Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11822
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-20 16:10:27 | thehackernews | NATION STATE ACTIVITY | Iranian Hackers Conduct Coordinated Wiping Attacks on Albania, Israel | An Iranian threat actor linked to MOIS, referred to as Void Manticore, executed destructive wiping attacks in Albania and Israel. These attacks targeted governmental and critical infrastructure organizations, using custom wiper malware named Cl Wiper, No-Justice, and BiBi. Void Manticore, also tracked under other names including Storm-0842, shares operational overlaps with another group, Scarred Manticore, suggesting coordinated attacks. Tactics include the use of public tools and conventional protocols such as RDP, SMB, and FTP for initial infiltration and lateral movement. Initial access often involves exploiting known vulnerabilities in internet-facing applications, followed by the deployment of web shells for further control. The U.S. Cybersecurity and Infrastructure Security Agency has issued advisories describing these threat actors' exploitation techniques and recommended defensive measures. Microsoft has identified a high level of cooperation among various Iranian groups, revealing organized, multiphase attack strategies against international targets. Check Point highlights the dual nature of these campaigns, which combine psychological operations with actual data destruction to maximize impact. | Details |
| 2024-05-20 16:10:26 | bleepingcomputer | MALWARE | New BiBi Wiper Update Enhances Malware's Destructive Capabilities | A newly updated version of the BiBi Wiper malware now also corrupts disk partition tables, making restoration more difficult. BiBi Wiper, associated with the Iranian group Void Manticore, targets Israel and Albania, disrupting critical operational systems. Security Joes first detected BiBi Wiper in October 2023; Israel's CERT subsequently issued warnings about its significant threat. Check Point Research identified additional custom wipers used by Void Manticore, suggesting coordinated attacks with another group, Scarred Manticore. Void Manticore, operating behind the Karma hacktivist persona on Telegram, has claimed responsibility for attacks on over 40 Israeli organizations. The malware specifically targets Israeli systems without disabling critical recovery facilities, but removes partition data to hinder repair. BiBi Wiper variants show operational differences between the Windows and Linux platforms, refining tactics to maximize system disruption. The related Cl Wiper and Partition Wiper are employed in attacks on Albanian targets, causing severe damage such as BSODs and system crashes. | Details |
| 2024-05-20 15:00:25 | bleepingcomputer | CYBERCRIME | QNAP Systems Hit by Critical Unpatched Remote Code Exploit | A security audit of QNAP QTS uncovered fifteen vulnerabilities, eleven of which remain unfixed. The critical vulnerability, CVE-2024-27130, allows remote code execution via a stack buffer overflow in the Share feature. Exploitation requires a crafted request using a 'name' parameter together with a valid 'ssid' parameter taken from a NAS share link. Although the exploit requires specific conditions, shared links can sometimes be found online, increasing risk exposure. WatchTowr Labs developed a proof of concept that creates a privileged account when the exploit succeeds. QNAP issued security updates in April 2024 for four of the vulnerabilities but did not address the others. Despite multiple delays in its response, QNAP has yet to comment on these latest findings. | Details |
| 2024-05-20 14:04:03 | theregister | DATA BREACH | QNAP Criticized for Slow Response to Critical Vulnerabilities | WatchTowr security researchers publicly disclosed multiple unpatched vulnerabilities in QNAP's operating systems after extended deadlines were exceeded. Of the 15 vulnerabilities found, only four have been patched, despite reports made as early as December 2023. Six validated vulnerabilities, including a severe stack overflow issue permitting remote code execution, remain unpatched with CVEs assigned. The security firm extended the standard 90-day disclosure period, citing significant remediation blockers, but eventually had to disclose because of the ongoing risk to the internet community. Despite slow patch response times, QNAP cooperated with the researchers by granting access to testing environments, signifying a high priority on user security. QNAP has faced criticism and negative impacts from past incidents, including ransomware attacks exploiting previously patched vulnerabilities. There is ongoing concern over the speed of QNAP’s vulnerability response, especially given the company’s history with critical security breaches. | Details |
| 2024-05-20 13:33:22 | theregister | NATION STATE ACTIVITY | ByteDance and DOJ Request Expedited TikTok Ban Ruling | ByteDance and the Department of Justice have jointly requested an expedited court schedule for the TikTok ban/divestiture case, aiming for a ruling by December 6 to meet the Supreme Court filing deadline. The request was made to the US Court of Appeals for the District of Columbia and includes eight content creators as co-petitioners, who argue against the feasibility and legality of a forced TikTok divestiture. The content creators claim the TikTok ban violates their First Amendment rights, emphasizing the significant public interest in a prompt resolution of the case. The law in question, the Protecting Americans from Foreign Adversary Controlled Applications Act, forces ByteDance to sell TikTok or shut it down, classifying it as a foreign adversary-controlled application. US lawmakers justify the law by citing potential risks such as data snooping or the spread of propaganda dictated by Beijing, but the plaintiffs argue there is no solid evidence supporting these claims or showing that the law enhances data security. The ban is scheduled to begin on January 19, 2025, giving TikTok 270 days post-enactment to comply with the divestment or cease operations. The court is requested to calendar oral arguments by September of this year, with a decision requested by the end of May. | Details |
| 2024-05-20 12:26:58 | thehackernews | MALWARE | Foxit PDF Vulnerabilities Exploited to Spread Diverse Malware | Multiple threat actors are exploiting a flaw in Foxit PDF Reader to distribute various types of malware, including Agent Tesla and NanoCore RAT. The exploit deceives users with pop-up warnings that press them to approve harmful commands, leading to malware being downloaded and executed from Discord's CDN. Adobe Acrobat Reader is not affected by this exploit, which contributes to the campaign's low detection rate in antivirus systems and aids its effectiveness. The malware attacks are linked to both cybercrime and espionage, with some activities attributed to the DoNot Team, known for its sophisticated cyber tactics. Malicious PDFs are being distributed via social platforms such as Facebook and use legitimate sites such as GitLab and Discord to host malware and evade detection. Check Point researchers identified a specific attack chain in which PDFs deliver payloads capable of data theft, cryptocurrency mining, and system surveillance. Some malware within the PDFs is designed to steal browser credentials and can progress through multiple attack stages, ultimately delivering tools such as Remcos RAT. Foxit has acknowledged the vulnerability and plans to release a corrective update in its upcoming software version. | Details |
| 2024-05-20 11:00:12 | thehackernews | MISCELLANEOUS | Enhancing Software Security with GitGuardian's Automated SCA Tools | GitGuardian introduces an SCA tool capable of scanning for Common Vulnerabilities and Exposures (CVEs) during coding. A significant percentage (70%-90%) of modern software uses open-source components, which frequently introduce vulnerabilities. GitGuardian's tool allows developers to check for known vulnerabilities in dependencies before finalizing a pull request. The scanning tool, integrated via Git hooks, automates the security checks at the pre-commit or pre-push phase. The process is designed to catch vulnerabilities early in development, significantly reducing the cost and complexity of later fixes. SCA scans can be limited to new or altered code only, avoiding disruptions from unresolved issues in the existing codebase. Developers receive immediate feedback if a vulnerability is detected, with suggestions for patched versions when available. GitGuardian offers a 2-week free trial of its SCA tool, extending its suite of security solutions, which includes Secrets Detection and Infra as Code Security. | Details |
| 2024-05-20 09:38:23 | theregister | MALWARE | British Library Combats Ransomware Attack with Emotional Intelligence | The British Library (BL) experienced a significant ransomware attack, which severely impacted its operations and data security. BL's response was driven by emotional intelligence, focusing on frequent, transparent communications despite the ongoing crisis. CEO Roly Keating emphasized the emotional impact on staff and users, adapting communications to be more relatable and human-focused. The library's candid report in March revealed outdated architecture, which enabled the Rhysida gang to execute the attack. Keating highlighted the incident's lessons, aiming to enhance cyber resilience across the cultural and library sectors. Recovery efforts are ongoing, with a focus on retiring legacy systems, enhancing security measures such as deploying MFA, and rebuilding technical infrastructure. While some services have resumed, the library continues to face challenges in fully restoring all functionality. BL's strategy involves not negotiating with the attackers, maintaining public access, and rebuilding trust and service quality through effective communication and narrative management. | Details |
| 2024-05-20 09:28:04 | thehackernews | MALWARE | Cyber Criminals Use GitHub, FileZilla in Malware Delivery Scheme | Cyber criminals are exploiting legitimate services such as GitHub and FileZilla to distribute a variety of malware, including stealers and banking Trojans. Malware variants such as Atomic, Vidar, Lumma, and Octo are being disguised as popular software such as 1Password and Pixelmator Pro. The operation, dubbed GitCaught by Recorded Future's Insikt Group, uses fraudulent profiles and repositories to host counterfeit software aimed at harvesting sensitive data. Attack vectors include malvertising and SEO poisoning, with links to malicious files embedded in various domains to lure victims. The adversaries, likely Russian-speaking actors from the Commonwealth of Independent States, use FileZilla servers for malware management and distribution. Further analysis links the attacks to a larger campaign involving multiple malware types and targeting multiple platforms, including Android, macOS, and Windows. Significant abuse of other legitimate services such as Bitbucket and Dropbox has been observed, widening the scope of the campaign. Microsoft’s intelligence has flagged a macOS backdoor, codenamed Activator, as part of this malicious campaign, targeting cryptocurrency wallets among other sensitive data. | Details |
| 2024-05-20 06:29:49 | theregister | NATION STATE ACTIVITY | Germany Considers Banning Huawei, ZTE Gear Over Security Fears | Germany is debating the removal of Huawei and ZTE equipment from its 5G networks due to national security concerns, with key ministries supporting the move. The German Foreign Office, Ministry for Economic Affairs, and Interior Ministry propose phasing out critical components from core networks by 2026 and reducing dependency on Chinese technology in other network areas by 2029. Industry opposition is reportedly affecting the Digital Ministry's decision-making process, though a ministry spokesperson refuted such claims. The concerns are partly based on China’s National Intelligence Law, which mandates cooperation with intelligence services and could potentially compromise customer network information. Other countries, such as Japan, Australia, Canada, and the UK, have already imposed restrictions or full bans on Huawei equipment in their government and critical infrastructure networks. The European Union has labeled Huawei a "high risk supplier," and some EU member states have independently banned Huawei and ZTE from their national infrastructures. Germany faces significant financial implications for replacing existing telecom equipment, with Deutsche Bahn estimating costs of over €400 million for compliance. | Details |
| 2024-05-20 05:54:06 | thehackernews | MALWARE | Latrodectus Malware Loader, IcedID's Successor Targets Phishing Campaigns | Cybersecurity researchers observed an increase in email phishing campaigns using Latrodectus, a new malware loader, starting in March 2024. Latrodectus replaces IcedID and can deploy other payloads such as QakBot, DarkGate, and PikaBot for varied post-exploitation activities. It features advanced techniques including obfuscation, anti-analysis checks, self-deletion of its files, and persistence mechanisms on infected Windows systems. The malware communicates with its command-and-control server over HTTPS, executing commands that manage system information, updates, and downloads. Recent phishing-related findings also include campaigns deploying DarkGate malware through invoice-themed emails and a sophisticated phishing-as-a-service platform targeting Microsoft 365 and Gmail sessions. The new malware loader D3F@ck and stealers such as Fletchen Stealer and WaveStealer show evolving malware-as-a-service and data-stealing capabilities. The intersection of these malicious campaigns underscores an enduring and adaptive cybercrime ecosystem with increasing sophistication in evading detection and maintaining persistence. | Details |
| 2024-05-20 02:30:57 | theregister | DATA BREACH | Nissan Confronts Major Data Breach Impacting Over 50,000 Employees | Nissan disclosed a severe data breach that compromised the personal information of over 50,000 U.S. employees as a result of a targeted cyber attack. The breach, reported in November 2023, involved unauthorized access through a compromised external VPN, leading to the theft of Social Security numbers. The criminals shut down specific Nissan systems and demanded a ransom, though Nissan initially believed only business information was affected. It wasn't until February of the following year that Nissan realized employee Social Security numbers had also been breached. Post-breach security measures include an enterprise-wide password reset, the implementation of Carbon Black monitoring, and enhanced vulnerability scans. In a separate incident, Nissan's Oceania division was attacked by the Akira ransomware gang in December 2023, resulting in additional personal data exposure. Nissan is taking several steps to fortify security and mitigate potential future risks, with no immediate indication that the stolen employee data has been misused. | Details |
| 2024-05-19 21:16:05 | bleepingcomputer | CYBERCRIME | American Radio Relay League Hit by Disruptive Cyberattack | The American Radio Relay League (ARRL) experienced a significant cyberattack that impacted its network and IT systems. The attack disrupted online services, including email and ARRL's Logbook of the World, a crucial tool for amateur radio operators. ARRL is a key entity in the U.S., advocating for amateur radio at the governmental level and offering resources for radio enthusiasts. Following the cyberattack, ARRL assured its members that sensitive financial data such as credit card details was not stored in its systems. The member database contains personal information such as names, addresses, and call signs, raising concerns about the breach of private data. The specific nature of the cyberattack, whether ransomware or another form, remains unclear as investigations continue. ARRL is actively working to restore affected services and strengthen its cybersecurity measures in response to the incident. | Details |
| 2024-05-19 14:18:02 | bleepingcomputer | CYBERCRIME | CISA Issues Warning on Exploited Chrome and D-Link Vulnerabilities | The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has updated its KEV catalog with new vulnerabilities, notably in Google Chrome and older D-Link routers. Federal agencies have been given a deadline of June 6th to address these vulnerabilities, either by updating, replacing affected devices, or implementing defenses. The Chrome vulnerability, identified as CVE-2024-4761, is an actively exploited flaw in the browser's JavaScript engine; another related flaw has also been noted but is not yet cataloged by CISA. A long-standing vulnerability in D-Link DIR-600 routers, dating from 2014, is a CSRF issue that allows hijacking of the administrative interface. Although the D-Link routers are end-of-life, fixes were previously issued and remain critical to apply. Older vulnerabilities are often targeted by botnet malware, which exploits a range of devices regardless of age or type, stressing the importance of sustained device and firmware updates. | Details |
| 2024-05-19 09:48:43 | thehackernews | CYBERCRIME | Chinese Nationals Charged in $73 Million Crypto Laundering Scam | The U.S. Department of Justice arrested two Chinese nationals, Daren Li and Yicheng Zhang, over a sophisticated cryptocurrency scam that laundered over $73 million. Li and Zhang reportedly managed an international network that misled victims into investing in fraudulent crypto schemes and moved the money through U.S. shell companies. The laundered funds were channeled through U.S. banks to accounts in the Bahamas, converted to USDT (Tether), and then transferred to other cryptocurrency wallets. The scheme, known as a "pig butchering scam," often targets vulnerable individuals via social networks, persuading them to invest in fake opportunities and culminating in significant financial losses. Both suspects face charges including conspiracy and multiple counts of international money laundering, with each count carrying a potential 20-year prison sentence. Additional cases highlight a growing trend of crypto-related scams and exploitation, including a disturbing human trafficking dimension in Asia linked to scam operations. Legal actions continue globally as authorities intensify efforts to clamp down on digital financial crimes and exploitation-related offenses. | Details |