Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12734
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-24 13:46:10 | bleepingcomputer | MALWARE | Rafel RAT Malware Targets Outdated Android Devices Globally | Rafel RAT, an Android malware, is being utilized in over 120 campaigns by various cybercriminals including known actors like APT-C-35.
Major targets are outdated Android devices, particularly those running Android 11 or earlier, which no longer receive security updates.
High-profile organizations in government and military sectors across the US, China, and Indonesia have been compromised.
The malware spreads through deceptive tactics, mimicking popular apps like Instagram and WhatsApp to facilitate the download of malicious APKs.
Rafel RAT requests invasive permissions at install time, including an exemption from battery optimization, so it can keep running in the background without being killed by the OS.
The ransomware module of Rafel RAT can encrypt files, change lock screen passwords, and display a custom ransom message, urging victims to contact via Telegram.
In one example, an attack from Iran involved preliminary reconnaissance before executing the ransomware that altered device functionalities and demanded a ransom.
Recommendations to mitigate the risk include avoiding downloads from untrusted sources, cautious engagement with unsolicited links in messages, and using Play Protect for app verification. | Details |
| 2024-06-24 12:54:54 | theregister | MISCELLANEOUS | UK MoD's £174M Spending on Delayed Radio System Draws Criticism | The UK Ministry of Defence has reportedly spent £174 million on external advice for the Morpheus radio system project.
The Morpheus project, intended to replace the aging Bowman radio system, has been fraught with delays and has already cost £766 million.
Originally set for deployment in 2025, the introduction of the Morpheus system is now postponed until after 2031 due to ongoing issues.
A significant contract with General Dynamics, worth £395 million, was terminated in December after failing to meet project expectations.
The Financial Times highlights concerns about the MoD's procurement strategy, citing excessive spending and lack of timely progress on key military technology projects.
Despite setbacks, the MoD asserts that the Bowman system remains secure and capable, receiving updates to bridge the gap until Morpheus is ready. | Details |
| 2024-06-24 11:22:25 | thehackernews | MISCELLANEOUS | AI Tool Eases Cybersecurity Reporting and Analysis | Cybersecurity professionals are overstretched, handling larger workloads with limited resources and are considering career changes due to heightened stress levels.
The effective utilization of Cyber Threat Intelligence (CTI) is hindered by various challenges, including interoperability issues, funding shortages, and a global skills gap of approximately 4 million cybersecurity positions.
A significant portion of cybersecurity teams' time is consumed in producing detailed reports for stakeholders, mainly driven by media reports on emerging threats.
The Cybersixgill IQ Report Generator attempts to alleviate these burdens by automating the generation of comprehensive CTI reports using generative AI technology.
The tool customizes reports to meet specific needs, catering to different audiences from board members to technical teams, which enhances understanding and accelerates decision-making.
Automation in report generation allows cybersecurity teams to dedicate more resources towards proactive cybersecurity measures and better manage existing skill shortages.
Cybersixgill's tool ultimately seeks to empower security teams by efficiently communicating risk and required actions, thereby improving organizational cybersecurity posture. | Details |
| 2024-06-24 10:36:31 | theregister | DATA BREACH | Major Data Breaches Hit Levi's, FBCS, and LivaNova Last Week | Levi's disclosed a data breach affecting over 72,000 customers due to a credential stuffing attack, exposing personal and partial payment information.
Financial Business and Consumer Solutions (FBCS) revised their breach impact up to 3.435 million people, including Social Security numbers and account info.
LivaNova, a medical device manufacturer, reported a data breach affecting 129,219 individuals with sensitive personal and medical information stolen.
All affected companies have notified victims and offered credit monitoring services in response to the breaches.
Levi’s said its own systems were not breached; the attackers logged in with credentials stolen elsewhere and reused against Levi’s customer accounts.
FBCS has filed several successive notifications with state attorneys general as the confirmed scope of its breach grew.
LivaNova was hit by a ransomware attack claimed by the LockBit group, although its public disclosures never use the word "ransomware". | Details |
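The Levi's incident above is a credential-stuffing case: the attacker's credentials were valid, so a per-account lockout never fires. What does stand out is one client address failing against many different accounts in a short window. The following is an added example (not from The Register or any of the companies named) of that detection run over a constructed log sample; the log format, thresholds and addresses are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for the example (not a real vendor format): one
# address hammering many accounts, one user retrying a typo, one slow trickle.
SAMPLE_LOG = """\
2024-06-20T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-06-20T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-06-20T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-06-20T10:00:03Z ip=203.0.113.7 user=dave result=success
2024-06-20T10:00:03Z ip=203.0.113.7 user=erin result=fail
2024-06-20T10:00:04Z ip=203.0.113.7 user=frank result=fail
2024-06-20T10:00:04Z ip=203.0.113.7 user=grace result=fail
2024-06-20T10:05:00Z ip=198.51.100.2 user=heidi result=fail
2024-06-20T10:05:10Z ip=198.51.100.2 user=heidi result=fail
2024-06-20T10:05:20Z ip=198.51.100.2 user=heidi result=success
2024-06-20T12:00:00Z ip=192.0.2.9 user=ivan result=fail
2024-06-20T14:00:00Z ip=192.0.2.9 user=judy result=fail
"""


def parse_line(line):
    """Split one sample line into (timestamp, ip, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"]


def find_stuffing_sources(log_text, window=timedelta(minutes=10),
                          min_failures=5, min_distinct_users=5):
    """Return {ip: summary} for addresses whose densest `window` of failed
    logins holds at least `min_failures` attempts against at least
    `min_distinct_users` different accounts. Many accounts from one address
    in a short time is the stuffing signature; a single user retrying a
    mistyped password is not, however many failures it produces."""
    failures = defaultdict(list)   # ip -> [(ts, user), ...]
    successes = defaultdict(set)   # ip -> {user, ...}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "fail":
            failures[ip].append((ts, user))
        else:
            successes[ip].add(user)

    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        # Sliding window: keep the densest run of failures for this address.
        best, start = [], 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = attempts[start:end + 1]
        users = {u for _, u in best}
        if len(best) >= min_failures and len(users) >= min_distinct_users:
            flagged[ip] = {
                "failures": len(best),
                "distinct_users": len(users),
                # Accounts where the same address also logged in successfully:
                # those are the reused credentials that actually matched and
                # should be reset first.
                "hits": sorted(successes[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The "hits" list is the actionable output: in a stuffing run the successful logins from the flagged address are the compromised accounts, and forcing a password reset on those (plus MFA, which Levi's-style attacks bypass only when it is absent) is the response.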
| 2024-06-24 08:33:59 | theregister | DATA BREACH | Outdated SQL Servers and Meta’s AI Data Dilemma Pose Risks | Meta complies with EU regulations to exclude European social media data from AI training, raising concerns about language processing and potential biases in AI models.
Approximately 20% of Microsoft SQL Server instances are beyond their support end date, posing significant security risks due to lack of updates and patches.
Outdated databases, crucial for holding sensitive and critical data, remain neglected, increasing the risk of data breaches and ransomware attacks.
The article draws parallels between regulatory enforcement in food safety and the potential for similar approaches in software and services to ensure cyber hygiene.
The lack of rigorous enforcement and regulation in cyber standards leads to significant vulnerabilities, much like lapses in food safety standards result in health risks.
The insurance industry could play a role in enforcing cybersecurity measures by adjusting coverage based on software compliance status.
Calls for a systematic application of risk control and evidence-based regulation in software to balance innovation with security. | Details |
| 2024-06-24 07:57:44 | thehackernews | NATION STATE ACTIVITY | State-Linked RedJuliett Espionage Targets Multiple Global Organizations | RedJuliett, a state-sponsored cyber espionage group believed to be based in China, has targeted 75 Taiwanese organizations along with entities in several other countries including the U.S., South Korea, and Kenya.
The campaign, active between November 2023 and April 2024, primarily hit government, academic, technology, and diplomacy sectors.
The group employs techniques such as exploiting internet-facing devices, using SQL injections and directory traversal exploits, and utilizing SoftEther software for tunneling malicious traffic.
Recorded Future’s Insikt Group identifies deployment tactics like the China Chopper web shell to maintain persistence in compromised networks and occasional use of Linux vulnerabilities such as DirtyCow.
The espionage efforts are thought to be in service of Beijing’s intelligence collection aimed at gathering economic and diplomatic intelligence from Taiwan.
RedJuliett leverages both threat actor-controlled servers and compromised infrastructure, including systems from Taiwanese universities, to orchestrate their attacks.
The group concentrates on internet-facing devices because they are typically less well patched and monitored than internal hosts, which lets initial access be scaled across many targets. | Details |
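China Chopper, named in the RedJuliett summary above, is a one-line server-side web shell whose PHP and ASP variants are publicly documented as a bare `eval` over a request parameter. The following added example (not Recorded Future's or Insikt Group's tooling) walks a web root and flags files containing that shape; the regexes, sample files and extension list are this example's own heuristics, so treat hits as triage leads rather than verdicts.

```python
import os
import re
import tempfile

# Heuristics for the one-line China Chopper family: server-side eval of a
# request parameter. These patterns are this example's own, not vendor rules.
SHELL_PATTERNS = {
    "php_eval_request": re.compile(
        r"@?\s*eval\s*\(\s*(\$_POST|\$_GET|\$_REQUEST)\s*\[", re.I),
    "asp_eval_request": re.compile(
        r"eval\s*\(\s*Request(\.Item)?\s*[\[(]", re.I),
    "jsp_runtime_exec": re.compile(
        r"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I),
}
# Only files the web server would execute are interesting; a JS file with
# the same text is inert on the server side.
WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx"}


def scan_text(content):
    """Return the names of every shell pattern found in one file's text."""
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(content)]


def scan_tree(root):
    """Walk `root`, scan server-executable files, return sorted (relpath, pattern)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            # Read only the head of the file: the Chopper one-liner is tiny and
            # usually at the top, and this keeps large legitimate files cheap.
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                content = fh.read(65536)
            for hit in scan_text(content):
                findings.append((os.path.relpath(path, root), hit))
    return sorted(findings)


# Constructed sample web root: one clean page, a PHP shell dropped in an
# upload directory, an ASPX shell in an old directory, and a JS decoy.
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>",
    "uploads/img.php": "<?php @eval($_POST['pass']); ?>",
    "old/cmd.aspx": "<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"x\"],\"unsafe\");%>",
    "static/app.js": "eval($_POST['x'])",
}


def demo():
    """Materialise SAMPLE_FILES in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, pattern in demo():
        print(f"{rel}: {pattern}")
```

On a real host, run `scan_tree` against the document root and any upload directories; a hit in a directory that should only hold images is the classic placement. The scan does not catch obfuscated or encoded variants, which is why the summary's other indicators (SoftEther tunnels, unexpected outbound traffic from the web tier) matter alongside it.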
| 2024-06-24 07:31:57 | theregister | MISCELLANEOUS | Tech Error Leads to Offensive Script in Call Center | A technical employee, Hugh, was working on updating scripts at a Florida call center using an Ubuntu system and ViciDial.
The call center, described as selling unnecessary items and preventing cancellations, had no test environment, so all changes were made in production.
Hugh, during idle time, was browsing adult humor websites and copied some jokes to his clipboard.
Mistakenly, the inappropriate jokes were pasted into the live sales scripts, which were then read by 300 sales agents to potential customers.
This resulted in an uproar and management demanded an explanation for the inappropriate content in the scripts.
Hugh falsely blamed the incident on a technical issue supposedly caused by a previous admin’s negligent file management.
Ultimately, Hugh avoided responsibility for the mishap by blaming it on an erroneous update and a former employee's misconduct.
The incident inadvertently prevented hundreds of customers from receiving unwanted sales calls. | Details |
| 2024-06-24 05:09:08 | thehackernews | MALWARE | Iranian Cyber Espionage Uses Rafel RAT for Widespread Android Attacks | Multiple cyber espionage groups, including Iranian threat actors, are exploiting an open-source Android RAT named Rafel RAT disguised as popular apps like Instagram and WhatsApp.
Rafel RAT enables attackers to perform various malicious tasks including wiping SD cards, deleting call logs, stealing notifications, and acting as ransomware.
A significant cyber attack in April 2024 by DoNot Team utilized Rafel RAT, exploiting vulnerabilities in Foxit PDF Reader with military-themed PDF lures.
Check Point Research identified around 120 different malicious campaigns using Rafel RAT targeting various international locations like the U.S., Australia, and China.
Most victims ran out-of-date Android versions (Android 11 or older accounted for 87.5% of infected devices), on phones from manufacturers such as Samsung, Xiaomi, Vivo, and Huawei.
Attack methods include social engineering to persuade victims to grant intrusive permissions, allowing theft of sensitive data such as SMS messages and contact info.
Rafel RAT communicates with threat actors via HTTP(S) and Discord APIs, and features a PHP-based control panel for attackers.
The surge in Rafel RAT incidents stresses the urgent need for increased vigilance and improved security practices to protect Android devices. | Details |
| 2024-06-24 02:16:01 | theregister | DATA BREACH | Snowflake Data Breach Expands Impact; Multiple Victims Identified | Snowflake's security breach has affected over 165 entities, including significant businesses like Ticketek and Advance Auto Parts.
Ticketek recently alerted its customers to a security incident exposing personal details due to the breach.
Advance Auto Parts confirmed unauthorized access to employee and applicant information, including SSNs.
A hacker from ShinyHunters admitted to breaching Snowflake through third-party vendors, not direct system penetration.
Snowflake is enforcing stricter security measures, pushing for mandatory multifactor authentication among its users.
Related report highlights ongoing ransomware extortion impacting CDK, affecting their car dealership operations across the US.
Juniper also released fixes for vulnerabilities in its Secure Analytics products.
IntelBroker's sale of alleged Apple internal tools turned out to be misinformation, with actual data pertaining only to Apple's SSO integrations for internal use. | Details |
| 2024-06-23 14:13:16 | bleepingcomputer | CYBERCRIME | PrestaShop Module Exploit Allows Credit Card Data Theft | Hackers are exploiting a vulnerability in the pkfacebook module for PrestaShop to deploy card skimmers on e-commerce sites.
The flaw, identified as CVE-2024-36680, is an SQL injection vulnerability within the module's facebookConnect.php script.
Despite claims by Promokit that the vulnerability was previously fixed, there is no supporting evidence and active exploitation is ongoing.
The affected pkfacebook add-on, used by PrestaShop operators, allows users to engage via Facebook for comments and communications.
Security analysts have exposed active instances where the bug is currently being exploited to steal credit card details from online shoppers.
All versions of the module up to 1.0.1 are confirmed vulnerable, with uncertainty around patches as the latest version on Promokit’s website is 1.0.0.
The National Vulnerability Database entry and security groups advise treating every version of the module as vulnerable and mitigating urgently.
There was a similar incident two years prior when PrestaShop issued warnings and fixes for modules vulnerable to similar SQL injection attacks. | Details |
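The pkfacebook flaw above is an SQL injection in a script that looks a record up by a value taken from the request. The following added example, written in Python with SQLite rather than the module's PHP and using an invented schema (it is not Promokit's code and not the actual CVE-2024-36680 query), shows why string-spliced lookups let a UNION payload read another table, how the parameterised form defuses the same input, and a cheap log-triage check for payloads of that shape.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a shop database. The table and
    column names are this example's assumptions, not PrestaShop's schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE fb_link (fb_uid TEXT, customer_id INTEGER);
        CREATE TABLE customer (id INTEGER, email TEXT, passwd TEXT);
        INSERT INTO fb_link VALUES ('10001', 1), ('10002', 2);
        INSERT INTO customer VALUES (1, 'alice@example.test', 'hash-a'),
                                    (2, 'bob@example.test', 'hash-b');
    """)
    return db


def lookup_vulnerable(db, fb_uid):
    """Vulnerable pattern: the request value is spliced into the SQL text, so
    a quote closes the literal and UNION appends an attacker-chosen query."""
    sql = f"SELECT customer_id FROM fb_link WHERE fb_uid = '{fb_uid}'"
    return [row[0] for row in db.execute(sql)]


def lookup_fixed(db, fb_uid):
    """Fixed pattern: the value is bound as a parameter and is only ever data;
    the same payload simply matches no row."""
    sql = "SELECT customer_id FROM fb_link WHERE fb_uid = ?"
    return [row[0] for row in db.execute(sql, (fb_uid,))]


# Constructed payload: closes the string, unions in the customer table,
# and comments out the trailing quote the original query would add.
PAYLOAD = "' UNION SELECT email || ':' || passwd FROM customer -- "

# Triage heuristic for request logs: does a parameter value carry SQL syntax?
# Deliberately loose; it is a lead for an analyst, not a WAF rule.
SQLI_HINT = re.compile(
    r"(union\s+select|--|/\*|'\s*(or|and)\s+|;\s*(drop|select|insert|update))",
    re.I,
)


def suspicious_param(value):
    return bool(SQLI_HINT.search(value))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "10001"))
    print("vulnerable, payload:     ", lookup_vulnerable(db, PAYLOAD))
    print("fixed, payload:          ", lookup_fixed(db, PAYLOAD))
    print("payload flagged:", suspicious_param(PAYLOAD))
```

The property to check on any similar module is that every value reaching the database goes through a bound parameter (in PrestaShop's own PHP layer that means `pSQL()` or `bqSQL()` on inputs, or prepared statements); the Python form above is only the demonstration of the principle.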
| 2024-06-23 10:39:26 | theregister | MALWARE | Study Highlights High Risk of Malicious Extensions in Chrome Store | A recent study suggests the prevalence of Security-Noteworthy Extensions (SNEs) in the Chrome Web Store is much higher than Google's reported figures.
Researchers identified SNEs as extensions that contain malware, violate store policies, or have vulnerable code, posing significant security threats to users.
Over 346 million installations of SNEs were recorded in the past three years, with millions potentially exposed to malware and policy violations.
The Chrome Web Store struggles with long-lasting malicious extensions; some remained available for years, with the longest-surviving malicious extension available for 8.5 years.
User reviews were found ineffective in identifying malicious or vulnerable extensions, indicating a need for more robust vetting processes by Google.
The study calls for better incentives for developers to update and secure extensions, noting that many do not undergo updates, missing crucial security enhancements.
Researchers also recommended monitoring for code similarities among extensions to detect vulnerabilities shared across multiple utilities.
Although Google has initiated some improvements, including the transition from Manifest V2 to Manifest V3 to enhance security, researchers and users urge more rapid advancements in safety measures. | Details |
| 2024-06-22 19:12:21 | bleepingcomputer | RANSOMWARE | CDK Global Faces Ransomware Crisis, BlackSuit Ransomware Implicated | CDK Global, a major SaaS provider for car dealerships, suffered a significant IT outage due to a ransomware attack by the BlackSuit gang.
The disruption forced CDK Global to shut down their IT systems, affecting car sales and service operations across North America.
Major car dealership corporations such as Penske Automotive Group and Sonic Automotive were also impacted, resorting to manual operations due to the system outages.
CDK Global is actively negotiating with the BlackSuit ransomware gang to obtain a decryptor and prevent the leak of stolen data.
The BlackSuit ransomware, believed to be a continuation of the Royal ransomware operation linked to the Conti cybercrime syndicate, started its activities under this new name in 2023.
Both the FBI and CISA have issued warnings about the BlackSuit/Royal ransomware, highlighting its attacks on over 350 organizations and accruing over $275 million in ransom demands since 2022. | Details |
| 2024-06-22 14:22:15 | bleepingcomputer | MALWARE | Rafel RAT Malware Targets Outdated Android Systems for Ransom | Rafel RAT, an open-source Android malware, is used mainly against outdated Android devices and carries a ransomware module that demands payment via Telegram.
Over 120 campaigns deploying Rafel RAT have been identified, with significant activity traced to Iran and Pakistan and to known groups such as APT-C-35 (DoNot Team).
The malware has compromised high-profile targets, including government and military organisations, predominantly in the US, China, and Indonesia.
Victims predominantly run Android 11 or older (87.5% of cases), which no longer receives security updates.
Malicious APKs masquerading as legitimate apps such as Instagram and WhatsApp are the primary means of spreading Rafel RAT.
The malware requests extensive permissions during installation, allowing it to run persistently in the background and execute its command set.
Key commands include the ransomware routine, which can encrypt files and change the lock screen, and, if the victim grants device-administrator rights, change the lock-screen password and take control of further device functions.
Protection recommendations include avoiding untrusted APK downloads, not clicking suspicious links, and using Play Protect to scan apps. | Details |
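The three Rafel RAT summaries on this page describe the same install-time tells: a brand-name label on an unrelated package, a permission set that covers persistence, battery-optimisation exemption and SMS/contact access, and device-admin or notification-listener components. The following added example (not Check Point's or BleepingComputer's tooling) scores a decoded AndroidManifest.xml on exactly those tells. It assumes the manifest has already been decoded to text (for a real APK, apktool or androguard does that; the binary XML inside the APK is not parsed here); the constructed sample manifest, the permission list and the weights are this example's own choices.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Namespaced attribute key for android:attr."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Permissions matching the behaviour the reports describe: persistence across
# reboot, exemption from battery optimisation, and access to SMS, contacts,
# call logs and storage. Weights are this example's choice, not a standard.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": ("persists across reboot", 2),
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": ("evades battery optimisation", 3),
    "android.permission.READ_SMS": ("reads SMS", 3),
    "android.permission.RECEIVE_SMS": ("intercepts SMS", 3),
    "android.permission.READ_CONTACTS": ("reads contacts", 2),
    "android.permission.READ_CALL_LOG": ("reads call log", 2),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("writes shared storage", 1),
    "android.permission.SYSTEM_ALERT_WINDOW": ("draws over other apps", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("installs packages", 2),
}
# Components gated by these permissions give the app device-admin powers
# (lock-screen and password changes) or a feed of every notification.
RISKY_COMPONENT_PERMS = {
    "android.permission.BIND_DEVICE_ADMIN": ("device admin receiver", 4),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("notification listener", 3),
}
# Brands the reports say the malware impersonates, with the real package names.
OFFICIAL_PACKAGES = {"instagram": "com.instagram.android", "whatsapp": "com.whatsapp"}


def triage_manifest(xml_text):
    """Return {"package", "score", "findings"} for a decoded manifest."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    findings, score = [], 0

    for el in root.iter("uses-permission"):
        name = el.get(a("name"), "")
        if name in RISKY_PERMISSIONS:
            why, weight = RISKY_PERMISSIONS[name]
            findings.append(f"{name}: {why}")
            score += weight

    for el in root.iter():
        if el.tag in ("receiver", "service"):
            perm = el.get(a("permission"), "")
            if perm in RISKY_COMPONENT_PERMS:
                why, weight = RISKY_COMPONENT_PERMS[perm]
                findings.append(f"{el.tag} {el.get(a('name'), '?')}: {why}")
                score += weight

    # Brand impersonation: a familiar label on a package that is not the real one.
    app = root.find("application")
    label = (app.get(a("label"), "") if app is not None else "").lower()
    for brand, official in OFFICIAL_PACKAGES.items():
        if brand in label and pkg != official:
            findings.append(f"label '{label}' imitates {brand} but package is {pkg}")
            score += 5

    return {"package": pkg, "score": score, "findings": findings}


# Constructed sample: what a decoded manifest of an Instagram-branded dropper
# with the reported permission profile could look like (invented names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegram">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Instagram">
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN"/>
        <service android:name=".NotifSvc"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "score", result["score"])
    for f in result["findings"]:
        print(" -", f)
```

A legitimate messaging app will also hold READ_SMS or READ_CONTACTS, so the individual weights are not verdicts; the combination of a device-admin receiver, a boot receiver and a battery-optimisation exemption behind a borrowed brand label is what separates this profile from a real client, and the impersonation check alone is enough to reject an APK before installation.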
| 2024-06-22 11:34:05 | thehackernews | CYBERCRIME | ExCobalt Cyber Gang Deploys New Backdoor in Russian Sectors | ExCobalt, a cybercrime group, has been actively targeting Russian organizations using a novel Golang-based backdoor named GoRed.
Originating from the remnants of the infamous Cobalt Gang, ExCobalt engages primarily in cyber espionage activities and has been operational since at least 2016.
The attack strategy focuses on multiple sectors including government, IT, metallurgy, mining, software development, and telecommunications.
Initial infiltration often leverages a compromised contractor or a supply chain attack, where malware-infected components are embedded in legitimate software.
ExCobalt employs a variety of tools for executing commands and extracting sensitive information, utilizing exploits for Linux privilege escalation and other sophisticated techniques.
GoRed facilitates remote execution, credential access, and data harvesting, communicating via the RPC protocol with its command-and-control server.
The cyber gang has demonstrated continuous development and refinement of their tools and tactics to evade detection and adapt to enhanced security measures. | Details |
| 2024-06-22 11:08:23 | thehackernews | MALWARE | New Adware AdsExhaust Targets Users via Bogus Meta Quest App | A new adware campaign tricks users into downloading a malicious clone of the Meta Quest app, infecting their devices with AdsExhaust adware.
AdsExhaust is capable of capturing screenshots, simulating keystrokes, and interacting with browsers to generate ad revenue through fraudulent clicks and redirects.
The infection initiates from a website shown in Google search results due to SEO poisoning, prompting downloads of a malicious ZIP file that installs the adware.
Once installed, AdsExhaust performs actions when Microsoft Edge is idle, including opening new tabs, clicking on ads, and navigating to specific URLs.
It employs various techniques to remain stealthy, such as creating overlays to conceal its actions, closing the browser when it detects user interaction, and specifically targeting ads labelled "Sponsored".
Additionally, it can fetch keywords from a server, using them to perform Google searches to inflate ad interactions further.
Related malware threats and tactics are emerging, such as Hijack Loader leading to Vidar Stealer infections, highlighting increased sophistication and prevalence of cyber threats. | Details |