Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 12747

Checks for new stories every ~15 minutes

Title Summary
2024-07-07 15:27:45 bleepingcomputer MISCELLANEOUS Europol Discusses Home Routing Challenges for Law Enforcement
Europol's position paper targets the privacy-enhancing technologies (PET) built into Home Routing, which hinder criminal investigations by encrypting traffic between the roaming device and the home network. Home Routing lets a subscriber keep using their home operator's services while abroad, but the PET layer means the visited network cannot intercept that traffic locally. Investigators therefore face delays and depend on cooperation from the foreign home operator. Europol proposes disabling PET for users of foreign SIM cards within the EU to ease lawful interception; an alternative suggestion is a fast mechanism for EU-wide interception requests. Europol says criminals currently exploit the system, aware of the delays and hurdles in cross-border law enforcement, and stresses the urgent need for national authorities, policymakers and telecommunications providers to adjust or enhance current regulations together.
2024-07-07 14:11:20 bleepingcomputer DATA BREACH Shopify Attributes Customer Data Sale to Third-Party App Misuse
Shopify denies suffering a breach of its own systems and attributes a customer-data sale to a compromised third-party app. A threat actor known as '888' claimed to have obtained Shopify customer data and put it up for sale; samples include Shopify IDs, customer names, contact details, spending and subscription details. Shopify says the data was taken from a third-party app and that the app's developer will notify the affected customers. Shopify previously disclosed a 2020 incident in which two members of its support team accessed merchant data without authorisation. The actor 888 has a history of selling data stolen from prominent organisations worldwide.
2024-07-05 21:29:57 theregister NATION STATE ACTIVITY Apple Accused of Enforcing VPN Bans More Effectively Than Kremlin
Apple has removed several VPN apps from its Russian App Store at the demand of Roskomnadzor, Russia's internet regulator. Two providers, Red Shield VPN and Le VPN, confirmed their apps were taken down, with Apple citing compliance with local law. Red Shield VPN accused Apple of propping up an authoritarian regime and noted that Apple's removals were more effective than the Kremlin's own blocking efforts. Mozilla, facing similar pressure from Roskomnadzor, reversed a temporary block on VPN extensions in its add-on store after a week, and Google has received similar removal requests but has not acted on them. Eight VPN apps, including NordVPN, Proton VPN and Private Internet Access, are reportedly no longer available in the Russian App Store, though some may have been withdrawn voluntarily by their providers in 2023. Roskomnadzor's focus appears to be on preventing distribution of VPN apps rather than blocking access to VPN servers.
2024-07-05 18:41:40 bleepingcomputer NATION STATE ACTIVITY Cloudflare DNS Service Disruption Due to BGP Hijacking
Cloudflare's public DNS resolver, 1.1.1.1, suffered a disruption affecting about 300 networks in 70 countries after a BGP hijack combined with a route leak. The incident began when Eletronet S.A. announced 1.1.1.1/32, a more-specific prefix than Cloudflare's own 1.1.1.0/24; because longest-prefix match prefers the /32, any network that accepted it sent 1.1.1.1 traffic towards Eletronet, and at least one Tier 1 provider treated the announcement as a blackhole route and dropped the traffic. Shortly afterwards Nova Rede de Telecomunicações leaked a 1.1.1.0/24 route to an upstream provider, widening the impact. Cloudflare disabled peering with the networks involved, and the incorrect announcements were withdrawn within a few hours. The hijacked /32 was RPKI-invalid, so networks performing Route Origin Validation rejected it automatically; Cloudflare stressed wider RPKI adoption as the main preventive measure.
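The mechanics behind that last point, as an added example that is not Cloudflare's code or anything from the article: Route Origin Validation (RFC 6811) over a constructed ROA table, followed by longest-prefix match to show why the /32 attracted 1.1.1.1 traffic wherever it was installed. Assumed: Cloudflare's ROA authorises AS13335 to originate 1.1.1.0/24 with maxLength 24 (a real validator loads ROAs from the RPKI repositories), and the hijacker's ASN is the documentation-range placeholder 64500, not the real originating AS.

```python
"""RPKI Route Origin Validation (RFC 6811) and longest-prefix match.

Added example, not Cloudflare's code or the article's. ROA table, announcements
and the hijacker ASN (64500, a documentation-range placeholder) are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_asn: int


# Constructed ROA table (assumption: AS13335 may originate 1.1.1.0/24, maxLength 24).
ROAS = [
    Roa(ipaddress.ip_network("1.1.1.0/24"), 24, 13335),
    Roa(ipaddress.ip_network("1.0.0.0/24"), 24, 13335),
]


def rov_state(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'.

    A covering ROA is one whose prefix contains the announced prefix. The route
    is valid if some covering ROA names the origin AS and permits the announced
    length; invalid if covering ROAs exist but none matches; not-found otherwise.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def build_rib(announcements, roas=ROAS, drop_invalid=True):
    """Keep the announcements a router would install.

    drop_invalid=False models the networks that did not validate and so
    accepted the hijacked more-specific.
    """
    return [(p, asn) for p, asn in announcements
            if not drop_invalid or rov_state(p, asn, roas) != "invalid"]


def select_route(dest: str, rib):
    """Longest-prefix match: a /32 beats the legitimate /24 wherever it was installed."""
    addr = ipaddress.ip_address(dest)
    cands = [(p, asn) for p, asn in rib
             if addr in ipaddress.ip_network(p, strict=False)]
    return max(cands,
               key=lambda r: ipaddress.ip_network(r[0], strict=False).prefixlen,
               default=None)


# Constructed announcements: Cloudflare's own /24 plus the hijacked more-specific /32.
ANNOUNCEMENTS = [("1.1.1.0/24", 13335), ("1.1.1.1/32", 64500)]

if __name__ == "__main__":
    for drop in (True, False):
        rib = build_rib(ANNOUNCEMENTS, drop_invalid=drop)
        print(f"drop-invalid={drop}: 1.1.1.1 -> {select_route('1.1.1.1', rib)}")
```

With drop-invalid enabled the router never installs the /32 and 1.1.1.1 keeps following Cloudflare's /24; without it the more-specific wins and the traffic goes to the hijacker. Note that a /32 for 1.1.1.1 is invalid even if announced from AS13335 itself, because it exceeds the ROA's maxLength.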
2024-07-05 17:09:29 bleepingcomputer CYBERCRIME Hackers Target Ticketmaster, Leak Taylor Swift Concert Tickets
Hackers calling themselves Sp1d3rHunters have leaked barcode data for 166,000 Taylor Swift Eras Tour tickets as part of an extortion attempt: they demand $2 million to withhold further data, which they say includes information on events by other major artists and sports fixtures. The data comes from the breach of Ticketmaster's Snowflake account, one of many Snowflake customer tenants accessed with credentials stolen by infostealer malware; other victims include Neiman Marcus, the Los Angeles Unified School District and Santander. ShinyHunters, a group with a history of large-scale leaks, began selling what it claimed were 560 million Ticketmaster customer records in May. Sp1d3rHunters also published instructions for turning the leaked barcode data into scannable tickets, complicating venue security for the affected events. Ticketmaster and the authorities are investigating the scope of the breach and how to prevent misuse of the leaked data.
2024-07-05 17:04:07 theregister CYBERCRIME Ransomware Attack Disrupts Critical Medical Procedures in London
A Qilin ransomware attack on Synnovis, a pathology services provider to major London hospitals, has caused around 1,500 medical procedures to be cancelled since the attack began in early June. Johanna Groothuizen, a cancer patient, had to choose a simple mastectomy instead of the planned skin-sparing mastectomy with immediate reconstruction, because the attack cut hospitals off from Synnovis services such as blood transfusion support; she had less than 24 hours to decide and chose the simpler procedure rather than delay her cancer treatment. The incident has raised questions about the resilience and funding of cybersecurity in the UK's public health infrastructure. Services are slowly returning to normal, but the case shows the direct effect of ransomware on patient outcomes, on the stress and workload of hospital staff, and on patient aftercare.
2024-07-05 15:57:47 bleepingcomputer MALWARE New Eldorado Ransomware Targets VMware and Windows Systems
Eldorado, a new ransomware-as-a-service operation first observed in March, has hit victims in the U.S., particularly in real estate, education, healthcare and manufacturing. It targets both Windows and VMware ESXi hosts and encrypts files with ChaCha20. The operators are recruiting skilled affiliates online and run a data leak site for extortion, though the site was unreachable at the time of the report. Group-IB researchers obtained the encryptor and its affiliate manual, which show support for 32- and 64-bit Windows and extensive per-target customisation. The malware skips critical system files and directories so the victim system stays bootable and usable, and it deletes itself after encryption to hinder forensic analysis. Group-IB's recommendations stress proactive security measures as the main defence against Eldorado and similar ransomware.
2024-07-05 12:52:48 thehackernews DDOS OVHcloud Thwarts Record 840M PPS DDoS Attack Using Compromised Routers
French cloud provider OVHcloud mitigated a DDoS attack in April 2024 that peaked at 840 million packets per second (Mpps), surpassing the previous record of 809 Mpps set in 2020. The attack combined a TCP ACK flood from about 5,000 source IPs with DNS reflection through roughly 15,000 DNS servers, and two-thirds of the packets entered through just four U.S.-based points of presence. OVHcloud has seen DDoS attacks grow sharply since 2023, with attacks above 1 Tbps now almost daily. Much of this packet-rate capacity comes from compromised MikroTik Cloud Core Router devices: nearly 100,000 are exposed on the internet running outdated firmware. OVHcloud estimates that compromising even 1% of those routers would give a botnet capable of more than 2 billion packets per second, and argues that anti-DDoS infrastructure must scale to match.
2024-07-05 12:37:20 theregister DATA BREACH Ghostscript Vulnerability Opens Door to Potential Major Breaches
Ghostscript, the PostScript and PDF interpreter that many systems rely on for PDF viewing and conversion, has a newly disclosed vulnerability, CVE-2024-29510, that allows remote code execution (RCE); it is fixed upstream in Ghostscript 10.03.1, but the flaw matters wherever older versions remain. Ghostscript runs behind the scenes in image rendering, PDF conversion and OCR pipelines, frequently on files supplied by untrusted users. Its CVSS score of 5.5 has been contested by experts who argue the impact is understated, since exploitation needs no user interaction in such automated workflows. Opinions in the security community differ on urgency, with some professionals pushing for faster remediation. A proof of concept that achieves RCE through EPS file handling has been published, so operators of services that process uploaded documents with Ghostscript should patch now. The National Vulnerability Database has yet to publish a full analysis, raising concerns about timely and accurate vulnerability assessments.
2024-07-05 12:32:01 thehackernews MISCELLANEOUS Webinar Invitation: Master ITDR to Protect Against Identity Attacks
An upcoming webinar covers Identity Threat Detection and Response (ITDR) as a defence against advanced identity-based attacks. Aimed at IT and security professionals, it is presented by Yiftach Keshet, Silverfort's VP of Product Marketing, and promises an overview of ITDR technologies, continuous threat detection tactics, and strategies for preventing ransomware, unauthorised lateral movement and data breaches. The announcement argues that every day without ITDR leaves organisations more exposed to sophisticated attackers, and urges early registration as places are limited.
2024-07-05 11:05:12 thehackernews MISCELLANEOUS Implementing CTEM for Enhanced Security Readiness
Continuous Threat Exposure Management (CTEM), a framework introduced in 2022, aims to improve security resilience by continuously discovering and managing exposures across an expanding attack surface. It covers digital assets, workloads, networks, identities and data, going beyond the limited visibility of traditional asset management. For vulnerability management it prioritises remediation by exploitability and business impact rather than by age or vendor-supplied severity scores alone. It also addresses the narrow coverage of current practice, which mostly tracks known CVEs, by including non-patchable weaknesses and other exposures. The final pillar is validation: actively testing whether security controls work by emulating attacker techniques, moving from assumed to proven defences. By continuously discovering, prioritising and mitigating high-risk exposures, CTEM aims to keep security readiness high across the organisation's digital environment.
2024-07-05 08:42:43 thehackernews MALWARE Enhanced GootLoader Malware Targets Businesses via SEO Poisoning
The GootLoader malware has been updated to version 3, expanding both its functionality and its distribution. Associated with the Gootkit banking trojan and operated by Hive0127 (also tracked as UNC2565), it now ships GootBot, a component for command-and-control and lateral movement. GootLoader infects victims through compromised websites that pose as hosting legitimate business documents, reaching them via SEO poisoning of search results. After infection the malware establishes persistence through scheduled tasks and runs a chain of encoded JavaScript and PowerShell scripts to collect system data and await further commands. Recent samples embed the loader inside legitimate JavaScript libraries such as jQuery and Lodash, complicating detection and analysis. The updated version retains the core functionality of earlier releases but adds evasion techniques aimed at frustrating analysis and detection.
2024-07-05 08:32:20 theregister NATION STATE ACTIVITY Europol Challenges Mobile Roaming Privacy Tech Impacting Investigations
Europol has issued a position paper on home routing in mobile roaming, which it says complicates criminal investigations. The technology involves service-level encryption that prevents authorities in the visited EU country from accessing communications when a suspect uses a foreign SIM card. The only current route is a European Investigation Order (EIO), which can take up to 120 days to produce results, too slow for timely law enforcement action. Europol proposes legislation to remove the additional encryption layer in roaming so that the security level matches what the user would have at home, without removing encryption altogether; it considers this technically feasible and enforceable by national telecoms regulators across the EU. Acknowledged downsides include operational risks such as other member states learning the location of a person of interest. Europol wants further debate to find a balance that enables lawful interception without disproportionately weakening secure communications.
2024-07-05 04:21:15 thehackernews CYBERCRIME Polyfill.io JavaScript Library Compromised, Affects Major Firms
More than 380,000 hosts are still embedding scripts from the compromised polyfill.io domain, among them hosts belonging to WarnerBros, Hulu, Mercedes-Benz and Pearson. The polyfill.io domain and its associated GitHub repository were sold in February 2024 to a Chinese company, after which the served script was modified to redirect visitors to malicious sites. Service providers including Namecheap and Cloudflare distanced themselves from the project and blocked the malicious links. The operators attempted to relaunch under a different domain, and Censys analysis identified numerous related domains showing similar malicious behaviour, suggesting further abuse is likely. Patchstack warned that WordPress sites using legitimate plugins which reference the rogue domain are also exposed.
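The check a site operator wants here is whether their own rendered pages still reference the rogue domain. The scanner below is an added example, not code from the article, Censys or Patchstack: it parses HTML for script and link references whose hostname is polyfill.io or any subdomain of it (absolute and protocol-relative URLs included). The sample HTML is constructed for the demo; the domain list is the one the article names, with `cdn.polyfill.io` covered by the subdomain match.

```python
"""Find script/link references to a blocklisted domain in rendered HTML.

Added example, not the page's or any vendor's code. SAMPLE_HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The rogue domain from the article; subdomains such as cdn.polyfill.io match too.
BLOCKLIST = ("polyfill.io",)


class _RefCollector(HTMLParser):
    """Collects every external resource URL from <script src> and <link href>."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.refs.append(a["href"])


def hostname_of(url: str) -> str:
    """Hostname of an absolute or protocol-relative URL; '' for relative paths."""
    if url.startswith("//"):
        url = "https:" + url  # protocol-relative: inherit the page scheme
    return (urlsplit(url).hostname or "").lower()


def is_blocked(host: str, blocklist=BLOCKLIST) -> bool:
    """Exact match or subdomain match; 'notpolyfill.io' must not match."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


def find_rogue_refs(html: str, blocklist=BLOCKLIST):
    """Return the URLs in the page that load from a blocklisted domain."""
    p = _RefCollector()
    p.feed(html)
    return [u for u in p.refs if is_blocked(hostname_of(u), blocklist)]


# Constructed sample page: three rogue references, one local script, one jQuery CDN.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<link rel="preload" as="script" href="https://polyfill.io/v3/polyfill.js">
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for url in find_rogue_refs(SAMPLE_HTML):
        print("rogue reference:", url)
```

Run it over a crawl of your own pages rather than your templates: the Patchstack finding is that the reference can come from a plugin, so the rendered output is what matters.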
2024-07-05 04:00:39 thehackernews DDOS New Zergeca Botnet Launches DDoS Attacks with Advanced Tactics
Zergeca is a newly identified botnet written in Go that is built for DDoS attacks and supports several attack methods. Beyond DDoS it can proxy traffic, scan, update itself, and collect sensitive information about the infected device. It resolves its C2 over DNS-over-HTTPS to hide the lookup, and uses a modified UPX packer and XOR encryption to evade analysis. The C2 IP address was previously used by a Mirai botnet, suggesting experienced operators. Zergeca is modular, with separate components for persistence, proxying, evasion and device control, and runs only on x86-64. Between early and mid-June 2024 it was seen attacking targets in Canada, Germany and the U.S. Ongoing development is evident from additions to its command set and changes in botnet behaviour.