Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-26 05:39:12 | theregister | CYBERCRIME | Security Flaws in Chinese Keyboard Apps Affect 750 Million Users | Chinese keyboard apps with input method editors (IME) are vulnerable to snooping, impacting around 750 million users globally. Researchers from the University of Toronto’s Citizen Lab discovered that popular Pinyin apps upload keystrokes to the cloud with weak or compromised encryption. Affected apps are widespread, including those from major brands like Samsung, Xiaomi, OPPO, and Honor; Baidu’s Pinyin app notably features the same security issues across platforms. Companies have been inconsistent in responding to disclosed vulnerabilities; while some are committed to fixing them, others have not fully addressed the issues. The inherent challenges in updating the keyboard apps mean that even with patches, vulnerabilities may persist, particularly on devices that lack easy update mechanisms. Despite the high prevalence of these insecure apps in China, Citizen Lab does not support the hypothesis of intentional government backdoors, citing existing data collection practices. The ongoing security concerns suggest a broader need for improvements across the smartphone ecosystem, including better encryption practices and more reliable update protocols. | Details |
| 2024-04-25 21:46:34 | theregister | MISCELLANEOUS | High School Athletic Director Arrested for AI-Generated Hate Speech | Baltimore police arrested former athletic director Dazhon Leslie Darien for allegedly using AI to impersonate a school principal in a hate speech recording. The AI-generated audio depicted Pikesville High School Principal Eric Eiswert making racist and antisemitic comments, which led to his temporary removal and sparked widespread outrage. An FBI-contracted forensic analyst and a University of California, Berkeley analyst both determined the recording was not authentic, identifying traces of AI-generated content. Darien was charged with multiple offenses, including witness retaliation, stalking, theft, and disruption of school operations, and was apprehended at an airport. The fake recording was initially circulated through social media and had profound impacts on the school environment, leading to threats and the need for increased security. Investigations revealed Darien created the Gmail account used to disseminate the recording using his grandmother’s IP address and had a motive linked to his job dissatisfaction and possible termination. Baltimore County officials emphasized the need for public caution and discernment in the age of advanced AI and synthetic media to prevent misuse. | Details |
| 2024-04-25 21:20:49 | bleepingcomputer | CYBERCRIME | FBI Issues Warning on Using Unlicensed Crypto Transfer Services | The FBI advises against using unlicensed cryptocurrency transfer services due to potential financial risks. Unlicensed platforms may not comply with Money Services Business (MSB) registration or anti-money laundering laws. Users risk losing access to funds if these platforms are targeted and taken down by law enforcement. The warning follows the seizure of Samourai, a platform involved in laundering over $100 million from criminal activities. Samourai provided a crypto mixer that obscured the origins of illicitly obtained funds, facilitating large-scale money laundering and sanctions evasion. Owners of Samourai were charged for operating this service, which processed transactions worth over $2 billion in Bitcoin. Users are encouraged to only use licensed and compliant cryptocurrency services to avoid legal issues and potential losses. | Details |
| 2024-04-25 21:05:25 | theregister | DATA BREACH | Ring Pays $5.6M in Penalties for Privacy Violations, FTC Announces | The FTC has issued $5.6 million in refunds to Ring customers as restitution for privacy violations. Allegations included unauthorized access by rogue Ring employees and cybercriminal attacks on customer accounts. The FTC accused Ring of inadequate security measures, allowing easy access to customer video feeds and account control by unauthorized users. Ring's insufficient privacy controls granted employees and contractors unrestricted access to users' private videos, including sensitive footage. Interactions from compromised accounts included harassment and threats directed at customers through their security cameras. One serious incident involved a rogue employee who specifically accessed videos of female users he found attractive. The refund affects 117,044 Ring accounts, with each affected customer receiving less than $50 via PayPal. The fine represents a minor expense on the balance sheet for Amazon, which owns Ring. | Details |
| 2024-04-25 19:59:03 | bleepingcomputer | DATA BREACH | Phishing Attack Exposes Data at LA County Health Services | The Los Angeles County Department of Health Services reported a data breach following a phishing attack that compromised over two dozen employee email accounts. Personal and health information of an undisclosed number of patients was exposed, although Social Security Numbers and financial details were not included in the breach. The attack occurred between February 19 and 20, 2024, when 23 DHS employees were deceived into providing their login credentials via a phishing email. In response, the affected email accounts were disabled, compromised devices were reset, and all employees were reminded to exercise caution with emails. L.A. County Health Services has notified several oversight bodies, including the U.S. Department of Health & Human Services' Office for Civil Rights. Although no misuse of exposed data has been detected, patients have been advised to review their medical records for discrepancies. This incident highlights ongoing vulnerabilities to phishing attacks within major public healthcare systems. | Details |
| 2024-04-25 19:23:00 | bleepingcomputer | MALWARE | Over 2.5 Million IPs Sinkholed in Global PlugX Malware Operation | Researchers at Sekoia successfully sinkholed a command and control server for PlugX malware, observing traffic from over 2.5 million unique IP addresses. The sinkholed server, operational from September 2023, captured daily connection requests from 90,000 to 100,000 systems spread across 170 countries. The highest number of infections was concentrated in 15 countries, with Nigeria, India, China, and the United States among the most affected. The sinkhole operation allowed Sekoia to prevent further misuse, analyze traffic, map the spread of infections, and develop targeted disinfection strategies. Sekoia crafted specific disinfection tactics, including a self-delete command for PlugX; however, challenges such as reinfection via USB drives persist. The cybersecurity company has coordinated with national CERTs to promote widespread disinfection and manage the legal complexities of intervening on foreign systems. Despite being initially developed for espionage, PlugX has evolved into a widely used tool for various threat actors, complicating its attribution to specific groups or agendas. The researchers raised concerns about potential future malicious use if control over the C2 server is seized by other entities, highlighting ongoing security risks. | Details |
| 2024-04-25 17:20:31 | theregister | CYBERCRIME | U.S. Arrests Crypto Wallet Founders in $100M Laundering Case | Two co-founders of cryptocurrency business Samourai Wallet, Keonne Rodriguez and William Lonergan Hill, were arrested on charges of facilitating over $100 million in money laundering using their crypto mixing services. The Department of Justice alleges the service transacted more than $2 billion, heavily utilized by criminals for laundering money from dark web marketplaces such as Silk Road and Hydra Market. The operation offered crypto services like Ricochet and Whirlpool that added layers to transactions, making it difficult for authorities to trace criminal activity. Rodriguez, who was the CEO of Samourai Wallet, was apprehended in the US, while CTO Hill was arrested in Portugal. They face up to 25 years in prison if convicted. U.S., Icelandic, and other international law enforcement agencies collaborated to seize Samourai's servers and block the app's distribution in the U.S. The service is accused of operating without adhering to anti-money laundering (AML) and Know Your Customer (KYC) regulations, further complicating legal compliance. Both founders are charged with conspiracy to commit money laundering and to operate an unlicensed money-transmitting business, underscoring a serious federal crackdown on illicit crypto activities. | Details |
| 2024-04-25 16:54:48 | thehackernews | NATION STATE ACTIVITY | North Korea's Lazarus Group Unleashes New RAT via Job Scams | North Korea's Lazarus Group has deployed a new remote access trojan, Kaolin RAT, using fabricated job offer lures as part of their Operation Dream Job campaign. Kaolin RAT is capable of changing file timestamps and loading DLL binaries from its command-and-control (C2) server, serving as a precursor to deliver the FudModule rootkit. The malware exploits a now-patched vulnerability, CVE-2024-21338, to manipulate kernel operations and bypass security settings, enhancing its stealth and persistence capabilities. Initial infection is achieved by tricking targets into running a malicious ISO file pretending to contain a VNC client for Amazon, which instead loads additional malware payloads. The malware's sophisticated multi-stage infection process involves the use of RollFling and RollSling loaders to retrieve further malicious components stored in memory to avoid detection. The ultimate goal of the attack chain is comprehensive control over the victim's system, involving file manipulation, process control, and executing remote commands. Researchers at Avast highlight the technical complexity and significant resources invested by Lazarus Group in continuously evolving their methods to circumvent advanced security measures. | Details |
| 2024-04-25 16:44:20 | bleepingcomputer | CYBERCRIME | Over 1,400 CrushFTP Servers at Risk from Critical Exploit | Over 1,400 online-exposed CrushFTP servers are vulnerable to a critical server-side template injection (SSTI) vulnerability, CVE-2024-4040, enabling unauthenticated remote code execution (RCE). The vulnerability allows attackers to bypass authentication, access administrator accounts, and execute arbitrary file reads as root. Security firms including CrowdStrike identified the exploitation of this vulnerability in politically motivated intelligence-gathering attacks targeting U.S. organizations. Rapid7 confirmed the bug as "fully unauthenticated and trivially exploitable," urging immediate updates for affected systems. The majority of the vulnerable servers are located in the United States, Germany, and Canada. CrushFTP has issued a patch and advises customers to update their software to prevent exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated U.S. federal agencies to patch their vulnerable servers by May 1st in response to the active exploitation of this flaw. | Details |
| 2024-04-25 14:30:19 | bleepingcomputer | CYBERCRIME | Critical SQL Injection Exploit Targets WordPress Plugin | Hackers are exploiting a high-severity vulnerability in the WP Automatic plugin for WordPress to create admin accounts and plant backdoors. Over 5.5 million attack attempts have been made since the vulnerability, identified as CVE-2024-27956, was disclosed on March 13. The vulnerability allows attackers to bypass user authentication and execute SQL queries to gain administrative access. WPScan observed most attack attempts on March 31st, highlighting the urgency and widespread nature of the exploits. Once access is secured, attackers establish persistence by creating backdoors and renaming files to obfuscate their activities and prevent detection. Compromised sites show specific indicators of compromise, such as admin accounts starting with "xtw" and certain backdoor file names like web.php and index.php. WPScan advises updating the WP Automatic plugin to version 3.92.1 or later and regularly backing up website data to mitigate and recover from breaches. | Details |
| 2024-04-25 13:39:01 | theregister | NATION STATE ACTIVITY | 2024 Election Threats: Rising Risks from Russia, Iran, and China | Russia and Iran are identified as the primary threats to the 2024 U.S. and UK elections, employing sophisticated cyber tactics. A Mandiant report highlights the "four Ds" of election interference: DDoS attacks, data theft, disinformation, and deepfakes. There is potential for hybrid attacks combining multiple tactics to influence voter perceptions and outcomes. Deepfake technology is becoming more convincing and is used to fabricate endorsements or criticisms by well-known figures. Disinformation campaigns are expected to leverage both stolen data and fabricated content to sow discord and manipulate public opinion. Cyber defense agencies need to prepare for a variety of threats, from data theft to complex disinformation operations. The effectiveness of these interference efforts remains uncertain due to improved defensive measures and increased public awareness. | Details |
| 2024-04-25 11:16:00 | thehackernews | CYBERCRIME | Effective Network Defense Against Common Cyber Attack Methods | The article demonstrates a simulated network attack in six stages from initial access to data exfiltration, based on real-world tactics. It highlights the use of simple, commonly available tools by attackers, rather than sophisticated or advanced technologies. The attack starts with a spear-phishing email containing a malicious attachment that exploits a vulnerability in Microsoft Office. After gaining initial access, attackers misuse commonly used administrative tools for tasks like credential dumping and lateral movement within the network. The importance of a defense-in-depth strategy is emphasized, suggesting multiple security layers at different points to detect and mitigate such attacks. It underlines the necessity for security teams to simulate attacks to test systems, enhance network defenses, and demonstrate the importance of security investments to leadership. The article concludes by advocating for holistic security measures as crucial for effectively protecting against network breaches. | Details |
| 2024-04-25 10:24:43 | thehackernews | CYBERCRIME | DOJ Seizes Crypto Mixer in $2 Billion Illegal Transaction Case | The U.S. Department of Justice (DoJ) arrested two co-founders of the cryptocurrency mixer Samourai, Keonne Rodriguez and William Lonergan Hill, on charges related to facilitating illegal transactions and money laundering. Samourai allegedly processed over $2 billion in transactions and laundered more than $100 million from criminal activities, including operations on dark web marketplaces like Silk Road and Hydra. The service utilized features like Whirlpool and Ricochet Send, designed to obscure the origins and destinations of cryptocurrency, reportedly enhancing user privacy and evading financial surveillance. Law enforcement cooperated internationally, involving agencies from Iceland, Portugal, and Europol to apprehend the suspects and dismantle the service’s infrastructure. Rodriguez and Hill face up to 25 years in prison if convicted; they are charged with money laundering and operating an unlicensed money-transmitting business. The case emphasizes the ongoing governmental scrutiny and regulatory actions against platforms that facilitate cryptocurrency-based criminal activities. | Details |
| 2024-04-25 10:04:05 | bleepingcomputer | MALWARE | New Brokewell Malware Hijacks Androids, Steals User Data | Security researchers identified a new Android malware named Brokewell, designed to capture and steal data by controlling device functions. The malware is distributed through a deceptive alert for a Google Chrome update encountered during browsing sessions. Brokewell offers extensive capabilities for data theft and remote control, and it's being actively developed to enhance these functions. The developers behind Brokewell have previously targeted financial services, utilizing the malware to impersonate legitimate applications. The malware leverages a specialized tool called "Brokewell Android Loader" to bypass recent Google security restrictions, enhancing its malicious effectiveness. ThreatFabric, a fraud risk analysis firm, discovered the malware after tracing a fake Chrome update page that deployed the infection. Research indicates that Brokewell may soon be marketed more broadly in cybercriminal circles as a component of malware-as-a-service offerings. Users are advised to download apps exclusively from the Google Play Store and ensure the continuous activation of Play Protect to mitigate risks. | Details |
| 2024-04-25 09:18:02 | theregister | NATION STATE ACTIVITY | UK Criticized for Inadequate Response to Cyber Espionage | The UK government faced intense criticism in March 2024 for its insufficient response to cyber-attacks by the espionage group APT31. A National Cyber Security Centre review highlighted that the UK's critical infrastructure is underprepared for cyber threats. The critique stems from a broader context of escalating ransomware attacks, data breaches, and cyber extortion affecting global organizations. An upcoming webinar hosted by Rubrik, featuring Tim Phillips and CISO Richard Cassidy, aims to address strategies for mitigating cyberattacks. The discussion will focus on understanding the evolution and complexities of the cybersecurity crisis to help businesses refine their defensive strategies. The webinar is scheduled for April 29, aiming to equip participants with knowledge to enhance operational resilience and data integrity post-attack. | Details |