Daily Brief
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-07-26 18:51:14 | bleepingcomputer | DATA BREACH | FBCS Data Breach Now Affects Over 4 Million People | FBCS has raised the reported number of individuals affected by its February data breach to 4.2 million. Initially reported as 1.9 million, the figure was revised to 3.2 million in May before reaching the current total. The compromised data includes sensitive personal information that varies per individual, heightening the risk of identity theft. All affected individuals are being notified and offered 24 months of free credit monitoring and identity restoration services. The type of cyberattack behind the breach remains unidentified, and no ransomware group has claimed responsibility. FBCS discovered unauthorized access to its network on February 26, 2024, and confirmed the breach was confined to its internal systems. Affected parties are advised to stay alert for phishing attempts and to monitor their credit reports for unauthorized activity. |
| 2024-07-26 18:40:52 | theregister | MISCELLANEOUS | CrowdStrike Update Causes Major Windows System Failures | On July 19, a flawed update from cybersecurity firm CrowdStrike caused a massive outage affecting millions of Windows systems globally. The update introduced a "logic error" in a configuration file, leading to widespread Blue Screens of Death (BSOD) and disrupting critical services such as flights and healthcare. The incident exposed how dependent digital infrastructure is on single points of failure, particularly widely used systems like Windows. Microsoft's decision to allow third-party access at the kernel level, while facilitating competition, contributed to the scale of the problem. CrowdStrike's testing protocols have been criticized post-incident, since an error of this magnitude passing QA suggests its testing procedures and deployment mechanisms need a stringent review and overhaul. Security expert Kevin Beaumont criticized the practice of deploying major updates globally without phased or "canary" rollouts to confirm stability and security. CrowdStrike's slow and inadequate initial response worsened the problem, leaving users and administrators scrambling to manage the fallout. The event is a crucial lesson for the tech industry on rigorous testing, robust fail-safe mechanisms, and preparedness for self-inflicted crises. |
| 2024-07-26 16:43:37 | bleepingcomputer | CYBERCRIME | Acronis Issues Alert on Default Password Vulnerability Exploitation | Acronis has notified customers of a severe vulnerability that allows attackers to bypass server authentication using default credentials. The flaw, tracked as CVE-2023-45249, affects Acronis Cyber Protect (ACI), a platform used by over 20,000 service providers globally. ACI combines remote management, backup, and virtualization capabilities to handle disaster recovery and enterprise data backups. Although a patch has been available for nine months, the vulnerability is being actively exploited in the wild. Acronis recommends that customers urgently update their installations to the latest version to mitigate the risk. Users can check whether their systems are vulnerable by verifying the ACI build number under Help -> About in the software. Keeping software up to date is crucial for securing Acronis products against attack. |
| 2024-07-26 14:31:11 | bleepingcomputer | CYBERCRIME | Russian Ransomware Gangs Dominate Global Crypto Cybercrime in 2023 | Russian ransomware groups are responsible for about 69% of all crypto ransom proceeds, totaling over $500 million in the past year. North Korea leads in cryptocurrency theft through exploits, having stolen over a billion dollars, while Asia leads in scams and investment fraud. Major ransomware operations such as LockBit, Black Basta, and Cl0p are predominantly run by Russian-speaking threat actors. Russian darknet markets are a major part of the cybercrime ecosystem, accounting for 95% of global darknet market sales, totaling $1.4 billion in transactions. TRM Labs identifies a significant link between Russian criminal activity and the sanctioned Garantex exchange, which allegedly processes over 82% of crypto transactions related to sanctioned entities. Russian cybercriminals also reportedly support their country's military by using crypto transactions to purchase critical weapon components from China. The predominance of Russians in cybercrime is attributed to historical, regulatory, and geopolitical factors, compounded by the political and logistical barriers Western nations face in disrupting these activities. |
| 2024-07-26 13:34:37 | theregister | NATION STATE ACTIVITY | Critical Vulnerabilities in Telerik Report Server Pose High Risks | Progress Software has issued a security warning about a new critical flaw in Telerik Report Server, tracked as CVE-2024-6327, which could allow remote code execution. This is the second severe vulnerability reported in as many months, following a high-risk bug that granted administrative rights via an authentication bypass. CVE-2024-6327 has a severity score of 9.9 and affects all versions prior to 10.1.24.709, making it a prime target for exploitation. An Advanced Persistent Threat (APT) group previously exploited a similar vulnerability in the Telerik suite, CVE-2019-18935, to attack US federal agencies. CISA has flagged these types of vulnerabilities but faced detection challenges due to atypical installation paths, which can obscure further exploitation. Progress also disclosed another vulnerability, CVE-2024-6096 in Telerik Reporting, rated 8.8, highlighting ongoing security risks in these products. The repeated discovery of critical vulnerabilities in such a short timeframe underscores the risk to organizations that run Telerik products without promptly applying security updates. |
| 2024-07-26 13:19:10 | thehackernews | MALWARE | Spanish Cybercriminals Link Phishing Kits with Android Malware | A Spanish cybercrime group known as GXC Team has been selling a sophisticated phishing-as-a-service platform integrated with Android malware. The service is used to target over 36 banks and various institutions globally and is sold for a subscription fee of about $500 per month. The malicious combination primarily targets customers of financial institutions in Spain, the US, the UK, Slovakia, and Brazil, and also impersonates tax and government services. Using deceptive tactics, the phishing pages encourage victims to download a bogus Android banking app that intercepts SMS one-time passwords and forwards them via Telegram. GXC Team has also branched out into selling stolen banking credentials and bespoke coding services to other cybercriminal groups focused on different sectors, including cryptocurrency. Its offerings extend to AI-enhanced voice calling tools that make voice phishing (vishing) attacks more effective by mimicking legitimate voices from recognized sources. Recent developments include adversary-in-the-middle (AiTM) phishing kits capable of bypassing secure authentication methods on various platforms. Emerging trends show phishing campaigns increasingly using techniques such as encoding URLs with security tools or tricking users into executing harmful scripts, evolving the landscape of social engineering threats. |
| 2024-07-26 11:01:46 | thehackernews | MISCELLANEOUS | Evolution of Cybersecurity and the Rise of Offensive AI | Early computer viruses like Creeper sparked the development of the cybersecurity field, marking the first recognition of digital threats. Defensive tools like the Reaper program marked the beginning of antivirus software and the need for cyber defense mechanisms. Technological advances in cybersecurity have mirrored historical progress in physical warfare, evolving from simple walls to sophisticated detection systems. Modern challenges include the potential misuse of powerful tools like AI to develop advanced malware capable of bypassing traditional security measures. Offensive AI emerges as both a significant threat and a necessity: advanced AI-driven threats require the development of sophisticated offensive AI tools for effective defense. The future of cybersecurity may rely heavily on understanding and implementing advanced offensive AI to outpace and counter evolving threats. Foster Nethercott, a seasoned cybersecurity expert, underscores the importance of offensive AI in cybersecurity strategy and development at industry workshops and events. |
| 2024-07-26 08:59:31 | thehackernews | NATION STATE ACTIVITY | U.S. DoJ Charges North Korean Hacker for Healthcare Ransomware Attacks | The U.S. Department of Justice has indicted North Korean hacker Rim Jong Hyok for ransomware attacks on U.S. healthcare facilities that helped fund illicit North Korean activities. The attacks used a ransomware strain called Maui, first reported in Japan and the U.S. in 2022, with ransom payments laundered through Hong Kong into Chinese yuan. The prosecution is part of a broader accusation against Andariel, a North Korean hacking group also known as APT45 and other aliases, tied to the Korean military intelligence service. Andariel's operations include hacking into U.S. Air Force bases and defense contractors and stealing over 30GB of sensitive data, including information about military aircraft and satellites. The State Department has offered a reward of up to $10 million for information leading to Rim's capture or the identification of any associated individuals. The group's tradecraft includes exploiting internet-facing applications and employing a mix of custom malware, remote access tools, and public utilities for extensive system and data breaches. U.S. agencies have seized about $114,000 in virtual currency related to these attacks and frozen several involved online accounts. The NSA and CISA highlight the ongoing threat Andariel poses to multiple sectors worldwide, emphasizing the persistent security challenges from state-sponsored North Korean cyber activity. |
| 2024-07-26 06:21:49 | thehackernews | CYBERCRIME | Cyberattack Exploits Selenium Grid for Cryptocurrency Mining | Security researchers have uncovered an ongoing campaign, dubbed SeleniumGreed, that targets outdated Selenium Grid services to mine cryptocurrency. The threat actors abuse the Selenium WebDriver API, which allows full interaction with the host machine, to run Python code that downloads and executes the XMRig crypto-mining software. The campaign, active since at least April 2023, primarily targets older Selenium versions (3.141.59 and earlier) that lack authentication by default, leaving them exposed to unauthorized access. By sending requests to exposed Selenium Grid hubs, the attackers execute a Base64-encoded Python program that establishes a reverse shell and retrieves the mining payload from an attacker-controlled server. The modified XMRig miner generates the mining pool IP at runtime and sets a TLS fingerprint so that it communicates only with servers controlled by the attacker. The attackers exploit inadequately protected instances of the Selenium automated testing framework, which should be shielded from external access with proper firewall configuration. More than 30,000 Selenium instances are susceptible to this attack, highlighting the need for users to secure or update their deployments to prevent unauthorized use and potential data breaches. Cloud security firm Wiz emphasizes the importance of securing Selenium Grid instances and removing them from public access to mitigate the risk. |
| 2024-07-26 05:56:11 | thehackernews | MALWARE | CrowdStrike Alerts on Phishing Scam Using Malware Post Update Issue | CrowdStrike has identified a spear-phishing campaign that uses a fake installer to target German users following the problematic Falcon Sensor update. The campaign uses an imposter website to distribute a counterfeit installer, leveraging a fake JavaScript download to mask its malicious intent. The phishing site, impersonating a German entity, offers a password-protected ZIP file containing a malicious executable disguised as innocuous-looking JavaScript. CrowdStrike's investigation notes that the installer requires specific input before installation proceeds, indicating a highly targeted approach. The deployed malware could not be fully analyzed or attributed because of its encrypted content and the anti-forensic techniques used by the perpetrators. The incident sits within a broader wave of phishing attempts exploiting the recent CrowdStrike update fiasco to spread stealer malware. CrowdStrike leadership has publicly apologized for the disruption caused by the faulty update and reaffirmed its commitment to security. |
| 2024-07-26 04:14:12 | thehackernews | MALWARE | Critical Vulnerability in Telerik Report Server Allows Remote Code Execution | Progress Software has disclosed a critical remote code execution vulnerability in Telerik Report Server and is urging customers to update to mitigate the risk. The flaw, tracked as CVE-2024-6327 with a CVSS score of 9.9, affects versions up to 2024 Q2 (10.1.24.514). Attackers can exploit the vulnerability via insecure deserialization to execute unauthorized commands remotely. The vulnerability is fixed in version 10.1.24.709 of the software. As an interim measure, changing the user for the Report Server Application Pool to one with restricted permissions is recommended. Administrators are advised to verify whether their server is vulnerable by following the checking procedure outlined by Progress Software. The announcement follows a recent patch for another severe vulnerability in the same Telerik software that permitted authentication bypass and unauthorized administrator account creation. |
| 2024-07-26 03:02:55 | theregister | NATION STATE ACTIVITY | North Korean National Charged for Global Cyber Extortion Scheme | The US Department of Justice has indicted North Korean national Rim Jong Hyok for conducting ransomware attacks on US healthcare providers and NASA. Rim used malware from North Korea's military intelligence agency, the Reconnaissance General Bureau, for these attacks. The indictment alleges that ransom proceeds were laundered in China and used to fund further international cyber intrusions, including attacks on defense and government entities. Andariel, the group Rim is associated with, has targeted systems worldwide, including defense companies in the US and South Korea and a Chinese energy firm. Microsoft and Mandiant reports describe Andariel's sophisticated use of custom malware and its exploitation of vulnerabilities in widely used software. Approximately $114,000 in cryptocurrency related to the ransomware attacks has been seized by the FBI. The US government has offered a $10 million reward for information leading to Rim's capture, although his current whereabouts are unknown. |
| 2024-07-26 01:36:24 | theregister | MALWARE | Malware Network Exploits 3000 GitHub Accounts to Distribute Malware | Researchers at Check Point Software have uncovered over 3,000 GitHub accounts forming the "Stargazer Ghost Network," used to distribute malware. The network, operated by "Stargazer Goblin," targets gamers, malware researchers, and other cybercriminals, using phishing tactics that do not rely on email. Stargazer Goblin uses platforms like Discord to lure victims with links promising more social media followers, leading them to malicious GitHub repositories. The GitHub accounts appear legitimate, some even verified, but harbor dangerous links in README.md files that facilitate malware distribution. The network's structure allows banned accounts and repositories to be replaced quickly, likely through automation, ensuring continuity of the malware distribution operation. In a recent campaign the network distributed the Atlantida stealer, achieving over 1,300 infections in just four days. Another campaign spread the Rhadamanthys malware across repositories, attracting over a thousand downloads in two weeks by masquerading as cracked software and crypto tools. Check Point estimates the malware operations on GitHub alone have generated approximately $100,000 over the past year. |
| 2024-07-26 00:40:08 | theregister | MISCELLANEOUS | CrowdStrike Update Causes Billions in Global Financial Losses | CrowdStrike's recent software update resulted in the shutdown of millions of Windows computers, with projected global financial losses possibly reaching billions. US Fortune 500 companies were significantly impacted, sustaining an estimated $5.4 billion in financial damage; Microsoft, a key player, was not included in this loss assessment. Insurance payouts are expected to cover only 10% to 20% of these losses for Fortune 500 companies, due to high risk retentions and low policy limits. Sectors such as retail and IT lost around $500 million each, while airlines, banking, and healthcare faced the highest losses, with airlines alone losing approximately $860 million. The effects varied by company size and industry, with CyberCube estimating a $15 billion loss worldwide and noting that smaller companies might receive even less insurance compensation, about 3% to 10%. Despite the financial impact, CrowdStrike has tried to mitigate the situation with gestures such as $10 Uber Eats gift codes for partners and support teams, though redemption of the codes was flagged as potential fraud. According to the latest update from CrowdStrike's CEO, 97% of the affected Windows systems have been restored to functionality. |
| 2024-07-25 22:32:50 | theregister | MALWARE | Fake CrowdStrike Domains Used to Distribute Lumma Malware | Malicious actors are exploiting CrowdStrike's brand in a phishing scheme to distribute the Lumma infostealer. The malware steals sensitive information such as online banking and cryptocurrency wallet credentials and login details for various services. The scam surfaced shortly after a CrowdStrike update caused disruption for 8.5 million Windows users, a situation cybercriminals leveraged to promote a fake recovery tool. CrowdStrike Intelligence links the fake domain used in this campaign to earlier phishing attacks by the same threat actor group. The attackers employ social engineering tactics such as phishing emails followed by fake support calls to deliver and execute the malware. The malware evades detection by terminating if antivirus software is detected, and then proceeds to install the Lumma stealer using a decoy installer. Infected systems contained a file called WidowsSystem-update[.]msi, disguised as a Microsoft Installer file, which ultimately executed the malware. CrowdStrike confirms that 97% of systems affected by the faulty update are now restored, reflecting quick remedial action. |