Daily Brief

Articles are listed below, each followed by a generated summary.

Total articles found: 12731

Checks for new stories every ~15 minutes

2024-06-17 14:17:09 bleepingcomputer CYBERCRIME British Cybercriminal Linked to Scattered Spider Arrested in Spain
A 22-year-old British national alleged to be a member of the Scattered Spider hacking group was arrested in Palma de Mallorca, Spain. Spanish police accuse him of leading a cybercrime gang that stole data and cryptocurrency through phishing and SIM-swapping, targeting 45 U.S. companies, and say the group took about $27 million in cryptocurrency by using compromised credentials to reach sensitive information and digital wallets. He was detained at Palma airport as he was about to fly to Naples, following a tip-off from the FBI and an international arrest warrant. A laptop and mobile phone seized at the arrest are undergoing forensic analysis. Although not officially confirmed, reports link the suspect to Scattered Spider, a group known for working with the Russia-linked BlackCat (ALPHV) ransomware operation and for high-profile breaches such as the MGM Resorts attack. The arrest is another example of international cooperation against organized cybercrime.
2024-06-17 13:05:29 theregister CYBERCRIME Arrest of Alleged Cybercrime Gang Leader in Spain
Spanish police detained a 22-year-old British man, believed to be the leader of the Scattered Spider cybercrime gang, as he was about to board a flight to Naples. The investigation began in May following an FBI tip about his activities in Spain. He is accused of orchestrating attacks on 45 U.S. companies, including high-profile SIM-swapping operations and casino heists, and of amassing roughly $26 million through them; police seized a laptop and a mobile phone at the arrest. Another alleged member, Noah Michael Urban, was arrested in January and faces multiple U.S. charges. Scattered Spider, made up largely of young, English-speaking adults, has moved from SIM-swapping to ransomware and, more recently, to pure extortion. The arrests have not stopped the group, which has lately been creating virtual machines inside victim environments and raiding SaaS applications for data theft.
2024-06-17 12:03:52 thehackernews NATION STATE ACTIVITY Prolonged Espionage Campaign by China-Linked Hackers on East Asian Firm
Velvet Ant, a suspected China-nexus espionage group, maintained access to an East Asian organization for about three years, using compromised F5 BIG-IP appliances as internal command-and-control hubs to persistently collect customer and financial data. The group relied on PlugX, a modular RAT long associated with Chinese operators, loaded onto endpoints via DLL side-loading. Two PlugX variants were used: one with an external C&C server for exfiltration, and one with no external C&C, reserved for legacy servers that lacked internet access. The intruders disabled endpoint security and used Impacket for lateral movement. Forensic analysis of the F5 devices turned up further tooling, including PMCD for remote command execution, a packet-capture utility, and the open-source EarthWorm SOCKS tunneler. The initial access vector, whether spear-phishing or exploitation of a known vulnerability, has not been identified. The campaign fits a broader pattern of China-linked intelligence collection across Asia.
2024-06-17 11:33:05 thehackernews MISCELLANEOUS Understanding DevSecOps: Essential Strategy for Secure Software
DevSecOps integrates security throughout the software development lifecycle and makes development, security and operations teams jointly responsible for it. Embedding security early ("shifting left") surfaces vulnerabilities while they are cheap to fix and keeps releases aligned with regulatory requirements, whereas security testing bolted on at the end of the cycle is inefficient and delays production when late findings force rework. Success depends on a real cultural shift toward shared responsibility and continuous collaboration across departments, supported by automated tooling, AI assistance and continuous security testing so that delivery velocity is preserved. Done well, DevSecOps also gives organizations a handle on the growing volume of open-source and third-party components in their applications. Mounting regulatory pressure and a threat landscape that actively targets software flaws are pushing organizations to adopt it.
2024-06-17 11:22:42 theregister MISCELLANEOUS AWS Enforces MFA for Enhanced Security Across Cloud Services
Amazon Web Services (AWS) is phasing in mandatory multi-factor authentication (MFA) for its most privileged accounts. Enforcement began in May 2024 for the root users of AWS Organizations management accounts and extends to the root users of standalone accounts starting in July. Affected users get a 30-day grace period to register an MFA device, after which console access is blocked until MFA is enabled. AWS now accepts FIDO2 passkeys, so root users can authenticate with biometrics or a device PIN via platform authenticators such as Apple Touch ID and Windows Hello, synced across devices. The move responds to a rise in credential-based attacks (credential stuffing, password spraying and brute force) that MFA largely blunts. Recent breaches at Snowflake customers including Pure Storage, Ticketmaster and Santander, where stolen credentials worked because MFA was not enforced, illustrate the point. The enforcement and passkey support form part of a wider push by large vendors to harden product security over the coming year.
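AWS's enforcement covers root users, but an account owner still has to find every human principal that can sign in without a second factor. The script below is an added example, not code from the article or from AWS: it parses the CSV credential report that IAM produces (fetch a real one with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 --decode`) and lists root and IAM users that have a console password but no active MFA device. The embedded report is constructed for illustration and carries only the columns the check needs.

```python
"""List console principals in an AWS IAM credential report that lack MFA.

Added example, not code from the article or from AWS. It parses the CSV
credential report that IAM produces, which you can fetch with:
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 --decode
The report embedded below is constructed for illustration; only the columns
this check needs are included.
"""
import csv
import io

# Constructed sample in the credential-report column layout (subset of columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T10:00:00+00:00,not_supported,2024-06-10T08:12:00+00:00,not_supported,not_supported,false
alice,arn:aws:iam::123456789012:user/alice,2022-01-15T09:30:00+00:00,true,2024-06-14T07:00:00+00:00,2024-05-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::123456789012:user/bob,2023-08-20T12:00:00+00:00,true,2024-06-16T18:45:00+00:00,2024-02-01T00:00:00+00:00,N/A,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-09-01T00:00:00+00:00,false,no_information,N/A,N/A,false
"""

ROOT = "<root_account>"


def console_principals_without_mfa(report_csv: str) -> list[dict]:
    """Return principals that can sign in interactively but have no MFA.

    Root is always a console principal (its row reports password_enabled as
    not_supported); IAM users count only when password_enabled is true.
    Access-key-only users such as deploy-bot are skipped: MFA enforcement
    for API access is a policy-condition matter, not a credential-report one.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == ROOT
        has_console_login = is_root or row["password_enabled"].strip().lower() == "true"
        mfa = row["mfa_active"].strip().lower() == "true"
        if has_console_login and not mfa:
            findings.append({
                "arn": row["arn"],
                "severity": "critical" if is_root else "high",
                "password_last_used": row["password_last_used"],
            })
    # Root first, then users by ARN, so the most dangerous gap tops the list.
    findings.sort(key=lambda f: (f["severity"] != "critical", f["arn"]))
    return findings


if __name__ == "__main__":
    for f in console_principals_without_mfa(SAMPLE_REPORT):
        print(f"{f['severity']:8} {f['arn']} (last console use: {f['password_last_used']})")
```

Run it against a freshly generated report rather than a cached one; IAM only regenerates the report on request, and a stale copy will miss users created since.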
2024-06-17 10:41:42 theregister DATA BREACH UK Gym's Unprotected Database Leaks Member Images and Data
A security researcher found that UK health club chain Total Fitness had left a 47.7GB database unsecured, exposing more than 474,000 images of members and staff along with identity documents, bank details and immigration records. Total Fitness, which runs 15 clubs across northern England and Wales, initially said the images were held for legitimate business purposes, but the data turned out to include far more personal information than the company first acknowledged. It has since locked down the database, reviewed the images, removed those containing identifiable data, and says member photos are no longer linked to other identifying information. The database may have been open since March 2021, leaving members exposed to identity theft and impersonation. The incident was reported to the UK Information Commissioner's Office (ICO), and the company is cooperating with its inquiries. The case also shows how exposed personal images feed AI and deepfake abuse, adding to concerns about digital identity and privacy online.
2024-06-17 06:36:47 theregister CYBERCRIME UNC3944 Cyber Gang Shifts Tactics to Target SaaS and Cloud Platforms
UNC3944, which previously deployed ransomware, has shifted to data-theft extortion without encryption. The group relies on social engineering and intimidation, including threats of doxxing and physical harm, to pressure help-desk staff into resetting credentials and MFA. With single sign-on access in hand, it moves into applications such as VMware vCenter, CyberArk, Salesforce and Microsoft 365 (Office 365), and uses vCenter to create virtual machines inside the victim's own infrastructure, giving it a persistent foothold from which to exfiltrate data. Mandiant's report notes the group's use of data-pipeline tools such as Airbyte and Fivetran to sync stolen data into cloud storage it controls. Mandiant recommends closer monitoring of SaaS applications and of MFA re-registration events, and centralizing logs from SaaS environments to improve detection of this activity.
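The help-desk pattern Mandiant describes (factors wiped after a phone call, then a new device enrolled by the attacker) leaves a recognisable sequence in identity-provider logs. The detector below is an added example, not code from Mandiant's report or the article. It consumes records shaped like Okta System Log events (eventType, published, actor, target, client) and raises an alert when a factor reset is followed within a window by a factor activation from an IP address the user has never had a session from. The event type names, the log records and the IP addresses are all assumptions constructed for illustration.

```python
"""Flag MFA factor resets followed by re-enrolment from an unfamiliar IP.

Added example, not code from Mandiant or the article. The records mimic
Okta System Log events (eventType, published, actor, target, client); the
event type names are assumptions, and the sample log is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event types treated as "the help desk wiped the user's factors" (assumed names).
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
# Event type for a new factor being bound to the account (assumed name).
ENROLL_EVENT = "user.mfa.factor.activate"
SESSION_EVENT = "user.session.start"


def _event(etype, published, actor, target, ip):
    """Build a minimal Okta-style record (constructed test data)."""
    return {
        "eventType": etype,
        "published": published,
        "actor": {"alternateId": actor},
        "target": [{"alternateId": target}] if target else [],
        "client": {"ipAddress": ip},
    }


SAMPLE_LOG = [
    _event(SESSION_EVENT, "2024-06-10T08:02:11Z", "alice@example.com", None, "203.0.113.10"),
    _event(SESSION_EVENT, "2024-06-12T08:05:40Z", "alice@example.com", None, "203.0.113.10"),
    _event(SESSION_EVENT, "2024-06-11T09:00:00Z", "carol@example.com", None, "203.0.113.22"),
    # Help desk resets alice's factors after a call; a new factor is activated
    # seven minutes later from an address alice has never signed in from.
    _event("user.mfa.factor.reset_all", "2024-06-17T09:00:05Z", "helpdesk@example.com", "alice@example.com", "203.0.113.5"),
    _event(ENROLL_EVENT, "2024-06-17T09:07:30Z", "alice@example.com", "alice@example.com", "198.51.100.77"),
    # Legitimate reset: carol re-enrols from her usual address.
    _event("user.mfa.factor.reset_all", "2024-06-17T10:00:00Z", "helpdesk@example.com", "carol@example.com", "203.0.113.5"),
    _event(ENROLL_EVENT, "2024-06-17T10:04:10Z", "carol@example.com", "carol@example.com", "203.0.113.22"),
    # Enrolment with no preceding reset is outside this rule's scope.
    _event(ENROLL_EVENT, "2024-06-17T11:00:00Z", "bob@example.com", "bob@example.com", "198.51.100.9"),
]


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def detect_mfa_rebinding(events, window=timedelta(hours=1)):
    """Return alerts for reset -> enrol sequences from an unfamiliar IP.

    Single pass in time order, so an IP only counts as "known" if the user
    had a session from it before the enrolment, not after.
    """
    known_ips = defaultdict(set)   # user -> IPs seen in earlier sessions
    pending = defaultdict(list)    # user -> [(reset_time, reset_actor)]
    alerts = []
    for e in sorted(events, key=_ts):
        etype, when, ip = e["eventType"], _ts(e), e["client"]["ipAddress"]
        if etype == SESSION_EVENT:
            known_ips[e["actor"]["alternateId"]].add(ip)
        elif etype in RESET_EVENTS:
            user = e["target"][0]["alternateId"]
            pending[user].append((when, e["actor"]["alternateId"]))
        elif etype == ENROLL_EVENT:
            user = e["target"][0]["alternateId"]
            recent = [(t, a) for t, a in pending[user] if when - t <= window]
            if recent and ip not in known_ips[user]:
                reset_time, reset_actor = recent[-1]
                alerts.append({
                    "user": user,
                    "reset_by": reset_actor,
                    "enroll_ip": ip,
                    "minutes_after_reset": round((when - reset_time).total_seconds() / 60, 1),
                })
            pending[user] = []  # one enrolment consumes the outstanding resets
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_rebinding(SAMPLE_LOG):
        print(alert)
```

The rule deliberately keys on the reset-then-enrol pair rather than on enrolment alone, because routine phone upgrades produce plenty of the latter; in production the "known IP" set would come from weeks of session history rather than the same batch of events.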
2024-06-17 06:31:28 thehackernews MALWARE Legitimate Sites Compromised to Spread BadSpace Malware via Fake Updates
Legitimate websites, many running WordPress, have been compromised to push a Windows backdoor called BadSpace through fake browser-update prompts. The chain starts when a visitor lands on a compromised site: injected code collects device data such as IP address and location and sends it to an attacker-controlled domain. A bogus Google Chrome update pop-up then either drops the malware directly or fetches a JScript downloader that installs the backdoor. BadSpace has links to SocGholish (FakeUpdates), which spreads through the same fake-update lure. Its capabilities include anti-sandbox checks, data theft, command execution, screenshot capture and persistence via scheduled tasks. eSentire and Sucuri have both warned of ongoing campaigns that use fake browser updates to plant malware.
2024-06-17 05:14:38 thehackernews MALWARE South Korean Users Targeted by NiceRAT Malware via Cracked Software
Threat actors are building a botnet with NiceRAT, primarily targeting users in South Korea. The malware is bundled with cracked software, including fake Microsoft Windows and Office license-verification tools, and the installers instruct users to disable anti-malware software first, which hinders detection. Beyond direct downloads, NiceRAT is also pushed onto machines already infected with NanoCore RAT, a botnet previously used to distribute other malware. NiceRAT is a Python-based open-source RAT and stealer that uses Discord webhooks for command and control. First released on April 17, 2024, it is under active development and offered in free and premium tiers under a malware-as-a-service model. Separately, the Bondnet cryptocurrency-mining botnet has resurfaced, repurposing high-performance bots as its command-and-control servers.
2024-06-17 02:00:55 theregister MISCELLANEOUS New Spam Blocklist Emerges; Cyberstalking and Trade Secret Theft Updates
Data443 is launching a free spam domain and IP blocklist for former users of SORBS, which shut down on June 5. The service draws on Data443's Cyren platform and is a time-lagged version of its commercial domain/IP blocklists. SORBS, run by Proofpoint until its closure, served more than 200,000 organizations with a DNS-based blocklist of some 12 million records for servers linked to spam and scams. Data443 has not said whether it intends to acquire the SORBS codebase. In enforcement news, a Georgia woman has been charged with cyberstalking and interstate threats in connection with an online adoption scam and faces up to 15 years if convicted, and Klaus Pflugbeil, a Canadian battery executive living in China, has pleaded guilty to stealing Tesla's proprietary battery manufacturing technology and faces up to 10 years in prison.
2024-06-17 00:49:25 theregister MISCELLANEOUS Japan Advances Space Debris Cleaning Project; Global Tech Updates
Japan's space agency JAXA and Astroscale have demonstrated ADRAS-J, a satellite able to approach and inspect a piece of space debris, in this case a defunct rocket stage. India's government has named its technology minister for the new term, maintaining continuity in technology policy. A former employee of Singapore's NCS, an Indian national, has been jailed for deleting virtual servers after his dismissal, a reminder of the risk of leaving former staff with working remote access. Hong Kong is trialling a robotic dog that detects pollution and could replace human inspectors in hazardous environments. Forrester forecasts APAC tech spending growing 6.4% in 2024, with India the fastest-growing market in the region. In Australia, bipartisan support is emerging for a minimum age of 16 for social media use, alongside broader efforts against online financial scams. Across Asia-Pacific, the picture is one of growth and innovation paired with regulation adapting to new challenges.
2024-06-16 14:17:26 bleepingcomputer CYBERCRIME New Speculative Execution Attack Compromises ARM MTE Security
Researchers from Samsung, Seoul National University and the Georgia Institute of Technology have disclosed TIKTAG, a speculative-execution attack that leaks the memory tags used by Arm's Memory Tagging Extension (MTE) with better than 95% success, demonstrated against Google Chrome and the Linux kernel. MTE assigns a tag to each memory allocation and checks it on access to catch memory-safety bugs; TIKTAG uses two gadgets, TIKTAG-v1 and TIKTAG-v2, that steer speculative execution so the outcome of a tag check leaves a trace in the cache, from which the correct tag can be inferred. A leaked tag reveals no secrets such as passwords or keys by itself, but it lets an attacker craft accesses that pass the tag check, defeating MTE as a mitigation for memory-corruption exploits. No fixes have shipped: Arm's bulletin states that tag leakage does not break the architecture's principles, since MTE is a probabilistic defence rather than a security boundary, and the Chrome security team, also notified, has not changed the browser. Mitigations and longer-term fixes remain under discussion.
2024-06-16 04:32:49 thehackernews CYBERCRIME U.K. Hacker from Scattered Spider Group Arrested in Spain
A U.K. national linked to the Scattered Spider cybercrime group has been arrested in Palma de Mallorca, Spain, in a joint FBI and Spanish police operation, as he attempted to leave for Italy. Reporting identifies him as Tyler Buchanan, known online as "tylerb," a SIM-swapping specialist tied to several ransomware attacks. The arrest follows the earlier capture of another member, who faces U.S. charges of wire fraud and aggravated identity theft. Scattered Spider has progressed from SIM swapping and credential harvesting to ransomware and data extortion, using phishing, privilege escalation and data theft from SaaS platforms, with a growing focus on the finance and insurance sectors. Mandiant and other security firms note the group's reliance on intimidation and its abuse of Okta permissions.
2024-06-15 17:10:53 bleepingcomputer NATION STATE ACTIVITY Novel Emoji-Controlled Malware Targets Indian Government Agencies
Volexity has discovered DISGOMOJI, a Linux malware controlled through Discord that takes its commands as emojis. Attributed to the Pakistan-based actor UTA0137, it targets BOSS, a custom Linux distribution used by Indian government agencies, for espionage: remote command execution, file theft and deployment of further payloads. Because operators issue commands by posting emojis to a Discord server, the traffic may evade security tooling that looks for textual command strings. Delivery is believed to be by phishing, with the malware shipped as an executable inside a ZIP archive posing as a PDF. On execution it sends basic system information to the operators and waits for emoji commands. Persistence uses @reboot cron entries and other mechanisms, giving long-term access for data theft. Volexity also observed attempts at lateral movement within networks to steal credentials and gather further intelligence.
2024-06-15 15:18:42 bleepingcomputer MALWARE ASUS Releases Firmware Update to Address Critical Router Vulnerabilities
ASUS has released firmware updates for seven router models to fix CVE-2024-3080, a critical authentication-bypass flaw (CVSS 9.8) that lets unauthenticated remote attackers take control of affected devices without credentials. Owners are urged to update immediately; where that is not possible, ASUS advises hardening the device: set strong passwords, disable internet-facing access to the administration panel, and turn off exposed services such as port forwarding and the VPN server. The release also fixes CVE-2024-3079, a high-severity buffer overflow that requires admin access to exploit, and ASUS has responded to CVE-2024-3913, a critical arbitrary-firmware-upload flaw affecting several models. Some affected models are end-of-life and will not receive updates, so their owners should apply the per-model mitigations instead. ASUS has also shipped a new version of its Download Master utility that fixes five further, less severe but still significant, security issues.