tricking users. Upon clicking these ads, users are redirected through several pages to fake sites that closely resemble official Google portals. The final landing page urges users to download "Authenticator.exe," a malware executable carrying a credible-looking code-signing signature to disguise it as legitimate. Once executed, the downloaded malware steals various sensitive data such as browser credentials and cookies. To mitigate such threats, users are advised to avoid clicking on ads for software downloads, use ad blockers, and verify URLs and domains before downloading any software. | Details |
| 2024-07-31 16:41:05 | theregister | MALWARE | Google Enhances Chrome's Security to Block Malware Cookie Theft | Google has updated Chrome to enhance the security of sensitive data on Windows, combating infostealer malware targeting cookies. Chrome version 127 introduces app-bound encryption, which links encrypted data to specific applications, preventing other apps from decrypting the data. This form of encryption requires attackers to attain higher system privileges or inject code into Chrome, actions likely to be flagged by antivirus software. The new security feature builds upon previous measures like device-bound session cookies, which tie user sessions to specific devices, rendering stolen cookies useless on other devices. Google aims to extend this technology to protect other types of sensitive information such as authentication tokens, passwords, and payment data in future updates. The recent security improvements also include enhancements to the Chrome downloads UI, providing more detailed explanations of why downloads are blocked to enhance user understanding and safety. While the encryption offers strong security on single devices, it may pose challenges for business users who work across multiple devices; Google advises following best practices or policy settings for those scenarios. | Details |
| 2024-07-31 16:35:41 | bleepingcomputer | CYBERCRIME | World's Largest Silver Producer Targeted in Cyberattack | Fresnillo PLC, a major miner and the largest global silver producer, acknowledged that its IT systems were compromised in a cyberattack. During the incident, unauthorized parties accessed certain data, though specific details about what was taken or exposed have not been released. Immediate response measures were undertaken to contain the breach, involving Fresnillo's IT team and external forensic experts. Operations remain unaffected by the incident, with no anticipated material or financial impact as per the company's assessment. Fresnillo remains steadfast in its approach to cybersecurity, with ongoing investigations to mitigate any potential threats. The company possesses extensive mining operations and exploration projects across Mexico, Peru, and Chile and is listed on both the London and Mexican stock exchanges. | Details |
| 2024-07-31 16:25:07 | bleepingcomputer | MALWARE | New 'BingoMod' Android Malware Drains Bank Accounts and Wipes Devices | Researchers have discovered a new Android malware called 'BingoMod' which is capable of wiping devices after draining bank accounts through fraudulent transactions. The malware, distributed through smishing (SMS phishing) while disguised as legitimate security applications, abuses Android's Accessibility Services to gain extensive control over the device. BingoMod employs a technique known as on-device fraud (ODF) to perform almost real-time transactions by capturing screen content and executing remote commands. Advanced features include intercepting SMS messages, stealing login credentials, and enabling screen-casting to deceive anti-fraud systems. To remain undetected, BingoMod features code obfuscation and evasion tactics; it also possesses the capability to uninstall security apps and block certain apps by remote command. After a successful fraudulent transfer, the malware can wipe the device by removing all data from external storage; a complete device reset can also be executed via remote access. BingoMod is still under active development, and its code suggests it may be the work of a Romanian coder, possibly with international collaboration. | Details |
| 2024-07-31 15:08:20 | theregister | CYBERCRIME | Enhancing Cybersecurity Through AI: Insights from Palo Alto Networks | AI development is rapidly increasing, with expectations to reach 1 billion users by 2029. Cybercriminals are also utilizing AI, potentially leading to more sophisticated cyber attacks. Palo Alto Networks' CEO Nikesh Arora emphasized the importance of visibility, control, and governance in AI integration. The internal risk from employees not understanding AI usage and data handling within their organization is significant. Proper implementation of AI can greatly strengthen an organization's cyber defenses. Palo Alto Networks focuses on making their cybersecurity solutions AI-driven, easy to use, and efficient in tracking data vulnerabilities. Security measures include designing AI applications to be secure from the start, ensuring safer data processing and storage. | Details |
| 2024-07-31 14:16:38 | theregister | CYBERCRIME | LockBit Ransomware's Decline Following Operation Cronos Takedown | LockBit, once a top ransomware operation, has significantly declined in activity and influence following a major law enforcement takedown led by the UK's National Crime Agency. The operation, dubbed Operation Cronos, not only disrupted LockBit's infrastructure but also exposed the identity of its alleged leader, Dmitry Khoroshev. Despite attempts to revive its operations, LockBit's reputation has suffered, leading many of its top earners and affiliates to depart for rival groups with better opportunities and technology. Recent data shows a drastic reduction in the number of attacks attributed to LockBit, with evidence suggesting some claimed attacks might be reposts of older ones, indicating a struggle to maintain influence. The exposure of affiliate identities and the subsequent reduction in their numbers from 194 to just 69 underscores the operation's impact on LockBit's network. Discussions about LockBit on cybercrime forums have diminished, indicating a loss of credibility and interest among potential new affiliates. Despite these setbacks, LockBit's core ransomware technology remains functional, and there is potential for the brand or its leadership to reemerge under a new guise following a period of reevaluation and restructuring. The future of LockBit and its leadership remains uncertain, with possibilities ranging from a complete shutdown to a rebranding or shift in criminal focus. | Details |
| 2024-07-31 14:16:38 | thehackernews | MISCELLANEOUS | DigiCert to Revoke SSL Certificates Due to Validation Issues | DigiCert, a certificate authority, will revoke over 83,000 SSL/TLS certificates within 24 hours due to a domain validation oversight. The issue arose from a failure to include an underscore prefix in DNS CNAME records used for Domain Control Validation (DCV), leading to potential ownership verification problems. This oversight stems from changes made in DigiCert's system architecture starting in 2019, which removed the automatic inclusion of the underscore, impacting certain validation processes. The problem was identified several weeks ago when a customer reported discrepancies in the random values used for domain validation. Nearly 0.4% of domain validations conducted by DigiCert are affected, impacting around 6,807 customers. DigiCert has advised affected customers to generate a new Certificate Signing Request (CSR) and reissue their certificates after proper DCV. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of potential temporary disruptions to websites, services, and applications due to the revocations. | Details |
| 2024-07-31 14:16:38 | bleepingcomputer | CYBERCRIME | Over 600 Fraudulent Web Shops Advertised on Facebook Discovered | The "ERIAKOS" fraud campaign, involving more than 600 fake online stores, uses Facebook ads to target users, stealing personal and financial information. These counterfeit web shops promote well-known brands at heavily discounted prices but are accessible only through mobile devices to avoid detection by automated security tools. Researchers from Recorded Future identified the operation and speculate it originates in China, judging by technical footprints such as domain registrars and IP addresses. Although many of the illicit sites have been taken offline, new ones continuously replace them, keeping the campaign active and continually trapping new victims. The fraudulent sites are linked only from Facebook ads, which feature numerous fake user testimonials to appear legitimate and enhance engagement. Facebook has intermittently blocked these scam ads and related accounts; however, the scam's persistence and adaptation indicate sophisticated evasion techniques. Analysis indicated connections to infrastructure used by known malware, although direct attribution to this specific fraud campaign remains unclear. Recorded Future has reported these findings to Meta, and ongoing investigations aim to mitigate such fraudulent operations further. | Details |
| 2024-07-31 13:09:47 | thehackernews | NATION STATE ACTIVITY | North Korea-Linked Malware Campaign Targets Global Developers | North Korea-associated malware, named DEV#POPPER, targets software developers using Windows, Linux, and macOS. The malware distribution is executed through decoy job interviews offering coding tasks, delivered via GitHub. Victims are tricked into downloading a ZIP file containing malicious npm modules that activate malware named BeaverTail. The malware can identify the operating system, exfiltrate data, and deliver further malware stages, such as the InvisibleFerret Python backdoor. Enhanced attack features include sophisticated data theft from web browsers like Chrome and Opera, improved file transfer protocols, and remote desktop functionalities via AnyDesk. The campaign targets individuals in South Korea, North America, Europe, and the Middle East, revealing a broad geographical impact. Researchers highlight the campaign's evolution with advanced social engineering tactics and increased technical complexity in recent attacks. | Details |
| 2024-07-31 13:04:18 | theregister | DDOS | Microsoft Fault in DDoS Defense Causes Extended Azure Outage | Microsoft's Azure platform experienced an 8-hour outage due to a DDoS attack that was exacerbated by an error in Microsoft's defensive implementation. The attack was part of a global increase in DDoS attacks, with businesses now facing such disruptions almost monthly. Microsoft utilizes unique strategies against DDoS attacks owing to its global presence and extensive threat intelligence network. Despite correct triggering of defense mechanisms, an implementation error led to an amplified rather than mitigated impact during the incident. The outage affected various services including Azure App Services, Azure IoT Central, and parts of Microsoft 365 and Microsoft Purview. Microsoft managed to mitigate most of the impact by early afternoon, but the issue wasn't fully resolved until late evening. A preliminary post-incident review is expected soon, with a final report to follow in the upcoming weeks to prevent similar occurrences in future. | Details |
| 2024-07-31 11:01:47 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Employ Sophisticated Malware Against Japanese Firms | Chinese nation-state actors, attributed to the APT10 group, are targeting Japanese entities with advanced malware named LODEINFO and NOOPDOOR. Israeli cybersecurity firm Cybereason has tagged the ongoing espionage campaign as "Cuckoo Spear," indicating its stealth and prolonged presence in compromised networks. The malware is used to harvest sensitive information and maintain persistence in victims' networks for up to three years via mechanisms like scheduled tasks. Recent developments reveal the use of anti-analysis techniques in LODEINFO and exploitation of vulnerabilities in public-facing applications to install malware. Earth Kasha and Earth Tengshe, two sub-groups within APT10, have uniquely adapted their tactics, targeting different technologies and using multiple malware types. Alerts from JPCERT/CC and ITOCHU Cyber & Intelligence earlier this year highlight the ongoing risk and evolution of the targeted cyber attacks. The campaign's sophistication includes exploiting unpatched vulnerabilities in products from Array AG, Fortinet, and Proself, marking an escalation in their operational capabilities. | Details |
| 2024-07-31 10:46:10 | thehackernews | MISCELLANEOUS | Enhancing Email Security Efficiency with Material Security | Material Security offers innovative solutions to improve the efficiency of security teams in handling email threats while saving time. The concept of an "alert budget" is highlighted, which represents the maximum amount of time a team can dedicate daily to threat responses. Material's detection engine aims for high precision and recall, minimizing false positives and ensuring legitimate threats are captured. The system uses advanced techniques like message clustering and automatic remediation to streamline the process of managing phishing attacks. Implementing these solutions has led to significant time savings for security operations, with one customer reporting a three-month time saving of 300 hours. Material also optimizes user-reported phishing management, reducing the manual effort required and enhancing immediate protective measures. The article underscores the importance of continuing vigilance by employees alongside sophisticated detection systems, stressing that AI and machine learning are tools rather than complete solutions. | Details |