Daily Brief

Articles are listed below; each headline is followed by a generated summary.

Total articles found: 11822


2024-05-24 22:37:09 bleepingcomputer CYBERCRIME Hacker Exposes and Leaks Data from Spyware App pcTattletale
A hacker defaced the website of pcTattletale, a spyware app recently found installed on computers at Wyndham hotels, and leaked its database and source code. pcTattletale is sold as child and employee monitoring software; Vice's Motherboard had earlier reported that it leaked real-time screenshots from monitored devices. Security researcher Eric Daigle found a severe API flaw that let anyone retrieve screenshots from any device running the app, and the developers ignored repeated attempts to get it fixed, leaving the issue unresolved. The hacker said they used a different vulnerability, exploited with a Python script, to extract the service's AWS credentials and reach its data. The leak consists of 20 archives of source code and data. Microsoft classifies pcTattletale as a threat because it records keystrokes and screen images, exposing sensitive user information. pcTattletale's developer, Bryan Fleming, has not responded to the incident.
2024-05-24 22:26:44 theregister CYBERCRIME Best Buy, Microsoft Top List of Impersonated Companies in Scams
Best Buy and its Geek Squad brand were the most impersonated organizations in scams reported to the FTC in 2023, with over 52,000 reports. Microsoft impersonation scams were the most lucrative, with about $60 million in reported losses; Amazon and PayPal impersonators took roughly $19 million and $16 million respectively. Phone and email were the most common contact methods, but scams that began on social media caused the largest losses. Scammers most often demanded payment by cryptocurrency, bank transfer, or gift card, and the FTC advises treating any demand for those payment methods as a warning sign. Reported losses for the ten most impersonated companies ranged from about $2 million to $60 million each.
2024-05-24 20:34:46 theregister CYBERCRIME Supply Chain Attack Targets Courtroom AV Software
Courtroom audio-visual software from Justice AV Solutions (JAVS) was compromised in a suspected supply chain attack; the product is used in more than 10,000 courtrooms. Rapid7's research team found the backdoor after an alert from a customer's managed detection and response (MDR) service. The compromised installer, JAVS Viewer v8.3.7, contained a malicious binary named fffmpeg.exe that is associated with known malware families and was signed by an entity other than JAVS. The malware could bypass anti-malware protections, collect system information, download additional payloads, and scrape browser credentials. Rapid7 advises fully re-imaging affected endpoints and resetting credentials, since removing the binary alone does not undo what the backdoor may have done. Rapid7 also traced the alert back to an earlier report by another researcher showing that the trojanized installer was hosted on JAVS' official download page. JAVS says it is working with authorities, has reassessed its release and certification process, and asserts that its technicians validate installations. The full extent of the attack's impact remains unknown as investigations continue.
2024-05-24 16:35:23 thehackernews CYBERCRIME Hackers Use Rogue VMs in Sophisticated MITRE Cyber Attack
Attackers breached MITRE by exploiting two then-zero-day vulnerabilities in Ivanti Connect Secure (ICS). Once inside, the group, tracked as UNC5221, used compromised administrative credentials to take control of MITRE's VMware infrastructure and created rogue virtual machines (VMs) there to maintain persistent access and evade detection. Tooling included a Python-based tunneling utility for SSH connections, the Golang backdoor BRICKSTORM, and the web shells BEEFLUSH and BUSHWALK. The adversary also used a default VMware account to make API calls that enumerated mounted and unmounted drives, activity that blends in with ordinary management traffic. MITRE's proposed countermeasures include enabling Secure Boot on the hypervisors, and it has published PowerShell scripts to help find and remove hidden VMs. The incident highlights the need for continuous vigilance and for monitoring the virtualization layer itself, not only the guests running on it.
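An added example of the inventory check the article alludes to, written here rather than taken from MITRE's published scripts: a VM registered directly on an ESXi host (for example by logging in to the hypervisor and registering a .vmx by hand) never appears in the vCenter inventory, so diffing the host's own VM list against what vCenter reports surfaces it. The listing text and the vCenter name list are constructed samples; the `vim-cmd` and PowerCLI commands named in the comments are the real sources you would feed in.

```powershell
# Added example, not MITRE's code: report VMs registered on an ESXi host that
# vCenter does not know about.
#
# Inputs (both constructed samples below):
#   $esxiListing  - text output of `vim-cmd vmsvc/getallvms` run on the host over SSH
#   $vcenterNames - VM names for that host from vCenter, e.g. VMware PowerCLI
#                   Get-VM -Location $hostName | Select-Object -ExpandProperty Name

function ConvertFrom-EsxiVmListing {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Columns: Vmid, Name, File ([datastore] path.vmx), Guest OS, Version, Annotation.
    # Names may contain spaces, so the name is matched lazily up to the bracketed datastore.
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\d+)\s+(.+?)\s+(\[[^\]]+\]\s*\S+\.vmx)') {
            [pscustomobject]@{
                VmId    = [int]$Matches[1]
                Name    = $Matches[2]
                VmxPath = $Matches[3]
            }
        }
    }
}

function Find-UnregisteredVm {
    param(
        [Parameter(Mandatory)][string[]]$EsxiListing,
        [Parameter(Mandatory)][string[]]$VCenterNames
    )
    # -notcontains is case-insensitive, matching how vCenter treats VM names.
    ConvertFrom-EsxiVmListing -Lines $EsxiListing |
        Where-Object { $VCenterNames -notcontains $_.Name }
}

# Constructed sample: three VMs on the host, two of which vCenter knows about.
$esxiListing = @'
Vmid   Name         File                                Guest OS                Version   Annotation
12     web-01       [datastore1] web-01/web-01.vmx      ubuntu64Guest           vmx-19
15     dc-01        [datastore1] dc-01/dc-01.vmx        windows9Server64Guest   vmx-19
211    ubuntu-tmp   [datastore2] .tmp/ubuntu-tmp.vmx    ubuntu64Guest           vmx-19
'@ -split "`r?`n"

$vcenterNames = @('web-01', 'dc-01')

# The third VM, sitting in a dot-directory on a second datastore, is the one to chase.
Find-UnregisteredVm -EsxiListing $esxiListing -VCenterNames $vcenterNames |
    Format-Table -AutoSize
```

Any row this produces is a lead, not a verdict: confirm the .vmx path, who created it and when, and whether its power state and network are consistent with a legitimate host-local VM before treating it as rogue. Run it per host, since each ESXi host only knows about its own registrations.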
2024-05-24 15:49:18 bleepingcomputer DATA BREACH Major Pharma Firms Hit by Cencora Data Breach Incident
In February 2024, Cencora, a large pharmaceutical services provider, suffered a data breach involving unauthorized access and data exfiltration. The stolen data was personal information Cencora handled on behalf of eight major pharmaceutical companies, including patient names, addresses, health diagnoses, medications, and prescriptions. Cencora disclosed the incident in a Form 8-K filing with the SEC, and the affected pharmaceutical companies later issued their own breach notifications. Cencora provides drug distribution and patient support services, handles sensitive data across 50 countries, and employs about 46,000 people. The notifications state that there is no evidence so far of the stolen data being misused or publicly disclosed. Cencora is offering two years of free identity protection and credit monitoring through Experian to those potentially affected. No ransomware group has claimed responsibility, and the number of individuals affected has not been disclosed.
2024-05-24 15:03:11 bleepingcomputer MALWARE ShrinkLocker Ransomware Targets BitLocker in Stealth Attacks
A new ransomware that Kaspersky calls ShrinkLocker abuses Windows BitLocker to lock victims out of their drives: it shrinks existing non-boot partitions, creates new boot partitions in the freed space, and then enables BitLocker encryption. Victims include a government agency and organizations in the vaccine and manufacturing sectors in Mexico, Indonesia, and Jordan. The malware is written in VBScript and checks the operating system version, running its encryption routine only on Windows Vista and later. It drives the built-in disk management utility (diskpart) to resize partitions and uses BCDEdit to modify boot settings. It also changes registry values to disable Remote Desktop access and to allow BitLocker to be enabled without a Trusted Platform Module (TPM). There is no traditional ransom note; instead, the attacker's contact email address is written into the label of the new boot partitions, which makes the intrusion harder for administrators to recognize. The recovery keys are sent to the attackers and deleted locally, so encrypted drives show no recovery option, which Kaspersky notes may indicate destructive rather than purely financial intent. Kaspersky advises enterprises to escrow BitLocker recovery keys securely, keep offline backups, and deploy comprehensive endpoint protection.
2024-05-24 12:55:41 thehackernews MALWARE Fake Antivirus Sites Distribute Malware to Android and Windows
Threat actors are running counterfeit antivirus websites impersonating Avast, Bitdefender, and Malwarebytes to distribute malware for Android and Windows. The payloads are information stealers that harvest browser data and exfiltrate it to a remote server; one rogue binary, AMCoreDat.exe, acts as a conduit for stealer malware. The sites are likely promoted through malvertising and SEO poisoning. The findings come amid a steady stream of new stealer families such as Acrid, SamsStealer, and Waltuhium Grabber, reflecting sustained demand for such tools. Separately, a new Android banking trojan named Antidot poses as a Google Play update and abuses Android APIs to carry out keylogging, overlay attacks, and other fraud, showing how capable newly emerging malware has become.
2024-05-24 11:54:22 thehackernews MISCELLANEOUS Free Webinar on Cybersecurity Threats to Small Businesses
Cyber threats increasingly target smaller businesses, and criminals are using more sophisticated methods against SMEs. Cybersecurity expert Jamie Levy will lead a free webinar, "Navigating the SMB Threat Landscape: Key Insights from Huntress' Threat Report," covering the latest threats to small and medium-sized businesses and defensive strategies tailored to them. Registration is open.
2024-05-24 10:37:52 thehackernews MISCELLANEOUS Enhancing CISO Influence in DevOps for Robust Cybersecurity
Incidents like the Colonial Pipeline and SolarWinds attacks illustrate how hard it has become for CISOs to maintain effective security in fast-moving DevOps environments. Cloud misconfigurations, such as exposed AWS S3 buckets, show why CISOs and DevOps teams need closer collaboration on cloud security settings. Security practices often lag behind DevOps release cadences, leaving CISOs to enforce controls without slowing delivery. The role now demands direct communication with CTOs and other IT leaders so that security is considered from the start of a project. CISOs are encouraged to adopt services like managed detection and response (MDR) to move from a reactive to a proactive posture. Legal and regulatory pressure is rising too, with new expectations on CISOs around disclosure and management of cybersecurity risks and breaches. The thrust is that security must be embedded in the DevOps process itself, proactive rather than bolted on, and aligned with business objectives.
2024-05-24 10:12:18 thehackernews MALWARE Google Patches Fourth Chrome Zero-Day Exploit in May
Google has patched a high-severity type confusion vulnerability in Chrome's V8 JavaScript engine, tracked as CVE-2024-5274, which was reported on May 20, 2024 and is being exploited in the wild. It is the fourth Chrome zero-day fixed this month, after CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947, and the eighth this year. Type confusion bugs can lead to out-of-bounds memory access, crashes, and arbitrary code execution. Users should update to Chrome 125.0.6422.112/.113 on Windows and macOS and 125.0.6422.112 on Linux; users of other Chromium-based browsers should apply updates as their vendors release them.
2024-05-24 09:51:42 thehackernews MALWARE Courtroom Software Compromised by RustDoor Malware Attack
Attackers trojanized the installer for JAVS Viewer v8.3.7, part of JAVS Suite 8, to deliver the RustDoor backdoor. The compromised installer, downloaded from the official JAVS website on March 5, 2024, carried an unexpected Authenticode signature. On execution it runs obfuscated PowerShell scripts and attempts to download a further payload disguised as a Google Chrome installer; RustDoor then connects to a command-and-control (C2) server, sends host information, and waits for instructions. Analysis found that bugs in the "main.exe" component kept the malware from working as intended. RustDoor is a Rust-based backdoor previously seen targeting multiple platforms through fake updates and utilities, and the campaign suggests links between RustDoor, GateDoor, and the ransomware-as-a-service group ShadowSyndicate. JAVS has pulled the affected version from its website, reset passwords, and audited its systems, stating that no JAVS source code or systems were compromised.
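Both JAVS items above turn on the same detail: the malicious binary was signed, just not by JAVS. An added example (not JAVS's or Rapid7's code) of the check a responder would run on an endpoint: walk the install directory, verify each Authenticode signature, and flag files that are unsigned, have a broken signature, or are validly signed by a publisher outside an allowlist. The install path and the expected publisher substring are assumptions; `fffmpeg.exe` is the filename from the reports.

```powershell
# Added example, not vendor code: review executables and DLLs under a JAVS install
# directory and report anything that should not be there. Run elevated.

function Get-SuspiciousBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Substrings expected in the signer certificate Subject, e.g. the vendor name.
        [Parameter(Mandatory)][string[]]$TrustedPublisherPatterns,
        [string[]]$KnownBadNames = @('fffmpeg.exe')   # from the public reports
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_
            $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $onAllowlist = [bool]($TrustedPublisherPatterns | Where-Object { $subject -like "*$_*" })

            # Order matters: a validly signed file with a known-bad name is still bad, and a
            # valid signature from the wrong publisher is exactly the case described above.
            $reason = if ($KnownBadNames -contains $file.Name) { 'known-bad filename' }
                      elseif ($sig.Status -ne 'Valid')        { "signature status: $($sig.Status)" }
                      elseif (-not $onAllowlist)               { 'valid signature, but publisher not on allowlist' }

            if ($reason) {
                [pscustomobject]@{
                    File   = $file.FullName
                    Sha256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                    Signer = $subject
                    Reason = $reason
                }
            }
        }
}

# Usage: install path and publisher string are assumptions; adjust to your deployment.
Get-SuspiciousBinary -Path 'C:\Program Files (x86)\JAVS' -TrustedPublisherPatterns @('Justice AV Solutions') |
    Format-Table -AutoSize
```

The SHA-256 column is there so hits can be compared against the vendor's published hashes and the indicators in the Rapid7 write-up. A "valid signature, but publisher not on allowlist" result is the one to act on: signature validity alone proves nothing about who was meant to sign it, which is why the reports recommend re-imaging rather than just deleting the file.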
2024-05-24 09:31:03 bleepingcomputer MALWARE Google Patches Eighth Actively Exploited Chrome Zero-Day in 2024
Google has pushed an emergency Chrome update for CVE-2024-5274, the eighth actively exploited zero-day it has fixed this year. The bug is a high-severity type confusion flaw in the V8 JavaScript engine that can lead to crashes, data corruption, or arbitrary code execution. It was discovered by Clément Lecigne of Google's Threat Analysis Group; Google is withholding technical details until most users have updated, noting that the bug may also exist in third-party libraries used by other projects. The fix is in Chrome Stable 125.0.6422.112/.113 for Windows and Mac, with the Linux build to follow. Chrome updates automatically, but users may need to relaunch the browser for the fix to take effect. This is the fourth Chrome zero-day patched this month, underscoring the importance of prompt updates.
2024-05-24 09:20:42 thehackernews NATION STATE ACTIVITY BLOODALCHEMY Malware Targets ASEAN Government Agencies
Cybersecurity researchers in Japan have identified BLOODALCHEMY as an updated version of Deed RAT, itself believed to be a successor of ShadowPad, being used against government bodies in Southeast Asia. First documented by Elastic Security Labs, BLOODALCHEMY has been deployed against ASEAN countries by a cluster tracked as REF5961. The backdoor's feature set is minimal but effective, built for stealth and specific tasks, suggesting it is part of a larger toolset or still under development. It is loaded by DLL sideloading through a legitimate process, which helps it evade standard detection, and then provides backdoor access. Its code structure and techniques overlap with earlier malware used by China-linked groups. Initial access in these attacks has come through compromised VPN devices, illustrating how targeted the intrusions are. The campaigns reflect sustained interest in the region by Chinese-nexus espionage groups, some of which are also expanding their targeting to Africa and the Caribbean.
2024-05-24 01:02:34 theregister CYBERCRIME Active Attacks on Three-Year-Old Apache Flink Vulnerability
Apache Flink's CVE-2020-17519, an improper access control bug discovered in 2020, is under active exploitation. CISA has added it to the Known Exploited Vulnerabilities catalog, requiring federal agencies to patch or retire affected installations by June 13. Flink is an Apache Software Foundation open-source framework for processing large data streams. The flaw lets anyone who can reach the JobManager's REST interface read any file on the JobManager's local filesystem, so exposed deployments risk data theft. Fixes shipped in Flink 1.11.3 and 1.12.0 in late 2020, but many deployments remain unpatched. CISA has not said who is exploiting the bug or to what end. The episode reinforces the need to patch known vulnerabilities promptly, and security experts urge private organizations, not just federal agencies, to check their Flink deployments.
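An added example of the version check that summary calls for, not Apache's or CISA's code: the Flink REST API's `GET /config` endpoint reports the running version in a `flink-version` field, and CVE-2020-17519 affects 1.11.0 through 1.11.2 (fixed in 1.11.3 and 1.12.0). The JSON below is a constructed sample of that response; the JobManager host name in the trailing comment is an assumption.

```powershell
# Added example, not project code: decide from a Flink /config response whether the
# JobManager still runs a version affected by CVE-2020-17519.

function Test-FlinkCve202017519 {
    param([Parameter(Mandatory)][string]$FlinkVersion)
    # Strip suffixes such as "-SNAPSHOT" or vendor tags before comparing numerically.
    if ($FlinkVersion -notmatch '^(\d+)\.(\d+)\.(\d+)') {
        throw "Unrecognised Flink version string: $FlinkVersion"
    }
    $v = [version]('{0}.{1}.{2}' -f $Matches[1], $Matches[2], $Matches[3])
    # Affected: 1.11.0 <= v < 1.11.3 (1.12.0 shipped with the fix).
    return ($v -ge [version]'1.11.0') -and ($v -lt [version]'1.11.3')
}

function Get-FlinkVersionFromConfig {
    param([Parameter(Mandatory)][string]$ConfigJson)
    ($ConfigJson | ConvertFrom-Json).'flink-version'
}

# Constructed sample of a /config response from a vulnerable deployment.
$sampleConfig = @'
{"refresh-interval":3000,"timezone-name":"Coordinated Universal Time","timezone-offset":0,
 "flink-version":"1.11.2","flink-revision":"fe36135 @ 2020-09-09T16:19:03+02:00",
 "features":{"web-submit":true}}
'@

$ver = Get-FlinkVersionFromConfig -ConfigJson $sampleConfig
if (Test-FlinkCve202017519 -FlinkVersion $ver) {
    Write-Warning "Flink $ver is affected by CVE-2020-17519; upgrade to 1.11.3 / 1.12.0 or later."
} else {
    Write-Host "Flink $ver is outside the affected range."
}

# Against a live JobManager (assumed host name; 8081 is the default REST port):
#   $ver = Get-FlinkVersionFromConfig -ConfigJson (
#       Invoke-WebRequest -Uri 'http://jobmanager.example:8081/config' -UseBasicParsing).Content
```

Version is the right thing to check rather than probing the traversal itself: the fix was a code change, not a configuration knob, so a patched build is not vulnerable and an affected build is, regardless of settings. Whether the REST port is reachable from untrusted networks at all is the second question to answer, since the interface has no authentication of its own.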
2024-05-23 21:23:14 theregister RANSOMWARE ShrinkLocker Ransomware Targets Steel and Vaccine Firms
ShrinkLocker ransomware uses Microsoft BitLocker to encrypt victims' drives and then extorts payment. Targets so far include steel and vaccine manufacturers and a government entity, in Mexico, Indonesia, and Jordan. Because it relies on legitimate built-in Windows tools rather than a custom encryptor, it does maximum damage while complicating incident response. The VBScript first fingerprints the operating system, then manipulates partitions and enables BitLocker. Encrypted systems boot to a BitLocker screen that offers no recovery option, because the recovery keys are sent to the attackers and deleted locally. Kaspersky describes ways to detect ShrinkLocker and recommends managed detection and response, restrictive access permissions, frequent backups, and logging of critical system activity.
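Both ShrinkLocker summaries on this page describe the same preconditions and traces: registry changes that allow BitLocker without a TPM and switch RDP off, new boot partitions labelled with the attacker's email, and volumes left with no recovery protector. An added example (not Kaspersky's detection logic) of a posture check for those, to run as administrator on a Windows endpoint. The registry paths and value names are the real BitLocker (FVE) and Terminal Server policy locations; that any hit warrants follow-up is the assumption.

```powershell
# Added example, not vendor code: surface the conditions ShrinkLocker relies on or leaves
# behind. Run elevated; output is a list of findings to triage.

function Get-BitLockerAbuseIndicators {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [string]$Value, [string]$Note) {
        $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Note = $Note })
    }

    # (1) Policy values that let BitLocker be enabled on a machine without a TPM.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    foreach ($name in 'UseAdvancedStartup', 'EnableBDEWithNoTPM') {
        if ($fve -and $fve.$name -eq 1) {
            Add-Finding -Check "FVE\$name" -Value '1' -Note 'BitLocker allowed without TPM; expected only where policy deliberately sets it'
        }
    }

    # (2) fDenyTSConnections = 1 switches Remote Desktop off.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 1) {
        Add-Finding -Check 'Terminal Server\fDenyTSConnections' -Value '1' -Note 'RDP disabled; confirm this was an administrative change'
    }

    # (3) Volume labels that look like an email address. The new boot partitions may have
    #     no drive letter, so fall back to the volume's unique ID when naming them.
    if (Get-Command Get-Volume -ErrorAction SilentlyContinue) {
        Get-Volume -ErrorAction SilentlyContinue |
            Where-Object { $_.FileSystemLabel -match '^[^@\s]+@[^@\s]+\.[^@\s]+$' } |
            ForEach-Object {
                $id = if ($_.DriveLetter) { "$($_.DriveLetter):" } else { $_.UniqueId }
                Add-Finding -Check "Volume $id" -Value $_.FileSystemLabel -Note 'label is an email address (ransom contact pattern)'
            }
    }

    # (4) Key protectors per BitLocker volume; a volume with no RecoveryPassword
    #     protector has nothing that can be escrowed.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        foreach ($v in (Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
            $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
            $note = if ($types.Count -eq 0) { 'no key protectors' }
                    elseif ($types -notcontains 'RecoveryPassword') { 'no recovery password protector to escrow' }
                    else { 'recovery password present; confirm it is backed up' }
            Add-Finding -Check "BitLocker $($v.MountPoint)" -Value "$($v.VolumeStatus), protectors: $($types -join ', ')" -Note $note
        }
    }
    return $findings
}

Get-BitLockerAbuseIndicators | Format-Table -AutoSize
```

Check (4) is the one that maps to Kaspersky's advice to secure recovery keys in advance: for a volume that does have a RecoveryPassword protector, `Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $id` (with `$id` taken from that protector's `KeyProtectorId`) escrows it to Active Directory, so an attacker deleting the local copy does not leave the organization without one. Checks (1) and (2) are only meaningful against a baseline: if your own policy sets those values, record that and look instead for the moment they changed in the registry or Sysmon logs.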