Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 12754

Checks for new stories every ~15 minutes

Title / Summary
2024-07-16 15:03:22 bleepingcomputer NATION STATE ACTIVITY MuddyWater Group Deploys New BugSleep Malware in Global Campaign
Iranian-backed group MuddyWater has introduced a new custom backdoor, BugSleep, in a campaign against government, airline, and media organizations worldwide. BugSleep, still under active development, is used to exfiltrate files and execute commands on compromised hosts. Delivery relies on phishing emails posing as webinar or online course invitations that lead victims to payloads hosted on the Egnyte file-sharing platform. Check Point Research identified several BugSleep versions with incremental fixes and changes, pointing to trial-and-error development. The group had previously leaned on legitimate remote management tools; the move to a custom implant gives it capabilities such as injecting into the processes of common applications like Google Chrome and Microsoft Edge. The shift marks an escalation in MuddyWater's scope and sophistication, with targeting now extending well beyond its original Middle East focus. U.S. Cyber Command has attributed MuddyWater to Iran's Ministry of Intelligence and Security, underlining its role in state-sponsored espionage.
2024-07-16 15:03:22 bleepingcomputer NATION STATE ACTIVITY Kaspersky Shuts Down U.S. Operations Following Government Sanctions
Kaspersky Lab, the Russian cybersecurity firm, will cease its U.S. operations effective July 20 following U.S. government sanctions. The Treasury Department sanctioned 12 Kaspersky executives, freezing their assets for operating in Russia's technology sector, and the Commerce Department added Kaspersky Lab and its subsidiaries to the Entity List, barring American businesses from dealing with them. The measures stem from concerns that Kaspersky poses a national security risk because it could be influenced by the Russian government. Separately, the Bureau of Industry and Security banned the sale of Kaspersky software and the delivery of updates in the U.S., citing cybersecurity threats. Kaspersky said it decided to shut down after evaluating the impact of the legal and regulatory measures, which it concluded make the business nonviable in the U.S. Fewer than 50 U.S.-based employees will be laid off as part of the gradual wind-down.
2024-07-16 15:03:22 bleepingcomputer MISCELLANEOUS Microsoft Resolves Outlook Security Alert Issue from Updates
Microsoft fixed a bug in Outlook that wrongly raised security alerts when opening ICS calendar files, a regression introduced by a December security update. That update patched CVE-2023-35636, an information disclosure flaw that let an attacker leak a user's NTLM hash, which could then be used in pass-the-hash attacks and lead to data breaches. An initial fix for the false alerts shipped in April but was pulled after problems surfaced in Beta Channel testing with Office Insiders; the final fix landed in the July 9 public update for the Outlook desktop application. Microsoft advises customers who applied the temporary registry-key workaround to revert those changes so that the new patch takes effect. The company also announced the upcoming deprecation of basic authentication for personal email accounts and fixed a separate bug affecting replies to encrypted emails.
2024-07-16 15:03:21 bleepingcomputer CYBERCRIME Microsoft Identifies Scattered Spider as Qilin Ransomware Users
Microsoft reports that the Scattered Spider cybercrime gang now deploys Qilin ransomware in its attacks, adding another encryptor to its arsenal against high-profile organizations. Scattered Spider, also tracked as Octo Tempest among other aliases, ran the 0ktapus phishing campaign that hit over 130 organizations including Microsoft and T-Mobile. The group operated as a BlackCat/ALPHV affiliate in 2023 and has since been tied by Symantec to the RansomHub ransomware-as-a-service operation. Its playbook combines phishing, MFA fatigue (push bombing), and SIM swapping to obtain and keep access to corporate networks. Qilin, which launched as "Agenda" in 2022 before rebranding, has matured quickly and offers customizable encryptors for Linux systems and VMware ESXi virtual machines. The gang runs double-extortion attacks, exfiltrating sensitive data before encrypting it and using the stolen data as leverage in ransom negotiations. According to the FBI and CISA, the latest wave of Qilin activity features large ransom demands and targets several enterprise-scale organizations.
2024-07-16 15:03:21 bleepingcomputer DATA BREACH Rite Aid Data Breach Affects Over 2 Million Customers
Rite Aid says the personal information of 2.2 million customers was compromised in a June data breach. An intruder used an employee's credentials to gain access; the activity was detected on June 6, about 12 hours after it began. Exposed data includes names, addresses, dates of birth, and government-issued ID numbers tied to purchases made between June 2017 and July 2018. The RansomHub ransomware gang claimed responsibility, saying it took 10 GB of customer data after ransom negotiations collapsed, and the breach became public when Rite Aid appeared on RansomHub's dark web leak site with a threat to publish the data. Rite Aid confirmed that Social Security numbers, financial information, and health information were not affected. RansomHub specializes in data theft and extortion and typically sells or auctions stolen data when negotiations fail.
2024-07-15 16:22:49 thehackernews DATA BREACH Accidental Leak of GitHub Token Risks Python Repositories
A GitHub personal access token with administrative access to core Python and PyPI repositories was accidentally leaked. JFrog found the token inside a compiled Python (.pyc) file in a public Docker image; had an attacker found it first, it could have been used to inject malicious code into the Python source tree or PyPI packages, enabling a large-scale supply chain attack on the language itself. The token was revoked quickly after disclosure, and no evidence of misuse has been found. It belonged to PyPI administrator Ee Durbin, who had placed it in a local copy of the code to avoid GitHub API rate limits during development; the source file was later removed, but the compiled bytecode carrying the token remained and shipped in the image. In a related finding, Checkmarx reported PyPI packages that exfiltrate data to a Telegram bot linked to cybercriminal groups in Iraq. The incident underscores the need to scan build artifacts, not just source, for secrets, and to use short-lived, narrowly scoped tokens in repository and package management workflows.
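The failure mode above is that deleting the .py file does not delete the secret: CPython's marshalled bytecode keeps string constants verbatim. The following is an added example, not code from the article, JFrog or PyPI, that compiles a constructed snippet containing a fake token, shows the token is recoverable from the .pyc bytes, and then scans a constructed tar archive (the shape of a Docker image layer) for token-shaped strings. The token patterns are assumptions based on GitHub's published prefixes (classic `ghp_` plus 36 alphanumerics, fine-grained `github_pat_`); the file names and the token itself are made up.

```python
"""Added example: secrets survive in compiled Python bytecode, and a
layer-level scan catches them where a source-only scan would not."""
import io
import marshal
import re
import tarfile

# Assumed token shapes: classic/OAuth/app tokens are a 4-char prefix plus 36
# alphanumerics; fine-grained PATs are 'github_pat_' + 22 chars + '_' + 59 chars.
# Refresh tokens ('ghr_') are longer and deliberately left out here.
TOKEN_RE = re.compile(
    rb"(?:ghp|gho|ghu|ghs)_[A-Za-z0-9]{36}"
    rb"|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}"
)


def find_tokens(blob: bytes) -> list[str]:
    """Every token-shaped string in a byte blob, in order, without duplicates."""
    found: list[str] = []
    for m in TOKEN_RE.finditer(blob):
        s = m.group(0).decode("ascii")
        if s not in found:
            found.append(s)
    return found


def compile_to_pyc_bytes(source: str) -> bytes:
    """Marshal a compiled code object the way CPython's .pyc writer does.
    The 16-byte .pyc header is stubbed out; only the marshalled body matters."""
    code = compile(source, "<constructed>", "exec")
    return b"\x00" * 16 + marshal.dumps(code)


def scan_tar(tar_bytes: bytes) -> dict[str, list[str]]:
    """Walk every regular file in a tar archive (one Docker image layer is a
    tar) and report member names that contain token-shaped strings."""
    hits: dict[str, list[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            f = tf.extractfile(member)
            if f is None:
                continue
            tokens = find_tokens(f.read())
            if tokens:
                hits[member.name] = tokens
    return hits


# Constructed, non-functional token with the classic PAT shape (4 + 36 chars).
FAKE_TOKEN = "ghp_" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
# Constructed source: the kind of local rate-limit hack the article describes.
SOURCE = (
    'TOKEN = "' + FAKE_TOKEN + '"\n'
    'HEADERS = {"Authorization": "token " + TOKEN}\n'
)


def build_layer() -> bytes:
    """Constructed layer: the .py was deleted, but __pycache__ was kept."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        pyc = compile_to_pyc_bytes(SOURCE)
        info = tarfile.TarInfo("app/__pycache__/ratelimit.cpython-312.pyc")
        info.size = len(pyc)
        tf.addfile(info, io.BytesIO(pyc))
        readme = b"no secrets here\n"
        info2 = tarfile.TarInfo("app/README")
        info2.size = len(readme)
        tf.addfile(info2, io.BytesIO(readme))
    return buf.getvalue()


def demo() -> dict[str, list[str]]:
    """Scan the constructed layer; returns {member name: [tokens]}."""
    return scan_tar(build_layer())


if __name__ == "__main__":
    for name, tokens in demo().items():
        print(name, "->", [t[:8] + "..." for t in tokens])
```

Running the scan over real image layers means iterating the layer tarballs from `docker save` output in the same way; the point is that the .pyc in `__pycache__` is flagged even though no `.py` in the image ever contained the token.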
2024-07-15 15:06:11 theregister MISCELLANEOUS Microsoft Criticized for Flawed Vulnerability Disclosure Practices
Trend Micro's Zero Day Initiative (ZDI) reported a zero-day in Microsoft's MSHTML engine in May; Microsoft patched it in July without crediting ZDI. Microsoft classified the flaw as a spoofing vulnerability, whereas ZDI assesses it as a more severe remote code execution bug. Uncertainty remains over what exactly the patch addresses, and ZDI has questioned whether Microsoft fully understands the issue it fixed. ZDI named the threat actor exploiting the flaw Void Banshee; the group targeted victims in several regions to steal cryptocurrency. The broader complaint is Microsoft's poor coordination with researchers after a bug report is submitted, which has frustrated the research community and points to an industry-wide problem in how large vendors handle disclosure and treat researchers. The practical consequence is that end users may not grasp the real risk of a flaw and may therefore delay applying patches.
2024-07-15 14:30:10 bleepingcomputer CYBERCRIME Ransomware Group SEXi Rebrands as APT INC, Continues Targeting VMware Servers
SEXi ransomware, known for attacking VMware ESXi servers, rebranded as APT INC in June. The group uses the leaked Babuk and LockBit 3 encryptors, Babuk against VMware ESXi and LockBit 3 against Windows. Its most visible attack hit Chilean hosting provider IxMetro Powerhost, encrypting the company's VMware servers. Since the rebrand, victims report intrusions that encrypt only files tied to VMware virtual machines, storage, and backups and leave other operating system files alone. Each victim receives a unique identifier that appears in the ransom note and the encrypted-file extension, and negotiations run over the encrypted Session messaging app. Demands vary widely; IxMetro Powerhost was asked for two bitcoins per encrypted customer. No free decryptor exists: the leaked Babuk and LockBit 3 encryptors have no known cryptographic weaknesses. The rebrand and continued reliance on these mature encryptors make APT INC a growing threat to organizations running VMware ESXi.
2024-07-15 13:49:07 theregister CYBERCRIME Squarespace Migration Leads to DNS Hijacking at Web3 Firms
Security researchers have linked a string of DNS hijackings at web3 companies to weaknesses in Squarespace's migration of Google Domains customers. Squarespace granted access to the email addresses attached to migrated domains without verifying them, so an attacker who signed up for Squarespace with one of those addresses, including those of associated Google Workspace admins, could take control of the domain. The hijackers then pointed legitimate hostnames at phishing sites built to steal digital assets and tokens. Several web3 firms, including Compound Labs and Unstoppable Domains, detected the takeovers and have since recovered their domains. Other customers may still be exposed; affected organizations are urged to enable two-factor authentication on their Squarespace accounts, review domain and account activity logs, and verify their DNS records to catch and reverse any unauthorized changes.
2024-07-15 13:03:07 bleepingcomputer MALWARE Facebook Ads Used to Distribute SYS01 Info-Stealing Malware
Cybercriminals are using Facebook business pages and paid ads to push malvertising for fake Windows themes and pirated software. The ads lead to download links on Google Sites or True Hosting that serve malware disguised as the promised software, with lures including Windows themes, free games, and cracked copies of programs such as Photoshop and Microsoft Office. The downloaded ZIP archives carry the SYS01 infostealer, which installs via DLL sideloading and steals browser cookies, saved credentials, and cryptocurrency wallet data. Facebook is the main distribution channel, but the same tactics have appeared on LinkedIn and YouTube. Trustwave notes the operation has evolved from earlier campaigns that aimed adult-themed or game-related ads at narrower audiences. The stolen Facebook credentials and session cookies feed further malvertising campaigns from newly hijacked business pages or are sold to other criminals, sustaining the threat on social media platforms.
2024-07-15 10:55:33 thehackernews MALWARE Expansive Infostealer Ecosystem Threatens Global Corporations
Infostealer malware compromises thousands of users a day, and corporate credentials are part of the haul. Low entry costs and high returns let even non-technical actors take part, either exploiting stolen data themselves or selling it. The ecosystem has specialized into distinct roles: malware developers, operators who distribute it, traffickers who package and resell stolen logs, and buyers who monetize credentials. Droppers and loaders that fetch the final payload while slipping past antivirus are staple tools, and crypter and subscription-based malware services keep payloads evading detection over time. Trading happens on darknet forums, Telegram channels, and dedicated malware and log marketplaces. Because stolen credentials and sensitive data can be used directly or resold for profit, the article stresses both the scale of the threat and the ease of access to the tooling, and the corresponding need for robust security controls in organizations.
2024-07-15 10:24:48 thehackernews MALWARE CRYSTALRAY Hackers Ramp Up Attacks, Exploit Open-Source Tools
The CRYSTALRAY threat actor has scaled up sharply, compromising more than 1,500 victims by exploiting known vulnerabilities and planting backdoors, largely with open-source security tools. Its goals are to harvest and sell credentials, deploy cryptocurrency miners, and keep persistent access to victim environments. Its key tool is SSH-Snake, a self-propagating script that harvests SSH private keys and known_hosts entries on each compromised host and uses them to hop to further systems. Targets include internet-facing Apache ActiveMQ and Atlassian Confluence instances, located and exploited at scale with asn, zmap, httpx, and nuclei. Persistence and control rely on the Sliver command-and-control framework and the Platypus reverse shell manager, both legitimate open-source tools. The operation kills competing miners and turns victim resources to its own mining, and it sells harvested credentials for cloud service providers, SaaS email providers, and other services on underground markets for thousands of dollars.
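The SSH-Snake behaviour described above has a recognisable footprint on a central log collector: one source address accepted by many distinct hosts in a short burst, because the harvested keys are reused as fast as the script can connect. The following is an added example, not code from the article or from SSH-Snake, that parses OpenSSH "Accepted" lines in the syslog shape assumed here (forwarded with the originating hostname) and flags any source that reaches three or more distinct hosts within five minutes. The log lines, hostnames and addresses are constructed.

```python
"""Added example: detect worm-like SSH fan-out from a single source address
in centralised sshd logs. Log format is an assumption (BSD syslog + OpenSSH)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shape: '<syslog ts> <hostname> sshd[<pid>]: Accepted <method> for <user> from <ip> port <n> ...'
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>publickey|password) for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line: str, year: int = 2024):
    """Return a dict for an accepted-login line, or None for any other line.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "src": m["src"], "method": m["method"]}


def detect_fanout(lines, window=timedelta(minutes=5), min_hosts=3):
    """Map each suspicious source IP to the sorted hosts it reached inside its
    densest `window`-long span. Hands-on admin work touches one or two hosts
    at a time; a key-harvesting worm touches many within seconds."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        best, start = set(), 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts[src] = sorted(best)
    return alerts


# Constructed sample: 10.0.0.5 is a build box whose deploy key was harvested;
# 10.0.0.9 is an admin bastion doing ordinary work spread across the day.
SAMPLE_LOG = [
    "Jul 15 09:00:12 web01 sshd[2201]: Accepted publickey for ops from 10.0.0.9 port 40110 ssh2: ED25519 SHA256:abc",
    "Jul 15 09:01:40 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 55001 ssh2",
    "Jul 15 10:24:01 web01 sshd[3001]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: RSA SHA256:def",
    "Jul 15 10:24:09 web02 sshd[1187]: Accepted publickey for deploy from 10.0.0.5 port 51240 ssh2: RSA SHA256:def",
    "Jul 15 10:24:30 db01 sshd[4410]: Accepted publickey for deploy from 10.0.0.5 port 51251 ssh2: RSA SHA256:def",
    "Jul 15 10:25:12 cache01 sshd[998]: Accepted publickey for deploy from 10.0.0.5 port 51263 ssh2: RSA SHA256:def",
    "Jul 15 13:00:05 db01 sshd[4502]: Accepted publickey for ops from 10.0.0.9 port 40222 ssh2: ED25519 SHA256:abc",
]

if __name__ == "__main__":
    for src, hosts in detect_fanout(SAMPLE_LOG).items():
        print(f"possible SSH worm spread from {src}: {', '.join(hosts)}")
```

The bastion's two logins four hours apart never share a window, so only the build box is flagged. Tune `window` and `min_hosts` against your own baseline; a configuration-management host that legitimately fans out to dozens of machines needs an allow-list rather than a higher threshold.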
2024-07-15 07:21:34 thehackernews CYBERCRIME Singapore Banks to Replace OTPs with Digital Tokens to Enhance Security
Singapore's retail banks must phase out one-time passwords (OTPs) for online logins within three months in a move to curb phishing. The directive from the Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) replaces OTPs with digital tokens activated on the customer's mobile device for authenticating logins from browsers and mobile banking apps; because there is no code for the customer to type, there is nothing for a phishing site to relay. OTPs have been undermined by advanced phishing kits and banking trojans, and OTP bots sold on platforms like Telegram use social-engineering calls to talk victims into handing over their 2FA codes, giving attackers account access. Recent reports describe new phishing tools such as FishXProxy that make campaigns easy to launch and help evade defenses with techniques like HTML smuggling. Separately, in response to rising mobile malware, Google is piloting a feature in Singapore that blocks the sideloading of Android apps requesting sensitive permissions commonly abused to steal OTPs and other data.
2024-07-15 05:14:12 thehackernews MALWARE HardBit 4.0 Ransomware Enhances Security Evasion with Passphrase Protection
HardBit ransomware 4.0 adds heavier obfuscation and a passphrase requirement intended to evade detection and frustrate analysis: the binary must be launched with the correct passphrase or it will not run, so samples cannot be detonated or studied without it. The operators remain financially motivated and practice double extortion, but instead of running a data leak site they threaten further attacks to pressure victims into paying. Initial access is believed to come from brute-forcing exposed RDP and SMB services, followed by credential theft with Mimikatz and NLBrute and reconnaissance with tools such as Advanced Port Scanner. HardBit is delivered via the Neshta file infector, disables Microsoft Defender, and changes system settings to hinder recovery and maximize damage. It ships in command-line and GUI builds, and operators can buy a wiper mode that permanently deletes files. In the GUI version, the operator enters a decoded authorization ID and is then prompted for the encryption key before file encryption begins on the target. Ransomware activity continues to climb overall, with families such as LockBit, Akira, and BlackSuit leading and frequently exploiting known vulnerabilities for initial access.
2024-07-15 04:43:30 theregister MISCELLANEOUS Google Eyeing $23 Billion Acquisition of Security Firm Wiz
Google is in advanced talks to acquire cloud security company Wiz for a reported $23 billion, which would be Alphabet's largest acquisition to date. Wiz, founded in 2020 by former Microsoft employees, built its reputation in part by uncovering major flaws in Microsoft Azure, including ChaosDB and OMIGOD. The deal would build on Google's earlier purchase of Mandiant and substantially expand its cloud security portfolio. The New York Times and Wall Street Journal both caution that talks are ongoing and the deal may not close. Palo Alto Networks and Fortinet currently lead in security-specific revenue, but combining Mandiant and Wiz could make Google a serious contender in the security market and give Google Cloud a security position closer to market leadership than AWS's broader cloud offering or Microsoft's existing cloud security controls.