Daily Brief
Total articles found: 11811
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-04-12 21:14:02 | bleepingcomputer | MALWARE | Telegram Patches Windows App Vulnerability to Prevent Python Script Exploits | Telegram addressed a zero-day vulnerability in its Windows app that allowed Python scripts to bypass security warnings and execute automatically. The vulnerability was first rumored on online forums and was related to a typo in the source code that misidentified a file extension. Attackers could disguise Python script files as video files, tricking users into launching them unknowingly. Telegram implemented a server-side fix that appends an ".untrusted" extension to the questionable file types, so that Windows prompts the user to choose how to open the file. Less than 0.01% of Telegram's user base was potentially affected, as exploitation required the Python interpreter to be installed. The issue was not a zero-click vulnerability, since user interaction was needed to trigger the script. Telegram plans to ship a corrected security warning message in future updates of the app to better protect users against such vulnerabilities. |
| 2024-04-12 20:23:03 | theregister | MISCELLANEOUS | Google Ends VPN Service for Most, Retains for Pixel Users | Google is discontinuing its VPN for Google One service due to low demand, with a complete shutdown planned for later this year. The VPN will remain operational exclusively for Pixel 7 and newer phone models, honoring an earlier promise by Google to provide the service for at least five years. Google One subscribers were informed by email about the pending discontinuation, which is part of a broader adjustment strategy taking effect by May 15. Initially introduced in October 2020, the VPN was only available with Google One's highest-priced plan but was extended to the basic plan a year later to encourage broader usage. Despite the expansion, utilization remained low, leading Google to prioritize more popular features within the Google One subscription, focusing on enhancing cloud storage and other in-demand services. As yet there are no updates on the Google One website indicating the removal of the VPN feature, and it is still listed as a benefit for all plans. This change adds to a long history of Google discontinuing services, ending a 197-day streak without a product cancellation. |
| 2024-04-12 18:56:31 | bleepingcomputer | CYBERCRIME | FBI Alerts on Rising SMS Phishing Scams Involving Road Tolls | The FBI issued a warning about an extensive SMS phishing operation targeting U.S. citizens with fake unpaid road toll notifications. This phishing wave began last month and has already impacted thousands, based on over 2,000 complaints lodged with the FBI's Internet Crime Complaint Center (IC3). Scammers are sending texts claiming recipients owe money for road tolls, using consistent language such as "outstanding toll amount" across different states. The fraudulent messages include a hyperlink that mimics state toll services, but the URLs and phone numbers are altered to deceive victims into providing personal information. The Pennsylvania Turnpike warned its customers against clicking on links in similar phishing texts, underscoring the growing concern among state agencies. The FBI has noted the geographic spread of this scam, moving from state to state, with some areas yet to report incidents. Federal authorities are urging those who receive these phishing texts to report them immediately and avoid clicking on any included links. |
| 2024-04-12 18:51:10 | bleepingcomputer | MALWARE | Telegram Patches Security Flaw in Windows App Due to Typo | Telegram fixed a zero-day vulnerability in its Windows desktop app caused by a typo in the handling of file extensions. The vulnerability allowed Python scripts disguised as videos to bypass security warnings and execute automatically once the user opened them. While initial reports suggested a zero-click flaw, Telegram confirmed that the issue required user interaction and affected a very small user base. A proof of concept posted on the XSS hacking forum demonstrated the exploit, using a modified file extension to get Python scripts to run automatically. Telegram implemented a server-side fix, appending the ".untrusted" extension to suspect files, which mitigated the risk without requiring an immediate software update. It is estimated that less than 0.01% of Telegram users were susceptible to the exploit, since it required specific conditions such as the Python interpreter being installed. BleepingComputer and cybersecurity researchers tested and confirmed the exploit's mechanics and Telegram's prompt response with a fix. |
| 2024-04-12 17:59:48 | bleepingcomputer | CYBERCRIME | Former Amazon Engineer Sentenced for Cryptocurrency Exchange Hacks | Ex-Amazon security engineer Shakeeb Ahmed was sentenced to three years for hacking two cryptocurrency exchanges and stealing over $12 million. Convicted on one count of computer fraud, Ahmed also received three years of supervised release and was ordered to forfeit $12.3 million and pay restitution. Ahmed exploited smart contract and blockchain flaws to execute fraudulent transactions, earning millions from inflated fees and manipulated crypto asset prices. He used sophisticated cryptocurrency mixers and conducted transactions across multiple blockchains to obscure the stolen funds. Despite a bounty offered by Nirvana Finance to recover the stolen assets, Ahmed refused to return the funds, resulting in substantial losses for the exchange. Ahmed researched ways to evade detection and extradition, including seeking citizenship in other countries and obstructing asset seizures. |
| 2024-04-12 15:09:59 | bleepingcomputer | CYBERCRIME | Over Half a Million Roku Accounts Compromised in Credential Stuffing Attacks | Roku reported that 576,000 user accounts were compromised in recent credential stuffing attacks, in addition to 15,000 affected earlier. Threat actors used credentials stolen from other sites to access Roku accounts, enabling unauthorized streaming and hardware purchases. These credentials were tested against Roku accounts using automated tools; accounts with reused passwords were particularly vulnerable. Full payment data was not accessed, though in a smaller number of cases attackers made unauthorized purchases using stored payment methods. Roku has since reset passwords for affected accounts, notified impacted users directly, and refunded unauthorized transactions. To strengthen security, Roku has enabled two-factor authentication (2FA) by default for all accounts and urges users to choose strong, unique passwords. Despite the scale of the attack, Roku confirmed that its own systems were not compromised and were not the source of the stolen credentials. |
| 2024-04-12 14:59:27 | thehackernews | MALWARE | Rust Crate Compromised: liblzma-sys Exploited by Malware Attack | A backdoor was embedded in the popular Rust crate liblzma-sys, affecting version 0.3.2. Phylum identified the malicious "test files" in liblzma-sys on crates.io, leading to their removal in version 0.3.3. Malicious commits by GitHub user JiaT75 facilitated unauthorized SSH access for remote code execution. Kaspersky detailed a multi-stage malware operation involving specific malicious commits between versions 5.6.0 and 5.6.1 of XZ Utils. The intended purpose of the malware was to manipulate the Secure Shell Daemon (sshd) and allow attackers to execute code remotely. Early detection and remediation prevented a broader compromise of the Linux ecosystem. The incident highlights a trend of targeted social engineering attacks aimed at infiltrating open-source software repositories. |
| 2024-04-12 14:38:50 | theregister | NATION STATE ACTIVITY | Russian Cyber Spies Steal U.S. Government Emails in Microsoft Breach | Russian state-sponsored actors, known as Midnight Blizzard or Cozy Bear, infiltrated Microsoft's email systems and exfiltrated sensitive data including emails and authentication details. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive ED 24-02, compelling federal agencies to review compromised emails, reset credentials, and secure authentication tools. Affected federal agencies must provide status updates on their remediation efforts, with initial reports due by April 8 and a comprehensive update by May 1, followed by weekly reports. Microsoft has agreed to supply CISA with metadata about the exfiltrated emails, which include credentials, and to respond to further requests from the National Cyber Investigative Joint Task Force. Microsoft reported a significant increase in intrusion attempts by Midnight Blizzard in February 2024, indicating an escalation in the group's activities. Microsoft has been criticized for its security practices and its handling of the breach, with concerns about the implications for both national security and its commercial clients. The incident continues to affect Microsoft's reputation, with ongoing scrutiny of its disclosure and security incident handling policies. |
| 2024-04-12 13:32:22 | bleepingcomputer | CYBERCRIME | Critical Zero-Day in PAN-OS Firewalls Actively Exploited | Palo Alto Networks has issued a warning about a zero-day vulnerability in its PAN-OS firewall software that is being actively exploited in the wild. The vulnerability, tracked as CVE-2024-3400, is a severe command injection flaw that allows unauthenticated attackers to execute arbitrary code with root privileges. It affects specific versions of PAN-OS (10.2, 11.0, and 11.1) when both the GlobalProtect gateway and device telemetry features are enabled. The vulnerability carries a maximum severity score of 10.0 because it can be exploited without special privileges or user interaction. Remedial actions include applying the mitigations proposed by Palo Alto Networks until security updates are available, with hotfixes expected to be released by April 14, 2024. Approximately 82,000 devices could be vulnerable to this exploit, around 40% of them located in the United States. Palo Alto Networks products that are not affected include Cloud NGFW, Panorama appliances, and Prisma Access. |
| 2024-04-12 11:20:04 | thehackernews | CYBERCRIME | Protecting Non-Human Identities from Cyber Threats | Non-human identities, such as those used by microservices, are essential for API calls and system interactions. These identities are vulnerable to cyber threats, which could lead to stolen secrets, data tampering, or complete system shutdown. A comprehensive security suite is essential to manage and protect non-human identities and secrets at scale. Features needed include centralized governance, real-time monitoring, and comprehensive visibility of all machine identities. Effective management involves differentiating between genuine threats and false positives in order to focus on real vulnerabilities. The security solution should provide actionable steps for immediate issue resolution and ensure seamless collaboration between security and development teams. Entro's non-human identity management solution offers tools and insights to safeguard these digital assets effectively. |
| 2024-04-12 09:58:32 | thehackernews | NATION STATE ACTIVITY | Iranian Hackers Use DarkBeatC2 in Spear-Phishing Attack Campaign | Iranian threat actor MuddyWater has adopted a new C2 framework called DarkBeatC2, expanding its arsenal of cyberattack tools. MuddyWater, also known as Boggy Serpens and TA450, is linked to Iran's Ministry of Intelligence and Security and has been active since 2017. Recent attacks have involved spear-phishing campaigns using compromised email accounts to distribute malicious links and attachments. One spear-phishing effort targeted an educational institution in Israel via a compromised web link, potentially facilitated by earlier breaches carried out by Lord Nemesis. The DarkBeatC2 infrastructure manages infected endpoints using PowerShell, establishing persistence on compromised systems. Palo Alto Networks Unit 42 identified abuse of the Windows Registry AutodialDLL function to load malicious DLLs and connect to the DarkBeatC2 server. The attacks rely heavily on manipulating system processes and registry settings to maintain a foothold on and control over compromised devices. The ongoing campaign reflects a collaboration between Iranian military and intelligence entities to maximize damage to Israeli targets. |
| 2024-04-12 08:59:22 | thehackernews | CYBERCRIME | Critical Palo Alto Networks Software Flaw Now Actively Exploited | Palo Alto Networks issued a warning about a critical flaw (CVE-2024-3400) in its PAN-OS software, which has received a maximum severity score of 10.0. The vulnerability lies in the GlobalProtect gateways and enables unauthenticated attackers to execute arbitrary code with root privileges. The flaw affects only specific PAN-OS versions and configurations in which the GlobalProtect gateway and device telemetry features are enabled. Fixes for the impacted versions are planned for release on April 14, 2024. Volexity discovered and reported the vulnerability; however, details of the attack methods remain undisclosed. Palo Alto Networks noted a limited number of attacks exploiting this vulnerability and advises customers with Threat Prevention subscriptions to enable Threat ID 95187 for protection. Recent trends show Chinese threat actors exploiting similar zero-day flaws in products from Barracuda Networks, Fortinet, Ivanti, and VMware for targeted attacks and persistent access. |
| 2024-04-12 05:36:11 | theregister | CYBERCRIME | French Municipal Governments Crippled by Ongoing Cyber Attack | Multiple French municipal governments, including Saint-Nazaire, are experiencing severe service disruptions due to a large-scale cyber attack on shared servers. The origins and duration of the cyber attack are currently unknown, with updates being provided via social media and government websites. The attack has affected a number of cities and organizations, disrupting essential services across various municipalities. This disturbance follows a recent DDoS attack, claimed by Anonymous Sudan, which targeted French government websites without disrupting services. Concurrently, France Travail disclosed a significant data breach compromising the personal data of approximately 43 million citizens. Additional data breaches in the past month have exposed over 33 million people's data through attacks on third-party healthcare and insurance payment providers. The timing of these cyber events is particularly sensitive as France prepares for the upcoming Summer Olympics, heightening concerns about potential cyber threats. French cyber security officials are actively consulting with U.S. counterparts on strategies to protect the Olympics and other critical infrastructure from expected cyber attacks. |
| 2024-04-12 05:15:35 | thehackernews | MALWARE | Sneaky Credit Card Skimmer Masquerades as Facebook Tracker Script | Cybersecurity researchers have uncovered a credit card skimmer hidden within a fake Meta Pixel tracker script. The skimmer replaces the legitimate Facebook tracking domain "connect.facebook[.]net" with a malicious one, "b-connected[.]com". The compromised script is injected into websites using customizable code tools in the WordPress or Magento platforms. Malicious JavaScript in the fake Meta Pixel script activates on checkout pages, creating a fraudulent overlay to capture credit card details. Data captured by the skimmer is sent to another hacked site, highlighting the use of multiple compromised domains in the attack chain. Security experts recommend frequent updates, reviewing admin accounts, and updating passwords to mitigate such risks. Websites built on the WordPress and Magento platforms are increasingly targeted with similar e-commerce malware, demonstrating a need for heightened security measures. |
| 2024-04-12 04:49:53 | theregister | NATION STATE ACTIVITY | Apple Revises Alert Wording on Spyware from State-Sponsored to Mercenary | Apple has stopped using the term "state-sponsored" in its notifications about spyware attacks, now labeling them as "mercenary spyware". The change is motivated by the difficulty of pinpointing specific attackers or geographical origins, given the sophisticated and globally widespread nature of these threats. Historically, the company has attributed spyware such as NSO Group's Pegasus to state actors based on public reports and research. The alerts, which have been sent to Apple users in over 150 countries, are intended to inform recipients about attempts to remotely compromise their devices. The decision to alter the notification language comes amid earlier tension with the Indian government, which was accused of using such spyware against political opponents. Apple describes these spyware attacks as exceptionally well-funded and continuously evolving. Apple's notifications are based on high-confidence signals of targeted attacks, and it recommends that recipients take them seriously and seek assistance from the nonprofit Access Now. |