Daily Brief


Total articles found: 11813

Checks for new stories every ~15 minutes

2024-04-22 07:33:04 theregister MALWARE Unique Windows Version Prevents Company-Wide Virus Spread
Declan, a self-taught CAD designer and technical support provider, used a rare version of Windows NT on a Digital Alpha RISC machine which ran most applications in emulation. One afternoon, Declan inadvertently opened an email attachment containing a macro virus, potentially jeopardizing the company's network. The virus attempted to propagate itself by accessing Outlook's contact list and sending out further emails, but was unsuccessful due to poor software integration in the emulation environment. Declan realized the virus's failure when his system started displaying numerous error messages, indicating the virus could not execute its intended actions. This incident highlighted the accidental benefit of using a less common and poorly integrated system, which resisted a potentially damaging virus spread. Ultimately, Declan's experience underscores the importance of preventive measures and the unexpected virtues of outdated or unique technology setups in specific scenarios.
2024-04-22 07:17:34 thehackernews NATION STATE ACTIVITY North Korean Hackers Utilize AI to Enhance Cyber Espionage Efforts
North Korea-linked cyber actors, specifically Emerald Sleet, are using AI technologies to refine spear-phishing and other cyber-espionage tactics. AI-driven large language models help these actors in research, reconnaissance on North Korea-focused organizations, and optimizing phishing content. Proofpoint's report highlights Emerald Sleet's strategy of using benign conversations and think tank personas to build long-term informational exchanges advantageous to North Korea. The group has also exploited weak email authentication policies to enhance their phishing schemes with web beacons for deeper target profiling. Jade Sleet, another North Korean group, is involved in significant cryptocurrency thefts, amassing millions from firms in Estonia and Singapore. Lazarus Group (Diamond Sleet) continues sophisticated cyber operations, including DLL hijacking and database manipulation to deploy malware and disrupt supply chains. Recent adaptations include tactical changes like usage of shortcut (LNK) files with hidden malicious commands to deliver payloads and bypass detection systems. These developments from North Korean cyber groups indicate a sharp increase in cyber threat complexity and underline the need for enhanced cybersecurity measures.
2024-04-22 04:34:06 theregister MALWARE Researchers Reveal Malware Signature Deletion Flaw in EDR Systems
Researchers from SafeBreach presented at Black Hat Asia, exposing vulnerabilities in Microsoft Defender and Kaspersky's EDR systems that allow for remote file deletions through manipulated malware signatures. By embedding a known malware byte signature into legitimate files, EDR systems falsely identify these files as threats and delete them, potentially allowing attackers to remotely erase databases and disrupt services. Despite patches from Microsoft addressing these vulnerabilities, further tests by SafeBreach found ways around the fixes, indicating potential ongoing risks. Microsoft implemented improvements and offered configuration options to reduce risk, while Kaspersky acknowledged the issue but viewed it as a design behavior, planning mitigations rather than calling it a vulnerability. The researchers stressed that security patches alone are insufficient and advocated for additional layers of protection to mitigate the risk of single points of failure in security controls. The findings underline significant challenges in ensuring the efficacy of EDR systems without introducing new vulnerabilities or unwanted behaviors. The issue highlights a broader industry struggle with EDR capabilities being potentially harnessed as tools for attacks rather than purely defensive measures.
2024-04-22 03:17:52 theregister NATION STATE ACTIVITY China Establishes New Military Force to Enhance Cyber Warfare
China introduced the Information Support Force (ISF) to modernize its military and improve performance for networked wars. President Xi Jinping recognized the establishment of ISF as crucial for the People's Liberation Army to prevail in modern conflicts. The ISF aims to develop a robust network information system tailored to meet the demands of contemporary warfare and align with the specific characteristics of the Chinese military. The force integrates cyber space and aerospace capabilities that were previously part of the Strategic Support Force, under the management of the Central Military Commission. This development comes amid escalating concerns from international communities, exemplified by FBI Director Christopher Wray’s remarks on China’s formidable cyber capabilities and constant threats to US infrastructure. The FBI actively collaborates with the US Cyber Command and other agencies to combat cybersecurity threats, emphasizing the importance of cooperation among nations and private sectors in defending against these threats. Xi’s 2027 milestone emphasizes his long-term vision for China’s military, reflecting the strategic importance of the ISF in fulfilling this goal.
2024-04-22 02:00:51 theregister NATION STATE ACTIVITY MITRE Targeted by Nation State in High-Profile Cyberattack
MITRE's R&D center, NERVE, was breached using zero-day flaws in an Ivanti virtual private network. The attack was attributed to a foreign nation-state threat actor, a reminder that no organization is immune to such sophisticated threats. While MITRE's core networks remained secure, the incident underscores the need for industry-wide vigilance and improved cyber defense strategies. MITRE plans to share insights from this breach to help bolster the cyber defense of other organizations. The broader report also discusses ongoing threats from the Akira ransomware, linked to Russian gangs exploiting Cisco vulnerabilities for data theft and encryption. In recent events, Cerebral, an online mental health care provider, was fined over $7 million for sharing customer data with major social platforms, illustrating ongoing data privacy issues in the telehealth sector. Critical vulnerabilities this week highlighted issues in Atlassian's Bamboo, stressing the persistent risk and the importance of timely updates for legacy systems.
2024-04-21 18:54:24 bleepingcomputer MALWARE Malware Targets Child Exploiters with Extortion Scheme
A new malware campaign has been initiated targeting individuals seeking child pornography by using ransomware tactics. This malware pretends to be government agencies and demands a "penalty" to prevent sending user information to law enforcement. Notably, this operation uses a software impersonating a service called "UsenetClub," which lures users with the promise of a free VPN tool required to gain access. Upon installation, the malware changes the user’s desktop wallpaper and leaves a ransom note demanding payment to a specific Bitcoin address. The malware, referred to as "PedoRansom" by its creator, has so far received limited payments, indicating low success in extorting money from its targets. Historical iterations of similar sextortion tactics yielded higher revenues, but public awareness has decreased the effectiveness of such scams. Cybersecurity research revealed that the campaign specifically focuses only on individuals actively seeking illegal content, rather than casting a wider net.
2024-04-21 14:25:35 bleepingcomputer RANSOMWARE Ransomware Payment Trends and Effects in Early 2024
Ransom payments to cybercriminals have hit a record low, as only 28% of targeted companies complied with demands in Q1 2024. Despite fewer companies paying, ransomware gangs have intensified their attacks, resulting in $1.1 billion paid to attackers in the previous year. Coveware reveals a 32% decrease in average ransom payments but a 25% rise in median payments, suggesting a shift toward more, yet smaller, demands. Law enforcement efforts, including the FBI's disruption of the LockBit operation, have caused significant disturbances among ransomware groups, disrupting their activities. Many ransomware affiliates, disillusioned by crackdowns and unreliable revenue, are moving to independent operations or exiting the cybercrime scene altogether. Advanced protective measures and growing legal repercussions have incentivized organizations not to yield to ransomware demands. The most active ransomware strain, Akira, remains at the forefront of attacks, having compromised at least 250 organizations and accumulated $42 million in payments.
2024-04-21 08:46:02 thehackernews MALWARE New RedLine Stealer Variant Targets Gamers with Stealth Tactics
A new variant of RedLine Stealer malware is using Lua bytecode to increase stealth and effectiveness. McAfee Labs identified the variant by tracing a known command-and-control server linked to previous RedLine Stealer activity. The malware is distributed via GitHub within ZIP files falsely labeled as game cheats, exploiting the trust placed in Microsoft's repositories. Targeted primarily at gamers, the ZIP files contain an MSI installer which uses deceptive messages encouraging sharing with friends to spread the malicious software. Once installed, the setup deploys a scheduled task for persistence and connects to a C2 server to execute commands, which may include capturing screenshots and data exfiltration. The distribution method of the ZIP files remains unclear, although there is rising concern over GitHub being used to distribute malware. Related cybercrime campaigns are leveraging Web3 gaming lures and fake branding to spread various types of information-stealing malware across different operating systems.
2024-04-20 15:20:57 bleepingcomputer MALWARE Critical Flaw in Forminator Plugin Jeopardizes 300,000 WordPress Sites
Over 500,000 websites employing the Forminator WordPress plugin are at risk due to a critical vulnerability. The flaw, identified as CVE-2024-28890 with a CVSS score of 9.8, enables unauthorized file uploads and potential malware injection. Japan's CERT issued an alert highlighting three main risks: unauthorized data access, website modification, and denial-of-service attacks. Users are urged to update Forminator to version 1.29.3, which mitigates these vulnerabilities. Despite the availability of the patch since April 8, 2024, approximately 320,000 websites remain unpatched and vulnerable. There have been no public incidents of exploitation yet, but the high severity of the flaw poses a significant threat. Recommended actions include minimizing plugin use, quickly updating to new versions, and deactivating unnecessary plugins.
2024-04-20 14:14:47 bleepingcomputer MALWARE Malware Disguised as Microsoft Repo Files Exploits GitHub Feature
Threat actors exploit a GitHub design flaw to distribute malware through URLs appearing to come from Microsoft repositories. Malware disguised as files in comments on GitHub bypasses scrutiny by leveraging trusted repo URLs, making the deception highly convincing. Files attached in comments on GitHub are stored on GitHub's CDN, with persistent URLs that do not get deleted even if the comment is removed. Malicious actors have abused this GitHub feature by attaching malware to comments within reputable projects, such as Microsoft's "C++ Library Manager" (vcpkg) repository. The exposed repositories maintain active download links indefinitely, potentially deceiving users long after the initial comment manipulation. GitHub's settings currently lack robust mechanisms to manage or delete files attached to project comments, complicating efforts to mitigate abuse. Disabling comments is a potential but inconvenient solution, as it can significantly restrict community contributions and project development.
2024-04-20 05:58:02 thehackernews MALWARE Exploitation Details of Critical PAN-OS Flaw Unveiled by Palo Alto
Palo Alto Networks has disclosed details about a critical flaw in PAN-OS, identified as CVE-2024-3400, which is actively being exploited. CVE-2024-3400, with a severity score of 10.0, combines two vulnerabilities that enable remote shell command execution without authentication when exploited together. The exploitation known as Operation MidnightEclipse involves two stages, where the first compromises file naming protocols, and the second manipulates system commands for executing arbitrary code. Attackers use the UPSTYLE backdoor and cron job scripts to maintain persistence and execute further commands, which includes downloading additional tools like GOST. Despite initial beliefs, telemetry requirements do not impact the exploitability of the flaw, resulting in broader device vulnerability. Urgent updates and patches have been issued by Palo Alto Networks, covering multiple maintenance releases to correct the flaw. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to patch vulnerable systems by April 19, 2024, and approximately 22,542 internet-exposed devices could potentially be affected globally.
2024-04-20 05:27:28 thehackernews CYBERCRIME CrushFTP Zero-Day Vulnerability Exploited in Targeted Cyber Attacks
A zero-day vulnerability affecting versions below 11.1 has been discovered in CrushFTP, an enterprise file transfer product. Users are encouraged to update their software to version 11.1.0, where the vulnerability is patched. The vulnerability allows unauthorized downloading of system files by escaping the VFS (Virtual File System). Customers using CrushFTP in a DMZ (demilitarized zone) setting are reportedly protected from this exploit. Cybersecurity firm CrowdStrike identified the exploit being used in targeted attacks primarily against U.S. entities. These exploits are suspected to be politically motivated, focusing on intelligence gathering. The vulnerability has not yet received a CVE identifier, but ongoing updates and patches are recommended. The vulnerability was disclosed by Simon Garrelou of Airbus CERT.
2024-04-19 23:41:33 bleepingcomputer RANSOMWARE Surge in Ransomware Attacks Targets Diverse Global Entities
Ransomware attack frequencies have rebounded after a temporary decline, with new groups like RansomHub emerging prominently. Change HealthCare has been doubly extorted by a former BlackCat affiliate, now using RansomHub, resulting in $872 million in losses for UnitedHealth Group. The Daixin ransomware group disrupted operations at Omni Hotels, threatening to leak customer data unless a ransom is paid. Significant breaches were also reported by chipmaker Nexperia and various global organizations including the United Nations Development Programme and Octapharma Plasma. The U.S. Justice Department charged a Moldovan national with managing a large botnet that deployed ransomware, highlighting ongoing legal actions against cybercriminals. According to the FBI, the Akira ransomware operation amassed $42 million from over 250 victims, underscoring the profitable nature of ransomware campaigns. HelloKitty, a known ransomware operator, rebranded to HelloGookie and continued its malicious activities, leaking data from previous attacks.
2024-04-19 22:35:22 bleepingcomputer CYBERCRIME Urgent Patch Released for CrushFTP Zero-Day Exploit
CrushFTP has issued an urgent warning to users about a zero-day vulnerability that is actively being exploited. The security flaw allows attackers without authentication to access and download system files beyond their virtual file system permissions. The vulnerability, detected and initially reported by Simon Garrelou from Airbus CERT, affects versions up to CrushFTP v9. Users are strongly advised to upgrade immediately to versions 10.7.1 or 11.1.0 to mitigate risk. Servers behind a DMZ network remain protected against this specific attack vector. CrowdStrike reported that the compromise is part of a targeted intelligence-gathering campaign, likely with political motives. Past incidents in November highlighted additional vulnerabilities in CrushFTP, emphasizing ongoing security challenges. At least 2,700 online instances of CrushFTP may be vulnerable, underlining the importance of immediate updates.
2024-04-19 20:32:55 theregister CYBERCRIME Deliberate Cable Cut Disrupts Sacramento Airport Services
Sacramento International Airport experienced significant flight delays due to an intentional severing of an AT&T internet cable. This incident disabled internet services at airline facilities, particularly affecting Southwest and Delta airlines. The Sacramento County Sheriff's Office confirmed the cable was deliberately cut and is investigating the incident. No suspects have been identified yet, and the damage appears to be isolated without ongoing threats reported. Flight operations were delayed over two hours, but normal services resumed by midday. This disruption followed similar infrastructure attacks in the U.S., including widespread 911 service outages and sabotage of electrical substations. The FBI may be involved in further investigations to determine motives and possibly elevate charges.