Daily Brief

Find articles below, see 'DETAILS' for generated summaries

2024-07-09 14:04:48 bleepingcomputer DATA BREACH Evolve Bank Data Breach Affects 7.6 Million Following Ransomware Attack
Evolve Bank & Trust has notified 7.6 million Americans of a data breach following a LockBit ransomware attack. The breach was initially misattributed to an attack on the U.S. Federal Reserve, but was later confirmed to involve Evolve's data. The intrusion began after an employee clicked a malicious link, giving the attackers access to download files and data. Fintech companies that rely on Evolve, including Affirm, Wise, and Bilt, have reported impacts on their own customers. The breach was discovered only after nearly four months of undetected network access by the attackers, from February to May. Evolve is offering two years of credit monitoring and identity protection to U.S. victims, and dark web monitoring to international victims. The type of data exposed has not been specified; affected individuals are urged to monitor their account and credit activity closely. No impact has been reported so far by other Evolve partners such as Shopify, Plaid, Stripe, and Mercury.
2024-07-09 13:54:23 theregister DATA BREACH Evolve Bank & Trust Reports Major Data Breach Affecting 7.6 Million
Evolve Bank & Trust announced a significant data breach, with personal data of over 7.6 million customers stolen by the LockBit ransomware group. The breach was detected in May 2024 after abnormal system behavior, initially mistaken for a hardware issue, was identified as unauthorized activity. Affected data includes names, addresses, Social Security numbers, and banking details from customers and staff. Evolve has conducted an investigation with cybersecurity experts and has notified law enforcement; ongoing investigations suggest further notifications may be forthcoming. Customers affected by the breach are offered 24 months of credit monitoring, with enrollment instructions pending. The cyber incident occurred amidst criticism from the US Federal Reserve for "unsafe and unsound banking practices" and inadequate risk management at Evolve. Evolve and its partners, including international firms Wise and Affirm, continue to assess and mitigate the breach's impact, although the full extent is not yet disclosed.
2024-07-09 12:42:39 thehackernews CYBERCRIME Critical "BlastRADIUS" Vulnerability Exposed in Authentication Protocol
A severe vulnerability named BlastRADIUS has been identified in the RADIUS authentication protocol, enabling man-in-the-middle (MitM) attacks. Researchers report that an attacker could bypass integrity checks and alter authentication and authorization data for network access. The attack exploits weaknesses in the MD5 hash function used by RADIUS, making chosen-prefix collision attacks possible as a way to modify packets. Although TLS and proper message authentication can mitigate the risk, RADIUS traffic sent over the internet remains highly susceptible. The vulnerability affects all standards-compliant RADIUS clients and servers, necessitating immediate updates by ISPs and affected organizations. Authentication methods such as PAP, CHAP, and MS-CHAPv2 are particularly vulnerable, with MAC address authentication and administrative logins also at risk. Organizations transmitting RADIUS/UDP over the internet face the highest exposure to this vulnerability, which carries a severe CVSS score of 9.0. There is currently no evidence of active exploitation, but the potential for future attacks remains a significant concern.
2024-07-09 11:51:28 thehackernews CYBERCRIME Hackers Misuse Jenkins Console for Cryptocurrency Mining
Researchers have discovered attackers exploiting misconfigured Jenkins Script Consoles for cryptocurrency mining. Jenkins, a CI/CD platform, allows execution of arbitrary scripts through the console, which can lead to remote code execution when misconfigured. The Jenkins documentation warns that such configurations can grant administrator-like access, exposing sensitive information and control. Attackers used a misconfigured Jenkins Groovy plugin to execute a script that deployed a cryptocurrency miner and improved its efficiency by killing other resource-intensive processes. Trend Micro stresses the need for proper authentication settings, configuration audits, and limiting public internet exposure of Jenkins servers. Cryptocurrency theft via such exploits surged in the first half of 2024, with major incidents making up 70% of the stolen amounts. Key contributing weaknesses include private key compromises and smart contract exploits, alongside misconfiguration issues of this kind.
2024-07-09 11:05:17 thehackernews CYBERCRIME Exploring Cybercrime Dynamics: From Dark Web to HUMINT Engagement
The internet is categorized into the Clear Web, Deep Web, and Dark Web, with increasing levels of anonymity and security in lower layers. Criminals increasingly use the Tor network for its strong anonymity, which complicates tracking by law enforcement. Dark Web forums are commercial ecosystems where criminals trade services and goods, including malware and stolen data. Various stages of malware attacks culminate in ransomware deployment and data extortion, often sold in Dark Web auctions. Human Intelligence (HUMINT) is vital for understanding and engaging with cybercriminal communities to prevent cybercrimes. Automated tools, combined with HUMINT, create a robust defense against the sophisticated economic ecosystem of the Dark Web. Law enforcement agents actively engage with online criminal forums to gather actionable, reliable, and timely intelligence. Examples include undercover operations where officers mimic cybercriminals to gather essential data on ongoing cyber threats.
2024-07-09 10:59:57 theregister MALWARE Houthi Rebels Develop GuardZoo Spyware, Mirroring Pegasus Capabilities
Houthi rebels have created a surveillance malware called GuardZoo, which operates similarly to the notorious Pegasus spyware but is considerably less sophisticated. Despite its basic design and reliance on social engineering for distribution, GuardZoo can extract sensitive data such as photos, documents, and device configuration details. GuardZoo has been identified primarily on devices in Yemen and the surrounding region, and appears to target military personnel in particular, as it extracts geolocation data such as KMZ, WPT, and TRK files. It uses a dedicated command and control (C2) backend and can quietly update itself using .dex files, indicating some technical adaptation by its creators. Lookout's research highlights that while GuardZoo is not as advanced as state-sponsored tools like Pegasus, it reflects a growing trend of lesser-known yet effective surveillance tools used by non-state actors. The malware has shown limited activity outside the Middle East, suggesting focused regional use rather than global ambitions. Experts advise maintaining vigilance with patches and security practices due to the increasing prevalence and effectiveness of similar surveillance malware globally.
2024-07-09 10:08:43 thehackernews MALWARE GuardZoo Malware Campaign Affects Hundreds of Middle Eastern Military Personnel
Over 450 Middle Eastern military personnel have been targeted by the GuardZoo malware, a surveillance tool designed to collect data from Android devices. The GuardZoo campaign is linked to a Houthi-aligned threat actor and uses Android remote access trojan features originally found in the Dendroid RAT. The majority of infections have occurred in Yemen, although military personnel from Egypt, Oman, Qatar, Saudi Arabia, Turkey, and the U.A.E. are also affected. The malware, initially available in 2014 for $300, has evolved to include functionality such as recording audio, capturing photos, and executing HTTP flood attacks. GuardZoo is distributed via WhatsApp and direct browser downloads, using military- and religious-themed applications as lures. The updated malware supports over 60 commands, enabling operations such as file uploading, dynamic C2 address changes, and self-update or self-deletion on compromised devices. Since its inception in October 2019, GuardZoo has consistently used dynamic DNS for C2 operations linked to IP addresses registered to YemenNet.
2024-07-09 06:34:53 theregister MISCELLANEOUS Microsoft China Switches to Apple Devices Over Android Issues
Microsoft China has instructed employees to stop using Android devices because of login and authentication problems. The company is instead providing Apple devices to its staff, relying on iOS's ability to run the required authentication apps. The unavailability of Google Mobile Services in China is cited as a key reason Android cannot be used effectively in Microsoft's operations. Microsoft avoids using local Android app stores or sideloading apps, possibly due to security concerns. The decision reflects a broader reluctance by Microsoft to engage deeply with China's mobile ecosystem and local app market. This shift comes amid broader tensions, including accusations against China of unauthorized access to U.S. officials' emails. Microsoft's move away from Android in China may carry larger geopolitical and tech industry ramifications.
2024-07-09 06:04:09 theregister CYBERCRIME Scammers Target Victims with Fake Recovery Aid Schemes
The Australian Competition and Consumer Commission (ACCC) has issued a warning about scammers targeting previous scam victims with fraudulent recovery offers. Scammers exploit databases containing details of previous scam victims, using this information to pose as trusted entities like government agencies or legal firms. Victims are approached with offers to recover their lost funds for an upfront fee, a percentage of the recovered amount, or a purported tax. Personal information and remote access to devices are often requested under the guise of verifying identity or setting up digital wallets for cryptocurrency recovery. People over the age of 65 are particularly vulnerable to these scams, with reported losses totaling AU$2.9 million, not including unreported incidents. Tactics include fake testimonials, social media advertisements, and the creation of authentic-looking websites to lure victims. The ACCC emphasizes the difficulty of recovering money as scammers typically move funds offshore quickly. A mandatory code for banks and telecoms is under development in Australia to detect, prevent, and possibly compensate for such scams.
2024-07-09 05:58:46 thehackernews NATION STATE ACTIVITY Global Cybersecurity Alert on China's APT40 Exploitation Tactics
A multinational cybersecurity advisory warns about the China-linked espionage group, APT40, which rapidly exploits vulnerabilities in widely used software. APT40, active since at least 2013, has a history of cyber-attacks primarily in the Asia-Pacific, and is assessed to be part of China's Ministry of State Security. The group adapts quickly to exploit newly disclosed security flaws, including major vulnerabilities in Log4j, Atlassian Confluence, and Microsoft Exchange. Noteworthy techniques used by APT40 include using web shells for persistence, deploying outdated devices in their infrastructure to reroute traffic and avoid detection, and leveraging Australian websites for command and control operations. The group conducts in-depth reconnaissance on potential targets, operationalizing unpatched, end-of-life devices to exploit vulnerabilities swiftly. Mitigation recommendations include employing strong logging, enforcing multi-factor authentication, implementing a robust patch management strategy, and network segmentation to shield sensitive data against unauthorized access.
2024-07-09 04:52:23 thehackernews MALWARE Trojanized jQuery Libraries Compromise Multiple High-Profile Repositories
Unknown threat actors have implemented a supply chain attack by distributing trojanized versions of jQuery on npm, GitHub, and jsDelivr. Phylum's analysis highlights the sophisticated nature of the attack, where malware was hidden in the less utilized 'end' function of jQuery. A total of 68 malicious packages, named creatively to resemble legitimate ones, were introduced onto the npm registry from May 26 to June 23, 2024. The attackers manually assembled and published these packages, indicated by diverse naming conventions and inconsistent publishing time frames. Phylum discovered that the compromised 'end' function is designed to steal data entered in website forms and send it to a hacker-controlled remote URL. The trojanized jQuery has been found in a GitHub repository under the user "indexsc," which also hosts additional JavaScript files that utilize the malicious library. jsDelivr's automatic URL handling from GitHub to CDN is thought to be exploited by attackers to grant the malware higher legitimacy and easier passage through security frameworks. This event coincides with similar malicious activities detected on the Python Package Index (PyPI), which involve downloading malware based on the system's CPU architecture.
2024-07-09 02:34:35 theregister NATION STATE ACTIVITY Global Alert on China's APT40 Rapid Exploitation of New Vulnerabilities
International law enforcement agencies, including from Australia, US, and UK, have issued an advisory on China's state-sponsored APT40. APT40, linked directly to China's Ministry of State Security, can develop and deploy exploits within hours of vulnerabilities being disclosed. The advisory details APT40’s focus on exploiting end-of-life or unpatched systems in their cyber operations. The group uses initial access through compromised devices, often in small businesses or home setups, to deploy further attacks. Techniques used by APT40 include leveraging web shells, searching for valid user credentials, and installing malware for data exfiltration. Highlighted vulnerabilities targeted by APT40 include flaws in Log4J, Atlassian Confluence, and Microsoft Exchange. Recommended mitigation strategies include regular patching, network segmentation, use of multifactor authentication, and disabling unused network services. The advisory stresses the rapid adaptation and operational speed of APT40, posing significant security challenges to vulnerable networks internationally.
2024-07-08 22:04:41 bleepingcomputer DATA BREACH Zotac Accidentally Exposes Customer RMA Data on Google Search
Zotac inadvertently made customer return merchandise authorization (RMA) data accessible online due to a misconfiguration of their web folders. The exposed data included sensitive details such as customer names, addresses, contact information, and invoice specifics. The security mishap resulted from inadequate access permissions and the absence of a 'robots.txt' file to prevent search engine indexing. The issue was highlighted by a viewer of the GamersNexus YouTube tech channel, ultimately prompting an investigation into the data exposure. Zotac and GamersNexus have taken steps to notify affected partners and have started securing the exposed data, although some information may still be retrievable via Google Search. To mitigate further risk, Zotac disabled the document upload function on their RMA portal, requesting customers to instead email necessary documents. Customers who have used Zotac's RMA service should assume their personal information may have been exposed and take appropriate precautions.
2024-07-08 21:44:09 bleepingcomputer DATA BREACH Hackers Leak Thousands of Ticketmaster Print-at-Home Tickets
Hackers known as 'Sp1derHunters' released almost 39,000 print-at-home Ticketmaster tickets for upcoming concerts including major artists like Pearl Jam and Foo Fighters. The leaked data originated from a data theft at Snowflake, where Ticketmaster's data was compromised. The theft involved databases of 165 organizations due to stolen credentials facilitated by malware. Ticketmaster was extorted by hackers demanding up to $2 million to prevent further leaks; however, they asserted that their SafeTix technology nullifies the risk by frequently updating barcode information. Despite Ticketmaster's claims, Sp1derHunters pointed out that the barcodes for print-at-home tickets cannot be refreshed, thus challenging Ticketmaster's security measures. The leaked data includes detailed information needed to create valid tickets, raising concerns over potential fraudulent entry into events. The incident highlights ongoing vulnerabilities in digital ticketing processes and challenges in securing large databases, potentially affecting customer trust and corporate reputation. Response from Ticketmaster regarding future actions for the affected tickets remains unconfirmed.
2024-07-08 20:42:53 bleepingcomputer DATA BREACH Neiman Marcus Breach Exposes Over 31 Million Email Addresses
Neiman Marcus experienced a significant data breach in May 2024, with more than 31 million customer email addresses exposed. Data security expert Troy Hunt confirmed the authenticity of the exposed data, which includes names, contact information, transaction data, and sensitive financial and personal data. Initially, Neiman Marcus reported to the Maine Attorney General that only 64,472 individuals were affected, but further analysis revealed that millions were affected. The breach was part of the broader Snowflake data theft attacks, which targeted multiple companies due to weak multi-factor authentication. Data put up for sale included millions of gift card numbers and detailed transaction records, with the hackers initially demanding a ransom. A joint investigation by Snowflake, Mandiant, and CrowdStrike identified the financially motivated threat actor UNC5537, which exploited security weaknesses across multiple organizations.