Daily Brief
Total articles found: 11821
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-05-16 14:15:21 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Target South Korea With New Linux Malware | The North Korean Kimsuky hacker group has deployed a Linux backdoor called Gomir against South Korean entities. Gomir, a Linux variant of the GoBear backdoor, was distributed through trojanized software packages. Its key capabilities include direct command-and-control communications, persistence on infected systems, and execution of a range of commands. The malware first ensures it is running with root privileges, then maintains persistence by copying itself to system directories and setting up a systemd service. Symantec's investigation found that Gomir supports 17 specific operations, similar to those of the Windows version, GoBear. Supply-chain attacks using trojanized software installers are identified as the primary method of deploying these tools. Symantec's report includes indicators of compromise to help identify and mitigate the threat. |
| 2024-05-16 14:04:57 | bleepingcomputer | MISCELLANEOUS | Managing Security Risks with AI Tools in the Workplace | Adoption of generative AI (GenAI) tools in the workplace has surged, with businesses observing a rise in AI application usage from 150 in July 2023 to over 500 recently. Many employees use GenAI tools without formal oversight because of free trials and SaaS models, which complicates tracking and management for IT and security teams. Nudge Security offers a SaaS management platform that detects all SaaS and GenAI tools used across an organization, providing a comprehensive inventory that includes newly adopted tools. The platform lets security teams review and assess these tools through insights into usage, user identity, and integration details, alongside security evaluations. Nudge Security also helps identify and manage risky permissions granted via OAuth, giving teams visibility into the scope of access each application holds. It supports IT governance by sending timely "nudges" to users when they adopt new AI tools, prompting them to acknowledge the organization's AI usage policies and encouraging secure practices. Through these mechanisms, Nudge Security aims to let businesses balance innovation with new AI technologies against protection from the associated security risks. |
| 2024-05-16 13:49:24 | thehackernews | MALWARE | North Korean Hackers Use Facebook Messenger for Malware Delivery | The North Korea-linked Kimsuky hacking group is conducting a malware campaign via Facebook Messenger using fictitious accounts. Targets are deceived by fake profiles imitating public officials in the North Korean human rights sector. The attack relies on social engineering through private document shares on OneDrive, diverging from traditional email spear-phishing. Decoy documents are presented as academic and interview content related to diplomatic summits and are hosted with misleading file types to bypass detection. Opening the malicious document triggers a command sequence that connects the victim's computer to a control server. Collected data includes IP addresses, user details, and process information, which are sent to the adversary's server for further exploitation. The campaign's techniques partially overlap with previously identified Kimsuky operations, indicating a continuation and evolution of the group's strategic cyber attacks. Genians highlights the importance of early detection of such personalized, covert social-media-based attacks, which often go unnoticed by standard security measures. |
| 2024-05-16 13:28:51 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Use Trojanized Software for Espionage | The North Korean Kimsuky group targeted South Korean entities with trojanized software to deploy the Linux malware Gomir. Trojanized versions of TrustPKI, NX_PRNMAN, and Wizvera VeraPort were used to deliver malware, including a Windows variant, Troll Stealer. Gomir, a new backdoor similar to the Windows GoBear malware, supports direct C2 communications and has robust persistence capabilities. Upon infection, Gomir secures itself on the host by copying itself to /var/log/syslogd, creating a systemd service, and establishing a crontab command for persistence across reboots. The backdoor can execute 17 different operations, controlled via HTTP POST commands from its command-and-control server. Symantec identified the malicious activity and shared indicators of compromise, emphasizing supply-chain attacks as the prevalent method for these espionage efforts. |
| 2024-05-16 10:55:53 | bleepingcomputer | MALWARE | Google Patches Third Chrome Zero-Day in One Week | Google has issued an emergency security update for Chrome to fix a third zero-day vulnerability exploited within a single week. The vulnerability, tracked as CVE-2024-4947, is a type confusion issue in the Chrome V8 JavaScript engine. This high-severity flaw, reported by Kaspersky researchers, allows arbitrary code execution on targeted devices by manipulating memory buffers. The updated Chrome versions 125.0.6422.60/.61 for Mac/Windows and 125.0.6422.60 for Linux will be distributed to users in the Stable Desktop channel over the coming weeks. Chrome users are urged to confirm their browser is up to date by checking manually via the Chrome menu and installing any available update. Details of the attacks using this vulnerability remain restricted to prevent further exploitation, particularly because the bug may also exist in third-party libraries used by other projects. This zero-day is the seventh addressed in Chrome in 2024, a concerning trend in browser security vulnerabilities. |
| 2024-05-16 10:15:07 | thehackernews | CYBERCRIME | Security Flaws in GE Healthcare Ultrasound Machines Expose Risks | Security researchers have identified 11 vulnerabilities in GE HealthCare Vivid Ultrasound systems that could enable ransomware attacks and manipulation of patient data. The flaws affect both the ultrasound system itself and related software, including the EchoPAC program used by doctors on Windows workstations. Exploitation requires physical access to the healthcare environment, after which a threat actor can execute arbitrary code with administrative privileges. The most critical vulnerability, CVE-2024-27107, involves the use of hardcoded credentials, enabling unauthorized access to patient data. An attacker could exploit the flaws in several ways, including malicious USB drives that automate the attack or access to the hospital network via stolen VPN credentials. GE HealthCare has responded that existing controls mitigate the risks to an acceptable level, emphasizing that physical access is required for exploitation. Recent disclosures have heightened concerns about the robustness of security measures in healthcare and related IoT devices, underscoring the need for constant vigilance and timely updates. |
| 2024-05-16 09:39:20 | theregister | MISCELLANEOUS | NCSC CTO Criticizes Tech Market for Security Failings | NCSC CTO Ollie Whitehouse discussed the tech industry's role in cybersecurity challenges during the CYBERUK conference. He addressed the market's failure to produce cyber-resilient technology despite the technical know-how available in fields such as memory safety and Rust programming. He highlighted a significant rise in known vulnerabilities and a gap between security claims and reality. He emphasized the pervasive problem of technical debt and the need to impose penalties on vendors for security failings, and advocated stronger regulatory and legislative action to enforce vendor accountability for cybersecurity. He suggested incentives for companies that proactively improve their security practices, alongside increased transparency and tighter regulation. He stressed the importance of continuous investment in security rather than one-time, simplistic solutions, and called for a paradigm shift in how the market values cybersecurity to better prepare for future technologies and security requirements. |
| 2024-05-16 03:22:21 | thehackernews | CYBERCRIME | Cybercriminals Misuse Microsoft Quick Assist for Ransomware Attacks | Storm-1811, a financially motivated cybercriminal group, is abusing Microsoft Quick Assist in social engineering and ransomware attacks. The attackers deploy Black Basta ransomware through a chain that involves voice phishing, installation of remote tools such as RMM software, and malware including QakBot and Cobalt Strike. The criminals pose as IT support to gain access to victims' devices, using Quick Assist under the pretext of helping with spam problems that they themselves created through link listing attacks. Once access is gained, the attackers use a cURL command to deploy malicious batch or ZIP files, enabling the ransomware to spread further across the network. The misuse of Quick Assist has prompted Microsoft to consider adding warning messages to alert users to potential tech support scams. Targeted industries include manufacturing, construction, food and beverage, and transportation, demonstrating the breadth of these ransomware campaigns. Microsoft and cybersecurity experts urge organizations to disable or uninstall unused RMM tools and to educate employees on recognizing tech support scams. |
| 2024-05-16 03:01:42 | thehackernews | MALWARE | Google Addresses New Chrome Zero-Day Exploit with Urgent Patch | Google has issued updates to fix a newly discovered zero-day vulnerability, CVE-2024-4947, in its Chrome browser that is being actively exploited in the wild. The vulnerability is a type confusion issue in Chrome's V8 JavaScript engine that allows attackers to execute arbitrary code. Kaspersky researchers flagged the flaw, which is the third zero-day patched by Google in a single week. This class of vulnerability enables unauthorized out-of-bounds memory access, potentially leading to crashes and uncontrolled code execution. Google has now addressed seven zero-day vulnerabilities in Chrome since the beginning of the year. Users are strongly urged to update Chrome to the latest version (125.0.6422.60/.61 for Windows and macOS, 125.0.6422.60 for Linux) to protect against exploitation. Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply patches as they become available. |
| 2024-05-16 01:24:45 | bleepingcomputer | MALWARE | New Android 15 Security Features Target Malware and Fraud Prevention | Google has added new security features to Android 15 and Google Play Protect to combat scams, fraud, and malware on devices. The upgrades focus on blocking spyware and banking trojans that steal banking credentials and multi-factor authentication codes. Privacy during screen sharing is enhanced, with sensitive information such as one-time passcodes automatically obscured to thwart data theft. A notification system will alert users when they are connected to an unencrypted cellular network, increasing protection against Stingray attacks and similar threats. Google Play Protect now includes live threat detection that uses on-device AI to identify and review suspicious app behavior. Developers will benefit from the updated Play Integrity API, which checks whether apps are running in secure environments. These updates were announced at Google I/O 2024 and will ship in upcoming updates to Google Play services and Android 15. |
| 2024-05-15 22:36:51 | theregister | CYBERCRIME | FBI Shuts Down BreachForums Ransomware Site and Telegram Channel | The FBI, alongside international law enforcement agencies, has seized control of the ransomware brokerage site BreachForums and its associated Telegram channel. The action comes shortly after BreachForums hosted stolen data from Europol's databases. Previous attempts to disable the site had been made, but it consistently re-emerged until this operation. The takedown was coordinated by the Five Eyes intelligence alliance together with police forces from Switzerland, Iceland, and Ukraine. BreachForums had replaced the previously dismantled RaidForums and was known for trading in stolen data and facilitating double extortion ransomware attacks. The site's former administrator, Conor Brian Fitzpatrick, was sentenced to 20 years of supervised release following his earlier arrest in January. The BreachForums website now displays a notice of its seizure by the FBI and DOJ, along with a call for information about cybercriminal activity conducted through the platform. While the takedown is a significant disruption to cybercriminal operations, the persistence of such illicit marketplaces suggests ongoing challenges in eliminating these criminal enterprises entirely. |
| 2024-05-15 22:36:50 | bleepingcomputer | MALWARE | Google Addresses Third Chrome Zero-Day in One Week | Google released an emergency update for Chrome to patch a severe zero-day vulnerability, CVE-2024-4947, that is already exploited in the wild. This is the third zero-day addressed by Google within a single week, highlighting an intensifying threat. The vulnerability stems from a type confusion issue in Chrome's V8 JavaScript engine and was discovered by researchers at Kaspersky. The flaw can allow attackers to execute arbitrary code on target devices by manipulating browser memory. Chrome updates are deployed automatically, but users can manually verify and complete the update via the browser's settings. Given the nature of the exploit, Google has restricted access to detailed bug information to prevent further abuse until most users have updated. This patch is part of a broader trend, with Google fixing a total of seven actively exploited zero-days in Chrome since the start of 2024. |
| 2024-05-15 22:31:36 | theregister | CYBERCRIME | Cybercriminal Claims Theft From US Army and Major Defense Firm | An extortionist known as IntelBroker claims to have stolen files from the US Army Aviation and Missile Command (AMCOM) and from a $75 billion aerospace and defense company. The data allegedly taken from AMCOM includes maintenance tasks, PDFs, PNG files, and some .txt files, though these claims have not been officially verified. IntelBroker also claims to be selling stolen source code and other data from the defense company's CI/CD pipeline and its Bitbucket, GitHub, and Apache SVN repositories. Both breaches were announced on dark web platforms, with IntelBroker urging potential buyers to make contact via encrypted messages and pay in Monero (XMR). Europol is investigating IntelBroker's claim of stealing confidential data from the Europol Platform for Experts, though no core or operational data has been compromised. IntelBroker's other recent claims include data thefts from the Pentagon, other national security agencies, and private sector entities such as Home Depot via third-party vulnerabilities. |
| 2024-05-15 19:56:49 | bleepingcomputer | MALWARE | Google Announces Advanced Malware Protection for Android 15 | Google has introduced new security features in Android 15 and Google Play to strengthen protection against malware, scams, and fraud. The updates, revealed at Google I/O 2024, include measures that protect users from banking trojans and spyware, specifically by obscuring one-time passcodes and expanding the restricted settings that control app permissions. New functionality protects sensitive information during screen-sharing sessions by hiding private notification details and sensitive data entry from remote viewers. Google is rolling out alerts for users whose devices connect to an unencrypted cellular network, helping to prevent interception of voice and SMS data. The company introduced Google Play Protect live threat detection, which uses on-device AI to identify and respond to suspicious app behavior in real time. Google's updated Play Integrity API helps developers ensure their apps are running in secure environments and verify app signals for enhanced security. These enhancements are part of Google's broader effort to help developers build safer applications and to give end users robust protection against evolving threats. |
| 2024-05-15 19:36:10 | bleepingcomputer | DATA BREACH | Nissan North America Data Breach Affects Over 53,000 Employees | Nissan North America experienced a significant data breach affecting the personal data of over 53,000 current and former employees. The breach was identified after a threat actor targeted Nissan's external VPN and subsequently demanded a ransom, although no systems were encrypted. Nissan detected the breach in November 2023 and discovered in February 2024 that Social Security numbers were among the accessed files. The company promptly involved law enforcement, contained the incident with the help of cybersecurity experts, and terminated the threat. Despite the exposure of sensitive data, no misuse of the information has been reported so far. To assist affected individuals, Nissan is offering two years of free credit monitoring and identity theft protection through Experian. This incident is one of a series of security issues encountered by Nissan divisions around the world over the past few years. |