Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12732

Checks for new stories every ~15 minutes

2024-06-20 14:05:11 thehackernews NATION STATE ACTIVITY Russian-Linked Cyber Attacks Target French Diplomatic Sites
French diplomatic entities have been subject to targeted cyber attacks by state-sponsored actors with ties to Russia. The attacks are attributed to Midnight Blizzard, also known under various aliases such as APT29 and Nobelium, linked to the Russian Foreign Intelligence Service (SVR). ANSSI identifies separate threat clusters including Midnight Blizzard and Dark Halo, noted for different cyber attack strategies. Attack methods primarily include phishing campaigns using compromised legitimate email accounts from diplomatic staff. Phishing emails sent by Nobelium were recently aimed at European embassies in Kyiv including the French embassy in May 2023. Additional attacks targeted the French Embassy in Romania leveraging security flaws in JetBrains TeamCity servers but were unsuccessful. Nobelium’s infiltration attempts extend to IT and cybersecurity entities, enhancing their espionage capabilities and posing a sustained threat. The Polish government also reported a DDoS attack by Russian hackers against Telewizja Polska during a broadcast in June 2024.
2024-06-20 12:33:00 theregister NATION STATE ACTIVITY Russia's Cyber Espionage Continues to Target French Diplomacy
France's CERT-FR has revealed ongoing cyber espionage operations by Nobelium, a Russian-linked cyber group, aimed at French national security and democratic processes. Nobelium, differentiated from APT29 and Dark Halo by ANSSI, targets diplomatic emails via sophisticated phishing attacks and business email compromise (BEC) tactics. Notable incidents include repeated attempts to infiltrate the French Ministry of Foreign Affairs and other public sector entities, using themes like embassy closures and diplomatic appointments to deploy Cobalt Strike tools. The cybersecurity report underscores Nobelium's persistence and strategic targeting, hinting at state-sponsored operations aimed at gathering intelligence and influencing political outcomes. French officials are concerned about potential Russian interference in upcoming elections and diplomatic relations, especially with the impending Olympic and Paralympic Games hosted by France. Russia has also been implicated in disinformation campaigns, including attempts to influence previous French presidential elections and spread misleading narratives about socio-economic issues in France.
2024-06-20 10:50:59 thehackernews MISCELLANEOUS Challenges MSPs Face with Multiple Cybersecurity Tools in 2024
MSPs manage a vast array of cybersecurity tools, making integration and management complex. Recent surveys indicate 36% of MSPs utilize over 10 different cybersecurity tools, increasing the risk of security gaps. An excess of tools often leads to alert fatigue, causing delays in response and potentially undetected vulnerabilities. The Guardz Unified Cybersecurity Platform offers a centralized solution to manage risks and streamline operations. Guardz integrates multiple security functions like email and endpoint security, phishing simulations, and cyber insurance. The platform enhances threat detection and response, ensuring consistent security policies across all environments. Continuous Attack Surface Discovery and Penetration Testing help MSPs stay ahead of threats by prioritizing critical vulnerabilities.
2024-06-20 10:35:26 theregister RANSOMWARE Qilin Ransomware Attack Targets London Hospitals for $50 Million
Qilin ransomware group orchestrated a deliberate attack on Synnovis, causing a significant healthcare crisis in London hospitals, and demanded a $50 million ransom. The group claims the attack was politically motivated, targeting entities linked to political elites who allegedly withhold high-quality medicines. Despite this claim, experts and analysts note that Qilin's operations have traditionally been financially rather than politically motivated, casting doubt on the authenticity of its stated ideology. So far, the attack has led to over 1,500 cancellations of operations and appointments, seriously impacting patient care and hospital functions. Qilin claims to have used a zero-day vulnerability to initiate the attack, though specifics about the vulnerability remain unconfirmed by Synnovis and the UK's NCSC. Synnovis is currently investigating the breach in coordination with the Information Commissioner's Office (ICO) and other relevant authorities, assessing the extent of data impacted. Qilin's claims and previous activities suggest a sophisticated level of operational capability, likely supported by advanced cybercriminal techniques and tools.
2024-06-20 10:25:04 thehackernews NATION STATE ACTIVITY Chinese Espionage Campaign Targets Asian Telecoms Since 2021
Chinese cyber espionage groups have been linked to the infiltration of telecom operators in Asia in a campaign ongoing since at least 2021. The attacks involve placing backdoors into networks, credential theft, and targeting an additional services company and university. Symantec identifies use of known Chinese cyber tools such as COOLCLIENT, QuickHeal, and RainyDay, which capture sensitive data and connect to C2 servers. Initial access methods to target systems remain unclear; the campaign includes port scanning and Windows Registry hive dumping. The operations may involve collaboration or independent actions of different espionage collectives known as Mustang Panda, RedFoxtrot, and Naikon. Motives likely include intelligence gathering on telecom sectors and potentially establishing capabilities for future disruptions in critical infrastructure. Parallel reporting by Kaspersky in November 2023 exposes a related ShadowPad malware attack exploiting Microsoft Exchange vulnerabilities in Pakistani telecom infrastructure.
2024-06-20 08:12:16 thehackernews MALWARE New Rust-Based Fickle Stealer Malware Targets Sensitive Data
Fickle Stealer is a Rust-based malware focused on stealing sensitive data from compromised systems using various attack chains. The malware employs multiple distribution methods including VBA dropper, downloader, link downloader, and executable downloader. It uses a PowerShell script to bypass User Account Control (UAC) and facilitate data exfiltration to a Telegram bot controlled by the attacker. The malware performs anti-analysis checks to avoid detection and operates in non-sandboxed environments to gather data. Fickle Stealer specifically targets data from crypto wallets, several popular web browsers, and applications like AnyDesk and Discord. It searches for files with various extensions including .txt, .pdf, and .docx, and also adapts its targets based on server-side instructions. The article briefly discusses another stealer, AZStealer, which is Python-based and available on GitHub, noted for stealing information through Discord webhooks.
2024-06-20 06:35:21 thehackernews MALWARE New SquidLoader Malware Targets Chinese Organizations via Phishing
Cybersecurity experts identified a new malware loader, SquidLoader, primarily targeting Chinese entities through phishing emails disguised as legitimate Microsoft Word documents. SquidLoader employs advanced evasion techniques including encrypted code segments and direct syscalls, complicating both static and dynamic malware analysis. The malware facilitates the delivery of second-stage shellcode payloads, such as Cobalt Strike, directly within the loader process without writing payloads to disk, enhancing its ability to evade detection. It features several defense evasion mechanisms such as Control Flow Graph obfuscation and debugger detection, which make it difficult for security programs to effectively identify and neutralize. Loader malware is increasingly popular among cybercriminals, serving as a critical tool to bypass antivirus defenses and inject additional harmful payloads into compromised systems. The discovery of SquidLoader follows similar findings of other loader malware like PikaBot and Taurus Loader, indicating a persistent and evolving threat landscape in malware development and deployment. The recent operation "Endgame" led to the takedown of infrastructure supporting various loader malwares, signaling law enforcement's ongoing efforts to mitigate such cyber threats.
2024-06-20 00:43:27 bleepingcomputer DATA BREACH T-Mobile Refutes Hack Claims, Blames Vendor for Data Leak
T-Mobile has denied any direct breach or theft of its source code after allegations by the group IntelBroker about stolen company data. IntelBroker, a notorious hacker group, asserted they compromised T-Mobile in June 2024 and exhibited proof through screenshots from internal systems like Confluence and Slack. The leaked data, however, is reported to be older and stolen from a third-party vendor's servers rather than T-Mobile's infrastructure directly. The nature of the breach at the third-party service provider is unclear, though vulnerability CVE-2024-1597 in Confluence systems could be related. T-Mobile insists no customer data or source code was compromised during this incident and continues to investigate the claims. The identity of the third-party service provider has not been publicly disclosed as investigations are ongoing. T-Mobile's history with cybersecurity issues includes significant breaches in 2023 impacting millions of customers.
2024-06-19 22:30:55 bleepingcomputer CYBERCRIME Crown Equipment Hit by Cyberattack, Manufacturing Disrupted
Crown Equipment confirmed a cyberattack disrupted manufacturing operations starting around June 8. The attack was perpetrated by an international cybercriminal organization, leading to a shutdown of IT systems. Initial reports suggest the breach occurred through social engineering, where an employee enabled unauthorized device access. Despite the breach, Crown asserts that their security measures limited the extent of data accessed by attackers. Crown has engaged with cybersecurity experts and the FBI to mitigate effects and investigate the compromised data. The company experienced internal communication issues, impacting employee transparency and pay arrangements. Manufacturing is still affected, but Crown is transitioning towards normal operations and is restoring IT systems.
2024-06-19 19:47:28 bleepingcomputer DATA BREACH Advance Auto Parts Confirms Employee Data Compromised in Breach
Advance Auto Parts has verified a data breach exposing personal information of employees and potentially customers. The breach stemmed from unauthorized access to a third-party cloud database used by the company. The incident was first noted on May 23, 2024, and confirmed when a hacker named 'Sp1d3r' attempted to sell the data in June. Among the compromised data are social security numbers, government identification numbers, full names, and email addresses of employees and job applicants. There is an indication that some customer data, including email addresses and names, may also have been exposed. The company has contacted law enforcement, begun notifying affected parties, and is offering free credit monitoring and identity restoration services. Advance Auto Parts expects to spend around $3 million in response to the breach to mitigate its impact and strengthen security measures.
2024-06-19 17:59:45 bleepingcomputer CYBERCRIME CDK Global Hit by Major Cyberattack, Disrupting US Car Dealerships
CDK Global, a software provider for car dealerships, was the victim of a significant cyberattack, which led to a shutdown of its systems. Over 15,000 North American car dealerships were affected, unable to access critical operational tools like CRM, inventory, and financing systems. The cyberattack prompted CDK Global to take its two main data centers offline to contain the spread, severely impacting day-to-day dealership operations. Dealership employees were advised to disconnect the always-on VPN links to CDK's data centers, a measure to prevent further network infiltration. The attack may have involved ransomware, which could also compromise backups, leading to prolonged system downtimes and potential data leaks. There remains uncertainty and lack of information from CDK Global about the exact nature and scope of the breach, as official confirmations are still pending. The incident has forced many dealership employees to revert to manual processes, with some being sent home due to the inability to operate normally.
2024-06-19 16:43:02 thehackernews CYBERCRIME Kraken Crypto Exchange Suffers $3 Million Theft Due to Flaw
Kraken Crypto Exchange disclosed a $3 million theft in which an unnamed security researcher exploited a critical zero-day flaw in its platform. The exploit was linked to a recent user interface change allowing users to use deposited funds before clearance. Within 47 minutes of detecting the issue, Kraken remedied the flaw that allowed artificial inflation of account balances. Three accounts manipulated this vulnerability shortly after its emergence, siphoning funds directly from Kraken's treasuries. The supposed researcher, instead of reporting the bug for a bounty, collaborated with others to withdraw substantial amounts, refused to return the funds, and demanded a payment from Kraken. The incident has been escalated to a criminal case, with Kraken engaging law enforcement. Kraken's Chief Security Officer emphasized the ethical protocols of bug bounties, stating that the researcher's actions constituted extortion and criminal behavior.
2024-06-19 15:11:10 thehackernews NATION STATE ACTIVITY Chinese Espionage Exploits Security Flaws in Global Networks
The cyber espionage group UNC3886, linked to China, has exploited zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices. Mandiant researchers report that UNC3886 uses sophisticated tactics to maintain long-term access in compromised networks by employing multiple persistence mechanisms. Techniques include deploying backdoors and harvesting credentials through the exploitation of CVEs like CVE-2022-41328 (Fortinet FortiOS) and CVE-2023-20867 (VMware Tools). UNC3886 targets entities across multiple global regions and various industries including government, telecommunications, and aerospace. The espionage activities include the use of publicly available rootkits and custom malware like Reptile, Medusa, MOPSLED, and RIFLESPINE, leveraging GitHub and Google Drive for command-and-control operations. UNC3886 has also developed tactics to evade detection and to move laterally using legitimate credentials. Security advisories from Fortinet and VMware recommend best practices to mitigate exposure to these threats.
2024-06-19 14:55:20 bleepingcomputer CYBERCRIME Kraken Crypto Exchange Loses $3 Million to Exploiters
Kraken's security team was alerted about a critical bug on June 9th, which allowed artificial inflation of wallet balances. Researchers exploited a zero-day vulnerability, initiated by a recent UI change, to steal $3 million from Kraken's treasury. The exploit enabled initiating deposits and crediting funds even if transactions did not complete, misleadingly boosting account balances. The security flaw was swiftly corrected within an hour of its discovery, but not before substantial funds were withdrawn. Three individuals, including one posing as a researcher, abused the vulnerability; despite this, they did not cooperate with Kraken post-disclosure. The alleged researchers involved have attempted to extort Kraken by withholding details of the bug and the stolen funds. Kraken has refrained from publicly identifying the exploiters and has reported the incident to law enforcement authorities for further investigation.
2024-06-19 13:02:22 theregister DATA BREACH Amtrak Addresses Rewards Program Data Breach with Enhanced Security
Amtrak has issued notifications to users of its Guest Rewards program about a data breach between May 15 and 18, involving unauthorized access using valid credentials obtained from third-party sources. The breach potentially exposed sensitive data including email addresses, contact info, account numbers, dates of birth, partial credit card numbers with expiration dates, and details of past travel. Amtrak has enforced mandatory multi-factor authentication (MFA) for all affected accounts to strengthen security and prevent future unauthorized access. Affected users are also advised to reset their passwords to something unique and review other online accounts for any unusual activity. In the aftermath, Amtrak has taken steps to modify account email addresses and force password resets where necessary. The company has provided affected customers with instructions for securing their accounts and accessing a free credit report to monitor for fraudulent activity. This incident marks the second breach of Amtrak's rewards program following a similar episode in 2020, although no financial data was compromised in the earlier breach.