Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-07-31 09:39:27 | thehackernews | NATION STATE ACTIVITY | XDSpy Cyber Espionage Targets Russian and Moldovan Companies | A cyber espionage group, XDSpy, has launched phishing attacks on companies in Russia and Moldova. Security firm F.A.C.C.T. identified the campaign, which deploys the DSDownloader malware via infected email attachments. XDSpy, first identified by Belarus's CERT in 2020, has historically focused on government entities in Eastern Europe and the Balkans. The group uses spear-phishing and malware, including a C#-based dropper and a DLL that executes via DLL side-loading, to infiltrate systems. Recent attacks use agreement-themed phishing emails to distribute RAR files containing malicious and legitimate executable files. The campaign is part of a broader increase in cyberattacks in the region since the onset of the Russo-Ukrainian war in 2022. Other Russian hacking groups and pro-Ukrainian hacktivists have also escalated their cyber operations, indicating an intensifying cyber conflict. CERT-UA has reported a rise in phishing activity by other groups such as UAC-0057, which distribute malware to compromise further systems. |
| 2024-07-31 08:33:08 | theregister | DATA BREACH | UK Electoral Commission Criticized After Major Data Breach | The UK Electoral Commission suffered a significant data breach involving the personal data of approximately 40 million voters due to cybersecurity failings. Chinese state-sponsored attackers exploited vulnerabilities in the Commission's Microsoft Exchange Server and retained undetected access for 13 months. Failures included ineffective security patching, use of default passwords, and inadequate password management policies. The breach was initially facilitated by the ProxyShell vulnerabilities, which Microsoft had patched months before the attack began. The Information Commissioner's Office (ICO) issued a formal reprimand rather than a fine, stressing improvements over financial penalties. Post-breach improvements by the Electoral Commission, as acknowledged by the ICO, include implementing a modern infrastructure plan and enhanced security measures. Stephen Bonner of the ICO said the breach could have been prevented with basic security measures and urged organizations to secure their systems to protect personal data. Despite the breach's scale, there is no evidence of misuse of the stolen data or direct harm to individuals. |
| 2024-07-31 04:38:45 | thehackernews | DATA BREACH | Meta Agrees to $1.4 Billion Texas Settlement Over Privacy Breach | Meta has settled for $1.4 billion with Texas for illegally collecting biometric data without user consent. The settlement is one of the largest penalties against Meta for privacy violations. The lawsuit stems from Meta's use of facial recognition technology on Facebook without informing users or obtaining the consent mandated by Texas law. The Texas Attorney General emphasized strong action against tech giants that violate privacy and data laws. Meta, while settling, did not admit any wrongdoing related to the allegations. The settlement follows a similar $650 million payment by Meta in Illinois for comparable privacy infringements. Texas has also initiated legal action against Google for violating biometric privacy laws. Meta has discontinued its facial recognition system and deleted extensive user data in response to growing privacy concerns. |
| 2024-07-31 01:35:30 | theregister | MISCELLANEOUS | DigiCert Urges Quick Fix for SSL Certificate Validation Issue | DigiCert identified a critical flaw in its SSL/TLS certificate validation process, linked to a missing underscore in DNS CNAME records. About 0.4% of domain validations could be impacted, necessitating urgent certificate replacement to avoid revocation. The issue, originating from a code change first implemented in August 2019, was not initially caught due to inadequate system testing. The validation error breaks compliance with CA/Browser Forum regulations, forcing a 24-hour deadline for affected users to reissue certificates. DigiCert's discovery came after reports from a user, prompting an additional review and a string of corrective actions as per CABF guidelines. Customers must generate a new Certificate Signing Request (CSR) and follow DigiCert's outlined steps for reissuing their certificates. DigiCert has communicated with all impacted customers and provided support options through their account managers and a dedicated hotline. |
| 2024-07-30 21:30:50 | bleepingcomputer | MALWARE | Global SMS Stealing Malware Campaign Targets Android Users | A large-scale malicious operation has infected Android devices across 113 countries, stealing SMS messages and one-time passwords. The malware, spread via Telegram bots and malvertising, impersonates official app download pages to deceive users. Over 107,000 distinct malware samples have been observed, orchestrated by cybercriminals using 2,600 Telegram bots and 13 control servers. Primary victims are found in India, Russia, Brazil, Mexico, and the United States, with motives largely tied to financial gain through phone number exploitation. Compromised devices are likely being used for authentication purposes and to anonymize illegal activities without the owner's consent. The malware fetches OTPs needed for two-factor authentication and transmits them to a centralized API, potentially implicating victims in unauthorized transactions or criminal activities. Zimperium, the cybersecurity firm tracking this malware, advises Android users to only download apps from Google Play and to keep Play Protect enabled. |
| 2024-07-30 20:29:17 | bleepingcomputer | RANSOMWARE | Dark Angels Ransomware Gang Receives Record $75 Million Ransom | A Fortune 50 company has paid a record $75 million ransom to the Dark Angels ransomware gang. This payment surpasses the previous record of $40 million paid by insurer CNA following an Evil Corp attack. The payment details were disclosed in the 2024 Zscaler Ransomware Report and confirmed by Chainalysis via social media. Dark Angels targets large corporations, employing a "Big Game Hunting" strategy to secure significant ransoms. The group started operations in May 2022, originally using Babuk ransomware source code, and later switched to a Linux-based encryptor used by Ragnar Locker. They also operate a data leak site, 'Dunghill Leaks', threatening to release stolen data if their ransom demands are not met. Dark Angels' sophisticated approach involves breaching networks, moving laterally, and obtaining administrative control before deploying ransomware to encrypt all network devices. |
| 2024-07-30 20:23:57 | bleepingcomputer | RANSOMWARE | Dark Angels Ransomware Extorts Historic $75 Million Payment | A Fortune 50 company paid a groundbreaking $75 million ransom to the Dark Angels ransomware gang, the highest on record. The payment surpasses the previous largest known ransom of $40 million paid by CNA to Evil Corp. Zscaler ThreatLabz and crypto intelligence firm Chainalysis confirmed the transaction. Dark Angels, operational since May 2022, employs data theft and encryption to gain leverage in ransom negotiations. The group targets significant, high-value entities, focusing on fewer victims to maximize ransom payments. Which Fortune 50 company made the payment remains undisclosed, though speculation points to pharmaceutical giant Cencora. Dark Angels has shifted encryption tools and currently uses a Linux encryptor previously utilized by Ragnar Locker. |
| 2024-07-30 19:58:16 | bleepingcomputer | MALWARE | CISA Mandates Fixes for ESXi Bug Exploited in Ransomware Attacks | CISA has directed all U.S. Federal Civilian Executive Branch (FCEB) agencies to patch their VMware ESXi servers due to a vulnerability (CVE-2024-37085) exploited in recent ransomware incidents. The vulnerability was addressed by VMware in the latest ESXi 8.0 U3 update, following its discovery by Microsoft security researchers. CVE-2024-37085 allows attackers with elevated privileges to add a new user with full administrative rights to the 'ESX Admins' group. Despite being rated medium severity by VMware, the flaw has been actively exploited by ransomware groups such as Storm-0506 and Octo Tempest to compromise sensitive data and encrypt systems. It enables unauthorized access to and control over domain-joined hypervisors, leading to data theft, lateral movement within networks, and significant operational disruption. CISA has added the vulnerability to its 'Known Exploited Vulnerabilities' catalog, requiring remediation by August 20 under directive BOD 22-01. Although the directive applies only to federal agencies, CISA strongly recommends that all organizations prioritize this issue to protect against ransomware attacks targeting similar vulnerabilities. |
| 2024-07-30 19:02:11 | theregister | DATA BREACH | Delta Engages High-Profile Lawyer Over CrowdStrike Outage Losses | Delta Air Lines experienced extensive operational losses, estimated at $500 million, due to the CrowdStrike outage on July 19. To address these financial setbacks, Delta hired David Boies of Boies Schiller Flexner, a lawyer known for notable tech sector litigation. The disruption was linked to a defective Channel File update that impacted millions of Windows machines globally, with Microsoft also partially blamed. The U.S. Department of Transportation is investigating Delta following the cancellation of nearly 7,000 flights, which generated an extensive volume of passenger reimbursement requests. CrowdStrike's standard terms and conditions generally limit liability to service fee refunds, but it is uncertain whether Delta negotiated additional coverage. Microsoft and CrowdStrike have not commented extensively on potential litigation or the specifics of the outage. The hiring of a high-profile law firm suggests Delta is exploring significant legal and recovery strategies against both Microsoft and CrowdStrike. |
| 2024-07-30 18:56:48 | bleepingcomputer | MALWARE | Black Basta Ransomware Adapts with New Evasive Custom Tools | Black Basta ransomware has been active since April 2022, with over 500 attacks globally, employing a double-extortion tactic involving data theft and encryption. Following the disruption of the QBot botnet by law enforcement, Black Basta formed new alliances using alternative initial access vectors, including the DarkGate and SilentNight malware. The group has developed and deployed a chain of custom malware, DawnCry and DaveShell, ending in the PortYard tunneling tool that establishes C2 communications. Notable victims in 2024 include Veolia North America, Hyundai Motor Europe, and Keytronic, highlighting the group's continued impact and reach. The threat actors, tracked as UNC4393 by Mandiant, have access to exploits for critical vulnerabilities, including Windows and VMware ESXi flaws. Black Basta's shift from publicly available hacking tools to sophisticated, proprietary malware indicates a significant evolution in its operational tactics. The gang continues to use "living off the land" techniques alongside its custom tools to maintain stealth and operational security. |
| 2024-07-30 17:04:28 | bleepingcomputer | MALWARE | Google Chrome Introduces App-Bound Encryption for Enhanced Security | Google Chrome has implemented app-bound encryption to enhance cookie security on Windows, targeting protection against infostealer malware. The new feature restricts data decryption to the application to which the data was originally bound, preventing access by other applications. App-bound encryption builds on the existing Windows Data Protection API (DPAPI), which only secures data at rest and not against actively running malware. A key technical detail is that a privileged service verifies the app's identity before encrypting or decrypting data, ensuring only designated apps can access sensitive information. The protection will be extended to passwords, payment data, and other persistent authentication tokens to further safeguard user data. Google adds this update alongside other recent security measures in Chrome, such as improved download protection and enhanced threat detection. These developments are part of Google's broader effort to combat evolving malware threats and improve system-wide security. |
| 2024-07-30 16:54:01 | bleepingcomputer | RANSOMWARE | Columbus Ransomware Incident: Investigation into Possible Data Theft | Columbus, Ohio suffered a ransomware attack on July 18, 2024, impacting city services and causing IT disruptions. The attack did not lead to system encryption thanks to a quick response involving the FBI and Homeland Security. Mayor Andrew J. Ginther described the attackers as "an established, sophisticated threat actor operating overseas." Investigations are ongoing to determine whether personal data of Columbus citizens was compromised during the attack. Despite initial IT outages, critical emergency services such as the 911 and 311 lines remained operational. The city's authorities are securing the network and will notify potentially impacted citizens. Residents are advised to be vigilant against phishing and scam attempts that may use any stolen data. Further updates from the city are expected to confirm the extent of the data breach and detail remedial actions. |
| 2024-07-30 15:06:27 | bleepingcomputer | MISCELLANEOUS | DigiCert Proactively Revokes TLS Certificates Due to Validation Bug | DigiCert announced the mass revocation of SSL/TLS certificates affecting approximately 0.4% of domains validated from August 2019 to June 2024, due to a domain validation error. The issue involved the omission of an underscore in the DNS CNAME records used for Domain Control Verification, risking domain and subdomain collisions. The problem originated in a system update in August 2019 and was not corrected until a review uncovered the error in July 2024. All impacted customers are required to log in to their DigiCert CertCentral account, generate a new Certificate Signing Request (CSR), and reissue their certificates within 24 hours. The company has installed safeguards, including an enhanced random value generation process, to prevent repeat incidents. Failure to reissue certificates promptly could result in connectivity loss for the impacted websites or applications. DigiCert is acting in compliance with CABF standards, which demand immediate revocation of the affected certificates. |
| 2024-07-30 14:35:37 | theregister | CYBERCRIME | EvilProxy Phishing Service Exploits Cloudflare in Global Attacks | EvilProxy, dubbed the "LockBit of phishing," operates as phishing-as-a-service (PhaaS), facilitating massive monthly phishing attacks that abuse legitimate services such as Cloudflare. Used by attackers with minimal technical skill, EvilProxy aids credential theft, ransomware attacks, and business email compromise through seemingly legitimate phishing links. Sold on dark-web marketplaces, the service includes customer support and tutorial videos on setting up and disguising phishing campaigns. Proofpoint reports approximately one million threats monthly from EvilProxy, with recent campaigns heavily leveraging Cloudflare services to bypass automated detection systems. The notable threat actors TA4903 and TA577 have recently adopted EvilProxy, with attacks targeted primarily at high-ranking business executives to steal sensitive access credentials and enable further malicious activity. Proofpoint's data shows that 73% of organizations subjected to BEC attacks saw them follow a successful phishing attempt, and 32% of cases led to ransomware infections. The upward trend in EvilProxy usage underscores the importance of deploying phishing-resistant MFA, strengthening cloud security measures, and conducting ongoing user education on phishing threats. |
| 2024-07-30 14:04:44 | bleepingcomputer | MISCELLANEOUS | Evaluating Password Policies with Key Cybersecurity KPIs | Organizations must measure the effectiveness of their cybersecurity investments, particularly password policies. Password policies should align with broader cybersecurity KPIs so that their impact can be gauged accurately and strategies adjusted. Metrics for success include compliance with standards such as NIST, reduction of weak passwords, and checks for compromised passwords. Tracking KPIs such as the rate of password resets and MFA adoption provides insight into system vulnerabilities and user behavior. Regular auditing with tools such as Specops Password Auditor helps detect and address security gaps in real time. High priority is given to the security of privileged accounts through specific KPIs related to privilege management. Effective MFA implementation is crucial and is measured by adoption rates, authentication success, and the ability to prevent bypass attempts. The article underscores the importance of proactive security management to prevent data breaches and unauthorized access. |