Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11813

Checks for new stories every ~15 minutes

2024-04-24 13:49:17 thehackernews NATION STATE ACTIVITY U.S. Imposes Sanctions on Iranian Firms for Cyber Attacks
The U.S. Treasury Department has sanctioned two Iranian firms and four nationals for cyber-attacks conducted on behalf of the Iranian Revolutionary Guard Corps. These entities targeted U.S. companies and governmental bodies through spear-phishing and malware from 2016 to 2021. The DOJ unsealed an indictment charging the four individuals with orchestrating the attacks, and a reward of up to $10 million is offered for information leading to their apprehension. The sanctioned Iranian firms, known under aliases such as Tortoiseshell, acted as fronts for the IRGC's cyber operations. The attacks compromised over 200,000 employee accounts across the defense and government sectors. Charges against the individuals include conspiracy to commit computer and wire fraud, identity theft, and damaging protected computers. The action comes amid ongoing U.S.-Iran tensions, including recent military exchanges following an Israeli airstrike on Iran's embassy in Syria.
2024-04-24 13:43:50 thehackernews MALWARE Researchers Uncover SSLoad Malware in Global Phishing Campaign
Cybersecurity researchers have identified an active campaign that uses phishing to deploy SSLoad malware alongside tools such as Cobalt Strike and ConnectWise ScreenConnect. The operation, dubbed FROZEN#SHADOW by Securonix, uses deceptive emails targeting organizations across Asia, Europe, and the Americas and starts the infection with a malicious JavaScript file. Once on a system, the malware deploys multiple backdoors and payloads to maintain persistence, operate stealthily, and avoid detection. Delivery vectors include macro-enabled Word documents and booby-trapped URLs submitted through website contact forms. After infection, the malware performs initial system reconnaissance, then downloads Cobalt Strike, which in turn installs ScreenConnect to give the threat actors remote control. The actors then expand their foothold within the network, gaining access to domain controllers and creating domain administrator accounts, significantly escalating their level of access. Remediation and recovery from such an intrusion are noted to be particularly difficult, time-consuming, and costly for affected organizations.
2024-04-24 09:39:26 thehackernews DATA BREACH Major Flaws in Chinese Keyboard Apps Risk User Data
Security vulnerabilities have been found in several popular Chinese keyboard applications, potentially exposing the keystrokes of over 1 billion users. Researchers from Citizen Lab found that keyboard apps from companies including Baidu, Honor, iFlytek, and Tencent lacked adequate encryption, making it possible for attackers to intercept user data in transit. Huawei's keyboard app was the only one examined with no reported security flaws. The researchers estimate that the vulnerabilities could affect almost one billion users, since the affected apps are widely deployed across mobile devices. Following responsible disclosure, all affected companies except Honor and Tencent (QQ Pinyin) had patched the identified issues as of April 1, 2024. Users are advised to update their keyboard apps and operating systems, or to switch to keyboard apps that process input locally, to protect their data. Citizen Lab recommended that app developers use standardized and rigorously tested encryption protocols rather than custom schemes. The report also notes a reluctance among Chinese app developers to adopt Western cryptographic standards due to fears of embedded backdoors, leading them to design their own encryption, which may be less secure.
2024-04-24 07:32:20 theregister MISCELLANEOUS UK and US Government Sites Under Scrutiny for Ad Practices
Security firm Silent Push reports that 18 UK and US public-sector sites use ad tech from vendors including a Chinese company previously accused of ad fraud. US government rules prohibit ads on .gov websites, whereas the UK allows limited advertising on .gov.uk domains. The investigation found advertising exchanges listed in the public-sector websites' ads.txt files, enabling real-time trading of visitor data. This raises concerns about online privacy and regulatory compliance given the presence of ad tech on government portals. The Chinese ad-tech vendor named in the findings, Yeahmobi, was removed from Google Play for alleged ad fraud in 2018. Industry experts express unease that largely unregulated ad tech could expose citizen data to foreign entities. Silent Push advocates a policy change forbidding advertisements on government websites to protect visitor privacy and data.
2024-04-24 07:06:30 thehackernews MALWARE Exploitation of eScan Update Mechanism Spreads Malware
A malware campaign has been targeting the update mechanism of eScan antivirus software to distribute backdoors and cryptocurrency miners, a threat tracked as GuptiMiner. Researchers at Avast report that the threat actor, which has potential links to the North Korean group Kimsuky, employs techniques including DNS manipulation, payload sideloading, and malicious DNS servers. The attack exploited the absence of HTTPS on eScan's update downloads, allowing legitimate updates to be swapped for malicious ones; the weakness existed for over five years and was patched as of July 31, 2023. The intrusion proceeds in multiple stages, beginning with execution of a rogue DLL that deploys a loader which extracts its payload from a PNG file and contacts a command-and-control server. Later stages deploy a third-stage component named Puppeteer, which controls the deployment of an XMRig cryptocurrency miner and additional backdoors that enable lateral movement and further infections across the network. The research highlighted two distinct backdoors: one aids network scanning and lateral attacks, while the other scans local systems for private keys and cryptocurrency wallets. The scope of the GuptiMiner operation and the unexpected inclusion of a cryptocurrency miner suggest the miner may be a diversion masking a deeper network compromise.
2024-04-24 04:54:00 thehackernews MALWARE CoralRaider Malware Campaign Exploits CDN to Spread Stealthy Info-Stealers
A new malware campaign, dubbed CoralRaider, is distributing info-stealing malware through Content Delivery Network (CDN) caches. The threat actor, suspected to be of Vietnamese origin, uses three stealers, CryptBot, LummaC2, and Rhadamanthys, with activity observed since at least February 2024. Cisco Talos researchers identified tactics including Windows shortcut files, PowerShell scripts, and the FoDHelper technique for UAC bypass. The campaign affects a range of business sectors across multiple countries, including the U.S., U.K., Germany, and Japan. Lures include downloads posing as movie files that actually contain malware, suggesting a broad, opportunistic targeting approach. The malware employs updated CryptBot versions with improved anti-analysis capabilities, targeting data such as credentials and financial information. Initial compromise is typically achieved through phishing emails that lead victims to download malicious ZIP archives containing LNK files.
2024-04-23 21:31:46 bleepingcomputer MALWARE Threat Actor CoralRaider Utilizes CDN Caches to Deploy Malware
CoralRaider, a financially driven cybercrime group, has been exploiting content delivery network caches to distribute info-stealing malware across the U.S., the U.K., Germany, and Japan. Malware deployed includes LummaC2, Rhadamanthys, and Cryptbot info stealers, sourced from malware-as-a-service platforms on underground marketplaces. The campaign operates by tricking users into opening malicious Windows shortcut files that download and execute obfuscated malicious scripts from a CDN. Techniques used involve PowerShell for decryption and payload delivery, modification of Windows Defender settings, and registry editing to bypass UAC. Cisco Talos, which analyzed the attacks, suggests a moderate level of confidence that these activities are linked to CoralRaider due to similarities in methods and procedures seen in past campaigns. This recent operation is not regionally confined, showing a significant expansion in target locations, including several countries across continents. The malware variants used display enhanced obfuscation and capabilities, focusing on stealing credentials, social media account details, and financial information including cryptocurrency wallets.
2024-04-23 19:54:44 bleepingcomputer MISCELLANEOUS Microsoft Issues Hotfix Updates for Exchange Server Glitches
Microsoft released hotfix updates for issues related to the March 2024 security updates on Exchange servers. The April 2024 hotfix update is optional, adding support for ECC certificates and Hybrid Modern Authentication for web applications. Included fixes address problems such as inability to display inline images and download attachments in Outlook on the Web (OWA). The April update rectifies the error preventing document previews and file downloads in OWA, where users encountered "We can't open this document" messages. The update is applicable for Exchange Server 2019 CU13 and CU14, as well as Exchange Server 2016 CU23. Microsoft continues to offer extended support for Exchange Server 2016 until October 2025 despite the end of mainstream support. Aside from patches, Microsoft now provides documentation and guidance for migration to Microsoft 365, emphasizing the shift towards cloud services.
2024-04-23 18:43:19 bleepingcomputer NATION STATE ACTIVITY U.S. Sanctions Iranians for State-Sponsored Cyberattacks
The U.S. Treasury Department has imposed sanctions on four Iranian nationals and two front companies linked to cyberattacks on U.S. government and private sector entities. The sanctioned individuals were involved in spear phishing campaigns and other cyberattacks targeting the Department of Treasury and defense contractors. Sanctions were placed on front companies Mehrsam Andisheh Saz Nik and Dadeh Afzar Arman, associated with the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command. The sanctioned cybercriminals include Alireza Shafie Nasab, Reza Kazemifar Rahman, Hosein Mohammad Harooni, and Komeil Baradaran Salmani, all linked to extensive cyber operations against the U.S. Assets and interests of the named individuals and companies in the U.S. are frozen, and U.S. persons are prohibited from dealing with them without authorization. The State Department is offering rewards of up to $10 million for information leading to the apprehension or conviction of the sanctioned individuals and entities. The Justice Department also unsealed indictments related to a multi-year hacking campaign against U.S. government agencies and defense contractors, in which over 200,000 employee accounts were compromised in one instance.
2024-04-23 17:01:28 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Target South Korean Defense Tech
The South Korean National Police Agency warns that North Korean hacking groups are targeting defense contractors. Attackers, including the Lazarus, Andariel, and Kimsuky groups, exploited vulnerabilities to plant malware and steal technology data. A special security inspection conducted from January 15 to February 16 revealed breaches that had gone unnoticed by the affected companies since late 2022. The Lazarus group compromised a testing network, stealing critical data from multiple computers and transferring it overseas. Andariel obtained an employee's credentials, accessed subcontractor networks, and caused significant data leaks, exacerbated by poor password practices. Kimsuky exploited an email server vulnerability to download large amounts of technical data. South Korean authorities recommend stronger network security measures, regular password updates, two-factor authentication, and blocking access from foreign IP addresses to protect against these threats.
2024-04-23 15:43:19 bleepingcomputer NATION STATE ACTIVITY US Implements Visa Bans on Commercial Spyware Creators and Their Families
The U.S. State Department announced visa restrictions on 13 individuals involved in the development and sale of commercial spyware, along with their immediate family members. The measures are part of the U.S. administration's broader policy to curb the proliferation and misuse of spyware, which it says threatens human rights and national security. The decision targets individuals whose activities have supported arbitrary detentions, forced disappearances, and extrajudicial killings through the misuse of spyware. The restrictions are issued under Section 212(a)(3)(C) of the Immigration and Nationality Act, which allows entry to be denied on foreign policy grounds. Secretary of State Antony J. Blinken emphasized the role of commercial spyware in violating basic human rights and endangering the privacy and safety of people worldwide. The U.S. has also sought international cooperation through mechanisms such as the Freedom Online Coalition and the Commerce Department's Bureau of Industry and Security to rein in global surveillance practices. These measures complement the Executive Order issued by the Biden Administration in March 2023, intensifying efforts to address mercenary surveillance tools that threaten security.
2024-04-23 14:57:06 bleepingcomputer MALWARE North Korean Hackers Use Antivirus Updates to Deploy Malware
North Korean hackers exploited the eScan antivirus update mechanism to insert backdoors and deliver the GuptiMiner malware into large corporate networks. GuptiMiner is described as a sophisticated malware capable of DNS manipulation, extracting payloads from images, and evading detection by checking system specifications. Delivered through a hijacked antivirus update, the malware gains system-level privileges via DLL sideloading, establishes persistence, and injects shellcode into legitimate processes. Further findings reveal the deployment of multiple tools, including two backdoors and the XMRig Monero miner; one backdoor scans local networks while the other targets private keys and cryptocurrency wallets. Similarities in malware functionality suggest a potential link to the North Korean APT group Kimsuky. Despite eScan's security improvements, such as HTTPS for update downloads and rejection of unsigned binaries, new GuptiMiner infections continue to be observed, indicating that outdated clients remain in use. Avast has released a list of Indicators of Compromise (IoCs) to help defenders detect and mitigate GuptiMiner.
2024-04-23 14:31:11 bleepingcomputer RANSOMWARE UnitedHealth Pays Ransom to BlackCat Gang to Protect Data
UnitedHealth Group confirmed it paid a ransom following a February ransomware attack by the BlackCat/ALPHV gang that disrupted multiple healthcare services across the U.S. The cybercriminals claimed to have stolen 6TB of sensitive patient data during the attack on Optum, and UnitedHealth paid $22 million to prevent the data from being leaked. After the payment, the U.S. government opened an investigation into the health data breach, suspecting extensive unauthorized data access. RansomHub later increased pressure on UnitedHealth by beginning to leak alleged corporate and patient data online. The attack has cost UnitedHealth approximately $872 million. Despite the ransom payment, the stolen data, which includes PHI and PII, continues to put public and private sector entities at risk, although only limited data has reportedly surfaced on the dark web. UnitedHealth has sought to mitigate the fallout by offering free credit monitoring and identity theft protection while restoring nearly all impacted services to normal operation.
2024-04-23 14:05:16 thehackernews CYBERCRIME Dependency Confusion Attack Targets Discontinued Apache Project
Researchers discovered a dependency confusion vulnerability in the archived Apache Cordova App Harness project. Dependency confusion occurs when a package manager resolves a private package name against a public registry and fetches a malicious package that masquerades as the legitimate internal one. A study by Orca in May 2023 found that nearly 49% of organizations could be susceptible to this type of attack. The Apache project was exposed because it referenced an internal dependency by name rather than by a relative file path, allowing a public package of the same name to be substituted. The package registered against the Cordova App Harness name was downloaded over 100 times, indicating continued use of the project and real exposure. Although the project was discontinued in 2019, its continued usage underscores the risks of archived but still-consumed open-source software. The Apache security team has since taken ownership of the package name to prevent further abuse. Security experts recommend registering public placeholder packages for internal names to prevent similar attacks, and stress the importance of keeping third-party dependencies updated and secured.
2024-04-23 13:09:00 theregister CYBERCRIME Global Cyberattack Detection Times Reach Record Low
Organizations worldwide now detect cyberattacks in a record low median of ten days, down from 16 days the previous year, Mandiant reports. Despite the improvement, attackers are adapting by using more sophisticated methods and zero-day vulnerabilities to evade detection. Ransomware incidents are detected faster than other types of attacks, which contributes to the lower overall figure. The Japan and Asia-Pacific (JAPAC) region improved significantly, cutting its average detection time from 33 days to nine. The Europe, Middle East, and Africa (EMEA) region saw a slight increase in detection times, potentially influenced by volatile situations such as the Ukrainian conflict. Fewer than half of intrusions (46 percent) are detected by organizations' internal resources, showing continued reliance on external notification to identify breaches. Mandiant emphasized the need for robust threat hunting programs and thorough investigative practices to improve defenses against sophisticated threats.