Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11811
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-11 11:52:30 | thehackernews | CYBERCRIME | TA547 Phishing Campaign Targets German Firms with Rhadamanthys | A threat actor known as TA547 has launched a phishing campaign against German companies, using an information stealer named Rhadamanthys. This marks the first observed use of Rhadamanthys by TA547, indicating a shift in tactics and tools within their operations. The phishing emails used in this campaign impersonate the German company Metro AG and deliver payloads via a password-protected ZIP file. The payload launches a PowerShell script that loads the Rhadamanthys stealer directly in memory, showcasing advanced evasion techniques. The PowerShell scripts included in the attack are suspected to have been generated or refined using a large language model because of their detailed and context-specific comments. TA547 has diversified its attack strategies over the years, evolving into an initial access broker for ransomware attacks and using region-specific payload delivery methods. The campaign not only highlights TA547's evolving tactics but also illustrates broader trends in cybercriminal strategies, such as leveraging artificial intelligence tools to enhance malware scripts. | Details |
| 2024-04-11 09:31:57 | theregister | DATA BREACH | Taxi Software Vendor Exposes Data of 300K Users in UK, Ireland | iCabbi, a Dublin-based taxi software provider, inadvertently exposed personal information of nearly 300,000 individuals from the UK and Ireland. The unprotected database included names, email addresses, phone numbers, and user IDs, accessible due to a security oversight. Prominent affected parties include MPs, a senior EU ambassador, academic institutions (.ac.uk domains), and senior media and government employees. The exposed data could potentially be exploited for sophisticated phishing attacks impersonating the taxi service. Cybersecurity researcher Jeremiah Fowler discovered the breach via an IoT search engine API, noting the ease of locating the exposed data. iCabbi responded swiftly to Fowler's disclosure, attributing the exposure to human error during customer data migration, and has since secured the data. The impact of the breach regarding customer notification, and whether the data was accessed by unauthorized parties, remains unclear. | Details |
| 2024-04-11 06:51:19 | thehackernews | NATION STATE ACTIVITY | Apple Intensifies Alerts on State-Linked Mercenary Spyware Threats | Apple has updated its documentation to better inform users potentially targeted by high-cost, complex mercenary spyware, specifically mentioning NSO Group's Pegasus. The revised alert system now includes notifications to users who may be victims of individualized attacks by state actors using commercial surveillance technologies. This change clarifies previous messaging that mainly associated threat notifications with state-sponsored attacks, without tying them to specific geographic regions or threat actors. Alongside the documentation update, Apple sent out notifications to iPhone users in 92 countries, alerting them to the potential spyware risks. The U.S., along with several other countries, is actively developing safeguards against the misuse of commercial spyware, which is a growing security concern globally. Recent insights from Google's Threat Analysis Group reveal that commercial surveillance vendors are exploiting zero-day vulnerabilities in web browsers and mobile devices to conduct espionage. Apple continues to emphasize the sophistication and ongoing threat posed by these spyware tools in their global deployment against high-profile targets like journalists and diplomats. | Details |
| 2024-04-11 05:31:02 | thehackernews | MALWARE | Fortinet Issues Urgent Patches for Critical Linux Flaw | Fortinet has released critical security patches for a severe vulnerability in FortiClientLinux, identified as CVE-2023-45590. The vulnerability has a high severity score of 9.4 and allows for arbitrary code execution through improper code generation. Attackers can exploit the flaw by tricking users into visiting a malicious website, leading to potential remote code execution. The issue is attributed to a dangerous nodejs configuration in the affected FortiClientLinux versions. Additional patches include fixes for FortiClientMac installer vulnerabilities and a FortiOS/FortiProxy bug that could expose administrator cookies. The vulnerabilities were discovered and reported by CataLpa from Dbappsecurity. While there have been no reports of these vulnerabilities being exploited in the wild, Fortinet advises users to update their systems promptly to avoid potential security threats. | Details |
| 2024-04-10 20:28:57 | theregister | MALWARE | Intel CPUs Still Susceptible to Advanced Spectre Exploits | VU Amsterdam researchers have bypassed existing Intel CPU protections against Spectre attacks, revealing vulnerabilities that permit data theft. A new tool, InSpectre Gadget, identifies exploitable code snippets in the Linux kernel that can be used to extract sensitive data despite Spectre mitigations. Researchers demonstrated a Native Branch History Injection (Native BHI) attack, successfully extracting usernames and passwords from kernel memory on an Intel processor. Intel has released updated software mitigation guidance following the discovery of over 1,500 new exploitable gadgets in the Linux kernel by the academic team. The vulnerabilities disclosed, tagged under CVE-2024-2201, could enable malware or rogue users to access protected areas of RAM and kernel memory. AMD and Arm CPU cores are reportedly not susceptible to this specific Native BHI Spectre exploit. The InSpectre Gadget tool and gadget database have been open-sourced on GitHub by the researchers. | Details |
| 2024-04-10 20:08:52 | bleepingcomputer | CYBERCRIME | Google Launches Chrome Enterprise Premium with Enhanced Security | Google has introduced Chrome Enterprise Premium, a higher-tier, security-focused version of its browser for organizations, requiring a subscription of $6 per user, per month. The standard service, previously known as Chrome Enterprise, has been renamed Chrome Enterprise Core, positioning the new premium service as an advanced offering. Chrome Enterprise Premium focuses on enhancing endpoint security where critical business activities, such as authentication and data access, occur within the browser. This premium version includes expanded controls for administrators to enforce policies, manage updates and extensions, and support secure communication protocols like RDP and SSH. The service leverages AI technologies for advanced threat and data protection capabilities, including content inspection, anti-malware, anti-phishing, and data loss prevention functionality. One significant benefit reported by early adopters like Snap is a 50% reduction in sensitive content transfers due to new data loss prevention tools. Roche has also reported immediate effectiveness, having thwarted substantial data exfiltration attempts shortly after deploying Chrome Enterprise Premium. | Details |
| 2024-04-10 19:28:43 | bleepingcomputer | MISCELLANEOUS | Google Workspace Introduces Multi-Admin Approval for Security | Google has launched a new multi-admin approval feature in Google Workspace to enhance security. This feature mandates multiple admin approvals for high-risk settings changes to prevent unauthorized access or mistakes. Multi-party approvals are designed to minimize workflow disruption for administrators while ensuring critical actions are not done in isolation. The feature targets settings that, if compromised, could significantly affect the overall security and integrity of the Workspace. Approval requests, sent to super admins via email, must be approved within 72 hours through the Admin console. Once approved, changes are implemented automatically without further action required by the initiator. The rollout began recently and will be available to all eligible users within two weeks; it is initially deactivated and needs to be manually enabled. | Details |
| 2024-04-10 17:28:14 | bleepingcomputer | MALWARE | New Spectre v2 Exploit Targets Linux on Intel CPUs | Researchers have discovered a new Spectre v2 speculative execution flaw affecting Linux systems on modern Intel processors. The vulnerability, identified as CVE-2024-2201, allows unauthenticated attackers to read privileged memory data. The exploit is demonstrated by manipulating CPU branch prediction through branch target injection (BTI) and branch history injection (BHI), leading to data leakage. Intel has responded by updating mitigation techniques, including disabling certain CPU features and enhancing security protocols. Existing mitigation tactics like disabling eBPF and enabling IBT are found to be ineffective against this new variant. The VUSec team has developed a tool to detect exploitable code segments in the Linux kernel, aiming to assist in mitigation. Microsoft and Intel have both issued updated guidance and recommendations to address the vulnerability. Future Intel processors will incorporate built-in mitigations for this and related speculative execution flaws. | Details |
| 2024-04-10 16:27:58 | bleepingcomputer | MALWARE | AI-Generated PowerShell Script Deployed in Infostealer Malware Campaign | A PowerShell script likely crafted with AI has been used in a malware campaign targeting German organizations. The script facilitated the delivery of the Rhadamanthys infostealer, a piece of malware traded under the malware-as-a-service (MaaS) model. Security firm Proofpoint linked the malicious activity to TA547, an initial access broker active since 2017 and known for distributing a variety of malware. The campaign involved impersonating the German Metro brand and using invoice-themed emails to lure victims into downloading a malicious ZIP file. Once the ZIP's contents were executed, the script ran Rhadamanthys directly in memory, a tactic that helps evade disk-based detection. Researchers observed unusual comment quality in the script, suggesting that it might have been generated or aided by an AI such as OpenAI's ChatGPT or a similar platform. Despite restrictions from major AI providers, malicious actors, including state-sponsored groups, have been increasingly leveraging AI for cyber attacks. | Details |
| 2024-04-10 14:47:30 | thehackernews | MALWARE | 'eXotic Visit' Spyware Targets Android Users in South Asia | An Android malware campaign, named eXotic Visit, has been active since November 2021, targeting users primarily in India and Pakistan. The spyware is distributed through dedicated websites and also appeared on the Google Play Store, hidden within apps that offer legitimate services but contain malicious code. The malware, derived from the open-source XploitSPY RAT, can access sensitive data such as GPS locations, microphone recordings, contacts, SMS messages, call logs, and clipboard content. Approximately 380 victims downloaded and used the spyware-infected apps for messaging, believing them to be legitimate applications. The apps masqueraded under names like Alpha Chat, ChitChat, and others, and included functionality such as providing SIM owner details or posing as a food ordering service. The threat group, tracked as Virtual Invaders, uses advanced tactics like code obfuscation, emulator detection avoidance, and hiding command-and-control server addresses. Slovak cybersecurity firm ESET, which reported the findings, emphasizes that while the apps have been taken down from Google Play, the campaign's main purpose appears to be espionage targeting specific regions. | Details |
| 2024-04-10 14:47:29 | bleepingcomputer | DATA BREACH | AT&T Confirms Data Breach Affecting Over 51 Million Customers | AT&T has officially recognized a significant data breach impacting 51,226,382 customers after initially denying the data belonged to them. Personal information exposed includes full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, and AT&T account details. Although initially offered for sale in 2021, AT&T only confirmed the breach after comprehensive reports by BleepingComputer and TechCrunch matched the data with DirecTV and AT&T accounts. The dataset, which originated around June 2019 or earlier, lacks personal financial information and call history according to AT&T's investigation. Discrepancies in the number of affected customers are attributed to individuals possessing multiple accounts. Despite the breach's confirmation in 2024, data has been circulating privately among cybercriminals, raising concerns over identity theft and fraud. AT&T is providing one year of identity theft protection and credit monitoring to affected users and urges vigilance in monitoring financial activities and handling unsolicited communications. Multiple class-action lawsuits have been filed against AT&T due to the breach and the prolonged period before acknowledging and informing affected customers. | Details |
| 2024-04-10 14:27:24 | bleepingcomputer | DATA BREACH | AT&T Admits Data Breach Affecting Over 51 Million Customers | AT&T has confirmed a data breach impacting 51,226,382 customers after previously denying the breach. Personal information such as full names, email addresses, phone numbers, SSNs, and AT&T passcodes were exposed. Initially reported on a hacking forum where the data was offered for sale in 2021, it took nearly three years for AT&T to acknowledge ownership of the leaked data. The compromised data appears to originate from records dating back to June 2019 or earlier. AT&T's delayed response and handling of the incident, including their initial denials, have led to multiple class-action lawsuits. Despite the potential long-term circulation of the data within criminal forums, AT&T is offering one year of free identity theft protection and credit monitoring. Customers are advised to remain vigilant, monitor their accounts, and report any suspicious activities to prevent identity theft and fraud. | Details |
| 2024-04-10 13:27:08 | theregister | MALWARE | Critical Command Injection Flaw in Programming Languages Fixed | A critical vulnerability in the Rust programming language, capable of causing command injection on Windows, has been addressed. The flaw, identified as CVE-2024-24576, received the highest severity rating of 10 and affects how batch files are handled in Rust's standard library. An oversight in the Command API's argument escaping could allow attackers to execute arbitrary shell commands, compromising system security. The vulnerability also impacts other programming languages including Erlang, Go, Python, and Ruby, prompting updates and advisories. Rust version 1.77.2 includes a fix developed by contributor Chris Denton, which improves the escaping mechanism and ensures safer argument handling. Despite the fix, the Rust team noted that the complexity of the Windows Command Prompt could still pose challenges in completely safeguarding against such vulnerabilities. Other major programming platforms such as Node.js and PHP are currently developing patches, while Java has no immediate plans to address the issue. Security experts recommend that developers not rely solely on CVSS scores to gauge severity, but assess the vulnerability's impact based on their specific application context. | Details |
| 2024-04-10 13:27:07 | thehackernews | MALWARE | Raspberry Robin Evolves to Distribute Malware via WSF Files | Researchers have identified a new Raspberry Robin malware campaign using WSF files to deliver malicious payloads. The campaign marks a shift from the worm's initial spread via USB devices to now incorporating more sophisticated digital methods, including malvertising. Linked to a threat group known as Storm-0856, the malware operation collaborates with significant cybercrime entities including Evil Corp and TA505. Techniques include heavy obfuscation and anti-analysis steps to avoid detection and thwart virtual machine analysis. The malware specifically targets Windows systems after build number 17063, avoiding earlier versions and shutting down if security processes from major antivirus tools are active. It configures Microsoft Defender Antivirus to exclude the main drive from scans, significantly lowering detection chances. Despite these advanced tactics, the antivirus engines on VirusTotal do not yet recognize the new WSF files as malicious, highlighting a gap in current malware detection efforts. | Details |
| 2024-04-10 12:46:57 | thehackernews | MALWARE | GitHub's Manipulated Repositories Spread Sophisticated Malware | Threat actors exploit GitHub's search features to push malware-laden repositories using fake popularity metrics such as automated updates and fraudulent stars. Malicious code hidden in Visual Studio Code project files aims to download further harmful payloads from remote URLs, mimicking popular projects to lure developers. Past incidents saw attackers boost their repositories' visibility with large numbers of fake stars, but recent methods show a more restrained approach to avoid detection. Checkmarx's research unveiled a black market for GitHub stars intended to artificially inflate repository popularity, complicating the assessment of user-generated content's authenticity. Detected malware repositories often disguise themselves as legitimate gaming software, tools, or cheat codes, incorporating encrypted files to sidestep antivirus software. The malware, resembling the Keyzetsu clipper, manipulates clipboard data to redirect cryptocurrency transactions to attacker-controlled wallets. Developers are advised to exercise increased diligence when sourcing code from open repositories and not to rely solely on repository star counts for validation. Related findings by Phylum indicate a rise in non-malicious spam campaigns in the npm registry, exploiting platforms like the not-yet-launched Tea protocol for crypto farming. | Details |