Daily Brief
Total articles found: 12755
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-07-22 13:04:20 | theregister | MISCELLANEOUS | Microsoft Links EU Directives to Windows Kernel Vulnerabilities | Microsoft attributes third-party access to the Windows kernel to a 2009 EU directive aimed at ensuring interoperability. The directive requires Microsoft to make available to third-party security products the same APIs its own security software uses. This policy has allowed companies like CrowdStrike to operate deep within Windows, which can enhance security but also poses significant risk. Microsoft is under scrutiny over its decisions on third-party kernel-level access, especially following a disruptive CrowdStrike update. The issue highlights the broader challenge of balancing system security against third-party software capabilities within operating systems. Microsoft has not updated its stance since the chaos caused by the CrowdStrike update. The architecture of Windows allows such deep integration by third parties, as do the permission models of other operating systems, though with the potential for high-profile failures. |
| 2024-07-22 12:28:12 | thehackernews | CYBERCRIME | Hacker Groups Exploit Google Cloud to Conduct Phishing Attacks | FLUXROOT, a financially motivated group from Latin America, uses Google Cloud serverless projects for credential phishing schemes. The FLUXROOT campaigns primarily target Mercado Pago, exploiting Google Cloud container URLs to host phishing sites. Google's threat report indicates that serverless architectures, while beneficial for legitimate enterprises, also offer advantageous platforms for cybercriminals. PINEAPPLE, another malicious actor, similarly abuses Google Cloud to distribute the Astaroth stealer malware to Brazilian users. These threat actors also attempt to evade email security by manipulating email authentication processes. Google has responded by dismantling the malicious projects and enhancing its Safe Browsing protections. The widespread adoption of cloud services has led to an increase in threats such as illicit cryptocurrency mining and ransomware, which exploit the inherent difficulty of distinguishing malicious from normal cloud traffic. |
| 2024-07-22 12:07:12 | theregister | NATION STATE ACTIVITY | US Sanctions Two Russians for Cyberattacks on Critical Infrastructure | Two Russian nationals, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, have been added to the US sanctions list for cyberattacks on US critical infrastructure. The individuals are associated with the Cyber Army of Russia Reborn (CARR), previously linked to the Kremlin's GRU and known for various disruptive operations. Targeted attacks included manipulation of industrial control systems at water, energy, and wastewater facilities in the US and Europe, affecting operations and resources. Despite claims of causing significant disruption, the attackers reportedly lacked the sophistication to cause lasting major damage. The sanctions make any business dealings with Pankratova and Degtyarenko illegal in the US, illustrating a proactive approach to cybercrime by the US government. The sanctions and continued monitoring aim to curb the activities of CARR and similar groups, emphasizing global cooperative efforts against cyber threats. Analysts and security officials stress the importance of international collaboration in tracking and prosecuting such cybercriminals, regardless of geopolitical protections. |
| 2024-07-22 11:25:34 | thehackernews | MISCELLANEOUS | Enhancing Security with Automated SMS Analysis Using AI | Tines, a workflow automation platform, has introduced AI capabilities to enhance organizational security through automated SMS analysis. The service analyzes scam SMS messages received by employees, identifying potential phishing attempts aimed at obtaining sensitive information or deploying malware. Using OCR and AI, the workflow extracts and examines message content for indicators of phishing, urgency, and authenticity, effectively spotting CEO fraud risks. The automated system provides a quick response to employees, advising on the safety of the SMS and suggesting further actions. Benefits of automation include saving time for security teams, reducing human error, and scaling the response capability across the organization. Employees submit suspicious messages through a simple web-based form and receive guidance in seconds. The platform leverages pre-built AI-enhanced workflows and allows customization to specific organizational needs. |
| 2024-07-22 10:44:27 | thehackernews | MISCELLANEOUS | Efficient vCISO Reporting Strategies for Enhanced Client Engagement | vCISOs play a crucial role in shaping a client's cybersecurity strategy and managing risk governance. Effective reporting can greatly improve client relations by clearly demonstrating the value of security initiatives. Jesse Miller, co-author and veteran infosec strategist, emphasizes that reporting should cast the client as the main protagonist in their own security narrative. Proper vCISO reporting covers four key areas: General Recap, Tactical Review, Strategic Review, and Future Initiatives. Each section of the report is designed for the varying levels of technical expertise among decision-makers, ensuring comprehensible and actionable insights. The Future Initiatives section helps prioritize tasks and manage resources effectively, strengthening both the client's and the vCISO's standing against risk. The holistic reporting structures endorsed in the workshops and the playbook are intended to boost vCISO client engagement and business growth. |
| 2024-07-22 06:48:32 | thehackernews | MALWARE | SocGholish Malware Abuses BOINC Project in Stealth Cyberattacks | SocGholish, a JavaScript downloader malware, is delivering AsyncRAT and abusing the BOINC project to covertly execute cyberattacks. BOINC, an open-source computing platform from UC Berkeley, is renamed and used by the malware to connect to malicious domains acting as C2 servers. As of mid-July, over 10,000 clients have been reported as connected to these malicious domains, with potential misuse for ransomware deployment or other malicious activity. Compromised websites trigger the malware download through fake browser update alerts, leading to payload deployment on victims' devices. The malware establishes persistence on host machines via PowerShell scripts and disguises its processes as legitimate system files. BOINC project maintainers are aware of the misuse and are investigating methods to counter the malware. The incident highlights emerging techniques such as the use of compiled V8 JavaScript, which helps bypass traditional detection methods. |
| 2024-07-22 03:59:45 | thehackernews | MALWARE | New Play Ransomware Variant Targets VMware ESXi Systems | Cybersecurity experts have identified a new Linux variant of Play ransomware that specifically targets VMware ESXi environments. The variant is part of a significant shift by the Play group to extend its operations to the Linux platform, potentially increasing the number of targets and improving the success of ransom negotiations. Play ransomware employs a double extortion strategy, both encrypting victim systems and stealing data to pressure ransom payments. Active since June 2022, the Play ransomware group had impacted approximately 300 organizations globally by October 2023, with the U.S., Canada, and Germany among the most affected countries. Heavily affected industries include manufacturing, IT, retail, financial services, and real estate. The server hosting the Linux variant also contained common tools such as PsExec and NetScan, suggesting continued use of known tools and tactics. The new variant checks for an ESXi environment before encrypting virtual machine files, appending a ".PLAY" extension to signal successful encryption. Collaboration between cybercriminal entities, such as the use of Prolific Puma's illicit infrastructure services, is highlighted as part of a strategy to evade detection and expand capabilities. |
| 2024-07-22 03:49:18 | theregister | MISCELLANEOUS | Cellebrite Cracks Shooter's Phone, Senators Query Snowflake, New APT41 Threat | The FBI used Cellebrite's digital forensics tools to unlock the Samsung smartphone of a deceased offender involved in a shooting, gaining access in just 40 minutes using an advanced, unreleased version of the software. Smartphone manufacturers continue to contest law enforcement requests to weaken encryption, citing privacy concerns and the potential misuse of backdoor access. Despite major efforts, Cellebrite's internal documents reveal that the firm is unable to access newer Apple devices running recent iOS versions, though most Android devices remain susceptible. Separate issues covered include an extensive Oracle security update addressing 386 vulnerabilities, and ongoing attacks on industrial control systems by lesser-skilled Russian hackers now under sanctions. U.S. Senators have issued an ultimatum to analytics firm Snowflake demanding explanations for recurrent security lapses following significant breaches involving stolen passwords and a lack of multifactor authentication. A sizeable leak of nearly 150,000 COVID test records from medical staffing firm InHouse Physicians was discovered by a security researcher, raising concerns over data privacy and the secure handling of sensitive information. Google identified a new data theft campaign by Chinese cyber group APT41 targeting the global shipping and logistics sectors, aiming to establish long-term access and exfiltrate sensitive information. |
| 2024-07-22 01:26:26 | bleepingcomputer | MISCELLANEOUS | Microsoft Develops Tool to Fix Faulty CrowdStrike Update | Microsoft has released a recovery tool to remediate a flawed CrowdStrike update that caused a Blue Screen of Death (BSOD) on approximately 8.5 million Windows devices. The CrowdStrike update triggered widespread IT outages globally, affecting essential services and businesses such as airports, hospitals, and banks. Organizations faced significant challenges because many Windows devices required manual intervention to remove the corrupt kernel driver. The tool, offered via a Microsoft support bulletin, automates deletion of the faulty CrowdStrike kernel driver so the device can reboot normally. To use the recovery tool, IT staff need a 64-bit Windows client, a USB drive, and possibly a BitLocker recovery key. The USB drive is formatted and loaded with a custom WinPE image that carries out the corrective action without creating logs or backups of the removed driver. Beyond the fix itself, the primary challenge remains obtaining the BitLocker recovery keys needed to run the process on encrypted devices. |
| 2024-07-21 23:54:24 | theregister | MISCELLANEOUS | CrowdStrike Software Causes Global Computer Outages | CrowdStrike's Falcon Sensor software, originally linked to crashes on Windows PCs, has also caused Linux kernel panics. Issues arose after updates, including kernel panics on systems running Red Hat Enterprise Linux 9.4, damaging computer systems globally. Red Hat advised disabling the Falcon Sensor to stabilize systems while the software-related crashes are investigated. The problems recall a similar incident from 2010 involving McAfee, with the same executive, George Kurtz, involved. CrowdStrike is developing a rapid recovery tool to address the crashes, with recent tests promising faster system remediation. Microsoft estimates that approximately 8.5 million Windows machines were affected, and a USB-bootable recovery tool has been released. The impact extended to critical services, with the British Medical Association and airlines experiencing major disruption, indicating ongoing recovery challenges. The story remains active, with further developments expected as CrowdStrike and external entities work on mitigating the damage and investigating the root causes. |
| 2024-07-21 23:38:56 | bleepingcomputer | MALWARE | Malicious Campaigns Exploit CrowdStrike Update Issue with Fake Fixes | Threat actors are leveraging CrowdStrike's recent software update mishap by distributing malware and data wipers disguised as assistance for affected systems. Following the disruption caused by a flawed CrowdStrike update that crashed millions of Windows hosts, phishing emails and fake updates have become prevalent, targeting companies scrambling to recover. CrowdStrike's official communications have warned customers to engage only with verified representatives through legitimate channels to avoid falling victim to these scams. The U.K. National Cyber Security Centre and the malware analysis platform AnyRun have both reported a spike in phishing activity and fake fixes purporting to come from CrowdStrike. One phishing campaign targeted BBVA bank customers with a website that distributed a fake CrowdStrike hotfix that installs Remcos RAT, a known remote access tool. Another campaign, attributed to a pro-Iranian hacktivist group, used a similar tactic to distribute a data wiper to Israeli companies, heavily damaging infected systems. Although the update affected less than one percent of all Windows machines, its impact was significant, causing widespread disruption across many sectors globally. CrowdStrike has identified and corrected the channel file responsible for the outages and is assisting customers with restoration through official recovery guidance. |
| 2024-07-21 19:34:53 | bleepingcomputer | MALWARE | Malicious Actors Exploit CrowdStrike Glitch to Spread Malware | Threat actors are capitalizing on a recent malfunction in a CrowdStrike update to distribute malware and data wipers to companies. CrowdStrike acknowledged the defect in its software update, which caused millions of Windows hosts to crash globally, and is working to assist those affected. Phishing campaigns have escalated as cybercriminals disguise malware as fixes or updates from CrowdStrike, exploiting customer anxiety about resolving the issue. The malware distributed includes HijackLoader, which installs the Remcos remote access tool, and a data wiper that overwrites files, rendering them unusable. CrowdStrike emphasizes its official communication channels to prevent companies from falling victim to these attacks. The U.K. National Cyber Security Centre (NCSC) and malware analysis platforms such as AnyRun have reported an increase in phishing and fake updates masquerading as CrowdStrike communications. Despite CrowdStrike's swift response to rectify the original update flaw, the disruption has had significant ripple effects across multiple sectors. |
| 2024-07-20 19:06:30 | bleepingcomputer | CYBERCRIME | UK Police Arrest Teen Tied to Major MGM Ransomware Attack | UK police have detained a 17-year-old from Walsall suspected of involvement in the MGM Resorts ransomware incident. The arrest was part of a coordinated effort with the National Crime Agency and the FBI targeting the Scattered Spider hacker collective. The suspect was released on bail pending further investigation, and their digital devices were seized for examination. Scattered Spider, implicated in the MGM attack, is a fluid network of English-speaking hackers known for ransomware and data theft. The group is not a cohesive unit but a collection of individuals with varying skills who collaborate on cybercrimes. Beyond ransomware, Scattered Spider engages in phishing, MFA bombing, and SIM swapping to penetrate networks. They have recently begun collaborating with Russian ransomware groups and have been linked to multiple high-profile cyberattacks. |
| 2024-07-20 16:03:22 | thehackernews | MALWARE | Cybercriminals Exploit CrowdStrike Flaw to Spread Remcos RAT | Cybersecurity firm CrowdStrike issued a flawed update that caused major global IT disruption. Malicious actors are misusing the incident to distribute Remcos RAT via a deceptive hotfix aimed at Latin America. Attackers deliver the malware in a ZIP file posing as a CrowdStrike update, including instructions in Spanish to ensure execution. The faulty update caused Blue Screen of Death (BSoD) crashes on numerous systems running Windows Falcon sensor version 7.11 or above. The incident highlights the risks of typosquatting and the urgent need for secure communications with official representatives. Businesses hit by the faulty update faced operational challenges and are cautioned to verify the authenticity of any corrective instructions they receive. CrowdStrike attributes the malicious campaign to a likely e-crime group focusing on customers in Latin America. |
| 2024-07-20 04:31:55 | thehackernews | CYBERCRIME | UK Teen Arrested for Role in Global Cybercrime Syndicate Operations | UK authorities have apprehended a 17-year-old suspected member of the Scattered Spider cybercrime group involved in large-scale ransomware attacks on major organizations. The arrest follows a multinational investigation by the UK's National Crime Agency, the U.S. FBI, and other law enforcement bodies, including a related arrest of another syndicate member in Spain. Scattered Spider, linked to a larger group known as The Com, is now prominent as an initial access broker for ransomware operations involving malware such as BlackCat and Qilin. The syndicate has shifted tactics toward "encryptionless" extortion attacks targeting Software-as-a-Service platforms, as described in a Mandiant report. Concurrent legal actions include the sentencing of a Texas man for operating a DDoS attack service, highlighting ongoing responses to various forms of cybercrime. Additional developments include U.S. sanctions against two Russian nationals linked to cyberattacks on critical infrastructure through a group identified as CyberArmyofRussia_Reborn. |