Daily Brief
Total articles found: 11813
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-05-06 11:03:17 | thehackernews | CYBERCRIME | High Costs of Cyberattacks and Benefits of Managed EDR for SMBs | Many SMBs are reducing their cybersecurity budgets, making themselves vulnerable to sophisticated cybercriminals who see these businesses as easy targets. Cyberattacks on SMBs can lead to substantial financial burdens, including disruptions in normal operations, extensive recovery costs, and potential legal fees. A significant proportion of SMBs have experienced cyberattacks or are unaware of breaches within the last year, highlighting widespread security gaps and the need for effective cybersecurity solutions. A Managed Endpoint Detection and Response (EDR) solution can provide essential cyber defense for SMBs, offering 24/7 monitoring and professional threat management without the need for extensive in-house resources. Implementing robust cybersecurity measures like managed EDR can be more cost-effective than the expenses associated with recovering from a cyberattack. The Huntress Managed EDR solution, backed by a dedicated Security Operations Center, ensures continuous monitoring and quick remediation of potential threats, alleviating the cybersecurity burden for SMBs. Beyond financial losses, cyberattacks can also cause reputational damage, psychological trauma, and legal issues, underscoring the wide-reaching impact of these security breaches. |
| 2024-05-06 10:12:15 | thehackernews | MALWARE | Multiple Security Flaws Identified in Xiaomi Android Devices | Multiple security vulnerabilities were disclosed in Xiaomi devices running Android, affecting various applications and system components. Reported flaws could lead to unauthorized access to activities and services, arbitrary file theft, and data leakage involving Xiaomi account details. Specific vulnerabilities include a shell command injection in the System Tracing app and data leakage issues in the Settings app. Additional flaws found in the Print Spooler and Phone Services show that modified legitimate components from AOSP are susceptible to attacks. A memory corruption issue was also discovered in the GetApps application, stemming from an unresolved bug in an Android library. The Mi Video app is at risk of broadcasting sensitive user information such as usernames and emails, which can be intercepted by third-party apps. Oversecured reported these security issues to Xiaomi between April 25 and April 30, 2024, advising users to update their systems to protect against these vulnerabilities. |
| 2024-05-06 07:54:28 | thehackernews | MALWARE | Cuckoo Spyware Targets macOS Users Across Intel and Arm Devices | Cybersecurity researchers discovered a new macOS-targeted spyware named Cuckoo, affecting both Intel and Arm Macs, capable of stealing host information and establishing persistent access. Cuckoo utilizes a fake password prompt for privilege escalation and conducts thorough surveillance, including harvesting data from iCloud Keychain, Apple Notes, and various applications such as web browsers and crypto wallets. The malware checks the machine's locale and avoids execution if the system is based in Armenia, Belarus, Kazakhstan, Russia, or Ukraine. Distribution methods seem to involve deceptive websites claiming to offer music ripping and MP3 conversion software, with affected sites including dumpmedia.com, tunesolo.com, and others. The infected disk images from these sites initiate a bash shell to ascertain and prepare the host system before deploying the malware. Some application bundles associated with the malware come signed with a valid developer ID from Yian Technology Shenzhen Co., Ltd., except for one variant from fonedog.com with a different developer ID. This disclosure follows recent discoveries of other macOS threats, including CloudChat and a variant of AdLoad malware, indicating rising threats against macOS systems. Cuckoo's multifaceted approach includes screening for specific files, executing commands to extract hardware details, capturing running processes, and taking screenshots. |
| 2024-05-06 02:34:24 | theregister | NATION STATE ACTIVITY | Germany Accuses Russian APT28 of Major Cyberattacks in 2023 | German officials have attributed a series of cyberattacks on government, infrastructure, and private sectors to APT28, also known as Fancy Bear, a Russian-linked cyber group. The attacks are believed to be a response to Germany's military support to Ukraine, including the provision of tanks. Although described as largely ineffective, these attacks also targeted the Social Democratic Party of Germany and are part of ongoing Russian cyber operations against its geopolitical adversaries. The United States has supported Germany's claims, following joint efforts to disrupt APT28's use of compromised networks and devices for malicious activities. APT28 has previously been involved in significant global cyber incidents, including the creation of the NotPetya malware and exploitation of major vulnerabilities. The situation underscores the continuing threats from state-sponsored cyber actors and international tensions surrounding cyber warfare and intelligence operations. |
| 2024-05-05 14:23:08 | bleepingcomputer | MALWARE | Finland Reports Android Malware Scam Targeting Bank Accounts | Finland's Transport and Communications Agency (Traficom) has issued a warning about a malware campaign targeting Android users to breach bank accounts. The malware masquerades as a McAfee app, tricking victims into downloading it via SMS messages that appear to be from banks or local telecom operators using spoofing technology. Once installed, the malware grants threat actors access to victims' banking accounts, enabling unauthorized transactions and fund transfers. The scam involves sending victims SMS prompts to call a number, where they are then persuaded to install the fraudulent app from a link outside the official app store. Police reports highlight significant financial losses, with one victim losing 95,000 euros due to unauthorized access to their banking account. The malware, suspected to be a new version of the Vultur trojan, features advanced capabilities like file management abuse and service disruptions, making detection and removal challenging. Traficom advises infected users to contact their banks immediately for protective measures and to perform a factory reset on devices to eliminate the malware. Enhanced vigilance is recommended, including skepticism towards unexpected requests for app installations or sharing sensitive information via phone. |
| 2024-05-05 13:32:12 | theregister | MISCELLANEOUS | Internet Society Stresses Immutable Value of End-to-End Encryption | Robin Wilton of the Internet Society advocates for the continued use of strong end-to-end encryption (E2EE), despite opposition from law enforcement. Law enforcement agencies argue that E2EE hinders their ability to investigate serious crimes, including human trafficking and child exploitation. Wilton counters this perspective by highlighting the steady number of arrests despite the increased use of E2EE services since 2015, suggesting encryption does not impede crime solving. Europol's recent statements pushing against E2EE lack substantial evidence, according to Wilton. The UK's Online Safety Act, challenging E2EE by favoring police access, reflects ongoing tensions but does not signify a victory against encryption, per Wilton. Wilton emphasizes the necessity of E2EE in the modern world, given the ubiquity of connected devices and the unrealistic expectations of selective encryption legislation. |
| 2024-05-04 18:04:16 | theregister | DATA BREACH | Privacy Risks and Poor Data Handling in Popular Dating Apps | The Mozilla Foundation's recent study found that 22 out of 25 top dating apps fail to properly protect user privacy. Researchers highlighted that dating apps harvest extensive personal details including sensitive information like sexual preferences and HIV status. Many of these apps share or sell extensive user data to third parties, including advertisers, without robust privacy safeguards. One disturbing incident noted involved user data from certain apps being sold to a Catholic organization, which then used the information to publicly out a priest. The research revealed significant concerns over the use of AI in dating apps, with plans for further AI integration posing additional privacy risks. Only one app, Lex (a queer dating app), received a positive privacy evaluation from the Mozilla team. The findings raise serious questions about the privacy measures of major dating platforms, including those owned by Match Group and their interactions with AI companies like OpenAI. |
| 2024-05-04 16:17:18 | bleepingcomputer | MISCELLANEOUS | Android VPN Bug Permits DNS Queries Leak Amid Privacy Concerns | An Android bug allows DNS queries to leak even when the VPN kill switch is enabled, threatening user privacy. Discovered by Mullvad VPN, the issue arises when switching VPN servers or reconfiguring them, affecting all Android versions, including Android 14. The Android feature "Always-on VPN" with a kill switch is supposed to prevent any data from bypassing the VPN, but the bug circumvents this by leaking DNS data during certain configurations and network changes. Apps using the C function getaddrinfo for hostname resolution leak DNS queries, while those using Android APIs like DnsResolver do not. To mitigate the leak when switching servers, users can configure a false DNS server during the VPN's active period. However, no solution has yet been found for leaks occurring during VPN reconnections. Previous issues found in October 2022 show Android leaking DNS queries during WiFi connections, highlighting recurrent privacy risks. Google has acknowledged the issue and expressed a commitment to investigating and resolving it to safeguard Android user privacy. |
| 2024-05-04 14:20:26 | bleepingcomputer | NATION STATE ACTIVITY | Iranian State Hackers Use Journalist Guise to Deploy Malware | Iranian hackers linked to the state-backed APT42 group are impersonating journalists to infiltrate networks in the West and Middle East. Mandiant first identified APT42 in 2022, revealing their activities have spanned since 2015 across 14 countries. Targets include NGOs, media, educational bodies, and legal entities; attacks often begin with spear-phishing emails. Malware used includes "Nicecurl" and "Tamecat" backdoors, facilitating data theft, command execution, and system manipulation. Phishing tactics involve creating trust via communication before directing victims to malicious sites that mimic reputable services to steal credentials and MFA tokens. APT42 meticulously avoids detection by using built-in cloud tool features, regularly clearing browser histories, and masking malicious activities within legitimate operations. Utilization of VPNs, Cloudflare domains, and temporary servers complicates attributing the attacks directly to APT42. Indicators of Compromise (IoCs) and detection tools are detailed in Google's comprehensive report on the APT42 campaign. |
| 2024-05-04 08:45:27 | thehackernews | NATION STATE ACTIVITY | Russia's APT28 Linked to Espionage Attacks in Czechia, Germany | Czechia and Germany reported being targeted by Russia's APT28, using a Microsoft Outlook vulnerability. The attacks are part of an espionage campaign, affecting political, state, and infrastructure entities. The exploited bug, CVE-2023-23397, in Outlook allowed unauthorized Net-NTLMv2 hash access. The German Federal Government identified a long-term breach affecting the Social Democratic Party's emails. The EU, NATO, UK, and US condemned the actions, citing threats to democratic processes and security. A parallel Microsoft report linked APT28 to other cyberattacks via a Microsoft Windows Print Spooler component. Recent coordinated law enforcement action disrupted a related botnet used by APT28 to mask their activities. Ongoing attacks by pro-Russia hacktivists pose risks to critical infrastructure in North America and Europe. |
| 2024-05-03 22:41:07 | theregister | NATION STATE ACTIVITY | Kaspersky Accused of Assisting in Russian Military Drone Development | InformNapalm, a volunteer intelligence group, has accused Kaspersky of aiding Russia in the development of military drones used in Ukraine. The allegations stem from a 100 GB data breach from Albatross, a Russian company allegedly involved in drone manufacturing with Iranian collaboration. Kaspersky allegedly contributed neural network technologies essential for Albatross drones, said to be vital for their operational capabilities. Some Kaspersky employees purportedly engaged heavily in the development of these drones, and even held leadership roles within Albatross. Albatross presentations highlighted the critical role of Kaspersky's neural network solutions in making the drones functional. Despite claims of non-commercial, humanitarian collaboration with Albatross, Kaspersky faces scrutiny and potential U.S. sanctions for its involvement. Kaspersky denies the accusations, framing the allegations as based on misinterpretations and disinformation. |
| 2024-05-03 21:34:45 | theregister | NATION STATE ACTIVITY | Kaspersky Accused of Assisting in Russian Military Drone Development | Kaspersky has been implicated in assisting the development of military drones used by Russia in the Ukrainian conflict, according to volunteer group InformNapalm. Data from a hacked 100 GB archive from Russian company Albatross reveals connections with Kaspersky employees contributing to drone technology since 2018. Albatross, in collaboration with Kaspersky, reportedly developed technology crucial for operational UAVs, which are currently operational in scouting against Ukraine. InformNapalm argues that due to these activities, Kaspersky should face U.S. sanctions similar to those imposed on the Russian technology sector. U.S. sanctions could impact Kaspersky's ability to acquire equipment and create products that might support Russian military efforts. Kaspersky denies involvement, claiming the cooperation with Albatross was for humanitarian purposes and non-commercial, stressing transparency and mission dedication against malware. Despite Kaspersky's denials, InformNapalm suggests their findings warrant further investigation and possible action due to the strategic use of drones based on Kaspersky-developed technologies. |
| 2024-05-03 21:04:01 | bleepingcomputer | MISCELLANEOUS | Android Bug Leaks DNS Queries Despite VPN Security Features | A Mullvad VPN user discovered a bug in Android devices leaking DNS queries during VPN server switches, even with "Always-on VPN" enabled. This issue persists across all VPN apps on Android and occurs with direct calls to the getaddrinfo C function during certain situations such as VPN reconfiguration, crashes, or stops. Mullvad revealed that this leakage happens even with the "Block Connections Without VPN" (VPN kill switch) activated, contrary to expected secure behavior. Proposed mitigation includes using a bogus DNS server while the VPN is active, although no fix has been found for reconnect leakage scenarios. Mullvad had previously noted similar DNS leakage on Android due to connectivity checks when Wi-Fi is engaged, highlighting ongoing privacy risks. This problem presents substantial privacy concerns, potentially exposing users' locations and the websites they visit, and persists on the latest Android version. Mullvad urges a fix at the operating system level to protect all Android users, regardless of the apps they use, highlighting ongoing vulnerabilities. |
| 2024-05-03 19:17:03 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Exploit DMARC Flaws in Spearphishing Attacks | The NSA and FBI reported that North Korean APT43 hackers are exploiting weak DMARC email policies to conduct spearphishing campaigns. These attacks mimic credible entities like journalists and academics to gain access to sensitive geopolitical and policy-related data. North Korea's Reconnaissance General Bureau, involved in multiple espionage activities, manages APT43, which operates under various aliases including Kimsuky and Black Banshee. The hacking group targets think tanks, research centers, and academic institutions primarily in the US, Europe, Japan, and South Korea. Compromises achieved via these phishing scams are used to enhance the credibility and success of future attacks and to gather intelligence beneficial to North Korea's regime. APT43's activities aim at thwarting any perceived political, military, or economic threats to North Korea by staying abreast of adversarial strategies and events. To counter these threats, the agencies recommend strengthening DMARC policies by setting configurations to quarantine or reject emails failing DMARC checks, and setting other fields to enhance email server reports and security. |
| 2024-05-03 17:34:39 | theregister | CYBERCRIME | SSC Security Challenges Demand a Decade of Strategic Overhaul | Software supply chain vulnerabilities are increasingly prevalent, forming a significant cybersecurity frontier. Varun Badhwar, CEO of Endor Labs, predicts that 95-99% of enterprise code could soon derive from untrusted, unvetted sources. The surge in open-source software usage heightens these risks, necessitating improved management and security practices. Adequate solutions include detailed documentation, reliable software bills of materials, and better vetting of open-source libraries. Automation is viewed as a crucial tool for enhancing software supply chain management, yet it is not the only solution needed. Enterprises must reevaluate and retool their approaches to software procurement and management to mitigate emerging risks. The full maturity of software supply chain security could take up to a decade, indicating the beginning stages of this cybersecurity field. |