Daily Brief
Find articles below; see 'Details' for the generated summaries.
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-07-08 18:55:24 | bleepingcomputer | MALWARE | Avast Unveils Free Decryptor for DoNex Ransomware Variants | Avast has identified a cryptographic vulnerability in the DoNex ransomware family, enabling the creation of a free file decryptor. The tool covers several variants of DoNex, previously known as DarkRace and Muse, which earlier masqueraded under the LockBit 3.0 name. The decryptor has been discreetly provided to affected entities in collaboration with law enforcement since March 2024 to avoid alerting the cybercriminals. Following the public disclosure of the cryptographic flaw at the Recon 2024 conference, Avast released the decryptor publicly. DoNex's recent activity primarily targeted the United States, Italy, and Belgium but maintained a global presence. The ransomware encrypts files with a ChaCha20 symmetric key, and a flaw in its cryptographic implementation allows files to be recovered without paying the ransom. Avast recommends that users run the 64-bit version of the decryptor with administrator rights; it needs a pair of files, one encrypted and its original, to function. Users are advised to back up encrypted files before decryption to prevent potential data loss. | Details |
| 2024-07-08 16:27:25 | bleepingcomputer | MALWARE | Critical RCE Vulnerability in Ghostscript Exploited in Recent Attacks | A remote code execution (RCE) vulnerability in Ghostscript is being actively exploited, affecting many Linux-based systems. Ghostscript is integral to document conversion tools such as ImageMagick, LibreOffice, and CUPS, and is pre-installed on numerous Linux distributions. Tracked as CVE-2024-29510, the flaw bypasses the -dSAFER sandbox, allowing unauthorized command execution and file operations. Attackers exploit the vulnerability by disguising malicious EPS files as harmless JPG images to gain shell access to systems. Despite a patch being available since May, many systems remain vulnerable; updating to Ghostscript v10.03.1 or applying vendor-supplied patches is critical. Exploitation poses a significant risk to web applications and other services that incorporate document conversion features built on Ghostscript. Security professionals can use a provided PostScript file to check whether a system is vulnerable to these specific attacks. | Details |
| 2024-07-08 15:46:29 | thehackernews | NATION STATE ACTIVITY | New APT "CloudSorcerer" Targets Russian Govt via Cloud Services | CloudSorcerer, an APT group, primarily targets Russian government entities using cloud-based command-and-control. This newly identified cyber espionage campaign leverages services such as Microsoft Graph, Yandex Cloud, and Dropbox for stealthy monitoring and data exfiltration. Kaspersky discovered the attacks in May 2024, noting the novel use of malware with features similar to, yet distinct from, the earlier known CloudWizard. The malware employs various evasion tactics, adjusting its behavior dynamically based on its host process to avoid detection. Initial intrusion techniques remain unclear, but post-access activity includes the use of a C-based executable for backdoor access, data collection, and further malicious actions. CloudSorcerer makes initial contact with its C2 infrastructure via GitHub, using it as a dead-drop resolver before moving to direct cloud service communications. Its use of Windows pipes for inter-process communication points to a high level of technical sophistication aimed at avoiding common cybersecurity defenses. | Details |
| 2024-07-08 15:15:28 | bleepingcomputer | NATION STATE ACTIVITY | CloudSorcerer APT Utilizes Clouds to Target Russian Government | The group named CloudSorcerer conducts cyberespionage against Russian government entities by abusing public cloud services. Discovered by Kaspersky in May 2024, this advanced persistent threat (APT) employs custom malware that leverages legitimate cloud platforms for control and data storage. The malware uses different tactics depending on the host process, such as "mspaint.exe" or "msiexec.exe", to manage command and control (C2) communications or execute malicious activities. Initial contact is made through a GitHub repository, which points the malware to further C2 channels on cloud services such as Microsoft Graph, Yandex Cloud, or Dropbox. The malware uses Windows pipes for inter-process communication, adapting to the specific environment of the infected machine to remain stealthy and effective. CloudSorcerer can conduct extensive reconnaissance on the infected system, gathering data such as computer name, username, and system details. Kaspersky emphasizes the sophistication of the attacks, citing the malware's ability to adapt dynamically and obfuscate data transmission. Kaspersky has published detection material (IoCs and YARA rules) for identifying and mitigating CloudSorcerer activity. | Details |
| 2024-07-08 15:10:02 | thehackernews | MALWARE | Malware Exposes Users of Dark Web Child Abuse Sites | Recorded Future's analysis of malware (infostealer) logs published on the dark web identified 3,300 users with credentials for child sexual abuse material (CSAM) sites. Approximately 4.2% of these users held credentials for multiple CSAM sources, indicating more extensive criminal behavior. Malware variants such as Kematian Stealer and Neptune Stealer increasingly target sensitive information such as credentials and payment data, which often ends up for sale on the dark web. Distribution channels include phishing, spam, cracked software, fake updates, SEO poisoning, and malvertising. The investigation used the stolen credentials to identify and unmask individuals accessing known CSAM domains, leading to the identification of three major offenders. Recorded Future noted significant user counts from countries such as Brazil, India, and the U.S., though the high figures may reflect biases in how the dataset was sourced. Insights from the malware logs are shared with law enforcement to aid in tracking and investigating dark web child exploitation networks. | Details |
| 2024-07-08 14:13:31 | theregister | MISCELLANEOUS | Microsoft Neglects SwiftKey's Support Site Certificate Renewal | The TLS certificate for Microsoft SwiftKey's support site expired on June 10, leading to security warnings for users. SwiftKey, a predictive keyboard app bought by Microsoft in 2016, still has a significant user base despite competing improvements by Apple and Google. The expiry triggered browser warnings about the site's security that deterred users from accessing the support site. The February rebrand of SwiftKey with "Copilot" features shows the product is still under active development, despite this oversight. Microsoft has a history of certificate management issues, with similar problems occurring recently with Microsoft 365. The most recent update, on June 14, did not address the expired certificate and focused only on general improvements. The lapse in certificate renewal has raised questions about Microsoft's commitment to maintaining support infrastructure for its products. | Details |
| 2024-07-08 13:57:59 | bleepingcomputer | DATA BREACH | Roblox Developer Conference Attendee Data Compromised in Vendor Breach | Roblox reported a data breach affecting attendees of its Developer Conferences from 2022 to 2024. The breach originated at FNTech, the third-party vendor responsible for conference registration, where unauthorized access to the data was gained. Exposed data includes the full names, email addresses, and IP addresses of conference participants. The Have I Been Pwned database has verified and added 10,386 affected email addresses, 63% of which had not appeared in a previous breach. An earlier Roblox-related leak, disclosed in 2023, involved nearly 4,000 developer accounts from a 2021 incident, underscoring ongoing security challenges. The exposure does not pose an immediate threat but increases the potential for targeted phishing attacks against developers. Roblox says it is enhancing its security protocols to prevent such incidents in the future. | Details |
| 2024-07-08 13:16:56 | thehackernews | MALWARE | 'Eldorado' Ransomware-as-a-Service Emerges on Windows and Linux Systems | A new Ransomware-as-a-Service (RaaS), Eldorado, targets both Windows and Linux platforms and offers double-extortion capabilities. Launched through an advertisement on the RAMP ransomware forum on March 16, 2024, Eldorado has already impacted 16 entities across the U.S., Italy, and Croatia in sectors as diverse as healthcare, real estate, and manufacturing. Written in Golang for cross-platform operation, Eldorado uses ChaCha20 and RSA with Optimal Asymmetric Encryption Padding (RSA-OAEP) for encryption. The ransomware can encrypt files on network shares over the Server Message Block (SMB) protocol and attempts to evade detection by cleaning up its traces after encryption. Research from Group-IB found that Eldorado shares no code with previously leaked ransomware strains, indicating newly developed malware. Ransomware attacks have increased globally, with significant incidents in May 2024 attributed to other groups such as LockBit, Play, and Medusa. Law enforcement and cybersecurity firms continue to develop countermeasures and tools, including decryption tools that are in some cases silently provided to victims. | Details |
| 2024-07-08 12:46:11 | theregister | MALWARE | Avast Provides Stealthy Decryption Aid to DoNex Ransomware Victims | Avast has covertly supplied decryptors to DoNex ransomware victims since March, after identifying flaws in the group's encryption scheme. The company made the decryptor publicly available after concluding that DoNex is no longer a significant threat, following the shutdown of its dark web operations in April. The announcement was made formally at Canada's Recon conference, presenting Avast's findings and the availability of the free decryption tool. Avast was criticized for not disclosing the specific details of the cryptographic flaw it exploited in DoNex's ransomware, limiting the technical insight shared with the community. DoNex has undergone several rebrands since its inception in April 2022, most recently in March 2023, indicating a short lifespan and low development effort. Avast's decryptor is designed to be easy to use; it requires administrative privileges, and a 64-bit system is recommended for efficiency. DoNex targeted various countries, including Italy, the US, Belgium, the Netherlands, and, unusually, Russia, with a ransom note similar to those of its previous incarnations. | Details |
| 2024-07-08 11:04:22 | thehackernews | MISCELLANEOUS | Strategic Communication: Bridging CISOs and Boards on Cybersecurity | CISOs face persistent challenges in presenting cybersecurity risks in terms company boards understand, which is necessary to secure support and resources. Recent studies reveal a significant communication gap between CISOs and CEOs: only 5% of CISOs report directly to the CEO, and only about 37% of organizations believe they use their CISO's expertise effectively. Effective risk communication requires dropping technical jargon and framing cybersecurity discussions in financial and business terms. A CISO's strategic communication to the board should quantify the potential financial losses from breaches and highlight the ROI of security investments. Building a culture of cybersecurity awareness across all departments, including IT, HR, and Legal, strengthens a company's overall security posture. Prioritizing the most significant threats and aligning them with business objectives helps CISOs focus resources effectively and optimize their organization's security strategy. Encouraging board-level engagement through dedicated cybersecurity committees and direct reporting structures can improve understanding of, and decision-making about, cybersecurity initiatives. | Details |
| 2024-07-08 09:58:03 | thehackernews | MALWARE | Mekotio Trojan Continues To Target Banks in Latin America | Trend Micro reports a significant increase in attacks by the Mekotio banking trojan, predominantly affecting Latin America. First documented by ESET in 2020, Mekotio has targeted countries including Brazil, Chile, Mexico, Spain, Peru, and Portugal, aiming to steal banking credentials. Mekotio spreads through tax-themed phishing emails that trick users into downloading malicious installers, which then run scripts to deploy the trojan. The malware gathers system information, connects to a command-and-control server for further instructions, and displays fake banking pop-ups to capture credentials. It can also log keystrokes, capture screenshots, steal clipboard data, and establish persistence via scheduled tasks. Infected systems allow the threat actors to perform fraudulent transactions and gain unauthorized access to bank accounts. Recent arrests in Spain disrupted the network responsible for spreading Mekotio, indicating some law enforcement success against the related cybercrime activity. | Details |
| 2024-07-08 08:56:44 | theregister | MISCELLANEOUS | Evolution and Challenges of Digital Identity Systems in Europe | The European Union is transitioning from eIDAS 1.0 to eIDAS 2.0 to streamline digital identities across member states, aiming to improve cross-border transactions and digital services. eIDAS 2.0 introduces the EU digital identity wallet (EUDI wallet), which lets individuals and businesses securely store and manage their electronic ID and credentials for use across the EU. Each EU member state must implement a national digital identity scheme by the end of 2026, fostering wider acceptance and integration in both the public and private sectors. Despite the push for a unified digital identity, Europe's digital identity landscape remains fragmented, shaped by varying national cultural, political, and technological factors. Countries such as Finland and Denmark have established regulated digital identity systems, whereas countries such as Germany and Spain show uneven adoption and integration across sectors. The EU Commission supports development of the EUDI wallet through substantial funding and pilot programs involving key industry players such as Signicat. Organizations in the EU must prepare to support multiple forms of electronic ID and develop comprehensive digital identity strategies to accommodate the coming changes. | Details |
| 2024-07-08 06:59:26 | thehackernews | MALWARE | Critical Security Flaws Exposed in Gogs Git Service Platform | Four significant and currently unpatched vulnerabilities have been identified in the Gogs open-source Git service, three of them rated critical. Authenticated attackers could execute arbitrary commands, steal, modify, or delete source code, and plant backdoors on affected Gogs instances. All of the issues require an authenticated attacker, and the most critical flaw additionally requires SSH access to be enabled. Around 7,300 Gogs instances are publicly accessible online, predominantly in China and the U.S., though it is unclear how many are vulnerable. SonarSource, the research team that found the flaws, reported a lack of response from the Gogs maintainers regarding fixes. In the absence of vendor-supplied patches, SonarSource suggests disabling the built-in SSH server, halting user registrations, or moving to an alternative platform such as Gitea. The discovery coincides with revelations about phantom secrets in SCM systems, underscoring the persistent risks of managing sensitive data within repositories. | Details |
| 2024-07-08 06:33:44 | thehackernews | NATION STATE ACTIVITY | Apple Removes VPN Apps in Russia Under Government Pressure | Apple complied with a request from Roskomnadzor to remove 25 VPN apps from its Russian App Store on July 4, 2024. Affected VPN providers include notable names such as ProtonVPN, Red Shield VPN, NordVPN, and Le VPN. Roskomnadzor's actions are part of broader efforts by the Russian government to control internet access and content. NordVPN had already ceased operations in Russia in March 2019 by shutting down all of its Russian servers. The takedown is based on Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection". VPN services have been added to Russia's "Unified register" of internet resources prohibited from public distribution. Le VPN introduced an alternative service named Le VPN Give that uses obfuscated VPN connections to circumvent the restrictions. The incident is part of ongoing censorship initiatives since the Russo-Ukrainian conflict began in February 2022, which have affected various media and social media platforms. | Details |
| 2024-07-08 05:32:34 | theregister | CYBERCRIME | Selfie Authentication Raises Fraud and Privacy Concerns Worldwide | Vietnam mandates selfie-based identity verification for digital transactions above $400, raising privacy and security concerns given the country's poor cybersecurity ranking. Critics argue that the Vietnamese banks' implementation, which accepts still photos instead of live images, undermines the security claims. Resecurity discovered a surge in leaked Singaporean identity documents with selfies on the dark web, indicating potential exploitation by cybercrime groups. Selfie verification's popularity surged during the pandemic, driven by the need for digital engagement and remote account opening in financial services. Concerns exist about the handling and disposal of the biometric data collected through selfie verification processes. "Liveness checks" that combine real-time movement with biometric matching may mitigate some risks of data misuse. Debate continues over balancing the need for robust digital identity verification with privacy, security, and inclusive accessibility. As technology and regulations evolve, the privacy and security measures in digital identity verification require continuous reassessment. | Details |