Daily Brief

Find articles below; each entry is followed by a generated summary.

Total articles found: 12750

Checks for new stories every ~15 minutes

2024-07-10 07:22:39 thehackernews CYBERCRIME Exposure of $11 Billion in Cybercrime Transactions via HuiOne
Cryptocurrency analysts at Elliptic report that HuiOne Guarantee, an online marketplace linked to Cambodia's Hun family, has processed more than $11 billion in transactions, the bulk of them for cybercriminals. It belongs to a larger conglomerate whose payments arm, HuiOne International Payments, is implicated in global money laundering. Although it presents itself as an escrow service for legitimate goods such as real estate and cars, the platform chiefly serves pig butchering scams, in which victims are groomed into fake cryptocurrency investments. Those scams are run from "scam compounds" in Southeast Asia staffed by people lured with fraudulent job offers and then coerced into working them. Merchants on HuiOne Guarantee sell everything from software for building fake crypto investment sites to physical goods such as electronic shackles for use in the compounds. The network, established in 2021, coordinates through an extensive set of Telegram channels where merchants plan and execute the different stages of the scams. HuiOne's financial arm claims 500,000 users and lists major companies such as Alipay and UnionPay as customers, but according to Elliptic its primary business is facilitating illicit activity.
2024-07-10 06:31:27 theregister MALWARE ViperSoftX Malware Hides Using .NET and AutoIt, Targets Professionals
ViperSoftX, an infostealer first identified in 2020, has resurfaced with new evasion techniques: it now loads the .NET Common Language Runtime inside AutoIt, a legitimate scripting tool, so that its PowerShell commands execute inside the AutoIt process rather than through a separate PowerShell host, hidden within scripts and applications that look benign. Trellix researchers found this variant distributed through pirated eBooks, which they read as a shift toward professionals, including users on enterprise networks. The malware steals system data, cryptocurrency wallets and clipboard contents, and it disables Windows defenses such as the Antimalware Scan Interface (AMSI) to avoid detection. Its obfuscation includes burying command sequences in fake JPG files, which drop scripts and create scheduled tasks that weaken system defenses and keep the malware persistent. Trellix has not attributed ViperSoftX to a specific actor or group; its capabilities point to financially motivated use.
2024-07-10 05:40:18 thehackernews MALWARE ViperSoftX Malware Distributed via eBooks on Torrent Sites
ViperSoftX is being distributed as eBooks on torrent sites, using a multi-stage infection chain: the archive contains a hidden folder and a malicious Windows shortcut that launches the scripts. Researchers highlight its use of the Common Language Runtime (CLR) to run PowerShell code dynamically inside an AutoIt process, which sidesteps detection aimed at PowerShell itself. First identified in 2020, ViperSoftX has added anti-analysis measures over time, including byte remapping and blocking web browser communication. Recent campaigns have used it to deliver other payloads such as Quasar RAT and TesseractStealer. The malware harvests system data, scans for cryptocurrency wallets, and can fetch further instructions from a remote server. Self-deletion after execution makes detection and forensic analysis harder.
2024-07-10 03:27:48 thehackernews MALWARE New OpenSSH Vulnerability Exposes Remote Execution Risk
A second vulnerability in OpenSSH, tracked as CVE-2024-6409 (CVSS 7.0), affects the 8.7p1 and 8.8p1 builds shipped in Red Hat Enterprise Linux 9 and is distinct from the recently disclosed CVE-2024-6387 (regreSSHion). Discovered by Alexander Peslyak (Solar Designer), it is another signal-handler race: in the unprivileged privsep child, the SIGALRM handler calls cleanup_exit(), which in this downstream build invokes code that is not async-signal-safe. A remote attacker who wins the race could execute code as the unprivileged sshd child, so the impact is lower than regreSSHion's root-level race in the parent process. Meanwhile, Veriti reports that CVE-2024-6387 is being exploited in the wild, primarily against servers in China, with the activity traced to an IP address hosting tooling for SSH exploitation. Administrators should update to patched packages covering both CVEs.
2024-07-10 03:17:08 theregister CYBERCRIME Exploiting MD5 Flaw Compromises RADIUS Protocol Security
A vulnerability in the RADIUS protocol that can grant unauthorized network access has been identified by researchers from Cloudflare, Microsoft and other institutions. Dubbed Blast RADIUS, the attack exploits RADIUS's continued reliance on MD5: an attacker positioned between a RADIUS client and server can use a chosen-prefix MD5 collision to turn the server's Access-Reject into an Access-Accept that the client verifies as genuine, gaining access without legitimate credentials. Exploitation is not trivial, since the attacker needs an existing network position to intercept client-server traffic, and the issue carries a CVSS rating of 7.5. Network operators, especially in enterprise environments, are urged to apply vendor updates promptly and to consider moving to RADIUS over TLS (RadSec). All major RADIUS implementations have reportedly shipped fixes, which require the Message-Authenticator attribute as recommended by forthcoming RADIUS RFCs.
2024-07-10 01:04:34 theregister MISCELLANEOUS Extensive July Patch Updates Target Critical System Exploits
Microsoft's July Patch Tuesday addresses 139 CVEs, two of them under active attack: an elevation-of-privilege flaw in Windows Hyper-V and a spoofing flaw in the MSHTML platform that requires the victim to open a malicious file. Also notable are three critical (CVSS 9.8) remote code execution bugs in the Windows Remote Desktop Licensing Service, exploitable by sending a crafted message to the service. Adobe's update resolves seven CVEs, six of them critical arbitrary code execution bugs in Premiere Pro and InDesign. SAP and Fortinet also released fixes, including one for unauthorized data access in SAP Product Design Cost Estimating and one for cross-site scripting in FortiOS, and Citrix addressed two 8.5-rated privilege escalation flaws in the Windows Virtual Delivery Agent and the Citrix Workspace app. Google's latest Android patches cover 27 CVEs, including a critical privilege escalation flaw in the Framework component that needs no special permissions to exploit.
2024-07-09 23:37:52 theregister NATION STATE ACTIVITY FBI Dismantles Russian AI Twitter Bot Farm Spreading Disinformation
The FBI, working with agencies from Canada and the Netherlands, disrupted a Russian-controlled bot farm of nearly 1,000 Twitter accounts. The farm was reportedly run on behalf of RT, the Russian state media outlet, and used generative AI to spread disinformation in the US and other countries. Two web domains were seized and 968 accounts were suspended with Twitter's cooperation, and investigators named individuals allegedly behind the setup, including an RT deputy editor-in-chief. Generative AI produced authentic-looking personas whose posts were designed to shift public opinion and deepen societal divisions. The bots used evasion techniques such as proxy IP addresses and engagement with large, ideologically aligned accounts to avoid looking automated. The takedown is a coordinated multinational effort against state-sponsored disinformation and foreign interference in public discourse.
2024-07-09 21:50:43 bleepingcomputer NATION STATE ACTIVITY U.S. Targets Russian AI-Enhanced Bot Farm Spreading Disinformation
Nearly a thousand Twitter accounts belonging to a bot farm controlled by RT (Russia Today) and an FSB officer have been dismantled in an operation led by the U.S. Department of Justice with international support. The bot farm used AI software called Meliorator to create realistic social media personas that spread false narratives and amplified Russian influence in countries including the U.S., Germany and Ukraine. FBI Director Christopher Wray described it as the first disruption of a Russian AI-enhanced foreign disinformation effort. The domains used to register the bots were seized and 968 social media profiles were taken down. A joint advisory from the FBI, CNMF, AIVD and other agencies details how Meliorator and the bot farm operated.
2024-07-09 21:19:57 bleepingcomputer NATION STATE ACTIVITY U.S.-Led Operation Disrupts Russian Propaganda Bot Farm
The U.S. Justice Department, with international partners, dismantled a large bot farm run by Russian state media and the FSB, seizing the domains used to register nearly 1,000 Twitter accounts that spread Russian propaganda. The farm's AI software, Meliorator, generated realistic profiles that pushed false narratives to audiences worldwide, part of RT's effort to extend its reach beyond traditional media. The FBI called it the first major disruption of a Russian state-sponsored, AI-enhanced social media bot operation. The joint advisory warns that the tooling could be extended to platforms beyond Twitter. Agencies from Canada and the Netherlands contributed technical analysis of how the bot farm operated.
2024-07-09 19:47:59 bleepingcomputer CYBERCRIME New Blast-RADIUS Attack Exploits MD5 Vulnerabilities in Authentication
The newly disclosed Blast-RADIUS attack targets RADIUS over UDP, the authentication protocol used throughout enterprise and telecom networks for functions such as Wi-Fi and VPN login, 5G access, and administrative access to routers and switches. An attacker positioned between a RADIUS client and server can use an MD5 chosen-prefix collision to rewrite the server's Access-Reject into an Access-Accept that the client verifies as genuine, granting access, including admin access to network devices, without valid credentials. The researchers' collision currently takes 3 to 6 minutes, longer than the timeouts many clients use by default, but optimisation could bring it within reach of real-world deployments. Chosen-prefix MD5 collisions had previously been considered impractical in the RADIUS setting; this work shows they are not. Because user credentials themselves are not exposed, mitigation falls to vendors and administrators: apply vendor patches, move to RADIUS over TLS (RadSec), and follow network-design practices such as multihop deployments and isolating RADIUS traffic.
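Both Blast-RADIUS items above turn on which integrity check the collision defeats. The following Python is an added example, not code from the Blast-RADIUS researchers or from any RADIUS implementation: it builds and verifies Access-Accept/Reject packets per RFC 2865/2869 using a constructed shared secret and Request Authenticator, and contrasts the legacy MD5-only Response Authenticator check with a client that also requires the HMAC-based Message-Authenticator attribute. It does not compute an MD5 collision; it shows what the collision attacks and what the fix checks instead.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20

# Constructed sample values. A real client sends a fresh random 16-byte
# Request Authenticator with every Access-Request and uses the secret
# configured for that server.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs (RFC 2865 section 5)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Inverse of encode_attrs; rejects malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("bad attribute length")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def header(code, ident, attrs_bytes):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes))

def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret).
    The secret is only a suffix, so a chosen-prefix MD5 collision on the bytes
    before it (which Blast-RADIUS hides in a Proxy-State attribute) gives a
    forged Access-Accept the same authenticator as the genuine Access-Reject."""
    return hashlib.md5(header(code, ident, attrs_bytes) + request_auth
                       + attrs_bytes + secret).digest()

def message_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2869 section 5.14: HMAC-MD5 keyed with the secret over the packet,
    with the Message-Authenticator value zeroed and the Request Authenticator
    in the header. A keyed HMAC is not broken by MD5 collisions, so this binds
    the Code field the attacker wants to flip."""
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
              for t, v in attrs]
    attrs_bytes = encode_attrs(zeroed)
    return hmac.new(secret, header(code, ident, attrs_bytes) + request_auth
                    + attrs_bytes, hashlib.md5).digest()

def build_response(code, ident, attrs, request_auth, secret, with_message_auth):
    """Server side: emit an Access-Accept/Reject for the given request."""
    attrs = list(attrs)
    if with_message_auth:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, attrs, request_auth, secret))
    attrs_bytes = encode_attrs(attrs)
    auth = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    return header(code, ident, attrs_bytes) + auth + attrs_bytes

def verify_response(packet, request_auth, secret, require_message_auth):
    """Client/NAS side: return the packet's Code if it verifies, else None.
    require_message_auth=False is the legacy MD5-only check Blast-RADIUS
    defeats; True is the policy the patched implementations adopt."""
    if len(packet) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    auth, attrs_bytes = packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    if not hmac.compare_digest(auth, expected):
        return None
    try:
        attrs = decode_attrs(attrs_bytes)
    except ValueError:
        return None
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        return None if require_message_auth else code
    expected_ma = message_authenticator(code, ident, attrs, request_auth, secret)
    return code if hmac.compare_digest(mas[0], expected_ma) else None

def demo():
    """Returns (legacy_accepts_unsigned, hardened_drops_unsigned, flip_detected)."""
    attrs = [(ATTR_REPLY_MESSAGE, b"denied")]
    unsigned = build_response(ACCESS_REJECT, 7, attrs, REQUEST_AUTH, SECRET, False)
    signed = build_response(ACCESS_REJECT, 7, attrs, REQUEST_AUTH, SECRET, True)
    legacy_ok = verify_response(unsigned, REQUEST_AUTH, SECRET, False) == ACCESS_REJECT
    hardened_drop = verify_response(unsigned, REQUEST_AUTH, SECRET, True) is None
    # A MITM flipping Reject->Accept. Without a collision the Response
    # Authenticator already fails; with one (the Blast-RADIUS case) only the
    # Message-Authenticator check still catches the change.
    flipped = bytes([ACCESS_ACCEPT]) + signed[1:]
    flip_detected = verify_response(flipped, REQUEST_AUTH, SECRET, True) is None
    return legacy_ok, hardened_drop, flip_detected
```

The design point is the last branch of verify_response: a client that tolerates responses without Message-Authenticator is still relying on the MD5 construction alone, which is exactly the surface Blast-RADIUS collides. Requiring the attribute on both Access-Request and its response is the change the patched implementations make; RadSec removes the UDP interception position altogether.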
2024-07-09 19:37:34 bleepingcomputer DATA BREACH Fujitsu Reports Data Compromise in Sophisticated Malware Attack
Fujitsu announced a data breach affecting customer and individual information due to a malware attack detected in March. The breach stemmed from malware that spread across 49 computers in the company, starting from a single point of infection. The malware used advanced techniques to evade detection and facilitate the unauthorized copying of sensitive data. While not ransomware, the malware allowed the exfiltration of personal and business-related information from Fujitsu's network. The company has completed its investigation with external experts and has isolated affected systems to contain the breach. Fujitsu has implemented enhanced security measures and updated their malware detection systems to prevent future incidents. No misuse of the compromised data has been reported as of the company's latest updates.
2024-07-09 17:55:34 bleepingcomputer MALWARE Microsoft's July 2024 Patch Update Fixes 142 Security Flaws
Microsoft's July 2024 Patch Tuesday fixes 142 vulnerabilities, including four zero-days, two of them actively exploited: an elevation-of-privilege flaw in Windows Hyper-V that gives attackers SYSTEM access, and a spoofing flaw in the Windows MSHTML Platform. Five of the fixed bugs are rated critical and allow remote code execution. The other two zero-days, publicly disclosed before patching, are a remote code execution flaw in .NET and Visual Studio and FetchBench, a side-channel attack affecting Arm processors. Microsoft has not shared details of how the flaws were exploited or by whom. Other vendors also released updates and advisories this week.
2024-07-09 17:24:36 bleepingcomputer MALWARE Hackers Exploit WordPress Plugin to Execute Remote Code
Attackers are exploiting CVE-2024-5441, a high-severity flaw in the Modern Events Calendar WordPress plugin, which is installed on more than 150,000 sites. The plugin's image upload function does not validate file types, so an attacker can upload executable files such as PHP scripts and run them on the server, potentially taking over the site. Any authenticated user can reach the upload, and unauthenticated visitors can too if the plugin is configured to accept event submissions from non-members. Webnus, the plugin's developer, fixed the issue in version 7.12.0. Wordfence reports blocking more than 100 exploitation attempts within 24 hours of disclosure. Site administrators should update immediately or disable the plugin until they can.
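The flaw class above is an upload handler that trusts the supplied file name. The Python below is an added example and not the plugin's code (the page does not show it): vulnerable_accept is a hypothetical illustration of the missing check, and hardened_accept shows the checks a practitioner would want, an extension allowlist verified against the file's magic bytes, a size cap, and a server-chosen stored name. The sample uploads are constructed.

```python
import os
import secrets

MAX_BYTES = 5 * 1024 * 1024

# Extension the user supplied -> image type we verify by content.
ALLOWED = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "webp": "webp"}


def sniff_image_type(content):
    """Identify the image format from its leading bytes, or None."""
    if content.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if content.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if content[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if content[:4] == b"RIFF" and content[8:12] == b"WEBP":
        return "webp"
    return None


def vulnerable_accept(filename, content):
    """Hypothetical illustration of the flaw class: the supplied name is used
    as the stored name, so shell.php lands in a web-served uploads directory
    and the web server executes it as PHP."""
    if not filename or not content:
        return None
    return os.path.basename(filename)


def hardened_accept(filename, content):
    """Return a server-chosen name for a verified image, or None to reject."""
    if not content or len(content) > MAX_BYTES:
        return None
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    if not base or "\x00" in base or "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    expected = ALLOWED.get(ext)  # allowlist, never a denylist of .php etc.
    if expected is None or sniff_image_type(content) != expected:
        return None
    # Random server-chosen name with the verified extension: neither the
    # original name nor double extensions like a.php.png reach the filesystem.
    return f"{secrets.token_hex(8)}.{expected}"


# Constructed sample uploads (not captured traffic).
SAMPLES = [
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.php.png", b"<?php system($_GET['c']); ?>"),
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("../../evil.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
]


def run_samples():
    """Per sample: (name, name stored by the vulnerable path, hardened accepts?)."""
    return [(n, vulnerable_accept(n, c), hardened_accept(n, c) is not None)
            for n, c in SAMPLES]
```

Two things the hardened version deliberately does not rely on: a denylist of dangerous extensions, which misses variants such as .phtml or .phar, and the original file name, which is why renaming makes the double-extension case moot. Serving the uploads directory with script execution disabled is a separate, complementary control at the web server.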
2024-07-09 16:58:56 bleepingcomputer DATA BREACH Over 35,000 Affected in Philadelphia Data Breach Incident
The City of Philadelphia has disclosed a data breach affecting 35,881 people, involving personal and protected health information. Attackers had access to city email accounts between May 26 and July 28, 2023, but the breach was not disclosed until October. Compromised data includes names, addresses, Social Security numbers, financial account details and health information. The City has notified affected individuals, offered 12 months of free credit monitoring along with advice on guarding against identity theft, and informed federal law enforcement, and it says it is strengthening employee training and security controls. A previous incident in June 2020 involved a HIPAA breach of email accounts at the City's Department of Behavioral Health. The City has not explained how the email accounts were compromised or why disclosure was delayed.
2024-07-09 15:11:43 bleepingcomputer NATION STATE ACTIVITY Chinese APT40 Uses Compromised SOHO Routers for Cyberespionage
Chinese state-sponsored group APT40 is hijacking small office/home office (SOHO) routers to launch cyberespionage attacks against organisations in the US and Australia, according to a joint advisory led by Australia's ACSC. Active since at least 2011, APT40 favours exploiting vulnerabilities in public-facing infrastructure and network devices, and it has weaponised major flaws in Log4j, Atlassian Confluence and Microsoft Exchange shortly after their public disclosure. The advisory walks through two 2022 intrusions that show the group's tactics, including web shell deployment and exfiltration of sensitive data. Rather than connect from its own infrastructure, APT40 routes operations through compromised routers so its traffic blends with legitimate activity. Recommended mitigations include prompt patching of disclosed vulnerabilities, comprehensive logging, web application firewalls, multi-factor authentication, and replacing end-of-life network equipment. The advisory's many international contributors underline that resilience against such groups depends on cooperation across national cyber agencies.